Anti-fingerprinting Configuration for NGINX

Anti-Fingerprinting-Configuration-for-NGINX.md

https://tomrichards.net/2022/08/anti-fingerprinting-configuration-for-nginx/

default.nginxconf

map "" $empty {
    default "";
}

# Forcibly turn off the server header.
more_clear_headers 'Server';

# Default server that forcibly drops the connection
server {
    listen 443 ssl http2 default_server;

    # Don't accept the HTTPS handshake.
    ssl_reject_handshake on;
    ssl_certificate data:$empty;     # Note: Specifying certs/keys is optional for this default server block
    ssl_certificate_key data:$empty; # as long as there is at least one other server block with valid certs.

    # Disable special HTTP->HTTPS error page.
    error_page 497 = @empty_err;

    location @empty_err {
        return 444;
    }

    return 444;
}

# Real server here
server {
    listen       443 ssl http2;
    server_name  example.org;

    # ...
}

docker-compose.yml

version: '3.8'
services:
  web:
    build: .
    ports:
      - "8443:443"
    volumes:
      - ./default.nginxconf:/etc/nginx/http.d/default.conf:ro

Dockerfile

FROM alpine:3.16

RUN set -ex; \
    apk add nginx nginx-mod-http-headers-more; \
    ln -sf /dev/stdout /var/log/nginx/access.log; \
    ln -sf /dev/stderr /var/log/nginx/error.log

EXPOSE 443

STOPSIGNAL SIGQUIT

CMD ["nginx", "-g", "daemon off;"]