feat(proxy) add configuration options to hide server tokens and latency tokens #2259

Merged: 13 commits, Mar 31, 2017

Conversation

@bungle (Member) commented Mar 25, 2017

Summary

Implementation of #1009, taking care of hiding Kong proxy headers using configuration properties.

Full changelog

  • Add server_tokens and latency_tokens Kong configuration properties.

Issues resolved

Fix #1009
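A way to verify the opt-out from outside the gateway, as an added example that is not part of this PR or of Kong's own code: a POSIX shell audit that flags the response headers these two properties control. The header names (`Server`, `Via`, `X-Kong-Proxy-Latency`, `X-Kong-Upstream-Latency`) and the property names come from this PR; the three sample responses, the `gunicorn` upstream `Server` value passing through, the `kong/0.10.0` version string and the `audit_live` helper that shells out to curl are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the Kong PR: audit a Kong (or any reverse proxy)
# response for the headers that server_tokens / latency_tokens control, so an
# operator can verify that the opt-out actually took effect.
#
# Opt-out in kong.conf (both properties default to "on" per this PR):
#   server_tokens  = off    # no Kong "Server" / "Via" headers
#   latency_tokens = off    # no X-Kong-Proxy-Latency / X-Kong-Upstream-Latency
#
# Header names come from the PR; the responses below are constructed samples,
# not captures from a real Kong.

# Usage: kong_disclosure_headers "$raw_response_headers"
# Prints each header line that identifies Kong or leaks proxy timing.
# Server/Via are flagged only when their value mentions Kong, so an upstream's
# own Server header (which legitimately passes through) is not a false alarm.
kong_disclosure_headers() {
  printf '%s\n' "$1" | awk '
    {
      sub(/\r$/, "")                          # tolerate CRLF from curl -D
      i = index($0, ":")
      if (i == 0) next                        # status line or blank line
      name  = tolower(substr($0, 1, i - 1))
      value = tolower(substr($0, i + 1))
      if (name == "x-kong-proxy-latency" || name == "x-kong-upstream-latency") {
        print $0
      } else if ((name == "server" || name == "via") && index(value, "kong") > 0) {
        print $0
      }
    }'
}

# Usage: disclosure_count "$raw_response_headers"  -> number of flagged headers
disclosure_count() {
  kong_disclosure_headers "$1" | grep -c '' || true
}

# Usage: is_hardened "$raw_response_headers"  -> exit 0 when nothing is disclosed
is_hardened() {
  [ "$(disclosure_count "$1")" -eq 0 ]
}

# Live use (not run here, assumed helper): dump the headers of a GET through
# the proxy and audit them; point it at a route that matches a configured API.
audit_live() {
  kong_disclosure_headers "$(curl -sS -o /dev/null -D - "$1")"
}

# Constructed sample: a proxied response with the defaults (both properties on).
# The upstream's Server header passes through; Kong adds Via and the timings.
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Date: Fri, 31 Mar 2017 20:19:00 GMT
Content-Type: application/json
Server: gunicorn/19.7.1
Via: kong/0.10.0
X-Kong-Upstream-Latency: 12
X-Kong-Proxy-Latency: 3'

# Constructed sample: the same request with both properties set to off.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Fri, 31 Mar 2017 20:19:00 GMT
Content-Type: application/json
Server: gunicorn/19.7.1'

# Constructed sample: no API matched (nothing proxied), so Kong answers itself
# and, with the defaults on, names itself in Server.
NOT_PROXIED_RESPONSE='HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Server: kong/0.10.0'
```

Run `is_hardened "$(curl -sS -o /dev/null -D - http://proxy-host:8000/some-route)"` (host and route are placeholders) once with the defaults and once after restarting Kong with both properties off; the first call should fail and the second pass. Flagging only `Server`/`Via` values that name Kong keeps the check focused on the gateway's own disclosure rather than on whatever each backend sends.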

…cy tokens

* Add server_tokens and latency_tokens Kong configuration properties.

Fix #1009
@@ -61,6 +61,8 @@ local CONF_INFERENCES = {
cluster_advertise = {typ = "string"},
nginx_worker_processes = {typ = "string"},
upstream_keepalive = {typ = "number"},
server_tokens = {typ = "boolean"},
latency_tokens = {typ = "boolean"},
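Review bot: the `boolean` inference for `server_tokens` and `latency_tokens` only tells the config loader how to parse `on`/`off`; it sets no default, so the defaults (`server_tokens = on` / `latency_tokens = on`, shown in a later hunk of this PR) and a description of which response headers each property suppresses must also land in kong/kong.conf.default. With both defaulting to on, an upgraded Kong keeps sending its `Server`, `Via` and `X-Kong-*-Latency` headers until an operator explicitly turns them off, which is worth stating in the changelog entry.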

Member commented:

shouldn't those be called 'headers' instead of 'tokens'?

@bungle (Member Author) commented Mar 27, 2017

Member commented:

same here...

@bungle (Member Author) commented:

What's the conclusion, server_tokens vs. server_headers? Or something different?

@bungle (Member Author) commented Mar 27, 2017:

server_header is kinda bad, as it says "no headers at all" when off. Something like kong_version_headers and kong_latency_headers could be better.

Member commented:

just leave it at tokens.


assert.res_status(404, res)
assert.equal(nil, res.headers[constants.HEADERS.UPSTREAM_LATENCY])
assert.equal(nil, res.headers[constants.HEADERS.PROXY_LATENCY])
end)
Member commented:

fyi, you could have done

assert.response(res).has.status(404)
assert.response(res).has_not.header(constants.HEADERS.UPSTREAM_LATENCY)
assert.response(res).has_not.header(constants.HEADERS.PROXY_LATENCY)

tests exactly the same, but provides more context when they fail.

@@ -19,6 +19,8 @@ admin_ssl = on
admin_ssl_cert = NONE
admin_ssl_cert_key = NONE
upstream_keepalive = 60
server_tokens = on
latency_tokens = on
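Review bot: both properties default to `on`, so the opt-out is what changes behaviour; the matching entries in kong/kong.conf.default should spell out that `server_tokens = off` suppresses both the Kong `Server` and `Via` headers (as the tests in this PR assert) and that `latency_tokens = off` suppresses `X-Kong-Proxy-Latency` and `X-Kong-Upstream-Latency`, otherwise operators hardening against version disclosure have to guess the scope from the names alone. A sentence noting that the latency values are per-request timing data returned to every client, not only to the API owner, would also justify recommending `off` for production.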

Member commented:

those also need to be added to the kong/kong.conf.default file, including a description.

@bungle (Member Author) commented:

Added.

@Tieske added the label pr/ready (but hold merge) ("No more concerns, but do not merge yet (probably a conflict of interest with another PR or release)") and removed pr/status/needs review, Mar 27, 2017
})

assert.response(res).has.status(404)
assert.response(res).has_not.header "via"
Member commented:

Those assertions are locking us in and will make it harder for us to switch to another mocking service. We should stop using them, as already raised in the style guide PR.

@bungle (Member Author) commented:

Oh, I just changed them based on comments by @Tieske.

helpers.dao.apis:insert {
name = "api-1",
upstream_url = "http://localhost:9999/headers-inspect",
hosts = "inexistent.com",
Member commented:

It's really confusing to have this value set to inexistent.com, especially when also using 404.com in the tests. How about header-inspect? Also, this value should be a table, for consistency's sake and potentially forward compatibility.

assert.response(res).has_not.header(constants.HEADERS.PROXY_LATENCY)
end)

it("should not be returned", function()
Member commented:

... when no API matched (no proxy)

helpers.stop_kong()
end)

it("should not be returned", function()
Member commented:

... when request was proxied

assert.response(res).has.header(constants.HEADERS.PROXY_LATENCY)
end)

it("should not be returned", function()
Member commented:

when no API matched (no proxy)


teardown(helpers.stop_kong)

it("should be returned", function()
Member commented:

... when request was proxied

assert.not_equal(default_server_header, res.headers["server"])
end)

it("should not return Kong 'Server' or 'Via' headers", function()
Member commented:

when no API matched (no proxy)

CHANGELOG.md Outdated
- :fireworks: `server_tokens` and `latency_tokens` configuration fields.
Check the [0.10 Configuration Guide](https://getkong.org/docs/0.10.x/configuration/#server_tokens)
to learn more.
[#2259](https://github.com/Mashape/kong/pull/2259)
Member commented:

We could explain a bit more what this change is about and respect the 80 cols limit as well. Maybe:

- Ability to hide Kong-specific response headers. Two new configuration fields:
  `server_tokens` and `latency_tokens` will respectively toggle whether the `Server`
  and `X-Kong-*-Latency` headers should be sent to downstream clients.

Also, in general there is no need to point to the configuration guide for new config fields, since the guide does not elaborate more on properties than the kong.conf.default file, which already has a comment for each property.

@thibaultcha thibaultcha merged commit fd18d0d into next Mar 31, 2017
@thibaultcha thibaultcha deleted the feat/hide-kong-headers branch March 31, 2017 20:19
@coopr (Contributor) commented Apr 27, 2017:

@bungle @thibaultcha I don't see this mentioned in https://github.com/Mashape/kong/blob/master/CHANGELOG.md#unreleased - is it coming up soon?

@thibaultcha (Member) commented:

This is merged to next, and as such, is in the changelog of the next branch, and not the master one.

thibaultcha pushed a commit that referenced this pull request Apr 28, 2017
Add two new configuration properties `server_tokens` and
`latency_tokens` to toggle `Server` and `X-Kong-*-Latency` response
headers.

From #2259
Fix #1009
thibaultcha pushed a commit that referenced this pull request Apr 29, 2017
Add two new configuration properties `server_tokens` and
`latency_tokens` to toggle `Server` and `X-Kong-*-Latency` response
headers.

From #2259
Fix #1009