Le Blog Utux

HTTP 200 GET /

How to remove server_tokens in Azure Application Gateway

Rédigé par uTux Aucun commentaire

In Azure, the Application Gateway is basically a reverse proxy, passing traffic to some backends. While testing the SSL certificate of a listener with ssllabs, I have been surprised by the "HTTP server signature" field: Nexus/2.14.10-01. Indeed, the backend was a Nexus service, but I was expecting to see the server signature of the Application Gateway (which is Nginx), or nothing, but not the backend.

Turns out the HTTP response contains the following header:

< HTTP/1.1 200 OK
< Server: Nexus/2.14.10-01
[...]

Many sysadmins and organizations consider this as a security issue, giving attackers information about the server. While I do not totally agree with this statement (Obfuscation), I often disable this information. This is simple with Nginx and Apache, but what about Azure Application Gateway?

Application Gateway -> Your application gateway -> Rewrites -> + Rewrite set

Name and Association
  • Name: give a name to your rewrite set. Ie: DisableServerTokens.
  • Associated routing rules: Select the rule associated to your backend(s)
Rewrite rule configuration
  • Rewrite rule name: give a name to your rewrite rule name. Ie: DisableServerHeader.
  • Action type: Delete
  • Header type: Response
  • Header name: Common header
  • Common header: Server

Then Save your modifications. This should remove the "Server" HTTP header.

Ansible filter by Azure tag

Rédigé par uTux Aucun commentaire

It took me some time to figure out how to use Azure tags as a filter for Ansible. Well it's not that hard, azure_rm.py will automatically generate groups based on tags with this pattern:

  • Tag: role:webserver
  • Becomes group: role_webserver

Yes, that's the trick, ":" becomes "_". Let's say you want to run a playbook only on machines tagged with role:webserver, just use the following command:

$ ansible-playbook -i azure_rm.py playbook.yml --limit role_webserver
Fil RSS des articles de ce mot clé