In a production environment the Nginx version number should be hidden, so that it does not reveal which known vulnerabilities may apply.
Once an attacker knows the Nginx version number, they can exploit the vulnerabilities of that version to attack it, which seriously affects the company's security.
Command to check whether the version number is exposed: curl -I http://<ip-address>
========================================================
Check after installing Nginx:
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 12 Sep 2019 03:55:10 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 01:08:46 GMT
Connection: keep-alive
ETag: "5d799a9e-264"
Accept-Ranges: bytes
Hiding method 1 [based on the source package]: (to change the source file after Nginx is already installed, Nginx must first be uninstalled and then reinstalled)
[root@localhost ~]# killall -9 nginx //kill the nginx processes
[root@localhost ~]# rm -rf /usr/local/nginx/
[root@localhost ~]# cd /usr/src/nginx-1.16.0/
[root@localhost nginx-1.16.0]# make clean
rm -rf Makefile objs
[root@localhost nginx-1.16.0]# cd
[root@localhost ~]# rm -rf /usr/src/nginx-1.16.0/ //uninstall complete
[root@localhost ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src
[root@localhost ~]# cd /usr/src/nginx-1.16.0/
[root@localhost nginx-1.16.0]# vim src/core/nginx.h
[Screenshot: src/core/nginx.h before the edit]
[Screenshot: src/core/nginx.h after the edit]
[root@localhost nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
[root@localhost nginx-1.16.0]# make
[root@localhost nginx-1.16.0]# make install
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
curl: (7) Failed connect to 192.168.200.120:80; 拒绝连接
[root@localhost nginx-1.16.0]# netstat -anpt | grep nginx
[root@localhost nginx-1.16.0]# nginx
[root@localhost nginx-1.16.0]# netstat -anpt | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21446/nginx: master
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.120
HTTP/1.1 200 OK
Server: apache/2.4.31
Date: Thu, 12 Sep 2019 04:15:38 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 04:13:25 GMT
Connection: keep-alive
ETag: "5d79c5e5-264"
Accept-Ranges: bytes
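The screenshots of the nginx.h edit are not reproduced above, so here is the same change applied from the shell, as an added example that is not part of the original post. It assumes the macro names NGINX_VERSION and NGINX_VER as they appear in nginx's src/core/nginx.h (both are assumptions on my part; the post only shows the resulting "apache/2.4.31" header), rewrites them with sed, and then reads back the "name/version" string the rebuilt binary will send. The demo runs on a constructed three-line excerpt of the header rather than on a real source tree.

```shell
#!/bin/sh
# Added example, not from the original post: apply the src/core/nginx.h edit
# from the shell instead of by hand in vim, so it is repeatable before ./configure.
# Assumed: the macro names NGINX_VERSION and NGINX_VER in src/core/nginx.h;
# the fake "apache/2.4.31" value mirrors the post's result.

# patch_nginx_header FILE FAKE_VERSION FAKE_NAME
# Rewrites the two #define lines so the Server header becomes "FAKE_NAME/FAKE_VERSION".
patch_nginx_header() {
    file=$1; ver=$2; name=$3
    sed -e "s|^#define NGINX_VERSION .*|#define NGINX_VERSION      \"$ver\"|" \
        -e "s|^#define NGINX_VER .*|#define NGINX_VER          \"$name/\" NGINX_VERSION|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# reported_server_string FILE
# Prints the "name/version" string that a build from this header will send.
reported_server_string() {
    ver=$(sed -n 's|^#define NGINX_VERSION *"\([^"]*\)".*|\1|p' "$1")
    name=$(sed -n 's|^#define NGINX_VER *"\([^"/]*\)/".*|\1|p' "$1")
    printf '%s/%s\n' "$name" "$ver"
}

# demo: runs the patch on a constructed excerpt of nginx.h and prints the result.
demo() {
    tmp=$(mktemp)
    # Constructed excerpt: only the version lines of nginx-1.16.0's nginx.h.
    cat > "$tmp" <<'EOF'
#define nginx_version      1016000
#define NGINX_VERSION      "1.16.0"
#define NGINX_VER          "nginx/" NGINX_VERSION
EOF
    patch_nginx_header "$tmp" "2.4.31" "apache"
    reported_server_string "$tmp"   # prints apache/2.4.31
    rm -f "$tmp"
}

demo
# Real use, from the unpacked source tree, before ./configure:
#   patch_nginx_header src/core/nginx.h 2.4.31 apache
```

Because the value is compiled in, the change only takes effect after make and make install, which is why the post uninstalls and rebuilds rather than just restarting the running binary.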
Method 2 [edit the configuration file] (hide the version number without uninstalling Nginx, by editing the configuration file directly)
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.115
HTTP/1.1 200 OK
Server: nginx/1.16.0 //original version number
Date: Thu, 12 Sep 2019 05:38:07 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 05:37:35 GMT
Connection: keep-alive
ETag: "5d79d99f-264"
Accept-Ranges: bytes
[root@localhost nginx-1.16.0]# vim /usr/local/nginx/conf/nginx.conf
After the line sendfile on; add:
server_tokens off;
[root@localhost nginx-1.16.0]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.16.0]# killall -HUP nginx //reload the configuration
[root@localhost nginx-1.16.0]# curl -I http://192.168.200.115
HTTP/1.1 200 OK
Server: nginx //version string after the change
Date: Thu, 12 Sep 2019 05:45:43 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 12 Sep 2019 05:37:35 GMT
Connection: keep-alive
ETag: "5d79d99f-264"
Accept-Ranges: bytes
Changing the PHP version number
If the PHP configuration sets the fastcgi_param SERVER_SOFTWARE option, edit the php-fpm configuration file and change the value of fastcgi_param SERVER_SOFTWARE to: fastcgi_param SERVER_SOFTWARE nginx;
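Both methods and the PHP change are verified the same way, by looking at the response headers. The following audit script is an added example, not part of the original post: it parses the output of curl -I, reports whether the Server and X-Powered-By headers still carry a "name/x.y.z" version string, and returns a non-zero status if any does. The sample headers embedded in it are constructed from the post's before/after output; audit_host is the live form and takes whatever URL you pass it.

```shell
#!/bin/sh
# Added example, not from the original post: audit response headers for version
# disclosure, to verify the result of either hiding method and of the PHP
# SERVER_SOFTWARE change. The sample headers below are constructed from the post.

# discloses_version VALUE -> true if VALUE contains a "name/x.y[.z]" style version
discloses_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]+(\.[0-9]+)+'
}

# audit_headers  (raw HTTP headers on stdin)
# Prints PASS/FAIL for each header that commonly leaks a version; returns 1 on any FAIL.
audit_headers() {
    headers=$(tr -d '\r')
    status=0
    for h in Server X-Powered-By; do
        value=$(printf '%s\n' "$headers" | grep -i "^$h:" | head -n 1 \
                | cut -d: -f2- | sed 's/^ *//')
        if [ -n "$value" ] && discloses_version "$value"; then
            printf 'FAIL %s: %s\n' "$h" "$value"
            status=1
        else
            printf 'PASS %s: %s\n' "$h" "${value:-(absent)}"
        fi
    done
    return $status
}

# audit_host URL -> live check; curl -sI fetches only the headers, as in the post.
audit_host() {
    curl -sI "$1" | audit_headers
}

# Constructed samples mirroring the post's output before and after server_tokens off.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 12 Sep 2019 05:38:07 GMT
Content-Type: text/html'
AFTER='HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Sep 2019 05:45:43 GMT
Content-Type: text/html'

# verdict "$HEADERS" -> prints "leaks" or "clean", so scripts can check the result.
verdict() {
    if printf '%s\n' "$1" | audit_headers >/dev/null; then echo clean; else echo leaks; fi
}

echo "before: $(verdict "$BEFORE")"   # leaks
echo "after:  $(verdict "$AFTER")"    # clean
```

Note that the method 1 result, Server: apache/2.4.31, is still reported as a leak by this check: that method replaces the version string with a fake one rather than removing it, so a scanner sees a version either way, only a misleading one. Method 2 (server_tokens off) is what actually removes the number from the header.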