From 7a78645e3bc034da80743fc275f55ad31d500c52 Mon Sep 17 00:00:00 2001 From: Rolf Schmidt Date: Tue, 11 Feb 2020 17:10:43 +0100 Subject: [PATCH] Enhancement: Harden default reverse proxy configuration to not send it's name and version number to the client. --- contrib/apache2/zammad.conf | 3 +++ contrib/apache2/zammad_ssl.conf | 9 ++++++++- contrib/nginx/zammad.conf | 3 +++ contrib/nginx/zammad_ssl.conf | 6 ++++++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/contrib/apache2/zammad.conf b/contrib/apache2/zammad.conf index 8a15a3b97..03a26e095 100644 --- a/contrib/apache2/zammad.conf +++ b/contrib/apache2/zammad.conf @@ -6,6 +6,9 @@ # replace 'localhost' with your fqdn if you want to use zammad from remote ServerName localhost + # security - prevent information disclosure about server version + ServerTokens Prod + ## don't loose time with IP address lookups HostnameLookups Off diff --git a/contrib/apache2/zammad_ssl.conf b/contrib/apache2/zammad_ssl.conf index 84f352656..24d482ef4 100644 --- a/contrib/apache2/zammad_ssl.conf +++ b/contrib/apache2/zammad_ssl.conf @@ -9,6 +9,10 @@ ServerName example.com + + # security - prevent information disclosure about server version + ServerTokens Prod + Redirect permanent / https://example.com @@ -25,6 +29,9 @@ # replace 'localhost' with your fqdn if you want to use zammad from remote ServerName localhost + # security - prevent information disclosure about server version + ServerTokens Prod + ## don't loose time with IP address lookups HostnameLookups Off @@ -46,7 +53,7 @@ ProxyPass /robots.txt ! ProxyPass /ws ws://127.0.0.1:6042/ ProxyPass / http://127.0.0.1:3000/ - + # Use settings below if proxying does not work and you receive HTTP-Errror 404 # if you use the settings below, make sure to comment out the above two options # This may not apply to all systems, applies to openSuse diff --git a/contrib/nginx/zammad.conf b/contrib/nginx/zammad.conf index 72c59cdf3..836164574 100644 --- a/contrib/nginx/zammad.conf 
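Review bot: `ServerTokens` is only valid in the main server configuration (Apache documents its context as "server config"), so if the new line in contrib/apache2/zammad.conf sits inside the `<VirtualHost>` block — as the surrounding indented `ServerName localhost` and the later `ProxyPass` directives suggest; the opening `<VirtualHost` line is outside the hunk — `apachectl configtest` will reject the file with "ServerTokens not allowed here". The same placement is repeated in both VirtualHost hunks of contrib/apache2/zammad_ssl.conf (`@@ -9,6 +9,10 @@` and `@@ -25,6 +29,9 @@`), so all three should move to a global snippet instead, e.g. a conf.d file containing `ServerTokens Prod` and `ServerSignature Off`. `ServerSignature Off` is the directive that is actually allowed per virtual host and stops the version being printed in generated error pages, which `ServerTokens Prod` alone does not; note that `Prod` still emits `Server: Apache`, so the comment is accurate about the version but the commit subject's "name" is not suppressed.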
+++ b/contrib/nginx/zammad.conf @@ -16,6 +16,9 @@ server { # replace 'localhost' with your fqdn if you want to use zammad from remote server_name localhost; + # security - prevent information disclosure about server version + server_tokens off; + root /opt/zammad/public; access_log /var/log/nginx/zammad.access.log; diff --git a/contrib/nginx/zammad_ssl.conf b/contrib/nginx/zammad_ssl.conf index ed17d0d48..60349efb9 100644 --- a/contrib/nginx/zammad_ssl.conf +++ b/contrib/nginx/zammad_ssl.conf @@ -21,6 +21,9 @@ server { server_name example.com; + # security - prevent information disclosure about server version + server_tokens off; + access_log /var/log/nginx/zammad.access.log; error_log /var/log/nginx/zammad.error.log; @@ -38,6 +41,9 @@ server { server_name example.com; + # security - prevent information disclosure about server version + server_tokens off; + ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;
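Review bot: `server_tokens off;` is valid at server scope and removes the version from the `Server:` header and from nginx-generated error pages, but it still sends `Server: nginx`, so the added comment should not imply the server name is hidden; `# security - do not disclose the nginx version in the Server header and error pages` states what the directive actually does. In contrib/nginx/zammad_ssl.conf the line is repeated in both `server {` blocks (`@@ -21,6 +21,9 @@` and `@@ -38,6 +41,9 @@`); since the contrib file only ships server blocks that is the only place it can go, but a short comment noting that setting it once in the main `http {}` block makes the per-block copies redundant would help operators who merge this into an existing nginx.conf. The enclosing `server {` blocks start outside the hunks.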