DEV Community

Serhat Teker

Posted on • Originally published at tech.serhatteker.com on

Hide NGINX Version

By default, the Nginx version is displayed in the HTTP response headers generated by the Nginx server.

For instance, the config below is taken from the Docker Nginx 1.18 stable image:

# /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

If we send a request to the server, we get headers like the ones below:

$ http --headers localhost:8080

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 612
Content-Type: text/html
Date: Fri, 30 Oct 2020 15:05:27 GMT
ETag: "5e9eea60-264"
Last-Modified: Tue, 21 Apr 2020 12:43:12 GMT
Server: nginx/1.18.0

I used httpie but you can use curl as well:

$ curl -I localhost:8080

Hiding

To hide the Nginx version in the Server header, we need to add server_tokens off; to the config file.

# /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    # Here we add
    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

Now if you send a request you will see:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 612
Content-Type: text/html
Date: Fri, 30 Oct 2020 15:05:27 GMT
ETag: "5e9eea60-264"
Last-Modified: Tue, 21 Apr 2020 12:43:12 GMT
Server: nginx

INFO

We can set server_tokens in http, server, or location context only.
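
To confirm the setting from the outside, the script below checks both the Server header and an error page body, since server_tokens also controls the version shown in nginx's default error pages. It is an added example, not part of the original post; the function names, the `__no_such_page__` path and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect nginx version disclosure in an HTTP response.

# Print the Server header value from raw response headers on stdin.
# Header names are case-insensitive and wire lines end in CRLF.
server_header() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed when stdin contains an "nginx/<version>" token.
leaks_version() {
    grep -Eiq 'nginx/[0-9]+(\.[0-9]+)*'
}

# check_response HEADERS [BODY]: return 0 if clean, 1 if the version leaks.
check_response() {
    hdr=$(printf '%s' "$1" | server_header)
    if printf '%s\n' "$hdr" | leaks_version; then
        echo "FAIL: Server header discloses version: $hdr"; return 1
    fi
    if printf '%s' "${2:-}" | leaks_version; then
        echo "FAIL: error page body discloses version"; return 1
    fi
    echo "OK: Server header is '${hdr:-<absent>}'"
}

# Live check, e.g. check_url http://localhost:8080
# The 404 path is a hypothetical name chosen only to trigger an error page.
check_url() {
    check_response "$(curl -sI "$1")" "$(curl -s "$1/__no_such_page__")"
}

# Constructed samples: headers as shown on this page, plus the footer of
# nginx's default error page with server_tokens on and off.
HDR_ON=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx/1.18.0\r\n')
HDR_OFF=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n')
BODY_ON='<hr><center>nginx/1.18.0</center>'
BODY_OFF='<hr><center>nginx</center>'

check_response "$HDR_ON" "$BODY_ON" || true
check_response "$HDR_OFF" "$BODY_OFF"
```

Because server_tokens can be set per server or location, run `check_url` against each virtual host you serve, not only the default one.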

All done!
