I don't want anyone to be able to detect that I'm using NGINX or even Ubuntu from the internet. There are tools out there (such as BuiltWith) which scan servers to detect what tools they're using. Also, some cracking tools might help with detecting. What's the best / closest to that I can get to hiding all this info from the outside?
Nginx – hide all server / os info
nginx, Ubuntu
Related Solutions
Correct way in new versions of nginx
Turns out my first answer to this question was correct at a certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls
I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:
server {
    listen 80;
    server_name my.domain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name my.domain.com;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;
    [....]
}
Right, a more formal answer:
Don't start guessing on an Ubuntu/Debian system where to put things. Ubuntu has pretty up to date versions, and aptitude is a very good package manager. You really want your server to have the following traits:
- To be secure
- To be well organized, so that you know where things should be
- To have a repeatable configuration, by some method. (This is why I am big on the packages. Even without puppet, you can get a list of packages that are installed, and in an emergency just install that list and you are back to where you were, if you were hacked for example.)
For Nginx, here is how I get an updated package quite soon after they come out:
https://launchpad.net/~stevecrozz/+archive/ppa
You mentioned that you were new. Use the package managers. In your case, aptitude. We used to build from source all the time, but since you did not mention 'firewall' or 'security' then time is short.
Software that you install locally to a system goes in /usr/local. /usr is owned by the package managers really.
As for /opt, I use it for really weird stuff, like macports on my laptop or things I'm trying out, like coldfusion server ...
Default nginx goes into /usr/local/nginx, which is very good since if you build from source, make uninstall ... most likely won't be there.
http://library.linode.com is a really good basic resource. Read that too.
Once the reality of app dev with simultaneous server admin sinks in, you might want to check out http://puppetlabs.com and get hooked up with puppet. That's for later.
The nginx I told you about has the following options:
nginx -V
nginx version: nginx/0.8.48
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-0.8.48/modules/nginx-upstream-fair
Now, later in life you might want to recompile for some other modules. (/usr/local)! But regardless, you'll see the Debian/Ubuntu way of laying this stuff out, at least. A beloved trick I use is to install some server I need to build and copy the base config files, then purge it.
Good luck. BTW create a user for yourself, research sudo, and disable root logins. First thing I do on a fresh server.
Best Answer
You can stop it outputting the version of Nginx and OS by adding to a http, server, or location context.
Or if you want to remove the Server header completely, you need to compile Nginx with the Headers More module in, as the header is hard coded in the Nginx source, and this module allows changing any http headers.
However, there are many hidden ways servers perform by accident via their implementation which may help identify the system, e.g. how it responds to a bad SSL request. I don't see a practical way of preventing this.
Some of the things I might suggest:
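Added example, not part of the original answer: a defender-side check of what a response still discloses, covering both the banner headers and the footer of nginx's built-in error pages, which carries the same version string and is likewise reduced to a bare `nginx` by the stock `server_tokens off;` directive. The function name, finding labels and the three sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real host).
_PAGE = b"<html><body><center><h1>404 Not Found</h1></center><hr><center>%s</center></body></html>"
DEFAULT_404 = (b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
               b"Content-Type: text/html\r\n\r\n" + _PAGE % b"nginx/1.18.0 (Ubuntu)")
TOKENS_OFF_404 = (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
                  b"Content-Type: text/html\r\n\r\n" + _PAGE % b"nginx")
HEADER_REMOVED_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

VERSION = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")          # product/1.2.3
OS_HINT = re.compile(r"\((Ubuntu|Debian|CentOS|Red Hat|Unix|Win32|Win64)\)", re.I)
ERROR_FOOTER = re.compile(r"<hr><center>([^<]+)</center>", re.I)  # built-in error page footer
BANNER_HEADERS = ("server", "x-powered-by")

def audit_response(raw: bytes) -> list:
    """Return (kind, value) disclosure findings for one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() not in BANNER_HEADERS:
            continue
        value = value.strip()
        # A bare product name still identifies the server; a version narrows it further.
        findings.append(("header-version" if VERSION.search(value) else "header-product", value))
        os_hint = OS_HINT.search(value)
        if os_hint:
            findings.append(("header-os", os_hint.group(1)))
    footer = ERROR_FOOTER.search(body.decode("latin-1"))
    if footer:
        text = footer.group(1).strip()
        findings.append(("body-version" if VERSION.search(text) else "body-product", text))
    return findings

if __name__ == "__main__":
    for label, raw in [("default", DEFAULT_404), ("server_tokens off", TOKENS_OFF_404),
                       ("Server header removed", HEADER_REMOVED_200)]:
        print(f"{label}: {audit_response(raw) or 'no banner disclosure'}")
```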