Solved

Apache Server Etag header had an information disclosure

Posted on 2016-10-11
Last Modified: 2016-10-30
We recently had a scan done on our system and one of the findings was the title of this question. We are running Windows 2008 R2 w/Apache. The suggestion to fix the issue is "Modify the http Etag header of the web server to not include file inodes in the Etag header calculation".

I found some articles suggesting how to do this; however, I'm not seeing what they do in their httpd.conf file. Any suggestions would be appreciated.

Thanks
Question by:bankadmin

Accepted Solution

by:
Dr. Klahn earned 500 total points (awarded by participants)
ID: 41838957
See http://www.askapache.com/htaccess/apache-speed-etags/, which gives an example that can be included in either a .htaccess file or in httpd.conf.

As a side note, this is not the only information leak out of Apache.  See also http://www.miim.com/thebside/security/serverfield2.html

Author Comment

by:bankadmin
ID: 41839021
The top one is an article I had found also. I can't find a .htaccess file on my server.
This server is running my admin console for AV, and that is what installed Apache on the server as part of the console. I'm certainly not a web admin, so I'm a little confused about what to look for next.

Expert Comment

by:Dr. Klahn
ID: 41839025
There will not be a .htaccess file unless you have installed one.  In that case, install the commands in the httpd.conf file.

Author Comment

by:bankadmin
ID: 41839056
The httpd.conf file is 16 pages long; 95%+ of it is commented out. I'm not really sure where to enter the commands in the file. Are these the commands you are referring to? I

Header unset ETag
FileETag None

Expert Comment

by:Dr. Klahn
ID: 41839070
Those are the ones.

IMO: If the httpd.conf is that large, and you don't know where to install the lines, then you should call in someone who knows Apache site configuration who can do this for you. It will not do to just drop them in anywhere.

Expert Comment

by:Dr. Klahn
ID: 41865738
EE email requested stale question closure.
Question has a verified solution.
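
An added example, not part of the original thread: a way to check, after FileETag has been changed, whether the ETag values a server returns still look like they carry an inode. It is a field-count heuristic that assumes Apache's hex inode-size-mtime layout; the function names and the sample header values are constructed for illustration.

```python
import re

# Assumption: Apache file ETags are hex fields joined by "-", in the order
# inode, size, mtime (only the parts FileETag enables); mod_deflate may add "-gzip".
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_etag(value):
    """Classify one ETag header value (None if the header was not sent)."""
    if value is None or not value.strip():
        return "absent", {}
    tag = value.strip()
    if tag.startswith("W/"):          # weak validator prefix
        tag = tag[2:]
    tag = tag.strip('"')
    if tag.endswith("-gzip"):         # suffix appended when the body is compressed
        tag = tag[: -len("-gzip")]
    fields = tag.split("-")
    if not all(_HEX.match(f) for f in fields):
        return "not-apache-style", {}
    numbers = [int(f, 16) for f in fields]
    if len(numbers) == 3:             # inode-size-mtime: inode is being disclosed
        return "inode-exposed", dict(zip(("inode", "size", "mtime_us"), numbers))
    if len(numbers) == 2:             # two fields: treated as size-mtime, no inode
        return "no-inode", dict(zip(("size", "mtime_us"), numbers))
    return "not-apache-style", {}


# Constructed sample values, not captured from any real server.
SAMPLES = {
    "FileETag INode MTime Size": '"1a2b3c-2d-53e1f0a4b8c40"',
    "FileETag MTime Size": '"2d-53e1f0a4b8c40"',
    "FileETag MTime Size + compression": 'W/"2d-53e1f0a4b8c40-gzip"',
    "FileETag None / Header unset ETag": None,
    "application-generated tag": '"v1.7-build42"',
}


def audit(samples):
    """Map each sample name to its verdict."""
    return {name: classify_etag(value)[0] for name, value in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:18} {name}")
```

Feed it the ETag value from a response to a static file before and after the configuration change; "absent" or "no-inode" is the result the scan finding asks for.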
