Want more timely Centmin Mod News Updates?
Become a Member

Nginx [PATCH] Nginx server header removal

Discussion in 'Nginx and PHP-FPM news & discussions' started by buik, Jun 13, 2018.

Tags:
  1. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    Nginx server header removal.

    Showing which web-server software you currently use, is almost asking for problems, in the case of a none automated, targeted attack. The attacker does not even have to do research. He/she just needs to review the headers and plan a focused attack.

    One of the easiest first steps to undertake, is to prevent the web server from showing its used software via the server header.

    You could use a module like: headers-more-nginx-module to disable or replace the server header. However, why compile, test and configure an extra module if it is also possible to change the upstream code with only a few simple lines. No module, not a multitude of code changes. Only one single patch.

    Less is more!
    This patch will remove Nginx as server header.
    Tested with Nginx 1.15.0.

    Nginx server header removal patch

     
  2. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Yeah true. Though Centmin Mod already includes headers more nginx module to be able to change server header so no real extra work for users and headers more nginx module is useful too :)
     
  3. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    I know.
    Used the headers more nginx module before.

    I have re-analyzed my Nginx stack and came to the conclusion that I just use headers more to mask the server header only.

    Doing a simple patch is enough in that case.
    After I realized that i couldn't find a patch, compatible with Nginx 1.15 and available yet that covers both the HTTP 1.1 and HTTP/2 header (a lot of patches only cover the HTTP 1.1 side).

    I made this simple patch.

    Given the number of my patches that are scattered here and there.
    There is always enthusiasm for it. Hence this post.
     
  4. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Well thanks for sharing .. always appreciated :D
     
  5. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    Hmm to bad but as expected, it is true about web-server promoting in server header form.

    As written by me before:
    Valentin Bartenev of Nginx:
     
    Last edited: Jun 13, 2018
  6. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Yeah that's partly why Centmin Mod has it, though it's also a diagnostic tool for doing curl header checks to make sure the expected Centmin Mod Nginx is in use.

    i.e. if you place Centmin Mod Nginx behind a CDN or cloudflare, incapsula, sucuri like reverse proxy and need to verify which web server is serving the content. Or if someone accidentally had yum installed a distro nginx prior to Centmin Mod Nginx install and has conflicting nginx servers being used. Hence, the server header can be used for advertising but also as diagnostic identification tool :)
     
  7. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    Certainly, there are several reasons why you would like to change the server header.
    It could be security, it could be redundant systems, load balancers etc.

    That is why it is very annoying that you can not change the nginx server header by default. Keep referring to 1 as developer is one-sided. There is so much more than that.
     
  8. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Yeah true about not being able to change it by default. Though the argument in that linked ticket for not considering headers more nginx module as valid workaround due to needing to recompile nginx would also preclude your header removal patch too as you'd need to recompile nginx heh :)

    Centmin Mod Nginx users don't have to mess around at all as headers more nginx module is installed by default anyway :)
     
  9. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    Props to Centminmod. As default users, won't have to worry about removing the default Nginx server header. As it is changed at the beginning. :)
     
  10. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
  11. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
  12. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
  13. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    Patch is still popular with downloads on a daily basis, hence an update.
    As written before: This patch will remove the Nginx header as server header.
    Tested with Nginx 1.16.0.
     
  14. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
  15. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    thanks mate :)
     
  16. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    I am still not a fan of using lots of additional Nginx modules,
    when this is also easy to patch with just a few lines of code.
    1. An update to Nginx 1.20.2 stable
    2. New Nginx 1.21.6+quic-http/3
    Nginx server header removal patch
     
    Last edited: Jan 28, 2022
  17. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Thanks for sharing the updates - so you testing which Nginx QUIC/HTTP3 implementation base with that patch?
     
  18. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    The QUIC/HTTP3 implementation by Nginx itself.

    Nginx+quiche+BoringSSL is less interesting in my opinion because.
    • You have to add quite some extra code that is actually intended and tested only for Nginx 1.16. There is quite a difference between 1.16 and 1.21 code-wise.
      Although there is a backport.
    • You have to add and use new dependencies with quiche and BoringSSL.
      Logical for Cloudflare itself as it seems to use quiche and BoringSSL as a base for several of Cloudflare's products. But as we only use quiche and BoringSSL for Nginx.
    • There are two extra apps (quiche and BoringSSL) + backported code to debug in case of errors and problems.
    • Again, more specific to that. BoringSSL is not of interest because it does not support OCSP stapling nor dual certificate support. In addition it is not advised to use in production (general use) by the developers itself.
    • It seems that Cloudflare has its own BoringSSL fork with OCSP stapling et al.
      But as long as it is not released nor open source.
      And I don't expect Cloudflare to release it either.
    I personally would not choose Nginx+quiche+BoringSSL, should HTTP/3 be a requirement.
    Written as of today.
     
    Last edited: Jan 28, 2022
  19. buik

    buik “The best traveler is one without a camera.”

    1,962
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,632
    Local Time:
    5:42 PM
    To complete the story.
    You can use the QUIC/HTTP3 implementation by Nginx.
    And compile it with OpenSSL 1.1.1+quic.

    That way you still use the stable OpenSSL 1.1.1 with quic and as few code changes as possible. As the name suggests, it is OpenSSL+quic. No superfluous blabla.
     
  20. eva2000

    eva2000 Administrator Staff Member

    51,967
    11,976
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,473
    Local Time:
    1:42 AM
    Nginx 1.25.x
    MariaDB 10.x
    Definitely makes since to stick with OpenSSL based fork with QUIC - especially for OCSP stapling support :) Dual RSA + ECDSA SSL certificate support still remains ?