How to hide NGINX server information in elastic beanstalk express application?

Time:05-09

I have been grappling with this problem for a few days now. No matter what I do my application server keeps returning the NGINX version in the HTTP response headers and it doesn't meet OWASP security recommendations:

[Screenshot: "The Dreaded Server Information Response" - the NGINX version shown in the Server response header]

I have tried to manually edit the server response in express in every which way I can think of, but the server version keeps showing up despite all of this: (express function attempting to remove server response headers in the overarching app.js file)

// Express middleware: strip the identifying headers and replace X-Powered-By.
// Note that this only affects headers Express itself sets; headers added by
// the NGINX proxy in front of the app are added after the response leaves Node.
app.use(function(req, res, next) {
    res.removeHeader('server');
    res.removeHeader('Server');
    res.removeHeader("x-powered-by");
    res.header("X-powered-by", "Blood, sweat, and tears.");
    next();
});

I have tried a whole bunch of .ebextensions to modify the nginx.conf file manually on deployment, but none with success, such as the one outlined here: How to hide nginx version in elastic beanstalk

Recently I decided 'screw it, I'm just going to upload my own nginx.conf file' and have been putting that up, but still no success. Here is the nginx.conf file I'm sending to AWS EB in platform/nginx/conf.d:

user                    nginx;
error_log               /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    33282;

events {
    worker_connections  1024;
}

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  include       conf.d/*.conf;
  
  more_clear_headers Server;
  server_tokens off;
  more_set_headers 'Server: BLOOD_AND_SWEAT';

  map $http_upgrade $connection_upgrade {
      default     "upgrade";
  }

  server {
      listen        80 default_server;
      root /var/app/current/public;

      location / {
      }

      access_log    /var/log/nginx/access.log main;

      client_header_timeout 60;
      client_body_timeout   60;
      keepalive_timeout     60;
      gzip                  off;
      gzip_comp_level       4;

      more_clear_headers Server;
      server_tokens off;
      more_set_headers 'Server: BLOOD_AND_SWEAT';

      # Include the Elastic Beanstalk generated locations
      include conf.d/elasticbeanstalk/01_static.conf;
      include conf.d/elasticbeanstalk/healthd.conf;
  }
}

I have been trying everything and anything for days. What have I been doing wrong here? Why is this NGINX server information so hard to get rid of!!!??

I think I have made contact with the devil himself, and he cannot be slayed.

CodePudding user response:

From this document:

http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

You can just set server_tokens to off in the http { } section, something like this:

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

CodePudding user response:

Many thanks to Fahim from IntelG who found the problem here.

I had missed the dot in front of platform. As stated in the question above, I was saving the conf file in

platform/nginx/conf.d

should have been

.platform/nginx/conf.d

So much time wasted for such a stupid thing!!!
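Two checks that would have caught both halves of this thread before deployment: whether the nginx override sits under a `.platform/` path (a `platform/` path without the dot is not picked up by Elastic Beanstalk) and whether a response still discloses the nginx version or the framework. This is an added example, not code from the question or the answers; the file paths and the HTTP responses are constructed inline.

```python
"""Pre-deploy sanity checks for an Elastic Beanstalk nginx override (added example)."""
import re
from typing import Dict, List

# Elastic Beanstalk only honours nginx overrides under the hidden directory.
CORRECT_PREFIX = ".platform/nginx/"
WRONG_PREFIX = "platform/nginx/"      # the mistake from the question: missing dot


def check_bundle_paths(paths: List[str]) -> List[str]:
    """Return one warning per nginx override placed at platform/ instead of .platform/."""
    warnings = []
    for p in paths:
        if p.startswith(WRONG_PREFIX):
            fixed = CORRECT_PREFIX + p[len(WRONG_PREFIX):]
            warnings.append(f"{p}: missing leading dot, move it to {fixed}")
    return warnings


# "nginx/1.20.0" style version suffix; with server_tokens off the header is just "nginx".
VERSION_RE = re.compile(r"/\d+\.\d+")


def check_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response and report disclosure findings."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = {}
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings["server"] = f"version disclosed: {server}"
    if "x-powered-by" in headers:
        findings["x-powered-by"] = f"framework disclosed: {headers['x-powered-by']}"
    return findings


if __name__ == "__main__":
    # Constructed sample bundle listing and response, mirroring the thread.
    print(check_bundle_paths(["platform/nginx/conf.d/custom.conf", "app.js"]))
    sample = ("HTTP/1.1 200 OK\r\nServer: nginx/1.20.0\r\n"
              "X-Powered-By: Express\r\nContent-Type: text/html\r\n\r\n<html>")
    print(check_headers(sample))
```

The header check can be fed the output of `curl -si` against the deployed environment; an empty result means neither the nginx version nor the framework name is being disclosed.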
