On Mon, 2004-02-02 at 07:35, Nathan R. Valentine wrote:
> Attached is a patch against 2.5.4 to suppress version information in
> HTTP SERVER headers and the HTML error pages. My intent was to hide
> server and version info from automated port and vulnerability scanners.
> An attacker doing targeted server fingerprinting will likely notice
> that the X-Squid* headers are still in place but will have to fall back
> to some other method to determine the Squid version.
>
> To suppress version info, place the following in /etc/squid.conf:
>
> httpd_suppress_version_string on
>
> I have tested the patch briefly on my home HTTP reverse cache. I have
> not tested it with any protocol other than HTTP.

Please open a bug and attach the patch there. Currently no core developer has reviewed it. I don't have time right now to do so, and having an open feature request will let us not forget about the patch.

Rob

--
GPG key available at: <http://www.robertcollins.net/keys.txt>.
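An added example, not part of the thread or of the patch: a small check an operator could run over responses captured from their own cache to confirm what the quoted message describes, namely that the Server header and the HTML error page no longer carry a version while X-Squid* headers remain. The two sample responses, the host name, and the exact text Squid emits once the directive is on are constructed assumptions.

```python
import re

# A product token that still carries a version, e.g. "squid/2.5.STABLE4".
VERSION_TOKEN = re.compile(r"\bsquid/\d[\w.\-]*", re.IGNORECASE)


def audit_response(raw: str) -> dict:
    """Report where a raw HTTP response still discloses the proxy version."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    server_hits = []
    for value in headers.get("server", []):
        server_hits += VERSION_TOKEN.findall(value)
    return {
        "server_version": server_hits,                # version in Server header
        "body_version": VERSION_TOKEN.findall(body),  # version in error page
        # Headers the message says are left in place by the patch.
        "x_squid_headers": sorted(n for n in headers if n.startswith("x-squid")),
    }


def make_sample(product: str) -> str:
    """Constructed 503 error response; `product` is the advertised token."""
    return (
        "HTTP/1.0 503 Service Unavailable\r\n"
        f"Server: {product}\r\n"
        "Content-Type: text/html\r\n"
        "X-Squid-Error: ERR_CONNECT_FAIL 111\r\n"
        "\r\n"
        "<html><body><h1>ERROR</h1><address>Generated by "
        f"cache.example.net ({product})</address></body></html>"
    )


# Constructed samples: directive off, then on (suppressed form is assumed).
BEFORE = make_sample("squid/2.5.STABLE4")
AFTER = make_sample("squid")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```
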
