Archive

Posts Tagged ‘tomcat’

Security through obscurity – hiding your server version information

August 31st, 2014 No comments

I’ve recently spent a lot of time reviewing the OWASP documentation, and (like many corporations) realized that I’d neglected to keep up with this configuration item.

By sharing the exact version of each piece of server software you are using, “hackers” are able to quickly identify unpatched systems and their known vulnerabilities.

To make their work harder, there are a few simple steps that the server admin can take to remove this information from the HTTP Headers and error pages.

Apache HTTPd:

  1. sudo vi /etc/apache2/conf-enabled/security.conf
  2. Add:

    ServerTokens ProductOnly
    ServerSignature Off
  3. If using virtual hosts, add the following to each one:
    ServerSignature Off
  4. sudo service apache2 restart

Apache Tomcat:

  1. cd /opt/tomcat7/lib
  2. mkdir -p org/apache/catalina/util
  3. vi /opt/tomcat7/lib/org/apache/catalina/util/ServerInfo.properties
    server.info=Apache Tomcat
  4. sudo service tomcat7 restart

PHP “X-Powered-By: PHP/5.x.x-1ubuntuX.X”

  1. sudo vi /etc/php5/apache2/php.ini
    expose_php = Off
  2. sudo service apache2 restart

REFERENCES:

Renaming JSESSIONID

August 30th, 2014 No comments

Older versions of Apache Tomcat, as well as the older servlet specifications required that several configuration values need to be set. With servlet 3, you can now modify the name of the session cookie (as well as the ‘rewriting’ attribute name) in the web.xml file

In web.xml: (servlet 3.x)

<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<name>mysessionid</name><!-- default is jsessionid -->
<http-only>true</http-only>
<!-- secure>true</secure-->
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>

Alternately for Tomcat7, modify TOMCAT_HOME\conf\context.xml:
<Context path="/exampleApp" sessionCookieName="myid">

If you are using spring security, then you should try setting disable-url-rewriting attribute of <http> element to true.

REFERENCES:

Problems uploading/deploying large WAR’s to Tomcat7?

August 17th, 2014 No comments

I’ve run into this a few times as my web applications got larger. Often this has been seen when builds automated by Jenkins start failing as they increase in size. It has also occurred to me when doing manual deployments as the Jenkins WAR itself is larger than 50MB lately.

Let’s just go in and increase the maximum expected file size…

This change should work on any platform, but the following is from my experience with Ubuntu.

sudo vi /opt/tomcat7/webapps/manager/WEB-INF/web.xml

Default is:

<multipart-config>
<!-- 50MB -->
<max-file-size>62428800</max-file-size>
<max-request-size>62428800</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>

Change to something a bit larger (to your liking):

<multipart-config>
<!-- 50MB max 62428800, 100MB = 104857600 -->
<max-file-size>104857600</max-file-size>
<max-request-size>104857600</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>

Restart with either…
sudo /etc/init.d/tomcat7 restart
or
sudo service tomcat7 restart

Install Splunk Universal Forwarder on Ubuntu

August 16th, 2014 No comments

After a while it can get tedious to access and review server logs via the command line. There are several tools available that can provide the same information in a graphical manner. Recently I’ve migrated to Splunk as there are both Enterprise and Free versions available.

  1. Of course, you’ll need a Splunk server installed first, as the forwarder is really just another (lighter) instance that will forward the log information to a central location.
  2. Download the system appropriate installer from:
    http://www.splunk.com/download/universalforwarder

  3. Check to see if you are running 32 or 64 bit OS.

    uname -a

    If you see i686 you are 32 bit, if x86_64 you are 64 bit!

  4. Download, you’ll likely need a different version:

    sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-intel.deb
    or
    sudo dpkg -i splunkforwarder-6.1.3-220630-linux-2.6-amd64.deb

  5. Enable auto-start on reboot:

    cd /opt/splunkforwarder/bin/

  6. sudo ./splunk enable boot-start

  7. Start the server:

    sudo service splunk start

  8. Set the password:

    The default ‘admin‘ password is ‘changeme‘ so we need to change it immediately to do anything else, or we will see errors in future steps.

    sudo /opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme

  9. Set the server:

    sudo /opt/splunkforwarder/bin/splunk add forward-server YOUR_SERVER_ADDRESS:9997

    NOTE: if you get prompted for a splunk username/password you likely skipped the above step. Remember – the forwarder is a new ‘light’ installation of the server and as such has it’s own users!

  10. Enable some monitors on the box:

    Some common services and log locations to get you started…

    Apache2 HTTPd
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/apache2 -index main -sourcetype Apache2
    Tomcat7
    sudo /opt/splunkforwarder/bin/splunk add monitor /opt/tomcat7/logs -index main -sourcetype Tomcat7
    MySQL
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mysql -index main -sourcetype MySQL
    Postfix (SMTP)
    sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/mail.log -index main -sourcetype Postfix
    SonarQube
    sudo /opt/splunkforwarder/bin/splunk add monitor /opt/sonar/logs -index main -sourcetype Sonar
  11. (OPTIONAL) Verify configuration by opening file at the following:

    sudo su
    vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
    exit

  12. You now should be able to log into your server and see new data flowing from the forwarder.

    NOTE: this requires you to enable ‘receiving’ of data on the port specified above, usually 9997.

REFERENCES:

Enable larger file uploads via Tomcat manager

December 7th, 2013 No comments

Shortly after I automated code deployments in my Tomcat7 development testing environment, I found that some larger builds began failing with the following error:


org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException: the request was rejected because its size (...) exceeds the configured maximum (62428800)

After a little digging, I found that the WAR files were exceeding the default maximum upload size, thankfully, this is trivial to increase.


sudo vi /usr/share/tomcat7-admin/manager/WEB-INF/web.xml

(Change 52428800 to a larger number, perhaps doubled like 104857600)

<multipart-config
<!-- 50MB max = 52428800 (100MB = 104857600) -->
<max-file-size>104857600</max-file-size>
<max-request-size>104857600</max-request-size>
<file-size-threshold>0</file-size-threshold>
</multipart-config>

REFERENCES:

Improve Apache Tomcat logging performance

April 6th, 2013 No comments

Logging is often an overlooked performance drain on systems requiring high throughput. Here’s a simple change to the default Tomcat logging configuration to implement. It works on all operating systems.

In the file:
$TOMCAT_HOME/conf/logging.properties

Change:
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

to
.handlers = 1catalina.org.apache.juli.FileHandler

REFERENCES:

Sample Tomcat7 setup

February 8th, 2013 No comments

There are a few steps that I generally take to setup a new Tomcat server instance, this enables the following:

  • The manager console
  • HTTP compression
  • UTF-8 encoding

Steps:

  1. tomcat-users.xml – add to bottom:

    <role rolename="manager-gui"/>
    <user username="tomcat" password="s3cr3t" roles="manager-gui"/>

  2. server.xml – add compression and URIEncoding, change port if desired:

    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" compression="on" URIEncoding="UTF-8" />

  3. server.xml – relocate webapps by adding ../ to appBase

    <Host name="localhost" appBase="../webapps"
    unpackWARs="true" autoDeploy="true">

  4. Restart your server, on Ubuntu use:

    sudo service tomcat7 restart

Custom 404 Page for Tomcat web applications

January 27th, 2011 No comments

This is a relatively common problem in JSP based apps as you need to understand the configuration. It’s further complicated if you use Apache HTTPD in front of the Apache Tomcat server to process requests as you need to know where each request is processed.

For this example, we will use the standard 404 error, but you can also intercept other errors for custom pages.

  1. create 404.jsp
    <% final SimpleDateFormat simpleDate = new SimpleDateFormat(“EE MMM dd yyyy hh:mm:ss aa zzz”);
    final String dttm = simpleDate.format(new Date()); %>
    <html>
    <title>404 Not Found</title>
    <ul>
    <li>Time: <%= dttm %></li>
    <li>User-Agent: <%= request.getHeader(“User-Agent”) %></li>
    <li>Server: <%= request.getServerName() %></li>
    <li>Request: <%= request.getRequestURI() %></li>
    <li>Remote: <%= request.getRemoteAddr() %></li>
    <li>Referer: <%= request.getHeader(“Referer”) %></li>
    </ul>
    </html>
  2. in WEB-INF/web.xml – add the following (NOTE: location within the file is important but outside the scope of this post)

    404
    /404.jsp

  3. You might want to force the HTTP Header to give something other than a ‘404 status’ code, otherwise MSIE will show an unstyled ‘friendly error message’ if the user has not turned off the default setting. Unfortunately, this also means that search engines might index these pages that should not exist.

REF:

Enable HTTP GZip compression on Apache Tomcat

September 29th, 2010 No comments

This one escaped me for a long time and I never saw a decent example of it in any of the documentation.

GZip compression saves on network bandwidth as files are compressed during transport between the HTTP Server and browser/client. If you already use Apache HTTP or a similar webserver to front Tomcat, this is not always necessary, but in cases where you expose your appserver directly, even if it is just for testing, you may want to add this configuration item as it increases the perceived speed of the application.

The solution is simple:

  1. To be safe, first stop the server and backup your configuration files
  2. Look in the /TOMCAT/conf installation folder.
  3. In the ‘server.xml’ file, you will find a line resembling…
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  4. This one controls the HTTP/1.1 connections, add a new value to the list…
    compression="on"
  5. NOTE You might also see a value for for AJP/1.3, unfortunately compression only works for HTTP:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  6. Restart your server.

Cheers

Apache Tomcat Native Library (APR)

January 25th, 2010 No comments

If you have ever looked at the console or logs while starting a Tomcat instance on Windows you have probably seen the following line about APR.

INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path

As long as the “tcnative-1.dll”  is in the Windows PATH, generally you can place it in c:\windows\system32, but any other location in the PATH will work should you need it to be portable, or have different versions in use.

NOTE: Other Operating Systems use a similar approach as Windows to add an environmental variable, optionally you can also add the appropriate location to the “java.library.path” attribute used when calling the VM, if you are more technically inclined.

Cheers