Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] http option for server identification removal

Antoine Bonavita
October 19, 2023 09:50AM
Teo,

You might want to have a look at: https://trac.nginx.org/nginx/ticket/936

If my understanding is correct, this feature is already offered as part of
Nginx Plus.

Hope this helps,

A.

On Thu, Oct 19, 2023 at 3:16 PM Teo Tyrov <teotyrov@gmail.com> wrote:

> Sorry, I forgot to add the mailing list to the recipients
>
> Best,
> Thodoris
>
> On Wed, Oct 18, 2023 at 11:17 PM Aleksandar Lazic <al-nginx@none.at>
> wrote:
>
>> Hi Teo.
>>
>> On 2023-10-18 (Mi.) 21:18, Teo Tyrov wrote:
>> > Hello Alex,
>> >
>> > This directive removes only the version, so it is still disclosed that
>> > the nginx server is used. I would be asked to remove the entire header
>> > in my previous company, which as far as I know, is not possible without
>> > external modules.
>>
>> got it.
>>
>> > On Wed, Oct 18, 2023 at 10:05 PM Aleksandar Lazic <al-nginx@none.at
>> > <mailto:al-nginx@none.at>> wrote:
>> >
>> > Hi Teo.
>> >
>> > On 2023-10-18 (Mi.) 20:38, Teo Tyrov wrote:
>> > > # HG changeset patch
>> > > # User Theodoros Tyrovouzis <teotyrov@gmail.com
>> > <mailto:teotyrov@gmail.com> <mailto:teotyrov@gmail.com
>> > <mailto:teotyrov@gmail.com>>>
>> > > # Date 1697653906 -10800
>> > > # Wed Oct 18 21:31:46 2023 +0300
>> > > # Node ID 112e223511c087fac000065c7eb99dd88e66b174
>> > > # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
>> > > Add "server_identification" http option that hides server
>> > information
>> > > disclosure in responses
>> > >
>> > > In its responses, nginx by default sends a "Server" header which
>> > > contains "nginx" and the nginx version. Most production systems
>> > would
>> > > want this information hidden, as it is technical information
>> > disclosure
>> > > (https://portswigger.net/web-security/information-disclosure
>> > https://portswigger.net/web-security/information-disclosure).
>> nginx
>> > > does provide the option "server_tokens off;" which hides the
>> > version,
>> > > but in order to get rid of the header, nginx needs to be compiled
>> > with
>> > > the headers_more module, for the option "more_clear_headers".
>> > This patch
>> > > provides an http option for hiding that information, which also
>> > hides
>> > > the server information from the default error responses.
>> > >
>> > > An alternative would be to add a new option to server_tokens,
>> e.g.
>> > > "incognito".
>> >
>> > What's wrong with this directive?
>> >
>> http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens <
>> http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens>
>> >
>> > [snipp]
>> >
>> > Regards
>> > Alex
>> >
>>
>> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] http option for server identification removal

Teo Tyrov 189 October 18, 2023 02:40PM

Re: [PATCH] http option for server identification removal

Aleksandar Lazic via nginx-devel 58 October 18, 2023 03:06PM

Re: [PATCH] http option for server identification removal

Teo Tyrov 60 October 19, 2023 09:18AM

Re: [PATCH] http option for server identification removal

Antoine Bonavita 81 October 19, 2023 09:50AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 151
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready