Hiding the Server version information in response headers for Lighttpd, Nginx and Apache

Web servers and the applications behind them display version information in their response headers by default, which is insecure. To avoid unnecessary trouble, this post summarises how to hide the version information in a number of commonly used applications. There are generally two ways to do this: one is to change the configuration file, the other is to change the source code. The latter is the method recommended here.

I. Turning off version display

Hiding the Apache version information
Edit /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf with vim and add the following:

ServerTokens ProductOnly
ServerSignature Off

Restart Apache; the HTTP header now only shows:
Server: Apache

Hiding the Nginx version information: edit nginx.conf with vim
and add server_tokens off; inside the http block,
as follows:

http {
    # ... configuration omitted
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    tcp_nodelay on;
    server_tokens off;
    # ... configuration omitted
}

Hiding the PHP version: in php.ini, change

expose_php = On

to

expose_php = Off

After restarting Apache, the PHP version is hidden from the HTTP headers.

II. Modifying the source code directly and compiling a build with a version string nobody recognises

Reference solutions:

1. Lighttpd 1.4.20

src/response.c:108

Change to:

buffer_append_string_len(b, CONST_STR_LEN("Server: 361way"));

Output header:

HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Mon, 12 Jan 2017 13:54:02 GMT
Server: 361way

2. Nginx 1.12

src/http/ngx_http_header_filter_module.c:48-49

Change to:

static char ngx_http_server_string[] = "Server: 361way" CRLF;
static char ngx_http_server_full_string[] = "Server: 361way" CRLF;

Output header:

HTTP/1.1 200 OK
Server: 361way
Date: Mon, 12 Jan 2017 14:01:10 GMT
Content-Type: text/html
Content-Length: 151
Last-Modified: Mon, 12 Jan 2017 14:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes

Nginx also defines the version number in a header file; that definition can be changed as well.

3. Cherokee 0.11.6

cherokee/version.c:93, add:
ret = cherokee_buffer_add_str (buf, "361way");
return ret;

Output header:

HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=15
Date: Mon, 12 Jan 2017 14:54:39 GMT
Server: 361way
ETag: 496b54af=703
Last-Modified: Mon, 12 Jan 2017 14:33:19 GMT
Content-Type: text/html
Content-Length: 1795

4. Apache 2.2.11

server/core.c:2784

Add:

ap_add_version_component(pconf, "361way");
return;

Output header:

HTTP/1.1 200 OK
Date: Mon, 12 Jan 2017 14:28:10 GMT
Server: 361way
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1920edd-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

5. Squid 3.0 STABLE 11

src/globals.cc:58

Change to:

const char *const full_appname_string = "fooher_com";

Output header:

HTTP/1.0 400 Bad Request
Server: fooher_com
Mime-Version: 1.0
Date: Mon, 12 Jan 2017 15:25:15 GMT
Content-Type: text/html
Content-Length: 1553
Expires: Mon, 12 Jan 2009 15:25:15 GMT
X-Squid-Error: ERR_INVALID_URL 0
X-Cache: MISS from 'www.fooher.com'
Via: 1.0 'www.fooher.com' (fooher_com)
Proxy-Connection: close

6. Tomcat 6.0.18

java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236

Change both to:

ByteChunk.convertToBytes("Server: fooher_com" + CRLF);

Output header:

HTTP/1.1 200 OK
Server: fooher_com
ETag: W/"7857-1216684872000"
Last-Modified: Tue, 22 Jul 2008 00:01:12 GMT
Content-Type: text/html
Content-Length: 7857
Date: Mon, 12 Jan 2017 16:30:44 GMT

7. JBoss 5.0.0 GA

a. tomcat/src/resources/web.xml:40

Change to fooher_com

b. Download the JBoss Web Server 2.1.1.GA source tarball (http://www.jboss.org/jbossweb/downloads/jboss-web/), then edit
java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236

Change both to:

ByteChunk.convertToBytes("Server: fooher_com" + CRLF);

Overwrite the jbossweb.jar files in the JBoss build output with the compiled jbossweb.jar:

JBOSS_SRC/build/output/jboss-5.0.0.GA/server/all/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/standard/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/web/deploy/jbossweb.sar/jbossweb.jar

Output header:

HTTP/1.1 200 OK
Server: fooher_com
X-Powered-By: fooher_com
Accept-Ranges: bytes
ETag: W/"1581-1231842222000"
Last-Modified: Tue, 13 Jan 2017 10:23:42 GMT
Content-Type: text/html
Content-Length: 1581
Date: Tue, 13 Jan 2017 10:30:42 GM

If you have the time, it is best to test these yourself; the changes above are not necessarily correct.
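To verify the result of either approach above (the configuration changes in part I or the source edits in part II), here is an added check that is not part of the original post: it parses a raw HTTP response and reports any Server, X-Powered-By or Via header that still carries a product/version token such as nginx/1.12.0. The sample responses are constructed for illustration.

```python
import re
from typing import Dict, List

# Response headers that commonly disclose the software behind a site.
DISCLOSING_HEADERS = ("server", "x-powered-by", "via", "x-aspnet-version")

# A product token followed by a dotted version, e.g. "nginx/1.12.0" or "PHP/7.0.1".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line plus headers) into a dict keyed
    by lower-cased header name; repeated headers are kept in order."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def version_leaks(raw: str) -> List[str]:
    """Return 'header: value' entries that still expose a version number.
    A bare product name such as 'Server: Apache' or a custom string such as
    'Server: 361way' is not reported; only tokens with a version are."""
    leaks = []
    for name, values in parse_headers(raw).items():
        if name not in DISCLOSING_HEADERS:
            continue
        for value in values:
            if VERSION_TOKEN.search(value):
                leaks.append(f"{name}: {value}")
    return leaks


# Constructed samples: a default install, and the same server after
# server_tokens off / expose_php = Off have been applied.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\n"
          "X-Powered-By: PHP/7.0.1\r\nContent-Type: text/html\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, version_leaks(resp) or "no version disclosure")
```

To check a live server, feed the output of `curl -sI http://host/` into version_leaks().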