뭐 어쩌다보니 톰캣의 버전을 올리게 되었다. KISA 권고사항이라서(?)
그랬더니 패키지 만들면서 했던 작업들이 생각이 잘 안 나더라.
그래서 적어본다
# 톰캣 보안처리
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
# 1. 톰캣용 에러 페이지 적용
https://motolies.com/776
# 2. relaxedQueryChars 옵션 추가 (server.xml > connector)
# 3. server 에 이름 추가 (server.xml > connector)
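<!--
  Plain-HTTP connector on port 80; confidential resources are redirected to 443.

  Security-relevant attributes:
  - relaxedQueryChars: by default Tomcat rejects (400) any request whose query
    string contains unencoded " < > [ \ ] ^ ` { | }. Every character listed here
    reaches the application unfiltered, so keep the list to what the front end
    really sends. The apostrophe is not in Tomcat's restricted set, so listing it
    has no effect. Inside a double-quoted XML attribute "<" and the double quote
    must be written as &lt; and &quot; - the unescaped form <>"' is malformed XML
    and the file will not load.
  - maxPostSize="-1": disables the limit on POST bodies that Tomcat parses for
    form parameters. An unbounded body is a resource-exhaustion risk; set a value
    sized to the real use case where possible.
  - server="PCOFF": replaces the Server response header so the Tomcat version is
    not advertised.
  - emptySessionPath was dropped: it is not a Tomcat 9 Connector attribute (removed
    in Tomcat 7, where it only produces a "did not find a matching property"
    warning); the session cookie path is set with sessionCookiePath on the Context.
-->
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="443" URIEncoding="UTF-8" relaxedQueryChars="&lt;&gt;&quot;'" maxPostSize="-1"
           maxThreads="500" maxHttpHeaderSize="8192" enableLookups="false"
           acceptCount="100" disableUploadTimeout="true" server="PCOFF" />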
# 4. server 정보 숨기기 (tomcat/lib/catalina.jar 파일을 풀어서 ServerInfo.properties 수정)
# Overrides the version strings Tomcat reports. The file lives inside catalina.jar
# under org/apache/catalina/util/ and is what the default error pages and version
# banners read; leaving number/built empty hides the exact release.
# Because the edit is made inside catalina.jar it is lost on every Tomcat upgrade
# and has to be reapplied. Tomcat's security how-to also describes an override
# copy at $CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties that
# survives upgrades - confirm for the target version.
server.info=Apache Tomcat
server.number=
server.built=
# 5. 메소드 제한하기(web.xml > security-constraint)
https://offbyone.tistory.com/179
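<!--
  Restrict the HTTP methods accepted for the whole application.

  An empty <auth-constraint/> means "no role may access": every method matched by
  the collection is denied outright (Tomcat answers 403). The original listed the
  methods to deny (HEAD, PUT, PATCH, CONNECT, OPTIONS, TRACE) - a blocklist, so
  DELETE and any arbitrary method name stayed allowed. <http-method-omission>
  inverts it: everything except GET and POST is denied, which covers the original
  list plus DELETE and unknown methods.

  - HEAD stays denied as in the original; it is normally harmless, so add a HEAD
    omission if clients need it.
  - Denying OPTIONS breaks CORS preflight requests; add an OPTIONS omission if the
    application serves cross-origin XHR/fetch callers.
  - Servlet 3.1+ also offers <deny-uncovered-http-methods/> at <web-app> level,
    which denies methods that other security-constraints leave uncovered.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>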
# 6. ciphers 설정 (server.xml > connector)
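<!--
  Explicit cipher-suite allow-list for the TLS connector (port 443).

  Change from the original list: SSL_RSA_WITH_3DES_EDE_CBC_SHA is removed. 3DES is
  a 64-bit block cipher (Sweet32) and every client that can reach this server
  negotiates one of the AES suites above it.

  The remaining TLS_RSA_* suites use static RSA key exchange (no forward secrecy)
  and the *_CBC_* suites are legacy; they are kept only for old clients. Drop them
  once client compatibility allows and keep the ECDHE/DHE GCM suites first.

  Pair this with sslEnabledProtocols="TLSv1.2,TLSv1.3" so TLS 1.0/1.1 are not
  offered, and enforce server preference (honorCipherOrder on SSLHostConfig). On
  Tomcat 8.5+ these settings are preferably placed on the nested <SSLHostConfig>
  element; the Connector-level attributes are still accepted for compatibility -
  confirm for the exact version. If TLSv1.3 is enabled its own suites
  (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384) need to be in the list as well.

  The value is wrapped here for readability but is a single comma-separated
  string; keep it on one line in server.xml unless you have confirmed that this
  Tomcat build trims the embedded whitespace.
-->
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"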