Bug 114735 - apache Header and RequestHeader
Summary: apache Header and RequestHeader
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd   
(Show other bugs)
Version: 3.0
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2004-02-02 02:51 UTC by albunix
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-02-06 16:51:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description albunix 2004-02-02 02:51:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)

Description of problem:
the Header and RequestHeader directives fail to set the server header
to the required value.

for example. 
with the ServerTokens directive set to 'OS' and with the following entires
Header unset Server
Header set Server "myApache"

RequestHeader unset Server
RequestHeader set Server "myApache"

should "shield" the version of the http server and simply serve
"myApache" whenever a request from netcraft.com or port80software.com
tools comes in.

however it fails to do so.  it did work correctly under the previous
RH8 x86 running httpd-2.0.40 with the exact previous settings

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.edit the httpd.conf file and insert

Header unset Server
Header set Server "myApache"
RequestHeader unset Server
RequestHeader set Server "myApache"

2.make sure that the ServerTokens is set to 'OS' and NOT to 'Prod'

3.check your server headers with a tool called 'servermask' from

it should say "myApache" instead of the generic Red Hat Apache 2.0.46 


Actual Results:  header check tools identifies our headers as the
stock ones bundled with RHEL 3.0 

Expected Results:  it should set the Server token to the correct token
given by the directive 

Header set Server "myApache"

Additional info:

i had the same config file with the 3 following directives running on 
rh8.0 with apache 2.0.40

ServerTokens OS
Header unset Server
Header set Server "myApache"
RequestHeader unset Server
RequestHeader set Server "myApache"

and whenever i did a check on the headers it correctly reported as
being server from a machine running "myApache"

now someone reported that 2.0.47 indeed fails on fedora 1 also but it
runs well on 2.0.48 also on fedora

Comment 1 Joe Orton 2004-02-06 16:51:01 UTC
Thanks for the report.  It is actually the intended behaviour that
modules are not allowed to change the Server header; this rule was
relaxed in earlier versions of httpd-2.0 by mistake.  The Server
header cannot be overriden in this way from httpd-2.0.48 and later;
the httpd package in RHEL also includes the fix.

You can use "ServerTokens Prod" to configure simply "Server: Apache"
if you do not wish to reveal the OS or httpd version in that string.

Note You need to log in before you can comment on or make changes to this bug.