Following on from The Hooded Apache, I thought it was about time to cover Nginx configuration.

Nginx is not exempt from security issues, and as with apache certain versions can vulnerable to a specific attack, as such the first line of defense is you hide your nginx version.

This can be done via:

1
2
3
4

server {
    server_tokens off;
    ...
}

This changes the put from

1

Server: nginx/1.0.12

To

1

Server: nginx

You could if you are so inclined change the server string in the c code itself

src/http/ngx_http_header_filter_module.c

...
static char ngx_http_server_string[] = "Server: my_modified_server" CRLF;
static char ngx_http_server_full_string[] = "Server: my_modified_server/release_version" CRLF;
...

To err is human …

Sometimes standard responses can be used for service fingerprinting as such error documents could still give away your running server version even if you were to edit the header code as per above, again this could be done by modifying the C code to only return “” for each error page, in which case you will need to edit

src/http/ngx_http_special_response.c

...
static char ngx_http_error_301_page[] = "";

I’m not going to list all of them you should get the idea from the exmaple above; however this is not really required, you can also swap out the default error pages with standard configuration.

1

error_page 404 = /path/to/custom/404.html;

A strong Front …

Nginx ofetn gets used to proxy other services, as such you could be revealing the backend technologies in use due to the backend server sending headers such as X-Powered-By.

This where in your proxy configure options you can have nginx intercept and remove the headers being sent by the backend.

1

proxy_hide_headers X-Powered-By;