Nginx安全相关配置-自定义Nginx版本信息
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.启动nginx服务后在浏览器访问nginx的版本号
1>.启动服务
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
2>.浏览器访问nginx,观察响应报文,可以查看到nginx的版本信息
二.隐藏Nginx服务器版本以提高安全性
1>.编辑主配置文件
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes 4;
worker_cpu_affinity 00000001 00000010 00000100 00001000;
events {
worker_connections 100000;
use epoll;
accept_mutex on;
multi_accept on;
}
http {
include mime.types;
default_type text/html;
server_tokens off; #此处可以隐藏Nginx的版本号(注意:只去掉版本号,响应头中仍会显示Server: nginx)
charset utf-8;
log_format my_access_json '{"@timestamp":"$time_iso8601",' '"host":"$server_addr",' '"clientip":"$remote_addr",' '"size":$body_bytes_sent,' '"responsetime":$request_time,' '"upstreamtime":"$upstream_response_time",' '"upstreamhost":"$upstream_addr",' '"http_host":"$host",' '"uri":"$uri",' '"domain":"$host",' '"xff":"$http_x_forwarded_for",' '"referer":"$http_referer",' '"tcp_xff":"$proxy_protocol_addr",' '"http_user_agent":"$http_user_agent",' '"status":"$status"}';
access_log logs/access_json.log my_access_json;
ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]#
2>.浏览器访问nginx,观察响应报文,可以查看到没有nginx的版本信息但是依旧写着Nginx
三.自定义Nginx版本信息
1>.停掉nginx服务器
[root@node101.yinzhengjie.org.cn ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -s stop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
2>.查看nginx的源码文件,内部定义了nginx的版本号
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cd /usr/local/src/nginx-1.14.2/
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# vim src/http/ngx_http_header_filter_module.c #如下图所示,nginx源码中已经把Server字符串写死了,我们需要做相应的修改。
3>.自定义nginx版本信息
4>.重新编译nginx软件
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# vim src/http/ngx_http_header_filter_module.c
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# grep yinzhengjie src/http/ngx_http_header_filter_module.c #自定义nginx源码中的Server信息(注意:该字符串仅在server_tokens off时被使用,若配置为server_tokens on,nginx仍会返回带版本号的原始Server字符串)
static u_char ngx_http_server_string[] = "Server: yinzhengjie2019" CRLF;
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# nginx -V #查看当前nginx的编译参数,稍后重新编译时最好一个参数都不要落下,否则新编译的二进制会缺少模块。
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/yinzhengjie/softwares/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ./configure --prefix=/yinzhengjie/softwares/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module #重新配置nginx,参数与上面nginx -V的输出保持一致
......
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# echo $?
0
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# make -j 4 && make install #重新编译并安装nginx软件
......
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# echo $?
0
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
5>.启动nginx并访问浏览器
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# nginx
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 :::22 :::*
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#
[root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]#