
Justin,

Mark already answered your question, but ...

On 12/12/11 3:20 PM, Justin Larose wrote:
> <Connector connectionTimeout="20000" port="18080"
> protocol="HTTP/1.1" redirectPort="8443" server="Unknown Web
> Server/1.0"/>

:(

Really? Masking the server name? At least say "Apache Tomcat" or
something like that. Security By Obscurity doesn't actually solve any
security problems.

Note that the default value for the "server string" is
"Apache-Coyote/1.1" which doesn't really give an attacker any
meaningful information.

> <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" 
> disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat"
>  keystoreFile="conf/sample-ssl.jks" keystorePass="*****" 
> maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" 
> minSpareThreads="25" port="8443" scheme="https" secure="true" 
> sslProtocol="TLS" strategy="ms"
> truststoreFile="conf/sample-ssl.jks" truststorePass="*****"/>

Note: no "server" attribute, here... attackers can still see you are
using "Apache-Coyote/1.1".

> <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" 
> disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat"
>  keystoreFile="conf/sample-ssl.jks" keystorePass="*****" 
> maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" 
> minSpareThreads="25" port="8543" scheme="https" secure="true" 
> sslProtocol="TLS" strategy="ms" truststoreAlgorithm="AnyCert" 
> truststoreFile="conf/sample-ssl.jks" truststorePass="*****"/>

Same here.

> <!-- Define an AJP 1.3 Connector on port 8409. -->
> <Connector port="8409" protocol="AJP/1.3" redirectPort="8443"
> server="Unknown Web Server/1.0"/>

I'm not sure if the AJP connector will return a "Server" response
header to the web server. Most web servers will overwrite this value
so that the client sees the proxy server's "Server" response header.

> <Engine defaultHost="localhost" name="Catalina">
> <!-- This Realm uses the UserDatabase configured in the global JNDI
> resources under the key "UserDatabase".  Any edits that are performed
> against this UserDatabase are immediately available for use by the
> Realm.  -->
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase"/>

If you really are concerned about security, then you shouldn't be
using UserDatabaseRealm.

- -chris

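As an added example (not code from the thread or from the Tomcat project), here is a small Python audit that reads a server.xml modelled on the configuration quoted above and reports, per Connector, the effective "Server" banner (Tomcat's default "Apache-Coyote/1.1" when the `server` attribute is unset, as Chris notes), whether it is an AJP connector whose banner the fronting web server normally overrides, and whether the Engine relies on UserDatabaseRealm. The sample XML and the function names are my own assumptions.

```python
"""Audit a Tomcat server.xml for the points raised in this thread."""
import xml.etree.ElementTree as ET

# Tomcat's default value for the Connector "server" attribute
DEFAULT_SERVER_BANNER = "Apache-Coyote/1.1"

# Constructed sample, modelled on the quoted config (not a real deployment)
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="18080" protocol="HTTP/1.1" redirectPort="8443"
               server="Unknown Web Server/1.0"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8409" protocol="AJP/1.3" redirectPort="8443"
               server="Unknown Web Server/1.0"/>
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Engine>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return one finding per Connector: port, effective banner, notes."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        notes = []
        # Unset "server" means clients see the default Coyote banner
        banner = attrs.get("server", DEFAULT_SERVER_BANNER)
        if "server" in attrs:
            notes.append("custom Server banner: obscurity, not a control")
        if attrs.get("protocol", "HTTP/1.1").startswith("AJP"):
            notes.append("AJP connector: fronting web server normally "
                         "sets the Server header the client sees")
        findings.append({"port": attrs.get("port"),
                         "banner": banner, "notes": notes})
    return findings


def uses_user_database_realm(xml_text):
    """True if any Realm in the file is a UserDatabaseRealm."""
    root = ET.fromstring(xml_text)
    return any(r.get("className", "").endswith("UserDatabaseRealm")
               for r in root.iter("Realm"))


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f["port"], f["banner"], "; ".join(f["notes"]))
    print("UserDatabaseRealm in use:", uses_user_database_realm(SAMPLE_SERVER_XML))
```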