Forum Discussion

ecce_297791's avatar
ecce_297791
Icon for Altocumulus rankAltocumulus
Aug 10, 2018

Modify Server string in HTTP response header

I want to secure a few applications by not showing the technical details of the servers in the HTTP response header. Easy task, I thought.

I created a HTTP profile, changed the Server Agent Name to a random string and applied it to the VS. But the HTTP response header still look like this:

$ curl -I http://10.1.10.20                                                                                        Fri Aug 10 13:58:47 2018
HTTP/1.1 200 OK
Date: Fri, 10 Aug 2018 11:22:20 GMT
Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.12 OpenSSL/1.0.1f
X-Powered-By: PHP/5.5.9-1ubuntu4.12
Connection: close
Content-Type: text/html

This is the http profile:

ltm profile http /Common/http_custom {
    app-service none
    defaults-from /Common/http
    insert-xforwarded-for enabled
    proxy-type reverse
    server-agent-name CookieMonsterServer
}

According to this manual: "When you create an HTTP profile, you can specify the string used as the server name in traffic generated by the BIG-IP system. The default value is BigIP."

Here is the VS:

ltm virtual /Common/p80.vs {
    destination /Common/10.1.10.20:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/p80.pool
    profiles {
        /Common/http_custom { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

BIGIP VE 13.1.1. What am I missing?

2 Replies

  • Hi,

    This feature will just replace the Server header for F5 generated replies.

    You can strip the header server using an irule :

    when HTTP_RESPONSE {
        HTTP::header remove Server
    }
    
    • ecce's avatar
      ecce
      Icon for Cirrostratus rankCirrostratus

      Exactly. But is replaces nothing. Thats my problem.