[
https://issues.apache.org/jira/browse/AMQ-6951?focusedWorklogId=562231&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-562231
]
ASF GitHub Bot logged work on AMQ-6951:
---------------------------------------
Author: ASF GitHub Bot
Created on: 08/Mar/21 09:03
Start Date: 08/Mar/21 09:03
Worklog Time Spent: 10m
Work Description: lucastetreault removed a comment on pull request #615:
URL: https://github.com/apache/activemq/pull/615#issuecomment-792579893
Can one of the admins verify this patch?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 562231)
Time Spent: 0.5h (was: 20m)
> Hide embedded jetty version
> ---------------------------
>
> Key: AMQ-6951
> URL: https://issues.apache.org/jira/browse/AMQ-6951
> Project: ActiveMQ
> Issue Type: New Feature
> Affects Versions: 5.15.14
> Reporter: Marcos Moreno Martin
> Assignee: Matt Pavlovich
> Priority: Major
> Fix For: 5.17.0, 5.15.15, 5.16.2
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Hi,
> sorry in advance if this is something easy for jetty experts. We need some
> guidance or see if hiding the embedded jetty configuration is possible.
> We have not seen anywhere in the documentation how to hide the embedded jetty
> version. This is marked as a security thread by our penetration testers when
> we are using a web sockets transport on port 80. We have been playing around
> with the configuration file jetty.xml and the parameters, but no success. It
> has been addressed for other projects (see
> https://issues.apache.org/jira/browse/HADOOP-13414)
> So far we have been trying to change the configuration in jetty.xml.
> As far as we know, this should be the configuration for the property:
> {code:java}
> <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
> <property name="sendServerVersion" value="false">
> </property>
> </bean>
> {code}
> However, this has no effect in the exposing of the version. We tried further
> and tried with a connection factory, but this also had no effect:
> {code:java}
> <bean id="invokeConnectors"
> class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
> <property name="targetObject" ref="Server" />
> <property name="targetMethod" value="setConnectors" />
> <property name="arguments">
> <list>
> <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
> <constructor-arg ref="Server" />
> <constructor-arg>
> <list>
> <bean id="httpConnectionFactory"
> class="org.eclipse.jetty.server.HttpConnectionFactory">
> <constructor-arg ref="httpConfig"/>
> </bean>
> </list>
> </constructor-arg>
> <!-- see the jettyPort bean -->
> <property name="host" value="#{systemProperties['jetty.host']}" />
> <property name="port" value="#{systemProperties['jetty.port']}" />
> </bean>
> </list>
> </property>
> </bean>
> {code}
> Are we on the right track, or does it need to be addressed by the codebase of
> ActiveMQ?
> This is how we show the version:
> {code:java}
> #nmap -sV -p80 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000098s latency).
> PORT STATE SERVICE VERSION
> 80/tcp open http Jetty 9.2.22.v20170606
> Service detection performed. Please report any incorrect results at
> https://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
