在生产环境中,需要隐藏Nginx
的版本号,以避免安全漏洞的泄漏
查看方法
fiddler
工具在Windows
客户端查看Nginx
版本号CentOS
系统中使用"curl -I 网址”
命令查看Nginx
的配置文件中的server_ tokens
选项的值设置为off
[root@www conf]# vi nginx.conf
.....
server_ tokens off; //关闭版本号
.....
[root@www conf]# nginx -t
curl -I
命令检测[root@www conf]# service nginx restart
[root@www conf]# curl -| http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx
php
配置文件中配置了fastcgi_param SERVER_ SOFTWARE
选项.php-fpm
配置文件,将fastcgi_param SERVER_ SOFTWARE
对应的值修改为
fastcgi_param SERVER_ SOFTWARE nginx
;[root@localhost nginx]# curl -I http://192.168.144.133/ //使用命令查看版本号
HTTP/1.1 200 OK
Server: nginx/1.12.2 //显示版本号
Date: Thu, 14 Nov 2019 06:52:14 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
[root@localhost nginx]# vim conf/nginx.conf //进入编辑配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens off; //添加条目关闭版本号
...//省略部分内容...
:wq
[root@localhost nginx]# systemctl restart nginx.service
[root@localhost nginx]# curl -I http://192.168.144.133
HTTP/1.1 200 OK
Server: nginx //版本号隐藏
Date: Thu, 14 Nov 2019 06:56:51 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
Nginx
源码文件/usr/src/nginx-1.12.0/src/core/nginx.h
包含了版本信息,可以随意设置重新编译安装,隐藏版本信息
示例:
#define NGINX_ VERSION“1.1.1" 修改版本号为1.1.1
#define NGINX VER "IIS/" 修改软件类型为IIS
curl -I
命令检测[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf //编辑nginx配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens on; //打开上面设置的隐藏版本号条目
...//省略部分内容...
:wq
[root@localhost ~]# cd /opt/nginx-1.12.2/src/core/ //到解压的源码包中更改版本号信息
[root@localhost core]# vim nginx.h
#define nginx_version 1012002
#define NGINX_VERSION "1.1.1" //更改版本号
#define NGINX_VER "nginx/" NGINX_VERSION
:wq
[root@localhost core]# cd /optnginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module //重新配置nginx
checking for OS
+ Linux 3.10.0-693.el7.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
...//省略部分内容...
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
[root@localhost nginx-1.12.2]# make && make install //重新制作安装nginx
[root@localhost nginx-1.12.2]# systemctl restart nginx.service //重新启动nginx服务
[root@localhost nginx-1.12.2]# curl -I http://192.168.144.133 //查看版本号
HTTP/1.1 200 OK
Server: nginx/1.1.1 //版本号变更
Date: Thu, 14 Nov 2019 07:11:08 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
Nginx
运行时进程需要有用户与组的支持,以实现对网站文件读取时进行访问控制Nginx
默认使用nobody
用户账号与组账号,一般也要进行修改创建用户账号与组账号,如nginx
--user
与--group
指定Nginx
服务的运行用户与组账号nginx
user
选项,指定用户账号nginx
服务, 使配置生效ps aux
命令查看nginx
的进程信息,验证运行用户账号改变效果[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root 130034 0.0 0.0 20220 620 ? Ss 19:41 0:00 nginx: master process
/usr/local/sbin/nginx
nginx 130035 0.0 0.0 20664 1512 ? S 19:41 0:00 nginx: worker process
Nginx
将网页数据返回给客户端后,可设置缓存的时间,以方便在日后进行相同内容的请求时直接返回,避免重复请求,加快了访问速度Windows
客户端中使用fiddler
查看网页缓存时间http
段、 或者server
段、 或者location
段加入对特定内容的过期参数location ~\.(gif|ipg|jepg|png|bmp|ico)$ {
root html;
expires 1d;
}
[root@localhost ~]# systemctl stop firewalld.service //关闭防火墙
[root@localhost ~]# setenforce 0 //关闭增强性安全功能
[root@localhost ~]# systemctl start nginx.service //启动nginx服务
[root@localhost ~]# netstat -ntap | grep 80 //查看服务端口是否开启
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1684/nginx: master
[root@localhost ~]# mkdir abc
[root@localhost ~]# mount.cifs //192.168.100.10/lamp-c7 abc/ //将宿主机图片文件夹挂载到abc目录
Password for root@//192.168.100.10/lamp-c7:
[root@localhost ~]# cd abc/ //进入abc目录
[root@localhost abc]# ls
apr-1.6.2.tar.gz Discuz_X2.5_SC_UTF8.zip miao.jpg
apr-util-1.6.0.tar.gz error.png mysql-5.6.26.tar.gz
awstats-7.6.tar.gz httpd-2.4.29.tar.bz2 nginx-1.12.0.tar.gz
cronolog-1.6.2-14.el7.x86_64.rpm LAMP-php5.6.txt php-5.6.11.tar.bz2
[root@localhost abc]# cp miao.jpg /usr/local/nginx/html/ //将图片复制到nginx服务站点
[root@localhost abc]# cd /usr/local/nginx/html/ //进入站点目录
[root@localhost html]# ls
50x.html index.html miao.jpg
[root@localhost html]# vim index.html //编辑网页内容
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h2>Welcome to nginx!</h2>
<img src="miao.jpg"/> //添加图片
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
:wq
[root@localhost nginx]# vim conf/nginx.conf //编辑配置
..//省略部分内容...
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
..//省略部分内容...
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~\.(gif|jepg|jpg|ico|bmp|png)$ { //编辑缓存条目
root html;
expires 1d;
}
}
..//省略部分内容...
:wq
[root@localhost nginx]# systemctl restart nginx.service //重启nginx服务
Keepalive_ timeout
Client header_ timeout
[root@localhost nginx-1.12.2]# cd /usr/local/nginx/conf/ //进入nginx配置文件目录
[root@localhost conf]# vim nginx.conf //编辑配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens on;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65 180; //添加客户端超时时间180秒
client_header_timeout 80; //设置客户端头部超时时间
client_body_timeout 80; //设置客户端主题内容超时时间
#gzip on;
server {
listen 80;
server_name localhost;
...//省略部分内容...
:wq
[root@localhost conf]# systemctl restart nginx.service //重启服务
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。