背景

为提升线上环境的安全性,常见的做法之一是隐藏Nginx的版本号,以减少潜在攻击者的信息收集。尽管可以通过 server_tokens off 参数来隐藏版本号,但这仍然会暴露当前使用的是Nginx服务。为了更彻底地解决这个问题,需要深入源代码进行处理。以下介绍具体操作

下载源码

  • 下载源码
1
2
3
[root@C8_201 ~]# mkdir /opt/soft
[root@C8_201 ~]# cd /opt/soft
[root@C8_201 soft]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
  • 解压至当前目录
1
[root@C8_201 soft]# tar -zxvf nginx-1.16.1.tar.gz

改源文件

  • 我们将源码文件修改后,再进行编译安装
1
2
3
[root@C8_201 soft]# cd nginx-1.16.1/
[root@C8_201 nginx-1.16.1]# cd src/core/
[root@C8_201 core]# vim nginx.h #修改13,14,22行。
1
2
3
4
5
6
7
8
9
10
...
14 #define NGINX_VER          "nues" NGINX_VERSION
 15 
 16 #ifdef NGX_BUILD
 17 #define NGINX_VER_BUILD    NGINX_VER " (" NGX_BUILD ")"
 18 #else
 19 #define NGINX_VER_BUILD    NGINX_VER
 20 #endif
 21 
 22 #define NGINX_VAR          "nues"
1
2
3
[root@C8_201 core]# cd ..
[root@C8_201 src]# cd http/
[root@C8_201 http]# vi ngx_http_header_filter_module.c  #修改第49行
1
2
3
4
49  static u_char ngx_http_server_string[] = "Server: nues" CRLF;
50  
51  static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
52  static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
1
[root@C8_201 http]# vi ngx_http_special_response.c #修改第36行
1
2
35 static u_char ngx_http_error_tail[] =
36 "<hr><center>nues</center>" CRLF

编译安装

1
2
3
[root@C8_201 ~]# yum install -y gcc make zlib-devel pcre-devel openssl-devel
[root@C8_201 ~]# cd /opt/soft/nginx-1.16.1/
[root@C8_201 nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --conf-path=/usr/local/nginx/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --pid-path=/usr/local/nginx/nginx.pid --lock-path=/usr/local/nginx/nginx.lock --user=appadmin --group=appadmin --with-http_ssl_module --with-http_v2_module --with-http_dav_module --with-http_stub_status_module --with-threads --with-file-aio
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Configuration summary
  + using threads
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx modules path: "/usr/local/nginx/modules"
  nginx configuration prefix: "/usr/local/nginx"
  nginx configuration file: "/usr/local/nginx/nginx.conf"
  nginx pid file: "/usr/local/nginx/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

启动服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@C8_201 ~]# cd /usr/local/nginx/sbin/
[root@C8_201 sbin]# ./nginx
nginx: [emerg] getpwnam("appadmin") failed  ## 这里是个坑,需要把nginx.conf的\#user nobody; 改成注释删除,改成具体用户
[root@C8_201 sbin]# ls
nginx
[root@C8_201 sbin]# vi /usr/local/nginx/nginx.conf
[root@C8_201 sbin]# ./nginx 

[root@C8_201 sbin]# ps -C nginx --header
    PID TTY          TIME CMD
 264942 ?        00:00:00 nginx
 264943 ?        00:00:00 nginx
[root@C8_201 sbin]# ss -tnlp|grep 80
LISTEN    0         128                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=264943,fd=9),("nginx",pid=264942,fd=9))

关闭防火墙或放行80端口

1
2
3
4
[root@C8_201 sbin]# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
[root@C8_201 sbin]# firewall-cmd --reload
success

验证效果

1
2
3
4
5
6
7
8
9
10
[root@C8_201 sbin]# curl -I 127.0.0.1
HTTP/1.1 200 OK
Server: nues1.00
Date: Wed, 30 Aug 2023 08:32:32 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 30 Aug 2023 08:26:07 GMT
Connection: keep-alive
ETag: "64eefd1f-264"
Accept-Ranges: bytes