Removing 'server: istio-envoy' Header from Istio Responses

This document (000021891) is provided subject to the disclaimer at the end of this document.

Environment

  • SUSE Rancher 2.x
  • RKE2
  • Rancher-istio application

Situation

When a web application is routed through Istio, its HTTP responses may include the header "server: istio-envoy". Security or compliance teams may flag this header during audits.

Resolution

To remove the server header from the HTTP responses, apply the following EnvoyFilter configuration on the affected cluster:

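apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ef-removeserver
  # In Istio's root namespace (istio-system by default) and with no
  # workloadSelector, this filter applies to every proxy in the mesh.
  namespace: istio-system
spec:
  configPatches:
  # Patch 1: stop the HTTP connection manager from writing its own server header.
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          # PASS_THROUGH: leave the upstream's server header as-is and add none if absent.
          server_header_transformation: PASS_THROUGH
  # Patch 2: strip any server header (for example one set by the application) from responses.
  - applyTo: ROUTE_CONFIGURATION
    patch:
      operation: MERGE
      value:
        response_headers_to_remove:
        - "server"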
  • Ensure this filter is applied in the istio-system namespace or in the namespace where your ingress gateway is running, depending on your specific deployment setup.
  • This solution uses an EnvoyFilter to remove the server header. The approach is based on community guidance shared in the following GitHub issue: GitHub Issue #13861 - Remove Server Header
  • The configuration uses server_header_transformation: PASS_THROUGH to avoid setting the default istio-envoy value, and explicitly removes the server header from response headers.
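
One way to confirm the result after applying the filter is to inspect the response headers. The script below is an added example, not part of the original SUSE article; the function names are hypothetical, the sample responses are constructed, and app.example.com is a placeholder hostname.

```shell
#!/bin/sh
# server_headers: read raw HTTP response headers (as printed by `curl -sI`)
# on stdin and print the value of every Server header found, one per line.
# Handles CRLF line endings, any header-name case (HTTP/2 lowercases names),
# several header blocks in one stream (e.g. `curl -sIL` across redirects),
# and does not confuse look-alike names such as Server-Timing.
server_headers() {
  tr -d '\r' | awk '
    {
      i = index($0, ":")
      if (i > 1 && tolower(substr($0, 1, i - 1)) == "server") {
        v = substr($0, i + 1)
        sub(/^[ \t]+/, "", v)
        if (v == "") v = "(empty)"   # an empty Server header still counts
        print v
      }
    }'
}

# check_no_server_header: return 0 only if no Server header is present.
check_no_server_header() {
  found=$(server_headers)
  if [ -n "$found" ]; then
    printf 'FAIL: server header still present: %s\n' "$found" >&2
    return 1
  fi
  echo "OK: no server header in response"
}

# Constructed sample responses (not captured from a real cluster).
BEFORE=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver: istio-envoy\r\n\r\n')
AFTER=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nserver-timing: app;dur=3\r\n\r\n')

printf '%s\n' "$BEFORE" | check_no_server_header || true   # reports FAIL
printf '%s\n' "$AFTER"  | check_no_server_header           # reports OK

# Against a live gateway (placeholder hostname):
#   curl -sI https://app.example.com/ | check_no_server_header
```

Because the check returns a non-zero status when the header is present, it can be used as a gate in a post-deployment or audit script.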

Additional Information

The rancher-istio application is planned for deprecation in upcoming Rancher releases. It is recommended to review the official deprecation notice and plan for migration accordingly.

SUSE Blog - Rancher Istio Will Be Deprecated

SUSE Announcement - Deprecation of Rancher Istio

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.