Docker-nginx: Adding headers-more-module

Created on 12 Aug 2016  路  9Comments  路  Source: nginxinc/docker-nginx

I am wondering if you could also include the headers more module in the image? I'd like to do some extra header manipulation (like removing the Server header), and I am sure that I am not alone.

Most helpful comment

@thresheek please consider this legitimate use-case for being able to remove the server headers:

PCI compliance scans fail when you return identifying information like this in requests. So by not allowing/supporting this nginx is forcing projects needing to support nginx to either install an external module to do it OR change solutions entirely.

P.S. It'd be great if Nginx supported the removal of these headers out of the box, and therefore wouldn't need to be concerned with the quality of a 3rd party module.

All 9 comments

No, we will not provide third-party modules in this image as we cannot guarantee their quality.

Also this exact use case hurts NGINX - you're skewing the stats, and we would really like for stats to grow, not shrink.

Other web servers offer this feature and I think nginx should also allow that by default. Stats will grow anyway if Nginx user base grows.

Also this exact use case hurts NGINX - you're skewing the stats, and we would really like for stats to grow, not shrink.

@thresheek So this is why I am spending a few hours figuring out how to add headers-more-module to an alpine container? Thanks... was about to give up and go a head with server_tokens off;, but you have motivated me to continue.

@thresheek please consider this legitimate use-case for being able to remove the server headers:

PCI compliance scans fail when you return identifying information like this in requests. So by not allowing/supporting this nginx is forcing projects needing to support nginx to either install an external module to do it OR change solutions entirely.

P.S. It'd be great if Nginx supported the removal of these headers out of the box, and therefore wouldn't need to be concerned with the quality of a 3rd party module.

Can you link me to the exact specification that requires no Server: header be sent? Thank you.

@thresheek it's more about reducing the attack surface by removing the disclosure of data that would make identifying which specific versions are running, that could have vulnerabilities, etc. The specific PCI section is 1.3.x and it talks about ensuring that you do not disclose the internal IP addresses used by devices that would send data to the _outside world_. In general, the practice of limiting the disclosure of information is quite common.

The Server header is an nginx security flaw and oversight driven only by chest-beating. I agree that it's not the place of the docker image to solve this regardless of the maintainers of this repo's opinions. Server header is not only useless, it's is a mistake and needs to be removed. The solution is to fork this repo into something like docker-nginx-secure for those of us who know better than to let brats sniff us out within the first minute of a published vulnerability (which is only a matter of time). Those with headers-more will have a couple hours more.

Aguing with stats really let me rethink my decision to use xingx as a secure reverse proxy at a customers site.

EDIT: Closing this issue was ok, because of 3rd party module.

One of the things about docker, I think I am learning, is the "graph model" approach. I tried to install the alpine package, but the nginx versions provided are different, and the images are built from source, always. That sounds like a pain. I think this is where the "don't solve a problem that's already been solved" saying comes into play. Someone else has already had this issue, so there should be a published image that solves part of my problem. I had already swapped out a standard nginx image for vlche/nginx-waf to provide myself with ModSecurity. Was it as simple as that sounds? No, it was a config nightmare, but that will surely happen anyway. This image uses the core nginx image as its base. But I can then swap this out for one like this (there will be others, this was just the first result and I am yet to try it as I'm baking a pie as I type :) ) that already has the more-headers module installed.

This doesn't effect the question of whether or not the core image should have this feature available by default, but it seems in core nginx this feature is only available to commercial subscribers, and if the issue is having this available to you in an alpine docker image, I hope someone else like me finds this thought useful.

Was this page helpful?
0 / 5 - 0 ratings