[PATCH] http option for server identification removal

Teo Tyrov teotyrov at gmail.com
Wed Oct 18 18:38:24 UTC 2023


# HG changeset patch
# User Theodoros Tyrovouzis <teotyrov at gmail.com>
# Date 1697653906 -10800
#      Wed Oct 18 21:31:46 2023 +0300
# Node ID 112e223511c087fac000065c7eb99dd88e66b174
# Parent  cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
Add "server_identification" http option that hides server information
disclosure in responses

In its responses, nginx by default sends a "Server" header which contains
"nginx" and the nginx version. Most production systems want this
information hidden, as it is a technical information disclosure
(https://portswigger.net/web-security/information-disclosure). nginx does
provide the option "server_tokens off;", which hides the version, but in
order to remove the header entirely, nginx needs to be compiled with the
headers_more module for its "more_clear_headers" option. This patch
provides an http option for hiding that information, which also hides the
server information from the default error responses.

An alternative would be to add a new option to server_tokens, e.g.
"incognito".

diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -129,6 +129,13 @@
 };


+static ngx_conf_enum_t ngx_http_core_server_identification[] = {
+    { ngx_string("off"), NGX_HTTP_SERVER_IDENTIFICATION_OFF },
+    { ngx_string("on"), NGX_HTTP_SERVER_IDENTIFICATION_ON },
+    { ngx_null_string, 0 }
+};
+
+
 static ngx_conf_enum_t  ngx_http_core_if_modified_since[] = {
     { ngx_string("off"), NGX_HTTP_IMS_OFF },
     { ngx_string("exact"), NGX_HTTP_IMS_EXACT },
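Review bot: The new on/off table at the top of this hunk reimplements what `ngx_conf_set_flag_slot` already provides for two-state directives; neighbouring fields of ngx_http_core_loc_conf_t such as `etag` and `chunked_transfer_encoding` are `ngx_flag_t` parsed as flags, and the enum form additionally requires the two `NGX_HTTP_SERVER_IDENTIFICATION_*` defines added in ngx_http_core_module.h. If no third value is planned, declaring `ngx_flag_t server_identification;`, using `ngx_conf_set_flag_slot` in the directive entry and `ngx_conf_merge_value(conf->server_identification, prev->server_identification, 1);` in the merge function would remove this table and the defines. If a further mode is anticipated, a one-line comment on the table saying so would justify the enum. Separately, the declaration spacing `ngx_conf_enum_t ngx_http_core_server_identification` differs from the adjacent `ngx_conf_enum_t  ngx_http_core_if_modified_since`, which uses the double-space alignment found in the rest of the file.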
@@ -635,6 +642,13 @@
       offsetof(ngx_http_core_loc_conf_t, server_tokens),
       &ngx_http_core_server_tokens },

+    { ngx_string("server_identification"),
+
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_enum_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_core_loc_conf_t, server_identification),
+      &ngx_http_core_server_identification },
+
     { ngx_string("if_modified_since"),

 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_enum_slot,
@@ -3623,6 +3637,7 @@
     clcf->chunked_transfer_encoding = NGX_CONF_UNSET;
     clcf->etag = NGX_CONF_UNSET;
     clcf->server_tokens = NGX_CONF_UNSET_UINT;
+    clcf->server_identification = NGX_CONF_UNSET_UINT;
     clcf->types_hash_max_size = NGX_CONF_UNSET_UINT;
     clcf->types_hash_bucket_size = NGX_CONF_UNSET_UINT;

@@ -3901,6 +3916,9 @@
     ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens,
                               NGX_HTTP_SERVER_TOKENS_ON);

+    ngx_conf_merge_uint_value(conf->server_identification,
prev->server_identification,
+                              NGX_HTTP_SERVER_IDENTIFICATION_ON);
+
     ngx_conf_merge_ptr_value(conf->open_file_cache,
                               prev->open_file_cache, NULL);

diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_core_module.h Wed Oct 18 21:31:46 2023 +0300
@@ -55,6 +55,10 @@
 #define NGX_HTTP_KEEPALIVE_DISABLE_SAFARI  0x0008


+#define NGX_HTTP_SERVER_IDENTIFICATION_OFF      0
+#define NGX_HTTP_SERVER_IDENTIFICATION_ON       1
+
+
 #define NGX_HTTP_SERVER_TOKENS_OFF      0
 #define NGX_HTTP_SERVER_TOKENS_ON       1
 #define NGX_HTTP_SERVER_TOKENS_BUILD    2
@@ -405,6 +409,7 @@
     ngx_flag_t    log_subrequest;          /* log_subrequest */
     ngx_flag_t    recursive_error_pages;   /* recursive_error_pages */
     ngx_uint_t    server_tokens;           /* server_tokens */
+    ngx_uint_t    server_identification;   /* server_identification */
     ngx_flag_t    chunked_transfer_encoding; /* chunked_transfer_encoding
*/
     ngx_flag_t    etag;                    /* etag */

diff -r cdda286c0f1b -r 112e223511c0
src/http/ngx_http_header_filter_module.c
--- a/src/http/ngx_http_header_filter_module.c Tue Oct 10 15:13:39 2023
+0300
+++ b/src/http/ngx_http_header_filter_module.c Wed Oct 18 21:31:46 2023
+0300
@@ -283,7 +283,7 @@

     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             len += sizeof(ngx_http_server_full_string) - 1;

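Review bot: The compound condition added here is repeated verbatim in the write pass of this function (the `@@ -452` hunk) and again in both passes of ngx_http_v2_filter_module.c and ngx_http_v3_filter_module.c; if any one copy drifts, the computed length no longer matches what is written. Evaluating it once after `clcf` is fetched, e.g. `ngx_uint_t  emit_server = (r->headers_out.server == NULL && clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON);`, and testing `if (emit_server)` in both passes keeps them in lockstep; the enclosing function starts before this hunk, so I am assuming both passes share its scope, as the existing `len` and `p` usage suggests. Wrapping the long condition onto a second line indented to the opening parenthesis would also match the surrounding style instead of exceeding the line width. Note that the check only suppresses nginx's own Server header: when `headers_out.server` has been populated by another module it is presumably still emitted regardless of `server_identification`, which is worth stating in the directive's documentation if that is the intended contract.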
@@ -452,7 +452,7 @@
     }
     *b->last++ = CR; *b->last++ = LF;

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             p = ngx_http_server_full_string;
             len = sizeof(ngx_http_server_full_string) - 1;
diff -r cdda286c0f1b -r 112e223511c0 src/http/ngx_http_special_response.c
--- a/src/http/ngx_http_special_response.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/ngx_http_special_response.c Wed Oct 18 21:31:46 2023 +0300
@@ -39,6 +39,12 @@
 ;


+static u_char ngx_http_error_tail_minimal[] =
+"</body>" CRLF
+"</html>" CRLF
+;
+
+
 static u_char ngx_http_msie_padding[] =
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
 "<!-- a padding to disable MSIE and Chrome friendly error page -->" CRLF
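Review bot: `ngx_http_error_tail_minimal` carries no comment tying it to the other tails, so a later change to the markup the error bodies open (or to `ngx_http_error_tail`, whose closing `;` is visible just above) could leave this one unbalanced; a short comment such as `/* ngx_http_error_tail without the server name line; must close the same elements */` would document the relationship, hedged on my reading that it is meant as a drop-in alternative to the existing tails.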
@@ -680,17 +686,22 @@
     ngx_uint_t    msie_padding;
     ngx_chain_t   out[3];

-    if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
-        len = sizeof(ngx_http_error_full_tail) - 1;
-        tail = ngx_http_error_full_tail;
+    if (clcf->server_identification == NGX_HTTP_SERVER_IDENTIFICATION_ON) {
+        if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+            len = sizeof(ngx_http_error_full_tail) - 1;
+            tail = ngx_http_error_full_tail;

-    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
-        len = sizeof(ngx_http_error_build_tail) - 1;
-        tail = ngx_http_error_build_tail;
+        } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+            len = sizeof(ngx_http_error_build_tail) - 1;
+            tail = ngx_http_error_build_tail;

+        } else {
+            len = sizeof(ngx_http_error_tail) - 1;
+            tail = ngx_http_error_tail;
+        }
     } else {
-        len = sizeof(ngx_http_error_tail) - 1;
-        tail = ngx_http_error_tail;
+        len = sizeof(ngx_http_error_tail_minimal) - 1;
+        tail = ngx_http_error_tail_minimal;
     }

     msie_padding = 0;
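Review bot: Nesting the existing `server_tokens` chain one level deeper re-indents nine lines that do not otherwise change and makes the diff harder to review than it needs to be; the same behaviour is obtained by testing the new setting first as a guard branch and leaving the original chain in place. The rewrite below keeps the selection logic identical, including the fallthrough to `ngx_http_error_tail` when `server_tokens` is neither `on` nor `build`.
```c
    if (clcf->server_identification != NGX_HTTP_SERVER_IDENTIFICATION_ON) {
        len = sizeof(ngx_http_error_tail_minimal) - 1;
        tail = ngx_http_error_tail_minimal;

    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
        len = sizeof(ngx_http_error_full_tail) - 1;
        tail = ngx_http_error_full_tail;

    } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
        /* … unchanged: build tail … */

    } else {
        /* … unchanged: default tail … */
    }
```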
diff -r cdda286c0f1b -r 112e223511c0 src/http/v2/ngx_http_v2_filter_module.c
--- a/src/http/v2/ngx_http_v2_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -217,7 +217,7 @@

     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {

         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             len += 1 + nginx_ver_len;
@@ -421,7 +421,7 @@
         pos = ngx_sprintf(pos, "%03ui", r->headers_out.status);
     }

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {

         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
diff -r cdda286c0f1b -r 112e223511c0 src/http/v3/ngx_http_v3_filter_module.c
--- a/src/http/v3/ngx_http_v3_filter_module.c Tue Oct 10 15:13:39 2023 +0300
+++ b/src/http/v3/ngx_http_v3_filter_module.c Wed Oct 18 21:31:46 2023 +0300
@@ -158,7 +158,7 @@

     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             n = sizeof(NGINX_VER) - 1;

@@ -339,7 +339,7 @@
         b->last = ngx_sprintf(b->last, "%03ui", r->headers_out.status);
     }

-    if (r->headers_out.server == NULL) {
+    if (r->headers_out.server == NULL && clcf->server_identification ==
NGX_HTTP_SERVER_IDENTIFICATION_ON) {
         if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
             p = (u_char *) NGINX_VER;
             n = sizeof(NGINX_VER) - 1;