Justin Bertram created AMQ-6952:
-----------------------------------
Summary: CLONE - Hide embedded jetty version
Key: AMQ-6952
URL: https://issues.apache.org/jira/browse/AMQ-6952
Project: ActiveMQ
Issue Type: New Feature
Reporter: Justin Bertram
Hi,
sorry in advance if this is something easy for jetty experts. We need some
guidance or see if hiding the embedded jetty configuration is possible.
We have not seen anywhere in the documentation how to hide the embedded jetty
version. This is marked as a security thread by our penetration testers when we
are using a web sockets transport on port 80. We have been playing around with
the configuration file jetty.xml and the parameters, but no success. It has
been addressed for other projects (see
https://issues.apache.org/jira/browse/HADOOP-13414)
So far we have been trying to change the configuration in jetty.xml.
As far as we know, this should be the configuration for the property:
{code:java}
<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<property name="sendServerVersion" value="false">
</property>
</bean>
{code}
However, this has no effect in the exposing of the version. We tried further
and tried with a connection factory, but this also had no effect:
{code:java}
<bean id="invokeConnectors"
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<list>
<bean id="httpConnectionFactory"
class="org.eclipse.jetty.server.HttpConnectionFactory">
<constructor-arg ref="httpConfig"/>
</bean>
</list>
</constructor-arg>
<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
</list>
</property>
</bean>
{code}
Are we on the right track, or does it need to be addressed by the codebase of
ActiveMQ?
This is how we show the version:
{code:java}
#nmap -sV -p80 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
PORT STATE SERVICE VERSION
80/tcp open http Jetty 9.2.22.v20170606
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
