
Mask Apache Server Information on CA Access Gateway


Article ID: 213081


Products

CA Single Sign On Federation (SiteMinder)
SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

How can I mask the Apache server information returned during a request?

For example:

curl -k -i --head https://www.aghost.com
HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache
Access-Control-Allow-Origin: *
Access-Control-Allow-Method: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Max-Age: 1000

Environment

Release : 12.8

Component : SITEMINDER SECURE PROXY SERVER

Cause

The customer can add these two lines to httpd.conf:
ServerSignature Off
ServerTokens Prod
 
"ServerSignature Off" tells Apache not to display the server version on error pages or on other pages it generates.
"ServerTokens Prod" tells Apache to return only "Apache" in the Server header, which is sent with every page request.

Apache has six different ServerTokens settings:

Full (or not specified) - Server: Apache/2.4.39 (UNIX) PHP/7.0.25
Prod (or ProductOnly) - Server: Apache
Major - Server: Apache/2
Minor - Server: Apache/2.4
Min (or Minimal) - Server: Apache/2.4.39
OS - Server: Apache/2.4.39 (UNIX)

Resolution

The response is expected based on the configuration.
When httpd.conf has the setting "ServerTokens Prod", the response will be "Server: Apache".
Omitting the "Server: Apache" response header, or masking it as "Server: Server", is not an out-of-the-box configuration option.
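
The following is an added example, not part of the original article or of CA Access Gateway: a POSIX shell check that maps a Server header to the ServerTokens level from the list above and audits httpd.conf for the two directives. The function names are assumptions; the audit reads a single file, treats the last uncommented directive as effective, does not follow Include lines, and falls back to the Apache defaults (ServerTokens Full, ServerSignature Off).

```shell
# Extract the Server header value from a raw response (curl -i --head output) on stdin.
server_header_value() {
  tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# True if the value in $hdr matches the extended regex in $1.
hdr_matches() { printf '%s\n' "$hdr" | grep -Eq "$1"; }

# Map a Server header value to the ServerTokens level that produces it.
# A Full header with no extra product tokens is indistinguishable from OS.
classify_server_header() {
  hdr=$1; ver='[0-9]+\.[0-9]+\.[0-9]+'
  if   hdr_matches '^Apache$';                      then echo Prod
  elif hdr_matches '^Apache/[0-9]+$';               then echo Major
  elif hdr_matches '^Apache/[0-9]+\.[0-9]+$';       then echo Minor
  elif hdr_matches "^Apache/$ver\$";                then echo Min
  elif hdr_matches "^Apache/$ver \\([^)]*\\)\$";    then echo OS
  elif hdr_matches "^Apache/$ver \\([^)]*\\) .+\$"; then echo Full
  else echo Unknown
  fi
}

# Print the last uncommented value of a directive, or the default if it is absent.
# $1 = config file, $2 = directive name (case-insensitive), $3 = default value
effective_directive() {
  val=$(awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1")
  echo "${val:-$3}"
}

# Return 0 only when the file yields ServerTokens Prod and ServerSignature Off.
audit_httpd_conf() {
  tokens=$(effective_directive "$1" ServerTokens Full)
  sig=$(effective_directive "$1" ServerSignature Off)
  echo "ServerTokens=$tokens ServerSignature=$sig"
  case "$(echo "$tokens" | tr 'A-Z' 'a-z')" in
    prod|productonly) ;;
    *) return 1 ;;
  esac
  [ "$(echo "$sig" | tr 'A-Z' 'a-z')" = off ]
}

# Sample input: the first lines of the curl response shown in this article.
sample='HTTP/1.1 302 Found
Date: Wed, 14 Apr 2021 19:10:16 GMT
Server: Apache'
classify_server_header "$(printf '%s\n' "$sample" | server_header_value)"
```

Any classification other than Prod means the header discloses version detail that "ServerTokens Prod" would suppress.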

Additional Information

http://httpd.apache.org/docs/current/mod/core.html#servertokens

To verify the modules built into CA Access Gateway:

./apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_worker_module (static)
 env_module (shared)
 log_config_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 jk_module (shared)
 alias_module (shared)
 authz_core_module (shared)
 unixd_module (shared)
 slotmem_shm_module (shared)