Ood-portal.conf security headers location

What is the best way to add Apache directives that turn on and off security features? For example, we normally add things like this:

  • FileETag None
  • TraceEnable off
  • Header unset "X-Powered-By"
  • Header unset "Via"
  • Header unset "ETag"

to our Apache configs. I have been abusing the ssl: YAML tag in my ood_portal.yml file as it seems to get the flags in there appropriately. Is there another tag I should be using? Or should I be placing items like that in another config file completely, and not configure it with Open OnDemand?

What directive do you usually put those under? Is it under the entire VirtualHost or the Directory or a Location? If you are overloading the ssl tag I’m guessing you put these for the entire VirtualHost. You could also overload the auth directive to embed those settings under the various Location and LocationMatch blocks that require authentication.

There is an issue for this: Support adding arbitrary Apache directives to sections of ood-portal.conf · Issue #708 · OSC/ondemand · GitHub. If that proposed solution looks like it might work, let us know and we can try and get this into the future 2.1 release.
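
Whichever tag carries the directives, the scope they end up in can be checked in the generated config. The following is an added example, not from the thread or the Open OnDemand project: a small Python check that reports which section each of the directives listed in the question sits in. The sample config is constructed, and the function names are hypothetical.

```python
import re

# Hardening directives from the question, normalised: lowercase, quotes removed.
WANTED = ["fileetag none", "traceenable off", "header unset x-powered-by",
          "header unset via", "header unset etag"]

OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")   # e.g. <Location "/pun">
CLOSE = re.compile(r"</\s*[A-Za-z]+\s*>")       # e.g. </Location>

def directive_scopes(conf_text):
    """Return {directive: [enclosing section path, ...]} for each wanted directive."""
    stack, found = [], {d: [] for d in WANTED}
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())            # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif (m := OPEN.fullmatch(line)):
            stack.append(m.group(1))
        else:
            key = line.lower().replace('"', "")
            if key in found:
                found[key].append("/".join(stack) or "server")
    return found

def not_site_wide(found):
    """Directives that never appear at server or bare VirtualHost level."""
    return [d for d, scopes in found.items()
            if not any(s in ("server", "VirtualHost") for s in scopes)]

# Constructed sample, shaped like a generated ood-portal.conf (not real output).
SAMPLE = """\
<VirtualHost *:443>
  ServerName ondemand.example.org
  SSLEngine On
  FileETag None
  TraceEnable off
  Header unset "X-Powered-By"
  Header unset "Via"
  <Location "/pun">
    AuthType Basic
    Require valid-user
    Header unset "ETag"
  </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    scopes = directive_scopes(SAMPLE)
    for directive, where in scopes.items():
        print(f"{directive:28} {where or 'MISSING'}")
    print("not site-wide:", not_site_wide(scopes))
```

A directive reported only under a Location path applies to that path alone, so responses served from the rest of the VirtualHost keep the header.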