httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fran├žois" <francois.pe...@gmail.com>
Subject Re: [PATCH 40026] ServerTokens Off
Date Fri, 04 Aug 2006 04:40:32 GMT
If I recall correctly, the part of the core responsible for adding the HTTP
header "Server:" is :

    /* keep the set-by-proxy server header, otherwise
     * generate a new server header */
    if (r- proxyreq != PROXYREQ_NONE) {
        server = apr_table_get(r- headers_out, "Server");
        if (server) {
            form_header_field(&h, "Server", server);
        }
    }
    else {
        form_header_field(&h, "Server", ap_get_server_version());
    }

It does not look the type of proxyreq (PROXYREQ_PROXY, PROXYREQ_REVERSE or
PROXYREQ_RESPONSE), so if httpd is configured as a proxy, if I'm not
mistaking about this part of the code, and if you use mod_header, you can
change this "Server:" too. (Yes I'm too lazy to do the test right now).

2006/8/3, William A. Rowe, Jr. <wrowe@rowe-clan.net>:
>
> Fran├žois wrote:
> >
> >> If the response is being forwarded through a proxy, the proxy
> application
> >> MUST NOT modify the Server response-header.
> >
> > I think that if you configure your httpd in a [reverse] proxy mode,
> > mod_header allow you to modify "Server:", so it is not a problem if a
> > new directive allows users to change this, at it could already be
> > modified with an existing module.
>
> if you mean, in a "reverse" proxy mode, you are right.  A reverse proxy
> deliberately doesn't follow the RFC, it's transparent, and would be
> entirely
> appropriate to modify any headers as if this machine were the origin
> server.
>
> But not in the case of "forward" proxy mode - that's what the RFC spelled
> out.
>
>
>


-- 
*Francois Pesce*

Mime
View raw message