如何在AWS Load Balancer响应中禁用Apache HTTP标头信息?
我在Apache服务器上使用AWS Elastic Beanstalk部署了一个node.js环境.我在环境上运行了PCI扫描,但遇到2个失败:
I have a node.js environment deployed using AWS Elastic Beanstalk on an Apache server. I have run a PCI scan on the environment and I'm getting 2 failures:
- Apache ServerTokens信息披露
- Web服务器HTTP标头信息公开
自然地,我想我需要使用以下内容更新httpd.conf文件:
Naturally I'm thinking I need to update the httpd.conf file with the following:
ServerSignature Off
ServerTokens Prod
但是,鉴于Elastic Beanstalk和Elastic Load Balancer的性质,一旦环境扩展,添加新服务器,重新启动等,实例配置将被覆盖.
However, given the nature of Elastic Beanstalk and Elastic Load Balancers, as soon as the environment scales, adds new servers, reboots etc the instance config will be overwritten.
我还尝试将以下内容放入.htaccess文件中:
I have also tried putting the following into an .htaccess file:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
# Security hardening for PCI
Options -Indexes
ServerSignature Off
# Dissallow iFrame usage outside of loylap.com for PCI Security Scan
Header set X-Frame-Options SAMEORIGIN
在节点js端,我使用头盔"包来应用一些安全措施,同时我也使用"express-force-https"包来确保应用程序强制执行https.但是,这些似乎仅在Express应用程序启动后和重定向之后才生效.
On the node js side I use the "helmet" package to apply some security measures, I also use the "express-force-https" package to ensure the application is enforcing https. However, these only seem to be taking effect after the Express application is initiated and after the redirect.
我为HTTP(端口80)和HTTPS(端口443)设置了Elastic Load Balancer侦听器,但是HTTP请求立即路由到HTTPS.
I have Elastic Load Balancer listeners set up for both HTTP (port 80) and HTTPS (port 443), however the HTTP requests are immediately routed to HTTPS.
当我运行以下curl命令时:
When I run the following curl command:
curl -I https://myenvironment.com --head
我收到以下行的答复:
Server: Apache
但是,当我在http端点上运行相同的请求时(即在重定向等之前):
However when I run the same request on the http endpoint (i.e. before redirects etc):
curl -I http://myenvironment.com --head
我得到一个响应,其中显示了有关服务器的更多信息,从而导致PCI故障:
I get a response that discloses more information about my server than it should, and hence the PCI failure:
Server: Apache/2.4.34 (Amazon)
如何强制我的环境限制HTTP以及HTTPS上的http标头响应?
How can I force my environment to restrict the http header response on HTTP as well as HTTPS?
使用ebextensions致使@stdunbar指导我找到正确的解决方案.
Credit to @stdunbar for leading me to the correct solution here using ebextensions.
该解决方案对我来说如下:
The solution worked for me as follows:
- 在项目根目录中创建一个名为
.ebextensions/01_server_hardening.config的文件 - 在文件中添加以下内容:
files:
"/etc/httpd/conf.d/03_server_hardening.conf":
mode: "000644"
owner: root
group: root
content: |
ServerSignature Off
ServerTokens Prod
container_commands:
01_reload_httpd:
command: "sudo service httpd reload"(注意:缩进在此YAML文件中很重要-2个空格,而不是上面的代码中的制表符).
(Note: the indentation is important in this YAML file - 2 spaces rather than tabs in the above code).
在弹性beantalk部署期间,这将在/etc/httpd/conf.d文件夹中创建一个新的conf文件,该文件被设置为默认情况下扩展ELB中的httpd.conf设置.
During elastic beanstalk deployment, that will create a new conf file in /etc/httpd/conf.d folder which is set up to extend the httpd.conf settings in ELB by default.
该内容手动关闭ServerSignature并将ServerTokens设置为Prod,从而达到PCI标准.
The content manually turns off the ServerSignature and sets the ServerTokens to Prod, achieving the PCI standard.
运行container命令会强制httpd重新启动(对于该特定版本的Amazon linux-ubuntu和其他版本将需要它们自己的标准 reload ).
Running the container command forces a httpd reboot (for this particular version of Amazon linux - ubuntu and other versions would require their own standard reload).
将新命令部署到我的EB环境后,我的curl命令在HTTP和HTTPS上按预期运行.
After deploying the new commands to my EB environment, my curl commands run as expected on HTTP and HTTPS.