[SATLUG] Question Regarding http Headers

Wes Henderson whendersonii at gmail.com
Mon Feb 4 12:38:23 CST 2013


I currently use the .htaccess for the sole purpose of securing certain
pages with user authentication; I could have used the .htaccess files for
the obfuscation as well, but it just did not make sense to me. If I did
that then I would have to adjust the .htaccess file for each virtual host;
I cannot think of a scenario where I would want the server info hidden for
host A but not host B.

You may very well be right on the Debian distros as they do have a few
differences for apache management (namely the ap2enmod/ad2dismod and
ap2ensite/ap2dissite commands). However, I thought that when I ran apache
on Ubuntu 10.04 that I used the httpd.conf file, but I may be wrong. I
definitely remember on 10.04 the service being named httpd as opposed to
apache2. I may throw apache2 on CentOS tonight just to see the differences.

Thanks for the info.


On Mon, Feb 4, 2013 at 12:14 PM, Donald L Wilcox <dwilcox at neonnightrider.com> wrote:

> If I remember correctly, Debian-based distros always use apache2.conf as
> the config file. I have recent versions of rpm-based distros (e.g. Fedora,
> RHEL, CentOS) that use httpd.conf.
>
> Also, I think I used ServerSignature and ServerTokens in .htaccess, so
> that'll also work if you only want to obfuscate at the vhost level.
>
> __________________________________________________________________
> Donald Wilcox        Web: http://www.neonnightrider.com
> San Antonio, TX LinkedIn: http://www.linkedin.com/in/donaldwilcoxjr
> __________________________________________________________________
>
> -----Original Message-----
> From: "Wes Henderson" <whendersonii at gmail.com>
> Sent: Sunday, February 3, 2013 20:46
> To: "The San Antonio Linux User's Group Mailing List" <satlug at satlug.org>
> Subject: Re: [SATLUG] Question Regarding http Headers
>
> Thank you very much for the feedback; the article made for a nice read,
> although it also referenced the httpd.conf file. I have since found the
> solution and I thought I would share in case anyone else is interested.
>
> It seems that the apache2.conf file has replaced the httpd.conf file as the
> primary configuration file for apache2 (source:
> https://help.ubuntu.com/10.04/serverguide/httpd.html); however, the
> apache2.conf file does not have the option to obfuscate the server info.
> The option is now located at /etc/apache2/conf.d/security (source:
> http://serverfault.com/questions/430974/ubuntu-apache-httpd-conf-or-apache2-conf).
> Simply changing the 'ServerTokens' parameter to 'Prod' will obfuscate the
> HTTP header, and changing the 'ServerSignature' parameter to 'Off' will
> remove the server info from 404 error pages (source:
> http://www.petefreitag.com/item/505.cfm). FYI, that last link is an
> awesome read.
>
> I used '$ curl -I <URL>' to view the HTTP header information, and changing
> the 'ServerTokens' field to 'Prod' changed my HTTP header from 'Server:
> Apache/2.2.22 (Ubuntu)' to 'Server: Apache'.
>
> Thank you again for the excellent feedback and I hope that this information
> can help someone else.
>
>
> On Sat, Feb 2, 2013 at 12:32 PM, Mark Mayfield <mayfield_mark at gvtc.com> wrote:
>
> > If you mean removing the apache and version info from the response
> > headers, I looked into that a while back. The information I found stated
> > that that web server information is an important part of the proper
> > functioning of the web server and that it is not a proper practice to
> > remove. I found some information about modifying the appropriate sections
> > of code and recompiling Apache, but I don't believe the versions of Apache
> > that ship with distros or come in the repositories will support removing
> > that info from the headers.
> >
> > If you look at the following link you'll notice that you are instructed to
> > modify the source code to achieve the result. This was just a quick google
> > search, I remember finding something on the official apache site to the
> > same effect.
> >
> > http://www.dsm.fordham.edu/~mathai/apache.html
> >
> >
> >
> > On 02/02/2013 12:05 PM, Wes Henderson wrote:
> >
> >> Hey guys, I have a quick question that I was hoping someone could help
> >> with. I am running a webserver with apache v2.2.22 utilizing virtual hosts
> >> on Mint and I was hoping to obfuscate the http header information. All of
> >> my searches this morning pointed to the .htaccess file and the httpd.conf
> >> file; neither of which appear to be in use on my version of apache. Any
> >> help getting pointed to the right direction would be greatly appreciated.
> >> Thanks in advance.
> >>
> >
> > --
> > _______________________________________________
> > SATLUG mailing list
> > SATLUG at satlug.org
> > http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
> > Powered by Rackspace (www.rackspace.com)
> >



-- 
*Wes Henderson*
IT Consultant
Email: whendersonii at gmail.com

Find me on my website: weshenderson.info
And elsewhere -
     Google+ <https://plus.google.com/u/0/118217301983867537201/posts>
     Linkedin <http://www.linkedin.com/pub/wes-henderson/41/3b7/a96>
     Twitter <https://twitter.com/intent/tweet?screen_name=whendersonii>

"Unix is simple, but it takes a genius to understand the simplicity." -
Dennis Ritchie
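
Added example, not part of the thread: a shell check for the two settings described above (ServerTokens set to Prod, ServerSignature set to Off) and for what `curl -I` then shows in the Server header. The function names, the sample config text and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All sample inputs below are constructed.

# Effective value of a directive in one config file: the last uncommented
# occurrence wins; Apache directive names are case-insensitive.
effective_directive() {  # $1 = directive name, $2 = config file
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print val }' "$2"
}

# Check one file for the two settings discussed in the thread.
# Returns 0 only if ServerTokens is Prod and ServerSignature is not enabled.
audit_conf() {  # $1 = config file
    tokens=$(effective_directive ServerTokens "$1" | tr 'A-Z' 'a-z')
    sig=$(effective_directive ServerSignature "$1" | tr 'A-Z' 'a-z')
    rc=0
    case "$tokens" in
        prod|productonly) ;;
        *) echo "ServerTokens '${tokens:-unset}': header shows more than 'Apache'"; rc=1 ;;
    esac
    case "$sig" in
        on|email) echo "ServerSignature '$sig': error pages carry a server footer"; rc=1 ;;
    esac
    return $rc
}

# Classify the Server header in `curl -sI <URL>` output read from stdin.
classify_server_header() {
    awk '
        BEGIN { r = "absent" }
        tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); sub(/\r$/, "", v)
            r = (v ~ /[0-9(]/) ? "leaks-version" : "product-only"
        }
        END { print r }'
}

# Constructed demo: a default-style file and a hardened one.
demo_dir=$(mktemp -d)
printf 'ServerTokens OS\nServerSignature On\n' > "$demo_dir/before"
printf '#ServerTokens Full\nServerTokens Prod\nServerSignature Off\n' > "$demo_dir/after"
audit_conf "$demo_dir/before" || echo "before: needs changes"
audit_conf "$demo_dir/after" && echo "after: ok"
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n\r\n' | classify_server_header
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n' | classify_server_header
```

Apache's documentation lists the context of ServerTokens as server config only, while ServerSignature is also accepted in virtual host, directory and .htaccess contexts, so the file to audit for ServerTokens is the server-wide one.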

