Disable/hide apache version in headers?

Richard G

How can we hide this?

On security tests it's not a very bad thing, but the server is displayed in headers like Apache/2.4.
The advice is to hide this, but how can this be done?

I found an older thread where it was written one should edit the /etc/httpd/conf/extra/httpd-default.conf and set:
ServerSignature Off (I believe this is the default)
and
ServerTokens Prod (default is Major)
and restart httpd.

Now I tried this, and also tried Minor on ServerTokens, but it does not change much; it keeps stating "Server apache/2.4" in headers.

How can we hide this?
 
Hello Richard,

You've got it right, the file conf/extra/httpd-default.conf is the only one which needs to be updated regarding the matter. If it did not hide the Apache version in your case, it might be because either Apache failed to restart or you have the same directive in another place.

You can detect whether or not Apache's version is hidden on a default Apache error page, i.e. a 4xx error, in its default view without processing by PHP.
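
A way to run both checks from the reply above (a second copy of the directive in another file, and whether the header still shows a version), added here as an example and not part of the thread. The function names, the sample tree and the file name site-override.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ServerTokens / ServerSignature across a config tree.

# Print "STATUS file:line: Directive value" for every active (uncommented)
# occurrence. Directive names are matched case-insensitively, as Apache does.
# OK = ServerTokens Prod/ProductOnly or ServerSignature Off; anything else is WEAK.
audit_banner_directives() {
    find "$1" -type f -name '*.conf' -exec awk '
        { d = tolower($1); v = tolower($2); status = "" }
        d == "servertokens"    { status = (v == "prod" || v == "productonly") ? "OK" : "WEAK" }
        d == "serversignature" { status = (v == "off") ? "OK" : "WEAK" }
        status != "" { printf "%s %s:%d: %s %s\n", status, FILENAME, FNR, $1, $2 }
    ' {} +
}

# Return 0 when a Server header value still exposes a version (e.g. Apache/2.4).
header_leaks_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]'
}

# Constructed sample tree (not real server files) so the script runs offline.
# site-override.conf is a hypothetical second file holding the same directive.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf/extra"
    printf 'ServerSignature Off\nServerTokens Major\n' \
        > "$root/conf/extra/httpd-default.conf"
    printf '# of the setting of ServerSignature.\n' \
        > "$root/conf/extra/httpd-multilang-errordoc.conf"
    printf '  servertokens Prod\n' > "$root/conf/extra/site-override.conf"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
audit_banner_directives "$sample"
header_leaks_version 'Apache/2.4' && echo 'Server header exposes a version'
rm -rf "$sample"
```

On a real server, pass the Apache configuration root (for example /etc/httpd/conf) instead of the sample tree. Comment lines that merely mention a directive are not reported.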
 
Hello Alex.

Seems indeed the case, changed it now and it is now only showing "Apache", which seems fine to me.

I presume to prevent overwriting I have to copy the current httpd-default.conf to the /usr/local/directadmin/custombuild/custom/ap2/conf/extra directory, correct?
 
Old thread but similar situation:

My /usr/local/directadmin/custombuild/custom/ap2/ only contains configure.php72 (related to my build options), do I just mkdir conf and extra and add a file like httpd-default.conf10 so that I can set ServerTokens Prod persistent? That's the only extra line I need to change, but I need it to survive updates so I can execute it across all my DA servers.

Thanks,
 
That should be exactly httpd-default.conf, not httpd-default.conf10.

Create a directory structure, copy a file:

Code:
cd /usr/local/directadmin/custombuild/
mkdir -p custom/ap2/conf/extra/
cp -p configure/ap2/conf/extra/httpd-default.conf custom/ap2/conf/extra/httpd-default.conf

Update the file and change the option to

Code:
ServerSignature Off

Restart Apache.
 
Hi, I have the same issue, and the solution I have seen above just doesn't work.
I checked where ServerSignature is mentioned and it's here:
find / -name "*.conf" -exec grep -H "ServerSignature" {} \;
/usr/local/directadmin/data/templates/httpd.conf:ServerSignature On
/usr/local/directadmin/custombuild/configure/ap2/conf/extra/httpd-multilang-errordoc.conf:# of the setting of ServerSignature.
/usr/local/directadmin/custombuild/configure/ap2/conf/extra/httpd-default.conf:ServerSignature Off
/etc/httpd/conf/extra/httpd-multilang-errordoc.conf:# of the setting of ServerSignature.
/etc/httpd/conf/extra/httpd-default.conf:ServerSignature Off
/etc/httpd/conf/original/extra/httpd-multilang-errordoc.conf:# of the setting of ServerSignature.
/etc/httpd/conf/original/extra/httpd-default.conf:ServerSignature Off

So, it is set to Off in httpd-default.
I also checked, of course, /usr/local/directadmin/data/templates/httpd.conf - I have changed it to Off and restarted Apache, but same - no effect at all.
Any ideas?
 
You can’t edit templates directly. You need to use the help section in my signature to find out how to add a custom entry to Apache
vvvvv
 