Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.4 GA, SaaS
    • Fix Version/s: 2.5.1
    • Component/s: Gateway
    • Labels:

      Description

      For security reasons, it's sometimes desired to NOT include the openresty version number in response headers and error response bodies.

      For example take note of '1.13.6.2' in the Server header and response body:

      HTTP/1.1 504 Gateway Time-out
      Server: openresty/1.13.6.2
      Date: Thu, 28 Feb 2019 16:20:43 GMT
      Content-Type: text/html
      Content-Length: 189
      Connection: keep-alive
      
      <html>
      <head><title>504 Gateway Time-out</title></head>
      <body bgcolor="white">
      <center><h1>504 Gateway Time-out</h1></center>
      <hr><center>openresty/1.13.6.2</center>
      </body>
      </html>
      

      To prevent this, you can set `server_tokens off;` in the nginx conf in the http block.

      Results in:

      HTTP/1.1 504 Gateway Time-out
      Date: Thu, 28 Feb 2019 16:09:40 GMT
      Content-Type: text/html
      Content-Length: 180
      Connection: keep-alive
      
      <html>
      <head><title>504 Gateway Time-out</title></head>
      <body bgcolor="white">
      <center><h1>504 Gateway Time-out</h1></center>
      <hr><center>openresty</center>
      </body>
      </html>
      

      Ideally this would be set via SERVER_TOKENS=off or some such environment variable.
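
A check for the disclosure described above, as an added example that is not part of the original issue or the project's code: it parses a raw HTTP response and reports any `openresty/<version>` or `nginx/<version>` token in the Server header or the body. The function names are hypothetical, and the two sample responses are the ones quoted in the description, trimmed to the relevant lines.

```python
import re

# A product token followed by a dotted version, e.g. "openresty/1.13.6.2".
VERSION_TOKEN = re.compile(r"\b(openresty|nginx)/(\d+(?:\.\d+)+)", re.IGNORECASE)

def split_response(raw):
    """Split a raw HTTP response into (status_line, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_version_leaks(raw):
    """Return (location, token) pairs for every version disclosure found."""
    _, headers, body = split_response(raw)
    leaks = []
    m = VERSION_TOKEN.search(headers.get("server", ""))
    if m:
        leaks.append(("Server header", m.group(0)))
    # The default error page repeats the token in its footer.
    for m in VERSION_TOKEN.finditer(body):
        leaks.append(("response body", m.group(0)))
    return leaks

# Sample input: the responses quoted in the description, trimmed.
BEFORE = (
    "HTTP/1.1 504 Gateway Time-out\r\n"
    "Server: openresty/1.13.6.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\n<body>\n<hr><center>openresty/1.13.6.2</center>\n</body>\n</html>\n"
)
AFTER = (
    "HTTP/1.1 504 Gateway Time-out\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>\n<body>\n<hr><center>openresty</center>\n</body>\n</html>\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(raw) or "no version disclosed")
```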

              People

              • Assignee:
                Unassigned
                Reporter:
                rhn-support-spoole Shannon Poole
                Developer:
                Michal Cichra
              • Votes:
                1
                Watchers:
                8