diff --git a/main/project/WebContent/lesson_plans/TomcatSetup.html b/main/project/WebContent/lesson_plans/TomcatSetup.html new file mode 100644 index 000000000..7947da6b3 --- /dev/null +++ b/main/project/WebContent/lesson_plans/TomcatSetup.html 
@@ -0,0 +1,101 @@ +<!-- Start Instructions --> +<h1>How To Setup Tomcat</h1><br><br> +<h2>Introduction</h2> +<p>WebGoat comes with a sane default setup for Tomcat. This page will explain the setup +and which further possibilites you have to setup Tomcat. This is just +a short description which should be enough in most cases. For more advanced tasks please +refer to the Tomcat documentation. Please note that all solutions +are written for the standard setup on port 80. If you use another configuration you have +to ajust the solution to your configuration.</p> + +<h2>The standard Setup</h2> +<p>There are two standard Tomcat setups. In this setups WebGoat is only reachable from within + the localhost. + Both are identically with the only difference + that one is running on port 80 and 443 (SSL) and the other on 8080 and 8443. In Linux you have + to start WebGoat as root or with sudo if you want to run it on port 80 and + 443. + As running software as root is dangerous we strongly advice to use +the port 8080 and 8443. In Windows you can +run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you +can use webgoat.sh and run it with webgoat.sh start80 or wegoat.sh start8080. The user in these +setups is guest with password guest +</p> + +<h2>Server Configurations</h2> +<p> +If you are a single user of WebGoat the standard setups should be +enough but if you want to use WebGoat in laboratory or in class there +might bee the need to change the configuration. Before changing +the configurations we recommend doing a backup of the files you change. +</p> + +<h3>Change Ports</h3> +<p> +To change the ports open the server_80.xml which you find in tomcat/conf and change the +non-SSL port. If you want to use it on port 8079 for example: +</p> + +<pre> + <!-- Define a non-SSL HTTP/1.1 Connector on port 8079 --> + <Connector address="127.0.0.1" port="8079"... +</pre> +<p> +You can also change the SSL connector to another port of course. 
+In this example to port 8442: +</p> +<pre> + <!-- Define a SSL HTTP/1.1 Connector on port 8442 --> + <Connector address="127.0.0.1" port="8442"... +</pre> + +<h3>Make WebGoat Reachable From Another Client</h3> +<p><b>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS + UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN +SAVE NETWORKS!</b></p> +<p>By its default configuration WebGoat is only +reachable within the localhost. In a laboratory or a class +there is maybe the need of having a server and a few clients. +In this case it is possible to make WebGoat reachable. +</p> +<p>The reason why WebGoat is only reachable within the localhost is +the parameter address in the connectors in server_80.xml. It is set +to 127.0.0.1. The applications only listens on the port of this address for +incoming connections if it is set. If you remove this parameter the server listens on all IPs on the +specific port.</p> + +<h3>Permit Only Certain Clients Connection</h3> +<p> +If you have made WebGoat reachable it is reachable for +all clients. If you want to make it reachable only for certain clients specified +by there IP you can archive this by using a 'Remote Address Filter'. +The filter can be set in a whitebox or blackbox approach. Here is +only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml: +</p> +<pre> + <Valve className="org.apache.catalina.valves.RemoteAddrValve" + allow="127.0.0.1,ip1,ip2"/> +</pre> +<p>In this case only localhost, ip1 and ip2 are permitted to connect.</p> + +<h2>Users</h2> +<p> +Usually using WebGoat you just use the user guest with the password guest. +But maybe in laboratory you have made a configuration with one server and a lot of +clients. In this case you might want to have a user for every client + and you have to alter tomcat-users.xml +in tomcat/conf as the users are stored there. 
<b>We recommend not to use real passwords +as the passwords are stored in plain text in this file!</b> +</p> +<h3>Add User</h3> +<p> +Adding a user is straight forward. You can use the guest entry as an example. The added +users should have the same role as the guest user. Add lines like this to the file: +</p> +<pre> + <user name="user1" password="password1" roles="webgoat_user"/> + <user name="user2" password="password2" roles="webgoat_user"/> + ... +</pre> + +<!-- Stop Instructions --> \ No newline at end of file
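Review bot: the XML samples in the three `<pre>` blocks are not escaped, so they will not render: `<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->` is parsed as an HTML comment and disappears, and `<Connector address="127.0.0.1" port="8079"...` and `<Valve className="org.apache.catalina.valves.RemoteAddrValve"` are parsed as unknown elements with their text swallowed. Replace `<` and `>` inside the `<pre>` blocks with `&lt;` and `&gt;`. Two smaller points in the same hunk: the Remote Address Filter section tells the reader to add the Valve to the Host section of `web_80.xml`, while every other reference in the page is to `server_80.xml` in tomcat/conf, and the Host element lives in the server configuration, so this looks like a typo for `server_80.xml`; and the `allow` values of RemoteAddrValve are matched as regular expressions in the Tomcat versions that accept a comma-separated list, so the dots in `127.0.0.1` should be escaped (`127\.0\.0\.1`) if the intent is an exact address match. Spelling to fix before merge: "possibilites", "ajust", "Both are identically", "advice" (advise), "wegoat.sh", "might bee", "SAVE NETWORKS" (SAFE), "specified by there IP" (their), "you can archive this" (achieve).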