I've updated the software running this blog to a new version of TightBlog, running on a standalone Tomcat on Ubuntu running on Linode. It's still a SNAPSHOT version with some things to fix. Below are my installation notes. Note that many of these instructions hold for deploying any WAR file in such an environment, so what I've written below may be useful for other apps.
glenmazza.net and then configured it for my linode following these instructions.
I installed OpenJDK 17 and then installed Tomcat manually on my image, using a non-root account. Another option is sudo apt-get install, which I had problems getting to work before switching to the above (probably due to firewall configuration omissions on my part that I have since learned about). If you use it, it requires some extra configuration to work with JDK 17.
Either Tomcat install method above should result in sudo systemctl [start|stop|restart] tomcat (or ... tomcat9) command-line instructions being available for starting and stopping Tomcat. After starting Tomcat, confirm you can access Tomcat's port 8080 from a browser using your linode's IP address.
# future note: update instructions to use pem files (see above)
sudo systemctl stop tomcat
# For housekeeping on key updates, may wish to delete logs at /opt/tomcat/latest/logs
sudo -H certbot certonly --standalone -d glenmazza.net -d www.glenmazza.net
# (see "Congratulations!" feedback indicating Let's Encrypt worked. Any problem running? Try this)
sudo -s
cd /etc/letsencrypt/live/glenmazza.net*
sudo openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root
# The above command will prompt you for a password for the temporary cert_and_key.p12 file.
# Choose what you wish but remember for the next command ("abc" in the command below.)
# The next command has placeholders for the Java key and keystore password (both necessary). Choose what you wish but as I understand
# Tomcat expects the two to be the same (can see previous password via sudo more /var/lib/tomcat8/conf/server.xml)
sudo keytool -importkeystore -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstorepass abc -srcstoretype PKCS12 -alias tomcat -deststorepass <changeit> -destkeypass <changeit>
sudo cp MyDSKeyStore.jks /opt/tomcat/latest
sudo systemctl start tomcat
# ...confirm website accessible again at https://..., if not working ensure tomcat dirs all owned by tomcat user & restart
cd /etc/letsencrypt/live
sudo rm -r glenmazza.net*
The Java keystore password chosen above will need to be placed in the server.xml file next.
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="MyTomcatKeystore.jks" keystorePass="?????"/>
The keystore file referenced above would need to be placed in Tomcat's root directory. If you use another location, be sure to update the keystoreFile value to include the path to the file.
/etc/default/tomcat8 file to activate it and then run a script similar to the following (replace "tomcat8" with the non-root user that is running Tomcat on your linode):
sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat8 /etc/authbind/byport/80
sudo touch /etc/authbind/byport/443
sudo chmod 500 /etc/authbind/byport/443
sudo chown tomcat8 /etc/authbind/byport/443
Because the Ubuntu Linode I was using was running the UFW firewall by default, I needed further commands to be able to expose 80 and 443 to external browsers:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw status to confirm the ports are available; for IPv4 you should see:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
3306                       ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
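The status output above lists 3306 (MySQL's default port) and Tomcat's 8080 as open to Anywhere alongside the web ports. As an added example (not part of the original notes), the shell function below reads sudo ufw status text and reports every entry allowed from Anywhere that is not on an expected list. The EXPECTED_PUBLIC list, the function names and the sample input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit `ufw status` output for rules open to Anywhere.

# Entries this host is meant to expose publicly (assumption for this example).
EXPECTED_PUBLIC="OpenSSH 80/tcp 443/tcp"

# audit_ufw reads `ufw status` text on stdin and prints each "To" entry that is
# allowed from Anywhere but missing from EXPECTED_PUBLIC. An inactive firewall
# is reported too. Exit status is 0 only when nothing was reported.
audit_ufw() {
    awk -v expected="$EXPECTED_PUBLIC" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 == "Status:" && $2 != "active" { print "firewall-inactive"; bad = 1 }
        {
            # The action column shifts right on "(v6)" lines, so search for it.
            for (i = 2; i < NF; i++)
                if ($i == "ALLOW" && $(i + 1) == "Anywhere" && !($1 in ok)) {
                    v6 = ($2 == "(v6)") ? " (v6)" : ""
                    print $1 v6
                    bad = 1
                }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the IPv4 rules shown in the post plus one IPv6 line.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
3306                       ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

# On the server: sudo ufw status | audit_ufw
sample_status | audit_ufw || echo "Review the entries above: each is reachable from any address."
```

If an entry such as 3306 or 8080/tcp is not meant to be public, sudo ufw delete allow followed by the same rule text removes it.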
https://yourdomain.com/ instead of https://yourdomain.com/tightblog). The WAR file will need to be placed in the Tomcat webapps folder as usual.
application-tbcustom.properties file (sample). Create or download these as appropriate.
/home/gmazza/tbfiles/mediafiles. Note that for Tomcat to be able to read and write from these folders, the leaf folder (here, mediafiles) should have the ownership of the user account running Tomcat (e.g. tomcat:tomcat), and that user must have execute permissions for every parent folder.
scp ROOT.war email@example.com:~/tbfiles. However, I prefer "sftp glenmazza.net", navigating to desired folders, and using "put" or "get" to upload or download respectively.
Troubleshooting: if accessing https://yourdomain.com[/tightblog] from a browser returns 404s while you can still ping the domain, check whether you can access that URL from a terminal window that is SSH'ed into your Linode using the command-line Lynx browser. If you can, Tomcat is running properly and the problem is most likely with the authbind or iptables rerouting preventing external access. If you can't, look at the Tomcat configuration first.
Export to a file:
mysqldump -u root -p tightblogdb > db_backup_YYYYMMDD.sql
Import into the database to restore it:
mysql -u root tightblogdb < db_backup_YYYYMMDD.sql
Best to save the backup copy outside of the linode (e.g., on your local machine) and create a regular backup routine.