How do you change the server header returned by nginx?

Question

There's an option to hide the version so it will display only nginx, but is there a way to hide that too so it will not show anything or change the header?

Answer 1

Like Apache, this is a quick edit to the source and recompile. From Calomel.org:

The Server: string is the header which is sent back to the client to tell them what type of http server you are running and possibly what version. This string is used by places like Alexia and Netcraft to collect statistics about how many and of what type of web server are live on the Internet. To support the author and statistics for Nginx we recommend keeping this string as is. But, for security you may not want people to know what you are running and you can change this in the source code. Edit the source file src/http/ngx_http_header_filter_module.c at look at lines 48 and 49. You can change the String to anything you want.

## vi src/http/ngx_http_header_filter_module.c (lines 48 and 49)
static char ngx_http_server_string[] = "Server: MyDomain.com" CRLF;
static char ngx_http_server_full_string[] = "Server: MyDomain.com" CRLF;

March 2011 edit: Props to Flavius below for pointing out a new option, replacing Nginx's standard HttpHeadersModule with the forked HttpHeadersMoreModule. Recompiling the standard module is still the quick fix, and makes sense if you want to use the standard module and won't be changing the server string often. But if you want more than that, the HttpHeadersMoreModule is a strong project and lets you do all sorts of runtime black magic with your HTTP headers.

Answer 2

If you are using nginx to proxy a back-end application and want the back-end to advertise its own Server: header without nginx overwriting it, then you can go inside of your server {…} stanza and set:

proxy_pass_header Server;

That will convince nginx to leave that header alone and not rewrite the value set by the back-end.

Answer 3

The last update was a while ago, so here is what worked for me on Ubuntu:

sudo apt-get update
sudo apt-get install nginx-extras

Then add the following two lines to the http section of nginx.conf, which is usually located at /etc/nginx/nginx.conf:

sudo nano /etc/nginx/nginx.conf
server_tokens off; # removed pound sign
more_set_headers 'Server: Eff_You_Script_Kiddies!';

Also, don't forget to restart nginx with sudo service nginx restart.

Answer 4

Simple, edit /etc/nginx/nginx.conf and remove comment from

#server_tokens off;

Search for http section.

Answer 5

It’s very simple: Add these lines to server section:

server_tokens off;
more_set_headers 'Server: My Very Own Server';

Answer 6

There is a special module: http://wiki.nginx.org/NginxHttpHeadersMoreModule

This module allows you to add, set, or clear any output or input header that you specify.

This is an enhanced version of the standard headers module because it provides more utilities like resetting or clearing "builtin headers" like Content-Type, Content-Length, and Server.

It also allows you to specify an optional HTTP status code criteria using the -s option and an optional content type criteria using the -t option while modifying the output headers with the more_set_headers and more_clear_headers directives...

Answer 7

Install Nginx Extras

sudo apt-get update
sudo apt-get install nginx-extras

Server details can be removed from response by adding following two lines in the nginx.conf (under http section)

more_clear_headers Server;
server_tokens off;

Answer 8

If you're okay with just changing the header to another string five letters or fewer, you can simply patch the binary.

sed -i 's/nginx\r/thing\r/' `which nginx`

Which, as a solution, has a few notable advantages. Namely, that you can allow your nginx versioning to be handled by the package manager (so, no compiling from source) even if nginx-extras isn't available for your distro, and you don't need to worry about any of the additional code of something like nginx-extras being vulnerable.

Of course, you'll also want to set the option server_tokens off, to hide the version number, or patch that format string as well.

I say "five letters or fewer" because of course you can always replace:

nginx\r\0

with

bob\r\0\r\0

leaving the last two bytes unchanged.

If you actually want more than five characters, you'll want to leave server_tokens on, and replace the (slightly longer) format string, although again there's an upper limit on that length imposed by the length of the format string - 1 (for the carriage return).

...If none of the above makes sense to you, or you've never patched a binary before, you may want to stay away from this approach, though.

Answer 9

The only way is to modify the file src/http/ngx_http_header_filter_module.c . I changed nginx on line 48 to a different string.

What you can do in the nginx config file is to set server_tokens to off. This will prevent nginx from printing the version number.

To check things out, try curl -I http://vurbu.com/ | grep Server

It should return

Server: Hai

Answer 10

After I read Parthian Shot's answer, I dig into /usr/sbin/nginx binary file. Then I found out that the file contains these three lines.

Server: nginx/1.12.2
Server: nginx/1.12.2
Server: nginx

Basically first two of them are meant for server_tokens on; directive (Server version included). Then I change the search criteria to match those lines within the binary file.

sed -i 's/Server: nginx/Server: thing/' `which nginx`

After I dig farther I found out that the error message produced by nginx is also included in this file.

<hr><center>nginx</center>

There are three of them, one without the version, two of them included the version. So I run the following command to replace nginx string within the error message.

sed -i 's/center>nginx/center>thing/' `which nginx`

Answer 11

According to nginx documentation it supports custom values or even the exclusion:

Syntax: server_tokens on | off | build | string;

but sadly only with a commercial subscription:

Additionally, as part of our commercial subscription, starting from version 1.9.13 the signature on error pages and the “Server” response header field value can be set explicitly using the string with variables. An empty string disables the emission of the “Server” field.

Answer 12

I know the post is kinda old, but I have found a solution easy that works on Debian based distribution without compiling nginx from source.

First install nginx-extras package

sudo apt install nginx-extras

Then load the nginx http headers more module by editing nginx.conf and adding the following line inside the server block

load_module modules/ngx_http_headers_more_filter_module.so;

Once it's done you'll have access to both more_set_headers and more_clear_headers directives.

Answer 13

Are you asking about the Server header value in the response? You can try changing that with an add_header directive, but I'm not sure if it'll work. http://wiki.codemongers.com/NginxHttpHeadersModule