
I have a Rails application served using Apache 2 and Phusion Passenger. As a security measure I'm trying to suppress all server-related HTTP headers. I've successfully turned off the Apache ones, but I'm having trouble using mod_headers to suppress the Passenger ones. I've enabled mod_headers using the a2enmod command and restarted the Apache process, but the X-Powered-By and X-Runtime headers still appear.

This is my vhost file:

<VirtualHost *:80>

  ServerAdmin webmaster@example.com
  ServerName  example.com
  ServerAlias www.example.com

  DocumentRoot /home/deploy/public_html/railsapp/current/public

  LogLevel warn
  ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
  CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

  # Suppress Phusion Passenger HTTP headers
  <Location *>
    <IfModule mod_headers.c>
      Header unset X-Runtime
      Header unset X-Powered-By
    </IfModule>
  </Location>
</VirtualHost>

What am I doing wrong?

John Topley

3 Answers


From the mod_headers docs:

The directives provided by mod_headers can occur almost anywhere within the server configuration. They are valid in the main server config and virtual host sections, inside <Directory>, <Location> and <Files> sections, and within .htaccess files.

If you want this to apply to the whole vhost, why put it inside <Location> tags? Just put the directives inside the main vhost config.

<VirtualHost *:80>

  ServerAdmin webmaster@example.com
  ServerName  example.com
  ServerAlias www.example.com

  DocumentRoot /home/deploy/public_html/railsapp/current/public

  LogLevel warn
  ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
  CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

  <IfModule mod_headers.c>
    Header unset X-Runtime
    Header unset X-Powered-By
  </IfModule>

</VirtualHost>

I haven't tested this so apologies in advance if it's incorrect.

  • Thanks Andrew. I think I misread the docs regarding the elements. I had to use "Header always unset..." to get it to work. – John Topley Aug 02 '09 at 14:20
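The asker's vhost with the fix from the comment above, as an added example (not the asker's final file or Passenger's own documentation): `Header unset` only edits the header table used for successful responses, whereas `Header always unset` also clears the table that modules such as Passenger write into and that is kept for non-2xx responses, which is why only the `always` form removed these headers. The `<IfModule>` guard is dropped on purpose, following the advice in the other answers, so that a missing mod_headers makes Apache refuse to start instead of silently leaving the headers in place.

```apache
<VirtualHost *:80>

  ServerAdmin webmaster@example.com
  ServerName  example.com
  ServerAlias www.example.com

  DocumentRoot /home/deploy/public_html/railsapp/current/public

  LogLevel warn
  ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
  CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

  # Suppress Phusion Passenger HTTP headers on every response.
  # "always" covers the header table that backend modules populate and that
  # survives on redirects and error responses (3xx/4xx/5xx); plain "unset"
  # only touches the table used for 2xx responses, so the headers leaked.
  # No <IfModule> wrapper: if mod_headers is not loaded, these lines fail
  # loudly at start-up rather than being skipped.
  Header always unset X-Runtime
  Header always unset X-Powered-By

</VirtualHost>
```

Verify with both a normal and an error response, since the two go through different header tables: `curl -sI http://example.com/` and `curl -sI http://example.com/no-such-page` should show neither X-Runtime nor X-Powered-By.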

I don't have an Apache install to hand but <Location *> looks suspect. The docs say:

The URL may use wildcards. In a wild-card string, ? matches any single character, and * matches any sequences of characters. Neither wildcard character matches a / in the URL-path.

I suspect you're not matching any URLs. Try:

<Location />
  <IfModule mod_headers.c>
    Header unset X-Runtime
    Header unset X-Powered-By
  </IfModule>
</Location>
markdrayton
  • Thanks Mark. I tried this, but unfortunately it doesn't work. – John Topley Aug 02 '09 at 09:11
  • Hm! Tried running in debug mode? httpd -X -c "LogLevel debug" might throw something up. You could also try removing the IfModule in case the module is silently failing to load for some reason. Also, see this: http://groups.google.com/group/phusion-passenger/browse_thread/thread/2ca00a1f43c4c96d?pli=1 – markdrayton Aug 02 '09 at 12:52

Leaving aside that it's still really easy to determine the server, at least to coarse versions, even without headers, and that the "script kiddies" just try all attacks and don't bother to check versions anyway.

What happens if you remove the line and just leave the commands?

I'd wonder if it's even being loaded; try adding a static header to verify.

LapTop006