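Problem description
When an Azure App Service is created with Java 8 + Tomcat 8.5 as the server-side configuration, the default page at the root path displays the App Service's Tomcat version information, which poses a security risk.
How can this be avoided?
Answer
When an App Service is first created, Azure generates default home page content based on the selected stack and web server. In most cases, this default home page content is replaced when you deploy your application.
The default home page names used by App Service are as follows (these files are located in the wwwroot directory):
For the Java Tomcat service, however, the default home page path is wwwroot/webapps/ROOT/index.jsp, so you only need to modify the content of index.jsp or delete the file to keep the root path ("/") from leaking server information.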
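Modification steps
1) Sign in to the App Service Kudu site (in the left-hand menu, select Advanced Tools -> Go to open the Kudu site (https://<your app service name>.scm.chinacloudsites.cn/)), then select the Debug Console page
2) Go to the HOME\SITE\WWWROOT\WEBAPPS\ROOT directory
Click to edit index.jsp, or delete the file (after the file is deleted, requests to the App Service default URL return a 404 error)
Modify the index.jsp file:
For example, change the content to: This is Java Site... After saving, visit the App Service again in a browser
Delete the index.jsp file
Either approach prevents the App Service home page from exposing the server-side Tomcat information!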
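To confirm the change took effect, the following check (an added example, not part of the original post) scans a response body for the four system properties that the default index.jsp prints under "Technical Information". The function names, the `tomcat.banner` pattern and the sample bodies are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Property names the default index.jsp prints under "Technical Information".
LEAKED_PROPS = ("catalina.base", "jetty.base", "java.version", "java.home")
# The scriptlet emits each one as: name + ": " + value + "<br>"
PROP_RE = re.compile(
    r"(%s): (.*?)<br>" % "|".join(re.escape(p) for p in LEAKED_PROPS))
# Assumption: also flag a Tomcat version banner anywhere in the body.
BANNER_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")
WELCOME_TITLE = "Microsoft Azure App Service - Welcome"


def find_disclosures(body):
    """Return {label: value} for every server detail found in a response body."""
    found = {name: value.strip() for name, value in PROP_RE.findall(body)}
    banner = BANNER_RE.search(body)
    if banner:
        found["tomcat.banner"] = banner.group(0)
    if WELCOME_TITLE in body:
        found["default.page"] = WELCOME_TITLE
    return found


def check_root(url, timeout=10):
    """Fetch url (e.g. the app's "/") and scan the body, including 404 bodies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:   # e.g. 404 after index.jsp is deleted
        status, body = err.code, err.read()
    return status, find_disclosures(body.decode("utf-8", "replace"))


# Constructed sample bodies (not captured from a real site).
SAMPLE_DEFAULT = (
    "<title>Microsoft Azure App Service - Welcome</title>"
    "<b>Technical Information</b>"
    "catalina.base: C:\\example\\tomcat<br>"
    "java.version: 1.8.0_000<br>java.home: C:\\example\\jre<br>")
SAMPLE_EDITED = "This is Java Site..."

if __name__ == "__main__":
    for label, body in (("default", SAMPLE_DEFAULT), ("edited", SAMPLE_EDITED)):
        print(label, find_disclosures(body) or "no disclosure found")
```

Run `check_root` against your own App Service URL after editing or deleting index.jsp; an empty dictionary means none of these markers were found in the response.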
Content of the default generated index.jsp
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Microsoft Azure App Service - Welcome</title>
<link rel="SHORTCUT ICON" href="https://c.s-microsoft.com/favicon.ico?v2" type="image/x-icon"/>
<link rel="stylesheet" href="https://ajax.aspnetcdn.com/ajax/bootstrap/4.1.1/css/bootstrap.min.css" crossorigin="anonymous">
<link rel="stylesheet" type="text/css" href="https://appservice.azureedge.net/css/linux-landing-page/v3/main.css">
<style>
#container {
position: relative;
}
#abc{
position: relative;
bottom: 0px;
}
.abc{
position: relative;
bottom: 0px;
}
</style>
<script type="text/javascript">
window.onload=function(){try{var a=window.location.hostname;if(a.includes(".azurewebsites.net")){a=a.replace(".azurewebsites.net", "")}var b=document.getElementById("depCenterLink");b.setAttribute("href", b.getAttribute("href") + "&sitename=" + a);}catch(d){}}
</script>
</head>
<body>
<nav class="navbar navbar-light bg-light">
<a class="navbar-brand " href="#">
<div class="container pl-4 ml-5">
<img src="https://appservice.azureedge.net/images/linux-landing-page/v3/microsoft_azure_logo.png" width="270" height="108" alt=""> </div>
</a>
</nav>
<div class="container-fluid container-height mr-2">
<div class="pt-10 pb-10 mt-10 mb-10 d-xxs-none d-xs-none d-sm-none d-md-none d-lg-block d-xl-block" style="height:20px; width:100%; clear:both;"></div>
<div class="row">
<div class="row col-xs-12 col-sm-12 d-block d-lg-none d-xl-none d-md-block d-sm-block d-xs-block">
<div class="text-center">
<img src="https://appservice.azureedge.net/images/linux-landing-page/v3/java.svg"> </div>
</div>
<div class=" extra-pl-small-scr offset-xl-1 offset-lg-1 offset-md-2 offset-sm-2 offset-xs-4 col-xl-5 col-lg-5 col-md-10 col-sm-11 col-xs-11 div-vertical-center">
<div class="container-fluid">
<div class="row">
<h2>Hey, Java developers!</h2>
</div>
<br>
<div class="row">
<h4>Your app service is up and running.</h4>
</div>
<div class="row">
<h4>Time to take the next step and deploy your code.</h4>
</div>
<div class="row info-mg-top">
<p class=" pl-0 col-md-6 col-sm-12 info-mg-top">
Have your code ready?<br>
Use deployment center to get code published from your client or setup continuous deployment.<br>
<a id='depCenterLink' href="https://go.microsoft.com/fwlink/?linkid=2057852">
<button class="btn btn-primary btn-mg-top" type="submit">Deployment Center</button>
</a>
</p>
<p class="pl-0 offset-md-1 col-md-5 col-sm-12 info-mg-top">
Don't have your code yet?<br>
Follow our quickstart guide and you'll have a full app ready in 5 minutes or less.<br>
<button onclick="location.href='http://aka.ms/java-quickstart-windows'" class="btn btn-primary btn-mg-top" type="submit">Quickstart</button>
</p>
</div>
</div>
</div>
<div class="col-xl-5 col-lg-5 col-md-12 d-none d-lg-block">
<div class="text-center">
<img src="https://appservice.azureedge.net/images/linux-landing-page/v3/java.svg">
</div>
</div>
<div class="col-xl-1 col-lg-1 col-md-1"></div>
</div>
<div class="row">
<div class=" extra-pl-small-scr offset-xl-1 offset-lg-1 offset-md-2 offset-sm-2 offset-xs-4 col-xl-5 col-lg-5 col-md-10 col-sm-11 col-xs-11 iv-vertical-center">
<div class="container-fluid">
<div class="row">
<b>Technical Information</b>
</div>
<div class="row">
<%@ page import="java.util.*" %>
<%
ArrayList<String> mainPageProps = new ArrayList<String>();
mainPageProps.add("catalina.base");
mainPageProps.add("jetty.base");
mainPageProps.add("java.version");
mainPageProps.add("java.home");
for(String name : mainPageProps)
{
String value = System.getProperty(name);
if(value != null)
{
out.print(name + ": " + value + "<br>");
}
}
%>
</div>
</div>
</div>
<div class="col-xl-5 col-lg-5 col-md-12 d-none d-lg-block"></div>
<div class="col-xl-1 col-lg-1 col-md-1"></div>
</div>
</div>
<!-- Bootstrap core JavaScript==================================================-->
<script src="https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.2.1.min.js" crossorigin="anonymous"></script>
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/4.1.1/bootstrap.min.js" crossorigin="anonymous"></script>
</body>
</html>