How to disable Nginx test page in CentminMod? By default, when you install CentminMod, it will create a Nginx test page.
When you access the server’s IP address on the browser, it will display the HTML test page of CentminMod.
Is this good? Let’s take a look.
Why must disable Nginx test page in CentminMod?
Table of Contents
With the experience of operating Linux server systems, I have worked with many different Linux systems.
To secure Linux servers, system administrators like me must hide information about the system. Make it hard to identify.
Hackers who want to attack a system will try to gather as much information about the target as possible.
And if you leave this page to Nginx test page, hackers can easily realize that you are using CentOS server and are using CentminMod to manage it. Hackers can rely on the vulnerabilities of CentminMod to exploit your server.
Therefore, we must disable it from the internet environment.
How to disable Nginx test page in CentminMod
First, you need to know where this page is configured in the server.
The Nginx test page is located in:
/usr/local/nginx/html/index.htmlThe vhost configuration file of test page in:
/usr/local/nginx/conf/conf.d/virtual.confAfter knowing where it is, we will now start the job.
Note: First, you need to create your website on CentminMod server first, use Let’s Encrypt as much as possible.
Recommended Reading: How to use Let’s Encrypt SSL in CentminMod
Next, we delete the virtual.conf configuration file.
rm -f /usr/local/nginx/conf/conf.d/virtual.confAnd then, create a file:
nano /usr/local/nginx/conf/conf.d/virtual.confWith the following content:
server {
listen 80 default_server;
listen 443 ssl default_server;
server_name _;
ssl_certificate /usr/local/nginx/conf/ssl/yourwebsite.com/yourwebsite.com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/yourwebsite.com/yourwebsite.com.key;
return 444;
access_log /var/log/nginx/localhost.access.log combined buffer=256k flush=5m;
error_log /var/log/nginx/localhost.error.log error;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
#allow youripaddress;
deny all;
}
}Look at the line return 444. Why is that?
I have encountered a case where a hacker took advantage of the vulnerability of server_name in web server Nginx to list the websites in that server.
Therefore, with the above configuration, if server_name is not configured in the CentminMod server. When accessing, you will get 444 code instead of randomly accessing the websites in the server.
And finally, you reload the Nginx configuration.
service nginx reloadConclusion
Personally, I think you need to disable Nginx test page in CentminMod. This helps your server becomes safer against hackers. Try to hide your system as much as possible.
(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).
Thanks for sharing. However, is this best practice all the way?
I mean – why not just disable / replace the default index page?
Also the conf file provided ought to be explained a bit better IMO.
I suppose the domain reference (“yourwebsite.com”) should be replaced with an already installed domain via CMM. But what if more than one website on server – should those other domains be updated in the cert conf file as well or is one reference enough?
Anyway, I run CF as a proxy which is pretty standard for CMM and tried your solution. After disabling cf. instructions here the subdomain used for CMM setup obviously displays a 503 error page. Should this not be handled more eloquently at the domain DNS level e.g. with a CF page rule permanent 301 redirect to other domain on server…?
Please share extended best practice as per your expeience.