Nginx – How to remove “Client-Peer” (etc) header in nginx with php-fastcgi


My setup:

  • OS: Ubuntu 11.04
  • HTTP Server: nginx 1.2.1
  • (other irrelevant software – ruby, python, etc)

My problem:

I'm trying to completely mask the software which serves the pages (partly security, mostly because it's fun). I've managed to change the server name and remove the X-Powered-By header which php-fastcgi adds, but I'm having trouble removing three headers:

Client-Date: Thu, 14 Jun 2012 20:32:34 GMT
Client-Peer: 205.186.146.37:80
Client-Response-Num: 1

I have used more_clear_headers from the HttpHeadersMore module but that has no effect, despite being able to remove the X-Powered-By headers.

This is in my http block

more_set_headers "Server: Tesco Value";
more_clear_headers "X-Powered-By";
more_clear_headers "Client-*";
more_clear_headers "Client-Date";
more_clear_headers "Client-Response-Num";
more_clear_headers "Client-Peer";
more_clear_headers "X-Pingback";

add_header X-Required-Volume-Setting 11;
add_header X-Required-Speed 88mph;

# NEW: added in thanks to the answer from @kworr - but still doesn't work
fastcgi_hide_header "Client-Date";
fastcgi_hide_header "Client-Response-Num";
fastcgi_hide_header "Client-Peer";

If you run HEAD slightlymore.co.uk you'll see that neither explicit nor wildcard rules get rid of the header. I'm guessing that these headers are set after the output-header-filter phase – but I'd like to know if anyone has any more information on this, and especially if anyone has a solution.

UPDATE

@kworr suggested that fastcgi_hide_header might be what I'm looking for – but it still doesn't work. Perhaps it's just my system?

Best Answer

Those headers were not present in the HTTP response at all. Neither nginx nor php-fpm ever sent them, so trying to block them is pointless.

They are synthetic response headers added to the response by your user agent, libwww-perl.

If you don't wish to see them, make HTTP requests with some other library, such as libcurl.
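
One way to confirm this before touching the nginx configuration is to read the response bytes straight off the socket and compare them with what the client tool printed. The script below is an added example, not part of the original answer; the function names and both sample texts are constructed for illustration, reusing the header values quoted in the question.

```python
import socket
import sys

# Constructed sample: bytes a server could put on the wire for a HEAD request.
SAMPLE_WIRE = (b"HTTP/1.1 200 OK\r\nServer: Tesco Value\r\n"
               b"Date: Thu, 14 Jun 2012 20:32:34 GMT\r\nContent-Type: text/html\r\n"
               b"X-Required-Volume-Setting: 11\r\nX-Required-Speed: 88mph\r\n\r\n")

# Constructed sample: what a libwww-perl based tool prints for the same response.
SAMPLE_DISPLAY = """200 OK
Date: Thu, 14 Jun 2012 20:32:34 GMT
Server: Tesco Value
Content-Type: text/html
Client-Date: Thu, 14 Jun 2012 20:32:34 GMT
Client-Peer: 205.186.146.37:80
Client-Response-Num: 1
X-Required-Speed: 88mph
X-Required-Volume-Setting: 11
"""

def parse_header_names(raw):
    """Return the lower-cased header names found in a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    return {line.split(":", 1)[0].strip().lower() for line in lines if ":" in line}

def fetch_wire_headers(host, port=80, path="/", timeout=5.0):
    """Send a bare HEAD request over a plain socket; no HTTP library in between."""
    request = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_header_names(raw)

def client_added(displayed_text, wire_names):
    """Header names a tool displayed that never appeared on the wire."""
    shown = [l.split(":", 1)[0].strip() for l in displayed_text.splitlines() if ":" in l]
    return [name for name in shown if name.lower() not in wire_names]

if __name__ == "__main__":
    # With a host argument, query it live; otherwise use the constructed sample.
    wire = fetch_wire_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_header_names(SAMPLE_WIRE)
    print("added by the client:", client_added(SAMPLE_DISPLAY, wire))
```

Any name the script reports was produced on the client side, so no server directive (more_clear_headers, fastcgi_hide_header) can remove it.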