tinyproxy / tinyproxy

tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems
GNU General Public License v2.0

How to hide tinyproxy version information? #424

Open xiaomuwu831 opened 2 years ago

xiaomuwu831 commented 2 years ago

The tinyproxy version I am using is 1.11.0. I want to hide the version information of tinyproxy, like this:

curl -I localhost:8888

HTTP/1.0 400 Bad Request
Server: tinyproxy/1.11.0
Content-Type: text/html

I want to hide "Server: tinyproxy/1.11.0".

rofl0r commented 2 years ago

in src/html-error.c, remove this line

"Server: %s/%s\r\n"

and below it, replace

code, message, PACKAGE, VERSION,

with

code, message,

rofl0r commented 2 years ago

you might also want to patch the similar line in src/utils.c: "Server: " PACKAGE "/" VERSION,

generally i think it's bad practice for internet services to publish their exact version number, which makes it easy for hackers to target them for exploits. so maybe we should add something to disable this completely.

xiaomuwu831 commented 2 years ago

I installed tinyproxy on an Ubuntu EC2 instance using the command "apt-get install tinyproxy".

If I want to hide the version information, is it possible to modify only the executable file "/usr/sbin/tinyproxy"?

rofl0r commented 2 years ago

it's theoretically possible with a hex editor, but since you'd need to compile anyway to see where the changes kick in, it's better to just compile it from source.
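After rebuilding from patched source, the result can be verified with a header check like the one below. This is an added example, not part of the thread and not tinyproxy code; the function names and the "after" sample are assumptions, and the "before" sample is the response quoted in the issue.

```shell
#!/bin/sh
# Added example (function names are hypothetical): detect a Server header
# that still discloses a product/version pair such as "tinyproxy/1.11.0".

# Read HTTP response headers on stdin and print every Server header value
# containing a "/<digit>" version token.
# Exit status: 0 = a version is disclosed, 1 = nothing disclosed.
leaked_server_versions() {
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)   # strip the header name
            if (value ~ /\/[0-9]/) { print value; found = 1 }
        }
        END { exit !found }
    '
}

# Fetch headers the same way the issue does (curl -I) and check them.
# Not called here, so the script runs offline.
check_proxy() {   # usage: check_proxy localhost 8888
    curl -sI --max-time 5 "http://$1:$2/" | leaked_server_versions
}

# Constructed samples: the response quoted in the issue, and the response
# assumed for a build with the Server line removed.
sample_before='HTTP/1.0 400 Bad Request
Server: tinyproxy/1.11.0
Content-Type: text/html'
sample_after='HTTP/1.0 400 Bad Request
Content-Type: text/html'

for sample in "$sample_before" "$sample_after"; do
    if leaked=$(printf '%s\n' "$sample" | leaked_server_versions); then
        echo "DISCLOSED: $leaked"
    else
        echo "ok: no versioned Server header"
    fi
done
```

Because the thread names two places in the source that emit the header, run the check against every kind of response the proxy generates itself, not only the 400 error shown in the issue.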