"server_tokens off" still showing server software
Igor Sysoev
is at rambler-co.ru
Mon Mar 10 21:43:35 MSK 2008
On Mon, Mar 10, 2008 at 06:20:15PM +0000, Igor Clark wrote:
> We're running a site for a large company using 0.5.35. Their IT
> security team insists that the "Server: nginx" HTTP header must be
> removed. I've set "server_tokens off" in both http and server
> sections, and the version number is no longer shown, but I still get
> "Server: nginx".
>
> I need to remove this completely, as they may actually insist we
> change server software if this is not done.
>
> Is there a way to do this through config?
>
> In the meantime, as I don't have time to learn the ngx code well
> enough to add a config directive of my own, I've *removed* the
> following lines in src/http/ngx_http_header_filter_module.c, rebuilt,
> and the header is, obviously, no longer sent.
>
> But will this cause other problems?
>
> 48: static char ngx_http_server_string[] = "Server: nginx" CRLF;
> 49: static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
>
> 127: { ngx_string("Server"), offsetof(ngx_http_headers_out_t, server) },
>
> 243:     if (r->headers_out.server == NULL) {
> 244:         len += clcf->server_tokens ? sizeof(ngx_http_server_full_string) - 1:
> 245:                                      sizeof(ngx_http_server_string) - 1;
> 246:     }
>
> 284:               + r->server_name.len
>
> 295:               + r->server_name.len
>
> 369:     if (r->headers_out.server == NULL) {
> 370:         if (clcf->server_tokens) {
> 371:             p = (u_char *) ngx_http_server_full_string;
> 372:             len = sizeof(ngx_http_server_full_string) - 1;
> 373:
> 374:         } else {
> 375:             p = (u_char *) ngx_http_server_string;
> 376:             len = sizeof(ngx_http_server_string) - 1;
> 377:         }
> 378:
> 379:         b->last = ngx_cpymem(b->last, p, len);
> 380:     }
>
> 447:     b->last = ngx_copy(b->last, r->server_name.data, r->server_name.len);
>
> I hope this doesn't go against the whole nginx philosophy - I'm
> normally quite proud about nginx server tokens!
> But if it's either "do this or use Apache", then I'd rather do this ...
Removing this code will not cause other problems.
As to disabling the Server header via the configuration file, I will do it only
after the Apache team does the same thing. I believe that will never happen.
--
Igor Sysoev
http://sysoev.ru/en/
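A small check for the three states discussed in this thread (default build, "server_tokens off", and a build with the Server header code removed), added here as an example and not part of the original thread. The sample responses are constructed, and the function names classify_server_header and classify_url are my own.

```python
import re
from http.client import HTTPConnection
from urllib.parse import urlsplit

# Constructed sample responses (not real captures) for the three states:
# default build, "server_tokens off", and Server header code removed.
SAMPLES = {
    "default":    "HTTP/1.1 200 OK\r\nServer: nginx/0.5.35\r\nContent-Type: text/html\r\n\r\n",
    "tokens_off": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "removed":    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def classify_server_values(values):
    """Map the list of Server header values to 'absent', 'product' or 'version'."""
    if not values:
        return "absent"                       # header code removed from the build
    # "nginx/0.5.35" (or any value carrying digits) still discloses a version
    if any(re.search(r"/|\d", v) for v in values):
        return "version"                      # server_tokens on (the default)
    return "product"                          # server_tokens off: name only


def classify_server_header(raw_head):
    """Classify the Server header in a raw HTTP response head (CRLF-separated)."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            values.append(value.strip())
    return classify_server_values(values)


def classify_url(url, timeout=5.0):
    """Send a HEAD request to a live plain-HTTP URL and classify its Server header."""
    parts = urlsplit(url)
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        values = [v for k, v in resp.getheaders() if k.lower() == "server"]
    finally:
        conn.close()
    return classify_server_values(values)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify_server_header(raw)}")
```

Run classify_url against a staging host after changing the config or rebuilding to confirm the result is "absent" rather than merely "product".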