Resolving the Apache Tomcat Default Files Ne
[Problem description]
The medium-risk finding about Tomcat default files reported by the Nessus scan, as follows:
12085 - Apache Tomcat Default Files -
Synopsis
The remote web server contains default files.
Description
The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.
See Also
https://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
https://www.owasp.org/index.php/Securing_tomcat
Solution
Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
Risk Factor
Medium
CVSS v3.0 Base Score
7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
XREF CWE:20
XREF CWE:74
XREF CWE:79
XREF CWE:442
XREF CWE:629
XREF CWE:711
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:750
XREF CWE:751
XREF CWE:800
XREF CWE:801
XREF CWE:809
XREF CWE:811
XREF CWE:864
XREF CWE:900
XREF CWE:928
XREF CWE:931
XREF CWE:990
Plugin Information:
Published: 2004/03/02, Modified: 2018/01/30
Plugin Output
tcp/8983
The following default files were found :
/nessus-check/default-404-error-page.html
[Problem analysis]
The cause is that Tomcat's default 404 page includes the Tomcat version number, which the Nessus scanner classifies as a medium-risk vulnerability. Removing the Tomcat version number from that page is enough.
[Solution]
Reference: https://blog.csdn.net/damaolly/article/details/73927938
Replace the 404 page with a custom 404 page that omits the Tomcat version number.
1. Add an error-page entry to web.xml:
<error-page>
<error-code>404</error-code>
<location>/solr_error_page.html</location>
</error-page>
2. Create the custom solr_error_page.html page; the page must not contain the Tomcat version number:
<!DOCTYPE html>
<html lang="en">
<head>
<title>HTTP Status 404 - Not Found</title>
<style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}</style>
</head>
<body>
<h1>HTTP Status 404 - Not Found</h1>
<hr class="line" />
<p><b>Type</b> Status Report</p>
<p><b>Message</b> No Solr Page</p>
<p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p>
<hr class="line" />
</body>
</html>
(Updated 2019-06-12) After a Nessus plugin database upgrade changed the rule, the custom solr_error_page.html above was flagged again, so the page was cut down to a minimal form, as follows:
<html lang="en">
<head>
<title>No Solr Page</title>
</head>
<body>
<p>No Solr Page</p>
</body>
</html>
3. Place the custom solr_error_page.html page in the following web application directory and under ROOT:
- webapps/solr/solr_error_page.html
  served when a URL of the form http://[ip]:[port]/solr/*** does not exist.
- webapps/ROOT/solr_error_page.html
  served when a URL of the form http://[ip]:[port]/*** does not exist.
4. Restart the Tomcat service for the change to take effect.
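To verify the fix after the restart, here is an added Python check (not from the original article) that requests a path which should not exist, using the same probe path the Nessus plugin output shows, and flags any Tomcat version string in the body or Server header as well as leftover fragments of the stock error template. The marker list is my own heuristic assumption, not the actual Nessus signature, and the sample bodies are constructed.

```python
import re
import urllib.error
import urllib.request

# A version string such as "Apache Tomcat/8.5.31" in the body or the Server
# header is what turns a plain 404 into an information disclosure.
VERSION_RE = re.compile(r"(?:Apache\s+)?Tomcat/\d+(?:\.\d+)+", re.IGNORECASE)

# Heuristic (my assumption, not the Nessus signature): fragments of Tomcat's
# stock error template that were still present in the first custom page above
# and were dropped from the minimal one.
STOCK_MARKERS = ("Status Report", "#525D76", "HTTP Status 404 - Not Found")

def check_error_page(headers, body):
    """Findings for one error response (headers: name->value, body: text); [] is clean."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    m = VERSION_RE.search(hdrs.get("server", ""))
    if m:
        findings.append(f"Server header discloses version: {m.group(0)}")
    m = VERSION_RE.search(body)
    if m:
        findings.append(f"body discloses version: {m.group(0)}")
    for marker in STOCK_MARKERS:
        if marker in body:
            findings.append(f"body still carries stock-template marker: {marker!r}")
    return findings

def fetch_and_check(base_url, path="/nessus-check/default-404-error-page.html"):
    """Request a path that should not exist on your own server and check its error page."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            headers, body = dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # the 404 arrives here, together with its page
        headers, body = dict(e.headers), e.read().decode("utf-8", "replace")
    return check_error_page(headers, body)

# Constructed samples: a stock-style 404 body (version number made up) and the
# minimal custom page from this article.
DEFAULT_404 = ('<html><head><title>HTTP Status 404 - Not Found</title></head><body>'
               '<p><b>Type</b> Status Report</p><hr class="line" />'
               '<h3>Apache Tomcat/8.5.31</h3></body></html>')
MINIMAL_404 = ('<html lang="en"><head><title>No Solr Page</title></head>'
               '<body><p>No Solr Page</p></body></html>')

if __name__ == "__main__":
    for name, body in (("default", DEFAULT_404), ("minimal", MINIMAL_404)):
        print(name, check_error_page({"Server": "Apache-Coyote/1.1"}, body) or "clean")
```

Run `fetch_and_check("http://[ip]:[port]")` against both the /solr application and ROOT, since each has its own error page.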