Tags: azure, azure-service-fabric, asp.net-core-2.1, http.sys

Service Fabric - Remove ReverseProxy Server header 'Microsoft-HTTPAPI/2.0'


I've got a stateless service running on asp.net core 2.1/kestrel. The service is secured and accessed from the outside via LB and SF Reverse Proxy. Service Fabric version is 6.3.187.9494.

I have a need to remove the Server header completely from the response, and there was no problem doing this in the service itself by manipulating KestrelServerOptions.AddServerHeader, but it seems like the ReverseProxy adds its own Server header, which is Microsoft-HTTPAPI/2.0.

So here is how I check - I make a request to the service's endpoint from the node it's running on, and I get no Server header. Then I do the same but via the Reverse Proxy, and I get back - Server: Microsoft-HTTPAPI/2.0.

Reading through the ApplicationGateway/Http settings, I've found a property called RemoveServiceResponseHeaders -

Semi colon/ comma-separated list of response headers that will be removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e do not overwrite the Date and Server

I've set that one to "Date; Server" and updated the cluster but no luck as I still get that Server header.

Any suggestions?


Solution

  • I am afraid you can't do it using the conventional 'RemoveServiceResponseHeaders' configuration in Service Fabric. It will only remove the headers received from your service responses.

    On Windows, the Service Fabric HttpGateway runs on top of the HTTP.sys kernel module, which is responsible for this header; SF has no say in this.

    Before I go further,

    if you are removing this for security reasons, you should rethink using the built-in ApplicationGateway provided by SF: it will expose all your services, and currently there is no control over which services are exposed through it. I think that risk is higher than just removing the Server header, as the header does not expose the real server name.

    Going further,

    To solve your issue, you have two options:

    1. You can play with HTTP.sys registry settings to remove it on the machine.

    You will need to add the DisableServerHeader DWORD value in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and set its value to 2.


    This key controls how http.sys behaves with regards to appending the http response header "Server" for responses that it sends to clients. A value of 0, which is the default value, will use the header value the application provides to http.sys, or will append the default value of ‘Microsoft-HTTPAPI/2.0’ to the response header. A value of 1 will not append the "Server" header for responses generated by http.sys (responses ending in 400, 503, and other status codes). A value of 2 will prevent http.sys from appending a ‘Server’ header to the response. If a 'Server' header is present on the response, it will not be removed, if one is not present, it will not be added.

    Please take a look into this answer with details on how to do it: GET request to IIS returns Microsoft-HttpApi/2.0


    2. Based on the description above, the response header contains 'Microsoft-HTTPAPI/2.0' because the default value is 0 and the original response does not contain a Server header; if you provide any value, it will be used instead. Also, configure SF to not remove the Server header from your response by setting the RemoveServiceResponseHeaders config to something like "Date" only, because the default is "Date; Server".
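An added PowerShell example (not code from the question or the answer) that reports the http.sys DisableServerHeader value on the current node, compares the Server header returned directly by the service with the one returned through the Reverse Proxy, and with -Apply sets the value to 2 as in option 1. The two URLs and the need to restart the HTTP service (or reboot the node) before http.sys picks up the change are assumptions.

```powershell
# Added example, not code from the original question or answer.
# Reports the http.sys DisableServerHeader setting on this node and compares the
# 'Server' header seen directly from the service with the one seen via the
# SF Reverse Proxy. With -Apply it sets DisableServerHeader = 2 (option 1 above).
# Assumed (not from the page): both URLs, and that http.sys reads the value only
# at startup, so the HTTP service must be restarted or the node rebooted afterwards.
param(
    [string]$DirectUrl = 'http://localhost:8080/api/values',                  # assumed
    [string]$ProxyUrl  = 'http://localhost:19081/MyApp/MyService/api/values', # assumed
    [switch]$Apply
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$RegName = 'DisableServerHeader'

function Get-ServerHeader {
    param([string]$Url)
    try {
        $resp    = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $headers = $resp.Headers
    } catch [System.Net.WebException] {
        # A 4xx/5xx response still carries headers (Windows PowerShell 5.1 shape)
        if ($null -eq $_.Exception.Response) { return '<no response>' }
        $headers = $_.Exception.Response.Headers
    }
    if ($headers['Server']) { return [string]$headers['Server'] }
    return '<absent>'
}

$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
if ($null -eq $current) { $current = 0 }   # absent value means the http.sys default (0)
Write-Host "$RegName = $current"
Write-Host "Server header, direct : $(Get-ServerHeader -Url $DirectUrl)"
Write-Host "Server header, proxied: $(Get-ServerHeader -Url $ProxyUrl)"

if ($Apply -and $current -ne 2) {
    # Value 2: http.sys neither appends nor strips a Server header (answer's option 1)
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Warning "Set $RegName=2; restart the HTTP service or reboot the node, then rerun to verify."
}
```

Run it once without -Apply to record the current state, and again after the restart to confirm the proxied response no longer carries Microsoft-HTTPAPI/2.0.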