80 lines
3.3 KiB
HTML
80 lines
3.3 KiB
HTML
<!-- Start Instructions -->
|
|
<h1>How To Configure Tomcat</h1><br><br>
|
|
<h2>Introduction</h2>
|
|
<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations
|
|
and other possible configurations for Tomcat. This is just
|
|
a short description which should be enough in most cases. For more advanced tasks please
|
|
refer to the Tomcat documentation. Please note that all solutions
|
|
are written for the standard configurations on port 80 or 8080. If you use another port you have
|
|
to adjust the solution to your configuration.</p>
|
|
|
|
<h2>The Standard Configurations</h2>
|
|
<p>WebGoat has multiple ways of being run. The <a href="https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-6.0)">
|
|
WebGoat Wiki</a> is the best place to find the latest configuration instructions.
|
|
By default WebGoat will run on port 8080. In the basic configurations you use the server on your localhost.
|
|
In Linux you have to start WebGoat as root or with sudo if you want to run it on port 80 and
|
|
443. Running software as root is dangerous we strongly advice to use
|
|
the port 8080 and 8443.
|
|
</p>
|
|
|
|
<h2>Server Configurations</h2>
|
|
<p>
|
|
If you are a single user of WebGoat the standard configurations should be
|
|
enough but if you want to use WebGoat in laboratory or in class there
|
|
might be the need to change the configurations. Before changing
|
|
the configurations we recommend doing a backup of the files you change.
|
|
</p>
|
|
|
|
<h3>Change Ports</h3>
|
|
<p>
|
|
To change the ports open Tomcat's server.xml which you find in tomcat/conf and change the
|
|
non-SSL port. If you want to change your
|
|
Tomcat server to use it on port 8079 for example:
|
|
</p>
|
|
|
|
<pre>
|
|
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
|
<Connector address="127.0.0.1" port="8079"...
|
|
</pre>
|
|
<p>
|
|
You can also change the SSL connector to another port of course.
|
|
In this example to port 8442:
|
|
</p>
|
|
<pre>
|
|
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
|
<Connector address="127.0.0.1" port="8442"...
|
|
</pre>
|
|
</p>
|
|
You can also modify WebGoat's pom.xml file to change the port. You will need to modify
|
|
the tomcat7-maven-plugin plugin configuration.
|
|
</p>
|
|
<br>
|
|
|
|
<h3>Make WebGoat Reachable From Another Client</h3>
|
|
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
|
|
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
|
|
SAFE NETWORKS!</p>
|
|
<p>By its default configuration, WebGoat is only
|
|
reachable within the localhost. In a laboratory or a class
|
|
there is maybe the need of having a server and a few clients.
|
|
In this case it is possible to make WebGoat reachable.
|
|
</p>
|
|
|
|
<h3>Permit Only Certain Client Connection</h3>
|
|
<p>
|
|
If you have made WebGoat reachable it is reachable for
|
|
all clients. If you want to make it reachable only for certain clients specified
|
|
by their IP you can archive this by using a 'Remote Address Filter'.
|
|
The filter can be set in a whitebox or blackbox approach. Here is
|
|
only discussed the whitebox approach. You have to add following lines to the
|
|
Host section of server.xml in your Tomcat server configuration:
|
|
</p>
|
|
<pre>
|
|
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
|
|
allow="127.0.0.1,ip1,ip2"/>
|
|
</pre>
|
|
<p>In this case only localhost, ip1 and ip2 are permitted to connect.</p>
|
|
|
|
|
|
|
|
<!-- Stop Instructions --> |