添加隐藏header文件

weiliang-ms · weiliang-ms · commit bb1be75a4068 · 2021-10-16T13:05:27.000+08:00
diff --git a/README.md b/README.md
@@ -39,9 +39,21 @@
   - [ ] [upstream开启keepalive](book/03配置调优/09upstream开启keepalive.md)
   - [ ] [尽可能精准配置location](book/03配置调优/10尽可能精准配置location.md)
 - 加固列表
-  - [x] 安装最新版nginx
+  - [x] 安装最新版`nginx`
+  - [x] 使用最新版本`openssl`
   - [x] [使用非特权用户运行nginx](book/04安全加固/02使用非特权用户运行nginx.md)
+  - [x] [隐藏版本信息](book/04安全加固/04隐藏nginx版本信息.md)
   - [ ] [保护敏感资源](book/04安全加固/03保护敏感资源.md)
+  - [ ] ssl加固(TODO)
+  
+
+## TODO
+
+- [ ] 自定义异常页
+- [ ] lua块
+- [ ] waf功能
+- [ ] 全局黑名单
+- [ ] debug
 
 ### 构建介质
 
diff --git a/book/04安全加固/04隐藏nginx版本信息.md b/book/04安全加固/04隐藏nginx版本信息.md
@@ -0,0 +1,22 @@
+### 隐藏版本信息
+[Hide Nginx version number](https://github.com/trimstray/nginx-admins-handbook/blob/master/doc/RULES.md#rationale-39)
+- [更多nginx文档](https://weiliang-ms.github.io/nginx/)
+- [更多linux相关文档](https://weiliang-ms.github.io/wl-awesome/)
+
+> 隐藏版本信息(已内置)
+
+```nginx configuration
+server_tokens off;
+```
+
+> 修改`server`信息(已内置)
+
+```nginx configuration
+more_set_headers "Server: Unknown";
+```
+
+> 错误页
+
+TODO
+
+
diff --git a/book/04安全加固/05配置ACL规则.md b/book/04安全加固/05配置ACL规则.md
diff --git a/book/04安全加固/06隐藏上游代理header头信息.md b/book/04安全加固/06隐藏上游代理header头信息.md
@@ -0,0 +1,45 @@
+### 隐藏上游代理报头
+
+[Hide upstream proxy headers](https://github.com/trimstray/nginx-admins-handbook/blob/master/doc/RULES.md#rationale-41)
+- [更多nginx文档](https://weiliang-ms.github.io/nginx/)
+- [更多linux相关文档](https://weiliang-ms.github.io/wl-awesome/)
+
+当`nginx`被用来反向代理上游服务器(比如一个`PHP-fpm`实例)时，
+隐藏在上游响应中发送的某些报头(比如PHP运行的版本)是有益的。
+
+可以使用`proxy_hide_header`(或Lua模块)来隐藏/删除上游服务器返回到你的`nginx`反向代理(并最终返回到客户端)的头文件。
+
+> 使用方式
+
+代理`http`服务的`location`块添加`include /etc/nginx/conf/conf.d/hide-headers.rule;`配置
+
+```nginx configuration
+upstream ddd-server {
+server 11.11.11.11:80;
+server 11.11.11.12:80; 
+}
+server {
+    listen 8081;
+    location /ddd {
+        include /etc/nginx/conf/conf.d/hide-headers.rule;
+        proxy_pass http://ddd-server;
+    }
+}
+```
+
+`/etc/nginx/conf/conf.d/hide-headers.rule`: 
+
+```nginx configuration
+proxy_hide_header X-Application-Context;
+proxy_hide_header Access-Control-Allow-Origin;
+proxy_hide_header X-Powered-By;
+proxy_hide_header X-AspNetMvc-Version;
+proxy_hide_header X-Drupal-Cache;
+proxy_hide_header X-Powered-By;
+proxy_hide_header Server;
+proxy_hide_header X-AspNet-Version;
+proxy_hide_header X-Drupal-Dynamic-Cache;
+proxy_hide_header X-Generator;
+proxy_hide_header X-Runtime;
+proxy_hide_header X-Rack-Cache;
+```
diff --git a/rpmbuild/SOURCES/conf/conf.d/hide-headers.rule b/rpmbuild/SOURCES/conf/conf.d/hide-headers.rule
@@ -0,0 +1,12 @@
+proxy_hide_header X-Application-Context;
+proxy_hide_header Access-Control-Allow-Origin;
+proxy_hide_header X-Powered-By;
+proxy_hide_header X-AspNetMvc-Version;
+proxy_hide_header X-Drupal-Cache;
+proxy_hide_header X-Powered-By;
+proxy_hide_header Server;
+proxy_hide_header X-AspNet-Version;
+proxy_hide_header X-Drupal-Dynamic-Cache;
+proxy_hide_header X-Generator;
+proxy_hide_header X-Runtime;
+proxy_hide_header X-Rack-Cache;
diff --git a/rpmbuild/SOURCES/conf/conf.d/http.proxy b/rpmbuild/SOURCES/conf/conf.d/http.proxy
@@ -10,16 +10,4 @@ add_header Cache-Control "no-cache, no-store";
 add_header Referrer-Policy "same-origin";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options "nosniff";
-proxy_hide_header X-Application-Context;
-proxy_hide_header Access-Control-Allow-Origin;
-proxy_hide_header X-Powered-By;
-proxy_hide_header X-AspNetMvc-Version;
-proxy_hide_header X-Drupal-Cache;
-proxy_hide_header X-Powered-By;
-proxy_hide_header Server;
-proxy_hide_header X-AspNet-Version;
-proxy_hide_header X-Drupal-Dynamic-Cache;
-proxy_hide_header X-Generator;
-proxy_hide_header X-Runtime;
-proxy_hide_header X-Rack-Cache;
 
