I am not sure if this is the right sub, but yesterday I was having some issues logging in with my user and was getting a 403 error, if I am not wrong, and noticed that the NGINX version is exposed, which is a bad practice.

So if someone from the admins of Lemmy.world sees this message, maybe they can change the NGINX config and hide the version flag by setting “server_tokens off;”.
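For reference, the two config states the post is talking about, side by side, with a small checker that reads the effective `server_tokens` value the way nginx resolves it (last directive wins, default is `on`). This is an added example and not code from the original post, from nginx, or from Lemmy.world; both nginx.conf fragments and the version string are constructed for illustration.

```python
"""Check whether an nginx configuration hides the server version.

Added example, not from the original post or from nginx. It embeds two
constructed nginx.conf fragments, the default (version exposed) and the
hardened one, and a checker that reports the effective `server_tokens`
value in the http context.
"""
import re

# Constructed fragment: no server_tokens directive at all, so nginx falls
# back to its default of "on" and answers with "Server: nginx/<version>"
# and prints the same version string at the bottom of its error pages
# (the 403 page the post mentions, for example).
WEAK_CONF = """
http {
    server {
        listen 443 ssl;
        server_name lemmy.example;
        location / { proxy_pass http://lemmy:8536; }
    }
}
"""

# Constructed hardened fragment: the header shrinks to "Server: nginx"
# and error pages no longer carry the version. The directive is valid in
# the http, server and location contexts; putting it in http covers every
# virtual host at once.
HARDENED_CONF = """
http {
    server_tokens off;
    server {
        listen 443 ssl;
        server_name lemmy.example;
        location / { proxy_pass http://lemmy:8536; }
    }
}
"""

_DIRECTIVE = re.compile(r"^\s*server_tokens\s+(\S+?)\s*;", re.MULTILINE)


def strip_comments(conf: str) -> str:
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def server_tokens_value(conf: str) -> str:
    """Return the last server_tokens value found, or 'on' (nginx's built-in default)."""
    values = _DIRECTIVE.findall(strip_comments(conf))
    return values[-1].lower() if values else "on"


def version_exposed(conf: str) -> bool:
    """True unless server_tokens is explicitly 'off' ('on' and 'build' both leak the version)."""
    return server_tokens_value(conf) != "off"


def server_header(conf: str, version: str = "1.25.3") -> str:
    """Model of the Server header nginx would send for this config (version is a placeholder)."""
    return f"nginx/{version}" if version_exposed(conf) else "nginx"


if __name__ == "__main__":
    for name, conf in (("default", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: server_tokens={server_tokens_value(conf)} -> Server: {server_header(conf)}")
```

To confirm the change on a live host, `curl -sI https://lemmy.world | grep -i '^server:'` should print `Server: nginx` with no version once the directive is in place and nginx has been reloaded. Note that `server_tokens off` only drops the version: the bare `Server: nginx` header still goes out, and removing the header entirely needs the third-party headers-more module (`more_clear_headers Server;`), which is not part of a stock nginx build.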

  • RuudA (49 · 1 year ago)

    Thanks for the tip, I changed it.

  • @corroded (49 · 1 year ago)

    This really should be the default behavior, IMO.

      • @half (21 · 1 year ago)

        My pet theory is that NGINX was designed by a pen-tester who realized that all they needed to do to make the majority of SMBs expose their web servers to the internet was outperform Apache

      • @Sir_Simon_Spamalot (0 · 1 year ago)

        They’re not THAT bad…

        Besides, the distro packager could also do something about it.

  • @s38b35M5 (36 · 1 year ago, edited)

    They likely won’t see this unless you tag them or cross post to [email protected]

    That said, I suspect the version is what’s standard in the docker image, so hidden or not, it’s easy to discover.

    Edit: on the other hand, does the latest nginx get pulled at time of creation?

    • tool (9 · 1 year ago)

      Edit: on the other hand, does the latest nginx get pulled at time of creation?

      It depends on how you have your docker compose file set up. If you pin the version, no, it’s never going to get updated unless a new version with that exact tag is released. If you omit the tag, it’s going to default to whatever is tagged as latest in the image repository, and that’s only going to actually update the image when you either manually pull the image or relaunch the compose stack.

      If you want it to auto-update without relaunching the stack or manually pulling the latest image, you’d have to set up something like Watchtower and have it monitor that container.
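The three cases tool describes (no tag, `:latest`, and a pinned tag) are easy to get wrong when skimming a compose file, so here is a small classifier that reports, per service, what `docker compose pull` will actually do. This is an added example, not code from the thread, from Docker or from Lemmy; the compose file and image names are constructed. It also covers a fourth case the comment does not mention, pinning by `@sha256:` digest, which is the only reference that cannot change underneath you.

```python
"""Classify image references in a compose file by how they update.

Added example, not from the original thread or from Docker. Parses a
constructed compose file with a minimal line-based reader (standard
library only, two-space YAML indentation assumed) and reports what a
`docker compose pull` or Watchtower run would do for each service:

  implicit-latest  no tag: resolves to whatever the registry tags
                   'latest' at pull time, so it floats
  explicit-latest  ':latest': same thing, just written out
  tag-pinned:<t>   re-pulled only if the registry republishes that exact
                   tag (mutable tags such as '1.25' do move, though)
  digest-pinned    '@sha256:...': immutable; Watchtower cannot move it
"""
import re
from typing import Dict

# Constructed compose file; image names are placeholders, not real images.
COMPOSE = """\
services:
  proxy:
    image: nginx
  app:
    image: example/lemmy:0.18.4
  ui:
    image: example/lemmy-ui:latest
  db:
    image: example/postgres@sha256:{digest}
""".format(digest="0" * 64)  # placeholder digest, 64 hex chars like a real one

_SERVICE = re.compile(r"^  (\S+):\s*$")          # two-space indented service key
_IMAGE = re.compile(r"^\s+image:\s*(\S+)\s*$")


def images(compose: str) -> Dict[str, str]:
    """Map service name -> image reference for every service with an image: line."""
    out: Dict[str, str] = {}
    current = None
    for line in compose.splitlines():
        m = _SERVICE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _IMAGE.match(line)
        if m and current:
            out[current] = m.group(1)
    return out


def classify(ref: str) -> str:
    """Classify one image reference by its update behaviour."""
    if "@sha256:" in ref:
        # A digest wins even if a tag is also present, e.g. nginx:1.25@sha256:...
        return "digest-pinned"
    name, sep, tag = ref.rpartition(":")
    # A ':' may belong to a registry port (registry.example:5000/nginx);
    # only the text after the last '/' can be a tag.
    if not sep or "/" in tag:
        return "implicit-latest"
    if tag == "latest":
        return "explicit-latest"
    return f"tag-pinned:{tag}"


def report(compose: str) -> Dict[str, str]:
    """Service name -> classification for the whole compose file."""
    return {service: classify(ref) for service, ref in images(compose).items()}


if __name__ == "__main__":
    for service, kind in report(COMPOSE).items():
        print(f"{service:8} {kind}")
```

Whatever the reference style, nothing happens until something pulls: a pinned tag or digest is the only way to know which nginx build is running before looking at the `Server` header, and a floating `latest` only changes when `docker compose pull` (or Watchtower) runs and the stack is recreated.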

    • @filister (OP, 8 · 1 year ago)

      Ugh, I didn’t know, thanks for tagging them.

    • @filister (OP, 3 · 1 year ago)

      I clicked on the link but I can’t contact or write them anything.

  • squiblet (16 · 1 year ago)

    Might as well hide the version, but if someone is going to try an exploit, they’ll just try it and see whether it works.

      • Midas (10 · 1 year ago)

        Obscuring version numbers is best practice. Trying exploits isn’t always trivial and by knowing the exact version number of the software it can be made a whole lot easier. Good post by OP though I do think it should’ve been a DM to Ruud.