From 1bacbe1f71863fd63ca3b13a85027797ec07ffda Mon Sep 17 00:00:00 2001
From: Katharina Przybill <30441792+kathap@users.noreply.github.com>
Date: Fri, 19 Apr 2024 17:26:39 +0200
Subject: [PATCH] Remove nginx from response headers and error responses

We observed that the server name (Nginx) is leaked in the header and in the body of an error message. To enhance the security posture of the web application and mitigate the risk associated with information disclosure, it is strongly recommended to not share the server name and/or version in any response information. This does include any type of error messages. Solution: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx
---
 packages/nginx/packaging | 5 +++++
 packages/nginx_webdav/packaging | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/packages/nginx/packaging b/packages/nginx/packaging
index 032f52e58d..00c26e5e3e 100644
--- a/packages/nginx/packaging
+++ b/packages/nginx/packaging
@@ -15,6 +15,11 @@ popd
 echo "Extracting nginx..."
 tar xzvf nginx/nginx-1.25.2.tar.gz
+sed -i 's@"nginx/"@"-/"@g' nginx-1.25.2/src/core/nginx.h
+sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.25.2/src/http/ngx_http_header_filter_module.c
+sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.25.2/src/http/v2/ngx_http_v2_filter_module.c
+sed -i 's@
nginx
@@g' nginx-1.25.2/src/http/ngx_http_special_response.c
+
 
 echo "Building nginx..."
 pushd nginx-1.25.2
 ./configure \
diff --git a/packages/nginx_webdav/packaging b/packages/nginx_webdav/packaging
index 6b7adaefa0..48e4a50d0b 100644
--- a/packages/nginx_webdav/packaging
+++ b/packages/nginx_webdav/packaging
@@ -20,6 +20,11 @@ tar xzvf nginx/nginx-1.25.2.tar.gz
 echo "Extracting webdav extensions"
 tar xzvf nginx/nginx-dav-ext-module-3.0.0.tar.gz
+sed -i 's@"nginx/"@"-/"@g' nginx-1.25.2/src/core/nginx.h
+sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.25.2/src/http/ngx_http_header_filter_module.c
+sed -i 's@r->headers_out.server == NULL@0@g' nginx-1.25.2/src/http/v2/ngx_http_v2_filter_module.c
+sed -i 's@
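Review bot: None of the four added `sed -i` substitutions is checked for having actually matched, so on the next nginx version bump (the paths already hard-code 1.25.2) a changed source line would silently leave the Server header and error-page banner in place while the build still succeeds; the same applies to the identical hunk in packages/nginx_webdav/packaging. A `sed` whose pattern matches nothing still exits 0, so even `set -e` would not catch this; after the substitutions add a guard such as `if grep -q 'r->headers_out.server == NULL' nginx-1.25.2/src/http/ngx_http_header_filter_module.c; then echo 'server-token patch did not apply' >&2; exit 1; fi` (and the equivalent positive/negative grep for the other three files). Note also that the first substitution rewrites the `NGINX_VER` prefix to `-/` rather than removing the version, and, if I read the nginx sources right, ngx_http_special_response.c also carries a full-tokens error tail built from `NGINX_VER` that the fourth `sed` (whose pattern is not legible in this rendering) does not touch, so with `server_tokens on` the version string may still appear in error bodies — worth confirming with a 404 request against the built binary. The enclosing packaging script continues outside the hunk.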
nginx
@@g' nginx-1.25.2/src/http/ngx_http_special_response.c
+
 
 echo "Building nginx..."
 pushd nginx-1.25.2
 ./configure \