How to Install Apache Tomcat 10 with Nginx on Rocky Linux 8

Tomcat is an open-source web server for Java-based applications. It is used for deploying Java Servlet and JSP applications. Java servlets are small programs defining how a server handles requests and responses. Tomcat acts as an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies.

There are multiple versions of Tomcat available. We will discuss the installation of Tomcat 10 for our tutorial. If you want to install Tomcat 9, the instructions will be the same. If there are any changes, they will be specified in the tutorial.

For our tutorial, we will install Tomcat 10 along with the Nginx server to act as a reverse proxy and protect it using SSL. There is a Tomcat 10.1.x version which is the latest alpha version of Tomcat, but we will not be installing that.

Prerequisites

  • A server running Rocky Linux 8.5

  • A non-root user with sudo privileges.

  • Make sure everything is updated.

    $ sudo dnf update
    
  • Packages required for the installation.

    $ sudo dnf install wget tar
    

Step 1 - Install Java

Tomcat 9 and 10 require Java 8 and later. We will install OpenJDK 11, the open-source implementation of the Java platform.

Run the following command to install OpenJDK.

$ sudo dnf install java-11-openjdk-devel

Verify the installation.

$ java -version
openjdk version "11.0.13" 2021-10-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.13+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.13+8-LTS, mixed mode, sharing)

Step 2 - Create a System User

We will create a dedicated system user so that Tomcat does not run as root, which minimizes the security risk. For the new user, we will set /opt/tomcat as the home directory.

Run the following command to create a new system user for Tomcat.

$ sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat

Step 3 - Download Tomcat

The latest version of Tomcat v10 can be downloaded from its download page. At the time of writing this tutorial, v10.0.14 is the latest available version. Check the latest version before you download Tomcat.

Use wget to download Tomcat.

$ VERSION=10.0.14
$ wget https://dlcdn.apache.org/tomcat/tomcat-10/v${VERSION}/bin/apache-tomcat-${VERSION}.tar.gz

Extract the file to the /opt/tomcat directory.

$ sudo tar -xf apache-tomcat-${VERSION}.tar.gz -C /opt/tomcat/

Create a symbolic link to the latest version of Tomcat that points to Tomcat's installation directory.

$ sudo ln -s /opt/tomcat/apache-tomcat-${VERSION} /opt/tomcat/latest

Change the ownership of the directory to the user created earlier.

$ sudo chown -R tomcat:tomcat /opt/tomcat

Step 4 - Create a Systemd Unit File

The next step is to create a service file for the Tomcat server so that it can be started automatically.

Create and open the file /etc/systemd/system/tomcat.service for editing.

$ sudo nano /etc/systemd/system/tomcat.service

Paste the following code.

[Unit]
Description=Apache Tomcat 10 Servlet container
Wants=network.target
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
Restart=always

[Install]
WantedBy=multi-user.target

Save the file by pressing Ctrl + X and entering Y when prompted to save.

Step 5 - Start and Enable the Tomcat service

Reload the systemd daemon so that it picks up the new unit file.

$ sudo systemctl daemon-reload

Enable and Start the Tomcat service.

$ sudo systemctl enable tomcat --now

Check the service status.

$ sudo systemctl status tomcat
● tomcat.service - Apache Tomcat 10 Servlet container
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-12-17 15:54:28 UTC; 24s ago
  Process: 86219 ExecStart=/opt/tomcat/latest/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 86226 (java)
    Tasks: 19 (limit: 11411)
   Memory: 132.7M
   CGroup: /system.slice/tomcat.service
           └─86226 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/tomcat/latest/conf/logging.properties>

Dec 17 15:54:27 howtoforge systemd[1]: Starting Apache Tomcat 10 Servlet container...
Dec 17 15:54:28 howtoforge systemd[1]: Started Apache Tomcat 10 Servlet container.

Step 6 - Configure Firewall

Rocky Linux uses the firewalld firewall. Check its status.

$ sudo firewall-cmd --state
running

Allow HTTP and HTTPS ports.

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https

Reload the firewall to enable the changes.

$ sudo firewall-cmd --reload

Step 7 - Configure Tomcat Web Management Interface

The web management interface will only be accessible once we create a user credential for it.

Tomcat users and roles are defined in the /opt/tomcat/latest/conf/tomcat-users.xml file. Open the file for editing.

$ sudo nano /opt/tomcat/latest/conf/tomcat-users.xml

Add the following lines before the </tomcat-users> line. Replace the username and password with your credentials.

Choose different credentials for Manager and Administrator Tomcat portals.

<tomcat-users>
<!--
    Comments
-->
    <role rolename="manager-gui"/>
    <user username="manager" password="managerpassword" roles="manager-gui"/>
    <role rolename="admin-gui"/>
    <user username="admin" password="adminpassword" roles="admin-gui"/>
</tomcat-users>

Save the file by pressing Ctrl + X and entering Y when prompted to save.

By default, the Tomcat management interface is only accessible from localhost. If you need to access it from another host, you need to configure it.

Open the /opt/tomcat/latest/webapps/manager/META-INF/context.xml for editing.

$ sudo nano /opt/tomcat/latest/webapps/manager/META-INF/context.xml

Remove the following lines, or comment them out as shown below by enclosing them in <!-- and -->.

<!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
-->

Allowing access from any IP address is a security risk. You can restrict it by allowing access only from your public IP address. If your public IP address is 22.22.22.22, change the line as follows.

 <Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|22\.22\.22\.22" />

The allow attribute is a regular expression matched against the client address: the entries are separated by a vertical bar (|), and the dots of a literal IP address should be escaped with a backslash, because an unescaped dot matches any character. You can either add single IP addresses or use a broader pattern.

Save the file by pressing Ctrl + X and entering Y when prompted to save.

Perform the same changes on the file /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml as well.

Once finished, restart the Tomcat server.

$ sudo systemctl restart tomcat

Step 8 - Install SSL

To install an SSL certificate using Let's Encrypt, we need to install the Certbot tool.

Firstly, you need to download and install the EPEL repository.

$ sudo dnf install epel-release

Run the following commands to install Certbot.

$ sudo dnf install certbot

Generate the SSL certificate.

$ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d tomcat.example.com

The above command will download a certificate to the /etc/letsencrypt/live/tomcat.example.com directory on your server.

Generate Diffie-Hellman parameters for Nginx.

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Create a challenge webroot directory for Let's Encrypt auto-renewal.

$ sudo mkdir -p /var/lib/letsencrypt

Create a cron job to renew the SSL certificate. It will run every day to check the certificate and renew it if needed. For that, first create the file /etc/cron.daily/certbot-renew and open it for editing.

$ sudo nano /etc/cron.daily/certbot-renew

Paste the following code.

#!/bin/sh
certbot renew --cert-name tomcat.example.com --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"

Save the file by pressing Ctrl + X and entering Y when prompted.

Change the permissions on the task file to make it executable.

$ sudo chmod +x /etc/cron.daily/certbot-renew

Step 9 - Install Nginx

Rocky Linux 8.5 ships Nginx 1.20 as an AppStream module. Install it using the following command.

$ sudo dnf module install nginx:1.20

Verify the installation.

$ nginx -v
nginx version: nginx/1.20.1

Enable and start the Nginx service.

$ sudo systemctl enable nginx --now

Create and open the file /etc/nginx/conf.d/tomcat.conf for editing.

$ sudo nano /etc/nginx/conf.d/tomcat.conf

Paste the following code in it.

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  tomcat.example.com;

    access_log  /var/log/nginx/tomcat.access.log;
    error_log   /var/log/nginx/tomcat.error.log;

    # SSL
    ssl_certificate      /etc/letsencrypt/live/tomcat.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/tomcat.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/tomcat.example.com/chain.pem;
    ssl_session_timeout  5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 8.8.8.8;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # let Tomcat know the original request was made over HTTPS
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# enforce HTTPS
server {
    listen       80;
    listen       [::]:80;
    server_name  tomcat.example.com;

    # serve the Let's Encrypt renewal challenges from the webroot created in step 8,
    # otherwise the redirect below would break the cron-based renewal
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
    }

    location / {
        return 301   https://$host$request_uri;
    }
}

Save the file by pressing Ctrl + X and entering Y when prompted once finished.

Open the file /etc/nginx/nginx.conf for editing.

$ sudo nano /etc/nginx/nginx.conf

Add the following line before the line include /etc/nginx/conf.d/*.conf;.

server_names_hash_bucket_size  64;

Save the file by pressing Ctrl + X and entering Y when prompted.

Verify the Nginx configuration file syntax.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service to enable the new configuration.

$ sudo systemctl restart nginx
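Because every request now reaches Tomcat from Nginx at 127.0.0.1, the RemoteAddrValve allow list from step 7 sees the proxy's address instead of the client's and therefore matches every visitor. The following server.xml fragments are an added example, not part of the original tutorial: a RemoteIpValve that takes the client address and scheme from X-Forwarded-For and X-Forwarded-Proto only when the request itself arrives from the local proxy, and the HTTP connector bound to loopback so that port 8080 cannot be reached directly. It assumes Nginx forwards X-Forwarded-Proto $scheme in addition to X-Forwarded-For.

```xml
<!-- /opt/tomcat/latest/conf/server.xml (added example: edits to the existing file, not a complete server.xml) -->

<!-- 1. Bind the HTTP connector to loopback so that only the local Nginx proxy can reach port 8080. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- 2. Inside <Engine name="Catalina" defaultHost="localhost">, before the <Host> element:
        rewrite the client address and scheme from the proxy headers, but trust those
        headers only when the connection comes from an address listed in internalProxies. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"
       remoteIpHeader="X-Forwarded-For"
       proxiesHeader="X-Forwarded-By"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
```

After restarting Tomcat, the allow list from step 7 is matched against the real client address, so the loopback entries no longer admit proxied visitors and only the public IP address you listed does.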

Step 10 - Run Tomcat

Launch https://tomcat.example.com in your browser, and it will open the following screen.

Tomcat Web Management Home

You can now access the Server Status, Manager App and Host Manager pages using the login credentials we configured in step 7.

Conclusion

This concludes our tutorial on installing and configuring Tomcat Server on a Rocky Linux 8.5 based server and serving it via Nginx reverse proxy, and using SSL to protect it. If you have any questions, post them in the comments below.
