Hello - we have been dinged on our network penetration test because one of our Nginx web servers is returning the internal IP in the HTTP location response header. This is our only Nginx server that is not acting as a reverse proxy, so I'm at a bit of a loss on how to disable Nginx returning the Internal IP?
Here is the bulk of our config: server { listen 192.168.1.2:80; server_name mydomain.com www.mydomain.com location / { return 301 https://$server_name$request_uri; } } server { listen 192.168.1.2:443 ssl http2; server_name mydomain.com www.mydomain.com ssl on; ssl_certificate /etc/nginx/ssl/mycert.crt; ssl_certificate_key /etc/nginx/ssl/mykey.key ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-A[...] ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_stapling on; resolver 8.8.8.8 8.8.4.4 ipv6=off; location / { add_header X-Frame-Options SAMEORIGIN; add_header Strict-Transport-Security max-age=31536[...] root /usr/share/nginx/html/; index index.html; } } [+] Location Header: https://192.168.1.2/images/ [+] Result for my.external.ip.address found Internal IP: 192.168.1.2 Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270932,270932#msg-270932 _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx