Deepak,

On 5/12/14, 10:42 AM, dku...@ccilindia.co.in wrote:
> We are using - Tomcat Version - 7.0.22

You should upgrade. Really. We are currently on Tomcat 7.0.53 which includes improvements and security fixes relative to 7.0.22.

> Operating System Version : Windows 2003 server

Isn't support for that dead, now? Maybe it's distinct from Windows XP.

> To close a vulnerability, "To denying the request if it comes
> through IP address instead of DNS", we have made below
> configuration changes in server.xml
>
> <Engine name="Catalina" defaultHost="server DNS name"> defaultHost
> was set to localhost prior to change

You didn't need to do this. Instead, you could make a smaller change that introduces a new <Host> within your existing engine. The name of the host would be the IP-address of the server instead of its DNS name.

I'm curious as to why you think that responding to a request that uses the server's IP address is a vulnerability.

> But Due this change we are losing logging in localhost.log in logs
> folder of TOMCAT, Please suggest how to redirect console logging to
> a given file or how to retain the localhost.log file of tomcat.

The console log goes to catalina.out regardless of the Engine, Host, etc. If you didn't configure a logger for your host, I think you'll get nothing. You will need to modify conf/logging.properties to route messages for your new <Host> to the existing "localhost" log file.

> Kindly also let us know instead of above settings any other
> configuration setting will make denial of any request if it comes
> through IP address instead of DNS.

You could also install a Filter into your web application that simply rejects all requests whose Host header does not match your DNS hostname. No configuration in Tomcat would be necessary: just a new class in your web application and (possibly) a bit of configuration in your WEB-INF/web.xml file.

Hope that helps,
-chris
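
The Filter approach suggested in the message above, sketched as an added example (not code from the original post or from the Tomcat project). The class name `HostHeaderFilter`, the init-param name `allowedHost` and the choice of a 400 response are assumptions made for this example; it is written against the `javax.servlet` API (Servlet 3.0), which Tomcat 7 implements.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose Host header is not the expected DNS name.
 *  Map it to /* in WEB-INF/web.xml with an init-param "allowedHost"
 *  (a name chosen for this example) holding the DNS hostname. */
public class HostHeaderFilter implements Filter {
    private String allowedHost;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter("allowedHost");
        if (value == null || value.trim().isEmpty()) {
            // Fail at deployment rather than silently allowing every host.
            throw new ServletException("init-param 'allowedHost' is required");
        }
        allowedHost = value.trim().toLowerCase(Locale.ROOT);
    }

    /** Strips an optional :port, keeping bracketed IPv6 literals intact. */
    static String hostOnly(String header) {
        if (header == null) return "";
        String h = header.trim().toLowerCase(Locale.ROOT);
        if (h.startsWith("[")) {
            int end = h.indexOf(']');
            return end > 0 ? h.substring(0, end + 1) : h;
        }
        int colon = h.lastIndexOf(':');
        return colon >= 0 ? h.substring(0, colon) : h;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!allowedHost.equals(hostOnly(request.getHeader("Host")))) {
            // Covers raw IP addresses, unknown names and a missing Host header.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the comparison is an exact match against one configured name, any alias that should remain reachable (for example a `www.` variant) has to be added explicitly, and the filter only protects the web application it is deployed in.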