Is there a way to remove Apache's Reverse Proxy Request Headers?

Solution 1

Corrected answer: there is no way to do that, since it's hardcoded.

To fix this in the source code of mod_proxy_http.c, search for the following part:

        apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                         r->server->server_hostname);
    }

and immediately after that add this code:

    // remove any X-Forwarded headers
    apr_table_unset(r->headers_in, "X-Forwarded-For");
    apr_table_unset(r->headers_in, "X-Forwarded-Host");
    apr_table_unset(r->headers_in, "X-Forwarded-Server");

Then compile by running apxs2 -cia mod_proxy_http.c

Solution 2

Since Apache 2, as this pretty answer says, the

    ProxyAddHeaders Off

theoretically disables it. In my experience, it had no effect. However, combined with

    <Proxy *>
      ProxyAddHeaders Off
    </Proxy>

and with

    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-For
    RequestHeader unset X-Forwarded-Server

somewhere, it started to work.

Solution 3

I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But for some reasons I couldn't switch to nginx completely. So I did it by inserting an nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. The installation steps are the following:

  1. Install nginx according to these instructions
  2. Configure nginx to avoid security problems.
  3. Add a location in nginx that will remove those httpd's reverse proxy request headers. It can look like this:

    location /path {
        proxy_set_header x-forwarded-for "";
        proxy_set_header x-forwarded-host "";
        proxy_set_header x-forwarded-server "";
        proxy_pass http://your.destination/path;
    }
    
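A way to check whether any of the fixes above actually took effect, as an added example that is not part of the original answers: a small origin to point the proxy at, which reports the X-Forwarded-* headers it receives. The port 8081, the loopback bind and the function names are assumptions made for this example.

```python
"""Header-echo origin: proxy a request to it and see which X-Forwarded-* headers arrive."""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# The three request headers discussed on this page.
PROXY_HEADERS = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server")


def leaked_proxy_headers(header_pairs):
    """Return {lowercased-name: [values]} for proxy headers that carry a value.

    header_pairs is an iterable of (name, value) tuples. Names are matched
    case-insensitively. Comma-merged values (one entry per proxy hop) are
    split, and a header sent with an empty value is not counted as a leak.
    """
    leaked = {}
    for name, value in header_pairs:
        key = name.strip().lower()
        hops = [v.strip() for v in value.split(",") if v.strip()]
        if key in PROXY_HEADERS and hops:
            leaked.setdefault(key, []).extend(hops)
    return leaked


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.headers.items() yields every header line, repeats included.
        leaked = leaked_proxy_headers(self.headers.items())
        body = json.dumps({"clean": not leaked, "leaked": leaked}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8081):
    """Listen on loopback only; the default port is an arbitrary choice."""
    HTTPServer(("127.0.0.1", port), EchoHandler).serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8081)
```

Point the proxy rule at this listener temporarily and request the proxied path: `"clean": true` in the response means none of the three headers reached the origin.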
Author by

The Surrican

Updated on June 05, 2022

Comments

  • The Surrican
    The Surrican almost 2 years

    When acting as a reverse proxy, apache adds x-forwarded headers as described here.

    http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

    In my configuration I have configured server A as a forward proxy. There is a rule like this:

    RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]
    

    This rule lets the server request the resource from one of my other servers.

    On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:

    RewriteRule some-regex some-url [P]
    

    It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.

    However that final request has these headers:

    [X-Forwarded-For] => ip of 1st server
    [X-Forwarded-Host] => example.myseconserver.com
    [X-Forwarded-Server] => example.com
    

    I want those headers gone.

    I seem to be unable to unset them with mod_headers. I can add more entries to them, but I can not remove them.

    Any ideas?

  • Mahendar Patel
    Mahendar Patel almost 11 years
    Can you elaborate on how you made mod_headers work to remove those headers? I can't seem to in apache 2.2 no matter what I try.
  • The Surrican
    The Surrican almost 11 years
    Sorry, I un-checked this answer because it does not work. If I remember that correctly, there is no way, and I ended up patching the module! However, I have long switched to nginx since.
  • Mahendar Patel
    Mahendar Patel almost 11 years
    I think I'll just use Apache 2.4, which allows you to use ProxyAddHeaders, unless I need more granular control - in which case I will switch to nginx too :)
  • The Surrican
    The Surrican over 10 years
    I agree with you that this is probably the better way, especially considering nginx.
  • becomingwisest
    becomingwisest almost 9 years
    To be clear, Apache 2.4 has httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders which using ProxyAddHeaders Off should do as requested.
  • Kingofkech
    Kingofkech over 6 years
    Can you give us more details on where to put the location /path?
  • keypress
    keypress over 6 years
    I have it in my "/etc/nginx/conf.d/default.conf" inside the "server" section. This is the way you usually add a "location".