
Hi, in my Rails application I am using nginx/1.0.6 with Phusion Passenger to host the app. For security reasons, I want to stop showing these headers on the public network. Right now, when I run the following curl command:

curl -I http://domain.name

it gives me the following output:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.9
ETag: "b7da2b7b2fa6349"
X-UA-Compatible: IE=Edge,chrome=1
X-Runtime: 1.193656
Set-Cookie: demand_session=BAh7ByIQX2NzcmZfdG9rZW4iMUVMREdHRDJGcHhnVzhWNTNsRGhGSWRyNmRQbWZZSnpyZGcwbFYx3D%3D--eb470df0951aac0e6612861ef30ed7a699d073a0; path=/; HttpOnly
Cache-Control: max-age=0, private, must-revalidate
Server: nginx/1.0.6 + Phusion Passenger 3.0.9 (mod_rails/mod_rack)

But I want to hide these headers: Server, Set-Cookie, X-Powered-By, X-UA-Compatible, ETag and Cache-Control.


2 Answers

4

Use:

passenger_show_version_in_header off;
server_tokens off;

answered 2013-01-25T09:24:41.263
3

If you are using a proxy, you can use and configure the proxy_hide_header directive from the proxy module like this:

proxy_hide_header X-Powered-By;
proxy_hide_header X-UA-Compatible;
proxy_hide_header X-Runtime;
proxy_hide_header ETag;

# and so on...

But this directive only allows you to hide headers coming from the proxied server. For response headers coming from the main server, not the proxy, you can use the set directive and the variable $sent_http_HEADER, where HEADER is the name of the header you would like to set. Here is an example:

set $sent_http_x_powered_by your_value;
set $sent_http_etag your_value;
set $sent_http_cache_control your_value;

# and so on...

But take two things into consideration:

1. The set directive works only in server, location and if blocks.
2. As you can read in the comments on your question, it is not really a good idea to hide or change some headers like Cache-Control, because they are not only informational but have an impact on how browsers and other user clients work.

answered 2013-01-25T07:01:25.203
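The directives from both answers combined into one http block, as an added example that is not code from either answer or from the question's deployment. It shows the default (weak) settings that produce the headers in the question next to the hardened ones, and why proxy_hide_header only applies when nginx is proxying to a separate app server rather than running the app through the Passenger module. The hostnames, the document root and the upstream address are assumptions for illustration.

```nginx
# Added example, not from the original answers. Fragment of nginx.conf; the
# hostnames, root path and upstream address below are assumptions.

# --- Weak: the defaults behind the headers shown in the question ---
# server_tokens on;                    # Server: nginx/1.0.6
# passenger_show_version_in_header on; # "+ Phusion Passenger 3.0.9" appended to
#                                      # Server, and version in X-Powered-By

# --- Hardened ---
http {
    # Drops the version from the Server header and from nginx error pages.
    # The header becomes "Server: nginx"; stock nginx cannot remove it entirely.
    server_tokens off;

    # Passenger stops adding its version to Server and X-Powered-By.
    passenger_show_version_in_header off;

    # Deployment A: Passenger embedded in nginx (the setup in the question).
    # Responses come from the Passenger module, not from a proxied backend,
    # so proxy_hide_header has no effect here.
    server {
        listen 80;
        server_name domain.name;
        root /var/www/demand/public;   # assumed path
        passenger_enabled on;
    }

    # Deployment B: nginx as a reverse proxy in front of a separate app
    # server. Only here do the response headers arrive from a proxied
    # server, which is what proxy_hide_header filters.
    upstream rails_app {
        server 127.0.0.1:3000;         # assumed app server address
    }

    server {
        listen 80;
        server_name api.domain.name;   # assumed second hostname

        location / {
            proxy_pass http://rails_app;
            proxy_set_header Host $host;

            # Purely informational headers that reveal the stack: safe to drop.
            proxy_hide_header X-Powered-By;
            proxy_hide_header X-Runtime;
            proxy_hide_header X-UA-Compatible;
            proxy_hide_header Status;

            # Deliberately NOT hidden, because clients depend on them:
            #   Set-Cookie    carries the Rails session (demand_session in the
            #                 question); dropping it breaks login.
            #   Cache-Control controls caching by browsers and intermediaries.
            #   ETag          enables conditional GETs (304 Not Modified).
        }
    }
}
```

After reloading, re-run `curl -I http://domain.name` and confirm that Server reads only `nginx` and that X-Powered-By carries no version; if the full version string is still present, the request is being answered by a server block that does not inherit these directives.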