I2P

Invisible Internet Project


Ticket #452 (closed enhancement: no response)

Opened 2 years ago

Last modified 5 weeks ago

http headers not filtered (server x-powered-by etc)

Reported by: dream
Owned by: dream
Priority: minor
Milestone: 0.9
Component: apps/i2ptunnel
Version: 0.8.4
Keywords:
Cc:

Description

The i2ptunnel http server tunnel should have a whitelist of headers it lets through. Among other things, you have to custom patch Apache not to send a "Server: apache" header.

Change History

Changed 2 years ago by zzz

  • priority changed from major to minor
  • type changed from defect to enhancement
  • component changed from unspecified to apps/i2ptunnel
  • milestone changed from 0.8.5 to 0.8.6

"Server" is filtered since 0.8.3. In fact it's code related to that change that is causing the trac login problems (ticket #396)

As discussed elsewhere (zzz.i2p, or on forum.i2p threads related to irongeek's talk iirc) it's hard to anonymize a server with filtering. Error pages, for example, often contain detailed version info.

I was initially against filtering 'Server' as I thought it didn't do much. But Mathias convinced me that it was easy and we might as well do something. Since we are still having login problems I guess it wasn't so easy.

I don't think we can do it with a whitelist, it would break too much. But extending the blacklist to include a couple others like x-powered-by might be good... once we fix the trac login problem!
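An added example, not part of the ticket and not I2P's code: a response-header filter run in both modes discussed above, a blocklist of `Server` and `X-Powered-By` next to a strict allowlist. The function names, the allowlist contents and the sample headers are assumptions constructed for illustration.

```python
# Added example: response-header filtering for an HTTP server tunnel.
# Names and both lists are assumptions for illustration, not I2P's code.
BLOCKLIST = {"server", "x-powered-by"}  # the headers named in the ticket
ALLOWLIST = {"content-type", "content-length", "date"}  # hypothetical strict list


def parse_headers(raw: bytes):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    pairs = []
    for line in raw.split(b"\r\n"):
        if not line:
            break  # blank line ends the header block
        if line[:1] in (b" ", b"\t") and pairs:
            # Folded continuation line: append it to the previous header's value.
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed line with no colon: drop it
        pairs.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return pairs


def filter_blocklist(pairs, blocked=BLOCKLIST):
    """Drop only the named headers; header names compare case-insensitively."""
    return [(n, v) for n, v in pairs if n.lower() not in blocked]


def filter_allowlist(pairs, allowed=ALLOWLIST):
    """Keep only the named headers; everything unknown is dropped."""
    return [(n, v) for n, v in pairs if n.lower() in allowed]


# Constructed sample response headers (not captured from a real server).
SAMPLE = (
    b"Content-Type: text/html\r\n"
    b"SERVER: ExampleHTTPd/1.0\r\n"
    b"\t(ExampleOS)\r\n"
    b"X-Powered-By: ExampleLang/1.0\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Location: /login\r\n"
)


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE)
    print("blocklist:", filter_blocklist(parsed))
    print("allowlist:", filter_allowlist(parsed))
```

On the sample, the blocklist removes the two identifying headers and leaves `Set-Cookie` and `Location` intact, while the allowlist also drops those two because they are not on its list. Neither mode touches the response body, which is where the error-page version strings mentioned above would still appear.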

Changed 21 months ago by zzz

  • milestone changed from 0.8.6 to 0.9

Trac login problem was fixed a couple releases ago. Server: is now filtered. Would you please make a list of all other headers that you propose to filter?

Changed 18 months ago by zzz

  • owner set to dream
  • status changed from new to assigned

reassigning to dream for a response

Changed 5 weeks ago by zzz

  • status changed from assigned to closed
  • resolution set to no response