背景

为提升线上环境的安全性,常见的做法之一是隐藏 Nginx 的版本号,以减少潜在攻击者可收集的信息。尽管可以通过 server_tokens off 指令隐藏版本号,但响应头中仍会暴露当前使用的是 Nginx 服务。若要连服务名称一并隐藏,就需要修改源代码后重新编译。需要注意,隐藏标识只是增加信息收集的难度,并不能修复软件本身的漏洞,仍应及时升级到受维护的版本。以下介绍具体操作。

下载源码

  • 下载源码(建议改用 https 地址下载,并在解压前用 nginx.org 同目录提供的 .asc PGP 签名校验压缩包,确认源码未被篡改)
[root@C8_201 ~]# mkdir /opt/soft
[root@C8_201 ~]# cd /opt/soft
[root@C8_201 soft]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
  • 解压至当前目录
[root@C8_201 soft]# tar -zxvf nginx-1.16.1.tar.gz 

改源文件

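  • 我们将源码文件修改后,再进行编译安装。注意:NGINX_VER 只在 server_tokens on(默认)时出现在 Server 头和错误页中;server_tokens off 时使用的是 ngx_http_server_string 与 ngx_http_error_tail,因此两处都要改。另外,本文编译时启用了 HTTP/2 模块,而 HTTP/2 响应的 Server 头由该模块自己的头过滤代码单独生成,下面的修改未涉及,启用 HTTP/2 后需另行验证。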
[root@C8_201 soft]# cd nginx-1.16.1/
[root@C8_201 nginx-1.16.1]# cd src/core/
[root@C8_201 core]# vim nginx.h #修改13,14,22行(第13行 NGINX_VERSION 下文未列出;从后文验证输出 nues1.00 看,应是改成了 "1.00")
...
14 #define NGINX_VER "nues" NGINX_VERSION
15
16 #ifdef NGX_BUILD
17 #define NGINX_VER_BUILD NGINX_VER " (" NGX_BUILD ")"
18 #else
19 #define NGINX_VER_BUILD NGINX_VER
20 #endif
21
22 #define NGINX_VAR "nues"
[root@C8_201 core]# cd ..
[root@C8_201 src]# cd http/
[root@C8_201 http]# vi ngx_http_header_filter_module.c #修改第49行
49  static u_char ngx_http_server_string[] = "Server: nues" CRLF;
50
51 static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
52 static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
[root@C8_201 http]# vi ngx_http_special_response.c #修改第36行
35 static u_char ngx_http_error_tail[] =
36 "<hr><center>nues</center>" CRLF

编译安装

[root@C8_201 ~]# yum install -y gcc make zlib-devel pcre-devel openssl-devel
[root@C8_201 ~]# cd /opt/soft/nginx-1.16.1/
[root@C8_201 nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --conf-path=/usr/local/nginx/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --pid-path=/usr/local/nginx/nginx.pid --lock-path=/usr/local/nginx/nginx.lock --user=appadmin --group=appadmin --with-http_ssl_module --with-http_v2_module --with-http_dav_module --with-http_stub_status_module --with-threads --with-file-aio
Configuration summary
+ using threads
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library

nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx"
nginx configuration file: "/usr/local/nginx/nginx.conf"
nginx pid file: "/usr/local/nginx/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
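nginx http scgi temporary files: "scgi_temp"

注:原文此处未列出编译与安装命令。configure 成功后,还需在源码目录依次执行 make 和 make install,才会生成后文使用的 /usr/local/nginx/sbin/nginx。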

启动服务

[root@C8_201 ~]# cd /usr/local/nginx/sbin/
[root@C8_201 sbin]# ./nginx
nginx: [emerg] getpwnam("appadmin") failed ## 这里是个坑:configure 时指定的 appadmin 用户在系统中不存在。需要把 nginx.conf 中的 #user nobody; 取消注释,并改成系统中实际存在的无特权专用用户(不要改成 root)
[root@C8_201 sbin]# ls
nginx
[root@C8_201 sbin]# vi /usr/local/nginx/nginx.conf
[root@C8_201 sbin]# ./nginx

[root@C8_201 sbin]# ps -C nginx --header
PID TTY TIME CMD
264942 ? 00:00:00 nginx
264943 ? 00:00:00 nginx
[root@C8_201 sbin]# ss -tnlp|grep 80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=264943,fd=9),("nginx",pid=264942,fd=9))

关闭防火墙或放行80端口(建议仅放行所需端口,不要直接关闭防火墙)

[root@C8_201 sbin]# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
[root@C8_201 sbin]# firewall-cmd --reload
success

验证效果

[root@C8_201 sbin]# curl -I 127.0.0.1
HTTP/1.1 200 OK
Server: nues1.00
Date: Wed, 30 Aug 2023 08:32:32 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 30 Aug 2023 08:26:07 GMT
Connection: keep-alive
ETag: "64eefd1f-264"
Accept-Ranges: bytes