How to remove Server: awselb/2.0 Header ? | Answered

remove server awselb/2.0 header from ALB response

Hola experts !

Let’s come to the answer directly.

“Server: awselb/2.0” will always be set in the response when the response is generated directly by the ALB instead of the target. If the target is able to answer the request, the ELB passes through the actual server value, for example “Server: Apache/2.4.51”. That being said, it is currently not possible to remove this header from responses sent by the ALB itself.

AWS has heard from many of its customers about this and is working on getting that header removed from the ALB response, but there is no ETA as of now. Once there is a fix out, I will update the blog asap.

Is there any way or workaround to get the ‘awselb/2.0’ header removed?

Yes, there is a workaround which is pretty easy to implement: add a layer in front of the ALB.

If you add a reverse proxy in front of the ALB, a client request first goes through the proxy server, is then forwarded to the ALB and finally reaches the target. The response goes back to the ALB, where the ALB adds its headers and forwards it to the proxy server. You can then configure the proxy server to remove the Server response header before forwarding the response to the client. Please note that adding a proxy server may increase latency and also makes it a single point of failure.

You can simply use CloudFront in front of the ALB. Re-point your site URL to the CloudFront IP/FQDN (it was previously pointing to the ALB FQDN). You will now get ‘Server: CloudFront’ in the response instead of ‘awselb/2.0’.

Don’t worry about CloudFront adding its own header: it does not leak any information about the backend server, so it gives an attacker nothing they don’t already know, since they can already see that they are connecting to a CloudFront IP address 🙂

What if I want to set my own custom response header and don’t want the ‘cloudfront’ header?

No worries! You can use CloudFront together with Lambda@Edge, which can modify the response headers sent back to the client. CloudFront integrates with Lambda@Edge to customize the response headers returned to the client.

By default, CloudFront sends the response to the client with “Server” set to “CloudFront”, but this can be replaced or stripped using Lambda@Edge. When CloudFront receives an HTTP response from the origin server (the ALB in your case) and there is an origin-response trigger associated with the cache behavior, you can modify the HTTP response returned from the origin before it is cached and sent to the client.

Steps to achieve it:

Create an Amazon CloudFront distribution:

  1. Open the CloudFront console.
  2. Choose “Create Distribution.”
  3. Select the Web distribution type.
  4. Configure the origin settings: set the ALB as the origin server, and configure the appropriate protocol and port for communication with the ALB.
  5. Configure additional settings as needed (such as caching behavior, security settings, etc.).
  6. Review and create the CloudFront distribution.

Once the CloudFront distribution is created, you can proceed to integrate it with Lambda@Edge to modify the ‘server’ response header:

  1. In the CloudFront console, go to the “Behaviors” tab of your CloudFront distribution.
  2. Select the behavior you want to modify the response header for.
  3. Under the “Lambda Function Associations” section, choose “Edit.”
  4. Choose “Viewer Response” from the “Lambda Function Associations” dropdown.
  5. Select “Deploy to Lambda@Edge” and choose the region where you want to deploy the Lambda function.
  6. Write the Lambda function code to modify the ‘server’ response header. You can use the event object to access and modify the response headers.
  7. Save and deploy the Lambda function.

A sample Lambda function is given below for your reference. Please feel free to modify it according to your use case.

exports.handler = async (event) => {
  // CloudFront passes the origin response in the event; header names are lowercase keys
  const response = event.Records[0].cf.response;
  // Replace the 'server' response header with a custom value
  response.headers['server'] = [{ key: 'Server', value: 'MyCustomServer' }];
  return response;
};

NOTE: Configure the function’s execution role with the appropriate permissions to access CloudFront resources.

Test the setup:

  • Wait for the CloudFront distribution and Lambda@Edge deployment to propagate (it may take some time).
  • Access your application using the CloudFront distribution URL.
  • Inspect the response headers; you should see the modified ‘server’ response header.

Please feel free to check out the official AWS documentation on:

AWS Lambda with CloudFront Lambda@Edge: https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html

Updating HTTP responses in origin response triggers: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-updating-http-responses.html

I hope you find this article helpful. If you run into any issue or have any other query, feel free to leave a comment and we will try to address it soon.

Cheers!
