I've got a stateless service running on asp.net core 2.1/kestrel. The service is secured and accessed from the outside via LB and SF Reverse Proxy. Service Fabric version is 6.3.187.9494.

I have a need to remove the Server header completely from the response, and there was no problem doing this in the service itself by manipulating KestrelServerOptions.AddServerHeader, but it seems like the Reverse Proxy adds its own Server header, which is Microsoft-HTTPAPI/2.0.

So here is how I check: I make a request to the service's endpoint from the node it's running on, and I get no Server header. Then I do the same via the Reverse Proxy, and I get back Server: Microsoft-HTTPAPI/2.0.

Reading through the ApplicationGateway/Http settings, I found a property called RemoveServiceResponseHeaders:

Semi colon/ comma-separated list of response headers that will be removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e do not overwrite the Date and Server

I've set that one to "Date; Server" and updated the cluster, but no luck, as I still get that Server header.

Any suggestions?


1 Answer

I am afraid you can't do it using the conventional 'RemoveServiceResponseHeaders' configuration in Service Fabric. It will only remove the headers received from your service responses.

On Windows, the Service Fabric HttpGateway runs on top of the HTTP.sys kernel module, which is responsible for this header; SF has no say in this.

Before I go further,

if you are removing this for security reasons, you should rethink using the built-in ApplicationGateway provided by SF. It will expose all your services, and currently there is no control over which services are exposed through it. I think the risk is higher than just removing the server header, as it does not expose the real server name.

Going further,

To solve your issue, you have two options:

  1. You can play with HTTP.sys registry settings to remove it on the machine.

You will need to add the DisableServerHeader DWORD value in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters and set its value to 2.

This key controls how http.sys behaves with regards to appending the http response header "Server" for responses that it sends to clients. A value of 0, which is the default value, will use the header value the application provides to http.sys, or will append the default value of ‘Microsoft-HTTPAPI/2.0’ to the response header. A value of 1 will not append the "Server" header for responses generated by http.sys (responses ending in 400, 503, and other status codes). A value of 2 will prevent http.sys from appending a ‘Server’ header to the response. If a 'Server' header is present on the response, it will not be removed, if one is not present, it will not be added.

Please take a look at this answer with details on how to do it: GET request to IIS returns Microsoft-HttpApi/2.0

  2. Based on the description above, the response header contains 'Microsoft-HTTPAPI/2.0' because the default value is 0 and the original response does not contain a Server header; if you provide any value, it will be used instead. Also, configure SF to not remove the Server header from your response by setting the RemoveServiceResponseHeaders config to something like "Date" only, because the default is "Date; Server".
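The registry change from option 1, as an added example that is not part of the original answer: it sets DisableServerHeader to 2 idempotently and then checks, through the Reverse Proxy, whether the Server header is still returned. The endpoint in $ProxyUrl is a placeholder you replace with your own; run it elevated on each node.

```powershell
# Added example, not code from the question or answer. Assumes an elevated
# session on the node; $ProxyUrl is a placeholder for your own RP endpoint.
param(
    [string]$ProxyUrl = 'https://<cluster>:19081/<App>/<Service>/',  # placeholder
    [switch]$Reboot
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'DisableServerHeader'
$desired   = 2   # 2 = http.sys never appends a Server header (see answer)

# Treat a missing value as the documented default of 0.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }

if ($current -ne $desired) {
    # Idempotent: only write when the value actually differs.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null
    Write-Host "Set $valueName from $current to $desired."
    # The thread reports the change only took effect after a node reboot.
    if ($Reboot) { Restart-Computer -Force } else { Write-Warning 'Reboot the node to apply.' }
} else {
    Write-Host "$valueName is already $desired; nothing to change."
}

# Verification: request headers via the Reverse Proxy and look for 'Server'.
function Test-ServerHeaderAbsent {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop
    } catch {
        # Non-2xx responses still carry headers, so inspect those as well.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $server = $resp.Headers['Server']
    if ([string]::IsNullOrEmpty($server)) { return $true }
    Write-Host "Server header still present: $server"
    return $false
}

Test-ServerHeaderAbsent -Url $ProxyUrl
```

Run the check before the reboot to capture the Microsoft-HTTPAPI/2.0 baseline and again afterwards; a `$true` result means neither http.sys nor the service emitted a Server header.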
  • Thank you! I've also assumed that RemoveServiceResponseHeaders removes only my service's headers, but I was hoping something from Microsoft would weigh in. I'll play with the registry key and let you know if it helped. P.S. the scale set that it's opened via RP has only one service in it, which doesn't permit unauthenticated/unauthorised access. – Kiryl Oct 10 '18 at 12:21
  • By the way, I'm wondering if there is a way to automate the fix somehow... I mean, the only approach that worked for me is that I had to restart a node after changing the registry key, as simply restarting the http service wouldn't work ("sc stop"/"net stop http" commands get stuck). Any thoughts? – Kiryl Oct 12 '18 at 10:43
  • https://blogs.technet.microsoft.com/stefan_stranger/2017/07/31/using-azure-custom-script-extension-to-execute-scripts-on-azure-vms/ – Diego Mendes Oct 12 '18 at 11:14
  • Yeah, I've thought about Desired State Configuration though, but the question is then when it gets applied? If http.sys gets up first, I'll have to restart machine anyway... – Kiryl Oct 12 '18 at 11:18
  • Same here: manipulating the registry key did the trick; I even managed to automate setting the registry key using a CustomScriptExtension in the ARM template. However, I still need to manually restart the VM scale set, as the registry key is applied "too late", i.e. after http.sys is already running, and "net stop http" gets stuck... – Torben Knerr Oct 01 '19 at 16:35
  • FYI - this is how I automated it via AzureRM template: https://gist.github.com/tknerr/30107e0242db5de280f2e0c16e837d6e (essentially it adds the registry key and triggers a reboot once the VM is initially created, but ignores it once it already exists) – Torben Knerr Oct 04 '19 at 14:31