Is there a way to remove Apache's Reverse Proxy Request Headers?
Solution 1
Corrected answer: there is no way to do that since it's hardcoded.
To fix this in the source code of mod_proxy_http.c, search for the following part:
apr_table_mergen(r->headers_in, "X-Forwarded-Server",
r->server->server_hostname);
}
and immediately after that add this code:
// remove any X-Forwarded headers
apr_table_unset(r->headers_in, "X-Forwarded-For");
apr_table_unset(r->headers_in, "X-Forwarded-Host");
apr_table_unset(r->headers_in, "X-Forwarded-Server");
then compile by running apxs2 -cia mod_proxy_http.c
Solution 2
Since Apache 2, as this pretty answer says, the
ProxyAddHeaders Off
theoretically disables it. In my experience, it had no effect. However, combined with
<Proxy *>
ProxyAddHeaders Off
</Proxy>
and, with
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Server
somewhere it started to work.
Solution 3
I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But for some reasons I couldn't switch to nginx completely. So I did it by inserting an nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. Installation steps are the following:
- Install nginx according to these instructions
- Configure nginx to avoid security problems.
- Add a location in nginx that will remove those httpd reverse proxy request headers. It can look like this:
    location /path {
        proxy_set_header x-forwarded-for "";
        proxy_set_header x-forwarded-host "";
        proxy_set_header x-forwarded-server "";
        proxy_pass http://your.destination/path;
    }
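To confirm that whichever variant above is in use actually removes the headers, this added example (not part of any answer on this page) runs a stand-in origin that reports any X-Forwarded-For, X-Forwarded-Host or X-Forwarded-Server header it receives, including one that arrives with an empty value. The function names and port 8081 are assumptions made for the example.

```python
# Added example: origin-side check for X-Forwarded-* headers that got through.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The three request headers mod_proxy adds, as named on this page.
FORWARDED = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server")


def leaked(headers):
    """Return {name: [values]} for each X-Forwarded-* header; empty values count."""
    found = {}
    for name, value in headers:
        if name.lower() in FORWARDED:
            found.setdefault(name.lower(), []).append(value.strip())
    return found


class Origin(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a JSON report of the forwarded headers seen.
        body = json.dumps(leaked(self.headers.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_origin(port=0):
    """Start the stand-in origin on 127.0.0.1; port 0 picks a free port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), Origin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, headers=None, path="/path"):
    """GET 127.0.0.1:port (the origin or the proxy) and return the report."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    report = json.loads(conn.getresponse().read())
    conn.close()
    return report


if __name__ == "__main__":
    start_origin(8081)  # assumed port; use it as the proxy's backend
    threading.Event().wait()  # keep serving until interrupted
```

Run it, point the proxy's backend at 127.0.0.1:8081 in place of the real destination, and request a URL through the proxy; an empty JSON object in the response means none of the three headers reached the origin.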
The Surrican
Updated on June 05, 2022
Comments
-
The Surrican almost 2 years
When acting as a reverse proxy, apache adds x-forwarded headers as described here.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
In my configuration I have configured server A as a forward proxy. There is a rule like this:
RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]
This rule lets the server request the resource from one of my other servers.
On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:
RewriteRule some-regex some-url [P]
It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.
However that final request has these headers:
[X-Forwarded-For] => ip of 1st server
[X-Forwarded-Host] => example.myseconserver.com
[X-Forwarded-Server] => example.com
I want those headers gone.
I seem to be unable to unset them with mod_headers. I can add more entries to them, but I can not remove them.
Any ideas?
-
Mahendar Patel almost 11 years
Can you elaborate on how you made mod_headers work to remove those headers? I can't seem to in Apache 2.2 no matter what I try.
-
The Surrican almost 11 years
Sorry, I un-checked this answer because it does not work. If I remember that correctly, there is no way and I ended up patching the module! However, I have long switched to nginx since.
-
Mahendar Patel almost 11 years
I think I'll just use Apache 2.4 which allows you to use ProxyAddHeaders, unless I need more granular control - in which case I will switch to nginx too :)
-
The Surrican over 10 years
I agree with you that this is probably the better way, especially considering nginx
-
becomingwisest almost 9 years
To be clear, Apache 2.4 has httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders which using ProxyAddHeaders Off should do as requested.
-
Kingofkech over 6 years
Can you give us more details on where to put the location /path ?
-
keypress over 6 years
I have it in my "/etc/nginx/conf.d/default.conf" inside the "server" section. This is the way you usually add a "location".