【原创】Tomcat中间件隐藏版本号

da11 · 发表于 2021-5-7 16:07:44

少侠不来段修仙之旅吗~

x

一般为了安全，使用各中间件时，都会要求隐藏版本号Tomcat中间件隐藏版本号：

将Tomcta目录下lib文件夹中catalina.jar压缩包中 /org/apache/catalina/util/中的ServerInfo.properties 文件的版本号修改为其他信息或者删除

da11 · 发表于 2024-4-2 18:31:17

不改jar包的隐藏方式

转载地址：https://www.jianshu.com/p/2811420329e4

原文地址：https://alphahinex.github.io/2023/10/22/hide-tomcat-server-info/

访问 Tomcat 发布的应用中不存在的页面或 URL 中包含特殊字符时，会看到下面这样的界面：

如遇安全扫描等场景希望不暴露 Tomcat 版本信息时，可以在其配置文件 conf/server.xml 中的 Host 元素内添加如下内容：

<Valve className="org.apache.catalina.valves.ErrorReportValve"
   showReport="false" showServerInfo="false" />

以截图中使用的 Tomcat 10.1.15 版本为例，原始的去掉注释部分的 conf/server.xml 内容如下：

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

<Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443"
            maxParameterCount="1000"
            />
<Engine name="Catalina" defaultHost="localhost">

   <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>
   </Realm>

   <Host name="localhost"  appBase="webapps"
         unpackWARs="true" autoDeploy="true">

      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost_access_log" suffix=".txt"
            pattern="%h %l %u %t "%r" %s %b" />

   </Host>
</Engine>
  </Service>
</Server>

添加 Valve 后为：

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

<Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443"
            maxParameterCount="1000"
            />
<Engine name="Catalina" defaultHost="localhost">

   <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
            resourceName="UserDatabase"/>
   </Realm>

   <Host name="localhost"  appBase="webapps"
         unpackWARs="true" autoDeploy="true">

      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
            prefix="localhost_access_log" suffix=".txt"
            pattern="%h %l %u %t "%r" %s %b" />

      <Valve className="org.apache.catalina.valves.ErrorReportValve"
            showReport="false" showServerInfo="false" />

   </Host>
</Engine>
  </Service>
</Server>

隐藏后效果如下：

Error Report Valve
关于 ErrorReportValve 的用法，可参照 Tomcat 对应版本的官方文档，如：https://tomcat.apache.org/tomcat ... #Error_Report_Valve

[原创] 【原创】Tomcat中间件隐藏版本号

少侠不来段修仙之旅吗~

本帖子中包含更多资源

浏览过的版块