
Optimization of nginx system based on CentOS7

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Hiding version information in nginx on CentOS7

After you first install the nginx service on CentOS7, you can view the current nginx version information:

    [root@localhost init.d]# curl -I http://192.168.234.174    # view current version information
    HTTP/1.1 200 OK
    Server: nginx/1.12.0    # current nginx version information
    Date: Sat, 30 Jun 2018 06:23:15 GMT
    Content-Type: text/html
    Content-Length: 612
    Last-Modified: Sat, 30 Jun 2018 06:17:15 GMT
    Connection: keep-alive
    ETag: "5b37206b-264"
    Accept-Ranges: bytes

To avoid disclosing version information, which can cause unnecessary trouble, here are two ways to hide it:

Method for when the nginx service is already installed

Modify the main configuration file of nginx

    [root@localhost init.d]# vim /usr/local/nginx/conf/nginx.conf
    # ... (omitted)
    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens off;    # add this line to turn off version display

Reload the configuration of nginx and view the version information again

    [root@localhost init.d]# service nginx reload    # reload nginx's configuration file
    [root@localhost init.d]# curl -I http://192.168.234.174
    HTTP/1.1 200 OK
    Server: nginx    # the version information is now hidden
    Date: Sat, 30 Jun 2018 06:35:14 GMT
    Content-Type: text/html
    Content-Length: 612
    Last-Modified: Sat, 30 Jun 2018 06:17:15 GMT
    Connection: keep-alive
    ETag: "5b37206b-264"
    Accept-Ranges: bytes

Method for when the nginx service has not yet been installed

First, modify the source code of nginx to make people think that we are using a different version.

    [root@localhost init.d]# vim /opt/nginx-1.12.0/src/core/nginx.h    # modify the source code package
    /* ... (omitted) */
    #define nginx_version      1012000
    #define NGINX_VERSION      "1.12.0"    /* change to 1.1.1 */

Then compile and install

    [root@localhost init.d]# cd /opt/nginx-1.12.0/
    [root@localhost nginx-1.12.0]# ./configure \
    > --prefix=/usr/local/nginx \
    > --user=nginx \
    > --group=nginx \
    > --with-http_stub_status_module    # configure the build
    [root@localhost nginx-1.12.0]# make && make install    # compile and install
    [root@localhost conf]# vim nginx.conf
    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens on;    # enable the display of version information
    [root@localhost conf]# service nginx stop
    [root@localhost conf]# service nginx start    # restart the nginx service
    [root@localhost conf]# curl -I http://192.168.234.174
    HTTP/1.1 200 OK
    Server: nginx/1.1.1    # the reported nginx version has been changed
    Date: Sat, 30 Jun 2018 07:03:56 GMT
    Content-Type: text/html
    Content-Length: 612
    Last-Modified: Sat, 30 Jun 2018 06:17:15 GMT
    Connection: keep-alive
    ETag: "5b37206b-264"
    Accept-Ranges: bytes

Modify users and groups

    [root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
    #user  nobody;    # change nobody to nginx nginx, i.e. "user nginx nginx;"

Modify cache time

    [root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
    # ... (omitted)
    location / {
        root   html;
        index  index.html index.htm;
    }
    # add the following block below it
    location ~ \.(gif|jpg|png|bmp|ico)$ {
        root    html;
        expires 1d;
    }
    [root@localhost conf]# cd /usr/local/nginx/html/
    [root@localhost html]# cp /abc/Apache/ai.jpg /usr/local/nginx/html/    # copy a picture to the html site directory
    [root@localhost html]# service nginx stop
    [root@localhost html]# service nginx start    # restart the nginx service

Then use a win7 client with Fiddler installed to access the nginx server.

Then you can see that the caching time of the picture here has been changed to one day.
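The two response-header changes made so far, the Server token and the one-day expiry, can also be checked from the command line instead of in Fiddler. The following is an added example, not part of the original article: the function names and sample responses are constructed, and it assumes that `expires 1d` makes nginx send `Cache-Control: max-age=86400` alongside `Expires`.

```shell
#!/bin/sh
# Added example: audit response headers read from stdin.

# Prints "version" if Server carries product/version, "product" if it is
# the bare name, "absent" if there is no Server header.
server_token_status() {
    tr -d '\r' | awk '
        BEGIN { s = "absent" }
        tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            s = (v ~ /\/[0-9]/) ? "version" : "product"
        }
        END { print s }'
}

# Prints the Cache-Control max-age in seconds, or "none".
cache_max_age() {
    tr -d '\r' | awk '
        BEGIN { a = "none" }
        tolower($0) ~ /^cache-control:/ {
            if (match(tolower($0), /max-age=[0-9]+/))
                a = substr($0, RSTART + 8, RLENGTH - 8)
        }
        END { print a }'
}

# Constructed samples modelled on the curl -I output in this article.
default_resp='HTTP/1.1 200 OK
Server: nginx/1.12.0
Content-Type: text/html'
hidden_resp='HTTP/1.1 200 OK
Server: nginx
Content-Type: image/jpeg
Cache-Control: max-age=86400'
patched_resp='HTTP/1.1 200 OK
Server: nginx/1.1.1'

for r in "$default_resp" "$hidden_resp" "$patched_resp"; do
    printf 'server=%s max-age=%s\n' \
        "$(printf '%s\n' "$r" | server_token_status)" \
        "$(printf '%s\n' "$r" | cache_max_age)"
done
# Live use: curl -sI http://192.168.234.174/ai.jpg | cache_max_age
```

A source-patched banner such as nginx/1.1.1 still classifies as "version", because a client cannot tell a false version string from a real one.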

Log segmentation

    [root@localhost ~]# vim /opt/fenge.sh    # log segmentation script
    #!/bin/bash
    # Filename: fenge.sh
    d=$(date -d "-1 day" "+%Y%m%d")                 # date of the previous day
    logs_path="/var/log/nginx"                      # save path of the split logs
    pid_path="/usr/local/nginx/logs/nginx.pid"      # file holding the nginx process ID
    [ -d "$logs_path" ] || mkdir -p "$logs_path"
    # move the access log so that a separate log file is kept for each day, named by date
    mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-$d"
    # signal nginx to reopen its log files, so a new access.log is created for the next cut
    kill -USR1 $(cat "$pid_path")
    # delete the log files from 30 days ago
    find "$logs_path" -mtime +30 | xargs rm -rf
    [root@localhost opt]# chmod +x fenge.sh    # give the log segmentation script execute permission
    [root@localhost opt]# ./fenge.sh           # execute the script
    [root@localhost opt]# cd /var/log/nginx/   # view the log files of nginx
    [root@localhost nginx]# ls
    test.com-access.log-20180629               # a log file for the previous day is generated here

It can also be added as a periodic scheduled task

    [root@localhost nginx]# crontab -e
    0 1 * * * /opt/fenge.sh

This way the log segmentation task runs periodically, so we don't need to manually execute the script every day.

Connection timeout

    [root@localhost nginx]# vim /usr/local/nginx/conf/nginx.conf
    # ... (omitted)
    #keepalive_timeout  0;
    keepalive_timeout  65;    # delete this line and add the three lines below
    keepalive_timeout  65 180;
    client_header_timeout 80;
    client_body_timeout 80;
    [root@localhost nginx]# nginx -t    # check syntax
    [root@localhost nginx]# service nginx stop
    [root@localhost nginx]# service nginx start    # restart the nginx service

Then again use a win7 client with Fiddler installed to access the nginx server.

Hotlink protection

First, for the hotlink protection configuration, prepare two win7 clients (network adapter in NAT mode, IP address obtained automatically): one (win7) to perform the hotlinking and the other (win7-1) as the accessing client.

To set up the hotlinking site, first enable the IIS service on the hotlinking host (win7) and write a home page.

This is testworthy website! / / Home page content

// the hotlinking website and the picture it hotlinks

Then install the DNS service on CentOS7 and modify the configuration

    [root@localhost nginx]# yum install bind -y
    [root@localhost nginx]# vim /etc/named.conf    # modify the main configuration file
    listen-on port 53 { 127.0.0.1; };    # change 127.0.0.1 to any
    allow-query     { localhost; };      # change localhost to any
    [root@localhost nginx]# vim /etc/named.rfc1912.zones    # modify the zone configuration file
    # add the following configuration
    zone "benet.com" IN {
        type master;
        file "benet.com.zone";
        allow-update { none; };
    };
    zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-update { none; };
    };
    [root@localhost nginx]# cd /var/named/
    [root@localhost named]# cp -p named.localhost benet.com.zone
    [root@localhost named]# vim benet.com.zone    # modify the zone database file: delete the last line and add
    www IN A 192.168.234.174    ; resolves to the IP of the nginx server
    [root@bogon named]# cp -p benet.com.zone test.com.zone
    [root@localhost named]# vim test.com.zone     # change the www record on the last line to point to the IP of the hotlinking server
    www IN A 192.168.234.180    ; this is the IP of win7

The hotlinking setup is now complete, and we can see the effect.

Visit www.test.com

Visit www.benet.com

Next, configure hotlink protection.

    [root@bogon html]# vim /usr/local/nginx/conf/nginx.conf
    # ... (omitted); add the following
    location ~* \.(jpg|gif|swf)$ {
        valid_referers none blocked *.benet.com benet.com;
        if ($invalid_referer) {
            rewrite ^/ http://www.benet.com/error.png;
        }
    }
    [root@bogon named]# cd /usr/local/nginx/html/
    [root@bogon html]# cp /abc/LNMP/error.png ./    # add the image that requests are redirected to
    [root@bogon html]# service nginx stop
    [root@bogon html]# service nginx start    # restart the nginx service

After the hotlink protection operation is completed, we will use the win7-1 client to access and view the results (clear the cache before access):

Visit www.test.com

Visit www.benet.com

So the hotlink protection is complete.
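How the `valid_referers none blocked *.benet.com benet.com;` line above classifies a request is modelled below as an added example; it is not part of the original article and not nginx's own code, and the function names and sample Referer values are constructed. It shows that the host match is anchored to benet.com, and that because `none` and `blocked` are listed, requests without a usable Referer are still served, so the rule limits embedding by other pages rather than restricting who can fetch the file.

```shell
#!/bin/sh
# Added example: a model of
#   valid_referers none blocked *.benet.com benet.com;
# $1 = "absent" if the request has no Referer header, else "present"
# $2 = the Referer value (ignored when absent)
referer_verdict() {
    if [ "$1" = "absent" ]; then
        echo valid; return 0                  # matches "none"
    fi
    case "$2" in
        http://*|https://*) ;;                # a real URL: check its host
        *) echo valid; return 0 ;;            # matches "blocked"
    esac
    host=${2#*://}                            # drop the scheme
    host=${host%%[/?#:]*}                     # keep the host, drop port/path
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case "$host" in
        benet.com|*.benet.com) echo valid ;;  # the two server names
        *) echo invalid ;;                    # $invalid_referer is set
    esac
}

# What the location block does with an image request.
hotlink_action() {
    if [ "$(referer_verdict "$1" "$2")" = "valid" ]; then
        echo "serve image"
    else
        echo "rewrite to http://www.benet.com/error.png"
    fi
}

# Constructed sample requests: state|Referer
while IFS='|' read -r state ref; do
    printf '%-8s %-34s -> %s\n' "$state" "$ref" "$(hotlink_action "$state" "$ref")"
done <<'EOF'
absent|
present|http://www.benet.com/index.html
present|http://benet.com:80/
present|http://www.test.com/
present|http://benet.com.test.com/a.html
present|about:blank
EOF
```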

These are all the optimized configurations of nginx on CentOS7. Comments and likes are welcome!
