问题描述
在创建Azure App Service时,服务端的配置使用Java 8 + Tomcat 8.5。默认的根目录页面显示出App Service Tomcat版本信息,存在一定的安全隐患。
如何来避免这个问题呢?
问题解答
因为在初始创建App Service时,Azure会根据所选Stack, Web Server的信息默认生成首页内容。大多是情况下,在部署您的应用时,默认的首页内容会被替换掉。
App Service默认使用的首页名称如下(这些文件位于wwwroot目录下):
但对于Java Tomcat服务,默认的首页启动路径为 wwwroot/webapps/ROOT/index.jsp, 所以只需要修改 index.jsp中的内容或者删除这个文件就可以避免根路径 (“/”) 泄露服务信息。
修改步骤
1)登录App Service Kudu站点 ( 在左侧目录栏中选择 Advanced Tools –> Go 进入Kudu站点(https://<your app service name>.scm.chinacloudsites.cn/)), 选择 Debug Console 页面
2) 进入 HOME\SITE\WWWROOT\WEBAPPS\ROOT 目录
点击编辑 index.jsp 或者删除这个文件(文件删除后,访问App Service默认URL会返回404错误)
修改index.jsp文件:
如把内容修改为:This is Java Site...保存后,在浏览器中再次访问App Service
删除index.jsp文件
以上方式均可以避免在App Service的首页暴露 服务端Tomcat 信息!
默认生成的Index.jsp 内容
默认生成的Index.jsp 内容 <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title>Microsoft Azure App Service - Welcome</title> <link rel="SHORTCUT ICON" href="https://c.s-microsoft.com/favicon.ico?v2" type="image/x-icon"/> <link rel="stylesheet" href="https://ajax.aspnetcdn.com/ajax/bootstrap/4.1.1/css/bootstrap.min.css" crossorigin="anonymous"> <link rel="stylesheet" type="text/css" href="https://appservice.azureedge.net/css/linux-landing-page/v3/main.css"> <style> #container { position: relative; } #abc{ position: relative; bottom: 0px; } .abc{ position: relative; bottom: 0px; } </style> <script type="text/javascript"> window.onload=function(){try{var a=window.location.hostname;if(a.includes(".azurewebsites.net")){a=a.replace(".azurewebsites.net", "")}var b=document.getElementById("depCenterLink");b.setAttribute("href", b.getAttribute("href") + "&sitename=" + a);}catch(d){}} </script> </head> <body> <nav class="navbar navbar-light bg-light"> <a class="navbar-brand " href="#"> <div class="container pl-4 ml-5"> <img src="https://appservice.azureedge.net/images/linux-landing-page/v3/microsoft_azure_logo.png" width="270" height="108" alt=""> </div> </a> </nav> <div class="container-fluid container-height mr-2"> <div class="pt-10 pb-10 mt-10 mb-10 d-xxs-none d-xs-none d-sm-none d-md-none d-lg-block d-xl-block" style="height:20px; width:100%; clear:both;"></div> <div class="row"> <div class="row col-xs-12 col-sm-12 d-block d-lg-none d-xl-none d-md-block d-sm-block d-xs-block"> <div class="text-center"> <img src="https://appservice.azureedge.net/images/linux-landing-page/v3/java.svg"> </div> </div> <div class=" extra-pl-small-scr offset-xl-1 offset-lg-1 offset-md-2 offset-sm-2 offset-xs-4 col-xl-5 col-lg-5 col-md-10 col-sm-11 col-xs-11 div-vertical-center"> <div class="container-fluid"> <div class="row"> <h2>Hey, Java developers!</h2> </div> <br> <div class="row"> <h4>Your app service is up and running.</h4> </div> <div class="row"> <h4>Time to take the next step and deploy your code.</h4> </div> <div class="row info-mg-top"> <p class=" pl-0 col-md-6 col-sm-12 info-mg-top"> Have your code ready?<br> Use deployment center to get code published from your client or setup continuous deployment.<br> <a id='depCenterLink' href="https://go.microsoft.com/fwlink/?linkid=2057852"> <button class="btn btn-primary btn-mg-top" type="submit">Deployment Center</button> </a> </p> <p class="pl-0 offset-md-1 col-md-5 col-sm-12 info-mg-top"> Don't have your code yet?<br> Follow our quickstart guide and you'll have a full app ready in 5 minutes or less.<br> <button onclick="location.href='http://aka.ms/java-quickstart-windows'" class="btn btn-primary btn-mg-top" type="submit">Quickstart</button> </p> </div> </div> </div> <div class="col-xl-5 col-lg-5 col-md-12 d-none d-lg-block"> <div class="text-center"> <img src="https://appservice.azureedge.net/images/linux-landing-page/v3/java.svg"> </div> </div> <div class="col-xl-1 col-lg-1 col-md-1"></div> </div> <div class="row"> <div class=" extra-pl-small-scr offset-xl-1 offset-lg-1 offset-md-2 offset-sm-2 offset-xs-4 col-xl-5 col-lg-5 col-md-10 col-sm-11 col-xs-11 iv-vertical-center"> <div class="container-fluid"> <div class="row"> <b>Technical Information</b> </div> <div class="row"> <% page import="java.util.*" %> <% ArrayList<String> mainPageProps = new ArrayList<String>(); mainPageProps.add("catalina.base"); mainPageProps.add("jetty.base"); mainPageProps.add("java.version"); mainPageProps.add("java.home"); for(String name : mainPageProps) { String value = System.getProperty(name); if(value != null) { out.print(name + ": " + value + "<br>"); } } %> </div> </div> </div> <div class="col-xl-5 col-lg-5 col-md-12 d-none d-lg-block"></div> <div class="col-xl-1 col-lg-1 col-md-1"></div> </div> </div> <!-- Bootstrap core JavaScript==================================================--> <script src="https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.2.1.min.js" crossorigin="anonymous"></script> <script src="https://ajax.aspnetcdn.com/ajax/bootstrap/4.1.1/bootstrap.min.js" crossorigin="anonymous"></script> </body> </html>Java Index Page
