I want to hide the server information "Apache-Coyote/1.1" that appears when I execute the curl -i ip:port command against my Tomcat 5.0.28.
I tried adding <Connector port="8080" protocol="HTTP/1.1" server="Apache"> to the server.xml file, but it doesn't work.
I tested it on Tomcat 5.5, 6 and 7; in those cases it works fine. But it doesn't work on my Tomcat (version 5.0.28).
How can I hide this in my Tomcat 5.0.28?
Thanks.
I think it's not possible below 5.0. It's possible above 5.5.
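As an added example that is not part of the original question or answer: the check the poster does by hand with curl -i can be scripted. This Python script parses a raw HTTP response (the bytes curl -i prints) and flags Server / X-Powered-By style headers, distinguishing a bare product name from a product with a version, so the result of a `server="Apache"` change can be verified across many hosts. The sample responses are constructed and the list of disclosure headers is an assumption for the example.

```python
"""Audit an HTTP response for server software/version disclosure (added example)."""
import http.client
import re
from typing import Dict, List, Tuple

# Headers that commonly leak the software stack. This list is an assumption
# for the example, not something the thread enumerates.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")  # matches "Apache-Coyote/1.1", "Apache/2.4.7", ...


def parse_raw_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header dict.

    Repeated header names (e.g. several Set-Cookie) are collapsed to the last
    value, which is fine for this audit.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per disclosing header; an empty list means nothing is disclosed."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value!r}")
        else:
            findings.append(f"{name} discloses a product: {value!r}")
    return findings


def audit_response(raw: bytes) -> List[str]:
    """Offline variant: audit a captured response such as the output of curl -i."""
    _status, headers = parse_raw_response(raw)
    return audit_headers(headers)


def fetch_and_audit(host: str, port: int, path: str = "/") -> List[str]:
    """Live variant: issue a HEAD request (what curl -I does) and audit the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return audit_headers(headers)


# Constructed sample responses: Tomcat's default header, the header after
# server="Apache", and a response with no Server header at all.
LEAKY = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
         b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
HARDENED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("default", LEAKY), ('server="Apache"', HARDENED), ("no Server header", CLEAN)):
        print(f"{label:18} -> {audit_response(raw) or ['no disclosure']}")
```

Note that `server="Apache"` still announces a product; only the version string goes away, which is what the audit output shows for the second sample.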
I've been trying to configure SSL for a Tomcat 8.5 server at the school where I work, so that it uses the HTTPS protocol. Since we haven't bought a certificate from a CA, I used certbot to get a free one. I did some configuration and my Tomcat is serving on HTTP but not yet on HTTPS, and there are no errors in the logs. Here is what I did.
-Tomcat 8.5 is installed on Windows Server 2012. It has worked perfectly for 2 years serving applications over regular HTTP.
-Certbot does not support Windows, therefore I had to install Ubuntu 16.04 on a VM.
-I installed certbot successfully on Ubuntu.
-I used the following command to get my certbot certificates:
sudo certbot certonly --preferred-challenges http --manual -d theDomainOfMySchool.com
-After passing the ACME challenge, I got these 4 .pem files: cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem.
-All 4 files are clear text in base64, like this extract I'm pasting here:
-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgISAwyxKh7NQWpNnH6w2enPbOlxMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-After fighting for a while with permissions to copy the 4 files from /etc/letsencrypt/archive, I placed them in the folder of my Tomcat server on Windows.
-I configured Tomcat with the following nodes in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/cert/certbot_gallery/privkey1.pem"
                     certificateFile="conf/cert/certbot_gallery/cert1.pem"
                     certificateChainFile="conf/cert/certbot_gallery/chain1.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-When I start my Tomcat, there are no errors on the logs.
-The server starts fine and serves on HTTP with no problem.
-When I try to access the applications through HTTPS I get ERR_CONNECTION_RESET in the browser.
What am I doing wrong? Are these kinds of certificates not suitable for this Tomcat connector? Am I missing any configuration?
Thank you all.
Solved! As it turns out, I'm an as$. The configuration in my server.xml is wrong. The connector for Http11NioProtocol should use port 443 (which is the default for HTTPS) instead of 8443.
The rest of the configuration and the request of the certs with certbot is OK.
I think the use of 8443 is for the case where your Tomcat is behind Apache or something else. Since I'm using Tomcat directly, and only Tomcat, the connector port should be 443.
Also, make sure that your firewall allows port 443.
I have followed some guides on the internet, but I am stuck now, as none of what they told me to do works from this point on.
I have Ubuntu 16.04 with Tomcat 8. I have deployed an application in Tomcat's webapps and it works fine over HTTP. Then I used letsencrypt to get a certificate, and after validating my Tomcat's settings it gave me 4 .pem files.
chain.pem
fullchain.pem
cert.pem
privkey.pem
Now I don't understand how to link/use them in my Tomcat/conf/server.xml in order to be able to access the application on port 443/8443. I have already set up port forwarding from 443 to 8443, as I installed the Tomcat service with a non-root user. I put the .pem files into the conf folder of my Tomcat, so server.xml is right next to them.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/privkey.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
This is my current setting in my server.xml file, but it is not working. The preset had no place for "fullchain.pem" either, and I don't know whether I need to change the lines with "org.apache" in them, as I have no clue what those actually do.
Thanks in advance. I managed to do a self-signed certificate on Windows and Ubuntu, but you always get this insecure warning then. I was told this doesn't happen with letsencrypt.
I will write down how I managed to install it:
Download certbot:
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
Fetch the certificates:
$ sudo /path/to/certbot-auto certonly --webroot -w /path/to/apache-tomcat-8.5/webapps/ROOT -d example.com
Your certificates will be placed in this folder: "/etc/letsencrypt/live/YOUR_WEBSITE_HERE/"
Edit the HTTPS connector in server.xml like this:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Let’s Encrypt certificates are usually valid for 90 days, hence you need to renew them periodically. Add the following line to crontab to do so:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew
I've also written a blog post about it which you can find here: https://www.gasimof.com/blog/enable-https-for-free-for-tomcat/
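An added example that is not part of either Let's Encrypt thread above: both threads wire privkey.pem, cert.pem and chain.pem into <Certificate>, one poster copied the files out of /etc/letsencrypt/archive by hand after a fight with permissions, and one asks where fullchain.pem goes. fullchain.pem is cert.pem followed by chain.pem, so the connector does not need it. This Python script checks that relation, checks that each file holds the PEM block types the connector attributes expect, and checks that the private key is not group/world readable after copying. It only looks at PEM framing, not X.509 contents; the demo directory and its key material are constructed placeholders, not real certificates.

```python
"""Sanity-check a certbot live/<domain>/ directory before pointing Tomcat at it (added example)."""
import base64
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Block types accepted by certificateKeyFile / certificateFile / certificateChainFile
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_TYPE = "CERTIFICATE"


def read_pem_blocks(path: Path) -> List[Tuple[str, bytes]]:
    """Return (type, DER bytes) for every PEM block in the file, in order."""
    blocks = []
    for m in PEM_BLOCK.finditer(path.read_text(encoding="ascii")):
        kind, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        blocks.append((kind, base64.b64decode(body, validate=True)))  # raises on garbage
    return blocks


def check_live_dir(live_dir: Path) -> Dict[str, List[str]]:
    """Return {'ok': [...], 'problems': [...]} for one live/<domain>/ directory."""
    ok, problems = [], []
    files = {n: live_dir / f"{n}.pem" for n in ("privkey", "cert", "chain", "fullchain")}
    missing = [n for n, p in files.items() if not p.exists()]
    if missing:
        return {"ok": ok, "problems": [f"missing: {', '.join(missing)}"]}

    key_blocks = read_pem_blocks(files["privkey"])
    if len(key_blocks) == 1 and key_blocks[0][0] in KEY_TYPES:
        ok.append(f"privkey.pem holds one {key_blocks[0][0]} block")
    else:
        problems.append("privkey.pem does not hold exactly one private key block")

    # The key must stay readable only by the account Tomcat runs as.
    mode = stat.S_IMODE(os.stat(files["privkey"]).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"privkey.pem is readable by group/others (mode {oct(mode)})")
    else:
        ok.append(f"privkey.pem mode {oct(mode)} is owner-only")

    cert, chain, full = (read_pem_blocks(files[n]) for n in ("cert", "chain", "fullchain"))
    for name, blocks in (("cert", cert), ("chain", chain), ("fullchain", full)):
        if not blocks or any(k != CERT_TYPE for k, _ in blocks):
            problems.append(f"{name}.pem must contain only CERTIFICATE blocks")
    if len(cert) != 1:
        problems.append(f"cert.pem should hold exactly one leaf certificate, found {len(cert)}")
    if full == cert + chain:
        ok.append(f"fullchain.pem == cert.pem + chain.pem ({len(full)} certificates)")
    else:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return {"ok": ok, "problems": problems}


def _fake_pem(kind: str, payload: bytes) -> str:
    """PEM framing around an arbitrary payload; the payload is NOT a real DER structure."""
    return f"-----BEGIN {kind}-----\n{base64.encodebytes(payload).decode('ascii')}-----END {kind}-----\n"


def make_demo_dir(root: Path, world_readable_key: bool = False) -> Path:
    """Write a constructed live/example.com directory with the four certbot files."""
    live = root / "live" / "example.com"
    live.mkdir(parents=True, exist_ok=True)
    leaf = _fake_pem(CERT_TYPE, b"leaf certificate placeholder")
    inter = _fake_pem(CERT_TYPE, b"intermediate placeholder")
    (live / "cert.pem").write_text(leaf)
    (live / "chain.pem").write_text(inter)
    (live / "fullchain.pem").write_text(leaf + inter)
    key = live / "privkey.pem"
    key.write_text(_fake_pem("PRIVATE KEY", b"key placeholder"))
    key.chmod(0o644 if world_readable_key else 0o600)
    return live


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Lint a correct copy, a copy with a world-readable key, and an empty directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "good": check_live_dir(make_demo_dir(root / "good")),
            "world_readable_key": check_live_dir(make_demo_dir(root / "bad", world_readable_key=True)),
            "empty": check_live_dir(root / "missing" / "live" / "example.com"),
        }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, "->", result["problems"] or result["ok"])
```

Run it against the real directory with `check_live_dir(Path("/etc/letsencrypt/live/YOUR_WEBSITE_HERE"))` after each renewal; a renewal that succeeds but leaves the copied key readable by other accounts is the kind of problem the logs will never mention.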
I have successfully configured Apache (2.4.7) to require a client certificate and, as a reverse proxy, forward the information within the certificate to a Tomcat 8 server.
When trying to accomplish the same with Spring Boot however, it fails with
The proxy server received an invalid response from an upstream server
The proxy server could not handle the request GET /myapp
and returns a HTTP 502 error code.
The relevant, working Tomcat configuration is:
<Connector SSLEnabled="true" clientAuth="want" keyAlias="myalias"
           keystoreFile="mystore.jks" keystorePass="mypassword" maxThreads="150"
           port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
           sslProtocol="TLS" truststoreFile="mystore.jks" truststorePass="mypassword"/>
The relevant part of the Spring Boot application.properties file that won't work:
server.context-path=/myapp
server.port=8443
server.ssl.enabled=true
server.use-forward-headers=true
server.ssl.protocol=TLS
server.ssl.client-auth=need
server.ssl.key-alias=myalias
server.ssl.key-store=/path/to/mykeystore.jks
server.ssl.key-store-password=mypassword
server.ssl.key-password=mypassword
server.ssl.trust-store=/path/to/mykeystore.jks
server.ssl.trust-store-password=mypassword
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.port-header=x-forwarded-port
Note that when accessing the app directly (i.e. requesting https://myapp.company.tld:12345/myapp) it works just fine, but using the reverse proxy (i.e. https://proxy-load-balancer.company.tld:12345/myapp) throws the error above.
The port difference (12345 vs the configured 8443) is due to an intermediate Docker layer: both the reverse proxy and the application run in containers, and their open ports (443 for Apache, 8443 for Tomcat/Spring Boot) are mapped to a different port, i.e. 12345.
Ok, so this all got sorted out. First, this Spring security setting
server.ssl.client-auth=need
will always force your embedded Tomcat to ask for a certificate, so in a client => reverse proxy => Tomcat situation you won't be able to authenticate, unless maybe you use AJP; I'm not sure about that.
But it turned out that using
server.ssl.client-auth=want
enables the further processing of your request, and what people usually do is process the certificate at the reverse proxy level and forward some information to the backend server (Tomcat, Jetty, etc.).
In the end the developers had to adapt their Spring Boot application to handle this latter mode of operation, i.e. extract data from the forwarded HTTP request's header and proceed with the authentication based on that.
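An added example that is not part of the thread and not Spring Boot code: the answer ends with the application extracting certificate data from a forwarded request header. The part that matters for security is that such a header is plain text anyone can send, so the backend may honour it only when the request arrives from the proxy that actually terminated TLS, and only when the proxy says verification succeeded. This Python sketch shows that check; the header names (X-SSL-Client-S-DN, X-SSL-Client-Verify), the proxy network and the sample requests are assumptions for the example. In Spring Boot the same logic would sit in a servlet filter.

```python
"""Accept a proxied client-certificate identity only from a trusted reverse proxy (added example)."""
import ipaddress
from typing import Dict, Iterable, Optional

# Headers the reverse proxy is assumed to set from mod_ssl's SSL_CLIENT_S_DN and
# SSL_CLIENT_VERIFY after it has checked the client certificate. Assumed names.
CLIENT_DN_HEADER = "x-ssl-client-s-dn"
VERIFY_HEADER = "x-ssl-client-verify"   # "SUCCESS", "NONE", "FAILED:..."


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a subject DN string into {attribute: value}.

    Handles the RFC 2253 style "CN=a,OU=b" and the legacy "/C=x/O=y" style;
    escaped separators inside values are not handled in this sketch.
    """
    sep = "/" if dn.startswith("/") else ","
    parts: Dict[str, str] = {}
    for item in dn.split(sep):
        key, _, value = item.strip().partition("=")
        if key:
            parts[key.upper()] = value
    return parts


class ProxyAuth:
    def __init__(self, trusted_proxies: Iterable[str]):
        self.trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def from_trusted_proxy(self, remote_addr: str) -> bool:
        addr = ipaddress.ip_address(remote_addr)
        return any(addr in net for net in self.trusted)

    def authenticate(self, remote_addr: str, headers: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Return the client's subject DN attributes, or None if the request must stay anonymous."""
        if not self.from_trusted_proxy(remote_addr):
            return None            # anyone can type this header; only the proxy may assert it
        h = {k.lower(): v for k, v in headers.items()}
        if h.get(VERIFY_HEADER) != "SUCCESS":
            return None            # with clientAuth "want" the proxy may have seen no certificate
        dn = h.get(CLIENT_DN_HEADER)
        if not dn:
            return None
        return parse_dn(dn)


# Constructed requests: (peer address as seen by Tomcat, forwarded headers).
PROXY = ProxyAuth(["10.0.0.0/8"])   # assumed internal network of the Apache container
GOOD = ("10.0.0.5", {"X-SSL-Client-Verify": "SUCCESS",
                     "X-SSL-Client-S-DN": "CN=jdoe,OU=Staff,O=Company"})
SPOOFED = ("203.0.113.9", {"X-SSL-Client-Verify": "SUCCESS",
                           "X-SSL-Client-S-DN": "CN=admin,O=Company"})
NO_CERT = ("10.0.0.5", {"X-SSL-Client-Verify": "NONE"})

if __name__ == "__main__":
    for label, req in (("via proxy", GOOD), ("direct, spoofed", SPOOFED), ("via proxy, no cert", NO_CERT)):
        print(f"{label:20} -> {PROXY.authenticate(*req)}")
```

The proxy side has to cooperate: it must overwrite, not merely add, the forwarded headers on every request (in Apache, `RequestHeader set` replaces any copy the client sent), and Tomcat should not be reachable on 8443 from anywhere except the proxy, otherwise the address check above is the only thing standing between a typed header and an authenticated session.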
Our architecture is:
external users<---https--->web server(Apache HTTP server)<----->webapp server (tomcat)
We fail to pass IBM AppScan, which is used to detect security defects in the webapp server, because it finds that our Tomcat server.xml file does not have the secure="yes" attribute on our port.
However, the secure="yes" attribute should not be added to the Tomcat server.xml file, because we do not need a secure connection between the web server and the webapp server.
How can we fix the issue?
Is there any secure="yes" attribute that can be added to the configuration file of the web server (Apache HTTP server)?
Thanks & Regards,
Gordon
If your users are accessing Tomcat (indirectly) through Apache httpd using TLS (https:// URL) then it is entirely appropriate to set secure="true" in your <Connector>. This tells your web application that the request being received is secure even when it is not (e.g. you are using plain-HTTP between httpd and Tomcat).
So, if you have set scheme="https" on your <Connector> then you probably want to also set secure="true".
This is not a configuration change that you can make on the Apache httpd side... it must be done in Tomcat.
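An added example, not part of the thread: the answer's rule (scheme="https" should go together with secure="true") is easy to check mechanically across every <Connector> in server.xml, together with the two related attributes discussed elsewhere on this page, SSLEnabled and server. This Python script lints a constructed server.xml containing the httpd-fronted connector from the question, a direct TLS connector and an AJP connector, then lints a corrected copy. The sample file is constructed for the demo.

```python
"""Lint Tomcat server.xml <Connector> elements for scheme/secure/SSLEnabled/server (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed server.xml: an HTTP connector reached through httpd over https://,
# a direct TLS connector, and the AJP connector.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" scheme="https" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" server="Apache">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/privkey.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Corrected copy: secure="true" wherever scheme="https", and a server attribute
# on every HTTP connector.
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'scheme="https" redirectPort="8443"/>',
    'scheme="https" secure="true" server="Apache" redirectPort="8443"/>',
).replace(
    'SSLEnabled="true" server="Apache">',
    'SSLEnabled="true" scheme="https" secure="true" server="Apache">',
)


def _is_true(value) -> bool:
    """Tomcat documents these attributes as true/false; anything else counts as false."""
    return (value or "").strip().lower() == "true"


def lint_connectors(server_xml: str) -> List[str]:
    """Return one finding per problem, each prefixed with 'port <n>'."""
    root = ET.fromstring(server_xml)
    findings: List[str] = []
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        scheme = c.get("scheme", "http")
        secure = _is_true(c.get("secure"))
        ssl_enabled = _is_true(c.get("SSLEnabled"))
        is_ajp = c.get("protocol", "HTTP/1.1").upper().startswith("AJP")

        if ssl_enabled and (scheme != "https" or not secure):
            findings.append(f'port {port}: SSLEnabled but needs scheme="https" secure="true"')
        elif scheme == "https" and not secure:
            # The case from the question: TLS is terminated at httpd, so the request
            # is secure for the user but the webapp is not told so.
            findings.append(f'port {port}: scheme="https" without secure="true"')

        if not is_ajp and not c.get("server"):
            findings.append(f"port {port}: no server attribute, default Server header will be sent")
    return findings


if __name__ == "__main__":
    for label, xml in (("as configured", SAMPLE_SERVER_XML), ("corrected", FIXED_SERVER_XML)):
        print(label, "->", lint_connectors(xml) or ["no findings"])
```

The AJP connector is skipped for the server-attribute check because the Server header the user sees on that path is httpd's, not Tomcat's.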
I'm using RavenDB Build 2380, which is running on the default port 8080. Hence it is using
http://localhost:8080/raven/studio.html#/databases?database=Test
How to configure RavenDb to run on another port?
I tried changing the following in the Raven.Server.exe.config file, yet it is not working:
<add key="Raven/Port" value="*"/>
Kindly share your suggestions on this issue.
Thanks in advance.
I changed the port number here:
<add key="Raven/Port" value="5050"/>
A restart of Raven.Server is required.
Command: Raven.Server.exe /restart
In the latest build of Raven, 2666, they brought in the new feature of a Windows installer. While installing, it pops up a window where the port configuration is quite easy.