Apache servers reporting version in response header

Bug #1484256 reported by Steve Lewis
Affects              Status        Importance  Assigned to           Milestone
OpenStack-Ansible    Fix Released  Low         Jean-Philippe Evrard
Kilo                 Fix Released  Low         Jesse Pretorius
Trunk                Fix Released  Low         Jean-Philippe Evrard

Bug Description

One thing we may want to make sure we do is limit the container from revealing its hostname: <address>Apache/2.4.7 (Ubuntu) Server at 578127-infra02_horizon_container-044e45f2 Port 443</address>

To hide the version the default should probably be to include the directive "ServerTokens Prod" in /etc/apache2/conf.d/security and perhaps make it configurable.

Similarly the ServerName directive within the virtual host template should be configurable perhaps with a default of the service name instead of the current behavior which includes the full container name.

Currently limited to Horizon and Keystone.

description: updated
tags: added: low-hanging-fruit
Jesse Pretorius (jesse-pretorius) wrote :

This affects both Horizon and Keystone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/214606

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/214606
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=1d2c19d8409ad53bb5ca7bf180f433f05af91afe
Submitter: Jenkins
Branch: master

commit 1d2c19d8409ad53bb5ca7bf180f433f05af91afe
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Aug 19 14:19:32 2015 +0200

    Apache servers will not report version anymore

    In order to make it more difficult to know which
    httpd server is running, here is a change to
    reduce the ServerTokens OS to ServerTokens Prod
    and the ServerSignature On to ServerSignature Off.

    This removes ServerName and version report
    on page footer and reduces the detail of the httpd
    server running in the headers to "Apache".

    These options can be overwritten by a user variable

    Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b
    Closes-Bug: #1484256
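
The two directives discussed in the report and in the commit message above, as an added example that is not part of the bug report or of the os-ansible-deployment change: a POSIX shell script that audits an Apache configuration file for the effective ServerTokens and ServerSignature values (last occurrence wins, comments are ignored, and Apache's own defaults of ServerTokens Full and ServerSignature Off apply when a directive is absent) and maps an observed Server: response header back to the ServerTokens level that produces it. The file names, configuration contents and captured headers are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the bug report or the os-ansible-deployment change.
#   audit_apache_conf   - effective ServerTokens / ServerSignature of a config file
#   server_header_value - pulls the Server: value out of captured response headers
#   server_tokens_level - names the ServerTokens level that would emit that value
# Sample files and header lines below are constructed, not captured from a real host.

to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective value of a directive: comments stripped, directive names matched
# case-insensitively, the last occurrence wins (as Apache does), default if absent.
effective_directive() {
    # $1: config file, $2: directive name, $3: Apache's default when absent
    awk -v name="$2" -v dflt="$3" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(name) && NF >= 2 { val = $2 }
        END { print (val == "" ? dflt : val) }' "$1"
}

# Prints "ok" when ServerTokens is Prod and ServerSignature is Off,
# otherwise a ";"-separated list of the directives that leak detail.
audit_apache_conf() {
    tokens=$(effective_directive "$1" ServerTokens Full)      # Apache default: Full
    signature=$(effective_directive "$1" ServerSignature Off) # Apache default: Off
    findings=""
    [ "$(to_lower "$tokens")" = "prod" ] || findings="${findings}ServerTokens=$tokens;"
    [ "$(to_lower "$signature")" = "off" ] || findings="${findings}ServerSignature=$signature;"
    if [ -z "$findings" ]; then echo ok; else echo "$findings"; fi
}

# Value of the Server: header in a file of raw response headers (e.g. saved from curl -sI).
server_header_value() {
    awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }' "$1"
}

# Maps a Server: header value to the ServerTokens level that emits it.
server_tokens_level() {
    case "$1" in
        Apache)               echo Prod ;;     # "Apache"
        "Apache/"*")"?*)      echo Full ;;     # OS string followed by module versions
        "Apache/"*"("*")")    echo OS ;;       # "Apache/2.4.7 (Ubuntu)", as in the report
        "Apache/"*.*.*)       echo Minimal ;;  # "Apache/2.4.7"
        "Apache/"*.*)         echo Minor ;;    # "Apache/2.4"
        "Apache/"*)           echo Major ;;    # "Apache/2"
        *)                    echo Unknown ;;
    esac
}

demo() {
    weak=$(mktemp); hard=$(mktemp); hdrs=$(mktemp)
    # Constructed: the packaging defaults that produce the header quoted in the report.
    printf 'ServerTokens OS\nServerSignature On\nTraceEnable Off\n' > "$weak"
    # Constructed: a stale line overridden later, a comment, and the values the fix sets.
    printf 'ServerTokens OS\n# ServerTokens Full\nServerTokens Prod\nServerSignature Off\n' > "$hard"
    # Constructed response headers in the shape curl -sI prints them.
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nContent-Type: text/html\r\n' > "$hdrs"
    echo "weak config:     $(audit_apache_conf "$weak")"
    echo "hardened config: $(audit_apache_conf "$hard")"
    echo "header level:    $(server_tokens_level "$(server_header_value "$hdrs")")"
    rm -f "$weak" "$hard" "$hdrs"
}
demo
```

Run the script as-is to see the constructed weak and hardened configurations audited side by side; to check a deployed host, save `curl -sI https://host/` to a file and pass it to `server_header_value`, then feed the result to `server_tokens_level`. A level other than Prod means the ServerTokens setting the fix introduces is not in effect for that virtual host.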

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/215071
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=02ae2f2f66a35f113c38eba08811330fd9273454
Submitter: Jenkins
Branch: kilo

commit 02ae2f2f66a35f113c38eba08811330fd9273454
Author: Jean-Philippe Evrard <email address hidden>
Date: Wed Aug 19 14:19:32 2015 +0200

    Apache servers will not report version anymore

    In order to make it more difficult to know which
    httpd server is running, here is a change to
    reduce the ServerTokens OS to ServerTokens Prod
    and the ServerSignature On to ServerSignature Off.

    This removes ServerName and version report
    on page footer and reduces the detail of the httpd
    server running in the headers to "Apache".

    These options can be overwritten by a user variable

    Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b
    Closes-Bug: #1484256
    (cherry picked from commit 1d2c19d8409ad53bb5ca7bf180f433f05af91afe)

tags: removed: low-hanging-fruit
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
