How to Hide NGINX Version

By Banjo • 2022-12-29
Today's web servers need to be open source, developed with cloud-friendly tools, and best in adaptability and scalability.
For that purpose, developing microservices-based applications that run in containers requires NGINX.
What is NGINX?
NGINX is an open-source web server and is the most popular load balancer and caching tool.
That’s right; NGINX is used as a reverse proxy to forward client requests, a load balancer to distribute tasks, a mail proxy, and a tool for HTTP cache optimization and reduction of delay in browsing.
With so many uses, NGINX has become a crucial part of web performance. It is also added to web performance networks, such as Cloudflare, to maximize performance. Hence most organizations are looking to integrate NGINX more and more.
With so many deployments, we must hide the version of NGINX, or of any web server. The reasons given are privacy first, secure data encryption second, and high download speed third, with more benefits besides.
So, how to do it?
The old version of Nginx:
If you are using an old version of Nginx and want to hide the Nginx version, you can use the server_tokens directive in your Nginx configuration. This directive hides the version in your HTTP headers and default error pages.
To do this, set server_tokens to off. It is on by default.
To check the current NGINX Server Header Information
The terminal command curl --head yourdomain.com shows your current server information.
You can also use the HTTP / HTTPS Header Check tool by Webconfs, Security Headers, and Mozilla Observatory. To change the server settings, you will have to use the terminal.
Hide Nginx version:
- In the default configuration, the HTTP status code (error) pages carry the version number; hide it, and you are good to go.
- This step makes it harder for cyber-attacks to infect servers. This solution applies to Nginx on Linux or UNIX.
Editing the NGINX configuration file:
- To edit the configuration file, go to the # HTTP Options and ## lines.
- Now add the new line server_tokens off; The server_tokens directive controls whether Nginx shows its version number and operating system on error pages and in the "Server" HTTP response header field.
- Now you can check the server information and verify if it is working.
- After completing, save the file and restart the Nginx server so that the changes take effect.
What to remember while hiding Nginx Version
The step mentioned above will only hide the server version number. It doesn’t hide the server signature or the name.
How to hide the server name
- To hide the server signature or the name, compile Nginx from sources. Include the --build=name option to set an Nginx build signature or name.
- If you run the PHP scripting language on your Nginx web server, you also have to hide the PHP version number.
To Hide PHP Version Number
To do this, we must first open the PHP configuration file. Creating a backup of your PHP configuration file beforehand is essential.
- Then, make changes to the PHP configuration file. If you can't find the location of this configuration file on your server, run the command php -i | grep "Loaded Configuration File" to find it.
- Then, locate the keyword expose_php and set its value to Off.
- Save the changes and restart to see if the changes reflect in the web server.
Checking if the PHP Version Number is hidden
To check if the HTTP response header is still displaying the PHP version number, run:
lynx -head -mime_header http://localhost
lynx -head -mime_header http://server-address
Here, -head sends a HEAD request for the MIME headers, and -mime_header displays the MIME header of the document along with its source.
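The two header checks described above (the Server header after server_tokens off, and the PHP header after expose_php is turned off) can be scripted. This is an added example, not code from the article; the function names and the sample responses, including their version strings, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report what response headers disclose.
# Reads raw headers on stdin, e.g.
#   curl --silent --head https://yourdomain.com | audit_headers
# Prints one finding per line; no output means neither header gave anything away.
audit_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)        # header name, lower-cased
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "server" {
            # server_tokens on -> product/version; off -> bare product name
            if (value ~ /[0-9]+\.[0-9]+/) print "server-version: " value
            else                          print "server-name: " value
        }
        name == "x-powered-by" { print "x-powered-by: " value }   # expose_php = On
    '
}

# Constructed samples (version strings are made up for illustration).
sample_default()    { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.3\r\n\r\n'; }
sample_tokens_off() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }
sample_no_server()  { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'; }

for s in sample_default sample_tokens_off sample_no_server; do
    printf '%s:\n' "$s"
    "$s" | audit_headers | sed 's/^/  /'
done
```

A "server-name" finding after server_tokens off is expected: the version is gone, but the product name is still sent.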
How to hide the use of NGINX altogether
After hiding the Server header, we might notice that the default NGINX error pages still display the word "nginx".
Use NGINX-MOD
Use NGINX-MOD and specify server_tokens none; in the Nginx configuration.
Note that only NGINX-MOD supports this none value for the server_tokens directive.
Source code change
You can also hide the NGINX version by adjusting the NGINX sources and then recompiling NGINX. This step prevents NGINX software information disclosure.
(This step is discouraged, as it is said to leave you with an outdated NGINX version and a slow web server.)
GetPageSpeed servers
GetPageSpeed-provisioned servers, and any similar servers with monthly maintenance, can hide the Server header for you.
Such servers make use of the Citrus Stack. This panel-less, high-performance server stack already includes NGINX-MOD as the default web server. You can then set server_tokens to none, as discussed above.
Hide the Server header
Use third-party modules such as ngx_security_headers. To install the module, use the RPM repository available for NGINX.
Now add hide_server_tokens on; to your nginx.conf.
This step eliminates the Server header from the responses.
Using Headers More module
To achieve the same result, you can also add more_clear_headers Server; to your nginx.conf.
This change eliminates the Server header from the responses.
Alternatives or Minor Changes to Help
Alongside hiding the NGINX version, a few other minor changes help achieve similar results.
Block HTTP User Agents in Nginx
- You can also block HTTP User Agents in Nginx by placing a server block definition with rules.
- You can replace your server's IP with 192.168.0.25 and choose a different string for the --user-agent switch of wget.
- This change can prevent web crawlers and bots from contacting system resources.
Limit the number of IP connections
- Use the limit_conn_zone directive in the http context, outside the server block, to define the zone used to limit the number of IP connections.
- Use the limit_conn directive in an http, server, or location context to apply the limit.
- You can set the maximum number of connections per IP and even reduce the number to 1.
Filter the access log for information
- You can also filter the access log for information on the Client IP, HTTP request type, Resource request, Server block which answers the request, and Browser type.
Avoid SSL and update to new versions/TLS
- Shun SSL in any of its versions. The security vulnerabilities made it completely replaceable by 2019. Instead, use TLS.
- Place ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in a server or http context. To do this, use the file ssl.conf in your virtual host file or a separate file via the include directive.
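TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996 in 2021, so a protocol list like the one above is worth checking against that. The following is an added example, not code from the article: a small audit that flags deprecated entries in ssl_protocols, run over two constructed ssl.conf samples (the function names and file contents are assumptions, and each directive is assumed to sit on one line).

```shell
#!/bin/sh
# Added example (not from the article): flag deprecated entries in ssl_protocols.
# Reads nginx configuration text on stdin and prints "line N: PROTOCOL" for each
# SSLv2, SSLv3, TLSv1 or TLSv1.1 entry; no output means the list is clean.
audit_ssl_protocols() {
    awk '
        { sub(/#.*/, "") }                       # strip comments; fields are re-split
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                proto = $i
                sub(/;$/, "", proto)             # last entry carries the semicolon
                if (proto ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "line " NR ": " proto
            }
        }
    '
}

# Constructed sample: the protocol list as given in the article.
conf_article() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_tokens off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Constructed sample: current protocols only; the old line is commented out.
conf_current() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_tokens off;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1.3: nginx 1.13.0+ with OpenSSL 1.1.1+
}
EOF
}

for c in conf_article conf_current; do
    printf '%s:\n' "$c"
    "$c" | audit_ssl_protocols | sed 's/^/  /'
done
```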
Overall, the results show using Nginx-MOD is essential to install new directives and make source code changes. With such help, you won’t need to worry further about how to hide NGINX version.