The previous article introduced a mobile toolbox app I developed recently. Its installation package is published only on the Huawei AppGallery, so anyone without the Huawei app store cannot download it. Setting up a server to host the download is simple in itself; here I raise the bar to something closer to a "production" standard and do a bit more, and this article records the process.

First, the environment: Tencent Cloud, CentOS 7.5 64-bit, with the server side written in Java, specifically Springboot. An outline of what follows:

  • Remote connection to the server
  • Basic server security configuration
    • Prohibit the root user from logging in directly
    • Disable login on port 22
    • Beware of accounts with empty passwords
    • Set the password expiration time
    • Set password complexity requirements
    • Disable ping to the server
    • Most importantly, prevent rm -rf
  • Set up the production server environment
    • Install the FTP service
    • Connect to the FTP server
    • Install the JDK
    • Set up the Springboot environment
  • Release the application
    • Start the Springboot program on the server
    • Specify JVM startup parameters
    • Write the server startup script
    • Configure the domain name

1. This section describes the remote connection mode of the server

For Tencent Cloud, one option is to log in through the web shell provided in the Tencent Cloud console. That gives you an SSH session, but it is inconvenient for uploading files over FTP. The web shell is usable enough, but I generally recommend Xshell for SSH and Xftp for FTP. Reply [server connection software] in the background of my WeChat public account to get the packaged tools.

The first thing to do with a new server is to reset the password in the console. For the sake of security choose a complex one: at least 8 characters with uppercase letters, lowercase letters and digits, no dictionary words, and nothing derived from your name or date of birth.

After resetting the password as described above, you can log in. Here, Xshell is used to log in. The login method is relatively simple and will be skipped here.

2. Perform basic server security configurations

2.1 Prohibit the root user from directly logging in to the server

Why disable root login? First, the root user name is known to everyone, so allowing it to log in gives an attacker half of the credential for free. Second, root has unrestricted privileges, so neither the server owner nor collaborating developers should operate the server as root directly: one mistake as root can do fatal damage.

Before disallowing root login, add a new administrator user:

# Step 1: Create a new user
adduser the_xxx_admin
# Step 2: Set the user's password. It should meet the requirements above
passwd the_xxx_admin
# Step 3: Add the user to the wheel group so that it can use su/sudo
gpasswd -a the_xxx_admin wheel

This adds an administrator named the_xxx_admin (pick something less generic than admin) and puts it in the wheel group. wheel is a special Linux group intended for su authorization: only members of wheel can su to root, and a user outside the group cannot switch to root even with the correct root password. The wheel group also has sudo rights, as you can see by reading /etc/sudoers.

After adding a new user and granting sudo permission, we can disable root user login:

  1. Edit /etc/ssh/sshd_config and change #PermitRootLogin yes to PermitRootLogin no;
  2. Run service sshd restart to restart the SSH service, then verify that root can no longer log in.

To edit the file, run vim /etc/ssh/sshd_config, type /PermitRootLogin to jump to the line containing #PermitRootLogin yes, press a to enter insert mode, make the change, then save and exit with :wq!.

After the restart, try to log in as root: the connection is rejected immediately. Then log in as the new user.

2.2 Disabling Login on Port 22

Port 22 is the well-known SSH port, so moving SSH to another port reduces the amount of automated attack traffic you receive. The login port is also changed in /etc/ssh/sshd_config. First add a new port; a number above 10000 is recommended. Keep port 22 in place until the new port has been confirmed to work, and only then remove it. One more thing to be careful about: before testing the new port, open it in the firewall. If the firewall is off, the port works directly; but if the firewall is enabled and the port has not been opened, the firewall blocks it and you lock yourself out of your own server.

Editing /etc/ssh/sshd_config with vim as the new user gives "Permission denied"; use sudo:

sudo vim /etc/ssh/sshd_config

su is the counterpart of sudo. The difference is that sudo asks for the current user's password, while su asks for the password of the user you are switching to. sudo is the better choice: with su, letting a user become root means that user must know the root password, which is clearly unsafe once many people know it. sudo only verifies the identity of the current user; if that user has been granted root rights in sudoers, it can switch to root without ever being told the root password. The sudoers file can also restrict which commands a user may run and increase the logging of what users do.

Enter insert mode, locate Port 22 and add a new line Port 10022 below it:

Port 22
Port 10022

Then open port 10022 in the firewall as described above and restart the SSH service:

systemctl restart sshd    # or: service sshd restart

Log in through port 10022. If that succeeds, comment out Port 22, restart sshd again and try to log in on port 22 to confirm that it is now closed.

In my case, logging in through port 22 again shows "Connection failed".

2.3 Beware of accounts with empty passwords

An account with an empty password increases system security risks. Use the following command to query:

awk -F: '($2==""){print $1}' /etc/shadow

In addition, disable login with an empty password in the SSH configuration file /etc/ssh/sshd_config:

PermitEmptyPasswords no
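As an added example that is not part of the original article: a small POSIX sh checker for the three sshd_config changes made in sections 2.1 to 2.3 (PermitRootLogin, the Port lines, PermitEmptyPasswords). It runs over a constructed sample config embedded in the script rather than the live /etc/ssh/sshd_config, and it follows sshd's rule that the first uncommented value of a single-valued keyword wins; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings from sections 2.1 to 2.3.
# The sample below is constructed for the demo; pass "$(cat /etc/ssh/sshd_config)"
# to the functions to check a real file (Match blocks are not handled).
SAMPLE_SSHD_CONFIG='# constructed sample, not a real server file
#PermitRootLogin yes
PermitRootLogin no
Port 22
Port 10022
PermitEmptyPasswords no
'

# sshd_effective KEYWORD CONFIG_TEXT
# Prints the value of the first uncommented KEYWORD line. sshd keeps the first
# value it reads for single-valued keywords, so that is the effective one.
# Keyword matching is case-insensitive, as in sshd.
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key)         { print $2; exit }
    '
}

# sshd_ports CONFIG_TEXT
# Prints every uncommented Port value, space separated; Port may legitimately
# repeat while both the old and the new port are being tested.
sshd_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " }
        END { print "" }
    '
}

# audit_sshd CONFIG_TEXT
# Prints one OK/FAIL line per check and returns the number of failed checks.
audit_sshd() {
    cfg=$1
    fails=0

    v=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$v" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${v:-unset}' (section 2.1 wants: no)"
        fails=$((fails + 1))
    fi

    v=$(sshd_effective PermitEmptyPasswords "$cfg")
    if [ "$v" = "no" ]; then
        echo "OK   PermitEmptyPasswords no"
    else
        echo "FAIL PermitEmptyPasswords is '${v:-unset}' (section 2.3 wants: no)"
        fails=$((fails + 1))
    fi

    # no Port line at all means sshd falls back to its default, port 22
    ports=$(sshd_ports "$cfg")
    case " ${ports:-22} " in
        *" 22 "*)
            echo "FAIL port 22 enabled (ports: ${ports:-22 by default}); section 2.2 wants only the new port"
            fails=$((fails + 1)) ;;
        *)
            echo "OK   ports: $ports" ;;
    esac
    return $fails
}

audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "failed checks: $?"
```

On the sample, the first two checks pass and the port check fails because port 22 is still enabled, which is exactly the intermediate state section 2.2 tells you to leave only until the new port has been verified.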

2.4 Setting the Password Expiration time

The chage command sets and queries the password validity period. Its format is:

chage [options] LOGIN

Common options:

  1. -m: the minimum number of days between password changes. Zero means the password can be changed at any time.
  2. -M: the maximum number of days a password remains valid.
  3. -W: the number of days before expiry on which the user starts receiving a warning.
  4. -E: the account expiration date. After this day the account can no longer be used.
  5. -d: the date of the last password change.
  6. -I: the inactivity period: the number of days after the password expires before the account is locked.
  7. -l: lists the current settings. An unprivileged user can use it to see when their own password or account will expire.

Common usage examples are as follows.

Query the validity period of the user password:

chage -l admin

The following information is displayed:

Last password change                                    : Apr 07, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

We can use chage to change these values. For example, the following command sets the maximum password age to 99 days:

chage -M 99 admin

2.5 Setting Password complexity Requirements

There are two ways to set password complexity.

One way is to edit /etc/login.defs, which contains several important options. Change their values to set the password requirements:

PASS_MAX_DAYS   90  # maximum password age in days
PASS_MIN_DAYS   80  # minimum number of days between password changes
PASS_MIN_LEN    10  # minimum password length
PASS_WARN_AGE   7   # days of warning before the password expires

The other option is to edit /etc/pam.d/system-auth. Find the password line and configure it as follows:

password required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0

The available parameters are documented in /etc/security/pwquality.conf. Common ones:

  1. retry=N: the number of retries allowed when login or a password change fails.
  2. difok=N: the new password must differ from the old one in at least N characters. If more than half of the characters in the new password are different from the old one, it is accepted regardless.
  3. minlen=N: the minimum length of the password.
  4. dcredit=N: how many digits the password must contain (a negative N, as in the line above, means at least -N digits);
  5. ucredit=N: how many uppercase letters the password must contain;
  6. lcredit=N: how many lowercase letters the password must contain;
  7. ocredit=N: how many special characters (neither digits nor letters) the password must contain.

2.6 Disabling Ping to the Server

Once ping is disabled, nobody can ping your IP address via the domain name. Pinging the domain still resolves it to the provider-assigned IP, but the requests time out, which reduces the exposure of your IP a little and adds a small amount of security.

This is done by adding the following line to /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_all=1

Then run the following command to make the configuration take effect:

sysctl -p

This makes the server ignore ping requests. To undo it, change the 1 above to 0.

After the configuration is complete, run ping <IP address> from your local command line. If the request times out, the configuration has taken effect.

2.7 Most importantly, prevent rm -rf

rm -rf is a phrase everyone knows. This section is not going to demonstrate it on a server for comic effect, but to show how to avoid its consequences. Note: the operations below use the source command. Be careful with it: it reloads the shell's environment settings, similar to the environment variables in Windows, and if the file you source is broken, almost every command can become unusable.

The idea is to redefine the rm command so that it runs a custom script. First, create a hidden .trash directory and a hidden .tools directory under ~:

# Create the .trash directory
mkdir .trash
# Create the .tools directory
mkdir .tools
# Check the result
ls -al

Then create a script named remove.sh in the .tools directory with the following content:

#!/bin/sh
trash_dir=~/.trash/$(date +%Y%m%d)

if [ ! -d "${trash_dir}" ]; then
    mkdir -p "${trash_dir}"
fi

for i in "$@"
do
    suffix=$(date "+%H%M%S")
    if [ ! -d "${i}" ] && [ ! -f "${i}" ]; then    # first check whether it is an existing file or directory
        if [ "${i}" != "-rf" ] && [ "${i}" != "-f" ]; then    # -rf and -f are rm flags, not paths: skip them silently
            echo "[${i}] does not exist"
        fi
    else
        file_name=$(basename "${i}")   # get the base name
        # $RANDOM needs bash; on CentOS 7 /bin/sh is bash, so it is available here
        mv "${i}" "${trash_dir}/${file_name}_${suffix}_${RANDOM}"
        echo "[${i}] delete completed"
    fi
done

A brief explanation of the script: it builds a new name from the original file name plus the time of day (so that files with the same name do not collide), then uses mv to move the specified file or directory under the ~/.trash/<date> directory. Note the handling of the -rf and -f arguments: I have seen scripts in other blogs that do not handle these two flags, so mv fails when it is given them.

Then append the following line to the end of ~/.bashrc so that the rm command runs the script:

alias rm='sh ~/.tools/remove.sh'

Then make the change take effect:

source ~/.bashrc

Finally, create a test directory under the user's home directory and try rm -rf <directory> to see the effect.

What this really does is move the directory to be deleted under .trash, grouped by the date of the operation. That directory will inevitably keep growing, so it has to be emptied periodically. Here a script takes care of that.

Create a scheduled task to perform the deletion. Add a script file clean.sh under .tools with the following content, which deletes entries in the recycle bin that have not been modified for more than 3 days:

#!/bin/sh
trashdir=~/.trash
# -mindepth 1 keeps ~/.trash itself out of the match (otherwise an idle trash
# directory would be removed whole); -maxdepth 1 removes the per-day directories
# as units instead of descending into trees that rm has already deleted
find "${trashdir}" -mindepth 1 -maxdepth 1 -mtime +3 -exec rm -rf {} +

Then add this task to crontab.

Run crontab -e to open the scheduled task editor and add:

# run the recycle bin cleanup script every day at 3:00
0 3 * * * sh ~/.tools/clean.sh

Run service crond restart to restart the cron service, then crontab -l to check that the entry was added. Note that a Linux cron expression has five fields and starts at minutes, whereas a Springboot (Spring) cron expression has an extra leading seconds field.
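As an added example (my own code, not the article's remove.sh or clean.sh): a testable version of the recycle-bin idea from this section, covering both the move-to-trash step and the scheduled cleanup. The trash root is a parameter instead of a hard-coded ~/.trash, so the demo function exercises the edge cases (rm flags, a missing path, a name collision, and the cleanup sparing the trash root) inside a throw-away mktemp directory. The names safe_rm, trash_clean and demo_safe_rm are assumptions of this example.

```shell
#!/bin/sh
# Added example: a testable safe-rm and cleanup for section 2.7.

# safe_rm TRASH_ROOT [rm options] PATH...
# Moves each PATH to TRASH_ROOT/YYYYMMDD/<name>_<HHMMSS>[_n]. Anything that
# starts with "-" before a "--" is treated as an rm flag (-r, -f, -rf, -i, ...)
# and ignored, so an alias keeps working for habitual "rm -rf dir" calls.
# Returns 1 if any path was missing or could not be moved, 2 if the trash
# directory could not be created.
safe_rm() {
    root=$1; shift
    day_dir="$root/$(date +%Y%m%d)"
    mkdir -p "$day_dir" || return 2
    status=0
    opts_done=0
    for target in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case $target in
                --) opts_done=1; continue ;;
                -*) continue ;;
            esac
        fi
        # -e is false for a dangling symlink, so test -L as well
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "[$target] does not exist" >&2
            status=1
            continue
        fi
        base="$day_dir/$(basename "$target")_$(date +%H%M%S)"
        dest=$base
        n=0
        # never overwrite something trashed earlier in the same second
        while [ -e "$dest" ] || [ -L "$dest" ]; do
            n=$((n + 1))
            dest="${base}_$n"
        done
        mv -- "$target" "$dest" || { status=1; continue; }
        echo "[$target] moved to $dest"
    done
    return $status
}

# trash_clean TRASH_ROOT DAYS
# Deletes the day directories directly under TRASH_ROOT that have not been
# modified for more than DAYS days. -mindepth 1 keeps TRASH_ROOT itself out of
# the match (a plain "find ~/.trash -mtime +3 -exec rm -rf" would also delete
# an idle trash root) and -maxdepth 1 stops find from descending into trees
# that rm has just removed. Both options are GNU/BSD find extensions.
trash_clean() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -mtime +"$2" -exec rm -rf -- {} +
}

# demo_safe_rm: runs both functions in a scratch directory; returns 0 only if
# every expectation holds.
demo_safe_rm() {
    work=$(mktemp -d) || return 1
    trash="$work/.trash"
    mkdir -p "$work/proj/sub"
    echo data > "$work/proj/sub/a.txt"
    echo other > "$work/b.txt"

    # habitual "rm -rf" call: the flag is ignored, both paths are moved, not deleted
    safe_rm "$trash" -rf "$work/proj" "$work/b.txt" >/dev/null || return 1
    [ ! -e "$work/proj" ] && [ ! -e "$work/b.txt" ] || return 1
    day_dir="$trash/$(date +%Y%m%d)"
    set -- "$day_dir"/*
    [ "$#" -eq 2 ] || return 1
    [ -f "$day_dir"/proj_*/sub/a.txt ] || return 1     # tree moved intact

    # a missing path is reported with status 1 instead of being silently ignored
    safe_rm "$trash" "$work/missing" 2>/dev/null && return 1

    # age the day directory (POSIX touch -t) and confirm cleanup removes it
    # but leaves the trash root in place
    touch -t 202001010000 "$day_dir"
    trash_clean "$trash" 3 || return 1
    [ ! -e "$day_dir" ] && [ -d "$trash" ] || return 1

    rm -rf -- "$work"
    return 0
}

if demo_safe_rm; then echo "safe_rm demo: all checks passed"; else echo "safe_rm demo: FAILED"; fi
```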

Also note that source ~/.bashrc is required for the modified bash configuration to take effect, and it has to be repeated every time the user logs in again. As a programmer, that is of course intolerable, so make the configuration load automatically on every login:

# Edit the .profile file
vim .profile

# Add the following to the file
if [ -s ~/.bashrc ]; then
    source ~/.bashrc;
fi

# Or simply add
source ~/.bashrc

After this, the configuration takes effect automatically on every login.

Finally, if .bashrc or .profile does not exist in the user's home directory, copy it from /etc/skel to the home directory and then apply the configuration above.

3. Set up production server environment

The configuration above meets the basic security requirements. Now let's set up the production environment. Since it is Java-based, not much needs to be installed: an FTP service and a JDK. Of course a real deployment also has databases such as MySQL and Redis and middleware such as MQ and ES, but here we only set up a basic Java environment that can run Springboot, so the JDK is enough.

3.1 Installing the FTP Service

FTP still matters: I usually upload jar packages over FTP to publish. Some installation packages are also large and download slowly on the server because of network problems, so it is sometimes faster to download them locally and upload them to the server through FTP. FTP is therefore an important link.

Install vsftpd first:

yum install -y vsftpd

After installation, two locations matter: /etc/vsftpd/ and /var/ftp/.

  1. The /etc/vsftpd/ directory contains four files:

    1. ftpusers: users listed here are denied access to the FTP service
    2. user_list: when userlist_deny=NO, only users listed here may access the FTP service; when userlist_deny=YES (the default), users listed here are denied
    3. vsftpd.conf: the core configuration file of vsftpd
    4. vsftpd_conf_migrate.sh: a helper script that migrates configuration variables for vsftpd
  2. /var/ftp/ is the directory exposed to anonymous FTP access

Use vim vsftpd.conf to edit the configuration file. The important items are:

# Anonymous login; the default is YES, turn it off for security
anonymous_enable=NO
# Whether local (system) accounts may log in
local_enable=YES
# Required if uploads are to be allowed
write_enable=YES
# Whether vsftpd runs in standalone mode: NO means it is started by xinetd, YES means standalone
listen=NO
# Consult the user_list file
userlist_enable=YES
# With YES, users listed in user_list are denied FTP login
userlist_deny=YES
# Be careful with this one. With YES every local user is confined (chrooted) to its home directory;
# with NO only the users named in chroot_list_file are confined, and all others can browse above their home directory
chroot_local_user=NO
# Create a chroot_list file under /etc/vsftpd and write the user names to confine into it
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# Required, because vsftpd otherwise refuses a chroot whose root directory is writable
allow_writeable_chroot=YES

Other available settings:

# Address to listen on; by default vsftpd listens on all IP addresses
listen_address=IP
# Listening port of the FTP service
listen_port=21
# Allow downloads
download_enable=YES
# Show the contents of the .message file (if present) when the user enters a directory
dirmessage_enable=YES
# Enable the transfer log (/var/log/xferlog)
xferlog_enable=YES
# Use the standard xferlog format
xferlog_std_format=YES
# Use port 20 for active-mode data connections
connect_from_port_20=YES
# Disable passive mode connections; they are allowed by default
pasv_enable=NO
# Start of the passive mode port range
pasv_min_port=21600
# End of the passive mode port range
pasv_max_port=21700
# PAM service name used for authentication
pam_service_name=vsftpd
# Maximum number of simultaneous clients (0 = unlimited)
max_clients=0
# Maximum number of connections from one IP address (0 = unlimited)
max_per_ip=0
# Consult TCP wrappers (hosts.allow/hosts.deny) as an extra access control layer
tcp_wrappers=YES

After the configuration is complete, start the service:

service vsftpd start

In addition, the SELinux security module needs to be configured:

# Step 1: Open the SELinux configuration file
vim /etc/sysconfig/selinux

# Step 2: Set SELINUX=disabled
# (this removes SELinux protection for every service on the host, not only vsftpd)

Then add a dedicated user for FTP access. This user is limited to FTP connections and cannot log in to the server shell; keeping FTP users separate from login users further protects the server:

# Step 1: Add the user. -d sets the home directory (the user's FTP root) and
# -s /sbin/nologin denies shell login
useradd ftpuser -d /home/ftpuser -s /sbin/nologin

# Step 2: Set the user's password
passwd ftpuser

# Step 3: Make the user the owner of its FTP root directory
chown -R ftpuser /home/ftpuser

# Step 4: Write the user name ftpuser into /etc/vsftpd/chroot_list (the file named by
#         chroot_list_file above) so that the user is confined to its home directory

# Step 5: Restart the FTP service
service vsftpd restart

# Step 6: If the directory cannot be uploaded to or read, widen its permissions
# (world-writable; only as a last resort after step 3, and only on the FTP root itself)
chmod 777 /home/ftpuser

3.2 Connecting to the FTP Server

1. Remote connection to FTP

On a Mac, Finder can connect to an FTP server, but only for downloading, not uploading. You can also use iTerm2 to connect. iTerm2 is the terminal tool of choice on the Mac; for installation and configuration see "MAC Terminal Wizard Iterm2 — Farewell to Black and White". You then need the FTP command on the Mac, see "MAC FTP Command Installation ready to Use". On Windows, just use Xftp. Reply [server connection software] in the background of my WeChat public account to get the packaged tools.

2. The connection to the FTP server fails

If Xftp connects but cannot list the remote directory, enable passive mode: choose "Properties -> Options -> Use passive mode".

3.3 Installing the JDK

Note: JDK 8+ generally satisfies the Java SDK version requirements of most middleware, such as ElasticSearch.

Go to the official JDK download page. You need to log in before downloading; once you have the download link, use wget on the server:

wget http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz?AuthParam=1531155951_4e06a4d17c6c1dbfb8440352e19dd2ae

Note that the link includes an AuthParam parameter. Without it, the downloaded file may be unusable.

If the download speed from the official website is slow, you can download it from Huawei JDK image.

To install:

# Step 1: Create the installation directory
mkdir /usr/local/java/

# Step 2: Unpack into the installation directory
tar -zxvf jdk-8u171-linux-x64.tar.gz -C /usr/local/java/

Set the environment variables:

# Step 1: Open the profile for editing
vim /etc/profile

# Step 2: Append the environment variables to the end of the profile
export JAVA_HOME=/usr/local/java/jdk1.8.0_171
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH

# Step 3: Load the profile
source /etc/profile

# Step 4: Add a symbolic link
ln -s /usr/local/java/jdk1.8.0_171/bin/java /usr/bin/java

# Step 5: Check that the installation succeeded
java -version

3.4 Setting up a Springboot Environment

If all you provide is a download service, it is simple to build an HTML page with Springboot's web starter and a template engine and put the APK in the static directory. One thing to note: such a minimal service is not secure, because it has no rate limiting. I usually use Redis for rate limiting, but that would mean covering the installation of Redis and its various security settings... So not now: for the moment, just show the application details and give users a way to download it.

4. Releasing the Application

4.1 Starting the Springboot Program on the Server

After the Springboot application is developed, compile and package it with mvn install in the project root directory, then upload the resulting jar to the server through FTP.

To start the jar in the background, use the following command:

nohup java -jar target/<package name>.jar --spring.profiles.active=lt &

That is nohup with an ampersand at the end. You can also start in the background without nohup by only appending &, but then the program stops when the SSH session ends.

With nohup as above, a file named nohup.out is created in the current directory and the terminal output is written to it. The terminal itself shows nothing during startup, so the only way to tell whether the program started successfully is to read nohup.out. To follow the file as it grows, run tail -f nohup.out. You can also redirect the output to a specific file, or discard it entirely (redirect to /dev/null). For example, the following command redirects the logs to catalina.out:

nohup java -jar xxx.jar > catalina.out 2>&1 &

To find the Springboot project process, run:

ps aux | grep "java -jar" | grep -v "grep"

The output contains the pid of the process. To kill the process, type:

kill -9 pid

4.2 Specifying JVM Startup Parameters

1. Connecting to the JVM remotely

First we need to connect to the running application remotely to observe the health of the JVM. This matters both when troubleshooting problems online and when tuning JVM parameters before launching a project. Two common tools are JConsole and JVisualVM. To allow the JVM to be monitored remotely, a little configuration is needed.

First, change the password used for the remote connection. Go to the management directory under the JRE installation directory, for example jdk1.8.0_181/jre/lib/management in my case. Copy jmxremote.password.template to jmxremote.password and uncomment its last two lines: monitorRole is the default login name of the remote connection, and what follows it is the password. Change the default password to protect the server. The JVM also refuses to start remote JMX if this file is readable by other users, so restrict it to its owner (chmod 600).

Then add a few parameters to the project's startup command to enable the remote connection. The -D options must come before -jar; anything after the jar name is passed to the application rather than to the JVM. For example, mine are:

nohup java -Djava.rmi.server.hostname=23.123.122.31 -Dcom.sun.management.jmxremote.port=11162 -Dcom.sun.management.jmxremote.rmi.port=11163 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -jar $portal_app_jar > portal.out 2>&1 &

The parameters and their meanings:

  1. java.rmi.server.hostname: the address clients connect to, i.e. the real public IP address of your server.
  2. com.sun.management.jmxremote.port: the port used for the remote JMX connection; it must differ from the application port.
  3. com.sun.management.jmxremote.rmi.port: the port used for the RMI connection; it must also differ from the application port.
  4. com.sun.management.jmxremote.ssl: whether to use SSL for the connection. With false the credentials travel in clear text, so the two JMX ports should only be reachable from trusted addresses.
  5. com.sun.management.jmxremote.authenticate: whether to require authentication. Enable it, otherwise anyone can connect to and inspect your JVM without a password.

Once this is configured, open the two ports above in the firewall and restart the application.

Either JConsole or JVisualVM can connect to a JVM locally or remotely. Both executables are in the JDK bin directory; double-click to open one and connect.

2. Setting startup parameters

First, some official references:

  • Springboot core configuration properties: docs.spring.io/spring-boot…
  • Oracle's JVM tuning article, covering JVM version, choice of garbage collector and heap sizing tips: docs.oracle.com/middleware/…

Common parameters:

-XX:MetaspaceSize=128m       # initial metaspace size
-XX:MaxMetaspaceSize=128m    # maximum metaspace size
-Xms1024m                    # initial heap size, which is also the minimum
-Xmx1024m                    # maximum heap size
-Xmn256m                     # young generation size
-Xss256k                     # thread stack size
-XX:SurvivorRatio=8          # ratio of Eden to each Survivor space
-XX:+UseConcMarkSweepGC      # garbage collector to use, here the CMS collector
-XX:+PrintGCDetails          # print verbose GC logs

The specific values depend on the type of application, the concurrency, and the server environment. Use the documents above to choose parameters for your own application.

4.3 Writing a Server Startup Script

Typing the startup parameters by hand every time is tedious, so we usually write a script and use it to start and stop the program. Here is a reference script:

#!/bin/bash
# Program run script
# Author: Wang Huan-sheng
# Jar file to start; the version number is deliberately left out of the file name
app_jar=box.jar

# Usage instructions
usage() {
  echo "|======================================================================|"
  echo "| Script usage                                                         |"
  echo "|======================================================================|"
  echo "| sh <script>.sh [start | stop | restart | status] [prev]              |"
  echo "|                                                                      |"
  echo "| Parameters:                                                          |"
  echo "|   start:   start the program                                         |"
  echo "|   stop:    stop the program                                          |"
  echo "|   restart: restart the program                                       |"
  echo "|   status:  show whether the program is running                       |"
  echo "|   prev:    optional; if given, the program's log is written to a     |"
  echo "|            file, otherwise it is discarded. Not recommended for the  |"
  echo "|            official release.                                         |"
  echo "|======================================================================|"
}

# Start function.
# $1 inside a function is the argument passed to the function,
# not the argument passed to the script as a whole.
start() {
  # JVM options. Replace your_ip / your_port with real values. They must come
  # BEFORE -jar: anything after the jar name is passed to the application as
  # program arguments, not to the JVM.
  vm_opt='-XX:NewSize=216m -XX:MaxNewSize=216m -XX:SurvivorRatio=8 -Xms1024m -Xmx2048m -XX:+PrintGCDetails -Djava.rmi.server.hostname=your_ip -Dcom.sun.management.jmxremote.port=your_port -Dcom.sun.management.jmxremote.rmi.port=your_port -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true'
  if [ "$1" = "prev" ]; then
    # preview: keep the log
    nohup java $vm_opt -jar $app_jar > box.out 2>&1 &
    echo "box[prev] start succeed"
  else
    nohup java $vm_opt -jar $app_jar > /dev/null 2>&1 &
    echo "box app start succeed"
  fi
}

# Stop function
stop() {
  # find the pid of the program and kill it
  is_exist $app_jar
  if [ $? -eq 0 ]; then
    kill -9 $pid
    echo "Box was killed with pid ${pid}"
  else
    echo "Box is NOT running"
  fi
}

# Status function
status() {
  is_exist $app_jar
  if [ $? -eq 0 ]; then
    echo "Box is running with pid ${pid}"
  else
    echo "Box is NOT running"
  fi
}

# Restart function
restart() {
  stop
  start
}

# Check whether a process for the given jar exists; sets $pid as a side effect
is_exist() {
  pid=$(ps -ef | grep "$1" | grep -v grep | awk '{print $2}')
  if [ -z "${pid}" ]; then
    return 1
  else
    return 0
  fi
}

# Select the function to run based on the user's argument
case "$1" in
  "start")
    start $2
    ;;
  "stop")
    stop
    ;;
  "status")
    status
    ;;
  "restart")
    restart
    ;;
  *)
    usage
    ;;
esac

# End
# =============================================================================

I distinguish between a preview and a formal environment here, because sometimes a configuration error stops the application from starting at all. In the formal mode the logs are discarded, as described above, so the problem cannot be inspected; passing the prev parameter at startup redirects the logs to a file in the current directory instead. The script provides start, stop, restart, status and the usage text.

4.4 Configuring the Domain Name

With the configuration above the service can be reached by IP address, but we still want a domain name. I am using an old subdomain here. Besides the domain name itself, you should also configure a CDN. With the CDN in place the access path is:

box-meiyan.tech -> CDN domain name -> origin IP address and port configured in the CDN

Another advantage of a CDN is that pinging the domain does not reveal the origin IP address directly, which blocks the simplest traffic-flooding attacks.

Conclusion

This article covered server setup and server security configuration, touching on a number of Linux commands along the way. For reasons of space only part of the material could be introduced, and not in full detail. I have also written a complete series of over a dozen articles, from basic Linux commands to the security configuration of common middleware; follow along if you are interested. The mobile toolbox mentioned here is an Android tool app I recently developed; it contains many practical functions for developers, so download it and give it a try if you are interested.