
climbingrose,

climbingrose wrote:
> I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3.
> Everything is working beautifully but I want to hide the 501 error when
> a malicious user tries to access the server.

I assume you always want to hide these messages, since it's difficult to
determine whether a user is malicious or not.

> # telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> alsfjalsfjsdf
> 
> 
> <html><head><title>Apache Tomcat/6.0.10 - Error report</title><style><!--H1

[snip]

> I don't want to show the message because it contains Tomcat information as
> well as revealing the technology I'm using on my website. Any ideas?

Apache httpd is capable of sending an error document based upon any
response code, and it can override that sent by Tomcat. For instance,
you can have Apache httpd intercept 501 from Tomcat and display a page
that contains no server information at all.

Don't forget that your HTTP headers might leak information, too. Check
the ServerTokens Apache httpd directive to make sure you aren't
announcing your server version from Apache httpd.

I'm sure you can turn off this version disclosure within Tomcat, too,
but I can't remember how to do it. Check the archives, 'cause I'm sure
this has been asked in the past.

-chris
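
Added example, not part of the original message: a small Python check that scans a raw HTTP response for the two leaks discussed above, version tokens in banner headers and the Tomcat version string in the error page body. The function name and the sample responses are constructed for illustration.

```python
import re

# Product/version tokens such as "Apache/2.0.59" or "mod_jk/1.2.3".
VERSION_TOKEN = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# Response headers that commonly announce server software.
BANNER_HEADERS = ("server", "x-powered-by")
# Tomcat's default error report names the product and version in the body.
TOMCAT_BANNER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")


def find_disclosures(raw: bytes) -> list[str]:
    """Return one finding per version string leaked by a raw HTTP response."""
    text = raw.decode("iso-8859-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        # No status line (like the reply quoted in the message above):
        # treat the whole reply as body.
        body, lines = text, []
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in BANNER_HEADERS:
            for token in VERSION_TOKEN.findall(value):
                findings.append(f"header {name.strip()}: {token}")
    for banner in sorted(set(TOMCAT_BANNER.findall(body))):
        findings.append(f"body: {banner}")
    return findings


# Constructed sample responses (not captured from a real server).
LEAKY = (b"HTTP/1.1 501 Not Implemented\r\n"
         b"Server: Apache/2.0.59 (Unix) mod_jk/1.2.3\r\n"
         b"Content-Type: text/html\r\n\r\n"
         b"<html><head><title>Apache Tomcat/6.0.10 - Error report</title>"
         b"</head></html>")
HARDENED = (b"HTTP/1.1 501 Not Implemented\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<html><body>Request not supported.</body></html>")
BARE = b"<html><head><title>Apache Tomcat/6.0.10 - Error report</title>"

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED), ("bare", BARE)):
        print(label, find_disclosures(sample) or "no version strings found")
```

Run it against responses captured before and after changing the error document and ServerTokens settings to confirm nothing version-specific is left.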

