How to mask Apache server information during requests?
For example:
curl -k -i --head https://_host._domain._com
HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache
Access-Control-Allow-Origin: *
Access-Control-Allow-Method: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Max-Age: 1000
Release : 12.8.xx and 12.9 (Applicable to all the supported releases)
Component : SMSPS : SITEMINDER SECURE PROXY SERVER
Add these two lines within httpd.conf:
ServerSignature Off
ServerTokens Prod
- "ServerSignature Off" tells Apache not to display the server version on error pages or other pages it generates.
- "ServerTokens Prod" tells Apache to return only "Apache" in the Server header, which is sent on every page request.
Apache supports six different ServerTokens settings in the configuration:
Full (or not specified) - Server: Apache/2.4.39 (UNIX) PHP/7.0.25
Prod (or ProductOnly) - Server: Apache
Major - Server: Apache/2
Minor - Server: Apache/2.4
Min (or Minimal) - Server: Apache/2.4.39
OS - Server: Apache/2.4.39 (UNIX)
The Server header in the response is expected based on this configuration.
When httpd.conf sets "ServerTokens Prod", the response will be "Server: Apache".
Omitting the "Server: Apache" response header, or masking it as something like "Server: Server", is not an out-of-the-box configuration option.
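To confirm which of the six ServerTokens levels a server is actually sending, the Server header can be matched against the formats listed above. The script below is an added example, not vendor code; the function names are hypothetical and the sample response is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

_match() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Print the ServerTokens level whose documented format matches header value $1.
# "Full" without add-on product tokens looks identical to "OS" and is reported as OS.
classify_server_tokens() {
    if   _match "$1" '^Apache$'; then echo Prod
    elif _match "$1" '^Apache/[0-9]+$'; then echo Major
    elif _match "$1" '^Apache/[0-9]+\.[0-9]+$'; then echo Minor
    elif _match "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+$'; then echo Min
    elif _match "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\)$'; then echo OS
    elif _match "$1" '^Apache/[0-9]+\.[0-9]+\.[0-9]+ \([^)]*\) .+'; then echo Full
    else echo Unknown
    fi
}

# Read raw response headers on stdin and print the first Server header value.
# Header names are case-insensitive; curl output carries CRLF line endings.
server_header_value() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ && !seen { sub(/^[^:]*:[ \t]*/, ""); print; seen = 1 }'
}

# Report the level and succeed only if nothing beyond the product name is sent.
audit_server_header() {
    value=$(server_header_value)
    if [ -z "$value" ]; then echo "Absent"; return 0; fi
    level=$(classify_server_tokens "$value")
    echo "$level: $value"
    [ "$level" = Prod ]
}

# Constructed sample response, shaped like the curl --head output above.
sample='HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache/2.4.39 (UNIX) PHP/7.0.25'
printf '%s\n' "$sample" | audit_server_header || echo "FAIL: ServerTokens Prod is not in effect"

# Live check, using the page's own request:
#   curl -k -s -i --head https://_host._domain._com | audit_server_header
```

A non-zero exit status from audit_server_header after a restart means the "ServerTokens Prod" line is not the setting in effect for that listener.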
To verify the modules built into the CA Access Gateway (SPS):
./apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_worker_module (static)
env_module (shared)
log_config_module (shared)
setenvif_module (shared)
mime_module (shared)
jk_module (shared)
alias_module (shared)
authz_core_module (shared)
unixd_module (shared)
slotmem_shm_module (shared)