Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
I want to hide server/PHP version details from hackers/spammers etc when they view an HTTP response etc.
X-Powered-By:PHP/5.2.6-1+Squeezy
I have read articles like ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/
And others that say to add
ServerSignature Off
ServerTokens ProductOnly
To my Apache2.conf file, which I have done at the bottom of the file as well as turning off the expose_php option in php.ini etc
expose_php = Off
However even after reloads and restarts of Apache I still see this Response Header.
I am behind Cloudflare so don't know if they have the ability to override my settings or why they would want to.
Does the position of my directives in the Apache.conf file matter?
Are there other files I need to check?
What can I do to ensure this header is hidden from probers etc.
Thanks
I'll be honest in that you're fighting a losing battle here. You're using PHP 5.2.6, which is not only not the latest release of 5.2 (5.2.11), it's been EOL for 4+ years. It sounds like hackers are finding the header and attacking your machine. The problem is that even if you somehow remove the header this will not make your machine more secure. Any vulnerabilities in 5.2 are not being patched. All you're doing is making the problem less obvious.
Cloudflare does not add server headers, nor can they change your server settings.
As to turning it off, you probably did not edit the right file:
settings from /etc/apache2/conf.d/security will overwrite ServerSignature / ServerTokens settings set in /etc/apache2/apache2.conf.
I think you edited the wrong php.ini file. You have to edit /etc/php5/apache2/php.ini and then set expose_php to 'off' in order to make it work.
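The checks the answers above point to, as an added example that is not part of the original posts: list every active definition of the three settings across a config tree, then confirm whether a response still carries a versioned header. The temp directory and the sample headers are constructed; on a host laid out as in the answers you would pass /etc/apache2 and /etc/php5 instead, and the "value contains a digit" test is a heuristic assumed here.

```shell
#!/bin/sh
# Added example. Function names and all sample data are constructed.

# Print file:line:text for every uncommented ServerTokens, ServerSignature
# or expose_php setting under a directory, so duplicates in other files show.
find_disclosure_settings() {
  grep -rniE '^[[:space:]]*(ServerTokens|ServerSignature|expose_php)([[:space:]]|=)' "$1" | sort
}

# Read raw response headers on stdin and print any Server / X-Powered-By
# header whose value contains a digit. Exit status 0 means a leak was found.
leaky_headers() {
  tr -d '\r' | grep -iE '^(server|x-powered-by)[[:space:]]*:.*[0-9]'
}

# Build a constructed tree that mirrors the paths named in the answers:
# the file that was edited says one thing, the file that wins says another.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/apache2/conf.d" "$root/php5/apache2" "$root/php5/cli"
  printf 'ServerSignature Off\nServerTokens ProductOnly\n' > "$root/apache2/apache2.conf"
  printf '#ServerTokens Minimal\nServerTokens OS\nServerSignature On\n' > "$root/apache2/conf.d/security"
  printf 'expose_php = On\n'  > "$root/php5/apache2/php.ini"
  printf 'expose_php = Off\n' > "$root/php5/cli/php.ini"
  echo "$root"
}

# Demo run on the constructed data.
demo_root=$(make_sample_tree)
echo "Definitions found:"
find_disclosure_settings "$demo_root"
echo "Headers still disclosing a version:"
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By:PHP/5.2.6-1+Squeezy\r\n\r\n' | leaky_headers
rm -rf "$demo_root"
```

In practice the headers would come from something like `curl -sI` against the origin server, piped into `leaky_headers`.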
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I've recently switched to my own cloud server and am not 100% sure what the optimal settings to run mostly WordPress sites would be. The OS I'm running is CloudLinux 6.1 x64.
A few things I'm not sure about:
Run PHP as: PHP as an Apache Module or PHP as CGI
And also if I should choose to activate "SSI".
The last thing I'm not so sure about is under PHP configurations: should I select to activate "register_globals"?
Any help would be greatly appreciated.
If you are using Apache, running PHP as an Apache module has a performance benefit over running PHP as CGI.
SSI is server-side includes, and is likely referring to the feature of Apache. You do not need to enable this.
Regarding register_globals, absolutely do not enable this. It is a security flaw required for backwards compatibility of some ancient (10+ year old) PHP scripts. If this is even an option for you, your version of PHP is out of date and shouldn't be used. register_globals was removed in PHP 5.4. http://www.php.net/manual/en/security.globals.php
Fairly standard would be - run as Apache module, do not activate register_globals unless you know what you're doing and know why you need it, SSI is optional as well.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I'm using WAMP and wanted to know if it's ok for the forbidden page to show the services (Apache/PHP) and their version numbers? Is this standard practice?
Thanks
I think for a development system this is good practise while for a production system you should deactivate this feature. To do this you have to change the following lines in your httpd.conf/apache.conf:
ServerSignature off
ServerTokens prod
You would also have to set
expose_php off
in your php.ini to prevent php from showing the php version.
The names of services (Apache/PHP) and their version numbers, shown on the 403 Forbidden and other error pages like that (404 Not Found, "Internal Server Error", etc.), are called the server signature.
Since WAMP is a local development environment there is no problem with it.
But for a production server, it's not at all a good practice, since every version of Apache or PHP has some points of weakness. These may be exploited by a malicious hacker.
You can disable the server signature by editing your apache2.conf/httpd.conf file.
Add the following lines at the end of the file and restart Apache:
ServerSignature Off
ServerTokens Prod
Back to your question of whether or not it's a standard practice to show the server signature on error pages: well, for a development environment it's a standard practice. But for production servers, "No, it's not a good or standard practice."
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I was wondering why my system says it is running the php from the /etc/php5/apache2/php.ini
directory when in fact it was running it from the /etc/php5/cli/php.ini .
When I did a phpinfo() on a file in the directory of the folder, I received this; however, the changes to the configuration file weren't impacting the server until I searched the whole system for a php.ini file and found the php.ini file under the cli/ directory:
Hopefully you can see it. I wasn't sure exactly how to put in onto SO.
It's intentional, so you can easily have a different configuration depending on your runtime environment.
In your environment, when PHP runs in command-line mode it uses /etc/php5/cli/php.ini.
When you access it from a browser, PHP is running from Apache. So then /etc/php5/apache2/php.ini is used.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
There may be many reasons. But I can find only these.
By creating a vhost we maintain the same file structure as on the server.
We can have several server instances on one machine.
But do these really matter? I doubt it myself.
What is the difference between keeping a separate folder in localhost vs having a separate vhost in localhost and deploying to the server?
Are there any other reasons to add (or are these not the reasons at all)?
Thanks in advance.
Because your first point is the biggest reason.
If you have http://localhost/devel vs http://devel.local, your relative pathing can get all screwed up.
If you had a developer who wanted to make a home link they may do Home
This will redirect you to the root folder on localhost and you won't end up where you should be.
It is also a separation of concerns. If you do a vhost you know you are only within that project. Another thing is, if, say, you had a .htaccess file in localhost, it would affect settings in your project folder if you did not override the .htaccess in your project folder.
Another reason is subdomains: you cannot really mimic subdomains with folders without using a .htaccess; it is much easier with vhosts.
You always want to mimic production as closely as possible, otherwise you will run into bugs on production that you will spend minutes/hours/days debugging that you might not have run into if you had mimicked the environment in the first place.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question does not appear to be about programming within the scope defined in the help center.
I had mod_pagespeed installed on my previous server. I didn't use it and disallowed via .htaccess because after some testing it turned out that it actually slowed down my site. So it remained "disallowed" via .htaccess for a long time.
Today I moved to a new server and migrated user accounts using the cPanel VHM migration feature. Supposedly it migrates only accounts and not configuration, but I have many problems now and I suspect this is primarily due to pagespeed. It's not installed on the new server because I don't need it, but somehow various logs and console messages show that pagespeed versions of files are still requested from time to time, like the following "d14dafe2dc85d5ff8142236c3f55e0d4.pagespeed.jm.ReWsy_33cT.js", which causes random 404 errors and even 500 internal server errors.
How can it request pagespeed versions if pagespeed isn't installed? How is it possible? Can anyone explain, please?
OK, fixed it. It was a DNS problem: data was being loaded from both servers. That is, I had to wait for DNS propagation to finish.