NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Hide Server: openresty from HTTP headers #1061

Open oxismailxo opened 3 years ago

oxismailxo commented 3 years ago

Hello NPM community,

Is it possible to hide Server: openresty from the HTTP headers? If yes, how, please?

Thank you in advance.

l4rm4nd commented 3 years ago

Usually one would modify the /etc/nginx/nginx.conf and do

server_tokens                 "";

However, this only works for commercial nginx versions and not for nginx proxy manager. You would have to compile from source and patch the disclosed version information. Alternatively, you would have to install additional modules like nginx-extras, which allows stuff like this.

Note that hiding server banners is security through obscurity. You should rather focus on a proper patch management process to keep your assets updated with the most recent patch releases. Disclosing openresty in a server's HTTP response does not introduce any security issues.

Currently, the configuration specifies a best practice directive such as

server_tokens                 off;

This successfully hides the exact version number of openresty. This is sufficient from a security perspective.
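
A check for the `server_tokens off;` behaviour described in the comment above, as an added example that is not part of the thread or of the NPM project: it parses a raw HTTP response and reports whether the Server header or an nginx-style error-page footer still carries a version number. The function names, sample responses and version numbers are constructed for illustration.

```python
import re

# "product/1.2.3" tokens such as "openresty/1.19.9.1" or "nginx/1.18.0".
VERSIONED = re.compile(r"\b(?:openresty|nginx)/\d+(?:\.\d+)+", re.IGNORECASE)


def audit_response(raw: str) -> dict:
    """Report where a raw HTTP/1.x response discloses a server version."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    in_header = VERSIONED.search(server)
    in_body = VERSIONED.search(body)  # error pages repeat the token in a footer
    return {
        "status": int(status_line.split()[1]),
        "server": server,
        "version_in_header": in_header.group(0) if in_header else None,
        "version_in_body": in_body.group(0) if in_body else None,
        "discloses_version": bool(in_header or in_body),
    }


def sample_404(header_token: str, footer_token: str) -> str:
    """Build a constructed 404 response (sample data, not a capture)."""
    body = ("<html><body><center><h1>404 Not Found</h1></center>"
            f"<hr><center>{footer_token}</center></body></html>")
    return ("HTTP/1.1 404 Not Found\r\n"
            f"Server: {header_token}\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples; the version numbers are illustrative only.
TOKENS_ON = sample_404("openresty/1.19.9.1", "openresty/1.19.9.1")
TOKENS_OFF = sample_404("openresty", "openresty")
BODY_ONLY = sample_404("openresty", "nginx/1.18.0")  # clean header, versioned footer

if __name__ == "__main__":
    for label, raw in [("on", TOKENS_ON), ("off", TOKENS_OFF), ("body-only", BODY_ONLY)]:
        print(label, audit_response(raw))
```

The `BODY_ONLY` sample covers the case where the header is clean but the response body still shows a versioned footer, which a header-only check would miss.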

oxismailxo commented 3 years ago

Alright @l4rm4nd, thank you so much for the clarification & the detailed answer!

I appreciate your help.

jc21 commented 3 years ago

Great response @l4rm4nd

FYI openresty is compiled for NPM here should anyone feel like suggesting tweaks in future.

l4rm4nd commented 3 years ago

> Great response @l4rm4nd
>
> FYI openresty is compiled for NPM here should anyone feel like suggesting tweaks in future.

So if one really wants to alter the disclosed openresty product name, it should be possible via an additional build option in build-openresty. Just define your custom name like MyCustomServerName and specify it for the ./configure call:

./configure \
        ...
        --build=MyCustomServerName \
        ...

jc21 commented 3 years ago

Yeah it's possible. You can open a PR on the docker-nginx-full project to test that and CI will build it for you. Beware that builds take over an hour with all the architectures to build for.

github-actions[bot] commented 3 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: