I have been grappling with this problem for a few days now. No matter what I do my application server keeps returning the NGINX version in the HTTP response headers and it doesn’t meet OWASP security recommendations:
(screenshot: The Dreaded Server Information Response)
I have tried to manually edit the server response in express in every which way I can think of, but the server version keeps showing up despite all of this: (express function attempting to remove server response headers in the overarching app.js file)
app.use(function (req, res, next) {
  // Only headers that this Node process itself sets can be removed here; a Server
  // header added by the nginx reverse proxy in front of the app is not affected.
  res.removeHeader('server');
  res.removeHeader('Server');
  res.removeHeader('x-powered-by');
  res.header('X-powered-by', 'Blood, sweat, and tears.');
  next();
});
I have tried a whole bunch of .ebextensions to modify the nginx.conf file manually on deployment, but none with success, such as the one outlined here: How to hide nginx version in elastic beanstalk
Recently I have decided ‘screw it, I’m just going to upload my own nginx.conf file’ and have been putting that up, but still no success. Here is the nginx.conf file I’m sending to AWS EB in platform/nginx/conf.d
# main (top-level) context
user nginx;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 33282;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    include conf.d/*.conf;

    # more_clear_headers / more_set_headers come from the third-party headers-more
    # module; nginx refuses to start if that module is not loaded.
    more_clear_headers Server;
    server_tokens off;
    more_set_headers 'Server: BLOOD_AND_SWEAT';

    map $http_upgrade $connection_upgrade {
        default "upgrade";
    }

    server {
        listen 80 default_server;
        root /var/app/current/public;

        location / {
        }

        access_log /var/log/nginx/access.log main;

        client_header_timeout 60;
        client_body_timeout 60;
        keepalive_timeout 60;
        gzip off;
        gzip_comp_level 4;   # has no effect while gzip is off

        # repeated at server level; the http-level settings above already apply here
        more_clear_headers Server;
        server_tokens off;
        more_set_headers 'Server: BLOOD_AND_SWEAT';

        # Include the Elastic Beanstalk generated locations
        include conf.d/elasticbeanstalk/01_static.conf;
        include conf.d/elasticbeanstalk/healthd.conf;
    }
}
I have been trying everything and anything for days.
What have I been doing wrong here? Why is this NGINX server information so hard to get rid of!!!??
I think I have made contact with the devil himself, and he cannot be slayed.
3 Answers
Many thanks to Fahim from IntelG who found the problem here.
I had missed the dot in front of platform. As stated in the question above, I was saving the conf file in
platform/nginx/conf.d
should have been
.platform/nginx/conf.d
So much time wasted for such a stupid thing!!!
From this document
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
You can just set server_tokens to off in http{ } section something like this:
In case you ever used this approach to hide the version of nginx, it looks like the latest platform version and solution stack (Node.js 16 AL2 version 5.7.0)
includes
server_tokens off;
by default, which causes a conflict with the value we included in
.platform/nginx/conf.d
Until you remove it, the upgrade will fail.
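Pulling the three answers together, here is an added example (not code from the question or any of the answers) that does two things: it writes the `server_tokens off;` snippet to the path Elastic Beanstalk actually reads, `.platform/nginx/conf.d/` with the leading dot that the first answer identifies as the whole problem, and it checks a captured HTTP response header block for a Server header that still carries a version number, which is the check to run against the deployed environment after `eb deploy`. The snippet file name `01_hide_version.conf`, the function names, and the two header captures are assumptions constructed for the example. Per the third answer, on platform versions that already ship `server_tokens off;` the snippet must be removed again or the deployment fails, so treat the writer function as belonging to the older platform versions the question was asked about.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# 1. write_server_tokens_conf: drop a conf.d snippet into the directory EB reads
#    (.platform/nginx/conf.d, with the leading dot).
# 2. server_header_leaks_version: inspect a raw response header block and report
#    whether the Server header still exposes a version string.
# File name, function names and sample headers are illustrative assumptions.

# Create <project>/.platform/nginx/conf.d/01_hide_version.conf containing only the
# server_tokens directive; EB includes conf.d/*.conf inside its http block, so the
# file must not contain main-context directives such as user or events.
write_server_tokens_conf() {
  project_dir="$1"
  conf_dir="$project_dir/.platform/nginx/conf.d"
  mkdir -p "$conf_dir"
  printf 'server_tokens off;\n' > "$conf_dir/01_hide_version.conf"
  echo "$conf_dir/01_hide_version.conf"
}

# Read response headers on stdin. Return 0 (true) when the Server header value
# contains a version number such as nginx/1.20.0, 1 when it is absent or a bare
# product name such as "nginx".
server_header_leaks_version() {
  server_value=$(tr -d '\r' | awk -F': ' 'tolower($1) == "server" { print $2 }')
  case "$server_value" in
    *[0-9].[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample captures (not real responses) standing in for
#   curl -sI https://<your-eb-environment>/
# before and after the snippet is deployed.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.20.0
Content-Type: text/html'

FIXED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

if printf '%s\n' "$LEAKY_HEADERS" | server_header_leaks_version; then
  echo "before: Server header leaks the nginx version"
fi
if ! printf '%s\n' "$FIXED_HEADERS" | server_header_leaks_version; then
  echo "after: Server header carries no version"
fi
```

The check deliberately accepts a bare product name, since `server_tokens off;` alone leaves `Server: nginx` in place; removing the header entirely needs the headers-more module the question's config relies on, which is a separate question from the path mistake the accepted answer fixes.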