
Apache: Disable response headers

Posted: Fri Feb 19, 2016 11:21 pm
by gilthanaz
[Problem]
When displaying an empty page or an error, the server exposes the Apache/PHP/SSL versions, like:

Code:

Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1 

[Solution]

Change in vhost (for each site + default):

Code:

ServerSignature Off
ServerTokens ProductOnly

Change in php.ini:

Code:

expose_php = off

Re: Apache: Disable response headers

Posted: Mon Feb 29, 2016 3:37 pm
by gilthanaz
[Correction]
These settings are global and not by vhost. So one way to do it is to create config files with the above changes like this:

1. Create an apache conf file in /etc/apache2/conf.d/security.conf with:

Code:

ServerSignature Off
ServerTokens ProductOnly

2. Create a PHP ini file in /etc/php5/apache2/conf.d/99-no_expose.ini with:

Code:

expose_php = off

Symlink to activate:

Code:

/etc/php5/apache2/conf.d/99-no_expose.ini --> /etc/php5/apache2/mods_available/no_expose.ini

Reload/restart apache2 and check if everything works by browsing to a non-existing site; the bottom line should only say "Apache Server at <test URL> Port 80" without further server details.
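
A header check for the settings in the posts above, as an added example that is not part of the original thread: it flags a `Server` header carrying anything beyond the bare product name and any `X-Powered-By` header. The function name `audit_headers` and the `AFTER` sample are constructed for illustration; `BEFORE` reuses the headers quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): audit raw HTTP response headers
# for version disclosure. Reads headers on stdin, prints one "LEAK" line
# per offending header, returns 1 if any leak is found and 0 otherwise.
audit_headers() {
    tr -d '\r' | awk '
        {
            # Split "Name: value"; header names are case-insensitive.
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        # With ServerTokens ProductOnly the value is the bare product name.
        # A "/" (version) or "(" (OS comment) means more is being exposed.
        name == "server" && (index(value, "/") || index(value, "(")) {
            print "LEAK " $0; leaks++
        }
        # With expose_php = off this header should be absent entirely.
        name == "x-powered-by" { print "LEAK " $0; leaks++ }
        END { exit (leaks > 0) }
    '
}

# Headers as quoted in the first post (before the change).
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1
Content-Type: text/html'

# Constructed sample of a response after the change.
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

printf '%s\n' "$BEFORE" | audit_headers || echo "before: version details exposed"
printf '%s\n' "$AFTER"  | audit_headers && echo "after: clean"
```

Against a live server, pipe the response headers in, for example `curl -sI http://localhost/ | audit_headers` (the URL is a placeholder).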