How to hide PHP 5/7 version when using Nginx

last updated in Categories , , , , , , , ,

I am using PHP 5.6.xx and Nginx server on an Apline Linux server. I want to hide ‘X-Powered-By: PHP/5.6.32’ HTTP header. How can I hide PHP version when using Nginx along with PHP-fpm5 or PHP-fpm7?

By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.
Hiding PHP version
Let us see how to hide PHP version on a Linux or Unix-like system.

How to find out PHP version using the CLI

You need to use the curl command as follows:
curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://server1.cyberciti.biz/
Sample outputs:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Dec 2017 04:36:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
Set-Cookie: PHPSESSID=lf9r4cdc1fqrm5l881ia5p52l2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex, noarchive
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Whome: l-cbz01
Referrer-Policy: no-referrer-when-downgrade

Hiding your PHP version

You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version. Here is a quick list:

  1. Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini
  2. Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini
  3. Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini
  4. RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini

You can always find php directory location using php* and grep command:
$ php -i | more
$ php -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'
Sample outputs (look for directory name that stores all .ini files):

Configuration File (php.ini) Path => /etc/php/7.0/fpm
Loaded Configuration File => /etc/php/7.0/fpm/php.ini
Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d
Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini,
/etc/php/7.0/fpm/conf.d/10-opcache.ini,
/etc/php/7.0/fpm/conf.d/10-pdo.ini,

Add the following line to custom.ini as per your setup:

##############################################
## this is for Alpine Linux and PHP v5.6.xx ##
##############################################
echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini

Restart/reload PHP

The syntax depends upon your PHP version:
### [ Alpine linux restart php-fpm ] ##
$ sudo /etc/init.d/php-fpm restart
### [ RHEL/CentOS 5.x/6.x restart php-fpm ] ##
$ sudo service php-fpm restart
### [ RHEL/CentOS 7.x restart php-fpm ] ##
$ sudo systemctl restart php-fpm
### [ Debian/Ubuntu Linux latest restart php-fpm ] ##
$sudo service php7.0-fpm restart
### [ FreeBSD restart php-fpm ] ##
$ sudo service php-fpm restart

Verification

Use the curl command again:
$ curl -IL https://some-server-ip-OR-domain-name/
$ curl -IL https://server1.cyberciti.biz/
Sample outputs:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Dec 2017 05:17:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=6vkcp53a1p99n57lccte9fs0m3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex, noarchive
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Whome: l-cbz01
Referrer-Policy: no-referrer-when-downgrade

You can also use the nmap command as follows:
sudo nmap -sV --script=http-php-version server-ip-here
sudo nmap -sV --script=http-php-version server1.cyberciti.biz
Sample outputs:

[sudo] password for vivek: 
 
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-05 10:58 IST
Nmap scan report for server1.cyberciti.biz (192.168.2.42)
Host is up (0.39s latency).
rDNS record for 192.168.2.42: 42-2-168-192-staging.balancer.nginx.nixcraft.lan
Not shown: 998 closed ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx
|_http-server-header: nginx
443/tcp open  ssl/http nginx
|_http-server-header: nginx
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds

A warning about hiding PHP version

This technique falls under Security Through Obscurity. Even if nobody outside of your org allowed to find out anything about PHP version, an attacker can still guess or find your PHP version using other methods such as fingerprinting. I strongly suggest that you apply PHP/Nginx/Apache patches on time and write secure code. Updating PHP is pretty simple as per your Linux/Unix variant:

Update PHP and other apps on an Ubuntu/Debian Linux

Type the following apt command/apt-get command:
$ sudo apt update
$ sudo apt upgrade

Update PHP and other apps on a RHEL/CentOS/Fedora Linux

Type the following yum command:
$ sudo yum update

Update PHP and other apps on an Alpine Linux

Type the following apk command:
# apk update && apk upgrade

See also

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Tagged as: Tags , , , ,