Nginx [PATCH] Nginx server header removal

Nginx server header removal.

Showing which web-server software you currently use, is almost asking for problems, in the case of a none automated, targeted attack. The attacker does not even have to do research. He/she just needs to review the headers and plan a focused attack.

One of the easiest first steps to undertake, is to prevent the web server from showing its used software via the server header.

You could use a module like: headers-more-nginx-module to disable or replace the server header. However, why compile, test and configure an extra module if it is also possible to change the upstream code with only a few simple lines. No module, not a multitude of code changes. Only one single patch.

Less is more!
This patch will remove Nginx as server header.
Tested with Nginx 1.15.0.

Nginx server header removal patch

---

 

I know.
Used the headers more nginx module before.

I have re-analyzed my Nginx stack and came to the conclusion that I just use headers more to mask the server header only.

Doing a simple patch is enough in that case.
After I realized that i couldn't find a patch, compatible with Nginx 1.15 and available yet that covers both the HTTP 1.1 and HTTP/2 header (a lot of patches only cover the HTTP 1.1 side).

I made this simple patch.

Given the number of my patches that are scattered here and there.
There is always enthusiasm for it. Hence this post.

 

Hmm to bad but as expected, it is true about web-server promoting in server header form.

As written by me before:

Valentin Bartenev of Nginx:

 

Certainly, there are several reasons why you would like to change the server header.
It could be security, it could be redundant systems, load balancers etc.

That is why it is very annoying that you can not change the nginx server header by default. Keep referring to 1 as developer is one-sided. There is so much more than that.

 

Props to Centminmod. As default users, won't have to worry about removing the default Nginx server header. As it is changed at the beginning.

 

Just like patch number 1.
This additional patch will remove the same server header for the Google edition of Nginx.

Nginx Google server header removal patch

More information about the Optimized Nginx software by Google developers

You could use the nginx-remove-server-header.patch from the first post, if using the vanilla Nginx 1.15.0.

 

Patch is still popular, hence an update.
As written before: This patch will remove the Nginx header as server header.
Tested with Nginx 1.15.11.

nginx-remove-server-header.patch · master · buik / nginx · GitLab

 

Patch is still popular with downloads on a daily basis, hence an update.
As written before: This patch will remove the Nginx header as server header.
Tested with Nginx 1.16.0.

 

Multiple dowloads per day.
Therefore an update to Nginx 1.17.0.

With this patch the Nginx header will disappear.

 

I am still not a fan of using lots of additional Nginx modules,
when this is also easy to patch with just a few lines of code.

1. An update to Nginx 1.20.2 stable
2. New Nginx 1.21.6+quic-http/3

Nginx server header removal patch

 

The QUIC/HTTP3 implementation by Nginx itself.

Nginx+quiche+BoringSSL is less interesting in my opinion because.

• You have to add quite some extra code that is actually intended and tested only for Nginx 1.16. There is quite a difference between 1.16 and 1.21 code-wise.
  Although there is a backport.
• You have to add and use new dependencies with quiche and BoringSSL.
  Logical for Cloudflare itself as it seems to use quiche and BoringSSL as a base for several of Cloudflare's products. But as we only use quiche and BoringSSL for Nginx.
• There are two extra apps (quiche and BoringSSL) + backported code to debug in case of errors and problems.
• Again, more specific to that. BoringSSL is not of interest because it does not support OCSP stapling nor dual certificate support. In addition it is not advised to use in production (general use) by the developers itself.
• It seems that Cloudflare has its own BoringSSL fork with OCSP stapling et al.
  But as long as it is not released nor open source.
  And I don't expect Cloudflare to release it either.

I personally would not choose Nginx+quiche+BoringSSL, should HTTP/3 be a requirement.
Written as of today.

 

To complete the story.
You can use the QUIC/HTTP3 implementation by Nginx.
And compile it with OpenSSL 1.1.1+quic.

That way you still use the stable OpenSSL 1.1.1 with quic and as few code changes as possible. As the name suggests, it is OpenSSL+quic. No superfluous blabla.