How to hide NGINX server information in elastic beanstalk express application? - express

I have been grappling with this problem for a few days now. No matter what I do, my application server keeps returning the NGINX version in the HTTP response headers, and it doesn't meet OWASP security recommendations:
The Dreaded Server Information Response
I have tried to manually edit the server response in Express in every way I can think of, but the server version keeps showing up despite all of this (Express function attempting to remove server response headers in the overarching app.js file):
app.use(function(req, res, next) {
    res.removeHeader('server');
    res.removeHeader('Server');
    res.removeHeader("x-powered-by");
    res.header("X-powered-by", "Blood, sweat, and tears.");
    next();
});
I have tried a whole bunch of .ebextensions to modify the nginx.conf file manually on deployment, but none with success, such as the one outlined here: How to hide nginx version in elastic beanstalk
Recently I decided 'screw it, I'm just going to upload my own nginx.conf file' and have been putting that up, but still no success. Here is the nginx.conf file I'm sending to AWS EB in platform/nginx/conf.d:
user nginx;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 33282;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    include conf.d/*.conf;
    more_clear_headers Server;
    server_tokens off;
    more_set_headers 'Server: BLOOD_AND_SWEAT';

    map $http_upgrade $connection_upgrade {
        default "upgrade";
    }

    server {
        listen 80 default_server;
        root /var/app/current/public;

        location / {
        }

        access_log /var/log/nginx/access.log main;
        client_header_timeout 60;
        client_body_timeout 60;
        keepalive_timeout 60;
        gzip off;
        gzip_comp_level 4;
        more_clear_headers Server;
        server_tokens off;
        more_set_headers 'Server: BLOOD_AND_SWEAT';

        # Include the Elastic Beanstalk generated locations
        include conf.d/elasticbeanstalk/01_static.conf;
        include conf.d/elasticbeanstalk/healthd.conf;
    }
}
I have been trying everything and anything for days.
What have I been doing wrong here? Why is this NGINX server information so hard to get rid of!!!??
I think I have made contact with the devil himself, and he cannot be slain.

From this document:
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
You can just set server_tokens to off in the http { } section, something like this:
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #tcp_nodelay on;
    server_tokens off;
    include /etc/nginx/conf.d/*.conf;
}

Many thanks to Fahim from IntelG, who found the problem here.
I had missed the dot in front of platform. As stated in the question above, I was saving the conf file in
platform/nginx/conf.d
when it should have been
.platform/nginx/conf.d
So much time wasted on such a stupid thing!!!
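Once the .platform fix is deployed, the thing to verify is the response as seen from outside, since neither the Express middleware nor the config file tells you what the edge actually emits. The following is an added example (not code from the question or the answers): audit_headers() flags Server / X-Powered-By style headers that name a product or carry a version token, and fetch_headers() pulls the headers of a live URL with the standard library. The header list, the product regex and the two sample header sets (BEFORE, mirroring the question's symptom, and AFTER, mirroring the self-answer's result) are constructed assumptions.

```python
"""Audit HTTP response headers for server/version disclosure.

Added example: audit_headers() works on any mapping of header names to
values, so it runs offline against the constructed samples below;
fetch_headers() is the only part that touches the network.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Headers that commonly disclose the software stack (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Product name followed by a version token, e.g. "nginx/1.20.0" or "PHP/7.4".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")

# Bare product names worth flagging even without a version (assumed list).
PRODUCT_RE = re.compile(r"nginx|apache|express|php|iis|tomcat", re.IGNORECASE)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that leaks stack details; empty means clean.

    Header names are matched case-insensitively. A header carrying a
    product/version token is reported as a version disclosure, one that
    only names the software as a product disclosure.
    """
    findings: List[str] = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(f"{name}: version disclosed ({value!r})")
        elif PRODUCT_RE.search(value):
            findings.append(f"{name}: product disclosed ({value!r})")
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Send a HEAD request and return the response headers (network call)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return dict(err.headers.items())


# Constructed samples: the symptom from the question (nginx version still
# emitted, Express announcing itself) and the result once the .platform
# nginx config is picked up (server_tokens off plus custom values).
BEFORE = {
    "Server": "nginx/1.20.0",
    "X-Powered-By": "Express",
    "Content-Type": "text/html",
}
AFTER = {
    "Server": "BLOOD_AND_SWEAT",
    "X-powered-by": "Blood, sweat, and tears.",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE
    for finding in audit_headers(headers) or ["no stack disclosure found"]:
        print(finding)
```

Run it with the deployed URL as the first argument; with no argument it audits the constructed BEFORE sample. A custom Server value passes the audit, but note that removing the header entirely still requires a module such as headers-more, which is what the question's more_clear_headers line relies on.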

Related

Basic Nginx config

Background: I'd been using just Node/Express.js over HTTPS, like so:
const httpsOptions = {
    key: fs.readFileSync('config/example_com.key'),
    cert: fs.readFileSync('config/example_com.crt'),
    ca: [
        fs.readFileSync('config/COMODORSAAddTrustCA.crt'),
        fs.readFileSync('config/COMODORSADomainValidationSecureServerCA.crt')
    ]
};
https.createServer(httpsOptions, app).listen(port, function () {
});
All has been working fine, with HTTPS establishing fine. Now I have a goal to i) help with the server load; and ii) route to a static page that says "Too many people here now, please try again later" if there is too much traffic (rather than crashing the site).
To do that, I'm just trying to migrate to nginx as a reverse proxy on the same server, with everything else the same, and it just won't do at all!
The latest I tried, it's "403 Forbidden" when I go to https://www.example.com/images/picture.jpg
Can anyone please help proofread my current setup?
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl default_server;
        listen [::]:443 default_server;
        server_name example.com www.example.com;
        ssl on;
        ssl_certificate /home/ec2-user/MIP/config/example_com.crt;
        ssl_certificate_key /home/ec2-user/MIP/config/example_com.key;

        if ($http_host = www.example) {
            return 302 https://example.com$request_uri;
        }

        root /home/ec2-user/MIP/views;
        include /etc/nginx/default.d/*.conf;

        location / {
            return 302 https://www.example.com$request_uri;
        }

        location /images/ {
            root /home/ec2-user/MIP/public;
        }
    }
}
Yes, I do have a .jpg file at /home/ec2-user/MIP/public/images/picture.jpg, and I've done chmod +r on this file.
Also, for the record, for now I have run sudo killall node, because otherwise when I do "sudo service nginx start" it complains: "Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details."
Many thanks in advance.
[UPDATE]
For the record, I've actually got the routing to external link bit working by:
location /images/ {
    return 302 https://<bucketName>.s3-us-west-2.amazonaws.com/public$request_uri;
}
Now I'm only struggling with serving internal content from an absolute path, which has been giving me 403 Forbidden even though I've done chown -R on the public folder and chmod +r on the file too:
location /js/ {
    root /home/ec2-user/MIP/public/;
}

CentOS 6.9: Nginx not working as reverse proxy with Apache. Error 400 Bad request

I've installed nginx 1.12.1 as a reverse proxy in front of a working Apache httpd 2.4.25 x64.
I have a VMware virtual machine with CentOS 6.9. I have a working stack: Apache httpd 2.4.25 ---(mod_jk 1.2.42)---Tomcat 7.0.81---(JDBC)---MySQL server 5.7.19.
Now I've installed and configured Nginx to work in front of Apache (reverse proxy).
It has not worked for three days (using curl or the Mozilla browser).
The error message is 400 Bad Request: Request Header Or Cookie Too Large
Could someone help me?
Here is my /etc/nginx/nginx.conf:
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.core.log warn;
pid /var/run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.core.log main;
    sendfile on;
    keepalive_timeout 65;
    client_max_body_size 200M;
    client_body_buffer_size 32k;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 64k;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    include /etc/nginx/conf.d/*.conf;
}
My default server config:
server {
    listen 80;
    server_name localhost;
    charset utf-8;
    access_log /var/log/nginx/access.http.mydomain.log;
    error_log /var/log/nginx/error.http.mydomain.log;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        root /opt/rh/httpd24/root/var/www/html/html;
        index index.html index.htm;
        include /etc/nginx/conf.d/proxy.inc;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
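The 400 "Request Header Or Cookie Too Large" text comes from nginx itself when a single request header field does not fit into one of the large_client_header_buffers (an oversized request line gives 414 instead), so the first thing to establish is which header line is the big one. The following is an added example, not code from the question: it applies that per-line rule to a raw request captured from a client (the size parser, the 64k default and the sample request with its 70,000-byte cookie are constructed assumptions; check against the real request, for example one saved from curl --trace or a browser's copy-as-raw).

```python
"""Find which request header line would overflow nginx's header buffers.

Added example: nginx reads the request line and each header field into a
client_header_buffer_size buffer first and, when that is too small, into
one of the large_client_header_buffers. A field that does not fit into
one large buffer yields 400 "Request Header Or Cookie Too Large". The
sample request below is constructed.
"""
from typing import List, Tuple

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_size(spec: str) -> int:
    """Convert an nginx size such as '64k' or '200M' to bytes."""
    spec = spec.strip().lower()
    unit = spec[-1] if spec[-1] in "km" else ""
    number = spec[:-1] if unit else spec
    return int(number) * UNITS[unit]


def oversized_header_lines(raw_request: bytes, large_buffer: str = "64k") -> List[Tuple[str, int]]:
    """Return (field name, line size) for each header line larger than one large buffer.

    The request line is reported as '<request line>'. Sizes include the
    terminating CRLF, which has to fit into the buffer as well.
    """
    limit = parse_size(large_buffer)
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings: List[Tuple[str, int]] = []
    for index, line in enumerate(head.split(b"\r\n")):
        size = len(line) + 2
        if size <= limit:
            continue
        if index == 0:
            name = "<request line>"
        else:
            name = line.split(b":", 1)[0].decode("latin-1").strip()
        findings.append((name, size))
    return findings


# Constructed request: an ordinary POST whose Cookie header (70,000 bytes of
# session data) is larger than the 64k buffers from the nginx.conf above.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mydomain.example\r\n"
    b"User-Agent: curl/7.29.0\r\n"
    b"Cookie: session=" + b"a" * 70000 + b"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, size in oversized_header_lines(SAMPLE_REQUEST, "64k"):
        print(f"{name}: {size} bytes exceeds one 64k buffer")
```

If no line in the captured request exceeds the configured buffer, the 400 is not being produced by the nginx.conf shown, and the next place to look is whichever server in the chain (Apache on 8080 behind proxy_pass, or another nginx include) answers with that text.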

502 bad gateway error (nginx + unicorn + digital ocean)

I struggled for a few hours to fix this issue, but it still doesn't work. The error I see in my browser is:
POST /users 502 (Bad Gateway)
I know that it's a problem with the nginx and unicorn setup, but I can't solve it. By the way, I deployed my code using DigitalOcean. Here is my config file.
Unicorn config (nginx.conf):
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    server_names_hash_bucket_size 64;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;

    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
}
Unicorn config file (/var/nginx/unicorn.conf):
upstream unicorn {
    server unix:/tmp/unicorn.sock fail_timeout=0;
}

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /root/certs/server.crt;
    ssl_certificate_key /root/certs/server.key;
    client_max_body_size 4G;
    keepalive_timeout 15;
    root /var/www/quoine/current/public;
    # Named locations are written with a leading "@" (a "#" would start a comment).
    try_files $uri @unicorn;

    location ~ ^/assets|app/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    location = /app/ {
        rewrite $uri $uri/index.html;
    }

    location = /app/index.html {
        add_header Pragma "no-cache";
        add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate";
        add_header Expires "Fri, 01 Jan 1990 00:00:00 GMT";
    }

    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://unicorn;
    }

    if (-f $document_root/system/maintenance.html) {
        return 503;
    }

    error_page 500 502 504 /500.html;
    location = /500.html {
        root /var/www/quoine/current/public;
    }

    error_page 503 @maintenance;
    location @maintenance {
        rewrite ^(.*)$ /system/maintenance.html break;
    }
}
I'm using Rails 3. If anyone has any idea about this problem, please tell me. It has taken me 3 hours without any progress. Thanks.
Can you provide the config you've got for unicorn too (the files you've provided are both for nginx). An example of what it should look like is in the first part of the "Configuring Servers" entry here: https://www.digitalocean.com/community/tutorials/how-to-deploy-rails-apps-using-unicorn-and-nginx-on-centos-6-5
I ran across this trying to figure out why I was getting 502 errors after using the 1-click install for Digital Ocean - and using a different version of Ruby.
I found my answer by looking at this guide: https://www.digitalocean.com/community/tutorials/how-to-use-the-1-click-ruby-on-rails-on-ubuntu-14-04-image
My issue was the following from the guide:
Once you have the location of Ruby that you are using by default,
change /etc/default/unicorn pathnames to include /usr/local/rvm/rubies
subfolder and /usr/local/rvm/gems subfolders for the newly installed
version as well as location of unicorn
Hope this helps someone.

Adding expire headers in nginx

It used to be so easy to set header expiration with Apache mod_headers, but I am having a hard time figuring out where to add it in the nginx config file.
This is my nginx.conf:
#user nginx;
worker_processes 1;
#error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
#pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #tcp_nodelay on;
    tcp_nodelay on;
    gzip on;
    gzip_http_version 1.1;
    #gzip_http_version 1.0;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/html text/css application/x-javascript text/xml;
    #gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    server_tokens off;
    include /etc/nginx/conf.d/*.conf;
}
Where should I add the header expiration part like
location ~* \.(js|css)$ {
    expires 30d;
}
I tried adding it inside "http" or including in another block "server", but it generates errors like unknown directive "server" or "location".
It is just as easy to add expires headers in nginx. You need to place your location block inside a server block. There must be a default file in /your/nginx_dir/sites-enabled/.
If there is, you can edit it directly and add your location block inside it, or you can copy the whole content of the default file into the http block of your nginx.conf.
If you choose to edit the default file in place, don't forget to add a line like this in your nginx.conf:
include /etc/nginx/sites-enabled/*;
If you can't find the default file, just edit your nginx.conf so it looks like this:
#....
server_tokens off;
#up to here the conf is the same as yours
#edit starts here, just add this server block
server {
    #default_server is not necessary but is useful if you have many servers
    #and want to capture requests where the host header doesn't match any server name
    listen 80 default_server;
    #requests with host header that matches server name will be handled by this server
    server_name your.domain.com localhost;
    #change your document root accordingly
    root /path/to/your/html/root;
    #you can have as many location blocks as you need
    location ~* \.(js|css)$ {
        expires 30d;
    }
}
#end of conf changes
include /etc/nginx/conf.d/*.conf;
Since you are coming from Apache, just think of nginx's server as Apache's VirtualHost. Don't forget to reload nginx after each change in the conf files.
Check inside /etc/nginx/conf.d/; you'll probably find a file called default, and you'll find the location / block inside it.
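The "unknown directive" errors in the question come from the block nesting, not from the expires line itself: location is only valid inside server (or another location), and server only inside http. Below is an added example, not code from the question or the answer: a small tokenizer for the nginx configuration syntax and a nesting check using a table of allowed parent contexts. The table is an assumed subset of nginx's rules and the check ignores directive arguments, so nginx -t remains the authority; the two sample configurations are constructed from the question's layout and the answer's recommended layout.

```python
"""Check where a location block sits in an nginx configuration.

Added example: tokenizer for the nginx config syntax (directives end in
';', blocks are '{ ... }', '#' starts a comment, quotes group an
argument) plus a nesting table for the block directives this page uses.
"""
from typing import List

# Contexts in which each block directive may be opened (assumed subset).
ALLOWED_PARENTS = {
    "events": {"main"},
    "http": {"main"},
    "server": {"http"},
    "location": {"server", "location"},
    "upstream": {"http"},
    "map": {"http"},
}


def tokenize(text: str) -> List[str]:
    """Split config text into argument words and the punctuation ';', '{', '}'."""
    tokens: List[str] = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":  # comment runs to the end of the line
            while i < n and text[i] != "\n":
                i += 1
        elif c in ";{}":
            tokens.append(c)
            i += 1
        elif c in "'\"":  # quoted argument, kept without its quotes
            end = text.find(c, i + 1)
            if end == -1:
                raise ValueError(f"unterminated quote at offset {i}")
            tokens.append(text[i + 1:end])
            i = end + 1
        else:
            start = i
            while i < n and not text[i].isspace() and text[i] not in ";{}#'\"":
                i += 1
            tokens.append(text[start:i])
    return tokens


def check_nesting(text: str) -> List[str]:
    """Return a list of nesting errors; an empty list means the nesting is valid."""
    errors: List[str] = []
    context = ["main"]          # stack of open blocks, outermost first
    pending: List[str] = []     # words of the directive currently being read
    for tok in tokenize(text):
        if tok == ";":
            pending = []
        elif tok == "{":
            name = pending[0] if pending else "<anonymous>"
            if name in ALLOWED_PARENTS and context[-1] not in ALLOWED_PARENTS[name]:
                errors.append(f'"{name}" directive is not allowed here (inside "{context[-1]}")')
            context.append(name)
            pending = []
        elif tok == "}":
            if len(context) == 1:
                errors.append("unexpected '}'")
            else:
                context.pop()
            pending = []
        else:
            pending.append(tok)
    if len(context) > 1:
        errors.append(f'unexpected end of file, "{context[-1]}" block is not closed')
    return errors


# Constructed: the layout behind the question's error (location directly under http).
LOCATION_UNDER_HTTP = r"""
http {
    include mime.types;
    server_tokens off;
    location ~* \.(js|css)$ {
        expires 30d;
    }
}
"""

# Constructed: the layout the answer recommends (location inside a server block).
LOCATION_UNDER_SERVER = r"""
http {
    include mime.types;
    server_tokens off;
    server {
        listen 80 default_server;
        server_name your.domain.com localhost;
        root /path/to/your/html/root;
        location ~* \.(js|css)$ {
            expires 30d;
        }
    }
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOCATION_UNDER_HTTP
    for err in check_nesting(text) or ["nesting OK"]:
        print(err)
```

Pass a path to a config file to check it; include directives are not followed, so run it on the file that actually contains the server block you are editing.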

Assets not loading in production for rails app

The current app I am running is working just fine in production on its Ubuntu server. But now I've had to configure a Red Hat Enterprise Linux 5.5 server to deploy the app to, and I am running into some issues. First of all, some specs:
rails version: 3.2.11
ruby: 1.9.3-p194
HTTP server: nginx + unicorn
managing ruby environment with rbenv
deploy method: capistrano
My nginx.conf and unicorn config file are based on Ryan Bates's videos. So I managed to get almost everything configured. I can deploy, connect to the database, etc. However, when I visit my app's page, all of the assets fail to load. And when I go into my console it says they failed because of a 403 Forbidden error. I checked, and the assets are in the correct place: apps/my_app/shared/assets. But I keep getting this 403 error.
What I've tried so far:
checked the permissions to parent folders and the actual asset files. They all had at least read permissions for everyone
changed config.assets.compile to true
Followed instructions here rails deployment using nginx & unicorn: 403 forbidden error, which recommends removing the default files in conf.d and symlinking my custom nginx config file to /etc/nginx/conf.d as opposed to .../sites-enabled
Any thoughts or ideas why I am getting a 403?
Edit 1: add /etc/nginx/nginx.conf file
Not sure if this helps but this is what the nginx.conf file (under /etc/nginx) looks like (not my custom nginx file):
events {
    worker_connections 1024;
}

#----------------------------------------------------------------------
# HTTP Core Module
#
# http://wiki.nginx.org/NginxHttpCoreModule
#
#----------------------------------------------------------------------

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    #
    # The default server
    #
    server {
        listen 80;
        server_name _;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }

        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # Load config files from the /etc/nginx/conf.d directory
    include /etc/nginx/conf.d/*.conf;
}
Also, I noticed that under /etc/nginx there are nginx.conf and nginx.conf.default files, does anyone know the difference? Maybe the issue could be there?
Edit 2: Add entry from nginx log file
So I found this in the nginx log file. So maybe it is a permissions issue that could be fixed with a chmod?
2013/03/24 20:50:53 [error] 10851#0: *5 open() "/home/webapp/apps/my_app/current/public/assets/application-db22bc3811b126e586f5e82e794e7ee4.css" failed (13: Permission denied)
Edit 3: Update /etc/nginx/nginx.conf
user nginx;
worker_processes 2;
# error_log logs/error.log;
# error_log logs/error.log notice;
# error_log logs/error.log info;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 60;
    gzip on;
    include /etc/nginx/conf.d/*.conf;

    # INSIDE THE /etc/nginx/conf.d/*.conf FILE #
    server {
        listen 80 default deferred;
        # server_name example.com;
        root /home/webapp/apps/my_app/current/public;

        location ^~ /assets/ {
            gzip_static on;
            expires max;
            add_header Cache-Control public;
        }

        # Named locations are written with a leading "@" (a "#" would start a comment).
        try_files $uri/index.html $uri @unicorn;
        location @unicorn {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_pass http://unicorn;
        }

        error_page 500 502 503 504 /500.html;
        client_max_body_size 4G;
        keepalive_timeout 10;
    }
}
So I managed to fix this, in part thanks to advice in this article: http://nginxlibrary.com/403-forbidden-error/
For all the directories leading up to the asset files, I set the directory permissions with chmod 775. And then for all the assets (application.js, etc.) inside apps/my_app/shared/assets I gave the files the same permission, chmod 775.
And that did the trick. In the article I linked to, the author mentions the need for the asset files to have both read and execute permissions, not just read.
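Both 403 cases on this page (the picture.jpg under /home/ec2-user in the "Basic Nginx config" question and the "open() ... failed (13: Permission denied)" from the Rails assets question) come down to the same check: the nginx worker user, which is normally neither the owner nor the group of anything under a user's home directory, needs the "other" search bit (o+x) on every directory along the path and o+r on the file. chmod +r on the file alone cannot fix a directory that blocks traversal, which is why the last answer had to change the directories too. The following is an added example, not code from either question or answer: path_access_report() reads the mode bits of each path component, and build_demo_tree() constructs a temporary tree shaped like the first question's path with the home directory at 0700 (the usual default), so the report can be seen without touching a real server. The function names and the demo layout are assumptions.

```python
"""Explain an nginx 403 / "Permission denied" on a static file by walking its path.

Added example: the check reads the "other" bits from st_mode, so the
result does not depend on which user runs the script. The demo tree is
constructed in a temporary directory.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def path_access_report(path: str) -> List[str]:
    """List every component of `path` that blocks 'other' users; empty means reachable."""
    problems: List[str] = []
    path = os.path.abspath(path)
    # Collect "/", "/home", "/home/ec2-user", ... down to the file itself.
    prefixes = []
    current = path
    while True:
        prefixes.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    for component in reversed(prefixes):
        try:
            mode = os.stat(component).st_mode
        except FileNotFoundError:
            problems.append(f"{component}: does not exist")
            break
        if stat.S_ISDIR(mode):
            if not mode & stat.S_IXOTH:  # search bit needed to reach anything below
                problems.append(f"{component}: directory lacks o+x ({stat.filemode(mode)})")
        elif not mode & stat.S_IROTH:
            problems.append(f"{component}: file lacks o+r ({stat.filemode(mode)})")
    return problems


def allow_traversal(directory: str) -> None:
    """The last answer's fix reduced to the one missing bit: make the directory searchable."""
    os.chmod(directory, os.stat(directory).st_mode | stat.S_IXOTH)


def build_demo_tree() -> Tuple[str, str]:
    """Construct <tmp>/ec2-user/MIP/public/images/picture.jpg with ec2-user at 0700.

    Returns (file path, home directory path). Everything except the home
    directory is world-readable, as after the chmod +r from the question.
    """
    base = tempfile.mkdtemp(prefix="nginx403-")
    os.chmod(base, 0o755)  # mkdtemp creates the directory 0700
    home = os.path.join(base, "ec2-user")
    images = os.path.join(home, "MIP", "public", "images")
    os.makedirs(images)
    picture = os.path.join(images, "picture.jpg")
    with open(picture, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xd9")  # constructed: JPEG start/end markers only
    os.chmod(picture, 0o644)
    for d in (images, os.path.dirname(images), os.path.dirname(os.path.dirname(images))):
        os.chmod(d, 0o755)
    os.chmod(home, 0o700)
    return picture, home


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()[0]
    for line in path_access_report(target) or [f"{target}: reachable by other users"]:
        print(line)
```

Run it with the file path from the nginx error log as the argument. The report only covers classic mode bits; on CentOS or RHEL hosts with SELinux enforcing, a file that passes this check can still be denied, which is visible in the audit log rather than in nginx's error log.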