Example Analysis of Security configuration and performance Optimization based on Tomcat

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article presents a sample analysis of security configuration and performance optimization based on Tomcat. It is easy to follow and well organized, and I hope it clears up your doubts. Let me walk you through it.

I. Version security

Upgrade the current Tomcat to the latest stable version. As the name says, a "latest stable version" has to balance two ideas: "latest" and "stable". A stable release needs time to settle, and "latest" is only latest relative to what is already stable. In practice we therefore stay on the current major version and pick a release that is a few versions (or a few months) behind the newest one.

At present, the major Tomcat versions commonly used in enterprises are 6.0 and 7.0. Although 8.0 has been out for quite a while, it is still not recommended.

There are two things to be aware of when upgrading:

1. Avoid cross-version upgrades where possible.

2. Back up server.xml, catalina.sh, web.xml and tomcat-users.xml from the current (old) Tomcat. After deploying the new version, copy these configuration files over the new ones, then stop the old version and start the new one to complete the upgrade.

II. Hide version information

To avoid handing attackers an exact version to target (Tomcat's default error pages print it), we need to hide or disguise the Tomcat version information.

This information comes from a jar file, catalina.jar, stored in the lib directory under the Tomcat installation directory.

We can unpack the jar with the jar xf command to get two directories, META-INF and org, and change the reported Tomcat version by editing the server.info key in the org/apache/catalina/util/ServerInfo.properties file.

The file information is as follows:

[root@localhost ~]# cat org/apache/catalina/util/ServerInfo.properties | grep -v '^$\|#'
server.info=Apache Tomcat/7.0.53
server.number=7.0.53.0
server.built=Mar 25 2014 06:20:16

Of course, there is another way to hide or disguise the Tomcat version information, but the essence is the same as above. The operation is as follows:

[root@localhost ~]# cd /usr/local/apache-tomcat-7.0.53/lib
[root@localhost lib]# mkdir -p org/apache/catalina/util
[root@localhost lib]# cd org/apache/catalina/util
[root@localhost util]# vim ServerInfo.properties
server.info=nolinux    # to report a different version number, change this value to another string.

After the modification, restart Tomcat to see the effect!
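The second method above (a properties file placed under lib/ that shadows the one inside catalina.jar) can be scripted and verified. The following is an added example and is not from the original article; the CATALINA_HOME path and the replacement string "nolinux" are sample values, and the response body passed to the banner check is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): script the override file
# described above and read the value back as a check. CATALINA_HOME and the
# replacement string are assumptions (sample values), not values from the page.

# Write lib/org/apache/catalina/util/ServerInfo.properties under a Tomcat
# install. Tomcat's common loader lists ${catalina.home}/lib before
# ${catalina.home}/lib/*.jar in catalina.properties, so this file shadows the
# copy inside catalina.jar without repacking the jar.
hide_tomcat_version() {
    catalina_home="$1"
    server_info="${2:-nolinux}"   # shown in place of "Apache Tomcat/x.y.z"
    util_dir="$catalina_home/lib/org/apache/catalina/util"
    mkdir -p "$util_dir"
    printf 'server.info=%s\nserver.number=0.0.0.0\nserver.built=unknown\n' \
        "$server_info" > "$util_dir/ServerInfo.properties"
}

# Print the server.info value from the override file; prints nothing and
# returns 1 if no override has been created yet.
reported_server_info() {
    f="$1/lib/org/apache/catalina/util/ServerInfo.properties"
    [ -f "$f" ] && sed -n 's/^server\.info=//p' "$f"
}

# Return 0 if a response body (for example a 404 page fetched with curl after
# the restart) still carries the stock version banner, 1 otherwise.
leaks_version_banner() {
    printf '%s' "$1" | grep -q 'Apache Tomcat/[0-9]'
}

# Stand-alone demonstration against a constructed, throwaway directory.
demo_home=$(mktemp -d)
hide_tomcat_version "$demo_home" nolinux
echo "override reports: $(reported_server_info "$demo_home")"
rm -rf "$demo_home"
```

Run hide_tomcat_version against the real CATALINA_HOME, restart Tomcat, then fetch a non-existent URL and pass the body to leaks_version_banner: it should return 1 once the override is picked up.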

III. Optimize web.xml

web.xml is the deployment descriptor for the whole web application: it holds the servlet and related configuration and must follow the format defined by the Servlet specification. Through it you configure the options of your web application, and Tomcat reads it at startup to carry out part of your application's initialization.

It can do the following things:

1. Provide servlet-based configuration.

2. Add listeners to monitor sessions or to load resources when Tomcat starts, such as creating a database connection pool.

3. Set the session expiration time; Tomcat defaults to 30 minutes.

4. Change the application's default web page, such as index.html or index.jsp.

5. Add filters to do the filtering you want, such as filtering sensitive words.

6. Add JSTL (JSP Standard Tag Library) definitions so the tag libraries can be included and used directly in JSP.

7. Configuration for Struts, Spring, Hibernate and so on.

Here is an excerpt from O'Reilly's "Tomcat: The Definitive Guide":

The format of web.xml is defined in the Servlet specification, so it is used by every Java servlet container that conforms to the specification. When Tomcat deploys an application (at startup or when the application is loaded later), it first reads the global conf/web.xml and then the application's WEB-INF/web.xml. As their locations suggest, settings in conf/web.xml apply to all web applications, while settings in a given application's WEB-INF/web.xml apply only to that application.

If there is no WEB-INF/web.xml, Tomcat logs a message that the file could not be found, but the web application is still deployed and usable. The authors of the Servlet specification wanted a quick and easy way to set up a new context for testing, so web.xml is not mandatory; still, it is usually best for every live web application to have its own WEB-INF/web.xml, even if only for identification. I think it is a good habit.

The Servlet specification is aimed mainly at web programmers, not system administrators. From an operations point of view we therefore care more about the default web page, custom error pages, disabling directory listing, and so on.

In a normal production environment Tomcat does not serve the public network directly; there is always Apache or Nginx in front of it. The site's default home page and custom error pages are therefore handled in the front-end Apache or Nginx, or the company leaves it to the programmers to define them in the project's WEB-INF/web.xml.

In newer Tomcat versions, directory listing is disabled by default.

Below, I list several common features that are set in web.xml:

Site default home page

Customize the error page

Define session timeout

Disable directory listing
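The four settings above are written as follows. This is an added example and not configuration from the original article: it generates an application-level WEB-INF/web.xml with the welcome files, error pages and session timeout, and checks that the DefaultServlet "listings" parameter in a conf/web.xml (a constructed, trimmed-down copy here) is "false". The error-page locations and directory names are sample values.

```shell
#!/bin/sh
# Added example (not from the original article): writes the four settings the
# list above names into a constructed WEB-INF/web.xml, and checks that a
# conf/web.xml keeps DefaultServlet's "listings" parameter at "false".
# Directory names and error-page paths are sample values (assumptions).

# Application-level WEB-INF/web.xml: default home page, custom error pages,
# session timeout (in minutes). Uses the Servlet 3.0 schema that Tomcat 7 supports.
write_app_webxml() {
    webinf_dir="$1"
    timeout_minutes="${2:-30}"   # Tomcat's own default is 30
    mkdir -p "$webinf_dir"
    cat > "$webinf_dir/web.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <!-- site default home page -->
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- custom error pages, so Tomcat's stock error page (which names the
         server version) is never shown to clients -->
    <error-page>
        <error-code>404</error-code>
        <location>/error/404.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error/500.html</location>
    </error-page>
    <!-- session timeout in minutes -->
    <session-config>
        <session-timeout>${timeout_minutes}</session-timeout>
    </session-config>
</web-app>
EOF
}

# Constructed, trimmed-down DefaultServlet definition in the shape found in
# conf/web.xml; the second argument is the value of the "listings" parameter.
write_sample_conf_webxml() {
    conf_dir="$1"
    listings="${2:-false}"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/web.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>listings</param-name>
            <param-value>${listings}</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
</web-app>
EOF
}

# Print the session-timeout value (minutes) from a web.xml.
session_timeout_of() {
    sed -n 's/.*<session-timeout>\([0-9][0-9]*\)<\/session-timeout>.*/\1/p' "$1"
}

# Return 0 when directory listing is disabled in conf/web.xml (listings=false),
# 1 otherwise. The file is flattened to one line first so the name/value pair
# can be matched across the line break between them.
listings_disabled() {
    tr -d '\n\r' < "$1" | grep -q '<param-name>listings</param-name>[[:space:]]*<param-value>false</param-value>'
}
```

Point listings_disabled at the real conf/web.xml to confirm the global default; the application-level file is only needed where a project wants its own welcome files, error pages or timeout.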

IV. Optimize tomcat-users.xml

This file is a manifest of user names, roles and passwords, and it provides login authentication for the manager application under webapps.

In a production environment, we comment out all of its entries.

V. Optimize server.xml

This is Tomcat's main configuration file. It contains the major elements such as Service, Connector and Host; each element creates a software "object", and the ordering and nesting of these elements sets up the processing pipeline, so that we can do filtering, grouping, and so on.

If we want to optimize by modifying this file, we first need to understand its structure.

Structure diagram of server.xml:

This file describes how to start Tomcat Server
