67 posts categorized "sysadmin"

02/07/2011

Suppressing the X-Powered-By Header in JBoss

Back before PCI, we used to be able to display things like the type and version of the web server software we were running on our sites.  We wanted everyone to know that we were using Apache or IIS or Netscape Enterprise Server.  We wanted to make sure that NetCraft could view that information, too.  Software writers, both commercial and open-source, easily accommodated our wishes, putting version information right in the header.  For some, outputting this information in a Server header and footer page was not enough, so a new HTTP header was introduced called "X-Powered-By".  Unfortunately, displaying OS, web server, or app server information is now considered an information disclosure vulnerability, so we all need to configure our servers so that this information is not provided.

JBoss inserts an X-Powered-By header in every HTTP response, typically providing juicy bits of information such as the Servlet specification that JBoss complies with, the JBoss app server version number, a build number, and the version of Tomcat or JBoss Web that the app server uses.  If you need to know how to suppress the X-Powered-By header in JBoss, read on, and note that the technique varies depending upon the version of JBoss you are running.

JBoss 4.2.X

Suppressing the X-Powered-By header in JBoss 4.2.x can be done by modifying the web.xml file located in ${jboss.home}/server/${server.instance.name}/deploy/jboss-web.deployer/conf/.  For example, if you are using the 'default' instance and running JBoss 4.2.3 from /usr/local, the path to the configuration file would be /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/.  Locate the Common Filter Configuration line (line 25 on a stock 'default' server instance configuration file) and comment out the lines for the init-param, param-name, and param-value entries.  Example below:

  <!-- ================== Common filter Configuration ==================== -->
    <filter>
       <filter-name>CommonHeadersFilter</filter-name>
       <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
    <!--   <init-param> -->
    <!--      <param-name>X-Powered-By</param-name>  -->
    <!--      <param-value>Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0</param-value>  -->
    <!--   </init-param>  -->
    </filter>

Restart JBoss and the header will no longer show up.

JBoss 5.0

The web.xml file that needs to be updated is located in a different place than with JBoss 4.2, but the technique is the same. To suppress the X-Powered-By header under JBoss 5.0, comment out the init-param, param-name, and param-value entries from the web.xml located in ${jboss.home}/server/${server.instance.name}/deployers/jbossweb.deployer/.

  <!-- ================== Common filter Configuration ==================== -->
    <filter>
       <filter-name>CommonHeadersFilter</filter-name>
       <filter-class>
          org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
    <!--   <init-param>  -->
    <!--      <param-name>X-Powered-By</param-name>  -->
    <!--      <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>  -->
    <!--   </init-param>  -->
    </filter>

Once you have made the configuration changes, restart JBoss so they can take effect.

JBoss 6.0

In order to suppress the X-Powered-By header in JBoss 6, you no longer make changes to web.xml files but instead modify the catalina.properties file included with your server instance.  Edit the catalina.properties file located in ${jboss.home}/server/${server.instance.name}/deploy/jbossweb.sar/.  Locate the property named: org.apache.catalina.connector.X_POWERED_BY and set its value to false.  Restart the server and you're all set.
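The three procedures above (commenting out the init-param in the JBoss 4.2 and 5.0 web.xml, and flipping the property in the JBoss 6 catalina.properties) are mechanical enough to script. The following is an added example, not from the original post: it wraps each line of the X-Powered-By init-param block in its own XML comment, exactly as the hand edit does, and sets the catalina.properties key to false. File paths are whatever the caller passes in; the sample web.xml in the test is constructed.

```python
"""Comment out the X-Powered-By init-param in a JBoss 4.2/5.0 web.xml and
force org.apache.catalina.connector.X_POWERED_BY=false in a JBoss 6
catalina.properties. Added example; not from the original post."""
import re
import sys

# One <init-param> block whose <param-name> is X-Powered-By, indentation included.
# Lines already wrapped in <!-- --> do not match, so running twice is harmless.
INIT_PARAM = re.compile(
    r'^[ \t]*<init-param>\s*<param-name>\s*X-Powered-By\s*</param-name>'
    r'.*?</init-param>[ \t]*$',
    re.MULTILINE | re.DOTALL)

def comment_out_powered_by(web_xml):
    """Return (new_text, blocks_commented). Each line of the matching block is
    wrapped in its own XML comment, the way the stock web.xml is edited by hand."""
    def wrap(match):
        out = []
        for line in match.group(0).splitlines():
            if '--' in line:  # '--' is illegal inside an XML comment
                raise ValueError('cannot comment out line containing --: ' + line)
            indent = line[:len(line) - len(line.lstrip())]
            out.append(indent + '<!-- ' + line.strip() + ' -->')
        return '\n'.join(out)
    return INIT_PARAM.subn(wrap, web_xml)

POWERED_BY_KEY = 'org.apache.catalina.connector.X_POWERED_BY'

def disable_powered_by_property(props):
    """JBoss 6: set the catalina.properties key to false, appending it if absent."""
    pat = re.compile(r'^[ \t]*' + re.escape(POWERED_BY_KEY) + r'[ \t]*[=:].*$',
                     re.MULTILINE)
    if pat.search(props):
        return pat.sub(POWERED_BY_KEY + '=false', props)
    if props and not props.endswith('\n'):
        props += '\n'
    return props + POWERED_BY_KEY + '=false\n'

if __name__ == '__main__':
    # usage: python strip_powered_by.py <web.xml | catalina.properties>  (edits in place)
    path = sys.argv[1]
    with open(path) as f:
        text = f.read()
    if path.endswith('.properties'):
        new_text = disable_powered_by_property(text)
    else:
        new_text, n = comment_out_powered_by(text)
        print('commented out %d init-param block(s)' % n)
    with open(path, 'w') as f:
        f.write(new_text)
```

Restart the server instance afterwards, as with the manual edit, and confirm with a HEAD request that the header no longer appears.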



01/27/2011

Systems Admins R.I.P. - MuleSoft Blog

Back on January 20th, 2011, Ross Mason, MuleSoft Founder, posted an article on the company blog, From the Mule's Mouth, titled "Systems Admins. R.I.P.?", which became popular this week after being picked up by many aggregation sites and is filled with lively commentary from sysadmins around the world.

As I sit here waiting for the Cloud to rapture me off to the Choir Invisible, I can't help but think of those that fell before us. Who can forget back in the mid-70s when Digital Equipment Corporation proclaimed the death of the mainframe with the introduction of minicomputers, and the effect it had on mainframe systems engineers.  There are none left.  They are all gone.  Remember when Microsoft introduced Windows NT Server?  That's the day we lost all the UNIX administrators.

Perhaps they were the lucky ones, because the hype around Cloud Computing is so great that this may be one of the greatest extinction events ever.


All kidding aside, I do feel sorry for the MuleSoft systems administrator alluded to in the article. When the founder of your company publicly wonders what you do, you have a very tough job.

01/04/2011

A Few Useful Sysadmin Sites

I removed the blogroll on the site because visits to those links were almost non-existent.  However, I have come across a few links over the past month that other systems engineers/administrators might find useful and/or interesting.  I sure did.

  • WhichLoadsFaster.com - A site that allows you to run a basic performance comparison between two sites to see which one loads faster.  For example, say you want to compare the page load times for this blog vs. TomcatExpert.com.  Although they're still faster, I have been able to determine that several of the changes I've made to the blog over the past week have placed me closer to them in terms of page download speeds.
  • Martin Melin has created an online mod_rewrite rule tester, which allows you to test rewrite rules on the fly.  Pretty neat!
  • LinkedIn open-sourced their Glu tool, which allows automated deployments across any platform.  I haven't worked with it yet, but it looks interesting.