By default, Nginx and Apache versions are displayed when you query HTTP headers. Website security is very important for any system or website administrator. For security reasons, it is recommended to hide the Nginx and Apache versions to make it harder for attackers to know what vulnerabilities can be exploited on your server.
In this post, we will show you how to hide Apache and Nginx versions on Oracle Linux 8.
Prerequisites
- A server running Oracle Linux 8 on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Oracle Linux 8 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your server, run the following command to update your base system with the latest available packages.
dnf update -y
Step 2 – Verify Apache and Nginx Header Details
By default, Apache and Nginx will show the version on error pages and in the response header. You can check it using the CURL command:
curl --head http://localhost
You should see the Apache version information in the following output:
HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 10:41:33 GMT Server: Apache/2.4.37 (Oracle Linux) Last-Modified: Thu, 11 Aug 2022 09:01:12 GMT ETag: "1600b-5e5f368464e7a" Accept-Ranges: bytes Content-Length: 90123 Content-Type: text/html; charset=UTF-8
To check the Nginx version information, run the following command:
curl --head http://localhost
You should see the Nginx version details in the following output:
HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 11 Aug 2022 10:44:36 GMT Content-Type: text/html Content-Length: 3949 Last-Modified: Thu, 19 Sep 2019 18:38:36 GMT Connection: keep-alive ETag: "5d83cb2c-f6d" Accept-Ranges: bytes
Step 3 – Hide Apache Version
To hide the Apache version, you will need to edit the Apache configuration file and add the line “ServerTokens Prod”:
nano /etc/httpd/conf/httpd.conf
Add the following line at the end of the file:
ServerTokens Prod
Save and close the file, then restart the Apache service to apply the changes:
systemctl restart httpd
Next, check the Apache header using the following command:
curl --head http://localhost
You should see that there is no version shown:
HTTP/1.1 200 OK Date: Thu, 11 Aug 2022 10:42:25 GMT Server: Apache Last-Modified: Thu, 11 Aug 2022 09:01:12 GMT ETag: "1600b-5e5f368464e7a" Accept-Ranges: bytes Content-Length: 90123 Content-Type: text/html; charset=UTF-8
Step 4 – Hide Nginx Version
To hide the Nginx version, you will need to edit the Nginx configuration file and add the line “server_tokens off”:
nano /etc/nginx/nginx.conf
Add the following line after http {:
server_tokens off;
Save and close the file, then restart the Nginx service to apply the changes:
systemctl restart nginx
Next, check the Nginx header using the following command:
curl --head http://localhost
You should see that there is no version shown:
HTTP/1.1 200 OK Server: nginx Date: Thu, 11 Aug 2022 10:48:21 GMT Content-Type: text/html Content-Length: 3949 Last-Modified: Thu, 19 Sep 2019 18:38:36 GMT Connection: keep-alive ETag: "5d83cb2c-f6d" Accept-Ranges: bytes
Conclusion
In this tutorial, we explained how to hide the Apache and Nginx version on Oracle Linux 8. Hiding the Apache and Nginx version is one of the methods to protect your web server. You can now easily hide your Apache and Nginx versions in the production environment. Try it on dedicated hosting from Atlantic.Net!
