2

I'm running Mod_Security and I'm using the SecServerSignature to customize the Server header that Apache returns. This part works fine; however, I'm also running mod_fcgid, which appends "mod_fcgid/2.3.5" to the header.

Is there any way I can turn this off? Setting ServerSignature off doesn't do anything. I was able to get it to go away by changing the ServerTokens, but that removed the customization I had added.

matthew

3 Answers

1

Use ServerTokens in a config file.

ServerTokens

This directive configures what you return as the Server HTTP response Header. The default is 'Full' which sends information about the OS-Type and compiled in modules.

Set to one of: Full | OS | Minor | Minimal | Major | Prod where Full conveys the most information, and Prod the least.

I suggest setting it to Prod; then they will only see that you are using Apache Server at domain.com Port 80.

Don't forget to restart/reload the Apache config files!

https://httpd.apache.org/docs/2.2/mod/core.html#servertokens

Alex
0

ServerTokens is what manipulates the Server response header. (ServerSignature is used for server generated documents.)

However, if you want to completely control the Server header I would suggest using the Header option:

Header set Server "Apache/2 my_customizations"

as an example.

rjk
  • hmmm... That doesn't seem to work. I don't think Apache allows you to override the server header that way. – matthew Nov 02 '10 at 17:32
0

You may need to reorder the module loading in Apache so mod_security loads after mod_fcgi.

Read the "Server identity masking" section of the mod_security docs.
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html

Two notes: Mod_security will show the real server signature in the error_log which will be different than the one given to the public.

Second, the document also explains that the SecServerSignature directive only works with ServerTokens set to "Full".

Mark

mfarver
  • I've tried loading the module first and last, and it doesn't make a difference. I also double-checked and ServerTokens are set to "Full" and the problem is in the actual response header not just the logs. Thanks – matthew Nov 17 '10 at 16:59
  • I'm not a great coder, but I did not see anything in the most recent version of mod_fcgi that would place an entry in the server description. What version are you running? – mfarver Nov 18 '10 at 18:23