Nginx PHP Version hidden

After configuring a server, it is not easy to worry about it, shortly after the outbreak of PHP 5.3.9 version of the vulnerability is also a panic, so it is necessary to regularly focus on security bulletins and upgrade the server in a timely manner. In general, the first step in hacking a server is to gather information, such as your software version, which will be the basis for targeted attacks in the next step. So it is very necessary to hide this information to a certain extent, this article will briefly explain how to hide the Nginx version number and PHP version number on the network.

1. Hide the Nginx version number, Nginx version number is mainly in two places, one is the HTTP header, there is a server:nginx/1. x.x similar to expose the Web server Software name and version number, this is the most Web server is most likely to expose the version number of the place, the second place is the Nginx error page, such as 404 page did not find, and this is if the user does not specify the page, then nginx own page will have version stamp.

Fortunately for these two places the version number is hidden, Nginx provides a simple way to one step, refer to Server_tokens. This is achieved by configuring server_tokens off in the HTTP section of the configuration file.

HTTP { # ... Omit some configuration server_tokens off; }

Finally, don't forget to refresh the current configuration with the command nginx-s reload . When you are finished, you can view the response header or error page of all the pages, and see if you see only the nginx words and don't see the version number? What the? You want to get rid of nginx, too? Oh, this is afraid of trouble, need to change Nginx source code and then recompile, interested in children's shoes can refer to the "Linux/vps Environment Nginx Security Configuration (1)".

2. Hide the PHP version number, where is the easy-to-expose version number of PHP? In fact, it is also in the HTTP header, similar to x-powered-by:php/5.2.11 this form exists, we may think it will be nginx problem, and go to nginx inside to find the relevant configuration, hehe, In fact, this is in the PHP configuration file php.ini changes, open php.ini, find the following description:

;;;;;;;;;;;;;;;;;; miscellaneous;;;;;;;;;;;;;;;;;; ; Decides whether PHP may expose the fact that it's installed on the server; (e.g. by adding it signature to the WEB server header). It is no security; Threat in any-to-do, but it makes it possible-determine whether you use PHP; On your server or not.; http://php.net/expose-phpexpose_php = On

Change expose_php = on to expose_php = Off and, of course, there is another way for the Apache server to try the header directly in the. htaccess file unset x-powered-by, delete the x-powered-by section, but I still recommend changing the expose_php of php.ini.

Nginx PHP Version hidden