top of page
Writer's pictureSiddhesh Kadam

How to Hide the Server Name in Nginx Using the Headers More Module


How to Hide the Server Name in Nginx Using the Headers More Module

When running a web server, security and privacy are key considerations. By default, Nginx reveals its server name in the HTTP headers, which can provide attackers with information about your server software. To enhance security, you might want to hide or customize this information. In this guide, I'll show you how to hide the server name in Nginx by using the Headers More module.


Step 1: Download and Extract the Headers More Module

First, navigate to the /usr/local/src/ directory where we'll download the Headers More module.

[root@siddhesh ~]# cd /usr/local/src/

Download the Headers More module from GitHub:

Once the download is complete, unzip the file:

[root@siddhesh src]# unzip v0.37.zip

Step 2: Reconfigure Nginx with the Headers More Module

Now, navigate to the Nginx source directory. If you've followed previous steps to install Nginx from source, you should already have this directory available.

[root@siddhesh src]# cd nginx-1.25.0

Next, reconfigure Nginx to include the Headers More module. This step adds the module to Nginx, allowing you to modify or hide headers such as the server name.

[root@siddhesh nginx-1.25.0]# ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-zlib=/usr/local/src/zlib-1.3.1 --with-openssl=/usr/local/src/openssl-3.0.14 --add-module=/usr/local/src/headers-more-nginx-module-0.37

Step 3: Compile and Install Nginx

After configuring Nginx with the new module, compile and install it.

[root@siddhesh nginx-1.25.0]# make
[root@siddhesh nginx-1.25.0]# make install

Step 4: Restart Nginx

To apply the changes, restart the Nginx service.

[root@siddhesh ~]# systemctl restart nginx

Step 5: Hide the Server Name

Now that the Headers More module is installed, you can use it to hide or customize the server name in your HTTP headers. To do this, add the following directive to your Nginx configuration file (typically found at /etc/nginx/nginx.conf):

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    server_tokens off;
    more_set_headers 'Server: BuilddevopsServer';
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
}

This directive will replace the default Server header with BuilddevopsServer. You can change BuilddevopsServer to any value you prefer, or leave it blank to completely hide the server name.


Step 6: Verify the Configuration

Finally, you can verify that your server name is hidden or customized by using the curl command:


Before :

[root@siddhesh ~]# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Aug 2024 10:03:25 GMT
Content-Type: text/html
Content-Length: 7620
Last-Modified: Wed, 21 Feb 2024 13:12:33 GMT
Connection: keep-alive
ETag: "65d5f6c1-1dc4"
Accept-Ranges: bytes
[root@siddhesh ~]#

After :

[root@siddhesh ~]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Thu, 08 Aug 2024 10:02:43 GMT
Content-Type: text/html
Content-Length: 7620
Last-Modified: Wed, 21 Feb 2024 13:12:33 GMT
Connection: keep-alive
ETag: "65d5f6c1-1dc4"
Server: BuilddevopsServer
Accept-Ranges: bytes
[root@siddhesh ~]#

This command will return the HTTP headers, allowing you to check that the Server header is set to your custom value or is hidden as configured.


Conclusion

By following these steps, you've successfully hidden or customized the server name in Nginx using the Headers More module. This small but important change can help improve the security and privacy of your web server, making it less prone to attacks that target specific server software.

Komentarze

Oceniono na 0 z 5 gwiazdek.
Nie ma jeszcze ocen

Oceń
bottom of page