1

I have compiled modsecurity and headers_more_module with nginx (1.13.6) on my Ubuntu server. When modsecurity is not enabled in the nginx configuration, I am able to hide the origin server's name in the server responses:

    Server: nginx

However, when modsecurity is enabled, I am getting the header in every response. How can I disable showing the server's signature with modsecurity enabled? Is there anything that should be modified in the modsecurity configuration to achieve this?

TrickyExplorer

3 Answers

1

If you are on Ubuntu the following should work:

  1. Install nginx-extras

    sudo apt-get install nginx-extras
    
  2. Edit /etc/nginx/nginx.conf and in the http block add:

    http {
        more_set_headers "Server: My_Custom_Server_Name";
        server_tokens off;
    }
    
  3. Restart nginx

    sudo service nginx restart
    
eKKiM
  • I am on an Ubuntu server. But nginx-extras will work only if nginx was installed using apt-get. I have manually compiled nginx. Also, I need a solution for removing the header in the presence of modsecurity rather than just nginx. – TrickyExplorer May 24 '18 at 10:02
  • Also worked for me on a Raspberry Pi. – ArtOfWarfare Jun 01 '21 at 22:59
0

If using ModSecurity v2.0 - v2.9, add this to the .conf file:

    SecServerSignature FakeServer

Luca Gibelli
  • Should I recompile modsecurity again to add this? I added this after compiling it and now I am getting 2 headers, "Server: nginx and Server: FakeServer". – TrickyExplorer May 24 '18 at 09:40
  • Could you please tell me when (to tweak the modsecurity configuration during compilation) and exactly which config file to add SecServerSignature to? – TrickyExplorer May 24 '18 at 10:08
0

Recompiling nginx with the modsecurity-nginx connector worked. I followed this link to do this: compile nginx and modsecurity with nginx-modsecurity connector, and included headers_more_module while compiling nginx.

TrickyExplorer
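A way to check the outcome after any of the changes above, as an added example that is not part of the original thread: the shell function below reads a raw response header block and reports whether the Server header is absent, single, version-bearing, or duplicated (the "Server: nginx and Server: FakeServer" case from the comments). The function name, the verdict strings and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Server header(s) in a raw HTTP response header block.
# Typical use (URL is an assumption):  curl -sI http://localhost/ | check_server_header
# Verdicts printed on stdout:
#   absent            no Server header in the first header block
#   ok:<value>        exactly one Server header, no version number in it
#   version:<value>   one Server header that discloses a version
#   duplicate:<a>|<b> more than one Server header (two modules both set it)

check_server_header() {
    awk '
        { sub(/\r$/, "") }                  # strip CR from CRLF line endings
        /^$/ { exit }                       # blank line ends the header block
        tolower($0) ~ /^server[ \t]*:/ {    # header names are case-insensitive
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)     # keep only the field value
            vals = (n++ ? vals "|" : "") v  # join multiple values with "|"
        }
        END {
            if (n == 0)                print "absent"
            else if (n > 1)            print "duplicate:" vals
            else if (vals ~ /\/[0-9]/) print "version:" vals
            else                       print "ok:" vals
        }'
}

# Constructed sample responses (not captured from a real server).
sample_duplicate() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nServer: FakeServer\r\nContent-Type: text/html\r\n\r\n'
}
sample_tokens_on() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.13.6\r\nContent-Type: text/html\r\n\r\n'
}
sample_custom() {
    printf 'HTTP/1.1 200 OK\r\nserver: My_Custom_Server_Name\r\n\r\n'
}

# Demo run over the constructed samples.
for s in sample_duplicate sample_tokens_on sample_custom; do
    printf '%s -> %s\n' "$s" "$($s | check_server_header)"
done
```

A `duplicate:` verdict means two components are each emitting their own Server header, so the signature has to be set in only one place.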