standard way to disable X-powered-by header in Passenger?
I couldn't find any way to disable Passenger's X-Powered-By header:

X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11

Is it possible to do that without modifying its sources and removing headers on the HTTP server level?

Peri answered 28/11, 2011 at 15:3 Comment(11)
I'm just curious, why do you want to disable these?Pansy
@MarianTheisen One valid reason IMO is that it makes the headers portion of the HTTP response heavier, and it's the only part of the request that can't be gzip'd...Spalding
Very quick Google search provided successful answer: groups.google.com/group/phusion-passenger/browse_thread/thread/…Spalding
@Spalding a quick view at the link tells me that it falls into 'filtering headers out in HTTP server'Peri
@MarianTheisen b/c having this kind of headers will fail a security audit of your applicationPeri
@Oleg: Filtering the headers out is equivalent to removing them, though apparently for some reason that's not sufficient in your case?Spalding
@Spalding filtering/removing/disabling whatever, I'm just trying to find a solution that would not require modification of my HTTP server config files, loading extra modules etcPeri
You didn't specify which server you're using with passenger. Looking at the source it looks like nginx has a configuration item to strip the version string out, passenger_show_version_in_header, but it still adds a powered by Phusion header.Blacken
@Blacken I did it on purpose because any "HTTP server" solution would be a workaround - 'filtering out' HTTP headers that were added by Passenger, and it will also require additional configuration of the HTTP server, while the pure solution would be telling Passenger not to add the headers (if that's possible at all -- that's what I'm trying to understand)Peri
@Oleg Thanks, thats interesting to know.Pansy
@MarianTheisen I just failed a client security audit on exactly this point (and only this point, which is good!)Yearlong
7

Short answer: no.

There is no configuration option in passenger to disable the X-Powered-by, so you need to do one of

  • filter
  • edit source
  • monkeypatch

passenger code:

  #RequestHandler::process_request
  headers_output = [
    STATUS, status.to_i.to_s, CRLF,
    X_POWERED_BY, @passenger_header, CRLF
  ]

  #AbstractRequestHandler::initialize
  @passenger_header   = determine_passenger_header

  #AbstractRequestHandler::determine_passenger_header
  def determine_passenger_header
    header = "Phusion Passenger (mod_rails/mod_rack)"
    if @options["show_version_in_header"]
      header << " #{VERSION_STRING}"
    end
    if File.exist?("#{SOURCE_ROOT}/enterprisey.txt") ||
       File.exist?("/etc/passenger_enterprisey.txt")
      header << ", Enterprise Edition"
    end
    return header
  end
Culmination answered 28/11, 2011 at 18:35 Comment(8)
the patch seems to be primitive, why haven't they implemented something like that? do you think it would be worth sending it to them?Peri
I bet it's a configuration parameter if you use with their paid support level.Culmination
...and I thought it was the Java world that was getting too commercialized... :)Peri
Thanks for posting this - quite helpful. We ended up just cutting this out of the Passenger source.Servomechanism
This answer is no longer true, as passenger_show_version_in_header off; now exists.Apprehensive
@AnthonyO. - that hides the version number, but not the "x-powered-by" headerCulmination
Yes, for that, one could use the shadowbq's answer by using more_clear_headers on Nginx or Header always unset on ApacheApprehensive
@AnthonyO. - read the comment thread to shadowbq's answer or the comment thread to the question. The question specifically said 'without removing headers at HTTP server level', meaning nginx/apache. So the answer is still "No".Culmination
21

On Apache you can unset headers:

# Hide/Remove the Passenger Headers
Header always unset "X-Powered-By"
Header always unset "X-Runtime"

It will not remove all names (since services such as Plesk will still append their name), but Passenger can be removed this way.

Kudos to John Trupiano: https://groups.google.com/forum/?fromgroups=#!topic/phusion-passenger/LKAKH0PEyW0

Balenciaga answered 17/1, 2013 at 15:14 Comment(1)
You need the headers module to do that a2enmod headersGlyptic
12

Short answer: YES.

update: 2018

Use proxy_hide_header if downstream, or use more_clear_headers


Original Answer

I leave the fact that I use nginx+passenger .. but you can completely remove them with

remove_header X-Header-Name-To-Remove;

So you can remove both by

server {
    ...
    remove_header X-Powered-By;
    remove_header X-Runtime;
    ...
    }

This removes all the headers, it can also be in a location directive instead of server.

..

Here are my common directives, as I leave 'apache prod' equiv on mine.

server {
    ...
    remove_header X-Runtime;
    server_tokens off;
    passenger_show_version_in_header off;
    ...
}

Provides a service header like..

Server:nginx + Phusion Passenger
X-Powered-By:Phusion Passenger       

This is the closest equiv of apache2 ServerTokens Prod directive that I can do.

Mindamindanao answered 17/1, 2014 at 3:57 Comment(7)
if I get it right you're saying that there's is a way to remove version number, but not the header itselfPeri
You can do both. (see adjusted answer)Mindamindanao
this certainly works, I thought the op requested that it not require modification in the front-end proxy server.Culmination
Ok sorry, while passenger_show_version_in_header is Passenger configuration, remove_header is an nginx directive, and that makes this answer not very correctPeri
Actually, on my Ubuntu 12.04.4 LTS, remove_header didn't work. I used more_clear_headers of HttpHeadersMoreModule (from nginx-extras package) and it worked !Apprehensive
nothing much to be done without HttpHeadersMoreModule (recompiling nginx)Heinrik
nginx: [emerg] unknown directive "remove_header"Supertanker
6

more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime'; works for me as mentioned in http://www.michaelrigart.be/en/blog/nginx-and-passenger-install-in-production-environment.html.

Depicture answered 11/9, 2015 at 10:35 Comment(1)
you need to make sure that the ngx_headers_more module (github.com/openresty/…) is activeMeris
4

To completely remove X-Powered-By and Server headers from Nginx+Passenger and not just hide versions, add this to your http block in nginx.conf:

server_tokens off;
more_clear_headers Server;
more_clear_headers X-Powered-By;

You could also set your own:

more_set_headers "Server: ACME";

This will work even if passenger_show_version_in_header off; is not set, but it might be smart to add it as well in case.

Remember to restart the server for these to take effect. You should test your config before restarting though: sudo nginx -t.

Information via calvin.my

Grivation answered 11/7, 2017 at 8:1 Comment(0)
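Added example, not part of any answer above and not code from Passenger, nginx or Apache: whichever route you take (`Header always unset` on Apache, `more_clear_headers` on nginx), the thing an auditor actually checks is the response on the wire, so verify it the same way instead of trusting the config. The script below parses raw HTTP/1.x response headers, flags any surviving `Server`, `X-Powered-By` or `X-Runtime` header, and distinguishes a bare product name (what `passenger_show_version_in_header off` alone still leaves in `Server`) from a leaked version number. The two embedded responses are constructed for the demo, not captured from a real host; the version strings in them are made up apart from the `X-Powered-By` value quoted in the question.

```python
"""Audit HTTP response headers for server/framework disclosure.

Added example (not code from the original page, Passenger, nginx or Apache).
Offline it audits two constructed responses (BEFORE/AFTER); given a hostname
on the command line it also does a live HEAD request against that host.
"""
import http.client
import re
from typing import Dict, Iterable, List, Tuple

# Headers the answers above unset; anything that survives in these is a finding.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-runtime")
# A dotted number such as "3.0.11" inside a value means a version leaked.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

Headers = Dict[str, List[str]]


def parse_response_headers(raw: bytes) -> Tuple[str, Headers]:
    """Parse the head of a raw HTTP/1.x response into (status line, headers).

    Header names are lower-cased; repeated headers keep every value.
    Obsolete folded continuation lines are joined onto the previous value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the audit
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return lines[0], headers


def headers_from_pairs(pairs: Iterable[Tuple[str, str]]) -> Headers:
    """Normalise http.client's (name, value) list into the same shape."""
    headers: Headers = {}
    for name, value in pairs:
        headers.setdefault(name.lower(), []).append(value)
    return headers


def audit_headers(headers: Headers) -> List[Tuple[str, str, str]]:
    """Return (header, value, kind) for every disclosure header present.

    kind is "version" when a version number is visible, "timing" for
    X-Runtime (a request duration, not a version, but still a Rails tell),
    and "product" for a bare product name such as "nginx".
    """
    findings = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            if name == "x-runtime":
                kind = "timing"
            elif VERSION_RE.search(value):
                kind = "version"
            else:
                kind = "product"
            findings.append((name, value, kind))
    return findings


def audit_live(host: str, port: int = 80, path: str = "/") -> List[Tuple[str, str, str]]:
    """HEAD the given URL and audit its headers (needs network access)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return audit_headers(headers_from_pairs(conn.getresponse().getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server). BEFORE uses
# the X-Powered-By value from the question; the nginx version is invented.
# AFTER is what the Apache/nginx directives above should leave behind.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.2.1 + Phusion Passenger 3.0.11\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11\r\n"
    b"X-Runtime: 0.012345\r\n"
    b"\r\n"
)
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(parse_response_headers(raw)[1]) or "clean")
    if len(sys.argv) > 1:
        print(sys.argv[1], audit_live(sys.argv[1]) or "clean")
```

Run it with no arguments to see the before/after classification, or `python audit_headers.py example.org` (hostname assumed) to check a live host. A "product" finding on `Server` after the nginx-only `server_tokens off; passenger_show_version_in_header off;` combination is expected, which is exactly why the answers reach for `more_clear_headers` or `Header always unset` to drop the header outright.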

© 2022 - 2024 — McMap. All rights reserved.