# HG changeset patch
# User Theodoros Tyrovouzis <teotyrov@gmail.com>
# Date 1697653906 -10800
#      Wed Oct 18 21:31:46 2023 +0300
# Node ID 112e223511c087fac000065c7eb99dd88e66b174
# Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
Add "server_identification" http option that hides server information disclosure in responses

In its responses, nginx by default sends a "Server" header which contains "nginx" and the nginx version. Most production systems would want this information hidden, as it is technical information disclosure (https://portswigger.net/web-security/information-disclosure). nginx does provide the option "server_tokens off;" which hides the version, but in order to get rid of the header, nginx needs to be compiled with the headers_more module, for the option "more_clear_headers". This patch provides an http option for hiding that information, which also hides the server information from the default error responses.

An alternative would be to add a new option to server_tokens, e.g. 
"incognito".<br><br>diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.c<br>--- a/src/http/ngx_http_core_module.c Tue Oct 10 15:13:39 2023 +0300<br>+++ b/src/http/ngx_http_core_module.c   Wed Oct 18 21:31:46 2023 +0300<br>@@ -129,6 +129,13 @@<br> };<br> <br> <br>+static ngx_conf_enum_t ngx_http_core_server_identification[] = {<br>+    { ngx_string("off"), NGX_HTTP_SERVER_IDENTIFICATION_OFF },<br>+    { ngx_string("on"), NGX_HTTP_SERVER_IDENTIFICATION_ON },<br>+    { ngx_null_string, 0 }<br>+};<br>+<br>+<br> static ngx_conf_enum_t  ngx_http_core_if_modified_since[] = {<br>     { ngx_string("off"), NGX_HTTP_IMS_OFF },<br>     { ngx_string("exact"), NGX_HTTP_IMS_EXACT },<br>@@ -635,6 +642,13 @@<br>       offsetof(ngx_http_core_loc_conf_t, server_tokens),<br>       &ngx_http_core_server_tokens },<br> <br>+    { ngx_string("server_identification"),<br>+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,<br>+      ngx_conf_set_enum_slot,<br>+      NGX_HTTP_LOC_CONF_OFFSET,<br>+      offsetof(ngx_http_core_loc_conf_t, server_identification),<br>+      &ngx_http_core_server_identification },<br>+<br>     { ngx_string("if_modified_since"),<br>       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,<br>       ngx_conf_set_enum_slot,<br>@@ -3623,6 +3637,7 @@<br>     clcf->chunked_transfer_encoding = NGX_CONF_UNSET;<br>     clcf->etag = NGX_CONF_UNSET;<br>     clcf->server_tokens = NGX_CONF_UNSET_UINT;<br>+    clcf->server_identification = NGX_CONF_UNSET_UINT;<br>     clcf->types_hash_max_size = NGX_CONF_UNSET_UINT;<br>     clcf->types_hash_bucket_size = NGX_CONF_UNSET_UINT;<br> <br>@@ -3901,6 +3916,9 @@<br>     ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens,<br>                               NGX_HTTP_SERVER_TOKENS_ON);<br> <br>+    ngx_conf_merge_uint_value(conf->server_identification, prev->server_identification,<br>+                              NGX_HTTP_SERVER_IDENTIFICATION_ON);<br>+<br>     
ngx_conf_merge_ptr_value(conf->open_file_cache,
                               prev->open_file_cache, NULL);
 
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h      Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.h   Wed Oct 18 21:31:46 2023 +0300
@@ -55,6 +55,10 @@
 #define NGX_HTTP_KEEPALIVE_DISABLE_SAFARI  0x0008
 
 
+#define NGX_HTTP_SERVER_IDENTIFICATION_OFF      0
+#define NGX_HTTP_SERVER_IDENTIFICATION_ON       1
+
+
 #define NGX_HTTP_SERVER_TOKENS_OFF      0
 #define NGX_HTTP_SERVER_TOKENS_ON       1
 #define NGX_HTTP_SERVER_TOKENS_BUILD    2
@@ -405,6 +409,7 @@
     ngx_flag_t    log_subrequest;          /* log_subrequest */
     ngx_flag_t    recursive_error_pages;   /* recursive_error_pages */
     ngx_uint_t    server_tokens;           /* server_tokens */
+    ngx_uint_t    server_identification;   /* server_identification */
     ngx_flag_t    chunked_transfer_encoding; /* chunked_transfer_encoding */
     ngx_flag_t    etag;                    /* etag */
 
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_header_filter_module.c
--- a/src/http/ngx_http_header_filter_module.c      Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_header_filter_module.c  Wed Oct 18 21:31:46 2023 +0300
@@ -283,7 +283,7 @@
 
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             len += sizeof(ngx_http_server_full_string) - 1;
 
@@ -452,7 +452,7 @@
     }
     *b->last++ = CR; *b->last++ = LF;
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == 
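Review bot: The added `ngx_conf_merge_uint_value(conf->server_identification, prev->server_identification,` line is 87 columns wide, past the 80-column limit the nginx sources keep, and should wrap the way the `server_tokens` merge just above it does: `ngx_conf_merge_uint_value(conf->server_identification,` / `prev->server_identification,` / `NGX_HTTP_SERVER_IDENTIFICATION_ON);` with the continuation lines aligned under the first argument. The same overlong line recurs in every filter change — the `if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {` conditions in both hunks of ngx_http_header_filter_module.c, ngx_http_v2_filter_module.c and ngx_http_v3_filter_module.c — where the usual form breaks after `NULL` and aligns `&&` under the opening parenthesis. ngx_http_core_merge_loc_conf continues outside the hunk.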
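Review bot: With `server_identification off` the condition in the @@ -283 hunk is false and no Server header is accounted for, but when `r->headers_out.server` is already set — presumably by another module, e.g. a value copied from an upstream response — the path outside the hunk still emits it, so the directive does not guarantee the header is absent; that matches how `server_tokens` behaves, but it should be stated in the description and on the condition, e.g. `/* server_identification only suppresses the default Server header; an explicitly set value is still sent */`. Independently, the length pass here and the write pass at @@ -452 now repeat the same two-term condition, and the buffer sized from `len` is only correct while the two stay identical; if both sit in ngx_http_header_filter (its start and end are outside the hunks) computing the decision once into a local before the length loop removes that coupling. The same duplication exists in the v2 and v3 filter hunks.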
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             p = ngx_http_server_full_string;
             len = sizeof(ngx_http_server_full_string) - 1;
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_special_response.c
--- a/src/http/ngx_http_special_response.c     Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_special_response.c      Wed Oct 18 21:31:46 2023 +0300
@@ -39,6 +39,12 @@
 ;
 
 
+static u_char ngx_http_error_tail_minimal[] =
+"</body>" CRLF
+"</html>" CRLF
+;
+
+
 static u_char ngx_http_msie_padding[] =
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
@@ -680,17 +686,22 @@
     ngx_uint_t    msie_padding;
     ngx_chain_t   out[3];
 
-    if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
-        len = sizeof(ngx_http_error_full_tail) - 1;
-        tail = ngx_http_error_full_tail;
+    if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
+        if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+            len = sizeof(ngx_http_error_full_tail) - 1;
+            tail = ngx_http_error_full_tail;
 
-    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
-        len = sizeof(ngx_http_error_build_tail) - 1;
-        tail = ngx_http_error_build_tail;
+        } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+            len = sizeof(ngx_http_error_build_tail) - 1;
+            tail = ngx_http_error_build_tail;
 
+        } else {
+            len = sizeof(ngx_http_error_tail) - 1;
+            tail = ngx_http_error_tail;
+        }
     } else {
-        len = sizeof(ngx_http_error_tail) - 1;
-        tail = ngx_http_error_tail;
+        len = sizeof(ngx_http_error_tail_minimal) - 1;
+    
    tail = ngx_http_error_tail_minimal;
     }
 
     msie_padding = 0;
diff -r cdda286c0f1b -r 112e223511c0 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c        Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c   Wed Oct 18 21:31:46 2023 +0300
@@ -217,7 +217,7 @@
 
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             len += 1 + nginx_ver_len;
@@ -421,7 +421,7 @@
         pos = ngx_sprintf(pos, "%03ui", r->headers_out.status);
     }
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
 
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
diff -r cdda286c0f1b -r 112e223511c0 src/http/v3/ngx_http_v3_filter_module.c
--- a/src/http/v3/ngx_http_v3_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v3/ngx_http_v3_filter_module.c   Wed Oct 18 21:31:46 2023 +0300
@@ -158,7 +158,7 @@
 
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             n = sizeof(NGINX_VER) - 1;
 
@@ -339,7 +339,7 @@
         b->last = ngx_sprintf(b->last, "%03ui", r->headers_out.status);
     }
 
-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) 
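Review bot: The new outer `if` in the @@ -680 hunk nests and re-indents all three existing `server_tokens` branches, so the diff is mostly churn on lines whose logic did not change, and the inner closing `        }` is followed directly by `    } else {` without the blank line this function puts before each `} else`. The same selection reads as a flat chain that tests the new setting first and leaves the existing branches exactly as they were, which also keeps the later `tail`/`len` uses unaffected. The enclosing function starts and ends outside the hunk.

```c
    if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_OFF) {
        len = sizeof(ngx_http_error_tail_minimal) - 1;
        tail = ngx_http_error_tail_minimal;

    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
        len = sizeof(ngx_http_error_full_tail) - 1;
        tail = ngx_http_error_full_tail;

    /* … unchanged: NGX_HTTP_SERVER_TOKENS_BUILD branch and default ngx_http_error_tail branch … */
    }
```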
{
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             p = (u_char *) NGINX_VER;
             n = sizeof(NGINX_VER) - 1;