Linux & Ubuntu Setup

Install Ubuntu 24.04.2 LTS from ubuntu.com/download/server.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

sudo timedatectl set-timezone Europe/Stockholm

mkdir /opt/skywin /opt/skywin/config /var/log/skywin /etc/skywin /etc/skywin/sqlbackups

sudo ufw allow 22
sudo ufw allow 8080
sudo ufw allow 3306/tcp

sudo apt-get install openjdk-21-jdk apache2 mysql-server

sudo useradd -m -d /opt/tomcat -U -s /bin/false tomcat

cd /tmp
wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.54/bin/apache-tomcat-10.1.54.tar.gz
sudo tar xzvf apache-tomcat-10*tar.gz -C /opt/tomcat --strip-components=1

sudo chown -R tomcat:tomcat /opt/tomcat/
sudo chmod -R u+x /opt/tomcat/bin

Edit /opt/tomcat/conf/tomcat-users.xml — make sure the tomcat-users section looks like this:

<tomcat-users>
  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <user username="a_user_for_tomcat" password="a_password_for_tomcat" roles="admin-gui,manager-gui"/>
</tomcat-users>

In both /opt/tomcat/webapps/manager/META-INF/context.xml and /opt/tomcat/webapps/host-manager/META-INF/context.xml, comment out the RemoteAddrValve line:

<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
      allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->

Create /etc/systemd/system/tomcat.service:

[Unit]
Description=Tomcat
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/java-1.21.0-openjdk-amd64"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
Environment="SKYWIN_CONFIG_DIR=/opt/skywin/config"
Environment="SKYWIN_LOG_DIR=/var/log/skywin"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable tomcat
reboot

Verify by browsing from another machine on the same network to http://ip_address_of_ubuntu_server:8080.

mysql_secure_installation

Would you like to setup VALIDATE PASSWORD component? No
Remove anonymous users?                              Yes
Disallow root login remotely?                        Yes
Remove test database and access to it?               Yes
Reload privilege tables now?                         Yes

sudo mysql

CREATE USER 'administrator'@'127.0.0.1' IDENTIFIED BY 'a_password_for_administrator';
CREATE USER 'administrator'@'localhost' IDENTIFIED BY 'a_password_for_administrator';
CREATE USER 'administrator'@'%' IDENTIFIED BY 'a_password_for_administrator';
GRANT ALL ON *.* TO 'administrator'@'127.0.0.1' WITH GRANT OPTION;
GRANT ALL ON *.* TO 'administrator'@'localhost' WITH GRANT OPTION;
GRANT ALL ON *.* TO 'administrator'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

SELECT user,host FROM mysql.user;

exit

sudo systemctl restart mysql.service
sudo systemctl status mysql

Open /etc/mysql/mysql.conf.d/mysqld.cnf and change the bind-address line:

bind-address = 0.0.0.0

sudo systemctl restart mysql.service
sudo systemctl status mysql

Create backup script /etc/skywin/backupDb.sh:

mysqldump -u root -pa_password_for_administrator your_database_name > /etc/skywin/sqlbackups/skywin_dump_$(date +"%Y%m%d_%H%M").sql

chmod +x /etc/skywin/backupDb.sh

Schedule daily backup — run crontab -e and add:

0 16 * * * /etc/skywin/backupDb.sh

Create /opt/skywin/config/skywinone.properties:

# Data connection attributes
dataSource.url=jdbc:mysql://127.0.0.1/your database name
#dataSource.username=database user
#dataSource.password=database password

# Base url for the API services
grails.serverURL=http://IP-address:8080

# Mail settings
grails.mail.username=
grails.mail.password=

# Internal cache can be preloaded or not, can affect performance
skywin_parameter_load_cache_upon_startup=true

# Stop brute force attacks
skywin_block_brute_force=true

Create deployment script /etc/skywin/deploySkywin.sh:

sudo systemctl stop tomcat
sudo rm -rf /opt/tomcat/webapps/ROOT
sudo rm -rf /opt/tomcat/webapps/ROOT.war
sudo rm -rf /opt/tomcat/work/Catalina
sudo cp /home/your_linux_username/skywinone.war /opt/tomcat/webapps/ROOT.war
sudo systemctl start tomcat && sudo tail -1000f /opt/tomcat/logs/catalina.out

chmod +x /etc/skywin/deploy*.sh

sudo apache2ctl configtest
# Expected: AH00558 warning + "Syntax OK"

Create /etc/apache2/conf-available/local-xxxxxxxx.conf with:

ServerName www.yyyyyy.com

sudo a2enconf local-skywinner
sudo systemctl reload apache2
sudo apache2ctl configtest
# Should result in: "Syntax OK"

sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod proxy
sudo a2enmod proxy_http

Create /etc/apache2/sites-available/xxxxxxxx.conf:

<VirtualHost *:80>
    ServerName www.yyyyyy.com
    ServerAlias yyyyyy.com
    ServerAdmin info@xxxxxxxx.com
    ProxyRequests off
    ProxyPass "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

sudo a2ensite xxxxxxxx.conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
sudo apache2ctl configtest
# Should result in: "Syntax OK"

sudo ufw allow 'Apache Full'
sudo ufw enable
sudo ufw status

Update your DNS and load balancer, then verify the site works at www.yyyyyy.com.

After verification, tighten the firewall:

sudo ufw deny 8080
sudo ufw status numbered
sudo ufw delete 8,7,6,5  # remove IPv6 rows — adjust numbers to match your output

Final firewall state should resemble:

[ 1] 3306/tcp      ALLOW IN    Anywhere
[ 2] 22            ALLOW IN    Anywhere
[ 3] Apache Full   ALLOW IN    Anywhere