Embedded jetty exposing version

Embedded jetty exposing version

moreno
We have not seen anywhere in the documentation of ActiveMQ how to hide the
embedded jetty version. This is marked as a security threat by our
penetration testers when we are using a web sockets transport on port 80. We
have been playing around with the configuration file jetty.xml and the
parameters, but with no success. It has been addressed for other projects (see
https://issues.apache.org/jira/browse/HADOOP-13414) by a patch in the code.

So far we have been trying to change the configuration in jetty.xml.

After searching for jetty properties, this is how we configured the property
for the property:

<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <property name="sendServerVersion" value="false">
  </property>
</bean>

However, this has no effect on the exposing of the version. We tried further
with a connection factory, but this also had no effect:

<bean id="invokeConnectors"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
  <property name="targetObject" ref="Server" />
  <property name="targetMethod" value="setConnectors" />
  <property name="arguments">
    <list>
      <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="Server" />
        <constructor-arg>
          <list>
            <bean id="httpConnectionFactory"
                  class="org.eclipse.jetty.server.HttpConnectionFactory">
              <constructor-arg ref="httpConfig"/>
            </bean>
          </list>
        </constructor-arg>
        <property name="host" value="#{systemProperties['jetty.host']}" />
        <property name="port" value="#{systemProperties['jetty.port']}" />
      </bean>
    </list>
  </property>
</bean>

Are we on the right track, or does it need to be addressed by the codebase
of ActiveMQ?

This is how we show the version:

# nmap -sV -p80 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).

PORT STATE SERVICE VERSION
80/tcp open http Jetty 9.2.22.v20170606

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds

Here is a link to the ActiveMQ ticket (we were recommended to post here):
https://issues.apache.org/jira/browse/AMQ-6951



Re: Embedded jetty exposing version

Tim Bain
This is going to require a code change; you're not going to be able to
Spring-inject the fix you're looking for.

org.apache.activemq.transport.discovery.http.EmbeddedJettyServer.start()
creates its Server by calling new (no Spring injection), and the code of
that method doesn't provide any means to specify an HttpConfiguration. So
if you want to change this behavior, it will require a code change.

Tim

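Added example (not part of the thread and not ActiveMQ's code): the kind of code change the reply describes, shown on a standalone embedded Jetty 9 server. A Server created with `new` only honours `sendServerVersion` if the HttpConfiguration is passed into the connector's HttpConnectionFactory at construction time. The class name NoVersionJettyDemo, the loopback host and the ephemeral port are assumptions for illustration; it needs jetty-server on the classpath.

```java
import java.net.HttpURLConnection;
import java.net.URL;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

// Hypothetical demo class: compares the Server response header with
// sendServerVersion enabled and disabled on a programmatically built server.
public class NoVersionJettyDemo {

    // Build a Server whose only connector uses our HttpConfiguration.
    static Server build(boolean sendServerVersion) {
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSendServerVersion(sendServerVersion);

        Server server = new Server(); // no-arg constructor: no default connector
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1");
        connector.setPort(0); // ephemeral port, so the demo never clashes with port 80
        server.addConnector(connector);
        return server;
    }

    // Start the server, issue one request, and return the Server header (or null).
    static String serverHeader(boolean sendServerVersion) throws Exception {
        Server server = build(sendServerVersion);
        server.start();
        try {
            int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
            HttpURLConnection c = (HttpURLConnection)
                    new URL("http://127.0.0.1:" + port + "/").openConnection();
            c.getResponseCode(); // forces the request; the status itself is not used
            return c.getHeaderField("Server");
        } finally {
            server.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("sendServerVersion=true  -> Server: " + serverHeader(true));
        System.out.println("sendServerVersion=false -> Server: " + serverHeader(false));
    }
}
```

Re-running the same `nmap -sV` probe from the original post against the patched listener is the check that matters to the penetration testers, since service detection can also key on response bodies and not only on the Server header.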