From 2a51301a5db074edc9060a99b07b56faa48d8714 Mon Sep 17 00:00:00 2001
From: Jose Diaz-Gonzalez
Date: Thu, 1 Jan 2015 15:03:43 -0500
Subject: [PATCH 1/3] Disable server tokens in nginx. Closes #857
---
 plugins/nginx-vhosts/templates/nginx.conf | 1 +
 plugins/nginx-vhosts/templates/nginx.ssl.conf | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/plugins/nginx-vhosts/templates/nginx.conf b/plugins/nginx-vhosts/templates/nginx.conf
index 8ed426275..06b12ac56 100644
--- a/plugins/nginx-vhosts/templates/nginx.conf
+++ b/plugins/nginx-vhosts/templates/nginx.conf
@@ -2,6 +2,7 @@ server {
 listen [::]:80;
 listen 80;
 server_name $NOSSL_SERVER_NAME;
+ server_tokens off;
 location / {
 proxy_pass http://$APP;
 proxy_http_version 1.1;
diff --git a/plugins/nginx-vhosts/templates/nginx.ssl.conf b/plugins/nginx-vhosts/templates/nginx.ssl.conf
index 5cde7484a..53164b353 100644
--- a/plugins/nginx-vhosts/templates/nginx.ssl.conf
+++ b/plugins/nginx-vhosts/templates/nginx.ssl.conf
@@ -2,6 +2,7 @@ server {
 listen [::]:80;
 listen 80;
 server_name $NOSSL_SERVER_NAME;
+ server_tokens off;
 return 301 https://$SSL_SERVER_NAME\$request_uri;
 }
@@ -9,6 +10,7 @@ server {
 listen [::]:443 ssl spdy;
 listen 443 ssl spdy;
 server_name $SSL_SERVER_NAME;
+ server_tokens off;
 $SSL_DIRECTIVES
 keepalive_timeout 70;
From e95d1e8602e47e0f19708cedc7f1d77a2e296c62 Mon Sep 17 00:00:00 2001
From: Michael Hobbs
Date: Fri, 2 Jan 2015 17:21:57 -0800
Subject: [PATCH 2/3] add test to validate server_tokens is off
---
 tests/unit/nginx-vhosts.bats | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/tests/unit/nginx-vhosts.bats b/tests/unit/nginx-vhosts.bats
index 8eda6458c..db00a7ce5 100644
--- a/tests/unit/nginx-vhosts.bats
+++ b/tests/unit/nginx-vhosts.bats
@@ -4,15 +4,23 @@ load test_helper
 setup() {
 create_app
- setup_test_tls
- deploy_app
 }
 teardown() {
 destroy_app
 }
+@test "nginx (no server tokens)" {
+ deploy_app
+ run /bin/bash -c "curl -s -D - $(dokku url $TEST_APP) -o /dev/null | egrep '^Server' | egrep '[0-9]+'"
+ echo "output: "$output
+ echo "status: "$status
+ assert_failure
+}
+
 @test "nginx:build-config (with SSL CN mismatch)" {
+ setup_test_tls
+ deploy_app
 run /bin/bash -c "dokku domains $TEST_APP | grep node-js-app.dokku.me"
 echo "output: "$output
 echo "status: "$status
From ab7f9f11615d351d86e89f5d50e831e2db8335c4 Mon Sep 17 00:00:00 2001
From: Jose Diaz-Gonzalez
Date: Sat, 3 Jan 2015 21:41:18 -0500
Subject: [PATCH 3/3] Move `server_tokens off` to the global nginx conf
---
 plugins/nginx-vhosts/install | 1 +
 plugins/nginx-vhosts/templates/nginx.conf | 1 -
 plugins/nginx-vhosts/templates/nginx.ssl.conf | 2 --
 3 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/plugins/nginx-vhosts/install b/plugins/nginx-vhosts/install
index 9e30c5359..a2dfc49d6 100755
--- a/plugins/nginx-vhosts/install
+++ b/plugins/nginx-vhosts/install
@@ -44,6 +44,7 @@ events {
 }
 http {
+ server_tokens off;
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
diff --git a/plugins/nginx-vhosts/templates/nginx.conf b/plugins/nginx-vhosts/templates/nginx.conf
index 06b12ac56..8ed426275 100644
--- a/plugins/nginx-vhosts/templates/nginx.conf
+++ b/plugins/nginx-vhosts/templates/nginx.conf
@@ -2,7 +2,6 @@ server {
 listen [::]:80;
 listen 80;
 server_name $NOSSL_SERVER_NAME;
- server_tokens off;
 location / {
 proxy_pass http://$APP;
 proxy_http_version 1.1;
diff --git a/plugins/nginx-vhosts/templates/nginx.ssl.conf b/plugins/nginx-vhosts/templates/nginx.ssl.conf
index 53164b353..5cde7484a 100644
--- a/plugins/nginx-vhosts/templates/nginx.ssl.conf
+++ b/plugins/nginx-vhosts/templates/nginx.ssl.conf
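Review bot: The `assert_failure` in the new "nginx (no server tokens)" test also passes when curl cannot reach the app or no `Server` header comes back at all, because the pipeline's status is that of the last `egrep` and an empty input makes it fail, so the test cannot tell "version hidden" from "nginx not answering". Pin the positive case first with `run /bin/bash -c "curl -s -D - $(dokku url $TEST_APP) -o /dev/null | egrep -i '^Server: nginx'"` followed by `assert_success`, then keep the existing `[0-9]+` check as the second assertion. Separately, `setup()` no longer deploys the app and only the SSL CN mismatch test visible here got `setup_test_tls`/`deploy_app` back; any other test in this file that relied on a deployed app (outside this hunk) presumably needs the same two lines.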
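Review bot: `server_tokens off;` in the `http` block only drops the version string; stock nginx still emits `Server: nginx` and names itself on built-in error pages, which cannot be suppressed without a third-party module or a rebuild, so the series title "disable server tokens" should not be read as hiding the server software. A one-line comment above the directive, e.g. `# hide the nginx version in the Server header and error pages (#857)`, would record the intent for whoever next edits this generated config. Because this text is emitted by the plugin's `install` script, hosts whose global nginx.conf was already generated presumably will not pick the directive up until the file is regenerated — worth confirming and noting in the commit message or docs.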
@@ -2,7 +2,6 @@ server {
 listen [::]:80;
 listen 80;
 server_name $NOSSL_SERVER_NAME;
- server_tokens off;
 return 301 https://$SSL_SERVER_NAME\$request_uri;
 }
@@ -10,7 +9,6 @@ server {
 listen [::]:443 ssl spdy;
 listen 443 ssl spdy;
 server_name $SSL_SERVER_NAME;
- server_tokens off;
 $SSL_DIRECTIVES
 keepalive_timeout 70;