nginx+tomcat服务器配置(秒杀安全扫描)
nginx配置修改
1.解决配置limit_conn_zone来限制并发连接数
在http处添加
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
2.解决 Slow HTTP POST vulnerability(150079 Slow HTTP headers vulnerability
150085 Slow HTTP POST vulnerability)
(1)在server处添加
if ($request_method = PUT ) {
return 403;
}
if ($request_method = DELETE ) {
return 403;
}
client_body_timeout 10s;
client_header_timeout 10s;
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
if ($request_method = PUT ) {
return 403;
}
if ($request_method = DELETE ) {
return 403;
}
client_body_timeout 10s;
client_header_timeout 10s;
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
limit_conn perip 5;
limit_conn perserver 20;
(2)在具体的context(location)添加
proxy_connect_timeout 6s;
proxy_send_timeout 6s;
proxy_read_timeout 6s;
proxy_buffer_size 4k;
proxy_buffers 32 4k;
proxy_busy_buffers_size 64k;
client_max_body_size 10m;
client_body_buffer_size 128k;
limit_conn perserver 20;
(2)在具体的context(location)添加
proxy_connect_timeout 6s;
proxy_send_timeout 6s;
proxy_read_timeout 6s;
proxy_buffer_size 4k;
proxy_buffers 32 4k;
proxy_busy_buffers_size 64k;
client_max_body_size 10m;
client_body_buffer_size 128k;
3.解决HttpOnly问题(150123 Cookie Does Not Contain The "HTTPOnly" Attribute (1))
在具体的location里添加
add_header Set-Cookie "HttpOnly=true;Secure=true";
add_header Set-Cookie "HttpOnly=true;Secure=true";
1.修改tomcat\conf\context.xml
在<Context>
里添加
<Context useHttpOnly="true" >
在<Context>
里添加
<Context useHttpOnly="true" >
2.在tomcat\conf\web.xml
在<session-config>
<session-timeout>30</session-timeout>
</session-config>
里添加
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
在<session-config>
<session-timeout>30</session-timeout>
</session-config>
里添加
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
4.解决Clickjacking - x框选项头没有设置(150081 Clickjacking - X-Frame-Options header is not set)
在具体的location里添加
add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options SAMEORIGIN;
5.解决会话Cookie不包含“安全”属性(150122 Cookie Does Not Contain The "secure" Attribute)
在tomcat\webapps\程序包\WEB-INF\web.xml添加(com.*.*.XssFilter.XssFilter为根据实际项目编写)
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.*.*.XssFilter.XssFilter</filter-class>
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.*.*.XssFilter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
6.解决页面提示400导致配置信息外泄的危险(150022 Verbose Error Message)
在tomcat\webapps\程序包\WEB-INF\web.xml添加
<!-- 配置错误页面 -->
<error-page>
<error-code>400</error-code>
<location>/error/404.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/404.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error/500.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!-- 配置错误页面 -->
<error-page>
<error-code>400</error-code>
<location>/error/404.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/404.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error/500.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
在程序包的tomcat\webapps\context\添加error包
附xss代码:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
public class XssFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
String sessionid = req.getSession().getId();
resp.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; path=/; HttpOnly; secure");
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
resp.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; path=/; HttpOnly; secure");
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
@Override
public void destroy() {}
public void destroy() {}
@Override
public void init(FilterConfig arg0) throws ServletException {}
}
public void init(FilterConfig arg0) throws ServletException {}
}
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletRequestWrapper;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
super(request);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
return encodedValues;
}
}
@Override
public String getParameter(String parameter) {
// if("jsessionid".equals(parameter)){
// System.out.println(111);
// }
String value = super.getParameter(xssEncode(parameter));
public String getParameter(String parameter) {
// if("jsessionid".equals(parameter)){
// System.out.println(111);
// }
String value = super.getParameter(xssEncode(parameter));
value=stripXSS(value);
if (value != null) {
value = xssEncode(value);
}
return value;
}
if (value != null) {
value = xssEncode(value);
}
return value;
}
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
value=stripXSS(value);
if (value != null) {
value = xssEncode(value);
}
return value;
}
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
value=stripXSS(value);
if (value != null) {
value = xssEncode(value);
}
return value;
}
private String stripXSS(String value) {
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("", "");
value = value.replaceAll("", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
*
* @param s
* @return
*/
private static String xssEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '>':
sb.append('>');//全角大于号
break;
case '<':
sb.append('<');//全角小于号
break;
case '\'':
sb.append('‘');//全角单引号
break;
case '\"':
sb.append('“');//全角双引号
break;
case '&':
sb.append('&');//全角
break;
case '\\':
sb.append('\');//全角斜线
break;
case '#':
sb.append('#');//全角井号
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
}
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
*
* @param s
* @return
*/
private static String xssEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '>':
sb.append('>');//全角大于号
break;
case '<':
sb.append('<');//全角小于号
break;
case '\'':
sb.append('‘');//全角单引号
break;
case '\"':
sb.append('“');//全角双引号
break;
case '&':
sb.append('&');//全角
break;
case '\\':
sb.append('\');//全角斜线
break;
case '#':
sb.append('#');//全角井号
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
}