Tomcat is mostly used as the middleware tier in our architecture. We currently run an LNMJ stack (Linux, Nginx, MySQL, JDK) in which Tomcat serves the dynamic requests. It processes them quickly but is hungry for resources: if you want this lazy cat to run fast you have to feed it a big fish, otherwise it drags down the whole host.
Below is a brief walkthrough of the hardening items.
Middleware baseline check, according to the latest CIS Apache Tomcat 7 Benchmark
Note: handle the root-related item with caution; the root account should not be used to log in or to run the service directly.
Check item: account the Tomcat process runs as
Path: /application/tomcat
Current value: 0 (uid 0, i.e. root)
Hardening advice: create a low-privilege account and run Tomcat as that account.
Check item: lock out users after repeated login failures
Path: /application/tomcat/conf/server.xml
Current value: (none)
Hardening advice: wrap the existing Realm in `<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">` ... `</Realm>`, so that an account is locked for 600 seconds after 3 consecutive failed logins.
Check item: restrict remote management to specific IPs
Path: /application/tomcat/conf/server.xml
Current value: (none)
Hardening advice: add `<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="<allowed remote management IPs>"/>`. In Tomcat 7 `allow` is a regular expression matched against the client address, so escape the dots (e.g. `127\.0\.0\.1`). Placing the valve under the `<Host>` restricts every application on that host; to restrict only the management applications, put it in their META-INF/context.xml instead.
Check item: suppress exception debug output
Path: /application/tomcat/conf/web.xml
Current value: (none)
Hardening advice: under `<web-app>` in this web.xml add `<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>`, and create an error.jsp under webapps with a custom error message. The location is resolved relative to each web application, so the page must exist in every application that should use it.
Check item: enable transport-layer security for the Manager application
Path: /application/tomcat/webapps/manager/WEB-INF/web.xml
Current value: (none)
Hardening advice: under `<web-app>` in this web.xml add `<security-constraint><web-resource-collection><web-resource-name>Manager</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>` (a `<security-constraint>` is only valid with a `<web-resource-collection>` naming the URLs it covers). This forces the Manager to be used over HTTPS, so an HTTPS connector must exist.
Check item: enable the security lifecycle listener
Path: /application/tomcat/conf/server.xml
Current value: (none)
Hardening advice: uncomment `<Listener className="org.apache.catalina.security.SecurityListener" />`. This listener refuses to start Tomcat as root (checkedOsUsers defaults to root) and enforces a minimum umask of 0007, so complete the run-as-user item first.
Check item: sample files
Path: /application/tomcat/
Current value: /application/tomcat/webapps/examples
Hardening advice: delete the detected sample files or directories.
Check item: Tomcat directory ownership
Path: /application/tomcat/
Current value: root
Hardening advice: change the owner of the Tomcat root directory with `chown -R tomcat:tomcat "<root directory>"`.
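The two account-related items above (the user the Tomcat JVM runs as, and the owner of the install tree) can be checked from their usual command output and fixed with a handful of commands. The script below is an added example, not the page's own script: the /application/tomcat path is the page's, while the account name `tomcat`, the `ps`/GNU `find` output formats and the sample data are assumptions. The fix follows the page's `chown -R`; a tighter layout, root-owned tree with the tomcat account able to write only logs, temp and work, is the usual CIS-style alternative.

```shell
#!/bin/sh
# Added example, not the page's own script. Audits which account runs the
# Tomcat JVM and who owns the install tree, then applies the page's fix.
# Assumptions: account name "tomcat", ps/GNU find output formats, sample data.
TOMCAT_HOME="${TOMCAT_HOME:-/application/tomcat}"

# Input: lines as produced by `ps -eo uid=,user=,args=`.
# Returns 0 if every Tomcat JVM (Bootstrap class on the command line) runs
# with a non-zero uid, 1 if at least one runs as root, 2 if none is running.
tomcat_runs_unprivileged() {
    printf '%s\n' "$1" | grep 'org.apache.catalina.startup.Bootstrap' | awk '
        $1 == 0 { root++ }
        { n++ }
        END { if (n == 0) exit 2; exit (root > 0) }'
}

# Input: lines as produced by `find "$TOMCAT_HOME" -printf '%u %g %p\n'`.
# Prints every entry not owned by $1:$2 and returns 1 if there was any.
files_not_owned_by() {
    printf '%s\n' "$3" | awk -v u="$1" -v g="$2" '
        $1 != u || $2 != g { print; bad = 1 }
        END { exit bad + 0 }'
}

# The fix: a system account with no login shell (nologin path varies by
# distro), owning the tree, nothing readable by "other". Run once as root,
# then start Tomcat as that account.
harden_tomcat_account() {
    id tomcat >/dev/null 2>&1 || useradd -r -s /sbin/nologin -d "$TOMCAT_HOME" tomcat
    chown -R tomcat:tomcat "$TOMCAT_HOME"
    chmod -R o-rwx "$TOMCAT_HOME"
    su -s /bin/sh -c "$TOMCAT_HOME/bin/startup.sh" tomcat
}

# Constructed sample output (not captured from a real host) so the checks run
# offline; on a real host substitute "$(ps -eo uid=,user=,args=)" and
# "$(find "$TOMCAT_HOME" -printf '%u %g %p\n')".
SAMPLE_PS='0 root /usr/bin/java -Dcatalina.home=/application/tomcat org.apache.catalina.startup.Bootstrap start
0 root /usr/sbin/sshd -D'
SAMPLE_TREE='root root /application/tomcat
root root /application/tomcat/conf
root root /application/tomcat/conf/server.xml
tomcat tomcat /application/tomcat/logs
tomcat tomcat /application/tomcat/work'

rc=0; tomcat_runs_unprivileged "$SAMPLE_PS" || rc=$?
case $rc in
    0) echo "PASS: Tomcat runs as a non-root account" ;;
    1) echo "FAIL: a Tomcat JVM runs as uid 0; run harden_tomcat_account" ;;
    *) echo "SKIP: no Tomcat JVM found" ;;
esac
echo "Entries not owned by tomcat:tomcat:"
files_not_owned_by tomcat tomcat "$SAMPLE_TREE" || echo "FAIL: fix with chown -R tomcat:tomcat $TOMCAT_HOME"
```

On a real host the two check functions take the live `ps` and `find` output; only `harden_tomcat_account` needs root, and it should be run exactly once before the SecurityListener item is enabled, because that listener refuses to start Tomcat as uid 0.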
Check item: disable automatic deployment
Path: /application/tomcat/conf/server.xml
Current value: Host: autoDeploy="true"
Hardening advice: set `autoDeploy="false"` on the `<Host>` element.
Check item: do not run the application in privileged mode
Path: /application/tomcat/webapps/manager/META-INF/context.xml
Current value: Context: privileged="true"
Hardening advice: set `privileged="false"`.
Check item: do not run the application in privileged mode
Path: /application/tomcat/webapps/host-manager/META-INF/context.xml
Current value: Context: privileged="true"
Hardening advice: set `privileged="false"`. Note that the Manager and Host Manager applications only function with `privileged="true"` (they need access to the container internals); if they are not needed, remove them from webapps instead of flipping the flag.
Check item: limit the HTTP header size
Path: /application/tomcat/conf/server.xml
Current value: maxHttpHeaderSize not set (Tomcat's default is 8192 bytes)
Hardening advice: add the attribute `maxHttpHeaderSize="8192"` to each detected Connector so that the limit is explicit.
Check item: listening port protocol (scheme) configuration
Path: /application/tomcat/conf/server.xml
Current value: 8080 (HTTP connector)
Hardening advice: set `scheme="http"` or `scheme="https"` on this Connector, matching whether it serves plain HTTP or TLS.
Check item: listening port protocol (scheme) configuration
Path: /application/tomcat/conf/server.xml
Current value: 8009 (AJP connector)
Hardening advice: set `scheme="http"` or `scheme="https"` on this Connector so that `request.getScheme()` reports the protocol clients actually use in front of the proxy.
Check item: use of UserDatabaseRealm (authentication mechanism)
Path: /application/tomcat/conf/server.xml
Current value: org.apache.catalina.realm.UserDatabaseRealm
Hardening advice: stop using UserDatabaseRealm (it reads credentials from conf/tomcat-users.xml); replace it with a realm backed by a database or directory, such as DataSourceRealm or JNDIRealm.
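Most of the items above are attributes in conf/server.xml or a management app's META-INF/context.xml, and a line-by-line grep misses two things: settings that exist only inside an XML comment (the SecurityListener is commented out in the stock server.xml) and elements whose attributes are split across lines. The script below is an added example, not the page's or Tomcat's own code: it strips comments, audits the configuration items from this list, and then applies the page's values in place. The sample XML is constructed (an abridged Tomcat 7 default), and the allowed-management-IP regex passed to `harden_context_xml` is an assumption.

```shell
#!/bin/sh
# Added example, not the page's or Tomcat's own code: a grep/awk audit of the
# server.xml and context.xml items above, plus a hardening pass that applies
# the page's values. Sample XML is constructed (abridged Tomcat 7 defaults).

# Strip XML comments and print one "<element ...>" per line, so a check is not
# fooled by a commented-out SecurityListener or by attributes split across lines.
xml_elements() {
    tr '\n' ' ' < "$1" | awk '{
        s = $0; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1); s = substr(s, i + 4)
            j = index(s, "-->"); s = (j ? substr(s, j + 3) : "")
        }
        n = split(out s, parts, "<")
        for (k = 2; k <= n; k++) print "<" parts[k]
    }'
}

# One FAIL line per finding in conf/server.xml.
audit_server_xml() {
    e=$(xml_elements "$1")
    printf '%s\n' "$e" | grep -q 'realm.LockOutRealm' || echo "FAIL no LockOutRealm: failed logins never lock out"
    printf '%s\n' "$e" | grep -q 'security.SecurityListener' || echo "FAIL SecurityListener absent or commented out"
    printf '%s\n' "$e" | grep '^<Host' | grep -q 'autoDeploy="true"' && echo "FAIL Host autoDeploy=true"
    printf '%s\n' "$e" | grep '^<Realm' | grep -q 'UserDatabaseRealm' && echo "FAIL UserDatabaseRealm (tomcat-users.xml) in use"
    printf '%s\n' "$e" | grep '^<Connector' | while read -r c; do
        port=$(printf '%s' "$c" | sed 's/.* port="\([0-9]*\)".*/\1/')
        case "$c" in *maxHttpHeaderSize=*) ;; *) echo "FAIL Connector $port: no maxHttpHeaderSize" ;; esac
        case "$c" in *scheme=*) ;; *) echo "FAIL Connector $port: no scheme" ;; esac
    done
    return 0
}

# One FAIL line per finding in a management app's META-INF/context.xml.
audit_context_xml() {
    e=$(xml_elements "$1")
    printf '%s\n' "$e" | grep '^<Context' | grep -q 'privileged="true"' && echo "FAIL Context privileged=true"
    printf '%s\n' "$e" | grep -q 'valves.RemoteAddrValve' || echo "FAIL no RemoteAddrValve: reachable from any client IP"
    return 0
}
count_fails() { "$@" | grep -c '^FAIL'; }   # e.g. count_fails audit_server_xml conf/server.xml
LOCKOUT='<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="3" lockOutTime="600" cacheSize="1000" cacheRemovalWarningTime="3600">'

# In-place server.xml fixes. Swapping UserDatabaseRealm for a DataSource/JNDI
# realm is site-specific, so that item is left for the audit to keep flagging.
harden_server_xml() {
    awk -v lock="$LOCKOUT" '
        /<Server / { print; print "  <Listener className=\"org.apache.catalina.security.SecurityListener\" />"; next }
        /<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/ { print "      " lock; inrealm = 1 }
        /<Connector / && !/maxHttpHeaderSize=/ { sub(/<Connector /, "<Connector maxHttpHeaderSize=\"8192\" ") }
        /<Connector / && !/scheme=/ { sub(/<Connector /, "<Connector scheme=\"http\" ") }  # "https" on an SSLEnabled connector
        { gsub(/autoDeploy="true"/, "autoDeploy=\"false\""); print }
        inrealm && /\/>/ { print "      </Realm>"; inrealm = 0 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Management app context.xml: privileged=false plus a RemoteAddrValve. Manager and
# host-manager need privileged="true" to work; if unneeded, delete them instead.
harden_context_xml() {   # $1 = context.xml, $2 = Java regex of allowed client IPs
    ALLOW="$2" awk '
        /<Context / { gsub(/privileged="true"/, "privileged=\"false\"") }
        { print }
        /<Context .*>/ && !/\/>/ { print "  <Valve className=\"org.apache.catalina.valves.RemoteAddrValve\" allow=\"" ENVIRON["ALLOW"] "\" />" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed weak configuration, abridged from the Tomcat 7 defaults.
write_samples() {
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
EOF
    cat > "$1/context.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true" >
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1" /> -->
</Context>
EOF
}

dir=$(mktemp -d); write_samples "$dir"
echo "== before =="; audit_server_xml "$dir/server.xml"; audit_context_xml "$dir/context.xml"
harden_server_xml "$dir/server.xml"
harden_context_xml "$dir/context.xml" '127\.0\.0\.1|10\.0\.0\.\d+'   # assumed management IPs
echo "== after =="; audit_server_xml "$dir/server.xml"; audit_context_xml "$dir/context.xml"
rm -r "$dir"
```

Against the constructed files the first audit reports eight server.xml findings and two context.xml findings; after the hardening pass only the UserDatabaseRealm finding remains, because choosing its replacement realm (and its JDBC or LDAP resource) is a site decision the script should not make. Point the functions at the real conf/server.xml and webapps/manager/META-INF/context.xml to run the same checks on a live install, and take a backup first since the hardening functions rewrite the files in place.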
Tomcat Web Server Optimization