Apache in testing - ServerTokens Prod

2009-06-22 Thread Suno Ano
On some host (debian testing), I am running Apache and tried to add

ServerSignature Off
ServerTokens Prod

to /etc/apache2/apache2.conf in order to silence Apache a bit.

http://www.mydigitallife.info/2007/07/22/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/


Even after issuing /etc/init.d/apache2 restart it does not work. By not
work I mean, if I navigate to some page that actually does not exist,
Apache still shows the entire Apache/2.2.11 (Debian) Server at
localhost Port 80 message.

Can anybody confirm this or enlighten me? I already checked ... no bug
filed for this as of now.




Re: Apache in testing - ServerTokens Prod

2009-06-22 Thread Ansgar Burchardt
Hi,

Suno Ano <suno@sunoano.org> writes:

> On some host (debian testing), I am running Apache and tried to add
>
> ServerSignature Off
> ServerTokens Prod
>
> to /etc/apache2/apache2.conf in order to silence Apache a bit.

These settings are set in /etc/apache2/conf.d/security.  Changing it
there works here.  (If you set them in apache2.conf, I suppose you would
have to set them after the include directive for conf.d.)

Regards,
Ansgar
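
The ordering point in the reply above, as an added example that is not part of the original thread: Apache reads the configuration top to bottom, and for main-server directives such as ServerTokens and ServerSignature the last occurrence wins. The sketch follows absolute `Include` paths only, ignores anything inside `<...>` sections, and runs against a constructed config tree whose file contents (including the values in conf.d/security) are assumptions; `walk`, `effective` and `demo` are hypothetical helper names.

```python
import os, re, tempfile

WATCH = ("servertokens", "serversignature")

def walk(root, path, seen):
    """Yield (file, line, directive, value) in the order Apache reads them."""
    real = os.path.join(root, path.lstrip("/"))
    if os.path.isdir(real):
        # Including a directory pulls in its files in alphabetical order.
        for name in sorted(os.listdir(real)):
            yield from walk(root, os.path.join(path, name), seen)
        return
    if real in seen or not os.path.isfile(real):
        return
    seen.add(real)
    depth = 0
    with open(real) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if line.startswith("</"):
                depth -= 1
            elif line.startswith("<"):
                depth += 1
            m = re.match(r"(\w+)\s+(\S.*)", line)  # comments never match
            if not m or depth:
                continue
            key, val = m.group(1).lower(), m.group(2)
            if key == "include":
                yield from walk(root, val, seen)
            elif key in WATCH:
                yield path, n, key, val

def effective(root, main="/etc/apache2/apache2.conf"):
    """Return {directive: (value, 'file:line')} for the setting that wins."""
    result = {}
    for path, n, key, val in walk(root, main, set()):
        result[key] = (val, f"{path}:{n}")  # a later occurrence overrides
    return result

def demo(own_settings_before_include):
    """Build a constructed /etc/apache2 tree and resolve it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "etc/apache2")
        os.makedirs(os.path.join(base, "conf.d"))
        with open(os.path.join(base, "conf.d/security"), "w") as fh:
            fh.write("# constructed sample\nServerTokens Full\nServerSignature On\n")
        own, inc = "ServerSignature Off\nServerTokens Prod\n", "Include /etc/apache2/conf.d/\n"
        with open(os.path.join(base, "apache2.conf"), "w") as fh:
            fh.write(own + inc if own_settings_before_include else inc + own)
        return effective(root)
```

Against a live system, pass `root="/"` to `effective` and confirm the result by checking the `Server:` response header after a restart.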





Re: Apache in testing - ServerTokens Prod

2009-06-22 Thread Suno Ano

 Ansgar> These settings are set in /etc/apache2/conf.d/security. Changing it
 Ansgar> there works here. (If you set them in apache2.conf, I suppose you
 Ansgar> would have to set them after the include directive for conf.d.)

Right ... that stuff lives in /etc/apache2/conf.d/security since Lenny
now. I simply did not know -- it was in /etc/apache2/apache2.conf
before.

Below are my settings which, after restarting Apache, should make Apache
a lot less verbose:

,[ changes applied to a pristine Apache installation ]
| wks-ve10:/etc/apache2# grep -v \# conf.d/security | grep .
| ServerTokens Prod
| ServerSignature Off
| TraceEnable Off
| wks-ve10:/etc/apache2# grep conf.d apache2.conf
| Include /etc/apache2/conf.d/
| wks-ve10:/etc/apache2# dpkg -l apache2-mp* | grep ii
| ii  apache2-mpm-worker  2.2.11-5  Apache HTTP Server - high speed threaded mod
| wks-ve10:/etc/apache2# lsb_release -ric
| Distributor ID: Debian
| Release:        testing
| Codename:       squeeze
| wks-ve10:/etc/apache2#
`

As the box topic implies, I did not do anything else -- I just installed
apache2-mpm-worker and then made the changes as can be seen above and
restarted. Now, if I try to visit a site that actually does not exist, I
should get the less verbose information because of ServerSignature Off
and ServerTokens Prod. Well, I should but nothing changes here. What am
I missing?

@Ansgar
You did exactly the same things as I have shown above, yes?

