
@neoKushan

@neoKushan neoKushan commented Apr 8, 2021

Server tokens include the version of nginx in the response headers. Disabling them will hide the version.

  • I have read the contributing guideline and understand that I have made the correct modifications

Description:

With server tokens enabled, the server will respond with the nginx version in every response.

Example (using curl -I -L www.example.com):

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 08 Apr 2021 22:36:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.example.com/

By disabling tokens, the response doesn't contain the version:

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 08 Apr 2021 22:41:42 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.example.com/

In the interests of security, there's probably no good reason to give away more information on the nginx version than necessary, especially with utilities like https://www.shodan.io/ constantly scanning the IPv4 space for vulnerable software versions.

I realise this is security by obscurity and it's better for users to keep their software up to date, but in the event of a major nginx bug it should at least make it harder for a would-be attacker to exploit users of this container.

I have read the contribution guidelines; it's not clear if I would need to make an update to a changelog somewhere, so please correct me if I do.

Benefits of this PR and context:

It is a minor increase to security.

How Has This Been Tested?

I've tested and deployed the change to my own environment, using curl -I -L www.example.com before and after the change.

Source / References:

http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
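A small post-deployment check, added here as an example and not part of this PR or the SWAG project: it parses a raw HTTP response head such as the two curl captures above and reports whether the Server header still discloses a version, which is the observable effect of `server_tokens` being left on. The sample responses are constructed from the headers shown above.

```python
import re
from typing import Optional

# Constructed samples modelled on the two curl -I captures in the PR description.
RESPONSE_WITH_TOKENS = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx/1.18.0\r\n"
    "Date: Thu, 08 Apr 2021 22:36:27 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Location: https://www.example.com/\r\n"
    "\r\n"
)
RESPONSE_WITHOUT_TOKENS = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Date: Thu, 08 Apr 2021 22:41:42 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# "product/version" at the start of the header value, e.g. "nginx/1.18.0" or "nginx/1.18.0 (Ubuntu)".
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d[\w.-]*)")


def server_header(raw: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # header names are case-insensitive
            return value.strip()
    return None


def leaked_version(raw: str) -> Optional[str]:
    """Return the version string the Server header discloses, or None if it discloses none."""
    value = server_header(raw)
    if value is None:
        return None
    match = VERSION_RE.match(value)
    return match.group("version") if match else None


def server_tokens_enabled(raw: str) -> bool:
    """True when the response still leaks a product version, i.e. server_tokens was not turned off."""
    return leaked_version(raw) is not None
```

Feeding the output of `curl -sI` for each host into `server_tokens_enabled` gives a quick fleet-wide confirmation that the setting took effect after a config change.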

Server tokens include the version of nginx in the response headers

@github-actions github-actions bot left a comment


Thanks for opening this pull request! Be sure to follow the pull request template!


@chessmango

As much as I agree with this setting and use it myself, it's not a default with a 'vanilla' Nginx build: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens

As things stand, I'd call its inclusion, albeit commented, 'good enough' as far as things go. Perhaps a less departed-from-Nginx-mainline way to handle this would be to call it out explicitly in README/other documentation, to provide awareness rather than prescription?

@neoKushan
Author

@chessmango This is probably more my lack of understanding of the ideals behind SWAG itself, but is there a goal to retain "vanilla" nginx settings, or a reason for doing so other than remaining close to upstream nginx?

I'm not precious about the change; as you say, it's an easy enough one for a user to do, and maybe it would be good to bring more attention to it (as well as other ways to lock down and better secure your reverse proxy that I'm sure I've missed myself). It just seemed like an easy win!

@nemchik
Member

nemchik commented Apr 27, 2021

This will be addressed in #115 where I am mostly bringing our nginx.conf file inline with the upstream alpine nginx.conf file provided with the package.

Thanks for the PR!

@nemchik nemchik closed this Apr 27, 2021