Environment
- CentOS 7, 8 GB RAM
- Tomcat 7
Remediating the Nessus scan findings
12085 - Apache Tomcat Servlet / JSP Container Default Files
- Delete examples, docs and manager (and host-manager, which ships alongside them) under tomcat/webapps/; keep ROOT, but leave nothing inside it except the custom 404 page
35291 - SSL Certificate Signed Using Weak Hashing Algorithm
42873 - SSL Medium Strength Cipher Suites Supported
20007 - SSL Version 2 and 3 Protocol Detection
The HTTPS certificate is too weak: the keystore was generated with the old keytool defaults (a 1024-bit key with a SHA-1 signature, which is what plugin 35291 reports), so regenerate it as a 2048-bit RSA key signed with SHA-256, pin the cipher suite list, and disable SSL 2.0 and SSL 3.0.
For the certificate creation steps see the HTTPS certificate creation notes.
Note: the key size and signature algorithm have to be passed to keytool explicitly; older JDKs do not pick strong values on their own.
Then edit the HTTPS Connector in server.xml and set keystoreFile, truststoreFile, sslProtocol and sslEnabledProtocols:
<!-- HTTPS connector. sslEnabledProtocols leaves out SSLv2/SSLv3 (plugin 20007) and the explicit
     cipher list drops the 3DES/RC4 medium-strength suites (plugin 42873). TLSv1 and TLSv1.1 are kept
     here for old clients, but newer scan plugins flag them as well, so narrow the list to "TLSv1.2"
     where the clients allow it. keystorePass/truststorePass "123456" is a placeholder: use a real
     secret. The maxSpareThreads and debug="0" attributes from older Tomcat versions are left out:
     Tomcat 7 does not know them and only logs a "did not find a matching property" warning. -->
<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" keystoreFile="conf/server.keystore" keystorePass="123456"
truststoreFile="conf/server.keystore" truststorePass="123456"/>
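The two halves of this fix, as an added example that is not part of the original notes: a keytool invocation that regenerates the keystore with the key size and signature algorithm spelled out, and a small audit over the Connector element that catches the settings behind plugins 20007, 42873 and 35291 before the next scan does. The keystore path, alias and the sample Connector elements are assumptions; the cipher-name typo in the weak sample is the one that an unchecked list would silently lose.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: (1) regenerate the keystore with a
# 2048-bit RSA key and a SHA-256 signature, (2) audit a <Connector> element for the
# settings behind Nessus 35291/42873/20007. Keystore path and alias are assumptions.

KEYSTORE="${KEYSTORE:-conf/server.keystore}"   # assumed path, matches server.xml above
ALIAS="${ALIAS:-tomcat}"                       # assumed alias

# Self-signed 2048-bit RSA certificate signed with SHA-256. Every parameter is given
# explicitly because the old keytool defaults (1024-bit, SHA-1) are what 35291 flags.
make_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 730 -keystore "$KEYSTORE" \
    -dname "CN=$(hostname), O=example, C=CN" \
    -storepass "$1" -keypass "$1"
}

# Print the value of one attribute of the Connector element read from stdin.
connector_attr() {
  tr '\n' ' ' | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Audit the Connector on stdin; prints one finding per line, nothing when clean.
audit_tls_connector() {
  conn=$(cat)
  protos=$(printf '%s' "$conn" | connector_attr sslEnabledProtocols)
  ciphers=$(printf '%s' "$conn" | connector_attr ciphers)
  pass=$(printf '%s' "$conn" | connector_attr keystorePass)

  # 20007: SSLv2/SSLv3 enabled (SSLv2Hello is only the hello format and is not flagged)
  case ",$protos," in *,SSLv2,*|*,SSLv3,*) echo "SSLv2/SSLv3 enabled";; esac
  [ -n "$protos" ] || echo "sslEnabledProtocols not set: JSSE enables whatever the JVM allows"
  # not part of 20007, but TLS 1.0/1.1 trip newer scan plugins
  case ",$protos," in *,TLSv1,*|*,TLSv1.1,*) echo "legacy TLSv1/TLSv1.1 enabled";; esac
  # 42873: medium-strength suites (3DES, RC4), or no explicit list at all
  [ -n "$ciphers" ] || echo "ciphers not set: JVM default suite list in use"
  printf '%s' "$ciphers" | tr ',' '\n' | grep -E '3DES|RC4|_NULL_|EXPORT|anon' | sed 's/^/medium or weak cipher: /'
  # a misspelled suite name is dropped from the list instead of failing startup, so catch typos
  printf '%s' "$ciphers" | tr ',' '\n' | grep -v '^$' | grep -Ev '^(TLS|SSL)_[A-Z0-9_]+_WITH_[A-Z0-9_]+$' | sed 's/^/unrecognised cipher name: /'
  case "$pass" in ""|changeit|123456) echo "default or trivial keystore password";; esac
  return 0
}

# Live check after the restart (needs openssl and a reachable host): an SSLv3 handshake
# must fail and a TLS 1.2 handshake must succeed. An openssl built without SSLv3 support
# also "fails" the first test, so confirm the SSLv3 result with a second tool.
verify_live() {
  host=${1:-localhost}; port=${2:-8443}
  if printf '' | openssl s_client -connect "$host:$port" -ssl3 >/dev/null 2>&1; then
    echo "SSLv3 still accepted by $host:$port"; return 1
  fi
  printf '' | openssl s_client -connect "$host:$port" -tls1_2 2>/dev/null | grep -E '^ *(Protocol|Cipher) *:'
}

# Constructed samples (not captured from a real server): the connector from the notes
# with its cipher-name typo and default password, next to a hardened variant.
WEAK_CONNECTOR='<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITAES_128_CBC_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
  keystoreFile="conf/server.keystore" keystorePass="123456"/>'
HARDENED_CONNECTOR='<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  keystoreFile="conf/server.keystore" keystorePass="Str0ng-Store-Pass"/>'

echo "== weak connector =="
printf '%s\n' "$WEAK_CONNECTOR" | audit_tls_connector
echo "== hardened connector (no output expected) =="
printf '%s\n' "$HARDENED_CONNECTOR" | audit_tls_connector
```

Run `make_keystore 'your-store-password'` once on the Tomcat host, restart, then `verify_live your.host 8443`. To audit the real file, feed the element itself: `sed -n '/<Connector port="8443"/,/\/>/p' conf/server.xml | audit_tls_connector`.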
Cookies are set without the HttpOnly flag
vim tomcat/conf/context.xml
<!-- set HttpOnly on the session cookie: tomcat/conf/context.xml -->
<Context useHttpOnly="true">
Tomcat 7 already defaults useHttpOnly to true, so this only matters if the attribute was set to false somewhere (conf/context.xml or an application's META-INF/context.xml). The flag covers the JSESSIONID cookie only; cookies the application sets itself need HttpOnly set in the application code.
Sensitive information disclosure
Requesting a URL that does not exist returns Tomcat's default error page, which prints the exact Tomcat version.
Custom Tomcat 404 page
# create a custom 404.html under ROOT and delete everything else in it
# configure the 404 page in the global descriptor: conf/web.xml applies to every webapp, and
# <location> is resolved inside each webapp, so the file has to exist in every deployed application
vim conf/web.xml
...
# add the following
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
...
Other status codes (400, 403, 405, 500 and unhandled exceptions) still render the default page with the version banner unless they get their own <error-page> entries.
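Generating the error-page mappings for all the codes that would otherwise fall back to the default page, and checking a response body for the version banner, as an added example that is not part of the original notes. The page name /404.html is assumed to be the one static file kept in ROOT; the response bodies below are constructed, modelled on Tomcat 7's default error report with a placeholder version.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: emit <error-page> entries for every
# status code whose default Tomcat page carries the version banner, and check response
# bodies for that banner. The page name and the probe URL are assumptions.

ERROR_PAGE="${ERROR_PAGE:-/404.html}"   # assumed: the one static page kept in ROOT

# web.xml fragment mapping each given status code, plus uncaught exceptions, to the
# static page, so Tomcat's default error report is never rendered.
error_page_xml() {
  for code in "$@"; do
    printf '    <error-page>\n        <error-code>%s</error-code>\n        <location>%s</location>\n    </error-page>\n' "$code" "$ERROR_PAGE"
  done
  printf '    <error-page>\n        <exception-type>java.lang.Throwable</exception-type>\n        <location>%s</location>\n    </error-page>\n' "$ERROR_PAGE"
}

# True (exit 0) when a response body contains Tomcat's "Apache Tomcat/x.y.z" banner.
leaks_version() {
  printf '%s' "$1" | grep -Eq 'Apache Tomcat/[0-9]+\.[0-9]+\.[0-9]+'
}

# Live probe after the change (needs curl): a missing path (404) and a malformed path (400).
probe_live() {
  base=${1:-https://localhost:8443}
  for path in "/does-not-exist-$$" '/%zz'; do
    body=$(curl -sk "$base$path")
    if leaks_version "$body"; then echo "LEAK $path"; else echo "ok   $path"; fi
  done
}

# Constructed bodies: Tomcat 7's default error report (version is a placeholder) and a
# bare custom page.
DEFAULT_404='<html><head><title>Apache Tomcat/7.0.76 - Error report</title></head>
<body><h1>HTTP Status 404 - /nope</h1><HR size="1" noshade="noshade">
<p><b>type</b> Status report</p><p><b>message</b> <u>/nope</u></p>
<p><b>description</b> <u>The requested resource is not available.</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
CUSTOM_404='<html><body><h1>Page not found</h1></body></html>'

error_page_xml 400 401 403 404 405 500
leaks_version "$DEFAULT_404" && echo "default page leaks the version"
leaks_version "$CUSTOM_404" || echo "custom page is clean"
```

Paste the generated fragment into conf/web.xml inside <web-app>, restart, and run `probe_live https://your.host:8443`; both lines should read ok.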
Unsafe HTTP methods supported
- Restrict OPTIONS, PUT and DELETE with a security-constraint in Tomcat's web.xml (TRACE is listed as well, although the Connector's allowTrace already defaults to false). The scanner's evidence is normally the Allow header of an OPTIONS response; PUT and DELETE are only actually honoured by the DefaultServlet when its readonly parameter is false, and the default is true. Blocking OPTIONS also breaks CORS preflight requests, so keep it only if no browser client makes cross-origin calls.
# inside <web-app></web-app> add (HEAD is deliberately not listed: it is harmless, and blocking it breaks clients that probe with HEAD):
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted-methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<!-- an empty auth-constraint means nobody is allowed: Tomcat answers 403 -->
<auth-constraint>
</auth-constraint>
</security-constraint>
<!-- not required for the 403 above; harmless if BASIC auth is wanted for other constraints -->
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
Caveat: a constraint that lists methods covers only those methods, so PATCH or any invented verb still reaches the application. The Servlet 3.0 form, which Tomcat 7 supports, lists the allowed methods with <http-method-omission> and denies everything else (<deny-uncovered-http-methods/> is Servlet 3.1 and needs Tomcat 8).
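The allow-list form of the same restriction (http-method-omission from Servlet 3.0, which Tomcat 7 implements), together with a curl probe for a running server and offline checks over captured output, as an added example that is not part of the original notes. The probe URL is an assumption; the OPTIONS response and probe results below are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: the allow-list form of the method
# restriction (http-method-omission, Servlet 3.0, supported by Tomcat 7), a curl probe
# for a running server, and offline checks over captured output. URL is an assumption.

# web.xml fragment: every method NOT named here falls under the empty <auth-constraint>
# and is answered with 403, so PATCH or an invented verb is covered as well.
method_constraint_xml() {
  printf '    <security-constraint>\n        <web-resource-collection>\n'
  printf '            <web-resource-name>restricted-methods</web-resource-name>\n            <url-pattern>/*</url-pattern>\n'
  for m in "$@"; do printf '            <http-method-omission>%s</http-method-omission>\n' "$m"; done
  printf '        </web-resource-collection>\n        <auth-constraint/>\n    </security-constraint>\n'
}

# Live probe (needs curl and a reachable Tomcat): prints "METHOD STATUS" per method.
probe_methods() {
  url=$1; shift
  for m in "$@"; do
    printf '%s %s\n' "$m" "$(curl -sk -o /dev/null -w '%{http_code}' -X "$m" "$url")"
  done
}

# Offline: read "METHOD STATUS" lines on stdin and list methods outside the allow-list
# that were not refused (anything other than a 4xx/5xx status).
unsafe_methods_live() {
  allow=" $* "
  while read -r m status; do
    [ -n "$m" ] || continue
    case "$allow" in *" $m "*) continue;; esac
    case "$status" in 4??|5??) ;; *) echo "$m";; esac
  done
}

# Offline: scanners cite the Allow: header of an OPTIONS response; read captured headers
# on stdin and list advertised verbs that are not on the allow-list.
advertised_unsafe_methods() {
  allow=" $* "
  tr -d '\r' | sed -n 's/^[Aa]llow:[[:space:]]*//p' | tr ',' '\n' | tr -d ' ' | while read -r m; do
    [ -n "$m" ] || continue
    case "$allow" in *" $m "*) ;; *) echo "$m";; esac
  done
}

# Constructed samples (not captured from a real host): an OPTIONS response from an
# unrestricted Tomcat, and probe output from a server where only PATCH slipped through.
OPTIONS_RESPONSE='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0'
PROBE_RESULT='GET 200
HEAD 200
POST 200
PUT 403
DELETE 403
OPTIONS 403
TRACE 405
PATCH 200'

method_constraint_xml GET HEAD POST
echo "advertised but not allowed: $(printf '%s\n' "$OPTIONS_RESPONSE" | advertised_unsafe_methods GET HEAD POST | tr '\n' ' ')"
echo "live but not allowed: $(printf '%s\n' "$PROBE_RESULT" | unsafe_methods_live GET HEAD POST | tr '\n' ' ')"
```

Against a real server: `probe_methods https://your.host:8443/ GET HEAD POST PUT DELETE OPTIONS TRACE PATCH | unsafe_methods_live GET HEAD POST` should print nothing once the omission-style constraint is in place, while the http-method list from the notes leaves PATCH in the output.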
Performance tuning
JVM parameter tuning
vim catalina.sh
...
# add the JVM parameters (better: put this line in bin/setenv.sh, which catalina.sh sources on start, so a Tomcat upgrade does not overwrite it)
JAVA_OPTS="$JAVA_OPTS -XX:PermSize=128M -XX:MaxPermSize=256M -Xms1024M -Xmx1024M -Xss512k"
...
PermSize/MaxPermSize only apply to Java 7 and older; Java 8 removed PermGen and prints a warning that the options are ignored (the equivalents are -XX:MetaspaceSize and -XX:MaxMetaspaceSize). -Xss512k multiplied by maxThreads is the thread-stack reservation to budget alongside the 1 GB heap on this 8 GB host.
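Picking the flag pair that matches the installed JDK and writing it to bin/setenv.sh instead of editing catalina.sh, as an added example that is not part of the original notes. The heap sizes are the ones from the notes; CATALINA_BASE defaulting to the current directory is an assumption, and the java -version banners below are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: choose the memory flags that match the
# installed JDK and write them to bin/setenv.sh, which catalina.sh sources at startup,
# so they survive a Tomcat upgrade. Heap sizes are the ones from the notes;
# CATALINA_BASE defaulting to the current directory is an assumption.

# Major version from `java -version` output: "1.7.0_80" -> 7, "1.8.0_292" -> 8, "11.0.11" -> 11.
java_major_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 | cut -d- -f1 ;;
  esac
}

# PermGen exists only up to Java 7; Java 8+ prints "ignoring option PermSize" and uses
# Metaspace instead, so the flag pair is chosen by major version.
jvm_opts_for() {
  common="-Xms1024M -Xmx1024M -Xss512k"
  if [ "$1" -lt 8 ]; then
    echo "$common -XX:PermSize=128M -XX:MaxPermSize=256M"
  else
    echo "$common -XX:MetaspaceSize=128M -XX:MaxMetaspaceSize=256M"
  fi
}

# Write bin/setenv.sh for the JVM on PATH (run this on the Tomcat host).
write_setenv() {
  base=${CATALINA_BASE:-.}
  major=$(java_major_version "$(java -version 2>&1)")
  printf '#!/bin/sh\n# generated for Java %s\nexport JAVA_OPTS="$JAVA_OPTS %s"\n' \
    "$major" "$(jvm_opts_for "$major")" > "$base/bin/setenv.sh"
  chmod 755 "$base/bin/setenv.sh"
}

# Constructed `java -version` banners (not captured from the machine above).
JDK7_BANNER='java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)'
JDK8_BANNER='openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)'
JDK11_BANNER='openjdk version "11.0.11" 2021-04-20 LTS'

for b in "$JDK7_BANNER" "$JDK8_BANNER" "$JDK11_BANNER"; do
  major=$(java_major_version "$b")
  echo "Java $major: $(jvm_opts_for "$major")"
done
```

On the host, `CATALINA_BASE=/path/to/tomcat write_setenv` creates the file; catalina.sh picks it up on the next start and the PermSize warning disappears on Java 8.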
Thread and connection tuning
vim server.xml
...
<!-- the same HTTPS connector with larger limits. protocol="HTTP/1.1" selects the blocking BIO
     connector on Tomcat 7 (unless the APR native library is installed), where maxConnections
     defaults to maxThreads; use protocol="org.apache.coyote.http11.Http11NioProtocol" if
     connections are meant to exceed threads. debug="0" is dropped: it is not a Tomcat 7
     attribute and only logs a warning. -->
<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="1024" maxConnections="1024" minSpareThreads="25" acceptCount="150"
enableLookups="false" disableUploadTimeout="true"
scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" keystoreFile="conf/server.keystore" keystorePass="123456"
truststoreFile="conf/server.keystore" truststorePass="123456"/>
Parameter notes:
* acceptCount: length of the queue for incoming connections while every worker thread is busy, default 100; connections arriving once the queue is full are refused
* maxConnections: maximum number of connections Tomcat accepts and processes at any time; for BIO the default is maxThreads, for NIO and NIO2 it is 10000, for APR 8192
* minSpareThreads: minimum number of threads kept alive in the pool, default 10
* maxThreads: maximum number of worker threads, default 200; on BIO this is also the number of connections that can be served at once, and each thread reserves one -Xss stack
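Reading a Connector back and reporting the limits that actually apply, with the defaults from the parameter notes filled in and a warning for settings that do nothing on the connector type in use, as an added example that is not part of the original notes. The two sample Connector elements are constructed (the first is the tuned connector from the notes with its TLS attributes trimmed).

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: read a <Connector> element and report
# its effective thread/connection limits, filling in the Tomcat 7 defaults listed in the
# parameter notes, and warn about settings that do nothing for the selected connector.
# The sample connectors are constructed.

connector_attr() {
  tr '\n' ' ' | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# protocol attribute -> implementation. On Tomcat 7 "HTTP/1.1" (or no protocol) means
# the blocking BIO connector unless the APR native library is installed.
connector_type() {
  case "$1" in
    ""|HTTP/1.1|org.apache.coyote.http11.Http11Protocol) echo bio ;;
    *Http11NioProtocol)  echo nio ;;
    *Http11Nio2Protocol) echo nio2 ;;
    *Http11AprProtocol)  echo apr ;;
    *) echo unknown ;;
  esac
}

# Default maxConnections: BIO = maxThreads, NIO/NIO2 = 10000, APR = 8192.
default_max_connections() {
  case "$1" in bio) echo "$2" ;; nio|nio2) echo 10000 ;; apr) echo 8192 ;; *) echo 0 ;; esac
}

# Summarise the Connector on stdin: first line the effective limits, then warnings.
connector_limits() {
  conn=$(cat)
  proto=$(printf '%s' "$conn" | connector_attr protocol)
  ctype=$(connector_type "$proto")
  maxthreads=$(printf '%s' "$conn" | connector_attr maxThreads);    [ -n "$maxthreads" ] || maxthreads=200
  maxconn=$(printf '%s' "$conn" | connector_attr maxConnections);   [ -n "$maxconn" ] || maxconn=$(default_max_connections "$ctype" "$maxthreads")
  acceptcount=$(printf '%s' "$conn" | connector_attr acceptCount);  [ -n "$acceptcount" ] || acceptcount=100
  minspare=$(printf '%s' "$conn" | connector_attr minSpareThreads); [ -n "$minspare" ] || minspare=10
  echo "type=$ctype maxThreads=$maxthreads maxConnections=$maxconn acceptCount=$acceptcount minSpareThreads=$minspare"
  # BIO ties one worker thread to each connection for its whole life, so connections above
  # maxThreads cannot be served concurrently; that headroom only exists on NIO/NIO2/APR.
  if [ "$ctype" = bio ] && [ "$maxconn" -gt "$maxthreads" ]; then
    echo "warning: maxConnections ($maxconn) > maxThreads ($maxthreads) on BIO; use protocol=\"org.apache.coyote.http11.Http11NioProtocol\""
  fi
  # attributes Tomcat 7 does not know: each logs a "did not find a matching property" warning
  for dead in maxSpareThreads debug; do
    [ -z "$(printf '%s' "$conn" | connector_attr "$dead")" ] || echo "warning: $dead is not a Tomcat 7 Connector attribute"
  done
  return 0
}

# Constructed samples: the tuned connector from the notes (TLS attributes trimmed, debug="0"
# left in on purpose) and a bare NIO connector that relies on the defaults.
TUNED_CONNECTOR='<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="1024" maxConnections="1024" minSpareThreads="25" acceptCount="150"
  enableLookups="false" disableUploadTimeout="true" debug="0" scheme="https" secure="true"/>'
NIO_CONNECTOR='<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>'

printf '%s\n' "$TUNED_CONNECTOR" | connector_limits
printf '%s\n' "$NIO_CONNECTOR" | connector_limits
```

For the live file: `sed -n '/<Connector port="8443"/,/\/>/p' conf/server.xml | connector_limits`.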