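Nginx website security
1. Hide version information
1. In nginx.conf, add the following inside the http block:
http {
    server_tokens off;
}
2. In the same conf directory, edit the php-fpm configuration file, such as fastcgi.conf or fcgi.conf. (This file name can be customized, so edit whichever file is actually in use.)
Find:
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
Change it to:
fastcgi_param SERVER_SOFTWARE nginx;
3. Reload nginx for the configuration to take effect.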
2. Hide the Server information
Approach: nginx has to be recompiled.
1. Enter the extracted nginx source directory (not the nginx installation directory):
vi src/http/ngx_http_header_filter_module.c # lines 49-50
2. Edit.
Original content:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
Change to:
static char ngx_http_server_string[] = "Server: X-Web" CRLF;
static char ngx_http_server_full_string[] = "Server: X-Web" CRLF;
3. make && make install
4. After recompiling, a reload will not take effect. Kill the old process with the kill command, then start nginx again.
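Hide the X-Powered-By response header
In php.ini, set expose_php = Off.
In nginx.conf, add proxy_hide_header X-Powered-By;
Upgrade nginx: nginx/1.10.3 --> Tengine/2.3.3
In php.ini, set cgi.fix_pathinfo to 0.
In php-fpm.conf, set security.limit_extensions to .php
After making the changes and restarting nginx, look at the headers again: the Server information now shows the custom name and no longer shows nginx information.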
5. Automatically redirect to HTTPS
server {
    listen 80;
    server_name www.xxx.com xxx.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    server_name www.xxx.com xxx.com;
    ssl_certificate /etc/nginx/ssl/xxx.com.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    #charset koi8-r;
    #add_header X-Frame-Options allow-from 10.200.201.240;
    access_log /var/log/nginx/fytx.log fytx_log;
    error_log /var/log/nginx/fytx.log_error;
    #if ($host = "www.fytx.cc"){
    #    rewrite ^/(.*)$ http://$host/$1 permanent;
    #}
    location / {
        root /usr/share/nginx/html;
        index index.php;
    }
}
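One way to verify the header changes and the port-80 redirect described above, as an added example that is not part of the original post: a shell function that reads response headers (such as the output of curl -sI) and reports any remaining version or X-Powered-By leak. The function name audit_headers, its two modes and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_headers MODE: read raw HTTP response headers on stdin, print findings,
# return 0 when clean and 1 otherwise. MODE is "page" (default) or "redirect".
# Hypothetical helper written for this example; not part of nginx or the post.
audit_headers() {
    awk -v mode="${1:-page}" '
    { sub(/\r$/, "") }                          # strip CR of CRLF line endings
    NR == 1 { status = $2; next }               # status line, e.g. HTTP/1.1 301 ...
    {
        i = index($0, ":"); if (i == 0) next    # skip blank or malformed lines
        name  = tolower(substr($0, 1, i - 1))   # header names are case-insensitive
        value = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (name == "server") {
            # A dotted number means the version is still exposed (server_tokens on).
            if (value ~ /[0-9]+\.[0-9]+/) { print "LEAK server-version: " value; bad = 1 }
            # Product name only: step 1 is done, the recompile in step 2 is not.
            else if (tolower(value) ~ /nginx|tengine/) print "INFO server-product: " value
        }
        if (name == "x-powered-by") { print "LEAK x-powered-by: " value; bad = 1 }
        if (name == "location") location = value
    }
    END {
        # "rewrite ... permanent" must answer 301 with an https:// Location.
        if (mode == "redirect" && !(status == 301 && location ~ /^https:\/\//)) {
            print "FAIL redirect: status=" status " location=" location; bad = 1
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample responses (not captured from a real server).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nX-Powered-By: PHP/5.6.40\r\n\r\n'
}
sample_tokens_off() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }
sample_after()      { printf 'HTTP/1.1 200 OK\r\nServer: X-Web\r\n\r\n'; }
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: X-Web\r\nLocation: https://www.xxx.com/\r\n\r\n'
}

# Demo on the constructed "before" sample.
sample_before | audit_headers page || echo "=> hardening incomplete"
```

Against a live host, feed it real headers: curl -sI http://HOST/ | audit_headers redirect, and curl -sI https://HOST/ | audit_headers page.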
This article comes from cnblogs (博客园), author: chenjianwen. When reposting, please credit the original link: https://www.cnblogs.com/chenjw-note/p/16624793.html