First, how to hide the Nginx version number.
After setting up Nginx or Apache, we hide their version numbers for security. This part covers Nginx; the method for hiding the Apache version number is in the second part.
By default Nginx shows its version number, for example:
    [root@bkjz ~]# curl -I www.nginx.org
    HTTP/1.1 200 OK
    Server: nginx/0.8.44
    Date: Tue, ... Jul ... 14:05:11 GMT
    Content-Type: text/html
    Content-Length: 8284
    Last-Modified: Tue, ... Jul ... 12:00:13 GMT
    Connection: keep-alive
    Keep-Alive: timeout=15
    Accept-Ranges: bytes
This lets anyone see that your server runs Nginx 0.8.44. Some time ago, vulnerabilities were published for certain Nginx versions; that is, some versions are vulnerable and others are not. An exposed version number therefore becomes information that an attacker can exploit, so from a security point of view hiding the version number is relatively safer.
Can the Nginx version number be hidden? Yes, it can. Follow these steps:
1. Enter the Nginx configuration directory (its location depends on how Nginx was installed) and open the configuration file with vim:
    # vim nginx.conf
Add server_tokens off; inside the http { ... } block, for example:
    http {
        # ... omitted
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 60;
        tcp_nodelay on;
        server_tokens off;
        # ... omitted
    }
2. Edit the php-fpm configuration file, such as fastcgi.conf or fcgi.conf (the file name can be customized, so edit whichever file your setup actually uses):
    Find:
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
    Change to:
    fastcgi_param SERVER_SOFTWARE nginx;
3. Reload the Nginx configuration:
    # /etc/init.d/nginx reload
This completely hides the Nginx version number: 404, 501 and other error pages will no longer show the Nginx version either.
Test it:
    # curl -I www.abc.net
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, ... Jul ... 14:26:56 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
Second, how to hide the Apache version number.
After installing Apache, one of the first things to do is usually to turn off the Apache version banner and related information. Some hackers use exposed Apache information to carry out targeted intrusions, so to secure the server this information should be turned off promptly. Configure it as follows:
1. Hide Apache information
1.1 Enable httpd-default.conf in the main configuration
    # vi /usr/local/apache2/conf/httpd.conf

Find the httpd-default.conf line and delete the "#" in front of Include, so that it reads:

    Include conf/extra/httpd-default.conf
1.2 Modify httpd-default.conf
File: /usr/local/apache2/conf/extra/httpd-default.conf
Find:
    ServerTokens Full
    ServerSignature On
Change to:
    ServerTokens Prod
    ServerSignature Off
2. Testing
2.1 Before modification
Apache information is not hidden
2.2 After hiding
Hide Apache Information
3. End
Configuration complete, very simple.
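One way to verify the changes from both parts, added here as an example (it is not code from the original article): the script checks for an active server_tokens off, a FastCGI SERVER_SOFTWARE line without $nginx_version, the Apache ServerTokens/ServerSignature values, and a saved curl -I response. The function names and the sample files it writes to a temporary directory are assumptions made for the demo.

```sh
# Added example; all file names and sample contents below are constructed.

# Drop comments and leading whitespace so "#server_tokens off;" does not count.
active_lines() { sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1"; }

# nginx: pass only if server_tokens is set and every active value is "off".
nginx_tokens_off() {
    vals=$(active_lines "$1" | grep -Eo 'server_tokens[[:space:]]+[a-z]+' |
           awk '{ print $2 }' | sort -u)
    [ "$vals" = "off" ]
}

# FastCGI params: pass unless SERVER_SOFTWARE still expands $nginx_version.
fastcgi_hides_version() {
    ! active_lines "$1" | grep -E 'fastcgi_param[[:space:]]+SERVER_SOFTWARE' |
        grep -q 'nginx_version'
}

# Apache: directive names are case-insensitive; values are lowercased here and
# the last active occurrence in the file is treated as the effective one.
apache_directive() {
    active_lines "$1" | awk -v d="$2" \
        'tolower($1) == tolower(d) { v = tolower($2) } END { print v }'
}
apache_banner_hidden() {
    t=$(apache_directive "$1" ServerTokens)
    s=$(apache_directive "$1" ServerSignature)
    { [ "$t" = "prod" ] || [ "$t" = "productonly" ]; } && [ "$s" = "off" ]
}

# Response headers on stdin (saved "curl -I" output): pass unless the Server
# header carries a version, as in "Server: nginx/0.8.44".
server_header_hides_version() {
    ! tr -d '\r' | grep -i '^server:' | grep -Eq '/[0-9]'
}

demo=$(mktemp -d)   # constructed sample files
printf 'http {\n    #server_tokens off;\n}\n' > "$demo/nginx_bad.conf"
printf 'http {\n    server_tokens off;\n}\n'  > "$demo/nginx_good.conf"
printf 'fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;\n' > "$demo/fcgi_bad.conf"
printf 'fastcgi_param SERVER_SOFTWARE nginx;\n' > "$demo/fcgi_good.conf"
printf 'ServerTokens Full\nServerSignature On\n'   > "$demo/httpd_bad.conf"
printf 'servertokens Prod\nServerSignature off\n' > "$demo/httpd_good.conf"
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
for kind in bad good; do
    report nginx_tokens_off      "$demo/nginx_$kind.conf"
    report fastcgi_hides_version "$demo/fcgi_$kind.conf"
    report apache_banner_hidden  "$demo/httpd_$kind.conf"
done
```

The nginx check deliberately fails when any active server_tokens value other than off appears in the file, since a setting in a server block would bring the version banner back for that virtual host.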
Security and methods for hiding Nginx/Apache version numbers