I have a node.js environment deployed using AWS Elastic Beanstalk on an Apache server. I have run a PCI scan on the environment and I'm getting 2 failures:
Naturally I'm thinking I need to update the httpd.conf file with the following:
ServerSignature Off
ServerTokens Prod
However, given the nature of Elastic Beanstalk and Elastic Load Balancers, as soon as the environment scales, adds new servers, reboots etc the instance config will be overwritten.
I have also tried putting the following into an .htaccess file:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
# Security hardening for PCI
Options -Indexes
ServerSignature Off
# Disallow iFrame usage outside of loylap.com for PCI Security Scan
Header set X-Frame-Options SAMEORIGIN
On the Node.js side I use the "helmet" package to apply some security measures; I also use the "express-force-https" package to ensure the application is enforcing HTTPS. However, these only seem to take effect after the Express application is initiated and after the redirect.
I have Elastic Load Balancer listeners set up for both HTTP (port 80) and HTTPS (port 443), however the HTTP requests are immediately routed to HTTPS.
When I run the following curl command:
curl -I https://myenvironment.com --head
I get an acceptable response with the following line:
Server: Apache
However when I run the same request on the http endpoint (i.e. before redirects etc):
curl -I http://myenvironment.com --head
I get a response that discloses more information about my server than it should, and hence the PCI failure:
Server: Apache/2.4.34 (Amazon)
How can I force my environment to restrict the http header response on HTTP as well as HTTPS?
Credit to @stdunbar for leading me to the correct solution here using ebextensions.
The solution worked for me as follows:
.ebextensions/01_server_hardening.config
files:
  "/etc/httpd/conf.d/03_server_hardening.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      ServerSignature Off
      ServerTokens Prod
container_commands:
  01_reload_httpd:
    command: "sudo service httpd reload"
(Note: the indentation is important in this YAML file - 2 spaces rather than tabs in the above code).
During Elastic Beanstalk deployment, that will create a new conf file in the /etc/httpd/conf.d folder, which is set up to extend the httpd.conf settings in ELB by default.
The content manually turns off the ServerSignature and sets the ServerTokens to Prod, achieving the PCI standard.
Running the container command forces an httpd reload (for this particular version of Amazon Linux; Ubuntu and other versions would require their own standard reload).
After deploying the new commands to my EB environment, my curl commands run as expected on HTTP and HTTPS.
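To make the curl checks from the question repeatable (before and after deploying the ebextensions fix above), here is an added example, not part of the original question or answer, that parses raw `curl -I` output and flags a Server header that discloses a version or platform, plus a missing X-Frame-Options header. The two sample responses are constructed from the header lines quoted in the question; the status lines, Location and Content-Type headers are assumptions added for realism.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses modelled on the curl -I output in the question.
# Only the Server and X-Frame-Options lines come from the page; the rest are
# assumed values so the samples look like real response heads.
HTTPS_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

HTTP_HEAD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.4.34 (Amazon)\r\n"
    "Location: https://myenvironment.com/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# "Apache" alone is what ServerTokens Prod produces. A leaking value carries a
# "/<version>" suffix and/or a parenthesised OS or distribution token.
VERSION_RE = re.compile(r"/\d+(\.\d+)*")
PLATFORM_RE = re.compile(r"\([^)]*\)")


def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response head into (status line, lower-cased header map)."""
    lines = raw.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def header_findings(raw: str) -> List[str]:
    """Return the disclosure findings a PCI-style header scan would raise."""
    _, headers = parse_head(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header discloses version: {server!r}")
    if PLATFORM_RE.search(server):
        findings.append(f"Server header discloses platform: {server!r}")
    if "x-frame-options" not in headers:
        findings.append("X-Frame-Options header missing")
    return findings


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over every endpoint; an empty list means the endpoint is clean."""
    return {name: header_findings(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    # Replace the constructed samples with the real output of
    #   curl -sI http://myenvironment.com   and   curl -sI https://myenvironment.com
    for endpoint, findings in audit({"https": HTTPS_HEAD, "http": HTTP_HEAD}).items():
        print(endpoint, "clean" if not findings else findings)
```

The HTTP redirect response is checked on its own rather than after following the redirect, because that is exactly the response the scanner sees on port 80; once the ServerTokens Prod conf file is deployed and httpd reloaded, the HTTP sample should come back clean just like the HTTPS one.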