Excerpt from RFC:
" 14.38 Server
The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.
[ ... ]
If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45).

Note: Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.
"

In Apache httpd, the most restrictive setting of the ServerTokens directive is currently Prod, which makes Apache return "Apache" as the Server header. Some problems remain:

First, this level of security by obscurity is not acceptable to some people, who just want to change the header to some other value without recompiling Apache, or who even want to drop the "Server: " header entirely. Secondly, if Apache is configured as a reverse proxy and a malformed request is received, it displays its own server token instead of the backend's, so the Server header of error responses needs to be handled as well.

I developed this tiny module by hijacking the normal behavior of the (reverse) proxy feature of Apache: i.e. even if a request is not a proxy request, I tag it as if it were, to make the Apache core let me do what I want with this header.

Download Module to secure "Server:"

Next step, according to Brass, Phil (ISS Atlanta) (PBrass at iss dot net), would be to randomize header order.

Module directives are:

# The Server: header is no longer displayed if this value is "on"
SecureServerHeaderDrop "on"/"off"

# The Server: header is no longer displayed when an error occurs if this value is "on"
SecureServerHeaderErrorDrop "on"/"off"

# The Server: header that you want to display all the time.
SecureServerHeader "Hidden Name"

# The Server: header that you want to display in case of error.
SecureServerHeaderError "Hidden Name for errors"

To build this module, you can proceed like this:
${APACHE_DIR}/bin/apxs -c -a -n sesehe ./mod_sesehe.c
${APACHE_DIR}/bin/apxs -i -a -n sesehe ./mod_sesehe.la

You can see the result of this module working on http://jok.is-a-geek.net and http://meroware.com.
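
To check a server of your own for the two problems described above, the following added example (not part of mod_sesehe or of the original page) parses response heads, as captured for instance with curl -i, and reports version or comment disclosure in the Server header and any difference between the normal and the error response. The sample heads, the backend name and the version numbers are constructed for illustration.

```python
import re

# Product token as in the RFC excerpt (section 3.8): token ["/" version].
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PRODUCT = re.compile(r"(%s)(?:/(%s))?" % (TOKEN, TOKEN))
COMMENT = re.compile(r"\([^()]*\)")

# Constructed sample response heads (names and versions are made up).
BACKEND_OK = "HTTP/1.1 200 OK\r\nServer: ExampleBackend/1.0\r\n\r\n"
PROXY_ERROR = "HTTP/1.1 400 Bad Request\r\nServer: Apache/2.0.0 (Unix)\r\n\r\n"
HIDDEN_OK = "HTTP/1.1 200 OK\r\nServer: Hidden Name\r\n\r\n"
HIDDEN_ERROR = "HTTP/1.1 400 Bad Request\r\nServer: Hidden Name\r\n\r\n"

def server_header(raw_head):
    """Return the Server header value from a raw response head, or None."""
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line:                # a blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def disclosures(value):
    """List what a Server value reveals: comments and versioned products."""
    if value is None:
        return []
    found = ["comment " + c for c in COMMENT.findall(value)]
    bare = COMMENT.sub(" ", value)  # drop comments before reading tokens
    for name, version in PRODUCT.findall(bare):
        if version:
            found.append("version %s/%s" % (name, version))
    return found

def audit(normal_head, error_head):
    """Compare Server on a normal response and on an error response."""
    normal, error = server_header(normal_head), server_header(error_head)
    issues = []
    for label, value in (("normal", normal), ("error", error)):
        issues += ["%s: %s" % (label, d) for d in disclosures(value)]
    if normal != error:             # the reverse-proxy case described above
        issues.append("mismatch: normal=%r error=%r" % (normal, error))
    return issues

if __name__ == "__main__":
    for issue in audit(BACKEND_OK, PROXY_ERROR):
        print(issue)
```

If SecureServerHeader and SecureServerHeaderError are deliberately set to different values, the mismatch line is expected and only the disclosure lines matter.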