Hide/Replace Nginx Location Header?

Posted by Steven Ou on Server Fault
Published on 2011-11-14T20:13:36Z


I am trying to pass a PCI compliance test, and I'm getting a single "high risk vulnerability".

The problem is described as:

Information on the machine which a web server is located is sometimes included in the header of a web page. Under certain circumstances that information may include local information from behind a firewall or proxy server such as the local IP address.

It looks like Nginx is responding with:

 Service: https
 Received: HTTP/1.1 302 Found
 Cache-Control: no-cache
 Content-Type: text/html; charset=utf-8
 Location: http://ip-10-194-73-254/
 Server: nginx/1.0.4 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)
 Status: 302
 X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.7
 X-Runtime: 0
 Content-Length: 90
 Connection: Close

 <html><body>You are being <a href="http://ip-10-194-73-254/">redirected</a>.</body></html>

I'm no expert, so please correct me if I'm wrong: but from what I gathered, I think the problem is that the Location header is returning http://ip-10-194-73-254/, which is a private address, when it should be returning our domain name (which is ravn.com).

So, I'm guessing I need to either hide or replace the Location header somehow? I'm a programmer and not a server admin so I have no idea what to do... Any help would be greatly appreciated! Also, might I add that we're running more than 1 server, so the configuration would need to be transferable to any server with any private address.
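A check a server owner could run against their own responses before the next scan, as an added example that is not part of the original question or of any Server Fault answer: it parses a captured HTTP response (the one quoted above, re-typed here as a constructed sample), pulls the host out of the Location header, and flags it when it is a private or non-routable address, an EC2-style internal hostname of the ip-A-B-C-D form, or any host outside the public domain allowlist (ravn.com is taken from the question).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the scanner capture quoted in the question, re-typed as a raw HTTP response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://ip-10-194-73-254/\r\n"
    "Server: nginx/1.0.4 + Phusion Passenger 3.0.7 (mod_rails/mod_rack)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body>You are being <a href="http://ip-10-194-73-254/">redirected</a>.</body></html>'
)
# EC2-style internal hostnames embed the instance's private IPv4 address (ip-10-194-73-254,
# optionally followed by a suffix such as .ec2.internal) and mean nothing outside the VPC.
EC2_INTERNAL = re.compile(r"^ip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}(\.[a-z0-9.-]+)?$")

def parse_headers(raw):
    """Return the response headers as a lower-cased dict; status line and body are skipped."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_host(host, public_domains):
    """Return None if host belongs in a public redirect, else a short reason it should not leak."""
    host = host.lower().rstrip(".")
    if EC2_INTERNAL.match(host):
        return "cloud-internal hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a DNS name: accept only the public domain or one of its subdomains
        if any(host == d or host.endswith("." + d) for d in public_domains):
            return None
        return "host not in public allowlist"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "non-routable address"
    return "bare IP address instead of domain"

def check_redirect(raw, public_domains):
    """Flag a Location header pointing anywhere but the public domain; None means nothing leaked."""
    location = parse_headers(raw).get("location")
    if location is None:
        return None
    host = urlsplit(location).hostname
    if not host:
        return None  # relative redirect, no host revealed
    return classify_host(host, public_domains)
```

Run `check_redirect` over responses captured from each server (including requests sent with no Host header or with the bare IP as Host, which is how scanners typically provoke this) and treat any non-None result as a finding to fix before the real scan.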
