Apache Tomcat Http



In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. Installing Tomcat From the Apache Distribution It might not be as simple as typing a single repository command, but installing Tomcat using the latest official Apache binary release is the best way to avoid errors and confusion, provided you do it correctly.

Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall. Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense—even if you don't plan on using it on your plane's network. The following are 15 way to secure Apache Tomcat 8, out-of-the-box.

1. Don't run Tomcat as the root user

This line of advice applies to most web server platforms. Web-related services should not be run by user accounts with a high level of administrative access. In Tomcat's case, a user with the minimum necessary OS permissions should be created exclusively to run the Tomcat process.

2. Remove any default sample or test web applications

Most web server platforms also provide a set of sample or test web application for demo and learning purposes. These applications have been known to harbor vulnerabilities, and should be removed if not in use. Tomcat's examples web application is an application that should be removed to prevent exploitation.

3. Put Tomcat's shutdown procedure on lockdown

This prevents malicious actors from shutting down Tomcat's web services. Either disable the shutdown port by setting the port attribute in the server.xml file to -1. If the port must be kept open, be sure to configure a strong password for shutdown.

4. Disable support for TRACE requests

Though useful for debugging, enabling allowTrace can expose some browsers to an cross-site scripting XSS attack. This can be mitigated by disabling allowTrace in the server.xml file.

5. Disable sending of the X-Powered-By HTTP header

If enabled, Tomcat will send information such as the Servlet and JSP specification versions and the full Tomcat version, among others. This gives attackers a workable starting point to craft an attack. To prevent this information leakage, disable the xpoweredBy attribute in the server.xml file.

6. Disable SSLv3 to prevent POODLE attacks

POODLE is a SSL v3 protocol vulnerability discovered in 2014. An attacker can gain access to sensitive information such as passwords and browser cookies by exploiting this vulnerability; subsequently, SSL v3 (and SSL in general) should not be included in server.xml file under the sslEnabledProtocols attribute.

7. Set the deployXML attribute to false in a hosted environment

The prevents would-be attackers from attempting to increase privileges to a web application by packaging an altered/custom context.xml. This is especially critical in hosted environments where other web applications sharing the same server resources cannot be trusted.

8. Configure and use realms judiciously

Tomcat's realms are designed differently and their limitations should be understood before use. For example, the DataSourceRealm should be used in place of the JDBCRealm, as the latter is single threaded for all authentication/authorization options and not suited for production use. The JAASRealm should also be avoided, as it is seldom used and sports an immature codebase.

9. Set Tomcat to create new facade object for each request

This can be configured by setting the org.apache.catalina.connector.RECYCLE_FACADES system property to true. By doing this, you reduce the chance of a buggy application exposing data between requests.

10. Ensure that access to resources is set to read-only

This can be done by setting readonly to true under DefaultServlet, effectively preventing clients from deleting/modifying static resources on the server and uploading new resources.

11. Disable Tomcat from displaying directory listings

Listing the contents of directories with a large number of files can consume considerable system resources, and can therefore be used in a denial-of-service (DoS) attack. Setting listings to false under DefaultServlet mitigates this risk.

12. Enable logging of network traffic

In general, logs should generated and maintained on all levels (e.g., user access, Tomcat internals, et al), but network traffic logging is especially useful for breach assessment and forensics. To set up your Tomcat application to create logs of network traffic, use/configure the AccessLogValve component.

13. Disable automated deployment if not in use

If you're running a fully-realized CI/CD pipeline, good for you—you'll need full use of Tomcat's host components. However, if not—be sure to set all the host attributes to false (autoDeploy, deployOnStartup, and deployXML) to prevent them from being compromised by an attacker.

14. Disable or limit the Tomcat Manager Webapp

Tomcat Manager enables easy configuration and management of Tomcat instances through one web interface. Convenient, no doubt—for both authorized administrators and attackers. Alternative methods for administering Tomcat instances are therefore better, but if Tomcat Manager must be used, be sure to use its configuration options to limit your risk exposure.

15. Limit the availability of connectors

Connectors by default listen to all interfaces. For better security, they should only listen to those required by your web application and ignore the rest. This can be accomplished by setting the address attribute of the connector element.

In short, Apache Tomcat's popularity invariably means that its vulnerabilities and exploits are well known by both security professionals and malicious actors alike. Out-of-the-box security is never sufficient for protecting against today's cyber threats, and proper hardening of Tomcat is especially critical given the server platform's ubiquity. Looking for a way to perform these hardening checks and more, automatically—with just a few mouse clicks? Check out ScriptRock's platform for vulnerability detection and security monitoring. It's free for up to 10 servers, so try it today on us.

Sources


Error:

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ['http-nio-8080']
java.net.BindException: Address already in use

SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8080]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8080]]
Solution:
Shut down the running instance with same port or change the new port number which is available for use.
~/bin/shutdown.sh
Change the port number in ~/apache-tomcat-8.0.32/conf/server.xml
Save the file and start the Tomcat again
~/bin/startup.sh

Status~/apache-tomcat-8.0.32/conf/server.xml file look like as mention bellow:
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the 'License'); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an 'AS IS' BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A 'Server' is not itself a 'Container', so you may not
define subcomponents such as 'Valves' at this level.
Documentation at /docs/config/server.html
-->
<Server port='8005' shutdown='SHUTDOWN'>
<Listener className='org.apache.catalina.startup.VersionLoggerListener' />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className='org.apache.catalina.security.SecurityListener' />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className='org.apache.catalina.core.AprLifecycleListener' SSLEngine='on' />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className='org.apache.catalina.core.JreMemoryLeakPreventionListener' />
<Listener className='org.apache.catalina.mbeans.GlobalResourcesLifecycleListener' />
<Listener className='org.apache.catalina.core.ThreadLocalLeakPreventionListener' />Http
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name='UserDatabase' auth='Container'
type='org.apache.catalina.UserDatabase'
description='User database that can be updated and saved'
factory='org.apache.catalina.users.MemoryUserDatabaseFactory'
pathname='conf/tomcat-users.xml' />
</GlobalNamingResources>
<!-- A 'Service' is a collection of one or more 'Connectors' that share
a single 'Container' Note: A 'Service' is not itself a 'Container',
so you may not define subcomponents such as 'Valves' at this level.
Documentation at /docs/config/service.html
-->
<Service name='Catalina'>
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name='tomcatThreadPool' namePrefix='catalina-exec-'
maxThreads='150' minSpareThreads='4'/>
-->
<!-- A 'Connector' represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.htmlHttps
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port='8080' protocol='HTTP/1.1'
connectionTimeout='20000'
redirectPort='8443' />
<!-- A 'Connector' using the shared thread pool-->
<!--
<Connector executor='tomcatThreadPool'
port='8080' protocol='HTTP/1.1'Apache Tomcat Http
connectionTimeout='20000'
redirectPort='8443' />
-->
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port='8443' protocol='org.apache.coyote.http11.Http11NioProtocol'
maxThreads='150' SSLEnabled='true' scheme='https' secure='true'
clientAuth='false' sslProtocol='TLS' />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port='8009' protocol='AJP/1.3' redirectPort='8443' />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name='Catalina' defaultHost='localhost' jvmRoute='jvm1'>
-->
<Engine name='Catalina' defaultHost='localhost'>
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
Apache tomcat http status 500 /docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className='org.apache.catalina.ha.tcp.SimpleTcpCluster'/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className='org.apache.catalina.realm.LockOutRealm'>
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key 'UserDatabase'. Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className='org.apache.catalina.realm.UserDatabaseRealm'
resourceName='UserDatabase'/>
</Realm>
<Host name='localhost' appBase='webapps'
unpackWARs='true' autoDeploy='true'>
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className='org.apache.catalina.authenticator.SingleSignOn' />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern='common' -->
<Valve className='org.apache.catalina.valves.AccessLogValve' directory='logs'
prefix='localhost_access_log' suffix='.txt'
pattern='%h %l %u %t &quot;%r&quot; %s %b' />
</Host>
</Engine>
</Service>

Tomcat Vs Apache Web Server

</Server>

Apache Tomcat Http Status 500