mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Hide nginx version #5234

Open zawadaa opened 1 year ago

zawadaa commented 1 year ago

Summary

Two cases. Headers:

curl -I mail.servercow.de
HTTP/1.1 301 Moved Permanently
Server: nginx/1.23.4
Date: Tue, 16 May 2023 11:40:09 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://mail.servercow.de/

and body:

curl mail.servercow.de
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.23.4</center>
</body>
</html>

Headers are easy: server_tokens off; but where can I disable the nginx version in PHP code?

Motivation

Security. IMO it's always better to show less.

Additional context

No response

Unterstrichmoepunterstrich commented 9 months ago

Hello @zawadaa, that should be easy to realize without doing it in PHP. I tried it right now on a current Nginx. First install libnginx-mod-http-headers-more-filter on Debian-based systems.

Add to your nginx.conf (or an included file):

http {
         server_tokens off;
         more_set_headers 'Server:';
}

and then you get

curl -I localhost
HTTP/1.1 200 OK
Date: Sat, 18 Nov 2023 00:18:00 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Fri, 17 Nov 2023 00:39:06 GMT
Connection: keep-alive
ETag: "6556b62a-267"
Accept-Ranges: bytes

Edit: I modified the nginx:alpine container and installed libnginx-mod-http-headers-more-filter. But I don't have an idea where the http block is. I added it in data/conf/nginx/site.conf:

map $http_x_forwarded_proto $client_req_scheme {
     default $scheme;
     https https;
     more_set_headers 'Server:'; #new
}

Do you have any ideas?
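
A check for the two cases raised in this issue (the Server header and the error-page footer), added here as an example that is not part of the original thread or of mailcow's code. The names `audit_response`, `_classify` and `_sample`, the three result labels and the sample responses are constructed for illustration; the samples are modelled on the curl output quoted above.

```python
import re

# Product token followed by a version number, e.g. "nginx/1.23.4".
VERSION_TOKEN = re.compile(r"\bnginx/\d+(?:\.\d+)+", re.IGNORECASE)
PRODUCT_TOKEN = re.compile(r"\bnginx\b", re.IGNORECASE)


def _classify(text: str) -> str:
    """Return "version", "product" (name only) or "hidden" for one text span."""
    if VERSION_TOKEN.search(text):
        return "version"
    if PRODUCT_TOKEN.search(text):
        return "product"
    return "hidden"


def audit_response(raw: str) -> dict:
    """Report what the Server header and the body of one raw response disclose."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    servers = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # names are case-insensitive
            servers.append(value.strip())
    return {"header": _classify(" ".join(servers)), "body": _classify(body)}


def _sample(server_line: str, footer: str) -> str:
    """Constructed 301 response modelled on the curl output quoted in the issue."""
    return ("HTTP/1.1 301 Moved Permanently\r\n" + server_line
            + "Content-Type: text/html\r\n\r\n"
            + "<html>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n"
            + f"<hr><center>{footer}</center>\r\n</body>\r\n</html>\r\n")


# Constructed samples: default config, server_tokens off, and Server header cleared.
BEFORE = _sample("Server: nginx/1.23.4\r\n", "nginx/1.23.4")
TOKENS_OFF = _sample("Server: nginx\r\n", "nginx")
HEADER_CLEARED = _sample("", "nginx")

if __name__ == "__main__":
    for label, raw in [("default", BEFORE), ("server_tokens off", TOKENS_OFF),
                       ("header cleared", HEADER_CLEARED)]:
        print(f"{label:18} {audit_response(raw)}")
```

The third sample keeps `nginx` in the footer because clearing the Server header does not change the body of nginx's built-in error page.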