[SATLUG] Question Regarding http Headers

Donald L Wilcox dwilcox at neonnightrider.com
Mon Feb 4 12:14:56 CST 2013


If I remember correctly, Debian-based distros always use apache2.conf as the config file. I have recent versions of rpm-based distros (e.g. Fedora, RHEL, CentOS) that use httpd.conf.

Also, I think I used ServerSignature and ServerTokens in .htaccess, so that'll also work if you only want to obfuscate at the vhost level.

__________________________________________________________________
Donald Wilcox        Web: http://www.neonnightrider.com
San Antonio, TX LinkedIn: http://www.linkedin.com/in/donaldwilcoxjr
__________________________________________________________________

-----Original Message-----
From: "Wes Henderson" <whendersonii at gmail.com>
Sent: Sunday, February 3, 2013 20:46
To: "The San Antonio Linux User's Group Mailing List" <satlug at satlug.org>
Subject: Re: [SATLUG] Question Regarding http Headers

Thank you very much for the feedback; the article made for a nice read,
although it also referenced the httpd.conf file. I have since found the
solution and I thought I would share in case anyone else is interested.

It seems that the apache2.conf file has replaced the httpd.conf file as the
primary configuration file for apache2 (source:
https://help.ubuntu.com/10.04/serverguide/httpd.html); however, the
apache2.conf file does not have the option to obfuscate the server info.
The option is now located at /etc/apache2/conf.d/security (source:
http://serverfault.com/questions/430974/ubuntu-apache-httpd-conf-or-apache2-conf).
Simply changing the 'ServerTokens' parameter to 'Prod' will obfuscate the
HTTP header, and changing the 'ServerSignature' parameter to 'Off' will
remove the server info from 404 error pages (source:
http://www.petefreitag.com/item/505.cfm). FYI, that last link is an awesome
read.

I used '$ curl -I <URL>' to view the HTTP header information, and changing
the 'ServerTokens' field to 'Prod' changed my HTTP header from 'Server:
Apache/2.2.22 (Ubuntu)' to 'Server: Apache'.

Thank you again for the excellent feedback and I hope that this information
can help someone else.


On Sat, Feb 2, 2013 at 12:32 PM, Mark Mayfield <mayfield_mark at gvtc.com> wrote:

> If you mean removing the apache and version info from the response
> headers, I looked into that a while back. The information I found stated
> that that web server information is an important part of the proper
> functioning of the web server and that it is not a proper practice to
> remove. I found some information about modifying the appropriate sections
> of code and recompiling Apache, but I don't believe the versions of Apache
> that ship with distros or come in the repositories will support removing
> that info from the headers.
>
> If you look at the following link you'll notice that you are instructed to
> modify the source code to achieve the result. This was just a quick google
> search, I remember finding something on the official apache site to the
> same effect.
>
> http://www.dsm.fordham.edu/~mathai/apache.html
>
>
>
> On 02/02/2013 12:05 PM, Wes Henderson wrote:
>
>> Hey guys, I have a quick question that I was hoping someone could help
>> with. I am running a webserver with apache v2.2.22 utilizing virtual hosts
>> on Mint and I was hoping to obfuscate the http header information. All of
>> my searches this morning pointed to the .htaccess file and the httpd.conf
>> file; neither of which appear to be in use on my version of apache. Any
>> help getting pointed to the right direction would be greatly appreciated.
>> Thanks in advance.
>>
>
> --
> _______________________________________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
> Powered by Rackspace (www.rackspace.com)
>



-- 
*Wes Henderson*
IT Consultant
Email: whendersonii at gmail.com

Find me on my website: weshenderson.info
And elsewhere -
     Google+ <https://plus.google.com/u/0/118217301983867537201/posts>
     Linkedin <http://www.linkedin.com/pub/wes-henderson/41/3b7/a96>
     Twitter <https://twitter.com/intent/tweet?screen_name=whendersonii>

"Unix is simple, but it takes a genius to understand the simplicity." -
Dennis Ritchie
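As an added example (not from the thread, and not Apache's own tooling), the following POSIX shell script checks for the two leaks the thread discusses from captured text, so it runs offline: the Server: header that ServerTokens controls and the footer that ServerSignature controls on error pages. The header and 404-body samples are constructed to mirror the before/after 'curl -I' output Wes reported; the hostname www.example.com, the Date value and the function names (server_header, server_tokens_level, signature_present, audit) are this example's own. It also generalises the header check to the other ServerTokens levels (Major, Minor, Min, OS, Full), which the thread only touches on through the Prod setting.

```shell
#!/bin/sh
# Added example, not from the SATLUG thread: audit the Server: header
# (governed by ServerTokens) and the error-page footer (governed by
# ServerSignature) from captured text, so nothing here touches the network.

# Constructed: headers before hardening, i.e. the thread's 'Server: Apache/2.2.22 (Ubuntu)'.
HEADERS_BEFORE='HTTP/1.1 200 OK
Date: Sun, 03 Feb 2013 20:46:00 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html'

# Constructed: headers after 'ServerTokens Prod', i.e. the thread's 'Server: Apache'.
HEADERS_AFTER='HTTP/1.1 200 OK
Date: Sun, 03 Feb 2013 20:46:00 GMT
Server: Apache
Content-Type: text/html'

# Constructed: a 404 body with the footer Apache adds while ServerSignature is On
# (an <address> element ending in "Server at <host> Port <n>"); host is made up.
BODY_BEFORE='<html><body><h1>Not Found</h1>
<address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 80</address>
</body></html>'

# Constructed: the same 404 body after 'ServerSignature Off'.
BODY_AFTER='<html><body><h1>Not Found</h1>
</body></html>'

# server_header: print the value of the first Server: header read on stdin.
# Header names are case-insensitive and curl output carries CRLF, so \r is stripped.
server_header() {
    tr -d '\r' | grep -i '^Server:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# server_tokens_level: map a Server: value to the ServerTokens level that produces
# that shape (Prod, Major, Minor, Min, OS, Full). Anything else reports Unknown.
server_tokens_level() {
    case "$1" in
        Apache)                            echo Prod ;;    # "Apache"
        Apache/*"("*")"*[![:space:]]*)     echo Full ;;    # "Apache/2.2.22 (Ubuntu) mod_ssl/..."
        Apache/*"("*")")                   echo OS ;;      # "Apache/2.2.22 (Ubuntu)"
        Apache/*.*.*)                      echo Min ;;     # "Apache/2.2.22"
        Apache/*.*)                        echo Minor ;;   # "Apache/2.2"
        Apache/*)                          echo Major ;;   # "Apache/2"
        *)                                 echo Unknown ;;
    esac
}

# signature_present: exit 0 when a response body on stdin still carries the
# ServerSignature footer, 1 otherwise.
signature_present() {
    grep -qi '<address>.*Server at .* Port [0-9]*</address>'
}

# audit: one PASS/FAIL line per check; returns 0 only when both checks pass.
audit() {
    headers="$1"; body="$2"; status=0
    level=$(server_tokens_level "$(printf '%s\n' "$headers" | server_header)")
    if [ "$level" = Prod ]; then
        echo "PASS ServerTokens: Server header reveals no version (level $level)"
    else
        echo "FAIL ServerTokens: Server header reveals more than the product name (level $level)"
        status=1
    fi
    if printf '%s\n' "$body" | signature_present; then
        echo "FAIL ServerSignature: footer still present on error page"
        status=1
    else
        echo "PASS ServerSignature: no footer on error page"
    fi
    return $status
}

# Run both constructed states; against a live host the blobs would come from
# curl -sI "$URL" and curl -s "$URL/does-not-exist" instead.
audit "$HEADERS_BEFORE" "$BODY_BEFORE" || echo "before hardening: leaks found"
audit "$HEADERS_AFTER"  "$BODY_AFTER"  && echo "after hardening: clean"
```

The level mapping is a heuristic on the header's shape, so a host fronted by a proxy or running something other than Apache reports FAIL with level Unknown rather than a false PASS; the ServerSignature check is the one the thread's curl -I command cannot do on its own, because the footer lives in the error-page body, not the headers.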