I patch those files before compile nginx.<br>But I want know how an attacker can found the right server/version<br>I´m really curiously.<br><br><div class="gmail_quote">On Fri, Jul 4, 2008 at 5:10 PM, Paul <<a href="mailto:paul@gtcomm.net">paul@gtcomm.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">These files contain the responses with the server name/type<br>
src/http/ngx_http_special_response.c<br>
src/http/ngx_http_header_filter_module.c<br>
<br>
<br>
<br>
Marcos Neves wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
Can you explain me why it´s not more secure?<br>
<br></div><div class="Ih2E3d">
On Fri, Jul 4, 2008 at 4:28 PM, Almir Karic <<a href="mailto:almir@kiberpipa.org" target="_blank">almir@kiberpipa.org</a> <mailto:<a href="mailto:almir@kiberpipa.org" target="_blank">almir@kiberpipa.org</a>>> wrote:<br>
<br>
i have server_tokens off; and neither the headers nor the 404<br>
error<br>
page seem to contain the nginx version.<br>
<br>
FWIW, don't fool yourself that by not showing the version is any<br>
more secure than with the<br>
version displayed.<br>
<br>
On Fri, Jul 04, 2008 at 09:05:43PM +0200, Thomas wrote:<br>
> For hiding Nginx from error pages, do I need to tweak the source<br>
code<br>
> or is there an option somewhere for that?<br>
><br>
<br>
<br>
<br>
<br>
-- <br>
Marcos Neves<br>
+55 44 3263-8132<br>
+55 44 9918-8488 <br>
</div></blockquote>
<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br>Marcos Neves<br>+55 44 3263-8132<br>+55 44 9918-8488