How to hide the X-Powered-By / X-CF-Powered-By headers in nginx

Time: 2020-02-23 14:33:09  Source: igfitidea

If nginx and php-fpm are installed, PHP-FPM adds an X-Powered-By header to every response by default, and nginx passes it through to the client.
You may want to hide PHP headers such as X-Powered-By and X-CF-Powered-By to limit the server information disclosed to the public.
This is one of the basic hardening measures: it does not fix any vulnerability by itself, but it removes version strings that make fingerprinting the stack easier.

The X-Powered-By and X-CF-Powered-By PHP headers are disabled in the FastCGI section of the nginx configuration.
To follow this tutorial you should be running nginx with php-fpm.
Configuration examples follow.

For a generic nginx configuration file:

############
# Pass all .php files onto a php-fpm or php-cgi server
############
location ~ \.php$ {
        try_files                       $uri =404;
        include                         /etc/nginx/fastcgi_params;
        fastcgi_read_timeout            3600s;
        fastcgi_buffer_size             128k;
        fastcgi_connect_timeout         3s;
        fastcgi_send_timeout            120s;
        fastcgi_temp_file_write_size    256k;
        fastcgi_param                   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass                    unix:/run/php-fpm/php7.3-fpm.sock;
        #fastcgi_pass                   127.0.0.1:9000;
        fastcgi_index                   index.php;

        # Hide PHP headers
        fastcgi_hide_header             X-Powered-By;
        fastcgi_hide_header             X-CF-Powered-By;
}

If the PHP-FPM settings live in a separate file that is included from the server block, set them there as follows.

$ cat /etc/nginx/nginxconfig.io/php_fastcgi.conf
# 404
try_files $fastcgi_script_name =404;
# default fastcgi_params
include fastcgi_params;
# fastcgi settings
fastcgi_pass            unix:/var/run/php-fpm/php7.3-fpm.sock;
fastcgi_index           index.php;
fastcgi_buffers         8 16k;
fastcgi_buffer_size     32k;
# Hide PHP headers
fastcgi_hide_header     X-Powered-By;
fastcgi_hide_header     X-CF-Powered-By;
# fastcgi params ($base is the site root, defined with "set $base ...;" in the server block that includes this file)
fastcgi_param DOCUMENT_ROOT     $realpath_root;
fastcgi_param SCRIPT_FILENAME   $realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE   "open_basedir=$base/:/usr/lib/php/:/tmp/";

By default nginx already drops the Status and X-Accel-* fields from a FastCGI response; the fastcgi_hide_header directive names additional response fields that will not be passed to the client. Like other array-type directives it is inherited by a nested location only when that location declares no fastcgi_hide_header of its own, so repeat it in nested locations that define their own.

Conversely, if a field that nginx hides by default needs to be passed through, use the fastcgi_pass_header directive.

Keep in mind that this is a filter at the nginx layer: PHP-FPM still generates X-Powered-By, nginx just strips it. For defence in depth, also set expose_php = Off in php.ini so the header is never produced, and set server_tokens off; in the http block so the Server header does not carry the nginx version. X-CF-Powered-By is added by the application (the curl output below shows WP Rocket), so nginx is the right place to strip it.

Validate the nginx configuration:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload nginx for the change to take effect. A reload is sufficient, and php-fpm does not need to be restarted since nothing changed on its side; restarting both, as below, also works.

sudo systemctl restart nginx php-fpm

Confirm the settings

This is the curl output before the headers were hidden. Note that the site sits behind Cloudflare (server: cloudflare), which passes the origin's response headers through, so the check is still meaningful; to test the origin directly, point curl at the origin address instead, for example with the --resolve option.

$ curl -IL https://theitroad.com
HTTP/2 200 
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
x-powered-by: PHP/7.3.1
x-cf-powered-by: WP Rocket 3.2.4
link: https://theitroad.com/wp-json/; rel="https://api.w.org/"
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4ca9f5130d66cb75-MBA

After making the change and reloading nginx:

$ curl -IL https://theitroad.com
HTTP/2 200 
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
link: https://theitroad.com/wp-json/; rel="https://api.w.org/"
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4ca9f5130d66cb75-MBA

You can confirm that x-powered-by and x-cf-powered-by no longer appear in the output.
The same can be checked in the browser via Inspect > Network > Headers > Response Headers.
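To make the confirmation step repeatable (for example in a post-deploy check), here is an added example written for this page as a POSIX shell script; it is not part of the original tutorial. It reads a curl -I header dump and flags disclosure headers, returning non-zero if any are present. The two sample dumps are constructed, modelled on the output above; the extra header names it checks beyond X-Powered-By and X-CF-Powered-By (X-AspNet-Version, X-Generator, and a version-bearing Server header) and the --resolve origin check are assumptions of this example, not something the tutorial describes.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check an HTTP response header
# dump for information-disclosure headers that should have been hidden.

# Header names that should never reach the client (matched case-insensitively).
# X-AspNet-Version and X-Generator are assumed additions beyond the tutorial's two.
LEAKY_RE='x-powered-by|x-cf-powered-by|x-aspnet-version|x-generator'

# check_headers: reads a raw header dump (as produced by `curl -I`) on stdin,
# prints every offending header line, and returns 1 if any was found, 0 if clean.
check_headers() {
    hdrs=$(tr -d '\r')          # curl output uses CRLF line endings
    offenders=$(printf '%s\n' "$hdrs" | grep -iE "^($LEAKY_RE):" || true)
    # A Server header carrying a version (e.g. "nginx/1.18.0") also discloses
    # software details; `server_tokens off;` in nginx removes the version part.
    versions=$(printf '%s\n' "$hdrs" | grep -iE '^server:.*/[0-9]' || true)
    if [ -n "$offenders" ] || [ -n "$versions" ]; then
        printf '%s\n' "$offenders" "$versions" | grep -v '^$'
        return 1
    fi
    return 0
}

# probe_url: fetch live headers from a URL and run the check.
# Usage: probe_url https://example.com
# To bypass a CDN and test the origin itself (hostname and IP are placeholders):
#   curl -sSI --resolve example.com:443:203.0.113.10 https://example.com | check_headers
probe_url() {
    curl -sSIL "$1" | check_headers
}

# Constructed sample dumps modelled on the tutorial's curl output, for offline use.
SAMPLE_BEFORE='HTTP/2 200
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.3.1
x-cf-powered-by: WP Rocket 3.2.4
server: nginx/1.16.1'

SAMPLE_AFTER='HTTP/2 200
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
server: nginx'

# Run with --demo to see both samples checked.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BEFORE" | check_headers && echo "before: clean" || echo "before: leaks found"
    printf '%s\n' "$SAMPLE_AFTER"  | check_headers && echo "after: clean"  || echo "after: leaks found"
fi
```

The check deliberately anchors on the header name at the start of the line so that a value mentioning "powered-by" elsewhere does not trigger a false positive, and it reports the Server version separately because that header comes from nginx itself rather than from PHP.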