It may not be the strongest security measure, but many administrators are not quite sure about HTTP headers like Server or X-Powered-By. There seems to be just one reason why this header has to be in a HTTP response: It makes life easier for a hacker. So why not just remove it? Or even fake a false server? In fakt there is no technical need for this headers. We have a NetScaler, the ultimate magic HTTP box, so let’s do it!
I use this as an example. One of my students sent a message asking me how to invoke policy labels.
Replacing server headers may not be the big security profit expected: every (real) hacker will be able to recognise your server, just by using it. But it is a good example for NetScaler policy labels.
There are at least 3 policies to create:
add rewrite action wr_act_del_X-Powered-By delete_http_header X-Powered-By
add rewrite policy wr_pol_del_X-Powered-By true wr_act_del_X-Powered-By
this will remove the X-Powered-By header.
add rewrite action rw_act_deleteServer delete_http_header Server
add rewrite policy rw_pol_deleteServer true rw_act_deleteServer
will delete the server header, and
add rewrite action rw_act_insert_server insert_http_header Server “\”whateverserveryoulike\””
add rewrite policy rw_pol_insertServer true rw_act_insert_server
will insert the fake header. (I did not take screen shots of all of them as this is very similar to X-Powered-By). Of course we may fake some more headers if we like. I just reduce to this 3 headers to keep things simple.
We than have to bind this policies globally to all our HTTP load balancers on our NetScaler. I’m a lazy guy, so I prefer to avoid unnecessary work when ever possible. Policy labels may make work easier and faster, so I started to love them!
There is just one draw back about policy labels: you have to invoke them using a policy. There is no chance to invoke them in any other way. so I create a dummy policy:
add rewrite policy rw_pol_dummy true NOREWRITE
This policy will get used to invoke my NetScaler policy label.
So my next one will be creating the policy label.
add rewrite policylabel rw_label_serverinfo http_res
bind rewrite policylabel rw_label_serverinfo rw_pol_deleteServer 100 NEXT
bind rewrite policylabel rw_label_serverinfo wr_pol_del_X-Powered-By 110 NEXT
bind rewrite policylabel rw_label_serverinfo rw_pol_insertServer 120 NEXT
Don’t forge these NEXT. Next will invoke the next following policy. Failing to do so will result in only the 1st policy being executed, the rest skipped!
And, last not least, we have to invoke this policy label.
bind rewrite global rw_pol_dummy 100 NEXT -type RES_DEFAULT -invoke policylabel rw_label_serverinfo
I hope this helps. And maybe you’ll very soon share my love for policy labels 🙂
Pretty nice how policy labels can represent a group of policies. Is there a way to bind a rewrite policy label like this with a content switch vIP instead of the global policy?
I never ever bind policies globally. Just create a policy doing nothing, expression would be true, bind it to your vServer and invoke the policy label during binding. Easy like that 😉
Ok so pardon my newbie question, but what does the global keyword in this command signify?
“bind rewrite global rw_pol_dummy 100 NEXT -type RES_DEFAULT -invoke policylabel rw_label_serverinfo”