In web security, the server type is normally masked so that sensitive information is not disclosed (this is, of course, only the most basic step).
1. Remove the version information from Nginx
To stop Nginx from reporting its OS and Nginx version, simply add one directive to the Nginx configuration:
server_tokens off;
The configuration then looks something like this:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
http {
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server {
        ... ...
    }
}
However, the response returned to the client still reveals the server type as Nginx (even though the version is no longer disclosed):
Server: nginx
2. Remove the Server HTTP header completely
Component: headers-more-nginx-module
GitHub: https://github.com/openresty/headers-more-nginx-module
2.1 Download
# Example directory: /app/tools
cd /app/tools/
# Download the module source
wget https://github.com/openresty/headers-more-nginx-module/archive/v0.33.tar.gz
# Extract it
tar -zxvf v0.33.tar.gz
2.2 Build the module in
# Show the build parameters of the installed binary (take the line after "configure arguments:")
/app/nginx/sbin/nginx -V
# Build in the nginx source directory
cd /app/nginx-1.12.2/
# Append --add-module=/app/tools/headers-more-nginx-module-0.33 to the configure arguments taken above
./configure --prefix=/app/nginx112 --add-module=/app/tools/headers-more-nginx-module-0.33
# Compile; remember: no make install
make
# Back up the running binary
cp /app/nginx112/sbin/nginx /app/nginx112/sbin/nginx.bak
# Overwrite it with the new binary (answer y when prompted)
cp -f /app/nginx-1.12.2/objs/nginx /app/nginx112/sbin/nginx
2.3 Modify the configuration
vim /app/nginx112/conf/nginx.conf
# Add the following directive (inside the http block)
more_clear_headers 'Server';
The directive above only removes Server: nginx/1.12.2 from the HTTP response headers. For detailed usage see the reference documentation; the module supports adding, modifying and clearing response headers.
2.4 Restart nginx
/app/nginx112/sbin/nginx -s stop
/app/nginx112/sbin/nginx
A plain reload may not take effect: reload only re-reads the configuration in the already running master process, so the replaced binary is only picked up after a full stop and start.
3. Other notes on headers-more-nginx-module
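A check for the outcome of steps 2.2 to 2.4, added here as an example that is not part of the original post: it confirms from the nginx -V output that the running binary was built with the module, and classifies what the Server header of a response still reveals. The nginx -V text, the three responses, and the binary path and URL used by the live checks are constructed or assumed.

```shell
#!/bin/sh
# Added example (not from the original post): verify the result of steps 2.2 to 2.4.
# (a) confirm the running binary was built with headers-more-nginx-module,
# (b) classify what the Server header still reveals.
# The nginx -V text and the three responses below are constructed samples.

# Does the "configure arguments:" line of nginx -V include the module?
# $1: full output of nginx -V (it prints to stderr, hence 2>&1 in check_binary)
has_headers_more() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*headers-more-nginx-module'
}

# Classify the Server header of a raw HTTP response.
# Prints: leak   (name and version, the nginx default)
#         name   (name only, after server_tokens off)
#         hidden (no Server header, after more_clear_headers 'Server')
# $1: response headers, CRLF or LF line endings
classify_server_header() {
    server_line=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1)
    if [ -z "$server_line" ]; then
        echo hidden
    elif printf '%s' "$server_line" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo leak
    else
        echo name
    fi
}

# Live checks against a real installation (binary path and URL are assumptions)
check_binary() { has_headers_more "$("$1" -V 2>&1)"; }
check_url()    { classify_server_header "$(curl -sI "$1")"; }

# Constructed samples
NGINX_V_WITH='nginx version: nginx/1.12.2
configure arguments: --prefix=/app/nginx112 --add-module=/app/tools/headers-more-nginx-module-0.33'
NGINX_V_WITHOUT='nginx version: nginx/1.12.2
configure arguments: --prefix=/app/nginx112'
RESP_DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.12.2
Content-Type: text/html'
RESP_TOKENS_OFF='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'
RESP_CLEARED='HTTP/1.1 200 OK
Content-Type: text/html'

has_headers_more "$NGINX_V_WITH" && echo "module present" || echo "module missing"
for r in "$RESP_DEFAULT" "$RESP_TOKENS_OFF" "$RESP_CLEARED"; do
    classify_server_header "$r"
done
```

Run it against the real installation with check_binary /app/nginx112/sbin/nginx and check_url http://127.0.0.1/; "hidden" is the expected result once more_clear_headers 'Server' is active.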
Synopsis
# set the Server output header
more_set_headers 'Server: my-server';
# set and clear output headers
location /bar {
more_set_headers 'X-MyHeader: blah' 'X-MyHeader2: foo';
more_set_headers -t 'text/plain text/css' 'Content-Type: text/foo';
more_set_headers -s '400 404 500 503' -s 413 'Foo: Bar';
more_clear_headers 'Content-Type';
# your proxy_pass/memcached_pass/or any other config goes here...
}
# set output headers
location /type {
more_set_headers 'Content-Type: text/plain';
# ...
}
# set input headers
location /foo {
set $my_host 'my dog';
more_set_input_headers 'Host: $my_host';
more_set_input_headers -t 'text/plain' 'X-Foo: bah';
# now $host and $http_host have their new values...
# ...
}
# replace input header X-Foo *only* if it already exists
more_set_input_headers -r 'X-Foo: howdy';
Description
This module allows you to add, set, or clear any output or input header that you specify.
This is an enhanced version of the standard headers module because it provides more utilities like resetting or clearing "builtin headers" like Content-Type, Content-Length, and Server.
It also allows you to specify an optional HTTP status code criteria using the -s option and an optional content type criteria using the -t option while modifying the output headers with the more_set_headers and more_clear_headers directives. For example,
more_set_headers -s 404 -t 'text/html' 'X-Foo: Bar';
You can also specify multiple MIME types to filter out in a single -t option. For example,
more_set_headers -t 'text/html text/plain' 'X-Foo: Bar';
Never use other parameters like charset=utf-8 in the -t option values; they will not work as you would expect.
Input headers can be modified as well. For example
location /foo {
    more_set_input_headers 'Host: foo' 'User-Agent: faked';
    # now $host, $http_host, $user_agent, and
    # $http_user_agent all have their new values.
}
The option -t is also available in the more_set_input_headers and more_clear_input_headers directives (for request header filtering) while the -s option is not allowed.
Unlike the standard headers module, this module's directives will by default apply to all the status codes, including 4xx and 5xx.