
NGINX Reverse Proxy: Backend Server Exposure

TL;DR

Yes: an NGINX reverse proxy that is not configured correctly can reveal the backend server, particularly when serving dynamic content. This usually happens through error pages that expose internal details or through improper header handling. We’ll cover how to prevent this.

Solution Guide

  1. Understand the Risk
    • When NGINX has a problem communicating with your backend server (e.g., 502 Bad Gateway, 504 Gateway Timeout), it might display a default error page that includes information about the backend server’s address and port.
    • Incorrectly configured headers can also leak backend details to clients. For example, the Server header might show the backend application server instead of NGINX.
  2. Custom Error Pages
    The most important step is creating custom error pages that don’t reveal internal information.
    • Edit your NGINX configuration file (usually in /etc/nginx/sites-available/ or similar).
    • Use the error_page directive to specify a custom HTML page for common error codes:
        server {
          ...
          error_page 502 504 /custom_error.html;
          location = /custom_error.html {
            root /var/www/errors;
            internal;
          }
        }
    • Create a simple custom_error.html file in the specified directory (e.g., /var/www/errors/custom_error.html) with a user-friendly message.
    • Important: the internal; directive means the error page can only be reached through an internal redirect such as error_page, never by a direct request from outside, which enhances security.
  3. Hide Backend Server Information in Headers
    Control the headers NGINX sends to clients.
    • Use the server_tokens off; directive in your http block to hide the NGINX version. This is a basic step but helpful.
        http {
          ...
          server_tokens off;
        }
    • Drop the backend’s Server header with the proxy_hide_header Server; directive within your location block, so the client only sees the header NGINX itself sends.
        location / {
          proxy_pass http://backend_server:8080;
          proxy_hide_header Server;
        }
    • Optionally add a custom header that identifies NGINX as the proxy; combined with proxy_hide_header Server, the backend’s Server value never reaches the client.
        location / {
          proxy_pass http://backend_server:8080;
          add_header X-Proxied-By "NGINX Proxy";
          proxy_hide_header Server;
        }
  4. Check Your Configuration
    • After making changes, test your configuration.
    • Use a tool like curl -I to inspect the headers returned by NGINX. Verify that backend server information is not present.
    • Simulate errors (e.g., stop the backend server temporarily) and check that the custom error page is displayed without revealing internal details.
  5. Consider Additional Security Measures
    • Implement a Web Application Firewall (WAF) to protect against common web attacks, including those that attempt to reveal server information.
    • Regularly update NGINX and your backend software to patch security vulnerabilities.
    • Use strong authentication and authorization mechanisms for access to your backend services.
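The "Check Your Configuration" step, as an added shell example that is not part of the original post: it reads a captured header block and an error-page body and flags the leaks described above. The sample responses are constructed, and the header names it flags (Server, X-Powered-By, X-AspNet-Version) are an assumption about which headers application servers typically forward.

```shell
# Added example (not from the original post): check captured response headers and an
# error-page body for backend leakage. Samples below are constructed; in practice pipe
# in `curl -sI https://proxy.example/` and the body served while the backend is down.

# check_headers: read raw HTTP headers on stdin, report leaks, return 1 if any found.
check_headers() {
  leaks=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
    value=${line#*:}; value=${value# }
    case "$name" in
      server)
        # With server_tokens off and proxy_hide_header Server, clients should
        # see only the bare "nginx" product name: no version, no backend product.
        case "$value" in
          nginx) ;;
          *) echo "LEAK: Server: $value"; leaks=1 ;;
        esac ;;
      x-powered-by|x-aspnet-version)
        # Application-server headers forwarded from the backend; hide them with
        # proxy_hide_header as well.
        echo "LEAK: $line"; leaks=1 ;;
    esac
  done
  return $leaks
}

# check_error_body: read an error page on stdin; return 1 if it shows an internal
# host:port or a web-server version string, which a default error page may include.
check_error_body() {
  if grep -Eiq '[a-z0-9_.-]+:[0-9]{2,5}|(nginx|apache)/[0-9]'; then
    echo "LEAK: error page reveals an internal address or server version"
    return 1
  fi
  return 0
}

# Constructed samples: a leaking proxy versus one hardened as described above.
BAD_HEADERS=$(printf 'HTTP/1.1 200 OK\nServer: Apache-Coyote/1.1\nX-Powered-By: PHP/7.4.3\n')
GOOD_HEADERS=$(printf 'HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n')
BAD_BODY='<h1>502 Bad Gateway</h1><hr><center>nginx/1.18.0</center>'
GOOD_BODY='<h1>Service temporarily unavailable</h1><p>Please try again later.</p>'

printf '%s\n' "$BAD_HEADERS" | check_headers || echo "headers: backend exposed"
printf '%s\n' "$GOOD_HEADERS" | check_headers && echo "headers: clean"
printf '%s\n' "$BAD_BODY" | check_error_body || echo "error page: backend exposed"
printf '%s\n' "$GOOD_BODY" | check_error_body && echo "error page: clean"
```

A Server header that still carries a version (for example nginx/1.18.0) is also flagged, which is the symptom of server_tokens not being switched off.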