Hello, I was trying to follow some instructions to improve the server security yet I am not sure why it is not working. I have "Apache/2.2.22 (Debian)" Debian 7.11 What I was trying to insert into apache2.conf is as follows: Code: # START - Disable server signature # # ServerSignature Off # END - Disable server signature # # START - Security Headers - X-Content-Type: nosniff # X-Content-Type-Options: nosniff # END - Security Headers - X-Content-Type: nosniff # START - Security Headers - X-Frame-Options # X-Frame-Options: SAMEORIGIN # END - Security Headers - X-Frame-Options # START - Security Headers - X-XSS-Protection # Header always set X-XSS-Protection: 1; mode=block # X-Xss-Protection "1; mode=block" # END - Security Headers - X-XSS-Protection Whenever I added those line I can not reload apache. [FAIL] Reloading web server config: apache2 failed! What am I doing wrong? Here is the only error I find in logs: [Sun Oct 09 11:39:02 2016] [error] python_init: Python version mismatch, expected '2.7.2+', found '2.7.3'. [Sun Oct 09 11:39:02 2016] [error] python_init: Python executable found '/usr/bin/python'. [Sun Oct 09 11:39:02 2016] [error] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-linux2:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'. Thanks in advance,
All lines in the above config are commented out, so it should not have any influence on the apache config. My guess is that you changed something else as well (might be days before) without restarting apache at that time which now causes apache to fail.
Hi Till, Thanks for the quick response, my apologies that I posted what is there now to get the apache working here is what I want to do that breaks and that is the reason I comment them out. Code: # START - Disable server signature # ServerSignature Off # END - Disable server signature # # START - Security Headers - X-Content-Type: nosniff X-Content-Type-Options: nosniff # END - Security Headers - X-Content-Type: nosniff # START - Security Headers - X-Frame-Options X-Frame-Options: SAMEORIGIN # END - Security Headers - X-Frame-Options # START - Security Headers - X-XSS-Protection Header always set X-XSS-Protection: 1; mode=block # X-Xss-Protection "1; mode=block" # END - Security Headers - X-XSS-Protection Concerning the X-XSS-Protection, I am alternating between two rules Code: Header always set X-XSS-Protection: 1; mode=block or Code: X-Xss-Protection "1; mode=block" but no luck with either. Thanks,
Did you enable mod_header in apache? It might also be that there are other modules necessary or that the config options are not available in your apache version. You should check in the apache manual which modules and apache versions are required for these commands and if your setup has these modules and the right apache version installed.
