Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

Add configuration flag to hide kong headers #1009

Closed elruwen closed 7 years ago

elruwen commented 8 years ago

Hi!

If I currently do a kong request, the response contains the following headers: {'server': 'Apache-Coyote/1.1', 'via': 'kong/0.6.1', 'x-kong-proxy-latency': '0', 'x-kong-upstream-latency': '79'}

Server is the value from the upstream server, the rest is set by kong. While this is nice for debugging, I would prefer to hide those values from the public.

It would be nice to have a configuration flag to turn the exposure off.

Cheers Ruwen

BrianHutchison commented 8 years ago

+1

thibaultcha commented 8 years ago

This also overlaps with #324, just in case someone is looking into it.

markyjones commented 8 years ago

I suspect others have already found workarounds for this, but the simplest I have found is to add the following statements to the /etc/kong/kong.yml file to modify the nginx configuration.

        # Add additional response headers
        header_filter_by_lua_block {
           kong.header_filter()
           ngx.header["Server"] = nil
           ngx.header["Via"] = nil
           ngx.header["X-Kong-Proxy-Latency"] = nil
           ngx.header["X-Kong-Upstream-Latency"] = nil
        }

manchuck commented 8 years ago

Where would this go in the kong.conf for 0.9.1?

mleace commented 7 years ago

Try modifying /usr/local/share/lua/5.1/kong/templates/kong/templates/nginx_kong.lua and restart Kong.

elruwen commented 7 years ago

Hmm we run Kong on EC2 instances and simply install the kong rpm. Of course we can write some script, package it and let it do this modification. But it would be nice if there is a cleaner way.

gabel commented 7 years ago

The response transfer plugin can only remove the X-Powered-By header but all others seem to be added later.

@elruwen You can have a look at https://github.com/Mashape/kong/issues/1842#issuecomment-262719479 perhaps this is a better way to solve it.

thibaultcha commented 7 years ago

#2259 was just merged and allows doing this, thanks to @bungle. Expect this to be released in the coming weeks. Thanks!

ankit2894 commented 5 years ago

I tried adding the above-mentioned configuration to the nginx_kong.conf file and restarted the Kong server; in the meantime the file got overwritten with the default configuration and my changes disappeared. Please help me start the Kong server with a custom nginx_kong.conf.

elruwen commented 5 years ago

We are currently doing the following:

There is the file /usr/local/share/lua/5.1/kong/templates/nginx.lua (the exact path might be different on your system).

We added to the http section the following lines:

    more_clear_headers 'Server';
    server_tokens off;

Edenshaw commented 4 years ago

I found a solution for Kong 1.4.X (using database deployment, meaning there's no kong.yaml)

Execute elruwen's solution by editing the following file:

    sudo vim /usr/local/share/lua/5.1/kong/templates/nginx.lua

You will find something like this:

    http {
    >  if #proxy_listeners > 0 or #admin_listeners > 0 then
        include 'nginx-kong.conf';
    > end
    }

Modify it by adding elruwen's line, like this (if you add the line server_tokens off; kong won't start):

    http {
    >  if #proxy_listeners > 0 or #admin_listeners > 0 then
        include 'nginx-kong.conf';
    > end
        more_clear_headers 'Server';
    }

Go and edit your kong.conf file:

    sudo vim /etc/kong/kong.conf

Search for the headers section and edit it:

From this:

    headers = server_tokens, latency_tokens

to this:

    headers = off

Restart Kong.

Kishorelk commented 4 years ago

How to remove the headers server:0.13.1 version

SteveRuben commented 4 years ago

How to remove the headers Server: kong/2.0.0 and use our own certificate in nginx?

hishamhm commented 4 years ago

@Tryptich @Kishorelk See the documentation for the headers entry at: https://docs.konghq.com/2.1.x/configuration/#headers

It shouldn't be necessary to edit the nginx template; editing kong.conf should be sufficient. Note that in that case, by disabling Kong's Server header, it will still proxy the Server value provided by the upstream service.
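
An added example, not part of the original thread or of Kong's own code: a shell check that reads a response header block (as printed by `curl -sI`) and separates the headers Kong itself adds from an upstream `Server` value that is still proxied after `headers = off`. The function names and both sample responses are constructed for illustration from the header values quoted in this issue.

```shell
#!/bin/sh
# Audit a raw HTTP response header block read on stdin.
# Prints one finding per line. Exit status is 1 if Kong itself still
# discloses information, 0 if only upstream values (or nothing) remain.
audit_kong_headers() {
    tr -d '\r' | awk '
        {
            # Split "Name: value" at the first colon; skip the status line.
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            lvalue = tolower(value)
        }
        # Headers added by Kong: Via, X-Kong-*, and a Server value naming kong.
        name == "via" && lvalue ~ /kong/     { print "KONG via: " value; leaks++; next }
        name ~ /^x-kong-/                    { print "KONG " name ": " value; leaks++; next }
        name == "server" && lvalue ~ /^kong/ { print "KONG server: " value; leaks++; next }
        # Any other Server value comes from the upstream and is passed through.
        name == "server"                     { print "UPSTREAM server: " value; next }
        END { exit (leaks > 0 ? 1 : 0) }
    '
}

# Constructed sample: response with Kong's default headers enabled.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nVia: kong/0.6.1\r\n'
    printf 'X-Kong-Proxy-Latency: 0\r\nX-Kong-Upstream-Latency: 79\r\n\r\n'
}

# Constructed sample: same upstream after setting "headers = off" in kong.conf.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n'
}

# Demo on the constructed samples. Against a live gateway the input would be
# `curl -sI <gateway-url>` (placeholder URL) piped into audit_kong_headers.
echo "before:"; sample_before | audit_kong_headers || true
echo "after:";  sample_after  | audit_kong_headers || true
```

An `UPSTREAM server:` finding means the remaining disclosure has to be fixed at the upstream service or by clearing the header in the proxy, since `headers = off` only stops Kong's own values.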