Apache Web Optimization and Security Hardening (page compression; web cache; hotlink protection; hiding version information)

Source: Internet
Author: User

1. Web compression

The speed at which a website is accessed is determined by a number of factors, including:

1) response speed of the application

2) network bandwidth

3) server performance

4) network transfer speed to and from the client, etc.

The most important of these is the response speed of Apache itself, so the first step in improving website performance is to make Apache execute as fast as possible. Web compression increases the speed of the application at no cost.

Apache's Compression module

Apache 2.x ships with the mod_deflate module, which uses the gzip compression algorithm. The DeflateCompressionLevel directive of mod_deflate sets the compression level. Its value is an integer from 1 (fastest compression, lowest compression quality) to 9 (slowest compression, highest compression quality); the default is 6 (a balance between compression speed and compression quality).

(1) First, compile and install Apache from the source package

yum -y remove httpd   # remove the system's bundled httpd before compiling and installing

tar xzvf httpd-2.4.2.tar.gz -C /opt   # unpack the source package

tar xzvf apr-util-1.4.1.tar.gz -C /opt   # unpack the dependency package

tar xzvf apr-1.4.6.tar.gz -C /opt   # unpack the dependency package; APR gives Apache's upper layers cross-platform support, provides the low-level interface library, and effectively eases the load of concurrent connection processes

cd /opt

cp -r apr-1.4.6/ httpd-2.4.2/srclib/apr

cp -r apr-util-1.4.1/ httpd-2.4.2/srclib/apr-util

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel   # install the packages that make up the build environment

cd httpd-2.4.2/   # enter the httpd directory to configure, compile and install

# --prefix sets the httpd install directory; --enable-deflate adds the mod_deflate module
./configure \
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi

make && make install   # compile and install

cd /usr/local/httpd

grep -v "#" bin/apachectl > /etc/init.d/httpd   # streamline startup so the Apache service can be managed with the service command

vim /etc/init.d/httpd

Add the required header comments to the Apache startup script:

#!/bin/bash

#chkconfig: 2345

#description: Apache is a Web server

chmod 755 /etc/init.d/httpd

chkconfig --add httpd   # set the Apache service to start at boot

chkconfig httpd on

ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf   # create a link in /etc to the Apache main configuration file for easy administration

(2) Build the website www.benet.com, and set up a DNS service to resolve the domain name.

vim /etc/httpd.conf

vim /etc/named.conf

vim /etc/named.rfc1912.zones

service named start

You can modify the content of the Apache site's home page and add an image:

vim /usr/local/httpd/htdocs/index.html

Enter www.benet.com in the browser to access the page, then capture the traffic with the Fiddler packet-capture tool.

The capture shows that the content is not compressed before the mod_deflate module is enabled.

(3) Enable the mod_deflate module

After compiling and installing, the mod_deflate module must be enabled in the httpd.conf file to take effect.

vim /etc/httpd.conf

# Enable the modules
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so

At the end of the httpd.conf configuration file, add the mod_deflate configuration.

<IfModule mod_deflate.c>
# Content types to gzip-compress
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript
# Compression level
DeflateCompressionLevel 9
# Enable the DEFLATE filter so this site's output is gzip-compressed
SetOutputFilter DEFLATE
</IfModule>

After modifying the configuration file, check that the mod_deflate module is loaded, then start the Apache service.

cd /usr/local/httpd/bin

./apachectl -t -D DUMP_MODULES | grep "deflate"

service httpd start

(4) Test that mod_deflate compression is in effect

Open the Fiddler capture tool and access the Apache server page in the browser. The response headers contain Content-Encoding: gzip, indicating that compression has taken effect.

2. Web cache

Web caching stores pages, or parts of pages, that do not change or change only rarely. The next time the browser visits them it does not need to download them again, which speeds up access for the user.

Apache's mod_expires module automatically generates the Expires and Cache-Control headers in the response, and the client browser uses them to decide that the next visit should fetch the page from the local machine's cache without making a request to the server. This reduces the frequency and number of client requests, cutting unnecessary traffic and increasing access speed.

The steps for configuring the mod_expires module are similar to those for the mod_deflate module.

Before enabling mod_expires, open www.benet.com in the browser and capture the traffic with Fiddler to see whether an Expires cache header is set, so that you can compare it with the result after mod_expires is enabled.

(1) Installing the mod_expires module

Building on the Apache source package installed above, first stop the Apache service, then add the mod_expires module and recompile and reinstall.

service httpd stop

cd /opt/httpd-2.4.2/

# --enable-deflate adds the mod_deflate module; --enable-expires adds the mod_expires module
./configure \
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-expires \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi

make && make install   # compile and install

(2) Configuring the mod_expires module

vim /etc/httpd.conf

# Enable the mod_expires module
LoadModule expires_module modules/mod_expires.so

Add the mod_expires settings at the end of httpd.conf

<IfModule mod_expires.c>
ExpiresActive On
# Cache lifetime of 60 seconds
ExpiresDefault "access plus 60 seconds"
</IfModule>

Then restart the Apache service

service httpd restart

(3) Test that the cache is in effect

Open the Fiddler capture tool and access the Apache server page in the browser. The response headers contain the Expires item, indicating that the cache is working.

3. Hotlink protection

Beyond performance tuning, Apache's default settings also need security hardening. A site that hosts no images of its own can still show images on its pages by linking to image files on other websites. Such sites use other sites' resources to display content to visitors and increase their own traffic, and most visitors do not notice. Some unscrupulous sites, to avoid the cost of expanding their own content, routinely hotlink to other sites' resources. This harms the legitimate interests of the source website and adds load to its server, so hotlink protection needs to be set up.

Environment:

1) The client runs Windows, has IP address 192.168.30.100, and hosts the hotlinking website www.test.com

2) The source host runs Red Hat 6.5, has IP address 192.168.30.15, and hosts the source website www.benet.com

(1) On the client, build the hotlinking website www.test.com, and add the IP address and domain name mappings above to the hosts file

Open Internet Information Services Manager

Open IIS and configure the site

Create a new file containing HTML whose image reference points to the source host, save it with an .html extension, and put it in the site's wwwroot

Add the mappings to the hosts file

Enter www.benet.com and www.test.com in the browser; the image shown is the same on both.

Capturing the traffic with Fiddler, you can see the request to www.test.com followed by the request to www.benet.com/abc.jpg, which shows that hotlinking succeeded.

(2) Apache hotlink protection configuration

If the mod_rewrite module is not installed, you need to stop the Apache service, recompile and reinstall, and add the mod_rewrite module to the configure parameters.

cd /opt/httpd-2.4.2/

# --enable-rewrite adds the mod_rewrite module
./configure \
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi

make && make install

(3) Enable the mod_rewrite module

vim /etc/httpd.conf

Add the rewrite settings at the end of the site's Directory block

<Directory "/usr/local/httpd/htdocs">
........................................................
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://benet.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://benet.com/$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.benet.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.benet.com/$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.benet.com/error.png
</Directory>

The net effect: the second through fifth lines define the trusted sites, which are allowed to use this site's images. Requests that do not come from a trusted site for files ending in gif, jpg or swf jump to the redirect page.

Restart the Apache service

(4) Test that mod_rewrite redirection is in effect

Clear the browser's cache so that content is not read from the local cache, move the image error.png into the site directory /usr/local/httpd/htdocs, and visit the website again.
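The decision made by the rewrite block above can be modelled offline to see which requests it redirects. This is an added example, not part of the original article; the function name hotlink_decision and the test cases are constructed, and the patterns are copied from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original article: models the page's rewrite block.
# Prints "serve" or "redirect" for a Referer value ($1, may be empty) and a path ($2).
hotlink_decision() {
    referer=$1; path=$2
    # RewriteRule pattern: only gif, jpg and swf requests are candidates for redirection.
    printf '%s\n' "$path" | grep -Eq '.*\.(gif|jpg|swf)$' || { echo serve; return 0; }
    # The four RewriteCond patterns; [NC] makes each match case-insensitive.
    for pat in '^http://benet.com/.*$' '^http://benet.com/$' \
               '^http://www.benet.com/.*$' '^http://www.benet.com/$'; do
        if printf '%s\n' "$referer" | grep -Eiq "$pat"; then
            echo serve; return 0    # one negated condition failed, so the rule is skipped
        fi
    done
    echo redirect                   # every "!pattern" condition held
}

# Constructed test cases, one per line: Referer|path
while IFS='|' read -r ref path; do
    printf '%-36s %-10s -> %s\n' "${ref:-none}" "$path" "$(hotlink_decision "$ref" "$path")"
done <<'EOF'
http://www.benet.com/index.html|abc.jpg
http://www.test.com/index.html|abc.jpg
|abc.jpg
https://www.benet.com/index.html|abc.jpg
http://www.test.com/index.html|error.png
EOF
```

The last three rows are the ones to check before deploying: a request with no Referer and a Referer from the site's own pages over https are both redirected, while error.png is not matched by the rule, so the redirect target itself is always served.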

4. Hiding version information

In general, vulnerability information for software is tied to specific versions, so the software version number is very valuable to an attacker. With the Fiddler capture tool you can see the Apache version.

If an attacker or someone with ulterior motives obtains the Apache version information, they can mount a targeted attack and cause great loss to the site. We therefore hide the Apache version number to reduce the risk of attack and keep the server running safely.

Modify the httpd.conf configuration file so that the httpd-default.conf file takes effect; that file contains the setting for whether version information is returned.

Then modify the httpd-default.conf file

Restart the Apache service, visit the web page again, and capture the traffic with Fiddler. You can see that the version information is hidden.
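The three header checks this article performs with Fiddler (Content-Encoding in section 1, Expires in section 2, the Server version in section 4) can also be scripted. The following is an added example, not part of the original article; the function name audit_headers and the sample headers are constructed, and the "after" sample assumes the httpd-default.conf change leaves a bare "Server: Apache" value, as ServerTokens Prod would.

```shell
#!/bin/sh
# Added example, not from the original article. Sample headers are constructed.

# Read raw HTTP response headers on stdin and print one finding per line.
audit_headers() {
    tr -d '\r' | awk '
        {
            i = index($0, ":"); if (i == 0) next      # skip the status line
            name = tolower(substr($0, 1, i - 1))      # header names are case-insensitive
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            if (name == "content-encoding") enc = tolower(val)
            if (name == "expires" || name == "cache-control") cache = 1
            if (name == "server") srv = val
        }
        END {
            print "compression: " (enc ~ /gzip|deflate/ ? "on" : "off")
            print "caching: " (cache ? "on" : "off")
            if (srv == "") print "server: absent"
            else if (srv ~ /[0-9]+\.[0-9]+/) print "server: version exposed"
            else print "server: version hidden"
        }'
}

# Constructed response before any of the changes in this article.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.2 (Unix)
Content-Type: text/html
Content-Length: 4512'

# Constructed response after mod_deflate, mod_expires and version hiding
# (assumption: the Server value is reduced to the product name only).
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Encoding: gzip
Cache-Control: max-age=60
Expires: Thu, 01 Jan 2015 00:01:00 GMT
Content-Type: text/html'

echo "== before =="; printf '%s\n' "$BEFORE" | audit_headers
echo "== after ==";  printf '%s\n' "$AFTER"  | audit_headers
# Against the live site:
#   curl -s -D - -o /dev/null -H 'Accept-Encoding: gzip' http://www.benet.com/ | audit_headers
```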
