External available web services show version info
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Fix Committed | Medium | Sergii Golovatiuk | |
Bug Description
Fuel master node and controllers with Horizon dashboard have default configuration files for web services, and the web services show the version info. We need to avoid this in production, when Fuel master or Horizon dashboard can be available from the external network.
This is a minor security issue.
How to fix:
1) set in /etc/httpd/
2) add 'server_tokens off;' to http section in /etc/nginx/
Example of fix:
# Set production mode for Apache and nginx services
sed -i 's/ServerTokens OS/ServerTokens Prod/' /etc/httpd/
sed -i 's/http {/http {\n server_tokens off;/' /etc/nginx/
service httpd restart ; service nginx restart
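A way to verify the fix described above, as an added example that is not part of the original bug report. The function names are hypothetical, and the config contents and Server header values are constructed samples written to a temporary directory, because the report's file paths are truncated and none are assumed here.

```shell
#!/bin/sh
# Added example. Config contents and header values below are constructed samples.

# Succeeds if the last active ServerTokens directive in the file is Prod.
apache_tokens_hardened() {
    val=$(awk 'tolower($1) == "servertokens" { v = tolower($2) } END { print v }' "$1")
    case "$val" in
        prod|productonly) return 0 ;;
        *) return 1 ;;   # missing directive: treat as not hardened
    esac
}

# Succeeds if the last active server_tokens directive in the file is "off".
# Simplification: does not follow include files or per-server overrides.
nginx_tokens_hardened() {
    awk '$1 == "server_tokens" { v = $2 } END { exit (v == "off;" ? 0 : 1) }' "$1"
}

# Succeeds if a Server header value carries a version (a digit right after "/").
server_header_leaks_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]'
}

report() {  # report <label> <command...>: print PASS/FAIL for one check
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}

tmp=$(mktemp -d)
printf '# ServerTokens Prod\nServerTokens OS\n' > "$tmp/httpd-default.conf"
printf 'ServerTokens Prod\n' > "$tmp/httpd-fixed.conf"
printf 'http {\n    sendfile on;\n}\n' > "$tmp/nginx-default.conf"
printf 'http {\n    server_tokens off;\n}\n' > "$tmp/nginx-fixed.conf"

report "apache default" apache_tokens_hardened "$tmp/httpd-default.conf"
report "apache fixed"   apache_tokens_hardened "$tmp/httpd-fixed.conf"
report "nginx default"  nginx_tokens_hardened  "$tmp/nginx-default.conf"
report "nginx fixed"    nginx_tokens_hardened  "$tmp/nginx-fixed.conf"

for h in 'Apache/2.2.15 (CentOS)' 'Apache' 'nginx/1.6.2' 'nginx'; do
    if server_header_leaks_version "$h"; then echo "LEAK Server: $h"
    else echo "OK   Server: $h"; fi
done
rm -rf "$tmp"
```

A commented-out `ServerTokens Prod` is ignored, and a file with no directive at all is reported as not hardened, since both servers disclose their version by default.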
Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
Changed in fuel:
status: Confirmed → Triaged
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Sergii Golovatiuk (sgolovatiuk)
Changed in fuel:
status: In Progress → Fix Committed
Fix proposed to branch: master
Review: https://review.openstack.org/119019