
Hiding Tomcat Version Information

Author: AlphaHinex | Source: published 2023-10-21 11:02

    Original article: https://alphahinex.github.io/2023/10/22/hide-tomcat-server-info/


    description: "Error Report Valve"
    date: 2023.10.22 10:26
    categories:
    - Tomcat
    tags: [Tomcat]
    keywords: Tomcat, server info, Host, Valve, ErrorReportValve


    When you request a page that does not exist in an application deployed on Tomcat, or a URL that contains special characters, you see a page like the following:

    http://localhost:8080/not-exist -> 404 error page (screenshot)

    http://localhost:8080/([%5E -> 400 error page (screenshot)

    If you do not want the Tomcat version to be exposed, for example during a security scan, add the following inside the Host element of the configuration file conf/server.xml:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" 
           showReport="false" showServerInfo="false" />
    

    Taking Tomcat 10.1.15 (the version used in the screenshots) as an example, the original conf/server.xml with the comments removed is as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
    
      <GlobalNamingResources>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
      </GlobalNamingResources>
    
      <Service name="Catalina">
    
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443"
                   maxParameterCount="1000"
                   />
        <Engine name="Catalina" defaultHost="localhost">
    
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                   resourceName="UserDatabase"/>
          </Realm>
    
          <Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true">
    
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access_log" suffix=".txt"
                   pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
          </Host>
        </Engine>
      </Service>
    </Server>
    

    After adding the Valve it becomes:

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
    
      <GlobalNamingResources>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                  pathname="conf/tomcat-users.xml" />
      </GlobalNamingResources>
    
      <Service name="Catalina">
    
        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443"
                   maxParameterCount="1000"
                   />
        <Engine name="Catalina" defaultHost="localhost">
    
          <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                   resourceName="UserDatabase"/>
          </Realm>
    
          <Host name="localhost"  appBase="webapps"
                unpackWARs="true" autoDeploy="true">
    
            <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                   prefix="localhost_access_log" suffix=".txt"
                   pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    
            <Valve className="org.apache.catalina.valves.ErrorReportValve" 
                   showReport="false" showServerInfo="false" />
    
          </Host>
        </Engine>
      </Service>
    </Server>
    

    After hiding, the result looks like this:

    (screenshots: 404-hide, 400-hide)

    Error Report Valve

    For the usage of ErrorReportValve, refer to the official documentation of the corresponding Tomcat version, e.g. https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Error_Report_Valve


    Special characters

    If you do not want requests containing special characters, such as the http://localhost:8080/([%5E example above, to be rejected by Tomcat with the 400 error page, you can use the relaxedPathChars and relaxedQueryChars attributes of the Tomcat HTTP Connector (standard implementation) to configure which special characters are allowed in the request path and query string. For example, the following configuration makes the request http://localhost:8080/([%5E go to the 404 error page instead of the default 400 error page.

    <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443"
                maxParameterCount="1000"
                relaxedPathChars="&lt;>[\]^`{|}"
                />
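
    The following added example (not code from the original post) audits a conf/server.xml for both settings discussed above: it flags each Host whose ErrorReportValve does not set showServerInfo and showReport to false (or that has no explicit ErrorReportValve at all, since Tomcat's defaults show the version), and lists each Connector's relaxedPathChars. The sample XML and the function names are my own constructions.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: a trimmed server.xml with one hardened Host and one
# Host whose ErrorReportValve still leaves showServerInfo at its default.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               relaxedPathChars="&lt;>[\\]^`{|}" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
      <Host name="intranet.example" appBase="intranet">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

def audit_error_report_valves(xml_text):
    """Return a dict of Host name -> list of findings (empty list means OK).

    A Host with no explicit ErrorReportValve gets Tomcat's default one, and
    showReport / showServerInfo default to true, so a missing attribute counts.
    """
    findings = {}
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_VALVE]
        if not valves:
            findings[name] = ["no explicit ErrorReportValve (default exposes version)"]
            continue
        findings[name] = [f"{attr} is not false" for v in valves
                          for attr in ("showServerInfo", "showReport")
                          if v.get(attr, "true").lower() != "false"]
    return findings

def relaxed_path_chars(xml_text):
    """Map Connector port -> relaxedPathChars; the XML parser decodes &lt; to <."""
    return {c.get("port"): c.get("relaxedPathChars", "")
            for c in ET.fromstring(xml_text).iter("Connector")}
```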
    

    The tomcat.util.http.parser.HttpParser.requestTargetAllow entry among the system properties was declared deprecated in Tomcat 8 and is replaced by the relaxedPathChars and relaxedQueryChars Connector attributes.


    Article link: https://www.haomeiwen.com/subject/ohrkidtx.html