mjhjmtu

One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:

HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html

I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:

<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>

After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.

I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.

UPDATE:

Once you get mod_security installed, you only need a few directives:

<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>

That's for mod_security 2.7.7

The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.

With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."

mod_security is great, but you don't really need it to achieve your goal.

after all mods have been included in httpd.conf you can simply unset the headers of your choosing.

Header unset Server

ServerSignature Off
ServerTokens Prod

http://httpd.apache.org/docs/2.4/mod/core.html#serversignature

Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do

grep -Ri servertokens /etc/apache2

This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.

I simply changed the directives in security.conf and Apache started working as I wanted.

ServerTokens Prod
ServerSignature Off

On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.

I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.

I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..

Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.

ServerTokens none

The response header would look like this:

HTTP/1.1 200 OK

Date: Mon, 28 Dec 2015 07:02:45 GMT

Server:

Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT

.

.