Change Apache httpd “Server:” HTTP header
One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:
HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html
I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:
<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>
After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.
I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.
UPDATE:
Once you get mod_security installed, you only need a few directives:
<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
That's for mod_security 2.7.7
http apache-httpd
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
add a comment |
One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:
HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html
I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:
<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>
After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.
I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.
UPDATE:
Once you get mod_security installed, you only need a few directives:
<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
That's for mod_security 2.7.7
http apache-httpd
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
2
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14
add a comment |
One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:
HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html
I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:
<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>
After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.
I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.
UPDATE:
Once you get mod_security installed, you only need a few directives:
<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
That's for mod_security 2.7.7
http apache-httpd
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:
HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html
I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:
<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>
After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.
I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.
UPDATE:
Once you get mod_security installed, you only need a few directives:
<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>
That's for mod_security 2.7.7
http apache-httpd
http apache-httpd
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
edited Apr 12 '14 at 16:24
Bruce Ediger
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
asked Apr 10 '14 at 17:31
Bruce EdigerBruce Ediger
35k566119
35k566119
2
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14
add a comment |
2
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14
2
2
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14
add a comment |
5 Answers
5
active
oldest
votes
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
add a comment |
mod_security is great, but you don't really need it to achieve your goal.
after all mods have been included in httpd.conf you can simply unset the headers of your choosing.
Header unset Server
ServerSignature Off
ServerTokens Prod
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
@Raptor You have to install mod_headers withsudo a2enmod headers
– Ortomala Lokni
Nov 15 '16 at 15:58
1
Header unset Serverdoes not work in Apache 2.2 and 2.4. Response headers still containsServer: Apache
– Maris B.
Jul 11 '18 at 8:28
add a comment |
Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do
grep -Ri servertokens /etc/apache2
This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.
I simply changed the directives in security.conf and Apache started working as I wanted.
ServerTokens Prod
ServerSignature Off
On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.
I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
add a comment |
I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..
Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.
ServerTokens none
The response header would look like this:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
add a comment |
ServerTokens none shows error in the application
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f124137%2fchange-apache-httpd-server-http-header%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
add a comment |
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
add a comment |
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
answered Apr 10 '14 at 18:31
ChipsterChipster
30623
30623
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
add a comment |
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
– Bruce Ediger
Apr 12 '14 at 16:15
add a comment |
mod_security is great, but you don't really need it to achieve your goal.
after all mods have been included in httpd.conf you can simply unset the headers of your choosing.
Header unset Server
ServerSignature Off
ServerTokens Prod
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
@Raptor You have to install mod_headers withsudo a2enmod headers
– Ortomala Lokni
Nov 15 '16 at 15:58
1
Header unset Serverdoes not work in Apache 2.2 and 2.4. Response headers still containsServer: Apache
– Maris B.
Jul 11 '18 at 8:28
add a comment |
mod_security is great, but you don't really need it to achieve your goal.
after all mods have been included in httpd.conf you can simply unset the headers of your choosing.
Header unset Server
ServerSignature Off
ServerTokens Prod
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
@Raptor You have to install mod_headers withsudo a2enmod headers
– Ortomala Lokni
Nov 15 '16 at 15:58
1
Header unset Serverdoes not work in Apache 2.2 and 2.4. Response headers still containsServer: Apache
– Maris B.
Jul 11 '18 at 8:28
add a comment |
mod_security is great, but you don't really need it to achieve your goal.
after all mods have been included in httpd.conf you can simply unset the headers of your choosing.
Header unset Server
ServerSignature Off
ServerTokens Prod
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
mod_security is great, but you don't really need it to achieve your goal.
after all mods have been included in httpd.conf you can simply unset the headers of your choosing.
Header unset Server
ServerSignature Off
ServerTokens Prod
http://httpd.apache.org/docs/2.4/mod/core.html#serversignature
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
answered Mar 31 '15 at 22:55
Matt RyanMatt Ryan
34123
34123
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
@Raptor You have to install mod_headers withsudo a2enmod headers
– Ortomala Lokni
Nov 15 '16 at 15:58
1
Header unset Serverdoes not work in Apache 2.2 and 2.4. Response headers still containsServer: Apache
– Maris B.
Jul 11 '18 at 8:28
add a comment |
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
@Raptor You have to install mod_headers withsudo a2enmod headers
– Ortomala Lokni
Nov 15 '16 at 15:58
1
Header unset Serverdoes not work in Apache 2.2 and 2.4. Response headers still containsServer: Apache
– Maris B.
Jul 11 '18 at 8:28
2
2
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
– intika
Aug 12 '15 at 18:13
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
This has no affect for me using Apache 2.2 (patched) on Centos 6.
– jph
Apr 19 '16 at 16:35
1
1
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
– Raptor
May 6 '16 at 10:07
2
2
@Raptor You have to install mod_headers with
sudo a2enmod headers– Ortomala Lokni
Nov 15 '16 at 15:58
@Raptor You have to install mod_headers with
sudo a2enmod headers– Ortomala Lokni
Nov 15 '16 at 15:58
1
1
Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache– Maris B.
Jul 11 '18 at 8:28
Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache– Maris B.
Jul 11 '18 at 8:28
add a comment |
Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do
grep -Ri servertokens /etc/apache2
This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.
I simply changed the directives in security.conf and Apache started working as I wanted.
ServerTokens Prod
ServerSignature Off
On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.
I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
add a comment |
Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do
grep -Ri servertokens /etc/apache2
This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.
I simply changed the directives in security.conf and Apache started working as I wanted.
ServerTokens Prod
ServerSignature Off
On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.
I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
add a comment |
Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do
grep -Ri servertokens /etc/apache2
This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.
I simply changed the directives in security.conf and Apache started working as I wanted.
ServerTokens Prod
ServerSignature Off
On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.
I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do
grep -Ri servertokens /etc/apache2
This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.
I simply changed the directives in security.conf and Apache started working as I wanted.
ServerTokens Prod
ServerSignature Off
On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.
I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
answered Oct 27 '15 at 15:18
slmaqslmaq
12112
12112
add a comment |
add a comment |
I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..
Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.
ServerTokens none
The response header would look like this:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
add a comment |
I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..
Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.
ServerTokens none
The response header would look like this:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
add a comment |
I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..
Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.
ServerTokens none
The response header would look like this:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..
Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.
ServerTokens none
The response header would look like this:
HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
answered Dec 28 '15 at 7:46
Mohab ElsayedMohab Elsayed
111
111
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
add a comment |
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
2
2
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
– jph
Apr 19 '16 at 16:36
add a comment |
ServerTokens none shows error in the application
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
ServerTokens none shows error in the application
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
ServerTokens none shows error in the application
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
ServerTokens none shows error in the application
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 9 mins ago
HoptozerzHoptozerz
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 9 mins ago
HoptozerzHoptozerz
1
answered 9 mins ago
HoptozerzHoptozerz
1
1
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Hoptozerz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f124137%2fchange-apache-httpd-server-http-header%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
– Michael Ozeryansky
Apr 10 '14 at 18:00
@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.
– Bruce Ediger
Apr 10 '14 at 18:14