Sunday, 28 May 2006

ServerTokens

I always set my ServerTokens to Prod[uction] for a touch of “security through obscurity.”

This setting will report just that I'm running Apache, nothing else.

[root@mercury conf]# curl -I localhost
HTTP/1.1 200 OK
Date: Sun, 28 May 2006 20:55:02 GMT
Server: Apache
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "23029d-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

[root@mercury conf]#

Apache 2.2.x has a new conf file layout, sub-dividing functionality into multiple files and Include'ing them into the main configuration file.

To accomplish the same thing in a pre-2.2x build of Apache, you would edit one file, ${APACHE_ROOT}/conf/httpd.conf}. Out of the box 2.2.x looks at multiple files, as noted, and you need to edit two (2) files: ${APACHE_ROOT}/conf/httpd.conf and ${APACHE_ROOT}/conf/extra/httpd-default.conf.

Edit ${APACHE_ROOT}/conf/extra/httpd-default.conf and uncomment ServerTokens Full (set to Full by default), and replace it with: 

ServerTokens Prod

Next, edit ${APACHE_ROOT}/conf/httpd.conf and uncomment the Include directive for ${APACHE_ROOT}/conf/extra/httpd-default.conf, otherwise you will get a “default-default” set of directives and restarting Apache will leave you quizzically wondering why editing ${APACHE_ROOT}/conf/extra/httpd-default.conf didn’t do the trick.

Restart the service—not the server!—and hide behind your new cloak.

The real trick is to hack the source and extend ServerTokens to identify your Apache as IIS, or Tomcat, or…you get the idea. These patches exist on the Internets, and I leave it as an exercise for the reader to implement them as desired.

Posted by caffeinated at 1:28 PM in kaffehaus
Responses (0)

Apache 2.2.2 notes

My toy rig is functioning at previous benchmarks.

I built Apache 2.2.2 with SSL last night. Ran into a hurdle with my original config.nice1 initially:

"./configure" \
"--with-ssl=/usr/include/ssl" \
"--with-mpm=worker" \
"--enable-mods-shared=all" \
"--enable-proxy=shared" \
"--enable-proxy=http=shared" \
"--enable-ssl=shared" \
"$@"

The emphasized line seemed to bomb the build. Not sure right now why it bombed. May or may not look into it…but removing that single line was the antidote to the poison in the Makefile.

[root@mercury apache]# /usr/local/apache/bin/apachectl start
[root@mercury apache]# curl -I localhost
HTTP/1.1 200 OK
Date: Sun, 28 May 2006 18:37:20 GMT
Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.8a DAV/2
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "23029d-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

[root@mercury apache]#

meta-footnote-1=config.nice is a script generated by configure when building most autoconf compatible software. A nice reminder of how one last built Apache if coming back to it for a modification. My original config.nice came from my backup of my last Fedora install (FC4) with Apache 2.0.54. I'll have to check for some hidden incompatibility of the SSL headers that Apache found offensive when specifying the toolkit directory in the configure arguments.
Posted by caffeinated at 9:32 AM in nerdery
Responses (0)
« May »
SunMonTueWedThuFriSat
 123456
78910111213
14151617181920
21222324252627
28293031