The Apache Haus Forum


Topic: X-Distributed-by in header response

itspeaks

« on: May 05, 2015, 09:08:58 AM »

Hi,

I have a requirement to remove as much identifying data from the headers as possible.

I've been searching like mad for the item that generates the Header item "X-Distributed-by".

With Default settings, the line appears twice in my http response:
X-Distributed-by   AHC
X-Distributed-by   AHC

I've tried using "Header unset X-Distributed-by" but then it only appears once.

Below is my config...

<IfModule mod_headers.c>
   Header append Vary User-Agent env=!dont-vary
   Header unset Via
   Header unset X-Distributed-by
   Header set Server " "
</IfModule>


Any suggestions?

Running: Apache/2.4.12 (Win32) PHP/5.3.29

Gregg

« Reply #1 on: May 05, 2015, 04:46:32 PM »

I've never seen it twice. Are you running one as a frontend proxying to another on the backend? Do it to both.

itspeaks

« Reply #2 on: May 06, 2015, 12:49:24 AM »

Thanks Gregg - I am running a proxy server and an application server with FCGID.

Even with that setup on both servers, the X-Distributed-by header still comes back with AHC as the value.

My biggest issue is that I can't find documentation on where this tag comes from or what AHC stands for (I'm hoping it has something to do with Apache Haus!).

I need to be able to explain if it is a security risk exposing the distribution.

Thanks again.

Gregg

« Reply #3 on: May 06, 2015, 01:34:50 AM »

It does. I'm surprised, however, that it cannot be removed in the manner you have tried.

2.4.13 & 2.2.30 will not have it. These are scheduled for next week, but anytime I've predicted (based on talk on the dev mailing list) I've never been right.

I happened to read something just last week on this very subject. Of course the aim was to hide the fact you may have old versions running and not just of Apache. My feeling is that these people looking for vulnerable software versions throw everything at you anyway; I get scans looking for all sorts of stuff I do not even have. Because of this, obscurity will not protect you. Only staying up to date on your software will.

Regardless of my opinion on the above, it will be gone next release. That decision was already made.

itspeaks

« Reply #4 on: May 06, 2015, 06:43:30 AM »

Great to hear! Thanks! :)
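Added example, not part of the thread and not Apache Haus code: a small Python check for the proxy-plus-backend setup discussed above, which compares a response head taken directly from the backend with one taken through the proxy and reports which hop still emits each identifying header. The sample heads, the proxy.example name and the header list are constructed assumptions, and the attribution assumes the proxy forwards backend response headers unchanged.

```python
from collections import Counter

# Headers named in the thread, plus X-Powered-By (an assumption; extend as needed).
IDENTIFYING = {"server", "via", "x-distributed-by", "x-powered-by"}

# Constructed sample response heads, not captures from a real server.
BACKEND = ("HTTP/1.1 200 OK\r\nX-Distributed-by: AHC\r\n"
           "Content-Type: text/html\r\n\r\n")
PROXIED = ("HTTP/1.1 200 OK\r\nVia: 1.1 proxy.example\r\n"
           "X-Distributed-by: AHC\r\nX-Distributed-by: AHC\r\n"
           "Content-Type: text/html\r\n\r\n")

def parse_head(raw):
    """Return [(lowercased name, value)]; repeated header lines stay separate."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields

def identifying(raw):
    """Count each non-empty identifying (name, value) pair in one response."""
    return Counter((n, v) for n, v in parse_head(raw) if n in IDENTIFYING and v)

def attribute(backend_raw, proxied_raw):
    """Map each identifying header the client sees to the hop(s) emitting it.

    Assumes the proxy forwards backend response headers unchanged, so copies
    beyond what the backend sent were added by the proxy itself."""
    back, prox = identifying(backend_raw), identifying(proxied_raw)
    report = {}
    for key, seen in prox.items():
        from_backend = min(seen, back.get(key, 0))
        hops = ["backend"] if from_backend else []
        if seen > from_backend:
            hops.append("proxy")
        report[key] = hops
    return report

if __name__ == "__main__":
    for (name, value), hops in attribute(BACKEND, PROXIED).items():
        print(f"{name}: {value!r} still emitted by {', '.join(hops)}")
```

Counting (name, value) pairs instead of merging repeated lines is what lets a header seen twice by the client be split between the two servers.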