+1.

Rajika

On Mon, Aug 12, 2013 at 9:25 PM, Sanjiva Weerawarana <[email protected]> wrote:
> +1.
>
> On Tue, Aug 13, 2013 at 12:21 AM, Hiranya Jayathilaka <[email protected]> wrote:
>
>> I went through the HTTP spec, and it looks like the existing Synapse
>> behavior is correct after all. Here's what the spec has to say:
>>
>> If the response is being forwarded through a proxy, the proxy application
>> MUST NOT modify the Server response-header. Instead, it SHOULD include a
>> Via field (as described in section 14.45
>> <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.45>).
>>
>> Note: Revealing the specific software version of the server might
>> allow the server machine to become more vulnerable to attacks
>> against software that is known to contain security holes. Server
>> implementors are encouraged to make this field a configurable
>> option.
>>
>> So maybe we should keep the current default behavior and perhaps add the
>> "Via" header to the response, as suggested.
>>
>> Thanks,
>> Hiranya
>>
>> On Aug 11, 2013, at 10:41 PM, Hiranya Jayathilaka <[email protected]> wrote:
>>
>> On Aug 11, 2013, at 10:51 AM, Sanjiva Weerawarana <[email protected]> wrote:
>>
>> IMO the Server header should by default be set by Synapse to say "Apache
>> Synapse vX.Y.Z" or something like that and have an option to forward that
>> of the backend.
>>
>> +1 to the suggested default behavior.
>>
>> We already have an (undocumented) configuration option to control this.
>> It's just that the current default behavior is to pass the "Server" header
>> sent by the backend server.
>>
>> Thanks,
>> Hiranya
>>
>> I guess we should probably look at what a reverse proxy like nginx does
>> by default and do whatever they do .. as that's the role of Synapse in
>> HTTP-HTTP routing.
>>
>> Sanjiva.
>>
>> On Sun, Aug 11, 2013 at 8:23 PM, Rajika Kumarasiri <[email protected]> wrote:
>>
>>> I meant it's better not to include that header by default since it can
>>> be considered a security issue. But as you have suggested we also need a
>>> way to configure the header.
>>>
>>> Rajika
>>>
>>> On Sun, Aug 11, 2013 at 1:52 AM, Hiranya Jayathilaka <[email protected]> wrote:
>>>
>>>> Hi Rajika,
>>>>
>>>> On Aug 10, 2013, at 10:42 PM, Rajika Kumarasiri <[email protected]> wrote:
>>>>
>>>> +1. Should be use-if-available.
>>>>
>>>> Are you implying that the current behavior is correct (i.e. passing the
>>>> HTTP "Server" header to the client)?
>>>>
>>>> Thanks,
>>>> Hiranya
>>>>
>>>> Rajika
>>>>
>>>> On Sun, Aug 11, 2013 at 12:30 AM, Hiranya Jayathilaka <[email protected]> wrote:
>>>>
>>>>> I noticed that both PT and NHTTP transports pass the "Server" header
>>>>> sent from the backend server to the client. This is the default programmed
>>>>> behavior, and it can be overridden if needed using a configuration
>>>>> parameter. But is the default behavior correct? Shouldn't Synapse
>>>>> completely hide the backend server details from the client?
>>>>>
>>>>> Thanks,
>>>>> Hiranya
>>>>>
>>>>> --
>>>>> Hiranya Jayathilaka
>>>>> Mayhem Lab/RACE Lab;
>>>>> Dept. of Computer Science, UCSB; http://cs.ucsb.edu
>>>>> E-mail: [email protected]; Mobile: +1 (805) 895-7443
>>>>> Blog: http://techfeast-hiranya.blogspot.com/
>>
>> --
>> Sanjiva Weerawarana, Ph.D.
>> Founder, Director & Chief Scientist; Lanka Software Foundation;
>> http://www.opensource.lk/
>> Founder, Chairman & CEO; WSO2; http://wso2.com/
>>
>> Blog: http://sanjiva.weerawarana.org/
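The two behaviours debated in the thread, written out as an added example (this is not Synapse's own transport code, and the function and parameter names are assumptions): the RFC 2616 default, where a proxy leaves the backend's `Server` header untouched and appends its own hop to `Via` (section 14.45), next to the configurable override Sanjiva proposes, where the proxy substitutes its own identifier so the backend's software version is not disclosed to clients. The backend response headers are constructed sample input.

```python
"""Reverse-proxy policy for the Server and Via response headers.

Added example, not Apache Synapse code. It implements the RFC 2616 rules quoted
in the thread (proxy MUST NOT modify Server, SHOULD add a Via element) together
with the thread's proposed configurable override that hides the backend's
Server value. All names below are assumptions made for this example.
"""
from __future__ import annotations

# Constructed sample: what a backend might return to the proxy.
BACKEND_HEADERS = [
    ("Content-Type", "application/json"),
    ("Server", "ExampleBackend/2.3.1"),   # constructed banner, not a real product
    ("Content-Length", "17"),
]


def _find(headers: list[tuple[str, str]], name: str) -> int:
    """Index of the first header with this name (case-insensitive), or -1."""
    target = name.lower()
    for i, (key, _) in enumerate(headers):
        if key.lower() == target:
            return i
    return -1


def via_entry(received_version: str, pseudonym: str) -> str:
    """One Via element: received-protocol SP received-by (RFC 2616 14.45).

    The 'HTTP/' protocol-name prefix is omitted for HTTP, as the RFC permits,
    so 'HTTP/1.1' + 'synapse' becomes '1.1 synapse'.
    """
    proto = received_version
    if proto.upper().startswith("HTTP/"):
        proto = proto[len("HTTP/"):]
    return f"{proto} {pseudonym}"


def forward_response_headers(backend_headers, *, received_version="HTTP/1.1",
                             proxy_pseudonym="synapse",
                             hide_backend_server=False,
                             proxy_server_value="Apache Synapse vX.Y.Z"):
    """Return the header list the proxy sends to the client.

    hide_backend_server=False (default): spec-conformant behaviour. Server is
    forwarded exactly as the backend sent it; a Via element for this hop is
    appended (comma-joined onto an existing Via if upstream proxies added one).
    hide_backend_server=True: the configurable override from the thread. Server
    is replaced with the proxy's own identifier (and added if the backend sent
    none), so backend software and version are not revealed to the client.
    """
    out = list(backend_headers)

    entry = via_entry(received_version, proxy_pseudonym)
    i = _find(out, "Via")
    if i >= 0:
        out[i] = (out[i][0], f"{out[i][1]}, {entry}")
    else:
        out.append(("Via", entry))

    if hide_backend_server:
        j = _find(out, "Server")
        if j >= 0:
            out[j] = (out[j][0], proxy_server_value)
        else:
            out.append(("Server", proxy_server_value))
    return out


def header_value(headers, name: str) -> str | None:
    """Value of the named header, or None if absent."""
    i = _find(headers, name)
    return headers[i][1] if i >= 0 else None


if __name__ == "__main__":
    for hide in (False, True):
        print(f"hide_backend_server={hide}:")
        for k, v in forward_response_headers(BACKEND_HEADERS, hide_backend_server=hide):
            print(f"  {k}: {v}")
```

The `Via` element is appended rather than overwritten so that a chain of proxies stays traceable, which is the diagnostic purpose the RFC gives the header; the override mode changes only `Server`, so clients still see the proxy hop in `Via` either way.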
