Nginx configuration: hiding the version number
In a production environment, the Nginx version number should be hidden so that the server does not leak information about its security vulnerabilities.
How to check the version
● On a Windows client, use Fiddler to view the Nginx version number
● On a CentOS system, use "curl -I URL" to view it
Methods for hiding the Nginx version number
● Modify the configuration file
● Modify the source code
Modifying the configuration file
1. Set the server_tokens option in the Nginx configuration file to off
[root@www conf]# vim nginx.conf
.....
server_tokens off;
.....
[root@www conf]# nginx -t
2. Restart the service and check the website with the curl -I command
[root@www conf]# service nginx restart
[root@www conf]# curl -I http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx
3. If the PHP configuration sets the fastcgi_param SERVER_SOFTWARE option, edit the php-fpm configuration file and change the fastcgi_param SERVER_SOFTWARE value to match:
fastcgi_param SERVER_SOFTWARE nginx;
Modifying the source code
The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information. You can set it to any value, then recompile and reinstall to hide the real version information.
Example:
#define NGINX_VERSION "1.1.1"   /* change the version number to 1.1.1 */
#define NGINX_VER "IIS/"   /* change the software type to IIS */
Restart the service and check the website with the curl -I command.
Changing the Nginx user and group
The running Nginx processes need a user and a group so that access control can be applied when they read the website's files.
By default Nginx uses the nobody user account and group account, which should generally be changed.
Ways to change them
● Specify the user and group when compiling and installing
● Specify the user and group in the configuration file
Specifying the user and group in the configuration file
1. Create a new user account, such as nginx
2. Modify the user option in the main configuration file to specify that account
3. Restart the nginx service so the configuration takes effect
4. Use the ps aux command to view the nginx process information and verify that the running user account has changed
[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root 130034 0.0 0.0 20220 620 ? Ss 19:41 0:00 nginx: master process /usr/local/sbin/nginx
nginx 130035 0.0 0.0 20664 1512 ? S 19:41 0:00 nginx: worker process
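The checks from the two procedures above (server_tokens off, a dedicated worker user, and the Server header returned by curl -I) can be scripted. This is an added example, not part of the original page: the function names are hypothetical, the sample configuration and headers are constructed, and it reads only the first occurrence of each directive in a single file without following include.

```shell
#!/usr/bin/env bash
# Added example: audit the settings covered above. All sample input is constructed.

# Print the arguments of the first directive NAME found in config text on stdin.
directive_value() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == name { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report risky settings in FILE; the return status is the number of findings.
audit_conf() {
    local conf="$1" findings=0 tokens user
    tokens=$(directive_value server_tokens < "$conf")
    user=$(directive_value user < "$conf")
    if [ "$tokens" != "off" ]; then
        echo "FAIL server_tokens is '${tokens:-unset, default on}'"
        findings=$((findings + 1))
    fi
    case "${user%% *}" in
        ""|nobody|root)
            echo "FAIL worker user is '${user:-unset, build-time default}'"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Read response headers (curl -I output) on stdin; succeed if Server shows a version.
banner_leaks_version() {
    tr -d '\r' | grep -Eiq '^Server:[[:space:]]*[^[:space:]]+/[0-9]'
}

# Demo on a constructed configuration and constructed response headers.
sample=$(mktemp)
printf 'http {\n    server_tokens on;\n}\n' > "$sample"
audit_conf "$sample" || echo "findings: $?"
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\n' | banner_leaks_version \
    && echo "FAIL Server header discloses a version"
rm -f "$sample"
```

Against a live host, pipe the real output in, for example `curl -sI URL | banner_leaks_version`.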
Configuring the Nginx web cache time
When Nginx returns web page data to a client, you can set a cache time so that later requests for the same content can be answered directly, avoiding repeated requests and speeding up access. Set a cache time for static pages; do not set one for dynamic pages. On a Windows client, Fiddler can be used to view a page's cache time.
How to set it
Modify the configuration file and add the expires parameter for the content concerned in the http block, the server block, or a location block
Example
Modify the Nginx configuration file, adding the expires parameter in a location block
location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
root html;
expires 1d;
}
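To check the result without Fiddler: expires 1d makes nginx send Cache-Control: max-age=86400 together with an Expires header, and the location regex decides which requests receive it. This is an added example, not part of the original page; the function names are hypothetical and the sample URIs and headers are constructed.

```shell
#!/usr/bin/env bash
# Added example: verify the caching rule above. All sample input is constructed.

# The image-extension regex used by the location block (extension spelled jpeg).
# nginx "~" is case-sensitive and is matched against the URI path, without the
# query string.
IMG_RE='\.(gif|jpg|jpeg|png|bmp|ico)$'

# Succeed if a request URI would be handled by the image location.
matches_image_location() {
    local path="${1%%\?*}"          # drop the query string, as nginx does
    printf '%s\n' "$path" | grep -Eq "$IMG_RE"
}

# Read response headers on stdin and print the Cache-Control max-age in seconds.
max_age() {
    tr -d '\r' \
        | sed -n 's/^[Cc]ache-[Cc]ontrol:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Succeed only if the headers on stdin carry the lifetime set by "expires 1d".
cached_for_one_day() {
    [ "$(max_age)" = "86400" ]
}

# Demo on constructed URIs and constructed response headers.
for uri in /game.jpg '/game.jpg?v=2' /game.JPG /index.html; do
    if matches_image_location "$uri"; then
        echo "1d cache: $uri"
    else
        echo "no rule:  $uri"
    fi
done
printf 'HTTP/1.1 200 OK\r\nCache-Control: max-age=86400\r\n' | cached_for_one_day \
    && echo "OK lifetime is one day"
```

The /game.JPG case falls through because the ~ modifier is case-sensitive; ~* is the case-insensitive form.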
Demonstration: hiding the version number
First, compile and install the Nginx service
Step 1: Get the source packages from the remote Windows share and mount it on Linux
[root@localhost ~]# smbclient -L //192.168.235.1
Enter SAMBA\root's password:
Sharename Type Comment
--------- ---- -------
LNMP Disk
[root@localhost ~]# mkdir /abc
[root@localhost ~]# mount.cifs //192.168.235.1/LNMP /abc
Password for root@//192.168.235.1/LNMP:
[root@localhost ~]# ls /abc
Discuz_X3.4_SC_UTF8.zip nginx-1.12.2.tar.gz
game.jpg php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
Step 2: Extract the source package
[root@localhost ~]# cd /abc
[root@localhost abc]# tar zxvf nginx-1.12.0.tar.gz -C /opt
[root@localhost abc]# ls /opt
nginx-1.12.0 rh
Step 3: Download and install the compiler packages
[root@localhost abc]# cd /opt
[root@localhost opt]# yum install -y \
> gcc \ //C compiler
> gcc-c++ \ //C++ compiler
> pcre-devel \ //PCRE development library
> zlib-devel //compression library
Step 4: Create the service user and configure the Nginx build
[root@localhost opt]# useradd -M -s /sbin/nologin nginx
//Create the service user nginx and prevent it from logging in at a terminal
[root@localhost opt]# cd nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
//Configure nginx
> --prefix=/usr/local/nginx \
//Installation path
> --user=nginx \
//User name
> --group=nginx \
//Group the user belongs to
> --with-http_stub_status_module
//Install the status statistics module
Step 5: Compile and install Nginx
[root@localhost nginx-1.12.0]# make && make install
Step 6: Create a symbolic link for the nginx command and start the service
[root@localhost nginx-1.12.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
//Create a symbolic link so that nginx can be run as a system command
[root@localhost nginx-1.12.0]# systemctl stop firewalld.service
//Stop the firewall (lab shortcut; on a production host leave firewalld running and allow port 80)
[root@localhost nginx-1.12.0]# setenforce 0
//Set SELinux to permissive mode (lab shortcut; keep it enforcing in production)
[root@localhost nginx-1.12.0]# nginx
//Run nginx to start the service
[root@localhost nginx-1.12.0]# netstat -ntap | grep 80 //Check port 80 of the service; it is listening
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7520/nginx: master
Step 7: Create a systemd unit so that nginx can be managed with systemctl
[root@localhost ~]# vim /lib/systemd/system/nginx.service ##Create the unit file
[Unit]
# Description of the service
Description=nginx
# Start after the network is up
After=network.target
[Service]
# The service forks into the background
Type=forking
# Location of the PID file
PIDFile=/usr/local/nginx/logs/nginx.pid
# Start the service
ExecStart=/usr/local/nginx/sbin/nginx
# Reload the configuration by signalling the main PID
ExecReload=/usr/bin/kill -s HUP $MAINPID
# Stop the process by signalling the main PID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@localhost ~]# chmod 754 /lib/systemd/system/nginx.service ##Set execute permission
[root@localhost ~]# systemctl stop nginx.service ##Stop nginx
[root@localhost ~]# systemctl start nginx.service ##Start nginx
Second, hide the version number by modifying the configuration file
Step 1: Check the default Nginx version number
[root@localhost ~]# curl -I http://192.168.235.158 ##View the version number
HTTP/1.1 200 OK
Server: nginx/1.12.0
##The version number is visible: 1.12.0
Date: Wed, 13 Nov 2019 08:32:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
Step 2: Modify the configuration file nginx.conf
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
##In the http block, add the server_tokens option and set its value to off
Step 3: Verify that the Nginx version number is hidden
[root@localhost ~]# systemctl stop nginx.service
[root@localhost ~]# systemctl start nginx.service
[root@localhost ~]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx
##The version number is now hidden
Date: Wed, 13 Nov 2019 09:18:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
Third, hide the version number by modifying the source code
Step 1: Modify the configuration file nginx.conf
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...
server_tokens on;
##Change off to on
Step 2: Modify the version information in the source file nginx.h
[root@localhost ~]# vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.1.1"
##Change the version information to 1.1.1
Step 3: Recompile Nginx
[root@localhost ~]# cd /opt/nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
[root@localhost nginx-1.12.0]# make && make install
Step 4: Verify that the Nginx version number is hidden
[root@localhost nginx-1.12.0]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx/1.1.1
##The version number has been changed to 1.1.1
Date: Wed, 13 Nov 2019 10:20:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
Demonstration: web cache time
Step 1: Copy a picture to the site directory
[root@localhost nginx-1.12.0]# ls /abc
Discuz_X3.4_SC_UTF8.zip nginx-1.12.2.tar.gz
game.jpg php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
[root@localhost nginx-1.12.0]# cp /abc/game.jpg /usr/local/nginx/html/
[root@localhost nginx-1.12.0]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html game.jpg index.html
Step 2: Modify the Nginx index.html page
[root@localhost html]# vim index.html
<h1>Welcome to nginx!</h1>
<img src="game.jpg"/>
##Add the image path below the h1 tag
Step 3: Modify the nginx.conf file
[root@localhost html]# vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;
##Add this line on its own to specify user nginx and group nginx
location ~ \.(gif|jpeg|jpg|ico|bmp|png)$ {
root html;
expires 1d;
##Cache the image types above for one day
}
[root@localhost html]# systemctl stop nginx.service
[root@localhost html]# systemctl start nginx.service
Step 4: Verify from a Windows 10 virtual machine
Install the Fiddler capture tool (Fiddler.exe) on the client, then open a web browser and access 192.168.235.158