Note: only tested on Ubuntu 20.04.3 LTS. Should work with other versions of Ubuntu Server as well as distros based on Ubuntu or Debian.
Based on reading it seems to not be so easy for other distros however. If you use a distro not derived from Ubuntu or Debian you may need to compile Nginx yourself.
But assuming you're running an Ubuntu server, all you need to do is run this command:
sudo apt install libnginx-mod-http-headers-more-filter
A lot of guides online (see Stack Overflow link above) suggested you needed to install the entire nginx-extra
package. Nope, you can just install that one extra module, no need to install a load of extra stuff you don't want.
When you run any web server or reverse proxy, it sends a string in the HTTP header that basically tells any piece of software connecting to it the name and version by default.
Most of the time there is no benefit at all to broadcasting this information for the internet to see as it's not something browsers or apps need to know, but it is useful info to adversaries who may wish to attempt to gain unauthorised access to your server ("hack" into it).
As such, it's a good idea to stop your server from broadcasting this information everywhere.
The standard Nginx package you get when you type sudo apt install nginx
into Ubuntu doesn't provide a feature that allows you to do this. It does provide a simple setting that hides the version which is helpful, but it still shows you are running Nginx.
So let's apply that function to hide the version, then use the newly exposed config option from libnginx-mod-http-headers-more-filter
to change the Nginx string in the HTTP header too!
sudo apt install libnginx-mod-http-headers-more-filter
sudo nano /etc/nano/nginx.conf
- Scroll down a little until you see the line
# server_tokens off;
- Remove the # so it just says
server_tokens off;
- Now make a new line below it and paste
more_set_headers "Server: Molly Percocet";
- Not a Future fan? I question your taste, but feel free to change the string to say whatever you like, just make sure you keep the
Server:
bit there. Somore_set_headers "Server: Chase a check never chase a bitch";
will work butmore_set_headers "Chase a check never chase a bitch";
will likely throw an error. - Save that file
- Optionally, if you want different virtualhosts, subdomains, etc to show different server strings, you can add a
more_set_headers
directive to individual configuration files too. This wayfoo.example.com
andbar.example.com
can show different server versions. Or if you run multiple domains from the same VPS you can also makefoo.com
andbar.com
show different server strings on their respective HTTP headers too. You get the idea. - When you're done just run
sudo systemctl restart nginx
and your changes will take effect instantly. - You can check it's working here: https://httpstatus.io or by running
curl -I https://example.com
If, even after rebooting the server fully, you still don't see the custom string, and you installed the module and set the directives correctly in the configs, what is showing instead? Is it Nginx or the name of the web app you're reverse proxying to?
If you are using Nginx as a reverse proxy, open up the config file for the reverse proxy and look for a line that says proxy_pass_header Server;
and try commenting it out or just deleting it. If you are only setting the new server name in the individual config files, not the global nginx.conf
file, also make sure you set both server_tokens off;
and more_set_headers "Server: Blah Blah Blah";
inside the reverse proxy block, even if they're already set outside of it.
That not the problem? Run sudo systemctl status nginx
to get a better idea of what's going on. Nginx as a rule provides useful error messages so if it doesn't make sense to you, odds are pasting it into Google/DDG will net a solution.
While this does allow you to fully customise the server name provided by the HTTP header, the Nginx
string will still show up in error messages. To fix this just install custom error pages. There's many nicely designed custom ones on GitHub. These are quite comprehensive and minimalist like an error message should be. They're not branded with the name of your server software at all. And as they're simple HTML files they're easy to customise to your own needs too. This can be automated with the template if you have Jekyll installed.
To actually install them on your Nginx server you can follow the basic tutorial here.
Bish bash bosh m8.
I remember looking this up ages ago and only seeing a page from Nginx saying you needed to buy Nginx Plus to do this. Had no idea it was as easy as installing one package and adding a single line to the configuration. Amazing work cheers and Merry Christmas!