Can I hide all server / os info?

Solution 1:

You can stop it outputting the version of Nginx and OS by adding

server_tokens off;

to an http, server, or location context.

Or if you want to remove the Server header completely, you need to compile Nginx with the Headers More module in, as the header is hard coded in the Nginx source, and this module allows changing any http headers.

more_clear_headers Server;

However, there are many hidden ways servers perform by accident via their implementation which may help identify the system. e.g. How it responds to a bad SSL request. I don't see a practical way of preventing this.

Some of the things I might suggest:

  • change error templates
  • block all ports except the services needed

Solution 2:

If you have installed nginx using apt-get in Debian or Ubuntu, you might need to install the package nginx-extras to set or clear the "Server" header.

Once this is done, you can add the lines below in nginx.conf (usually /etc/nginx/nginx.conf):

To clear the "Server" header altogether:

more_clear_headers Server;

To set a custom string as "Server":

more_set_headers 'Server: some-string-here';

Solution 3:

@Martin F. Yes it does. You will have to compile it from source and change what's needed before compiling the source.

I assume you downloaded the last stable version, decompressed it, and know where the files are. If that's the case, do the following:

nano src/http/ngx_http_header_filter_module.c

Then look for line 48 if I recall correctly.

static char ngx_http_server_string[] = "Server: nginx" CRLF;

Replace nginx with MyWhateverServerNameIWant e.g.

static char ngx_http_server_string[] = "Server: MyWhateverServerNameIWant" CRLF;

Then

nano src/core/nginx.h

look for the line

#define NGINX_VER          "nginx/" NGINX_VERSION

change "nginx/" to "MyWhateverServerNameIWant/" so it will read

#define NGINX_VER          "MyWhateverServerNameIWant/" NGINX_VERSION

Finally, if you want, also change the version number:

look for the line

#define NGINX_VERSION      "1.0.4"

and change "1.0.4" to whatever version you want. For example, it will read

#define NGINX_VERSION      "5.5.5"

Hope it helps. Nevertheless, securing a server goes far beyond not showing what's running. PHP is by nature insecure, and so is Linux. Of course Linux can be pretty secure if all needed measures are taken in order to achieve decent security. As far as PHP is concerned, I would recommend using Suhosin to help harden the security of your code.


Solution 4:

After a lot of time working out how to do a custom flavor of nginx on Ubuntu, I realized you can use the Lua module for this.

On Ubuntu 14.04, if you install the nginx-extras package you can remove the Server header by using:

header_filter_by_lua 'ngx.header["server"] = nil';

Throw this in the http block and every request will be lacking a Server header.

If it doesn't work run nginx -V to verify that you have the lua module compiled into your copy of nginx. If not, there is likely an alternate package you can use to get it.


Solution 5:

Instead of header_filter_by_lua, it is recommended to use the newer directive header_filter_by_lua_block, which inlines the Lua source directly between curly braces ({}). With this, there is no need to escape special characters.

header_filter_by_lua_block { ngx.header["server"] = nil }

https://github.com/openresty/lua-nginx-module#header_filter_by_lua_block
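The answers above offer four different mechanisms (server_tokens, more_clear_headers, more_set_headers, and the Lua header filter), and nginx inherits settings from enclosing contexts, so a server block can quietly re-expose the version. The following is an added example, not code from any answer in this thread: a small parser for nginx.conf syntax plus an audit that reports, per context, what the Server header would reveal. The parse/audit functions and the SAMPLE config are constructed for this illustration; it assumes the exact directive forms shown in the answers are the only ones in play.

```python
import re
# Skip whitespace and #-comments, then take a quoted string, a brace, ';' or a bare word.
_TOKEN = re.compile(r"""\s*(?:#[^\n]*\s*)*("[^"]*"|'[^']*'|[{};]|[^\s{};"'#]+)""")
_LUA_CLEAR = re.compile(r'ngx\.header\[\s*["\']server["\']\s*\]\s*=\s*nil', re.I)

def parse(text, pos=0):
    """Parse nginx config into [(name, args, children)]; children is None for plain directives."""
    items, cur = [], []
    while m := _TOKEN.match(text, pos):
        tok, pos = m.group(1), m.end()
        if tok == "}": break                                     # end of the enclosing block
        if tok == "{" and cur and cur[0].endswith("_by_lua_block"):  # keep Lua body verbatim
            depth, end = 1, pos                                  # scan to the matching '}'
            while depth:
                depth += {"{": 1, "}": -1}.get(text[end], 0); end += 1
            items.append((cur[0], [text[pos:end - 1].strip()], None)); pos = end
        elif tok == "{":
            kids, pos = parse(text, pos)
            items.append((cur[0], cur[1:], kids))
        elif tok == ";":
            items.append((cur[0], cur[1:], None))
        else:
            cur.append(tok.strip("'\"")); continue               # still inside a directive
        cur = []
    return items, pos

def audit(text):
    """Map each context to what the Server header reveals; children inherit parent settings."""
    report = {}
    def walk(directives, path, state):
        state = dict(state)                                      # copy: siblings stay isolated
        for name, args, _ in directives:
            if name == "server_tokens" and args: state["tokens"] = args[0]
            elif name == "more_clear_headers" and "server" in [a.lower() for a in args]:
                state["cleared"] = True
            elif name == "more_set_headers":
                for a in (a for a in args if a.lower().startswith("server:")):
                    state["custom"] = a.split(":", 1)[1].strip()
            elif name.startswith("header_filter_by_lua") and _LUA_CLEAR.search(" ".join(args)):
                state["cleared"] = True
        if state["cleared"]:  report[path] = "none"
        elif state["custom"]: report[path] = "custom: " + state["custom"]
        else: report[path] = "nginx" if state["tokens"] == "off" else "nginx/<version>"
        for i, (name, _, kids) in enumerate(d for d in directives if d[2] is not None):
            walk(kids, f"{path} > {name}[{i}]", state)
    walk(parse(text)[0], "main", {"tokens": "on", "cleared": False, "custom": None})
    return report

SAMPLE = """http { server_tokens off;  # constructed sample config, not from the thread
    server { more_clear_headers Server; }
    server { server_tokens on; header_filter_by_lua_block { ngx.header["server"] = nil } }
    server { more_set_headers 'Server: some-string-here'; } }"""
```

Run audit() on your own nginx.conf text; a context reported as "nginx/<version>" is one where server_tokens was turned back on (or never turned off) and nothing clears the header.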

Tags:

Nginx

Ubuntu