# HG changeset patch # User Theodoros Tyrovouzis <teoty...@gmail.com> # Date 1697653906 -10800 # Wed Oct 18 21:31:46 2023 +0300 # Node ID 112e223511c087fac000065c7eb99dd88e66b174 # Parent cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc Add "server_identification" http option that hides server information disclosure in responses
In its responses, nginx by default sends a "Server" header which contains "nginx" and the nginx version. Most production systems would want this information hidden, as it is technical information disclosure ( https://portswigger.net/web-security/information-disclosure). nginx does provide the option "server_tokens off;" which hides the version, but in order to get rid of the header, nginx needs to be compiled with the headers_more module, for the option "more_clear_headers". This patch provides an http option for hiding that information, which also hides the server information from the default error responses. An alternative would be to add a new option to server_tokens, e.g. "incognito".
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -129,6 +129,13 @@
 };
+static ngx_conf_enum_t ngx_http_core_server_identification[] = {
+ { ngx_string("off"), NGX_HTTP_SERVER_IDENTIFICATION_OFF },
+ { ngx_string("on"), NGX_HTTP_SERVER_IDENTIFICATION_ON },
+ { ngx_null_string, 0 }
+};
+
+
 static ngx_conf_enum_t ngx_http_core_if_modified_since[] = {
 { ngx_string("off"), NGX_HTTP_IMS_OFF },
 { ngx_string("exact"), NGX_HTTP_IMS_EXACT },
@@ -635,6 +642,13 @@
 offsetof(ngx_http_core_loc_conf_t, server_tokens),
 &ngx_http_core_server_tokens },
+ { ngx_string("server_identification"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_enum_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, server_identification),
+ &ngx_http_core_server_identification },
+
 { ngx_string("if_modified_since"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_enum_slot,
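Review bot: The new `server_identification` directive in the @@ -635 hunk accepts only `on`/`off` yet is wired through `ngx_conf_set_enum_slot` with its own enum table, whereas the file's other on/off directives (the `ngx_flag_t` fields such as `etag` and `chunked_transfer_encoding` visible in the header hunk) use `ngx_conf_set_flag_slot`. Unless a third value such as the `incognito`-style option mentioned in the description is planned, the entry can become `ngx_conf_set_flag_slot,` followed by `offsetof(ngx_http_core_loc_conf_t, server_identification), NULL },`, with the field typed `ngx_flag_t` and the enum table plus the two `NGX_HTTP_SERVER_IDENTIFICATION_*` defines dropped. Whichever form is kept, the directive needs documentation stating that `off` makes `server_tokens` irrelevant for both the `Server` header and the default error page, because that interaction is not obvious from the name. The directive table this hunk edits starts and ends outside the hunk.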
@@ -3623,6 +3637,7 @@
 clcf->chunked_transfer_encoding = NGX_CONF_UNSET;
 clcf->etag = NGX_CONF_UNSET;
 clcf->server_tokens = NGX_CONF_UNSET_UINT;
+ clcf->server_identification = NGX_CONF_UNSET_UINT;
 clcf->types_hash_max_size = NGX_CONF_UNSET_UINT;
 clcf->types_hash_bucket_size = NGX_CONF_UNSET_UINT;
@@ -3901,6 +3916,9 @@
 ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens, NGX_HTTP_SERVER_TOKENS_ON);
+ ngx_conf_merge_uint_value(conf->server_identification, prev->server_identification,
+ NGX_HTTP_SERVER_IDENTIFICATION_ON);
+
 ngx_conf_merge_ptr_value(conf->open_file_cache, prev->open_file_cache, NULL);
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.h Wed Oct 18 21:31:46 2023 +0300
@@ -55,6 +55,10 @@
 #define NGX_HTTP_KEEPALIVE_DISABLE_SAFARI 0x0008
+#define NGX_HTTP_SERVER_IDENTIFICATION_OFF 0
+#define NGX_HTTP_SERVER_IDENTIFICATION_ON 1
+
+
 #define NGX_HTTP_SERVER_TOKENS_OFF 0
 #define NGX_HTTP_SERVER_TOKENS_ON 1
 #define NGX_HTTP_SERVER_TOKENS_BUILD 2
@@ -405,6 +409,7 @@
 ngx_flag_t log_subrequest; /* log_subrequest */
 ngx_flag_t recursive_error_pages; /* recursive_error_pages */
 ngx_uint_t server_tokens; /* server_tokens */
+ ngx_uint_t server_identification; /* server_identification */
 ngx_flag_t chunked_transfer_encoding; /* chunked_transfer_encoding */
 ngx_flag_t etag; /* etag */
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_header_filter_module.c
--- a/src/http/ngx_http_header_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_header_filter_module.c Wed Oct 18 21:31:46 2023 +0300
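Review bot: In the @@ -3901 merge hunk the added `ngx_conf_merge_uint_value(conf->server_identification, prev->server_identification,` line runs past nginx's 80-column limit; wrap it like the neighbouring `server_tokens` merge, `ngx_conf_merge_uint_value(conf->server_identification,` / `prev->server_identification,` / `NGX_HTTP_SERVER_IDENTIFICATION_ON);` with the continuation lines aligned under the first argument. Defaulting to `NGX_HTTP_SERVER_IDENTIFICATION_ON` preserves today's header and error-page output for existing configurations, which is the right backward-compatible choice and deserves a sentence in the directive documentation. The merge function this hunk edits starts and ends outside the hunk.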
@@ -283,7 +283,7 @@
 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 len += sizeof(ngx_http_server_full_string) - 1;
@@ -452,7 +452,7 @@
 }
 *b->last++ = CR; *b->last++ = LF;
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 p = ngx_http_server_full_string;
 len = sizeof(ngx_http_server_full_string) - 1;
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_special_response.c
--- a/src/http/ngx_http_special_response.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_special_response.c Wed Oct 18 21:31:46 2023 +0300
@@ -39,6 +39,12 @@
 ;
+static u_char ngx_http_error_tail_minimal[] =
+"</body>" CRLF
+"</html>" CRLF
+;
+
+
 static u_char ngx_http_msie_padding[] =
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
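Review bot: The new condition in the length pass at @@ -283, `if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {`, is over 100 columns and is repeated verbatim in the write pass at @@ -452, so a future edit to one and not the other would make the reserved `len` and the bytes actually written disagree. Compute it once where `clcf` is fetched, e.g. `send_server = (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON);`, and test `if (send_server) {` in both places, which also keeps the lines within nginx's 80-column limit. The check only suppresses the `Server` value nginx would synthesise itself: a value already in `r->headers_out.server`, presumably including one a module copied from an upstream response, is still emitted, so the directive documentation should say that `server_identification off` does not hide an upstream's `Server` header. The header filter these hunks edit starts and ends outside the hunk.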
@@ -680,17 +686,22 @@
 ngx_uint_t msie_padding;
 ngx_chain_t out[3];
- if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
- len = sizeof(ngx_http_error_full_tail) - 1;
- tail = ngx_http_error_full_tail;
+ if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
+ if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+ len = sizeof(ngx_http_error_full_tail) - 1;
+ tail = ngx_http_error_full_tail;
- } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
- len = sizeof(ngx_http_error_build_tail) - 1;
- tail = ngx_http_error_build_tail;
+ } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+ len = sizeof(ngx_http_error_build_tail) - 1;
+ tail = ngx_http_error_build_tail;
+ } else {
+ len = sizeof(ngx_http_error_tail) - 1;
+ tail = ngx_http_error_tail;
+ }
 } else {
- len = sizeof(ngx_http_error_tail) - 1;
- tail = ngx_http_error_tail;
+ len = sizeof(ngx_http_error_tail_minimal) - 1;
+ tail = ngx_http_error_tail_minimal;
 }
 msie_padding = 0;
diff -r cdda286c0f1b -r 112e223511c0 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -217,7 +217,7 @@
 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 len += 1 + nginx_ver_len;
@@ -421,7 +421,7 @@
 pos = ngx_sprintf(pos, "%03ui", r->headers_out.status);
 }
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
diff -r cdda286c0f1b -r 112e223511c0 src/http/v3/ngx_http_v3_filter_module.c
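Review bot: The tail selection in the @@ -680 hunk wraps the entire existing three-way `server_tokens` chain one level deeper inside `if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON)`, re-indenting lines whose logic does not change and making the diff larger than the behaviour change warrants. Testing the `off` case first keeps the original chain untouched and the selection flat; the rewritten lines are below. Separately, `ngx_http_error_tail_minimal` removes only the sign-off tail, so the remainder of the default error body is unchanged and, if that markup is distinctive, will presumably still fingerprint nginx — a sentence in the directive documentation would stop operators overestimating what `off` hides. The function this hunk edits starts outside the hunk.
```c
    if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_OFF) {
        len = sizeof(ngx_http_error_tail_minimal) - 1;
        tail = ngx_http_error_tail_minimal;

    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
        len = sizeof(ngx_http_error_full_tail) - 1;
        tail = ngx_http_error_full_tail;

    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
        len = sizeof(ngx_http_error_build_tail) - 1;
        tail = ngx_http_error_build_tail;

    } else {
        len = sizeof(ngx_http_error_tail) - 1;
        tail = ngx_http_error_tail;
    }
    /* … unchanged: msie_padding handling … */
```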
--- a/src/http/v3/ngx_http_v3_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v3/ngx_http_v3_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -158,7 +158,7 @@
 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 n = sizeof(NGINX_VER) - 1;
@@ -339,7 +339,7 @@
 b->last = ngx_sprintf(b->last, "%03ui", r->headers_out.status);
 }
- if (r->headers_out.server == NULL) {
+ if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
 p = (u_char *) NGINX_VER;
 n = sizeof(NGINX_VER) - 1;
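Review bot: The HTTP/3 filter repeats the same long compound test in the size pass at @@ -158 and again in the write pass at @@ -339, with each `if` line exceeding nginx's 80-column limit. Evaluating it once beside `clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);`, as `send_server = (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON);`, and testing `if (send_server) {` in both passes keeps the byte count reserved for the `server` field and the bytes written from ever diverging. Both hunks are fragments of a header filter whose start and end are outside the hunk.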