RE: Trying to modify Server header for apache 2.2.4 but fails (Apache Users)

Thanks a lot to all for the insight. There were some websites which were talking that you CAN do it thru mod_headers , but now it seems you cannot do it.

Soumendu

From: Nir Peled [mailto:nirp@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 9:40 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

Yes, I am sorry, I guess I didn't check it correctly. My apologies.

מאת: Tamer Embaby [mailto:Tamer.Embaby@xxxxxxxxxx]
נשלח: א 01/06/2008 18:40
אל: users@xxxxxxxxxxxxxxxx
נושא: RE: Trying to modify Server header for apache 2.2.4 but fails

Soumendu,

Moreover, you can use mod_security to change it using SecServerSignature

directive.

Tamer

From: Tamer Embaby [mailto:Tamer.Embaby@xxxxxxxxxx]
Sent: Sunday, June 01, 2008 6:31 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

Soumendu,

You cannot achieve that with mod_headers AFAIK. “Server” header is an exception,

you have to change it in code and recompile Apache.

Regards,

Tamer

From: Nir Peled [mailto:nirp@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 4:38 PM
To: Nir Peled; users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

By the way, I see you already tried it, but I just tried it as well, and it really does remove the header, so if it still doesn't work see that you're doing it in the right place.

From: Nir Peled
Sent: Sunday, June 01, 2008 4:37 PM
To: 'users@xxxxxxxxxxxxxxxx'
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

Hi again,

If you really want to use mod_headers for this, I'd suggest the following line:

Header unset Server

Regards,

Nir Peled

From: Soumendu Bhattacharya [mailto:soumendu_bhattacharya@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 4:30 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

Thanks Nir. Now Apache doesn’t reveal everything else , but still says its Apache. I guess this should be fine, but any idea why mod_headers didn’t work ?

Regards

Soumendu

From: Nir Peled [mailto:nirp@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 6:47 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

My bad, it is ServerTokens, not ServerToken.

From: Nir Peled [mailto:nirp@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 4:13 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Trying to modify Server header for apache 2.2.4 but fails

Hi Soumendu,

Did you try setting ServerToken to Prod?

I'm not sure it changes the headers, but it might. Give it a try.

Regards,

Nir

From: Soumendu Bhattacharya [mailto:soumendu_bhattacharya@xxxxxxxxxxxxxxx]
Sent: Sunday, June 01, 2008 4:11 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Trying to modify Server header for apache 2.2.4 but fails

Hi ,

I am trying to modify the Server header (to disable Apache banner information) with mod_headers , but it doesn’t seem to be working.

Header unset Server

Header set Server " Web Server"

If I change it to Server1 , it works , but seems it’s not able to modify the Server header in particular. I have verified the output thru wget & live http headers. Also I am requesting a static image file and it’s not a dynamic content ( I have jboss as my application server , Apache connects thru mod_jk). This image file is not being served by Jboss and is getting served directly by Apache ( I also have mod_cache enabled , but tried clearing the cache , still same result).

Is this a limitation or am I doing something wrong ? Is there any other way to stop apache from revealing its version information ?

Regards

Soumendu