原文地址:https://alphahinex.github.io/2023/10/22/hide-tomcat-server-info/
description: "Error Report Valve"
date: 2023.10.22 10:26
categories:
- Tomcat
tags: [Tomcat]
keywords: Tomcat, server info, Host, Valve, ErrorReportValve
访问 Tomcat 发布的应用中不存在的页面或 URL 中包含特殊字符时,会看到下面这样的界面:
http://localhost:8080/not-exist
404http://localhost:8080/([%5E
如遇安全扫描等场景希望不暴露 Tomcat 版本信息时,可以在其配置文件 conf/server.xml
中的 Host
元素内添加如下内容:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />
以截图中使用的 Tomcat 10.1.15 版本为例,原始的去掉注释部分的 conf/server.xml
内容如下:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000"
/>
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
添加 Valve
后为:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000"
/>
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />
</Host>
</Engine>
</Service>
</Server>
隐藏后效果如下:
404-hide 400-hideError Report Valve
关于 ErrorReportValve
的用法,可参照 Tomcat 对应版本的官方文档,如:https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Error_Report_Valve
特殊字符
如果不想上例中的包含特殊字符的请求(http://localhost:8080/([%5E
)被 Tomcat 拒绝至 400 错误页,可通过 Tomcat HTTP Connector 的 标准实现 中的 relaxedPathChars
和 relaxedQueryChars
参数配置在请求路径和查询字符串中允许的特殊字符,例如下面的配置可以使 http://localhost:8080/([%5E
请求跳转到 404 错误页不是默认的 400 错误页。
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000"
relaxedPathChars="<>[\]^`{|}"
/>
系统参数 中的
tomcat.util.http.parser.HttpParser.requestTargetAllow
配置项在 Tomcat 8 中声明弃用,被relaxedPathChars
和relaxedQueryChars
Connector 属性取代。
网友评论