To reduce the exposure of nginx to software vulnerabilities, we harden the nginx service with a few security measures. The basic security optimisations are introduced below.
1. Hiding the nginx version number:
To hide the version we first need to know which version of the software is in use. It can be checked on Linux as follows:
[root@Nginx ~]# curl -I 127.0.0.1    # how to check
HTTP/1.1 401 Unauthorized
Server: nginx/1.6.3                  # version information: nginx/1.6.3
Date: Fri, 23 Mar 2018 02:42:46 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
When a non-existent address is requested from Windows, nginx throws the 404 error shown below, which also directly exposes the version of the web service.
This is clearly insecure, so we need to hide the sensitive information.
Modify the main configuration file nginx.conf (add the line marked below):
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    server_tokens off;    # added line
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;
    include www_date/brian.conf;
    include www_date/brianzjz.conf;
    include www_date/status.conf;
}
Notes on the server_tokens directive:
Syntax:  server_tokens on | off;    (on emits the version, off suppresses it)
Default: server_tokens on;          (enabled)
Context: http, server, location     (the contexts in which server_tokens may be placed)
After modifying, check the syntax:
[root@Nginx conf]# ../sbin/nginx -t
nginx: the configuration file /opt/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx//conf/nginx.conf test is successful
Graceful reload:
[root@Nginx conf]# ../sbin/nginx -s reload
Test result:
[root@Nginx conf]# curl -I 127.0.0.1
HTTP/1.1 401 Unauthorized
Server: nginx                        # the sensitive version number is now hidden
Date: Fri, 23 Mar 2018 03:01:54 GMT
Content-Type: text/html
Content-Length: 188
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
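A small audit helper, added here and not part of the original post, that scans a response for the banner in both the Server header and the footer of nginx's built-in error pages; with server_tokens off the version disappears but the name "nginx" still appears in both places, which is what the next section addresses. The sample responses are constructed from the curl -I output above and the stock 404 page layout, not captured from a live host.

```python
import re

# Constructed 404 responses: default build, after server_tokens off, and after the source edit
DEFAULT = ("HTTP/1.1 404 Not Found\r\nServer: nginx/1.6.3\r\nContent-Type: text/html\r\n\r\n"
           "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n"
           "<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.6.3</center>\r\n"
           "</body>\r\n</html>\r\n")
TOKENS_OFF = DEFAULT.replace("nginx/1.6.3", "nginx")
REBRANDED = DEFAULT.replace("nginx/1.6.3", "Brian/10.10.10")

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")   # anything that looks like x.y or x.y.z

def banner_leaks(raw: str) -> list[tuple[str, str]]:
    """Return [(where, banner)] for every place the response names its server software."""
    head, _, body = raw.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server" and value.strip():
            found.append(("header", value.strip()))
    # nginx's built-in error pages end with <hr><center>NAME</center>
    m = re.search(r"<hr><center>([^<]+)</center>", body)
    if m:
        found.append(("body", m.group(1).strip()))
    return found

def assess(raw: str) -> str:
    """'version' if any banner carries a version number, 'nginx' if it only names nginx,
    'custom' if only a non-nginx name appears, 'clean' if there is no banner at all."""
    banners = [b for _, b in banner_leaks(raw)]
    if not banners:
        return "clean"
    if any(VERSION_RE.search(b) for b in banners):
        return "version"
    if any(b.lower().startswith("nginx") for b in banners):
        return "nginx"
    return "custom"
```

Note that the rebranded banner from the next section still matches the version pattern, because the post chose a numeric fake version; a scanner cannot tell a fake version from a real one, so it is reported the same way.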
2. Changing nginx's version information:
Above we only hid the sensitive version number. For greater security we can also hide or change the remaining "nginx" string. This requires modifying the nginx source code (there is no directive or parameter for it). The method is as follows:
(1) First we modify three source files in turn (note: the source files meant here are the uncompiled ones, i.e. the original files obtained after extracting the installation package).
The file paths are:
nginx.h: /home/nginx/tools/nginx-1.6.3/src/core/nginx.h
ngx_http_header_filter_module.c: /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c
ngx_http_special_response.c: /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
(2) Now modify each file:
Original content of nginx.h (only the lines we need to modify):
[root@Nginx core]# sed -n "13,17p" /home/nginx/tools/nginx-1.6.3/src/core/nginx.h    # print the lines of nginx.h we are interested in
#define NGINX_VERSION "1.6.3"                # version number
#define NGINX_VER "nginx/" NGINX_VERSION     # software name
#define NGINX_VAR "NGINX"                    # software name
#define NGX_OLDPID_EXT ".oldbin"
nginx.h after modification:
[root@Nginx core]# sed -n "13,17p" /home/nginx/tools/nginx-1.6.3/src/core/nginx.h
#define NGINX_VERSION "10.10.10"
#define NGINX_VER "Brian/" NGINX_VERSION
#define NGINX_VAR "Brian"
#define NGX_OLDPID_EXT ".oldbin"
Original content of ngx_http_header_filter_module.c (only the line we need to modify):
[root@Nginx core]# grep -n 'Server: nginx' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c
49:static char ngx_http_server_string[] = "Server: nginx" CRLF;    # change the last "nginx" to the name we want
ngx_http_header_filter_module.c after modification:
[root@Nginx core]# sed -i 's#Server: nginx#Server: Brian#g' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c    # apply the change
[root@Nginx core]# grep -n 'Server: Brian' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c    # verify the result
49:static char ngx_http_server_string[] = "Server: Brian" CRLF;
Original content of ngx_http_special_response.c (only the lines we need to modify):
[root@Nginx core]# sed -n "21,30p" /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "</center>" CRLF    # change here
"</body>" CRLF
"</html>" CRLF
;

static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF    # change here
"</body>" CRLF
ngx_http_special_response.c after modification:
[root@Nginx core]# sed -n "21,30p" /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "(http://www.cnblogs.com/brianzhu/)</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;

static u_char ngx_http_error_tail[] =
"<hr><center>Brian</center>" CRLF
"</body>" CRLF
(3) Once the edits are done we can compile and install (if nginx was already compiled before, recompile and reinstall; see the separate installation guide for the details of that process).
(4) After compiling, we can check the syntax, start nginx and test:
[root@Nginx nginx]# sbin/nginx -t    # syntax check
nginx: the configuration file /opt/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx//conf/nginx.conf test is successful
[root@Nginx nginx]# sbin/nginx       # start
[root@Nginx nginx]# netstat -lntup | grep nginx    # check that it is listening
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      31719/nginx: master
(5) Test (look at the final output: it now shows what we changed in the source files):
Linux test:
[root@Nginx conf]# curl -I 127.0.0.1
HTTP/1.1 401 Unauthorized
Server: Brian/10.10.10               # changed successfully
Date: Fri, 23 Mar 2018 06:12:59 GMT
Content-Type: text/html
Content-Length: 231
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
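The three source edits above as one scripted step, added here as an example rather than the post's own procedure. Unlike sed -i, which silently does nothing when the pattern is absent (for instance on a different nginx version, or when run twice), it refuses to continue unless each target line is found exactly once. The file contents are constructed stand-ins for the relevant lines of the nginx-1.6.3 files; the URL the post appends to ngx_http_error_full_tail is deliberately not part of it.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the lines the post edits in the three nginx-1.6.3 source files
SAMPLE_SOURCES = {
    "src/core/nginx.h": '#define NGINX_VERSION      "1.6.3"\n'
                        '#define NGINX_VER          "nginx/" NGINX_VERSION\n'
                        '#define NGINX_VAR          "NGINX"\n',
    "src/http/ngx_http_header_filter_module.c":
        'static char ngx_http_server_string[] = "Server: nginx" CRLF;\n',
    "src/http/ngx_http_special_response.c":
        'static u_char ngx_http_error_tail[] =\n"<hr><center>nginx</center>" CRLF\n',
}

# One (file, regex, replacement) per edit; {p} and {v} take the new product name and version
EDITS = [
    ("src/core/nginx.h", r'^(#define NGINX_VERSION\s+)"[^"]*"', r'\1"{v}"'),
    ("src/core/nginx.h", r'^(#define NGINX_VER\s+)"nginx/"', r'\1"{p}/"'),
    ("src/core/nginx.h", r'^(#define NGINX_VAR\s+)"NGINX"', r'\1"{p}"'),
    ("src/http/ngx_http_header_filter_module.c", r'"Server: nginx" CRLF', r'"Server: {p}" CRLF'),
    ("src/http/ngx_http_special_response.c", r'<center>nginx</center>', r'<center>{p}</center>'),
]

def patch_source(root: Path, product: str, version: str) -> int:
    """Rewrite the banner strings under root in place; returns the number of edits applied."""
    applied = 0
    for rel, pattern, repl in EDITS:
        path = root / rel
        new, n = re.subn(pattern, repl.format(p=product, v=version), path.read_text(), flags=re.M)
        if n != 1:  # the check sed -i lacks: refuse if the line is missing or already patched
            raise RuntimeError(f"{rel}: expected exactly one match for {pattern!r}, got {n}")
        path.write_text(new)
        applied += n
    return applied

def demo(product: str = "Brian", version: str = "10.10.10") -> dict[str, str]:
    """Patch a temporary copy of the sample tree and return the patched file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_SOURCES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        patch_source(root, product, version)
        return {rel: (root / rel).read_text() for rel in SAMPLE_SOURCES}
```

To run it against a real extracted tree, call patch_source(Path("/home/nginx/tools/nginx-1.6.3"), "Brian", "10.10.10") before ./configure, then rebuild as in step (3).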
3. Changing the default user of the nginx service:
Here is a brief explanation of how to change the default user; the purpose is again security:
Before changing the default user, make sure the user exists on the system:
[root@Nginx conf]# useradd nginx -s /sbin/nologin -M    # create the user
[root@Nginx conf]# id nginx                             # check the user
uid=1000(nginx) gid=1000(nginx) 組=1000(nginx)
(1) Specify it at compile time (the user is given when configuring the extracted source before compiling and installing; this touches on installation knowledge, see the separate installation guide for details):
[root@Nginx nginx-1.6.3]# ./configure --user=nginx --group=nginx --prefix=/opt/nginx-1.6.3/ --with-http_stub_status_module --with-http_ssl_module
(2) Modify the configuration file (the main configuration file nginx.conf):
[root@Nginx conf]# cat nginx.conf
user nginx nginx;    # add this line
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    server_tokens on;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;
    include www_date/brian.conf;
    include www_date/brianzjz.conf;
    include www_date/status.conf;
}
(3) Check the result:
[root@Nginx conf]# ps -ef | grep nginx | grep -v grep
root     31719     1  0 14:05 ?        00:00:00 nginx: master process sbin/nginx
nginx    31732 31719  0 14:11 ?        00:00:00 nginx: worker process
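A check of the ps output above that can run from a script or monitoring job, added as an example and not from the post: the master process legitimately stays root (it binds port 80 and re-executes on reload), but every worker, which is what handles client requests, must run as the configured unprivileged user. The ps lines are constructed from the output above plus one misconfigured case.

```python
# Constructed ps -ef lines: a correct setup (master root, workers nginx) and one whose workers run as root
PS_OK = """root     31719     1  0 14:05 ?        00:00:00 nginx: master process sbin/nginx
nginx    31732 31719  0 14:11 ?        00:00:00 nginx: worker process
nginx    31733 31719  0 14:11 ?        00:00:00 nginx: worker process"""
PS_BAD = """root     31719     1  0 14:05 ?        00:00:00 nginx: master process sbin/nginx
root     31732 31719  0 14:11 ?        00:00:00 nginx: worker process"""

def nginx_process_users(ps_output: str) -> dict[str, set[str]]:
    """Map role ('master' / 'worker') to the set of users running processes in that role."""
    roles: dict[str, set[str]] = {"master": set(), "worker": set()}
    for line in ps_output.splitlines():
        fields = line.split(None, 7)        # ps -ef columns: UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[7].startswith("nginx: "):
            continue
        role = "master" if "master process" in fields[7] else "worker"
        roles[role].add(fields[0])
    return roles

def workers_ok(ps_output: str, expected_user: str = "nginx") -> bool:
    """True only when at least one worker exists and all workers run as expected_user."""
    workers = nginx_process_users(ps_output)["worker"]
    return bool(workers) and workers == {expected_user}
```

On a live host, feed it the output of `ps -ef` (or `ps -eo user,pid,ppid,c,stime,tty,time,cmd`) and alert when workers_ok returns False.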