moneyslow.com

How to remove x-powered-by from Nginx response headers and hide the PHP version (PHP 8/7/5)

Check the PHP version:

php -v
php --version

The output looks like this:

PHP 8.1.12 (cli) (built: Oct 26 2022 10:00:44) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.12, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.12, Copyright (c), by Zend Technologies

Use curl to view the HTTP headers the web server sends back:

curl -IL https://your-domain/

Output:

HTTP/2 200 
server: nginx
date: Sun, 23 Jun 2019 20:48:48 GMT
content-type: text/html; charset=UTF-8
x-powered-by: PHP/8.1.12
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-robots-tag: noindex, noarchive
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-whome: l-cbz01
referrer-policy: no-referrer-when-downgrade

The line highlighted in red above (x-powered-by: PHP/8.1.12) is what we need to hide. This is controlled by a PHP setting, but I recommend putting it in your own configuration file, custom.ini, rather than editing php.ini directly, because there are many situations in which php.ini gets overwritten.
You can use the following paths directly:

  1. Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini
  2. Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini (for PHP 8.1.xx edit the /etc/php81/conf.d/custom.ini)
  3. Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini
  4. RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini
  5. OpenSUSE or SUSE Linux : /etc/php7/conf.d/custom.ini

But where is the PHP configuration directory on your own server? Here are several commands to find it:

php -i | more
php -i | grep -i -A4 'Additional .ini files parsed'
php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'
php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'
php-fpm8.0 -i | grep -i -A4 'Additional .ini files parsed'

For example, my result looks like this:

Configuration File (php.ini) Path => /etc/php/7.0/fpm
Loaded Configuration File => /etc/php/7.0/fpm/php.ini
Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d
Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini,
/etc/php/7.0/fpm/conf.d/10-opcache.ini,
/etc/php/7.0/fpm/conf.d/10-pdo.ini,

Now create your own custom.ini file:

##############################################
## this is for Alpine Linux and PHP v5.6.xx ##
##############################################
echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini

If you are using Alpine Linux and PHP 7.x:

echo 'expose_php = off' >> /etc/php7/conf.d/custom.ini

Next, restart your PHP service. The command depends on your version; here are several examples for reference:

### [ Alpine linux restart php-fpm ] ##
sudo /etc/init.d/php-fpm restart
### [ RHEL/CentOS 5.x/6.x restart php-fpm ] ##
sudo service php-fpm restart
### [ RHEL/CentOS 7.x restart php-fpm ] ##
sudo systemctl restart php-fpm
### [ Debian/Ubuntu Linux latest restart php-fpm ] ##
sudo service php7.0-fpm restart
### [ FreeBSD restart php-fpm ] ##
sudo service php-fpm restart
### [ Alpine Linux restart php-fpm7/php-fpm81 ] ##
sudo /etc/init.d/php-fpm7 restart
sudo /etc/init.d/php-fpm81 restart
### [ SUSE/OpenSUSE Linux restart php-fpm7 ] ##
sudo systemctl restart php-fpm.service

Now run curl -IL https://your-domain/ again to verify. In my case:

HTTP/2 200 
server: nginx
date: Sun, 23 Jun 2019 20:56:01 GMT
content-type: text/html; charset=UTF-8
set-cookie: PHPSESSID=q49sd1armm17j7a8l658538n74; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-robots-tag: noindex, noarchive
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-whome: l-cbz01
referrer-policy: no-referrer-when-downgrade

As you can see, the PHP version number is gone from the headers. You can even verify it by scanning your own server with nmap:

nmap -sV --script=http-php-version server-ip-here
nmap -sV --script=http-php-version

Result:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-24 02:26 IST
Nmap scan report for newsletter.cyberciti.biz (96.126.119.5)
Host is up (0.26s latency).
rDNS record for 96.126.119.5: nb-96-126-119-5.dallas.nodebalancer.linode.com
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx
|_http-server-header: nginx
443/tcp open  ssl/http nginx
|_http-server-header: nginx
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.20 seconds
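The whole procedure above (find the conf.d directory from `php -i`, write `expose_php = off` into custom.ini, check the response headers for the leak) as one shell script. This is an added example, not code from the original post: the function names `php_conf_dir`, `write_custom_ini` and `leaks_php_version` are my own, the `php -i` and header samples are constructed from the output shown on the page so the script runs offline, and `demo` writes into a temporary directory rather than the real conf.d. One deliberate difference from the post: the post's `echo ... >> custom.ini` appends a duplicate line on every run, so `write_custom_ini` checks for an existing `expose_php = off` line first.

```shell
#!/bin/sh
# Added example (not from the original post). Locates the PHP conf.d directory,
# writes custom.ini idempotently, and checks HTTP headers for a PHP version leak.
# Constructed sample data stands in for `php -i` and `curl -I` output.

# Extract the "Scan this dir for additional .ini files" path from `php -i` output on stdin.
php_conf_dir() {
    sed -n 's/^Scan this dir for additional \.ini files => //p' | head -n 1
}

# Exit 0 (true) if the header block on stdin still carries an x-powered-by: PHP/... line.
leaks_php_version() {
    grep -qi '^x-powered-by:[[:space:]]*PHP'
}

# Write expose_php = off into $1/custom.ini unless that line is already present.
# Prints the path of the ini file written.
write_custom_ini() {
    dir=$1
    ini="$dir/custom.ini"
    [ -d "$dir" ] || mkdir -p "$dir"
    if ! grep -qs '^expose_php[[:space:]]*=[[:space:]]*off' "$ini"; then
        printf 'expose_php = off\n' >> "$ini"
    fi
    printf '%s\n' "$ini"
}

# Constructed sample of `php -i` output, mirroring the post's Debian example.
SAMPLE_PHP_I='Configuration File (php.ini) Path => /etc/php/7.0/fpm
Loaded Configuration File => /etc/php/7.0/fpm/php.ini
Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d
Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini,'

# Constructed header samples: before and after expose_php = off.
HEADERS_BEFORE='HTTP/2 200
server: nginx
x-powered-by: PHP/8.1.12
content-type: text/html; charset=UTF-8'

HEADERS_AFTER='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8'

# End-to-end run against a temporary directory instead of the real conf.d.
demo() {
    conf_dir=$(printf '%s\n' "$SAMPLE_PHP_I" | php_conf_dir)
    echo "php conf.d on this host would be: $conf_dir"
    tmp=$(mktemp -d)
    ini=$(write_custom_ini "$tmp/conf.d")
    write_custom_ini "$tmp/conf.d" >/dev/null   # second run must not add a duplicate line
    echo "wrote: $ini ($(grep -c '^expose_php' "$ini") expose_php line(s))"
    if printf '%s\n' "$HEADERS_BEFORE" | leaks_php_version; then
        echo "before: x-powered-by present, PHP version leaked"
    fi
    if ! printf '%s\n' "$HEADERS_AFTER" | leaks_php_version; then
        echo "after: no x-powered-by header"
    fi
    rm -rf "$tmp"
}

# On a live host the same functions take real input:
#   php -i | php_conf_dir
#   curl -sI https://your-domain/ | leaks_php_version && echo "still leaking"
demo
```

Two notes on the design. `expose_php` can only be set in php.ini or a conf.d file (it is a php.ini-only setting), not from a script with `ini_set()`, which is why the post edits the configuration and restarts php-fpm rather than patching application code. Independently of this PHP setting, nginx can also strip the header at the proxy layer with `fastcgi_hide_header X-Powered-By;` inside the location that passes requests to php-fpm; that is not part of the original post, but it is a cheap second layer in case a pool is ever started without custom.ini.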