Edit / hide Nginx Server header under Alpine Linux

nginx remove server header
no package nginx plus-module-headers-more available
unable to locate package nginx plus-module-headers-more
nginx headers
nginx-module-headers-more
github headers more nginx module
hide nginx version
docker nginx

When I use curl --head to test my website, it returns the server information.

I followed this tutorial to hide the nginx server header. But when I run the command yum install nginx-module-security-headers , it returns yum: not found.

I also tried apk add nginx-module-security-headers, and it shows that the package is missing.

I have used nginx:1.17.6-alpine as my base docker image. Does anyone know how to hide the server from header under this Alpine?

I think I have an easier solution here: https://gist.github.com/hermanbanken/96f0ff298c162a522ddbba44cad31081. Big thanks to hermanbanken on Github for sharing this gist.

The idea is to create a multi stage build with the nginx alpine image to be a base for compiling the module. This turns into the following Dockerfile:

ARG VERSION=alpine
FROM nginx:${VERSION} as builder

ENV MORE_HEADERS_VERSION=0.33
ENV MORE_HEADERS_GITREPO=openresty/headers-more-nginx-module

# Download sources
RUN wget "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz && \
    wget "https://github.com/${MORE_HEADERS_GITREPO}/archive/v${MORE_HEADERS_VERSION}.tar.gz" -O extra_module.tar.gz

# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
RUN  apk add --no-cache --virtual .build-deps \
    gcc \
    libc-dev \
    make \
    openssl-dev \
    pcre-dev \
    zlib-dev \
    linux-headers \
    libxslt-dev \
    gd-dev \
    geoip-dev \
    perl-dev \
    libedit-dev \
    mercurial \
    bash \
    alpine-sdk \
    findutils

SHELL ["/bin/ash", "-eo", "pipefail", "-c"]

RUN rm -rf /usr/src/nginx /usr/src/extra_module && mkdir -p /usr/src/nginx /usr/src/extra_module && \
    tar -zxC /usr/src/nginx -f nginx.tar.gz && \
    tar -xzC /usr/src/extra_module -f extra_module.tar.gz

WORKDIR /usr/src/nginx/nginx-${NGINX_VERSION}

# Reuse same cli arguments as the nginx:alpine image used to build
RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') && \
    sh -c "./configure --with-compat $CONFARGS --add-dynamic-module=/usr/src/extra_module/*" && make modules


# Production container starts here
FROM nginx:${VERSION}

COPY --from=builder /usr/src/nginx/nginx-${NGINX_VERSION}/objs/*_module.so /etc/nginx/modules/

.... skipped inserting config files and stuff ...

# Validate the config
RUN nginx -t

ngx_http_headers_more_filter_module wrong version in nginx , steps to reproduce docker file with FROM nginx:stable-alpine RUN apk update RUN issue: https://stackoverflow.com/questions/59189311/edit-hide-nginx- server-header-under-alpine-linux/60780597#60780597 This solves� nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful Reload and Restart Nginx Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted.

Alpine repo probably doesn't have the ngx_security_headers module but, the mentioned tutorial also provides an option of using Headers More module. You should be able to install this module in your alpine distro using the command:

apk add nginx-mod-http-headers-more

Hope it helps.

Source

How to remove the Server header in NGINX, How to hide the Server HTTP header in nginx and more: hide the fact of using nginx altogether. Solutions to prevent information disclosure. Install Nginx web server on Alpine Linux. Let us see all steps and commands in details to install Nginx, create users and set up your first web site on Alpine Linux. Step 1. Install the Nginx web server. First update your repo, run apk command as follows: # apk update Install the nginx server, run: # apk add nginx Sample outputs:

I found the alternate solution. The reason that it shows binary not compatible is because I have one nginx pre-installed under the target route, and it is not compatible with the header-more module I am using. That means I cannot simply install the third party library from Alpine package.

So I prepare a clean Alpine OS, and follow the GitHub repository to build Nginx from the source with additional feature. The path of build result is the prefix path you specified.

Can I hide all server / os info?, However, there are many hidden ways servers perform by accident via their If you have installed nginx using apt-get in Debian or Ubuntu, you might need to install You will have to compile it from source and change what's needed before Throw this in the http block and every request will be lacking a Server header. The default state of an NGINX server is to have the Server set. This returns something like Server: nginx/1.12.1.Here is a list of all the published exploits for nginx to give you an idea why you might not want Server header and the version published, NGINX vulnerabilities.

Remove Version from Server Header Banner in nginx, Mask Nginx version details from the HTTP Response Header. In default NGINX configuration, the Server header banner is ON which exposes� Hide Nginx Version. Note: This will only hide the server version number, but not the server signature (name). If you want to hide the server name, compile Nginx from sources and include the --build=name option to set a nginx build name. If you are running PHP in your Nginx web server, I suggest you to Hide PHP Version Number.

How to hide PHP 5/7 version when using Nginx, I am using PHP 5.6.xx and Nginx server on an Apline Linux server. PHP/5.6.32' or 'x-powered-by: PHP/7.3.6' HTTP header. information to attack or find vulnerabilities in your PHP version. to edit/create a file named custom.ini as per your Linux/Unix variant. this is for Alpine Linux and PHP v5.6.xx� Once Nginx package is installed on your Alpine Linux and User account and Home directory are also created. you can create a virtual hosts configuration file of Nginx server called www.mytest.com.conf under /etc/nginx/conf.d/ directory with your vi or vim text editor. type:

How To Install Nginx web server on Alpine Linux, This tutorial shows how to install nginx on Alpine Linux. ADVERTISEMENTS. Install Nginx web server on Alpine Linux. Let us see all steps and commands in details to install Nginx, create You need to edit the /etc/nginx/nginx.conf file: Directives to send expires headers and turn off 404 error logging. I've also read about nginx more_set_headers. Haven't tried it yet. Does it allow me to edit the headers? Apache has the Header edit directive which I was using previously, so I'm looking for something like that. TL;DR Is is possible to edit a header location using regex replace or similar in Nginx?

Comments
  • Now I faced another problem. nginx: [emerg] module "/etc/nginx/modules/ngx_http_headers_more_filter_module.so" is not binary compatible in /etc/nginx/nginx.conf:5
  • @wuchi : The ".so" file is present in /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so and not in /etc/nginx/modules/ngx_http_headers_more_filter_module.so as the error says. Can you try to find why it is pointing to the wrong directory?
  • I check both /usr/lib/nginx/modules and /etc/nginx/modules, and they all have ngx_http_headers_more_filter_module.so. I load the file by load_module modules/ngx_http_headers_more_filter_module.so;. Is this command causes pointing to wrong directory?
  • @wuchi : I'm not sure. I've never worked with nginx.