When running a web server, security and privacy are key considerations. By default, Nginx reveals its server name in the HTTP headers, which can provide attackers with information about your server software. To enhance security, you might want to hide or customize this information. In this guide, I'll show you how to hide the server name in Nginx by using the Headers More module.
Step 1: Download and Extract the Headers More Module
First, navigate to the /usr/local/src/ directory where we'll download the Headers More module.
[root@siddhesh ~]# cd /usr/local/src/Download the Headers More module from GitHub:
[root@siddhesh src]# wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.37.zipOnce the download is complete, unzip the file:
[root@siddhesh src]# unzip v0.37.zipStep 2: Reconfigure Nginx with the Headers More Module
Now, navigate to the Nginx source directory. If you've followed previous steps to install Nginx from source, you should already have this directory available.
[root@siddhesh src]# cd nginx-1.25.0Next, reconfigure Nginx to include the Headers More module. This step adds the module to Nginx, allowing you to modify or hide headers such as the server name.
[root@siddhesh nginx-1.25.0]# ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-zlib=/usr/local/src/zlib-1.3.1 --with-openssl=/usr/local/src/openssl-3.0.14 --add-module=/usr/local/src/headers-more-nginx-module-0.37Step 3: Compile and Install Nginx
After configuring Nginx with the new module, compile and install it.
[root@siddhesh nginx-1.25.0]# make
[root@siddhesh nginx-1.25.0]# make installStep 4: Restart Nginx
To apply the changes, restart the Nginx service.
[root@siddhesh ~]# systemctl restart nginxStep 5: Hide the Server Name
Now that the Headers More module is installed, you can use it to hide or customize the server name in your HTTP headers. To do this, add the following directive to your Nginx configuration file (typically found at /etc/nginx/nginx.conf):
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
server_tokens off;
more_set_headers 'Server: BuilddevopsServer';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
}This directive will replace the default Server header with BuilddevopsServer. You can change BuilddevopsServer to any value you prefer, or leave it blank to completely hide the server name.
Step 6: Verify the Configuration
Finally, you can verify that your server name is hidden or customized by using the curl command:
Before :
[root@siddhesh ~]# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 08 Aug 2024 10:03:25 GMT
Content-Type: text/html
Content-Length: 7620
Last-Modified: Wed, 21 Feb 2024 13:12:33 GMT
Connection: keep-alive
ETag: "65d5f6c1-1dc4"
Accept-Ranges: bytes
[root@siddhesh ~]#After :
[root@siddhesh ~]# curl -I http://localhost
HTTP/1.1 200 OK
Date: Thu, 08 Aug 2024 10:02:43 GMT
Content-Type: text/html
Content-Length: 7620
Last-Modified: Wed, 21 Feb 2024 13:12:33 GMT
Connection: keep-alive
ETag: "65d5f6c1-1dc4"
Server: BuilddevopsServer
Accept-Ranges: bytes
[root@siddhesh ~]#This command will return the HTTP headers, allowing you to check that the Server header is set to your custom value or is hidden as configured.
Conclusion
By following these steps, you've successfully hidden or customized the server name in Nginx using the Headers More module. This small but important change can help improve the security and privacy of your web server, making it less prone to attacks that target specific server software.
Comments