Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Apache Server Etag header had an information discloser

Posted on 2016-10-11
6
49 Views
Last Modified: 2016-10-30
We recently had a scan done on our system and one of the findings was the title of this question. We are running windows 2008 r2 w/Apache.  The suggestion to fix the issue is "Modify the http Etag header of the web server to not include file inodes in the Etag header calculation".

I found some articles suggesting how to do this however Im not seeing what they do in there httpd.conf file. Any suggestions would be appreciated.

Thanks
0
Comment
Question by:bankadmin
  • 4
  • 2
6 Comments
 
LVL 26

Accepted Solution

by:
Dr. Klahn earned 500 total points (awarded by participants)
ID: 41838957
See http://www.askapache.com/htaccess/apache-speed-etags/, which gives an example that can be included in either a .htaccess file or in httpd.conf.

As a side note, this is not the only information leak out of Apache.  See also http://www.miim.com/thebside/security/serverfield2.html
0
 

Author Comment

by:bankadmin
ID: 41839021
the top one is an article I had found also. I cant find a htaaccess file on my server.
This server is running my admin console for AV and that is what installed the apache on the server as part of the console. Im certainly not a web admin so Im a little confused on what to look for next.
0
 
LVL 26

Expert Comment

by:Dr. Klahn
ID: 41839025
There will not be a .htaccess file unless you have installed one.  In that case, install the commands in the httpd.conf file.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:bankadmin
ID: 41839056
The httpd.conf file is 16 pages long 95%+ of it is commented out. Im not really sure where to enter the commands in the file. Are these the commands you are referring to? I

 Header unset ETag
FileETag None
0
 
LVL 26

Expert Comment

by:Dr. Klahn
ID: 41839070
Those are the ones.

imo:  If the httpd.conf is that large, and you don't know where to install the lines, then you should call in someone who knows Apache site configuration who can do this for you.  It will not do to just drop them in anywhere.
0
 
LVL 26

Expert Comment

by:Dr. Klahn
ID: 41865738
EE email requested stale question closure.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question