Yesterday my boss said: "You can tell whether a site's administrator is professional or not just from the information returned in the headers." At the time I was completely baffled. It turns out that when a client connects to an Apache server, Apache normally returns the server version, non-default modules and other such information, which can be exploited by ***. For example:
- Connection close
- Content-Type text/html; charset=UTF-8
- Date Wed, 29 Feb 2012 07:51:08 GMT
- P3P CP="CAO PSA OUR"
- Server Apache/2.2.21 (Unix)
- Transfer-Encoding chunked
- X-Powered-By PHP/5.3.9
Solution:
You can make the following settings in Apache's configuration file so that the information it returns about the server is reduced to a minimum:
# Modify the following in httpd-default.conf; after the change the header will no longer show X-Powered-By PHP/5.3.9
- ServerTokens Prod
- ServerSignature Off
Note: with this setting Apache will still return some server information, for example:
Server: Apache
But this does not affect server security much, because many scanners ignore the header information your server returns when they scan. If you want the server information returned to look like Baidu's:
Server BWS/1.0
then you have to modify the source code.
The specific steps are as follows:
1. Modify a few Apache source files
- Edit: httpd-2.2.21/include/ap_release.h
- #define AP_SERVER_BASEVENDOR "name of the development organisation here, e.g. Microsoft Corp."
- #define AP_SERVER_BASEPRODUCT "name of the server software here, e.g. Microsoft-IIS"
- #define AP_SERVER_MAJORVERSION "major version, e.g. 5"
- #define AP_SERVER_MINORVERSION "minor version, e.g. 0"
- #define AP_SERVER_PATCHLEVEL "patch version, e.g. 1"
- Edit: httpd-2.2.21/os/os2/os.h
- #define PLATFORM "operating system name here, e.g. Win32"
2. Recompile Apache and add the compression module
- cd httpd-2.2.21
- ./configure --prefix=/usr/local/apache --enable-so --enable-expires --enable-mime-magic --enable-threads --enable-rewrite --disable-env --disable-actions --disable-asis --disable-setenvif --disable-version --disable-userdir --disable-authz-groupfile --disable-authn-file --disable-authz-user --disable-include --disable-filter --disable-cgid --disable-cgi --enable-ssl --with-ssl --enable-setenvif --with-mpm=prefork --enable-headers=shared --enable-deflate=shared
- make && make install
Edit httpd.conf and add the following:
- LoadModule deflate_module modules/mod_deflate.so
- LoadModule headers_module modules/mod_headers.so
- <IfModule mod_deflate.c>
- # Enable compression (Apache does not allow a trailing comment on a directive line, so comments go on their own line)
- SetOutputFilter DEFLATE
- # File types not to compress
- SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
- SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
- SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
- # File types to compress
- AddOutputFilterByType DEFLATE text/*
- AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
- # Netscape 4.x has some problems...
- BrowserMatch ^Mozilla/4 gzip-only-text/html
- # Netscape 4.06-4.08 have some more problems
- BrowserMatch ^Mozilla/4\.0[678] no-gzip
- # MSIE masquerades as Netscape, but it is fine
- BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
- # Don't compress images
- SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
- # Make sure proxies don't deliver the wrong content
- Header append Vary User-Agent env=!dont-vary
- </IfModule>
- # The following controls browser cache lifetimes and the related header information
- <IfModule mod_expires.c>
- # Enable browser caching
- ExpiresActive on
- # Set the default expiry to one month
- #ExpiresDefault "access plus 1 month"
- # Not recommended for dynamic sites
- #ExpiresByType text/html "access plus 1 month"
- ExpiresByType text/css "access plus 1 month"
- ExpiresByType image/gif "access plus 1 month"
- ExpiresByType image/x-icon "access plus 1 month"
- ExpiresByType image/jpeg "access plus 1 month"
- ExpiresByType image/jpg "access plus 1 month"
- ExpiresByType image/png "access plus 1 month"
- ExpiresByType application/x-shockwave-flash "access plus 1 month"
- ExpiresByType application/javascript "access plus 1 month"
- Header unset Pragma
- FileETag None
- Header unset ETag
- Header set Cache-Control "private"
- <FilesMatch "\.(js|css|ico|pdf|flv|jpg|jpeg|png|gif|mp3|mp4|swf)$">
- #Header set Expires "Wed, 29 Feb 2012 14:14:00 GMT"
- #Header set Cache-Control must-revalidate,post-check=0,pre-check=0
- Header unset Last-Modified
- </FilesMatch>
- </IfModule>
Result:
- Cache-Control private
- Connection close
- Content-Encoding gzip
- Content-Type text/html; charset=UTF-8
- Date Wed, 29 Feb 2012 07:04:23 GMT
- P3P CP="CAO PSA OUR"
- Server FBS
- Transfer-Encoding chunked
- Vary Accept-Encoding,User-Agent
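To confirm the result on a server you administer, here is a small check script, added as an example and not part of the original post: it reads one response header block (curl's "Name: value" form or the "Name value" form pasted above), flags a Server header that still carries a version and any X-Powered-By header, and assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads an HTTP response
# header block on stdin and reports the two headers the post is about.
# Exit status: 0 = nothing version-revealing found, 1 = something leaks.
audit_headers() {
    awk '
        /^[ \t]*$/ { next }        # blank line: end of headers
        /^HTTP\//  { next }        # status line, not a header
        {
            name = tolower($1); sub(/:$/, "", name)
            value = $0; sub(/^[^ \t]+[ \t]+/, "", value); sub(/\r$/, "", value)
            if (name == "server") {
                # Any "digits.digits" in the value is treated as a version string
                # (a deliberately fake version such as BWS/1.0 is flagged too).
                if (value ~ /[0-9]+\.[0-9]+/) {
                    print "LEAK Server reveals a version: " value; leaks++
                } else {
                    print "INFO Server names the product only: " value
                }
            } else if (name == "x-powered-by") {
                # Emitted by PHP itself, not Apache: php.ini expose_php = Off removes it
                print "LEAK X-Powered-By reveals the application stack: " value; leaks++
            }
        }
        END {
            if (leaks == 0) print "OK no version-revealing headers"
            exit (leaks > 0)
        }
    '
}

# Stand-alone run on constructed sample headers (the "before" state from the post).
# Against a live server you administer: curl -sI http://your.host/ | audit_headers
if [ "${1:-}" = "--demo" ]; then
    printf 'HTTP/1.1 200 OK\nServer: Apache/2.2.21 (Unix)\nX-Powered-By: PHP/5.3.9\nContent-Type: text/html\n\n' | audit_headers
fi
```

If X-Powered-By is still present after the ServerTokens change, it is PHP rather than Apache that sets it; expose_php = Off in php.ini removes it.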
Reference URLs:
- http://yolcy.blog.163.com/blog/static/105307937201022471913971/
- http://hi.baidu.com/%C8%FD%BE%D6%CE%AA%B6%FE/blog/item/30dae1325363ed92a8018e5c.html