Hide/Replace Nginx Location Header?
Posted
by
Steven Ou
on Server Fault
See other posts from Server Fault
or by Steven Ou
Published on 2011-11-14T20:13:36Z
Indexed on
2011/11/15
9:55 UTC
Read the original article
Hit count: 256
I am trying to pass a PCI compliance test, and I'm getting a single "high risk vulnerability".
The problem is described as:
Information on the machine which a web server is located is sometimes included in the header of a web page. Under certain circumstances that information may include local information from behind a firewall or proxy server such as the local IP address.
It looks like Nginx is responding with:
Service: https
Received: HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Location: http://ip-10-194-73-254/
Server: nginx/1.0.4 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)
Status: 302 X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7
X-Runtime: 0
Content-Length: 90
Connection: Close <html><body>You are being <a href="http://ip-10-194-73-254/">redirect ed</a>.</body></html>
I'm no expert, so please correct me if I'm wrong: but from what I gathered, I think the problem is that the Location
header is returning http://ip-10-194-73-254/
, which is a private address, when it should be returning our domain name (which is ravn.com).
So, I'm guessing I need to either hide or replace the Location
header somehow? I'm a programmer and not a server admin so I have no idea what to do... Any help would be greatly appreciated! Also, might I add that we're running more than 1 server, so the configuration would need to be transferable to any server with any private address.
© Server Fault or respective owner