海运的博客

Squid安全设置隐藏版本及Header信息

发布时间:August 4, 2012 // 分类:Squid // No Comments

配置文件ACL后添加:

header_access X-Cache deny all
header_access X-Squid-Error deny all
header_access Via deny all
header_access Server deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all

其它Header也可隐藏:

Accept         HTTP_ACCEPT
Accept-Charset         HTTP_ACCEPT-CHARSET
Accept-Encoding         HTTP_ACCEPT-ENCODING
Accept-Language         HTTP_ACCEPT-LANGUAGE
Accept-Ranges         HTTP_ACCEPT-RANGES
Age         HTTP_AGE
Allow         HTTP_ALLOW
Authorization         HTTP_AUTHORIZATION
Cache-Control         HTTP_CACHE-CONTROL
Connection         HTTP_CONNECTION
Content-Base         HTTP_CONTENT-BASE
Content-Disposition         HTTP_CONTENT-DISPOSITION
Content-Encoding         HTTP_CONTENT-ENCODING
Content-Language         HTTP_CONTENT-LANGUAGE
Content-Length         HTTP_CONTENT-LENGTH
Content-Location         HTTP_CONTENT-LOCATION
Content-MD5         HTTP_CONTENT-MD5
Content-Range         HTTP_CONTENT-RANGE
Content-Type         HTTP_CONTENT-TYPE
Cookie         HTTP_COOKIE
Date         HTTP_DATE
ETag         HTTP_ETAG
Expires         HTTP_EXPIRES
From         HTTP_FROM
Host         HTTP_HOST
If-Match         HTTP_IF-MATCH
If-Modified-Since         HTTP_IF-MODIFIED-SINCE
If-None-Match         HTTP_IF-NONE-MATCH
If-Range         HTTP_IF-RANGE
Last-Modified         HTTP_LAST-MODIFIED
Link         HTTP_LINK
Location         HTTP_LOCATION
Max-Forwards         HTTP_MAX-FORWARDS
Mime-Version         HTTP_MIME-VERSION
Pragma         HTTP_PRAGMA
Proxy-Authenticate         HTTP_PROXY-AUTHENTICATE
Proxy-Authentication-Info         HTTP_PROXY-AUTHENTICATION-INFO
Proxy-Authorization         HTTP_PROXY-AUTHORIZATION
Proxy-Connection         HTTP_PROXY-CONNECTION
Public         HTTP_PUBLIC
Range         HTTP_RANGE
Referer         HTTP_REFERER
Request-Range         HTTP_REQUEST-RANGE
Retry-After         HTTP_RETRY-AFTER
Server         HTTP_SERVER
Set-Cookie         HTTP_SET-COOKIE
Title         HTTP_TITLE
Transfer-Encoding         HTTP_TRANSFER-ENCODING
Upgrade         HTTP_UPGRADE
User-Agent         HTTP_USER-AGENT
Vary         HTTP_VARY
Via         HTTP_VIA
Warning         HTTP_WARNING
WWW-Authenticate         HTTP_WWW-AUTHENTICATE
Authentication-Info         HTTP_AUTHENTICATION-INFO
X-Cache         HTTP_X-CACHE
X-Cache-Lookup         HTTP_X-CACHE-LOOKUP
X-Forwarded-For         HTTP_X-FORWARDED-FOR
X-Request-URI         HTTP_X-REQUEST-URI
X-Squid-Error         HTTP_X-SQUID-ERROR
Negotiate         HTTP_NEGOTIATE
X-Accelerator-Vary         HTTP_X-ACCELERATOR-VARY
Other:         HTTP_OTHER:

Squid3.0版本使用参数:

reply_header_access Server deny all
reply_header_access X-Cache deny all
reply_header_access Warning deny all
reply_header_access Expires deny all
reply_header_access Cache-Control deny all
reply_header_access age deny all

参考:http://bbs.linuxtone.org/thread-131-1-1.html

HTTP代理级别及检测是否使用代理

发布时间:July 1, 2012 // 分类:PHP // No Comments

透明代理,Transparent Proxies

REMOTE_ADDR = 代理服务器 IP
HTTP_VIA = 代理服务器 IP (补充:这个字段由代理服务器填充,有时会填充网关信息等)
HTTP_X_FORWARDED_FOR = 您的真实 IP

匿名代理,Anonymous Proxies

REMOTE_ADDR = 代理服务器 IP
HTTP_VIA = 代理服务器 IP (补充:这个字段由代理服务器填充,有时会填充网关信息等)
HTTP_X_FORWARDED_FOR = 代理服务器 IP

高匿名代理,High Anonymity Proxies/Elite Proxies
REMOTE_ADDR = 代理服务器 IP
HTTP_VIA = 没数值或不显示
HTTP_X_FORWARDED_FOR = 没数值或不显示
PHP检测客户端是否使用代理:

<?php
header("Content-type: text/html; charset=utf-8");
if(!empty($_SERVER['HTTP_VIA']))    //使用了代理
{
  if(!isset($_SERVER['HTTP_X_FORWARDED_FOR']))
  {
    echo "Anonymous Proxies    普通匿名代理服务器";
    //代理IP地址为 $_SERVER['REMOTE_ADDR']
  }
  else
  {
    echo "Transparent Proxies 透明代理服务器";
    //代理IP地址为 $_SERVER['REMOTE_ADDR']
    //真实ip地址为 $_SERVER['HTTP_X_FORWARDED_FOR']
  }
}
else    
{
  echo "没有代理或者是高匿名代理";
  //真实ip地址为 $_SERVER['REMOTE_ADDR']
}

Nginx编译安装more_set_headers模块自定义head头信息

发布时间:May 9, 2012 // 分类:Nginx // No Comments

通过服务器的head头可以得到服务器的很多信息,这给服务器安全带来很大隐患,如:

curl -I https://www.haiyun.me
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.15
Date: Fri, 10 Feb 2012 10:43:42 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17p1
location: forum.php

Nginx可以编译添加第三方模块more_set_headers来自定义或清除相关head信息。

cd /usr/local/src/
wget http://nginx.org/download/nginx-1.0.15.tar.gz
tar zxvf nginx-1.0.15.tar.gz
cd nginx-1.0.15
wget -O header.zip --no-check-certificate https://github.com/agentzh/headers-more-nginx-module/zipball/v0.17rc1
unzip header.zip 
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-\
http_ssl_module --with-http_gzip_static_module --add-module=./agentzh-headers-more-nginx-module-3580526/
make && make install

应用示例,清除服务器及php信息,在配置文件http段添加以下:

more_clear_headers "X-Powered-By:";
more_clear_headers "Server:";

重新加载配置文件:

/etc/init.d/nginx reload

查看当前head头信息:

curl -I https://www.haiyun.me
HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Feb 2012 10:58:38 GMT
Content-Type: text/html
Connection: keep-alive
location: forum.php

现在nginx及php信息都没了,当然也可自定义为其它信息。

分类
最新文章
最近回复
  • 海运: 地址格式和udpxy一样,udpxy和msd_lite能用这个就能用。
  • 1: 怎么用 编译后的程序在家里路由器内任意一台设备上运行就可以吗?比如笔记本电脑 m参数是笔记本的...
  • 孤狼: ups_status_set: seems that UPS [BK650M2-CH] is ...
  • 孤狼: 擦。。。。apcupsd会失联 nut在冲到到100的时候会ONBATT进入关机状态,我想想办...
  • 海运: 网络,找到相应的url编辑重发请求,firefox有此功能,其它未知。
  • knetxp: 用浏览器F12网络拦截或监听后编辑重发请求,修改url中的set为set_super,将POS...
  • Albert: 啊啊啊啊啊啊啊啊啊 我太激动了,终于好了英文区搜索了半天,翻遍了 pve 论坛没找到好方法,博...
  • jiangker: good, very helpful to me
  • fengfeng: N1 armbian 能有编译下内核吗。。我要开启can 不懂怎么操作
  • 1: 方法一ngtcp2要改下:./configure PKG_CONFIG_PATH=/usr/l...