luraproject / lura

Ultra performant API Gateway with middlewares. A project hosted at The Linux Foundation
https://luraproject.org

ENH: Ability to remove all X-Krakend* headers from response #727

Open meshenka opened 2 months ago

meshenka commented 2 months ago

The KrakenD Gateway leaks its technology. I want to completely remove the X-Krakend, X-Krakend-Completed and any X-Krakend headers from the response.

Describe the solution you'd like
A router configuration to be able to remove those headers.

Describe alternatives you've considered
I already obfuscate the gateway version. Outside of this new configuration, the only option I can think of is putting an nginx in front of KrakenD to remove those headers.

Additional context

curl -v https://*********                      
* Host *******:443 was resolved.
* IPv6: (none)
* IPv4: **.***.**.***
*   Trying **********:443...
* Connected to ******** (********) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=**********
*  start date: Jul  9 20:08:55 2024 GMT
*  expire date: Oct  7 21:02:47 2024 GMT
*  subjectAltName: host "**************" matched cert's "*************"
*  issuer: C=US; O=Google Trust Services; CN=WR3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://*************
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: **********]
* [HTTP/2] [1] [:path: *******]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET /****** HTTP/2
> Host: **************
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/2 200 
< content-security-policy: default-src 'self';
< content-type: application/json; charset=utf-8
< referrer-policy: no-referrer
< vary: Origin
< x-content-type-options: nosniff
< x-correlation-id: **********************
< x-frame-options: DENY
< x-krakend: Version *****-v2.17.1
< x-krakend-completed: true
< x-xss-protection: 1; mode=block
< date: Fri, 12 Jul 2024 13:48:13 GMT
< via: 1.1 google
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 

< x-krakend: Version *****-v2.17.1
< x-krakend-completed: true

These need to go away.

Related to https://github.com/luraproject/lura/issues/445 but not quite what I need.
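One way to implement the requested stripping at the Go net/http layer, as an added example that is neither Lura's code nor the linked PR: a response-writer wrapper that deletes every header with a given prefix at the moment the headers are committed, so X-Krakend and X-Krakend-Completed never reach the client while unrelated headers survive. The middleware name, handler and header values are constructed for the demo.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// stripWriter wraps an http.ResponseWriter and drops every response header whose name
// starts with prefix when the headers are committed (first WriteHeader or Write).
type stripWriter struct {
	http.ResponseWriter
	prefix    string // lower-cased prefix to match
	committed bool
}
func (w *stripWriter) strip() {
	if w.committed { return }
	w.committed = true
	for name := range w.Header() { // deleting while ranging is safe in Go
		if strings.HasPrefix(strings.ToLower(name), w.prefix) {
			delete(w.Header(), name) // raw delete also catches non-canonical keys
		}
	}
}
func (w *stripWriter) WriteHeader(code int) { w.strip(); w.ResponseWriter.WriteHeader(code) }
func (w *stripWriter) Write(b []byte) (int, error) { w.strip(); return w.ResponseWriter.Write(b) }

// StripHeaderPrefix (hypothetical name, not a Lura API) hides every header whose name starts
// with prefix, case-insensitively: "X-Krakend" covers X-Krakend and X-Krakend-Completed alike.
func StripHeaderPrefix(prefix string, next http.Handler) http.Handler {
	p := strings.ToLower(prefix)
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		sw := &stripWriter{ResponseWriter: rw, prefix: p}
		next.ServeHTTP(sw, r)
		sw.strip() // handler may write nothing; net/http commits headers on return
	})
}

// demoHandler mimics the header set from the curl capture above (constructed values).
var demoHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Krakend", "Version PLACEHOLDER-v2.17.1")
	w.Header().Set("X-Krakend-Completed", "true")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write([]byte(`{"ok":true}`))
})

// RunDemo sends one request through the middleware and returns the headers a client would see.
func RunDemo() http.Header {
	rec := httptest.NewRecorder()
	StripHeaderPrefix("X-Krakend", demoHandler).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}
```

Stripping at the gateway removes the fingerprint for every route at once, which is the same effect the nginx-in-front workaround buys, without the extra hop.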

meshenka commented 2 months ago

Just submitted a first idea, not sure it should be done like that. Let me know.

alombarte commented 1 week ago

Hi @meshenka,

Thanks for the associated PR #728. The truth is that Lura is not KrakenD. When KrakenD donated the framework to the Linux Foundation, a significant effort was made to "rebrand" everything in the source code and set it to Lura. KrakenD strings were removed from everywhere. This is the last thing standing, and it must go away.

While KrakenD (Enterprise) allows you to remove these headers (https://www.krakend.io/docs/enterprise/service-settings/response-headers-modifier/#example-remove-x-krakend-headers), and this is irrelevant to this conversation, Lura should not have any KrakenD string in the source code.

The future of Lura is removing all the routers and leaving the core packages only because it is not viable to maintain them all. The KrakenD headers will disappear from Lura when this is done.