gilthanaz
Site Admin
Posts: 444 Joined: Fri Aug 29, 2003 9:29 pm
Contact:
Post
by gilthanaz » Fri Feb 19, 2016 11:21 pm
[Problem]
When displaying an empty page or an error, the server exposes the apache/php/ssl versions, like:
Code:
Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1
[Solution]
Change in vhost (for each site + default):
Code:
ServerSignature Off
ServerTokens ProductOnly
Change in php.ini:
by gilthanaz » Mon Feb 29, 2016 3:37 pm
[Correction]
These settings are global and not by vhost. So one way to do it is to create config files with the above changes like this:
1. Create an apache conf file in /etc/apache2/conf.d/security.conf with:
Code:
ServerSignature Off
ServerTokens ProductOnly
2. Create a php ini file in /etc/php5/apache2/conf.d/99-no_expose.ini with:
Symlink to activate:
Code:
/etc/php5/apache2/conf.d/99-no_expose.ini --> /etc/php5/apache2/mods_available/no_expose.ini
Reload/restart apache2 and check if everything works by browsing to a non-existent site; the bottom line should only say "Apache Server at <test URL> Port 80" without further server details.
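The error-page footer only reflects ServerSignature, so the response headers are worth checking as well. The following is an added example, not part of the original posts: a shell function (the name check_disclosure is hypothetical) that reads raw response headers on stdin and flags a Server header that still carries a version, or any X-Powered-By header. The sample headers are constructed from the ones quoted in the first post.

```shell
#!/bin/sh
# Added example: flag version disclosure in HTTP response headers.
# Reads raw response headers on stdin and prints one line per finding.
# Returns 0 when nothing is disclosed, 1 otherwise.
check_disclosure() {
    awk '
        BEGIN { bad = 0 }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        tolower($0) ~ /^server:/ {
            # ServerTokens ProductOnly leaves just "Server: Apache";
            # a digit right after a slash means a version is still exposed.
            if ($0 ~ /\/[0-9]/) { print "LEAK " $0; bad = 1 }
        }
        tolower($0) ~ /^x-powered-by:/ {
            # This is the header the php.ini change is meant to remove,
            # so its presence alone counts as a finding.
            print "LEAK " $0; bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample: the two headers quoted in the first post.
BEFORE='Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1'

# Constructed sample: headers expected once both changes are active.
AFTER='Server: Apache
Content-Type: text/html'

printf '%s\n' "$BEFORE" | check_disclosure || echo "before: version details exposed"
printf '%s\n' "$AFTER" | check_disclosure && echo "after: clean"
```

Against a live server, pipe the output of `curl -sI http://<test URL>/` into the function after reloading apache2.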