Tomcat Configuration Reference¶
Server¶
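Notes
This is the root element of the server.xml configuration file and represents the entire Tomcat server instance. A Tomcat instance can have only one <Server> element.
port="8005"
: Specifies the shutdown port that the Tomcat server listens on, here port 8005.
- This port is not used to handle HTTP requests; it exists only to receive the "shut down the server" command.
- When you run the shutdown.sh or shutdown.bat script, the script sends a message (the value of the shutdown attribute) to this port, and Tomcat shuts down cleanly once it receives it.
shutdown="SHUTDOWN"
: Defines the "secret password" (shutdown command) used to shut down the server.
- Tomcat performs the shutdown only when the exactly matching string SHUTDOWN is sent to port 8005.
- This is a simple security mechanism that prevents unauthorized shutdown requests.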
Example
Running ./shutdown.sh sends the word SHUTDOWN to port 8005. Tomcat listens on this port, checks if the message matches, and then shuts down.
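Security note
Although SHUTDOWN is the default value, in a production environment it is recommended to do one of the following:
- Set port to -1 to disable the network shutdown feature (Tomcat can then be shut down only through a script or a process signal).
- Or change the shutdown string to a complex value so that it cannot be easily guessed.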
Warning
If port="-1", Tomcat cannot be shut down through a network command; only the kill command or a local script can be used.
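The following audit check is an added example, not part of the original page or of Tomcat itself. It parses a server.xml and reports whether the shutdown port is still enabled and whether the shutdown command is the default or too short. The function name, the sample documents and the 16-character threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_COMMAND = "SHUTDOWN"  # default shutdown string described above
MIN_COMMAND_LENGTH = 16       # assumption: local policy threshold, not a Tomcat rule

# Constructed sample documents (not taken from a real deployment).
STOCK = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
DISABLED = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
SHORT = '<Server port="8005" shutdown="stop123"><Service name="Catalina"/></Server>'


def audit_shutdown(server_xml: str) -> list[str]:
    """Return findings about the <Server> shutdown port and command."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")

    # Assumed fallbacks when the attributes are omitted: the values used
    # in the stock server.xml shown on this page.
    port = root.get("port", "8005").strip()
    command = root.get("shutdown", DEFAULT_COMMAND)

    if port == "-1":
        # Network shutdown is disabled, so the command string is never read.
        return []

    findings = [f"shutdown port {port} is enabled"]
    if command == DEFAULT_COMMAND:
        findings.append("shutdown command is the default 'SHUTDOWN'")
    elif len(command) < MIN_COMMAND_LENGTH:
        findings.append(
            f"shutdown command is only {len(command)} characters long"
        )
    return findings


if __name__ == "__main__":
    for label, doc in (("stock", STOCK), ("disabled", DISABLED), ("short", SHORT)):
        result = audit_shutdown(doc)
        print(label, "->", result if result else "no findings")
```
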
Listener¶
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
GlobalNamingResources¶
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
Resource¶
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
Service¶
name¶
Service name.
Connector¶
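The port number that listens for HTTP requests; the default is 8080.
- protocol: protocol type (for example HTTP/1.1 or org.apache.coyote.http11.Http11NioProtocol)
- connectionTimeout: how long to wait for a connection before timing out (milliseconds)
- redirectPort: the port to redirect to when SSL transport is required
- maxThreads: maximum number of requests that can be processed
- minSpareThreads: minimum number of idle threads
- enableLookups: whether to look up the client host name through DNS
- acceptCount: maximum queue length
- compression: whether compression is enabled
- scheme & secure: configure the protocol and security status to report after forwarding by a proxy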
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
Other Connector
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
Another Connector
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
Third Connector
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
Fourth Connector
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
Engine¶
Engine name¶
Engine name.
Engine defaultHost¶
Default host name.
Cluster¶
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
Realm¶
Used for user authentication and authorization.
<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
Host¶
- name
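- appBase: the application base directory; the default is webapps
- unpackWARs: whether WAR files are unpacked automatically
- autoDeploy: whether applications are deployed automatically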
Valve¶
A Valve can be added to a Host or an Engine to implement different functions, such as access logging or single sign-on.
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />