If you want to hide a header returned by a junctioned server, you can remove it with an HTTP Transformation rule.
The steps for creating an HTTP Transformation rule are fairly well documented here:
http://www-01.ibm.com/support/knowledgecenter/SSPREK_8.0.0.4/com.ibm.isamw.doc_8.0.0.4/wrp_config/concept/con_http_transforms.html?lang=en
On the appliance, you either create the XSL HTTP Transformation rule locally and upload it, or you edit it on the box.
What the documentation lacks is more examples, so I’ve posted one here that removes the “X-Powered-By” header from the response.
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

  <!-- Firstly, strip any space elements -->
  <xsl:strip-space elements="*" />

  <!-- Perform a match on the root of the document. Output the required
       HTTPResponseChange elements and then process templates. -->
  <xsl:template match="/">
    <HTTPResponseChange>
      <xsl:apply-templates />
    </HTTPResponseChange>
  </xsl:template>

  <!-- Match on the Headers. Remove the x-powered-by header if it exists. -->
  <xsl:template match="//HTTPResponse/Headers">
    <xsl:choose>
      <xsl:when test="Header/@name='x-powered-by'">
        <Header action="remove" name="x-powered-by">
          <xsl:value-of select="node()" />
        </Header>
      </xsl:when>
    </xsl:choose>
  </xsl:template>

</xsl:stylesheet>
Once the rule is uploaded to the server, deploy the changes; you can then make the transformation rule available to the WebSEAL instance.
Edit the WebSEAL configuration file under the [http-transformations] stanza:
[http-transformations]
# The http-transformations stanza is used to house configuration information
# which is necessary for the support of WebSEAL HTTP transformations.
# WebSEAL HTTP transformations are used to modify HTTP requests and
# HTTP responses (excluding the HTTP body) using XSLT.
# To enable the HTTP transformations for a particular object a POP should
# be attached to the appropriate part of the object space. This POP
# should contain an extended attribute(s) with name of 'HTTPTransformation'
# and a value of 'Request=<resource-name>' and/or 'Response=<resource-name>'.
#
# HTTP transformation resources can be defined by specifying the resource name
# and the path to the resource file.
#
# Format is:
#<resource-name> = <path-to-resource-xsl-file>
# The following files are currently available for this configuration entry:
# If you have deployed your XSL correctly it should be listed here
# - another.xsl
removeheader = another.xsl
The resource removeheader is now available for our HTTP transformation POP.
Create a new POP with an extended attribute “HTTPTransformation” and the value “Response=removeheader”, and attach it to the desired object in the object space.
(Note: the attribute value is case sensitive here: “Response” works, “response” does not.)
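As an added example (not from the post and not part of ISAM), here is a small offline check for the two things that most often go wrong in the steps above: the POP value must start with exactly Request or Response, and the resource name after the “=” must be defined in the [http-transformations] stanza. The stanza text and the POP values are constructed samples modelled on the post; the POP values are assumed to have been copied from `pdadmin pop show`.

```python
import configparser
import re

# Constructed sample of the [http-transformations] stanza from webseald.conf,
# modelled on the one shown in the post (not a real appliance file).
WEBSEALD_CONF = """\
[http-transformations]
# <resource-name> = <path-to-resource-xsl-file>
# The following files are currently available for this configuration entry:
# - another.xsl
removeheader = another.xsl
"""

# Constructed HTTPTransformation values for three POPs, as they would be
# shown by "pdadmin pop show <pop> attribute HTTPTransformation".
POP_ATTRIBUTES = {
    "pop_first": ["Response=removeheader"],     # correct
    "pop_second": ["response=removeheader"],    # wrong case: silently ignored
    "pop_third": ["Request=removeheader", "Response=unknown"],  # unknown resource
}

VALID_DIRECTIONS = ("Request", "Response")
ATTR_RE = re.compile(r"^(?P<kind>[^=]+)=(?P<resource>.+)$")


def configured_resources(conf_text):
    """Return the resource names defined in the [http-transformations] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the resource names' case
    parser.read_string(conf_text)
    return set(parser["http-transformations"].keys())


def check_pop(pop_name, values, resources):
    """Return a list of problems found in one POP's HTTPTransformation values."""
    problems = []
    for value in values:
        m = ATTR_RE.match(value)
        if not m:
            problems.append(f"{pop_name}: '{value}' is not Request=<name> or Response=<name>")
            continue
        kind, resource = m.group("kind"), m.group("resource")
        if kind not in VALID_DIRECTIONS:
            hint = f" (case matters: use '{kind.capitalize()}')" if kind.lower() in ("request", "response") else ""
            problems.append(f"{pop_name}: unknown direction '{kind}'{hint}")
        if resource not in resources:
            problems.append(f"{pop_name}: resource '{resource}' is not defined in [http-transformations]")
    return problems


def audit(conf_text, pops):
    """Check every POP against the stanza; returns {pop_name: [problems]}."""
    resources = configured_resources(conf_text)
    return {name: check_pop(name, vals, resources) for name, vals in pops.items()}
```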
XSL is not always the simplest thing to troubleshoot, so I recommend watching the WebSEAL message log, which reports rule validation and transformation errors, for example:
2014-06-30-17:38:19.907+10:00I----- 0x38B9A4B4 webseald ERROR wns httperrs XMLHTTPMessage.cpp 379 0x7f645216f700 -- DPWNS1204E The XML element Header was missing from the document generated by a HTTP transformation operation.
2014-06-30-17:43:12.772+10:00I----- 0x1005B3B5 webseald ERROR acl authzn HTTPTransformationRule.cpp 83 0x7f77fe301720 -- HPDAC0949E Validation of the rule text for rule object "/var/pdweb/shared/xslt/http-transformation/another.xsl" failed. Error code 0xffffffff was returned along with error message "XSLT Error: Element 'xsl:when' not parented by 'xsl:choose'. (/var/pdweb/shared/xslt/http-transformation/another.xsl, line 59, column 50.)--"
Additional logging is available by enabling trace on the pdweb.http.transformation component:
server task <instance> trace set pdweb.http.transformation 9 file path=trace.log
Are you looking to suppress the “Server” header too? WebSEAL can do this easily with configuration; see the following WebSEAL configuration options:
#----------------------
# SUPPRESSING SERVER IDENTITY
#----------------------
# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
suppress-server-identity = yes
# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = yes
Great and helpful article.
Please add that in the POP one has to be careful about the case-sensitive feature! 😦
These two are not the same, that is, the second doesn’t work and shows nothing in the logs (or trace):
pdadmin sec_master> pop show pop_first attribute HTTPTransformation
HTTPTransformation
Response=my_transform
pdadmin sec_master> pop show pop_second attribute HTTPTransformation
HTTPTransformation
response=my_transform
Thanks again for your article(s).