How to modify the Nginx response headers

October 11, 2019 | Category: [Technology]

Hiding the nginx version information:

Reference: https://blog.csdn.net/qq_21460229/article/details/71056630
Reference: https://blog.csdn.net/qq_28602957/article/details/54928490

Edit /usr/local/nginx/conf/nginx.conf and add the following inside the http block:

server_tokens off;

Edit /usr/local/nginx/conf/fastcgi_params:

fastcgi_param  SERVER_SOFTWARE    ChaoOS;

Hiding the PHP version information

Edit /usr/local/php/etc/php.ini:

expose_php = Off

Hiding the Server header information:

This requires editing the nginx source code (not the nginx installation directory) and then recompiling nginx.

Reference: https://amon.org/nginx

Option 1: ngx_http_header_filter_module (tested, did not work)

Reference: https://amon.org/ngx_http_header_filter_module

Option 2: headers-more-nginx-module (tested, works)

Reference: https://amon.org/headers-more-nginx-module
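As an added example that is not part of the original post, a minimal nginx.conf combining the steps above; it assumes nginx was compiled with headers-more-nginx-module (--add-module) and uses ChaoOS as a placeholder product name:

```nginx
# Added example (not from the original post). Assumes nginx was built with
# headers-more-nginx-module, e.g. ./configure --add-module=/path/to/headers-more-nginx-module
# (the module path and the "ChaoOS" value are placeholders).
http {
    # Strips the version number from the Server header and from error pages,
    # but the header itself still reads "Server: nginx".
    server_tokens off;

    server {
        listen 80;
        server_name example.com;

        # headers-more: replace the whole Server header value.
        more_set_headers 'Server: ChaoOS';
        # Drop headers that reveal the backend stack (PHP adds X-Powered-By
        # unless expose_php is Off).
        more_clear_headers 'X-Powered-By';

        location ~ \.php$ {
            include fastcgi_params;
            # Overrides the SERVER_SOFTWARE value that PHP sees
            # (same effect as the fastcgi_params edit above).
            fastcgi_param SERVER_SOFTWARE ChaoOS;
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
```

After reloading, a check such as `curl -sI http://example.com/ | grep -i -e '^server:' -e '^x-powered-by:'` should show only `Server: ChaoOS`.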

Conclusion:

Hiding version and software information is not the ultimate solution for server security, but it is a necessary first step.

There are many hidden ways servers perform by accident via their implementation which may help identify the system. e.g. How it responds to a bad SSL request. I don't see a practical way of preventing this.

Look at nmap's OS detection for instance – this looks at the target host's responses to IP/TCP requests and is able to determine the OS that way. It's really not worth putting effort into this.

Better to secure your server as best as you can rather than relying on security through obscurity.

Server tokens only turn off the version number. Nginx does not allow for completely removing the header.

Of course security through obscurity does nothing for your security itself, but it sure as hell will at least protect against the most mundane, simplistic attack vectors – security through obscurity is a necessary step, it may be the first one and should never be the last security measurement – skipping it completely is a very bad mistake, even the most secure webservers can be cracked if a version-specific attack vector is known.

For real optimization and security, you should still read the source code carefully and get the details right!

Reference: https://stackoverflow.com/questions/24594971/how-to-changehide-the-nginx-server-signature
Reference: https://serverfault.com/questions/214242/can-i-hide-all-server-os-info
Reference: https://www.cnblogs.com/linkenpark/p/7283205.html