通过服务器的head头可以得到服务器的很多信息,这给服务器安全带来很大隐患,如:
curl -I https://www.haiyun.me
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Fri, 10 Feb 2012 10:43:42 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17p1
location: forum.php
Nginx可以编译添加第三方模块more_set_headers来自定义或清除相关head信息。
cd /usr/local/src/
wget http://nginx.org/download/nginx-1.0.15.tar.gz
tar zxvf nginx-1.0.15.tar.gz
cd nginx-1.0.15
wget -O header.zip --no-check-certificate https://github.com/agentzh/headers-more-nginx-module/zipball/v0.17rc1
unzip header.zip
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-\
http_ssl_module --with-http_gzip_static_module --add-module=./agentzh-headers-more-nginx-module-3580526/
make && make install
应用示例,清除服务器及php信息,在配置文件http段添加以下:
more_clear_headers "X-Powered-By:";
more_clear_headers "Server:";
重新加载配置文件:
/etc/init.d/nginx reload
查看当前head头信息:
curl -I https://www.haiyun.me
HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Feb 2012 10:58:38 GMT
Content-Type: text/html
Connection: keep-alive
location: forum.php
现在nginx及php信息都没了,当然也可自定义为其它信息。
标签:nginx, linux, header, nginx自定义head