Header -Server ignored

1. My Caddy version ( caddy version ):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

caddy run

3 System environment:

Windows 10

4 The problem I’m facing:

I am running version 2.0.0 and have header -Server on top. It still shows the Caddy header when I test it. I am using redir .

domain1.com, domain2.net, domain3.org {
  header -Server
  tls ema@il.address
  basicauth /foo/* {
    test p@s$w0rd
  basicauth /bar/* {
    test p@s$w0rd
  redir /foo /foo/ 308
  redir /bar /bar/ 308
  reverse_proxy /foo/*
  reverse_proxy /bar/*
  log stdout

Hey Alex, what happens if you replace both the reverse proxy lines with a single respond Hello line - does the header still appear?

(Also, just FYI, hiding the server header doesn’t really grant you any improvements to security. It’s still often trivial to figure out which server is running with other methods. It only makes it harder for us to know how widely the project is being used, which makes it harder for us to know how to better improve it.)

If I replace those lines. the output is:

HTTP/2 200 
content-length: 5
date: Tue, 26 May 2020 18:32:48 GMT

Okay, since the Server header doesn’t exist with this configuration, it is the backend servers that is setting that header.

Hmmm, it’s unclear to me whether this is correct behavior or not. Should the header directive change the headers sent from an upstream server? (The reverse_proxy directive has the header_down subdirective to deal with that, for now.)

I know you’ll probably say “Yes” since you obviously expected it to work, but I am still wondering if this would be the correct behavior or not.

The backend server is running Server Microsoft-HTTPAPI/2.0.

I think you should discuss this with someone else who has more experience in this than me…

1 Like

In the meantime, you can use the header_down subdirective in the reverse_proxy directive to strip headers that originate upstream.

Should I file a bug report or is it fine like the way it is now?

Sure, but I haven’t decided it’s a bug yet. If you file an issue we’ll be less likely to forget about it.

1 Like

Will do, thank you. :slight_smile:

This topic was automatically closed after 90 days. New replies are no longer allowed.