Posted to users@tomcat.apache.org by climbingrose <cl...@gmail.com> on 2007/07/09 08:24:11 UTC

Hide 501 error message

Hi all,

I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3.
Everything is working beautifully but I want to hide the 501 error when
a malicious user tries to access the server. For example:

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
alsfjalsfjsdf


<html><head><title>Apache Tomcat/6.0.10 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 501 - Method alsfjalsfjsdf is not defined in
RFC 2068 and is not supported by the Servlet API </h1><HR size="1"
noshade="noshade"><p>type Status report</p><p>message <u>Method
alsfjalsfjsdf is not defined in RFC 2068 and is not supported by the Servlet
API </u></p><p>description <u>The server does not support the functionality
needed to fulfill this request (Method alsfjalsfjsdf is not defined in RFC
2068 and is not supported by the Servlet API ).</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/6.0.10</h3></body></html>Connection
closed by foreign host.


I don't want to show the message because it contains Tomcat information as
well as revealing the technology I'm using on my website. Any ideas?

Thanks.

-- 
View this message in context: http://www.nabble.com/Hide-501-error-message-tf4047399.html#a11496600
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Hide 501 error message

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Subject: Re: Hide 501 error message
> 
> I'm sure you can turn off this version disclosure within Tomcat, too,
> but I can't remember how to do it. Check the archives, 'cause I'm sure
> this has been asked in the past.

From the doc for the server attribute of the HTTP connector:

"The Server header for the http response. Unless your [sic] paranoid,
you won't need this feature."

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Of course, "Just because you're paranoid doesn't mean they're not out to
get you."

 - Chuck
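
A regression check for the disclosures discussed in this thread, added here as an example and not code from any poster or from the Tomcat or httpd projects: it scans a captured response for product/version banners in the body and in the Server and X-Powered-By headers, and accepts a reply with no status line like the one in the telnet session. The function names, the sample responses and the Apache/2.0.59 version string are constructed for illustration.

```python
import re

# Product/version tokens such as "Apache Tomcat/6.0.10" or "mod_jk/1.2.3".
VERSION_TOKEN = re.compile(rb"\b([A-Za-z][\w .-]*?/\d+(?:\.\d+)+)")
# Response headers that commonly carry a product banner.
BANNER_HEADERS = (b"server", b"x-powered-by")

# Constructed samples; the first abbreviates the error page from the telnet session.
SAMPLE_LEAKY = (b"<html><head><title>Apache Tomcat/6.0.10 - Error report</title>"
                b"</head><body><h3>Apache Tomcat/6.0.10</h3></body></html>")
SAMPLE_HEADERS = (b"HTTP/1.1 501 Not Implemented\r\n"
                  b"Server: Apache/2.0.59 (Unix) mod_jk/1.2.3\r\n\r\n"
                  b"<html><body>Error</body></html>")
SAMPLE_CLEAN = (b"HTTP/1.1 501 Not Implemented\r\nServer: Apache\r\n\r\n"
                b"<html><body>Error</body></html>")


def split_response(raw: bytes):
    """Return (headers, body); a reply with no status line is body only."""
    if not raw.startswith(b"HTTP/"):
        return {}, raw
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def find_disclosures(raw: bytes):
    """List (location, token) pairs where a product/version banner appears."""
    headers, body = split_response(raw)
    found = []
    for name in BANNER_HEADERS:
        for tok in VERSION_TOKEN.findall(headers.get(name, b"")):
            found.append(("header:" + name.decode(), tok.decode()))
    for tok in sorted(set(VERSION_TOKEN.findall(body))):
        found.append(("body", tok.decode()))
    return found


if __name__ == "__main__":
    for label, sample in (("leaky body", SAMPLE_LEAKY),
                          ("leaky headers", SAMPLE_HEADERS),
                          ("hardened", SAMPLE_CLEAN)):
        print(label, find_disclosures(sample))
```
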




Re: Hide 501 error message

Posted by climbingrose <cl...@gmail.com>.
I tried to configure Apache with "ErrorDocument 501 error.html"; however, it
doesn't seem to take effect. That error message still appears when I try to
connect via telnet and enter some characters. So I suspect that Tomcat
doesn't return a 501 error code but returns normal "html" signaling the error.
That's why Apache doesn't know about the error and render the appropriate
error page. Any idea?


Christopher Schultz-2 wrote:
> 
> climbingrose,
> 
> climbingrose wrote:
>> I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3.
>> Everything is working beautifully but I want to hide the 501 error when
>> a malicious user tries to access the server.
> 
> I assume you always want to hide these messages, since it's difficult to
> determine whether a user is malicious or not.
> 
>> # telnet localhost 80
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> alsfjalsfjsdf
>> 
>> 
>> <html><head><title>Apache Tomcat/6.0.10 - Error
>> report</title><style><!--H1
> 
> [snip]
> 
>> I don't want to show the message because it contains Tomcat information as
>> well as revealing the technology I'm using on my website. Any ideas?
> 
> Apache httpd is capable of sending an error document based upon any
> response code, and it can override that sent by Tomcat. For instance,
> you can have Apache httpd intercept 501 from Tomcat and display a page
> that contains no server information at all.
> 
> Don't forget that your HTTP headers might leak information, too. Check
> the ServerTokens Apache httpd directive to make sure you aren't
> announcing your server version from Apache httpd.
> 
> I'm sure you can turn off this version disclosure within Tomcat, too,
> but I can't remember how to do it. Check the archives, 'cause I'm sure
> this has been asked in the past.
> 
> -chris
> 


Re: Hide 501 error message

Posted by Christopher Schultz <ch...@christopherschultz.net>.
climbingrose,

climbingrose wrote:
> I'm configuring Tomcat 6.0.10 behind Apache 2.0 using mod_jk 1.2.3.
> Everything is working beautifully but I want to hide the 501 error when
> a malicious user tries to access the server.

I assume you always want to hide these messages, since it's difficult to
determine whether a user is malicious or not.

> # telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> alsfjalsfjsdf
> 
> 
> <html><head><title>Apache Tomcat/6.0.10 - Error report</title><style><!--H1

[snip]

> I don't want to show the message because it contains Tomcat information as
> well as revealing the technology I'm using on my website. Any ideas?

Apache httpd is capable of sending an error document based upon any
response code, and it can override that sent by Tomcat. For instance,
you can have Apache httpd intercept 501 from Tomcat and display a page
that contains no server information at all.

Don't forget that your HTTP headers might leak information, too. Check
the ServerTokens Apache httpd directive to make sure you aren't
announcing your server version from Apache httpd.

I'm sure you can turn off this version disclosure within Tomcat, too,
but I can't remember how to do it. Check the archives, 'cause I'm sure
this has been asked in the past.

-chris
