Nginx optimization: hiding the version number and setting Web cache time

Hiding the Nginx version number

In a production environment, the Nginx version number should be hidden so that responses do not reveal which version-specific vulnerabilities may apply to the server.

How to check
● On a Windows client, use Fiddler to view the Nginx version number
● On a CentOS system, use "curl -I URL" to view it

Methods for hiding the Nginx version number
● Modify the configuration file
● Modify the source code


Modify the configuration file method

1. Set the server_tokens option in the Nginx configuration file to off

[root@www conf]# vim nginx.conf
.....
server_tokens off;
.....
[root@www conf]# nginx -t

2. Restart the service and check the response headers with curl -I

[root@www conf]# service nginx restart
[root@www conf]# curl -I http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx

3. If PHP is configured, the fastcgi_param SERVER_SOFTWARE option is also set in the configuration. Edit the php-fpm configuration file and change the fastcgi_param SERVER_SOFTWARE value to the corresponding value:

fastcgi_param SERVER_SOFTWARE nginx;

Modify the source code method

The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information. You can set it to any value, then recompile and install to hide the real version information.

Example:

#define NGINX_VERSION "1.1.1"    /* change the version number to 1.1.1 */
#define NGINX_VER "IIS/"         /* change the software type to IIS */

Restart the service and check the response headers with curl -I.


Changing the Nginx user and group

Nginx processes run under a user account and a group account, which is how access control is applied when the Web site's files are read.

By default Nginx uses the nobody user account and group account; these should generally be changed.

Methods
● Specify the user and group when compiling and installing
● Specify the user and group in the configuration file


Specifying the user and group in the configuration file

1. Create a new user account, such as nginx
2. Modify the user option in the main configuration file to specify the user account
3. Restart the nginx service so the configuration takes effect
4. Use the ps aux command to view the nginx process information and verify that the user account change took effect

[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root      130034  0.0  0.0  20220   620 ?        Ss   19:41   0:00 nginx: master process /usr/local/sbin/nginx
nginx     130035  0.0  0.0  20664  1512 ?        S    19:41   0:00 nginx: worker process

Configuring the Nginx Web cache time

When Nginx returns Web page data to the client, you can set a cache time so that later requests for the same content are answered directly, avoiding repeated requests and speeding up access. Set a cache time for static pages; do not set one for dynamic pages. On a Windows client, Fiddler can be used to view a page's cache time.

Setting method

Modify the configuration file and add the expires parameter for the specific content in the http section, the server section, or a location section.

Examples

Modify the Nginx configuration file, adding the expires parameter in a location section

location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
    root html;
    expires 1d;
}


Demonstration: hiding the version number

First, compile and install the Nginx service

Step one: find the source packages on the remote Windows share and mount the share on Linux

[root@localhost ~]# smbclient -L //192.168.235.1
Enter SAMBA\root's password: 
Sharename       Type      Comment
---------       ----      -------
LNMP            Disk  

[root@localhost ~]# mkdir /abc
[root@localhost ~]# mount.cifs //192.168.235.1/LNMP /abc
Password for root@//192.168.235.1/LNMP:  
[root@localhost ~]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz

The second step: extract the source package

[root@localhost ~]# cd /abc
[root@localhost abc]# tar zxvf nginx-1.12.0.tar.gz -C /opt
[root@localhost abc]# ls /opt
nginx-1.12.0  rh

Step three: download and install the build packages

[root@localhost abc]# cd /opt
[root@localhost opt]# yum install -y \
> gcc \
> gcc-c++ \
> pcre-devel \
> zlib-devel
//gcc: C language; gcc-c++: C++ language; pcre-devel: PCRE tools; zlib-devel: compression library

Step four: create the service user and configure the Nginx components

[root@localhost opt]# useradd -M -s /sbin/nologin nginx
//create the service user nginx and prevent it from logging in at a terminal
[root@localhost opt]# cd nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
//--prefix: installation path; --user: user name; --group: group the user belongs to
//--with-http_stub_status_module: install the status statistics module

Step five: compile and install Nginx

[root@localhost nginx-1.12.0]# make && make install

Step six: create a symbolic link for the nginx command and start the service

[root@localhost nginx-1.12.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
//link the nginx command into the system command path
[root@localhost nginx-1.12.0]# systemctl stop firewalld.service
//stop the firewall
[root@localhost nginx-1.12.0]# setenforce 0
//turn off the enhanced security feature (SELinux)
[root@localhost nginx-1.12.0]# nginx
//run nginx to start the service
[root@localhost nginx-1.12.0]# netstat -ntap | grep 80      //check port 80; the service is listening
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7520/nginx: master  

Step seven: create a systemd unit so that nginx can be managed with systemctl

[root@localhost ~]# vim /lib/systemd/system/nginx.service      ##create the unit file

[Unit]
##description
Description=nginx
##start after the network target
After=network.target
[Service]
##the service runs in the background
Type=forking
##location of the PID file
PIDFile=/usr/local/nginx/logs/nginx.pid
##start the service
ExecStart=/usr/local/nginx/sbin/nginx
##reload the configuration by PID
ExecReload=/usr/bin/kill -s HUP $MAINPID
##stop the process by PID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

[root@localhost ~]# chmod 754 /lib/systemd/system/nginx.service     ##set execute permissions
[root@localhost ~]# systemctl stop nginx.service       ##stop nginx
[root@localhost ~]# systemctl start nginx.service       ##start nginx

Second, hide the version number by modifying the configuration file

Step one: check the version number Nginx reports by default

[root@localhost ~]# curl -I http://192.168.235.158      ##check the version number
HTTP/1.1 200 OK
Server: nginx/1.12.0
##the version number 1.12.0 is visible
Date: Wed, 13 Nov 2019 08:32:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes

Step two: modify the configuration file nginx.conf

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
##add the server_tokens option to the http section and set its value to off

Step three: verify that the Nginx version number is hidden

[root@localhost ~]# systemctl stop nginx.service 
[root@localhost ~]# systemctl start nginx.service
[root@localhost ~]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx
##the version number is now hidden
Date: Wed, 13 Nov 2019 09:18:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes

Third, hide the version number by modifying the source code

The first step: modify the configuration file nginx.conf

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...
 server_tokens on;
 ##change off to on

Step two: modify the source code version information in the file nginx.h

[root@localhost ~]# vim /opt/nginx-1.12.0/src/core/nginx.h

#define NGINX_VERSION      "1.1.1"
##change the version information to 1.1.1

The third step: recompile Nginx

[root@localhost ~]# cd /opt/nginx-1.12.0/

[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module

[root@localhost nginx-1.12.0]# make && make install

Step four: verify the version number Nginx now reports

[root@localhost nginx-1.12.0]# curl -I http://192.168.235.158 
HTTP/1.1 200 OK
Server: nginx/1.1.1
##the version number has been changed to 1.1.1
Date: Wed, 13 Nov 2019 10:20:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
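
The three curl -I checks above can be made repeatable with a small shell function. This is an added example, not part of the original post: the function name classify_server_header is hypothetical, and the sample headers are constructed from the outputs shown above.

```shell
#!/bin/sh
# Classify the Server header in "curl -I" output read on stdin. Prints:
#   absent        - no Server header in the response
#   product-only  - product name without a version (server_tokens off)
#   version:<v>   - a version-shaped token is exposed; the header alone cannot
#                   tell a real version from one rewritten in nginx.h
classify_server_header() {
    # Header names are case-insensitive; HTTP lines end in CR LF, so drop CR.
    value=$(tr -d '\r' | awk '!seen && tolower($1) == "server:" {
        $1 = ""; sub(/^ +/, ""); print; seen = 1 }')
    if [ -z "$value" ]; then
        echo "absent"
        return 0
    fi
    # "product/1.2.3": a slash followed by dotted digits is a version token.
    version=$(printf '%s\n' "$value" | sed -n 's|^[^/]*/\([0-9][0-9.]*\).*$|\1|p')
    if [ -n "$version" ]; then
        echo "version:$version"
    else
        echo "product-only"
    fi
}

# Constructed samples modelled on the three responses shown above.
default_headers='HTTP/1.1 200 OK
Server: nginx/1.12.0
Content-Type: text/html'
hidden_headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
rewritten_headers='HTTP/1.1 200 OK
Server: nginx/1.1.1
Content-Type: text/html'

# Against a live host: curl -sI http://HOST/ | classify_server_header
for sample in "$default_headers" "$hidden_headers" "$rewritten_headers"; do
    printf '%s\n' "$sample" | classify_server_header
done
```

The rewritten header is still reported as a version, which is the point of the third case: the check shows what a client sees, not which Nginx release is actually running.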


Demonstration: Web cache time

The first step: Copy pictures to the site directory

[root@localhost nginx-1.12.0]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
[root@localhost nginx-1.12.0]# cp /abc/game.jpg /usr/local/nginx/html/
[root@localhost nginx-1.12.0]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html  game.jpg  index.html

Step two: modify the Nginx index.html page

[root@localhost html]# vim index.html

<h1>Welcome to nginx!</h1>
<img src="game.jpg"/>
##add the image path below the h1 tag

Step three: modify the nginx.conf file

[root@localhost html]# vim /usr/local/nginx/conf/nginx.conf

user nginx nginx;
##add this line on its own, specifying the user nginx and the group nginx

 location ~ \.(gif|jpeg|jpg|ico|bmp|png)$ {
            root html;
            expires 1d;
            ##images of the types above are cached for one day
        }

[root@localhost html]# systemctl stop nginx.service
[root@localhost html]# systemctl start nginx.service 

Step four: verify from a Windows 10 virtual machine

Install the Fiddler.exe capture software on the client, then open a web browser and access 192.168.235.158.
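
The same check can be done from the Linux side by reading the response headers: with "expires 1d", Nginx adds an Expires header and "Cache-Control: max-age=86400" to matching responses. The script below is an added example, not part of the original post; the function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Convert an nginx "expires" time (1d, 12h, 30m, 45s or bare seconds) to
# seconds. Assumption of this example: a single number with one s/m/h/d unit.
expires_to_seconds() {
    n=${1%[smhd]}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *d) echo $((n * 86400)) ;;
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;      # "45s" or a bare number of seconds
    esac
}

# Print the max-age value of the Cache-Control header read on stdin,
# or nothing when the response carries no max-age.
max_age_from_headers() {
    tr -d '\r' | awk '!found && tolower($1) == "cache-control:" &&
        match($0, /max-age=[0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); found = 1 }'
}

# Succeed only when the response's max-age equals the configured expires time.
# Usage: curl -sI http://HOST/game.jpg | cache_matches 1d
cache_matches() {
    want=$(expires_to_seconds "$1") || return 2
    got=$(max_age_from_headers)
    [ -n "$got" ] && [ "$got" -eq "$want" ]
}

# Constructed samples: an image matched by the location block above, and a
# page outside it that gets no caching headers.
image_headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Expires: Thu, 14 Nov 2019 09:18:00 GMT
Cache-Control: max-age=86400'
page_headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

printf '%s\n' "$image_headers" | cache_matches 1d && echo "game.jpg: cached for 1d"
printf '%s\n' "$page_headers" | cache_matches 1d || echo "index.html: no max-age"
```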



thanks for reading!!!


Origin blog.51cto.com/14449521/2450139