Forum: NGINX HTTP header manipulation

Nuno Magalhães (Guest)
on 2009-02-21 00:32
(Received via mailing list)
I thought i'd use a different thread instead of stealing Paul's...

HTTP-header manipulation is another type of exploit which does relate
to the webserver. On that, how can i prevent nginx from sending the
server name? I.e., given this:

[...]
GET / HTTP/1.1
Host: localhost
Accept: text/html

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Feb 2009 22:08:31 GMT
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
Connection: keep-alive

I'd like to remove or spoof that "Server .." line. I've done these
changes on my files:

/etc/nginx/nginx.conf
[...]
http {
[...]
server_tokens off;
[...]

/etc/nginx/fastcgi_params
[...]
fastcgi_param  SERVER_SOFTWARE    apache; #or whatever string
fastcgi_param  SERVER_NAME        again... some string here;

I'm also fiddling with error pages so they present my error pages,
which also includes "msie_padding on;" in .conf but this is its
default setting anyway.

However, the server name does still go out in the response header. Am i
missing something in the config? Do i have to reboot/reHUP the server
again? Have to use PHP or something to filter the headers?

Nuno Magalhães
LU#484677
Maxim D. (Guest)
on 2009-02-21 02:21
(Received via mailing list)
Hello!

On Fri, Feb 20, 2009 at 10:17:41PM +0000, Nuno Magalhães wrote:

>
> HTTP/1.1 200 OK
> Server: nginx
> Date: Fri, 20 Feb 2009 22:08:31 GMT
> Content-Type: text/html; charset=utf8
> Transfer-Encoding: chunked
> Connection: keep-alive
>
> I'd like to remove or spoof that "Server .." line. I've done these
> changes on my files:

No way.  Switching off server_tokens is the only thing you may do
without nginx source code modification.

Personally I think that even switching off server_tokens is wrong
way to go.  It doesn't give you extra security but instead false
sense of it - at the cost of much more complicated debugging and
defeating your own security analysis.  It's much better to keep
your software up-to-date instead.

BTW, charset in the example above is wrong.  There is no "utf8"
charset, it's called "utf-8".  Full list of registered character
sets can be found here:

http://www.iana.org/assignments/character-sets.

> fastcgi_param  SERVER_NAME        again... some string here;
You don't trust even your own fastcgi apps?  Funny. :)

Maxim D.
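A small checker for the two points raised above (that "server_tokens off" only drops the version while the Server header itself stays, and that "utf8" is not a registered charset name). This is an added example written for this thread, not code from nginx or from either poster; the sample response is the one quoted in the question, and KNOWN_CHARSETS is an assumed small subset of the IANA registry.

```python
import http.client
import re

# Assumed subset of the IANA character-sets registry; "utf8" is deliberately
# absent because only "utf-8" is registered.
KNOWN_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}

def parse_headers(raw):
    """Split a raw HTTP response head into (status line, {name: value}),
    with header names lower-cased so lookups are case-insensitive."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [l for l in head.split("\n") if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_headers(headers):
    """Report what the response discloses: a Server header with a version
    (server_tokens still on), a bare product name (server_tokens off, which
    is as far as nginx config goes), and any charset not in the registry."""
    findings = []
    server = headers.get("server")
    if server is None:
        findings.append("no Server header")
    elif re.search(r"/\d", server):
        findings.append("Server header discloses version: %s" % server)
    else:
        findings.append("Server header names software only: %s" % server)
    m = re.search(r"charset=([^;\s]+)", headers.get("content-type", ""), re.I)
    if m and m.group(1).lower() not in KNOWN_CHARSETS:
        findings.append("unregistered charset: %s" % m.group(1))
    return findings

def audit_live(host, port=80, path="/"):
    """Fetch one response from a running server and audit its headers;
    try an error path too, since error pages carry the Server header as well."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, audit_headers(headers)

# Constructed sample: the response quoted in the question above.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 20 Feb 2009 22:08:31 GMT\r\n"
          "Content-Type: text/html; charset=utf8\r\nTransfer-Encoding: chunked\r\n"
          "Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE)
    print(status)
    for finding in audit_headers(hdrs):
        print(" -", finding)
```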
Nuno Magalhães (Guest)
on 2009-02-21 02:56
(Received via mailing list)
> No way.  Switching off server_tokens is the only thing you may do
> without nginx source code modification.

However "nginx" does still appear in a 403 (i'm in the process of
editing the error pages). Eventually i added "add_headers Server
weee;" to my conf, but that didn't have any effect, even with a 200
OK.

> Personally I think that even switching off server_tokens is wrong
> way to go.  It doesn't give you extra security but instead false
> sense of it

It doesn't secure anything per se, but it's harder for people to
figure out which webserver is running and thus harder to find exploits
for said server.

> BTW, charset in the example above is wrong.  There is no "utf8"
> charset, it's called "utf-8".

Thanks!

> You don't trust even your own fastcgi apps?  Funny. :)

Being an internal service? Meh...

Nuno Magalhães
LU#484677
Merlin (Guest)
on 2009-02-24 04:52
(Received via mailing list)
On Fri, Feb 20, 2009 at 4:48 PM, Nuno Magalhães
<removed_email_address@domain.invalid> wrote:

> > Personally I think that even switching off server_tokens is wrong
> > way to go.  It doesn't give you extra security but instead false
> > sense of it
>
> It doesn't secure anything per se, but it's harder for people to
> figure out which webserver is running and thus harder to find exploits
> for said server.


HTTP fingerprinting is a very low wall.  If someone seriously capable is
attempting to exploit you, spoofing or removing your server string won't
matter in the least as they will employ fingerprinting techniques.  I'm just
gonna leave this here...
http://www.net-square.com/httprint/httprint_paper.html

-Merlin