Substitution of HTTP Server Header for various web servers
Hi, Habrachiteli.
Most (if not all) web servers respond to an HTTP request by default, declare themselves using the Server header, telling at best the name of the software being used, and in the worst case the version, the modules used, etc. They can be conveniently viewed using add-ons such as Server Spy for Mozilla Firefox.
')
But not all of the web servers allow, explicitly, with a single directive to disable this behavior. In my opinion, this is a potential breach safe. This article shows how to disable sending the Server header or change its value to an arbitrary one for Lighttpd, Nginx, Apache, G-WAN servers.
More under the cut.
Lighttpd is the only server listed in the configuration file of which the Server header is substituted. It looks like this:
More than once I met instructions on the Web how to change the Server header in the Nginx web server. Everything is done in the forehead - with the help of the substitution of values in the source code and recompilation. For example www.xakep.ru/post/54168
There is a simpler method. To achieve the result, you can use a combination of HttpHeadersModule and HttpHeadersMoreModule modules, or an even simpler version using one HttpHeadersMoreModule.
Using a combination of the HttpHeadersModule and HttpHeadersMoreModule modules:
Using one HttpHeadersMoreModule:
In the Apache web server, the contents of the Server header are configured using ServerTokens
The default is Full. Displays information like Apache / 2.4.1 (Unix) PHP / 4.2.2 MyMod / 1.2
The minimum to which it can be reduced is Apache. With the help of mod_header I tried to make a configuration similar to Nginx. It did not work - Apache ignores the settings and continues to persistently set the Server value according to ServerTokens and ServerSignature.
I had to put mod_security and add a line to the configuration:
It worked.
In the case of the G-WAN, the config itself does not exist. The C code in the handler looks like this:
The subtleties of G-WAN settings are not the topic of this article, so I don’t go into details.
This article discusses those web servers with which I work, and for testing it was not necessary to install software separately. If, by analogy, you configure any other web server - write, add to the article.
Most (if not all) web servers respond to an HTTP request by default, declare themselves using the Server header, telling at best the name of the software being used, and in the worst case the version, the modules used, etc. They can be conveniently viewed using add-ons such as Server Spy for Mozilla Firefox.
')
But not all of the web servers allow, explicitly, with a single directive to disable this behavior. In my opinion, this is a potential breach safe. This article shows how to disable sending the Server header or change its value to an arbitrary one for Lighttpd, Nginx, Apache, G-WAN servers.
More under the cut.
Lighttpd
Lighttpd is the only server listed in the configuration file of which the Server header is substituted. It looks like this:
server.tag = "gws"Nginx
More than once I met instructions on the Web how to change the Server header in the Nginx web server. Everything is done in the forehead - with the help of the substitution of values in the source code and recompilation. For example www.xakep.ru/post/54168
There is a simpler method. To achieve the result, you can use a combination of HttpHeadersModule and HttpHeadersMoreModule modules, or an even simpler version using one HttpHeadersMoreModule.
Using a combination of the HttpHeadersModule and HttpHeadersMoreModule modules:
# Server
more_clear_headers 'Server';
#
add_header Server gws;Using one HttpHeadersMoreModule:
# HttpHeadersMoreModule
more_set_headers 'Server: my-server';Apache
In the Apache web server, the contents of the Server header are configured using ServerTokens
The default is Full. Displays information like Apache / 2.4.1 (Unix) PHP / 4.2.2 MyMod / 1.2
The minimum to which it can be reduced is Apache. With the help of mod_header I tried to make a configuration similar to Nginx. It did not work - Apache ignores the settings and continues to persistently set the Server value according to ServerTokens and ServerSignature.
I had to put mod_security and add a line to the configuration:
SecServerSignature "gws"It worked.
G-wan
In the case of the G-WAN, the config itself does not exist. The C code in the handler looks like this:
xbuf_xcat(get_reply(argv),
"HTTP/1.1 200 OK\r\n"
"Content-type: text/html\r\n"
"Content-Length: 20\r\n"
"Server: gws\r\n"
"Connection: keep-alive\r\n\r\n"
"Hello, World");
// set the HTTP reply code
int *pHTTP_status = (int*)get_env(argv, HTTP_CODE);
if(pHTTP_status)
*pHTTP_status = 200; // 200:OK
return 2;The subtleties of G-WAN settings are not the topic of this article, so I don’t go into details.
Remarks
This article discusses those web servers with which I work, and for testing it was not necessary to install software separately. If, by analogy, you configure any other web server - write, add to the article.
Source: https://habr.com/ru/post/140734/
All Articles