nginx+tomcat服务器配置(秒杀安全扫描)

nginx配置修改

1.配置limit_conn_zone来限制并发连接数
      在http处添加
      limit_conn_zone $binary_remote_addr zone=perip:10m;
      limit_conn_zone $server_name zone=perserver:10m;
2.解决 Slow HTTP 攻击漏洞(150079 Slow HTTP headers vulnerability、150085 Slow HTTP POST vulnerability)
 (1)在server处添加
if ($request_method = PUT ) {
                 return 403;
          }
 if ($request_method = DELETE ) {
             return 403;
          }
client_body_timeout 10s;
client_header_timeout 10s;
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
limit_conn perip 5;
limit_conn perserver 20;
(2)在具体的context(location)添加
proxy_connect_timeout 6s;
proxy_send_timeout 6s;
proxy_read_timeout 6s;
proxy_buffer_size 4k;
proxy_buffers 32 4k;
proxy_busy_buffers_size 64k;
client_max_body_size    10m;
client_body_buffer_size 128k;
3.解决HttpOnly问题(150123 Cookie Does Not Contain The "HTTPOnly" Attribute (1))
在具体的location里添加(注意:这条add_header只是额外下发一个名为HttpOnly、值为true的新Cookie，并不会给Tomcat生成的JSESSIONID加上HttpOnly属性，真正起作用的是下面Tomcat侧的配置)
add_header Set-Cookie "HttpOnly=true;Secure=true";
1.修改tomcat\conf\context.xml
在<Context>标签上添加useHttpOnly属性
 <Context  useHttpOnly="true" >
2.在tomcat\conf\web.xml
在<session-config>
     <session-timeout>30</session-timeout>
</session-config>
里添加
<session-config>
     <session-timeout>30</session-timeout>
    <cookie-config>
             <http-only>true</http-only>
    </cookie-config>
</session-config>

4.解决Clickjacking - x框选项头没有设置(150081 Clickjacking - X-Frame-Options header is not set)
在具体的location里添加
add_header X-Frame-Options SAMEORIGIN;
5.解决会话Cookie不包含“安全”属性(150122 Cookie Does Not Contain The "secure" Attribute)
在tomcat\webapps\程序包\WEB-INF\web.xml添加(com.*.*.XssFilter.XssFilter需根据实际项目编写;Servlet 3.0以上也可以直接在<session-config>的<cookie-config>里加<secure>true</secure>，由容器下发带secure属性的会话Cookie)
<filter>   
        <filter-name>XssFilter</filter-name>   
        <filter-class>com.*.*.XssFilter.XssFilter</filter-class>               
    </filter>   
    <filter-mapping>   
        <filter-name>XssFilter</filter-name>   
        <url-pattern>/*</url-pattern>   
    </filter-mapping>
6.解决400等错误页面泄露配置信息的风险(150022 Verbose Error Message)
在tomcat\webapps\程序包\WEB-INF\web.xml添加
<!-- 配置错误页面 -->
 <error-page>
  <error-code>400</error-code>
  <location>/error/404.jsp</location>
 </error-page>
 
 <error-page>
  <error-code>404</error-code>
  <location>/error/404.jsp</location>
 </error-page>
 <error-page>
  <error-code>500</error-code>
  <location>/error/500.jsp</location>
 </error-page>
 <welcome-file-list>
  <welcome-file>index.html</welcome-file>
 </welcome-file-list>
在程序包目录tomcat\webapps\context\下添加error目录(存放上面引用的404.jsp和500.jsp)

附:XssFilter 与 XssHttpServletRequestWrapper 代码

 
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
public class XssFilter implements Filter {

    /**
     * Re-issues the session cookie with the {@code HttpOnly} and {@code secure} attributes
     * and hands a {@link XssHttpServletRequestWrapper} down the chain so that parameter and
     * header reads are filtered. The {@code Set-Cookie} value is written for an HTTPS
     * deployment; on plain HTTP the {@code secure} attribute keeps the browser from
     * returning the cookie, so that attribute would have to be dropped there.
     *
     * NOTE(review): on Servlet 3.0+ containers the same attributes can be declared in
     * web.xml under {@code <session-config><cookie-config>}, which avoids rewriting the
     * header in a filter.
     *
     * @param request     incoming request, expected to be an {@link HttpServletRequest}
     * @param response    outgoing response, expected to be an {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // getSession() creates a session when the request does not carry one yet, so every
        // request that reaches this filter ends up with a JSESSIONID.
        String sessionId = httpRequest.getSession().getId();

        // setHeader overwrites any Set-Cookie value already on the response; that is what
        // overrides the container's own session cookie, and presumably any other cookie
        // written earlier in the chain is dropped as well.
        httpResponse.setHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; path=/; HttpOnly; secure");

        filterChain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {}

    /** No filter configuration is read. */
    @Override
    public void init(FilterConfig arg0) throws ServletException {}
}
 
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
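/**
 * Request wrapper that removes common script fragments from parameter and header values
 * and converts markup-significant half-width characters to their full-width forms.
 *
 * Only {@link #getParameterValues}, {@link #getParameter} and {@link #getHeader} are
 * overridden; reads through {@code getParameterMap()}, {@code getParameterNames()},
 * {@code getHeaders()}, the query string or the request body are passed through
 * unchanged. The regex blacklist removes known patterns only, so context-aware output
 * encoding at render time is still required for a complete XSS defense.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Script fragments removed by {@link #stripXSS}, applied in this order. Compiled once
     * instead of on every call.
     */
    private static final Pattern[] XSS_PATTERNS = {
        // anything between <script> tags
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // src='...' and src="..." expressions
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // lonesome </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // lonesome <script ...> tag
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...) expressions
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: and vbscript: URL schemes
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // onload=... handlers
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    /**
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * {@inheritDoc}
     *
     * Each value is passed through {@link #stripXSS} only; unlike {@link #getParameter},
     * neither the lookup name nor the values go through {@link #xssEncode}, so callers
     * reading the same parameter by the two methods get different results.
     *
     * @return the stripped values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = stripXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * {@inheritDoc}
     *
     * The lookup name is passed through {@link #xssEncode} first, so a parameter whose name
     * contains one of the converted characters is never found. The value is stripped and
     * then converted to full-width characters.
     *
     * @return the filtered value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String raw = super.getParameter(xssEncode(parameter));
        String stripped = stripXSS(raw);
        return stripped == null ? null : xssEncode(stripped);
    }

    /**
     * {@inheritDoc}
     *
     * Same treatment as {@link #getParameter}: the header name is converted before lookup,
     * the value is stripped and then converted.
     *
     * @return the filtered header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String raw = super.getHeader(xssEncode(name));
        String stripped = stripXSS(raw);
        return stripped == null ? null : xssEncode(stripped);
    }

    /**
     * Removes NUL characters and every match of {@link #XSS_PATTERNS} from {@code value}.
     *
     * @param value text to filter, may be {@code null}
     * @return the filtered text, or {@code null} if {@code value} was {@code null}
     */
    private static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
        // avoid encoded attacks.
        // value = ESAPI.encoder().canonicalize(value);

        // Remove NUL characters. The pattern must be "\0", not the empty string: replacing
        // "" with "" matches only empty positions and removes nothing.
        String cleaned = value.replace("\0", "");
        for (Pattern pattern : XSS_PATTERNS) {
            cleaned = pattern.matcher(cleaned).replaceAll("");
        }
        return cleaned;
    }

    /**
     * Replaces half-width characters that commonly open XSS vectors with their full-width
     * counterparts, so the result can no longer be parsed as markup but stays readable.
     *
     * @param s text to convert; {@code null} and {@code ""} are returned as given
     * @return the converted text
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    out.append('\uFF1E'); // full-width greater-than sign ＞
                    break;
                case '<':
                    out.append('\uFF1C'); // full-width less-than sign ＜
                    break;
                case '\'':
                    out.append('\u2018'); // left single quotation mark ‘
                    break;
                case '"':
                    out.append('\u201C'); // left double quotation mark “
                    break;
                case '&':
                    out.append('\uFF06'); // full-width ampersand ＆
                    break;
                case '\\':
                    out.append('\uFF3C'); // full-width reverse solidus ＼
                    break;
                case '#':
                    out.append('\uFF03'); // full-width number sign ＃
                    break;
                default:
                    out.append(c);
                    break;
            }
        }
        return out.toString();
    }
}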