Remove response Server header on Azure Web App from the first redirect request to HTTPS


Problem description

I'm trying to remove the response Server header from an Azure Web App (with an ASP.NET Core application).

After many tries of changing the web.config and removing the header in app code using a middleware, Microsoft doesn't give up and sets the response header to Server: Microsoft-IIS/10.0 :)

The problem appears only when I'm trying to access the server on http (not https). The response code from the server is 301, and this is the only response that has the Server header.

Checking the logs, I was not able to find any request to http://, and perhaps this is why I'm not able to remove the header, because the request is not processed in my application code.

A solution that I'm thinking of is to disable the Azure HTTPS Only option and do the redirect to https in my code (I tested it and it is working - the Server header is removed).

Is there another solution that does not require disabling the HTTPS Only option?

Here is what I tried:

Startup.cs

    public void Configure(IApplicationBuilder app)
    {
        // Middleware that sets an empty Server header on responses handled by the app.
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("server", string.Empty);
            await next();
        });
        app.UseHttpsRedirection();
    }

web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <httpRuntime enableVersionHeader="false" />
        <!-- Removes ASP.NET version header.  -->
    </system.web>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Server" />
                <remove name="X-Powered-By" />
            </customHeaders>
            <redirectHeaders>
                <clear />
            </redirectHeaders>      
        </httpProtocol>
        <security>
            <requestFiltering removeServerHeader="true" />
            <!-- Removes Server header in IIS10 or later and also in Azure Web Apps -->
        </security>
        <rewrite>  
            <outboundRules>
                <rule name="Change Server Header"> <!-- if you're not removing it completely -->
                  <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="Unknown" />
                </rule>
            </outboundRules> 
        </rewrite>      

    </system.webServer>
</configuration>

Recommended answer

Update

When the URL of http:// is requested, IIS will process it, this time without code. So we can't control it by the code; we can only set it on the server, such as with some scripts or tools. But on Azure, we have no way to directly operate it as a physical server, so after exploration, I suggest that Front Door can be used to deal with this problem. Hiding server information through a proxy should be a better way.

After my test, the server information is hidden; you can refer to this document. We can see from the picture that there is no 301 redirect request, and no server information in other requests.

Important

You need to modify the Global.asax.cs and Web.config files in your program.

In Global.asax.cs:

 public class MvcApplication : System.Web.HttpApplication
 {
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
        MvcHandler.DisableMvcResponseHeader = true;
        PreSendRequestHeaders += Application_PreSendRequestHeaders;
    }

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        //HttpContext.Current.Response.Headers.Remove("Server");
        HttpContext.Current.Response.Headers.Set("Server","N/A");
    }
 }

And in Web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" >
  </modules>  
  <httpProtocol>
    <customHeaders>
       <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Then you can deploy your app. After the above code modification, accessing the interface or static resources shows that the server information is modified; of course, it can also be deleted with Remove.

You can also handle special events by HTTP status code.

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
     //HttpContext.Current.Response.Headers.Remove("Server");
     int StatusCode= HttpContext.Current.Response.StatusCode;
     // handle like http status code 301 
     HttpContext.Current.Response.Headers.Set("Server","N/A");
}
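A check for the symptom described in the question, as an added example that is not part of the original question or answer: it walks the redirect chain one hop at a time and lists identity headers on each response, so the 301 issued before the application code runs is inspected separately from the HTTPS responses. The host `app.example.test` and the sample responses are constructed, and `fetch_hop`, `audit_chain` and `sample_fetch` are names chosen for this example.

```python
import http.client
from urllib.parse import urlsplit, urljoin

# Response headers that disclose server or framework identity.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def fetch_hop(url, timeout=10):
    """Send one HEAD request without following redirects; return (status, headers)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit_chain(start_url, fetch=fetch_hop, max_hops=5):
    """Follow redirects manually and record disclosure headers on every hop."""
    findings, url = [], start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        # An empty header value is not counted as a disclosure.
        leaked = {h: headers[h] for h in DISCLOSURE_HEADERS if headers.get(h)}
        findings.append({"url": url, "status": status, "leaked": leaked})
        location = headers.get("location")
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return findings

# Constructed responses modelling the question: only the HTTP 301 carries Server.
SAMPLE = {
    "http://app.example.test/": (301, {"location": "https://app.example.test/",
                                       "server": "Microsoft-IIS/10.0"}),
    "https://app.example.test/": (200, {"content-type": "text/html"}),
}

def sample_fetch(url):
    """Offline stand-in for fetch_hop that serves the constructed responses."""
    return SAMPLE[url]

if __name__ == "__main__":
    for hop in audit_chain("http://app.example.test/", fetch=sample_fetch):
        print(hop["status"], hop["url"], hop["leaked"] or "no disclosure headers")
```

Calling `audit_chain` with the default `fetch` against a deployed site's http:// URL runs the same check after each configuration change.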
