Basic Nginx security hardening
- Hide the nginx version number by adjusting a configuration parameter
- Change the source code to hide the Nginx software name and version number
Hiding the Nginx version number by adjusting a configuration parameter
Advantages:
- Hides or removes sensitive information that the web service would otherwise show to users
- Reduces the chance of the service being attacked: exposing the service framework and its version makes it easier to target it with known vulnerabilities
- Strengthens the server's security
In the nginx configuration, the version number is hidden with the server_tokens off; directive. Configuration:
root # cat ~/workspaces/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server_tokens off; # hides the version number
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
Test
# custom configuration, version number hidden
docker run -d --name nginx1 -v ~/workspaces/nginx/nginx.conf:/etc/nginx/nginx.conf -p8080:80 nginx:latest
# default configuration
docker run -d --name nginx2 -p8081:80 nginx:latest
Compare the output of curl -I http://localhost:8080 with that of curl -I http://localhost:8081: the hardened instance reports only Server: nginx, while the default one still includes the version after the slash. That completes hiding the version number.
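Added example (not from the original post): a small Python check that parses a raw HTTP response and reports whether an nginx version string appears in the Server header or in the error-page body. The two responses are constructed to match what the default container and the server_tokens off container return; they are not captured output.

```python
import re

# Banner nginx emits with server_tokens on, e.g. "nginx/1.18.0". With
# server_tokens off the Server header is just "nginx" and the version is
# also dropped from the built-in error pages.
VERSION_RE = re.compile(r"\bnginx/(\d+\.\d+\.\d+)", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def leaked_versions(raw: str) -> dict:
    """Return where a version string is exposed, e.g. {'server': '1.18.0'}."""
    _, headers, body = parse_response(raw)
    found = {}
    for where, text in (("server", headers.get("server", "")), ("body", body)):
        m = VERSION_RE.search(text)
        if m:
            found[where] = m.group(1)
    return found


# Constructed sample responses, not captured from the containers above:
# nginx2 (default settings) and nginx1 (server_tokens off) answering a 404.
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><center><h1>404 Not Found</h1></center>"
    "<hr><center>nginx/1.18.0</center></body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><center><h1>404 Not Found</h1></center>"
    "<hr><center>nginx</center></body></html>"
)

if __name__ == "__main__":
    for name, resp in (("default", DEFAULT_404), ("server_tokens off", HARDENED_404)):
        print(f"{name}: {leaked_versions(resp) or 'no version exposed'}")
```

To check a running container, feed the function the output of curl -i (not -I, so the body is included) or the raw bytes read from a socket.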
Changing the source code to hide the Nginx software name and version number
Hiding or changing nginx's software name and version number can be done by modifying the nginx source code; roughly three nginx files need to be changed:
To customize nginx's software name:
- $(nginx_source_dir)/src/core/nginx.h
- $(nginx_source_dir)/src/http/ngx_http_header_filter_module.c
To customize nginx's version number and add personalized information:
- $(nginx_source_dir)/src/http/ngx_http_special_response.c
First, run an nginx:1.18 image with the default configuration:
docker run -d --name nginx3 -p8082:80 nginx:1.18
In a browser, request a resource that does not exist, http://localhost:8082/1; the following page is displayed: nginx's default 404 page, whose footer shows the server name and version.
Next we build nginx from source in a Dockerfile and produce the image with the docker build command. The Dockerfile that builds nginx:1.18 is:
FROM debian:stretch-slim
MAINTAINER Marionxue@devopsman.cn "云原生生态圈"
RUN useradd www && \
mkdir -p /logs/nginx/ /webserver/nginx /webserver/nginx/conf/upsync && \
chown -R www:www /logs/nginx/ /webserver/nginx && \
echo 'deb http://mirrors.163.com/debian/ stretch main non-free contrib' > /etc/apt/sources.list && \
echo 'deb http://mirrors.163.com/debian/ stretch-updates main non-free contrib' >> /etc/apt/sources.list && \
echo 'deb-src http://mirrors.163.com/debian/ stretch main non-free contrib' >> /etc/apt/sources.list && \
echo 'deb-src http://mirrors.163.com/debian/ stretch-updates main non-free contrib' >> /etc/apt/sources.list && \
echo 'deb-src http://mirrors.163.com/debian/ stretch-backports main non-free contrib' >> /etc/apt/sources.list && \
echo 'deb-src http://mirrors.163.com/debian-security/ stretch/updates main non-free contrib' >> /etc/apt/sources.list && \
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
apt-get update && \
apt-get install -y wget vim net-tools unzip libjemalloc-dev && \
apt-get build-dep -y nginx
RUN \
cd /usr/local/src/ && \
wget -c http://nginx.org/download/nginx-1.18.0.tar.gz && \
wget -c https://www.openssl.org/source/old/1.0.2/openssl-1.0.2m.tar.gz && \
wget -c https://github.com/simplresty/ngx_devel_kit/archive/v0.3.1rc1.tar.gz && \
wget -c https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz && \
wget -c https://github.com/xiaokai-wang/nginx_upstream_check_module/archive/master.zip -O nginx_upstream_check_module.zip && \
wget -c https://github.com/weibocom/nginx-upsync-module/archive/master.zip -O nginx-upsync-module.zip && \
tar zxf ./nginx-1.18.0.tar.gz && rm nginx-1.18.0.tar.gz && \
tar zxf ./openssl-1.0.2m.tar.gz && rm openssl-1.0.2m.tar.gz && \
tar zxf ./v0.3.1rc1.tar.gz && rm v0.3.1rc1.tar.gz && \
tar zxf ./v0.10.11.tar.gz && rm v0.10.11.tar.gz && \
unzip ./nginx_upstream_check_module.zip && rm nginx_upstream_check_module.zip && \
unzip ./nginx-upsync-module.zip && rm nginx-upsync-module.zip
# Customize the Nginx software name and version number and add some extra information (CloudNativeEcosystem: https://www.devopsman.cn)
RUN sed -i '13 s#1.18.0#v1.0#g' /usr/local/src/nginx-1.18.0/src/core/nginx.h && \
sed -i '14 s#nginx#CloudNativeEcosystem#g' /usr/local/src/nginx-1.18.0/src/core/nginx.h && \
sed -i '22 s#\"NGINX\"#\"CloudNativeEcosystem\"#g' /usr/local/src/nginx-1.18.0/src/core/nginx.h && \
sed -i '49 s#nginx#CloudNativeEcosystem#g' /usr/local/src/nginx-1.18.0/src/http/ngx_http_header_filter_module.c && \
sed -i '22 s#\" NGINX_VER \"#\" NGINX_VER \"\(CloudNativeEcosystem: https:\/\/www\.devopsman\.cn\)#g' /usr/local/src/nginx-1.18.0/src/http/ngx_http_special_response.c && \
sed -i '36 s#nginx#CloudNativeEcosystem#g' /usr/local/src/nginx-1.18.0/src/http/ngx_http_special_response.c
RUN \
cd /usr/local/src/nginx-1.18.0 &&\
patch -p1 < /usr/local/src/nginx_upstream_check_module-master/check_1.12.1+.patch &&\
./configure \
--prefix=/webserver/nginx \
--user=www --group=www --with-pcre \
--with-stream \
--with-http_v2_module \
--with-http_ssl_module \
--with-ld-opt=-ljemalloc \
--with-http_realip_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--http-log-path=/logs/nginx/access.log \
--error-log-path=/logs/nginx/error.log \
--with-openssl=/usr/local/src/openssl-1.0.2m \
--add-module=/usr/local/src/ngx_devel_kit-0.3.1rc1 \
--add-module=/usr/local/src/lua-nginx-module-0.10.11 \
--add-module=/usr/local/src/nginx_upstream_check_module-master \
--add-module=/usr/local/src/nginx-upsync-module-master && \
make && \
make install
EXPOSE 80
WORKDIR /webserver/nginx/sbin
CMD ["./nginx","-g","daemon off;"]
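The sed commands in the Dockerfile above edit src/core/nginx.h and src/http/ngx_http_header_filter_module.c by line number, which silently does nothing if the lines sit elsewhere in another release. As an added example (not the post's own code, and not covering ngx_http_special_response.c), this Python helper matches on the macro names those sed lines target (NGINX_VERSION, NGINX_VER, NGINX_VAR and the "Server: nginx" string) and raises when a rule finds nothing; the nginx.h excerpt is constructed in the shape of the 1.18.0 file.

```python
import re

NEW_NAME = "CloudNativeEcosystem"   # values taken from the page's sed commands
NEW_VERSION = "v1.0"

# (pattern, replacement) rules for src/core/nginx.h
NGINX_H_RULES = [
    (re.compile(r'^(#define NGINX_VERSION\s+)"[^"]*"', re.M), rf'\1"{NEW_VERSION}"'),
    (re.compile(r'^(#define NGINX_VER\s+)"nginx/"', re.M), rf'\1"{NEW_NAME}/"'),
    (re.compile(r'^(#define NGINX_VAR\s+)"NGINX"', re.M), rf'\1"{NEW_NAME}"'),
]
# rule for the Server: header text in src/http/ngx_http_header_filter_module.c
HEADER_FILTER_RULES = [
    (re.compile(r'"Server: nginx"'), f'"Server: {NEW_NAME}"'),
]


def rebrand(text: str, rules) -> str:
    """Apply each rule exactly once; raise if any rule found no match."""
    for pattern, repl in rules:
        text, n = pattern.subn(repl, text, count=1)
        if n != 1:
            raise ValueError(f"no match for {pattern.pattern!r}: source layout changed?")
    return text


def rebrand_file(path: str, rules) -> None:
    """Rewrite one source file in place (run before ./configure)."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(rebrand(text, rules))


# Constructed excerpt in the shape of nginx-1.18.0's src/core/nginx.h
NGINX_H = (
    '#define nginx_version      1018000\n'
    '#define NGINX_VERSION      "1.18.0"\n'
    '#define NGINX_VER          "nginx/" NGINX_VERSION\n'
    '\n'
    '#define NGINX_VAR          "NGINX"\n'
)

if __name__ == "__main__":
    print(rebrand(NGINX_H, NGINX_H_RULES))
```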
Now we build the custom image nginx:cnesf with docker build:
docker build -t nginx:cnesf -f Dockerfile .
...
---> 78b6e2cc7fc5
Step 9/9 : CMD ["./nginx","-g","daemon off;"]
---> Running in fb2968e2b3d0
Removing intermediate container fb2968e2b3d0
---> c5800a6f04fd
Successfully built c5800a6f04fd
Successfully tagged nginx:cnesf
Then run a container from nginx:cnesf:
docker run -d --name nginx -v ~/workspaces/nginx/nginx.conf:/etc/nginx/nginx.conf -p80:80 nginx:cnesf
Then test with curl and a browser to see the effect:
$ curl -I http://localhost:80
HTTP/1.1 200 OK
Server: CloudNativeEcosystem/v1.0
Date: Sat, 10 Oct 2020 16:18:52 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sat, 10 Oct 2020 16:18:39 GMT
Connection: keep-alive
ETag: "5f81dedf-264"
Accept-Ranges: bytes
By hiding or changing nginx's service name and version number in this way, we have completed the basic Nginx security hardening. Note that this only removes the banner: the underlying code is unchanged, so the image still has to be rebuilt from each upstream security release.