What can a Rails app do to keep a Rails site from being detected by tools like wappalyzer?

bindiry · 2016-07-04 · last reply by mimosa on 2016-07-05 · 3074 views

I was looking at the code in the wappalyzer source that identifies Ruby on Rails.

In other words:

  • How can the Server and X-Powered-By information in the headers of the code below be hidden?
  • How can the format of csrf-param be changed?

"Ruby": {
  "cats": [
    27
  ],
  "headers": {
    "Server": "(?:Mongrel|WEBrick|Ruby)"
  },
  "icon": "Ruby.png",
  "website": "ruby-lang.org"
},
"Ruby on Rails": {
  "cats": [
    18
  ],
  "headers": {
    "Server": "(?:mod_rails|mod_rack|Phusion(?:\\.|_)Passenger)\\;confidence:50",
    "X-Powered-By": "(?:mod_rails|mod_rack|Phusion[\\._ ]Passenger)(?: \\(mod_rails/mod_rack\\))?(?: ?/?([\\d\\.]+))?\\;version:\\1\\;confidence:50"
  },
  "icon": "Ruby on Rails.png",
  "implies": "Ruby",
  "meta": {
    "csrf-param": "authenticity_token\\;confidence:50"
  },
  "script": "/assets/application-[a-z\\d]{32}/\\.js\\;confidence:50",
  "website": "rubyonrails.org"
}

If you use Nginx as a reverse proxy, you can do the following.

Remove the specified headers

more_clear_headers  'Server' 'X-Powered-By';

Set custom headers

more_set_headers "Server: WTF";
more_set_headers "X-Powered-By: FUCK";

Download tengine

# -f fails on an HTTP error instead of saving the error page; -o writes the
# tarball to $HOME, and -C ~ unpacks it there to match the $HOME paths used below.
curl -fL -o ~/tengine-tengine-2.1.2_f.tar.gz http://tengine.taobao.org/download/tengine-tengine-2.1.2_f.tar.gz && \
  tar zxvf ~/tengine-tengine-2.1.2_f.tar.gz -C ~

Download ngx_headers_more

# -L is required here: GitHub answers archive URLs with a redirect, so without
# it curl would save the redirect response instead of the tarball.
curl -fL -o ~/headers-more-nginx-module-0.30.tar.gz https://github.com/openresty/headers-more-nginx-module/archive/v0.30.tar.gz && \
  tar zxvf ~/headers-more-nginx-module-0.30.tar.gz -C ~

Build nginx

# Build tengine with Passenger and headers-more compiled in. rbenv sudo comes
# from the rbenv-sudo plugin and keeps the rbenv Ruby on PATH under sudo.
# The configure flags must be in double quotes, not single quotes: otherwise
# $USER and $HOME are not expanded and the backslash-newlines are passed to
# the configure script as literal text instead of acting as line continuations.
rbenv sudo passenger-install-nginx-module \
  --nginx-source-dir="$HOME/tengine-tengine-2.1.2_f" \
  --extra-configure-flags="--prefix=/usr/local/nginx \
  --sbin-path=/usr/local/sbin \
  --user=$USER --group=$USER \
  --with-ipv6 \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/nginx/nginx.lock \
  --add-module=$HOME/headers-more-nginx-module-0.30" \
  --languages ruby --auto
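To see what the rules quoted in the question actually match, and what the header stripping in the reply above does and does not remove, here is an added example that is not code from either post and not wappalyzer's own code. It re-implements the header and meta rules from the quoted apps.json in Ruby and runs them against constructed responses. The header values, the HTML body and the renamed parameter name "_tk" are made up for the example; it assumes case-insensitive matching and per-rule confidences that add up and are capped at 100, which is how wappalyzer evaluates its patterns.

```ruby
# Added example, not code from the thread or from wappalyzer: a minimal
# re-implementation of the header and meta rules quoted in the question,
# run against constructed responses to show which Rails signals the Nginx
# header stripping from the reply removes and which survive it.

# Patterns copied from the quoted apps.json. wappalyzer appends "\;key:value"
# modifiers (confidence, version) to each regex; they are not part of the
# pattern itself and are split off before compiling.
RAILS_HEADER_RULES = {
  'Server'       => '(?:mod_rails|mod_rack|Phusion(?:\.|_)Passenger)\;confidence:50',
  'X-Powered-By' => '(?:mod_rails|mod_rack|Phusion[\._ ]Passenger)(?: \(mod_rails/mod_rack\))?(?: ?/?([\d\.]+))?\;version:\1\;confidence:50',
}.freeze
RAILS_META_RULES = { 'csrf-param' => 'authenticity_token\;confidence:50' }.freeze

# Split a wappalyzer pattern into [Regexp, { 'confidence' => '50', ... }].
# Assumption: patterns are matched case-insensitively (wappalyzer's 'i' flag).
def parse_pattern(pattern)
  regex_src, *mods = pattern.split('\;')
  modifiers = mods.to_h { |mod| mod.split(':', 2) }
  [Regexp.new(regex_src, Regexp::IGNORECASE), modifiers]
end

# Apply one rule to a value. Returns [confidence, version_or_nil] on a match,
# nil otherwise. A "version:\1" modifier means "capture group 1 is the version".
def apply_rule(pattern, value)
  regex, mods = parse_pattern(pattern)
  match = regex.match(value.to_s)
  return nil unless match
  confidence = (mods['confidence'] || '100').to_i
  version = mods['version']&.gsub(/\\(\d)/) { match[$1.to_i].to_s }
  version = nil if version.to_s.empty?
  [confidence, version]
end

# Pull <meta name="..." content="..."> pairs out of an HTML body (attribute
# order as Rails' csrf_meta_tags emits it; enough for the samples below).
def meta_tags(html)
  html.scan(/<meta\s+name="([^"]+)"\s+content="([^"]*)"/i).to_h
end

# Run every Rails rule over a response and aggregate the way wappalyzer does:
# confidences add up, capped at 100; the first captured version wins.
def fingerprint_rails(headers:, meta:)
  total = 0
  version = nil
  signals = []
  RAILS_HEADER_RULES.each do |name, pattern|
    value = headers.find { |k, _| k.casecmp?(name) }&.last
    next if value.nil?
    hit = apply_rule(pattern, value)
    next unless hit
    total += hit[0]
    version ||= hit[1]
    signals << "header:#{name}"
  end
  RAILS_META_RULES.each do |name, pattern|
    hit = apply_rule(pattern, meta[name])
    next unless hit
    total += hit[0]
    signals << "meta:#{name}"
  end
  { confidence: [total, 100].min, version: version, signals: signals }
end

# Constructed samples (not captured from a real host): an Apache/Passenger
# style Server header, the X-Powered-By header Passenger adds, and the <head>
# that Rails' csrf_meta_tags helper emits.
DEFAULT_HEADERS = {
  'Server'       => 'Apache/2.4.7 (Ubuntu) Phusion_Passenger/4.0.59',
  'X-Powered-By' => 'Phusion Passenger 4.0.59',
  'Content-Type' => 'text/html; charset=utf-8',
}.freeze
BODY = <<~HTML
  <!DOCTYPE html><html><head>
  <meta name="csrf-param" content="authenticity_token" />
  <meta name="csrf-token" content="not-a-real-token" />
  </head><body></body></html>
HTML

# What the reply's `more_clear_headers 'Server' 'X-Powered-By';` leaves behind.
STRIPPED_HEADERS = DEFAULT_HEADERS.reject { |k, _| %w[Server X-Powered-By].include?(k) }.freeze
# The same page with the CSRF parameter renamed (hypothetical name "_tk").
RENAMED_PARAM_BODY = BODY.sub('content="authenticity_token"', 'content="_tk"').freeze

if $PROGRAM_NAME == __FILE__
  [['default deployment', DEFAULT_HEADERS, BODY],
   ['headers stripped by Nginx', STRIPPED_HEADERS, BODY],
   ['headers stripped + csrf-param renamed', STRIPPED_HEADERS, RENAMED_PARAM_BODY]].each do |label, h, b|
    puts "#{label}: #{fingerprint_rails(headers: h, meta: meta_tags(b))}"
  end
end
```

Running it prints the three results. The second shows that clearing the two headers at the proxy only lowers the score from 100 to 50: the csrf-param meta tag that csrf_meta_tags emits still matches, which is the second bullet of the question and is not covered by the Nginx configuration in the reply. Only the third case, with the parameter renamed as well, produces no Rails signal from these rules.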