feat(router): make server_token flag configurable

Make server_token flag in nginx configurable via Kubernetes
annotation.

Author: Lachlan Evenson

README.md

@@ -247,6 +247,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="error-log-level"></a>deis-router | deployment | [router.deis.io/nginx.errorLogLevel](#error-log-level) | `"error"` | Log level used in the nginx `error_log` setting (valid values are: `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert`, and `emerg`). |
 | <a name="platform-domain"></a>deis-router | deployment | [router.deis.io/nginx.platformDomain](#platform-domain) | N/A | This defines the router's platform domain.  Any domains added to a routable application _not_ containing the `.` character will be assumed to be subdomains of this platform domain.  Thus, for example, a platform domain of `example.com` coupled with a routable app counting `foo` among its domains will result in router configuration that routes traffic for `foo.example.com` to that application. |
 | <a name="use-proxy-protocol"></a>deis-router | deployment | [router.deis.io/nginx.useProxyProtocol](#use-proxy-protocol) | `"false"` | PROXY is a simple protocol supported by nginx, HAProxy, Amazon ELB, and others.  It provides a method to obtain information about a request's originating IP address from an external (to Kubernetes) load balancer in front of the router.  Enabling this option allows the router to select the originating IP from the HTTP `X-Forwarded-For` header. |
+| <a name="disable-server-tokens"></a>deis-router | deployment | [router.deis.io/nginx.disableServerTokens](#disable-server-tokens) | `"false"` | Enables or disables emitting nginx version in error messages and in the “Server” response header field. |
 | <a name="enforce-whitelists"></a>deis-router | deployment | [router.deis.io/nginx.enforceWhitelists](#enforce-whitelists) | `"false"` | Whether to _require_ application-level whitelists that explicitly enumerate allowed clients by IP / CIDR range.  With this enabled, each app will drop _all_ requests unless a whitelist has been defined. |
 | <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as  a comma-delimited list of addresses (using IP or CIDR notation).  Application-specific whitelists can either extend or override this default. |
 | <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined).  Valid values are `"extend"` and `"override"`. |

model/model.go

@@ -48,6 +48,7 @@ type RouterConfig struct {
 	ErrorLogLevel            string      `key:"errorLogLevel" constraint:"^(debug|info|notice|warn|error|crit|alert|emerg)$"`
 	PlatformDomain           string      `key:"platformDomain" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z0-9]+(-*[a-z0-9]+)+$"`
 	UseProxyProtocol         bool        `key:"useProxyProtocol" constraint:"(?i)^(true|false)$"`
+	DisableServerTokens      bool        `key:"disableServerTokens" constraint:"(?i)^(true|false)$"`
 	EnforceWhitelists        bool        `key:"enforceWhitelists" constraint:"(?i)^(true|false)$"`
 	DefaultWhitelist         []string    `key:"defaultWhitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 	WhitelistMode            string      `key:"whitelistMode" constraint:"^(extend|override)$"`
@@ -71,6 +72,7 @@ func newRouterConfig() *RouterConfig {
 		GzipConfig:               newGzipConfig(),
 		BodySize:                 "1m",
 		ProxyRealIPCIDRs:         []string{"10.0.0.0/8"},
+		DisableServerTokens:      false,
 		ErrorLogLevel:            "error",
 		UseProxyProtocol:         false,
 		EnforceWhitelists:        false,

model/model_validation_test.go

@@ -103,6 +103,14 @@ func TestValidUseProxyProtocol(t *testing.T) {
 	testValidValues(t, newTestRouterConfig, "UseProxyProtocol", "useProxyProtocol", []string{"true", "false", "TRUE", "FALSE"})
 }
 
+func TestValidServerTokens(t *testing.T) {
+	testValidValues(t, newTestRouterConfig, "DisableServerTokens", "disableServerTokens", []string{"true", "false", "TRUE", "FALSE"})
+}
+
+func TestInvalidServerTokens(t *testing.T) {
+	testInvalidValues(t, newTestRouterConfig, "DisableServerTokens", "disableServerTokens", []string{"0", "-1", "foobar"})
+}
+
 func TestInvalidEnforceWhitelists(t *testing.T) {
 	testInvalidValues(t, newTestRouterConfig, "EnforceWhitelists", "enforceWhitelists", []string{"0", "-1", "foobar"})
 }

nginx/config.go

@@ -48,6 +48,9 @@ http {
 
 	client_max_body_size {{ $routerConfig.BodySize }};
 
+	{{ if $routerConfig.DisableServerTokens -}}
+	server_tokens off;
+	{{- end}}
 	{{ range $realIPCIDR := $routerConfig.ProxyRealIPCIDRs -}}
 	set_real_ip_from {{ $realIPCIDR }};
 	{{ end -}}

nginx/config_test.go

@@ -1,13 +1,17 @@
 package nginx
 
 import (
+	"bytes"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"reflect"
+	"regexp"
 	"testing"
+	"text/template"
 
+	"github.com/Masterminds/sprig"
 	"github.com/deis/router/model"
 )
 
@@ -218,3 +222,66 @@ func checkCertAndKey(crtPath string, keyPath string, expectedCertContents string
 
 	return nil
 }
+
+func TestDisableServerTokens(t *testing.T) {
+	routerConfig := &model.RouterConfig{
+		WorkerProcesses:          "auto",
+		MaxWorkerConnections:     "768",
+		TrafficStatusZoneSize:    "1m",
+		DefaultTimeout:           "1300s",
+		ServerNameHashMaxSize:    "512",
+		ServerNameHashBucketSize: "64",
+		GzipConfig: &model.GzipConfig{
+			Enabled:     true,
+			CompLevel:   "5",
+			Disable:     "msie6",
+			HTTPVersion: "1.1",
+			MinLength:   "256",
+			Proxied:     "any",
+			Types:       "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component",
+			Vary:        "on",
+		},
+		BodySize:          "1m",
+		ProxyRealIPCIDRs:  []string{"10.0.0.0/8"},
+		ErrorLogLevel:     "error",
+		UseProxyProtocol:  false,
+		EnforceWhitelists: false,
+		WhitelistMode:     "extend",
+		SSLConfig: &model.SSLConfig{
+			Enforce:           false,
+			Protocols:         "TLSv1 TLSv1.1 TLSv1.2",
+			SessionTimeout:    "10m",
+			UseSessionTickets: true,
+			BufferSize:        "4k",
+			HSTSConfig: &model.HSTSConfig{
+				Enabled:           false,
+				MaxAge:            15552000, // 180 days
+				IncludeSubDomains: false,
+				Preload:           false,
+			},
+		},
+
+		DisableServerTokens: true,
+	}
+
+	var b bytes.Buffer
+
+	tmpl, err := template.New("nginx").Funcs(sprig.TxtFuncMap()).Parse(confTemplate)
+
+	if err != nil {
+		t.Fatalf("Encountered an error: %v", err)
+	}
+
+	err = tmpl.Execute(&b, routerConfig)
+
+	if err != nil {
+		t.Fatalf("Encountered an error: %v", err)
+	}
+
+	validDirective := regexp.MustCompile(`(?m)^(\s*)server_tokens off;$`)
+
+	if !validDirective.Match(b.Bytes()) {
+		t.Errorf("Expected: 'server_tokens off' in the configuration. Actual: no match")
+	}
+
+}