How can I remove Elastic Beanstalk Apache server header from static content?

Question

I have an Elastic Beanstalk AML 2 setup, running an Apache proxy server.

I have successfully minimised the server header from GET request to / by extending the httpd.conf via the following file

.platform/httpd/conf.d/httpd.conf

the contents are:

ServerSignature Off
ServerTokens Prod

This works for the page request, and only reports 'Apache' as my server token/signature.

But requests for static content (such as images, css, js) still report the full signature.

How can I apply the same to static content?

Answer 1

In a standard AWS beanstalk environment with Apache httpd configured, all web content (static and dynamic) will be served through httpd (httpd acts as a proxy for requests sent to tomcat or other dynamic web content).

And as ServerSignature and ServerTokens are global configuration settings, if this setting change works for some pages, it should work for all static content too.

I experienced a similar issue to you after applying the same Apache settings, but this was because the browser was serving static content from its own cache (and the server header shown was from the original request before I changed Apache). I fixed this by doing a hard reload / flush cache on my browser.

You can verify httpd is working, by connecting to your EC2 server via ssh and running

# Check page (update to the dynamic page you want to test)
curl -I localhost/path/mypage
# Check image/css (update path to the static resource you want to test)
curl -I localhost/img/test.png

# In Apache/Tomcat, you can view the Tomcat page directly
# (but note that your browser will not see this directly, it will be proxied via httpd)
curl -I localhost:8080/path/mypage