一、前言
最近拿到一份网站的安全报告,其中有一个漏洞是说“在应用程序中发现不必要的 Http 响应头”,也就是在响应头中出现了下方的信息,有泄漏服务器信息的风险,因此在此记录一下解决过程。
此问题可以通过给Nginx安装专门的插件来修复,插件地址如下:GitHub - openresty/headers-more-nginx-module: Set, add, and clear arbitrary output headers in NGINX http servers
二、步骤
S1:安装插件
wget 'http://nginx.org/download/nginx-1.17.8.tar.gz'
tar -xzvf nginx-1.17.8.tar.gz
cd nginx-1.17.8/
# Here we assume you would install you nginx under /opt/nginx/.
./configure --prefix=/opt/nginx2 --add-module=/path/to/headers-more-nginx-module
make
sudo make install
S2:测试Nginx配置
➜ ~ /opt/nginx2/sbin/nginx -t
nginx: [alert] could not open error log file: open() "/opt/nginx2/logs/error.log" failed (13: Permission denied)
nginx: the configuration file /opt/nginx2/conf/nginx.conf syntax is ok
2023/12/28 11:56:20 [emerg] 1711176#0: open() "/opt/nginx2/logs/nginx.pid" failed (13: Permission denied)
nginx: configuration file /opt/nginx2/conf/nginx.conf test failed
根据异常提示处理完对应的异常。
S3:增加去除Server的配置
http {
more_set_headers 'Server: ';
more_set_headers 'server: ';
}