Hello - we have been dinged on our network penetration test because one of our Nginx web servers is returning the internal IP in the HTTP location response header. This is our only Nginx server that is not acting as a reverse proxy, so I'm at a bit of a loss on how to disable Nginx returning the Internal IP?
Here is the bulk of our config:
server {
listen 192.168.1.2:80;
server_name mydomain.com www.mydomain.com
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 192.168.1.2:443 ssl http2;
server_name mydomain.com www.mydomain.com
ssl on;
ssl_certificate /etc/nginx/ssl/mycert.crt;
ssl_certificate_key /etc/nginx/ssl/mykey.key
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-A[...]
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_stapling on;
resolver 8.8.8.8 8.8.4.4 ipv6=off;
location / {
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security max-age=31536[...]
root /usr/share/nginx/html/;
index index.html;
}
}
[+] Location Header: https://192.168.1.2/images/
[+] Result for my.external.ip.address found Internal IP: 192.168.1.2