From field experience I must affirm that one of the most robust and stable combinations is Java application servers + reverse proxies. Although some of the functionality clearly overlaps, I tend to put a reverse proxy in front of the application server for the following reasons (please see the NGINX page for more details):
- Load balancing: The reverse proxy acts as a traffic cop and can be used as an API gateway for clustered instances/backing services.
- Web acceleration: Most of our applications nowadays use SPA frameworks, hence it is worth caching all the js/css/html files and freeing the application server from this responsibility.
- Security: Every HTTP request passes through the reverse proxy before it reaches the application server, so request filtering, rate limiting and access rules can be enforced at a single choke point, and the application server itself never has to be reachable from the Internet.
- SSL management: It is easier to install/manage/deploy PEM certificates and keys (the format OpenSSL and certbot produce) in Apache/NGINX than Java KeyStores. Besides this, certbot, the Let's Encrypt client, officially supports NGINX through a plugin.
Requirements
To demonstrate this setup, this tutorial combines the following stack in the classic (non-Docker) way, but most of the concepts should also be useful for Docker deployments:
- Payara 5 as application server
- NGINX as reverse proxy
- Let's Encrypt SSL certificates
This tutorial assumes a clean Oracle Linux 7.x (7.6) box, and the tests were executed on Oracle Cloud as the root user.
Preparing the OS
Since Oracle Linux is binary compatible with RHEL, the EPEL repository will be added to get access to certbot (the Let's Encrypt client) and NGINX. It is also useful to update the OS as a previous step:
yum -y update
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Setting up Payara 5
To install the Payara application server a few dependencies are needed, particularly a Java runtime. OpenJDK, for example, is included in the Oracle Linux repositories:
yum -y install java-1.8.0-openjdk-headless
yum -y install wget
yum -y install unzip
Once all dependencies are installed, Payara can be downloaded, unzipped and installed. It will be placed under /opt, following the standard Linux convention for third-party packages:
cd /opt
wget -O payara-5.191.zip https://search.maven.org/remotecontent?filepath=fish/payara/distributions/payara/5.191/payara-5.191.zip
unzip payara-5.191.zip
rm payara-5.191.zip
Create a dedicated, unprivileged payara user to administer the domain and to run Payara as a Linux service under systemd (the server should never run as root):
adduser payara
chown -R payara:payara payara5
echo 'export PATH=$PATH:/opt/payara5/glassfish/bin' >> /home/payara/.bashrc
chown payara:payara /home/payara/.bashrc
A systemd unit is also needed:
echo '[Unit]
Description = Payara Server v5
After = syslog.target network.target
[Service]
User=payara
ExecStart = /usr/bin/java -jar /opt/payara5/glassfish/lib/client/appserver-cli.jar start-domain
ExecStop = /usr/bin/java -jar /opt/payara5/glassfish/lib/client/appserver-cli.jar stop-domain
ExecReload = /usr/bin/java -jar /opt/payara5/glassfish/lib/client/appserver-cli.jar restart-domain
Type = forking
[Install]
WantedBy = multi-user.target' > /etc/systemd/system/payara.service
systemctl enable payara
In addition, if remote administration is required, set an admin password (the default admin password is empty, and enable-secure-admin refuses to run while it is) and then enable secure admin, which makes the admin console and remote asadmin calls require authentication over TLS:
sudo -u payara /opt/payara5/bin/asadmin --host localhost --port 4848 change-admin-password
systemctl start payara
sudo -u payara /opt/payara5/bin/asadmin --host localhost --port 4848 enable-secure-admin
systemctl restart payara
The default Oracle Cloud configuration creates a VNIC attached to your instance, so you should check the VCN security list rules to allow access to the required ports.
By default, Oracle Linux instances ship with a restrictive firewall and SELinux policy, so the ports should be opened with firewalld, the permanent rules must be reloaded to take effect, and SELinux should be configured to allow the reverse proxy to open outbound connections to the application server:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-port=4848/tcp
firewall-cmd --reload
setsebool -P httpd_can_network_connect 1
This opens access to http + https + the Payara admin port. Note that Payara's own 8080 listener is deliberately not opened, so clients can only reach the application through NGINX. Only open 4848 if you really need remote administration; otherwise leave it closed and reach the admin console through an SSH tunnel, since an exposed admin port is the most valuable target on this host.
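Before moving on, it is worth checking what the host actually exposes after those rules. The script below is an added example and is not part of the original tutorial: it audits listening sockets against the firewall configuration and flags the Payara admin port, and it emits the firewalld commands that replace the blanket 4848 opening with a source-restricted rich rule. The ss and firewall-cmd output embedded in it is constructed sample data shaped like the output of `ss -Hltn`, `firewall-cmd --list-services` and `firewall-cmd --list-ports` on this setup, and the management address 203.0.113.10/32 is a placeholder.

```bash
#!/bin/sh
# Added example (not from the original tutorial): audit which ports of the
# Payara + NGINX host are reachable from outside and flag the admin port.

# Ports used by this stack (the tutorial's values).
PAYARA_HTTP_PORT=8080
PAYARA_ADMIN_PORT=4848

# Constructed sample: what `ss -Hltn` shows after the tutorial's steps.
# Payara binds 8080 and 4848 on all interfaces, NGINX 80/443, sshd 22.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 *:4848 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample: `firewall-cmd --list-services` and `--list-ports`
# after the http/https/4848 rules above have been applied.
SAMPLE_SERVICES='ssh dhcpv6-client http https'
SAMPLE_PORTS='4848/tcp'

# firewall_open_tcp SERVICES PORTS
# Prints the TCP ports firewalld lets through, resolving the three
# services this tutorial uses; anything else (e.g. dhcpv6-client, UDP) is ignored.
firewall_open_tcp() {
  acc=""
  for s in $1; do
    case "$s" in
      ssh)   acc="$acc 22" ;;
      http)  acc="$acc 80" ;;
      https) acc="$acc 443" ;;
    esac
  done
  for p in $2; do
    case "$p" in
      */tcp) acc="$acc ${p%/tcp}" ;;
    esac
  done
  echo $acc
}

# audit_listeners SS_TEXT OPEN_PORTS
# For every listening TCP socket prints "<port> <bind address> <verdict>":
#   loopback-only          bound to 127.0.0.1/::1, unreachable from outside
#   firewalled             bound to a public address but blocked by firewalld
#   EXPOSED                reachable from outside
#   EXPOSED-ADMIN          the Payara admin port is reachable from outside
#   EXPOSED-BYPASSES-PROXY Payara's HTTP port is reachable, skipping NGINX
audit_listeners() {
  printf '%s\n' "$1" | awk -v open=" $2 " -v admin="$PAYARA_ADMIN_PORT" -v app="$PAYARA_HTTP_PORT" '
    NF >= 4 {
      # $4 is Local Address:Port; split on the last colon so [::]:22 works too
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") verdict = "loopback-only"
      else if (index(open, " " port " ") > 0) verdict = "EXPOSED"
      else verdict = "firewalled"
      if (verdict == "EXPOSED" && port == admin) verdict = "EXPOSED-ADMIN"
      if (verdict == "EXPOSED" && port == app) verdict = "EXPOSED-BYPASSES-PROXY"
      print port, addr, verdict
    }'
}

# admin_lockdown_cmds CIDR
# Prints (does not run) the firewalld commands that drop the blanket 4848
# rule and allow the admin port only from the given management network.
admin_lockdown_cmds() {
  cat <<EOF
firewall-cmd --zone=public --permanent --remove-port=${PAYARA_ADMIN_PORT}/tcp
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="$1" port port="${PAYARA_ADMIN_PORT}" protocol="tcp" accept'
firewall-cmd --reload
EOF
}

# Stand-alone run over the constructed samples: 4848 shows up as
# EXPOSED-ADMIN and 8080 as firewalled (reachable only through NGINX).
audit_listeners "$SAMPLE_SS" "$(firewall_open_tcp "$SAMPLE_SERVICES" "$SAMPLE_PORTS")"
echo "--- to restrict the admin port to a management address (placeholder CIDR):"
admin_lockdown_cmds 203.0.113.10/32
```

On a real host replace the constructed samples with `"$(ss -Hltn)"`, `"$(firewall-cmd --list-services)"` and `"$(firewall-cmd --list-ports)"`; the check only inspects the local firewall, so the Oracle Cloud security list still has to be reviewed separately.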
Setting up NGINX reverse proxy
NGINX is available from EPEL:
yum -y install nginx
systemctl enable nginx
At this point you will need a FQDN pointing at the server, otherwise the Let's Encrypt validation will not work. For this tutorial the domain ocl.nabenik.com will be used. If your domain has propagated correctly you should see the default NGINX welcome page when you browse to it.
Don't worry about the Fedora logo on that page: it comes from the EPEL package, but you are running Oracle Linux :).
Now it is time to set up NGINX as a reverse proxy. A sensible deployment choice is to create a /etc/nginx/sites-available and /etc/nginx/sites-enabled structure in the NGINX configuration, in order to isolate and manage multiple domains (aka virtual hosts) on the same instance:
mkdir -p /etc/nginx/sites-available
mkdir -p /etc/nginx/sites-enabled
mkdir -p /var/www/ocl.nabenik.com/
chown -R nginx:nginx /var/www/ocl.nabenik.com
echo 'server {
    server_name ocl.nabenik.com;
    gzip on;
    gzip_types text/css text/javascript application/javascript text/plain application/xml;
    gzip_min_length 1000;
    # ACME http-01 challenges are served from disk and must never be proxied to Payara
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/ocl.nabenik.com/;
        default_type "text/plain";
        try_files $uri =404;
    }
    location / {
        proxy_pass http://localhost:8080;
        # Forward the original host, client address and scheme, otherwise Payara
        # only ever sees 127.0.0.1 and plain http in its logs and redirects
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    listen 80;
}' > /etc/nginx/sites-available/ocl.nabenik.com.conf
To enable the new host, a symbolic link is created in sites-enabled:
ln -s /etc/nginx/sites-available/ocl.nabenik.com.conf /etc/nginx/sites-enabled/ocl.nabenik.com.conf
After that, add the following line to /etc/nginx/nginx.conf. It must go inside the http { } block (for example just before its closing brace), not after the end of the file, otherwise NGINX will refuse the configuration:
include /etc/nginx/sites-enabled/*.conf;
It is also useful to check the configuration with nginx -t before applying it; if everything is correct, after reloading NGINX (systemctl reload nginx) requests to the domain should reach Payara.
Setting up Let's Encrypt
Once the reverse proxy is working, certbot should be enough to add the SSL certificate. The NGINX plugin answers the ACME challenge itself under ^~ /.well-known/acme-challenge/, which is why that path had to be excluded from the proxy (as shown in the previous configuration step):
yum install -y certbot-nginx
certbot --nginx -d ocl.nabenik.com
One of the caveats of using certbot is its dependency on the Python version. If you run into any issues, an alternative is to install it with pip:
yum install -y python-pip
pip install certbot-nginx
certbot --nginx -d ocl.nabenik.com
If everything goes well, you should see the Payara page served over SSL.
Last but not least, Let's Encrypt certificates are only valid for 90 days, so you should add the certificate renewal as a cron task (crontab -e). certbot renew only renews certificates that are close to expiry, and the NGINX plugin reloads NGINX after a successful renewal; run certbot renew --dry-run once by hand to confirm the renewal works before relying on the cron entry:
15 3 * * * /usr/bin/certbot renew --quiet