Forum Discussion

ryan_111816
Dec 16, 2009

Strip HTTP Server Header

I'm trying to find an iRule which will strip out the Server header from my server's HTTP responses. I've found the following rule under the samples section: http://devcentral.f5.com/wiki/default.aspx/iRules/ServerResourceCloaking.html

That rule will do what I want to do, but it requires that I specify a list of accepted headers, and then it will strip any headers not in that list. Since I have quite a few virtual servers with different applications behind each one, this would require that I come up with a different list and iRule for each. What I'd rather have is a simple rule that just looks for and strips the Server header. Then I can just apply that rule to all of my virtual servers.

Just for clarification, I'm wanting to strip the header that identifies the server type. Here are a few common examples:

Server: Microsoft-IIS/6.0

Server: Apache/2.2.3(Red Hat)

Thanks for any assistance.

6 Replies

  • Hi Ryan,

    That would be pretty straightforward:

     when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server
     }

    You might also want to remove the X- headers as they can contain app identifying signatures (like x-powered-by for example).

     when HTTP_RESPONSE {
        # Remove all instances of the Server header
        HTTP::header remove Server

        # Remove all headers starting with x-
        foreach header_name [HTTP::header names] {
           if {[string match -nocase x-* $header_name]} {
              HTTP::header remove $header_name
           }
        }
     }

    Aaron
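The following Python script is an added illustration of the two rules above, not code from the thread or from F5. It reproduces the same logic on a raw HTTP/1.x response so you can see the edge cases the iRule handles implicitly: header names match case-insensitively (per RFC 7230), every instance of Server is dropped rather than only the first, and the body is left untouched. It also adds two things the posts do not mention, both this example's own assumptions: a KEEP_X_HEADERS allowlist, because a blanket "remove x-*" would also strip security controls such as X-Frame-Options and X-Content-Type-Options, and an identifying_headers() check you can run against a live response to confirm the rule is actually taking effect. The sample response and the extra header names beyond Server and X-Powered-By are constructed for the example.

```python
"""Scrub server-identifying headers from an HTTP/1.x response.

Added example for this thread (not F5 or DevCentral code).  The sample
response below is constructed, and KEEP_X_HEADERS / the extra entries in
IDENTIFYING_HEADERS are assumptions of this example, not from the thread.
"""

# Header names that reveal the origin server or framework (compared lower-case).
# Server and X-Powered-By are from the thread; the others are common additions.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version"}

# x-* headers that are security controls and must survive a blanket removal.
KEEP_X_HEADERS = {"x-frame-options", "x-content-type-options",
                  "x-xss-protection"}


def split_response(raw: bytes):
    """Split a raw response into (status_line, [(name, value)], body).

    Obsolete line folding is not handled; a folded header raises ValueError.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or name[:1] in (b" ", b"\t"):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0], headers, body


def scrub_headers(headers, strip_x=True):
    """Drop every Server header and, if strip_x, every x-* header that is not
    an allowlisted security header.  Names are matched case-insensitively."""
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            continue                      # all instances, not just the first
        if strip_x and lname.startswith("x-") and lname not in KEEP_X_HEADERS:
            continue
        kept.append((name, value))
    return kept


def scrub_response(raw: bytes, strip_x=True) -> bytes:
    """Rebuild the response with scrubbed headers; body passes through as-is."""
    status_line, headers, body = split_response(raw)
    out = [status_line] + [f"{n}: {v}".encode("latin-1")
                           for n, v in scrub_headers(headers, strip_x)]
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def identifying_headers(raw: bytes):
    """Verification check: names of fingerprinting headers still present.
    Run this against a live response to confirm the rule is applied."""
    _, headers, _ = split_response(raw)
    return sorted(n for n, _ in headers if n.lower() in IDENTIFYING_HEADERS)


# Constructed sample (not a capture): two Server headers in different case,
# framework headers, and one x-* security header that must be preserved.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 16 Dec 2009 12:00:00 GMT\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"server: Apache/2.2.3 (Red Hat)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    print("before:", identifying_headers(SAMPLE))
    cleaned = scrub_response(SAMPLE)
    print("after: ", identifying_headers(cleaned))
    print(cleaned.decode("latin-1"))
```

Running it shows the Server, X-Powered-By and X-AspNet-Version headers gone while Date, X-Frame-Options, Content-Type and Content-Length survive with the body intact; pass strip_x=False to get the behaviour of the first, Server-only rule.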
  • Hi Matt,

    That sounds like a good idea. If you do get an RFE CR, can you post it so we can add a subcase or two?

    Thanks,

    Aaron
  • I've just opened a case on this, and I'll definitely post the CR number if I get one opened up. I suspect if this all works, it'll be included in a feature release, so this thread will serve as an example of the best way to solve this problem.

    Thanks for the post @ryan and for the solution Aaron!

    -Matt
  • Hi guys. I have a follow-up question on this. As I mentioned, the rule works great, but only for HTTP virtual servers. Maybe I'm missing something here, but how would I apply the rule to an HTTPS virtual server?
  • Hi Ryan,

    If you want to inspect or modify the HTTP headers or content on an SSL connection, you'd need to decrypt the SSL on LTM using a client SSL profile.

    Aaron