Question

Given a system of services and a reverse proxy, such that requests may either be conclusively processed by the proxy or ultimately handled by any of the services behind the proxy.

Consideration has been given to the X-Forwarded-For, Forwarded, and X-Forwarded-Host fields. Though they appear naturally fitting for the request phase, would it be confusing to use them in the response phase?

What header field is conventionally used to declare the host that primarily provided an HTTP response?

-- The motivation for including information on proxied servers is to ease debugging and the application support process.

-- I don't believe an attacker benefits specially from learning that a service makes use of a reverse proxy. Proxied servers can be identified with aliases which cannot lead to direct access to them. In the image below, the proxied server has the alias 03.


A different implementation could use an alias as follows: X-Backend-Server: mickymouse. That's a pointless piece of information for anyone but its author.


Solution

I think what you want is the Via header. From the RFC:

The "Via" header field indicates the presence of intermediate protocols and recipients between the user agent and the server (on requests) or between the origin server and the client (on responses), similar to the "Received" header field in email.

Regarding security concerns, you should use pseudonyms for internal servers. From the RFC:

An intermediary used as a portal through a network firewall SHOULD NOT forward the names and ports of hosts within the firewall region unless it is explicitly enabled to do so. If not enabled, such an intermediary SHOULD replace each received-by host of any host behind the firewall by an appropriate pseudonym for that host.

Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

OTHER TIPS

What header field is conventionally used to declare the host that primarily provided an HTTP response?

None

A reverse proxy serves resources on behalf of some other server. Revealing any details about the origin server is almost universally unwanted behavior, and could be a potential security risk.

It would be confusing to use X-Forwarded-For, Forwarded, and X-Forwarded-Host headers since these are used with forward proxies.

If you want to identify the origin server handling a request for debugging purposes then you are free to use whatever header you like. A better option might be to set a cookie, similar to a session cookie inserted by load balancers, that you can disable when no longer needed.

Finding an authoritative source is difficult since there is no official standard for this, but I offer the following.

By intercepting requests headed for your backend servers, a reverse proxy server protects their identities and acts as an additional defense against security attacks.
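Putting the two answers together as an added example (this is not code from the question or from either answer): a reverse proxy that appends itself to Via on both requests and responses, rewrites any Via element naming a host behind the firewall to its pseudonym as RFC 7230 section 5.7.1 asks (name and port both replaced), and, only while a debug switch is on, adds the alias-only X-Backend-Server header the question mentions. The ".internal" suffix, the alias table and the host names are assumptions made for illustration.

```python
"""Via handling at a reverse proxy. Added example, not code from the
original question or answers. The ".internal" suffix, the PSEUDONYMS
table and all host names are constructed for illustration; the
X-Backend-Server header name is the one used in the question.
"""
import re
from typing import Dict, List, Optional

INTERNAL_SUFFIX = ".internal"          # assumption: hosts behind the firewall end with this
PSEUDONYMS: Dict[str, str] = {         # constructed alias table (the "03" alias from the question)
    "app-03.internal": "03",
    "app-04.internal": "04",
}

# Via = 1#( received-protocol RWS received-by [ RWS comment ] )   (RFC 7230 5.7.1)
VIA_ELEMENT = re.compile(r"(\S+)\s+(\S+)(\s+\(.*\))?$", re.S)


def split_list_header(value: str) -> List[str]:
    """Split a comma-separated list header, ignoring commas inside (comments)."""
    parts, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def host_of(received_by: str) -> str:
    """Drop an optional :port (bracketed IPv6 literals are not handled here)."""
    return received_by.rsplit(":", 1)[0]


def is_behind_firewall(received_by: str) -> bool:
    host = host_of(received_by)
    return host.endswith(INTERNAL_SUFFIX) or host in PSEUDONYMS


def pseudonym_for(received_by: str) -> str:
    """Alias for an internal host; unknown internal hosts collapse to one generic name."""
    return PSEUDONYMS.get(host_of(received_by), "backend")


def sanitize_via(value: str) -> str:
    """Replace each received-by host behind the firewall with its pseudonym."""
    out = []
    for elem in split_list_header(value):
        m = VIA_ELEMENT.match(elem)
        if not m:
            out.append(elem)          # leave an element we cannot parse untouched
            continue
        proto, by, comment = m.group(1), m.group(2), m.group(3) or ""
        if is_behind_firewall(by):
            by = pseudonym_for(by)    # name and port are both replaced
        out.append(f"{proto} {by}{comment}")
    return ", ".join(out)


def via_element(received_by: str, protocol_version: str = "1.1",
                comment: Optional[str] = None) -> str:
    elem = f"{protocol_version} {received_by}"
    return f"{elem} ({comment})" if comment else elem


def proxy_request_headers(client_headers: Dict[str, str], proxy_name: str) -> Dict[str, str]:
    """Request phase: append this proxy to Via before forwarding upstream."""
    headers = dict(client_headers)
    elems = split_list_header(headers["Via"]) if "Via" in headers else []
    elems.append(via_element(proxy_name))
    headers["Via"] = ", ".join(elems)
    return headers


def proxy_response_headers(upstream_headers: Dict[str, str], upstream_host: str,
                           proxy_name: str, debug: bool = False) -> Dict[str, str]:
    """Response phase: sanitize any Via from inside the firewall, append ourselves,
    and expose the backend alias only while debugging is switched on."""
    headers = dict(upstream_headers)
    elems = split_list_header(sanitize_via(headers["Via"])) if "Via" in headers else []
    elems.append(via_element(proxy_name))
    headers["Via"] = ", ".join(elems)
    if debug:
        headers["X-Backend-Server"] = pseudonym_for(upstream_host)
    return headers
```

Note what Via does and does not tell the client: received-by names the recipient that forwarded the message, so on a response it lists the proxies that relayed it, not the origin that produced it. That is why the backend alias goes in a separate, switchable header here.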

Licensed under: CC-BY-SA with attribution