Home arrow Apache arrow Page 4 - Server Limits for Apache Security

Changing the Server Header Field - Apache

In this fourth part of a six-part series on Apache installation and configuration, you will learn how to set server configuration limits, prevent information leaks, and more. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Server Limits for Apache Security
  2. Preventing Information Leaks
  3. Changing Web Server Identity
  4. Changing the Server Header Field
By: O'Reilly Media
Rating: starstarstarstarstar / 8
January 17, 2008

print this article



The following sections discuss alternative approaches to changing the web server identity.

Changing the name in the source code

You can make modifications to change the web server identity in two places in the source code. One is in the include file httpd.h in Apache 1 (ap_release.h in Apache 2) where the version macros are defined:

  #define SERVER_BASEVENDOR   "Apache Group"
  #define SERVER_BASEPRODUCT  "Apache"
  #define SERVER_BASEREVISION "1.3.29"

Apache Benchmark recommends that only the value of theSERVER_BASEPRODUCTmacro be changed, allowing the other information such as the version number to remain in the code so it can be used later, for example, for web server version identification (by way of code audit, not from the outside). If you decide to follow this recommendation, theServerTokens directive must be set toProductOnly, as discussed earlier in this chapter.

The reason Apache Benchmark recommends changing just one macro is because some modules (such as mod_ssl) are made to work only with a specific version of the Apache web server. To ensure correct operation, these modules check the Apache version number (contained in theSERVER_BASEVERSIONmacro) and refuse to run if the version number is different from what is expected.

A different approach for changing the name in a source file is to replace theap_set_version()function, which is responsible for construction of the server name in the first place. For Apache 1, replace the existing function (in http_main.c) with one like the following, specifying whatever server name you wish:

  static void ap_set_version(void)
/* set the server name */
/* do not allow other modules to add to it */

For Apache 2, replace the function (defined in core.c):

  static void ap_set_version(apr_pool_t *pconf)
/* set the server name */
ap_add_version_component(pconf, "Microsoft-IIS/5.0");
/* do not allow other modules to add to it */

Changing the name using mod_security

Changing the source code can be tiresome, especially if it is done repeatedly. A different approach to changing the name of the server is to use a third-party module, mod_security (described in detail in Chapter 12). For this approach to work, we must allow Apache to reveal its full identity, and then instruct mod_security to change the identity to something else. The following directives can be added to Apache configuration:

  # Reveal full identity (standard Apache directive)
  ServerTokens Full
  # Replace the server name (mod_security directive)
  SecServerSignature "Microsoft-IIS/5.0"

Apache modules are not allowed to change the name of the server completely, but mod_security works by finding where the name is kept in memory and overwriting the text directly. TheServerTokensdirective must be set toFullto ensure the web server allocates a large enough space for the name, giving mod_security enough space to make its changes later.

Changing the name using mod_headers with Apache 2

The mod_headers module is improved in Apache 2 and can change response headers. In spite of that, you cannot use it to change the two crucial response headers, Server and Date. But the approach does work when the web server is working in a reverse proxy mode. In that case, you can use the following configuration:

  Header set Server "Microsoft-IIS/5.0"

However, there is one serious problem with this. Though the identity change works in normal conditions, mod_headers is not executed in exceptional circumstances. So, for example, if you make an invalid request to the reverse proxy and force it to respond with status code400(“Bad request”), the response will include theServerheader containing the true identity of the reverse proxy server.

Please check back next week for the continuation of this article.

>>> More Apache Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: