Server header on upgrade request

1. Caddy version (caddy version):

v2.4.6

2. How I run Caddy:

a. System environment:

systemd on archlinux

b. Command:

systemctl start caddy

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

{
	admin off
	auto_https disable_redirects
	email user@domain.tld
}

(common) {
	header {
		-server
		permissions-policy interest-cohort=()
		strict-transport-security max-age=31536000
	}
	encode gzip
}

(proxy) {
	import common
	@shared path /favicon.ico /robots.txt
	reverse_proxy @shared https://www.domain.tld {
		header_up Host {http.reverse_proxy.upstream.hostport}
	}
	tls user@domain.tld
	reverse_proxy 127.0.0.1:{args.0}
}

http:// {
	import common
	redir https://{host}{uri} permanent
}

www.domain.tld {
	import common
	root * /srv/http/www
	file_server
}

app.domain.tld {
	import proxy 3001
}

3. The problem I’m having:

I try to hide the HTTP server I am using for security reasons and use the header -server directive for this purpose. It's fine with this configuration, but not when using WebSocket: the Server header is still in the response to the upgrade request on app.domain.tld. Is there a way to remove it?

4. Error messages and/or full log output:

N/A

5. What I already tried:

  • search the doc,
  • search this forum,
  • search with ddg and google.

6. Links to relevant resources:

N/A


You don’t gain anything security-wise from removing that header. Knowing which server software is serving the request doesn’t really change how an attacker might attempt exploits.

If it actually mattered in terms of security, we wouldn’t have the header set by default.

It has practical benefit for debugging, helping to know whether you actually hit the server you expected (e.g. instead of your legacy apache server maybe).

I think what's going on is that when you use the - header operation, it implicitly turns on defer, so header operations are delayed until the response is being written out (i.e. after proxying).

But since WebSockets are implemented by hijacking the connection, anything that's deferred will never happen, because the connection is being turned into a TCP pipe by the reverse_proxy module.

I don't think there's currently a way via the Caddyfile to make - operations not be deferred (because it rarely makes sense to remove a header before any has been written by some terminal HTTP handler), but Server would be the only case where that would make sense, because Caddy sets that header first thing in the request handling pipeline.

You could adapt your config to JSON and remove the "defer": true if you really care (but I don’t think you should care).

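The JSON route the reply describes, as an added example that is not part of the original thread and not output produced by Caddy itself: the app.domain.tld site from the Caddyfile above, written out by hand so that the Server-header delete runs before the request is proxied instead of in a deferred handler. The host, the listener and the upstream port 127.0.0.1:3001 are taken from the posted config; the tls automation, the http:// redirect, the www site and the @shared favicon/robots route are left out for brevity. `caddy adapt --config /etc/caddy/Caddyfile --pretty` shows the equivalent generated route, where the delete carries `"deferred": true` inside `"response"`; that key is what is removed in the first headers handler here. A second, deferred handler is kept as well, because reverse_proxy copies the upstream's response headers, so a Server header sent by the backend on an ordinary (non-hijacked) response would otherwise survive the early delete.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{ "host": ["app.domain.tld"] }],
              "handle": [
                {
                  "handler": "headers",
                  "response": {
                    "delete": ["Server"],
                    "set": {
                      "Permissions-Policy": ["interest-cohort=()"],
                      "Strict-Transport-Security": ["max-age=31536000"]
                    }
                  }
                },
                {
                  "handler": "headers",
                  "response": {
                    "delete": ["Server"],
                    "deferred": true
                  }
                },
                {
                  "handler": "reverse_proxy",
                  "upstreams": [{ "dial": "127.0.0.1:3001" }]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}
```

To confirm the behaviour on the 101 response, send a hand-made upgrade request, for example `curl -ski -H 'Connection: Upgrade' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' https://app.domain.tld/` (the key is the sample value from RFC 6455), and compare the headers with a plain `curl -ski https://app.domain.tld/`; with the non-deferred delete in place the Server header should be absent from both.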

Thank you for your detailed answer.
