Installing Apache Tomcat 10 with Nginx on Rocky Linux 8: A Step-by-Step Guide

Apache Tomcat is a widely-used open-source web server designed for Java-based applications. It enables the deployment of Java Servlet and JavaServer Pages (JSP) applications. Servlets are small Java programs that enhance server capabilities, handling requests and responses. Tomcat provides an open-source implementation of key Java technologies such as the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket. In this guide, we will walk through the installation of Tomcat 10, with similar steps applicable to Tomcat 9. We will also set up Nginx as a reverse proxy with SSL to secure our deployment. Note, however, that we will not be covering the latest alpha version, Tomcat 10.1.x.

Prerequisites

  • A server running on Rocky Linux 8.5
  • A non-root user with sudo privileges
  • Ensure all packages are up to date
    $ sudo dnf update
    
  • Install required packages
    $ sudo dnf install wget tar
    

Step 1 – Install Java

Both Tomcat 9 and 10 require Java 8 or later. We’ll install OpenJDK 11 for this tutorial.

Execute the following command to install OpenJDK:

$ sudo dnf install java-11-openjdk-devel

Verify the Java installation:

$ java -version
openjdk version "11.0.13" 2021-10-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.13+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8-LTS, mixed mode, sharing)

Step 2 – Create a System User

To minimize security risks, we will create a dedicated system user for Tomcat.

Use the following command:

$ sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Step 3 – Download Tomcat

Download the latest version of Tomcat v10 from the official download page. Ensure you have the correct version number before proceeding.

Download Tomcat using wget:

$ VERSION=10.0.14
$ wget https://dlcdn.apache.org/tomcat/tomcat-10/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz
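Before extracting, verify that the archive you received is the one Apache published. The script below is an added example and is not part of this guide or of the Tomcat project: it fetches the .sha512 file that Apache publishes beside each archive at the same URL (the sidecar location is an assumption based on the mirror layout used above) and compares the digest with the local file. The function names and argument handling are this example's own.

```shell
#!/bin/sh
# Added example: integrity check for the Tomcat tarball downloaded in Step 3.

# verify_tomcat_tarball ARCHIVE CHECKSUM_FILE
# Compares ARCHIVE's SHA-512 with the first field of CHECKSUM_FILE, which in
# Apache's sidecar files looks like "<128 hex chars> *apache-tomcat-X.tar.gz".
# The digest is compared directly rather than via `sha512sum -c`, so the
# check works whatever directory the files were saved in.
# Returns 0 on a match, 1 on mismatch, malformed sidecar or missing file.
verify_tomcat_tarball() {
    archive="$1"
    sums="$2"
    if [ ! -f "$archive" ] || [ ! -f "$sums" ]; then
        echo "missing file: $archive or $sums" >&2
        return 1
    fi
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sums")
    if [ "${#expected}" -ne 128 ]; then
        echo "checksum file does not contain a SHA-512 digest" >&2
        return 1
    fi
    actual=$(sha512sum "$archive" | awk '{ print tolower($1) }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $archive matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: $archive does not match $sums; do not extract it" >&2
    return 1
}

# download_and_verify VERSION
# Downloads the archive and its .sha512 sidecar from the mirror path used in
# Step 3 (assumption: the sidecar sits beside the archive) and verifies it.
download_and_verify() {
    v="$1"
    base="https://dlcdn.apache.org/tomcat/tomcat-10/v${v}/bin"
    wget -q "${base}/apache-tomcat-${v}.tar.gz" \
            "${base}/apache-tomcat-${v}.tar.gz.sha512" || return 1
    verify_tomcat_tarball "apache-tomcat-${v}.tar.gz" \
                          "apache-tomcat-${v}.tar.gz.sha512"
}

# Usage: sh verify-tomcat.sh 10.0.14
if [ "$#" -eq 1 ]; then
    download_and_verify "$1"
fi
```

Because the digest comes from the same mirror as the archive, a match rules out a truncated or corrupted download but not a mirror that serves a matching bad pair; for that, Apache also publishes a detached PGP signature (.asc) that can be checked against the project's KEYS file.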

Extract the downloaded archive to /opt/tomcat:

$ sudo tar -xf apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

Create a symbolic link to the extracted Tomcat directory:

$ sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

Adjust directory ownership:

$ sudo chown -R tomcat:tomcat /opt/tomcat

Step 4 – Create a Systemd Unit File

Create a service file to manage the Tomcat server:

Edit or create /etc/systemd/system/tomcat.service:

$ sudo nano /etc/systemd/system/tomcat.service

Insert the following configuration:

[Unit]
Description=Apache Tomcat 10 Servlet container
Wants=network.target
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
Restart=always

[Install]
WantedBy=multi-user.target

Save your changes and exit.

Step 5 – Start and Enable the Tomcat Service

Reload the systemd daemon and enable Tomcat:

$ sudo systemctl daemon-reload
$ sudo systemctl enable tomcat --now

Confirm that Tomcat is running:

$ sudo systemctl status tomcat

Step 6 – Configure Firewall

Open HTTP and HTTPS ports on the firewall:

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

Step 7 – Configure Tomcat Web Management Interface

Configure user credentials for the Tomcat web management interface:

Edit /opt/tomcat/latest/conf/tomcat-users.xml:

$ sudo nano /opt/tomcat/latest/conf/tomcat-users.xml

Add user credentials, replacing the example passwords with strong, unique ones of your own:

<tomcat-users>
<role rolename="manager-gui"/>
<user username="manager" password="managerpassword" roles="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="adminpassword" roles="admin-gui"/>
</tomcat-users>

Edit the web application contexts to allow external access:

Modify /opt/tomcat/latest/webapps/manager/META-INF/context.xml and /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml by commenting out the IP address restriction. Keep in mind that after Step 9 every proxied request reaches Tomcat from 127.0.0.1, so the manager and host-manager applications become reachable by anyone who can reach the site; the passwords in tomcat-users.xml are then the only access control.

<!--
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

Restart Tomcat after making changes:

$ sudo systemctl restart tomcat

Step 8 – Install SSL

Install Certbot to obtain a Let’s Encrypt SSL certificate:

First, install EPEL:

$ sudo dnf install epel-release

Install Certbot:

$ sudo dnf install certbot

Generate an SSL certificate:

$ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m name@example.com -d tomcat.example.com

Generate a Diffie-Hellman group:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create a directory for Let’s Encrypt auto-renewal:

$ sudo mkdir -p /var/lib/letsencrypt

Set up a cron job for SSL renewal:

Create /etc/cron.daily/certbot-renew:

$ sudo nano /etc/cron.daily/certbot-renew

Enter the following script:

#!/bin/sh
certbot renew --cert-name tomcat.example.com --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"

Make the script executable:

$ sudo chmod +x /etc/cron.daily/certbot-renew

Step 9 – Install Nginx

Install and verify Nginx:

$ sudo dnf module install nginx:1.20
$ nginx -v

Start Nginx:

$ sudo systemctl enable nginx --now

Configure Nginx as a reverse proxy:

Edit /etc/nginx/conf.d/tomcat.conf:

$ sudo nano /etc/nginx/conf.d/tomcat.conf

Insert the Nginx server block:

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  tomcat.example.com;

    access_log  /var/log/nginx/tomcat.access.log;
    error_log   /var/log/nginx/tomcat.error.log;

    # SSL
    ssl_certificate      /etc/letsencrypt/live/tomcat.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/tomcat.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tomcat.example.com/chain.pem;
    ssl_session_timeout  5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 8.8.8.8;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# enforce HTTPS
server {
    listen       80;
    listen       [::]:80;
    server_name  tomcat.example.com;

    # Serve ACME HTTP-01 challenges from the webroot used by the renewal
    # script in Step 8; without this the redirect below would send the
    # challenge to Tomcat and renewal would fail.
    location /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
    }

    location / {
        return 301   https://$host$request_uri;
    }
}

Save and close the file. Next, edit the main nginx.conf:

$ sudo nano /etc/nginx/nginx.conf

Add the following line inside the http { } block:

server_names_hash_bucket_size  64;

Check the Nginx syntax and restart:

$ sudo nginx -t
$ sudo systemctl restart nginx
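With the management interface exposed through the proxy (Step 7) and the TLS settings in place (Step 9), a quick audit of both configuration files catches the two mistakes that most often survive a setup like this: the placeholder passwords left in tomcat-users.xml, and a hardening directive that was commented out or dropped from the Nginx server block. The script below is an added example, not part of this guide or of the Tomcat or Nginx projects; the file paths it expects are the guide's defaults, the function names are this example's own, and the list of weak passwords it flags consists of this guide's placeholders plus the sample values shipped commented out in Tomcat's stock tomcat-users.xml.

```shell
#!/bin/sh
# Added example: post-install audit for the Tomcat + Nginx setup in this guide.

# check_tomcat_users FILE
# Lists <user> entries in tomcat-users.xml whose password is empty, is one of
# this guide's placeholders (managerpassword, adminpassword), or is one of the
# sample values Tomcat ships commented out (<must-be-changed>, s3cret).
# Comments are stripped first so the stock samples do not trigger a finding.
# Returns 0 when nothing is flagged, 1 otherwise.
check_tomcat_users() {
    weak=$(sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" \
        | grep -o '<user .*/>' \
        | while IFS= read -r elem; do
            name=$(printf '%s' "$elem" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
            pass=$(printf '%s' "$elem" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
            roles=$(printf '%s' "$elem" | sed -n 's/.*roles="\([^"]*\)".*/\1/p')
            case "$pass" in
                ""|managerpassword|adminpassword|'<must-be-changed>'|s3cret)
                    printf 'WEAK: user=%s roles=%s\n' "$name" "$roles" ;;
            esac
        done)
    [ -z "$weak" ] && return 0
    printf '%s\n' "$weak"
    return 1
}

# check_nginx_tls FILE
# Confirms the reverse-proxy configuration keeps the settings used in Step 9:
# only TLS 1.2/1.3, OCSP stapling on, a plain-HTTP redirect to HTTPS, and the
# X-Forwarded-For header so Tomcat can see the real client address.
# Comment text is removed first so a commented-out directive does not pass.
# Prints one FAIL line per missing setting; returns 0 only if all are present.
check_nginx_tls() {
    body=$(sed 's/#.*$//' "$1")
    fails=0
    proto=$(printf '%s\n' "$body" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    if [ -z "$proto" ]; then
        echo "FAIL: ssl_protocols not set (nginx 1.20 then also accepts TLSv1 and TLSv1.1)"
        fails=$((fails + 1))
    else
        case " $proto " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                echo "FAIL: legacy protocol enabled: $proto"
                fails=$((fails + 1)) ;;
        esac
    fi
    printf '%s\n' "$body" | grep -q '^[[:space:]]*ssl_stapling[[:space:]]*on;' \
        || { echo "FAIL: OCSP stapling is not enabled"; fails=$((fails + 1)); }
    printf '%s\n' "$body" | grep -q 'return[[:space:]]*301[[:space:]]*https://' \
        || { echo "FAIL: no HTTP-to-HTTPS redirect"; fails=$((fails + 1)); }
    printf '%s\n' "$body" | grep -q 'proxy_set_header[[:space:]]*X-Forwarded-For' \
        || { echo "FAIL: X-Forwarded-For is not passed to Tomcat"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Usage: sudo sh tomcat-audit.sh /opt/tomcat/latest/conf/tomcat-users.xml /etc/nginx/conf.d/tomcat.conf
if [ "$#" -eq 2 ]; then
    rc=0
    check_tomcat_users "$1" || rc=1
    check_nginx_tls "$2" || rc=1
    exit "$rc"
fi
```

Run it as root because tomcat-users.xml is owned by the tomcat user; a non-zero exit means at least one finding was printed. The grep-based parsing assumes one <user> element per line, which is how Tomcat's file is laid out, and the weak-password list is a starting point to extend with any other placeholder your team uses.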

Step 10 – Run Tomcat

Visit https://tomcat.example.com in your browser to verify the installation:

[Screenshot: Tomcat Web Management Home]

Use the credentials from Step 7 to access Tomcat’s management interfaces.

Conclusion

We have successfully set up Apache Tomcat 10 on a Rocky Linux 8.5 server, secured it with Nginx as a reverse proxy, and added SSL encryption. If you encounter any issues, feel free to leave a comment for further assistance.

FAQ

What is Tomcat used for?
Tomcat is an open-source web server that runs Java Servlets and JavaServer Pages (JSP). It processes servlets that can serve dynamic web content.
Why configure Nginx as a reverse proxy?
Nginx acts as a reverse proxy to distribute network traffic, improve load times, and provide an additional layer of security.
How do I secure my connection with SSL?
SSL encrypts data transferred between clients and servers. In this guide, we used Let’s Encrypt’s Certbot to generate SSL certificates, securing our Tomcat server.
Can I use Tomcat 9 with these instructions?
Yes, the steps are largely the same for Tomcat 9. Ensure you download the appropriate version.
What is the purpose of creating a system user for Tomcat?
The dedicated system user minimizes security risks by not permitting Tomcat to run as root, limiting potential damage from vulnerabilities.
Do I need to set up a firewall for Tomcat?
Yes, configuring your firewall enhances security by controlling the network traffic flow to and from your Tomcat server.