Giant Geek Blog

Improve Apache Tomcat logging performance

skotfred — Sat, 06 Apr 2013 21:09:44 +0000

Logging is often an overlooked performance drain on systems requiring high throughput. Here’s a simple change to the default Tomcat logging configuration to implement. It works on all operating systems.

In the file:
$TOMCAT_HOME/conf/logging.properties

Change:
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

to
.handlers = 1catalina.org.apache.juli.FileHandler

REFERENCES:

Prevent Robots from indexing portions of content

skotfred — Sat, 02 Mar 2013 19:22:35 +0000

Yahoo! initially introduced a CSS class that can be used to notify robots/spiders that a specific section or fragment of content should not be included for search purposes.

class=”robots-noindex”

REFERENCES:

Sample Tomcat7 setup

skotfred — Fri, 08 Feb 2013 16:57:29 +0000

There are a few steps that I generally take to setup a new Tomcat server instance, this enables the following:

The manager console
HTTP compression
UTF-8 encoding

Steps:

tomcat-users.xml – add to bottom:
server.xml – add compression and URIEncoding, change port if desired:
connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" />
server.xml – relocate webapps by adding ../ to appBase
unpackWARs="true" autoDeploy="true">
Restart your server, on Ubuntu use:
sudo service tomcat7 restart

Remove Guest account from Ubuntu 12.10 menu

skotfred — Wed, 16 Jan 2013 06:16:54 +0000

Ubuntu continues to make great strides with improvement to the User Interface for the ‘common’ user. Unfortunately this sometimes comes at the cost of security. 12.10 added a “Guest” account to the launch screen, to allow a new session to be opened. This is not always useful as it represents a potential security concern.

A single line command and reboot will remove it:
sudo sh -c 'echo "allow-guest=false" >> /etc/lightdm/lightdm.conf'

Similarly “Remote Login” can also be hidden/removed.
sudo sh -c 'echo "greeter-show-remote-login=false" >> /etc/lightdm/lightdm.conf'

CSS Cursors

skotfred — Mon, 10 Dec 2012 00:53:04 +0000

The use of CSS cursors within your browser based application or website is a great way to add feedback to the user to increase usability. This is increasingly important for AJAX applications that may be “busy” even when the user is not directly taking action within their browser.

These are all easily appended to classes in your CSS files:

default
auto
inherit
pointer
crosshair
text
help
move
progress
wait
e-resize
ne-resize
n-resize
nw-resize
w-resize
sw-resize
s-resize
se-resize

Partial (CSS3) support in current browsers:

none
all-scroll
context-menu
cell
vertical-text
alias
copy
no-drop
not-allowed
col-resize
row-resize
ew-resize
ns-resize
nesw-resize
nwse-resize

NOTE: for very old browser, you can also set several attributes to allow for the supported one to be used.
.example { cursor:hand;/* IE5-IE5.5 only support (dropped in IE9) */ cursor:pointer; /* IE6 and later */ }

REFERENCES:

Morfeus scanner

skotfred — Mon, 03 Dec 2012 00:04:07 +0000

I was scanning my server log files the other day and found that this old “bot” is still making the rounds. It help’s to shut the door on this with some configuration. It’s specifically looking for PHP vulnerabilities and is easily identified by the expletive in it’s User-Agent HTTP request headers.

REFERENCES:

X-XSS-Protection HTTP Header

skotfred — Sat, 01 Dec 2012 21:51:37 +0000

This HTTP Header is a feature added by MSIE8 to force it to restrict some XSS vectors that can be disabled by the user. Generally you can add it into your webserver configuration.

X-XSS-Protection: 1; mode=block

REFERENCES:

Cross-Origin Resource Sharing (CORS) Header

skotfred — Sat, 01 Dec 2012 03:57:27 +0000

Crossdomain access can be enabled in JavaScript with a mechanism similar to that in Flash. Instead of hosting a crossdomain.xml file though, crossdomain access is enabled per file, through an additional HTTP response header:

Access-Control-Allow-Origin: *

CORS is a more modern equivalent to JSONP for cross-domain XmlHttpRequests(AJAX) with options to limit domains, subdomains and ports.

Initial browser support:

Firefox 3.5
Chrome 4
Safari 3.2
MSIE 8

REFERENCES:

crossdomain.xml

skotfred — Fri, 30 Nov 2012 00:46:08 +0000

Adobe FlashPlayer 7 added several security features. I first became aware of this one as I saw a large number of HTTP 404 errors for a file named ‘crossdomain.xml’ in my webserver logs.

If you use flash on your website, I’d suggest adding an appropriate copy of this file to limit your exposure to some potential security issues.

Restricted domains

Open to all domains (not recommended, but fully backward compatible)

REFERENCES:

Google Web Fonts

skotfred — Thu, 29 Nov 2012 03:08:56 +0000

The use of non-traditional web fonts was once a very challenging task due to various browser specific implementations. Thankfully Google WebFonts have made this easy enough for most developers to add in a cross-browser manner in a matter of minutes.

WARNING, there are a few considerations to make here…

Some browsers displays a blank space in place of the text that uses the font.

… and then re-render text in the web font once it has loaded

Method 1: (most compatible, but cross-browser loading behavior varies)

Method 2: (requires javascript, but is consistent cross-browser)