Blog

  • When you run a web server, it is likely telling the world what kind of server it is and which version it runs. Almost everyone overlooks this data, except for hackers, who use it to attack your web server. What's more, if your web server's version is known to be vulnerable to a particular issue, the hacker would simply need to exploit that part of your server.

    This blog will show you how to hide the server name and its version number if you are using "nginx" as your web server.

    A typical nginx server returns this type of header:

    HTTP/1.1 200 OK
    Server: nginx/1.12
    Content-Type: text/html
    Content-Length: 1316
    Connection: keep-alive
    ETag: "5a71930d-524"
    Accept-Ranges: bytes
    
    

    This clearly shows the server type and its version.
    Let us see how to configure nginx to change the server name in the header.

    The first step is to install nginx.

    To install nginx on Ubuntu:

    sudo add-apt-repository ppa:nginx/stable
    sudo apt-get update
    sudo apt-get install nginx

    To see the typical nginx header, run the following command after starting the nginx service:

    ubuntu@ubuntu:~$ curl -I localhost
    
    HTTP/1.1 200 OK
    Server: nginx/1.12
    Content-Type: text/html
    Content-Length: 1316
    Connection: keep-alive
    ETag: "5a71930d-524"
    Accept-Ranges: bytes

    You can clearly see the server name and its version.
    To hide the server name, we can use nginx's support for dynamic modules, which are compiled separately and loaded by the installed server.

    The dynamic module available to hide the server name is: headers-more-nginx-module

    Read more about it at:

    https://github.com/openresty/headers-more-nginx-module#readme

    Let us now move on to compile the dynamic module.

    To compile it, we first have to download the source code of the nginx version we currently have installed.

    In our case it's 1.12, so download the nginx source code:

    ubuntu@ubuntu:~$ wget http://nginx.org/download/nginx-1.12.2.tar.gz
    ubuntu@ubuntu:~$ tar -xvzf nginx-1.12.2.tar.gz 

    Now, let us download the source code of the dynamic module we need to compile:

    ubuntu@ubuntu:~$ git clone https://github.com/openresty/headers-more-nginx-module.git
    

    Since nginx is already installed, we need to pass the same flags it was built with when compiling the dynamic module, to avoid any conflict.
    To see those flags, run "nginx -V" and copy the configure arguments it prints.

    Now, go to the downloaded nginx source code directory and run:

    ubuntu@ubuntu:~$ cd nginx-1.12.2
    ubuntu@ubuntu:~/nginx-1.12.2$ ./configure --add-dynamic-module=../headers-more-nginx-module <paste the copied contents here>
    ubuntu@ubuntu:~/nginx-1.12.2$ make modules

    The build creates the file "ngx_http_headers_more_filter_module.so" in the objs directory. Copy it to the nginx modules directory:

    ubuntu@ubuntu:~/nginx-1.12.2$ sudo cp objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules

    Now, to let nginx know about the newly compiled module, add the following line at the top level of your nginx.conf file, outside any block:

    load_module modules/ngx_http_headers_more_filter_module.so;

    And in the http block of nginx.conf, add:

    server_tokens off;
    more_set_headers 'Server: Oodles';

    The final step is to restart the nginx service

    ubuntu@ubuntu:~$ sudo service nginx restart 
    ubuntu@ubuntu:~$ curl -I localhost
    
    HTTP/1.1 200 OK
    Server: Oodles
    Content-Type: text/html
    Content-Length: 1316
    Connection: keep-alive
    ETag: "5a71930d-524"
    Accept-Ranges: bytes

    The server name has been changed to Oodles. The Server header no longer tells anyone which web server, or which version of it, your website is running on.
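
    To check the result without reading the headers by eye, here is an added example (not part of the original post): a POSIX shell function that classifies the Server header in "curl -sI" output. The function names and the list of known product names are assumptions, and the sample responses are constructed from the headers shown above.

```shell
#!/bin/sh
# Added example. Reads HTTP response headers on stdin and prints one of:
#   version - Server header discloses product/version (e.g. nginx/1.12)
#   product - a known product name without a version (server_tokens off only)
#   custom  - replaced value (e.g. set with more_set_headers)
#   absent  - no Server header at all
classify_server_header() {
    # Headers end in CRLF, so strip the CR first. Header names are
    # case-insensitive, so compare in lowercase. Keep the last Server line.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); v = $0 }
        END { print v }')
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    case "$lower" in
        "")        echo absent ;;
        */[0-9]*)  echo version ;;
        # Assumed list of common server product names; extend as needed.
        nginx*|openresty*|apache*|lighttpd*|microsoft-iis*) echo product ;;
        *)         echo custom ;;
    esac
}

# Exit status 0 only when the header no longer names the server software,
# which makes the check usable in a deployment or monitoring script.
server_header_is_masked() {
    case "$(classify_server_header)" in
        custom|absent) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample responses: default nginx, server_tokens off only,
# the more_set_headers result from this post, and no Server header.
for sample in 'Server: nginx/1.12' 'server: nginx' \
              'Server: Oodles' 'Content-Type: text/html'; do
    result=$(printf 'HTTP/1.1 200 OK\r\n%s\r\n\r\n' "$sample" | classify_server_header)
    printf '%-26s -> %s\n' "$sample" "$result"
done

# Against a live server:
#   curl -sI http://localhost | server_header_is_masked || echo "Server header leaks"
```

    The second sample shows why "server_tokens off;" alone is not enough for this goal: it removes the version but still names nginx.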

    Hope this gave you a good understanding of why and how we can change the server name from the nginx header.

     

Tags: nginx