-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(proxy) add configuration options to hide server tokens and latency tokens #2259
Conversation
…cy tokens * Add server_tokens and latency_tokens Kong configuration properties. Fix #1009
@@ -61,6 +61,8 @@ local CONF_INFERENCES = { | |||
cluster_advertise = {typ = "string"}, | |||
nginx_worker_processes = {typ = "string"}, | |||
upstream_keepalive = {typ = "number"}, | |||
server_tokens = {typ = "boolean"}, | |||
latency_tokens = {typ = "boolean"}, | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't those be called 'headers' instead of 'tokens'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Tieske it is debatable (both works for me): http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the conclusion, server_tokens
vs. server_headers
? Or something different?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
server_header
is kinda bad as it says "no headers at all", when off
. Something like kong_version_headers
and kong_latency_headers
could be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just leave it at tokens.
@@ -61,6 +61,8 @@ local CONF_INFERENCES = { | |||
cluster_advertise = {typ = "string"}, | |||
nginx_worker_processes = {typ = "string"}, | |||
upstream_keepalive = {typ = "number"}, | |||
server_tokens = {typ = "boolean"}, | |||
latency_tokens = {typ = "boolean"}, | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here...
assert.res_status(404, res) | ||
assert.equal(nil, res.headers[constants.HEADERS.UPSTREAM_LATENCY]) | ||
assert.equal(nil, res.headers[constants.HEADERS.PROXY_LATENCY]) | ||
end) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi, you could have done
assert.response(res).has.status(404)
assert.response(res).has.header(constants.HEADERS.UPSTREAM_LATENCY)
assert.response(res).has.header(constants.HEADERS.PROXY_LATENCY)
tests exactly the same, but provides more context when they fail.
@@ -19,6 +19,8 @@ admin_ssl = on | |||
admin_ssl_cert = NONE | |||
admin_ssl_cert_key = NONE | |||
upstream_keepalive = 60 | |||
server_tokens = on | |||
latency_tokens = on | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
those also need to be added to the kong/kong.conf.default
file including a description.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added.
}) | ||
|
||
assert.response(res).has.status(404) | ||
assert.response(res).has_not.header "via" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those assertions are locking us in and will make it harder for us to switch to another mocking service. We should stop using them, as already raised in the style guide PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I just changed them based on comments by @Tieske.
helpers.dao.apis:insert { | ||
name = "api-1", | ||
upstream_url = "http://localhost:9999/headers-inspect", | ||
hosts = "inexistent.com", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's really confusing to have this value set to inexistent.com
. Especially when also using 404.com
in the tests. How about header-inspect
? Also, this value should be a table for consistency's sake and potentially forward compatibility.
assert.response(res).has_not.header(constants.HEADERS.PROXY_LATENCY) | ||
end) | ||
|
||
it("should not be returned", function() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... when no API matched (no proxy)
helpers.stop_kong() | ||
end) | ||
|
||
it("should not be returned", function() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... when request was proxied
assert.response(res).has.header(constants.HEADERS.PROXY_LATENCY) | ||
end) | ||
|
||
it("should not be returned", function() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when no API matched (no proxy)
|
||
teardown(helpers.stop_kong) | ||
|
||
it("should be returned", function() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... when request was proxied
assert.not_equal(default_server_header, res.headers["server"]) | ||
end) | ||
|
||
it("should not return Kong 'Server' or 'Via' headers", function() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when no API matched (no proxy)
…t/hide-kong-headers
…t/hide-kong-headers
CHANGELOG.md
Outdated
- :fireworks: `server_tokens` and `latency_tokens` configuration fields. | ||
Check the [0.10 Configuration Guide](https://getkong.org/docs/0.10.x/configuration/#server_tokens) | ||
to learn more. | ||
[#2259](https://github.com/Mashape/kong/pull/2259) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could explain a bit more what this change is about and respect the 80 cols limit as well. Maybe:
- Ability to hide Kong-specific response headers. Two new configuration fields:
`server_tokens` and `latency_tokens` will respectively toggle whether the `Server`
and `X-Kong-*-Latency` headers should be sent to downstream clients.
Also in general, there is no need to point to the configuration guide for new config fields, since the guide does not elaborate more on properties than the kong.conf.default
file,which already has a comment for each property.
@bungle @thibaultcha I don't see this mentioned in https://github.com/Mashape/kong/blob/master/CHANGELOG.md#unreleased - is it coming up soon? |
This is merged to next, and as such, is in the changelog of the next branch, and not the master one. |
Summary
Implementation of #1009, taking care of hiding Kong proxy headers using configuration properties.
Full changelog
Issues resolved
Fix #1009