Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-6951

Hide embedded jetty version

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.15.14
    • 5.15.15, 5.16.2, 5.17.0
    • None
    • None

    Description

      Hi,

      sorry in advance if this is something easy for jetty experts. We need some guidance or see if hiding the embedded jetty configuration is possible.

      We have not seen anywhere in the documentation how to hide the embedded jetty version. This is marked as a security thread by our penetration testers when we are using a web sockets transport on port 80. We have been playing around with the configuration file jetty.xml and the parameters, but no success. It has been addressed for other projects (see https://issues.apache.org/jira/browse/HADOOP-13414)

       So far we have been trying to change the configuration in jetty.xml.

      As far as we know, this should be the configuration for the property:

      <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<property name="sendServerVersion" value="false">
</property>
</bean>

      However, this has no effect in the exposing of the version. We tried further and tried with a connection factory, but this also had no effect:

      <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
   <list>
      <bean id="httpConnectionFactory"       class="org.eclipse.jetty.server.HttpConnectionFactory">
      <constructor-arg ref="httpConfig"/>
      </bean>
   </list>
</constructor-arg>

<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>

</list>
</property>
</bean>

      Are we on the right track, or does it need to be addressed by the codebase of ActiveMQ? 

      This is how we show the version:

      #nmap -sV -p80 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).

PORT STATE SERVICE VERSION
80/tcp open http Jetty 9.2.22.v20170606

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds

      Attachments

        Issue Links

          is cloned by

          New Feature - A new feature of the product, which has yet to be developed. AMQ-6952 CLONE - Hide embedded jetty version

          • Major - Major loss of function.
          • Closed

          Activity

            People

              mattrpav Matt Pavlovich
              marcos.moreno Marcos Moreno Martin
              Votes:
              2 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h
                  1h