This post is rather a note to myself just in case the next time I want to recompile a new nginx server (I recently compiled a new nginx release in order to enable support for the new brotli encoding and http2 protocol)
The exact file that you need to change is :
/nginx-1.13.7/src/http/ngx_http_header_filter_module.c
Here’s a snippet of what you need to change:
static u_char ngx_http_server_string[] = "Server: yourservername" CRLF;
static u_char ngx_http_server_full_string[] = "Server: yourservername/1.0" CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
replace NGINX_VER and NGINX_VER_FULL with your own string.
IMPORTANT: Do not redefine NGINX_VER constant!
Do not redefine NGINX_VER constants as it would be used in various installation scripts after compilation. For example, the Let’s Encrypt “certbot” tool is dependent on the factory setting of NGINX_VER constant.
BONUS: Change default error page
You can further confuse various network scanners by changing the nginx built-in default error page. Although you can change 4xx and 5xx error page easily in server configuration. Nmap is known to detect nginx installation by looking into the nginx built-in error page.
In order to prevent nmap from further detecting your webserver version and configuration, you can change the default built-in error page using through this file:
/nginx-1.13.7/src/ngx_http_special_response.c
Look for these lines:
static u_char ngx_http_error_full_tail[] =
"<p> </p><hr><center>Copyright © 2018 Mohammad Hafiz bin Ismail (mypapit at gmail.com )" CRLF
"<br /><small><a href=\"https://blog.mypapit.net\">Mypapit Personal Blog</a></small></center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
And change the HTML tags accordingly to suit your need, note that you can remove NGINX_VER_BUILD entirely to hide your NGINX version.
You can also customized the built in HTTP code special response, from this :
static char ngx_http_error_502_page[] =
"<html>" CRLF
"<head><title>502 Bad Gateway</title></head>" CRLF
"<body bgcolor=\"white\">" CRLF
"<center><h1>502 Bad Gateway</h1></center>" CRLF
;
to include the “Viewport” meta-tag in order to support mobile devices:
static char ngx_http_error_502_page[] =
"<html>" CRLF
"<head>" CRLF
"<link href=\"https://fonts.googleapis.com/css?family=Lato|Slabo+27px\" rel=\"stylesheet\" />" CRLF
"<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">" CRLF
"<title>502 Bad Gateway</title></head>" CRLF
"<body>" CRLF
"<h1>502 Bad Gateway</h1>" CRLF
"<p>Somebody just fucked up at our end :(</p>" CRLF
;
Just make sure you test the nginx configuration after compiling before deploying it in production environment.
Further Reading: Compiling nginx
A rather complete nginx compiling guide can be found from these websites:
- How to Compile Nginx From Source on Ubuntu 16.04
- Install Nginx from source code on Ubuntu 14.04 LTS