When Nginx and PHP-FPM are installed, the PHP Powered-By header is exposed by default. You may want to hide PHP headers such as X-Powered-By and X-CF-Powered-By to limit the server information disclosed to the public; this is one of several hardening measures. The X-Powered-By and X-CF-Powered-By PHP headers are disabled in the FastCGI section of your Nginx configuration. To use this method you should be running Nginx with PHP-FPM. Configuration examples follow.
Procedure

For a generic nginx configuration file:

```nginx
############
# Pass all .php files onto a php-fpm or php-cgi server
############
location ~ \.php$ {
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_read_timeout 3600s;
    fastcgi_buffer_size 128k;
    fastcgi_connect_timeout 3s;
    fastcgi_send_timeout 120s;
    fastcgi_temp_file_write_size 256k;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm/php7.3-fpm.sock;
    #fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;

    # Hide PHP headers
    fastcgi_hide_header X-Powered-By;
    fastcgi_hide_header X-CF-Powered-By;
}
```

If the PHP-FPM configuration lives in a separate file, it should look like this:

```nginx
$ cat /etc/nginx/nginxconfig.io/php_fastcgi.conf
# 404
try_files $fastcgi_script_name =404;

# default fastcgi_params
include fastcgi_params;

# fastcgi settings
fastcgi_pass unix:/var/run/php-fpm/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;

# Hide PHP headers
fastcgi_hide_header X-Powered-By;
fastcgi_hide_header X-CF-Powered-By;

# fastcgi params
fastcgi_param DOCUMENT_ROOT $realpath_root;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
```

The fastcgi_hide_header directive names additional response fields that will not be passed on to the client. Conversely, if a field that Nginx would normally suppress needs to be passed through, use the fastcgi_pass_header directive.

Validate the Nginx configuration:

```
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Restart Nginx for the changes to take effect:

```
sudo systemctl restart nginx php-fpm
```
Confirming the setting

This is the curl output for my website before the headers were disabled:

```
$ curl -IL https://computingforgeeks.com
HTTP/2 200
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
x-powered-by: PHP/7.3.1
x-cf-powered-by: WP Rocket 3.2.4
link: https://computingforgeeks.com/wp-json/; rel="https://api.w.org/"
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4ca9f5130d66cb75-MBA
```

And after making the change and restarting Nginx:

```
$ curl -IL https://computingforgeeks.com
HTTP/2 200
date: Sat, 20 Apr 2019 20:44:38 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
link: https://computingforgeeks.com/wp-json/; rel="https://api.w.org/"
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4ca9f5130d66cb75-MBA
```

This confirms that the x-powered-by and x-cf-powered-by headers are no longer present in the output. You can check the same thing in your browser under Inspect > Network > Headers > Response Headers.
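Reading the curl output by eye works for one site, but a repeatable check is more useful when you manage several vhosts or want to catch a regression after a config change. The script below is an added example, not code from the original article: it reads raw response headers (for example piped from `curl -sIL`) on stdin, matches the header names this article hides case-insensitively (HTTP/2 lowercases them, as the output above shows), and exits non-zero when any of them is still present. The list of header names and the helper names are my own choice.

```bash
#!/bin/sh
# Added check (not from the article): report PHP disclosure headers in an
# HTTP response. Works on the raw output of `curl -sIL <url>`, including a
# redirect chain, and strips CRLF so HTTP/1.1 responses parse too.

# The headers the article hides via fastcgi_hide_header (lowercase for matching).
DISCLOSURE_HEADERS="x-powered-by x-cf-powered-by"

# leaked_headers: print every "name: value" line on stdin whose name is in
# DISCLOSURE_HEADERS, compared case-insensitively.
leaked_headers() {
    tr -d '\r' | awk -v names="$DISCLOSURE_HEADERS" '
        BEGIN {
            n = split(names, want, " ")
            for (i = 1; i <= n; i++) wanted[want[i]] = 1
        }
        /^[A-Za-z0-9-]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name in wanted) print $0
        }'
}

# check_headers: exit 0 when no disclosure header is present, 1 otherwise.
check_headers() {
    found=$(leaked_headers)
    if [ -n "$found" ]; then
        printf 'PHP disclosure headers still exposed:\n%s\n' "$found"
        return 1
    fi
    echo "No PHP disclosure headers found"
    return 0
}

# Stand-alone usage: ./check_php_headers.sh https://example.com
# (example.com is a placeholder; the script name is assumed.)
if [ -n "${1:-}" ]; then
    curl -sIL "$1" | check_headers
fi
```

The before/after responses shown above are exactly the kind of input it expects, so `curl -sIL https://yoursite | check_headers` fails until the fastcgi_hide_header lines are in place and Nginx has been restarted.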