Jetty 9.2.x to 9.4.x migration notes

I. Additional content

Default configurable startup parameters

See the dumpEnv() function in jetty.sh; it prints every variable the start script resolves, which is the quickest way to confirm what a given host is actually running with:

dumpEnv()
{
    echo "JAVA                  =  $JAVA"
    echo "JAVA_OPTIONS          =  ${JAVA_OPTIONS[*]}"
    echo "JETTY_HOME            =  $JETTY_HOME"
    echo "JETTY_BASE            =  $JETTY_BASE"
    echo "START_D               =  $START_D"
    echo "START_INI             =  $START_INI"
    echo "JETTY_START           =  $JETTY_START"
    echo "JETTY_CONF            =  $JETTY_CONF"
    echo "JETTY_ARGS            =  ${JETTY_ARGS[*]}"
    echo "JETTY_RUN             =  $JETTY_RUN"
    echo "JETTY_PID             =  $JETTY_PID"
    echo "JETTY_START_LOG       =  $JETTY_START_LOG"
    echo "JETTY_STATE           =  $JETTY_STATE"
    echo "JETTY_START_TIMEOUT   =  $JETTY_START_TIMEOUT"
    echo "RUN_CMD               =  ${RUN_CMD[*]}"
}

Recommended parameters

Parameter            Description
TMPDIR               Temporary directory used for deployment (passed on as java.io.tmpdir). Use a directory owned by the Jetty user rather than a shared /tmp.
JETTY_START_TIMEOUT  Defaults to 60 seconds; adjust to the real startup time of your webapps.
JETTY_RUN            Directory for the PID and state files; put it under the current (jetty.base) directory rather than the default.
JAVA                 If unset, jetty.sh looks up java on its own; can be left unset when only one JDK is installed.
JAVA_OPTIONS         JVM startup options; tune heap and GC parameters here.
GCLOG_HOME           Directory for GC logs.

II. General content

1. start.ini updates

The 9.2 property names below are no longer recognized in 9.4; each one has a replacement (old name --> new name):

# HTTP port
jetty.port --> jetty.http.port
# Connection idle timeout
http.timeout --> jetty.http.idleTimeout
# Minimum thread count
threads.min --> jetty.threadPool.minThreads
# Maximum thread count
threads.max --> jetty.threadPool.maxThreads
# Thread idle timeout
threads.timeout --> jetty.threadPool.idleTimeout
# Output buffer size
jetty.output.buffer.size --> jetty.httpConfig.outputBufferSize
# Request header buffer size
jetty.request.header.size --> jetty.httpConfig.requestHeaderSize
# Response header buffer size
jetty.response.header.size --> jetty.httpConfig.responseHeaderSize
# Whether to send the Jetty version in the Server response header
jetty.send.server.version --> jetty.httpConfig.sendServerVersion
# Whether to send the Date response header
jetty.send.date.header --> jetty.httpConfig.sendDateHeader
# For requests with a body, delay dispatch to the handler until content has arrived
jetty.delayDispatchUntilContent --> jetty.httpConfig.delayDispatchUntilContent
# Dump the state of the server, its components and the webapps after startup
jetty.dump.start --> jetty.server.dumpAfterStart
# Dump the server state before shutdown
jetty.dump.stop --> jetty.server.dumpBeforeStop

Example replacements, using vi/vim (run them on the 9.2 start.ini; each :%s rewrites the first match on every line):

:%s/threads.min/jetty.threadPool.minThreads/

:%s/threads.max/jetty.threadPool.maxThreads/

:%s/threads.timeout/jetty.threadPool.idleTimeout/

:%s/jetty.output.buffer.size/jetty.httpConfig.outputBufferSize/

:%s/jetty.request.header.size/jetty.httpConfig.requestHeaderSize/

:%s/jetty.response.header.size/jetty.httpConfig.responseHeaderSize/

:%s/jetty.send.date.header/jetty.httpConfig.sendDateHeader/

:%s/jetty.delayDispatchUntilContent/jetty.httpConfig.delayDispatchUntilContent/

:%s/jetty.dump.start/jetty.server.dumpAfterStart/

:%s/jetty.dump.stop/jetty.server.dumpBeforeStop/

jetty.port, http.timeout and jetty.send.server.version from the table above need the same treatment; afterwards, grep the file for the old names to make sure nothing was missed.
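As an added example (not from the original post or from Jetty itself), the same renames as a script rather than a series of :%s commands. It only rewrites a name that occupies the whole left-hand side of a property line, so an already-migrated jetty.http.port line is left alone, and it reports what it changed and what is still left over. The sample 9.2 start.ini is constructed.

```python
"""Rename deprecated Jetty 9.2 start.ini properties to their 9.4 names.

Added example, not part of the original post or of Jetty. The mapping is the
one listed above; SAMPLE_92_INI is a constructed 9.2 start.ini.
"""
import re

RENAMES = {
    "jetty.port": "jetty.http.port",
    "http.timeout": "jetty.http.idleTimeout",
    "threads.min": "jetty.threadPool.minThreads",
    "threads.max": "jetty.threadPool.maxThreads",
    "threads.timeout": "jetty.threadPool.idleTimeout",
    "jetty.output.buffer.size": "jetty.httpConfig.outputBufferSize",
    "jetty.request.header.size": "jetty.httpConfig.requestHeaderSize",
    "jetty.response.header.size": "jetty.httpConfig.responseHeaderSize",
    "jetty.send.server.version": "jetty.httpConfig.sendServerVersion",
    "jetty.send.date.header": "jetty.httpConfig.sendDateHeader",
    "jetty.delayDispatchUntilContent": "jetty.httpConfig.delayDispatchUntilContent",
    "jetty.dump.start": "jetty.server.dumpAfterStart",
    "jetty.dump.stop": "jetty.server.dumpBeforeStop",
}

# "name=value" at the start of a line (optional -D prefix for system properties).
# Only a whole property name is matched, so the old "jetty.port" never touches an
# already migrated "jetty.http.port" line.
_PROP_LINE = re.compile(r"^(\s*(?:-D)?)([A-Za-z0-9_.]+)(\s*=)")


def migrate_start_ini(text):
    """Return (migrated_text, [(old, new), ...]). Unknown properties are kept."""
    out_lines, renamed = [], []
    for line in text.splitlines():
        m = _PROP_LINE.match(line)
        if m and m.group(2) in RENAMES:
            new = RENAMES[m.group(2)]
            renamed.append((m.group(2), new))
            line = m.group(1) + new + line[m.end(2):]
        out_lines.append(line)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out_lines) + trailer, renamed


def remaining_deprecated(text):
    """Sorted old names still used as property keys (empty after a full migration)."""
    hits = (_PROP_LINE.match(line) for line in text.splitlines())
    return sorted({m.group(2) for m in hits if m and m.group(2) in RENAMES})


# Constructed 9.2 start.ini: mixes old names, one already-new name and a -D line.
SAMPLE_92_INI = """\
# constructed 9.2 start.ini
--module=server
jetty.port=8080
http.timeout=30000
threads.min=10
threads.max=200
jetty.send.server.version=false
jetty.http.port=9090
-Djetty.dump.start=true
"""

if __name__ == "__main__":
    migrated, changes = migrate_start_ini(SAMPLE_92_INI)
    print(migrated)
    print("renamed:", changes)
    print("still deprecated:", remaining_deprecated(migrated))
```

Run it against a real file with migrate_start_ini(open(path).read()) and write the result to a new file; remaining_deprecated() on the output is the check that the grep step above performs by hand.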

2. SameSite can be configured (no need to add it in code any more)

Configuration file: etc/webdefault.xml
Inside cookie-config, a
<comment>__SAME_SITE_NONE__</comment>
element now sets the SameSite attribute of the session cookie. Jetty 9.4 recognizes three sentinel values in the comment:
Strict: __SAME_SITE_STRICT__
None: __SAME_SITE_NONE__
Lax: __SAME_SITE_LAX__

Browsers only accept a SameSite=None cookie that also carries Secure, so keep <secure>true</secure> whenever __SAME_SITE_NONE__ is used. webdefault.xml applies to every webapp unless its own web.xml overrides the cookie-config.

<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
        <comment>__SAME_SITE_NONE__</comment>
    </cookie-config>
</session-config>
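Added example, not from the original post or from Jetty: derive the intended cookie attributes from a webdefault.xml cookie-config (including the __SAME_SITE_*__ sentinel) and check a Set-Cookie header captured from the running server against them. The XML fragment and the Set-Cookie values are constructed; the sentinel names are the ones Jetty 9.4 recognizes.

```python
"""Check session cookies against the policy declared in webdefault.xml.

Added example, not part of the original post or of Jetty. WEBDEFAULT_FRAGMENT
and the Set-Cookie headers in __main__ are constructed.
"""
import xml.etree.ElementTree as ET

# Comment sentinels Jetty 9.4 turns into a SameSite attribute.
SAME_SITE_SENTINELS = {
    "__SAME_SITE_STRICT__": "Strict",
    "__SAME_SITE_LAX__": "Lax",
    "__SAME_SITE_NONE__": "None",
}


def _local(tag):
    """Strip the Java EE namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def cookie_policy(webdefault_xml):
    """Return {'secure': bool, 'http_only': bool, 'same_site': str|None}."""
    policy = {"secure": False, "http_only": False, "same_site": None}
    for el in ET.fromstring(webdefault_xml).iter():
        if _local(el.tag) != "cookie-config":
            continue
        for child in el:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "secure":
                policy["secure"] = text.lower() == "true"
            elif name == "http-only":
                policy["http_only"] = text.lower() == "true"
            elif name == "comment":
                policy["same_site"] = SAME_SITE_SENTINELS.get(text)
    return policy


def audit_set_cookie(header, policy):
    """Return findings (empty list = OK) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in parts[1:]:                      # parts[0] is name=value
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    findings = []
    if policy["secure"] and "secure" not in attrs:
        findings.append("missing Secure")
    if policy["http_only"] and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    same_site = attrs.get("samesite")
    want = policy["same_site"]
    if want and (same_site or "").lower() != want.lower():
        findings.append("expected SameSite=%s, got %s" % (want, same_site or "(absent)"))
    # Browsers drop SameSite=None cookies that are not also Secure.
    if (same_site or "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure is rejected by browsers")
    return findings


# Constructed fragment mirroring the cookie-config shown above.
WEBDEFAULT_FRAGMENT = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
      <comment>__SAME_SITE_NONE__</comment>
    </cookie-config>
  </session-config>
</web-app>
"""

if __name__ == "__main__":
    policy = cookie_policy(WEBDEFAULT_FRAGMENT)
    for hdr in ("JSESSIONID=node0abc.node0; Path=/; Secure; HttpOnly; SameSite=None",
                "JSESSIONID=node0abc.node0; Path=/; HttpOnly; SameSite=None"):
        print(hdr, "->", audit_set_cookie(hdr, policy) or "OK")
```

Feed it the Set-Cookie line from a real response (for example from curl -si against the HTTPS connector) to confirm the policy reached the browser; the most common failure after this change is a Secure cookie that never gets set because the request came in over plain HTTP.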

3. The SSL configuration has moved

That is the sslContextFactory configuration, where the HTTPS certificate is set up.
It used to live in jetty-ssl.xml; in 9.4 it is in jetty-ssl-context.xml.
An online JKS generator was linked here. Generate keystores locally with keytool instead: a private key produced by a web service has already left your control.

Property                             Deprecated name            Default       Description
jetty.sslContext.keyStorePath        jetty.keystore             etc/keystore  Path of the keystore holding the server certificate and key
jetty.sslContext.trustStorePath      jetty.truststore           etc/keystore  Path of the truststore (by default the same file as the keystore)
jetty.sslContext.keyStorePassword    jetty.keystore.password    (n/a)         Keystore password; when set with <Set>, the old setter name was KeyStorePassword
jetty.sslContext.keyManagerPassword  jetty.keymanager.password  (n/a)         Key (key manager) password; when set with <Set>, the old setter name was KeyManagerPassword

Do not forget the cipher-suite exclusions either; they still belong under sslContextFactory. The example below is a generic restriction list. Two caveats before copying it into 9.4: <Set name="ExcludeCipherSuites"> replaces Jetty's built-in default exclusions (which already drop every SSL_* suite, every suite ending in _SHA, _SHA1 or _MD5, the TLS_RSA_* suites without forward secrecy, and NULL and anon suites), so an explicit list like this one can weaken the default; use <Call name="addExcludeCipherSuites"> with the same <Arg><Array> to add to the defaults instead. And since each entry is treated as a regular expression matched against the full suite name, the DHE entries below only cover the CBC variants; a pattern such as ^TLS_DHE_.*$ removes DHE key exchange entirely.

  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <!-- Disable cipher suites with Diffie-Hellman key exchange to prevent Logjam attack and avoid the ssl_error_weak_server_ephemeral_dh_key error in recent browsers -->
      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
    </Array>
  </Set>
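Added example, not from the original post or from Jetty: a re-implementation of how SslContextFactory applies include and exclude lists (each entry compiled as a regular expression and matched against the whole suite name; includes are processed in list order, then excludes are removed), used to compare the explicit list above with the 9.4 default exclusions. SUPPORTED is a constructed subset of what a Java 8 JVM reports and is treated as both the supported and the enabled set, which is a simplification of Jetty's two-list logic.

```python
"""Reproduce Jetty's cipher-suite include/exclude selection.

Added example, not part of the original post or of Jetty. PAGE_EXCLUDES is the
list from the XML above; JETTY_94_DEFAULT_EXCLUDES are the SslContextFactory
defaults in 9.4; SUPPORTED is a constructed subset of JVM cipher suites.
"""
import re

PAGE_EXCLUDES = [
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]

# What SslContextFactory excludes in 9.4 when nothing is configured.
JETTY_94_DEFAULT_EXCLUDES = [
    "^.*_(MD5|SHA|SHA1)$",   # weak hashes / CBC-SHA1 suites
    "^TLS_RSA_.*$",          # static RSA key exchange: no forward secrecy
    "^SSL_.*$",
    "^.*_NULL_.*$",
    "^.*_anon_.*$",
]

# Constructed subset of a Java 8 JVM's supported suites.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]


def _matches_any(name, patterns):
    # Jetty compiles every entry as a regex; a literal suite name matches itself.
    return any(re.fullmatch(p, name) for p in patterns)


def select_cipher_suites(supported, includes=(), excludes=()):
    """Includes (in pattern order, all if empty), then excludes removed."""
    if includes:
        selected = []
        for pattern in includes:
            for suite in supported:
                if re.fullmatch(pattern, suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(supported)
    return [s for s in selected if not _matches_any(s, excludes)]


if __name__ == "__main__":
    print("page list      :", select_cipher_suites(SUPPORTED, excludes=PAGE_EXCLUDES))
    print("9.4 defaults   :", select_cipher_suites(SUPPORTED, excludes=JETTY_94_DEFAULT_EXCLUDES))
    print("defaults, no DHE:", select_cipher_suites(
        SUPPORTED, excludes=JETTY_94_DEFAULT_EXCLUDES + ["^TLS_DHE_.*$"]))
```

With the page's list alone, TLS_RSA_*, NULL and anon suites and DHE GCM suites all survive; with the 9.4 defaults only the ECDHE/DHE AEAD suites remain, and one extra ^TLS_DHE_.*$ pattern is enough to drop DHE altogether. Because includes keep pattern order, jetty.sslContext.useCipherSuitesOrder=true is what makes that ordering reach the handshake.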

4. What can be configured in start.d

Many of the basic properties that used to require editing the XML files can be set here.
The following command lists the available modules and their properties; only the ones I actually use are covered below.
java -jar $JETTY_HOME/start.jar --list-all-modules
When not running from inside the base directory, pass it explicitly, e.g.:
java -jar $JETTY_HOME/start.jar --create-startd jetty.base=/opt/jetty_home
All of this could of course go in start.ini, but one file per module is clearer.

1) Initialize the start.d directory (--create-startd)

java -jar $JETTY_HOME/start.jar --create-startd
This creates the start.d directory that holds the per-module ini files; an existing start.ini in jetty.base is moved into start.d.

2) Initialize the deploy module (deploy)

java -jar $JETTY_HOME/start.jar --add-to-start=deploy
Because the earlier start.ini was moved into start.d, deploy is reported as already enabled:

INFO  : deploy already enabled by [${jetty.base}/start.d/start.ini]
INFO  : Base directory was not modified

3) Configure the http/https/ssl modules (http,https,ssl)

java -jar ./start.jar --add-to-start=http,https,ssl
All three at once: hardly anyone runs without HTTPS any more, and enabling them together saves pairing the connectors up in the XML by hand.
Cipher-suite inclusions and exclusions, however, still have to be configured in the SslContextFactory XML (etc/jetty-ssl-context.xml).

INFO  : http already enabled by [${jetty.base}/start.d/start.ini]
INFO  : https           initialized in ${jetty.base}/start.d/https.ini
INFO  : ssl             initialized in ${jetty.base}/start.d/ssl.ini
COPY  : ${jetty.base}/modules/ssl/keystore to ${jetty.base}/etc/keystore
INFO  : Base directory was modified

The first line appears because the module was already enabled in start.ini, so no http.ini is created.
The COPY line installs the demo keystore shipped with Jetty; its passwords are public (they are the OBF: values in ssl.ini below), so replace it with your own keystore before exposing the port.

http.ini (default contents)

In practice only jetty.http.port usually needs changing:

--module=http

### HTTP Connector Configuration

## Connector host/address to bind to
# jetty.http.host=0.0.0.0

## Connector port to listen on
# jetty.http.port=8080

## Connector idle timeout in milliseconds
# jetty.http.idleTimeout=30000

## Number of acceptors (-1 picks default based on number of cores)
# jetty.http.acceptors=-1

## Number of selectors (-1 picks default based on number of cores)
# jetty.http.selectors=-1

## ServerSocketChannel backlog (0 picks platform default)
# jetty.http.acceptQueueSize=0

## Thread priority delta to give to acceptor threads
# jetty.http.acceptorPriorityDelta=0

## Reserve threads for high priority tasks (-1 use a heuristic, 0 no reserved threads)
# jetty.http.reservedThreads=-1

## Connect Timeout in milliseconds
# jetty.http.connectTimeout=15000

## HTTP Compliance: RFC7230, RFC2616, LEGACY
# jetty.http.compliance=RFC7230
https.ini and ssl.ini

https.ini
only enables the module; the connector itself is configured in etc/jetty-https.xml.
ssl.ini
covers the properties the https connector needs as well; anything it cannot express is set in etc/jetty-ssl.xml (the connector) or etc/jetty-ssl-context.xml (the SslContextFactory), which read these properties.

About ssl.ini

The properties that usually need updating are:
1. jetty.ssl.port (default 8443)
2. jetty.sslContext.keyStorePath (default etc/keystore)
3. jetty.sslContext.trustStorePath (default etc/keystore, the same file)
4. jetty.sslContext.keyStorePassword (default an OBF: value)
5. jetty.sslContext.keyManagerPassword (default an OBF: value)
6. jetty.sslContext.trustStorePassword (default an OBF: value)
The default OBF: values belong to Jetty's demo keystore and are public. OBF: only hides a password from a casual glance and is reversible, so protect ssl.ini with file permissions (and keep it out of version control) rather than relying on the encoding.

ssl.ini default contents

--module=ssl

### TLS(SSL) Connector Configuration

## Connector host/address to bind to
# jetty.ssl.host=0.0.0.0

## Connector port to listen on
# jetty.ssl.port=8443

## Connector idle timeout in milliseconds
# jetty.ssl.idleTimeout=30000

## Number of acceptors (-1 picks default based on number of cores)
# jetty.ssl.acceptors=-1

## Number of selectors (-1 picks default based on number of cores)
# jetty.ssl.selectors=-1

## ServerSocketChannel backlog (0 picks platform default)
# jetty.ssl.acceptQueueSize=0

## Thread priority delta to give to acceptor threads
# jetty.ssl.acceptorPriorityDelta=0

## The requested maximum length of the queue of incoming connections.
# jetty.ssl.acceptQueueSize=0

## Enable/disable the SO_REUSEADDR socket option.
# jetty.ssl.reuseAddress=true

## Enable/disable TCP_NODELAY on accepted sockets.
# jetty.ssl.acceptedTcpNoDelay=true

## The SO_RCVBUF option to set on accepted sockets. A value of -1 indicates that it is left to its default value.
# jetty.ssl.acceptedReceiveBufferSize=-1

## The SO_SNDBUF option to set on accepted sockets. A value of -1 indicates that it is left to its default value.
# jetty.ssl.acceptedSendBufferSize=-1

## Connect Timeout in milliseconds
# jetty.ssl.connectTimeout=15000

## Whether SNI is required for all secure connections. Rejections are in TLS handshakes.
# jetty.sslContext.sniRequired=false

## Whether SNI is required for all secure connections. Rejections are in HTTP 400 response.
# jetty.ssl.sniRequired=false

## Whether request host names are checked to match any SNI names
# jetty.ssl.sniHostCheck=true

## max age in seconds for a Strict-Transport-Security response header (default -1)
# jetty.ssl.stsMaxAgeSeconds=31536000

## include subdomain property in any Strict-Transport-Security header (default false)
# jetty.ssl.stsIncludeSubdomains=true

### SslContextFactory Configuration
## Note that OBF passwords are not secure, just protected from casual observation
## See https://eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html

## The Endpoint Identification Algorithm
## Same as javax.net.ssl.SSLParameters#setEndpointIdentificationAlgorithm(String)
#jetty.sslContext.endpointIdentificationAlgorithm=

## SSL JSSE Provider
# jetty.sslContext.provider=

## KeyStore file path (relative to $jetty.base)
# jetty.sslContext.keyStorePath=etc/keystore
## KeyStore absolute file path
# jetty.sslContext.keyStoreAbsolutePath=${jetty.base}/etc/keystore

## TrustStore file path (relative to $jetty.base)
# jetty.sslContext.trustStorePath=etc/keystore
## TrustStore absolute file path
# jetty.sslContext.trustStoreAbsolutePath=${jetty.base}/etc/keystore

## KeyStore password
# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4

## KeyStore type and provider
# jetty.sslContext.keyStoreType=JKS
# jetty.sslContext.keyStoreProvider=
# jetty.sslContext.keyStoreProvider=

## KeyManager password
# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g

## TrustStore password
# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4

## TrustStore type and provider
# jetty.sslContext.trustStoreType=JKS
# jetty.sslContext.trustStoreProvider=

## whether client certificate authentication is required
# jetty.sslContext.needClientAuth=false

## Whether client certificate authentication is desired
# jetty.sslContext.wantClientAuth=false

## Whether cipher order is significant (since java 8 only)
# jetty.sslContext.useCipherSuitesOrder=true

## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at
## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

## Set the size of the SslSession cache
# jetty.sslContext.sslSessionCacheSize=-1

## Set the timeout (in seconds) of the SslSession cache timeout
# jetty.sslContext.sslSessionTimeout=-1

## Allow SSL renegotiation
# jetty.sslContext.renegotiationAllowed=true
# jetty.sslContext.renegotiationLimit=5
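Added example, not from the original post or from Jetty: a Python re-implementation of the OBF: encoding used by org.eclipse.jetty.util.security.Password, to make the "OBF passwords are not secure" note above concrete. It recovers the clear text of the demo values quoted in ssl.ini and scans an ini excerpt (constructed here from the lines above, commented out as shipped) for every OBF: property.

```python
"""Reverse Jetty's OBF: password encoding.

Added example, not part of the original post or of Jetty; it re-implements the
obfuscate/deobfuscate algorithm of org.eclipse.jetty.util.security.Password.
SSL_INI_EXCERPT is constructed from the ssl.ini defaults quoted above.
"""
import re

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = _B36[r] + digits
    return digits or "0"


def obfuscate(password):
    """Encode like Password.obfuscate(): chunk i mixes byte i with byte n-1-i.
    There is no key anywhere, only arithmetic, so it is reversible by anyone."""
    b = password.encode("utf-8")
    n = len(b)
    chunks = ["OBF:"]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:            # non-ASCII bytes use the 'U' form
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(obf):
    """Decode an OBF: value back to the clear-text password."""
    if obf.startswith("OBF:"):
        obf = obf[4:]
    out = bytearray()
    i = 0
    while i < len(obf):
        if obf[i] == "U":
            out.append(int(obf[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(obf[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)   # (127+b1+b2) + (127+b1-b2) - 254 = 2*b1
            i += 4
    return out.decode("utf-8")


# Property lines carrying an OBF: value, whether active or commented out.
_OBF_PROP = re.compile(r"^\s*#?\s*([\w.]+)\s*=\s*(OBF:[0-9a-zA-Z]+)\s*$", re.M)


def reveal_obf_passwords(ini_text):
    """Map every property holding an OBF: value to its clear text."""
    return {name: deobfuscate(value) for name, value in _OBF_PROP.findall(ini_text)}


# Constructed from the ssl.ini defaults quoted above (Jetty's demo keystore values).
SSL_INI_EXCERPT = """\
## KeyStore password
# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
## KeyManager password
# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g
## TrustStore password
# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
"""

if __name__ == "__main__":
    for name, clear in reveal_obf_passwords(SSL_INI_EXCERPT).items():
        print(name, "=", clear)
```

Pointing reveal_obf_passwords() at your own start.d/ssl.ini is a useful pre-deployment check: anything it prints is readable by everyone who can read the file, so the real control is the file mode on start.d and the keystore, not the OBF: prefix.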

4) Configure the logging module (console-capture)

java -jar ./start.jar --add-to-start=console-capture
This captures console output into the logs directory.

Default contents:

--module=console-capture

## Logging directory (relative to $jetty.base)
# jetty.console-capture.dir=./logs

## Whether to append to existing file
# jetty.console-capture.append=true

## How many days to retain old log files
# jetty.console-capture.retainDays=90

## Timezone of the log timestamps
# jetty.console-capture.timezone=GMT

jetty.console-capture.append defaults to true, so a restart appends to the current day's file instead of starting a new one; the file still rolls daily and old files are removed after retainDays. Keeping the default is recommended.

5) Disable automatic deployment

java -jar start.jar --disable=deploy
Equivalently, delete or rename start.d/deploy.ini (or remove the --module=deploy line from start.ini). New WAR files dropped into webapps/ are then no longer deployed automatically.

5. Things to turn off

1. Disable directory listing

  1. Open etc/webdefault.xml under the Jetty home directory
  2. Find the dirAllowed init-param of <servlet-name>default</servlet-name> and set it to false (the DefaultServlet's own default is true, so a missing parameter means listings are on)

    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>

2. Disable the version string

1. Open etc/jetty.xml under the Jetty home directory
2. Locate sendServerVersion and set the value to false

   <Set name="sendServerVersion"><Property name="jetty.httpConfig.sendServerVersion" deprecated="jetty.send.server.version" default="false" /></Set>

In 9.4 the same result is obtained without editing jetty.xml by putting jetty.httpConfig.sendServerVersion=false in start.ini or start.d (the property read by the <Property> element above); that setting survives a later upgrade of jetty.home, whereas an edited jetty.xml does not.
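Added example, not from the original post or from Jetty: a check for the two settings this section turns off, reading dirAllowed from a webdefault.xml and the effective sendServerVersion from jetty.xml plus an optional start.ini/start.d override. The XML and ini fragments are constructed to mirror the files quoted above.

```python
"""Audit directory listing and Server-version disclosure in Jetty config.

Added example, not part of the original post or of Jetty. WEBDEFAULT_HARDENED
and JETTY_XML are constructed fragments mirroring the files quoted above.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the Java EE namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def dir_listing_allowed(webdefault_xml):
    """dirAllowed of the 'default' servlet; True when absent (DefaultServlet's default)."""
    for servlet in ET.fromstring(webdefault_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            kv = {_local(p.tag): (p.text or "").strip() for p in ip}
            if kv.get("param-name") == "dirAllowed":
                return kv.get("param-value", "").lower() == "true"
        return True
    return True


def _ini_properties(ini_text):
    props = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def send_server_version(jetty_xml, ini_text=""):
    """Effective value: a start.ini/start.d property beats the <Property default>."""
    props = _ini_properties(ini_text)
    for el in ET.fromstring(jetty_xml).iter("Set"):
        if el.get("name") != "sendServerVersion":
            continue
        prop = el.find("Property")
        if prop is None:
            return (el.text or "").strip().lower() == "true"
        for key in (prop.get("name"), prop.get("deprecated")):
            if key in props:
                return props[key].lower() == "true"
        return (prop.get("default") or "").lower() == "true"
    return True   # HttpConfiguration's own default


def hardening_findings(webdefault_xml, jetty_xml, ini_text=""):
    findings = []
    if dir_listing_allowed(webdefault_xml):
        findings.append("directory listing enabled: set dirAllowed=false on the default servlet")
    if send_server_version(jetty_xml, ini_text):
        findings.append("Server header reveals the Jetty version: set jetty.httpConfig.sendServerVersion=false")
    return findings


# Constructed fragments.
WEBDEFAULT_HARDENED = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

JETTY_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="sendServerVersion"><Property name="jetty.httpConfig.sendServerVersion" deprecated="jetty.send.server.version" default="true" /></Set>
  </New>
</Configure>
"""

if __name__ == "__main__":
    print(hardening_findings(WEBDEFAULT_HARDENED, JETTY_XML))
    print(hardening_findings(WEBDEFAULT_HARDENED, JETTY_XML,
                             "jetty.httpConfig.sendServerVersion=false\n"))
```

Run it with the real etc/webdefault.xml, etc/jetty.xml and the concatenation of start.ini and start.d/*.ini; an empty list means both disclosures are off in the configuration, which you can then confirm on the wire with a request for a directory URL and a look at the Server header.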