<?xml version="1.0" encoding="UTF-8"?>
<!--
  Minimal Tomcat server.xml authored for CVE-2024-24549 reproduction.

  Goal: expose ONE unauthenticated HTTP/2 listener with a known, modest
  header limit so an over-limit HEADERS+CONTINUATION block is trivial to
  construct. HTTP/2 is offered over cleartext (h2c) for test simplicity,
  which the criterion explicitly permits. No proxy, no TLS, no other
  services. Nothing in front normalizes or pre-validates headers.

  - Connector protocol is HTTP/1.1 (NIO); the Http2Protocol UpgradeProtocol
    makes the same port speak h2c (both via HTTP/1.1 Upgrade: h2c and via
    the HTTP/2 prior-knowledge preface).
  - maxHttpHeaderSize is pinned to 8192 bytes on BOTH the base connector and
    the Http2Protocol so "over-limit" is unambiguous and modest. A single
    header block larger than 8 KB exceeds it.
-->
<Server port="8005" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <Service name="Catalina">

    <Connector port="8080"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000"
               maxHttpHeaderSize="8192"
               maxParameterCount="1000">
      <!-- Same port also speaks HTTP/2 (h2c). Http2Protocol has no
           maxHttpHeaderSize setter of its own: it derives the effective max
           header size from the enclosing connector's maxHttpHeaderSize
           (Http2Protocol.getMaxHttpRequestHeaderSize -> http11Protocol). So
           the modest 8192-byte limit above governs the HTTP/2 parser too.
           maxHeaderCount is settable here and pinned to a modest 20 as a
           second, equally easy over-limit trigger. -->
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                       maxHeaderCount="20"
                       maxConcurrentStreams="100" />
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
