뭐 어쩌다보니 톰캣의 버전을 올리게 되었다. KISA 권고사항이라서(?)


그랬더니 패키지 만들면서 했던 작업들이 생각이 잘 안나더라.

그래서 적어본다


# 톰캣 보안처리
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html

# 1. 톰캣용 에러 페이지 적용
https://motolies.com/776

# 2. relaxedQueryChars 옵션 추가 (server.xml > connector)
# 3. server 에 이름 추가 (server.xml > connector)

  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" 
    redirectPort="443" URIEncoding="UTF-8" relaxedQueryChars="&lt;&gt;&quot;&#39;" maxPostSize="-1" 
    maxThreads="500" maxHttpHeaderSize="8192" emptySessionPath="true" enableLookups="false" 
      acceptCount="100" disableUploadTimeout="true" server="PCOFF" />

# 4. server 정보 숨기기(tomcat/lib/catalina.jar 파일 풀어서 ServerInfo.properties 수정)
server.info=Apache Tomcat
server.number=
server.built=

# 5. 메소드 제한하기(web.xml > security-constraint)
https://offbyone.tistory.com/179

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
                <http-method>HEAD</http-method>
                <http-method>PUT</http-method>
                <http-method>PATCH</http-method>
                <http-method>CONNECT</http-method>
                <http-method>OPTIONS</http-method>
                <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

# 6. ciphers 설정 (server.xml > connector)
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA"





















Posted by motolies

댓글을 달아 주세요