
CHEF-28367: Chef Infra Server - suppress version/banner disclosure#4157

Open
lbakerchef wants to merge 1 commit into main from CHEF-28367

Conversation

@lbakerchef (Contributor) commented Mar 31, 2026

Summary

Fixes information disclosure vulnerability where Chef Infra Server was exposing full package version details publicly via the /version endpoint, and advertising the nginx version in response headers.

Jira Ticket

CHEF-28367

Changes Made

  • omnibus nginx config (nginx_chef_api_lb.conf.erb): Replaced the location /version block (which served version-manifest.txt) with deny all; return 404. This single template renders both chef_http_lb.conf and chef_https_lb.conf.
  • Habitat nginx config (chef_http_lb_common): Same change - /version endpoint now returns 404 instead of serving the version manifest.
  • Habitat nginx.conf: Added server_tokens off; to suppress the nginx version number from Server: response headers. (The omnibus build already had this set.)

Testing

Verified on a freshly built Chef Infra Server instance:

  • curl -sk https://localhost/version returns HTTP 404 with Chef custom error page, no version data
  • curl -skI https://localhost/ - Server: header contains no nginx version number

$ curl -skI https://localhost/version
HTTP/1.1 404 Not Found
Date: Tue, 31 Mar 2026 01:51:31 GMT
Content-Type: text/html
Content-Length: 1084
Connection: keep-alive
ETag: "69cb24ce-43c"
Cache-Control: no-store
Pragma: no-cache

$ sudo chef-server-ctl test
Finished in 3 minutes 25.7 seconds (files took 16.14 seconds to load)
174 examples, 0 failures, 2 pending

AI Assistance

This work was completed with AI assistance following Progress AI policies.

Signed-off-by: Lincoln Baker <51833247+lbakerchef@users.noreply.github.com>
@lbakerchef lbakerchef requested review from a team as code owners March 31, 2026 01:57
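The two disclosures this PR closes (a served /version manifest and a versioned Server: header) are easy to re-check from the outside. The script below is an added example, not code from the PR or from the chef-server project: it wraps both checks in functions that take a raw HTTP response as a string, so they can be exercised offline against the constructed sample responses embedded here (the package names, version numbers and header values in those samples are made up, and the manifest-body pattern the check greps for is an assumption about the manifest format, not taken from the PR). When the hypothetical CHEF_SERVER_URL variable is set, it runs the same checks against a live server with curl.

```shell
#!/bin/sh
# Added example: post-fix verification for Chef Infra Server version/banner
# disclosure. Not part of the PR. Sample responses below are constructed.

# Returns 0 (true) when a raw header block carries a Server: header that
# includes an nginx version, e.g. "Server: nginx/1.25.3". With
# server_tokens off; nginx sends just "Server: nginx", which passes.
server_header_leaks() {
  printf '%s\n' "$1" | grep -i '^Server:' | grep -Eq 'nginx/[0-9]+\.[0-9]+'
}

# Returns 0 (true) when a raw response to GET /version is anything other
# than a 404, or when its body contains "<package> <x.y>" lines, which is
# an assumed shape for a version manifest (not taken from the PR).
version_endpoint_exposed() {
  status=$(printf '%s\n' "$1" | head -n1 | awk '{print $2}')
  [ "$status" != "404" ] && return 0
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+ +[0-9]+\.[0-9]+' && return 0
  return 1
}

# Constructed samples: what an unpatched and a patched server would answer.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.25.3
Content-Type: text/html'

CLEAN_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

EXPOSED_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.25.3
Content-Type: text/plain

chef-server 15.99.0
opscode-erchef 3.99.0'

HIDDEN_RESPONSE='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html

<html><body><h1>404 Not Found</h1></body></html>'

# Runs both checks against one header block and one /version response,
# printing a verdict and returning 0 only if neither disclosure is present.
report() {
  rc=0
  if server_header_leaks "$1"; then
    echo "FAIL: Server: header advertises the nginx version"; rc=1
  else
    echo "ok:   Server: header carries no nginx version"
  fi
  if version_endpoint_exposed "$2"; then
    echo "FAIL: /version is reachable or still serves a manifest"; rc=1
  else
    echo "ok:   /version returns 404 with no version data"
  fi
  return $rc
}

# Live mode (hypothetical variable): CHEF_SERVER_URL=https://chef.example.com ./check.sh
if [ -n "${CHEF_SERVER_URL:-}" ]; then
  live_headers=$(curl -skI "$CHEF_SERVER_URL/")
  live_version=$(curl -ski "$CHEF_SERVER_URL/version")
  report "$live_headers" "$live_version"
else
  echo "[constructed unpatched samples]"
  report "$LEAKY_HEADERS" "$EXPOSED_RESPONSE" || true
  echo "[constructed patched samples]"
  report "$CLEAN_HEADERS" "$HIDDEN_RESPONSE" || true
fi
```

The status-line test deliberately treats any non-404 answer as a failure, since a 403 from deny all; without the return 404 would still confirm that the endpoint exists; the PR's combination of deny all; return 404 is what makes the manifest indistinguishable from a missing path.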
netlify bot commented Mar 31, 2026

Deploy Preview for chef-server processing. Latest commit ccdc1d8; deploy log: https://app.netlify.com/projects/chef-server/deploys/69cb29f58735f900089670b2

@lbakerchef lbakerchef added the ai-assisted Work completed with AI assistance following Progress AI policies label Mar 31, 2026
@lbakerchef lbakerchef self-assigned this Mar 31, 2026