This is an automated email from the ASF dual-hosted git repository.

alexott pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new f9ab6bb  [ZEPPELIN-4586] Add option to avoid sending Jetty version on 
headers and on 300/400 pages
f9ab6bb is described below

commit f9ab6bbdd8a03c863c3f39b9fd8abf1d57cd9880
Author: Javier Fuentes <j.fuente...@icloud.com>
AuthorDate: Mon Apr 13 15:00:12 2020 -0400

    [ZEPPELIN-4586] Add option to avoid sending Jetty version on headers and on 
300/400 pages
    
    ### What is this PR for?
    A few sentences describing the overall goals of the pull request's commits.
    First time? Check out the contributing guide - 
https://zeppelin.apache.org/contribution/contributions.html
    
    ### What type of PR is it?
    [Improvement]
    
    ### What is the Jira issue?
    * https://issues.apache.org/jira/browse/ZEPPELIN-4586
    
    ### How should this be tested?
    * Travis should pass
    
    With the default `zeppelin.server.send.jetty.name = true`
    ```
    $ curl -i localhost:8080/nonexisting
    HTTP/1.1 404 Not Found
    Date: Fri, 31 Jan 2020 19:16:33 GMT
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: authorization,Content-Type
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
    X-FRAME-OPTIONS: SAMEORIGIN
    X-XSS-Protection: 1
    X-Content-Type-Options: nosniff
    Cache-Control: must-revalidate,no-cache,no-store
    Content-Type: text/html;charset=iso-8859-1
    Content-Length: 328
    Server: Jetty(9.4.18.v20190429)
    
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 404 Not Found</title>
    </head>
    <body><h2>HTTP ERROR 404</h2>
    <p>Problem accessing /nonexisting. Reason:
    <pre>    Not Found</pre></p><hr><a href="http://eclipse.org/jetty";>Powered 
by Jetty:// 9.4.18.v20190429</a><hr/>
    
    </body>
    </html>
    ```
    By changing to false `zeppelin.server.send.jetty.name = false`
    
    ```
    $ curl -i localhost:8080/nonexisting
    HTTP/1.1 404 Not Found
    Date: Fri, 31 Jan 2020 19:15:57 GMT
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: authorization,Content-Type
    Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
    X-FRAME-OPTIONS: SAMEORIGIN
    X-XSS-Protection: 1
    X-Content-Type-Options: nosniff
    Cache-Control: must-revalidate,no-cache,no-store
    Content-Type: text/html;charset=iso-8859-1
    Content-Length: 243
    
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 404 Not Found</title>
    </head>
    <body><h2>HTTP ERROR 404</h2>
    <p>Problem accessing /nonexisting. Reason:
    <pre>    Not Found</pre></p>
    </body>
    </html>
    ```
    
    ### Questions:
    * Does the licenses files need update?
    No
    * Is there breaking changes for older versions?
    No
    * Does this needs documentation?
    Yes
    
    Author: Javier Fuentes <j.fuente...@icloud.com>
    Author: Javier <jfuen...@hortonworks.com>
    
    Closes #3622 from javierivanov/ZEPPELIN-SENDVERSION and squashes the 
following commits:
    
    44e047495 [Javier Fuentes] fixed template
    b72075708 [Javier Fuentes] fixes
    430b92d38 [Javier] added parameter and doc
---
 conf/zeppelin-site.xml.template                              |  8 ++++++++
 docs/setup/security/http_security_headers.md                 | 12 +++++++++++-
 .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java |  5 +++++
 .../main/java/org/apache/zeppelin/server/ZeppelinServer.java |  2 +-
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 604a8eb..d355003 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -559,6 +559,14 @@
 
 <!--
 <property>
+    <name>zeppelin.server.send.jetty.name</name>
+    <value>false</value>
+    <description>If set to false, will not show the Jetty version to prevent 
Fingerprinting</description>
+</property>
+-->
+
+<!--
+<property>
     <name>zeppelin.server.jetty.request.header.size</name>
     <value>8192</value>
     <description>Http Request Header Size Limit (to prevent HTTP 
413)</description>
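Review bot: The description added for `zeppelin.server.send.jetty.name` overstates what the switch achieves: the commit's own curl output with the value set to false still returns Jetty's stock error page (`Problem accessing /nonexisting. Reason:` in a `text/html;charset=iso-8859-1` body), so the server remains recognisable as Jetty and only the version string is withheld. The sample value `false` also differs from the code default `true` declared in ZeppelinConfiguration, and the template does not say which is the default. I would reword it to `<description>If set to false, omit the Jetty version from the Server header and from Jetty's default error pages (reduces, but does not prevent, fingerprinting). Default: true.</description>`.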
diff --git a/docs/setup/security/http_security_headers.md 
b/docs/setup/security/http_security_headers.md
index b93e0e1..95dcd2d 100644
--- a/docs/setup/security/http_security_headers.md
+++ b/docs/setup/security/http_security_headers.md
@@ -121,4 +121,14 @@ The below property to mask Jetty server version is enabled 
by default and config
 </property>
 ```
 
-The value can be any "String". Removing this property from configuration will 
cause Zeppelin to send correct Jetty server version.
\ No newline at end of file
+The value can be any "String". Removing this property from configuration will 
cause Zeppelin to send correct Jetty server version.
+
+Also, it can be removed the from response headers and from 300/400/500 HTTP 
response pages.
+
+```xml
+<property>
+    <name>zeppelin.server.send.jetty.name</name>
+    <value>false</value>
+    <description>If set to false, will not show the Jetty version to prevent 
Fingerprinting</description>
+</property>
+```
diff --git 
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
 
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 8ce9ac3..5637e1c 100644
--- 
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ 
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -684,6 +684,10 @@ public class ZeppelinConfiguration extends 
XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
   }
 
+  public boolean sendJettyName() {
+    return getBoolean(ConfVars.ZEPPELIN_SERVER_SEND_JETTY_NAME);
+  }
+
   public Integer getJettyRequestHeaderSize() {
     return getInt(ConfVars.ZEPPELIN_SERVER_JETTY_REQUEST_HEADER_SIZE);
   }
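Review bot: `sendJettyName()` is added without Javadoc, and its name reads as if it controlled whether the adjacent `zeppelin.server.jetty.name` value (returned by the getter just above it) is sent, whereas it maps to Jetty's `HttpConfiguration.setSendServerVersion` switch. A one-line Javadoc would remove that ambiguity: `/** Whether Jetty may emit its own version in the Server header and on its default error pages; backs HttpConfiguration#setSendServerVersion. Default true. */`. The enclosing class continues outside this hunk.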
@@ -983,6 +987,7 @@ public class ZeppelinConfiguration extends XMLConfiguration 
{
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", 
false),
     ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", 
"SAMEORIGIN"),
     ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", " "),
+    ZEPPELIN_SERVER_SEND_JETTY_NAME("zeppelin.server.send.jetty.name", true),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MAX("zeppelin.server.jetty.thread.pool.max", 
400),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MIN("zeppelin.server.jetty.thread.pool.min", 
8),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_TIMEOUT("zeppelin.server.jetty.thread.pool.timeout",
 30),
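Review bot: `ZEPPELIN_SERVER_SEND_JETTY_NAME` defaults to `true`, which makes the version suppression opt-in, while the neighbouring `ZEPPELIN_SERVER_JETTY_NAME` (default `" "`) already masks the Server header by default according to the docs hunk in this commit. Having one Jetty-disclosure control secure by default and the other not is inconsistent, and the docs example and template sample both show `false`, so readers may assume that is the default. If a `false` default is rejected as a behaviour change, at least document the default next to the property, e.g. `// true keeps Jetty's version in Server header/error pages; see ZeppelinServer`. The enum continues outside this hunk.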
diff --git 
a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java 
b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index ec11e4b..fa8e6b8 100644
--- 
a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ 
b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -314,13 +314,13 @@ public class ZeppelinServer extends ResourceConfig {
     ServerConnector connector;
     HttpConfiguration httpConfig = new HttpConfiguration();
     httpConfig.addCustomizer(new ForwardedRequestCustomizer());
+    httpConfig.setSendServerVersion(conf.sendJettyName());
     if (conf.useSsl()) {
       LOG.debug("Enabling SSL for Zeppelin Server on port {}", sslPort);
       httpConfig.setSecureScheme("https");
       httpConfig.setSecurePort(sslPort);
       httpConfig.setOutputBufferSize(32768);
       httpConfig.setResponseHeaderSize(8192);
-      httpConfig.setSendServerVersion(true);
 
       HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
       SecureRequestCustomizer src = new SecureRequestCustomizer();
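Review bot: Applying `setSendServerVersion` to `httpConfig` before the TLS branch is right, since `httpsConfig` is copied from it on the line above, but the commit claims it also strips the version from 300/400 error pages, and that part depends on Jetty's default ErrorHandler consulting the connector's HttpConfiguration; if Zeppelin installs its own ErrorHandler elsewhere (not visible in this hunk) the footer would not be affected, so a test fetching a 404 under both settings would be stronger than "Travis should pass". The interaction with `zeppelin.server.jetty.name`, which masks the Server header through a different path, is also undocumented here; presumably setting this to false omits the header entirely regardless of that value, but that should be confirmed and noted. I would annotate the new line: `// controls both the Server header and the "Powered by Jetty" footer on Jetty's default error pages`. The enclosing method starts before and ends after this hunk.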
