
Nginx [PATCH] Nginx server header removal

Discussion in 'Nginx and PHP-FPM news & discussions' started by bassie, Jun 13, 2018.

  1. bassie

    bassie Active Member

    Nginx server header removal.

    Showing which web-server software you currently use is almost asking for problems in the case of a non-automated, targeted attack. The attacker does not even have to do research. He/she just needs to review the headers and plan a focused attack.

    One of the easiest first steps to undertake is to prevent the web server from showing its used software via the server header.

    You could use a module like headers-more-nginx-module to disable or replace the server header. However, why compile, test and configure an extra module if it is also possible to change the upstream code with only a few simple lines? No module, not a multitude of code changes. Only one single patch.

    Less is more!
    This patch will remove Nginx as server header.
    Tested with Nginx 1.15.0.

    Nginx server header removal patch
     
  2. eva2000

    eva2000 Administrator Staff Member

    Yeah true. Though Centmin Mod already includes headers more nginx module to be able to change server header so no real extra work for users and headers more nginx module is useful too :)
     
  3. bassie

    I know.
    Used the headers more nginx module before.

    I have re-analyzed my Nginx stack and came to the conclusion that I just use headers more to mask the server header only.

    Doing a simple patch is enough in that case.
    After I realized that I couldn't find a patch, compatible with Nginx 1.15 and available yet that covers both the HTTP 1.1 and HTTP/2 header (a lot of patches only cover the HTTP 1.1 side).

    I made this simple patch.

    Given the number of my patches that are scattered here and there.
    There is always enthusiasm for it. Hence this post.
     
  4. eva2000

    Well thanks for sharing .. always appreciated :D
     
  5. bassie

    Hmm, too bad, but as expected, it is true about web-server promoting in server header form.

    As written by me before:
    Valentin Bartenev of Nginx:
     
    Last edited: Jun 13, 2018
  6. eva2000

    Yeah that's partly why Centmin Mod has it, though it's also a diagnostic tool for doing curl header checks to make sure the expected Centmin Mod Nginx is in use.

    i.e. if you place Centmin Mod Nginx behind a CDN or a Cloudflare, Incapsula or Sucuri like reverse proxy and need to verify which web server is serving the content. Or if someone accidentally had yum installed a distro nginx prior to Centmin Mod Nginx install and has conflicting nginx servers being used. Hence, the server header can be used for advertising but also as a diagnostic identification tool :)
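
The curl header check mentioned above, extended to cover the HTTP/1.1 versus HTTP/2 gap raised earlier in the thread. This is an added example, not code from any poster or from Centmin Mod; the function names and the sample header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample header dumps are constructed.

# Print the Server header value from the LAST response block on stdin.
# Exit status 1 means the header is absent. Matching is case-insensitive
# because HTTP/2 carries header names in lowercase ("server:").
server_header() {
  awk '
    { sub(/\r$/, "") }                          # strip CR from CRLF line ends
    /^HTTP\// { found = 0; value = ""; next }   # new status line: reset state
    tolower($0) ~ /^server:/ {
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)
      found = 1
    }
    END { if (!found) exit 1; print value }
  '
}

# Classify a header dump: absent, present (name only) or versioned.
classify() {
  if ! sh_value=$(server_header); then
    echo "absent"
    return 0
  fi
  case "$sh_value" in
    */[0-9]*) echo "versioned: $sh_value" ;;
    *)        echo "present: $sh_value" ;;
  esac
}

# Live check over both protocols; needs curl built with HTTP/2 support.
check_host() {
  for proto in --http1.1 --http2; do
    printf '%s %s -> ' "$1" "$proto"
    curl -sS -o /dev/null -D - "$proto" "$1" | classify
  done
}

# Constructed dumps: a build patched only on the HTTP/1.1 side.
sample_h1() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }
sample_h2() { printf 'HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html\r\n\r\n'; }
sample_stock() { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.15.0\r\n\r\n'; }

printf 'HTTP/1.1 sample: %s\n' "$(sample_h1 | classify)"
printf 'HTTP/2 sample:   %s\n' "$(sample_h2 | classify)"
printf 'stock sample:    %s\n' "$(sample_stock | classify)"
```

After rebuilding, run `check_host` with the HTTPS URL of your own server; both protocol lines should report the same result.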
     
  7. bassie

    Certainly, there are several reasons why you would like to change the server header.
    It could be security, it could be redundant systems, load balancers etc.

    That is why it is very annoying that you can not change the nginx server header by default. Keep referring to 1 as developer is one-sided. There is so much more than that.
     
  8. eva2000

    Yeah true about not being able to change it by default. Though the argument in that linked ticket for not considering headers more nginx module as valid workaround due to needing to recompile nginx would also preclude your header removal patch too as you'd need to recompile nginx heh :)

    Centmin Mod Nginx users don't have to mess around at all as headers more nginx module is installed by default anyway :)
     
  9. bassie

    Props to Centminmod. As default users, won't have to worry about removing the default Nginx server header. As it is changed at the beginning. :)
     