Bug 114735 - apache Header and RequestHeader
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
Version: 3.0
Hardware: x86_64 Linux
Priority: medium, Severity: low
Assigned To: Joe Orton
QA Contact: Brian Brock
 
Reported: 2004-02-01 21:51 EST by albunix
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-02-06 11:51:01 EST
Description albunix 2004-02-01 21:51:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)

Description of problem:
the Header and RequestHeader directives fail to set the server header
to the required value.

for example. 
with the ServerTokens directive set to 'OS' and with the following entries
Header unset Server
Header set Server "myApache"

RequestHeader unset Server
RequestHeader set Server "myApache"

should "shield" the version of the http server and simply serve
"myApache" whenever a request from netcraft.com or port80software.com
tools comes in.

however it fails to do so.  it did work correctly under the previous
RH8 x86 running httpd-2.0.40 with the exact previous settings




Version-Release number of selected component (if applicable):
httpd-2.0.40-26.ent

How reproducible:
Always

Steps to Reproduce:
1. edit the httpd.conf file and insert

Header unset Server
Header set Server "myApache"
RequestHeader unset Server
RequestHeader set Server "myApache"

2. make sure that the ServerTokens is set to 'OS' and NOT to 'Prod'

3. check your server headers with a tool called 'servermask' from
http://www.port80software.com/support/p80tools

it should say "myApache" instead of the generic Red Hat Apache 2.0.46 

    

Actual Results:  header check tools identify our headers as the
stock ones bundled with RHEL 3.0 

Expected Results:  it should set the Server token to the correct token
given by the directive 

Header set Server "myApache"

Additional info:

i had the same config file with the 3 following directives running on 
rh8.0 with apache 2.0.40

ServerTokens OS
Header unset Server
Header set Server "myApache"
RequestHeader unset Server
RequestHeader set Server "myApache"

and whenever i did a check on the headers it correctly reported as
being server from a machine running "myApache"

now someone reported that 2.0.47 indeed fails on fedora 1 also but it
runs well on 2.0.48 also on fedora
Comment 1 Joe Orton 2004-02-06 11:51:01 EST
Thanks for the report.  It is actually the intended behaviour that
modules are not allowed to change the Server header; this rule was
relaxed in earlier versions of httpd-2.0 by mistake.  The Server
header cannot be overridden in this way from httpd-2.0.48 and later;
the httpd package in RHEL also includes the fix.

You can use "ServerTokens Prod" to configure simply "Server: Apache"
if you do not wish to reveal the OS or httpd version in that string.
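
Added example (not part of the bug report or of the comments above, and not httpd code): a Python check that reads the Server header out of a response and infers which ServerTokens level produced it, so a setting such as "ServerTokens Prod" can be verified after a reload. The sample response and the names server_header, classify and discloses_too_much are constructed for this illustration.

```python
import re

# Apache's Server header grows with the ServerTokens level:
#   Prod "Apache", Major "Apache/2", Minor "Apache/2.0", Min "Apache/2.0.46",
#   OS "Apache/2.0.46 (Red Hat)", Full = OS form followed by module tokens.
SERVER_RE = re.compile(
    r"^Apache(?:/(?P<version>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]*)\))?"
    r"(?P<modules>(?:\s+\S+)*)\s*$"
)

# Constructed sample response, not captured from a real server.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.0.46 (Red Hat)\r\n"
          "Content-Length: 0\r\n\r\n")

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(value):
    """Map a Server header value to the ServerTokens level that yields it."""
    if value is None:
        return "absent"
    m = SERVER_RE.match(value)
    if not m:
        return "not-apache"
    version, os_name, modules = m.group("version", "os", "modules")
    if modules.strip():
        return "Full"
    if os_name is not None:
        return "OS"
    if version is None:
        return "Prod"
    return ("Major", "Minor", "Min")[version.count(".")]

def discloses_too_much(value):
    """True when the header reveals a version, an OS or a module list."""
    return classify(value) in {"Major", "Minor", "Min", "OS", "Full"}

if __name__ == "__main__":
    value = server_header(SAMPLE)
    print(value, "->", classify(value), "| too much:", discloses_too_much(value))
```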
