Note: Regardless of the type of virtual server supplied by default for a TKGI cluster with NSX-T i.e.
http or
https_terminated, the instructions below will be sufficient to address the security concern explained previously. We have tested this with NSX-T v2.5.1.0 and v2.5.2.2.
As an overview, the solution from the following instructions lists out how to add an LB rule to a virtual server by allowing the admin user to overwrite the configurations of a virtual server. The
overwrite piece is significant because, from the NSX-T Manager UI, it is not possible to add an LB rule as the UI operations do not pass the
"X-Allow-Overwrite: true" header that is required to be able to perform an overwrite operation.
The LB rule will modify the HTTP response headers so that if the
key name matches
"Server" and has a
value of
"NSX LB", then the LB will remove the header before sending out the response
Procedure
- Get the virtual server details (HTTP or HTTPS Terminated Layer 7). Make a copy of the output of the following command:
curl -v -k -u 'admin:<password>' -H "Content-Type:application/json" -X GET "https://<nsx-manager-vip-or-url>/api/v1/loadbalancer/virtual-servers/<id-of-virtual-server>"
Where
<id-of-virtual-server> - is the ID of the virtual server (Layer 7 HTTP or HTTPS Terminated).
- Create the JSON object with a rule to remove the HTTP response header (filename - update_virtual_server_with_lb_rule.json).
- Use the output obtained from the previous command to gather the old configurations - this is imperative because we do not want to change the old configurations as that might create unseen complications
- The following is an example of how the final JSON file will look before running the next command (some details will differ based on your environment).
- Note: The rules array is something that we will need to add to make sure that the virtual server has the rule to remove the HTTP Response Header named Server.
{
"virtual_server":{
"enabled":true,
"access_log_enabled":false,
"ip_address":"10.213.66.211",
"port":"80",
"ports":[
"80"
],
"ip_protocol":"TCP",
"application_profile_id":"4d1ff5e7-e16e-4d9b-874f-08ac26f7bae7",
"rule_ids":[
"f6ccd8eb-ac7c-436d-833a-078eeabd84b8"
],
"resource_type":"LbVirtualServer",
"id":"bbc5895c-137e-4256-b70e-21ad240c0681",
"display_name":"pks-e6ca470a-c159-4287-a080-b22fccf7550e-http",
"tags":[
{
"scope":"ncp/version",
"tag":"1.2.0"
},
{
"scope":"ncp/cluster",
"tag":"pks-e6ca470a-c159-4287-a080-b22fccf7550e"
},
{
"scope":"ncp/lb_vs_type",
"tag":"http"
},
{
"scope":"external_id",
"tag":"f34320e6-12e9-5b7e-b45f-712c04f45e4d"
},
{
"scope":"ext_pool_id",
"tag":"43980caa-e48b-4020-af64-bce402d96dd7"
}
],
"_create_user":"pks-e6ca470a-c159-4287-a080-b22fccf7550e",
"_create_time":1617732165309,
"_last_modified_user":"pks-e6ca470a-c159-4287-a080-b22fccf7550e",
"_last_modified_time":1617749072607,
"_system_owned":false,
"_protection":"REQUIRE_OVERRIDE",
"_revision":1
},
"rules":[
{
"resource_type":"LbRule",
"display_name":"HTTPResponseHeaderRemove",
"description":"Rule to remove HTTP response header Server",
"match_conditions":[
{
"type":"LbHttpResponseHeaderCondition",
"header_name":"Server",
"header_value":"NSX LB"
}
],
"match_strategy":"ALL",
"phase":"HTTP_RESPONSE_REWRITE",
"actions":[
{
"type":"LbHttpResponseHeaderDeleteAction",
"header_name":"Server"
}
]
}
]
}
- Update a load balancer virtual server with rules. This is the command that utilizes the file and its contents from the previous steps to update the virtual server:
curl -v -k -u 'admin:<password>' -H "Content-Type:application/json" -H "X-Allow-Overwrite: true" -X PUT "https://<nsx-manager-vip-or-url>/api/v1/loadbalancer/virtual-servers/<virtual-server-id>?action=update_with_rules" -d @update_virtual_server_with_lb_rule.json
- After the commands from the last step complete, you can verify in the NSX-T manager UI that the rule is present on the virtual server:
- After this, you can test Ingress using the Chrome developer tools to verify that the "Server" HTTP response header is no longer shown. Here is an example: