Foreman » Smart Proxy

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1404867
Description of problem:

foreman-proxy sends back a "Server" header with http requests, exposing the version of webrick and openssl.

Nessus will claim that the server is suseptable to CVEs that have already been backported into openssl, since it performs its check based on the reported version and not the release. For example, 1.0.1e-60 has a lot of fixes backported, but nessus only sees "1.0.1e" and complains.

While this particular behavior is a nessus issue, it is generally better to not report the server's openssl version in the header in the first place.

Version-Release number of selected component (if applicable): 6.2.4, foreman-proxy-1.11.0.6-1.el7sat.noarch,

How reproducible: every time

Steps to Reproduce:
 1. curl -v http://<hostname>:8000
 2. look for Server header in response

Actual results:

< Server: WEBrick/1.3.1 (Ruby/2.0.0/2015-12-16) OpenSSL/1.0.1e

Expected results:

blank field, or no field at all

Additional info:

This is very similar to upstream issue https://github.com/theforeman/smart-proxy/pull/402 which is waiting on the contributor for an update.

the following simple patch to /usr/share/foreman-proxy/lib/launcher.rb seems to do the trick:

--- launcher.rb 2016-12-14 16:44:44.245330301 -0500
 +++ launcher.rb.new     2016-12-14 16:44:33.002000676 -0500
 @ -28,6 +28,7 @
          :Host => SETTINGS.bind_host,
          :Port => SETTINGS.http_port,
          :Logger => ::Proxy::LogBuffer::Decorator.instance,
 +        :ServerSoftware => "",
          :daemonize => false)
      end

@ -57,6 +58,7 @
            :SSLCertificate => load_ssl_certificate(SETTINGS.ssl_certificate),
            :SSLCACertificateFile => SETTINGS.ssl_ca_file,
            :SSLOptions => ssl_options,
 +          :ServerSoftware => "",
            :daemonize => false)
        end
      end