this post was submitted on 18 Jul 2023
175 points (96.8% liked)

General Discussion

12038 readers
272 users here now

Welcome to Lemmy.World General!

This is a community for general discussion where you can get your bearings in the fediverse. Discuss topics & ask questions that don't seem to fit in any other community, or don't have an active community yet.


πŸͺ† About Lemmy World


🧭 Finding CommunitiesFeel free to ask here or over in: [email protected]!

Also keep an eye on:

For more involved tools to find communities to join: check out Lemmyverse!


πŸ’¬ Additional Discussion Focused Communities:


Rules

Remember, Lemmy World rules also apply here.0. See: Rules for Users.

  1. No bigotry: including racism, sexism, homophobia, transphobia, or xenophobia.
  2. Be respectful. Everyone should feel welcome here.
  3. Be thoughtful and helpful: even with β€˜silly’ questions. The world won’t be made better by dismissive comments to others on Lemmy.
  4. Link posts should include some context/opinion in the body text when the title is unaltered, or be titled to encourage discussion.
  5. Posts concerning other instances' activity/decisions are better suited to [email protected] or [email protected] communities.
  6. No Ads/Spamming.
  7. No NSFW content.

founded 1 year ago
MODERATORS
 

I am not sure if this is the right sub, but yesterday I was having some issues with login with my user and was getting 403 error if I am not wrong and noticed that the NGINX version is exposed, which is a bad practice.

So if someone from the admins of Lemmy.world see this message, maybe they can change the NGINX config and hide the version flag by setting "server_tokens off;".

all 18 comments
sorted by: hot top controversial new old
[–] ruud 49 points 1 year ago

Thanks for the tip, I changed it.

[–] corroded 49 points 1 year ago (1 children)

This really should be the default behavior, IMO.

[–] s38b35M5 36 points 1 year ago* (last edited 1 year ago) (3 children)

They likely won't see this unless you tag them or cross post to [email protected]

That said, I suspect the version is what's standard in the docker image, so hidden or not, it's easy to discover.

Edit: on the other hand, does the latest nginx get pulled at time of creation?

[–] [email protected] 9 points 1 year ago

Edit: on the other hand, does the latest nginx get pulled at time of creation?

It depends on how you have your docker compose file set up. If you pin the version, no, it's never going to get updated unless a new version with that exact tag is released. If you omit the tag, it's going to default to whatever is tagged as latest in the image repository, and that's only going to actually update the image when you either manually pull the image or relaunch the compose stack.

If you want it to auto-update without relaunching the stack or manually pulling the latest image, you'd have to set up something like Watchtower and have it monitor that container.

[–] filister 8 points 1 year ago (1 children)

Ugh, I didn't know, thanks for tagging them.

[–] s38b35M5 5 points 1 year ago (2 children)

I didn't tag anyone--its a link to the support community. If you don't get any traction in a day or so, you can look at some of the names of admins posting in there and tag them with "@[email protected]"

[–] [email protected] 7 points 1 year ago (2 children)
[–] TheSpookiestUser 6 points 1 year ago

Huh, it sure did. Neat!

[–] [email protected] 2 points 1 year ago

@JackbyDev @s38b35M5 @TheSpookiestUser completely off topic Jackby: your avatar kicks ass!

[–] TheSpookiestUser 3 points 1 year ago (1 children)

Does this actually work to notify someone on Lemmy?

[–] [email protected] 4 points 1 year ago

@user@instance is how you're supposed to mention a user. There is a space in the inbox for mentions so I assume it works.

[–] filister 3 points 1 year ago

I clicked on the link but I can't contact or write them anything.

[–] [email protected] 16 points 1 year ago (1 children)

Might as well hide the version, but if someone is going to try an exploit, they'll just try it and see whether it works.

[–] [email protected] 18 points 1 year ago (1 children)

Yeah, this post is giving me "security through obscurity" vibes.

[–] [email protected] 10 points 1 year ago

Obscuring version numbers is best practice. Trying exploits isn't always trivial and by knowing the exact version number of the software it can be made a whole lot easier. Good post by OP though I do think it should've been a DM to Ruud.