emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0
4.35k stars 680 forks

Unable to remove `Server` header #2386

Open riker09 opened 4 years ago

riker09 commented 4 years ago

Describe the bug

I cannot remove the Server header from the responses.

To Reproduce

Steps to reproduce the behavior:

  1. Create the host, service and mapping from the getting started examples
  2. Modify the Mapping
    apiVersion: getambassador.io/v2
    kind: Mapping
    metadata:
      name: quote-backend
      namespace: volker
    spec:
      remove_response_headers:
      - x-envoy-upstream-service-time
      - server
      add_response_headers:
        server: MyServerHeaderValue
      prefix: /backend/
      service: quote
  3. curl the response with `curl -I https://your-server.org/backend/`
  4. See Server header is still there
    HTTP/1.1 200 OK
    content-type: application/json
    date: Fri, 06 Mar 2020 12:10:01 GMT
    content-length: 163
    server: envoy

Expected behavior

Server header value should be MyServerHeaderValue

Versions (please complete the following information):

Additional context

This is an ongoing issue: https://github.com/datawire/ambassador/issues/307#issuecomment-412501905

[EDIT] I tried all combinations: Removing the server header. Adding a server header (overwriting). Removing the header and adding a new one. All show the same behaviour.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

riker09 commented 4 years ago

This is certainly one way to get rid of open issues. Auto-close them by a bot because they were never acknowledged.

I know this is not a super high priority issue, but total neglect makes me wonder how serious you are about your open source engagement.

balixiao commented 4 years ago

@riker09 It looks like Envoy doesn't support removing the server header from the response. But you can use the ambassador Module to change the server value.

    apiVersion: getambassador.io/v2
    kind: Module
    metadata:
      name: ambassador
    spec:
      config:
        server_name: MyServerHeaderValue

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

doc-olliday commented 3 years ago

Hi, we face the same issue. Even the definition of another server_name value in Module doesn't work. It still sends the response header 'server: envoy'.

Is there any news on that?

derek-burdick commented 2 years ago

Hi, this is a very common security requirement. Can you please look at adding support for server_header_transformation=PASS_THROUGH?
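
For reference, the Envoy setting named in the comment above, shown in a raw Envoy v3 listener fragment. This is an added example, not part of the thread and not an Emissary resource; the listener name, port and stat prefix are placeholders, and the `quote` cluster and `/backend/` prefix are taken from the Mapping in the issue.

```yaml
# Added illustration: raw Envoy bootstrap fragment (placeholder names marked).
static_resources:
  listeners:
  - name: example_listener            # placeholder
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }   # placeholder port
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http   # placeholder
          # server_header_transformation values:
          #   OVERWRITE (default): replace any Server header with server_name
          #                        (server_name defaults to "envoy")
          #   APPEND_IF_ABSENT:    add "server: <server_name>" only when the
          #                        upstream response has no Server header
          #   PASS_THROUGH:        keep the upstream value and add nothing
          #                        when the upstream sends none
          server_header_transformation: PASS_THROUGH
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/backend/" }
                route: { cluster: quote }
              # With PASS_THROUGH the connection manager no longer writes its
              # own Server header, so an upstream-supplied one is subject to
              # the route configuration's header removal list.
              response_headers_to_remove:
              - server
              - x-envoy-upstream-service-time
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```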

aromero15 commented 2 years ago

Hi, is there any work in progress to add support for this requirement? Removing server name from header response

mmzip01 commented 1 year ago

Any update on this? We also need to dynamically set this value.

cindymullins-dw commented 1 year ago

Server_name on the Module should be the setting for this, but it sounds like that is not working, at least in some cases. Just for context, is this primarily a security concern to hide the software/source of the server response?

riker09 commented 1 year ago

> is this primarily a security concern to hide the software/source of the server response?

It is for me (at least)