GeoServer is a J2EE implementation of the OpenGIS Web Server specification. With GeoServer you can easily publish map data, let users update, delete and insert feature data, and quickly share spatial geographic information between users.
Main GeoServer features: compatible with the WMS and WFS specifications; supports PostgreSQL, Shapefile, ArcSDE, Oracle, VPF, MySQL and MapInfo; supports hundreds of projections; can output web maps as JPEG, GIF, PNG, SVG, KML and other formats; runs in any J2EE/Servlet container; embeds MapBuilder and the AJAX-capable map client OpenLayers; plus many other features.
1. Lab environment
Operating system: CentOS 7.5 Minimal
GeoServer server: 192.168.1.103
2. Package downloads
Java SE Runtime Environment 8
jre-8u221-linux-x64.tar.gz
https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
geoserver-2.14.2-bin.zip
https://versaweb.dl.sourceforge.net/project/geoserver/GeoServer/2.14.2/geoserver-2.14.2-bin.zip
3. Install the Java runtime environment (JRE)
GeoServer runs on the Java virtual machine, so before installing GeoServer we first need to install the JRE, the Java runtime environment.
# rpm -e --nodeps $(rpm -qa | grep -i openjdk)
# tar zxvf jre-8u221-linux-x64.tar.gz -C /usr/local/
# echo 'export JAVA_HOME="/usr/local/jre1.8.0_221"' > /etc/profile.d/jre.sh
# source /etc/profile.d/jre.sh
# echo "export PATH=$JAVA_HOME/bin:$PATH" >> /etc/profile.d/jre.sh
# source /etc/profile.d/jre.sh
# java -version
4. Install GeoServer
Disable SELinux enforcement (permissive mode)
# setenforce 0
# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
Unpack the package
# unzip geoserver-2.14.2-bin.zip -d /opt
# ll /opt
Create the service account
# groupadd -g 2019 geoserver
# useradd -u 2019 -g 2019 -s /sbin/nologin geoserver
Change the owner and group of the directory
# chown -R geoserver:geoserver /opt/geoserver-2.14.2/
Create the systemd unit file for the service
# vim /etc/systemd/system/geoserver.service
############################################################
[Unit]
Description=GeoServer
After=network.target
[Service]
Type=simple
Environment="GEOSERVER_HOME=/opt/geoserver-2.14.2"
ExecStart=/opt/geoserver-2.14.2/bin/startup.sh
ExecStop=/opt/geoserver-2.14.2/bin/shutdown.sh
User=geoserver
Group=geoserver
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
#############################################################
# systemctl daemon-reload
# systemctl start geoserver.service
# systemctl enable geoserver.service
# systemctl status geoserver.service
Check the port the service listens on
# ss -tan |grep 8080
Access in the browser
http://192.168.1.103:8080/
http://192.168.1.103:8080/geoserver
Default administrator account/password: admin/geoserver
5. Configure SSL/TLS in Jetty to support HTTPS
Check the Jetty version
# cd /opt/geoserver-2.14.2/
# java -jar start.jar --version
Download the Jetty ssl module
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.2.13.v20150730/jetty-distribution-9.2.13.v20150730.tar.gz
# wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.2.13.v20150730/jetty-distribution-9.2.13.v20150730.tar.gz
# tar -zxf jetty-distribution-9.2.13.v20150730.tar.gz
# cp jetty-distribution-9.2.13.v20150730/modules/ssl.mod /opt/geoserver-2.14.2/modules/
# chown -R geoserver:geoserver /opt/geoserver-2.14.2/
# ll /opt/geoserver-2.14.2/modules/
# vim /opt/geoserver-2.14.2/start.ini
Add the ssl-related configuration
####################################
--module=ssl
jetty.ssl.port=8443
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=storepwd
jetty.sslContext.keyManagerPassword=keypwd
jetty.sslContext.trustStorePassword=storepwd
--module=https
#####################################
# systemctl restart geoserver.service
# systemctl status geoserver.service
Check the listening ports
# ss -tan | grep 8080
# ss -tan | grep 8443
http://192.168.1.103:8080/geoserver
https://192.168.1.103:8443/geoserver
GeoServer now serves both HTTP and HTTPS. How do we redirect HTTP to HTTPS?
# vim /opt/geoserver-2.14.2/webapps/geoserver/WEB-INF/web.xml
######################################################
#########################################################
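One way to do the redirect, as an added example that is not part of the original post: a POSIX shell function that inserts a Servlet `security-constraint` with `transport-guarantee CONFIDENTIAL` into GeoServer's web.xml, which makes Jetty answer plain-HTTP requests with a redirect to its secure port. It assumes Jetty's HttpConfiguration `securePort` points at the 8443 connector configured above (Jetty's default), and that the demo keystore and passwords from start.ini are replaced by your own certificate before the service faces users.

```shell
#!/bin/sh
# Added example (not from the original post). Insert the Servlet
# security-constraint that makes Jetty redirect HTTP requests for
# GeoServer to HTTPS. Assumes Jetty's secure port is the 8443 connector
# from start.ini. Idempotent: a second call leaves the file untouched.
add_https_redirect() {
    webxml="$1"
    # Nothing to do if a CONFIDENTIAL constraint is already present.
    if grep -q '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$webxml"; then
        return 0
    fi
    # Keep an untouched copy with the same owner and mode.
    cp -p "$webxml" "$webxml.bak"
    tmp=$(mktemp)
    # Everything before the closing </web-app> line ...
    sed '/<\/web-app>/,$d' "$webxml" > "$tmp"
    # ... then the constraint, then the closing tag again.
    cat >> "$tmp" <<'EOF'
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>GeoServer</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
EOF
    # Write through the existing inode so the geoserver user keeps
    # the owner/mode set earlier (640, geoserver:geoserver).
    cat "$tmp" > "$webxml"
    rm -f "$tmp"
}

# Sanity check after editing: exactly one CONFIDENTIAL constraint present.
has_https_redirect() {
    [ "$(grep -c '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$1")" -eq 1 ]
}

# Usage on the install above (then restart the service):
#   add_https_redirect /opt/geoserver-2.14.2/webapps/geoserver/WEB-INF/web.xml
```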
Access in the browser
http://192.168.1.103:8080/geoserver
https://192.168.1.103:8443/geoserver
How do we make Jetty use HTTPS only?
If only HTTPS is used, there is no need to configure the redirect entries in /opt/geoserver-2.14.2/webapps/geoserver/WEB-INF/web.xml.
/opt/geoserver-2.14.2/modules/ssl.mod still has to be added, of course.
Comment out the http module entries and enable only the https and ssl module configuration
# vim /opt/geoserver-2.14.2/start.ini
Access in the browser:
# systemctl restart geoserver.service
# systemctl status geoserver.service
How do we configure the IP address Jetty listens on?
# vim /opt/geoserver-2.14.2/start.ini
################################
jetty.host=192.168.1.103
################################
# systemctl restart geoserver.service
# ss -tan | grep 8443
6. Hardening GeoServer files and directories
Security remediation requirement: files belonging to the GeoServer deployment must have mode 640 and directories mode 750.
# systemctl stop geoserver.service
# chmod 640 /etc/systemd/system/geoserver.service
# find /opt/geoserver-2.14.2/ -type d -exec chmod 750 {} \;
# find /opt/geoserver-2.14.2/ -type f -exec chmod 640 {} \;
# chmod 550 /opt/geoserver-2.14.2/bin/*.sh
# vim /opt/geoserver-2.14.2/bin/startup.sh
Add a umask setting for this service
####################################
# Set umask
umask 0027
####################################
# systemctl restart geoserver.service
# ll /opt/geoserver-2.14.2/data_dir/
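To verify that the hardening above actually holds (and stays in place after upgrades or manual edits), here is an added audit function, not part of the original post: it walks a GeoServer tree and reports every path whose mode differs from the policy (directories 750, regular files 640, the bin/*.sh start/stop scripts 550). The sample tree it builds for the demo is constructed, not a real install.

```shell
#!/bin/sh
# Added example (not from the original post): audit a GeoServer tree
# against the policy above. Prints each non-compliant path to stderr and
# returns 1 if any were found, 0 when the whole tree complies.
audit_geoserver_perms() {
    root="${1%/}"                     # tolerate a trailing slash
    # "-perm 750" with no +/- prefix is an exact mode match.
    # Every regular file except bin/*.sh must be 640; the scripts the
    # unit file executes are allowed 550 only.
    offenders=$(
        find "$root" -type d ! -perm 750
        find "$root" -type f ! -path "$root/bin/*.sh" ! -perm 640
        find "$root/bin" -maxdepth 1 -type f -name '*.sh' ! -perm 550 2>/dev/null
    )
    if [ -n "$offenders" ]; then
        printf 'non-compliant mode:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed, minimal GeoServer-like tree in a temp dir with the policy
# applied; prints its path. Used only for the demonstration.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/data_dir/workspaces"
    : > "$t/bin/startup.sh"; : > "$t/bin/shutdown.sh"
    : > "$t/start.ini";      : > "$t/data_dir/global.xml"
    find "$t" -type d -exec chmod 750 {} \;
    find "$t" -type f -exec chmod 640 {} \;
    chmod 550 "$t"/bin/*.sh
    printf '%s\n' "$t"
}

# Usage on the real install: audit_geoserver_perms /opt/geoserver-2.14.2
```

Run it again after the service has written new files under data_dir to confirm the umask 0027 set in startup.sh is doing its job.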
7. References
GeoServer User Manual
https://www.osgeo.cn/geoserver-user-manual/index.html
Jetty: configuring security
https://www.cnblogs.com/bhlsheji/p/4293854.html
geoserver.service
https://aur.archlinux.org/cgit/aur.git/tree/geoserver.service?h=geoserver-bin
https://docs.geoserver.org/latest/en/user/production/linuxscript.html
https://stackoverflow.com/questions/29508981/systemd-service-startup-issue
How to enable GeoServer HTTPS with Jetty?
https://www.jianshu.com/p/db0d28189449
How to secure Jetty to only allow access from the specified IP?
https://stackoverflow.com/questions/1955455/how-to-secure-jetty-to-only-allow-access-from-loopbacklocalhost
https://serverfault.com/questions/475692/configuring-jetty-to-accept-connections-from-only-certain-ip-addresses
http://jetty.4.x6.nabble.com/How-to-make-Jetty-bind-to-specific-IP-address-td12206.html
How to set umask for Docker container?
https://codeyarns.com/2017/07/21/how-to-set-umask-for-docker-container
http://widerin.net/blog/change-umask-in-docker-containers
https://stackoverflow.com/questions/46891571/fix-umask-for-future-run-commands-in-dockerfile