
Apache: Get rid of Keep-Alive entry in the headers list

I'm using LAMP (Linux, Apache, MySQL, PHP) server.

Currently the server sends the response with the following Headers list. I want to eliminate the Keep-Alive entry for security reasons, to have the Headers list without it. Is it possible to prevent sending the Keep-Alive entry in the Headers list?

Current Response Headers:

Cache-Control   private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection  Keep-Alive
Content-Encoding    gzip
Content-Type    text/html; charset=UTF-8
Date    Thu, 13 Mar 2014 01:43:49 GMT
Expires Thu, 13 Mar 2014 01:43:49 GMT
Keep-Alive  timeout=5, max=200
Last-Modified   Thu, 13 Mar 2014 01:43:49 GMT
Pragma  no-cache
Server  Apache
Transfer-Encoding   chunked
Vary    Accept-Encoding
X-DNS-Prefetch-Control  off
X-Frame-Options sameorigin

Response Headers I Would Like Instead:

Cache-Control   private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection  Keep-Alive
Content-Encoding    gzip
Content-Type    text/html; charset=UTF-8
Date    Thu, 13 Mar 2014 01:43:49 GMT
Expires Thu, 13 Mar 2014 01:43:49 GMT
Last-Modified   Thu, 13 Mar 2014 01:43:49 GMT
Pragma  no-cache
Server  Apache
Transfer-Encoding   chunked
Vary    Accept-Encoding
X-DNS-Prefetch-Control  off
X-Frame-Options sameorigin

To my knowledge, no. The whole purpose of the Keep-Alive header is to communicate the need for a persistent connection to the client. So getting rid of the headers gets rid of the main form of communication between the client & the server.

That said, you might be able to get it unset by using unset in your Apache config or .htaccess as explained here. I emphasize might since I have had header directives not behave as expected in some versions of Apache. But assuming good faith, first be sure the headers module is enabled. In Ubuntu 12.04 you would do this:

sudo a2enmod headers

And then add this to your Apache config or .htaccess:

<IfModule mod_headers.c>
  Header unset Keep-Alive
</IfModule>

Now restart Apache:

sudo service apache2 restart

More details on the header directive are here.

There are a few ways to do this in Apache:

  1. Server-wide using the KeepAlive directive (KeepAlive). However, you cannot have this in per-directory configuration files, so setting KeepAlive Off will turn off keep-alive for the entire server.

  2. Using SetEnv or SetEnvIf with mod_env, and setting the nokeepalive environment variable. This will turn off keep-alive for the location where the environment variable is set, or the rule that is matched by SetEnvIf (depending on which you use). E.g.

    # can be in .htaccess
    SetEnv nokeepalive 1

  3. Using mod_rewrite to again set the environment variable for a specific rule, e.g.

    RewriteRule some-file.html - [E=nokeepalive:1]

  4. Using PHP (or any other server-side language) and sending the header Connection: close. This will cause Apache to omit the Keep-Alive header, since the connection is no longer keep-alive. E.g.

    <?php
    // Must run before any output is sent to the client.
    header('Connection: close');

  5. Use mod_headers to set the connection header to close again, e.g.

    Header set Connection "close"

I personally have not tested the last one, but it should work.

KeepAlive behavior (availability and timeouts) is directly configurable: http://httpd.apache.org/docs/2.4/mod/core.html#keepalive

Changing this is primarily an aspect of performance rather than security, but you're free to test the implications in your own environment.
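
A way to check the result of any of the approaches above, as an added example that is not part of the original posts: it reads a raw response head and reports whether the connection is still persistent and whether Keep-Alive parameters are advertised. The header values come from the question; the status lines and the `Connection: close` sample are constructed, and the function names are hypothetical.

```python
# Added example: classify connection persistence from a raw HTTP response head.
# Header values are taken from the question; the status lines and the
# CLOSED sample are constructed for illustration.

CURRENT = """HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=200
Server: Apache
"""

DESIRED = """HTTP/1.1 200 OK
Connection: Keep-Alive
Server: Apache
"""

CLOSED = """HTTP/1.1 200 OK
Connection: close
Server: Apache
"""


def parse_head(raw):
    """Return (http_version, {lowercased header name: value})."""
    lines = raw.strip().splitlines()
    version = lines[0].split()[0]  # e.g. "HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, headers


def connection_report(raw):
    """Report persistence (per Connection/version) and Keep-Alive disclosure."""
    version, headers = parse_head(raw)
    conn = headers.get("connection", "")
    tokens = {t.strip().lower() for t in conn.split(",") if t.strip()}
    if "close" in tokens:
        persistent = False                    # explicit close always wins
    elif version == "HTTP/1.1":
        persistent = True                     # HTTP/1.1 is persistent by default
    else:
        persistent = "keep-alive" in tokens   # HTTP/1.0 needs an explicit opt-in
    return {"persistent": persistent,
            "advertises_keepalive": "keep-alive" in headers}


if __name__ == "__main__":
    for label, raw in (("current", CURRENT), ("desired", DESIRED), ("closed", CLOSED)):
        print(label, connection_report(raw))
```

The header list the question asks for still reports a persistent connection: removing the Keep-Alive header only stops the timeout and max values from being disclosed, while `Connection: close` is what ends persistence.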
