Skip to content

Instantly share code, notes, and snippets.

@X448NAX

X448NAX/hide-modify-nginx-server-string.md

Created December 25, 2021 08:20
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save X448NAX/4ec53b4501b3dc5cfb430617c9d09660 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save X448NAX/4ec53b4501b3dc5cfb430617c9d09660 to your computer and use it in GitHub Desktop.
Download ZIP
How to hide and customise the server info in the HTTP header for Nginx on Ubuntu server (good security practice and a bit of fun)
Raw
hide-modify-nginx-server-string.md

How to hide and customise the Nginx server string in the HTTP header on Ubuntu

Note: only tested on Ubuntu 20.04.3 LTS. Should work with other versions of Ubuntu Server as well as distros based on Ubuntu or Debian.

Based on reading it seems to not be so easy for other distros however. If you use a distro not derived from Ubuntu or Debian you may need to compile Nginx yourself.

But assuming you're running an Ubuntu server, all you need to do is run this command:

sudo apt install libnginx-mod-http-headers-more-filter

A lot of guides online (see Stack Overflow link above) suggested you needed to install the entire nginx-extra package. Nope, you can just install that one extra module, no need to install a load of extra stuff you don't want.

What is this for?

When you run any web server or reverse proxy, it sends a string in the HTTP header that basically tells any piece of software connecting to it the name and version by default.

Most of the time there is no benefit at all to broadcasting this information for the internet to see as it's not something browsers or apps need to know, but it is useful info to adversaries who may wish to attempt to gain unauthorised access to your server ("hack" into it).

As such, it's a good idea to stop your server from broadcasting this information everywhere.

The standard Nginx package you get when you type sudo apt install nginx into Ubuntu doesn't provide a feature that allows you to do this. It does provide a simple setting that hides the version which is helpful, but it still shows you are running Nginx.

So let's apply that function to hide the version, then use the newly exposed config option from libnginx-mod-http-headers-more-filter to change the Nginx string in the HTTP header too!

How to do it - TL;DR version

  1. sudo apt install libnginx-mod-http-headers-more-filter
  2. sudo nano /etc/nano/nginx.conf
  3. Scroll down a little until you see the line # server_tokens off;
  4. Remove the # so it just says server_tokens off;
  5. Now make a new line below it and paste more_set_headers "Server: Molly Percocet";
  6. Not a Future fan? I question your taste, but feel free to change the string to say whatever you like, just make sure you keep the Server: bit there. So more_set_headers "Server: Chase a check never chase a bitch"; will work but more_set_headers "Chase a check never chase a bitch"; will likely throw an error.
  7. Save that file
  8. Optionally, if you want different virtualhosts, subdomains, etc to show different server strings, you can add a more_set_headers directive to individual configuration files too. This way foo.example.com and bar.example.com can show different server versions. Or if you run multiple domains from the same VPS you can also make foo.com and bar.com show different server strings on their respective HTTP headers too. You get the idea.
  9. When you're done just run sudo systemctl restart nginx and your changes will take effect instantly.
  10. You can check it's working here: https://httpstatus.io or by running curl -I https://example.com

Can I seriously just make it say whatever I want?

Server Name

Yep!

It's not working!

If, even after rebooting the server fully, you still don't see the custom string, and you installed the module and set the directives correctly in the configs, what is showing instead? Is it Nginx or the name of the web app you're reverse proxying to?

If you are using Nginx as a reverse proxy, open up the config file for the reverse proxy and look for a line that says proxy_pass_header Server; and try commenting it out or just deleting it. If you are only setting the new server name in the individual config files, not the global nginx.conf file, also make sure you set both server_tokens off; and more_set_headers "Server: Blah Blah Blah"; inside the reverse proxy block, even if they're already set outside of it.

That not the problem? Run sudo systemctl status nginx to get a better idea of what's going on. Nginx as a rule provides useful error messages so if it doesn't make sense to you, odds are pasting it into Google/DDG will net a solution.

Important note

While this does allow you to fully customise the server name provided by the HTTP header, the Nginx string will still show up in error messages. To fix this just install custom error pages. There's many nicely designed custom ones on GitHub. These are quite comprehensive and minimalist like an error message should be. They're not branded with the name of your server software at all. And as they're simple HTML files they're easy to customise to your own needs too. This can be automated with the template if you have Jekyll installed.

To actually install them on your Nginx server you can follow the basic tutorial here.

Bish bash bosh m8.

@Paper-Folding
Copy link

Paper-Folding commented Nov 27, 2025

"sudo apt install libnginx-mod-http-headers-more-filter"

Not working on Ubuntu 24.04.1

The following packages have unmet dependencies:
 libnginx-mod-http-headers-more-filter : Depends: nginx-abi-1.24.0-1
E: Unable to correct problems, you have held broken packages.

I'm currently using nginx/1.27.2 from the following repo:

/etc/apt/sources.list.d/nginx.list
deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu noble nginx

Same here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment