
Is there a way to remove Apache's Reverse Proxy Request Headers?

When acting as a reverse proxy, Apache adds X-Forwarded headers as described here.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

In my configuration I have configured server A as a forward proxy. There is a rule like this:

RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]

This rule lets the server request the resource from one of my other servers.

On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:

RewriteRule some-regex some-url [P]

It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.

However that final request has these headers:

[X-Forwarded-For] => ip of 1st server
[X-Forwarded-Host] => example.myseconserver.com
[X-Forwarded-Server] => example.com

I want those headers gone.

I seem to be unable to unset them with mod_headers. I can add more entries to them, but I cannot remove them.

Any ideas?

The Surrican asked Sep 05 '11 19:09


2 Answers

Since Apache 2, as this pretty answer says, the

ProxyAddHeaders Off

theoretically disables it. In my experience, it had no effect. However, combined with

<Proxy *>
  ProxyAddHeaders Off
</Proxy>

and, with

  RequestHeader unset X-Forwarded-Host
  RequestHeader unset X-Forwarded-For
  RequestHeader unset X-Forwarded-Server

somewhere it started to work.

peterh answered Oct 22 '22 15:10


I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But for some reasons I couldn't switch to nginx completely. So I did it by inserting an nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. The installation steps are the following:

  1. Install nginx according to these instructions
  2. Configure nginx to avoid security problems.
  3. Add a location in nginx that will remove httpd's reverse proxy request headers. It can look like this:

    location /path {
        proxy_set_header x-forwarded-for "";
        proxy_set_header x-forwarded-host "";
        proxy_set_header x-forwarded-server "";
        proxy_pass http://your.destination/path;
    }
    
keypress answered Oct 22 '22 13:10
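
To confirm that either configuration above really strips the headers, the last proxy hop can be pointed at a stand-in origin that reports which X-Forwarded-* headers arrived. This is an added example, not code from the question or either answer; the function names and the loopback address used in the demo are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# The three headers named in the question, compared case-insensitively.
PROXY_HEADERS = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server")
# Ignore proxy environment variables so the probe goes where it is pointed.
_OPENER = build_opener(ProxyHandler({}))


def leaked_proxy_headers(headers):
    """Return {name: value} for proxy headers present (empty value = absent)."""
    return {name.lower(): value.strip() for name, value in headers.items()
            if name.lower() in PROXY_HEADERS and value.strip()}


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in origin: replies with the proxy headers it received, as JSON."""

    def do_GET(self):
        body = json.dumps(leaked_proxy_headers(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # silence per-request logging
        pass


def start_origin(host="127.0.0.1", port=0):
    """Serve EchoHandler in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, extra_headers=None):
    """GET url (normally the front proxy) and return what reached the origin."""
    with _OPENER.open(Request(url, headers=extra_headers or {}), timeout=5) as r:
        return json.loads(r.read())


if __name__ == "__main__":
    origin = start_origin()
    url = "http://127.0.0.1:%d/path" % origin.server_address[1]
    # Constructed request standing in for a proxy hop that still adds the header.
    print(probe(url, {"X-Forwarded-For": "192.0.2.10"}))
```

In practice, run `start_origin` on the backend in place of the real destination and call `probe` against the front proxy's URL; an empty result means the headers were removed before the final request.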