[
https://issues.apache.org/jira/browse/AMQ-6951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré resolved AMQ-6951.
---------------------------------------
Resolution: Fixed
> Hide embedded jetty version
> ---------------------------
>
> Key: AMQ-6951
> URL: https://issues.apache.org/jira/browse/AMQ-6951
> Project: ActiveMQ
> Issue Type: New Feature
> Affects Versions: 5.15.14
> Reporter: Marcos Moreno Martin
> Assignee: Matt Pavlovich
> Priority: Major
> Fix For: 5.17.0, 5.15.15, 5.16.2
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Hi,
> sorry in advance if this is something easy for jetty experts. We need some
> guidance or see if hiding the embedded jetty configuration is possible.
> We have not seen anywhere in the documentation how to hide the embedded jetty
> version. This is marked as a security threat by our penetration testers when
> we are using a web sockets transport on port 80. We have been playing around
> with the configuration file jetty.xml and the parameters, but no success. It
> has been addressed for other projects (see
> https://issues.apache.org/jira/browse/HADOOP-13414)
> So far we have been trying to change the configuration in jetty.xml.
> As far as we know, this should be the configuration for the property:
> {code:xml}
> <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>   <property name="sendServerVersion" value="false">
>   </property>
> </bean>
> {code}
> However, this has no effect on the exposure of the version. We tried further
> and tried with a connection factory, but this also had no effect:
> {code:xml}
> <bean id="invokeConnectors"
>       class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>   <property name="targetObject" ref="Server" />
>   <property name="targetMethod" value="setConnectors" />
>   <property name="arguments">
>     <list>
>       <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
>         <constructor-arg ref="Server" />
>         <constructor-arg>
>           <list>
>             <bean id="httpConnectionFactory"
>                   class="org.eclipse.jetty.server.HttpConnectionFactory">
>               <constructor-arg ref="httpConfig"/>
>             </bean>
>           </list>
>         </constructor-arg>
>         <!-- see the jettyPort bean -->
>         <property name="host" value="#{systemProperties['jetty.host']}" />
>         <property name="port" value="#{systemProperties['jetty.port']}" />
>       </bean>
>     </list>
>   </property>
> </bean>
> {code}
> Are we on the right track, or does it need to be addressed by the codebase of
> ActiveMQ?
> This is how we show the version:
> {code:java}
> #nmap -sV -p80 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000098s latency).
> PORT STATE SERVICE VERSION
> 80/tcp open http Jetty 9.2.22.v20170606
> Service detection performed. Please report any incorrect results at
> https://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
> {code}
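A regression check for the banner reported in the issue above, as an added example that is not part of the original issue or of ActiveMQ's code: it parses a raw HTTP response and reports any `Server` or `X-Powered-By` header that carries a product version. It assumes the version reaches the scanner through those headers; the sample responses are constructed and the function names are hypothetical.

```python
import re
import socket

# Headers in which an embedded Jetty can announce itself.
BANNER_HEADERS = ("server", "x-powered-by")
# Matches "Jetty(9.2.22.v20170606)" as well as generic "product/1.2.3" tokens.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)\s*[/(]\s*v?(\d+(?:\.\d+)+[\w.-]*)\)?")


def parse_headers(raw: bytes) -> list:
    """Split a raw HTTP response into (lower-cased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def version_disclosures(raw: bytes) -> list:
    """Return (header, product, version) for every banner that leaks a version."""
    found = []
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS:
            for product, version in VERSION_RE.findall(value):
                found.append((name, product, version))
    return found


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the response head from a listener you operate (not used by the samples)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        return s.recv(65536)


# Constructed sample responses: with the banner present and with it suppressed.
BEFORE = (b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
          b"Server: Jetty(9.2.22.v20170606)\r\n\r\n")
AFTER = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(version_disclosures(BEFORE))
    print(version_disclosures(AFTER))
```

Run against the broker's own listener after a configuration change or upgrade, `version_disclosures(probe(host, port))` should return an empty list once the banner is suppressed.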