Setup Headers More Nginx Module Using Dynamic Compilation

Posted By Jatin Gupta | 28-Feb-2018

When you run a web server, it is likely showing the world what kind of server it is, and its version. Almost everyone overlooks this data, except for hackers, who use it to attack your web server. What's more, if your web server's version is known to be affected by a particular vulnerability, the hacker would simply need to exploit that part of your server.

This blog will show you how to hide the server name and its version number if you are using "nginx" as your web server.

A typical nginx server returns headers like these:

HTTP/1.1 200 OK
Server: nginx/1.12
Content-Type: text/html
Content-Length: 1316
Connection: keep-alive
ETag: "5a71930d-524"
Accept-Ranges: bytes

This clearly shows the server type and its version.
Let us see how to configure nginx to change the server name in the header.

The first step is to install nginx.

To install nginx on Ubuntu:

sudo add-apt-repository ppa:nginx/stable
sudo apt-get update
sudo apt-get install nginx

To see the typical nginx header, run the following command after starting the nginx service:

ubuntu@ubuntu:~$ curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.12
Content-Type: text/html
Content-Length: 1316
Connection: keep-alive
ETag: "5a71930d-524"
Accept-Ranges: bytes

You can clearly see the server name and its version.
To hide the server name, we can compile a dynamic module for nginx.

The dynamic module available to hide the server name is: headers-more-nginx-module

Read more about it at:

https://github.com/openresty/headers-more-nginx-module#readme

Let us now move on to compile the dynamic module.

To compile it, we first have to download the source code of the nginx version we have installed.

In our case it's 1.12, so we download the matching nginx source code:

ubuntu@ubuntu:~$ wget http://nginx.org/download/nginx-1.12.2.tar.gz
ubuntu@ubuntu:~$ tar -xvzf nginx-1.12.2.tar.gz 

Now, let us download the source code of the dynamic module we need to compile:

ubuntu@ubuntu:~$ git clone https://github.com/openresty/headers-more-nginx-module.git

Since nginx is already installed, we also need to pass the flags the installed nginx was compiled with when compiling the dynamic module, to avoid any conflict.
To see those flags, run "nginx -V" and copy everything listed after "configure arguments:".

Now, go to the downloaded nginx source code directory and run:

ubuntu@ubuntu:~$ cd nginx-1.12.2
ubuntu@ubuntu:~/nginx-1.12.2$ ./configure --add-dynamic-module=../headers-more-nginx-module <paste the copied contents here>
ubuntu@ubuntu:~/nginx-1.12.2$ make modules

The "ngx_http_headers_more_filter_module.so" file will now be created in the objs directory. Copy the file to the nginx modules directory:

ubuntu@ubuntu:~/nginx-1.12.2$ sudo cp objs/ngx_http_headers_more_filter_module.so /etc/nginx/modules

Now, to let nginx know about the newly compiled module, add the following line to your nginx.conf file:

load_module modules/ngx_http_headers_more_filter_module.so;

And in the http block of nginx.conf, add:

server_tokens off;
more_set_headers 'Server: Oodles';

The final step is to restart the nginx service:

ubuntu@ubuntu:~$ sudo service nginx restart 
ubuntu@ubuntu:~$ curl -I localhost

HTTP/1.1 200 OK
Server: Oodles
Content-Type: text/html
Content-Length: 1316
Connection: keep-alive
ETag: "5a71930d-524"
Accept-Ranges: bytes

The server name has been changed to Oodles. The response headers no longer reveal which web server your website is running on.
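A check for the result above, added here as an example (not part of the original post): the shell function below reads HTTP response headers, such as `curl -I` output, and classifies what the Server header discloses. The function name, the product list and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Server header found in HTTP response headers on stdin.
# Prints one of: absent | version | product | custom
classify_server_header() {
    # HTTP header lines end in CRLF, so strip the CR first.
    value=$(tr -d '\r' | awk '
        /^$/ { exit }                       # blank line: headers are over
        tolower($0) ~ /^server:/ {          # header names are case-insensitive
            sub(/^[^:]*:[ \t]*/, "")        # drop the name, keep the value
            print
            exit
        }')
    lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        "")                                        echo absent ;;
        *[0-9].[0-9]*)                             echo version ;;  # e.g. nginx/1.12
        nginx*|openresty*|apache*|microsoft-iis*)  echo product ;;  # name only
        *)                                         echo custom ;;
    esac
}

# Constructed sample responses, modelled on the curl output shown in this post.
sample_default()    { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12\r\nContent-Type: text/html\r\n\r\n'; }
sample_tokens_off() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'; }
sample_custom()     { printf 'HTTP/1.1 200 OK\r\nServer: Oodles\r\nContent-Type: text/html\r\n\r\n'; }

for s in sample_default sample_tokens_off sample_custom; do
    printf '%s: %s\n' "$s" "$($s | classify_server_header)"
done

# Against a live server:  curl -sI http://localhost | classify_server_header
```

The second sample shows why the post sets both directives: with only `server_tokens off;` the version is gone but the header still names nginx.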

Hope this gave you a good understanding of why and how we can change the server name from the nginx header.

 
