How To Customize Your Nginx Server Name

In a previous post, you learned how to hide the Nginx version from the HTTP headers. While that is basically security through obscurity, it’s something that a lot of devs are looking for.

Following that line of thought, today you will go deeper and learn how to hide or customize the Nginx server name completely, instead of only the version number.

Why Is Hiding the Nginx Name or Version Important?

As previously mentioned, this is not actually a security hardening tip, because we are only hiding information from the headers (there are other ways to tell that you are using Nginx). However, it is still important for keeping attackers from exploiting particular vulnerabilities in old Nginx versions.

How Can You Set a Custom Name for Your Nginx Server?

This can only be done by modifying the source code of Nginx. Pre-compiled packages for different distros, like .deb or .rpm, already have the Nginx name and version number variables compiled in.

Fetch your current Nginx version using curl. Example:

[my@shell ~]$ curl -I http://www.yoursite.com/
HTTP/1.1 200 OK
Server: nginx/1.8.0
Vary: Accept-Encoding,Cookie
X-Cacheable: SHORT
Cache-Control: max-age=600, must-revalidate
X-Cache: HIT: 114
Content-Type: text/html; charset=UTF-8
X-Cache-Group: normal
Date: Thu, 30 Jul 2015 14:50:29 GMT
X-Pingback: http://www.yoursite.com/xmlrpc.php
Keep-Alive: timeout=20
X-Type: default
Transfer-Encoding: chunked
Connection: Keep-Alive

You can get the details of the server name and version with a simple curl request. Now, you can hide that and rename your server to something different.

Download the Nginx Source Code:

wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar -xvpzf nginx-1.8.0.tar.gz
cd nginx-*

Edit the file src/http/ngx_http_header_filter_module.c, right at line 49:

nano -w +49 src/http/ngx_http_header_filter_module.c

Find these lines:

static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Modify those to match these new ones:

static char ngx_http_server_string[] = "Server: YourCustomName" CRLF;
static char ngx_http_server_full_string[] = "Server: YourCustomName" CRLF;

Replace “YourCustomName” with whatever you want. You can place anything there: the name of your website, product, company, etc.

Recompile Nginx from the Source Code

Make sure to include all of the modules your app needs when you run ./configure. These are the most common ones included in the pre-compiled binaries:

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Then configure, make and make install. Replace “your_custom_modules” with the ones you need, and run these commands:

./configure your_custom_modules
make
make install

Restart Nginx:

service nginx restart

Now, use curl one more time:

[my@shell ~]$ curl -I http://www.yoursite.com/
HTTP/1.1 200 OK
Server: MyServernginx/1.8.0
Vary: Accept-Encoding,Cookie
X-Cacheable: SHORT
Cache-Control: max-age=600, must-revalidate
X-Cache: HIT: 114
Content-Type: text/html; charset=UTF-8
X-Cache-Group: normal
Date: Thu, 30 Jul 2015 14:50:29 GMT
X-Pingback: http://www.yoursite.com/xmlrpc.php
Keep-Alive: timeout=20
X-Type: default
Transfer-Encoding: chunked
Connection: Keep-Alive

Now, you should see Server: MyServernginx/1.8.0. Note that the header still displays the Nginx version. If you also want to hide your Nginx version, add one line to the http block of your configuration. Open the file:

nano -w /etc/nginx/nginx.conf

Then set:

http {
    ...
    server_tokens off;
    ...
}

Restart Nginx to apply changes:

service nginx restart
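
To confirm what each stage of this procedure actually changed, the following added example (not part of the original article) classifies the Server header found in saved curl -I output. The function name, the verdict words and the sample responses are constructed for illustration, modelled on the curl output shown above.

```shell
#!/bin/sh
# Added example: classify the Server header in HTTP response headers read
# from stdin. Prints one verdict:
#   absent | version-exposed | product-exposed | custom

classify_server_header() {
    # HTTP header lines end in CRLF, so strip the CR first. Header names are
    # case-insensitive (HTTP/2 sends "server:"), so compare in lower case.
    # If several header blocks are present (redirects), the last one wins.
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, "")      # drop the header name
            value = tolower($0); seen = 1
        }
        END {
            if (!seen)                        print "absent"
            else if (value ~ /nginx\/[0-9]/)  print "version-exposed"
            else if (value ~ /nginx/)         print "product-exposed"
            else                              print "custom"
        }'
}

# Constructed sample responses, one per stage of the article.
sample_stock() {        # unmodified package build
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.8.0\r\nConnection: Keep-Alive\r\n\r\n'
}
sample_renamed() {      # custom prefix, version token still appended
    printf 'HTTP/1.1 200 OK\r\nServer: MyServernginx/1.8.0\r\nConnection: Keep-Alive\r\n\r\n'
}
sample_tokens_off() {   # stock build with server_tokens off
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nConnection: Keep-Alive\r\n\r\n'
}
sample_custom() {       # rebuilt binary with both strings replaced
    printf 'HTTP/1.1 200 OK\r\nServer: YourCustomName\r\nConnection: Keep-Alive\r\n\r\n'
}

for s in sample_stock sample_renamed sample_tokens_off sample_custom; do
    printf '%-18s %s\n' "$s" "$($s | classify_server_header)"
done
```

Against a live server, pipe the real headers in instead: curl -sI http://www.yoursite.com/ | classify_server_header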

Conclusion

Remember that hiding your server name and version won’t protect you from web attacks. It will just make things a little more difficult for your attackers. If you need to secure your Nginx installation, refer to our Nginx security guide.

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking