Security and methods for hiding Nginx version numbers

Source: Internet
Author: User

By default, Nginx displays its version number, for example:

[ROOT@BKJZ ~]# curl -i www.45it.com
HTTP/1.1 200 OK
Server: nginx/0.8.44
Date: Tue, 14:05:11 GMT
Content-Type: text/html
Content-Length: 8284
Last-Modified: Tue, 12:00:13 GMT
Connection: keep-alive
Keep-Alive: timeout=15
Accept-Ranges: bytes

This lets anyone see that your server runs Nginx 0.8.44. Some time ago, vulnerabilities were found in certain Nginx versions; that is, some versions are vulnerable and others are not. An exposed version number is therefore information that attackers can easily obtain and use. So, from a security standpoint, hiding the version number is relatively safer.

Can the Nginx version number be hidden? It can; follow the steps below:

1. Go to the Nginx configuration directory (its location depends on how Nginx was installed) and open the configuration file with vim:

# vim nginx.conf

Add server_tokens off; inside the http { ... } block, for example:

http {
    # ...... omitted
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;
    # ...... omitted
}

2. Edit the FastCGI parameter file used with php-fpm, such as fastcgi.conf or fcgi.conf (this file name can be customized, so edit whichever file your setup actually uses).

Find:

fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

Change it to:

fastcgi_param SERVER_SOFTWARE nginx;

3. Reload the Nginx configuration:

# /etc/init.d/nginx reload

This completely hides the Nginx version number; that is, error pages such as 404 and 501 will no longer show the Nginx version either.
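The check below is an added example, not part of the original article: it statically audits configuration text for the two leaks that steps 1 and 2 remove. The function name and both sample configurations are constructed for illustration, and it goes one case beyond the steps above by also flagging a server block that turns server_tokens back on.

```shell
# Added example: reads nginx config on stdin, prints findings, returns non-zero on a leak.
audit_nginx_version_leaks() {
    # Strip comments so a commented-out "server_tokens off;" does not count.
    # Simplification: a '#' inside a quoted string is treated as a comment.
    conf=$(sed 's/#.*//')
    count=0
    # Every server_tokens value matters: the default is on, and a server or
    # location block can override an "off" inherited from http {}.
    values=$(printf '%s\n' "$conf" |
        grep -Eo 'server_tokens[[:space:]]+[^;[:space:]]+' | awk '{print $2}')
    if [ -z "$values" ]; then
        echo "server_tokens is not set (default is on)"; count=$((count + 1))
    fi
    for v in $values; do
        if [ "$v" != "off" ]; then
            echo "server_tokens is set to $v"; count=$((count + 1))
        fi
    done
    # Step 2: SERVER_SOFTWARE passed to FastCGI must not embed the version.
    if printf '%s\n' "$conf" | grep -Eq \
        'fastcgi_param[[:space:]]+SERVER_SOFTWARE[[:space:]][^;]*\$\{?nginx_version'; then
        echo "fastcgi_param SERVER_SOFTWARE includes \$nginx_version"; count=$((count + 1))
    fi
    [ "$count" -eq 0 ]
}

# Constructed sample: configuration before steps 1 and 2 are applied.
sample_before() {
    cat <<'EOF'
http {
    # server_tokens off;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
}
EOF
}

# Constructed sample: http {} is fixed, but one server block turns it back on.
sample_override() {
    cat <<'EOF'
http {
    server_tokens off;
    fastcgi_param SERVER_SOFTWARE nginx;
    server { listen 80; server_tokens on; }
}
EOF
}

sample_before | audit_nginx_version_leaks || echo "=> before: version leaks"
sample_override | audit_nginx_version_leaks || echo "=> override: version leaks"
```

To audit a real configuration, pipe the file (and any included files) into the function instead of the samples.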

Test it as follows:

[ROOT@BKJZ ~]# curl -i www.45it.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14:26:56 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
......

The server information display tool in Firefox can no longer display the Nginx version number either (in fact, this tool also uses the curl command for detection).

OK, finished.
