How to change Apache's 'Server:' header without mod_security? - apache

How to change Apache's Server: header without mod_security?
I do not want to use mod_security because I don't have anything else to do with it. And it is a useless overhead for me.
Instead, what should I change in Apache's source? I usually use Apache compiled from source.
I am using Apache version 2.4.46.

To change Apache's Server: header, change the following in the source code:
Change the file /path/to/httpd-2.4.46/include/ap_release.h:
Go to the line like:
...
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
#define AP_SERVER_BASEPRODUCT "Apache"
...
And change it to anything, like:
...
#define AP_SERVER_BASEPROJECT "Apache Something My Server"
#define AP_SERVER_BASEPRODUCT "Apache My Server"
...
And then compile Apache, and you are good!
Also, make sure to follow the license that is provided with it. Questions about license here are off-topic.

I understand not using mod_security to change a single header, so you may want to give https://github.com/bostrt/mod_serverheader#installation a try. It's under 100 lines of code and runs one hook at startup of Apache HTTPD, so very low overhead.
mod_serverheader provides a single directive that lets you completely overwrite the Server header, for example:
LoadModule serverheader_module modules/mod_serverheader.so
ServerHeader my-server
Then, when someone accesses your website they will see:
# curl -I http://example.com/
HTTP/1.1 200 OK
Server: my-server
Content-Length: 8
Content-Type: text/html; charset=iso-8859-1

Related

How to completely hide header information in Apache

I am trying to hide the Apache web server information for security reasons. Previously we were getting the following output when running the curl command:
< Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n
But I made the changes to my conf file and added the following lines:
ServerSignature Off
ServerTokens Prod
After adding the above lines to the conf file I am now getting the following web server header output when running the curl command:
< Server: Apache
To get rid of the "Apache" information I followed the link below and updated the ap_release.h file under the include folder of the Apache install directory, as mentioned in the Stack Overflow link below.
How to change Apache's 'Server:' header without mod_security?
Can someone guide me on how to compile the source code? Also, do we have to compile all the available source code or just the source code where I have made the modification?
Regards,
D
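Added example for the answer above (editing ap_release.h) and for the compile question just above; it is not code from either post. Assumed: the unpacked tree is at /path/to/httpd-2.4.46 as in the answer, the new token is "My Server", and the install prefix is /usr/local/apache2. The demo at the end runs on a constructed two-line copy of ap_release.h, not on a real tree.

```sh
#!/bin/sh
# Added example, not from the original posts. Patch the product token in
# include/ap_release.h, rebuild, and check the Server: header afterwards.

# Replace the token httpd prints in the Server: header (with ServerTokens Prod
# the header is exactly AP_SERVER_BASEPRODUCT). $1 = path to ap_release.h,
# $2 = new token. sed keeps the original as $1.bak.
patch_ap_release() {
    sed -i.bak \
        -e "s|^#define AP_SERVER_BASEPRODUCT .*|#define AP_SERVER_BASEPRODUCT \"$2\"|" \
        "$1"
}

# Print the token currently defined in an ap_release.h.
current_product() {
    sed -n 's/^#define AP_SERVER_BASEPRODUCT "\(.*\)"$/\1/p' "$1"
}

# Answer to "do I compile everything?": ap_release.h is included by core.c
# and many other files, so you rebuild the whole tree. make recompiles only
# the objects that depend on the changed header; "make install" then replaces
# the httpd binary under the prefix. Not run by the demo below.
# $1 = source tree (assumed /path/to/httpd-2.4.46), $2 = prefix (assumed).
build_httpd() {
    src=$1
    prefix=${2:-/usr/local/apache2}
    (cd "$src" && ./configure --prefix="$prefix" && make && make install)
}

# After "apachectl restart", confirm the token. Keep ServerTokens Prod in
# httpd.conf; without it the header also carries the version, e.g.
# "My Server/2.4.46".
#   curl -sI http://127.0.0.1/ | grep -i '^server:'

# Demo on a constructed copy of the two lines quoted in the answer.
demo_file=$(mktemp)
printf '%s\n' \
    '#define AP_SERVER_BASEPROJECT "Apache HTTP Server"' \
    '#define AP_SERVER_BASEPRODUCT "Apache"' > "$demo_file"
patch_ap_release "$demo_file" "My Server"
echo "token now: $(current_product "$demo_file")"
rm -f "$demo_file" "$demo_file.bak"
```

The sed form works with both GNU and BSD sed; the .bak copy lets you diff what changed before you rebuild.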

CGI script in Apache 2.4 runs but returns empty response?

In moving a website from older webservers running Apache 2.2 to newer webservers running Apache 2.4 I encountered a weird problem with CGI. Basically no CGI scripts work on the new webservers. They return 500 errors. However in the ScriptLog there is no "%error" section and the "%response" is empty. Scripts appear to be running but returning absolutely nothing! Since nothing implies no header, the result is a 500 error.
The mod_cgi module is loaded (confirmed by running "apachectl -M"). We are using a prefork MPM so this is the correct module.
Most of the CGI scripts are Perl but we also have one which is compiled C which shows exactly the same pattern of behavior. Even a basic test script like this does not work:
#!/usr/bin/perl
print STDOUT "Content-type: text/html\n\n";
print STDOUT "Hello, World.";
I temporarily assigned a shell to the "apache" user, switched to that user, and was able to run several of these scripts. Not all produce meaningful output when run that way but they do run. Yes, /usr/bin/perl does exist, is the only copy of Perl on the system, and perl-CGI is installed.
All of these scripts are on an NFS share which is used by both the old and new webservers. The old webservers can still serve up these scripts as CGI with no problems. So in case it wasn't already clear the issue here is not with the CGI scripts themselves. It is a configuration problem with the new webservers.
The NFS share is mounted at /mnt/cgi/ with subdirectories for each user. There are sections in a file included in our Apache config which look like this:
Alias /cgi-bin/usera /mnt/cgi/usera
<Directory /mnt/cgi/usera>
Options +ExecCGI
AddHandler cgi-script .cgi .pl
Require all granted
</Directory>
A script in this directory would be accessed at http://server.example.com/cgi-bin/usera/first.pl . When I connect to this page this is appended to the log file specified in ServerLog (with the correct IP addresses... I xxx-ed those out):
%% [Fri Nov 11 12:00:00 2016] GET /cgi-bin/usera/first.pl HTTP/1.1
%% 500 /mnt/cgi/usera/first.pl
%request
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Via: 1.1 xxx.xxx.xxx.xxx:80
X-Forwarded-For: xxx.xxx.xxx.xxx
X-Forwarded-For-Port: 51380
%response
The permissions on these scripts are all 755, so that's not the problem. If I remove the AddHandler line from the Directory definition for the script directory then I can download the script, so Apache is definitely able to access them.
The new servers are RHEL7. SELinux is in Permissive mode, not Enforcing. The booleans httpd_enable_cgi and httpd_use_nfs are both "on" anyway.
Among the things which I have tried which do not help are:
Setting "ScriptAlias /cgi-bin/usera /mnt/cgi/usera" instead of just "Alias".
Setting "ScriptAlias /cgi-bin/ /mnt/cgi". In general we don't want to use ScriptAlias anyway since there are also text data files in some of those directories.
Making the scripts owner:group apache:apache.
Adding "AllowOverride None" to the Directory block.
Adding "use CGI::Carp 'fatalsToBrowser';" to a script. This returns nothing. Again, I think the scripts are running fine but the output is not being received by Apache somehow.
I should also add that in general the new webservers work fine. PHP-based webapps run just fine on them, and of course static content is no problem.
So that's a lot of detail but in the end the issue is this: How can Apache be executing CGI scripts but getting no output at all from them? Any thoughts?
Sure enough, not too long after I asked this question, I found the answer. Basically, we had this line in the config file for this site:
RLimitMEM 2000000 3000000
This limits the memory of processes to 2MB (soft) and 3MB (hard). It is also far too little for CGI scripts. 50MB/80MB worked. We set it even higher just in case.
Here are a few references to people having similar problems for the benefit of those of you who found this page via Google:
PHP out of memory error even though memory_limit not reached
http://www.wrensoft.com/forum/zoom-search-engine-v3-v4-v5-old-versions/29-php-cgi-script-returns-no-results-on-apache-rlimitmem-rlimitcpu
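Added example, not from the thread: a check that finds RLimitMEM values too small for CGI in an httpd config, plus a way to reproduce the "runs but prints nothing" symptom outside Apache with the same kind of limit. The threshold (50 MB, the soft value that worked above), the script paths and the config fragment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): lint RLimitMEM and reproduce the
# empty-%response symptom without httpd.

# Flag "RLimitMEM <soft> [<hard>]" lines whose numeric limit is below $1
# bytes (default 50000000, the soft value the asker found sufficient).
# Reads a config from stdin, prints each offending line, exits 1 if any.
# "max" means unlimited and is never flagged.
check_rlimitmem() {
    awk -v min="${1:-50000000}" '
        tolower($1) == "rlimitmem" {
            soft = $2; hard = ($3 == "") ? $2 : $3
            if ((soft ~ /^[0-9]+$/ && soft + 0 < min) ||
                (hard ~ /^[0-9]+$/ && hard + 0 < min)) {
                print "too low: " $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Run a CGI script under the limit httpd would impose. On Linux httpd applies
# RLimitMEM as RLIMIT_DATA, which is "ulimit -d" (kilobytes, not bytes). With
# a 2 MB data segment the perl interpreter cannot allocate what it needs and
# exits before writing a header, which is exactly an empty %response.
run_cgi_under_limit() {
    kb=$1; shift
    ( ulimit -d "$kb" && exec "$@" )
}
# e.g.  run_cgi_under_limit 2000  /mnt/cgi/usera/first.pl   # ~2 MB: nothing
#       run_cgi_under_limit 51200 /mnt/cgi/usera/first.pl   # 50 MB: works

# Demo on a constructed fragment matching the setting found in the thread.
printf '%s\n' 'RLimitMEM 2000000 3000000' 'RLimitCPU 60 120' \
    | check_rlimitmem || echo "raise RLimitMEM (50MB/80MB worked in the thread)"
```

Running the script under the limit by hand is the quickest way to separate "the script is broken" from "Apache starves the script", which is the distinction the ScriptLog could not make.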
If your Perl script is
#!/usr/bin/perl
print STDOUT "Content-type: text/html\n\n";
print STDOUT "Hello, World.";
Please try removing "STDOUT" from it.

Apache server type in response header

I don't want the server type to be shown in the response headers.
I've tried to add this to httpd.conf, as I saw in many answers:
ServerSignature Off
ServerTokens Prod
But I still see "Server: Apache" in the response:
Can I remove the "Apache" from the response?
Update
Also tried this:
LoadModule headers_module modules/mod_headers.so
Header unset Server
Header unset X-Powered-By
But I got the same response.
You cannot remove the header Server: Apache unless you modify the source code and recompile Apache. And even if you do, it may still not be so difficult to find out which server software you are running.
Search for "webserver fingerprinting"; you will find out about HTTP response header ordering, answers to malformed requests and other ways to discover which server you are running. Spend your time securing your application instead of trying to achieve this obfuscation.
From Apache doc:
Setting ServerTokens to less than minimal is not recommended because
it makes it more difficult to debug interoperational problems. Also
note that disabling the Server: header does nothing at all to make
your server more secure.
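Added example, not from the answer, illustrating the fingerprinting point: the sequence in which a server writes its default headers survives any change to the Server: value. Both responses below are constructed (the header order shown is the usual httpd order, but treat it as an assumption); against a real host you would capture them with curl -sI.

```sh
#!/bin/sh
# Added example (not from the answer): the Server: value is only one of
# several fingerprints; header order is another and does not change when
# ap_release.h is patched.

# Print the header names of a raw HTTP response, in order, comma-separated.
header_order() {
    awk '{ sub(/\r$/, "") }
         NR == 1 { next }                       # status line
         /^$/ { exit }                          # end of headers
         { name = $0; sub(/:.*/, "", name)
           sep = (names == "") ? "" : ","
           names = names sep name }
         END { print names }'
}

# Print the Server: header value, or "(none)" if it is absent.
server_header() {
    awk '{ sub(/\r$/, "") }
         /^$/ { exit }
         tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
         END { if (!found) print "(none)" }'
}

# Constructed response from httpd with ServerTokens Prod.
APACHE_RESP='HTTP/1.1 200 OK
Date: Fri, 11 Nov 2016 12:00:00 GMT
Server: Apache
Last-Modified: Fri, 11 Nov 2016 11:00:00 GMT
ETag: "8-5410a9ef5e3c0"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/html

<html>'

# The same server after the ap_release.h edit: only the value differs.
PATCHED_RESP=$(printf '%s\n' "$APACHE_RESP" | sed 's/^Server: Apache$/Server: my-server/')

for r in "$APACHE_RESP" "$PATCHED_RESP"; do
    echo "Server: $(printf '%s\n' "$r" | server_header)"
    echo "order:  $(printf '%s\n' "$r" | header_order)"
done
```

The two "order:" lines are identical, which is the answer's point: a scanner that compares header sequences (or the reply to a malformed request line) still recognises httpd after the banner is renamed.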

JSJaC+Openfire works only local

So far I have developed completely locally, having everything (Apache, Openfire, JSJaC application) on my laptop, running quite fine. Now I want to use a remote server for Apache/Openfire. I did basically the same steps, incl. the whole http-bind stuff. I test the setting with simpleclient.html provided by JSJaC.
Now here's the deal: if I use the simpleclient directly on the remote server - e.g., http://here.domain.org/simpleclient.html - it works. If I use it locally - e.g., http://[local_machine]/simpleclient.html - with the same settings, I get a 503 (service unavailable). It seems to be more of a network/Apache issue than an Openfire/JSJaC one, but I'm not an expert.
My parameters for the simpleclient:
HTTP Base: http://here.domain.org/http-bind/
JabberServer: here.domain.org
So in my apache virtual host conf file I have the lines:
AddDefaultCharset UTF-8
# ProxyRequests On enables forward proxying, which ProxyPass does not need; Off is the safe value
ProxyRequests On
ProxyPass /http-bind/ http://127.0.0.1:7070/http-bind/
So basically the http bind works since I can connect when the simpleclient.html resides on the server. What I tried so far:
checked if 7070 open from extern: yes
checked etc/hosts - here the relevant lines
127.0.0.1 localhost
123.123.123.123 here.domain.org here
checked Apache conf for restrictions: can't find any, basically i have an "Allow from all" everywhere (but I'm not completely sure where to look at)
By the way, with, e.g., Pidgin I can connect from my laptop to the remote server. Just the JSJaC simpleclient won't do. So I assume it's the http-bind that causes the trouble. I would understand if port 7070 weren't open, but it is.
Any hints or help are much appreciated!
Christian
OK, I got it. It was a cross-domain scripting issue. I started looking into the JSJaC library and noticed that it makes XmlHttpRequests which by default won't work across different domains. I therefore had to allow this with Apache on the Openfire server. I added the following entries in the VirtualHost conf file:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
# browsers refuse Allow-Credentials true together with a "*" origin; name the client's origin instead
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Headers "Content-Type, *"
Of course the mod_headers module must be loaded for this.
I'm not sure which entries are actually required; I didn't try every combination. I think the always is needed since the request to the http-bind address is a proxy thingy.
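Added example, not from the answer: a check of the CORS headers a BOSH endpoint actually returns, run here on a response constructed from the headers as they were posted in the answer. The origin names are assumptions; on a live host you would capture the response with curl -si -X OPTIONS -H 'Origin: http://laptop.example' http://here.domain.org/http-bind/ and pipe it in.

```sh
#!/bin/sh
# Added example (not from the answer): lint CORS response headers.

# Read a raw HTTP response from stdin and report two CORS problems:
#  - an Access-Control-* header whose name is not a real CORS header
#    (browsers ignore it silently, so a typo simply "does nothing")
#  - Access-Control-Allow-Origin "*" together with Allow-Credentials true
#    (browsers refuse the credentialed response; an explicit origin is needed)
# Exit status 1 if anything was reported.
check_cors() {
    awk '
        BEGIN {
            known["access-control-allow-origin"] = 1
            known["access-control-allow-methods"] = 1
            known["access-control-allow-headers"] = 1
            known["access-control-allow-credentials"] = 1
            known["access-control-expose-headers"] = 1
            known["access-control-max-age"] = 1
        }
        { sub(/\r$/, "") }
        /^$/ { exit }
        tolower($0) ~ /^access-control-/ {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (!(name in known)) { print "unknown CORS header: " name; bad = 1 }
            if (name == "access-control-allow-origin") origin = value
            if (name == "access-control-allow-credentials") creds = tolower(value)
        }
        END {
            if (origin == "*" && creds == "true") {
                print "wildcard origin with credentials: browsers reject this"; bad = 1
            }
            exit bad ? 1 : 0
        }'
}

# The directive set that passes the check: header name fixed, client origin
# named instead of "*" (origin is an assumption), Vary so caches keep the
# per-origin answers apart.
#   Header always set Access-Control-Allow-Origin "http://laptop.example"
#   Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
#   Header always set Access-Control-Allow-Headers "Content-Type"
#   Header always set Access-Control-Allow-Credentials "true"
#   Header always merge Vary Origin

# Constructed response carrying the headers exactly as posted in the answer.
POSTED='HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Methods: POST, GET, OPTIIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, *
Content-Type: text/xml; charset=UTF-8

<body xmlns="http://jabber.org/protocol/httpbind"/>'

printf '%s\n' "$POSTED" | check_cors || echo "fix the CORS headers before testing from another host"
```

Because both the misspelled header and the wildcard-plus-credentials pair fail silently in the browser, a check on the raw response is the only place the mistake becomes visible.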

Using keep-alive feature in .htaccess

I want to use the keep-alive feature in Apache. How can I do this with my host (.htaccess file), and what are the best values for the parameters like KeepAliveTimeout?
If keep-alive is turned on in the Apache configuration, all you need to do is set an HTTP header Connection: keep-alive. E.g. add the following lines to your .htaccess file:
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
You can't control keepalive behaviour in an .htaccess. Keepalives are a host-level feature, not one where different directories can behave differently depending on the per-directory htaccess info.
If you are on the kind of basic shared hosting that only gives you .htaccess to configure your sites, you can't change the keepalive settings. Presumably the hosting company will have set them appropriately, or just left them on the default settings, which are usually fine.
Yes, keep-alive behavior can be controlled in the .htaccess file.
First check the server setting by printing $_SERVER and if
[HTTP_CONNECTION] => keep-alive
is there then you just have to include the setting in your .htaccess file.
Add the following line at the end of .htaccess file in your project's root directory.
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
If you have SSH access to your server you should edit the Apache config file. Use these settings as a starter:
KeepAlive On
KeepAliveTimeout 3
MaxKeepAliveRequests 60
This should work for most basic server setups with average traffic. You can always tweak the settings to suit your own needs. See here for more detailed info about this: http://www.giftofspeed.com/enable-keep-alive/
If you don't have access to your server you should contact your host. Changing the keepalive settings on your own by editing the .htaccess file will probably not work.
It very much depends on your site and the amount of traffic it receives. If a user comes to your site, then clicks through to another page within the KeepAliveTimeout setting (default is 15), a new TCP connection does not have to be created. This can really help with overhead.
On the other hand, any Apache processes that are currently tied up w/ existing visitors will not be able to talk to the new ones. So you may have to increase the total number of Apache processes that are available.
In short... it requires tweaking.
You can't control keep-alive behavior in .htaccess.
Paste the following code in your .htaccess file:
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
Then use this website: https://varvy.com/pagespeed/ to check if it's enabled.
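Added example, not from any of the answers: a way to find out whether keep-alive is really in effect without relying on an external website. It asks the server twice in one curl process and checks whether curl reused the first TCP connection, and it reads the settings httpd advertises in its Keep-Alive response header. Host names and the sample curl output are constructed; the live check is shown but not run here.

```sh
#!/bin/sh
# Added example (not from the thread): verify keep-alive from the client side.

# Given "curl -v" output for two requests to the same host, print "reused"
# if the second request went over the first connection, else "new".
# curl 7.x prints "* Re-using existing connection! (#0) with host ...",
# curl 8.x   "* Re-using existing connection with host ..."; both match.
keepalive_from_curl_log() {
    if grep -q 'Re-using existing connection'; then echo reused; else echo new; fi
}

# httpd advertises its settings in the Keep-Alive response header
# ("Keep-Alive: timeout=5, max=100"); print them as "<timeout> <max>".
# Prints nothing if the header is absent (KeepAlive Off, or HTTP/2).
keepalive_params() {
    awk '{ sub(/\r$/, "") }
         tolower($1) == "keep-alive:" {
             t = "?"; m = "?"
             n = split($0, p, /[ ,]+/)
             for (i = 2; i <= n; i++) {
                 split(p[i], kv, "=")
                 if (kv[1] == "timeout") t = kv[2]; else if (kv[1] == "max") m = kv[2]
             }
             print t, m; exit }'
}

# Live check (not run here): two URLs in one curl process share a connection
# pool, so reuse only happens if the server kept the first socket open.
check_keepalive() {
    curl -sv -o /dev/null "$1" "$1" 2>&1 | keepalive_from_curl_log
}

# The directives that actually control this are server config and
# <VirtualHost> only, so a .htaccess cannot change them; "Header set
# Connection keep-alive" rewrites a response header but does not make httpd
# keep the socket open, and HTTP/2 carries no Connection header at all.
#   KeepAlive On
#   KeepAliveTimeout 5
#   MaxKeepAliveRequests 100

# Constructed curl -v transcript of two requests to a keep-alive host.
SAMPLE_LOG='* Connected to www.example.com (93.184.216.34) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Keep-Alive: timeout=5, max=100
* Connection #0 to host www.example.com left intact
* Re-using existing connection! (#0) with host www.example.com
> GET / HTTP/1.1'

echo "connection: $(printf '%s\n' "$SAMPLE_LOG" | keepalive_from_curl_log)"
echo "timeout/max: $(printf '%s\n' "$SAMPLE_LOG" | sed 's/^< //' | keepalive_params)"
```

If the live check prints "new" while the Keep-Alive header is present, look for a proxy or load balancer in front of httpd closing the connection rather than at the .htaccess.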