Is there a way to remove apaches Reverse Proxy Request Headers?

Asked 5/9, 2011 at 19:53 Answered 19/4, 2018 at 16:19

Solved apache mod-rewrite apache2 mod-proxy mod-headers

When acting as a reverse proxy, apache adds x-forwarded headers as described here.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

In my configuration I have configured server A as a forward proxy. There is a rule like this:

RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]

This rule lets the server request the resource from one of my other servers.

On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:

RewriteRule some-regex some-url [P]

It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.

However that final request has these headers:

[X-Forwarded-For] => ip of 1st server
[X-Forwarded-Host] => example.myseconserver.com
[X-Forwarded-Server] => example.com

I want those headers gone.

I seem to be unable to unset them with mod_headers. I can add more entries to them, but I can not remove them.

Any ideas?

Intimacy answered 5/9, 2011 at 19:53 Comment(2)

The only way known to me is RequestHeader from mod_headers: use to delete these headers, e.g. RequestHeader unset X-Forwarded-For. This directive has lower priority and runs after mod_rewrite just before the request is run by its handler in the fixup phase. I'm not sure about X-Forwarded-* headers, but it works fine for User Agent and similar headers -- no problems removing them – Kristine 5/9, 2011 at 23:45

that is just what i tried but those headers seem not to be editable this way – Intimacy 6/9, 2011 at 18:27

corrected answer: there is no way to do that since its hardcoded

to fix this in the source code of mod_proxy_http.c search for the following part:

    apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                 r->server->server_hostname);
}

and immediately after that add this code:

// remove any X-Forwarded headers
apr_table_unset(r->headers_in, "X-Forwarded-For");
apr_table_unset(r->headers_in, "X-Forwarded-Host");
apr_table_unset(r->headers_in, "X-Forwarded-Server");

then compile by running apxs2 -cia mod_proxy_http.c

Intimacy answered 8/4, 2012 at 23:18 Comment(5)

Can you elaborate on how you made mod_headers work to remove those headers? I can't seem to in apache 2.2 no matter what I try. – Fealty 25/7, 2013 at 15:31

sorry, i un-checked this answer because it does not work. if i remember that correctly there is no way and i ended up patching the module! however i have long switched to nginx since. – Intimacy 26/7, 2013 at 14:20

I think I'll just use Apache 2.4 which allows you to to use ProxyAddHeaders, unless I need more granular control - in which case I will switch to nginx too :) – Fealty 27/7, 2013 at 17:28

i agree with you that this is probably the better way, especially considering nginx – Intimacy 5/9, 2013 at 9:7

To be clear, Apache 2.4 has httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders which using ProxyAddHeaders Off should do as requested. – Amazonite 27/5, 2015 at 17:59

Since Apache 2, as this pretty answer says, the

ProxyAddHeaders Off

theoretically disables it. In my experiences, it had no effect. However, combined with

<Proxy *>
  ProxyAddHeaders Off
</Proxy>

and, with

  RequestHeader unset X-Forwarded-Host
  RequestHeader unset X-Forwarded-For
  RequestHeader unset X-Forwarded-Server

somewhere it started to work.

Dennett answered 19/4, 2018 at 16:19 Comment(0)

corrected answer: there is no way to do that since its hardcoded

to fix this in the source code of mod_proxy_http.c search for the following part:

    apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                 r->server->server_hostname);
}

and immediately after that add this code:

// remove any X-Forwarded headers
apr_table_unset(r->headers_in, "X-Forwarded-For");
apr_table_unset(r->headers_in, "X-Forwarded-Host");
apr_table_unset(r->headers_in, "X-Forwarded-Server");

then compile by running apxs2 -cia mod_proxy_http.c

Intimacy answered 8/4, 2012 at 23:18 Comment(5)

Can you elaborate on how you made mod_headers work to remove those headers? I can't seem to in apache 2.2 no matter what I try. – Fealty 25/7, 2013 at 15:31

I think I'll just use Apache 2.4 which allows you to to use ProxyAddHeaders, unless I need more granular control - in which case I will switch to nginx too :) – Fealty 27/7, 2013 at 17:28

i agree with you that this is probably the better way, especially considering nginx – Intimacy 5/9, 2013 at 9:7

To be clear, Apache 2.4 has httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders which using ProxyAddHeaders Off should do as requested. – Amazonite 27/5, 2015 at 17:59

I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But because of some reasons I couldn't switch to nginx completly. So I did it by inserting nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. Installation steps are the following:

Install nginx according to these instructions
Configure nginx to avoid security problems.

Add an location in nginx that will remove those httpd's reverse proxy request headers. It can look like this:

location /path {
    proxy_set_header x-forwarded-for "";
    proxy_set_header x-forwarded-host "";
    proxy_set_header x-forwarded-server "";
    proxy_pass http://your.destination/path;
}

Brabazon answered 12/4, 2016 at 12:5 Comment(2)

can you give us more details on where to put the location /path ? – Boardinghouse 15/1, 2018 at 10:43

I have it in my "/etc/nginx/conf.d/default.conf" inside the "server" section. This is the way, you add "location" usually. – Brabazon 28/1, 2018 at 18:32

Recommended topics

Hot tags