Stop response from sending server version

jlezard

Feb 3, 2012, 9:49:29 AM
to spray-user
Hello,

After cloning spray template and adding a directive, I tried the
following:
--------------------
telnet ipaddress port
GET /getSomething HTTP/1.0


(on purpose I am going for an error here) in reply I get:

HTTP/1.1 404 Not Found
Content-Type: text/plain
Content-Length: 57
Server: Jetty(8.0.3.v20111011)

Request is missing required query parameter 'userId'Connection closed
by foreign host.

--------------------

Some say this is not good: much too much information is replied and
returning server version is potentially dangerous. So I got along to
try and change things.

Long story is below, short story is how to make this reply as concise
as possible and not reveal all the information like server name...?

Thanks a lot,

Joe


Long story:

For configuring Jetty it seems (https://github.com/siasia/xsbt-web-plugin/wiki)
one should add to the spray-template a build.sbt file (Build.scala and
build.sbt add up according to
https://github.com/harrah/xsbt/wiki/Getting-Started-Full-Def) with the
following content:

customConfiguration in container.Configuration := true

configurationFiles in container.Configuration := Seq(file("./src/main/webapp/WEB-INF/jetty.xml"))

So now in my WEB-INF folder I have jetty.xml file and a web.xml file.

Then according to
(http://attenuated-perspicacity.blogspot.com/2009/09/jetty-61x-hardening.html)
one can edit the jetty.xml by adding:

<Set name="sendServerVersion">false</Set>

Then sadly it says:

----------
telnet ipaddress port
GET /getSomething HTTP/1.0
HTTP ERROR: 404

Problem accessing /. Reason: Servlet Not Initialized

---------

So it seems it reads the jetty.xml file but it doesn't understand how
to get the servlet started. My handler in jetty looks like.

<Set name="handler">
  <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <Set name="handlers">
      <Array type="org.eclipse.jetty.server.Handler">
        <Item>
          <New id="SprayHandler" class="org.eclipse.jetty.servlet.ServletContextHandler">
            <Set name="contextPath">/</Set>
            <Call name="addServlet">
              <Arg>cc.spray.connectors.Jetty7ConnectorServlet</Arg>
              <Arg>/*</Arg>
            </Call>
          </New>
        </Item>
        <Item>
          <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
        </Item>
      </Array>
    </Set>
  </New>
</Set>

Although this must seem fairly obvious I am very new to this jetty
mumbo jumbo.

Any hint/help very much appreciated,

Thanks,

Joe


Mathias

Feb 6, 2012, 6:20:21 AM
to spray...@googlegroups.com
Joe,

I'm not that familiar with configuring Jetty, but I could imagine that switching to "jetty.xml"-based config in your case "disables" the configuration via the web.xml,
which is why Jetty doesn't see Servlet configuration anymore...

Maybe someone with more Jetty experience can chip in ?

Cheers,
Mathias

---
mat...@spray.cc
http://www.spray.cc

Chris Carrier

Feb 6, 2012, 12:43:51 PM
to spray...@googlegroups.com
Hey Joe have you tried adding your web.xml into your config as well?
Something like:

configurationFiles in container.Configuration :=
  Seq(file("./src/main/webapp/WEB-INF/jetty.xml"),
      file("./src/main/webapp/WEB-INF/web.xml"))

This is just a thought I've not tried it.

Chris

jlezard

Feb 12, 2012, 1:39:25 PM
to spray-user
Hello Chris, hello Mathias,

So I had given a try to adding the web.xml to the configurationFiles,
when I did it gave me the error:

er:start: java.lang.IllegalStateException: Unknown configuration type:
web-app in org.eclipse.jetty.xml.XmlConfiguration@891d76

Note that I really have no preference for using Jetty over some other
server. I checked out spray-can server it also replies the server
version, is there a way to change this ?

---------

HTTP/1.1 200 OK
Content-Type: text/plain
Server: spray-can/0.9.2
Date: Sun, 12 Feb 2012 18:34:13 GMT
Content-Length: 5

---------

From what I am told sending the server name is a security issue, maybe
I was told wrong ?

Thanks a lot,

Joe

Mathias

Feb 12, 2012, 2:53:44 PM
to spray...@googlegroups.com
Joe,

you can change the spray-can server header by setting the
"spray-can.server.server-header" config value in your akka.conf.

If you set it to the empty string ("") then the HttpServer will not render a Server header at all.

Cheers,
Mathias

---
mat...@spray.cc
http://www.spray.cc
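
A way to confirm the setting took effect is to check captured responses for banner headers. The following is an added example, not part of the original thread or of spray: it runs over the two responses quoted in the thread plus a constructed "after" response, and the header list and version pattern are assumptions of this example.

```python
import re

# Headers checked for product banners (a choice made for this example).
BANNER_HEADERS = ("server", "x-powered-by")
# Product token followed by a version, e.g. "spray-can/0.9.2" or "Jetty(8.0.3...)".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*\s*[/(]\s*v?\d+(?:\.\d+)+")

# The two responses quoted in the thread, rebuilt with CRLF line endings.
JETTY_BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 57\r\n"
    "Server: Jetty(8.0.3.v20111011)\r\n"
    "\r\n"
    "Request is missing required query parameter 'userId'"
)
SPRAY_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Server: spray-can/0.9.2\r\n"
    "Date: Sun, 12 Feb 2012 18:34:13 GMT\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
)
# Constructed: the same response once the Server header is no longer rendered.
SPRAY_AFTER = SPRAY_BEFORE.replace("Server: spray-can/0.9.2\r\n", "")


def parse_headers(raw):
    """Return (name, value) pairs from the header section of a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    pairs = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def banner_findings(raw):
    """List every banner header that discloses a product name or version."""
    findings = []
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS and value:
            level = "version" if VERSION_RE.search(value) else "product"
            findings.append(f"{name}: {value} [{level} disclosed]")
    return findings


if __name__ == "__main__":
    for label, raw in [("jetty", JETTY_BEFORE), ("spray-can", SPRAY_BEFORE), ("after", SPRAY_AFTER)]:
        print(label, banner_findings(raw) or "no banner headers")
```

The header section is split from the body before scanning, so a body line that happens to look like a header is not reported.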
