Nginx Optimization - Hide Version Number and Page Cache Time

Configure Nginx Hidden Version Number

In a production environment, hide the Nginx version number so that the server does not leak information about which vulnerabilities may affect it

View Method
Use Fiddler to view the Nginx version number on a Windows client
Use the "curl -I <web address>" command to view it on a CentOS system

Nginx Hide Version Number Method
Modify the configuration file
Modify the source code

Modify Configuration File Method

1. Set the server_tokens option in the Nginx configuration file to off

[root@www conf]# vim nginx.conf
.....
server_tokens off;
.....
[root@www conf]# nginx -t

2. Restart the service, visit the website, and check the response with the curl -I command

[root@www conf]# service nginx restart
[root@www conf]# curl -I http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx

3. If the fastcgi_param SERVER_SOFTWARE option is configured in the PHP configuration file, edit the php-fpm configuration file and change the value of fastcgi_param SERVER_SOFTWARE to

fastcgi_param SERVER_SOFTWARE nginx;

Modify Source Code Method

The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information. Edit it as you like, then recompile and install Nginx so that the real version information is hidden

Example:

#define NGINX_VERSION "1.1.1"    /* modified version number is 1.1.1 */
#define NGINX_VER "IIS/"         /* modify the software type to IIS */

Restart the service, visit the website, and check the response with the curl -I command

Modify Nginx users and groups

Nginx runtime processes require user and group support to allow access control when reading Web site files

Nginx uses the nobody user and group accounts by default, and this generally needs to be changed

Modification Methods
Compile and install with users and groups specified
Modify the configuration file to specify users and groups

Specifying the User and Group in the Configuration File

1. Create a new user account, such as nginx
2. Modify the user option in the main configuration file to specify the user account
3. Restart the nginx service for the configuration to take effect
4. Use the ps aux command to view nginx's process information and verify that the running user account has changed

[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root     130034  0.0  0.0  20220   620 ?  Ss  19:41  0:00 nginx: master process /usr/local/sbin/nginx
nginx    130035  0.0  0.0  20664  1512 ?  S   19:41  0:00 nginx: worker process
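
The check in step 4 can be scripted. This is an added example, not part of the original article: check_worker_user is a hypothetical helper name, the field positions assume the `ps aux` column layout, and the sample process list is constructed from the output above.

```shell
#!/bin/sh
# Added example (not from the original article). check_worker_user is a
# hypothetical helper: it reads `ps aux` output on stdin and verifies that
# every nginx worker runs as the expected unprivileged account. The master
# process is skipped, since it stays root to bind port 80.
check_worker_user() {   # usage: ps aux | check_worker_user nginx
    awk -v want="$1" '
        # Match on the command fields (11 and 12 in ps aux), not on the whole
        # line: otherwise this awk process, whose own arguments contain the
        # text being searched for, would match itself in live ps output.
        $11 == "nginx:" && $12 == "worker" {
            workers++
            if ($1 != want) { print "worker pid " $2 " runs as " $1; bad++ }
        }
        END {
            if (workers == 0) { print "no nginx worker found"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample modelled on the ps output shown above.
sample_ps() {
    echo "root   130034 0.0 0.0 20220  620 ? Ss 19:41 0:00 nginx: master process /usr/local/sbin/nginx"
    echo "nginx  130035 0.0 0.0 20664 1512 ? S  19:41 0:00 nginx: worker process"
}

sample_ps | check_worker_user nginx && echo "workers run as nginx"
```

The function returns 0 when all workers match, 1 when at least one worker runs as a different account, and 2 when no worker process is present.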

Configure Nginx Web Cache Time

When Nginx returns web page data to the client, it can set a cache time so that later requests for the same content are answered directly from the cache, which avoids duplicate requests and speeds up access. Cache times are generally set for static web pages and not for dynamic web pages. On a Windows client, use Fiddler to view the cache time of a web page

Setup Method

Modify the configuration file to add the expires parameter for specific content in the http, server, or location block

Example

Modify Nginx's configuration file to add expires in a location block

location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
    root html;
    expires 1d;
}

Hide Version Number Instance Demo

1. Compile and install Nginx services

Step 1: Access the source packages shared from Windows and mount the share on Linux

[root@localhost ~]# smbclient -L //192.168.235.1
Enter SAMBA\root's password: 
Sharename       Type      Comment
---------       ----      -------
LNMP            Disk  

[root@localhost ~]# mkdir /abc
[root@localhost ~]# mount.cifs //192.168.235.1/LNMP /abc
Password for root@//192.168.235.1/LNMP:  
[root@localhost ~]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz

Step 2: Unzip the source package

[root@localhost ~]# cd /abc
[root@localhost abc]# tar zxvf nginx-1.12.0.tar.gz -C /opt
[root@localhost abc]# ls /opt
nginx-1.12.0  rh

Step 3: Download and install the packages needed for compilation

[root@localhost abc]# cd /opt
[root@localhost opt]# yum install -y gcc gcc-c++ pcre-devel zlib-devel
//gcc: C compiler
//gcc-c++: C++ compiler
//pcre-devel: PCRE regular expression library
//zlib-devel: Compression function library

Step 4: Create the program user and configure the components of the Nginx service

[root@localhost opt]# useradd -M -s /sbin/nologin nginx
//Create program user nginx and prevent it from logging in at a terminal
[root@localhost opt]# cd nginx-1.12.0/
[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
//Configure nginx:
//--prefix specifies the installation path
//--user specifies the user name
//--group specifies the group to which the user belongs
//--with-http_stub_status_module installs the status statistics module

Step 5: Compile and install Nginx

[root@localhost nginx-1.12.0]# make && make install

Step 6: Optimize Nginx service startup and create a symbolic link for the command

[root@localhost nginx-1.12.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
//Link the nginx binary into a directory on the system command path
[root@localhost nginx-1.12.0]# systemctl stop firewalld.service
//Stop the firewall in this test environment
[root@localhost nginx-1.12.0]# setenforce 0
//Put SELinux into permissive mode in this test environment
[root@localhost nginx-1.12.0]# nginx
//Run nginx to start the service
[root@localhost nginx-1.12.0]# netstat -ntap | grep 80    ##Check port 80; it shows as listening
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7520/nginx: master  

Step 7: Manage nginx with systemctl

[root@localhost ~]# vim /lib/systemd/system/nginx.service      ##Create the unit file

[Unit]
##Description of the service
Description=nginx
##Start after the network target
After=network.target
[Service]
##The service forks into the background
Type=forking
##PID file location
PIDFile=/usr/local/nginx/logs/nginx.pid
##Start the service
ExecStart=/usr/local/nginx/sbin/nginx
##Reload the configuration by sending HUP to the main PID
ExecReload=/usr/bin/kill -s HUP $MAINPID
##Stop the process by sending QUIT to the main PID
ExecStop=/usr/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

[root@localhost ~]# chmod 754 /lib/systemd/system/nginx.service     ##Set file permissions
[root@localhost ~]# systemctl stop nginx.service       ##Stop nginx
[root@localhost ~]# systemctl start nginx.service       ##Start nginx

2. Hide the Version Number by Modifying the Configuration File

Step 1: View the Nginx version number by default

[root@localhost ~]# curl -I http://192.168.235.158 ##View Version Number
HTTP/1.1 200 OK
Server: nginx/1.12.0
##The version number 1.12.0 is visible
Date: Wed, 13 Nov 2019 08:32:59 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes

Step 2: Modify the nginx.conf configuration file

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
##Set the value of the server_tokens option to off in the http block

Step 3: Verify that the Nginx version number is hidden

[root@localhost ~]# systemctl stop nginx.service 
[root@localhost ~]# systemctl start nginx.service
[root@localhost ~]# curl -I http://192.168.235.158
HTTP/1.1 200 OK
Server: nginx
##The version number is now hidden
Date: Wed, 13 Nov 2019 09:18:00 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes

3. Hide the Version Number by Modifying the Source Code

Step 1: Modify the nginx.conf configuration file

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
...
 server_tokens on;
 ##Replace off with on

Step 2: Modify the version information in the source file nginx.h

[root@localhost ~]# vim /opt/nginx-1.12.0/src/core/nginx.h

#define NGINX_VERSION      "1.1.1"
##Change version information to 1.1.1

Step 3: Recompile Nginx

[root@localhost ~]# cd /opt/nginx-1.12.0/

[root@localhost nginx-1.12.0]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module

[root@localhost nginx-1.12.0]# make && make install

Step 4: Verify that the Nginx version number is hidden

[root@localhost nginx-1.12.0]# curl -I http://192.168.235.158 
HTTP/1.1 200 OK
Server: nginx/1.1.1
##The displayed version number has been changed to 1.1.1
Date: Wed, 13 Nov 2019 10:20:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Nov 2019 01:53:19 GMT
Connection: keep-alive
ETag: "5dc2278f-264"
Accept-Ranges: bytes
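
A scripted form of the curl -I checks used in both methods above, added here as an example and not part of the original article. It goes slightly beyond the article by also scanning the response body, because default nginx error pages print the same banner in their footer; find_version_leaks and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). find_version_leaks is a
# hypothetical helper: it reads one full HTTP response (headers + body, as
# printed by `curl -si URL`) on stdin, prints every place where a product
# version is exposed, and returns 1 if it found any, 0 otherwise.
find_version_leaks() {
    awk '
        { sub(/\r$/, "") }                         # HTTP header lines end in CRLF
        !in_body && $0 == "" { in_body = 1; next } # blank line ends the headers
        !in_body && tolower($0) ~ /^server:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)        # drop header name and blanks
            # "nginx/1.12.0" exposes a version; a bare "nginx" does not
            if (value ~ /\/[0-9]+(\.[0-9]+)+/) { print "header: " value; leaks++ }
            next
        }
        # Default nginx error pages repeat the banner in the page footer
        in_body && match($0, /nginx\/[0-9]+(\.[0-9]+)+/) {
            print "body: " substr($0, RSTART, RLENGTH); leaks++
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample responses modelled on the outputs shown in this article.
sample_tokens_on() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.12.0\r\n\r\n'
    printf '<hr><center>nginx/1.12.0</center>\r\n'
}
sample_tokens_off() {
    printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n'
    printf '<hr><center>nginx</center>\r\n'
}

sample_tokens_on  | find_version_leaks || echo "version exposed"
sample_tokens_off | find_version_leaks && echo "no version exposed"
```

The value 1.1.1 set through nginx.h is reported as well, since the check cannot tell a substituted version string from the real one.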

Web Cache Time Instance Demo

Step 1: Copy the picture to the site directory

[root@localhost nginx-1.12.0]# ls /abc
Discuz_X3.4_SC_UTF8.zip    nginx-1.12.2.tar.gz
game.jpg                   php-7.1.10.tar.bz2
mysql-boost-5.7.20.tar.gz  php-7.1.20.tar.gz
nginx-1.12.0.tar.gz
[root@localhost nginx-1.12.0]# cp /abc/game.jpg /usr/local/nginx/html/
[root@localhost nginx-1.12.0]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html  game.jpg  index.html

Step 2: Modify Nginx's index.html page

[root@localhost html]# vim index.html

<h1>Welcome to nginx!</h1>
<img src="game.jpg"/>
##Add picture path under h1 tag

Step 3: Modify the nginx.conf file

[root@localhost html]# vim /usr/local/nginx/conf/nginx.conf

user nginx nginx;
##Add this line on its own to specify user nginx and group nginx

        location ~ \.(gif|jpeg|jpg|ico|bmp|png)$ {
            root html;
            expires 1d;
            ##Cache image files for one day
        }

[root@localhost html]# systemctl stop nginx.service
[root@localhost html]# systemctl start nginx.service 

Step 4: Start a Win10 virtual machine to verify

Install the Fiddler package (fiddler.exe) on the client, then open a browser and visit the web page at 192.168.235.158
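
The same verification can be done from Linux without Fiddler. This added example (not part of the original article) relies on the fact that nginx implements expires 1d by sending an Expires header together with Cache-Control: max-age=86400; the function names and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not from the original article); all function names are
# hypothetical. It compares the configured "expires" time with the
# Cache-Control max-age that the server actually returns.

# Convert a single-unit nginx time value (s, m, h, d, w) to seconds.
nginx_time_to_seconds() {
    num=${1%[smhdw]}
    unit=${1#"$num"}
    case "$num" in ''|*[!0-9]*) return 2 ;; esac   # reject "1x", "", "m"
    case "$unit" in
        ''|s) mult=1 ;;
        m) mult=60 ;;
        h) mult=3600 ;;
        d) mult=86400 ;;
        w) mult=604800 ;;
    esac
    echo $((num * mult))
}

# Print the max-age (seconds) from response headers on stdin, or "none".
response_max_age() {
    awk '
        { sub(/\r$/, "") }                  # HTTP header lines end in CRLF
        $0 == "" { exit }                   # blank line ends the headers
        tolower($0) ~ /^cache-control:/ {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) {
                age = substr(line, RSTART + 8, RLENGTH - 8); found = 1
            }
        }
        END { print (found ? age : "none") }
    '
}

# Succeed only if the response is cacheable for exactly the configured time.
expires_matches() {   # usage: curl -sI URL | expires_matches 1d
    want=$(nginx_time_to_seconds "$1") || return 2
    got=$(response_max_age)
    [ "$got" = "$want" ]
}

# Constructed sample: headers for game.jpg with "expires 1d;" (date made up).
sample_image_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/jpeg\r\n'
    printf 'Expires: Thu, 14 Nov 2019 10:30:00 GMT\r\nCache-Control: max-age=86400\r\n\r\n'
}

sample_image_headers | expires_matches 1d && echo "game.jpg is cached for 1d"
```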

Thanks for reading!!!

Keywords: Linux Nginx curl vim PHP

Added by freshneco on Wed, 13 Nov 2019 21:10:09 +0200