Apache webpage optimization and security optimization

1. Apache webpage optimization

1. Overview of Apache webpage optimization

In enterprises, Apache is often deployed with only the default configuration parameters, which causes many problems for the website. The defaults were chosen for older, lower-spec servers and no longer suit the current Internet era.

2. Optimize content

  • Configure web page compression
  • Configure web cache
  • Selection of working mode and parameter optimization
  • Configure hidden version number
  • Configure anti-leech

3. Web page compression

3.1 Introduction to gzip

  • Apache's web page compression feature uses the gzip compression algorithm to compress page content before transmitting it to the client browser

3.2 Function

  • Reduce the number of bytes transmitted over the network and speed up web page loading
  • Save traffic and improve the user’s browsing experience
  • gzip works better with search engine crawlers

3.3 Apache modules that implement web page compression

  • mod_gzip module
  • mod_deflate module

Apache 1.x

  • There is no built-in web compression technology, but the third-party mod_gzip module can be used to perform compression

Apache 2.x

  • The mod_deflate module is built in and replaces mod_gzip

3.4 mod_gzip module and mod_deflate module

  • Both use the gzip compression algorithm and the principle of operation is similar
  • mod_deflate compression speed is slightly faster, while mod_gzip compression ratio is slightly higher
  • mod_gzip occupies more server CPU
  • For high-traffic servers, using mod_deflate may load faster than mod_gzip

4. Configure web page compression function

Note: Apache is compiled and installed in the usual way, with two differences: yum additionally installs zlib-devel (compression support), and the deflate module is enabled in the configure step, so this build has a compression function that the previously installed Apache environment lacked.

1. Install Apache

tar zxf apr-1.6.2.tar.gz
tar zxf apr-util-1.6.0.tar.gz
tar jxf httpd-2.4.29.tar.bz2

mv apr-1.6.2 httpd-2.4.29/srclib/apr
mv apr-util-1.6.0 httpd-2.4.29/srclib/apr-util

yum -y install gcc gcc-c++ make pcre-devel expat-devel perl zlib-devel

cd httpd-2.4.29/

./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --enable-deflate


make && make install

cp /usr/local/httpd/bin/apachectl /etc/init.d/httpd
vim /etc/init.d/httpd
Add:
# chkconfig: 35 85 21
# description: Apache HTTP Server

chkconfig --add httpd
chkconfig --list
ln -s /usr/local/httpd/conf/httpd.conf /etc/
ln -s /usr/local/httpd/bin/* /usr/bin/


vi /etc/httpd.conf
Modify:
      ServerName www.nb.com:80

systemctl stop firewalld    # stops the host firewall
setenforce 0                # switches SELinux to permissive mode until reboot

2. Configure mod_deflate module to start

[root@server1 ~]# vi /etc/httpd.conf 

LoadModule deflate_module modules/mod_deflate.so     # remove the leading # to enable the mod_deflate module


[root@server1 ~]# systemctl start httpd
[root@server1 ~]# systemctl status httpd
[root@server1 ~]# netstat -anpt | grep httpd   
[root@server1 ~]# apachectl -D DUMP_MODULES | grep deflate

Compression is on

5. Configure web page compression

1. Set compressed content type

[root@server1 ~]# vi /etc/httpd.conf
#............# add the following at the end of the file
#AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript
#DeflateCompressionLevel 9      # 9 is the compression level; 6 is generally enough
#SetOutputFilter DEFLATE    text/javascript
DeflateCompressionLevel 9
SetOutputFilter DEFLATE
[root@server1 ~]# httpd -t                     # check the syntax first
[root@server1 ~]# systemctl restart httpd      # restart so the new settings are loaded

2. Web page settings

[root@server1 ~]# echo "<h1>This is the fa</h1>" > /usr/local/httpd/htdocs/index.html 

Packet capture test:
Enter the IP address in the browser to access the page, then use packet capture software to view the response.

6. Configure web cache function

1. Steps to enable web caching

  • Check whether the mod_expires module is installed
  • Modify the configuration file to enable the cache function
  • Access test

Fix garbled Chinese characters

vi /etc/httpd.conf
Add:
    AddDefaultCharset utf-8

1. Enable the expires module

[root@server1 ~]# vi /etc/httpd.conf 
Remove the # to enable the expires module:
LoadModule expires_module modules/mod_expires.so
[root@server1 ~]# systemctl restart httpd      # restart so the module is loaded
[root@server1 ~]# apachectl -D DUMP_MODULES | grep expires


2. Set up the configuration file

[root@server1 ~]# vi /etc/httpd.conf 
[root@server1 ~]# httpd -t
[root@server1 ~]# systemctl stop httpd
[root@server1 ~]# systemctl start httpd

<IfModule mod_expires.c>
         # the directives below take effect only when the expires module is loaded
         ExpiresActive On
         # cache for 3 days
         ExpiresDefault "access plus 3 day"
</IfModule>


Test:
On this machine, visit 20.0.0.13 in the browser, then capture the packets.

2. Apache security optimization

1. Configure Apache to hide version information

  • Apache's version information reveals which known vulnerabilities may apply to the server, which is a security risk for the website
  • Configure Apache to hide version information in the production environment

2. Assignment of ServerTokens

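ServerTokens Prod   shows "Server:Apache"                          product name only, no version information
ServerTokens Major  shows "Server:Apache/2"                        major version number
ServerTokens Minor  shows "Server:Apache/2.2"                      minor version under the major version
ServerTokens Min    shows "Server:Apache/2.2.17"                   full version
ServerTokens OS     shows "Server:Apache/2.2.17 (Unix)"            platform
ServerTokens Full   shows "Server:Apache/2.2.17 (Unix) PHP/5.3.5"  all information, including other modules (here the PHP module embedded in Apache)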

3. Hidden version configuration

[root@server1 ~]# vi /usr/local/httpd/conf/extra/httpd-default.conf 
Change to:
     ServerTokens Prod

2. Configuration file

  [root@server1 ~]# vi /etc/httpd.conf
  Modify:
    Include conf/extra/httpd-default.conf        # uncomment this line
  [root@server1 ~]# systemctl stop httpd
  [root@server1 ~]# systemctl start httpd

Test:
On this machine, visit 20.0.0.13 in the browser, then capture the packets.
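
The three packet-capture checks on this page (gzip compression, the 3-day cache lifetime and the ServerTokens level) can also be scripted. The following is an added example, not code from the original post; the response headers are a constructed sample, and the function names are hypothetical.

```python
import re

# Constructed sample: response headers as a packet capture would show them
# once compression, the 3-day cache and "ServerTokens Prod" are in effect.
SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 30 Nov 2020 08:00:00 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=259200
Expires: Thu, 03 Dec 2020 08:00:00 GMT
Content-Type: text/html
"""

# Shape of the Server header for each ServerTokens value in the table above.
TOKEN_LEVELS = [
    ("Prod", r"Apache"),
    ("Major", r"Apache/\d+"),
    ("Minor", r"Apache/\d+\.\d+"),
    ("Min", r"Apache/\d+\.\d+\.\d+"),
    ("OS", r"Apache/\d+\.\d+\.\d+ \([^)]+\)"),
    ("Full", r"Apache/\d+\.\d+\.\d+ \([^)]+\) .+"),
]

def parse_headers(raw):
    """Return header names (lower-cased) mapped to values; skips the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def server_tokens_level(server):
    """Name the ServerTokens setting that would produce this Server header."""
    for level, pattern in TOKEN_LEVELS:
        if re.fullmatch(pattern, server):
            return level
    return "unknown"

def audit(raw, expected_max_age=3 * 24 * 3600):
    """Check compression, cache lifetime and version disclosure of one response."""
    h = parse_headers(raw)
    age = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    return {
        "compressed": "gzip" in h.get("content-encoding", "").lower(),
        "cache_3_days": bool(age) and int(age.group(1)) == expected_max_age,
        "server_tokens": server_tokens_level(h.get("server", "")),
    }
```

Any server_tokens result other than "Prod" means the Server header still discloses version details.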

4. Anti-leech (hotlink protection)

1. The role of anti-leech

  • Anti-hotlinking prevents other websites' code from using pictures, files, videos and other resources on our own server without permission
  • If others hotlink these static resources, it obviously increases the bandwidth pressure on the server
  • As the maintainers of the website, we must prevent the server's static resources from being hotlinked by other websites

2. Without anti-leech protection

1. Delete domain configuration

[root@server1 ~]# cd /usr/local/httpd/htdocs/
[root@server1 htdocs]# ls
index.html
[root@server1 htdocs]# rm -rf index.html
[root@server1 htdocs]#


2. Edit the configuration file

[root@server1 ~]# vi /etc/httpd.conf
Modify:
  LoadModule rewrite_module modules/mod_rewrite.so   # uncomment this line

Prepare 2 emoticon images and an HTML page, and upload them to the server through Xshell.

Access the page using the local IP address.

Bring up a second machine (20.0.0.14).

1. Install httpd, configure the domain name

[root@server2 ~]# yum -y install httpd
[root@server2 ~]# vi /var/www/html/index.html
Add:
 <html><body>Theft<img src="http://20.0.0.13/a.jpg"/></body></html>
[root@server2 ~]# systemctl stop firewalld 
[root@server2 ~]# setenforce 0
[root@server2 ~]# systemctl start httpd

Test:
The image can be hotlinked directly.

3. Configure anti-leech protection


1. Edit the configuration file on the host

[root@server1 ~]# vi /etc/httpd.conf 
[root@server1 ~]# httpd -t
[root@server1 ~]# systemctl stop httpd
[root@server1 ~]# systemctl start httpd

AllowOverride All
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://20.0.0.13/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://20.0.0.13/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://20.0.0.13$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://20.0.0.13/b.png [R,NC]
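
To see which requests these conditions redirect to b.png, the rule can be evaluated offline against sample Referer values. This is an added example, not code from the original post: it models only the RewriteCond/RewriteRule logic above, the sample requests are constructed, and STRICT_CONDS is an assumed tightened pattern (dots escaped, host followed by "/" or end of string).

```python
import re

# The three RewriteCond patterns from the configuration above ([NC] = ignore case).
PAGE_CONDS = [
    r"^http://20.0.0.13/.*$",
    r"^http://20.0.0.13/*",
    r"^http://20.0.0.13$",
]
# Assumed tightened form, not from the page.
STRICT_CONDS = [r"^http://20\.0\.0\.13(/.*)?$"]

# RewriteRule pattern: only these file types are protected.
PROTECTED = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)

def is_redirected(path, referer, conds):
    """True when the RewriteRule fires, i.e. the request is sent to b.png."""
    if not PROTECTED.search(path):
        return False
    # Consecutive RewriteCond lines are ANDed, and each is negated with "!":
    # the rule fires only if the Referer matches none of the patterns.
    return all(re.search(c, referer, re.IGNORECASE) is None for c in conds)

# Constructed sample requests: (requested path, Referer header value)
SAMPLES = [
    ("/a.jpg", "http://20.0.0.13/index.html"),   # the site's own page
    ("/a.jpg", "http://20.0.0.14/index.html"),   # server2 from this page
    ("/a.jpg", ""),                              # no Referer header sent
    ("/a.jpg", "http://20.0.0.130/index.html"),  # other host sharing the prefix
    ("/b.png", "http://20.0.0.14/index.html"),   # redirect target, not protected
]

def evaluate(conds):
    """Redirect decision for every sample request, in order."""
    return [is_redirected(path, ref, conds) for path, ref in SAMPLES]

if __name__ == "__main__":
    for (path, ref), page, strict in zip(SAMPLES, evaluate(PAGE_CONDS),
                                         evaluate(STRICT_CONDS)):
        print(f"{path:8} {ref or '(none)':32} page={page} strict={strict}")
```

The second condition on the page ends in `/*`, which also matches zero slashes, so a Referer from 20.0.0.130 is treated as the site's own; the tightened pattern redirects it like any other foreign site.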

Origin blog.csdn.net/F2001523/article/details/110214643