I have "Server: Apache" in my HTTP response headers and want to remove it.
I followed instructions like adding this to httpd.conf:
ServerSignature Off
ServerTokens Prod
Header unset Server
But the last line has no effect. First two lines have changed header's content (earlier it contained also information about OS and PHP), but I need to remove it completely.
How to do this?
Apache don't allow you to unset this completely. In fact some of the developers are vehemently against adding this despite it being a simple code change that's been suggested (and even written!) several times. See here and here for just some of the discussions where this has been brought up and rejected.
They give various reasons for this, including:
It might make it more difficult to count the number of Apache installs in the wild. This is, I suspect, the main reason. Web server usage is fiercely contested and one of Apache's rivals (which may or may not begin with an N) regularly posts how it is gaining ground on Apache and most scans will be based on the HTTP Header, so I can understand this reluctance to make it easier to hide this.
Security by obscurity is a myth, and gives a false sense of security as it's easy to fingerprint a server to see which software it likely is, based on how it responds to certain requests. While there is an inkling of truth in that, specifying ServerTokens as Full by default definitely is a security issue leaking far too much information than should be shown by default on a public website.
It may or may not be against the HTTP spec to not supply a server header. This seems to be in some disputes and still doesn't answer why they don't allow you to change it to some random string rather than Apache.
It makes it difficult to debug issues, but you'd think anyone needing to debug would know, or be able to find out, the exact versions.
Proxy servers "might" handle requests differently if they know the server type at the other end. Which is wrong of proxy servers IMHO and I doubt it's done much anymore.
If people really want to amend or hide this header they can edit the source code. Which is, quite frankly, a dangerous recommendation to advise people with no experience of the code to do and could lead to other security issues if they run from a non-packaged version just to add this.
They even goes as far as adding this in the official documentation:
Setting ServerTokens to less than minimal is not recommended because
it makes it more difficult to debug interoperational problems. Also
note that disabling the Server: header does nothing at all to make
your server more secure. The idea of "security through obscurity" is a
myth and leads to a false sense of safety.
That reasoning is, IMHO, ridiculous and, as I say, if that's the main reason to not allow it then I don't see why they don't change their stance. At worse case it doesn't add anything as they say and it stops this whole question being raised every so often though personally I think the less unnecessary information you give out, the better so would prefer to be able to turn this off.
Until that unlikely u-turn, you're left with:
Setting it minimal (so it will show "Apache") - which is probably good enough
Editing the source code - which is overkill except for the most paranoid, and means the same change needs to be applied on each new version.
Installing ModSecurity - which (at least used to) allow you to overwrite (but not remove) this header to whatever you wanted to hide the server software. Probably overkill to install this just for that, though there are other benefits to a WAF.
Proxy Apache behind another web server which allows you to change this field.
Switch to another web server.
It should be noted however, for points 4 and 5, that most other web servers don't allow you to turn this off either so this is not a problem unique to Apache. For example Nginx doesn't allow this to be turned off without similarly editing the source code.
Header retrieval
To get the headers, this seems to work adequately if on the server (all tests done on Ubuntu 14.04 Trusty Tahr):
curl -v http://localhost:80/ | head
which produces something like:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:17:51 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
Removing the version number
To remove the version number, edit the file /etc/apache2/conf-enabled/security.conf and amend the lines:
ServerTokens OS to ServerTokens Prod
ServerSignature On to ServerSignature Off
and restart Apache:
sudo service apache2 restart
You should now get the a response like:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:20:03 GMT
* Server Apache is not blacklisted
< Server: Apache
Removing the word "Apache"
To remove the word Apache completely, first install ModSecurity:
sudo apt-get install libapache2-mod-security2
The following lines appear to not be required (enabling the module and restarting Apache) but for reference:
sudo a2enmod security2
sudo service apache2 restart
Check that the module is enabled:
apachectl -M | grep security
which should show:
security2_module (shared)
Then although you can amend /etc/modsecurity/modsecurity.conf (by renaming modsecurity.conf-recommended), instead amend /etc/apache2/apache.conf which seems easier (note you can use whatever name you want, in this case I've simply used a space):
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
(Using Min rather than Full also prevents modules such as mod_fastcgi appearing after the blank server name.)
Then restart Apache:
sudo service apache2 restart
Final check
Now when you run the command:
curl -v http://localhost:80/ | head
you should get:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server is not blacklisted
< Server:
I AM NOT RESPONSIBLE FOR ANYTHING CAUSED!MAKE SURE YOU FOLLOW THE LICENSE FILE INCLUDED WITH IT!THE FOLLOWING CURRENTLY WORKS FOR APACHE VERSION 2.4.46:
To remove the Server: header completely:
Download the Apache source from https://httpd.apache.org, extract it, and edit it.
Edit the file httpd-2.4.46/server/core.c, and change the following lines:
enum server_token_type {
SrvTk_MAJOR, /* eg: Apache/2 */
SrvTk_MINOR, /* eg. Apache/2.0 */
SrvTk_MINIMAL, /* eg: Apache/2.0.41 */
SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */
SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
SrvTk_PRODUCT_ONLY /* eg: Apache */
};
TO:
enum server_token_type {
SrvTk_MAJOR, /* eg: Apache/2 */
SrvTk_MINOR, /* eg. Apache/2.0 */
SrvTk_MINIMAL, /* eg: Apache/2.0.41 */
SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */
SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
SrvTk_PRODUCT_ONLY, /* eg: Apache */
SrvTk_NONE /* removes Server: header */
};
Change this other line:
if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
}
else if (ap_server_tokens == SrvTk_MINIMAL) {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
}
else if (ap_server_tokens == SrvTk_MINOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
}
else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}
TO:
if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
}
else if (ap_server_tokens == SrvTk_MINIMAL) {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
}
else if (ap_server_tokens == SrvTk_MINOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
}
else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else if (ap_server_tokens == SrvTk_NONE) {
ap_add_version_component(pconf, "");
}
else {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}
And change this:
if (!strcasecmp(arg, "OS")) {
ap_server_tokens = SrvTk_OS;
}
else if (!strcasecmp(arg, "Min") || !strcasecmp(arg, "Minimal")) {
ap_server_tokens = SrvTk_MINIMAL;
}
else if (!strcasecmp(arg, "Major")) {
ap_server_tokens = SrvTk_MAJOR;
}
else if (!strcasecmp(arg, "Minor") ) {
ap_server_tokens = SrvTk_MINOR;
}
else if (!strcasecmp(arg, "Prod") || !strcasecmp(arg, "ProductOnly")) {
ap_server_tokens = SrvTk_PRODUCT_ONLY;
}
else if (!strcasecmp(arg, "Full")) {
ap_server_tokens = SrvTk_FULL;
}
else {
return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', or 'Full'";
}
TO:
if (!strcasecmp(arg, "OS")) {
ap_server_tokens = SrvTk_OS;
}
else if (!strcasecmp(arg, "Min") || !strcasecmp(arg, "Minimal")) {
ap_server_tokens = SrvTk_MINIMAL;
}
else if (!strcasecmp(arg, "Major")) {
ap_server_tokens = SrvTk_MAJOR;
}
else if (!strcasecmp(arg, "Minor") ) {
ap_server_tokens = SrvTk_MINOR;
}
else if (!strcasecmp(arg, "Prod") || !strcasecmp(arg, "ProductOnly")) {
ap_server_tokens = SrvTk_PRODUCT_ONLY;
}
else if (!strcasecmp(arg, "Full")) {
ap_server_tokens = SrvTk_FULL;
}
else if (!strcasecmp(arg, "None")) {
ap_server_tokens = SrvTk_NONE;
}
else {
return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', 'Full' or 'None'";
}
Compile Apache from the source you have modified. See: http://httpd.apache.org/docs/current/install.html
Set the following in httpd.conf:
ServerSignature Off
ServerTokens None
OR:
Download the Apache source from https://httpd.apache.org, extract it, and edit it.
Edit the file httpd-2.4.46/server/core.c, and change the following:
if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
}
else if (ap_server_tokens == SrvTk_MINIMAL) {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
}
else if (ap_server_tokens == SrvTk_MINOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
}
else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}
TO:
if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
}
else if (ap_server_tokens == SrvTk_MINIMAL) {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
}
else if (ap_server_tokens == SrvTk_MINOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
}
else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else {
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}
ap_add_version_component(pconf, "");
So, if you change your mind, you could just set ServerTokens to Prod or something else... And the header will be back. Change to None again, it is gone :)
I know this is a late answer. But, still it can help a lot!
This aproach:
Header always set "Server" "Generic Web Server"
Only works for 2XX responses. If you have a rewrite rule with a redirection, it's ignored and returns the value set by ServerTokens option.
Finally I've modified the variable it's defining product name in include/ap_release.h. More simple and it can be done with a single sed:
sed 's/AP_SERVER_BASEPRODUCT\ "Apache"/AP_SERVER_BASEPRODUCT\ "Generic Web Server"/' include/ap_release.h
If the need is simply hide the information regarding which web-server is running, you can try to add the following row in the configuration file:
Header set "Server" "Generic Web Server".
You probably haven't enabled mod_headers.
Check if it's enabled:
root#host: a2query -m headers
If mod headersis enabled output should be something like headers (enabled by ...).
If it's not enabled activate the module by using:
a2enmod headers
Related
I'm using varnish-3.0.6-1 on one host and tomcat8 on another.
Tomcat is running fine but for some reason I can't get varnish backend to be healthy.
Here's my config:
probe healthcheck {
.url = "/openam/";
.timeout = 3 s;
.interval = 10 s;
.window = 3;
.threshold = 2;
.expected_response = 302;
}
backend am {
.host = "<INTERNAL-IP>";
.port = "8090";
.probe = healthcheck;
}
sub vcl_recv {
if (req.request == "PURGE") {
if (!client.ip ~ purgers) {
error 405 "You are not permitted to PURGE";
}
return(lookup);
}
else if (req.http.host == "bla.domain.com" || req.http.host == "<EXTERNAL-IP>") {
set req.backend = am;
}
else if (req.url ~ "\.(ico|gif|jpe?g|png|bmp|swf|js)$") {
unset req.http.cookie;
set req.backend = lighttpds;
}
else {
set req.backend = apaches;
}
}
It always shows:
Backend_health - am Still sick 4--X-R- 0 2 3 0.001956 0.000000 HTTP/1.1 302
telnet works fine to that host, the only thing that I can't figure it out is that curl returns 302 and that's because main page under 'openam' on tomcat redirects to another page.
$ curl -I http://<INTERNAL-IP>:8090/openam/
HTTP/1.1 302
Location: http://<INTERNAL-IP>:8090/openam/config/options.htm
Transfer-Encoding: chunked
Date: Tue, 12 Sep 2017 15:00:24 GMT
Is there a way to fix that problem?
Any advice appreciated,
Thanks
Based on the information provided, you're hitting on this bug of Varnish 3.
The reporter had 3.0.7 and that's the only one available now in packaged releases so you will likely have to build from sources.
So considering that, and Varnish 3 being quite old, I would rather recommend to upgrade to newer Varnish 4 or 5. (It's always easier to rewrite a few lines of VCL than maintaining something that was compiled from sources and the hassle associated with making sure it's always up-to-date).
Another obvious solution would be adjusting your app to send HTTP reason along the code, or perhaps point to the final redirect location which might (or not) already provide reason in HTTP status.
Check whether curl -IL http://<INTERNAL-IP>:8090/openam/config/options.htm provides a reason in the output.
If it's something like HTTP/1.1 200 OK and not just HTTP/1.1 200 then simply update your health check to that URL (naturally adjust expected response code as well).
I am trying to use std.ip which is a part of varnish 4.0 to to return the client IP which should be the first valid IP address in the X-Forwarded-For header, if the example in the documentation is correct.
varnishtest "Test v4 vcl X-Forwarded-For Header logic"
server s1 {
rxreq
expect req.http.X-Real-IP == "2.1.1.1"
expect req.http.X-Forwarded-For == "2.1.1.1, 3.3.3.3, 3.3.3.3, 127.0.0.1"
txresp
} -start
varnish v1 -vcl+backend {
sub vcl_recv {
set req.http.X-Real-IP = std.ip(req.http.X-Forwarded-For, "0.0.0.0");
}
} -start
client c1 {
txreq -url "/" -hdr "X-Forwarded-For: 2.1.1.1, 3.3.3.3, 3.3.3.3"
rxresp
}
client c1 -run
The above dies an ugly death:
...
*** v1 0.9 debug| Assert error in vwk_thread(), waiter/cache_waiter_kqueue.c line 115:\n
*** v1 0.9 debug| Condition(read(vwk->pipe[0], &c, 1) == 1) not true.\n
...
And does not behave as I would want by returning the first IP address.
Updated
Alternatively I have found that the following does work for the same purposes, But still could not get std.ip to work:
varnish v1 -vcl+backend {
sub vcl_recv {
set req.http.X-Real-IP = regsub(req.http.X-Forwarded-For, "\s*,.*$", "");
}
} -start
As a follow up question. This vcl_recv{...} logic actually lives in my default.vcl file, where all my backends, probes are defined. But when I try to test that code by including into a varnishtest file as follows:
varnish v1 -vcl+backend {
include "/path/to/file.vcl";
} -start
The test does not get the expect statements in the server s1. If someone could give some clarity on the following I'd be much ablighed:
Why does std.ip(req.http.X-Forwarded-For, "0.0.0.0") not behave as expected?
How can I test an included default.vcl with expect statements in the set server s1?
Thank you.
You need to add the line
import std;
at the top of your vcl file
I'm implementing Varnish (4.0) for a server with lots (1000+) of named virtual hosts (on Apache), from which most of them point to the same IP- and web. I get Varnish to work fine with:
backend default {
.host = "127.0.0.1";
.port = "80";
}
sub vcl_recv {
if (req.http.host ~ "^www.domain1.de(:[0-9]+)?$") {
set req.http.host = "www.domain1.de";
} else if (req.http.host ~ "^www.domain2.de(:[0-9]+)?$") {
set req.http.host = "www.domain2.de";
}
....
....
set req.backend_hint = default;
}
but, to do this for 1000+ domains seems a bit odd. I don't need any special configuration for the sites, they have all the same backend.
If I don't add any specific configuration, I only get to the standard website (no matter what domain I enter).
Any hint on how to solve that?
Thanks!
If you wish to remove the port name for example, or need to do some changes in general to the req.http.host you can use the regsub() method in your varnish VCL:
set req.http.host = regsub(req.http.host , "(.*)(:[0-9]+|)" , "\1" );
This example removes the port number if present.
Please set up the regexp according to your needs as your question does not really state what you are trying to achieve.
Note that you can invoke the replacement strings via \N and not as $1 as some man pages suggest. (A bug has already been filed to address this issue.)
And for last a nice Varnish regexp cheat-sheet:
http://kly.no/varnish/regex.txt
I am trying to debug a problem that occured after an apache upgrade. I want to integrate redmine into my apache authentification/access control.
Here is my apache config:
<Location "/git/">
AuthType Basic
AuthName "Git Access"
Require valid-user
Order deny,allow
Allow from all
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
...
And this is the access/authen handler:
sub access_handler {
my $r = shift;
unless ($r->some_auth_required) {
$r->log_reason("No authentication has been configured");
return FORBIDDEN;
}
return OK unless request_is_read_only($r);
my $project_id = get_project_identifier($r);
$r->log_error("Setting Auth to OK") if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
$r->log_error("Content: " . $r->get_handlers("PerlAuthenHandler"));
$r->set_handlers(PerlAuthenHandler => [\&ok_authen_handler])
if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
return OK
}
sub ok_authen_handler {
my $r = shift;
$r->log_error("ok_authen_handler()...");
my ($res, $redmine_pass) = $r->get_basic_auth_pw();
return OK;
}
sub authen_handler {
my $r = shift;
$r->log_error("authen_handler() ...");
my ($res, $redmine_pass) = $r->get_basic_auth_pw();
return $res unless $res == OK;
if (is_member($r->user, $redmine_pass, $r)) {
$r->log_error("Auth succeeded");
return OK;
} else {
$r->log_error("Auth failed...");
$r->note_auth_failure();
return DECLINED;
}
}
As you can see, the access handler resets the auth handler to some dummy method in case the authentication is not needed. In theory, this allows for selective anonymous access.
In practice, though apache 2.4 yields an error:
AH00027: No authentication done but request not allowed without authentication for $PATH. Authentication not configured?
I already nailed the problem to the hack in the access handler, if I uncomment the set_handlers statement, I can authenticate against redmine. So I guess there is something wrong in this "hack". Unfortunately I am not really a perl guy, so I have no idea how to investigate the issue any further.
Is there any way to figure out what is the important difference between the "hacked" control flow (i.e. setting the auth handler programmatically) and the normal one?
A little bit dirty workaround is to always set the "user" (REMOTE_USER) variable even in anonymous mode, so "Require valid-user" seems happy,
$r->user("");
return Apache2::Const::OK;
We had this problem to implement lazy authentication (Shibboleth style).
I recently upgraded from 2.3 to 2.5.1. Now i get the same strange behavior as long as the project is public. I have some projects, where others need access without registration on the redmine site. So i need a quick solution. But i have also no idea how to solve it. Therefore i created a bug report at the redmine project side:
http://www.redmine.org/issues/16948
I am trying to get WebSocket running on an Apache server with the help of pywebsocket.
The server is now setup and I am able to make a Websocket connection through Chrome. However, when I try to make a connection through Safari I am getting a "Unexpected response code: 404" and it doesn't appear that the WebSocket connection is able to be established with the server.
Any pointers here would be appreciated. Below is the client side JS code I am invoking to make a connection and the safari header tags vs the Chrome header tags.
function connect() {
if ('WebSocket' in window) {
socket = new WebSocket("ws://localhost/mystream");
} else if ('MozWebSocket' in window) {
socket = new MozWebSocket("ws://localhost/mystream");
} else {
return;
}
socket.onopen = function () {
showResult('Opened');
};
socket.onmessage = function (event) {
showResult(event.data);
};
socket.onerror = function () {
showResult('Error in connection');
};
socket.onclose = function (event) {
var logMessage = 'Closed (';
if ((arguments.length == 1) && ('CloseEvent' in window) && (event instanceof CloseEvent)) {
logMessage += 'wasClean = ' + event.wasClean;
if ('code' in event) {
logMessage += ', code = ' + event.code;
}
if ('reason' in event) {
logMessage += ', reason = ' + event.reason;
}
} else {
logMessage += 'CloseEvent is not available';
}
showResult(logMessage + ')');
};
showResult('Successfully Connected ');
}
Safari Headers :
Origin: http://192.168.1.8
Sec-WebSocket-Key1: 26 ~ 5 75G3 36< 0 U8T
Connection: Upgrade
Host: localhost
Sec-WebSocket-Key2: 1<A 9 4 4l865P5/6L5
Upgrade: WebSocket
Chrome Headers :
Connection:Upgrade
Host:localhost
Origin:http://192.168.1.8
Sec-WebSocket-Key:IAkX9XGWsCZHPQepzYjwxA==
Sec-WebSocket-Version:13
Upgrade:websocket
(Key3):00:00:00:00:00:00:00:00
Managed to get it working now. Safari (5.1) and mobile safari both require the Hixie-75 flag which has experimental support in pywebsockets. The issue was with the entry in the apache conf file, the entry is supposed to be in all lowercase (i.e on) but the sample entry had it in CamelCase (On) . Reverting to all lowercase has solved the issue.
Updated
Those Safari headers are for an older revision of the protocol: Hixie-76. Hixie-76 is a lot less friendly to integration with web servers because there is special data (key3) sent after the headers. I suspect Safari will be updated to the newer version of the protocol (HyBi) in the next release or two.
The HyBi-76 handshake happens in handshake/hybi00.py You might try adding some debug to try and figure out where it is failing. In particular make sure that _get_challenge is actually getting the final 8 bytes (key3) of the challenge that are sent after the headers (this is the part that makes it complicated to handle Hixie-76 in a web server).