15

I couldn't find any way to disable Passenger's X-Powered-By header:

X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11

Is it possible to do that without modifying its sources and removing headers on the HTTP server level?

Oleg Mikheev
  • I'm just curious, why do you want to disable these? – Marian Theisen Nov 28 '11 at 15:05
  • @MarianTheisen One valid reason IMO is that it makes the headers portion of the HTTP response heavier, and it's the only part of the request that can't be gzip'd... – Romain Nov 28 '11 at 15:06
  • Very quick Google search provided successful answer: http://groups.google.com/group/phusion-passenger/browse_thread/thread/2ca00a1f43c4c96d?pli=1 – Romain Nov 28 '11 at 15:07
  • @Romain a quick view at the link tells me that it falls into 'filtering headers out in HTTP server' – Oleg Mikheev Nov 28 '11 at 15:10
  • 2
    @MarianTheisen b/c having this kind of headers will fail a security audit of your application – Oleg Mikheev Nov 28 '11 at 15:11
  • @Oleg: Filtering the headers out is equivalent to removing them, though apparently for some reason that's not sufficient in your case? – Romain Nov 28 '11 at 15:14
  • @Romain filtering/removing/disabling whatever, I'm just trying to find a solution that would not require modification of my HTTP server config files, loading extra modules etc – Oleg Mikheev Nov 28 '11 at 15:18
  • You didn't specify which server you're using with passenger. Looking at the source it looks like nginx has a configuration item to strip the version string out, passenger_show_version_in_header, but it still adds a powered by Phusion header. – Khronos Nov 28 '11 at 15:31
  • @Khronos I did it on purpose because any "HTTP server" solution would be a workaround - 'filtering out' HTTP headers that were added by Passenger, and it will also require additional configuration of the HTTP server, while the pure solution would be telling Passenger not to add the headers (if that's possible at all -- that's what I'm trying to understand) – Oleg Mikheev Nov 28 '11 at 15:39
  • @Oleg Thanks, that's interesting to know. – Marian Theisen Nov 29 '11 at 07:29
  • 1
    @MarianTheisen I just failed a client security audit on exactly this point (and only this point, which is good!) – TerryS Jan 16 '13 at 15:24

5 Answers

21

On Apache you can unset headers:

# Hide/Remove the Passenger Headers
Header always unset "X-Powered-By"
Header always unset "X-Runtime"

It will not remove all names (since services such as Plesk will still append their name), but Passenger can be removed this way.

Kudos to John Trupiano: https://groups.google.com/forum/?fromgroups=#!topic/phusion-passenger/LKAKH0PEyW0

Robert
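Whichever layer does the stripping (Apache's Header always unset here, or an nginx directive in the other answers), what an audit actually looks at is the response on the wire. The following is an added example, not code from the thread or from Passenger, Apache or nginx: a small Ruby check that parses a raw HTTP response header block (what curl -sI prints) and reports the disclosure headers this thread is about (Server, X-Powered-By, X-Runtime), noting which of them still carry a version number. The three sample responses are constructed; BEFORE mirrors the header quoted in the question, VERSION_HIDDEN mirrors what shadowbq reports after server_tokens off and passenger_show_version_in_header off.

```ruby
# Added example: not from the thread and not Passenger/nginx/Apache code.
# Audits a raw HTTP response header block for disclosure headers.

# Header names this thread is about; lowercase for case-insensitive matching.
DISCLOSURE_HEADERS = %w[server x-powered-by x-runtime].freeze

# Parse "Name: value" lines into a hash keyed by lowercased name.
# Accepts CRLF or LF line endings and an optional leading status line.
def parse_headers(raw)
  lines = raw.split(/\r?\n/)
  lines.shift if lines.first.to_s.start_with?('HTTP/')
  lines.each_with_object({}) do |line, headers|
    name, value = line.split(':', 2)
    next if value.nil? || name.strip.empty?
    headers[name.strip.downcase] = value.strip
  end
end

# True when the value still contains something like "3.0.11".
# X-Runtime is a request timing, not a version, so it never counts.
def version_string?(name, value)
  return false if name == 'x-runtime'
  value.match?(/\d+\.\d+/)
end

# One finding per disclosure header present:
#   { header: 'x-powered-by', value: '...', version: true/false }
def disclosure_findings(raw)
  parse_headers(raw)
    .select { |name, _| DISCLOSURE_HEADERS.include?(name) }
    .map { |name, value| { header: name, value: value, version: version_string?(name, value) } }
end

# Constructed samples (not captured from a real server).
BEFORE = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx + Phusion Passenger 3.0.11
  X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
  X-Runtime: 0.012345
  Content-Type: text/html; charset=utf-8
HTTP

VERSION_HIDDEN = <<~HTTP
  HTTP/1.1 200 OK
  Server: nginx + Phusion Passenger
  X-Powered-By: Phusion Passenger
  Content-Type: text/html; charset=utf-8
HTTP

CLEAN = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
HTTP

# Human-readable report, e.g. for a CI step; returns true when clean.
def report(label, raw)
  findings = disclosure_findings(raw)
  puts "#{label}: #{findings.empty? ? 'clean' : "#{findings.size} disclosure header(s)"}"
  findings.each do |f|
    puts "  #{f[:header]}: #{f[:value]}#{f[:version] ? '  <-- version string' : ''}"
  end
  findings.empty?
end

if __FILE__ == $PROGRAM_NAME
  [['before', BEFORE], ['version hidden', VERSION_HIDDEN], ['clean', CLEAN]].each do |label, raw|
    report(label, raw)
  end
end
```

Note that hiding the version (the VERSION_HIDDEN case) still leaves two findings: the product name is disclosed even when the number is not, which is exactly the point the client audits mentioned in the comments complain about.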
12

Short answer: YES.

update: 2018

Use proxy_hide_header if downstream, or use more_clear_headers


Original Answer

I'll leave aside the fact that I use nginx+passenger, but you can completely remove them with

remove_header X-Header-Name-To-Remove;

So you can remove both by

server {
    ...
    remove_header X-Powered-By;
    remove_header X-Runtime;
    ...
}

This removes the headers; it can also go in a location directive instead of server.

..

Here are my common directives, as I leave 'apache prod' equiv on mine.

server {
    ...
    remove_header X-Runtime;
    server_tokens off;
    passenger_show_version_in_header off;
    ...
}

Provides a Server header like:

Server: nginx + Phusion Passenger
X-Powered-By: Phusion Passenger

This is the closest equiv of apache2 ServerTokens Prod directive that I can do.

shadowbq
  • if I get it right you're saying that there is a way to remove the version number, but not the header itself – Oleg Mikheev Jan 17 '14 at 05:34
  • You can do both. (see adjusted answer) – shadowbq Jan 17 '14 at 16:01
  • this certainly works, I thought the op requested that it not require modification in the front-end proxy server. – klochner Jan 20 '14 at 19:38
  • Ok sorry, while `passenger_show_version_in_header` is Passenger configuration, `remove_header` is an nginx directive, and that makes this answer not very correct – Oleg Mikheev Jan 21 '14 at 07:31
  • Actually, on my Ubuntu 12.04.4 LTS, `remove_header` didn't work. I used `more_clear_headers` of [HttpHeadersMoreModule](http://wiki.nginx.org/HttpHeadersMoreModule) (from `nginx-extras` package) and it worked ! – Anthony O. Feb 24 '14 at 14:41
  • nothing much to be done without HttpHeadersMoreModule (recompiling nginx) – Ben Jun 25 '15 at 21:29
  • 3
    `nginx: [emerg] unknown directive "remove_header"` – Ian Vaughan Mar 30 '16 at 23:19
7

Short answer: no.

There is no configuration option in passenger to disable the X-Powered-by, so you need to do one of

  • filter
  • edit source
  • monkeypatch

passenger code:

  #RequestHandler::process_request
  headers_output = [
    STATUS, status.to_i.to_s, CRLF,
    X_POWERED_BY, @passenger_header, CRLF
  ]

  #AbstractRequestHandler::initialize
  @passenger_header   = determine_passenger_header

  #AbstractRequestHandler::determine_passenger_header
  def determine_passenger_header
    header = "Phusion Passenger (mod_rails/mod_rack)"
    if @options["show_version_in_header"]
      header << " #{VERSION_STRING}"
    end
    if File.exist?("#{SOURCE_ROOT}/enterprisey.txt") ||
       File.exist?("/etc/passenger_enterprisey.txt")
      header << ", Enterprise Edition"
    end
    return header
  end
klochner
  • 1
    the patch seems to be primitive, why haven't they implemented something like that? do you think it would be worth sending it to them? – Oleg Mikheev Nov 29 '11 at 15:03
  • I bet it's a configuration parameter if you use with their paid support level. – klochner Nov 29 '11 at 16:11
  • 1
    ...and I thought it was the Java world that was getting too commercialized... :) – Oleg Mikheev Nov 29 '11 at 18:20
  • Thanks for posting this - quite helpful. We ended up just cutting this out of the Passenger source. – shedd Apr 27 '12 at 15:05
  • 2
    This answer is no more true as [`passenger_show_version_in_header off;`](http://www.modrails.com/documentation/Users%20guide%20Nginx.html#_passenger_show_version_in_header_lt_on_off_gt) now exists. – Anthony O. Feb 24 '14 at 14:45
  • @AnthonyO. - that hides the version number, but not the "x-powered-by" header – klochner Feb 24 '14 at 21:11
  • Yes, for that, one could use the [shadowbq's answer](http://stackoverflow.com/a/21177575/535203) by using `more_clear_headers` on Nginx or `Header always unset` on Apache – Anthony O. Feb 25 '14 at 11:07
  • @AnthonyO. - read the comment thread to shadowbq's answer or the comment thread to the question. The question specifically said 'without removing headers at HTTP server level', meaning nginx/apache. So the answer is still "No". – klochner Feb 26 '14 at 03:57
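klochner's "filter, edit source, or monkeypatch" list has a corollary that the quoted code makes visible: X-Powered-By is written by Passenger's RequestHandler after the Rack application has returned, so nothing inside the Rack stack can remove it, whereas X-Runtime (added by Rack::Runtime in a Rails app) can be dropped at the application level without touching Apache or nginx. The following is an added example, not code from the thread or from Passenger: a Rack middleware that deletes disclosure headers, run against a constructed stand-in app and a constructed serializer that only mimics the header ordering of the quoted process_request. Both stand-ins are assumptions for the demonstration, not Passenger's real code.

```ruby
# Added example: not from the thread and not Passenger's own code.
# Rack middleware that drops disclosure headers emitted by the application layer.
class StripHeaders
  DEFAULT_NAMES = %w[x-runtime x-powered-by server].freeze

  # app: the next Rack app; names: header names to drop (case-insensitive,
  # because Rack 3 lowercases header names while Rack 2 apps keep mixed case).
  def initialize(app, names = DEFAULT_NAMES)
    @app = app
    @names = names.map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.delete_if { |name, _| @names.include?(name.to_s.downcase) }
    [status, headers, body]
  end
end

# Constructed stand-in for a Rails app: Rack::Runtime has added X-Runtime.
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain', 'X-Runtime' => '0.012' }, ['ok']]
end

# Constructed stand-in for Passenger's request handler, modelled only on the
# ordering shown in the quoted process_request excerpt: it writes the status
# line and X-Powered-By itself, then the headers the Rack stack returned.
# This is a simulation for the example, not Passenger's code.
def passenger_like_serialize(status, headers)
  lines = ["HTTP/1.1 #{status}", 'X-Powered-By: Phusion Passenger (mod_rails/mod_rack)']
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# Run the middleware-wrapped app and serialize the way the stand-in does.
def run_stack(env = {})
  status, headers, _body = StripHeaders.new(INNER_APP).call(env)
  passenger_like_serialize(status, headers)
end

# Lowercased header names present in a raw response, status line excluded.
def header_names(raw)
  raw.split("\r\n").drop(1).reject(&:empty?).map { |line| line.split(':', 2).first.downcase }
end

if __FILE__ == $PROGRAM_NAME
  puts run_stack
end
```

Running it shows X-Runtime gone and X-Powered-By still present: the middleware saw and removed the former, but the latter was never part of the Rack response it had access to. That is why the answers end up at the HTTP server (or at a source change) for X-Powered-By, while X-Runtime can also be handled in the application.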
6

more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime'; works for me as mentioned in http://www.michaelrigart.be/en/blog/nginx-and-passenger-install-in-production-environment.html.

Max
  • you need to make sure that the ngx_headers_more module (https://github.com/openresty/headers-more-nginx-module#more_clear_headers) is active – simo Feb 09 '21 at 16:31
4

To completely remove X-Powered-By and Server headers from Nginx+Passenger and not just hide versions, add this to your http block in nginx.conf:

server_tokens off;
more_clear_headers Server;
more_clear_headers X-Powered-By;

You could also set your own:

more_set_headers "Server: ACME";

This will work even if passenger_show_version_in_header off; is not set, but it might be smart to add it as well, just in case.

Remember to restart the server for these to take effect. You should test your config before restarting though: sudo nginx -t.

Information via calvin.my

Mikael Korpela