Comment 2 Martin Östlund 2024-03-07 09:32:14 CET

Well, Apache, Nginx, and PHP do not hide *our Server header*, but theirs :)

Comment 5 Samuel Mannehed 2024-07-11 16:07:42 CEST

At least version 2.4.57 of Apache on RHEL 9 doesn't allow you to fully remove the `Server` header:

https://httpd.apache.org/docs/current/mod/core.html#servertokens

When set to the least verbose setting (`ServerTokens Prod`) I get the following response from Apache:

$ curl -I http://lab-109:80                                                                                                    16:06:22
HTTP/1.1 403 Forbidden
Date: Thu, 11 Jul 2024 14:06:33 GMT
Server: Apache
Last-Modified: Mon, 09 Aug 2021 11:43:42 GMT
ETag: "1715-5c91ee59c9780"
Accept-Ranges: bytes
Content-Length: 5909
Content-Type: text/html; charset=UTF-8

Comment 6 Samuel Mannehed 2024-07-11 16:15:13 CEST

Same with nginx 1.20 on RHEL 9:

https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

The header remains even with `server_tokens off;` and the web server response still shows the name "nginx":

$ curl -I http://lab-109:80
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jul 2024 14:13:28 GMT
Content-Type: text/html
Content-Length: 5909
Last-Modified: Mon, 09 Aug 2021 11:43:42 GMT
Connection: keep-alive
ETag: "611114ee-1715"
Accept-Ranges: bytes

Comment 7 Samuel Mannehed 2024-07-11 16:16:35 CEST

Given how both Apache and nginx work, I think it's safe to say that the standard behavior for this type of configuration to only remove the version numbers.

Comment 8 Samuel Mannehed 2024-07-11 16:24:37 CEST

I think that, if ThinLinc were configured to limit ServerTokens (or whatever we choose to call the parameter) in Web Access & Web Admin, it should simply respond with `Server: ThinLinc`.

Comment 9 Samuel Mannehed 2024-07-15 13:54:02 CEST

> * The configuration parameter could also hide the ThinLinc version shown in the footer of the Web Access and Web Admin pages.

We discussed if this setting also should hide the ThinLinc version (and copyright year?) in the footer of Web Admin and Web Access.

It was decided, for now, that this won't be included. Our view is that this setting is mostly about bureaucracy and making security scanners quiet. Hiding the ThinLinc version doesn't provide any real protection.

> * The configuration could allow granularity in what information is included in the Server header.

It was decided that we will use an on/off boolean for now. We don't see much value in the in-between steps.

Comment 10 Samuel Mannehed 2024-07-15 14:01:55 CEST

Regarding the name of the configuration parameter, two names were discussed:

1. /tlwebaccess/server_tokens & /tlwebadmin/server_tokens

  + Self-explanatory name for admins who are used to Apache & Nginx.
  - Not very extensible if we want to include other functionality under this parameter in the future.

2. /tlwebaccess/expose_version & /tlwebadmin/expose_version

  + Extensible name, which could include other functionality in the future (like hiding the footer version in the UI).
  - Would users expect the first version of this parameter to hide the ThinLinc version everywhere?

We decided to continue with 1, since it seems to be something of a web server standard configuration parameter name.

Comment 11 Samuel Mannehed 2024-07-15 14:30:19 CEST

The correct configuration path for Web Access would be "/webaccess/server_tokens".

Comment 15 Samuel Mannehed 2024-07-16 13:20:40 CEST

This has now been committed to the Ericsson branch.

Commit r41057 applies cleanly to regular ThinLinc. Note that after merging r41057 into regular ThinLinc we also need to add release notes.

Comment 18 Emelie 2024-10-01 11:26:53 CEST

MUST

* ThinLinc must offer configuration that allows the Python version number to be hidden from the Server-header in the web server response. ✅

* Any new configuration must be documented. ✅

* The default behavior must be the same as the current behavior regarding the web server response from ThinLinc. ✅

SHOULD

* ThinLinc should offer configuration that allows the ThinLinc version number to be hidden from the Server-header in the web server response. ✅

* The configuration parameter should be named in such a way that administrators recognize it from other common web servers. ✅

COULD

* The configuration parameter could also hide the ThinLinc version shown in the footer of the Web Access and Web Admin pages. ❌

* The configuration could allow granularity in what information is included in the Server header. ❌

Comment 19 Emelie 2024-10-01 11:28:23 CEST

This should now be fixed. We have tested it by verifying that $ curl -I https://x.x.x.x doesn't send the Python or Thinlinc version when server_tokens is set to false.

Comment 20 Samuel Mannehed 2024-10-01 17:31:13 CEST

Verified server build 3711 on RHEL9. I did the following:

* Installed build 3711
* Browsed to both Web Access and Web Administration in Chrome, and opened the
  network tab to check the "Response Header" of several requests.
* By default, the server header for each response looks like this:
  Server: ThinLinc/4.17.0post-3711 BaseHTTP/0.6 Python/3.9.18
* I then disabled server_tokens for both Web Access and Web Administration:
  $ sudo tl-config /webaccess/server_tokens=false
  $ sudo tl-config /webaccess/server_tokens=false
  $ sudo systemctl restart tlwebaccess tlwebadm
* After that, the server header in Chrome's network tab looks like this:
  Server: ThinLinc

All good!

Furthermore, the documentation (both in the TAG and in the .hconf-file) looks good. I think it's suitable that these configuration parameters aren't mentioned in the main Web Access or Web Administration chapters. Simply explaining what they are about in the parameter appendix is sufficient.

The commits also look good. The new code fits in well with the surrounding code, and I have no suggestions on modifications. The new unit tests are good, and cover what was changed.

I had one question regarding the release notes, in our commits-list, but I don't see that as a reason to hold off closing this bug.