5

My setup:

  • OS: Ubuntu 11.04
  • HTTP Server: nginx 1.2.1
  • (other irrelevant software - ruby, python, etc)

My problem:

I'm trying to completely mask the software which serves the pages (partly security, mostly because it's fun). I've managed to change the server name and remove the X-Powered-By header which php-fastcgi adds, but I'm having trouble removing three headers:

Client-Date: Thu, 14 Jun 2012 20:32:34 GMT
Client-Peer: 205.186.146.37:80
Client-Response-Num: 1

I have used more_clear_headers from the HttpHeadersMore module but that has no effect, despite being able to remove the X-Powered-By headers.

This is in my http block

more_set_headers "Server: Tesco Value";
more_clear_headers "X-Powered-By";
more_clear_headers "Client-*";
more_clear_headers "Client-Date";
more_clear_headers "Client-Response-Num";
more_clear_headers "Client-Peer";
more_clear_headers "X-Pingback";

add_header X-Required-Volume-Setting 11;
add_header X-Required-Speed 88mph;

# NEW: added in thanks to the answer from @kworr - but still doesn't work
fastcgi_hide_header "Client-Date";
fastcgi_hide_header "Client-Response-Num";
fastcgi_hide_header "Client-Peer";

If you run HEAD slightlymore.co.uk you'll see that neither explicit nor wildcard rules get rid of the header. I'm guessing that these headers are set after the output-header-filter phase - but I'd like to know if anyone has any more information on this, and especially if anyone has a solution.

UPDATE

@kworr suggested that fastcgi_hide_header might be what I'm looking for - but it still doesn't work. Perhaps it's just my system?

sysadmin1138
clinton3141

3 Answers

1

Those headers were not present in the HTTP response at all. Neither nginx nor php-fpm ever sent them, so trying to block them is pointless.

They are synthetic response headers added to the response by your user agent, libwww-perl.

If you don't wish to see them, make HTTP requests with some other library, such as libcurl.

Michael Hampton
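
The claim in the answer above can be checked by reading the response straight off the socket, with no HTTP library in between to add fields of its own. This is an added example, not part of the original answer; `wire_headers`, `client_side_only` and the local `DemoHandler` server are hypothetical names, and the server is a constructed stand-in so the check runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names from the question; the answer attributes them to libwww-perl.
LWP_REPORTED = ["Client-Date", "Client-Peer", "Client-Response-Num"]

def wire_headers(host, port, path="/", timeout=5.0):
    """Send a bare HEAD request; return (name, value) pairs exactly as received."""
    request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")[1:]  # element 0 is the status line
    return [(n.strip(), v.strip()) for n, sep, v in (l.partition(":") for l in lines) if sep]

def client_side_only(reported, on_wire):
    """Names a tool displayed that are absent from the bytes the server sent."""
    sent = {name.lower() for name, _ in on_wire}
    return sorted(n for n in reported if n.lower() not in sent)

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for the nginx host so the example runs offline."""
    server_version, sys_version = "Tesco Value", ""

    def do_HEAD(self):
        self.send_response(200)  # also emits the Server and Date headers
        self.send_header("X-Required-Speed", "88mph")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        on_wire = wire_headers("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    # What a tool that appends its own fields would display (constructed).
    displayed = [name for name, _ in on_wire] + LWP_REPORTED
    return on_wire, client_side_only(displayed, on_wire)
```

Pointing `wire_headers` at a real host and port gives the header set the server itself emits, which is the set that server-side directives can affect.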
0

I had this problem today.

I solved the problem with fastcgi_param, setting a blank ('') value for the fastcgi variable created from the prefix HTTP_ + the uppercased request header.

Example for header Client-Peer:

fastcgi_param HTTP_CLIENT_PEER '';
Dave M
Denis
-1

I think fastcgi_hide_header is what you really need.

kworr
  • I tried that but it doesn't seem to work either. I tried replacing `more_clear_headers`, using it as well as `more_clear_headers`, and tried all the different contexts, but the headers are still there :( Question updated accordingly. – clinton3141 Jun 17 '12 at 17:15
  • Your Nginx has to include the "headers more" [module](https://github.com/openresty/headers-more-nginx-module). You can check if it's built in with "nginx -V" - look for "headers-more-nginx-module" in the output. Building Nginx is [easy](https://www.photographerstechsupport.com/tutorials/hosting-wordpress-on-aws-tutorial-part-2-setting-up-aws-for-wordpress-with-rds-nginx-hhvm-php-ssmtp/#nginx-source). Once that's done, this is an example of a working way to clear headers: `more_clear_headers Server;` – Tim May 02 '17 at 20:14