Enhancement: Harden default reverse proxy configuration to not send it's name and version number to the client.

2020-02-11 17:10:43 +01:00 · 2020-02-11 17:10:43 +01:00 · 7a78645e3b
commit 7a78645e3b
parent deaac071cb
4 changed files with 20 additions and 1 deletions
--- a/contrib/apache2/zammad.conf
+++ b/contrib/apache2/zammad.conf
@ -6,6 +6,9 @@
    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName localhost

+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
    ## don't loose time with IP address lookups
    HostnameLookups Off

--- a/contrib/apache2/zammad_ssl.conf
+++ b/contrib/apache2/zammad_ssl.conf
@ -9,6 +9,10 @@

 <VirtualHost *:80>
    ServerName example.com
+
+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
    Redirect permanent / https://example.com
 </VirtualHost>

@ -25,6 +29,9 @@
    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName localhost

+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
    ## don't loose time with IP address lookups
    HostnameLookups Off

@ -46,7 +53,7 @@
    ProxyPass /robots.txt !
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/
-    
+
    # Use settings below if proxying does not work and you receive HTTP-Errror 404
    # if you use the settings below, make sure to comment out the above two options
    # This may not apply to all systems, applies to openSuse
--- a/contrib/nginx/zammad.conf
+++ b/contrib/nginx/zammad.conf
@ -16,6 +16,9 @@ server {
    # replace 'localhost' with your fqdn if you want to use zammad from remote
    server_name localhost;

+    # security - prevent information disclosure about server version
+    server_tokens off;
+
    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
--- a/contrib/nginx/zammad_ssl.conf
+++ b/contrib/nginx/zammad_ssl.conf
@ -21,6 +21,9 @@ server {

  server_name example.com;

+  # security - prevent information disclosure about server version
+  server_tokens off;
+
  access_log /var/log/nginx/zammad.access.log;
  error_log /var/log/nginx/zammad.error.log;

@ -38,6 +41,9 @@ server {

  server_name example.com;

+  # security - prevent information disclosure about server version
+  server_tokens off;
+
  ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;
  ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;