mholt / caddy-ratelimit

HTTP rate limiting module for Caddy 2
Apache License 2.0

Plugin does not honor the header directive #3

Closed cemremengu closed 3 years ago

cemremengu commented 3 years ago

In our Caddyfile we remove the Server header with `-Server`. However, when the plugin returns a 429 error, it adds the Server header back, not respecting the config. How can we prevent this?

    {
        order rate_limit before basicauth
    }
    :8443 {
        tls /etc/ssl/my.crt /etc/ssl/my.key
        header {
            -Server
            Strict-Transport-Security max-age=31536000;
            X-Content-Type-Options nosniff
            X-Frame-Options DENY
            Referrer-Policy no-referrer-when-downgrade
            X-XSS-Protection "1; mode=block"
        }
        encode gzip
        log {
            output discard
        }
        reverse_proxy http://my-api:8080
        rate_limit {
            distributed
            zone static_example {
                key    static
                events 5
                window 1m
            }
        }
    }
francislavoie commented 3 years ago

I think after rate_limit, it goes through the error handler chain if the request was rejected. So I think you'll need to configure handle_errors as well and remove the header in there.

cemremengu commented 3 years ago

Here is a solution with handle_errors:

    handle_errors {
        # Named matcher for rate-limit rejections: the matcher body is required,
        # a bare "@429" line is a Caddyfile syntax error.
        @429 expression {http.error.status_code} == 429
        header {
            -Server
        }
        # Without an explicit status, respond would answer with 200; keep the 429.
        respond @429 "The service cannot be reached. Please wait a while!" 429
    }
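A quick way to confirm the fix is to capture a rate-limited response and check two things: the status is 429 and no Server header survived. The script below is an added example, not part of the issue thread or the caddy-ratelimit project; it works on raw `curl -sSi` output, and the two responses embedded in it are constructed samples standing in for a live capture (one shows the leak reported above, the other the expected result after `handle_errors`).

```shell
#!/bin/sh
# Added example: verify that a 429 from the rate_limit handler carries no Server header.
# check_response takes raw HTTP response text such as `curl -sSi URL` prints.
# Live usage (not run here):
#   check_response "$(curl -sSi https://localhost:8443/)"

# Print the status code from the first line of a raw response (CRs removed).
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}'
}

# Exit 0 if a Server header is present in the header section (case-insensitive),
# 1 otherwise. The body after the blank line is ignored so a body mentioning
# "server:" cannot cause a false positive.
has_server_header() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '2,/^[[:space:]]*$/p' | grep -qi '^server:'
}

# Exit 0 only when the response is a 429 with no Server header.
check_response() {
    code=$(status_of "$1")
    if [ "$code" != "429" ]; then
        echo "unexpected status: $code" >&2
        return 1
    fi
    if has_server_header "$1"; then
        echo "Server header leaked on 429 response" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the behaviour reported in the issue (Server header added back).
LEAKY=$(printf 'HTTP/2 429\r\nserver: Caddy\r\nretry-after: 60\r\ncontent-length: 0\r\n\r\n')
# Constructed sample: the expected response once handle_errors strips the header.
FIXED=$(printf 'HTTP/2 429\r\nretry-after: 60\r\ncontent-type: text/plain; charset=utf-8\r\n\r\nThe service cannot be reached. Please wait a while!')

check_response "$LEAKY" && echo "leaky sample: OK" || echo "leaky sample: FAIL (expected)"
check_response "$FIXED" && echo "fixed sample: OK" || echo "fixed sample: FAIL"
```

Run it against the real listener by replacing the constructed samples with captured output; trigger the limit by exceeding the zone's `events` within its `window` (5 requests in one minute for the config above) and feed the sixth response to `check_response`.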