To hide nginx server response header - nginx

We have installed the Nginx ingress controller through Helm. For our app we have maintained settings separately in the config maps. The application is working fine.
As far as security is concerned, we want to hide the Nginx server and version details from the response header.
We explored a lot and found the solutions below:
- Set server_tokens off; in the nginx.conf file
- Set server-tokens = false in the config map file on the AKS portal.
None of the solutions is working currently.
Any ideas?
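An added check for the situation above (not code from the question or from ingress-nginx): server_tokens off only removes the version, the name "nginx" stays, and the ingress controller reads exactly one ConfigMap, named by its --configmap argument, so editing an application ConfigMap has no effect. Assumed names: Deployment "ingress-nginx-controller" in namespace "ingress-nginx" and host app.example.com.

```shell
#!/bin/sh
# Added example, not from the question. Assumed names: the controller
# Deployment is "ingress-nginx-controller" in namespace "ingress-nginx" and
# the public host is app.example.com; adjust both to your Helm release.

# Classify the Server header of an HTTP response read on stdin:
#   version -> "Server: nginx/1.21.6"  (server_tokens still on)
#   name    -> "Server: nginx"         (server_tokens off; nginx keeps the name,
#                                       removing it needs the headers-more module)
#   hidden  -> no Server header at all
server_header_status() {
  srv=$(tr -d '\r' | grep -i '^server:' | cut -d: -f2- | sed 's/^ *//' | head -n 1)
  if [ -z "$srv" ]; then echo hidden
  elif echo "$srv" | grep -Eq '[0-9]+\.[0-9]+'; then echo version
  else echo name
  fi
}

# Pull "<namespace>/<name>" out of the controller's --configmap=... argument.
# The server-tokens key only works in that ConfigMap; an application
# ConfigMap carrying the same key is never read by the controller.
configmap_from_args() {
  printf '%s\n' "$1" | tr ' ,"[]' '\n\n\n\n\n' | sed -n 's/^--configmap=//p' | head -n 1
}

# Constructed sample of a default response and of the controller's args.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.21.6
Content-Type: text/html'
SAMPLE_ARGS='["/nginx-ingress-controller","--configmap=ingress-nginx/ingress-nginx-controller"]'

sample_status()    { printf '%s\n' "$SAMPLE_RESPONSE" | server_header_status; }  # version
sample_configmap() { configmap_from_args "$SAMPLE_ARGS"; }  # ingress-nginx/ingress-nginx-controller

# Live procedure (needs kubectl and curl; commented out so the file runs offline):
#   ARGS=$(kubectl -n ingress-nginx get deploy ingress-nginx-controller \
#           -o jsonpath='{.spec.template.spec.containers[0].args}')
#   CM=$(configmap_from_args "$ARGS")
#   kubectl -n "${CM%/*}" patch configmap "${CM#*/}" --type merge \
#           -p '{"data":{"server-tokens":"false"}}'
#   sleep 5; curl -sI https://app.example.com/ | server_header_status   # expect: name
```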

Related

Change nginx http server blocks dynamically

I am doing a PoC on an nginx server. It would listen on ports and redirect the path to different domains. The servers I am adding are dynamic in nature.
The server config blocks look like below:
[server config block shown in an attached image, not reproduced here]
I have to fetch the server name|port address from an API and create servers based on it. The number of servers may increase or decrease; it is dynamic in nature.
What I tried was creating new-config.conf, which is already included into nginx.conf. I am writing the server config dynamically into new-config.conf and restarting nginx after it.
I need something where I don't have to restart nginx and can embed the server config into nginx.conf.
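One way to do what the question asks without a restart, as an added example (not code from the poster): render the included file from the API records, validate, and use nginx -s reload, which keeps the master process and lets old workers finish. Assumptions: the API returns one "name port target" line per server (a constructed sample stands in for the curl call), nginx.conf already includes /etc/nginx/conf.d/new-config.conf, and nginx runs on the same host.

```shell
#!/bin/sh
# Added example, not from the question. See the lead-in for the assumptions.

# Render one server block per "name port target" line read on stdin.
# Records are validated first: an API value containing ';', '{' or '}'
# would otherwise land in the config as extra directives.
render_server_blocks() {
  while read -r name port target; do
    case "$name"   in ""|*[!A-Za-z0-9.-]*) echo "skip: bad name '$name'" >&2; continue ;; esac
    case "$port"   in ""|*[!0-9]*)         echo "skip: bad port '$port'" >&2; continue ;; esac
    case "$target" in http://*|https://*) ;; *) echo "skip: bad target '$target'" >&2; continue ;; esac
    case "$target" in *[!A-Za-z0-9.:/_-]*) echo "skip: bad target '$target'" >&2; continue ;; esac
    printf 'server {\n    listen %s;\n    server_name %s;\n    location / {\n        proxy_pass %s;\n    }\n}\n' \
      "$port" "$name" "$target"
  done
}

# Write the rendered blocks over the included file, validate the whole
# config with nginx -t, then reload; on a validation failure put the previous
# file back so one bad API record cannot take the proxy down.
apply_config() {
  conf="$1"
  render_server_blocks > "$conf.new"
  [ -f "$conf" ] && cp "$conf" "$conf.bak"
  mv "$conf.new" "$conf"
  if nginx -t; then
    nginx -s reload
  else
    echo "config rejected, restoring previous version" >&2
    [ -f "$conf.bak" ] && mv "$conf.bak" "$conf"
    return 1
  fi
}

# Constructed sample API output; the third record must be rejected.
SAMPLE_SERVERS='app1.example.test 8081 http://10.0.0.11:3000
app2.example.test 8082 http://10.0.0.12:3000
evil;name 8083 http://10.0.0.13:3000'

render_sample() { printf '%s\n' "$SAMPLE_SERVERS" | render_server_blocks 2>/dev/null; }
# Live usage: curl -s https://api.example.test/servers | apply_config /etc/nginx/conf.d/new-config.conf
```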

Nginx reverse proxy blocks large files to aiohttp server

Nginx is used as a reverse proxy on the app server for all requests to a Python aiohttp web application. A browser client uploading a file of size 220kb and above to the server fails through nginx. Without nginx in the loop the file upload works fine. There is no response from nginx when uploading a larger file and it just hangs; nginx only responds after killing the POST method. I have tried modifying different client buffer sizes and timeouts but that did not help.
Tried different options with the following configuration settings:
    client_body_in_file_only clean;
    client_body_buffer_size 32K;
    client_max_body_size 30M;
    send_timeout 300s;
I do not have your setting, but here is a guide that may help you with aiohttp and NGINX. I use python-socketio, aiohttp and nginx:
Declare the file upload size in web.Application(); this is easy to miss :)
    web.Application(client_max_size=1024**2*30)
Check if your NGINX has both HTTP and HTTPS and declare it in both places:
    client_max_body_size 30M;
Using Gunicorn or not does NOT matter, but it is highly recommended.
Hope this helps.
Steve

nginx reverse proxy doesn't load application resources

I have 2 web services running on my machine (inside docker containers, but I think it doesn't matter); they are reachable at the following addresses:
    my.ip:1111
    my.ip:2222
I launched an nginx server on port 80 and I would like to configure a reverse proxy to access my services by the following aliases:
    my.ip/app1
    my.ip/app2
So, I added these entries to my /etc/nginx/conf.d/default.conf:
    location /app1/ {
        proxy_pass http://my.ip:1111/;
    }
    location /app2/ {
        proxy_pass http://my.ip:2222/;
    }
The proxy redirects correctly, because the main pages of the web services are visible, so I know that the correct service tries to launch, but all .css/.js/etc resources are unavailable. Services get 404 on all resources, because they try to download them from the "/" path, instead of "/app1/" (or :1111/).
Example from the devtools console:
    GET http://my.ip/app.js net::ERR_ABORTED 404 (Not Found)
(this resource is available at http://my.ip/app1/app.js or http://my.ip:1111/app.js)
I have read a lot of answers about this topic here, but no solution works for me. Any help will be appreciated, thanks!

nginx is dropping headers Microsoft Edge

On my Ubuntu deployment server Nginx is dropping a custom request header (a token), only if the request is coming from Microsoft Edge or Internet Explorer. Requests coming from Firefox, Chrome or Safari just work fine.
I've done a tcpdump to check the difference between the incoming requests, and the requests look exactly the same (only the User-Agent is different, which seems normal). All the browsers are sending the token to nginx.
Because my header contains an underscore, I have in nginx.conf the line
    underscores_in_headers on;
I am logging the header in the access log of nginx, and it shows up for all browsers but IE.
Nginx is proxying to a Python Flask application, using gunicorn. In the Flask application I immediately log the incoming requests, and the token has disappeared if the browser is IE. So apparently nginx drops the header before sending it to gunicorn.
Any advice on what can cause this?
TLDR: Do you use a WAF? Maybe a WAF as a service?
I'd suggest you investigate your full infrastructure/routing topology. There may be load balancers/things in the path that you're not taking into account.
We literally just ran into this exact same issue at my work and your post was the only thing on the internet that sounded like our problem. We ended up figuring out the root cause.
Here's a simplified version of our topology from a DNS routing perspective:
newwebsite.company.com --> Web Application Firewall as a Service (if this fails it fails open) --> Nginx+ (with WAF plugin) --> Kubernetes Nginx Ingress Controller --> Custom Angular Javascript frontend hosted on Nginx Pod
legacywebsite.company.com --> F5 load balancer --> Windows IIS Web Server.
(There was a section of the new site that used the same backend server of the legacy website, and we'd see hidden 500 errors if we used Chrome Developer Tools.
We checked IIS logs and found out headers with underscores were getting stripped from the client's HTTP request before they'd get to the backend IIS server. We found out that we had to add underscores_in_headers on; to every Nginx load balancer in the path, and that fixed it! ... or so we thought. It turned out the problem was fixed for every browser except for Internet Explorer / Microsoft Edge. (Your exact scenario)
The crazy thing is if you were on the one URL path of the new site that would forward your traffic to the old site's load balancers, then you were going through a crazy amount of load balancers. (The nginx pod that hosted the Angular JavaScript frontend would redirect you to the F5 load balancer.) We discovered the root cause by process of elimination, getting rid of that crazy amount of load balancers in the routing in a way that involved minimal testing. I edited my hosts file for newwebsite.company.com to bypass the WAF as a Service and point straight to the Nginx+ LB acting as a WAF, and it started working / no more 500 errors for IE/Edge.
Our theory is that our WAF as a Service was stripping out an HTTP header that has an underscore (which Windows IIS web servers use), and they were only stripping out this HTTP header for Edge/IE. So we've got a ticket with them explaining the situation and directions for reproducibility.

Running jasperserver behind nginx: Potential CSRF attack

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.
internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver
When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:
CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
After some debugging we found the cause for this:
In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the CSRF token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).
The solution is to either:
- nginx: allow underscores in headers
    server {
        ...
        underscores_in_headers on;
    }
- jasperserver: change the token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties
Also see here:
header variables go missing in production
http://wiki.nginx.org/HttpCoreModule#underscores_in_headers
Answered it myself - hopefully this is of some use to others, too.
I had this issue with Jasperserver 5.5 AWS AMI
More specifically:
    /var/lib/tomcat7/webapps/jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties
Change:
    org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
    org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY
To:
    org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
    org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY
My version of Jasperserver looked slightly different; the CSRFGuard files are located in jasperserver/WEB-INF/csrf.
I edited the jrs.csrfguard.properties file.
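An added audit for the two underscore threads above (the Edge/IE header drop and the Jasperserver CSRF failure); it is not code from any of the posters. It checks the nginx part of the path only: by default nginx treats a request header whose name contains an underscore as invalid and drops it, so every such header the backend expects must either be allowed with underscores_in_headers on or renamed, as the jrs.csrfguard.properties edit does. The config and header list are constructed samples; on a real host point it at the files under /etc/nginx.

```shell
#!/bin/sh
# Added example; constructed sample config and header names, see the lead-in.

# Print "on" if the config (comments stripped) enables underscores_in_headers,
# otherwise "off", which is nginx's default.
underscores_setting() {
  if sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*underscores_in_headers[[:space:]]+on[[:space:]]*;'; then
    echo on
  else
    echo off
  fi
}

# Given the config file and the header names the backend expects (one per
# line on stdin), print the ones nginx would silently drop.
dropped_headers() {
  setting=$(underscores_setting "$1")
  while read -r hdr; do
    [ -n "$hdr" ] || continue
    case "$hdr" in
      *_*) [ "$setting" = on ] || echo "$hdr" ;;
    esac
  done
}

# Constructed sample: the directive is present only inside a comment, i.e.
# the fix was "added" to the file but never took effect.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http {
    # underscores_in_headers on;
    server {
        listen 443 ssl;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
}
EOF

# The two token names from the Jasperserver thread plus a constructed
# dash-separated header that passes regardless of the setting.
SAMPLE_HEADERS='JASPER_CSRF_TOKEN
OWASP_CSRFTOKEN
X-Auth-Token'

check_sample() { printf '%s\n' "$SAMPLE_HEADERS" | dropped_headers "$SAMPLE_CONF"; }
```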
