目录
-
版本号隐藏
配置文件添加配置:
http {
···
server_tokens off;
···
}
官方参数资料:http://nginx.org/en/docs/http/ngx_http_core_module.html
-
软件名更改
要实现软件名及版本号的修改,需要对源码文件进行改动后,编译安装;
所需修改文件分别是:
nginx-1.12.1/src/core/nginx.h
nginx-1.12.1/src/http/ngx_http_header_filter_module.c
nginx-1.12.1/src/http/ngx_http_special_response.c
源码文件如下:
[root@c1 ~/nginx-1.12.1/src/core]# sed -n '13,17p' nginx.h
#define NGINX_VERSION "1.12.1"
#define NGINX_VER "nginx/" NGINX_VERSION
#ifdef NGX_BUILD
#define NGINX_VER_BUILD NGINX_VER " (" NGX_BUILD ")"
#else
#define NGINX_VER_BUILD NGINX_VER
#endif
#define NGINX_VAR "NGINX"
#define NGX_OLDPID_EXT ".oldbin"
修改后如下:
#define NGINX_VERSION "5.1.8"
#define NGINX_VER "KZH/" NGINX_VERSION
#ifdef NGX_BUILD
#define NGINX_VER_BUILD NGINX_VER " (" NGX_BUILD ")"
#else
#define NGINX_VER_BUILD NGINX_VER
#endif
#define NGINX_VAR "KZH"
#define NGX_OLDPID_EXT ".oldbin"
源码文件如下:
[root@c1 ~/nginx-1.12.1/src/http]# sed -n '49p' ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
修改后如下:
static u_char ngx_http_server_string[] = "Server: KZH" CRLF;
源码文件如下:
[root@c1 ~/nginx-1.12.1/src/http]# sed -n '21,38p' ngx_http_special_response.c
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
static u_char ngx_http_error_build_tail[] =
"<hr><center>" NGINX_VER_BUILD "</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF
"</body>" CRLF
"</html>" CRLF
修改后如下:
static u_char ngx_http_error_full_tail[] =
"<hr><center>" NGINX_VER "(http://cnblogs.com/kazihuo)</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
static u_char ngx_http_error_build_tail[] =
"<hr><center>" NGINX_VER_BUILD "</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
static u_char ngx_http_error_tail[] =
"<hr><center>KZH</center>" CRLF
"</body>" CRLF
"</html>" CRLF
[root@c1 ~/nginx-1.12.1]# ./configure --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --prefix=/usr/local/kzh/
[root@c1 ~/nginx-1.12.1]# make && make install
[root@c1 /usr/local/kzh/sbin]# ./nginx
源码文件显示:
[root@c1 ~]# curl -I 192.168.10.11:80
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Dec 2017 01:12:27 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 06 Dec 2017 19:15:30 GMT
Connection: keep-alive
ETag: "5a2841d2-264"
Accept-Ranges: bytes
修改后页面显示:
[root@c1 ~]# curl -I 192.168.10.11:88
HTTP/1.1 200 OK
Server: KZH/5.1.8
Date: Thu, 07 Dec 2017 01:12:31 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 07 Dec 2017 00:44:19 GMT
Connection: keep-alive
ETag: "5a288ee3-264"
Accept-Ranges: bytes
-
日志轮滚
# cat /server/scripts/cut_log.sh
#/bin/bash
cd /usr/local/nginx/logs/ && /bin/mv access.log access-$(date -d "-1 day" +%F).log
/usr/local/nginx/sbin/nginx -s reload
# crontab -l
1 * * * * /bin/sh /server/scripts/cut_log.sh
-
关闭指定日志
实际工作中,日志写入消耗磁盘I/O,对于负载均衡器健康节点检查或特定文件日志不需记录;
用location标签匹配不记录日志的元素扩展名,关闭其日志:
-
日志权限设置
日志目录权限给了NGINX用户,会成为安全隐患:
# chown -R root.root /usr/local/nginx/logs/
# chown -R 700 /usr/local/nginx/logs/
-
目录访问控制
eg1:配置Nginx,禁止解析指定目录下的指定程序:
对上述目录的限制必须写在Nginx处理PHP服务配置的前面,如下:
eg2:禁止访问*.txt和*.doc文件:
eg3:禁止访问单个目录:
禁止访问多个目录:
eg4:禁止访问目录并返回指定HTTP状态码:
应用场景:对于集群的共享存储,一般是存放静态资源文件,所以可以禁止执行指定扩展名的程序,例:.php .sh .pl .py
-
限制IP访问
eg1:只允许指定IP访问该目录,且支持PHP解析:
eg2:限制指定IP或IP段访问:
-------------------------------------------------------------
转载请保留此段声明,且在文章页面明显位置给出原文链接,谢谢!
------------------------------------------------------------------------------
如果觉得这篇文章对你有小小的帮助的话,记得在右下角点个“推荐”哦,博主在此感谢!
------------------------------------------------------------------------------
