Disable X-Powered-By in JBOSS AS 7.1.1 Final - apache

I want to remove Server Apache-Coyote/1.1 and X-Powered-By JSP/2.2 from the response headers in JBoss AS 7.1.1 Final. I tried a lot but could not find anything.
What I tried is:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
        <static-resources listings="true"/>
        <jsp-configuration development="true" x-powered-by="false" display-source-fragment="false"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
but this is not working; the same response headers are still coming.
Please help me.

To modify Server header you can use the system property:
org.apache.coyote.http11.Http11Protocol.SERVER
Eg:
<system-properties>
    <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value="myserver"/>
</system-properties>
As for the X-Powered-By header, there is a known issue in 7.1.1: the jsp-configuration element is not properly processed by the server, so none of the configured settings are applied. See "jsp configuration is ignored".
It was fixed in version 7.1.2; you can download and compile that version or, even better, upgrade to WildFly 8.x.
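An added example (not from the original answer): because 7.1.1 ignores jsp-configuration, the setting alone proves nothing, so this Python check pairs a configuration audit with a look at a captured response head. The function names and sample strings are constructed for illustration, and the Undertow branch goes beyond this answer to cover the response-header filters WildFly 8+ uses.

```python
import xml.etree.ElementTree as ET
SERVER_PROP = "org.apache.coyote.http11.Http11Protocol.SERVER"  # from the answer above
BANNER_HEADERS = {"server", "x-powered-by"}

def audit_config(xml_text):
    """Return (header, reason) pairs for settings that leave a banner header on."""
    root = ET.fromstring(xml_text)
    props = {p.get("name") for p in root.findall(".//{*}property")}
    findings = []
    for sub in root.findall(".//{*}subsystem"):
        ns = sub.tag[1:].partition("}")[0] if sub.tag.startswith("{") else ""
        if ns.startswith("urn:jboss:domain:web:"):  # JBoss Web, AS 7
            if SERVER_PROP not in props:
                findings.append(("Server", "override property not set"))
            jsp = sub.find(".//{*}jsp-configuration")
            if jsp is None or jsp.get("x-powered-by") != "false":
                findings.append(("X-Powered-By", "x-powered-by is not false"))
        elif ns.startswith("urn:jboss:domain:undertow:"):  # WildFly 8+
            # A response-header filter only applies where a filter-ref names it.
            used = {r.get("name") for r in sub.findall(".//{*}filter-ref")}
            for f in sub.findall(".//{*}response-header"):
                if f.get("name") in used and f.get("header-name", "").lower() in BANNER_HEADERS:
                    findings.append((f.get("header-name"), f.get("header-value")))
    return findings

def leaked_banners(raw_headers):
    """Banner headers actually present in a captured response head."""
    found = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in BANNER_HEADERS:
            found[name.strip()] = value.strip()
    return found

# Constructed samples: the question's AS 7 settings, and the headers it reports.
AS7_CONFIG = """<server><profile>
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
  <configuration><jsp-configuration x-powered-by="false"/></configuration>
</subsystem></profile></server>"""
AS7_RESPONSE = "HTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nX-Powered-By: JSP/2.2\n"
UNDERTOW_CONFIG = """<server><subsystem xmlns="urn:jboss:domain:undertow:1.0">
  <server name="default-server"><host name="default-host"><filter-ref name="server-header"/></host></server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
  </filters></subsystem></server>"""

if __name__ == "__main__":
    print(audit_config(AS7_CONFIG), leaked_banners(AS7_RESPONSE), audit_config(UNDERTOW_CONFIG))
```

On the AS 7 sample the audit reports only the missing Server override, while the captured response still carries X-Powered-By, which is the mismatch the known issue produces.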

Related

How to verify wildfly web server is using added keystore file for https connection?

I have created a self-signed certificate (public_certificate.crt) and a private key file (private_key.pem), and these are stored in the keystore file keystore.jks.
I have configured the same keystore.jks file in the standalone.xml file of WildFly 10 in two sections:
Section 1:
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" />
        </ssl>
    </server-identities>
</security-realm>
Section 2:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
I have restarted the server; now when I access the WildFly URL (https://localhost:8443), it shows as "Not Secure" in the browser URL section of Chrome.
I have two questions related to it:
1. With or without configuring the standalone.xml file with our keystore, Chrome shows "Not Secure" in the browser URL section. It might be because I am using a self-signed certificate. But my question is: how will I know that my self-signed certificate is being used by WildFly?
2. Is there any way to avoid the "Not Secure" warning so that the "Lock" symbol is shown in the browser for a self-signed certificate?
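An added example, not part of the original question: one way to tell which certificate the HTTPS listener presents is to compare SHA-256 fingerprints of the served certificate and the one that was put into the keystore. The function names are hypothetical, public_certificate.crt is assumed to be PEM-encoded, and the two sample values are constructed byte strings rather than real certificates.

```python
import hashlib
import ssl

def sha256_fingerprint(pem):
    """SHA-256 of the certificate's DER bytes as colon-separated upper-case hex
    (the layout `keytool -list -v` prints), so the values can be compared by eye."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_certificate(host, port):
    """Fetch the leaf certificate the listener presents, as PEM.
    No chain validation happens here: a self-signed certificate would fail it,
    and identity is decided by the fingerprint comparison instead."""
    return ssl.get_server_certificate((host, port))

def same_certificate(served_pem, expected_pem):
    """True only if the listener serves exactly the expected certificate."""
    return sha256_fingerprint(served_pem) == sha256_fingerprint(expected_pem)

# Constructed stand-ins for two different certificates (arbitrary bytes, not
# real X.509), enough to exercise the comparison without a server.
SAMPLE_MINE = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
SAMPLE_OTHER = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")

if __name__ == "__main__":
    # File name, host and port are the ones from the question; the file is
    # assumed to hold a single PEM certificate.
    with open("public_certificate.crt") as fh:
        expected = fh.read()
    served = served_certificate("localhost", 8443)
    print("expected:", sha256_fingerprint(expected))
    print("served:  ", sha256_fingerprint(served))
    print("listener serves this certificate:", same_certificate(served, expected))
```

A mismatch means the listener is presenting some other certificate than the one in public_certificate.crt, regardless of what the browser warning says.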

Accessing Multiple web applications on Jboss7 or Wildfly

I know we can deploy multiple web applications on JBoss 7 or Wildfly. But how can we access different web application with a different port? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="server1">
        <http-listener name="default" socket-binding="http-server1"/>
        <host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
        </host>
    </server>
    <server name="server2">
        <http-listener name="default" socket-binding="http-server2"/>
        <host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
        </host>
    </server>
    <!-- Other Settings -->
</subsystem>
For the socketbinding:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http-server1" port="${jboss.http.port:8080}"/>
    <socket-binding name="http-server2" port="${jboss.http.port:8081}"/>
    <!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
    <deployment name="webapp1" runtime-name="webapp1.war">
        <fs-archive path="/path/to/webapp1.war" />
    </deployment>
    <deployment name="webapp2" runtime-name="webapp2.war">
        <fs-archive path="/path/to/webapp2.war" />
    </deployment>
</deployments>

gzip Cannot enable in Wildfly 8?

I want to enable gzip compression in wildfly server. I used the following tutorial. Tutorial
This is the gzip enabling code I included in the standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:1.0">
    <buffer-caches>
        <buffer-cache name="default" buffer-size="1024" buffers-per-region="1024" max-regions="10"/>
    </buffer-caches>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content" />
            <filter-ref name="gzipFilter" predicate="path-suffix['.css'] or path-suffix['.js']" />
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default" default-buffer-cache="default" stack-trace-on-error="local-only">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content" directory-listing="true"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
        <gzip name="gzipFilter"/>
    </filters>
</subsystem>
When I used this code on Ubuntu 14.04.1 LTS, it works perfectly. But when I installed the application on CentOS Linux release 7.0.1406, it doesn't work. I used the same settings, but I could not figure out the problem so far. I would be very grateful if someone could provide a valuable idea.
I recommend you test an upgrade to WildFly 8.2.
It has the new Undertow 1.1.0 integrated, which has solved a couple of issues around filters.
I assume your issue is also this:
UNDERTOW-331

How to Change SSL Version for HTTPS Connections in JBoss EAP 6.1

I have a simple HTTPS connector configured on my JBoss EAP 6.1 server for SSL connections to a bunch of RESTful web services I am working on. I am not sure if JBoss EAP 6.1 comes with TLS 1.2 (or SSL 3.2, since I believe TLS is really just later versions of SSL), but I want to use that version of TLS or later.
What is the default SSL version of JBoss EAP 6.1, if my standalone.xml file tags that handle this connector look like this?
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" key-alias="localhost" password="something" certificate-key-file="${jboss.server.config.dir}/localhost.jks"/>
</connector>
There is no SSL version information given in the standalone.xml entry above, as you can see, so I've no idea.
I have read on the JBoss community web site that you can add something like sslProtocol="TLS" in the <connector> tag, and protocol="TLSv2" in the <ssl> tag, but is that really all there is to it?
i.e.
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" sslProtocol="TLS">
    <ssl name="https" key-alias="localhost" password="something" certificate-key-file="${jboss.server.config.dir}/localhost.jks" protocol="TLSv2" />
</connector>
Will the above work, and if so, how can I tell?
According to the Red Hat documentation for EAP 6.1:
protocol
The version of the SSL protocol to use. Supported values include SSLv2, SSLv3, TLSv1, SSLv2+SSLv3, and ALL. The default is ALL.
Adding sslProtocol="TLS" and protocol="TLSv2" should work fine. Not to sound condescending, but the easiest way to see if it works is by testing it.
If this question did get moved to another SE site could you please provide the link?

Enabling JBoss AS 7 Directory Listings

I have the following directory structure deployed to JBoss AS 7.1.1.Final (under standalone/deployments):
doc.war
-> module1
-> index.html
-> module2
-> index.html
As you can see, there's no index.html under doc.war. When I browse to localhost:8080/doc/module1/, the correct index.html is displayed, but when I browse to localhost:8080/doc/, JBoss shows an error message (404 - The requested resource is not available).
I think this is related to the fact that directory listings are turned off by default in JBoss AS 7. How can I enable directory listings, either globally or more specifically for this one application?
Edit
Based on Mukul Goel's answer, I ran the CLI command to add the static-resources feature, restarted the server and retried the request, but it didn't work.
Here's the relevant snippet from the standalone.xml file. Please note that I have the native connector enabled.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="true">
    <configuration>
        <static-resources listings="true"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
Here's the error message that JBoss is showing:
Update
So the conclusion to this seems to be that there is an issue with the official JBoss 7.1.1.Final (http://www.jboss.org/jbossas/downloads) download. I didn't manage to get Directory Listings working with this version. Trying a later version (from the JBoss CI server at https://ci.jboss.org/jenkins/job/JBoss-AS-7.x-latest/), I was able to see the directory listings after applying the config change that Mukul Goel had suggested below.
A potential source of this issue could be the version of JBossWeb that is used in JBoss. The official 7.1.1.Final bundles JBossWeb 7.0.13. Mukul (see below) was able to get it working running a version of JBoss that bundles JBossWeb 7.0.16.
I'm accepting Mukul Goel's answer as solving this issue, but be aware that it will probably not work with the official 7.1.1.Final download.
Yes you are right, directory listings are by default disabled (a security measure)
To enable directory listing in JBOSS
Try running the following CLI command to enable directory listing:
In Domain Mode
/profile=full/subsystem=web/configuration=static-resources/:write-attribute(name=listings,value=true)
In Standalone Mode
/subsystem=web/configuration=static-resources/:write-attribute(name=listings,value=true)
It will generate following kind of configuration :
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
        <static-resources listings="true"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
UPDATE:
Tried it myself, as the user is facing problems.
Ran the CLI command for standalone mode.
This was generated; note that native is disabled, and also there is no HTTPS connector generated for me. (Don't know why it is showing enabled for you. Are you using OpenSSL somewhere?)
I created a sample web project (a client-side project) with two HTML files, published it to JBoss and hit the URL
http://localhost:8080/sample/
and this is the screenshot of the directory listing
The command worked for me, so it does turn on directory listing on JBoss AS 7.1.1.Final (I am also using the same version).
So the question comes down to the rest of your server configuration, your application structure, the technologies you are using (Spring, etc.), and also whether you are using some SSL library.
UPDATE 2
Suggested a fresh download and reconfiguring the environment.
nwinkler was still facing issues even with a fresh distribution (JBossWeb 7.0.13), so I suggested taking nightly builds from
ci.jboss.org/jenkins/job/JBoss-AS-7.x-latest
Just go to the link and download what's under the last successful artifact.
And the problem was resolved. Looks like some bug with JBossWeb 7.0.13.
Do go through the comments; the discussion might be helpful.