diff --git a/sources/tech/20170124 How to Hide PHP Version Number in HTTP Header.md b/sources/tech/20170124 How to Hide PHP Version Number in HTTP Header.md deleted file mode 100644 index 7230fad4f3..0000000000 --- a/sources/tech/20170124 How to Hide PHP Version Number in HTTP Header.md +++ /dev/null @@ -1,101 +0,0 @@ -translating---geeekpi - -How to Hide PHP Version Number in HTTP Header -============================================================ - -The PHP configuration, by default allows the server HTTP response header ‘**X-Powered-By**‘ to display the PHP version installed on a server. - -For server security reasons (though not a major threat to worry about), it is recommended that you disable or hide this information from attackers who might be targeting your server by wanting to know whether you are running PHP or not. - -Assuming a particular version of PHP installed on your server has security holes, and on the other side, attackers get to know this, it will become much easier for them to exploit vulnerabilities and gain access in to the sever through scripts. - -In my previous article, I’ve shown [how to Hide apache version number][1], where you’ve seen how to turn-off apache installed version. But if you are running PHP in your apache web server you need to hide PHP installed version also, and this is what we going show in this article. - -Therefore, in this post, we will explain how to hide or turn-off showing PHP version number in server HTTP response header. - -This setting can be configured in the loaded PHP configuration file. In case you do not know the location of this config file on your server, run the command below to find it: - -``` -$ php -i | grep "Loaded Configuration File" -``` -PHP Configuration File Location -``` ----------------- On CentOS/RHEL/Fedora ---------------- -Loaded Configuration File => /etc/php.ini ----------------- On Debian/Ubuntu/Linux Mint ---------------- -Loaded Configuration File => /etc/php/7.0/cli/php.ini -``` - -Before making any changes to PHP configuration file, I suggest you to first make a backup of your PHP config file like so: - -``` ----------------- On CentOS/RHEL/Fedora ---------------- -$ sudo cp /etc/php.ini /etc/php.ini.orig ----------------- On Debian/Ubuntu/Linux Mint ---------------- -$ sudo cp /etc/php/7.0/cli/php.ini /etc/php/7.0/cli/php.ini.orig -``` - -Then open the file [using your favorite editor][2] with super user privileges like so: - -``` ----------------- On CentOS/RHEL/Fedora ---------------- -$ sudo vi /etc/php.ini ----------------- On Debian/Ubuntu/Linux Mint ---------------- -$ sudo vi /etc/php/7.0/cli/php.ini -``` - -Locate the keyword `expose_php` and set its value to **Off**: - -``` -expose_php = off -``` - -Save the file and exit. Afterwards, restart the web server as follows: - -``` ----------------- On SystemD ---------------- -$ sudo systemctl restart httpd -$ sudo systemctl restart apache2 ----------------- On SysVInit ---------------- -$ sudo service httpd restart -$ sudo service apache2 restart -``` - -Last but not least, check if the server HTTP response header is still showing your PHP version number using the command below. - -``` -$ lynx -head -mime_header http://localhost -OR -$ lynx -head -mime_header http://server-address -``` - -where the flags: - -1. `-head` – sends a HEAD request for the mime headers. -2. `-mime_header` – prints the MIME header of a fetched document together with its source. - -**Note**: Make sure you have [lynx – command-line web browser][3] installed on your system. - -That’s it! In this article, we explained how to hide PHP version number in server HTTP response header in order to secure a web server from possible attacks. You can add an opinion to this post or perhaps ask any related question via the comment form below. - --------------------------------------------------------------------------------- - -作者简介: - -Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge. - ---------------------------------------------------------------------------------- - - -via: http://www.tecmint.com/hide-php-version-http-header/ - -作者:[Aaron Kili][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/aaronkili/ -[1]:http://www.tecmint.com/hide-apache-web-server-version-information/ -[2]:http://www.tecmint.com/linux-command-line-editors/ -[3]:http://www.tecmint.com/command-line-web-browsers/ diff --git a/translated/tech/20170124 How to Hide PHP Version Number in HTTP Header.md b/translated/tech/20170124 How to Hide PHP Version Number in HTTP Header.md new file mode 100644 index 0000000000..f3272f7f87 --- /dev/null +++ b/translated/tech/20170124 How to Hide PHP Version Number in HTTP Header.md @@ -0,0 +1,99 @@ +如何在 HTTP 头中隐藏 PHP 版本号 +============================================================ + +PHP 配置默认允许服务器在 HTTP 响应头 “**X-Powered-By**” 显示安装在服务器上的 PHP 版本。 + +出于服务器安全原因(虽然不是主要的要担心的威胁),建议你禁用或隐藏此信息,避免那些针对你的服务器的攻击者知道你是否运行了 PHP。 + +假设你服务器上安装的特定版本的 PHP 具有安全漏洞,另一方面,攻击者可以了解这一点,他们将更容易利用漏洞并通过脚本访问服务器。 + +在我以前的文章中,我已经展示了[如何隐藏 apache 版本号][1],在那里你已经看到如何不再显示 apache 的安装版本。但是如果你在你的 apache 服务器上运行 PHP,你需要隐藏 PHP 的安装版本,这我们将在本文中展示。 + +因此,在本文中,我们将解释如何隐藏或关闭服务器 HTTP 响应头中的 PHP 版本号。 + +此设置可以在加载的 PHP 配置文件中配置。如果你不知道此配置文件在服务器上的位置,请运行以下命令找到它: + +``` +$ php -i | grep "Loaded Configuration File" +``` +PHP 配置文件位置 +``` +---------------- 在 CentOS/RHEL/Fedora 上---------------- +Loaded Configuration File => /etc/php.ini +---------------- 在 Debian/Ubuntu/Linux Mint 上---------------- +Loaded Configuration File => /etc/php/7.0/cli/php.ini +``` + +在对 PHP 配置文件进行任何更改之前,我建议您首先备份您的 PHP 配置文件,如下所示: + +``` +----------------在 CentOS/RHEL/Fedora 上---------------- +$ sudo cp /etc/php.ini /etc/php.ini.orig +---------------- 在 Debian/Ubuntu/Linux Mint 上---------------- +$ sudo cp /etc/php/7.0/cli/php.ini /etc/php/7.0/cli/php.ini.orig +``` + +[用你最喜欢的编辑器][2],使用超级用户权限打开文件: + +``` +---------------- 在 CentOS/RHEL/Fedora 上---------------- +$ sudo vi /etc/php.ini +----------------在 Debian/Ubuntu/Linux Mint 上---------------- +$ sudo vi /etc/php/7.0/cli/php.ini +``` + +定位到关键词 `expose_php`,并将值设置成 **Off**: + +``` +expose_php = off +``` + +保存并退出文件。在这之后,重启 web 服务器: + +``` +---------------- 使用 SystemD ---------------- +$ sudo systemctl restart httpd +$ sudo systemctl restart apache2 +---------------- 使用 SysVInit ---------------- +$ sudo service httpd restart +$ sudo service apache2 restart +``` + +最后但并非不重要,使用下面的命令检查服务器 HTTP 响应头是否仍然显示你的 PHP 版本号。 + +``` +$ lynx -head -mime_header http://localhost +或者 +$ lynx -head -mime_header http://server-address +``` + +这里的标志是: + +1. `-head` – 发送对 mime 报头的 HEAD 请求。 +2. `-mime_header` – 打印所提取文档的 MIME 标头及其来源。 + +**注意**: 确保你系统中已经安装了 [lynx- 命令行 web 浏览器][3]。 + +就是这样了!在本文中,我们解释了如何隐藏服务器 HTTP 响应头中的 PHP 版本号以保护 web 服务器免受可能的攻击。你可以在下面的评论栏中留下你的想法或者相关的问题。 + +-------------------------------------------------------------------------------- + +作者简介: + +Aaron Kili 是 Linux 和 F.O.S.S 爱好者,将来的 Linux SysAdmin 及 web 开发者,目前是 TecMint 的内容创作者,他喜欢用电脑工作,并坚信分享知识。 + +--------------------------------------------------------------------------------- + + +via: http://www.tecmint.com/hide-php-version-http-header/ + +作者:[Aaron Kili][a] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/aaronkili/ +[1]:http://www.tecmint.com/hide-apache-web-server-version-information/ +[2]:http://www.tecmint.com/linux-command-line-editors/ +[3]:http://www.tecmint.com/command-line-web-browsers/