istio: Unable to remove server header
Bug description I should be able to remove/disable the server: istio-envoy when using istio
Expected behavior
using the following configuration on a virtual service, I should be able to
Headers: Response: Remove: server
Steps to reproduce the bug Add a gateway that routes to a virtual service
Version (include the output of istioctl version --remote
and kubectl version
)
1.1.4
1.13
How was Istio installed? Helm
Environment where bug was observed (cloud vendor, OS, etc) Local kubernetes cluster on macos docker
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure [ ] Docs [ ] Installation [X ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 29
- Comments: 53 (17 by maintainers)
Without lua:
What is the status of this? Our secops team wants us to override this for all responses.
@kyessenov Our security/compliance team has an issue with it.
This really needs a much simpler solution for anyone working at scale; probably a single configuration variable.
Most good security/audit teams — and the compliance checks that come along with them — will grade down any servers exposing
server
as information exposure. As it stands, most users are now exposing implementation data viacurl
to public clients.nginx
does it withserver_tokens off;
, apache withServerSignature Off
, etc etc.In Istio 1.7.2, the following filter configuration worked for me:
I’m testing something like:
notice that the example codes on current
EnvoyFilter
documents does not work on istio 1.3.0 , current MEGER operation only acceptconfig
as input.How can we reopen this issue?
In case if anyone still needs this, I used these filters to remove the
server
and thex-envoy-upstream-service-time
headers (istio 1.9.0)How to remove header in latest envoy version, works for me, FYI (istio1.15.5)
It is a form of CWE-200: Information Exposure (ref: https://cwe.mitre.org/data/definitions/200.html)
This type of leaking of technology choices in HTTP responses allows threat actors to enumerate target environments using certain tools and versions and target them when vulnerabilities are identified. This is why both internal SecOps teams and external pen testers will routinely flag Server banners that include tech choices and version numbers as low to medium issues for engineering teams to address.
How to change server in latest envoy version, works for me. FYI (istio1.15.5)
@httran13 I just tried your envoyfilter on 1.8.3 and it’s working for me:
If we launched Istio 1.0 today, yes. At this point making backwards incompat changes like this is hard though. Ambient will probably default to this.
@nrjpoddar good news! thx guys!
We discussed this during Feb 11 2021 Networking WG meeting and agreed on configuring Envoy to always set Server header value as
PASS_THROUGH
instead of the currently configured override value.@nrjpoddar I think it will be enough for istio to setting
server_header_transformation
toPASS_THROUGH
by default. Then we will add, remove, or override any headers withVirtualService
if needed or passing headers through from applications.Thanks @jsolv Why is the VS needed? Isn’t the passthrough settings alone sufficient?
Just to clarify patch by @softcane above… this does not actually guarantee removal of the server header; what it does do is it stops envoy from overwriting the server header that came back from upstream, hence the phrase PASS_THROUGH.
Also note that from Envoy 1.7.0 it looks like these headers can be suppressed after all… https://www.envoyproxy.io/docs/envoy/v1.7.0/api-v2/config/filter/http/router/v2/router.proto
This envoy filter will remove the server header in the response.
@pingz Thank you for the solution. It does work on Istio 1.3.4. P.S. Please add the
apiVersion
field to your yaml example.