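How to hide the PHP version number on a web server
Date: 2019-11-20 08:53:32 Source: igfitidea
On an Nginx server, how do I hide the PHP version information: X-Powered-By: PHP/6.4.32?
How do I hide the PHP version number?
How to check the PHP version exposed by a web service
Use the curl command, as shown below: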
    curl -IL https://some-server-ip-OR-domain-name/
    curl -IL https://server1.theitroad.local/
Sample output:
    HTTP/2 200
    server: nginx
    date: Sun, 23 Jun 2019 20:48:48 GMT
    content-type: text/html; charset=UTF-8
    x-powered-by: PHP/7.3.6
    expires: Thu, 19 Nov 2019 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    x-robots-tag: noindex, noarchive
    strict-transport-security: max-age=15768000
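The response shows x-powered-by: PHP/7.3.6. If a new vulnerability is found in this PHP version, the site can easily be attacked.
Hide the PHP version
Editing php.ini directly is not recommended, so we create a custom.ini file to hold the setting: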
- Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini
- Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini
- Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini
- RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini
If you do not know where PHP is installed, use the php command to find out:
    $ php -i | more
    $ php -i | grep -i -A4 'Additional .ini files parsed'
    $ php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'
    $ php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'
Sample output:
    Configuration File (php.ini) Path => /etc/php/7.0/fpm
    Loaded Configuration File => /etc/php/7.0/fpm/php.ini
    Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d
    Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini,
    /etc/php/7.0/fpm/conf.d/10-opcache.ini,
    /etc/php/7.0/fpm/conf.d/10-pdo.ini,
Add the following setting to custom.ini, for example:
    echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini
    echo 'expose_php = off' >> /etc/php7/conf.d/custom.ini
Restart the PHP service
The syntax depends on your PHP version:
    ### Alpine Linux
    $ sudo /etc/init.d/php-fpm restart
    $ sudo /etc/init.d/php-fpm7 restart
    ### RHEL/CentOS 5.x/6.x
    $ sudo service php-fpm restart
    ### RHEL/CentOS 7.x
    $ sudo systemctl restart php-fpm
    ### Debian/Ubuntu Linux
    $ sudo service php7.0-fpm restart
    ### FreeBSD
    $ sudo service php-fpm restart
Verify the change
Use the curl command to check whether the PHP version number is now hidden:
    $ curl -IL https://some-server-ip-OR-domain-name/
    $ curl -IL https://server1.theitroad.local/
Sample output:
    HTTP/2 200
    server: nginx
    date: Sun, 23 Jun 2019 20:56:01 GMT
    content-type: text/html; charset=UTF-8
    set-cookie: PHPSESSID=q49sd1armm17j7a8l658538n74; path=/
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
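The verification step above can be scripted. The following is an added example, not code from the original page: a shell function that reads `curl -sIL` output and reports whether X-Powered-By still discloses a PHP version. The function name `check_php_headers`, the finding labels and the redirect sample are assumptions of this example; it also flags the PHPSESSID cookie, PHP's default session cookie name, which still appears in the sample output after the change.

```shell
#!/bin/sh
# Added example, not from the original page.
# Reads response headers on stdin (the format `curl -sIL URL` prints).
# Exit status: 0 = no PHP version disclosed, 1 = version disclosed.
check_php_headers() {
    # Strip the CR that ends each HTTP/1.x header line, then match header
    # names case-insensitively across every block of a redirect chain.
    tr -d '\r' | awk '
        BEGIN { leak = 0 }
        { line = tolower($0) }
        line ~ /^x-powered-by:/ {
            if (line ~ /php\/[0-9]/) { print "VERSION-LEAK: " $0; leak = 1 }
            else if (line ~ /php/)   { print "PHP-HINT: " $0 }
        }
        # PHPSESSID is the default value of the session.name ini setting
        line ~ /^set-cookie: *phpsessid=/ {
            print "PHP-HINT: default session cookie name PHPSESSID"
        }
        END { exit leak }
    '
}

# Headers from the two sample outputs on this page (shortened)
BEFORE='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.3.6'

AFTER='HTTP/2 200
server: nginx
set-cookie: PHPSESSID=q49sd1armm17j7a8l658538n74; path=/'

# Constructed sample: HTTP/1.1 redirect chain with CRLF and mixed-case names
REDIRECTED=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\nHTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.3.6\r\n')

for sample in "$BEFORE" "$AFTER" "$REDIRECTED"; do
    printf '%s\n' "$sample" | check_php_headers || echo "-> version still disclosed"
done
```

Against a live server, pipe the real headers in: `curl -sIL https://server1.theitroad.local/ | check_php_headers`.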