server-tokens not honoured? #226

Closed
omerlh opened this issue Jan 7, 2018 · 17 comments

@omerlh

omerlh commented Jan 7, 2018

I'm trying to disable the server:nginx response header, and it looks like setting the following in the config map should do that:

server-tokens: "False"

I'm using the following helm chart values.yaml to deploy it:

config:
    proxy-hide-headers: "Server, X-Powered-By, X-AspNet-Version, X-AspNet-Mvc-Version"
    server-tokens: "False"
    ssl-protocols: "TLSv1.2 TLSv1.1 TLSv1"

And it looks like it should work, but when testing it (accessing the /helthz endpoint), I still see this header. Could you help me figure out what I'm missing?

@pleshakov
Contributor

@omerlh
server-tokens: "False" doesn't disable emitting the Server response header; it only changes the header value by stripping the NGINX version. For example, nginx/1.13.3 becomes nginx.

It might be the case that you're using this Ingress controller -- https://github.com/kubernetes/ingress-nginx , as we don't provide a helm chart. Please refer to its documentation, as some differences exist between the Ingress controllers.

@omerlh
Author

omerlh commented Jan 8, 2018

Thanks, this is the behavior I noticed. I'll look if there is a way to remove this header at all, or change its value.

@pleshakov
Contributor

It is possible to remove or change this header. However, this feature is available only in NGINX Plus, the commercial version of NGINX.

@omerlh
Author

omerlh commented Jan 8, 2018

Ok, thanks!

@omerlh omerlh closed this as completed Jan 8, 2018
@bfin

bfin commented May 1, 2018

@omerlh The ingress-nginx controller is built with the headers-more-nginx-module so you can use the more_clear_headers directive to completely remove the server output header:

more_clear_headers Server;

https://github.com/openresty/headers-more-nginx-module#more_clear_headers

@iponnam

iponnam commented May 23, 2018

@omerlh
You can apply the following to the configmap referred to in your ingress-controller:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
data:
   proxy-hide-headers: "Server"
   server-tokens: "False"

@omerlh
Author

omerlh commented May 23, 2018

I did something similar, this is part of the values.yaml I used:

config:
    proxy-hide-headers: "Server, X-Powered-By, X-AspNet-Version, X-AspNet-Mvc-Version"
    server-tokens: "False"
    http-snippet: |
      more_set_headers "Server: ";

And it is working pretty well :)

@xetorixik

@omerlh @pleshakov It is possible to remove the entire Nginx server header,
quite simple with a small patch as the Nginx source is open.

No need to purchase an expensive NGINX Plus license as it can be solved easily.

Therefore. I was looking for the same solution and came across this post.
Because I have found a solution, it is neat to share it with you guys.

I found this patch at the following thread: https://community.centminmod.com/threads/patch-nginx-server-header-removal.14976/

Overall once again. It is quite simple. Apply patch and you are done!

@iponnam

iponnam commented Jun 20, 2018

@xetorixik thank you.

@xetorixik

No thanks to you @iponnam . It took me a while to find a solution. I know how frustrating it can be if there is no solution available. P.s. as because I am subscribed to the channel of Buik. There is another patch update. Good luck.

@bfin

bfin commented Jun 23, 2018

@iponnam @xetorixik If you use the k8s-maintained nginx controller, you don't need a patch for this.

Per my earlier comment, the k8s-maintained nginx controller includes the headers-more module so this can be accomplished with the more_clear_headers directive.

Like @omerlh suggested, you can accomplish this by including an http-snippet in the controller values:

controller:
  config:
    http-snippet: |
      more_clear_headers Server;

Setting server-tokens: false uses the set_header directive, so you still end up with a Server header but the value is blank. Using the more_clear_headers directive completely removes the Server header.

And as of the v0.17.0 release (still in development), server-tokens: false has been updated to use this behavior. See this merged PR for more info.
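
The states discussed in this thread (version stripped, blank value, header removed entirely) can be told apart by inspecting a response's header block. The following is an added example, not part of the original thread or of either ingress project; the function names are hypothetical and the sample responses are constructed.

```python
import re

# Headers this thread tries to suppress at the ingress.
WATCHED = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNet-Mvc-Version")
# A dotted number such as 1.13.3 means a version is disclosed.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_headers(raw):
    """Parse a raw response header block (e.g. saved `curl -sI` output)."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def classify(raw, watched=WATCHED):
    """Map each watched header to removed / blank / product-only / version-exposed."""
    headers = parse_headers(raw)
    report = {}
    for name in watched:
        values = headers.get(name.lower())
        if values is None:
            report[name] = "removed"          # header absent (more_clear_headers)
        elif all(v == "" for v in values):
            report[name] = "blank"            # header present with empty value
        elif any(VERSION_RE.search(v) for v in values):
            report[name] = "version-exposed"  # e.g. nginx/1.13.3
        else:
            report[name] = "product-only"     # e.g. nginx
    return report

# Constructed sample responses, one per state described in the thread.
STOCK = "HTTP/1.1 200 OK\r\nServer: nginx/1.13.3\r\nX-Powered-By: PHP/7.2.1\r\n\r\n"
TOKENS_OFF = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/7.2.1\r\n\r\n"
BLANKED = "HTTP/1.1 200 OK\r\nServer: \r\nContent-Type: text/html\r\n\r\n"
CLEARED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("stock", STOCK), ("server-tokens off", TOKENS_OFF),
                       ("blank Server value", BLANKED),
                       ("more_clear_headers", CLEARED)]:
        print(label, classify(raw))
```

Running the classifier against saved response headers after each config change shows which state the controller actually ended up in, including backend headers such as X-Powered-By that server-tokens does not touch.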

@tomkerkhove

@bfin Thanks - Worked fine for me!

@mnpenner

Just FYI, more_clear_headers is [now] automatically applied when you set server-tokens: "false":

https://github.com/kubernetes/ingress-nginx/blob/1ecc0b3e86554bae8a747e4023ed630a93460901/rootfs/etc/nginx/template/nginx.tmpl#L305-L308

@Shaun-Harrison

@omerlh

Hi, from your code snippet it looks like you are using helm to deploy your charts, is this right?

I'm currently using helm to deploy to a Google Kubernetes cluster, but struggling to get the x-powered-by hide working.

My values.xml is:

nginx-ingress:
  controller:
    config:
      # https://github.com/nginxinc/kubernetes-ingress/issues/226
      # Disables showing PHP version
      proxy-hide-headers: "X-Powered-By"
      fastcgi-hide-headers: "X-Powered-By"
      # Disables showing nginx version
      server-tokens: "False"
      # Above works for NGINX Plus so may need the following
      http-snippet: |
        more_set_headers "Server: ";

But still can't get it to hide the php version

@Shaun-Harrison

Looks like I've finally cracked this

    config:
      # https://github.com/nginxinc/kubernetes-ingress/issues/226
      # Disables showing PHP version
      hide-headers: "Server, X-Powered-By"
      # Disables showing nginx version
      server-tokens: "False"
      # Above works for NGINX Plus so may need the following
      http-snippet: |
        more_set_headers "Server: ";

@ccurdt

ccurdt commented Jul 12, 2023

Using the helm chart from https://kubernetes.github.io/ingress-nginx, the correct configuration is

controller:
  config:
    # https://github.com/nginxinc/kubernetes-ingress/issues/226
    # Disables showing PHP version
    hide-headers: "X-Powered-By"
    # Disables showing nginx version
    server-tokens: "False"

@see kubernetes/ingress-nginx@466ba7d#diff-9d5b1b69cf78e84e6d53c19a176fa404dd4bb4fe7cfaabdc491ef725bcc8daed

@brianehlert
Collaborator

Thanks for the update on this 5 year old thread @ccurdt
However, be aware that the Helm chart for ingress-nginx is not compatible with this project.

I believe the way to handle this with this project would be to use snippets.
