简要列出几个安全加固配置项，待完善。

证书部分请参考上一篇《使用keytool生成tomcat证书》，先导入证书。

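<?xml version="1.0" encoding="utf-8"?>
<!-- Tomcat server.xml hardening sketch (work in progress).
     The shutdown command string is customised; port 8105 accepts it only on localhost
     because no address attribute is set. Use port="-1" to disable the shutdown port entirely. -->
<Server port="8105" shutdown="exampleSHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <!-- Refuse to start when launched as one of the listed OS users, and require a umask
       at least as restrictive as 0007 (no permissions for "other"). -->
  <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root,alex,bob" minimumUmask="0007"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <GlobalNamingResources>
    <!-- Backing store for the UserDatabaseRealm below; keep conf/tomcat-users.xml unreadable to other OS users. -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <!-- Plain HTTP connector. server="example" replaces the default Server response header.
         maxHttpHeaderSize is 256 KiB and maxPostSize is 200 MiB, both far above Tomcat's
         defaults (8 KiB and 2 MiB). The header size is used to size per-request header
         buffers (verify against the Tomcat version in use), so keep both values as small
         as the application really needs to limit memory pressure from oversized requests. -->
    <Connector connectionTimeout="20000" maxHttpHeaderSize="262144" maxPostSize="209715200" port="8082" protocol="HTTP/1.1" redirectPort="8445" server="example"/>
    <!-- HTTPS connector, maxThreads 1500. scheme/secure make request.getScheme() and
         request.isSecure() report HTTPS to the deployed servlets (SSLEnabled alone does not). -->
    <Connector port="8445" defaultSSLHostConfigName="x1.example.com" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="1500" SSLEnabled="true" scheme="https" secure="true">
      <!-- protocols restricts the handshake to TLS 1.2 and 1.3; the default "all" also offers
           whatever older TLS versions the JRE still implements. TLS 1.3 needs a JRE that supports it. -->
      <SSLHostConfig hostName="x1.example.com" protocols="TLSv1.2+TLSv1.3">
        <!-- certificateKeystorePassword is a placeholder: replace it before deployment and
             restrict the keystore file permissions to the Tomcat service user. -->
        <Certificate
          certificateKeystoreFile="x1.keystore"
          certificateKeystorePassword="123456" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="x12.example.com" protocols="TLSv1.2+TLSv1.3">
        <!-- Same placeholder password as above; replace before deployment. -->
        <Certificate
          certificateKeystoreFile="x12.keystore"
          certificateKeystorePassword="123456" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <!-- LockOutRealm wraps the user database realm and locks accounts after repeated failed logins. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <!-- autoDeploy and deployOnStartup are off, so only the Context declared explicitly below
           is deployed; unpackWARs="true" expands WAR files into directories. -->
      <Host appBase="webapps" autoDeploy="false" deployOnStartup="false" name="localhost" unpackWARs="true">
        <!-- reloadable="false" disables class reloading on change.
             NOTE(review): workDir="" is an empty value; confirm this is intended, otherwise omit
             the attribute to fall back to the default work directory. -->
        <Context path="" reloadable="false" docBase="/path-of-tomcat/webapps/x1" workDir=""/>
        <!-- Default error pages: hide stack traces (showReport) and the Tomcat version string (showServerInfo). -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                prefix="localhost_access_log" suffix=".log"
                pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
        <!-- Host names that resolve to this Host; they match the SSLHostConfig hostName values above. -->
        <Alias>x1.example.com</Alias>
        <Alias>x12.example.com</Alias>
      </Host>
    </Engine>
  </Service>
</Server>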

 
