
18 Nov 08 Creating a Custom ServerSignature in Apache

By default, Apache reveals its version number in a couple of ways. Most often the server version is returned in the Server response header, and it is also printed in the default footer of directory listings generated by the handy mod_autoindex module.

Revealing the server type and version number can make it easy to identify servers vulnerable to attacks affecting a given web server version. Hiding or changing the server signature won't make a system inherently more secure, but it will make it less visible, since most machines readily give up their version numbers. Perhaps you want to display a message to the users in an auto-indexed section of your website. You can set up a "readme" file and tell Apache to include it as a footer on auto-index pages with the ReadmeName directive. What if you wanted to hard-code a message, or even display a message after a readme file has been included?

For that, you need to modify the Apache source...

First, these directives will disable the display of version numbers & installed modules:

ServerSignature Off

ServerTokens Prod
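
To confirm the two directives took effect, the response can be checked for leftover version tokens. The script below is an added example, not part of the original post; the function names and both sample responses are constructed for illustration, using the 2.2.10 version mentioned in this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved HTTP response
# for Apache version disclosure in the Server header and autoindex footer.

# Print the Server response header value (empty if the header is absent).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Print the text inside the stock <address>...</address> signature footer.
signature_footer() {
    printf '%s\n' "$1" |
        sed -n 's/.*<address>\(.*\)<\/address>.*/\1/p' | head -n 1
}

# Succeed when the text holds a product/version token such as Apache/2.2.10.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '[A-Za-z_]+/[0-9]+(\.[0-9]+)*'
}

# Report each disclosure; return 1 if any was found, 0 if the response is clean.
audit_response() {
    found=0
    hdr=$(server_header "$1")
    sig=$(signature_footer "$1")
    if leaks_version "$hdr"; then
        echo "Server header discloses version: $hdr"; found=1
    fi
    if leaks_version "$sig"; then
        echo "Autoindex footer discloses version: $sig"; found=1
    fi
    return "$found"
}

# Constructed sample: stock build with ServerTokens Full, ServerSignature On.
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.2.10 (Unix)
Content-Type: text/html

<address>Apache/2.2.10 (Unix) Server at www.example.com Port 80</address>'

# Constructed sample: ServerTokens Prod and ServerSignature Off applied.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

</body></html>'
```

To audit your own server, pass audit_response the output of curl -si for one of its auto-indexed directories instead of the samples.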

Now, to customize the sig: a function called ap_psignature generates the default ServerSignature footer. I never intended to use the "Email" feature of the signature, so I removed it.

This is what the function looks like after I've modified it to include a link to the homepage of the site (source version 2.2.10); change to suit.
Open: server/core.c
Look for: ap_psignature

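AP_DECLARE(const char *) ap_psignature(const char *prefix, request_rec *r)
{
    char sport[20];
    core_dir_config *conf;

    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                   &core_module);
    /* With ServerSignature Off or unset nothing is emitted, so the custom
     * text below appears only where the signature is enabled. */
    if ((conf->server_signature == srv_sig_off)
            || (conf->server_signature == srv_sig_unset)) {
        return "";
    }

    /* Port string kept from the stock function; not used in the string
     * built below. */
    apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));

    /* The server name is HTML-escaped before it goes into the markup.
     * The href is the bare server name with no scheme, so browsers resolve
     * it as a relative link unless a scheme is prepended here. */
    return apr_pstrcat(r->pool, prefix, " Visit our homepage: <a href=\"",
                       ap_escape_html(r->pool, ap_get_server_name(r)),
                       "\">", ap_escape_html(r->pool, ap_get_server_name(r)), "</a>",
                       "\n", NULL);
}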
 

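To always display the footer, even when a Readme file is used (it will appear below the readme block), edit mod_autoindex.
Open: modules/generators/mod_autoindex.c
Find this block and comment out the if (!suppress_sig) test and its closing brace, leaving the ap_rputs call in place so the signature is always written:

if (!suppress_sig) {
    ap_rputs(ap_psignature("", r), r);
}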
 

Now you want to build the application as you normally would when compiling from source.  Start it up after the install and you should see your message appear on generated autoindex pages! Changing the source is never a first option, but luckily Apache is open source and easy to modify!


