On nginx web page optimization

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Nginx Page Optimization (1)

Configure Nginx to hide its version number

In a production environment, the Nginx version number should be hidden so that the server does not disclose which release it runs and, with it, which known vulnerabilities may apply.

View method

On a Windows client, use the Fiddler tool to view the Nginx version number.
On a CentOS system, use the "curl -I URL" command to view the Nginx version number.

Methods for hiding the version number

Modify the configuration file
Modify the source code

Modify the configuration file method

Set the value of the server_tokens option in the Nginx configuration file to off:

    [root@www conf]# vi nginx.conf
    ...
    server_tokens off;    # disable the version number
    ...
    [root@www conf]# nginx -t

Restart the service, visit the website, and use the curl -I command to check:

    [root@www conf]# service nginx restart
    [root@www conf]# curl -I http://192.168.9.209/
    HTTP/1.1 200 OK
    Server: nginx

If the fastcgi_param SERVER_SOFTWARE option is configured in the PHP configuration file, edit the php-fpm configuration file and change the value of fastcgi_param SERVER_SOFTWARE to:

    fastcgi_param SERVER_SOFTWARE nginx;

Configuration instance

    [root@localhost nginx]# curl -I http://192.168.144.133/    # view the version number
    HTTP/1.1 200 OK
    Server: nginx/1.12.2    # the version number is displayed
    Date: Thu, 14 Nov 2019 06:52:14 GMT
    Content-Type: text/html
    Content-Length: 634
    Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
    Connection: keep-alive
    ETag: "5dccf320-27a"
    Accept-Ranges: bytes

    [root@localhost nginx]# vim conf/nginx.conf    # edit the configuration file
    ...    # part of the content omitted
    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens off;    # added entry: turn off the version number
    ...    # part of the content omitted
    :wq
    [root@localhost nginx]# systemctl restart nginx.service
    [root@localhost nginx]# curl -I http://192.168.144.133
    HTTP/1.1 200 OK
    Server: nginx    # the version number is hidden
    Date: Thu, 14 Nov 2019 06:56:51 GMT
    Content-Type: text/html
    Content-Length: 634
    Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
    Connection: keep-alive
    ETag: "5dccf320-27a"
    Accept-Ranges: bytes

Modify the source code method

The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information, which can be set to any value.

Recompile and reinstall Nginx to hide the version information.

Example:

    #define NGINX_VERSION "1.1.1"    /* change the version number to 1.1.1 */
    #define NGINX_VER "IIS/"         /* change the software type to IIS */

Restart the service, visit the website, and use the curl -I command to check.

Configuration instance

    [root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf    # edit the nginx configuration file
    ...    # part of the content omitted
    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens on;    # turn the version number hidden above back on
    ...    # part of the content omitted
    :wq
    [root@localhost ~]# cd /opt/nginx-1.12.2/src/core/    # change the version information in the unpacked source package
    [root@localhost core]# vim nginx.h
    #define nginx_version      1012002
    #define NGINX_VERSION      "1.1.1"    /* change the version number */
    #define NGINX_VER          "nginx/" NGINX_VERSION
    :wq
    [root@localhost core]# cd /opt/nginx-1.12.2/
    [root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module    # reconfigure nginx
    checking for OS
     + Linux 3.10.0-693.el7.x86_64 x86_64
    checking for C compiler ... found
     + using GNU C compiler
     + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    ...    # part of the content omitted
      nginx http fastcgi temporary files: "fastcgi_temp"
      nginx http uwsgi temporary files: "uwsgi_temp"
      nginx http scgi temporary files: "scgi_temp"
    [root@localhost nginx-1.12.2]# make && make install    # rebuild and reinstall nginx
    [root@localhost nginx-1.12.2]# systemctl restart nginx.service    # restart the nginx service
    [root@localhost nginx-1.12.2]# curl -I http://192.168.144.133    # view the version number
    HTTP/1.1 200 OK
    Server: nginx/1.1.1    # the version number has changed
    Date: Thu, 14 Nov 2019 07:11:08 GMT
    Content-Type: text/html
    Content-Length: 634
    Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
    Connection: keep-alive
    ETag: "5dccf320-27a"
    Accept-Ranges: bytes

Modify Nginx users and groups

The Nginx processes need a user and a group to run as, so that access control applies when they read website files. By default Nginx uses the nobody user account and group account, which generally need to be changed.

Methods of modification

Specify the user and group when compiling and installing
Specify the user and group in the configuration file

Specify the user and group when compiling and installing

Create user accounts and group accounts, such as nginx

When compiling and installing, the --user and --group options specify the user and group account that the Nginx service runs as.

Specify the user and group in the configuration file

Specify a new user account, such as nginx.
In the main configuration file, set the user option to that user account.
Restart the nginx service to make the configuration take effect.
Use the ps aux command to view the nginx process information and verify that the running user account has changed.

    [root@www conf]# vi nginx.conf
    user nginx nginx;
    [root@www conf]# service nginx restart
    [root@www conf]# ps aux | grep nginx
    root   130034  0.0  20220 ?  Ss  19:41  0:00 nginx: master process /usr/local/sbin/nginx
    nginx  130035  0.0  0.0  20664  1512 ?  S   19:41  0:00 nginx: worker process

Configure Nginx web page cache time

When Nginx returns web page data to the client, a cache time can be set so that later requests for the same content are answered directly from the cache. This avoids repeated requests and speeds up access.
Generally, set a cache time for static web pages and do not set one for dynamic web pages.
On a Windows client, Fiddler can be used to view the web page cache time.

Setting method

Modify the configuration file and add the expires parameter for specific content in the http segment, the server segment, or the location segment.

Example

Modify the Nginx configuration file and add the expires parameter in the location segment:

    location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
        root html;
        expires 1d;
    }

Configuration instance

    [root@localhost ~]# systemctl stop firewalld.service    # disable the firewall
    [root@localhost ~]# setenforce 0    # disable the enhanced security function
    [root@localhost ~]# systemctl start nginx.service    # start the nginx service
    [root@localhost ~]# netstat -ntap | grep 80    # check whether the service port is listening
    tcp        0      0 0.0.0.0:80      0.0.0.0:*      LISTEN      1684/nginx: master
    [root@localhost ~]# mkdir abc
    [root@localhost ~]# mount.cifs //192.168.100.10/lamp-c7 abc/    # mount the host image folder on the abc directory
    Password for root@//192.168.100.10/lamp-c7:
    [root@localhost ~]# cd abc/    # enter the abc directory
    [root@localhost abc]# ls
    apr-1.6.2.tar.gz                  Discuz_X2.5_SC_UTF8.zip  miao.jpg
    apr-util-1.6.0.tar.gz             error.png                mysql-5.6.26.tar.gz
    awstats-7.6.tar.gz                httpd-2.4.29.tar.bz2     nginx-1.12.0.tar.gz
    cronolog-1.6.2-14.el7.x86_64.rpm  LAMP-php5.6.txt          php-5.6.11.tar.bz2
    [root@localhost abc]# cp miao.jpg /usr/local/nginx/html/    # copy the image to the nginx site
    [root@localhost abc]# cd /usr/local/nginx/html/    # enter the site directory
    [root@localhost html]# ls
    50x.html  index.html  miao.jpg
    [root@localhost html]# vim index.html    # edit the web page content

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <img src="miao.jpg"/>    <!-- add a picture -->
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>

    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>

    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    :wq

    [root@localhost nginx]# vim conf/nginx.conf    # edit the configuration
    ...    # part of the content omitted
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
    ...    # part of the content omitted
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            location ~ \.(gif|jpeg|jpg|ico|bmp|png)$ {    # cache entry
                root html;
                expires 1d;
            }
        }
    ...    # part of the content omitted
    :wq
    [root@localhost nginx]# systemctl restart nginx.service    # restart the nginx service

Access the web page from a client and use a packet capture tool to check whether the cache time is in effect.
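The curl -I version check and the cache-time check described above can be scripted instead of read off by eye. The following is an added example, not part of the original article: the two sample responses are constructed (modelled on the outputs shown on this page), and the function names are hypothetical. It relies on the fact that nginx's expires directive emits both an Expires header and Cache-Control: max-age.

```shell
#!/bin/sh
# Added example: inspect `curl -sI` output for version leakage and cache lifetime.

# Constructed sample responses, modelled on the outputs shown on this page.
BEFORE='HTTP/1.1 200 OK
Server: nginx/1.12.2
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Expires: Fri, 15 Nov 2019 07:30:00 GMT
Cache-Control: max-age=86400'

# header_value NAME: print the value of header NAME read from stdin
# (case-insensitive match, trailing CR from the wire removed).
header_value() {
    awk -v name="$1" 'BEGIN { n = tolower(name) ":" }
        { sub(/\r$/, "") }
        tolower(substr($0, 1, length(n))) == n {
            v = substr($0, length(n) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# server_leaks_version HEADERS: succeeds if Server carries "product/<digit>...".
server_leaks_version() {
    printf '%s\n' "$1" | header_value Server | grep -Eq '/[0-9]'
}

# cache_max_age HEADERS: print max-age in seconds, or "none" if not set.
cache_max_age() {
    age=$(printf '%s\n' "$1" | header_value Cache-Control |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    echo "${age:-none}"
}

report() {
    if server_leaks_version "$1"; then echo "Server header: version exposed"
    else echo "Server header: version hidden"; fi
    echo "Cache lifetime (s): $(cache_max_age "$1")"
}

report "$BEFORE"   # server_tokens on, no expires
report "$AFTER"    # server_tokens off, expires 1d (1d = 86400 s)
```

Against a running server, pass live headers instead of the samples, for example report "$(curl -sI http://192.168.144.133/miao.jpg)".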

Configure Nginx connection timeouts

On an enterprise website, to avoid the same client holding a connection for a long time and wasting resources, set the corresponding connection timeout parameters to control how long a connection may stay open. The Fiddler tool can be used to view the connection parameters.

Timeout parameter explanation

keepalive_timeout

Sets the keep-alive connection timeout. You can set just this parameter. The default is 75 seconds. It can be set according to the situation of the website, or turned off, and can be set in the http segment, the server segment, or the location segment.

client_header_timeout

Specifies the timeout for waiting for the client to send the request header.

client_body_timeout

Sets the timeout for reading the request body.

Configuration instance

    [root@localhost nginx-1.12.2]# cd /usr/local/nginx/conf/    # enter the nginx configuration file directory
    [root@localhost conf]# vim nginx.conf    # edit the configuration file
    ...    # part of the content omitted
    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens on;

        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';

        #access_log  logs/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        #keepalive_timeout  0;
        keepalive_timeout  65 180;    # add a client timeout of 180 seconds
        client_header_timeout 80;     # set the client header timeout
        client_body_timeout 80;       # set the client body content timeout

        #gzip  on;

        server {
            listen       80;
            server_name  localhost;
    ...    # part of the content omitted
    :wq
    [root@localhost conf]# systemctl restart nginx.service    # restart the service
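To confirm that a configuration file actually carries the settings covered on this page (server_tokens, user, and the three timeout directives), the file can be audited as text. This is an added example, not part of the original article: the function names are hypothetical and the sample configuration is constructed from the instances above, with client_body_timeout left out so that the audit has something to report.

```shell
#!/bin/sh
# Added example: audit nginx.conf text for the directives covered on this page.

# Constructed sample, reduced from the configuration instances above.
SAMPLE_CONF='user nginx nginx;
http {
    server_tokens on;
    #keepalive_timeout  0;
    keepalive_timeout  65 180;
    client_header_timeout 80;
}'

# directive_args NAME: read a config on stdin and print the arguments of the
# last active occurrence of directive NAME; prints nothing if it is absent.
# Comments are dropped first (a "#" inside a quoted string would be cut too,
# which does not affect the directives checked here).
directive_args() {
    sed 's/#.*//' | awk -v d="$1" '
        $1 == d { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); a = $0 }
        END { if (a != "") print a }'
}

# audit_conf TEXT: print one finding per line, or "ok" if nothing is flagged.
audit_conf() {
    conf=$1; n=0
    flag() { echo "$1"; n=$((n + 1)); }

    tokens=$(printf '%s\n' "$conf" | directive_args server_tokens)
    [ "$tokens" = "off" ] || flag "server_tokens is not off: version shown in Server header"

    user=$(printf '%s\n' "$conf" | directive_args user | awk '{ print $1 }')
    case "$user" in
        ""|nobody) flag "user not changed: workers run as the default account" ;;
    esac

    for d in keepalive_timeout client_header_timeout client_body_timeout; do
        v=$(printf '%s\n' "$conf" | directive_args "$d" | awk '{ print $1 }')
        [ -n "$v" ] || flag "$d is not set explicitly"
    done

    [ "$n" -gt 0 ] || echo "ok"
}

audit_conf "$SAMPLE_CONF"
```

For a real file, call audit_conf "$(cat /usr/local/nginx/conf/nginx.conf)"; directives pulled in through include are not followed.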
