
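               Nginx Security-Related Configuration: Customizing the Nginx Version Information

                                              Author: Yin Zhengjie (尹正杰)

    Copyright notice: this is an original work. Reproduction is not permitted; violators will be held legally liable.

    I. Start the nginx service and view the nginx version number in a browser

    1>. Start the service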

    [root@node101.yinzhengjie.org.cn ~]# ss -ntl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ss -ntl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:80                                                         *:*                  
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                            *:443                                                        *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

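    2>. Access nginx in a browser and inspect the response message; the nginx version information is visible in it

    II. Hide the Nginx server version to improve security

    1>. Edit the main configuration file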

    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
    worker_processes  4;
    worker_cpu_affinity 00000001 00000010 00000100 00001000; 
     
    events {
       worker_connections  100000;
       use epoll;
       accept_mutex on;
       multi_accept on; 
    }
       
       http {
         include       mime.types;
           
         default_type  text/html;
        
         server_tokens off;                # This hides the Nginx version number
          
         charset utf-8;
       
         log_format my_access_json '{"@timestamp":"$time_iso8601",'
                                   '"host":"$server_addr",'
                                   '"clientip":"$remote_addr",'
                                   '"size":$body_bytes_sent,'
                                   '"responsetime":$request_time,'
                                   '"upstreamtime":"$upstream_response_time",'
                                   '"upstreamhost":"$upstream_addr",'
                                   '"http_host":"$host",'
                                   '"uri":"$uri",'
                                   '"domain":"$host",'
                                   '"xff":"$http_x_forwarded_for",'
                                   '"referer":"$http_referer",'
                                   '"tcp_xff":"$proxy_protocol_addr",'
                                   '"http_user_agent":"$http_user_agent",'
                                   '"status":"$status"}';
        access_log logs/access_json.log my_access_json;
     
        ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
        ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
      
        include /yinzhengjie/softwares/nginx/conf.d/*.conf;
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]#

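    2>. Access nginx in a browser and inspect the response message; the version number is no longer shown, but the response still says Nginx

    III. Customize the Nginx version information

    1>. Stop the nginx server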

    [root@node101.yinzhengjie.org.cn ~]# ss -tnl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:80                                                         *:*                  
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                            *:443                                                        *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s stop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ss -tnl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    2>. Look at the nginx source file, which defines the nginx version string internally

    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cd /usr/local/src/nginx-1.14.2/
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# vim src/http/ngx_http_header_filter_module.c     # As the screenshot in the original post showed, the string is hard-coded in the nginx source, so we need to modify it accordingly.

    3>. Customize the nginx version information

    4>. Recompile nginx

    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# vim src/http/ngx_http_header_filter_module.c 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# grep yinzhengjie src/http/ngx_http_header_filter_module.c       # The customized Server string in the nginx source
    static u_char ngx_http_server_string[] = "Server: yinzhengjie2019" CRLF;
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# nginx -V            # Check the build arguments of the current nginx; the rebuild below should reuse every one of them.
    nginx version: nginx/1.14.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/yinzhengjie/softwares/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ./configure --prefix=/yinzhengjie/softwares/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module                          # Re-run configure for nginx
    ......
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# echo $?
    0
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# make -j 4 && make install    # Rebuild and install nginx
    ......
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# echo $?
    0
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 

    5>. Start nginx and access it from a browser

    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ss -ntl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# nginx 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# ss -ntl
    State       Recv-Q Send-Q                             Local Address:Port                                            Peer Address:Port              
    LISTEN      0      128                                            *:80                                                         *:*                  
    LISTEN      0      128                                            *:22                                                         *:*                  
    LISTEN      0      128                                            *:443                                                        *:*                  
    LISTEN      0      128                                           :::22                                                        :::*                  
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
    [root@node101.yinzhengjie.org.cn /usr/local/src/nginx-1.14.2]# 
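
    A command-line check for the three states this article walks through (default, server_tokens off, rebuilt with a custom string), plus the stock error-page footer, which also names the product. This is an added example, not part of the original post; the function names, the sample responses and the 127.0.0.1 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify what an HTTP response
# discloses about the server software. Sample responses below are constructed.

# Reads raw response headers on stdin, prints one of:
#   version-disclosed | product-only | custom | absent
classify_server_header() {
    # Strip CRs, stop at the blank line ending the headers, take first Server.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        /^$/ { exit }')
    case "$value" in
        "")        echo absent ;;
        */[0-9]*)  echo version-disclosed ;;  # e.g. nginx/1.14.2
        nginx)     echo product-only ;;       # server_tokens off
        *)         echo custom ;;             # e.g. rebuilt with a custom string
    esac
}

# Reads an error-page body on stdin; the stock nginx footer names the product.
classify_error_page() {
    body=$(cat)
    case "$body" in
        *"<center>nginx/"[0-9]*)     echo version-disclosed ;;
        *"<center>nginx</center>"*)  echo product-only ;;
        *)                           echo clean ;;
    esac
}

# Constructed samples for the three states the article walks through.
sample_default()    { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.14.2\r\n\r\n'; }
sample_tokens_off() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }
sample_custom()     { printf 'HTTP/1.1 200 OK\r\nServer: yinzhengjie2019\r\n\r\n'; }
# Constructed 404 body in the shape of the stock footer with server_tokens off.
sample_404_tokens_off() {
    printf '<html>\n<body>\n<center><h1>404 Not Found</h1></center>\n'
    printf '<hr><center>nginx</center>\n</body>\n</html>\n'
}

for s in sample_default sample_tokens_off sample_custom; do
    printf '%-18s %s\n' "$s" "$($s | classify_server_header)"
done
printf '%-18s %s\n' "404 body" "$(sample_404_tokens_off | classify_error_page)"

# Against a live host (assumed reachable at 127.0.0.1):
#   curl -sI http://127.0.0.1/ | classify_server_header
```

    The string edited in ngx_http_server_string is the one nginx sends when server_tokens is off, so the custom value only appears with the setting from section II in place.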

  • Original article: https://www.cnblogs.com/yinzhengjie/p/12057860.html