DevHeads.net

header unset server does not work

Hi,

After setting "ServerTokens Prod", I would like to modify or remove the
server header that says "Apache" from the response.
Reading some googles it says that is not possible with "Header unset server"
as you'd expect from reading
<a href="http://httpd.apache.org/docs/current/mod/mod_headers.html" title="http://httpd.apache.org/docs/current/mod/mod_headers.html">http://httpd.apache.org/docs/current/mod/mod_headers.html</a>

Besides modifying the source, is there some new trick that is supposed to
work? I can't seem to read it in the (mod_header) documentation for 2.4.

IBM's version of Apache has a directive AddServerHeader off
<a href="http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#addserverheader" title="http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#addserverheader">http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#addserverh...</a>
I am really really curious, why didn't the brilliant IBM Engineers not
include that change in the main Apache dev trunk?

In advance many thanks for your replies and help,
Fred

Comments

Re: header unset server does not work

By Jeff Trawick at 06/11/2013 - 16:26

A number of the Apache HTTP Server developers do not want users to be able
to suppress the Server header without modifying the source code or adding
third-party modules. The issue comes up from time to time and is subject
to change.

Re: header unset server does not work

By Eric Covener at 06/11/2013 - 16:35

mod_security can do it too.

Re: header unset server does not work

By fredk2 at 06/12/2013 - 08:18

Thank you both for the replies.

I have used mod_security in the past, but concerned it would be
missimplemented.

1/ Do you think that AddServerHeader directive will ever be added to the
core Apache ?

2/ would someone reading the "module writing" tutorials be able to create a
module to modify or remove the server header or would this be one of the
more challenging module to write ?

Thanks again in advance,
Fred

Re: Re: header unset server does not work

By Jeff Trawick at 06/12/2013 - 09:46

???

It needs to be removed in a filter that sits right under the HTTP header
filter, and it has to be sensitive to basic HTTP response format and remove
the Server header while the headers are being passed down and get out of
the way afterwards. As such, it is a relatively simple filter but requires
some understanding that is not required of a lot of other modules.

Here's the general idea:

<a href="http://emptyhammock.com/downloads/mod_remove_server_header.c" title="http://emptyhammock.com/downloads/mod_remove_server_header.c">http://emptyhammock.com/downloads/mod_remove_server_header.c</a>

Re: header unset server does not work

By fredk2 at 06/12/2013 - 22:54

WOW!! very nice - thank you - I wasn't close at all :-)
Your code does work on my test servers.