nginx.conf:
server_tokens off;
Why could this get ignored, the header is still sent:
Server: nginx
No, other included config files do not contain server_tokens configuration.
Yes, I did restart all services.
To cite the docs on the server_tokens directive:
Enables or disables emitting nginx version in error messages and in the “Server” response header field.
According to the docs, it thus doesn't prevent the generation of the Server header but only prevents the addition of the exact version. If you want to completely remove the servers header, you could use the ngx_headers_more module.
"The setting works as documented"
The above is kinda insane... (Sorry Hulgar Just, but if you don't understand the rant you should probably not answer.)
Nginx doesn't need to broadcast out its version and the server OS, basically ever, outside of debug situations, shouldn't actually be a question. nor should people wanting to stop that insane behavior be a problem to anyone who knows anything about infosec.
As it stands site failures even with the "feature' enabled, results in disclosure of information that is unnecessary for visitors. The absolute best you can do is disable it in all your site configs, but when they die you still have a problem. Patching is the only way at the moment sadly...
Related
This must be very common knowledge I can't seem to get. I don't even know the keywords to explain this. I'll use what I understand till now. So here is the situation I'm in,
localhost:5000 ('/') takes to a base page. I set localhost/api as location in nginx to the same port. So going to localhost/api is the same thing as going to localhost:5000.
Now as usual, some UI is there with some text box and different buttons. Normally, form-action for some button goes to ('/run') endpoint and the process continues. But after setting nginx, I expected this localhost/api/run in url box of browser but got localhost/run instead. This is the issue.
Here what I added to /etc/nginx/sites-available/default
location /api {
proxy_pass http://127.0.0.1:5000/;
}
I must tell you I know little to nothing about nginx (you already got that I guess). I just know what it is use for. I'd really appreciate a quick and general solution to this, and if someone could direct me to a playground for learning nginx would be wonderfull.
I've searched Google / this forum for this but can't find anything relevant so apologies in advance if this has been covered elsewhere.
I've enabled Opcache on my server and have GeoIP enabled.
The default fastcgi_cache_key directive is:
fastcgi_cache_key "$scheme$request_method$host$request_uri";
How can this be modified to include the user country (from GeoIP) so that each country has a separate cache entry for each page?
As far as I'm aware, the GeoIP headers are set in the server {} block which is loaded after /etc/nginx/nginx.conf (where the fastcgi_cache_key) is set.
Additionally, I've tried setting the fastcgi_cache_key in the individual site conf file but this only works when only 1 site is enabled.
Have I missed a really simple step here?
Many thanks,
James
I have set up my nginx.conf file to use proxy caching from tutorials I have found online. However, I am trying to figure out how to check if it is actually working. I've read somewhere that adding add_header X-Cache-Status $upstream_cache_status; to the config file in the server section should add a caching header to a response that will show if it was from cache (has values of either a HIT, MISS or EXPIRED). However, I'm wondering WHERE I can actually view this header(and its value) as well as if this is the right way/if there is another way. I'm very new to web in general so sorry if this is a noob question. Thanks!
You have it the right way, to see the headers send back you need to check in your http client. Obviously how to do it, if you can do it, will depend on your client
Here some easy ways to see the headers:
1. curl --head http://your-adress
2. wget --server-response http://your-adress
3. in firefox, install the [liveheaders][1] addon,
go the <url>, rightclick->View page info->headers
4. in opera open dragonfly with ctrl+i
go to network->make request part of the tool,
enter http://your-adress,
the result with headers will be shown in the response field
Is it possible to change your server name in HTTP Response Headers from nginx to something else. I want to do it to confuse prying eyes and enhanced security.
You will need to go into the core code, find where this is, change this and recompile Nginx.
Not worth the trouble really.
There is the server tokens directive that will hide the version number. http://wiki.nginx.org/HttpCoreModule#server_tokens.
Not much use in terms of security either really but at least not so much trouble to achieve.
I'm seeing several exceptions a day on a very low traffic site. The exceptions look like this:
Missing host to link to! Please provide the :host parameter,
set default_url_options[:host], or set :only_path to true
actionpack (3.1.1) lib/action_dispatch/http/url.rb:25:in `url_for'
-------------------------------
Request:
-------------------------------
* URL : http:///
This is abridged for clarity, but there are no other significant identifying details. There is no user agent or referer for instance. What appears to be going on is that these are HTTP/1.0 requests lacking the Host header. Now it's strange to me that this exception even occurs, because the domain name in question is canonicalized by nginx using 301s, therefore it's impossible to even reach the Rails app without using the correct domain.
I don't understand why Rails would depend on that header anyway, since it seems Nginx should be passing through the more reliable canonical domain, however I am not familiar with Rack internals. If anyone has any guidance for how to best solve this I would appreciate it.
Is there a good reason Rails/Rack is depending on this header?
Is there potentially a Rack bug here?
Should I inject the header with a middleware?
Should I hack something in Rails to suppress it?
Should I configure Nginx to reject HTTP/1.0 requests?
It may be impossible to reach the application without the client using the correct domain, but that's not the issue here. The issue is the server knowing the correct domain. Without a Host header and without a fully-qualified URL, how can the server know what host the client requested?