Modify "server" header #143

Open
dontcrash opened this issue Apr 24, 2023 · 14 comments
Assignees
Labels
enhancement New feature or request stale We are closing this soon unless some takes care

Comments

@dontcrash

Is it possible to use SecServerSignature/ServerSignature to modify the server header to not give potential attackers extra info?

@franbuehler
Contributor

We're already setting the ServerTokens to Prod. This is the right directive to set the response header.
But this only affects the server header set by the Apache reverse proxy.
If the backend sends its own Server response header, this one is returned.

If we want to override the server response header sent by the backend with the server header Server: Apache we need to do an unset. We could add this to our container:

echo -e "\nHeader unset Server" >> conf/extra/httpd-default.conf

What do you think @theseion and @fzipi?

@theseion
Contributor

I think I'd rather add three new environment variables APACHE_SERVER_TOKENS, APACHE_SERVER_SIGNATURE, and MODSEC_SERVER_SIGNATURE and give the user full control over the proxy.
And then, of course, an additional variable UNSET_PROXIED_HEADERS (or something like that), that takes a list of headers to unset, as you suggest. Ideally, this could also be used to achieve a similar effect for nginx.
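Added example, not the modsecurity-crs-docker project's own code: a hypothetical sh entrypoint helper that turns the variables proposed above (APACHE_SERVER_TOKENS, APACHE_SERVER_SIGNATURE, MODSEC_SERVER_SIGNATURE, UNSET_PROXIED_HEADERS) and the `Header unset` approach from the previous comment into Apache directives. The variable names come from this thread; the function name, the defaults and the whitelist validation (so an environment value cannot smuggle extra directives into httpd.conf) are my assumptions.

```shell
#!/bin/sh
# Hypothetical entrypoint helper (not the project's code): render Apache directives
# from the environment variables proposed in this issue. Defaults keep the current
# container behaviour (ServerTokens Prod, ServerSignature Off).

# Whitelist every value so a stray or attacker-influenced environment variable
# cannot inject additional directives (e.g. via an embedded newline).
valid_server_tokens() {
  case "$1" in Prod|Major|Minor|Min|OS|Full) return 0 ;; *) return 1 ;; esac
}
valid_on_off() {
  case "$1" in On|Off) return 0 ;; *) return 1 ;; esac
}
# Header field names: plain token characters only (newlines and ';' are rejected).
valid_header_name() {
  case "$1" in ''|*[!A-Za-z0-9-]*) return 1 ;; *) return 0 ;; esac
}
# The signature is emitted inside double quotes, so quotes, backslashes,
# spaces and newlines are all refused.
valid_signature() {
  case "$1" in *[!A-Za-z0-9./_-]*) return 1 ;; *) return 0 ;; esac
}

render_proxy_header_conf() {
  tokens="${APACHE_SERVER_TOKENS:-Prod}"
  signature="${APACHE_SERVER_SIGNATURE:-Off}"
  modsec_signature="${MODSEC_SERVER_SIGNATURE:-}"

  valid_server_tokens "$tokens" || { echo "bad APACHE_SERVER_TOKENS" >&2; return 1; }
  valid_on_off "$signature" || { echo "bad APACHE_SERVER_SIGNATURE" >&2; return 1; }
  printf 'ServerTokens %s\n' "$tokens"
  printf 'ServerSignature %s\n' "$signature"

  # SecServerSignature only rewrites the Server header Apache itself generates;
  # the ModSecurity docs require ServerTokens Full for it to take effect.
  if [ -n "$modsec_signature" ]; then
    valid_signature "$modsec_signature" || { echo "bad MODSEC_SERVER_SIGNATURE" >&2; return 1; }
    printf 'SecServerSignature "%s"\n' "$modsec_signature"
  fi

  # One "Header unset" per comma-separated name. Unlike ServerTokens, this also
  # strips a Server header that the proxied backend put into its response.
  old_ifs=$IFS; IFS=','
  for h in ${UNSET_PROXIED_HEADERS:-}; do
    h=$(printf '%s' "$h" | tr -d ' ')
    [ -z "$h" ] && continue
    valid_header_name "$h" || { echo "bad header name: $h" >&2; IFS=$old_ifs; return 1; }
    printf 'Header unset %s\n' "$h"
  done
  IFS=$old_ifs
}
```

The rendered output can be appended to conf/extra/httpd-default.conf in the same way as the one-liner in the previous comment.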

@franbuehler
Contributor

Good suggestion, thank you!
To be honest, I was thinking of environment variables too.
I'll try and open a PR for that. I would like to work with our containers a bit more again. I'll self assign this issue.

@franbuehler franbuehler self-assigned this Apr 25, 2023
@fzipi fzipi added the enhancement New feature or request label Jun 9, 2023
@fzipi
Member

fzipi commented Jun 17, 2023

Any news on this?

@franbuehler
Contributor

franbuehler commented Jun 18, 2023

I have a PR ready, but I'm not able to build the container locally to test it.
The Build at GitHub has the same problem: #151

@fzipi
Member

fzipi commented Oct 2, 2023

@franbuehler Any news on this one? Was this solved by #151?

@theseion
Contributor

theseion commented Oct 2, 2023

I think this issue should have been fixed with #151. Not sure if something's still missing though.

@franbuehler
Contributor

Almost done ;-)
I need to implement steps 2 and 3 of my plan.
But I didn't work on this. I will do.

@fzipi
Member

fzipi commented Dec 13, 2023

Ping @franbuehler ...

@audunru

audunru commented Dec 30, 2023

For nginx, I've been able to build additional modules using a Dockerfile such as this to get rid of the Server header. It's based on the modsecurity-crs-docker image, and builds the module using the same version of nginx so that you don't run into problems with different versions that you can get if you try to install the modules using apk.

This example is using ngx_security_headers, but I've also tried headers-more and it works just as well.

ARG MODSECURITY_TAG="3.3-nginx-alpine-202312070812"

# Build stage: same image as the runtime stage, so NGINX_VERSION (set by the
# base image) matches the binary the module will be loaded into.
FROM owasp/modsecurity-crs:${MODSECURITY_TAG} as build

ARG SECURITY_HEADERS_VERSION="0.1.0"

RUN apk add --no-cache alpine-sdk pcre-dev pcre2-dev

# Fetch the nginx source for exactly the version shipped in the image.
RUN wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
RUN tar -xzvf nginx-${NGINX_VERSION}.tar.gz

# Fetch the module source (the GitHub tag archive is saved as <version>.tar.gz).
RUN wget https://github.com/GetPageSpeed/ngx_security_headers/archive/refs/tags/${SECURITY_HEADERS_VERSION}.tar.gz
RUN tar -xzvf ${SECURITY_HEADERS_VERSION}.tar.gz

# Build only the dynamic module; && instead of ; so a failed configure or
# make aborts the image build instead of copying a stale or missing .so.
RUN cd nginx-${NGINX_VERSION} && \
  ./configure --with-compat \
    --add-dynamic-module=../ngx_security_headers-${SECURITY_HEADERS_VERSION} && \
  make modules && \
  cp objs/ngx_http_security_headers_module.so /etc/nginx/modules/

# Runtime stage: only the compiled module is carried over, not the toolchain.
FROM owasp/modsecurity-crs:${MODSECURITY_TAG}

COPY --from=build /etc/nginx/modules/ngx_http_security_headers_module.so /etc/nginx/modules/ngx_http_security_headers_module.so

You will also have to update your nginx config to load the module and configure it.

@fzipi
Member

fzipi commented Jan 27, 2024

Awesome @audunru! Do you want to push a PR that might help fix this one?

@fzipi
Member

fzipi commented Feb 11, 2024

ping @franbuehler @audunru

@franbuehler
Contributor

Still on my table. I want to start working on this!

@fzipi
Member

fzipi commented Apr 23, 2024

Hey @franbuehler. Do you have time to work on this, do we close, what's next?

@fzipi fzipi added the stale We are closing this soon unless some takes care label May 8, 2024