
HTTP header manipulation in Pound
"Michael J. Tubby G8TIC" <mike.tubby(at)thorcom.co.uk>
2005-12-03 21:38:26
All,

I've been looking at using Pound for a web-based mapping application
where we must use a server farm of MS IIS 6.0 on the back-end :o(

One of the things we need to do is to 'anonymise' the server's HTTP
headers; it would be "really good(tm)" if we could manipulate the
outbound HTTP headers by deleting them, adding new ones or replacing
them... using something like:

    HeaderDelete: <name>
    HeaderAdd: <name> <value>
    HeaderReplace: <name> <new-value>

So we would manipulate a typical IIS response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Sat, 19 Nov 2005 17:24:53 GMT
    Server: Microsoft-IIS/6.0
    P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 22171

with configuration commands like:

    HeaderDelete: Connection
    HeaderReplace: Server NutScrape/3.1415/CPM-2.2
    HeaderDelete: P3P
    HeaderReplace: X-Powered-By Zilog-Z80
    HeaderDelete: X-AspNet-Version
    HeaderAdd: X-Organization Bill Gates Fan Club
    HeaderDelete: Cache-Control

making the HTTP headers sent back to the client read like this:

    HTTP/1.1 200 OK
    Date: Sat, 19 Nov 2005 17:24:53 GMT
    Server: NutScrape/3.1415/CPM-2.2
    X-Powered-By: Zilog-Z80
    X-Organization: Bill Gates Fan Club
    Content-Type: text/html; charset=utf-8
    Content-Length: 22171

Clearly this could be used in such a way that it would break clients and
sites (if misused or misunderstood) but it would be powerful for hiding the
true identity of the server technology behind Pound (i.e. 'cloaking' the
server) -- in some cases this may improve security (by deflecting certain
types of attack) and allow sites to be anonymous, for example when scanned
by Netcraft for server type, etc.

Any thoughts?


Mike

Re: [Pound Mailing List] HTTP header manipulation in Pound
FX <gentoo(at)sbcglobal.net>
2005-12-03 22:10:02
Michael J. Tubby G8TIC wrote:

>One of the things we need to do is to 'anonymise' the server's HTTP
>headers, it would be "really good(tm)" if we could manipulate the out
>bound HTTP headers by deleting them, adding new ones or replacing
>them... using something like:
>
>    HeaderDelete: <name>
>    HeaderAdd: <name> <value>
>    HeaderReplace: <name> <new-value>
>  
>

Interesting...

Would be even more useful if it took "s/old/new/" syntax:

HeaderRegex: <name> <regex>

One example on why this is useful:

If a client request goes through 2 different pound servers before reaching 
the backend, the <regex> can strip out the known internal IP addresses 
in X-Forwarded-For.  This allows the backend to receive only one IP 
address in the X-Forwarded-For which can then be utilized for enforcing 
application-specific limits.
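
The two proposals in this thread (Mike's HeaderDelete/HeaderAdd/HeaderReplace directives and FX's s/old/new/ HeaderRegex) as an added, stand-alone Python model. This is example code written for this archive page, not Pound's own code, and the directive names are the thread's proposal, not real Pound configuration. It parses a rule set in that syntax, applies it to the IIS response quoted above, and applies a HeaderRegex rule to a constructed request whose X-Forwarded-For carries the real client followed by an internal hop address (that layout, the 10/8 range and the addresses themselves are assumptions for the example, not something the thread specifies).

```python
import re

# Constructed sample: the IIS response quoted in the thread, P3P on one line.
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nConnection: close\r\n"
    "Date: Sat, 19 Nov 2005 17:24:53 GMT\r\nServer: Microsoft-IIS/6.0\r\n"
    'P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR '
    'SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"\r\n'
    "X-Powered-By: ASP.NET\r\nX-AspNet-Version: 2.0.50727\r\n"
    "Cache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 22171\r\n\r\n"
)
# The thread's rule set, in the proposed (hypothetical) directive syntax.
RESPONSE_RULES = """
HeaderDelete: Connection
HeaderReplace: Server NutScrape/3.1415/CPM-2.2
HeaderDelete: P3P
HeaderReplace: X-Powered-By Zilog-Z80
HeaderDelete: X-AspNet-Version
HeaderAdd: X-Organization Bill Gates Fan Club
HeaderDelete: Cache-Control
"""
# Constructed request as a second Pound hop might see it: the real client
# (203.0.113.7) followed by the first hop's internal address (assumed layout).
CHAINED_REQUEST = (
    "GET /map HTTP/1.1\r\nHost: maps.example.com\r\n"
    "X-Forwarded-For: 203.0.113.7, 10.0.0.2\r\n\r\n"
)
# FX's idea: strip trailing addresses from a known internal range (here 10/8).
REQUEST_RULES = r"HeaderRegex: X-Forwarded-For s/(,\s*10\.\d+\.\d+\.\d+)+$//"


def parse_message(raw):
    """Split an HTTP head into (start line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        # Reject empty names and obs-fold continuation lines outright.
        if not sep or not name.strip() or name[0] in " \t":
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def parse_substitution(expr):
    """Compile Perl-style 's/pattern/replacement/flags' into a callable.
    Flags: i (ignore case), g (all matches; default is first match only).
    The delimiter may not occur inside pattern or replacement."""
    parts = expr[2:].split(expr[1]) if expr[:1] == "s" and len(expr) > 2 else []
    if len(parts) == 2:                     # trailing delimiter omitted, no flags
        parts.append("")
    if len(parts) != 3:
        raise ValueError(f"bad substitution: {expr!r}")
    pattern, repl, flags = parts
    compiled = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return lambda value: compiled.sub(repl, value, count=0 if "g" in flags else 1)


def parse_rules(text):
    """Parse 'Directive: Name [argument]' lines into (action, name, arg) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, sep, rest = line.partition(":")
        name, _, arg = rest.strip().partition(" ")
        if not sep or not name:
            raise ValueError(f"bad rule: {line!r}")
        if directive == "HeaderDelete":
            rules.append(("delete", name, None))
        elif directive in ("HeaderAdd", "HeaderReplace"):
            rules.append((directive[6:].lower(), name, arg.strip()))
        elif directive == "HeaderRegex":
            rules.append(("regex", name, parse_substitution(arg.strip())))
        else:
            raise ValueError(f"unknown directive: {directive!r}")
    return rules


def apply_rules(headers, rules):
    out = list(headers)
    for action, name, arg in rules:
        key = name.lower()                  # header names are case-insensitive
        if action == "delete":
            out = [h for h in out if h[0].lower() != key]
        elif action == "add":
            out.append((name, arg))
        elif action == "replace":           # absent headers stay absent
            out = [(n, arg if n.lower() == key else v) for n, v in out]
        elif action == "regex":
            out = [(n, arg(v) if n.lower() == key else v) for n, v in out]
    return out


def rewrite(raw, rules_text):
    start, headers = parse_message(raw)
    headers = apply_rules(headers, parse_rules(rules_text))
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
```

Running rewrite(IIS_RESPONSE, RESPONSE_RULES) yields the cloaked response from the first message, except that the added X-Organization header lands at the end rather than in the middle, since HeaderAdd appends. The X-Forwarded-For rule is anchored at the end of the value on purpose: it only removes addresses that the internal hops appended, and whatever remains in front of them is still client-supplied input, so a backend that enforces limits on it should treat it as such. Note also that rewriting banners such as Server and X-Powered-By hides a label, not the backend's behaviour, which can still be fingerprinted in other ways.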

Re: [Pound Mailing List] HTTP header manipulation in Pound
"Michael J. Tubby G8TIC" <mike.tubby(at)thorcom.co.uk>
2005-12-04 11:46:38
That's a very good idea for the 'replace' option (at the expense of a few
CPU cycles) - use full-blown regex handling... the library for which is 
here:

    http://www.pcre.org/

but we need a method for completely removing a header line or adding
one, so something like

    HeaderDelete: <name>
    HeaderAdd: <name> <value>
    HeaderRegex: s/<pattern1>/<pattern2>

could do the job...

Mike

----- Original Message ----- 
From: "FX" <gentoo(at)sbcglobal.net>
To: <pound(at)apsis.ch>
Sent: Saturday, December 03, 2005 9:10 PM
Subject: Re: [Pound Mailing List] HTTP header manipulation in Pound


> Michael J. Tubby G8TIC wrote:
>
>>One of the things we need to do is to 'anonymise' the server's HTTP
>>headers, it would be "really good(tm)" if we could manipulate the out
>>bound HTTP headers by deleting them, adding new ones or replacing
>>them... using something like:
>>
>>    HeaderDelete: <name>
>>    HeaderAdd: <name> <value>
>>    HeaderReplace: <name> <new-value>
>>
>
> Interesting...
>
> Would be even more useful if it took "s/old/new/" syntax:
>
> HeaderRegex: <name> <regex>
>
> One example on why this is useful:
>
> If a client request goes thru 2 different pound servers before reaching 
> the backend, the <regex> can strip out the known internal IP addresses in 
> X-Forwarded-For.  This allows the backend to receive only one ip address 
> in the X-Forwarded-For which can then be utilized for enforcing 
> application-specific limits.
>


Re: [Pound Mailing List] HTTP header manipulation in Pound
Andrew Taylor <andrew.taylor(at)rentokil-initial.com>
2005-12-04 14:58:01
> One of the things we need to do is to 'anonymise' the server's HTTP
> headers, it would be "really good(tm)" if we could manipulate the out
> bound HTTP headers by deleting them, adding new ones or replacing
> them... using something like:

I agree very much with this. This would be a very useful feature for us.
We "hide" a variety of back-end servers behind pound and the ability to
restrict and customise the headers sent out would be a very useful
security feature.

Regards,

Andrew Taylor

Technical Development
Corporate Information Technology
Rentokil Initial
Tel: 01342 327 171 x247
Fax: 01342 332 551
