Hiding the Nginx version number: security rationale and method

  

By default, Nginx displays its version number, for example:

[root@bkjz ~]# curl -I www.45it.com
HTTP/1.1 200 OK
Server: nginx/0.8.44
Date: Tue, 13 Jul 2010 14:05:11 GMT
Content-Type: text/html
Content-Length: 8284
Last-Modified: Tue, 13 Jul 2010 12:00:13 GMT
Connection: keep-alive
Keep-Alive: timeout=15
Accept-Ranges: bytes

This tells anyone who asks that your server runs nginx 0.8.44. Some time ago, vulnerabilities were disclosed that affect some Nginx versions and not others. An exposed version number can therefore easily become useful information for attackers. So, from a security perspective, hiding the version number is relatively safer!

Can the nginx version number be hidden? Yes, it can; see the steps below:

1. Go to the directory that holds the nginx configuration file (the location depends on how nginx was installed) and open the file with vim:

# vim nginx.conf

Add server_tokens off; inside the http { ... } block, for example:

http {
    # ... (omitted)
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;
    # ... (omitted)
}


2. Edit the php-fpm configuration file, such as fastcgi.conf or fcgi.conf (the file name can be customized, so adjust it to match your actual file name):

Find: fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
Change to: fastcgi_param SERVER_SOFTWARE nginx;

3. Reload nginx configuration:

# /etc/init.d/nginx reload

This completely hides the nginx version number, that is, the 404, 501 and other pages will not display the nginx version.

Let's test it out:

[root@bkjz ~]# curl -I www.45it.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 Jul 2010 14:26:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
……
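The two configuration changes and the result can also be checked by script. The following is an added example, not part of the original article: it audits a set of config files for both settings from steps 1 and 2 and checks response text for a leaked version. The function names and sample files are constructed for illustration, and include directives are not followed.

```shell
#!/bin/sh
# Added example (not from the original article). All sample data is constructed.

# Succeeds (0) if the response text discloses an nginx version, either in the
# Server header or in the footer nginx prints on its built-in error pages.
leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' |
        grep -Eiq '^Server[[:space:]]*:[[:space:]]*nginx/[0-9]|<center>nginx/[0-9]'
}

# Audit the given config files as one set (include directives are not followed).
# Prints one line per finding and returns 1 if anything was found.
audit_nginx_files() {
    # Drop comments so a commented-out "# server_tokens off;" does not count.
    stripped=$(sed 's/#.*//' "$@")
    rc=0
    if ! printf '%s\n' "$stripped" |
        grep -Eq '(^|[[:space:];{])server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "FINDING: server_tokens off; is not set"; rc=1
    fi
    if printf '%s\n' "$stripped" |
        grep -Eq 'fastcgi_param[[:space:]]+SERVER_SOFTWARE[[:space:]].*\$nginx_version'; then
        echo "FINDING: SERVER_SOFTWARE still passes \$nginx_version to FastCGI"; rc=1
    fi
    return "$rc"
}

# Constructed sample files: the configuration before and after the change.
make_samples() {
    printf 'http {\n    sendfile on;\n    # server_tokens off;\n}\n' > "$1/before.conf"
    printf 'fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;\n' > "$1/before_fcgi.conf"
    printf 'http {\n    sendfile on;\n    server_tokens off;\n}\n' > "$1/after.conf"
    printf 'fastcgi_param SERVER_SOFTWARE nginx;\n' > "$1/after_fcgi.conf"
}

# Demo on the constructed samples.
d=$(mktemp -d)
make_samples "$d"
audit_nginx_files "$d/before.conf" "$d/before_fcgi.conf" || echo "before: needs changes"
audit_nginx_files "$d/after.conf" "$d/after_fcgi.conf" && echo "after: clean"
rm -rf "$d"
```

On a real host, pass the actual nginx.conf and FastCGI parameter file to audit_nginx_files, and feed leaks_version the output of curl -I for both a normal page and an error page.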

The server information display tool in Firefox also cannot display the nginx version number (in fact, this tool detects it the same way the curl command does).


OK, finished.
