top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Apache: header unset server does not work

+1 vote
524 views

After setting "ServerTokens Prod", I would like to modify or remove the server header that says "Apache" from the response. Reading some googles it says that is not possible with "Header unset server"
as you'd expect from reading
http://httpd.apache.org/docs/current/mod/mod_headers.html

Besides modifying the source, is there some new trick that is supposed to work? I can't seem to read it in the (mod_header) documentation for 2.4.

IBM's version of Apache has a directive AddServerHeader off http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#addserverheader
I am really really curious, why didn't the brilliant IBM Engineers not include that change in the main Apache dev trunk?

posted Jun 11, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

A number of the Apache HTTP Server developers do not want users to be able to suppress the Server header without modifying the source code or adding third-party modules. The issue comes up from time to time and is subject to change.

answer Jun 11, 2013 by anonymous
Similar Questions
+1 vote

I am working on a Ubuntu 10.04 server, on which I installed PHP 5.3, Apache 2 2.2.9. I followed the below steps to do the installation :

  1. I installed apache2 using SUDO APT-GET INSTALL APACHE2

  2. I also installed libapache2 and php using the below commands
    sudo apt-get install php5 libapache2-mod-php5
    sudo apt-get install php5-core

  3. I did redirection to port by configuring the DEFAULT file in /ETC/APACHE2/SITES-AVAILABLE. Redirection happened successfully.

  4. PHP5-curl was installed using
    SUDO APT-GET INSTALL PHP5-CURL

  5. Rewrite mod was enabled in apache2 using
    SUDO A2ENMOD REWRITE and apache2 was restarted.

Now, after following this if I try to access the URL, I get the following message -

 THE REQUESTED URL /.../..../ WAS NOT FOUND ON THIS SERVER.  

But, the same URL is accessed from another system with the same configuration , it works fine.

+1 vote

I have Apache SSL virtuals behind the Nginx proxy defined with this directive:

SetEnvIf X-Forwarded-Proto https HTTPS=on

Users often use the following rewrite rule in their htaccess files for detecting SSL connection, but the variable HTTPS is not treated as expected:

RewriteCond %{HTTPS} =on

Is there any workaround for this? So far, I tried to disable mod_ssl completely and also checked modules hooks and it seems that environment files are loaded before the rewrite module.

+1 vote

Apache/Tomcat (by default) does not allow symbolic linking (nice as it can cross mounted file systems) except in the top apache/lib directory. I use hard links in the Application/WEB-INF/lib directories to reduce copying and help me manage things.

HOWEVER, some applications have special needs - e.g. pictures. You don't want to always distribute these with the release of the application (Application.war file), so symbolic links are the way to go (except for MS land, sorry). The nice solution to this is:

.../webapps/Application/WEB-INF/context.xml
which must contain at least the two below lines:

However this allows ALL symbolic linking in the Application directory. I agree with the developers that this is dangerous.

Is there some way to allow linking in just ONE sub-directory of the Application?
- e.g. .../webapps/Application/images

This would allow all I need to have local images for the application without endangering other things using a symbolic link.

+1 vote

I tried both of the following methods to block an ip address, but neither worked. In .htaccess, I put:

Order Deny,Allow
Deny from 123.123.123.123

and 

RewriteCond %{REMOTE_ADDR} ^123.123.123.123
RewriteRule .* /maintenance.html [R=503,L]

(I do have the mod_rewrite module installed). In both cases, I put the rules at the top of the file so that it would be the first rules executed.

After each one, i did an apachectl stop, then apachectl start. In both cases, when i monitored my site with the server-status module, the ip address was still there, with sometimes more than 30 requests, and all for the same page, which was ..../login.php. And it continued to be there for the next 30 minutes until it just dropped off, but i was doing nothing to stop it at that point.

This method of blocking has worked for me in the past.

Is it possible for someone to bypass my blocking method(s)? Or is there something more I need to do?

+3 votes

How to do apache configuration to work as forward proxy.

...