How to hide Jetty version from responses?

Hi everyone!

I’d like to hide the Jetty version from Jitsi error responses.

For example, if an error response is returned from the JVB it will show something like this in the browser:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 405 HTTP method GET is not supported by this URL</title>
</head>
<body><h2>HTTP ERROR 405 HTTP method GET is not supported by this URL</h2>
<table>
<tr><th>URI:</th><td> ... </td></tr>
<tr><th>STATUS:</th><td>405</td></tr>
<tr><th>MESSAGE:</th><td>HTTP method GET is not supported by this URL</td></tr>
<tr><th>SERVLET:</th><td>org.jitsi.videobridge.websocket.ColibriWebSocketServlet-24c4ddae</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.35.v20201120</a><hr/>

</body>
</html>

I don’t want to expose the Jetty version and want to hide the Powered by Jetty ... part for security concerns.

After checking a few Stack Overflow posts about this topic, I’ve found that it’s possible by setting jetty.httpConfig.sendServerVersion=false, but I couldn’t find how to do that in the JVB code.

Hi,

I am also trying to hide the Jetty version but cannot solve the problem that you mentioned. Any suggestions are welcome :slight_smile:

I’ve tried with Jitsi and it also shows the Jetty version.

Here is the full URL:
https://meet-jit-si-eu-central-1a-s12-jvb-40-102-116.jitsi.net/colibri-ws/default-id/37c6cf8b15f147d5/ad81ae50?pwd=2jhdjde57i3m77pbcniecqnd80

We currently don’t have code to set this jetty option, but we would accept it as a contribution. If anyone is interested in making a PR I’ll help out and review. You’d start here:

I think what’s needed is to apply sendServerVersion to the HttpConfiguration, but that needs to be tested.

Boris


You can intercept the error messages coming from the proxy in nginx:

location ~ ^/colibri-ws/default-id/(.*) {
   ...
   ...
   proxy_intercept_errors on;
   error_page 405 /body.html;
}

body.html is an empty page in /usr/share/jitsi-meet. You can use your custom one.

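A way to confirm that either fix (the Jetty `sendServerVersion` option or the nginx interception) actually removed the banner, as an added example that is not part of the original thread or of the Jitsi code. The function name, the `SAMPLES` responses and the 404 case are constructed here, assuming only the `error_page 405` rule shown above is configured.

```python
import re

# Jetty version strings look like 9.4.35.v20201120 (the value shown on this page).
VER = r"\d+\.\d+\.\d+[\w.\-]*"
HEADER_BANNERS = {
    "Server header": re.compile(r"^Server:\s*Jetty\((" + VER + r")\)", re.I | re.M),
    "X-Powered-By header": re.compile(r"^X-Powered-By:\s*Jetty\((" + VER + r")\)", re.I | re.M),
}
BODY_BANNER = re.compile(r"Powered by Jetty://\s*(" + VER + r")?", re.I)


def find_jetty_leaks(raw_response):
    """Return [(location, version)] for every Jetty banner in a raw HTTP response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    leaks = []
    for location, pattern in HEADER_BANNERS.items():
        match = pattern.search(head)
        if match:
            leaks.append((location, match.group(1)))
    match = BODY_BANNER.search(body)
    if match:
        leaks.append(("error page footer", match.group(1) or "no version"))
    return leaks


# Constructed sample responses (not captured traffic).
FOOTER = '<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.35.v20201120</a><hr/>'
SAMPLES = {
    # Default Jetty error page, reached directly.
    "direct 405": "HTTP/1.1 405 Method Not Allowed\r\nServer: Jetty(9.4.35.v20201120)\r\n\r\n"
                  "<html><body><h2>HTTP ERROR 405</h2>" + FOOTER + "</body></html>",
    # Same request through nginx with error_page 405: body replaced by the empty page.
    "nginx 405": "HTTP/1.1 405 Method Not Allowed\r\nServer: nginx\r\n\r\n",
    # A status with no error_page entry passes through with Jetty's body.
    "nginx 404": "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"
                 "<html><body><h2>HTTP ERROR 404</h2>" + FOOTER + "</body></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, find_jetty_leaks(raw) or "clean")
```

The 404 sample shows why the check should be run against every error status the bridge can return, not only 405.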

I’ve created a PR.
Could you please review it when you’re available?