Hello - we have been dinged on our network penetration test because one of
our Nginx web servers is returning the internal IP in the HTTP Location
response header. This is our only Nginx server that is not acting as a
reverse proxy, so I'm at a bit of a loss as to how to stop Nginx from
returning the internal IP.

Here is the bulk of our config:

server {

        listen                          192.168.1.2:80;
        server_name                     mydomain.com www.mydomain.com;

        location / {

                return          301 https://$server_name$request_uri;
        }

}

server {

        listen                          192.168.1.2:443 ssl http2;
        server_name                     mydomain.com www.mydomain.com;
        ssl                             on;
        ssl_certificate                 /etc/nginx/ssl/mycert.crt;
        ssl_certificate_key             /etc/nginx/ssl/mykey.key;
        ssl_protocols                   TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-A[...]
        ssl_prefer_server_ciphers       on;
        ssl_dhparam                     /etc/nginx/ssl/dhparam.pem;
        ssl_stapling                    on;
        resolver                        8.8.8.8 8.8.4.4 ipv6=off;

        location / {

                add_header              X-Frame-Options SAMEORIGIN;
                add_header              Strict-Transport-Security
max-age=31536[...]

                root                    /usr/share/nginx/html/;
                index                   index.html;
        }

}


[+] Location Header: https://192.168.1.2/images/
[+] Result for my.external.ip.address found Internal IP: 192.168.1.2

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,270932,270932#msg-270932

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
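One way to stop the leak, as an added example that is not from the original post or from nginx's own documentation: absolute_redirect and server_name_in_redirect are real nginx directives (the first needs nginx 1.11.8 or later); the listen and server_name lines are taken from the posted config, and the rest of the posted server block is left out for brevity.

```nginx
# Added example (not the poster's config): HTTPS server block with the
# redirect behaviour fixed. Assumes nginx 1.11.8+ for absolute_redirect.
server {
    listen              192.168.1.2:443 ssl http2;
    server_name         mydomain.com www.mydomain.com;

    # Why the IP appears: when nginx itself issues a redirect (here the
    # "add trailing slash" 301 for /images -> /images/, because /images is
    # a directory under root), it builds an absolute Location URL from
    # the request's Host header. A request that carries no Host header
    # (an HTTP/1.0 request or a scanner probe) makes nginx fall back to
    # the address it is listening on, which is how 192.168.1.2 ended up
    # in the Location header. The explicit "return 301" in the port-80
    # block already uses $server_name, so it is not the source.

    # Fix 1 (nginx >= 1.11.8): emit relative redirects. Location becomes
    # just "/images/" and no host name or IP is inserted at all.
    absolute_redirect   off;

    # Fix 2 (older nginx): keep absolute redirects but always build them
    # from the primary server_name instead of the Host header or the
    # listen address. Use this instead of Fix 1 if absolute_redirect is
    # not available in your version.
    # server_name_in_redirect on;

    # ... ssl_*, resolver and location / settings from the original
    # config go here unchanged ...
}
```

To confirm the fix from outside, send a request with the Host header suppressed (`curl -skI -H 'Host:' https://my.external.ip.address/images`, using the scanner's placeholder for your public address) and check that the Location header no longer contains an address.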
