ServerTokens in Apache 2.2.4

[sol143]

Hi All,

I am having a problem with apache 2.2.4 running on Solaris 9 Box.

It seems the Directive "ServerTokens Prod" is not working anymore in this version.

you can even put anything like "SeverTokens AAAA", and you restart Apache and it does not complain.

Is this Directive available in Apache 2.2.4 ? if not what is the new one that provides the same feature?, Or is it a Bug ?. Is there any workaround ? or Bug fix.

The Default config file of Apache 2.2.4 does not come with this Directive, I added it in the apache config file. But it does not work. Now I understand why they did not put it in the first place.

I will appreciate any input on this thread.

Thanks.

 

[feherke]

Hi

Is this Directive available in Apache 2.2.4 ?

As [tt]ServerTokens[/tt] is still described in the 2.2 documentation, I would say it is available.

If you run [tt]httpd[/tt] with the -t ( run syntax check for config files ) command line option, still not complain ?

Feherke.

http://rootshell.be/~feherke/

 

[sol143]

Feherke,

Thanks for your prompt answer, but "SeverTokens Prod" is not working for me in apache 2.2.4, I put it in my config file and I still having this string on my Browser.

Server Version: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 PHP/5.2.2

So, it is not working. My question is How can I make it work in apache 2.2.4 if it is available.

The Check Configuration wiht "-t" is good to make sure you follow a correct syntax in your config.

But "ServerTokens AAAA" is wrong, it should not start Apache
or record it in the logs or on the console.

The Question is How to remove my Server Signature in 2.2.4
I do not want the users of the website to see which version of Apache or modules are running on the server.

thanks.

 

[sleipnir214]

sol143:
I am running Apache 2.2.4, compiled from source, and when I set httpd.conf to read:

[tt]ServerTokens Minor[/tt]

then restart Apache and connect via telnet on port 80, sending:

[tt]HEAD / HTTP/1.0[enter-key]
[enter-key][/tt]

I get, as part of the output from the server, the header:

[tt]Server: Apache/2.2[/tt]


If I change httpd.conf to read:

[tt]ServerTokens Prod[/tt]
or
[tt]ServerTokens ProductOnly[/tt]

then restart Apache, connect by telnet on port 80 and send the HTTP command I get:

[tt]Server: Apache[/tt]


So I can only conclude that the ServerTokens directive is working correctly on my system. And since my Apache installation is from a stock gzipped tarball I downloaded from apache.org, I feel safe in assuming the ServerTokens directive works in Apache 2.2.4.



Have you verified the output of Apache's "Server:" header by direct inspection using telnet has I have above, or indirectly through your (possibly cached) browser information?

Are you restarting Apache after you edit httpd.conf?

Are you sure that you're editing the correct copy of httpd.conf?




Want the best answers? Ask the best questions! TANSTAAFL!

 

[sol143]

Hi sleipnir214,

Thanks for your reply

It is working, I saw that later, but The page I was looking at is the Apache balancer-manager page, I do not know How to remove this information from this page: still showing

Load Balancer Manager for host
Server Version: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/<> PHP/5.2.2 proxy_html/2.5 Server Built: May 8 2007 02:11:31

But I can live with that.
Thanks a lot ...

 

[sleipnir214]

Where are you seeing that string? "Server Version" and "Built" are not HTTP headers that Apache normally sends to clients.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[ozdevworx]

The Server string you are seeing is the the "ServerSignature".
You can see what its set to by calling phpinfo().

ServerSignature gets appended to the footer of server generated documents.
Its primary purpose is to help identify the specific server generating the output page in a server chain.

Valid settings are: on|off|email
EG:
# gets set in httpd.conf
ServerSignature off

If set to "ServerSignature email" the server admin email address will be appended to the signature.

Hope this helps.