Service Fabric - 删除 ReverseProxy 服务器 header 'Microsoft-HTTPAPI/2.0'
Service Fabric - Remove ReverseProxy Server header 'Microsoft-HTTPAPI/2.0'
我在 asp.net 核心 2.1/kestrel 上有一个无状态服务 运行。该服务是安全的,可以通过 LB 和 SF 反向代理从外部访问。 Service Fabric 版本为 6.3.187.9494。
我需要从响应中完全删除服务器 header,通过操作 KestrelServerOptions.AddServerHeader 在服务本身中执行此操作没有问题,但似乎 ReverseProxy 加起来自己的 Service header 即 Microsoft-HTTPAPI/2.0.
所以这是我检查的方式 - 我从 运行 所在的节点向服务端点发出请求,但没有得到服务器 header。然后我做同样的事情,但通过反向代理,我回来了 - 服务器:Microsoft-HTTPAPI/2.0.
通读ApplicationGateway/Http
设置,我发现 属性 调用了 RemoveServiceResponseHeaders -
Semi colon/ comma-separated list of response headers that will be
removed from the service response; before forwarding it to the client.
If this is set to empty string; pass all the headers returned by the
service as-is. i.e do not overwrite the Date and Server
我已经将那个设置为 "Date; Server" 并更新了集群,但运气不好,因为我仍然得到那个服务器 header。
有什么建议吗?
恐怕您无法使用 ServiceFabric 中的常规 'RemoveServiceResponseHeaders' 配置来完成此操作。它只会删除从您的服务响应中收到的读者。
在 windows 上,Service fabric HttpGateway 在 HTTP.sys 内核模块之上运行,这是对此负责header,顺丰对此没有发言权
Before I go further,
if you are removing this for security reasons, you should rethink about using the built in ApplicationGateway provided by SF, it will expose all you services and currently there is no control on which service are exposed through it, I think the risk is higher than just removing the server header, as it does not expose the real server name.
更进一步,
要解决您的问题,您有两种选择:
- 你可以玩HTTP.sys注册表settings在机器上删除它。
您需要在注册表项 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters 中添加 DisableServerHeader DWORD 值并将其值设置为 2。
This key controls how http.sys behaves with regards to appending the
http response header "Server" for responses that it sends to clients.
A value of 0, which is the default value, will use the header value
the application provides to http.sys, or will append the default value
of ‘Microsoft-HTTPAPI/2.0’ to the response header. A value of 1 will
not append the "Server" header for responses generated by http.sys
(responses ending in 400, 503, and other status codes). A value of 2
will prevent http.sys from appending a ‘Server’ header to the
response. If a 'Server' header is present on the response, it will not
be removed, if one is not present, it will not be added.
请查看此答案并详细了解操作方法:GET request to IIS returns Microsoft-HttpApi/2.0
.
- 根据上面的描述,响应 header 包含 'Microsoft-HTTPAPI/2.0' 因为默认值为 0 并且原始响应不包含服务器 header,如果您提供任何值,它将被使用。此外,将 SF 配置为不从您的响应中删除服务器 header,将 RemoveServiceResponseHeaders 配置设置为仅类似于“日期”的内容,因为默认值为“日期;服务器”
我在 asp.net 核心 2.1/kestrel 上有一个无状态服务 运行。该服务是安全的,可以通过 LB 和 SF 反向代理从外部访问。 Service Fabric 版本为 6.3.187.9494。
我需要从响应中完全删除服务器 header,通过操作 KestrelServerOptions.AddServerHeader 在服务本身中执行此操作没有问题,但似乎 ReverseProxy 加起来自己的 Service header 即 Microsoft-HTTPAPI/2.0.
所以这是我检查的方式 - 我从 运行 所在的节点向服务端点发出请求,但没有得到服务器 header。然后我做同样的事情,但通过反向代理,我回来了 - 服务器:Microsoft-HTTPAPI/2.0.
通读ApplicationGateway/Http 设置,我发现 属性 调用了 RemoveServiceResponseHeaders -
Semi colon/ comma-separated list of response headers that will be removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e do not overwrite the Date and Server
我已经将那个设置为 "Date; Server" 并更新了集群,但运气不好,因为我仍然得到那个服务器 header。
有什么建议吗?
恐怕您无法使用 ServiceFabric 中的常规 'RemoveServiceResponseHeaders' 配置来完成此操作。它只会删除从您的服务响应中收到的读者。
在 windows 上,Service fabric HttpGateway 在 HTTP.sys 内核模块之上运行,这是对此负责header,顺丰对此没有发言权
Before I go further,
if you are removing this for security reasons, you should rethink about using the built in ApplicationGateway provided by SF, it will expose all you services and currently there is no control on which service are exposed through it, I think the risk is higher than just removing the server header, as it does not expose the real server name.
更进一步,
要解决您的问题,您有两种选择:
- 你可以玩HTTP.sys注册表settings在机器上删除它。
您需要在注册表项 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters 中添加 DisableServerHeader DWORD 值并将其值设置为 2。
This key controls how http.sys behaves with regards to appending the http response header "Server" for responses that it sends to clients. A value of 0, which is the default value, will use the header value the application provides to http.sys, or will append the default value of ‘Microsoft-HTTPAPI/2.0’ to the response header. A value of 1 will not append the "Server" header for responses generated by http.sys (responses ending in 400, 503, and other status codes). A value of 2 will prevent http.sys from appending a ‘Server’ header to the response. If a 'Server' header is present on the response, it will not be removed, if one is not present, it will not be added.
请查看此答案并详细了解操作方法:GET request to IIS returns Microsoft-HttpApi/2.0
.
- 根据上面的描述,响应 header 包含 'Microsoft-HTTPAPI/2.0' 因为默认值为 0 并且原始响应不包含服务器 header,如果您提供任何值,它将被使用。此外,将 SF 配置为不从您的响应中删除服务器 header,将 RemoveServiceResponseHeaders 配置设置为仅类似于“日期”的内容,因为默认值为“日期;服务器”