Tomcat Security Configuration and Performance Optimization

Source: Internet
Author: User
Tags: nginx, reverse proxy


Tomcat is a free and open-source web application server from the Apache Software Foundation. It runs on Linux, Windows and other platforms, and its stable performance, good scalability and zero cost have made it popular with many users. Many Internet and enterprise applications, including our company's, are deployed on Tomcat servers.

We previously ran Tomcat with its default configuration, which leaves some security risks. Last week we hardened Tomcat on all servers in the test environment and also did some rough performance tuning. This is a brief record of that work.

I. Version Security

Upgrade Tomcat to the latest stable version. "Latest stable" balances two concerns: a release needs time in the field to prove itself stable, while a newer release carries the latest fixes. In practice we stay on the current major version and pick a release a few versions (or a few months) behind the newest one.

Tomcat 6.0 and 7.0 are the versions most commonly used in enterprises today. Although 8.0 has been available for some time, it is not yet recommended.

When upgrading, note the following:

1. Avoid major version upgrades where possible.

2. Back up the old Tomcat's server.xml, catalina.sh, web.xml and tomcat-users.xml, deploy the new Tomcat version, copy these configuration files over the new version's defaults, then stop the old version and start the new one to complete the upgrade.

II. Hide version information

To avoid being targeted by attacks aimed at a specific version, hide or disguise the Tomcat version string that Tomcat shows on its default error pages.

The default Tomcat version banner (screenshot in the original).

This string is read from a jar file, catalina.jar, in the lib directory under the Tomcat installation directory.

Extracting this jar with the jar xf command yields two directories, META-INF and org; the version information comes from the server.info field in org/apache/catalina/util/ServerInfo.properties, and editing that field changes the Tomcat version that is reported.

The file information is as follows:

[root@localhost ~]# cat org/apache/catalina/util/ServerInfo.properties | grep -Ev '^$|#'
server.info=Apache Tomcat/7.0.53
server.number=7.0.53.0
server.built=Mar 25 2014 06:20:16

There is another way to hide or disguise the Tomcat version, which works the same way underneath (Tomcat's common class loader finds a ServerInfo.properties placed under the lib directory before the copy inside catalina.jar). The steps are as follows:

[root@localhost ~]# cd /usr/local/apache-tomcat-7.0.53/lib
[root@localhost lib]# mkdir -p org/apache/catalina/util
[root@localhost lib]# cd org/apache/catalina/util
[root@localhost util]# vim ServerInfo.properties
# To report a different version number instead, set server.info to that version string.
server.info=nolinux

After modifying the file, restart Tomcat to see the effect.

The result (screenshot in the original).

III. Optimize web.xml

web.xml holds the servlet and other configuration for the whole web application and must follow the standard Servlet deployment descriptor format. You configure your application's options in it, and Tomcat reads the file at startup to initialize the application you developed.

It can be used for the following:

1. Servlet-based configuration.

2. Add listeners to monitor sessions or to load resources when Tomcat starts, for example creating a database connection pool.

3. Set the session expiration time. Tomcat's default is 30 minutes.

4. Set the application's welcome page, usually index.html, index.jsp, etc.

5. Add a filter to perform whatever filtering you need, such as filtering sensitive words.

6. Add JSTL (JSP Standard Tag Library) definitions so the tags can be included in JSP pages and used directly.

7. Struts, Spring or Hibernate configuration.

The following is an excerpt from O'Reilly's Tomcat: The Definitive Guide (2nd edition):

The format of web.xml is defined in the Servlet specification, so every Java servlet container that complies with the specification uses it. When Tomcat deploys an application (at startup or when the application is loaded later), it first reads the common conf/web.xml and then the application's WEB-INF/web.xml. As their locations suggest, the settings in conf/web.xml apply to all web applications, while the settings in an application's WEB-INF/web.xml apply only to that application.

If there is no WEB-INF/web.xml file, Tomcat prints a message that it cannot be found but still deploys and serves the web application. The authors of the Servlet specification wanted a quick and easy way to set up a new web application for testing, so this web.xml is not mandatory; still, it is usually better for every production web application to have a WEB-INF/web.xml, even if only for identification, and I think this is a good habit.

The Servlet specification is mainly aimed at web programmers rather than system administrators, so from an operations point of view we care more about the site's default page, custom error pages, directory listing and similar features.

In a normal production environment Tomcat does not serve the public network directly; Apache or Nginx sits in front of it. We therefore handle the site's default homepage and custom error pages in Apache or Nginx, and the company's programmers may also define them in the project's WEB-INF/web.xml.

In newer Tomcat versions, directory listing is disabled by default.


Below I list several common functions as they are configured in web.xml (the original showed each snippet as a screenshot):

Site default homepage:

Custom error page:

Session timeout:

Directory listing prohibited:
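As an added example (not from the original article), here is a WEB-INF/web.xml that sets all four of the functions above in one descriptor; the /error/404.html and /error/500.html paths and the 20-minute timeout are assumed values for the example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <!-- Site default homepage: served when a directory URL is requested, tried in order -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Custom error pages: replace Tomcat's default report, which prints the version
       string and, for 500s, a stack trace; the /error/*.html paths are assumed here -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/500.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/500.html</location>
  </error-page>

  <!-- Session timeout in minutes; Tomcat's default is 30, a shorter value limits how
       long a leaked session id stays usable (20 is an assumed example value) -->
  <session-config>
    <session-timeout>20</session-timeout>
  </session-config>

  <!-- Directory listing prohibited: redeclare the container's default servlet with
       listings=false so this application never serves an index of a directory -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
```

The error pages themselves must exist under the application's document root, otherwise Tomcat falls back to its default report for the error.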

IV. Optimize tomcat-users.xml

This file holds the list of user names, roles and passwords used for login authentication to the manager application under webapps.

In production, comment out all of the entries in this file.

The file after commenting out (screenshot in the original).
