Description
When using Caddy’s `reverse_proxy` in front of a server that sets a `Server` header, Caddy prepends its own `Server` header rather than replacing it, leading to duplicate `Server` headers. This violates RFC 9110 §5.3:

> This means that, aside from the well-known exception noted below, a sender MUST NOT generate multiple field lines with the same name in a message (whether in the headers or trailers) or append a field line when a field line of the same name already exists in the message, unless that field's definition allows multiple field line values to be recombined as a comma-separated list (i.e., at least one alternative of the field's definition allows a comma-separated list, such as an ABNF rule of #(values) defined in Section 5.6.1).

as `Server` is not defined as comma-separated.
`Caddyfile` for self-contained reproduction:

```
http://localhost:1234 {
	reverse_proxy http://localhost:1235
}
http://localhost:1235 {
	reverse_proxy http://localhost:1236
}
http://localhost:1236 {
	header Server "MyServer"
	respond "Hello"
}
```
```
# caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
# caddy run
2024/04/26 20:13:00.317 INFO using adjacent Caddyfile
2024/04/26 20:13:00.318 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/04/26 20:13:00.318 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0000b6000"}
2024/04/26 20:13:00.319 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/04/26 20:13:00.319 INFO http.log server running {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2024/04/26 20:13:00.319 INFO http.log server running {"name": "srv2", "protocols": ["h1", "h2", "h3"]}
2024/04/26 20:13:00.319 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2024/04/26 20:13:00.319 INFO serving initial configuration
2024/04/26 20:13:00.365 WARN tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/root/.local/share/caddy", "instance": "29a71809-9042-40ac-854b-3b22247b7194", "try_again": "2024/04/27 20:13:00.365", "try_again_in": 86399.999998755}
2024/04/26 20:13:00.365 INFO tls finished cleaning storage units
^Z
[1]+ Stopped caddy run
# bg
[1]+ caddy run &
# curl -i http://localhost:1234
HTTP/1.1 200 OK
Content-Length: 5
Content-Type: text/plain; charset=utf-8
Date: Fri, 26 Apr 2024 20:13:10 GMT
Server: Caddy
Server: Caddy
Server: MyServer

Hello
```
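A check for the condition reported above, as an added example (not part of the original report and not Caddy's own code): it parses a raw response with Go's `net/http` and reports every field sent on more than one line that is not list-valued. The sample bytes are reconstructed from the `curl -i` output above; the names `RepeatedSingletons` and `multiLineOK`, and the partial allowlist, are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Constructed sample: the response from the curl output in the report.
const sample = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n" +
	"Content-Type: text/plain; charset=utf-8\r\n" +
	"Date: Fri, 26 Apr 2024 20:13:10 GMT\r\n" +
	"Server: Caddy\r\nServer: Caddy\r\nServer: MyServer\r\n\r\nHello"

// multiLineOK lists fields that may appear on several lines: list-valued
// fields plus Set-Cookie, the well-known exception in RFC 9110 section 5.3.
// Assumption: an illustrative subset, not a complete registry.
var multiLineOK = map[string]bool{
	"Set-Cookie": true, "Via": true, "Vary": true, "Cache-Control": true,
}

// RepeatedSingletons parses a raw HTTP/1.x response and returns one
// "Name xN" entry, sorted, for each field that was sent on N > 1 lines
// and is not in multiLineOK.
func RepeatedSingletons(raw string) ([]string, error) {
	r := bufio.NewReader(strings.NewReader(raw))
	resp, err := http.ReadResponse(r, nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out []string
	// http.Header keeps one slice element per field line received.
	for name, vals := range resp.Header {
		if len(vals) > 1 && !multiLineOK[name] {
			out = append(out, fmt.Sprintf("%s x%d", name, len(vals)))
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	found, err := RepeatedSingletons(sample)
	fmt.Println(found, err)
}
```

The same function can be pointed at responses captured from each hop of a proxy chain to see which hop introduces the extra field line.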