reverse_proxy leads to duplicate Server headers #6275
Comments
This is working as intended. This behaviour makes it a really useful debugging tool to determine how the request was routed. If you want to drop the Server header, you can just do
That was initially intentional, but RFC 9110 didn't exist at the time either. We can probably update our behavior now that RFC 9110 clearly states that origin servers generate this header, not proxies. It is extremely useful for simple debugging/tracing, but that can also be done with something like
Oh, Francis beat me to it. (Dang GitHub not telling me there's a reply while I'm typing.) I'm going to reopen this until we fix it.
Nginx's opinion is that a reverse proxy (not "proxy", as in forward) is an origin, and therefore generates its own Server header. In fact, Nginx's default behaviour is to ignore upstream's
That's true, but also antiquated. RFC 9110 conveniently defines origin servers (as opposed to intermediates) for us: https://www.rfc-editor.org/rfc/rfc9110.html#name-origin-server
Now, I'm one to be quick to want to comply with the standard. So is Francis. So Francis and I discussed this in Slack, and I actually find his arguments quite compelling.
While I definitely don't want to cause breakage, I can see both sides of the argument here. The RFC does seem to say that there should only be 1 Server header, but distinguishing comma-separated lists from space-separated lists seems silly in this context. It also seems that a reverse proxy is, in itself, an origin, even before considering the de-facto standard behavior today. The presence of our Server header is also extremely useful in helping people. Is the current behavior causing some sort of problem?
When using Caddy’s reverse_proxy in front of a server that sets a Server header, Caddy prepends its own Server header rather than replacing it, leading to duplicate Server headers. This violates RFC 9110 §5.3:
as Server is not defined as comma-separated.
Caddyfile for self-contained reproduction:
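Added example (not part of the issue, not the reporter's Caddyfile, and not Caddy project code): a small check that flags the condition reported here, a non-list field such as Server arriving as more than one field line. The sample responses, the upstream product name and the SINGLETON_FIELDS subset are constructed for illustration.

```python
"""Flag repeated non-list header fields (e.g. Server) in a raw HTTP response head."""

# Fields whose RFC 9110 grammar is not a comma-separated list, so separate
# field lines cannot be recombined. Illustrative subset chosen for this example.
SINGLETON_FIELDS = {"server", "content-length", "content-type", "date", "location"}

# Constructed sample: a response head as seen through a reverse proxy that
# puts its own Server line in front of the upstream's. Values are made up.
SAMPLE_DUPLICATE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Caddy\r\n"
    b"Server: ExampleUpstream/1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Vary: Origin\r\n"
    b"\r\n"
)
# Constructed sample: one Server line holding a product and a comment.
SAMPLE_CLEAN = b"HTTP/1.1 200 OK\r\nServer: ExampleUpstream/1.0 (demo build)\r\n\r\n"


def field_lines(raw_head: bytes) -> dict[str, list[str]]:
    """Return every field line value, grouped by lower-cased field name, in order."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    fields: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Reject lines without a colon or with whitespace around the name.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed field line: {line!r}")
        fields.setdefault(name.lower(), []).append(value.strip())
    return fields


def repeated_singletons(raw_head: bytes) -> dict[str, list[str]]:
    """Return the non-list fields that appear as more than one field line."""
    return {
        name: values
        for name, values in field_lines(raw_head).items()
        if name in SINGLETON_FIELDS and len(values) > 1
    }


if __name__ == "__main__":
    for label, sample in (("duplicate", SAMPLE_DUPLICATE), ("clean", SAMPLE_CLEAN)):
        print(label, repeated_singletons(sample))
```

Vary is repeated in the first sample but is not flagged, because it is a list-based field whose lines can be recombined with commas.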