Welcome! Log In Create A New Profile

Advanced

[PATCH] http option for server identification removal

Teo Tyrov
October 18, 2023 02:40PM
# HG changeset patch
# User Theodoros Tyrovouzis <teotyrov@gmail.com>
# Date 1697653906 -10800
# Wed Oct 18 21:31:46 2023 +0300
# Node ID 112e223511c087fac000065c7eb99dd88e66b174
# Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
Add "server_identification" http option that hides server information
disclosure in responses

In its responses, nginx by default sends a "Server" header which contains
"nginx" and the nginx version. Most production systems would want this
information hidden, as it is technical information disclosure (
https://portswigger.net/web-security/information-disclosure). nginx does
provide the option "server_tokens off;" which hides the version, but in
order to get rid of the header, nginx needs to be compiled with the
headers_more module, for the option "more_clear_headers". This patch
provides an http option for hiding that information, which also hides the
server information from the default error responses.

An alternative would be to add a new option to server_tokens, e.g.
"incognito".

diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -129,6 +129,13 @@
};


+static ngx_conf_enum_t ngx_http_core_server_identification[] = {
+ { ngx_string("off"), NGX_HTTP_SERVER_IDENTIFICATION_OFF },
+ { ngx_string("on"), NGX_HTTP_SERVER_IDENTIFICATION_ON },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_conf_enum_t ngx_http_core_if_modified_since[] = {
{ ngx_string("off"), NGX_HTTP_IMS_OFF },
{ ngx_string("exact"), NGX_HTTP_IMS_EXACT },
@@ -635,6 +642,13 @@
offsetof(ngx_http_core_loc_conf_t, server_tokens),
&ngx_http_core_server_tokens },

+ { ngx_string("server_identification"),
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, server_identification),
+ &ngx_http_core_server_identification },
+
{ ngx_string("if_modified_since"),

NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_enum_slot,
@@ -3623,6 +3637,7 @@
clcf->chunked_transfer_encoding = NGX_CONF_UNSET;
clcf->etag = NGX_CONF_UNSET;
clcf->server_tokens = NGX_CONF_UNSET_UINT;
+ clcf->server_identification = NGX_CONF_UNSET_UINT;
clcf->types_hash_max_size = NGX_CONF_UNSET_UINT;
clcf->types_hash_bucket_size = NGX_CONF_UNSET_UINT;

@@ -3901,6 +3916,9 @@
ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens,
NGX_HTTP_SERVER_TOKENS_ON);

+ ngx_conf_merge_uint_value(conf->server_identification,
prev->server_identification,
+ NGX_HTTP_SERVER_IDENTIFICATION_ON);
+
ngx_conf_merge_ptr_value(conf->open_file_cache,
prev->open_file_cache, NULL);

diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.h Wed Oct 18 21:31:46 2023 +0300
@@ -55,6 +55,10 @@
#define NGX_HTTP_KEEPALIVE_DISABLE_SAFARI 0x0008


+#define NGX_HTTP_SERVER_IDENTIFICATION_OFF 0
+#define NGX_HTTP_SERVER_IDENTIFICATION_ON 1
+
+
#define NGX_HTTP_SERVER_TOKENS_OFF 0
#define NGX_HTTP_SERVER_TOKENS_ON 1
#define NGX_HTTP_SERVER_TOKENS_BUILD 2
@@ -405,6 +409,7 @@
ngx_flag_t log_subrequest; /* log_subrequest */
ngx_flag_t recursive_error_pages; /* recursive_error_pages */
ngx_uint_t server_tokens; /* server_tokens */
+ ngx_uint_t server_identification; /* server_identification */
ngx_flag_t chunked_transfer_encoding; /* chunked_transfer_encoding
*/
ngx_flag_t etag; /* etag */

diff -r cdda286c0f1b -r 112e223511c0
src/http/ngx_http_header_filter_module.c
--- a/src/http/ngx_http_header_filter_module.c Tue Oct 10 15:13:39 2023
+0300
+++ b/src/http/ngx_http_header_filter_module.c Wed Oct 18 21:31:46 2023
+0300
@@ -283,7 +283,7 @@

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
len += sizeof(ngx_http_server_full_string) - 1;

@@ -452,7 +452,7 @@
}
*b->last++ = CR; *b->last++ = LF;

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
p = ngx_http_server_full_string;
len = sizeof(ngx_http_server_full_string) - 1;
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_special_response.c
--- a/src/http/ngx_http_special_response.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_special_response.c Wed Oct 18 21:31:46 2023 +0300
@@ -39,6 +39,12 @@
;


+static u_char ngx_http_error_tail_minimal[] =
+"</body>" CRLF
+"</html>" CRLF
+;
+
+
static u_char ngx_http_msie_padding[] =
"<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
"<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
@@ -680,17 +686,22 @@
ngx_uint_t msie_padding;
ngx_chain_t out[3];

- if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
- len = sizeof(ngx_http_error_full_tail) - 1;
- tail = ngx_http_error_full_tail;
+ if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
+ if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+ len = sizeof(ngx_http_error_full_tail) - 1;
+ tail = ngx_http_error_full_tail;

- } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
- len = sizeof(ngx_http_error_build_tail) - 1;
- tail = ngx_http_error_build_tail;
+ } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+ len = sizeof(ngx_http_error_build_tail) - 1;
+ tail = ngx_http_error_build_tail;

+ } else {
+ len = sizeof(ngx_http_error_tail) - 1;
+ tail = ngx_http_error_tail;
+ }
} else {
- len = sizeof(ngx_http_error_tail) - 1;
- tail = ngx_http_error_tail;
+ len = sizeof(ngx_http_error_tail_minimal) - 1;
+ tail = ngx_http_error_tail_minimal;
}

msie_padding = 0;
diff -r cdda286c0f1b -r 112e223511c0 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -217,7 +217,7 @@

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {

if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
len += 1 + nginx_ver_len;
@@ -421,7 +421,7 @@
pos = ngx_sprintf(pos, "%03ui", r->headers_out.status);
}

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {

if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
diff -r cdda286c0f1b -r 112e223511c0 src/http/v3/ngx_http_v3_filter_module.c
--- a/src/http/v3/ngx_http_v3_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v3/ngx_http_v3_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -158,7 +158,7 @@

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
n = sizeof(NGINX_VER) - 1;

@@ -339,7 +339,7 @@
b->last = ngx_sprintf(b->last, "%03ui", r->headers_out.status);
}

- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
p = (u_char *) NGINX_VER;
n = sizeof(NGINX_VER) - 1;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] http option for server identification removal

Teo Tyrov 197 October 18, 2023 02:40PM

Re: [PATCH] http option for server identification removal

Aleksandar Lazic via nginx-devel 61 October 18, 2023 03:06PM

Re: [PATCH] http option for server identification removal

Teo Tyrov 63 October 19, 2023 09:18AM

Re: [PATCH] http option for server identification removal

Antoine Bonavita 87 October 19, 2023 09:50AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 267
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready