Header -Server ignored

1. My Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

caddy run

3. System environment:

Windows 10

4. The problem I’m facing:

I am running version 2.0.0 and have header -Server on top. It still shows the Caddy header when I test it. I am using redir.

domain1.com, domain2.net, domain3.org {
  header -Server
  tls ema@il.address
  basicauth /foo/* {
    test p@s$w0rd
  }
  basicauth /bar/* {
    test p@s$w0rd
  }
  redir /foo /foo/ 308
  redir /bar /bar/ 308
  reverse_proxy /foo/* 127.0.0.1:1337
  reverse_proxy /bar/* 127.0.0.1:7331
  log stdout
}

Hey Alex, what happens if you replace both the reverse proxy lines with a single respond Hello line - does the header still appear?

(Also, just FYI, hiding the server header doesn’t really grant you any improvements to security. It’s still often trivial to figure out which server is running with other methods. It only makes it harder for us to know how widely the project is being used, which makes it harder for us to know how to better improve it.)

If I replace those lines, the output is:

HTTP/2 200 
content-length: 5
date: Tue, 26 May 2020 18:32:48 GMT

Okay, since the Server header doesn’t exist with this configuration, it is the backend servers that are setting that header.

Hmmm, it’s unclear to me whether this is correct behavior or not. Should the header directive change the headers sent from an upstream server? (The reverse_proxy directive has the header_down subdirective to deal with that, for now.)

I know you’ll probably say “Yes” since you obviously expected it to work, but I am still wondering if this would be the correct behavior or not.

The backend server is running Server Microsoft-HTTPAPI/2.0.

I think you should discuss this with someone else who has more experience in this than me…


In the meantime, you can use the header_down subdirective in the reverse_proxy directive to strip headers that originate upstream.
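The workaround suggested above, written out as an added example that is not part of the original thread: header_down -Server inside each reverse_proxy block removes the Server header set by the upstream, while the site-level header -Server only covers responses Caddy generates itself. The hostname example.com is an assumption; the upstream addresses and paths are the ones from the posted config, and the tls, basicauth and log lines are left out for brevity.

```caddyfile
# Added example, not the poster's config. example.com is a placeholder hostname.
example.com {
	# Affects responses produced by Caddy itself (redir, respond, errors).
	header -Server

	redir /foo /foo/ 308
	redir /bar /bar/ 308

	# Strip the Server header that originates from each backend
	# before the response is passed on to the client.
	reverse_proxy /foo/* 127.0.0.1:1337 {
		header_down -Server
	}
	reverse_proxy /bar/* 127.0.0.1:7331 {
		header_down -Server
	}
}
```

Requesting a path under /foo/ or /bar/ and inspecting the response headers should then show no Server line, matching the result of the respond Hello test earlier in the thread.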

Should I file a bug report or is it fine like the way it is now?

Sure, but I haven’t decided it’s a bug yet. If you file an issue we’ll be less likely to forget about it.


Will do, thank you. :slight_smile:
