Service Fabric - remove ReverseProxy Server header

  • Question

  • I've got a stateless service running on asp.net core 2.1/kestrel. The service is secured and accessed from the outside via LB and SF Reverse Proxy. Service Fabric version is 6.3.187.9494.

    I have a need to remove Server header completely from the response, and there was no problem to do this in the service itself by manipulating KestrelServerOptions.AddServerHeader, but seems like ReverseProxy adds up its own Service header which is Microsoft-HTTPAPI/2.0.

    So here is how I check - I make a request to service's endpoint from the node it's running on, and I get no Server header. Then I do the same but via Reverse Proxy, and I get back - Server: Microsoft-HTTPAPI/2.0.

    Reading through ApplicationGateway/Http settings, I've found property called RemoveServiceResponseHeaders

    Semi colon/ comma-separated list of response headers that will be removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e do not overwrite the Date and Server

    I've set that one to "Date; Server" and updated the cluster but no luck as I still get that Server header.

    Any suggestions?
    Wednesday, October 10, 2018 10:00 AM

Answers

  • Hi Kiryl. It looks like this is a limitation of the reverse proxy. 

    See this issue for more details: https://github.com/Azure/service-fabric-issues/issues/216

    As mentioned in that issue, the reverse proxy uses HTTP.SYS underneath so one possible workaround is to enable a setting in HTTP.SYS to disable the server header from its responses. This can be accomplished by setting the DisableServerHeader registry key under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters to 1.

    Please see "Server Header" section here for more details.
    Note: This is a system wide config, so the Server header will be removed from all services that are using the HTTP.SYS stack. Please ensure you are okay with this before trying out the option.

    Thursday, October 11, 2018 9:47 PM

All replies

  • Thank you! I've also got the same suggestion concerning the fix from StackOverflow. I'm wondering if there is a way to automate it somehow... I mean, the only approach that worked for me is that I had to restart a node after changing the registry key, as simply restarting the http service wouldn't work ("sc stop"/"net stop http" commands get stuck). Any thoughts?
    Friday, October 12, 2018 10:15 AM
  • Unfortunately we don't offer the option to deploy a SF cluster using custom images. If that were the case, then you could configure the image with this registry key already modified. However, since that is not possible you would have to manually adjust that key on all the nodes. 

    You could consider automating this using PowerShell, such as connecting to the node using a remote PowerShell session and running the commands to modify the keys. Something like

    # Open an interactive remote session to the node over WinRM (HTTP, port 5985)
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName "<<HOSTNAME>>" -Port 5985 -Credential (Get-Credential) -SessionOption $Skip

    # Inside the session: registry provider paths need the drive form "HKLM:\"
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -Name "DisableServerHeader" -Value 1 -Type DWord

    You might need to modify this to make it work for SF but the idea is the same. 

    Friday, October 12, 2018 6:06 PM
  • Thanks a lot!
    Monday, October 15, 2018 8:43 AM
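
The remoting approach suggested above, written as a non-interactive script that applies the DisableServerHeader value to every node and then checks a response that came through the reverse proxy. This is an added example, not code from the thread or from the Service Fabric team; the -Nodes and -ProbeUrl inputs are assumptions supplied by the caller, and the probe URL is assumed to answer an unauthenticated GET with a 2xx status.

```powershell
# Added example. The registry path, value name and port 5985 are the ones quoted
# in the thread; node names and the probe URL are caller-supplied assumptions.
param(
    [Parameter(Mandatory)] [string[]] $Nodes,     # hostnames of the cluster nodes
    [Parameter(Mandatory)] [string]   $ProbeUrl,  # a service URL reached through the reverse proxy
    [pscredential] $Credential = (Get-Credential)
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$remote  = @{ ComputerName = $Nodes; Port = 5985; Credential = $Credential; ArgumentList = $RegPath }

# Fan out to all nodes, set the value only where it is not already 1,
# and return the before/after state so the run leaves an audit trail.
$report = Invoke-Command @remote -ScriptBlock {
    param($Path)
    $name   = 'DisableServerHeader'
    $before = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($before -ne 1) {
        Set-ItemProperty -Path $Path -Name $name -Value 1 -Type DWord
    }
    [pscustomobject]@{
        Before     = $before
        After      = (Get-ItemProperty -Path $Path -Name $name).$name
        # The asker reported the change only took effect after a node restart,
        # so compare ChangedNow with LastBoot to see which nodes still need one.
        ChangedNow = ($before -ne 1)
        LastBoot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, Before, After, ChangedNow, LastBoot -AutoSize

# Check from the client side: the header must be absent on the proxied response.
$response = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing
$server   = $response.Headers['Server']
if ($server) {
    Write-Warning "Server header still present: $server"
} else {
    Write-Output 'No Server header in the response.'
}
```

Because requests through a load balancer can land on any node, repeat the probe several times after the restarts; one node left unchanged is enough for the header to reappear intermittently.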