I went through the HTTP spec, and it looks like the existing Synapse behavior
is correct after all. Here's what the spec has to say:
If the response is being forwarded through a proxy, the proxy application MUST
NOT modify the Server response-header. Instead, it SHOULD include a Via field
(as described in section 14.45).
Note: Revealing the specific software version of the server might
allow the server machine to become more vulnerable to attacks
against software that is known to contain security holes. Server
implementors are encouraged to make this field a configurable
option.
So maybe we should keep the current default behavior and perhaps add the "Via"
header to the response, as suggested.
Thanks,
Hiranya
On Aug 11, 2013, at 10:41 PM, Hiranya Jayathilaka <[email protected]> wrote:
> On Aug 11, 2013, at 10:51 AM, Sanjiva Weerawarana <[email protected]>
> wrote:
>
>> IMO the Server header should by default be set by Synapse to say "Apache
>> Synapse vX.Y.Z" or something like that and have an option to forward that of
>> the backend.
>
> +1 to the suggested default behavior.
>
> We already have a (undocumented) configuration option to control this. It's
> just that the current default behavior is to pass the "Server" header sent by
> the backend server.
>
> Thanks,
> Hiranya
>
>>
>> I guess we should probably look at what a reverse proxy like nginx does by
>> default and do whatever they do .. as that's the role of Synapse in
>> HTTP-HTTP routing.
>>
>> Sanjiva.
>>
>>
>> On Sun, Aug 11, 2013 at 8:23 PM, Rajika Kumarasiri
>> <[email protected]> wrote:
>> I meant it's better not to include that header by default since it can be
>> considered a security issue. But as you have suggested we also need a way to
>> configure the header.
>>
>> Rajika
>>
>>
>> On Sun, Aug 11, 2013 at 1:52 AM, Hiranya Jayathilaka <[email protected]>
>> wrote:
>> Hi Rajika,
>>
>> On Aug 10, 2013, at 10:42 PM, Rajika Kumarasiri
>> <[email protected]> wrote:
>>
>>> +1. Should be use-if-available.
>>
>> Are you implying that the current behavior is correct (i.e. passing the Http
>> "Server" header to the client)?
>>
>> Thanks,
>> Hiranya
>>
>>>
>>> Rajika
>>>
>>>
>>> On Sun, Aug 11, 2013 at 12:30 AM, Hiranya Jayathilaka
>>> <[email protected]> wrote:
>>> I noticed that both PT and NHTTP transports pass the "Server" header sent
>>> from the backend server to the client. This is the default programmed
>>> behavior, and it can be overridden if needed using a configuration
>>> parameter. But is the default behavior correct? Shouldn't Synapse
>>> completely hide the backend server details from the client?
>>>
>>> Thanks,
>>> Hiranya
>>>
>>> --
>>> Hiranya Jayathilaka
>>> Mayhem Lab/RACE Lab;
>>> Dept. of Computer Science, UCSB; http://cs.ucsb.edu
>>> E-mail: [email protected]; Mobile: +1 (805) 895-7443
>>> Blog: http://techfeast-hiranya.blogspot.com
>>>
>>>
>>
>>
>> --
>> Sanjiva Weerawarana, Ph.D.
>> Founder, Director & Chief Scientist; Lanka Software Foundation;
>> http://www.opensource.lk/
>> Founder, Chairman & CEO; WSO2; http://wso2.com/
>>
>> Blog: http://sanjiva.weerawarana.org/
>
>
--
Hiranya Jayathilaka
Mayhem Lab/RACE Lab;
Dept. of Computer Science, UCSB; http://cs.ucsb.edu
E-mail: [email protected]; Mobile: +1 (805) 895-7443
Blog: http://techfeast-hiranya.blogspot.com
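An added example (not Synapse code, not from anyone on this thread) that applies the header rules discussed above to a backend response as a proxy forwards it to the client: the three Server-header policies correspond to the positions taken in the thread, and a Via entry is appended as RFC 2616 section 14.45 describes. The function name, the Via token "1.1 synapse" and the replacement value "Apache Synapse" are constructed for illustration.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Policies for the backend's Server header, matching the thread's positions:
#   "forward": pass it unmodified (RFC 2616 14.38; the current Synapse default)
#   "hide":    drop it (the configurable option 14.38 encourages implementors to offer)
#   "replace": substitute the proxy's own product token (suggested in the thread;
#              note that 14.38 says a proxy MUST NOT modify Server)
SERVER_POLICIES = ("forward", "hide", "replace")


def forward_response_headers(backend: Headers, server_policy: str = "forward",
                             proxy_server_token: str = "Apache Synapse",
                             via_token: str = "1.1 synapse") -> Headers:
    """Return the header list the proxy sends to the client.

    All names here are constructed for this example; the Via token follows
    the "protocol-version received-by" form of RFC 2616 14.45.
    """
    if server_policy not in SERVER_POLICIES:
        raise ValueError(f"unknown server_policy {server_policy!r}")
    out: Headers = []
    via_values: List[str] = []
    for name, value in backend:
        lname = name.lower()
        if lname == "server":
            if server_policy == "forward":
                out.append((name, value))     # untouched, as 14.38 requires
            # "hide" and "replace": the backend's value is not forwarded
        elif lname == "via":
            via_values.append(value)          # keep entries from earlier hops
        else:
            out.append((name, value))
    if server_policy == "replace":
        out.append(("Server", proxy_server_token))   # emitted exactly once
    # 14.45: each proxy appends its own entry after those already present
    via_values.append(via_token)
    out.append(("Via", ", ".join(via_values)))
    return out
```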