Rails 用什么方法可以防止 Rails 站被 wappalyzer 类的工具发现?
看到 wappalyzer 源码里关于 Ruby on Rails 的设别代码。
换句许说:
- 用什么方法将下面代码里 headers 里的 Server 和 X-Powered-By 的信息隐藏掉?
- 用什么方法修改
csrf-param的格式?
"Ruby": {
"cats": [
27
],
"headers": {
"Server": "(?:Mongrel|WEBrick|Ruby)"
},
"icon": "Ruby.png",
"website": "ruby-lang.org"
},
"Ruby on Rails": {
"cats": [
18
],
"headers": {
"Server": "(?:mod_rails|mod_rack|Phusion(?:\\.|_)Passenger)\\;confidence:50",
"X-Powered-By": "(?:mod_rails|mod_rack|Phusion[\\._ ]Passenger)(?: \\(mod_rails/mod_rack\\))?(?: ?/?([\\d\\.]+))?\\;version:\\1\\;confidence:50"
},
"icon": "Ruby on Rails.png",
"implies": "Ruby",
"meta": {
"csrf-param": "authenticity_token\\;confidence:50"
},
"script": "/assets/application-[a-z\\d]{32}/\\.js\\;confidence:50",
"website": "rubyonrails.org"
}
如果你用 Nginx 做反向代理的话可以用下面的方法
去掉指定 Headers
more_clear_headers 'Server' 'X-Powered-By';
自定义 Headers
more_set_headers "Server: WTF";
more_set_headers "X-Powered-By: FUCK";
Download tengine
curl http://tengine.taobao.org/download/tengine-tengine-2.1.2_f.tar.gz >> ~/tengine-tengine-2.1.2_f.tar.gz &&\
tar zxvf tengine-tengine-2.1.2_f.tar.gz
Download ngx_headers_more
curl https://github.com/openresty/headers-more-nginx-module/archive/v0.30.tar.gz >> ~/headers-more-nginx-module-0.30.tar.gz &&\
tar zxvf headers-more-nginx-module-0.30.tar.gz
Build nginx
rbenv sudo passenger-install-nginx-module \
--nginx-source-dir=$HOME/tengine-tengine-2.1.2_f \
--extra-configure-flags=' --prefix=/usr/local/nginx \
--sbin-path=/usr/local/sbin \
--user=$USER --group=$USER \
--with-ipv6 \
--with-http_v2_module \
--with-http_stub_status_module \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx/nginx.lock \
--add-module=$HOME/headers-more-nginx-module-0.30' \
--languages ruby --auto