With the following /etc/nginx/sites-available/default file configurations, it seems I am unable to get the Server header to remove the Phusion Passenger version. This may be working as expected since it's successfully removing the nginx version, but it's not removing the Phusion Passenger details.
I am also unable to hide the X-Powered-By header.
This is an example verbose curl response:
$ curl https://my.website.com -v
...
> GET / HTTP/1.1
> Host: my.website.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Mon, 13 Jun 2022 22:01:50 GMT
< Server: nginx Phusion Passenger(R) 6.0.14
< Status: 200 OK
< Vary: Accept-Encoding, Origin
< X-Powered-By: Phusion Passenger(R) 6.0.14
< Content-Length: 52
< Connection: keep-alive
<
* Connection #0 to host my.website.com left intact
"OK"
/etc/nginx/sites-available/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    if ($http_x_forwarded_proto = 'http') {
        return 301 https://$host$request_uri;
    }
    passenger_enabled on;
    root ...;
    server_name _;
    server_tokens off;
    location ~ /\.(?!well-known) {
        deny all;
    }
    location / {
        proxy_hide_header X-Powered-By;
        passenger_ruby ...;
        passenger_base_uri /;
        passenger_app_root ...;
        passenger_document_root ...;
        passenger_min_instances ...;
    }
}
CodePudding user response:
Got the following answer from Phusion themselves:
passenger_show_version_in_header off;
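A way to check the result after reloading nginx, as an added example that is not part of the original answer: it parses `curl -v` output and reports any Server or X-Powered-By header that still carries a version number. BEFORE is the response from the question; AFTER is a constructed sample that assumes the headers keep the product name with the version dropped.

```python
import re

WATCHED = ("server", "x-powered-by")        # headers that name server software
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")   # dotted number, e.g. 6.0.14

# Response headers from the question, as printed by `curl -v`.
BEFORE = """\
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Mon, 13 Jun 2022 22:01:50 GMT
< Server: nginx Phusion Passenger(R) 6.0.14
< X-Powered-By: Phusion Passenger(R) 6.0.14
"""

# Constructed sample (assumption): same headers with the version removed.
AFTER = """\
< HTTP/1.1 200 OK
< Server: nginx Phusion Passenger(R)
< X-Powered-By: Phusion Passenger(R)
"""


def parse_headers(text):
    """Return (name, value) pairs from raw headers or `curl -v` output."""
    headers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith((">", "*")):
            continue                      # request lines and curl notes
        if line.startswith("<"):
            line = line[1:].strip()       # curl marks response lines with '<'
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name or " " in name:
            continue                      # status line, blank line, body
        headers.append((name.lower(), value.strip()))
    return headers


def version_leaks(text):
    """Return {header: version} for watched headers that expose a version."""
    leaks = {}
    for name, value in parse_headers(text):
        match = VERSION_RE.search(value)
        if name in WATCHED and match:
            leaks[name] = match.group(0)
    return leaks


if __name__ == "__main__":
    print("before:", version_leaks(BEFORE))
    print("after: ", version_leaks(AFTER))
```

To run it against a live site, pass the captured output of `curl -sv https://my.website.com -o /dev/null 2>&1` to `version_leaks`.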