1, Apache Web page optimization
1. Web page compression
The access speed of a website is determined by many factors, including the response speed of the application, network bandwidth, server performance, the network transmission speed to the client, and so on.
One of the most important factors is the response speed of Apache itself. Therefore, when you are worried about the performance of the website, the first thing to deal with is to improve the execution speed of Apache as much as possible. Using web page compression can improve the speed of the application. Very importantly, it costs nothing; it only slightly increases server CPU utilization, by one or two percentage points or less.
1.1 gzip overview
gzip is a popular and widely used file compression algorithm, especially on Linux platforms.
Using the gzip module in Apache, we can compress the web content published by the Apache server with the gzip algorithm before transmitting it to the client browser. This compression reduces the number of bytes transmitted on the network. The most obvious advantage is that it speeds up the loading of web pages.
1.2 HTTP compression process
After receiving the HTTP request from the browser, the Web server first checks whether the browser supports HTTP compression (the Accept-Encoding information). If the browser supports HTTP compression, the Web server checks the suffix of the requested file. If the requested file is a static file such as HTML or CSS, the Web server checks in the compressed cache directory whether an up-to-date compressed copy of the requested file already exists.
If the compressed copy of the requested file does not exist, the Web server returns the uncompressed file to the browser and stores a compressed copy in the compressed cache directory.
If an up-to-date compressed copy of the requested file already exists, that compressed copy is returned directly.
If the requested file is a dynamic file, the Web server compresses the content dynamically and returns it to the browser, but the compressed content is not stored in the compressed cache directory.
1.3 mod_deflate module
- Check whether the mod_deflate module is installed
apachectl -t -D DUMP_MODULES | grep "deflate"
- If the mod_deflate module is not installed, stop the Apache service, recompile and install Apache, and add the mod_deflate module to the configure parameters
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak
yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate    #Add mod_deflate module
make -j 4 && make install
- Configure and enable the mod_deflate module
vim /usr/local/httpd/conf/httpd.conf
#Line 52, modify
Listen 192.168.10.20:80
#Line 105, uncomment to enable the mod_deflate module
LoadModule deflate_module modules/mod_deflate.so
#Line 197, uncomment and modify
ServerName www.test.com:80
#--Add at the end of the file--
<IfModule mod_deflate.c>
  #The content types for which gzip compression is enabled
  AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript text/jpg text/png
  #The compression level, ranging from 1 to 9
  DeflateCompressionLevel 9
  #Enable the deflate module to gzip-compress the output of this site
  SetOutputFilter DEFLATE
</IfModule>
- Check the httpd.conf syntax and check whether the module is installed
apachectl -t    #Verify that the configuration file is correct
apachectl -t -D DUMP_MODULES | grep "deflate"    #Check whether the mod_deflate module is installed
#Expected output when the module is installed: deflate_module (shared)
systemctl restart httpd.service    #Restart the service
2. Web page cache
2.1 general
Web page caching stores pages that rarely change or change little. The next time the browser visits these pages, it does not need to download them again, which improves the user's access speed.
Apache's mod_expires module automatically generates the Expires and Cache-Control headers in the page header information. Based on these headers, the client browser serves the next access from the local machine's cache without sending a request to the server again, which reduces how often the client contacts the server, cuts unnecessary traffic and increases access speed.
2.2 configure web page cache
The steps for configuring the mod_expires module are similar to those for the mod_deflate module
- Check whether the mod_expires module is installed
apachectl -t -D DUMP_MODULES | grep "expires"
- If the mod_expires module is not installed, stop the Apache service, recompile and install Apache, and add the mod_expires module to the configure parameters
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak1    #Rename as a backup
yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires    #Add mod_expires module
make -j 4 && make install
- Configure and enable the mod_expires module
vim /usr/local/httpd/conf/httpd.conf
#Line 52, modify
Listen 192.168.10.20:80
#Line 111, uncomment to enable the mod_expires module
LoadModule expires_module modules/mod_expires.so
#Line 199, uncomment and modify
ServerName www.test.com:80
#--Add at the end of the file--
<IfModule mod_expires.c>
  #Turn on web page caching
  ExpiresActive On
  #Cache for 50 seconds
  ExpiresDefault "access plus 50 seconds"
</IfModule>
2, Apache security optimization
1. Hotlink protection (anti-theft chain)
1.1 general
Generally speaking, when we browse a complete page, it is not transmitted to the client all at once. If the requested page contains pictures or other resources, the first HTTP request transmits the text of the page, which the client's browser then interprets and executes. If the page contains pictures, the browser sends another HTTP request; after that request is processed, the picture file is transmitted to the client. Finally, the browser places the picture in the correct position on the page. In this way, a complete page is displayed only after several HTTP requests have been sent.
- The HTTP standard defines a dedicated Referer field. Its functions are as follows
① It makes it possible to trace the previous address the request came from
② For a resource file, it makes it possible to track the address of the web page that contains it. Therefore, all hotlink protection methods are based on this Referer field.
1.2 Hotlink protection configuration
Apache hotlink protection requires the mod_rewrite module to be installed
- Check whether the mod_rewrite module is installed
apachectl -t -D DUMP_MODULES | grep "rewrite"
- If the mod_rewrite module is not installed, recompile and install Apache and add the mod_rewrite module
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak2
yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
#--enable-rewrite adds the mod_rewrite module
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires
make -j 4 && make install
- Configure and enable the mod_rewrite module
vim /usr/local/httpd/conf/httpd.conf
#Line 157, uncomment
LoadModule rewrite_module modules/mod_rewrite.so
#Line 224
<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
  #Turn on the rewrite function and add the mod_rewrite module content
  RewriteEngine On
  #Set the matching rules
  RewriteCond %{HTTP_REFERER} !^http://heihei.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://heihei.com$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/$ [NC]
  #Set the jump action
  RewriteRule .*\.(gif|jpg|swf)$ http://www.heihei.com/error.png
</Directory>
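To see which requests the rules above let through, the following added example (not part of the original article, and a model of the rule logic rather than Apache itself) evaluates the same four Referer patterns and the RewriteRule pattern against a few constructed requests. The function names and sample requests are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: models the RewriteCond/RewriteRule logic above; it is not Apache itself.

# Allowed-Referer patterns copied from the four RewriteCond lines on this page.
ALLOWED_REFERERS='^http://heihei.com/.*$
^http://heihei.com$
^http://www.heihei.com/.*$
^http://www.heihei.com/$'

# hotlink_decision REFERER PATH  ->  prints "serve" or "redirect"
hotlink_decision() {
    referer=$1
    path=$2
    # The RewriteRule pattern has no [NC], so the extension match is case-sensitive.
    if ! printf '%s\n' "$path" | grep -Eq '.*\.(gif|jpg|swf)$'; then
        echo serve; return 0
    fi
    # The conditions are negated and ANDed: one matching pattern exempts the request.
    while IFS= read -r pat; do
        if printf '%s\n' "$referer" | grep -Eiq -- "$pat"; then
            echo serve; return 0
        fi
    done <<EOF
$ALLOWED_REFERERS
EOF
    echo redirect
}

# Constructed sample requests (Referer|path), not taken from real logs.
SAMPLES='http://www.heihei.com/index.html|/img/a.jpg
http://other.example/page.html|/img/a.jpg
|/img/a.jpg
https://www.heihei.com/index.html|/img/a.jpg
http://other.example/page.html|/img/a.JPG
http://other.example/page.html|/error.png'

# Print the decision for every constructed sample.
print_decisions() {
    while IFS='|' read -r s_ref s_path; do
        printf '%-9s referer=%-36s path=%s\n' \
            "$(hotlink_decision "$s_ref" "$s_path")" "${s_ref:-<none>}" "$s_path"
    done <<EOF
$SAMPLES
EOF
}

print_decisions
```

The third and fourth samples show that requests with no Referer and pages served over https are also redirected by these rules, and the fifth that the case-sensitive RewriteRule pattern does not cover `.JPG`.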
2. Hide version information
Generally, the vulnerability information of software is tied to specific versions, so the version number is very valuable to attackers.
If hackers or people with ulterior motives get the Apache version information, they will carry out targeted attacks and bring great losses to the website. Therefore, we should hide the Apache version number to reduce the risk of attack and protect the safe operation of the server.
Modify the httpd.conf configuration file so that the httpd-default.conf file takes effect; that file contains the setting that controls whether version information is returned.
vim /usr/local/httpd/conf/httpd.conf
#Line 491, uncomment
Include conf/extra/httpd-default.conf

vim /usr/local/httpd/conf/extra/httpd-default.conf
#Line 55, modify: change the original Full to Prod, so that only the name is displayed, without the version
ServerTokens Prod
#ServerTokens indicates whether the response header field returned by the Server to the client contains information about the Server OS type and the compiled module description

systemctl start httpd.service
#Access http://192.168.8.132 in a browser and double-click the 200 message to view the Server entry
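The browser check above can also be done from the command line. The following added example (not part of the original article) reads raw response headers and reports whether the compression, caching and ServerTokens settings from this page are visible in them; the function names and the two sample responses are constructed for illustration, and the live command in the comment assumes curl is installed.

```sh
#!/bin/sh
# Added example: audits response headers for the three settings made on this page.
# Live use (assumes curl is installed):
#   curl -sI -H 'Accept-Encoding: gzip' http://192.168.10.20/ | audit_headers

# header_value NAME: print the value of header NAME (case-insensitive) from stdin.
header_value() {
    awk -v name="$1" 'BEGIN { FS = ":"; want = tolower(name) }
        tolower($1) == want { sub(/\r$/, ""); sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# audit_headers: read raw response headers on stdin, print one verdict per setting.
audit_headers() {
    hdrs=$(cat)
    enc=$(printf '%s\n' "$hdrs" | header_value Content-Encoding)
    exp=$(printf '%s\n' "$hdrs" | header_value Expires)
    cc=$(printf '%s\n' "$hdrs" | header_value Cache-Control)
    srv=$(printf '%s\n' "$hdrs" | header_value Server)

    # mod_deflate: a compressed response carries Content-Encoding: gzip.
    case $enc in
        gzip) echo "compression: ok" ;;
        *)    echo "compression: missing" ;;
    esac
    # mod_expires: emits both Expires and Cache-Control: max-age=N.
    if [ -n "$exp" ] && [ -n "$cc" ]; then echo "cache: ok ($cc)"
    else echo "cache: missing"; fi
    # ServerTokens Prod: the Server header carries the product name only.
    case $srv in
        *[0-9]*) echo "server-token: leaks version ($srv)" ;;
        *)       echo "server-token: ok (${srv:-absent})" ;;
    esac
}

# Constructed sample responses, before and after the configuration changes.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.29 (Unix)
Content-Type: text/html'
AFTER='HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 01 Jan 2026 00:00:50 GMT
Cache-Control: max-age=50
Content-Encoding: gzip
Content-Type: text/html'

echo "--- before ---"; printf '%s\n' "$BEFORE" | audit_headers
echo "--- after ---";  printf '%s\n' "$AFTER"  | audit_headers
```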