How to strip headers?

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

This is not running as a service but I invoke the binary as a command line tool. This is due to my CICD processes.

a. System environment:

Windows Server 2022 Virtual Machine.

b. Command:

caddy validate --adapter caddyfile --config $_.FullName 

c. Service/unit/compose file:


d. My complete Caddy config:

# Your site's domain name

# Load balance between three backends with custom health checks
reverse_proxy {
	lb_policy       random_choose 2
	health_uri     /healthz
	health_interval 10s

	header {
	  header_down -Access-Control-Allow-Origin

3. The problem I’m having:

This is a simple one hopefully. I am struggling to know what the config for stripping headers should be given the error (See next section).

4. Error messages and/or full log output:

caddy : {"level":"info","ts":1667409469.0259826,"msg":"using provided 
At line:1 char:1
+ caddy validate --adapter caddyfile --config .\killergaminggamingautom ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: ({"level":"info"...r":"caddyfile"}:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
Error: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': 
.\killergaminggamingautomation-caddyfile:9 - Error during parsing: unrecognized subdirective header

5. What I already tried:

6. Links to relevant resources:

I think header_down is the culprit


header {

Ah yes let me try that!

Make sure it’s outside of the reverse_proxy block; header_down and header_up are for use inside the block, but header is a separate directive that needs to go outside.
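The placement described in the reply above, as an added example that is not part of the original thread: `header` sits at the site-block level, while `header_down` is only valid inside `reverse_proxy`. The site address and upstream addresses are placeholders, since the posted config does not show them.

```caddyfile
# Added example; site address and upstreams are placeholders (assumptions).
example.com {
	# Option A: header is a standalone directive, so it belongs at the
	# site-block level. A "-" prefix deletes the field from the response
	# sent to the client, whether Caddy or the upstream set it.
	header -Access-Control-Allow-Origin

	# Load balance between three backends with custom health checks
	reverse_proxy node1:8080 node2:8080 node3:8080 {
		lb_policy       random_choose 2
		health_uri      /healthz
		health_interval 10s

		# Option B: header_down is a reverse_proxy subdirective and only
		# touches headers coming back from the upstream. It is written
		# directly in this block, with no "header { }" wrapper around it.
		header_down -Access-Control-Allow-Origin
	}
}
```

Either option on its own removes the header; wrapping `header_down` in a `header { }` block inside `reverse_proxy` is what produces the "unrecognized subdirective header" error.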

Ah fixed it with that suggestion! The error made it obvious the structure is not right.


FYI, there’s no benefit to removing the Server header. It doesn’t reveal any information that attackers couldn’t otherwise figure out trivially. If it was somehow harmful to security, we wouldn’t have included it in the first place.

