Hiding the Server name and version information in the response headers of Lighttpd, Nginx and Apache
Web servers and the applications around them show their version in the response headers by default, which is insecure: it tells anyone probing the host exactly which software release to look up. To avoid this unnecessary exposure, the methods for hiding version information in the commonly used applications are summarised here. There are generally two ways to do it: change the configuration file, or modify the source code and rebuild. The latter is the recommended approach here.
I. Turning off version display through configuration
Hiding the Apache version
Edit /etc/apache2/apache2.conf (or /etc/httpd/conf/httpd.conf) with vim and add the following directives:
ServerTokens ProductOnly
ServerSignature Off
Restart Apache; the HTTP response header now shows only: Server: Apache
Hiding the nginx version
#vi nginx.conf
Add server_tokens off; inside the http block,
as follows:
http {
    # ... configuration omitted
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    tcp_nodelay on;
    server_tokens off;
    # ... configuration omitted
}
Hiding the PHP version
Edit php.ini and change
expose_php = On
to
expose_php = Off
After restarting Apache, the PHP version no longer appears in the HTTP header (the X-Powered-By header is gone).
II. Modifying the source code directly and compiling a version that nobody recognises
1. Lighttpd 1.4.20
src/response.c:108, change to:
buffer_append_string_len(b, CONST_STR_LEN("Server: 361way"));
Output header:
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Mon, 12 Jan 2009 13:54:02 GMT
Server: 361way
2. Nginx 0.7.30
src/http/ngx_http_header_filter_module.c:48-49, change to:
static char ngx_http_server_string[] = "Server: 361way" CRLF;
static char ngx_http_server_full_string[] = "Server: 361way" CRLF;
Output header:
HTTP/1.1 200 OK
Server: 361way
Date: Mon, 12 Jan 2009 14:01:10 GMT
Content-Type: text/html
Content-Length: 151
Last-Modified: Mon, 12 Jan 2009 14:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
nginx also defines the version number in the src/core/nginx.h header file; that can be changed as well.
3. Cherokee 0.11.6
cherokee/version.c:93, add:
ret = cherokee_buffer_add_str (buf, "361way");
return ret;
Output header:
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=15
Date: Mon, 12 Jan 2009 14:54:39 GMT
Server: 361way
ETag: 496b54af=703
Last-Modified: Mon, 12 Jan 2009 14:33:19 GMT
Content-Type: text/html
Content-Length: 1795
4. Apache 2.2.11
server/core.c:2784, add:
ap_add_version_component(pconf, "361way");
return;
Output header:
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2009 14:28:10 GMT
Server: 361way
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1920edd-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html
5. Squid 3.0 STABLE 11
src/globals.cc:58, change to:
const char *const full_appname_string = "361way";
Output header:
HTTP/1.0 400 Bad Request
Server: 361way
Mime-Version: 1.0
Date: Mon, 12 Jan 2009 15:25:15 GMT
Content-Type: text/html
Content-Length: 1553
Expires: Mon, 12 Jan 2009 15:25:15 GMT
X-Squid-Error: ERR_INVALID_URL 0
X-Cache: MISS from 'cache.hutuworm.org'
Via: 1.0 'cache.hutuworm.org' (361way)
Proxy-Connection: close
6. Tomcat 6.0.18
java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236, change both to:
ByteChunk.convertToBytes("Server: 361way" + CRLF);
Output header:
HTTP/1.1 200 OK
Server: 361way
ETag: W/"7857-1216684872000"
Last-Modified: Tue, 22 Jul 2008 00:01:12 GMT
Content-Type: text/html
Content-Length: 7857
Date: Mon, 12 Jan 2009 16:30:44 GMT
7. JBoss 5.0.0 GA
a. tomcat/src/resources/web.xml:40, change to 361way
b. Download the JBoss Web Server 2.1.1.GA source tarball (http://www.jboss.org/jbossweb/downloads/jboss-web/)
java/org/apache/coyote/http11/Constants.java:56 and java/org/apache/coyote/ajp/Constants.java:236, change both to:
ByteChunk.convertToBytes("Server: 361way" + CRLF);
Overwrite the jbossweb.jar in the JBoss build output with the compiled jbossweb.jar:
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/all/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/standard/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar
JBOSS_SRC/build/output/jboss-5.0.0.GA/server/web/deploy/jbossweb.sar/jbossweb.jar
Output header:
HTTP/1.1 200 OK
Server: 361way
X-Powered-By: 361way
Accept-Ranges: bytes
ETag: W/"1581-1231842222000"
Last-Modified: Tue, 13 Jan 2009 10:23:42 GMT
Content-Type: text/html
Content-Length: 1581
Date: Tue, 13 Jan 2009 10:30:42 GM
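Whichever route is taken, the configuration directives of part I or the rebuilt binaries of part II, the result should be verified from the outside rather than assumed. The following check is an added example and is not part of the original post: it parses a raw HTTP response head, inspects the headers that usually leak software identity (Server, X-Powered-By, Via, X-ASPNet-Version; this list is the example's own choice), and reports any value that still carries a dotted version number. The sample responses, the host name proxy.example.com and the helper names are constructed for the example; the optional live check uses only the standard http.client module.

```python
import re
import sys
import http.client
from typing import Dict, List, Tuple

# Headers that commonly disclose software identity and version.
# Assumption: this list was chosen for the example, it is not from the post.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "via", "x-aspnet-version")

# A software version is a dotted number such as 2.2.11, 0.7.30 or 5.2.8.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

# Constructed sample: a response before hardening (values are made up).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 12 Jan 2009 14:28:10 GMT\r\n"
    "Server: Apache/2.2.11 (Unix) PHP/5.2.8\r\n"
    "X-Powered-By: PHP/5.2.8\r\n"
    "Via: 1.0 proxy.example.com (squid/3.0.STABLE11)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Constructed sample: the same response after ServerTokens ProductOnly,
# expose_php = Off and a rebuilt proxy banner.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 12 Jan 2009 14:28:10 GMT\r\n"
    "Server: Apache\r\n"
    "Via: 1.0 proxy.example.com (361way)\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response head into (status line, {lower-name: value})."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line terminates the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _software_part(name: str, value: str) -> str:
    """Return only the part of a header value that names software."""
    if name == "via":
        # In Via the leading token is the HTTP protocol version, not a
        # software version; only the parenthesised comment names the proxy.
        match = re.search(r"\(([^)]*)\)", value)
        return match.group(1) if match else ""
    return value


def find_version_disclosures(raw: str) -> List[Tuple[str, str]]:
    """Return (header, original value) pairs that still reveal a version."""
    _, headers = parse_response_headers(raw)
    findings: List[Tuple[str, str]] = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is not None and VERSION_RE.search(_software_part(name, value)):
            findings.append((name, value))
    return findings


def fetch_head(host: str, port: int = 80, path: str = "/") -> str:
    """Send a HEAD request and return the response head as raw text."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status = f"HTTP/1.{resp.version % 10} {resp.status} {resp.reason}"
        lines = [status] + [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


def report(label: str, raw: str) -> None:
    """Print the audit result for one response head."""
    findings = find_version_disclosures(raw)
    if not findings:
        print(f"{label}: no version disclosure found")
    for name, value in findings:
        print(f"{label}: {name} still discloses a version -> {value!r}")


if __name__ == "__main__":
    report("before", BEFORE)
    report("after", AFTER)
    if len(sys.argv) > 1:  # optional live check: python check.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        report(sys.argv[1], fetch_head(sys.argv[1], port))
```

Run it without arguments to see the two constructed samples audited, or pass a host (and port) to audit a live server after restarting it. A clean result only means the banner is gone; error pages, default index pages and the ETag format can still hint at the software in use, so those are worth checking by hand as well.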
- Author: shisekong
- Link: https://blog.361way.com/yincang-head/358.html
- License: This work is under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Kindly fulfil the requirements of the aforementioned License when adapting or creating a derivative of this work.