Title: Lighttpd, Nginx, Apache: hiding the Server field in response headers, and the Apache and PHP version information
Source: 沧海一粟
Time: Tue, 08 Mar 2011 23:58:44 +0000
Author: jed
URL: http://www.dzhope.com/post/763/

Content:

Lighttpd, Nginx, Apache: hiding the Server field in response headers, and the Apache and PHP version information

Web server version information

1. Hiding Apache information

By default, many Apache installations reveal the version number and the operating system version, and may even reveal which Apache modules are installed on the server. Attackers can use this information, and can also infer from it that many settings on your server are still at their defaults.

Two directives need to be added to httpd.conf:

    ServerSignature Off
    ServerTokens Prod

ServerSignature appears at the bottom of pages generated by Apache, such as 404 pages and directory listings. The ServerTokens directive determines what Apache puts in the Server field of the HTTP response header. With ServerTokens set to Prod, the response header is reduced to:

    Server: Apache

2. Hiding PHP information

Edit php.ini and change expose_php On to expose_php Off.

Reference solutions (rebuilding each server from source with a custom Server string, here "jufukeji"):

1. Lighttpd 1.4.20

src/response.c:108, change to:

    buffer_append_string_len(b, CONST_STR_LEN("Server: jufukeji"));

Output header:

    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Content-Length: 345
    Date: Mon, 12 Jan 2009 13:54:02 GMT
    Server: jufukeji

2. Nginx 0.7.30

src/http/ngx_http_header_filter_module.c:48-49, change to:

    static char ngx_http_server_string[] = "Server: jufukeji" CRLF;
    static char ngx_http_server_full_string[] = "Server: jufukeji" CRLF;

Output header:

    HTTP/1.1 200 OK
    Server: jufukeji
    Date: Mon, 12 Jan 2009 14:01:10 GMT
    Content-Type: text/html
    Content-Length: 151
    Last-Modified: Mon, 12 Jan 2009 14:00:56 GMT
    Connection: keep-alive
    Accept-Ranges: bytes

3. Cherokee 0.11.6

cherokee/version.c:93, add:

    ret = cherokee_buffer_add_str (buf, "jufukeji");
    return ret;

Output header:

    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=15
    Date: Mon, 12 Jan 2009 14:54:39 GMT
    Server: jufukeji
    ETag: 496b54af=703
    Last-Modified: Mon, 12 Jan 2009 14:33:19 GMT
    Content-Type: text/html
    Content-Length: 1795

4. Apache 2.2.11

server/core.c:2784, add:

    ap_add_version_component(pconf, "jufukeji");
    return;

Output header:

    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2009 14:28:10 GMT
    Server: jufukeji
    Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
    ETag: "1920edd-2c-3e9564c23b600"
    Accept-Ranges: bytes
    Content-Length: 44
    Content-Type: text/html

5. Squid 3.0 STABLE 11

src/globals.cc:58, change to:

    const char *const full_appname_string = "jufukeji";

Output header:

    HTTP/1.0 400 Bad Request
    Server: jufukeji
    Mime-Version: 1.0
    Date: Mon, 12 Jan 2009 15:25:15 GMT
    Content-Type: text/html
    Content-Length: 1553
    Expires: Mon, 12 Jan 2009 15:25:15 GMT
    X-Squid-Error: ERR_INVALID_URL 0
    X-Cache: MISS from 'cache.hutuworm.org'
    Via: 1.0 'cache.hutuworm.org' (jufukeji)
    Proxy-Connection: close

6. Tomcat 6.0.18

java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236, change both to:

    ByteChunk.convertToBytes("Server: jufukeji" + CRLF);

Output header:

    HTTP/1.1 200 OK
    Server: jufukeji
    ETag: W/"7857-1216684872000"
    Last-Modified: Tue, 22 Jul 2008 00:01:12 GMT
    Content-Type: text/html
    Content-Length: 7857
    Date: Mon, 12 Jan 2009 16:30:44 GMT

7. JBoss 5.0.0 GA

a. tomcat/src/resources/web.xml:40, change to jufukeji

b. Download the JBoss Web Server 2.1.1.GA source tarball (http://www.jboss.org/jbossweb/downloads/jboss-web/) and change both java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236 to:

    ByteChunk.convertToBytes("Server: jufukeji" + CRLF);

Overwrite the jbossweb.jar files in the JBoss build output with the compiled jbossweb.jar:

    JBOSS_SRC/build/output/jboss-5.0.0.GA/server/all/deploy/jbossweb.sar/jbossweb.jar
    JBOSS_SRC/build/output/jboss-5.0.0.GA/server/standard/deploy/jbossweb.sar/jbossweb.jar
    JBOSS_SRC/build/output/jboss-5.0.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar
    JBOSS_SRC/build/output/jboss-5.0.0.GA/server/web/deploy/jbossweb.sar/jbossweb.jar

Output header:

    HTTP/1.1 200 OK
    Server: jufukeji
    X-Powered-By: jufukeji
    Accept-Ranges: bytes
    ETag: W/"1581-1231842222000"
    Last-Modified: Tue, 13 Jan 2009 10:23:42 GMT
    Content-Type: text/html
    Content-Length: 1581
    Date: Tue, 13 Jan 2009 10:30:42 GM
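To verify the effect of these changes, the following added script (my own example, not code from the original post or from any of the projects above) parses a raw response header block like the ones shown above and reports what the Server, X-Powered-By and Via fields still disclose. The two sample responses embedded in it are constructed; the "Apache/2.2.11 (Unix) PHP/5.2.8" value in the verbose one is an illustrative default-style banner, not an observed one.

```python
import re

# Headers that commonly carry product/version information.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "via")
# Product token followed by a version, e.g. "Apache/2.2.11" or "PHP/5.2.8".
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
SEVERITY_ORDER = ("none", "product", "version")

# Constructed sample responses: a verbose default and one patched as in the post.
VERBOSE = ("HTTP/1.1 200 OK\r\nDate: Mon, 12 Jan 2009 14:28:10 GMT\r\n"
           "Server: Apache/2.2.11 (Unix) PHP/5.2.8\r\nX-Powered-By: PHP/5.2.8\r\n"
           "Content-Type: text/html\r\n\r\n<html>...</html>")
HARDENED = ("HTTP/1.1 200 OK\r\nDate: Mon, 12 Jan 2009 14:28:10 GMT\r\n"
            "Server: jufukeji\r\nContent-Type: text/html\r\n\r\n")


def parse_headers(raw):
    """Return {lowercased name: [values]} for a raw HTTP response.

    Skips the status line, compares names case-insensitively, keeps repeated
    headers in order, and stops at the blank line that precedes the body.
    """
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_disclosure(raw):
    """List (header, value, severity) for each disclosure header present.

    "version": a product/version token is present (ServerTokens Full, expose_php On).
    "product": present but no version (ServerTokens Prod, or a custom "jufukeji").
    """
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            level = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, level))
    return findings


def worst_severity(raw):
    """Summarise a response as "none", "product" or "version"."""
    levels = [level for _, _, level in audit_disclosure(raw)]
    return max(levels, key=SEVERITY_ORDER.index, default="none")
```

A response whose Server field has been replaced by a custom string is still reported as "product", since the header is present; only a response with no disclosure headers at all comes back as "none".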