Forum Discussion

Rahul_More
Oct 28, 2020

Remove the "Server" header

Hi Guys,

I have the iRule below created in LTM and enabled for the virtual servers, but I need to remove the "Server" header.

Device version: BIG-IP 14.1.2.6

when HTTP_RESPONSE {
    # Remove all instances of the Server header
    HTTP::header remove Server

    # Remove headers starting with x- or X- that are listed in the
    # data group asm_remove_server_response_dg
    foreach header_name [HTTP::header names] {
        if { $header_name starts_with "x-" or $header_name starts_with "X-" } {
            if { [class match $header_name equals asm_remove_server_response_dg] } {
                HTTP::header remove $header_name
            }
        }
    }
}

Can you guys please help to create a request header iRule for the VS?

 

  • Hi Dario and Jaikumar,

    Thank you for your responses and for sharing all possible resolutions for this problem.

    I have double-checked this and found that there are two different LTMs (internal and external). One is WAF-enabled and the other is not.

    1. When users access the site from the external network, the traffic comes to the public IP address of the site, which is NAT'ed to the external VIP address (External LTM). That device is WAF-enabled and also has the ASM iRule associated.
    2. On the other side, when users access the site from the internal private network, the traffic goes to split-brain DNS, where a local host A record is configured for another virtual server, which is completely different from the virtual server and pool member addresses in point 1.

    In short, the external traffic is coming to the External LTM (WAF enabled) and the internal private network traffic is going to the Internal LTM (WAF not enabled).

    Hence, the HTTP "Server" header is only appearing to the internal network users and not to external clients.

    Both solutions which you have provided are pretty good, and for this scenario the second solution is the best one to apply.

    Once again, thank you for all your help.

    Regards,

    Rahul
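
The situation described in the post above (header stripped on the external path but still visible on the internal one) can be checked per path. This is an added example, not part of the original post: the two raw responses, the `PHP/7.4` value and the `BLOCKED_X_HEADERS` set (a stand-in for the data group contents) are constructed for illustration.

```python
# Added example: audit which network path still exposes headers the iRule strips.
# Both raw responses are constructed; capture real ones per path with `curl -sI`.

# Constructed stand-in for the entries of the data group the iRule consults.
BLOCKED_X_HEADERS = {"x-powered-by", "x-aspnet-version"}

EXTERNAL = (  # constructed: via the external LTM, iRule attached
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)
INTERNAL = (  # constructed: via the internal LTM, no iRule attached
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.1 (Unix)\r\n"
    "X-Powered-By: PHP/7.4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return [(name, value)] from a raw response head, keeping duplicates."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def leaked_headers(raw):
    """Headers that should have been removed but are still present."""
    leaks = []
    for name, value in parse_headers(raw):
        lower = name.lower()  # header names are case-insensitive
        if lower == "server" or lower in BLOCKED_X_HEADERS:
            leaks.append((name, value))
    return leaks

def audit(paths):
    """Map each path label to its leaked headers; an empty list means clean."""
    return {label: leaked_headers(raw) for label, raw in paths.items()}

if __name__ == "__main__":
    results = audit({"external": EXTERNAL, "internal": INTERNAL})
    for label, leaks in results.items():
        print(label, "clean" if not leaks else f"leaks: {leaks}")
```

Running the same audit against every virtual server that fronts the application shows at a glance which one is missing the header-removal rule.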

  • Hello Rahul.

    "Server" (or "X-Server") is a response header, not a request header.

    REF - https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

    Regards,

    Dario.

    • Rahul_More

      Hi Dario,

      Thanks for sharing the reference site to clear the request/response confusion.

      Standard Response Field:

      Server | A name for the server | Server: Apache/2.4.1 (Unix) | Permanent

      Could you please help with this, either a modification or a new iRule for the Server header?

      Regards,

      Rahul

      • Lidev

        Hi Rahul,

        More simply, use a Local Traffic Policy to remove your HTTP header, like below:

        Regards

  • Yes, that's true. I will follow the same from now onwards. Thanks again :-)