2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Configure Nginx to hide the version number
In a production environment, the Nginx version number should be hidden so that it does not leak information about security vulnerabilities.
How to view the version number
● Use the Fiddler tool on a Windows client to view the Nginx version number
● Use the "curl -I URL" command on a CentOS system
Methods for hiding the version number in Nginx
● Modify the configuration file
● Modify the source code
Configuration file method
1. Set the value of the server_tokens option in the Nginx configuration file to off
[root@www conf]# vim nginx.conf
...
server_tokens off;
...
[root@www conf]# nginx -t
2. Restart the service, visit the website, and check with the curl -I command
[root@www conf]# service nginx restart
[root@www conf]# curl -I http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx
3. If the fastcgi_param SERVER_SOFTWARE option is configured in the PHP configuration file, edit the php-fpm configuration file and change the value corresponding to fastcgi_param SERVER_SOFTWARE to:
fastcgi_param SERVER_SOFTWARE nginx;
Source code method
The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information. It can be changed to any value, and after Nginx is recompiled and installed the real version information is hidden.
Example:
#define NGINX_VERSION "1.1.1"   /* the modified version number is 1.1.1 */
#define NGINX_VER "IIS/"        /* the modified software type is IIS */
Restart the service, visit the website, and check with the curl -I command.
Modify the Nginx user and group
The Nginx runtime processes need a user and group to run as, so that access control applies when they read website files.
By default Nginx uses the nobody user account and group account, which generally should be changed.
How to change it
● Specify the user and group at compile and install time
● Modify the configuration file to specify the user and group
Configuration file method
1. Create a new user account, such as nginx
2. Modify the user option of the main configuration file to specify the user account
3. Restart the nginx service for the configuration to take effect
4. Use the ps aux command to view the nginx process information and verify the running user
Result of the account change
[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root  130034 0.0 0.0 20220  620 ? Ss 19:41 0:00 nginx: master process /usr/local/sbin/nginx
nginx 130035 0.0 0.0 20664 1512 ? S  19:41 0:00 nginx: worker process
Configure the Nginx web page cache time
When Nginx returns web page data to the client, a cache time can be set so that later requests for the same content are answered directly, which avoids repeated requests and speeds up access. This is set for static web pages; no cache time is set for dynamic web pages. You can use Fiddler on a Windows client to view the web page cache time.
How to set it
Modify the configuration file and add the expires parameter for specific content in the http block, the server block, or the location block.
Example
Modify the Nginx configuration file and add the expires parameter in the location block
location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
    root html;
    expires 1d;
}
Worked example: hiding the version number
I. Compile and install the Nginx service
Step 1: obtain the source packages from the remote Windows share and mount it on Linux
[root@localhost ~]# smbclient -L //192.168.235.1
Enter SAMBA\root's password:
    Sharename       Type      Comment
    ---------       ----      -------
    LNMP            Disk
[root@localhost ~]# mkdir /abc
[root@localhost ~]# mount.cifs //192.168.235.1/LNMP /abc
Password for root@//192.168.235.1/LNMP:
[root@localhost ~]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
Step 2: extract the source package
[root@localhost ~]# cd /abc
[root@localhost abc]# tar zxvf nginx-1.12.0.tar.gz -C /opt
[root@localhost abc]# ls /opt
nginx-1.12.0  rh
Step 3: download and install the build packages
[root@localhost abc]# cd /opt
[root@localhost opt]# yum install -y \
> gcc \
> gcc-c++ \
> pcre-devel \
> zlib-devel
## gcc: C language; gcc-c++: C++ language; pcre-devel: PCRE tools; zlib-devel: compression function library
Step 4: create the service user and configure the Nginx build components
[root@localhost opt]# useradd -M -s /sbin/nologin nginx    ## create the service user nginx and prevent it from logging in at a terminal
[root@localhost opt]# cd nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
## --prefix: installation path; --user: user name; --group: group the user belongs to; --with-http_stub_status_module: install the status statistics module
Step 5: compile and install Nginx
[root@localhost nginx-1.12.0]# make && make install
Step 6: set up Nginx service startup and create a symbolic link for the command
[root@localhost nginx-1.12.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/    ## link the nginx command into the system command path
[root@localhost nginx-1.12.0]# systemctl stop firewalld.service    ## turn off the firewall
[root@localhost nginx-1.12.0]# setenforce 0    ## turn off the enhanced security function (SELinux)
[root@localhost nginx-1.12.0]# nginx    ## start the Nginx service
[root@localhost nginx-1.12.0]# netstat -ntap | grep 80    ## view port 80 of the service
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      7520/nginx: master
Step 7: manage nginx with systemctl
[root@localhost ~]# vim /lib/systemd/system/nginx.service    ## create the unit file
[Unit]
# description
Description=nginx
# start after the network target
After=network.target
[Service]
# runs in the background
Type=forking
# PID file location
PIDFile=/usr/local/nginx/logs/nginx.pid
# start the service
ExecStart=/usr/local/nginx/sbin/nginx
# reload the configuration, by PID
ExecReload=/usr/bin/kill -s HUP $MAINPID
# terminate the process, by PID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@localhost ~]# chmod 754 /lib/systemd/system/nginx.service    ## set execute permission
[root@localhost ~]# systemctl stop nginx.service    ## stop nginx
[root@localhost ~]# systemctl start nginx.service    ## start nginx
II. Hide the version number by modifying the configuration file
Step 1: check the default Nginx version number
[root@localhost ~]# curl -I http://192.168.235.158    ## view the version number
HTTP/1.1 200 OK
Server: nginx/1.12.0    ## the visible version number is 1.12.0
Date: Wed, 13 Nov 2019 08:32:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
Step 2: modify the nginx.conf configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;    ## add server_tokens to the http block and set its value to off
    ...
}
Step 3: verify that the Nginx version number is hidden
[root@localhost ~]# systemctl stop nginx.service
[root@localhost ~]# systemctl start nginx.service
[root@localhost ~]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx    ## the version number is now hidden
Date: Wed, 13 Nov 2019 09:18:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
III. Forge the version number by modifying the source code
Step 1: modify the nginx.conf configuration file
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...
server_tokens on;    ## replace off with on
Step 2: modify the version information in the source file nginx.h
[root@localhost ~]# vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.1.1"    /* change the version information to 1.1.1 */
Step 3: recompile Nginx
[root@localhost ~]# cd /opt/nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
[root@localhost nginx-1.12.0]# make && make install
Step 4: verify the forged Nginx version number
[root@localhost nginx-1.12.0]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx/1.1.1    ## the visible version number has been changed to 1.1.1
Date: Wed, 13 Nov 2019 10:20:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
Worked example: web page cache time
Step 1: copy the picture to the site directory
[root@localhost nginx-1.12.0]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
[root@localhost nginx-1.12.0]# cp /abc/game.jpg /usr/local/nginx/html/
[root@localhost nginx-1.12.0]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html  game.jpg  index.html
Step 2: modify Nginx's index.html page
[root@localhost html]# vim index.html
Welcome to nginx!
## add the image path under the H2 tag
Step 3: modify the Nginx .conf file
[root@localhost html]# vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;    ## put this entry on its own line: user nginx, group nginx
location ~ \.(gif|jpeg|jpg|bmp|png)$ {
    root html;
    expires 1d;    ## the image types above are cached for one day
}
[root@localhost html]# systemctl stop nginx.service
[root@localhost html]# systemctl start nginx.service
Step 4: open a Win10 virtual machine for verification
Install the Fiddler packet capture software on the client and open a browser to visit the 192.168.235.158 web page.
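The checks below are an added example, not part of the original article: they audit a configuration file for the three settings configured on this page (server_tokens, user, expires) and classify the Server header in a saved "curl -I" response. The function names and the sample files are constructed for illustration, and directive contexts (http/server/location) are not modelled.

```bash
# Added example, not from the original article. Sample inputs are constructed.
# Effective value of a simple directive: the last uncommented occurrence wins.
# Simplification: contexts (http/server/location) and quoted '#' are ignored.
directive() {  # usage: directive NAME CONF_FILE
  sed 's/#.*//' "$2" | tr '{};' '\n\n\n' |
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# One finding per line; no output means all three settings are in place.
audit_conf() {  # usage: audit_conf CONF_FILE
  local tokens user
  tokens=$(directive server_tokens "$1")
  user=$(directive user "$1")
  [ "$tokens" = off ] || echo "server_tokens: ${tokens:-unset, default on}"
  case "${user%% *}" in
    "" | nobody | root) echo "user: ${user:-unset, default nobody}" ;;
  esac
  [ -n "$(directive expires "$1")" ] || echo "expires: unset"
}

# Classify the Server header in a saved "curl -I" response.
server_banner() {  # usage: server_banner HEADERS_FILE
  local v
  v=$(tr -d '\r' < "$1" | awk -F': *' 'tolower($1) == "server" { print $2; exit }')
  case "$v" in
    "") echo absent ;;
    */[0-9]*) echo versioned ;;
    *) echo product-only ;;
  esac
}

# Constructed demo: a default-style config and the hardened one from this page.
demo=$(mktemp -d)
printf 'http {\n  server {\n    listen 80;\n  }\n}\n' > "$demo/default.conf"
cat > "$demo/hardened.conf" <<'EOF'
user nginx nginx;
http {
    server_tokens off;   ## hide the version number
    server {
        location ~ \.(gif|jpeg|jpg|bmp|png)$ { root html; expires 1d; }
    }
}
EOF
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\n\r\n' > "$demo/before.txt"
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' > "$demo/after.txt"
audit_conf "$demo/default.conf"
audit_conf "$demo/hardened.conf"
echo "before: $(server_banner "$demo/before.txt")  after: $(server_banner "$demo/after.txt")"
```

A forged banner such as nginx/1.1.1 is still reported as versioned, because the check looks only at the shape of the header, not at whether the number is genuine.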