Configure Nginx to hide its version number
In a production environment, the Nginx version number should be hidden so that it does not reveal which known security vulnerabilities may affect the server.
Ways to view the version number
- Use the Fiddler tool on a Windows client to view the Nginx version number
- Use the "curl -I URL" command on a CentOS system
Methods of hiding the version number in Nginx
- Modify the configuration file
- Modify the source code
Compile and install nginx service
1. Share the toolkit on the host
2. Mount the toolkit on the Linux system through the Samba service
[root@localhost ~]# mkdir /mnt/tools
[root@localhost ~]# smbclient -L //192.168.100.50/
Enter SAMBA\root's password:
OS=[Windows 10 Enterprise LTSC 2019 17763] Server=[Windows 10 Enterprise LTSC 2019 6.3]
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Long-range IPC
        share           Disk
        tools           Disk
        Users           Disk
Connection to 192.168.100.50 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@localhost ~]# mount.cifs //192.168.100.50/tools /mnt/tools/
Password for root@//192.168.100.50/tools:
[root@localhost ~]#
3. Extract the nginx service source code package to the "/opt/" directory
[root@localhost ~]# cd /mnt/tools/
[root@localhost tools]# ls
awstats-7.6.tar.gz  extundelete-0.2.4.tar.bz2  forbid.png  jdk-8u191-windows-x64.zip  LAMP-C7  picture.jpg
cronolog-1.6.2-14.el7.x86_64.rpm  fiddler.exe  intellijideahahau2018.rar  john-1.8.0.tar.gz  LNMP
[root@localhost tools]# cd LNMP/
[root@localhost LNMP]# ls
Discuz_X3.4_SC_UTF8.zip  mysql-boost-5.7.20.tar.gz  nginx-1.12.2.tar.gz  php-7.1.10.tar.bz2  php-7.1.20.tar.gz
[root@localhost LNMP]# tar zxvf nginx-1.12.2.tar.gz -C /opt/
...............//Decompression output omitted
[root@localhost LNMP]#
4. Install the packages required for compilation
[root@localhost ~]# yum install gcc gcc-c++ pcre-devel zlib-devel -y
...........//Installation output omitted
[root@localhost ~]#
5. Switch to the nginx service source package directory and create an nginx user
[root@localhost LNMP]# cd /opt/
[root@localhost opt]# ls
nginx-1.12.2  rh
[root@localhost opt]# cd nginx-1.12.2/
[root@localhost nginx-1.12.2]# ls
auto  CHANGES  CHANGES.ru  conf  configure  contrib  html  LICENSE  man  README  src
[root@localhost nginx-1.12.2]#
[root@localhost nginx-1.12.2]# useradd -M -s /sbin/nologin nginx    # -M: do not create a home directory
[root@localhost nginx-1.12.2]# id nginx
uid=1001(nginx) gid=1001(nginx) groups=1001(nginx)
[root@localhost nginx-1.12.2]#
6. Configure the nginx service
[root@localhost nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
Options: --prefix is the installation path, --user is the owning user, --group is the owning group, and --with-http_stub_status_module enables the statistics module.
7. Compile and install the nginx service
[root@localhost nginx-1.12.2]# make && make install
..........//Build output omitted
[root@localhost nginx-1.12.2]#
8. Create soft links to the nginx service commands in a directory that the system searches for commands
[root@localhost nginx-1.12.2]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/    # create the soft links
[root@localhost nginx-1.12.2]# nginx -t    # test the configuration file
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.12.2]#
9. Create an nginx service management script (choose either one)
Script 1: manage through the "systemctl" command
[root@localhost nginx-1.12.2]# cd /lib/systemd/system
[root@localhost system]# vim nginx.service
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/bin/kill -s HUP $MAINPID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root@localhost system]# chmod 754 nginx.service    # add execute permission
[root@localhost system]# systemctl start nginx.service    # start the service
[root@localhost system]# netstat -ntap | grep 80    # view TCP port 80
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN      52924/nginx: master
[root@localhost system]#
[root@localhost system]# systemctl stop firewalld.service    # turn off the firewall
[root@localhost system]# setenforce 0    # set SELinux to permissive mode
[root@localhost system]#
Script 2: manage through the "service" command
[root@nginx nginx-1.12.2]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 99 20
# description: Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
    start)
        $PROG
        ;;
    stop)
        kill -s QUIT $(cat $PIDF)
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    reload)
        kill -s HUP $(cat $PIDF)
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
esac
exit 0
[root@nginx nginx-1.12.2]#
[root@nginx nginx-1.12.2]# chmod +x /etc/init.d/nginx    # add execute permission
[root@nginx nginx-1.12.2]# chkconfig --add nginx    # register nginx so that the service command recognizes it
[root@nginx nginx-1.12.2]#
[root@nginx nginx-1.12.2]# service nginx start    # start the service
[root@nginx nginx-1.12.2]# netstat -ntap | grep 80    # view TCP port 80
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN      58696/nginx: master
[root@nginx nginx-1.12.2]#
[root@nginx nginx-1.12.2]# systemctl stop firewalld.service    # turn off the firewall
[root@nginx nginx-1.12.2]# setenforce 0
[root@nginx nginx-1.12.2]#
Method: modify the configuration file
1. View IP address
[root@localhost nginx-1.12.2]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.52.131  netmask 255.255.255.0  broadcast 192.168.52.255
        inet6 fe80::8629:c3e2:139c:884a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7a:41:33  txqueuelen 1000  (Ethernet)
        RX packets 53364  bytes 74679913 (71.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16068  bytes 1016893 (993.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
2. View version number
[root@localhost nginx-1.12.2]# curl -I http://192.168.52.131/
HTTP/1.1 200 OK
Server: nginx/1.12.2        //Version number
Date: Wed, 13 Nov 2019 07:10:22 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 13 Nov 2019 07:03:51 GMT
Connection: keep-alive
ETag: "5dcbaad7-264"
Accept-Ranges: bytes
[root@localhost nginx-1.12.2]#
3. Modify the configuration file
[root@localhost nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;        # added: turn off version number display
4. Check the version number again
[root@localhost nginx-1.12.2]# service nginx restart
[root@localhost nginx-1.12.2]# curl -I http://192.168.52.131/
HTTP/1.1 200 OK
Server: nginx        //Version number is no longer displayed
Date: Wed, 13 Nov 2019 07:15:09 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 13 Nov 2019 07:03:51 GMT
Connection: keep-alive
ETag: "5dcbaad7-264"
Accept-Ranges: bytes
[root@localhost nginx-1.12.2]#
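A static check that complements the curl test above, as an added example that is not part of the original page: it scans nginx configuration text for every server_tokens directive and reports the context it appears in, because a server-level "server_tokens on;" overrides the http-level "off", and the default when the directive is absent is on. The function names, the constructed sample configuration and the simplified tokenizer (no quoted-string handling, include files not followed) are assumptions of this example.

```shell
# Added example: static audit of server_tokens in nginx configuration text.
# Assumptions: no "#" or braces inside quoted strings; includes not followed.
audit_server_tokens() {      # reads the file named in $1, or stdin
  awk '
    function reset() { nw = 0; word[1] = ""; word[2] = "" }
    {
      sub(/#.*/, "")                   # drop comments
      gsub(/[{};]/, " & ")             # make braces and ";" separate tokens
      n = split($0, tok, " ")
      for (i = 1; i <= n; i++) {
        if (tok[i] == "{")      { ctx[++depth] = word[1]; reset() }
        else if (tok[i] == "}") { if (depth > 0) depth--; reset() }
        else if (tok[i] == ";") {
          if (word[1] == "server_tokens") {
            where = (depth ? ctx[depth] : "main")
            printf "line %d: %s context: server_tokens %s\n", NR, where, word[2]
            if (word[2] != "off") bad = 1          # on, build, ... expose it
            if (where == "http" && word[2] == "off") http_off = 1
          }
          reset()
        }
        else word[++nw] = tok[i]
      }
    }
    END {
      if (!http_off) { print "http context: no server_tokens off (default is on)"; bad = 1 }
      print (bad ? "RESULT: version exposed" : "RESULT: version hidden")
      exit (bad ? 1 : 0)
    }' "$@"
}

# Constructed sample: the http-level "off" is overridden in one server block.
sample_conf() {
  cat <<'EOF'
http {
    server_tokens off;        # setting from the configuration file method
    server {
        listen 80;
        location / { root html; }
    }
    server {
        listen 8080;
        server_tokens on;     # re-enables the version for this server only
    }
}
EOF
}

sample_conf | audit_server_tokens || echo "fix the lines reported above"
```

On the server built in this article the check would be run as audit_server_tokens /usr/local/nginx/conf/nginx.conf.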
Method: modify the source code
1. Modify the configuration file
[root@localhost nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;        # turn on version number display
2. Modify the version number
[root@localhost nginx-1.12.2]# vim src/core/nginx.h
#define nginx_version      1012002
#define NGINX_VERSION      "1.1.1"        /* modify the version number to 1.1.1 */
#define NGINX_VER          "nginx/" NGINX_VERSION
3. Reconfigure the nginx service
[root@localhost nginx-1.12.2]# ls
auto  CHANGES  CHANGES.ru  conf  configure  contrib  html  LICENSE  man  README  src
[root@localhost nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
........//Configuration output omitted
4. Recompile and install the nginx service
[root@localhost nginx-1.12.2]# make && make install
.........//Compilation output omitted
[root@localhost nginx-1.12.2]#
5. Restart the service and view the version number
[root@localhost nginx-1.12.2]# service nginx restart    # restart the service
[root@localhost nginx-1.12.2]# curl -I http://192.168.52.131/    # view the version
HTTP/1.1 200 OK
Server: nginx/1.1.1        //Version number disguised successfully
Date: Wed, 13 Nov 2019 07:35:32 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 13 Nov 2019 07:03:51 GMT
Connection: keep-alive
ETag: "5dcbaad7-264"
Accept-Ranges: bytes
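The manual curl checks in both methods can be scripted. This added example (not from the original page) classifies the Server header of a "curl -I" response read on stdin; it reports any value carrying a version-like string, so the disguised nginx/1.1.1 produced by the source code method is flagged the same way as the real nginx/1.12.2. The function names and the constructed sample responses are assumptions of this example.

```shell
# Added example: classify the Server header in "curl -I" style output.
classify_server_header() {     # reads response headers on stdin
  awk '
    { sub(/\r$/, "") }                       # HTTP header lines end in CRLF
    tolower($0) ~ /^server:/ {               # header names are case-insensitive
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)
      found = 1
      if (value ~ /\/[0-9]+(\.[0-9]+)+/) { print "version-string: " value; rc = 1 }
      else print "product-only: " value
    }
    END {
      if (!found) print "no-server-header"
      exit (rc ? 1 : 0)                      # non-zero when a version is shown
    }'
}

# Constructed responses using the three Server values shown in this article.
sample_response() {
  printf 'HTTP/1.1 200 OK\r\nServer: %s\r\nContent-Type: text/html\r\n\r\n' "$1"
}

for value in 'nginx/1.12.2' 'nginx' 'nginx/1.1.1'; do
  sample_response "$value" | classify_server_header || true
done
```

Against the server in this article the call would be curl -sI http://192.168.52.131/ | classify_server_header.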