MyTimetable needs both a Java Runtime Environment (JRE) and Apache Tomcat. These can be installed using the package manager of the operating system, but we often see that the JRE bundled with Linux distributions is very outdated. For this reason we recommend installing a separate JRE and Apache Tomcat bundle and keeping them up to date manually. This page lists the required files and gives some pointers on how to install Tomcat in /opt. Basic Linux system administration knowledge is assumed, and some commands will need to be changed to suit your environment.

See Software packages and download locations for the download locations of the Oracle JRE and Apache Tomcat.

Unpacking and installing

# Download files
root@server:~# cd /opt
root@server:/opt# wget https://files.eveoh.nl/OpenJDK8U-jre_x64_linux_hotspot_8uxxx.tar.gz
root@server:/opt# wget https://files.eveoh.nl/apache-tomcat-9.x.x.tar.gz
 
# Unpack files
root@server:/opt# tar xvfz OpenJDK8U-jre_x64_linux_hotspot_8*.tar.gz
root@server:/opt# tar xvfz apache-tomcat-*.tar.gz
 
# Remove downloads
root@server:/opt# rm OpenJDK8U-jre_x64_linux_hotspot_8*.tar.gz apache-tomcat-*.tar.gz
 
# Create /opt/jre and /opt/tomcat symlinks for easier administration
root@server:/opt# ln -s jdk* jre
root@server:/opt# ln -s apache-tomcat* tomcat

# Create a user for Tomcat (Debian based command)
root@server:/opt# adduser --home /opt/tomcat --shell /bin/bash tomcat
 
# Fix various ownerships
root@server:/opt# chown -R root:root /opt/jdk* /opt/apache-tomcat*
root@server:/opt# chown -R tomcat:tomcat /opt/apache-tomcat*/work /opt/apache-tomcat*/logs /opt/apache-tomcat*/temp

# Delete default apps (this removes everything in webapps; exclude the manager directory from the rm if you want to keep it)
root@server:/opt# rm -rf /opt/tomcat/webapps/*
 
# Create default config dir
root@server:/opt# mkdir -p /opt/tomcat/conf/Catalina/localhost
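
The chown steps above leave the Tomcat tree owned by root, with only work, logs and temp writable by the tomcat user, so the running service cannot change its own binaries, configuration or webapps. The script below is an added example, not part of the original instructions, that checks this layout; the function name `audit_tomcat_layout` and its finding labels are made up here.

```shell
#!/bin/sh
# Added example (not from the original page): audit the ownership layout that
# the chown steps above are meant to produce.
#   $1 = Tomcat directory, $2 = owner of the read-only tree (root on the page),
#   $3 = service account (tomcat on the page). Names or numeric IDs both work.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_tomcat_layout() (
    home=$1 admin=$2 svc=$3
    findings=$(
        # Outside work/logs/temp nothing may be owned by anyone but the admin
        # owner, and nothing may be world-writable. Symlinks are skipped
        # because their mode bits are always rwxrwxrwx.
        find -H "$home" \
            \( -path "$home/work" -o -path "$home/logs" -o -path "$home/temp" \) -prune \
            -o ! -type l \( ! -user "$admin" -o -perm -0002 \) -print |
            sed 's/^/NOT-READONLY /'
        # The three runtime directories must exist and belong to the service
        # account, otherwise Tomcat cannot write logs or compiled JSPs.
        for d in work logs temp; do
            if [ ! -d "$home/$d" ]; then
                echo "MISSING $home/$d"
            elif [ -n "$(find -H "$home/$d" -prune ! -user "$svc" -print)" ]; then
                echo "WRONG-OWNER $home/$d"
            fi
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
)

# Run against a real install when called with three arguments, e.g.
#   sh audit.sh /opt/tomcat root tomcat
if [ "$#" -eq 3 ]; then
    audit_tomcat_layout "$@"
fi
```

Run it again after every Tomcat upgrade, since unpacking a new tarball and re-pointing the symlink resets the ownership of the new directory.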

After this, follow the instructions at Configuring Apache Tomcat to set up Tomcat.

Init script

You can find an example init.d script to start Tomcat at https://gist.github.com/MikeN123/8562092. This script is meant for Debian and Ubuntu, and you will probably have to make adjustments for other operating systems. Install this script in /etc/init.d and create a file /etc/defaults/tomcat with the JAVA_HOME (set it to /opt/jre), TOMCAT_USER, TOMCAT_GROUP and JAVA_OPTS settings (see Configuring Apache Tomcat). Then run insserv tomcat to start the service by default.

Reverse proxy

In order to run Tomcat on port 80/443 a reverse proxy is recommended. We recommend setting up nginx for this purpose, but Apache httpd is also a good option. In this case, do not configure SSL on the Tomcat server itself. Instead, configure two plain HTTP connectors: one unsecure connector and one connector that is marked as secure. Because the second connector reports every request as secure without doing any TLS itself, both ports should only be reachable from the proxy. Using Tomcat's RemoteIpValve causes issues with redirects, and is not recommended. An example Tomcat connector config would look like:

<Connector maxThreads="100" port="8080" protocol="HTTP/1.1" connectionTimeout="10000" keepAliveTimeout="120000" maxKeepAliveRequests="-1" proxyPort="80" />
     
<Connector maxThreads="100" port="8443" protocol="HTTP/1.1" connectionTimeout="10000" keepAliveTimeout="120000" maxKeepAliveRequests="-1" scheme="https" secure="true" proxyPort="443" />

An appropriate nginx config would include something like:

http {
    # <various other settings, logging etc...>

    # Let nginx handle the gzipping, do not enable compression in Tomcat
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript text/calendar;

    # HTTP/1.1 and an empty Connection header are needed for upstream keepalive
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Plain HTTP traffic goes to the unsecure Tomcat connector
    upstream http_backend {
        server x.x.x.x:8080;
        keepalive 100;
    }

    server {
        listen 80;
        listen [::]:80;

        server_name mytimetable.institution.domain;

        location / {
            proxy_pass http://http_backend;
        }
    }

    # HTTPS traffic is terminated here and goes to the secure Tomcat connector
    upstream https_backend {
        server x.x.x.x:8443;
        keepalive 100;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        # <SSL config>
        server_name mytimetable.institution.domain;

        location / {
            proxy_pass http://https_backend;
        }
    }
}

Another option is to simply create some iptables prerouting rules, like this:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

A last option is to use authbind (which comes with Debian and Ubuntu), but we do not recommend this option since it lacks IPv6 support.
