#1011 closed enhancement (duplicate)
Allow changing 'Server' header in HTTP/2
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.11.x |
Keywords: | http2, h2 | Cc: | |
uname -a: | Linux 8a48a48b517f 4.4.14-moby #1 SMP Wed Jun 29 10:00:58 UTC 2016 x86_64 Linux | ||
nginx -V: |
nginx version: nginx/1.11.2
built by gcc 5.3.0 (Alpine 5.3.0)
built with OpenSSL 1.0.2 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-cc-opt='-g -O3 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -I ../boringssl/.openssl/include/' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -L ../boringssl/.openssl/lib' --conf-path=/etc/nginx/nginx.conf --error-log-path=/dev/stderr --http-log-path=/dev/stdout --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/run/nginx/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --user=nobody --group=nobody --with-http_ssl_module --with-http_realip_module --with-http_gunzip_module --with-http_gzip_static_module --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-http_v2_module --with-http_spdy_module --with-ipv6 --with-pcre --with-pcre-jit --without-http_ssi_module --without-http_userid_module --without-http_autoindex_module --without-http_status_module --without-http_geo_module --without-http_split_clients_module --without-http_referer_module --without-http_proxy_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --without-http_limit_conn_module --without-http_limit_req_module --without-http_empty_gif_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --add-module=/tmp/ngx_brotli_module |
Description
Commit 531e6fbfd6c785a7b42c285c12d3f0721cc989c7 introduced HPACK Huffman encoding for response headers, which hardcoded the 'Server' header response for HTTP/2 connections. This ticket is about making changes to that and making 'u_char nginx' in 'ngx_http_v2_filter_module.c' editable.
Attachments (1)
Change History (12)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
comment:3 by , 8 years ago
This ticket is completely different from ticket #936, which talks about a configuration option to remove the 'Server' header completely. This ticket proposes that there should be a const NGINX_NAME like NGINX_VER in src/core/nginx.h and all of the occurrences of the string 'nginx' and the HPACK representation of it should be replaced/derived from that, not hardcoded everywhere.
comment:5 by , 8 years ago
Could you clarify the purpose of this change? Your patch breaks the HTTP/2 module.
follow-up: 8 comment:6 by , 8 years ago
@vbart I've just updated the patch and have confirmed it to be working with HTTP/2. The purpose of this patch is to replace all client-facing instances of server name and version. Previously, if you wanted to change 'Server' header in your build of NGINX, you would have to change it from a lot of different places and there was no consistency. And because the server name for HTTP/2 was in HPACK representation, it was a little tricky to replace.
This patch enables us to change the Server Name and Version from one place (src/core/nginx.h) and it will be reflected in every client-facing place, like the Server header in all protocols and the server name at the bottom of special pages.
This patch creates consistency between Server headers of different protocols.
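The HPACK representation mentioned in the comment above is a length-prefixed Huffman string as defined in RFC 7541. As an added example (not nginx's code and not the attached patch), the following C code derives those bytes from a plain name, so a hardcoded value can be regenerated instead of edited by hand. The function name `hpack_huff_string` and the reduced code table (lowercase letters, digits, `-`, `.`, `/`) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* HPACK Huffman codes from RFC 7541 Appendix B, limited to the characters
   a product token normally uses: '-' '.' '/', digits, lowercase letters. */
typedef struct { uint8_t code, bits; } hcode;
static const hcode punct[3] = { {0x16,6}, {0x17,6}, {0x18,6} };
static const hcode digit[10] = {
    {0x00,5}, {0x01,5}, {0x02,5}, {0x19,6}, {0x1a,6},
    {0x1b,6}, {0x1c,6}, {0x1d,6}, {0x1e,6}, {0x1f,6} };
static const hcode lower[26] = {
    {0x03,5}, {0x23,6}, {0x04,5}, {0x24,6}, {0x05,5}, {0x25,6}, {0x26,6},
    {0x27,6}, {0x06,5}, {0x74,7}, {0x75,7}, {0x28,6}, {0x29,6}, {0x2a,6},
    {0x07,5}, {0x2b,6}, {0x76,7}, {0x2c,6}, {0x08,5}, {0x09,5}, {0x2d,6},
    {0x77,7}, {0x78,7}, {0x79,7}, {0x7a,7}, {0x7b,7} };

static const hcode *lookup(unsigned char c)
{
    if (c >= 'a' && c <= 'z') return &lower[c - 'a'];
    if (c >= '0' && c <= '9') return &digit[c - '0'];
    if (c >= '-' && c <= '/') return &punct[c - '-'];
    return NULL;                       /* outside this example's table */
}

/* Writes the HPACK string literal (H bit + length, then Huffman data).
   Returns bytes written, or 0 on an unsupported character or overflow. */
size_t hpack_huff_string(const char *s, uint8_t *out, size_t cap)
{
    uint32_t acc = 0; unsigned nbits = 0; size_t n = 1;
    for (; *s; s++) {
        const hcode *h = lookup((unsigned char)*s);
        if (h == NULL) return 0;
        acc = (acc << h->bits) | h->code;
        nbits += h->bits;
        while (nbits >= 8) {           /* flush every complete octet */
            if (n >= cap) return 0;
            nbits -= 8;
            out[n++] = (uint8_t)(acc >> nbits);
        }
    }
    if (nbits) {                       /* pad the last octet with 1 bits */
        if (n >= cap) return 0;
        out[n++] = (uint8_t)((acc << (8 - nbits)) | (0xffu >> nbits));
    }
    if (cap == 0 || n - 1 > 126) return 0;   /* keep to a one-octet length */
    out[0] = (uint8_t)(0x80 | (n - 1));      /* 0x80 = Huffman flag */
    return n;
}
```

For the name "nginx" this yields the five octets 84 aa 63 55 e7: one length octet with the Huffman flag set, followed by four octets of encoded data.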
comment:7 by , 8 years ago
Nevermind, there was an issue with HTTP/2 module but it has been fixed. Please forgive my ignorance, I'm new with C.
by , 8 years ago
Attachment: | nginx_server_name.patch added |
---|
Replace occurrences of string 'nginx' and NGINX_VER with new constants
follow-up: 9 comment:8 by , 8 years ago
Replying to raeesiqbal@…:
> The purpose of this patch is to replace all client-facing instances of server name and version.
And that's why this ticket is closed as duplicate of #936.
comment:9 by , 8 years ago
Replying to mdounin:
> And that's why this ticket is closed as duplicate of #936.
Description of #936 says "It would be helpful if there was a configuration setting beyond "server_tokens off" that would completely suppress the the 'server' header." But this change is about the ability to change 'server' header and the footer signature of special pages easily and creating consistency between the 'server' header in different protocols.
comment:10 by , 8 years ago
And the summary of the #936 says "For security purposes it is necessary to remove or change the "server" header", which is essentially identical to what you are trying to suggest.
Either way, it's very unlikely to be implemented, as the rationale for such changes is either seriously flawed or has nothing to do with nginx. For those who really need this feature (or think so) we have it available in the commercial version.
Duplicate of #936.
Please also note that referring to identifiers in a mirrored/converted github repo is a bad idea, they are not expected to be used for anything, and can disappear at any time. Development of nginx is in Mercurial as available from http://hg.nginx.org/nginx/.