Set up Thredds server
Create Thredds server (v4.6) on QRISCloud
Step-by-step guide
- Install Java 8
- Install Tomcat 8
- Deploy Thredds war file
- Install Apache and Configure mod_proxy and mod_rewrite
- Create tomcat user and group, run tomcat as service
- Harden tomcat security
Install Java 8
Download Java 8 JDK from Oracle. The latest 1.8 is required. We will be using jdk-8u111-linux-x64.tar.gz
# cd /opt
# tar zxvf jdk-8u111-linux-x64.tar.gz
# cd /opt/jdk1.8.0_111
# alternatives --install /usr/bin/java java /opt/jdk1.8.0_111/bin/java 2
# alternatives --config java
At this point, Java 8 has been successfully installed. It is also recommended to set up the javac and jar command paths using alternatives.
# alternatives --install /usr/bin/jar jar /opt/jdk1.8.0_111/bin/jar 2
# alternatives --install /usr/bin/javac javac /opt/jdk1.8.0_111/bin/javac 2
# alternatives --set jar /opt/jdk1.8.0_111/bin/jar
# alternatives --set javac /opt/jdk1.8.0_111/bin/javac
Configuring environment variables
# export JAVA_HOME=/opt/jdk1.8.0_111
# export JRE_HOME=/opt/jdk1.8.0_111/jre
# export PATH=$PATH:/opt/jdk1.8.0_111/bin:/opt/jdk1.8.0_111/jre/bin
Install Tomcat 8
Download current version of Tomcat 8 servlet container. At the time of writing this document, version 8.0.24 is used. (apache-tomcat-8.0.24.tar.gz)
cd /opt/tds/
tar xvzf apache-tomcat-8.0.24.tar.gz
Verify tomcat is running by going to http://IP_ADDRESS:8080/
Shut down tomcat
Create a setenv.sh file under the tomcat bin/ directory
cd /opt/tds/apache-tomcat-8.0.24/bin
vi setenv.sh
Add the following information and save your setenv.sh file:
#!/bin/sh
#
# ENVARS for Tomcat
#
export CATALINA_HOME="/opt/tds/apache-tomcat-8.0.24/"
export CATALINA_BASE="/opt/tds/apache-tomcat-8.0.24/"
export JAVA_HOME="/opt/jdk1.8.0_111"
# TDS specific ENVARS
#
# Define where the TDS content directory will live
# THIS IS CRITICAL and there is NO DEFAULT - the
# TDS will not start without this.
#
CONTENT_ROOT=-Dtds.content.root.path=/opt/tds/apache-tomcat-8.0.24/content

# set java prefs related variables (used by the wms service, for example)
JAVA_PREFS_ROOTS="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs \
-Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"

#
# Some commonly used JAVA_OPTS settings:
#
NORMAL="-d64 -Xmx4096m -Xms512m -server -ea"
HEAP_DUMP="-XX:+HeapDumpOnOutOfMemoryError"
HEADLESS="-Djava.awt.headless=true"

#
# Standard setup.
#
JAVA_OPTS="$CONTENT_ROOT $NORMAL $MAX_PERM_GEN $HEAP_DUMP $HEADLESS $JAVA_PREFS_ROOTS"

export JAVA_OPTS
Restart Tomcat
Deploy Thredds server war file
Download TDS war file from Unidata website. The current TDS version we used is 4.6.2. (thredds.war)
Deploy the war file in Tomcat
cd /opt/tds/apache-tomcat-8.0.24/webapps
mv ~/thredds.war .
Wait a couple of seconds after placing the war file in the tomcat webapps/ folder.
Confirm the creation of TDS content/ directory
Install Apache and Configure mod_proxy and mod_rewrite
yum install -y httpd
Edit the /etc/httpd/conf/httpd.conf file and make sure mod_proxy is enabled. Add the following lines to the bottom of the file.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Create a mod_proxy.conf file in /etc/httpd/conf.d/ and paste the following content into the file
<IfModule mod_proxy.c>
ProxyRequests Off
Redirect "/" "http://dap.tern.org.au/thredds/"
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# destination server and directory
ProxyPass /thredds ajp://localhost:8009/thredds
ProxyPassReverse /thredds ajp://localhost:8009/thredds
</IfModule>
This will forward all traffic to Thredds app under tomcat.
Edit tomcat server.xml to enable AJP. Make sure the following line is uncommented
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
Restart tomcat and httpd.
Create tomcat user and group, run tomcat as service
First create a tomcat group
sudo groupadd tomcat
Then create a new tomcat user and make this user a member of the tomcat group, with a home directory of /opt/tds/apache-tomcat-8.0.24, and with a shell of /bin/false so nobody can login to the account.
sudo useradd -M -s /bin/false -g tomcat -d /opt/tds/apache-tomcat-8.0.24 tomcat
Update permission for tomcat user and group
chgrp -R tomcat /opt/tds/apache-tomcat-8.0.24/conf
chmod g+rwx /opt/tds/apache-tomcat-8.0.24/conf
chmod g+r /opt/tds/apache-tomcat-8.0.24/conf/*
chown -R tomcat /opt/tds/apache-tomcat-8.0.24/webapps /opt/tds/apache-tomcat-8.0.24/work /opt/tds/apache-tomcat-8.0.24/temp /opt/tds/apache-tomcat-8.0.24/logs
Install a systemd unit file so that tomcat can run as a service
Create and open the unit file
vi /etc/systemd/system/tomcat.service
Paste in the following
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/opt/jdk1.8.0_111
Environment=CATALINA_PID=/opt/tds/apache-tomcat-8.0.24/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tds/apache-tomcat-8.0.24
Environment=CATALINA_BASE=/opt/tds/apache-tomcat-8.0.24
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tds/apache-tomcat-8.0.24/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
Save and exit. Reload systemd to load the tomcat unit file, then start and enable tomcat.
systemctl daemon-reload
systemctl start tomcat
systemctl enable tomcat
Harden tomcat security
- Remove server banner
Add Server=" " under Connector port in server.xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server=" " redirectPort="8443" />
- Enable access log logging
Uncomment the Valve entry for valves.AccessLogValve
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
- Add secure flag in cookie
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server=" " Secure="true" redirectPort="8443" />
- Add httponly in cookie by modifying context.xml
<Context useHttpOnly="true">
...
</Context>
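A check for the hardening settings above, as an added example that is not part of the original guide: it reads server.xml and context.xml from a Tomcat conf/ directory, ignores commented-out elements, and reports each item that is missing. The function names are made up for this example, and the loopback test on the AJP connector is an extra check beyond the four items listed (on Tomcat 8.0 an AJP connector without an address attribute listens on all interfaces, while Apache only connects to it on localhost).

```sh
#!/bin/sh
# Added example (not from the original guide): audit a Tomcat conf/ directory.

# Print an XML file without <!-- ... --> comments (which may span lines), so a
# commented-out Valve or Connector is not mistaken for an active one.
strip_xml_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) { line = "" } else { line = substr(line, i + 3); incomment = 0 }
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = "" }
        else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1 }
      }
    }
    print out
  }' "$1"
}

# Emit one active element per line, each line starting with its tag name.
active_elements() { strip_xml_comments "$1" | tr '\n' ' ' | tr '<' '\n'; }

# Print one FAIL line per missing setting; exit status is the number of failures.
audit_tomcat_conf() {
  conf=$1; fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  conns=$(active_elements "$conf/server.xml" | grep '^Connector[[:space:]]') || true
  http=$(printf '%s\n' "$conns" | grep 'protocol="HTTP/1.1"') || true
  ajp=$(printf '%s\n' "$conns" | grep 'protocol="AJP/1.3"') || true
  # The guide writes Server= and Secure=; Tomcat's docs spell them lowercase.
  printf '%s\n' "$http" | grep -q '[[:space:]][Ss]erver[[:space:]]*=' ||
    fail "HTTP connector does not override the Server banner"
  printf '%s\n' "$http" | grep -q '[[:space:]][Ss]ecure[[:space:]]*="true"' ||
    fail "HTTP connector does not set secure=true"
  active_elements "$conf/server.xml" | grep -q '^Valve[[:space:]].*valves\.AccessLogValve' ||
    fail "AccessLogValve is commented out or missing"
  active_elements "$conf/context.xml" | grep -q '^Context[[:space:]].*useHttpOnly="true"' ||
    fail "context.xml does not set useHttpOnly=true"
  # Extra check beyond the four items: Apache reaches AJP via localhost, so the
  # AJP connector only needs a loopback address.
  if [ -n "$ajp" ]; then
    printf '%s\n' "$ajp" | grep -Eq 'address="(127\.0\.0\.1|::1|localhost)"' ||
      fail "AJP connector has no loopback address attribute"
  fi
  return "$fails"
}
```

Source the file and call audit_tomcat_conf /opt/tds/apache-tomcat-8.0.24/conf; an exit status of 0 means every check passed.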
THREDDS Installation
THREDDS Data Manager (TDM)
http://www.unidata.ucar.edu/software/thredds/current/tds/reference/collections/TDM.html