📝 Juan Gallego IV's Notes

NGINX: hiding version

Tags: #nginx #security

Recently, I learned about the importance of hiding the NGINX version, which is information attackers can use. Let's hide it.

Two spots

Headers

The version can be read from the response headers. For example, a request to the stock Docker image returns the following:

$ curl --head localhost
HTTP/1.1 200 OK
Server: nginx/1.25.3
Date: Sat, 24 Feb 2024 21:59:54 GMT
Content-Type: text/html
Content-Length: 1579
Last-Modified: Fri, 23 Feb 2024 20:02:11 GMT
Connection: keep-alive
ETag: "65d8f9c3-62b"
Accept-Ranges: bytes

To hide this info, I will add the server_tokens off; directive to the default configuration. This is the result:

$ curl --head localhost
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 24 Feb 2024 22:00:56 GMT
Content-Type: text/html
Content-Length: 1579
Last-Modified: Fri, 23 Feb 2024 20:02:11 GMT
Connection: keep-alive
ETag: "65d8f9c3-62b"
Accept-Ranges: bytes

404 error

The default 404 error page shows the NGINX version in its HTML. It just needs to be replaced by a custom one.
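
To confirm that both spots are clean after a change, the check below scans a raw response (as printed by `curl -si`) for an `nginx/<version>` token in the Server header and in the body. It is an added example, not part of the original notes; the function names and the two sample responses are constructed for illustration.

```shell
# Constructed sample: default install, version visible in both spots.
sample_default() {
  printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: nginx/1.25.3' \
    'Content-Type: text/html' '' \
    '<html><body><center><h1>404 Not Found</h1></center>' \
    '<hr><center>nginx/1.25.3</center></body></html>'
}

# Constructed sample: same request with server_tokens off and a custom 404.html.
sample_hardened() {
  printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: nginx' \
    'Content-Type: text/html' '' \
    '<html><body><h1>Page not found!</h1></body></html>'
}

# Reads a raw HTTP response (headers, blank line, body) on stdin and prints
# one line per leak: "header: ..." for a versioned Server header,
# "body: ..." for a version token found in the page itself.
find_version_leaks() {
  tr -d '\r' | awk '
    # The first empty line ends the headers.
    in_body == 0 && $0 == "" { in_body = 1; next }
    in_body == 0 && tolower($0) ~ /^server:/ && $0 ~ /nginx\/[0-9]/ {
      print "header: " $0
    }
    in_body == 1 && match($0, /nginx\/[0-9][0-9.]*/) {
      print "body: " substr($0, RSTART, RLENGTH)
    }
  '
}

# Exit status 0 when the response on stdin exposes no version, 1 otherwise.
response_is_clean() {
  [ -z "$(find_version_leaks)" ]
}

# Live use: request a path that does not exist so the 404 page is returned, e.g.
#   curl -si http://localhost/no-such-page | find_version_leaks
```

Because `response_is_clean` returns a plain exit status, it can gate an image build or a deployment smoke test.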

Copy & paste

Dockerfile

# syntax=docker/dockerfile:1
# pin a specific nginx version tag here
FROM nginx:alpine

COPY nginx.conf /etc/nginx/conf.d/default.conf

COPY 404.html /usr/share/nginx/html

nginx.conf

server {
  listen       80;
  server_name  localhost;
  server_tokens off;

  location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
  }

  error_page  404              /404.html;
  location = /404.html {
    root /usr/share/nginx/html;
  }

  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /usr/share/nginx/html;
  }
}


404.html

<!DOCTYPE html>
<html>
  <head>
    <title>Oh oh, 404!</title>
    <style>
      html { color-scheme: light dark; }
      body { width: 35em; margin: 0 auto;
             font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
  </head>
  <body>
    <h1>Page not found!</h1>
    <p>Sorry, the page you are looking for does not exist.</p>

    <p><a href="javascript:history.back()">Go Back</a></p>
  </body>
</html>

References

https://www.cyberciti.biz/faq/hide-nginx-version-in-linux-and-unix/