Remove or Replace Server Header in Swoole WebSocket Response - security

I have created a Swoole WebSocket server using the example given on the official OpenSwoole website:
https://openswoole.com/docs/modules/swoole-websocket-server#quick-start-example
The response header returned by the server to the client contains the Server: OpenSwoole 4.11.1 entry.
Connection: Upgrade
Sec-WebSocket-Accept: mABCD0joUS/Z/yPYqrqfa3+I2sT=
Sec-WebSocket-Version: 13
Server: OpenSwoole 4.11.1
Upgrade: websocket
Could we remove this server header line completely or replace it with a fake name like Server: XYZ?

Related

Docker + Nginx: Websocket returns 404 not found

I'm struggling on implementing a websocket connection between a SSL Server and the client.
Architecture:
Proxy: Nginx
Host: Docker (Swarm)
Webserver: Node.js (express)
Client (Postman, later vue.js)
Nginx settings (app.conf):
server {
listen 443;
listen [::]:443;
client_max_body_size 100M;
server_name search.app search.app.host.ads;
location / {
proxy_pass http://search-service:3020; # docker container
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
search-server (server.js)
async function startServer() {
// variable definition
server = express();
// set http server
let httpServer = http.createServer(server);
// init loaders -> websocket is defined here
loaders(server, httpServer);
}
search-service (websocket.js) (how is the websocket created?)
let wsSearch = new websocket.Server({ server: httpServer, path: "/socket/websocketSearch" });
The websocket is working properly on localhost using this url
ws://localhost:3020/socket/websocketSearch
After deploying on production site, the url will be
wss://search.app.host.ads/socket/websocketSearch
Trying to connect to production websocket using Postman returns following error:
Error: Unexpected server response: 404
Handshake Details
Request URL: https://search.app.host.ads/socket/websocketSearch
Request Method: GET
Status Code: 404 Not Found
Request Headers
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: gzRuxZ2QYTOladlXSenjmw==
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Host: search.app.host.ads
Response Headers
Server: nginx/1.19.4
Date: Tue, 03 Aug 2021 13:07:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 161
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: "nosniff"
Which package do I use to implement websocket?
WS Version 7.5.3
I've followed several instructions like Nginx or related StackOverflow issues. However, I didn't manage to connect to my websocket.
Do you have any idea, where is my fault?
Thanks in advance.
If any further information is needed, I try to provide it.
Best regards

Tcp request failed with status 400 in Elastic Beanstalk Node Server with Nginx Proxy Server?

> 14.195.188.230 - - [18/Mar/2017:16:43:11 +0000] "(004026579154BP05000004026579154111213V0000.0000N00000.0000E000.0000000000.0010000000L0000021C)" 400 173 "-" "-" "-"
This is the error message that i received
HTTP/1.1 400 Bad Request
Server: nginx/1.10.1
Date: Sun, 19 Mar 2017 02:19:35 GMT
Content-Type: text/html
Content-Length: 173
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.1</center>
</body>
</html>
This is the log that i can see in my nginx access log, I need this data in my node server.
(004026579154BP05000004026579154111213V0000.0000N00000.0000E000.0000000000.0010000000L0000021C)
1) I am using elastic Beanstalk, i don't know how can i pass the above value to my node server module? If its possible to get that value as http or https request inside my node express module.
2) If i have to run a net server, than in which port should i listen for tcp, and how nginx will know about that port, for http server port, i use process.env.port

Remove request from nginx error logs

How can we remove request url being logged in nginx error logs. For example it looks something like:
2015/09/01 15:26:03 [error] 30547#0: *208725 upstream prematurely closed connection while reading response header from upstream, client: 123.123.50.44, server: test.example.com, request: "GET /v1.3/status.json?...."
is it possible to drop request since it can have PII from the log(if present) so it looks something like:
2015/09/01 15:26:03 [error] 30547#0: *208725 upstream prematurely closed connection while reading response header from upstream, client: 123.123.50.44, server: test.example.com
I was able to configure access logs but couldn't find a way to customize error logs.
Edit:
Is there a way to stop logging only upstream errors?

cabal unable to handle redirect

I am trying to install cabal behind a firewall without success.
It seems that cabal does not support http redirect,
is there a way to fix it?
cabal update -v3
Downloading the latest package list from hackage.haskell.org
Sending:
GET http://hackage.haskell.org/packages/archive/00-index.tar.gz HTTP/1.1
User-Agent: cabal-install/1.20.0.2 (linux; x86_64)
Host: hackage.haskell.org
proxy uri host: proxy.swmed.edu, port: :3128
Creating new connection to proxy.swmed.edu:3128
Received:
HTTP/1.1 302 authenticationrequired
Via: 1.1 129.112.115.40 (McAfee Web Gateway 7.4.2.1.0.17593)
Date: Fri, 20 Jun 2014 17:00:56 GMT
Location:
https://m-proxy1.swmed.edu:10000/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Auth&ClientID=2152648114&ttl=43200&url=aHR0cDovL2hhY2thZ2UuaGFza2VsbC5vcmcvcGFja2FnZXMvYXJjaGl2ZS8wMC1pbmRleC50YXIuZ3o=&rnd=1403283656
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 3678
Proxy-Connection: Keep-Alive
302 - redirect
Warning: http error: Unable to handle redirect, unsupported scheme:
https://m-proxy1.swmed.edu:10000/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Auth&ClientID=2152648114&ttl=43200&url=aHR0cDovL2hhY2thZ2UuaGFza2VsbC5vcmcvcGFja2FnZXMvYXJjaGl2ZS8wMC1pbmRleC50YXIuZ3o=&rnd=1403283656
cabal: Failed to download
http://hackage.haskell.org/packages/archive/00-index.tar.gz : ErrorMisc "Error
HTTP code: 302"
(Update) Jun 23, 2014
Follow #Sibi suggestion, I pasted a similar experience using cntlm-0.92.3.
Here is my config config.ini:
Proxy proxy.swmed.edu:3128
Listen 127.0.0.1:53124
I first tried to use:
./cntlm -c config.ini
then the same error happens:
cabal update -v3
Downloading the latest package list from hackage.haskell.org
Sending:
GET http://hackage.haskell.org/packages/archive/00-index.tar.gz HTTP/1.1
User-Agent: cabal-install/1.20.0.2 (linux; x86_64)
Host: hackage.haskell.org
proxy uri host: 127.0.0.1, port: :53124
Creating new connection to 127.0.0.1:53124
Received:
HTTP/1.1 302 authenticationrequired
Via: 1.1 129.112.115.43 (McAfee Web Gateway 7.4.2.1.0.17593)
Date: Mon, 23 Jun 2014 05:34:18 GMT
Location:
https://m-proxy4.swmed.edu:10000/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Auth&ClientID=1513153200&ttl=43200&url=aHR0cDovL2hhY2thZ2UuaGFza2VsbC5vcmcvcGFja2FnZXMvYXJjaGl2ZS8wMC1pbmRleC50YXIuZ3o=&rnd=1403501658
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 3678
Proxy-Connection: Keep-Alive
Connection: close
302 - redirect
Warning: http error: Unable to handle redirect, unsupported scheme:
https://m-proxy4.swmed.edu:10000/mwg-internal/de5fs23hu73ds/plugin?target=Auth&reason=Auth&ClientID=1513153200&ttl=43200&url=aHR0cDovL2hhY2thZ2UuaGFza2VsbC5vcmcvcGFja2FnZXMvYXJjaGl2ZS8wMC1pbmRleC50YXIuZ3o=&rnd=1403501658
cabal: Failed to download
http://hackage.haskell.org/packages/archive/00-index.tar.gz : ErrorMisc "Error
HTTP code: 302"
NOTE: this question is not the same as authentication, as our proxy server does not need to be authenticated. This question is about http redirect problem.
(Update) June 23, 2014
Run the following command as #Sibi suggested:
./cntlm -M http://www.google.com -c config.ini -v
And the output can be found at http://pastebin.com/zAvZBDVu
Reading the logs, we see the proxy was via https not http, and the error was "unsupported scheme" since cabal prior to recent versions did not handle https. Https transports have been added to cabal in the most recent versions, so the issue should now be resolved.

HTTP request using telnet not getting any response

We are using the telnet mechanism to send http request to server and get the response.
We noticed a strange thing when using the telnet for sending the HTTP GET request.
The first method is working in most of the environments but it's not working in one of the environment. But The second method(instead of relative path, use the complete path) is working fine in this environment.
**
Method1:
**
(printf "GET /test.jsp HTTP/1.0\nAccept: */*\nUser-Agent: WatchDog\n\n"; sleep 9) | telnet xx.xx.xx.xx 8093
Trying xx.xxx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
Connection closed by foreign host.
**
Method2:
**
(printf "GET http://xx.xx.xx.xx:8093/test.jsp HTTP/1.0\nAccept: */*\nUser-Agent: WatchDog\n\n"; sleep 9) | telnet xx.xx.xx.xx 8093
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=91643475E80038EA8770CE6803EE320C; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: zh-US
Content-Length: 42
Date: Mon, 03 Dec 2012 04:25:09 GMT
Connection: close
The Server is Running
Connection closed by foreign host.
Why the method1 is not running in only one environment? do we need to check some thing in that environment?
Pls give your suggestions...
Thanks,
Sekhar
HTTP/1.0 (RFC 1945) specifies the line ending to be CR LF. Some servers may apply this rule over strictly. Try with sending the request with \r\n as line endings. Sending absolute URIs is also reserved for use by proxies (section 5.1.2 of RFC 1945).
If varying line endings and URI style doesn't help you'll have to look at the servers configuration/implementation, as I can not see anything wrong with method 1.
Apart from the line endings which must be \r\n and your accept header which should be */* instead of /, your first request doesn't have a host name.
An HTTP 1.1 server may deny HTTP requests that do not have a host set, either in the absolute request-URI or in a Host-header.

Resources