
NGINX + Phusion Passenger server_tokens: off; and proxy_hide_header X-Powered-By; do not seem to work


With the following /etc/nginx/sites-available/default configuration, it seems I am unable to get the Server header to drop the Phusion Passenger version. This may be working as expected, since it is successfully removing the nginx version, but it is not removing the Phusion Passenger details.

I am also unable to hide the X-Powered-By header.

This is an example verbose curl response:

$  curl https://my.website.com -v
...
> GET / HTTP/1.1
> Host: my.website.com
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Mon, 13 Jun 2022 22:01:50 GMT
< Server: nginx + Phusion Passenger(R) 6.0.14
< Status: 200 OK
< Vary: Accept-Encoding, Origin
< X-Powered-By: Phusion Passenger(R) 6.0.14
< Content-Length: 52
< Connection: keep-alive
< 
* Connection #0 to host my.website.com left intact
"OK"  

/etc/nginx/sites-available/default

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  # Redirect plain HTTP to HTTPS when a fronting proxy/load balancer
  # passes the original scheme in X-Forwarded-Proto.
  if ($http_x_forwarded_proto = 'http'){
    return 301 https://$host$request_uri;
  }

  passenger_enabled  on;
  root ...;

  server_name _;
  # server_tokens off only strips the nginx version from the Server header;
  # the "Phusion Passenger(R) 6.0.14" part is emitted by the Passenger module,
  # which this directive does not control.
  server_tokens off;

  # Block dotfiles (e.g. .git, .env) except the ACME /.well-known/ path.
  location ~ /\.(?!well-known) {
    deny all;
  }

  location / {
    # proxy_hide_header belongs to ngx_http_proxy_module and only affects
    # responses received via proxy_pass; an app served by the Passenger
    # module is not proxied, so this directive has no effect here.
    proxy_hide_header X-Powered-By;

    passenger_ruby          ...;
    passenger_base_uri      /;
    passenger_app_root      ...;
    passenger_document_root ...;
    passenger_min_instances ...;
  }
}

Solution

  • Got the following answer from Phusion themselves:

    passenger_show_version_in_header off;

    https://www.phusionpassenger.com/docs/references/config_reference/nginx/#passenger_show_version_in_header
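Once `server_tokens off;` and `passenger_show_version_in_header off;` are both set and nginx is reloaded, the fix is worth verifying from the outside rather than trusting the config. The script below is an added example, not code from the question, the answer or the Passenger project: it reads raw response headers (the output of `curl -v`, `curl -I` or `curl -D -`) and flags any Server or X-Powered-By header that still carries a dotted version number. The two sample responses are constructed here; the first is a copy of the headers shown in the question, and the second assumes that with both directives set the Passenger name remains in the headers but the `6.0.14` version string is gone.

```bash
#!/bin/sh
# Added example (not from the original post or from Phusion Passenger):
# audit response headers for version disclosure after hardening nginx +
# Passenger with "server_tokens off;" and
# "passenger_show_version_in_header off;".

# Constructed sample: the headers from the question, before the fix.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Content-Type: application/json
Server: nginx + Phusion Passenger(R) 6.0.14
Status: 200 OK
X-Powered-By: Phusion Passenger(R) 6.0.14
Content-Length: 52'

# Constructed sample: assumed headers once both directives are in place.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Content-Type: application/json
Server: nginx + Phusion Passenger(R)
Status: 200 OK
X-Powered-By: Phusion Passenger(R)
Content-Length: 52'

# version_leaks: read raw response headers on stdin, print every Server or
# X-Powered-By header that contains a dotted version number (e.g. 6.0.14).
# Accepts "curl -v" style lines prefixed with "< " and CRLF line endings.
# Exit status: 0 = nothing disclosed, 1 = at least one header leaks a version.
version_leaks() {
    leaks=$(sed -e 's/^< //' -e 's/\r$//' \
            | grep -iE '^(Server|X-Powered-By):' \
            | grep -E '[0-9]+\.[0-9]+' || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# count_leaks: number of leaking headers in the header block passed as $1.
# Always returns 0 so it is safe to use under "set -e"; the count is printed.
count_leaks() {
    printf '%s\n' "$1" | version_leaks | grep -c . || true
}

# audit_url: fetch headers from a live server and audit them (not run here).
# "-D -" writes the response headers to stdout; the body is discarded.
audit_url() {
    curl -sS -o /dev/null -D - "$1" | version_leaks
}

# Stand-alone usage: show what leaks in the "before" sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$LEAKY_RESPONSE" | version_leaks
fi
```

Run `audit_url https://my.website.com` from an interactive shell after reloading nginx; a non-zero exit with the offending header lines printed means a version string is still being disclosed. Note that neither directive removes the Passenger product name itself, only its version, so a clean result from this check still leaves the stack identifiable.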