[
https://issues.apache.org/jira/browse/AMQ-6951?focusedWorklogId=568117&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-568117
]
ASF GitHub Bot logged work on AMQ-6951:
---------------------------------------
Author: ASF GitHub Bot
Created on: 18/Mar/21 06:28
Start Date: 18/Mar/21 06:28
Worklog Time Spent: 10m
Work Description: jbonofre commented on pull request #615:
URL: https://github.com/apache/activemq/pull/615#issuecomment-801666752
OK I saw the discussion in the Jira, it makes sense. I don't think we need
to do it configurable for the transport connector. I will test the PR rebased
on `master` as I fixed the tests ;)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 568117)
Time Spent: 50m (was: 40m)
> Hide embedded jetty version
> ---------------------------
>
> Key: AMQ-6951
> URL: https://issues.apache.org/jira/browse/AMQ-6951
> Project: ActiveMQ
> Issue Type: New Feature
> Affects Versions: 5.15.14
> Reporter: Marcos Moreno Martin
> Assignee: Matt Pavlovich
> Priority: Major
> Fix For: 5.17.0, 5.15.15, 5.16.2
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Hi,
> sorry in advance if this is something easy for jetty experts. We need some
> guidance or see if hiding the embedded jetty configuration is possible.
> We have not seen anywhere in the documentation how to hide the embedded jetty
> version. This is marked as a security thread by our penetration testers when
> we are using a web sockets transport on port 80. We have been playing around
> with the configuration file jetty.xml and the parameters, but no success. It
> has been addressed for other projects (see
> https://issues.apache.org/jira/browse/HADOOP-13414)
> So far we have been trying to change the configuration in jetty.xml.
> As far as we know, this should be the configuration for the property:
> {code:java}
> <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
> <property name="sendServerVersion" value="false">
> </property>
> </bean>
> {code}
> However, this has no effect in the exposing of the version. We tried further
> and tried with a connection factory, but this also had no effect:
> {code:java}
> <bean id="invokeConnectors"
> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
> <property name="targetObject" ref="Server" />
> <property name="targetMethod" value="setConnectors" />
> <property name="arguments">
> <list>
> <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
> <constructor-arg ref="Server" />
> <constructor-arg>
> <list>
> <bean id="httpConnectionFactory"
> class="org.eclipse.jetty.server.HttpConnectionFactory">
> <constructor-arg ref="httpConfig"/>
> </bean>
> </list>
> </constructor-arg>
> <!-- see the jettyPort bean -->
> <property name="host" value="#{systemProperties['jetty.host']}" />
> <property name="port" value="#{systemProperties['jetty.port']}" />
> </bean>
> </list>
> </property>
> </bean>
> {code}
> Are we on the right track, or does it need to be addressed by the codebase of
> ActiveMQ?
> This is how we show the version:
> {code:java}
> #nmap -sV -p80 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000098s latency).
> PORT STATE SERVICE VERSION
> 80/tcp open http Jetty 9.2.22.v20170606
> Service detection performed. Please report any incorrect results at
> https://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
