Open eballetbaz opened 3 months ago
In my opinion the suggested solution by @eballetbaz should be implemented as a best practice.
However, as a current workaround I am using the following script to make the modification on eb deployment:
.ebextensions/03_tomcat-hardening.config

```yaml
files:
  "/tmp/tomcat_server_hardening.sh":
    owner: root
    group: root
    mode: "000755"
    content: |
      #!/bin/bash
      # Add an ErrorReportValve that hides the Tomcat version and the stack trace,
      # unless server.xml already contains the showServerInfo="false" setting.
      CONFIGURED=$(grep -c 'showServerInfo="false"' /etc/tomcat10/server.xml)
      if [ "$CONFIGURED" -eq 0 ]
      then
        sed -i 's/<\/Host>/<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"\/><\/Host>/' /etc/tomcat10/server.xml
        logger -t tomcat_conf "/etc/tomcat10/server.xml updated successfully"
        exit 0
      else
        logger -t tomcat_conf "/etc/tomcat10/server.xml already updated"
        exit 0
      fi

container_commands:
  01_tomcat_server_hardening:
    command: sh /tmp/tomcat_server_hardening.sh
```
Note the path for Tomcat 10 is /etc/tomcat10. For previous versions it was /etc/tomcat.
Community Note
Tell us about your request: By default Tomcat displays its version and the full stack trace when an uncaught error occurs. It is not always possible to catch all exceptions at application level: some errors occur before they reach the application, for example bad request errors generated by forged requests with invalid characters. The solution is to configure the Tomcat Valve "ErrorReportValve" to hide technical information related to the Tomcat version and also hide the exception stack trace.
Is this request specific to an Elastic Beanstalk platform? Java Tomcat
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Technical information related to Tomcat is visible to an attacker.
Are you currently working around this issue? The solution is to integrate an ErrorReportValve in the server.xml file.
Reference https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Error_Report_Valve
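As an added example that is not part of this issue, of the workaround comment above, or of AWS's or Tomcat's own code: a bash script covering both the hardening step described in the request and the deployment workaround in the comment. It locates server.xml under either /etc/tomcat10 or /etc/tomcat (the two paths named in the comment), inserts the ErrorReportValve before the first `</Host>` only if no hardened valve is already present, keeps a backup, verifies the edit, and checks a captured HTTP error page for a leaked Tomcat version banner or Java stack-trace frame. The function names, the sample server.xml and the sample responses are constructed for illustration and are assumptions, not anything from the page.

```shell
#!/bin/bash
# Added example, not from the issue or from AWS/Tomcat: harden Tomcat's
# ErrorReportValve idempotently and check an error response for leaks.
# Function names and the sample data below are constructed for illustration.

# Valve inserted before </Host>: showServerInfo="false" hides the Tomcat
# version banner, showReport="false" hides the exception stack trace.
VALVE='<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>'

# Print the first server.xml found; Tomcat 10 platforms use /etc/tomcat10,
# earlier platforms /etc/tomcat (paths taken from the workaround comment).
find_server_xml() {
  local d
  for d in /etc/tomcat10 /etc/tomcat; do
    if [ -f "$d/server.xml" ]; then
      echo "$d/server.xml"
      return 0
    fi
  done
  return 1
}

# Succeed if an ErrorReportValve with showServerInfo="false" is already present.
is_hardened() {
  grep -q 'ErrorReportValve[^>]*showServerInfo="false"' "$1"
}

# Insert the valve on its own line before the first </Host>, once, keeping a
# backup, and verify that exactly one hardened valve is present afterwards.
harden_server_xml() {
  local f="$1"
  if is_hardened "$f"; then
    return 0
  fi
  cp "$f" "$f.bak"
  awk -v valve="$VALVE" '
    /<\/Host>/ && !inserted { print "        " valve; inserted = 1 }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  [ "$(grep -c 'showServerInfo="false"' "$f")" -eq 1 ]
}

# Read an HTTP error page on stdin; succeed if it leaks the Tomcat version
# banner (e.g. "Apache Tomcat/10.1.8") or a Java stack-trace frame.
response_leaks_info() {
  grep -Eq 'Apache Tomcat/[0-9]|\.java:[0-9]+\)'
}

# Constructed minimal server.xml for a local dry run (not a real platform file).
write_sample_server_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

case "${1:-}" in
  --apply)  # on a real host: edit the platform's server.xml in place
    f=$(find_server_xml) || { echo "server.xml not found" >&2; exit 1; }
    harden_server_xml "$f" && logger -t tomcat_conf "$f hardened" ;;
  --demo)   # dry run on the constructed sample; second call must be a no-op
    tmp=$(mktemp -d); write_sample_server_xml "$tmp/server.xml"
    harden_server_xml "$tmp/server.xml" && harden_server_xml "$tmp/server.xml"
    grep -n 'ErrorReportValve' "$tmp/server.xml"; rm -rf "$tmp" ;;
esac
```

Run with `--demo` to see the valve inserted exactly once into the constructed sample, or with `--apply` as a container command on the instance. After deployment, send a request with an invalid character in the path and pipe the response body through `response_leaks_info`; a hardened server returns the bare status line with no version banner and no stack frames.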