Basic security optimization for Nginx
To guard against software vulnerabilities in nginx, we need to harden the nginx service a little. The basic security optimizations are introduced below.
1. Hide the nginx version number:
To hide it, we first need to know which version of the software is in use. It can be checked on Linux as follows:
[root@Nginx ~]# curl -I 127.0.0.1                      # how to check
HTTP/1.1 401 Unauthorized
Server: nginx/1.6.3                                     # version information: nginx/1.6.3
Date: Fri, 23 Mar 2018 02:42:46 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
When we visit a non-existent address from Windows, the 404 error page below is returned, and it also directly exposes the web server's version information.
That is clearly not safe, so we need to hide the sensitive information.
Edit the main configuration file nginx.conf (the added line is server_tokens off;):
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    server_tokens off;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;
    include www_date/brian.conf;
    include www_date/brianzjz.conf;
    include www_date/status.conf;
}
Notes on the server_tokens parameter:
Syntax:  server_tokens on | off;    on enables it, off disables it
Default: server_tokens on;          enabled by default
Context: http, server, location     the contexts in which server_tokens may be placed
After editing, check the syntax:
[root@Nginx conf]# ../sbin/nginx -t
nginx: the configuration file /opt/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx//conf/nginx.conf test is successful
Graceful reload:
[root@Nginx conf]# ../sbin/nginx -s reload
Test result:
[root@Nginx conf]# curl -I 127.0.0.1
HTTP/1.1 401 Unauthorized
Server: nginx                                           # the sensitive version number is clearly hidden now
Date: Fri, 23 Mar 2018 03:01:54 GMT
Content-Type: text/html
Content-Length: 188
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
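The curl check above is easy to do by eye on one host, but on many hosts it helps to have a script decide. The POSIX shell below is an added example and not code from the original post: it takes a header block as text (so a saved `curl -I` capture can be checked offline) and reports whether the Server header still carries a `product/version` value. The function names and the two sample responses are constructed for the example; the samples are modelled on the before/after output shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. Decides from an HTTP header
# block whether the Server header still reveals a version, so the effect of
# `server_tokens off;` can be verified from a saved `curl -I` capture.

# Print the value of the first Server header (case-insensitive, CR stripped).
server_header_value() {  # server_header_value HEADER-TEXT
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "server" { print $2; exit }'
}

# Return 0 when the Server header carries a version ("product/digits..."),
# 1 when there is no Server header or it shows only a product name.
server_version_leaks() {  # server_version_leaks HEADER-TEXT
    value=$(server_header_value "$1")
    printf '%s\n' "$value" | grep -Eq '^[^/[:space:]]+/[0-9]'
}

# Same check against a live URL (needs network; curl -sI fetches headers only).
audit_url() {  # audit_url URL
    server_version_leaks "$(curl -sI "$1")"
}

# Constructed sample responses modelled on the post's curl -I output.
BEFORE='HTTP/1.1 401 Unauthorized
Server: nginx/1.6.3
Date: Fri, 23 Mar 2018 02:42:46 GMT
Content-Type: text/html'

AFTER='HTTP/1.1 401 Unauthorized
Server: nginx
Date: Fri, 23 Mar 2018 03:01:54 GMT
Content-Type: text/html'

report() {  # report LABEL HEADER-TEXT
    if server_version_leaks "$2"; then
        echo "$1: LEAK  Server: $(server_header_value "$2")"
    else
        echo "$1: ok    Server: $(server_header_value "$2")"
    fi
}

report before "$BEFORE"
report after "$AFTER"
```

Because the check looks for any `name/digits` pattern rather than the literal string `nginx/`, it also flags other servers and reverse proxies that announce a version, which is what you want when sweeping a fleet.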
2. Change the nginx version information:
Above we only hid the sensitive version number. For more security we can also hide or change the remaining "nginx" string. That requires modifying the nginx source code (there is no parameter or configuration hook for this). The method is as follows:
1. First, modify three source files in turn (note: the source files here are the uncompiled files, i.e. the original files from the unpacked installation archive).
The file paths are:
nginx.h:                          /home/nginx/tools/nginx-1.6.3/src/core/nginx.h
ngx_http_header_filter_module.c:  /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c
ngx_http_special_response.c:      /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
2. Now modify each file:
Original content of nginx.h (only the lines we want to modify):
[root@Nginx core]# sed -n "13,17p" /home/nginx/tools/nginx-1.6.3/src/core/nginx.h    # extract the lines we care about from nginx.h
#define NGINX_VERSION "1.6.3"                   # version number
#define NGINX_VER "nginx/" NGINX_VERSION        # software name
#define NGINX_VAR "NGINX"                       # software name
#define NGX_OLDPID_EXT ".oldbin"
Content of nginx.h after modification:
[root@Nginx core]# sed -n "13,17p" /home/nginx/tools/nginx-1.6.3/src/core/nginx.h
#define NGINX_VERSION "10.10.10"
#define NGINX_VER "Brian/" NGINX_VERSION
#define NGINX_VAR "Brian"
#define NGX_OLDPID_EXT ".oldbin"
Original content of ngx_http_header_filter_module.c (only the lines we want to modify):
[root@Nginx core]# grep -n 'Server: nginx' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c
49:static char ngx_http_server_string[] = "Server: nginx" CRLF;    # change the last "nginx" to the value we want
Content of ngx_http_header_filter_module.c after modification:
[root@Nginx core]# sed -i 's#Server: nginx#Server: Brian#g' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c    # modify
[root@Nginx core]# grep -n 'Server: Brian' /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c                     # check the result
49:static char ngx_http_server_string[] = "Server: Brian" CRLF;
Original content of ngx_http_special_response.c (only the lines we want to modify):
[root@Nginx core]# sed -n "21,30p" /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "</center>" CRLF    # change here
"</body>" CRLF
"</html>" CRLF
;

static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF            # change here
"</body>" CRLF
Content of ngx_http_special_response.c after modification:
[root@Nginx core]# sed -n "21,30p" /home/nginx/tools/nginx-1.6.3/src/http/ngx_http_special_response.c
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "(http://www.cnblogs.com/brianzhu/)</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;

static u_char ngx_http_error_tail[] =
"<hr><center>Brian</center>" CRLF
"</body>" CRLF
3. After the modifications, we can compile and install (if nginx was compiled earlier, it can be recompiled and reinstalled; the detailed steps are in the separate installation post linked from the original).
4. After compiling, check the syntax, start nginx and test:
[root@Nginx nginx]# sbin/nginx -t                      # syntax check
nginx: the configuration file /opt/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx//conf/nginx.conf test is successful
[root@Nginx nginx]# sbin/nginx                         # start
[root@Nginx nginx]# netstat -lntup | grep nginx        # check that it is listening
tcp    0    0 0.0.0.0:80    0.0.0.0:*    LISTEN    31719/nginx: master
5. Test (look at the final output: it now shows what we changed in the source files):
Linux test:
[root@Nginx conf]# curl -I 127.0.0.1
HTTP/1.1 401 Unauthorized
Server: Brian/10.10.10                                  # modified successfully
Date: Fri, 23 Mar 2018 06:12:59 GMT
Content-Type: text/html
Content-Length: 231
Connection: keep-alive
WWW-Authenticate: Basic realm="brian training"
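A common slip with this procedure is to edit nginx.h and the header filter but forget ngx_http_special_response.c, so the built-in error pages keep printing "nginx" in their footer. The script below is an added example, not the post's own commands: it applies the three edits described above to an unpacked source tree and then verifies that no default banner string remains before you run `./configure`. `NEW_NAME`, `NEW_VERSION`, the function names and the miniature sample tree are assumptions made for the example (the sample files contain only the lines the post shows); point `SRC` at the real unpacked source directory to use it for real.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the three source
# edits from the post (nginx.h, ngx_http_header_filter_module.c,
# ngx_http_special_response.c) and checks that no default "nginx" banner
# string is left before compiling. Names below are assumptions for the example.

NEW_NAME="${NEW_NAME:-Brian}"
NEW_VERSION="${NEW_VERSION:-10.10.10}"

# Portable in-place sed (avoids the differing `sed -i` syntax of GNU and BSD sed).
sed_inplace() {  # sed_inplace FILE SED-ARGS...
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Rewrite the banner strings in all three files, mirroring the post's edits.
rebrand() {  # rebrand SRCDIR
    sed_inplace "$1/src/core/nginx.h" \
        -e "s|^\(#define NGINX_VERSION[[:space:]]*\)\"[^\"]*\"|\1\"$NEW_VERSION\"|" \
        -e "s|\"nginx/\" NGINX_VERSION|\"$NEW_NAME/\" NGINX_VERSION|" \
        -e "s|^\(#define NGINX_VAR[[:space:]]*\)\"NGINX\"|\1\"$NEW_NAME\"|"
    sed_inplace "$1/src/http/ngx_http_header_filter_module.c" \
        -e "s|\"Server: nginx\"|\"Server: $NEW_NAME\"|"
    sed_inplace "$1/src/http/ngx_http_special_response.c" \
        -e "s|<center>nginx</center>|<center>$NEW_NAME</center>|"
}

# Report default strings still present. Returns 0 when clean, 1 otherwise.
banner_leftovers() {  # banner_leftovers SRCDIR
    left=0
    grep -q '"nginx/" NGINX_VERSION' "$1/src/core/nginx.h" \
        && { echo "nginx.h: NGINX_VER still starts with nginx/"; left=1; }
    grep -q '"Server: nginx"' "$1/src/http/ngx_http_header_filter_module.c" \
        && { echo "header filter: 'Server: nginx' still present"; left=1; }
    grep -q '<center>nginx</center>' "$1/src/http/ngx_http_special_response.c" \
        && { echo "special response: error-page footer still says nginx"; left=1; }
    return $left
}

# Constructed miniature of the three files, holding only the lines the post edits.
make_sample_tree() {  # make_sample_tree DIR
    mkdir -p "$1/src/core" "$1/src/http"
    cat > "$1/src/core/nginx.h" <<'EOF'
#define NGINX_VERSION      "1.6.3"
#define NGINX_VER          "nginx/" NGINX_VERSION
#define NGINX_VAR          "NGINX"
#define NGX_OLDPID_EXT     ".oldbin"
EOF
    cat > "$1/src/http/ngx_http_header_filter_module.c" <<'EOF'
static char ngx_http_server_string[] = "Server: nginx" CRLF;
EOF
    cat > "$1/src/http/ngx_http_special_response.c" <<'EOF'
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF
"</body>" CRLF
EOF
}

# Demo: SRC defaults to a throwaway copy of the sample tree. Set SRC to the real
# unpacked source (the post uses /home/nginx/tools/nginx-1.6.3) to apply it there.
if [ -z "${SRC:-}" ]; then
    SRC=$(mktemp -d)
    make_sample_tree "$SRC"
fi
banner_leftovers "$SRC" || echo "-> default banner strings found, rebranding"
rebrand "$SRC"
banner_leftovers "$SRC" && echo "-> $SRC is clean, safe to compile"
```

Note that `ngx_http_error_full_tail` picks up the new name automatically through `NGINX_VER`, so only `ngx_http_error_tail` needs its literal replaced; the post additionally appends a URL to the full tail, which this script leaves to you.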
3. Change the default user of the nginx service:
Here is a brief description of how to change the default user; the purpose is again to keep things secure:
Before changing the default user, make sure the user exists on the system:
[root@Nginx conf]# useradd nginx -s /sbin/nologin -M    # create the user
[root@Nginx conf]# id nginx                             # check the user
uid=1000(nginx) gid=1000(nginx) 组=1000(nginx)
1. Specify it at compile time (the user is given when configuring the unpacked source before compiling and installing; this touches on installation, for which see the separate installation post linked from the original):
[root@Nginx nginx-1.6.3]# ./configure --user=nginx --group=nginx --prefix=/opt/nginx-1.6.3/ --with-http_stub_status_module --with-http_ssl_module
2. Edit the configuration file (the main configuration file nginx.conf):
[root@Nginx conf]# cat nginx.conf
user nginx nginx;    # add this line
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    server_tokens on;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;
    include www_date/brian.conf;
    include www_date/brianzjz.conf;
    include www_date/status.conf;
}
3. Check the result:
[root@Nginx conf]# ps -ef | grep nginx | grep -v grep
root     31719     1  0 14:05 ?  00:00:00 nginx: master process sbin/nginx
nginx    31732 31719  0 14:11 ?  00:00:00 nginx: worker process
Zhu Jingzhi (brian): success is not something that arrives in the future; it accumulates from the moment you decide to act.
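The `ps -ef` check above is the important one: the `user` directive only takes effect after a restart, so a configuration that says `user nginx nginx;` is no guarantee that the workers currently serving traffic are unprivileged. The POSIX shell below is an added example, not code from the original post. It has one function that reads the `user` directive out of nginx.conf text and one that inspects `ps -ef` text and fails if any `nginx: worker process` runs as a different user (the master is expected to stay root, as in the listing above). The function names and the sample config and process listings are constructed for the example; `audit_live` runs the same checks on the real config and process table.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies both halves of the
# post's section 3: nginx.conf names a non-root worker user, and the running
# "nginx: worker process" entries actually use it. Functions take text so they
# work on saved captures; names are assumptions made for this example.

# Print the user named by the `user` directive in nginx.conf text (empty if none).
config_user() {  # config_user CONFIG-TEXT
    printf '%s\n' "$1" | awk '$1 == "user" { sub(/;$/, "", $2); print $2; exit }'
}

# Return 0 when at least one worker exists and every worker runs as USER;
# otherwise print each offending line and return 1.
workers_run_as() {  # workers_run_as USER PS-TEXT
    printf '%s\n' "$2" | awk -v u="$1" '
        /nginx: worker process/ {
            total++
            if ($1 != u) { bad++; print "worker not running as " u ": " $0 }
        }
        END { if (total > 0 && bad == 0) exit 0; exit 1 }'
}

# Run both checks on a live host (reads the real config and process table).
audit_live() {  # audit_live /path/to/nginx.conf
    u=$(config_user "$(cat "$1")")
    if [ -z "$u" ] || [ "$u" = "root" ]; then
        echo "config: no non-root user directive (found: '${u:-none}')"
        return 1
    fi
    workers_run_as "$u" "$(ps -ef)"
}

# Constructed samples modelled on the post's nginx.conf and `ps -ef` output.
CONF='user nginx nginx;
worker_processes 1;'

PS_GOOD='root     31719     1  0 14:05 ?  00:00:00 nginx: master process sbin/nginx
nginx    31732 31719  0 14:11 ?  00:00:00 nginx: worker process'

# A listing where the worker is still root, e.g. started before the reload.
PS_BAD='root     31719     1  0 14:05 ?  00:00:00 nginx: master process sbin/nginx
root     31732 31719  0 14:11 ?  00:00:00 nginx: worker process'

u=$(config_user "$CONF")
echo "configured worker user: $u"
workers_run_as "$u" "$PS_GOOD" && echo "sample 1: workers run as $u"
workers_run_as "$u" "$PS_BAD" || echo "sample 2: FAIL, restart nginx so the user directive applies"
```

On a real host run `audit_live /opt/nginx/conf/nginx.conf` (adjust the path); a non-zero exit means either the directive is missing or the process table disagrees with the configuration.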