Nginx: Hide server signature - nginx

I have read a lot of questions on StackOverflow. For many people they were helpful, but for me not.
I need to hide the server name, or at least change it.
I wrote a docker file, to download a dynamic module and inject it into the configuration in the next step.
ARG VERSION=alpine
FROM nginx:${VERSION} as builder
ENV MORE_HEADERS_VERSION=0.34
ENV MORE_HEADERS_GITREPO=openresty/headers-more-nginx-module
RUN wget "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz && \
wget "https://github.com/${MORE_HEADERS_GITREPO}/archive/v${MORE_HEADERS_VERSION}.tar.gz" -O extra_module.tar.gz
RUN apk add --no-cache --virtual .build-deps \
gcc \
libc-dev \
make \
openssl-dev \
pcre-dev \
zlib-dev \
linux-headers \
libxslt-dev \
gd-dev \
geoip-dev \
perl-dev \
libedit-dev \
mercurial \
bash \
alpine-sdk \
findutils
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN rm -rf /usr/src/nginx /usr/src/extra_module && mkdir -p /usr/src/nginx /usr/src/extra_module && \
tar -zxC /usr/src/nginx -f nginx.tar.gz && \
tar -xzC /usr/src/extra_module -f extra_module.tar.gz
WORKDIR /usr/src/nginx/nginx-${NGINX_VERSION}
RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') && \
sh -c "./configure --with-compat $CONFARGS --add-dynamic-module=/usr/src/extra_module/*" && make modules
FROM nginx:${VERSION}
COPY --from=builder /usr/src/nginx/nginx-${NGINX_VERSION}/objs/*_module.so /etc/nginx/modules/
COPY devops/nginx/nginx.conf /etc/nginx/
EXPOSE 81 82
CMD ["nginx", "-g", "daemon off;"]
Then, I added the module into the nginx.conf file. (I also tried to load the module without "")
load_module "modules/ngx_http_headers_more_filter_module.so";
And finally, I wrote into http block
http{
more_clear_headers server;
more_set_headers "server: hidden";
server_tokens off;
proxy_pass_header server; //Tried to add it for reverse proxying, but it did not work
}
Only server_tokens off; works. I have removed nginx version, but not it's signature. more_clear_headers and more_set_headers do not affect it. What am I missing?
P.s. Checked the modules folder in the server, and my module loaded correctly
P.p.s. Tried Server with capital S, and it did not work either. (As many suggested, but my response returns it with lowercase)

Related

Access to the path /usr/share\OPC Foundation\pki\own is denied - this happens when deploying the OPC UA server

I have a Dockerfile for a DOTNET application with multi layered image where my first image creates the artifacts and my second image copies the artifacts from first and used for deployment.
I am creating a docker user and a group to avoid the root permission to the user.
when i deploy the application in the kubernetes cluster it doesn't run with the user created.
I am facing issue in accessing the default OPC UA server certificate path and can anyone tell me how to achieve this without providing the root permission to the user.
I also tried to change the location of the certificate in the configmap so that i can store in the image.
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-focal AS build
# passing the root and nuget TLS certificates for the package to download
COPY ./CIdependencies/rootca.cer /etc/ssl/certs/rootca.cer
COPY ./CIdependencies/nuget.cer /etc/ssl/certs/nuget.cer
WORKDIR /etc/ssl/certs
RUN openssl x509 -inform DER -in nuget.cer -out nuget.crt \
&& openssl x509 -inform PEM -in rootca.cer -out rootca.crt \
&& update-ca-certificates \
&& echo $PWD
WORKDIR /src
EXPOSE 62501
COPY ["OPCUAServer.csproj", ""]
RUN dotnet restore "./OPCUAServer.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "OPCUAServer.csproj" -c Release -o /app/build \
&& dotnet publish "OPCUAServer.csproj" -c Release -o /app/publish
FROM ubuntu:20.04
ARG GIT_COMMIT
ARG DS_VERSION=0.0.0.0
# passing the root certificates for the package to download
COPY ./CIdependencies/zscaler-rootca.cer /etc/ssl/certs/rootca.cer
LABEL Name=OPCUAServer Version=$DS_VERSION git_commit=$GIT_COMMIT
#runtime-deps and runtime
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
&& rm -rf /var/lib/apt/lists/*
ENV \
# Configure web servers to bind to port 80 when present
ASPNETCORE_URLS=http://+:8079 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true
# Install .NET Core and ASPdotnet.3.1. focal
RUN dotnet_version=3.1.18 \
# passing the root certificates for the package to download
&& curl -fsl --cacert /etc/ssl/certs/rootca.cer --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-linux-x64.tar.gz \
&& dotnet_sha512='6f06dbc4625fa8a0e64ffb9269b5f657e369fd28e7f27bfd05d4f422c6aa95847b5089d70760024bdf1100990dbbffce220a' \
&& echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \
&& mkdir -p /usr/share/dotnet \
&& tar -ozxf dotnet.tar.gz -C /usr/share/dotnet \
&& rm dotnet.tar.gz \
&& ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \
&& aspnetcore_version=3.1.18 \
&& curl -fsl --cacert /etc/ssl/certs/zscaler-rootca.cer --output aspnetcore.tar.gz https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-linux-x64.tar.gz \
&& aspnetcore_sha512='be29a7611941d9b20d5d3ece64d3ce3c2342ba24bf0382eed3625713ce89957fa15671403af16ccb588397fc0b27e7f028952213e08db6' \
&& echo "$aspnetcore_sha512 aspnetcore.tar.gz" | sha512sum -c - \
&& tar -ozxf aspnetcore.tar.gz -C /usr/share/dotnet ./shared/Microsoft.AspNetCore.App \
&& rm aspnetcore.tar.gz
# Create a user, group and providing permission to access the built files
WORKDIR /app
RUN groupadd -r opc && useradd --no-log-init -r -g opc opc
USER opc
COPY --from=build --chown=opc:opc /app/publish .
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
From the error message, it is permission issue. Please just grant full permission to your folder and you can test it again.

How to run only one thing as root in docker

I'm trying to create a Dockerfile which runs as non-root user.
When i building this all works fine, but nginx cannot write the log file because it dosen't have enough permissions. Can I, when building a Docker, give root permissions only for nginx?
I'm trying chmod, chown for blocked directories. Doesn't work
FROM php:7.1-fpm-alpine
RUN apk add --no-cache shadow
RUN apk add --no-cache --virtual .ext-deps \
openssl \
unzip \
libjpeg-turbo-dev \
libwebp-dev \
libpng-dev \
freetype-dev \
libmcrypt-dev \
imagemagick-dev \
nodejs-npm \
nginx \
git \
inkscape
# imagick
RUN apk add --update --no-cache autoconf g++ imagemagick-dev libtool make pcre-dev \
&& pecl install imagick \
&& docker-php-ext-enable imagick \
&& apk del autoconf g++ libtool make pcre-dev
# Install Blackfire
RUN version=$(php -r "echo PHP_MAJOR_VERSION.PHP_MINOR_VERSION;") \
&& curl -A "Docker" -o /tmp/blackfire-probe.tar.gz -D - -L -s https://blackfire.io/api/v1/releases/probe/php/linux/amd64/$version \
&& tar zxpf /tmp/blackfire-probe.tar.gz -C /tmp \
&& mv /tmp/blackfire-*.so $(php -r "echo ini_get('extension_dir');")/blackfire.so \
&& printf "extension=blackfire.so\nblackfire.agent_socket=tcp://blackfire:8707\n" > $PHP_INI_DIR/conf.d/blackfire.ini
RUN apk add -y icu-dev \
&& docker-php-ext-configure intl \
&& docker-php-ext-install intl
RUN docker-php-ext-configure pdo_mysql && \
docker-php-ext-configure opcache && \
docker-php-ext-configure exif && \
docker-php-ext-configure pdo && \
docker-php-ext-configure zip && \
docker-php-ext-configure gd \
--with-jpeg-dir=/usr/include --with-png-dir=/usr/include --with-webp-dir=/usr/include --with-freetype-dir=/usr/include && \
docker-php-ext-configure sockets && \
docker-php-ext-configure mcrypt
RUN docker-php-ext-install pdo zip pdo_mysql opcache exif gd sockets mcrypt && \
docker-php-source delete
RUN ln -s /usr/bin/php7 /usr/bin/php && \
curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer && \
mkdir -p /run/nginx
COPY ./init.sh /
COPY ./default.conf /etc/nginx/conf.d/default.conf
COPY ./.env /
RUN chmod +x /init.sh
EXPOSE 80
RUN addgroup -g 1001 node \
&& adduser -u 1001 -G node -s /bin/sh -D node
ARG UID=1001
ARG GID=1001
ENV UID=${UID}
ENV GID=${GID}
RUN usermod -u $UID node \
&& groupmod -g $GID node
RUN chown 1001:1001 /var/lib/nginx -R
RUN mkdir -p /var/tmp/nginx
RUN chown 1001:1001 /var/tmp/nginx -R
USER node
ENTRYPOINT [ "/init.sh" ]
There are quite a few unknowns in your question, for example, the contents of your default.conf file. By default the nginx logs are stored in /var/log/nginx, but I'll assume you're overriding that in the configuration.
The next thing is that the master process of nginx needs to be run as root if you wan't it to be able to bind to system ports (0 - 1023) so in case you are using nginx as a web server and intend to use ports 80 and 443 you should stick with running the nginx process as root.
In case you plan to use other ports and are set on the idea of running the master process as non-root, then you can check this answer for suggestions on how to do that - https://stackoverflow.com/a/42329561/5359953
I am using the term master process a lot here, because nginx spawns worker processes to handle the actual requests and those can be run as a different user (Defined in the nginx configuration file)
I found the solution. I just changed RUN chown 1001:1001 /var/lib/nginx -R to RUN chown -R 1001:1001 /var/. Thats works fine
RUN chown -R 1001:1001 /var/
sometimes it's will be actually bad decision.
u can try add permissions like this
RUN chown -R 1001:1001 /var/tmp/nginx
RUN chown -R 1001:1001 /var/lib/nginx
RUN chown -R 1001:1001 /var/log/nginx
RUN chown -R 1001:1001 /run/nginx
I guess RUN chown 1001:1001 /var/lib/nginx -R work wrong because I set the flag -R too late

docker run can't find application

my project structure is:
/docker-test
/app
/static
....
/templates
....
-__init__.py
....
-nginx.conf
-supervisord.conf
-uwsgi.ini
-Dockerfile
-app.py
-requirements.txt
I normally run the app by going into /docker-test>python app.py
Dockerfile:
FROM python:2.7
# Install uWSGI
RUN pip install uwsgi
# Standard set up Nginx
ENV NGINX_VERSION 1.9.11-1~jessie
RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
&& echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list \
&& apt-get update \
&& apt-get install -y ca-certificates nginx=${NGINX_VERSION} gettext-base \
&& rm -rf /var/lib/apt/lists/*
# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80 443
# Finished setting up Nginx
# Make NGINX run on the foreground
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
# Remove default configuration from Nginx
RUN rm /etc/nginx/conf.d/default.conf
# Copy the modified Nginx conf
COPY nginx.conf /etc/nginx/conf.d/
# Copy the base uWSGI ini file to enable default dynamic uwsgi process number
COPY uwsgi.ini /etc/uwsgi/
# Install Supervisord
RUN apt-get update && apt-get install -y supervisor \
&& rm -rf /var/lib/apt/lists/*
# Custom Supervisord config
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY . /deploy
WORKDIR /deploy
RUN pip install -r /deploy/requirements.txt
CMD ["/usr/bin/supervisord"]
app.py:
#!flask/bin/python
from app import app
from flask import url_for
if __name__ == '__main__':
app.run(host='0.0.0.0', debug=True, port=80)
app.add_url_rule('/favicon.ico', edirect_to=url_for('static', filename='favicon.ico'))
supervidord.conf:
[supervisord]
nodaemon=true
[program:uwsgi]
command=/usr/local/bin/uwsgi --ini /etc/uwsgi/uwsgi.ini --ini /deploy/uwsgi.ini
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:nginx]
command=/usr/sbin/nginx
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
nginx.conf:
server {
location / {
include uwsgi_params;
uwsgi_pass unix:///tmp/uwsgi.sock;
}
}
uwsgi.ini:
[uwsgi]
wsgi-file=/app.py
socket = /tmp/uwsgi.sock
chown-socket = nginx:nginx
chmod-socket = 664
cheaper = 2
processes = 16
I am able to docker build and run without issue.
I get 500 error when trying to access the app in chrome:
no python application found
What is your current working directory? This just sounds like wsgi-file=/app.py should be wsgi-file=./app.py or you need to reference the correct absolute location such as wsgi-file=/deploy/app/app.py.

Transfer Large Files Asynchronously In Flask

What is the best approach for transfer large files Asynchronously in Flask? I have read this article. But I want to know if there is a way to do this without using celery?
Flask is a synchronous framework, you can try flask+gevent and streaming responses like explained here: http://flask.pocoo.org/docs/0.12/patterns/streaming/.
Anyway, if you want to upload properly very large files, I suggest you to use a different approach. Instead of trying to do asynchronous networking with a synchronous framework try delegating the transfer with Nginx upload_module, like explained here: http://blog.thisisfeifan.com/2013/03/nginx-upload-module-vs-flask.html
Nginx is faster and won't load up the files in memory, a thing that regular frameworks like Flask or Django even in Asynchronous mode will do. Remember to configure flask to receive after upload POST with directive upload_pass. The only caveat is that you'll have to learn how to compile a full fledge Nginx from source, here an example of working Dockerfile:
FROM buildpack-deps:jessie
##### NGINX #####
# Base Stuff
RUN apt-get update && apt-get install -y -qq \
libssl-dev
# Nginx with upload_module and upload_progress_module
# "Stable version".
ENV ZLIB_VERSION 1.2.11
ENV PCRE_VERSION 8.39
ENV NGX_UPLOAD_MODULE_VERSION 2.2
ENV NGX_UPLOAD_PROGRESS_VERSION 0.9.1
ENV NGX_HEADERS_MORE_VERSION 0.32
ENV NGX_SPPEDPAGE_VERSION 1.11.33.4
ENV NGINX_VERSION 1.11.8
RUN cd /tmp \
&& wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
&& tar xvf nginx-${NGINX_VERSION}.tar.gz \
&& wget https://github.com/openresty/headers-more-nginx-module/archive/v${NGX_HEADERS_MORE_VERSION}.tar.gz \
&& tar -xzvf v${NGX_HEADERS_MORE_VERSION}.tar.gz \
&& wget https://github.com/pagespeed/ngx_pagespeed/archive/latest-stable.tar.gz \
&& tar -xzvf latest-stable.tar.gz \
&& wget https://dl.google.com/dl/page-speed/psol/${NGX_SPPEDPAGE_VERSION}.tar.gz \
&& tar -xzvf ${NGX_SPPEDPAGE_VERSION}.tar.gz \
&& mv psol ngx_pagespeed-latest-stable/ \
&& git clone -b ${NGX_UPLOAD_MODULE_VERSION} https://github.com/Austinb/nginx-upload-module \
&& wget http://zlib.net/zlib-${ZLIB_VERSION}.tar.gz \
&& tar xvf zlib-${ZLIB_VERSION}.tar.gz \
&& wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-${PCRE_VERSION}.tar.bz2 \
&& tar -xjf pcre-${PCRE_VERSION}.tar.bz2 \
&& wget https://github.com/masterzen/nginx-upload-progress-module/archive/v${NGX_UPLOAD_PROGRESS_VERSION}.tar.gz \
&& tar xvf v${NGX_UPLOAD_PROGRESS_VERSION}.tar.gz \
&& cd nginx-${NGINX_VERSION} \
&& ./configure \
--with-pcre=../pcre-${PCRE_VERSION}/ \
--with-zlib=../zlib-${ZLIB_VERSION}/ \
--add-module=../nginx-upload-module \
--add-module=../nginx-upload-progress-module-${NGX_UPLOAD_PROGRESS_VERSION} \
--add-module=../ngx_pagespeed-latest-stable \
--add-module=../headers-more-nginx-module-${NGX_HEADERS_MORE_VERSION} \
--with-select_module \
--with-poll_module \
--with-file-aio \
--with-http_ssl_module \
--with-ipv6 \
--with-pcre-jit \
--with-http_gzip_static_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--user=nginx --group=nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --with-cpu-opt=CPU -- with-ld-opt="-Wl,-E" \
&& make \
&& make install
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
NOTE: Please in this image is lacking the provision of nginx.conf and default.conf.

how to upload JAR to Nexus OSS 3?

How to perform an upload of a jar via curl the Nexus 3?
I tried using the link tips but without success.
Here are my attempts:
curl -v -F r = -F releases hasPom = true and = -F jar -F file = #. / v12.1.0.1 / pom.xml -F file = #. / v12.1.0.1 / ojdbc7.jar -u admin: admin123 http: // localhost: 8081 / repository / maven releases
curl -v -F r = -F releases hasPom = false -F and -F jar = g = com.oracle.jdbc -F = ojdbc7 -F v = 1.0 p = -F jar -F file = #. / v12 .1.0.1 / ojdbc7.jar -u admin: admin123 http: // localhost: 8081 / repository / maven releases
Both have 400 Bad Request.
Contents of directory
cert_for_nexus.pem
curl.exe
pom.xml
utils-1.0.jar
Nexus v3 is configured for http
curl -v -u admin:admin123 --upload-file pom.xml http://localhost:8081/nexus/repository/maven-releases/org/foo/utils/1.0/utils-1.0.pom
curl -v -u admin:admin123 --upload-file utils-1.0.jar http://localhost:8081/nexus/repository/maven-releases/org/foo/utils/1.0/utils-1.0.jar
Nexus v3 is configured for https
prerequisite: must have curl with SSL enabled (link - left menu)
curl -v --cacert cert_for_nexus.pem -u admin:admin123 --upload-file pom.xml https://localhost:8443/nexus/repository/maven-releases/org/foo/utils/1.0/utils-1.0.pom
curl -v --cacert cert_for_nexus.pem -u admin:admin123 --upload-file utils-1.0.jar https://localhost:8443/nexus/repository/maven-releases/org/foo/utils/1.0/utils-1.0.jar
Contents of pom.xml
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>org.foo</groupId>
<artifactId>utils</artifactId>
<version>1</version>
</project>
EDIT: fixed -u order for both https examples
You could use nexus-cli.
docker run -ti -v $(pwd):$(pwd):ro sjeandeaux/nexus-cli:0.2.0 \
-repo=http://nexus:8081/repository/maven-releases \
-user=admin \
-password=admin123 \
-file=$(pwd)/upload.jar \
-groupID=your.group \
-artifactID=yourArtifactID \
-version=0.1.0 \
-hash md5 \
-hash sha1
I've modified your code as below. Please try this.
curl -v -F r=releases -F hasPom=false -F e=jar -F g=com.oracle.jdbc -F a=ojdbc7 -F v=1.0 -F p=jar -F file=#"./v12.1.0.1/ojdbc7.jar" -u admin:admin123 http://localhost:8081/nexus/service/local/artifact/maven/content
Also I would suggest using the full path rather than relative path. Can you share where you are using this curl snippet? Any CI tool like Jenkins?

Resources