发表新帖
发表新帖

How to prevent Gunicorn from returning a 'Server' http header?

后端 未结
关注
6 1109
走了就别回头了
走了就别回头了 2021-02-05 06:51

I would like to mask the version or remove the header altogether.

6条回答
  • 时光取名叫无心
    时光取名叫无心 (楼主)
    2021-02-05 07:38

    This doesn't directly answer to the question but could address the issue as well and without monkey patching gunicorn.

    If you are using gunicorn behind a reverse proxy, as it usually happens, you can set, add, remove or perform a replacement in a response header coming downstream from the backend. In our case the Server header.

    I guess every Webserver should have an equivalent feature.

    For example, in Caddy 2 (currently in beta) it would be something as simple as:

    https://localhost {
    reverse_proxy unix//tmp/foo.sock {
        header_down Server intentionally-undisclosed-12345678
    }
}

    For completeness I still add a minimal (but fully working) Caddyfile to handle Server header modification even in manual http->https redirect process (Caddy 2 does it automatically, if you don't override it), which could a bit tricky to figure it out correctly.

    http://localhost {
    # Fact: the `header` directive has less priority than `redir` (which means
    # it's evaluated later), so the header wouldn't be changed (and Caddy would
    # shown instead of the faked value).
    #
    # To override the directive ordering only for this server, instead of
    # change the "order" option globally, put the configuration inside a
    # route directive.
    # ref.
    #   https://caddyserver.com/docs/caddyfile/options
    #   https://caddyserver.com/docs/caddyfile/directives/route
    #   https://caddyserver.com/docs/caddyfile/directives#directive-order
    route {
        header Server intentionally-undisclosed-12345678
        redir https://{host}{uri}
    }
}

https://localhost {
    reverse_proxy unix//tmp/foo.sock {
        header_down Server intentionally-undisclosed-12345678
    }
}

    To check if it works just use curl as curl --insecure -I http://localhost and curl --insecure -I http://localhost (--insecure because localhost certs are automatically generated as self signed).

    It's so simple to setup that you could also think to use it in development (with gunicorn --reload), especially if it resembles your staging/production environment.

    0 讨论(0)
 看不清?
提交回复
热议问题