getodk · alxndrsn · Dec 3, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
@@ -1,5 +1,6 @@
 server {
   listen 443 default_server ssl;
+  server_tokens off;
 
   ssl_certificate /etc/nginx/ssl/nginx.default.crt;
   ssl_certificate_key /etc/nginx/ssl/nginx.default.key;

diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf
@@ -4,6 +4,7 @@ server {
     listen 80 reuseport;
     listen [::]:80 reuseport;
     server_name ${DOMAIN};
+    server_tokens off;
 
     # Anything requesting this particular URL should be served content from
     # Certbot's folder so the HTTP-01 ACME challenges can be completed for the
@@ -23,6 +24,7 @@ server {
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
+    server_tokens off;
 
     return 421;
 }
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
@@ -63,7 +63,8 @@ else
     echo "starting nginx for upstream ssl..."
   else
     # remove letsencrypt challenge reply, but keep 80 to 443 redirection
-    perl -i -ne 'print if $. < 7 || $. > 14' /etc/nginx/conf.d/redirector.conf
+    perl -i -ne 'print if $. < 8 || $. > 15' /etc/nginx/conf.d/redirector.conf
+
     echo "starting nginx for custom ssl and self-signed certs..."
   fi
   exec nginx -g "daemon off;"

diff --git a/test/nginx/run-tests.sh b/test/nginx/run-tests.sh
@@ -39,4 +39,15 @@ wait_for_http_response 5 localhost:9000 421
 
 npm run test:nginx
 
+log "Linting nginx config with gixy-ng..."
+# see: https://github.com/dvershinin/gixy
+docker_compose exec nginx bash -euc '
+apt update
+apt install -y python3-venv
+python3 -m venv .venv
+. .venv/bin/activate
+pip install gixy-ng
+gixy -lll
+'
+
 log "Completed OK."