How to hide nginx version

I don't want people to know which version of my web server I am running, for better security. By default, nginx sends its version in the response header, similar to what ServerTokens and ServerSignature control on Apache. Hiding the web server version makes it harder to match the server against the issues listed in nginx security advisories.

Hiding the nginx version, or disabling the server signature, is simple: turn off server tokens in the basic configuration in nginx.conf, as below:

  http {

    log_format main      '$remote_addr - $remote_user [$time_local]  '
      '"$request" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" '
      '"$gzip_ratio"';

    log_format download   '$http_x_forwarded_for [$remote_addr] - $remote_user [$time_local]  '
      '"$request" $status $bytes_sent '
      '"$http_referer" "$http_user_agent" '
      '"$http_range" "$sent_http_content_range"';

    access_log  logs/nginx_access.log  main;
    error_log   logs/nginx_error.log   debug;

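    # Send "Server: nginx" without the version number, both in response
    # headers and in the footer of nginx-generated error pages.
    server_tokens off;

    # next nginx configuration...
  }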

Then restart or reload nginx service using the following command:

# service nginx restart

To make sure that this setup works, I can use curl or telnet. See the examples below:

# telnet blog.pnyet.web.id 80
Trying 111.68.119.146...
Connected to blog.pnyet.web.id.
Escape character is '^]'.
HEAD / HTTP /1.0
400 Bad Request
400 Bad Request
nginx
Connection closed by foreign host.

The same check with curl:

$ curl -I http://blog.pnyet.web.id
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Nov 2012 18:24:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=qbf20a15njid53h5s2h5f89l01; path=/
X-Pingback: http://blog.pnyet.web.id/xmlrpc.php
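
The two manual checks above (the Server header from curl, the error-page footer from telnet) can be combined into one script. This is an added example, not part of the original post; the function names and the sample responses, including the placeholder version 0.0.0, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where an HTTP response discloses a server version.
# Reads one raw HTTP response on stdin (status line, headers, optional body).
# Prints "header: ..." / "body: ..." for each leak; returns 1 if any, else 0.
audit_server_tokens() {
    tr -d '\r' | awk '
        BEGIN { in_body = 0; leaks = 0 }
        # A blank line ends the header section.
        !in_body && $0 == "" { in_body = 1; next }
        # Header names are case-insensitive; flag "Server: product/digit...".
        !in_body && tolower($0) ~ /^server:[ \t]*[^ \t]+\/[0-9]/ {
            print "header: " $0; leaks++; next
        }
        # nginx error pages repeat the token in the page footer.
        in_body && tolower($0) ~ /nginx\/[0-9]/ {
            print "body: " $0; leaks++
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample responses (0.0.0 is a placeholder, not real server output).
sample_tokens_on() {
    printf 'HTTP/1.1 400 Bad Request\r\nServer: nginx/0.0.0\r\nConnection: close\r\n\r\n'
    printf '<html>\r\n<center><h1>400 Bad Request</h1></center>\r\n'
    printf '<hr><center>nginx/0.0.0</center>\r\n</html>\r\n'
}
sample_tokens_off() {
    printf 'HTTP/1.1 400 Bad Request\r\nServer: nginx\r\nConnection: close\r\n\r\n'
    printf '<html>\r\n<center><h1>400 Bad Request</h1></center>\r\n'
    printf '<hr><center>nginx</center>\r\n</html>\r\n'
}

# Demo: the first response leaks in two places, the second in none.
sample_tokens_on  | audit_server_tokens || echo "server_tokens is still on"
sample_tokens_off | audit_server_tokens && echo "no version disclosed"
```

To check a live server, pipe `curl -si http://your-host/` into `audit_server_tokens`.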

Hope this helps :)
