Apache servers will not reporting version anymore

In order to make it more difficult to know which httpd server is running, here is a change to reduce the ServerTokens OS to ServerTokens Prod and the ServerSignature On to ServerSignature Off. This removes ServerName and version report on page footer and reduces the detail of the httpd server running in the headers to "Apache". These options can be overwritten by an user variable Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b Closes-Bug: #1484256
2015-08-19 14:19:32 +02:00 · 2015-08-19 14:19:32 +02:00 · 1d2c19d840
commit 1d2c19d840
parent 87655627ff
4 changed files with 42 additions and 0 deletions
--- a/playbooks/roles/os_horizon/defaults/main.yml
+++ b/playbooks/roles/os_horizon/defaults/main.yml
@ -49,6 +49,8 @@ horizon_lib_dir: /usr/local/lib/python2.7/dist-packages
 horizon_endpoint_type: internalURL

 horizon_server_name: "horizon"
+horizon_apache_servertokens: "Prod"
+horizon_apache_serversignature: "Off"
 horizon_log_level: info
 horizon_dropdown_max_items: 30
 horizon_time_zone: UTC
--- a/playbooks/roles/os_horizon/tasks/horizon_apache.yml
+++ b/playbooks/roles/os_horizon/tasks/horizon_apache.yml
@ -63,3 +63,21 @@
  notify: Restart apache2
  tags:
    - horizon-apache-config
+
+- name: Ensure Apache ServerTokens
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerTokens'
+    line: "ServerTokens {{ horizon_apache_servertokens }}"
+  notify: Restart apache2
+  tags:
+    - horizon-apache-config
+
+- name: Ensure Apache ServerSignature
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerSignature'
+    line: "ServerSignature {{ horizon_apache_serversignature }}"
+  notify: Restart apache2
+  tags:
+    - horizon-apache-config
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@ -124,6 +124,8 @@ keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"

 ## Apache setup
 keystone_apache_log_level: info
+keystone_apache_servertokens: "Prod"
+keystone_apache_serversignature: "Off"
 keystone_wsgi_threads: "{{ ansible_processor_vcpus | default(2) // 2 }}"
 keystone_wsgi_processes: "{{ ansible_processor_vcpus | default(1) }}"

--- a/playbooks/roles/os_keystone/tasks/keystone_apache.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_apache.yml
@ -57,6 +57,26 @@
  tags:
    - keystone-httpd

+- name: Ensure Apache ServerTokens
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerTokens'
+    line: "ServerTokens {{ keystone_apache_servertokens }}"
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-httpd
+
+- name: Ensure Apache ServerSignature
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerSignature'
+    line: "ServerSignature {{ keystone_apache_serversignature }}"
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-httpd
+
 - name: Enable/disable mod_ssl for apache2
  apache2_module:
    name: ssl