Apache Web pages and security

1, Apache Web page optimization

1. Web page compression

The access speed of a website is determined by many factors, including the response speed of the application, network bandwidth, server performance, and the network transmission speed to the client.
One of the most important factors is the response speed of Apache itself. Therefore, when website performance is a concern, the first thing to do is to improve Apache's execution speed as much as possible. Web page compression can improve the speed of the application. Importantly, it costs nothing to deploy, although it slightly increases server CPU utilization, by one or two percentage points or less.
 

1.1 gzip overview

gzip is a popular file compression algorithm that is widely used, especially on Linux platforms.
Using the gzip module in Apache, we can compress the web content published by the Apache server with the gzip algorithm and then transmit it to the client browser. This compression reduces the number of bytes transmitted over the network. The most obvious advantage is that it speeds up the loading of web pages.
 

1.2 HTTP compression process

After receiving the HTTP request from the browser, the Web server first checks whether the browser supports HTTP compression (the Accept-Encoding information in the request). If the browser supports HTTP compression, the Web server checks the suffix of the requested file. If the requested file is a static file such as HTML or CSS, the Web server checks the compressed cache directory to see whether an up-to-date compressed copy of the requested file already exists.
If the compressed copy does not exist, the Web server returns the uncompressed file to the browser and stores a compressed copy of it in the compressed cache directory.
If an up-to-date compressed copy already exists, that compressed copy is returned directly.
If the requested file is a dynamic file, the Web server compresses the content on the fly and returns it to the browser, but the compressed content is not stored in the compressed cache directory.
 

1.3 mod_deflate module

  • Check whether the mod_deflate module is installed
apachectl -t -D DUMP_MODULES | grep "deflate"
  • If the mod_deflate module is not installed, stop the Apache service, recompile and install Apache, and add the mod_deflate module to the configure parameters
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate				         #Add mod_deflate module

make -j 4 && make install
  • Enable and configure the mod_deflate module

vim /usr/local/httpd/conf/httpd.conf
#Line 52: modify
Listen 192.168.10.20:80
#Line 105: uncomment to enable the mod_deflate module
LoadModule deflate_module modules/mod_deflate.so
#Line 197: uncomment and modify
ServerName www.test.com:80
--Add at the end of the file--
<IfModule mod_deflate.c>
#Content types for which gzip compression is enabled
#(text/jpg and text/png are not registered MIME types; JPEG and PNG files are served as image/jpeg and image/png, so these two entries never match)
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript text/jpg text/png
#Compression level, ranging from 1 to 9
DeflateCompressionLevel 9
#Enable the deflate module to gzip-compress the output of this site
SetOutputFilter DEFLATE
</IfModule>
  • Check the httpd.conf syntax and check whether the module is installed
    apachectl -t			#Verify that the configuration file syntax is correct
    apachectl -t -D DUMP_MODULES | grep "deflate"		#Check whether the mod_deflate module is installed
    deflate_module (shared)		#Expected output when the module is installed

    systemctl restart httpd.service		#Restart the service
    

2. Web page cache

2.1 general

Web page caching stores pages that rarely or never change. The next time the browser visits these pages, it does not need to download them again, which improves access speed for the user.
Apache's mod_expires module automatically generates the Expires and Cache-Control headers in the response. Based on these headers, the client browser serves the next visit from its local cache without sending another request to the server, which reduces the number of client requests, cuts unnecessary traffic and increases access speed.

2.2 configure web page cache

The steps for configuring the mod_expires module are similar to those for the mod_deflate module.

  • Check whether the mod_expires module is installed
    apachectl -t -D DUMP_MODULES | grep "expires"
    

  • If the mod_expires module is not installed, stop the Apache service, recompile and install Apache, and add the mod_expires module to the configure parameters
    systemctl stop httpd.service
    cd /usr/local/httpd/conf
    mv httpd.conf httpd.conf.bak1                 #Rename backup
    
    yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
    cd /opt/httpd-2.4.29/
    ./configure \
    --prefix=/usr/local/httpd \
    --enable-so \
    --enable-rewrite \
    --enable-charset-lite \
    --enable-cgi \
    --enable-deflate \
    --enable-expires							 #Add mod_expires module
    
    make -j 4 && make install
    

  • Configure the mod_expires module
vim /usr/local/httpd/conf/httpd.conf
#Line 52: modify
Listen 192.168.10.20:80
#Line 111: uncomment to enable the mod_expires module
LoadModule expires_module modules/mod_expires.so
#Line 199: uncomment and modify
ServerName www.test.com:80
--Add at the end of the file--
<IfModule mod_expires.c>
  #Turn on web page caching
  ExpiresActive On
  #Cache for 50 seconds
  ExpiresDefault "access plus 50 seconds"
</IfModule>

2, Apache security optimization

1. Hotlink protection (anti-leeching)

1.1 general

Generally speaking, when we browse a complete page, it is not transmitted to the client all at once. If the requested page contains pictures or other resources, the first HTTP request transfers the text of the page, which the client's browser then interprets and executes. If the page contains pictures, the browser sends another HTTP request, and after that request is processed the picture file is transmitted to the client. Finally, the browser places the picture in the correct position on the page. In this way, a complete page is displayed only after several HTTP requests have been sent.

  • The HTTP standard defines a dedicated Referer field. Its functions are as follows:
    ① It makes it possible to trace the address the request came from.
    ② For a resource file, it identifies the address of the web page that contains it. Therefore, all hotlink protection methods are based on this Referer field.

1.2 hotlink protection configuration

Apache hotlink protection requires the mod_rewrite module to be installed.

  • Check whether the mod_rewrite module is installed
    apachectl -t -D DUMP_MODULES | grep "rewrite"

  • If the mod_rewrite module is not installed, recompile and install Apache, adding the mod_rewrite module
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak2

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
#--enable-rewrite adds the mod_rewrite module
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires

make -j 4 && make install
  • Enable and configure the mod_rewrite module
vim /usr/local/httpd/conf/httpd.conf
#Line 157: uncomment
LoadModule rewrite_module modules/mod_rewrite.so
#Line 224
<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted

  #Turn on the rewrite function; the lines from here on are the mod_rewrite content to add
  RewriteEngine On
  #Set the matching rules
  RewriteCond %{HTTP_REFERER} !^http://heihei.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://heihei.com$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/$ [NC]
  #Set the redirect action
  RewriteRule .*\.(gif|jpg|swf)$ http://www.heihei.com/error.png
</Directory>
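
How the rule set above decides, as an added example that is not part of the original post: the Python below re-implements the four RewriteCond patterns and the RewriteRule pattern and runs them over constructed requests. The sample paths and the other.example host are assumptions made for illustration.

```python
import re

# The four RewriteCond patterns from the configuration above ([NC] = ignore case).
ALLOWED_REFERERS = [re.compile(p, re.IGNORECASE) for p in (
    r"^http://heihei.com/.*$",
    r"^http://heihei.com$",
    r"^http://www.heihei.com/.*$",
    r"^http://www.heihei.com/$",
)]
# RewriteRule pattern; it carries no [NC] flag, so it is case-sensitive.
PROTECTED = re.compile(r".*\.(gif|jpg|swf)$")
REDIRECT_TARGET = "http://www.heihei.com/error.png"


def evaluate(path, referer=""):
    """Return the redirect target if the rule fires, or None if the file is served.

    path is relative to the <Directory>; a request without a Referer header
    is evaluated with an empty string, as %{HTTP_REFERER} expands to "".
    """
    if not PROTECTED.search(path):
        return None  # rule pattern does not match, conditions are never tested
    # The conditions are negated and ANDed: the rule fires only when the
    # Referer matches none of the site's own addresses.
    if any(p.search(referer) for p in ALLOWED_REFERERS):
        return None
    return REDIRECT_TARGET


# Constructed sample requests: (path, Referer header value)
SAMPLES = [
    ("img/logo.jpg", "http://www.heihei.com/index.html"),   # own page
    ("img/logo.jpg", "http://WWW.HEIHEI.COM/index.html"),   # [NC] still matches
    ("img/logo.jpg", "http://other.example/page.html"),     # hotlink
    ("img/logo.jpg", ""),                                   # no Referer sent
    ("img/logo.jpg", "https://www.heihei.com/index.html"),  # own page over HTTPS
    ("img/logo.JPG", "http://other.example/page.html"),     # upper-case extension
    ("error.png", "http://other.example/page.html"),        # the redirect target
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        outcome = evaluate(path, referer)
        print(f"{path:14} {referer or '(none)':36} -> {outcome or 'served'}")
```

Requests with no Referer and requests from the site's own HTTPS pages are redirected too, while the upper-case .JPG request is served. Because the Referer header is set by the client, this rule limits casual embedding rather than controlling access.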

2. Hide version information

Software vulnerabilities are generally tied to specific versions, so the version number is very valuable to attackers.

If attackers obtain the Apache version information, they can carry out targeted attacks and cause great losses to the website. Therefore, we should hide the Apache version number to reduce the risk of attack and protect the safe operation of the server.

Modify the httpd.conf configuration file so that the httpd-default.conf file takes effect; this file contains the setting that controls whether version information is returned.
 

vim /usr/local/httpd/conf/httpd.conf
#Line 491: uncomment
Include conf/extra/httpd-default.conf

vim /usr/local/httpd/conf/extra/httpd-default.conf
#Line 55: modify; change the original Full to Prod so that only the name is displayed, with no version
#ServerTokens indicates whether the Server response header field returned to the client contains information about the server OS type and the compiled-in modules
ServerTokens Prod

systemctl start httpd.service
#In a browser, access http://192.168.8.132 , double-click the 200 message to view the Server entry
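
A scripted version of the Server-entry check, as an added example that is not part of the original post: it extracts the Server header from a captured response and reports which ServerTokens level it corresponds to. The two responses are constructed samples; Major, Minor, Min and OS are the other values the ServerTokens directive accepts besides the Full and Prod named above.

```python
import re

# Apache/<version> (<OS>) <module tokens...>; every part after "Apache" is optional.
SERVER_RE = re.compile(
    r"^Apache(?:/(?P<ver>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]+)\))?(?P<extra>(?:\s+\S+)*)$"
)


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    for line in raw_response.split("\r\n")[1:]:   # skip the status line
        if not line:                              # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def classify(value):
    """Map a Server value to the least verbose ServerTokens level that emits it."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return "unknown"
    ver, os_name, extra = m.group("ver"), m.group("os"), m.group("extra").strip()
    if ver is None:
        return "Prod" if not (os_name or extra) else "unknown"
    if extra:
        return "Full"
    if os_name:
        return "OS"   # Full looks identical when no module adds a token
    return ("Major", "Minor", "Min")[ver.count(".")]


def audit(raw_response):
    """Return (level, discloses_version) for one captured response."""
    value = server_header(raw_response)
    if value is None:
        return ("absent", False)
    return (classify(value), re.search(r"/\d", value) is not None)


# Constructed responses; 2.4.29 is the version built on this page.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Apache/2.4.29 (Unix)\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    print("before:", audit(BEFORE), "after:", audit(AFTER))
```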


Posted on Thu, 07 Oct 2021 04:53:46 -0400 by melrse