Apache web and security optimization, with screenshots as proof (in memory of Kobe; the Mamba spirit lives forever)


1. Overview of Apache webpage and security optimization

When Apache is deployed in an enterprise with nothing but its default configuration parameters, the website runs into many problems: the defaults were written for the low-spec servers of earlier years and no longer fit today's Internet.
To meet business needs we have to consider how to improve Apache's performance and stability; that is what Apache optimization covers.

2. Apache webpage optimization

(1) Web page compression

1. Check whether the mod_deflate module is installed
apachectl -t -D DUMP_MODULES | grep "deflate"
2. If mod_deflate is not installed, recompile and install Apache with the mod_deflate module added
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak		#rename the current configuration as a backup


yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate				#add the mod_deflate module

make && make install


3. Configure and enable the mod_deflate module
vim /usr/local/httpd/conf/httpd.conf
--line 52-- modify
Listen 192.168.126.10:80
--line 105-- uncomment
LoadModule deflate_module modules/mod_deflate.so		#enable the mod_deflate module
--line 197-- uncomment and modify
ServerName www.chenwei.com:80
--last line-- append
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript	#the content types to gzip; keep image types out, since JPEG/PNG are already compressed and gzip on them only burns CPU
DeflateCompressionLevel 9			#compression level, range 1 to 9 (9 is the slowest; zlib's default of 6 is the usual trade-off)
SetOutputFilter DEFLATE				#applies DEFLATE to every response from this server regardless of type; with this line present the type list above is moot, so either drop it or accept that images get compressed too
</IfModule>


4. Check the installation and start the service
apachectl -t			#verify that the configuration file is correct
apachectl -t -D DUMP_MODULES | grep "deflate"		#check that the mod_deflate module is loaded
  deflate_module (shared)							#the correct result when it is installed

systemctl start httpd.service
5. Test whether mod_deflate compression takes effect
cd /usr/local/httpd/htdocs
First copy the kobe2.jpg file into the /usr/local/httpd/htdocs directory
vim index.html

<html><head><meta charset="utf-8"></head><body><h1>
"There's always going to be a winner, so why can't it be me?" "Second place just means you're the first loser." "Friends come and go, but banners hang forever." Kobe has left, but the Mamba spirit will forever drive the youngsters on the basketball court.

In a 2016 interview Kobe spoke about "life and death". Although it looks like a taboo subject, he answered very calmly, even with something of a philosopher about him: "Without death, where is life? Without darkness, where is light? Death, for me, will be a calm and peaceful process."

May the big man rest well in heaven!</h1>
<img src="kobe2.jpg"/>

</body></html>


Method 1:
On Linux, open Firefox, right-click the page and choose Inspect Element
Select Network ---> filter on HTML, WS, Other
Visit http://192.168.126.10, double-click the 200 response and check that the response headers contain Content-Encoding: gzip


Method 2:
On Windows, install Microsoft .NET 4 and then Fiddler, and open Fiddler
Select Inspectors ---> Headers
Visit http://192.168.126.10 in a browser, double-click the 200 response and check for Content-Encoding: gzip


(2) Web cache

1. Check whether the mod_expires module is installed
apachectl -t -D DUMP_MODULES | grep "expires"
2. If mod_expires is not installed, recompile and install Apache with the mod_expires module added
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak1  #rename it as a backup
yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires			#add the mod_expires module

make && make install
3. Configure and enable the mod_expires module
vim /usr/local/httpd/conf/httpd.conf
--line 52-- modify
Listen 192.168.126.10:80
--line 111-- uncomment
LoadModule expires_module modules/mod_expires.so		#enable the mod_expires module
--line 199-- uncomment and modify
ServerName www.chenwei.com:80
--last line-- append
<IfModule mod_expires.c>
  ExpiresActive On								#turn on expiry headers
  ExpiresDefault "access plus 50 seconds"		#cache for 50 seconds after access; mod_expires emits both Expires and Cache-Control: max-age=50
</IfModule>


4. Check the installation and start the service
apachectl -t			#verify that the configuration file is correct
apachectl -t -D DUMP_MODULES | grep "expires"		#check that the mod_expires module is loaded
  expires_module (shared)							#the correct result when it is installed

systemctl start httpd.service


5. Test whether caching takes effect
cat /usr/local/httpd/htdocs/index.html
Method 1:
On Linux, open Firefox, right-click the page and choose Inspect Element
Select Network ---> filter on HTML, WS, Other
Visit http://192.168.126.10, double-click the 200 response and check that the response headers contain an Expires entry


Method 2:
On Windows, install Microsoft .NET 4 and then Fiddler, and open Fiddler
Select Inspectors ---> Headers
Visit http://192.168.126.10 in a browser, double-click the 200 response and check for the Expires entry


3. Apache security optimization

(1) Hide version information

vim /usr/local/httpd/conf/httpd.conf
--line 491-- uncomment
Include conf/extra/httpd-default.conf
vim /usr/local/httpd/conf/extra/httpd-default.conf
--line 55-- modify
ServerTokens Prod            #change the original Full to Prod: only the product name "Apache" is sent, with no version
#ServerTokens controls how much the Server response header that httpd returns to the client reveals: Full includes the OS type and compiled-in modules (e.g. "Apache/2.4.29 (Unix)"), Prod reduces it to "Apache". The same file also sets ServerSignature, which puts the version on server-generated pages such as error documents and directory listings; make sure it is Off.


systemctl restart httpd.service
Visit http://192.168.126.10 in a browser, double-click the 200 response and check the Server entry: it should now read just "Apache"

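The three checks above (Content-Encoding after enabling mod_deflate, Expires after enabling mod_expires, and the Server header after ServerTokens Prod) are done in this article by eyeballing headers in Firefox or Fiddler. The following Python script is an added example, not code from the article, that performs the same checks offline against raw HTTP responses. The responses in it are constructed to look like a before/after of this configuration (the Date, Expires and Server values are assumptions, not captures from 192.168.126.10). It also checks two things the screenshots cannot show: that a gzip body actually inflates, and that gzip is not being applied to already-compressed image types. On a TLS site, keep in mind that compressing responses which mix secrets with attacker-controlled input is what BREACH-style attacks exploit, one more reason to compress only static text types.

```python
"""Offline audit of raw HTTP responses for the three settings configured on this
page: mod_deflate (Content-Encoding: gzip on text types only), mod_expires
(Expires relative to Date) and ServerTokens Prod (no version in Server).
Added example, not code from the article; the responses are constructed."""
import gzip
import re
import zlib
from email.utils import parsedate_to_datetime

# Types worth compressing (the article's list minus the image entries: JPEG and
# PNG are already compressed, so gzip on them costs CPU and saves nothing).
COMPRESSIBLE = {"text/html", "text/plain", "text/css", "text/xml",
                "text/javascript", "application/javascript", "application/json"}
ALREADY_COMPRESSED = {"image/jpeg", "image/png", "image/gif", "application/zip"}

# "Apache/2.4.29", "OpenSSL/1.0.2k", "PHP/7.4.3": the tokens ServerTokens Prod removes.
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)*")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit(raw: bytes) -> dict:
    """Return findings for one response: compression state, cache lifetime, version leak."""
    status, h, body = parse_response(raw)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    enc = h.get("content-encoding", "").lower()
    out = {"status": status}

    # 1. Compression: expected on text, wasteful on already-compressed binaries,
    #    and when present the body must really inflate.
    if ctype in COMPRESSIBLE:
        out["compression"] = "ok" if enc == "gzip" else "missing"
    elif ctype in ALREADY_COMPRESSED:
        out["compression"] = "wasteful" if enc == "gzip" else "ok"
    else:
        out["compression"] = "n/a"
    if enc == "gzip":
        try:
            out["inflated_bytes"] = len(gzip.decompress(body))
        except (OSError, EOFError, zlib.error):
            out["compression"] = "corrupt"
            out["inflated_bytes"] = None

    # 2. Caching: ExpiresDefault "access plus N seconds" gives Expires = Date + N.
    out["expires_seconds"] = None
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            out["expires_seconds"] = int(delta.total_seconds())
        except (TypeError, ValueError):
            pass  # unparsable date: leave the lifetime as None

    # 3. Version disclosure: ServerTokens Prod leaves just "Apache".
    out["server"] = h.get("server", "")
    out["server_leaks_version"] = bool(VERSION_RE.search(out["server"]))
    return out


# Constructed responses modelled on a before/after of this page's configuration;
# the Date, Expires and Server values are assumptions, not captures.
HTML_BODY = b"<html><body><h1>Mamba mentality</h1></body></html>"
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Sat, 09 Jan 2021 08:00:00 GMT\r\n"
          b"Server: Apache/2.4.29 (Unix)\r\n"
          b"Content-Type: text/html\r\n\r\n") + HTML_BODY
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Date: Sat, 09 Jan 2021 08:00:00 GMT\r\n"
         b"Server: Apache\r\n"
         b"Expires: Sat, 09 Jan 2021 08:00:50 GMT\r\n"
         b"Cache-Control: max-age=50\r\n"
         b"Vary: Accept-Encoding\r\n"
         b"Content-Encoding: gzip\r\n"
         b"Content-Type: text/html\r\n\r\n") + gzip.compress(HTML_BODY)
JPEG_GZIPPED = (b"HTTP/1.1 200 OK\r\n"
                b"Date: Sat, 09 Jan 2021 08:00:00 GMT\r\n"
                b"Server: Apache\r\n"
                b"Content-Encoding: gzip\r\n"
                b"Content-Type: image/jpeg\r\n\r\n") + gzip.compress(b"\xff\xd8\xff\xe0 fake jpeg bytes")

if __name__ == "__main__":
    for name, raw in (("before", BEFORE), ("after", AFTER), ("gzipped jpeg", JPEG_GZIPPED)):
        print(f"{name:>12}: {audit(raw)}")
```

To run it against the real host, replace the constructed byte strings with the output of `curl --raw -i -H 'Accept-Encoding: gzip' http://192.168.126.10/`; `--raw` keeps the body as the server sent it so the inflate check is meaningful, and the client must advertise Accept-Encoding or mod_deflate will not compress at all.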

(2) Apache anti-hotlinking

1. How hotlinking happens

1. Use two CentOS 7 virtual machines. Host 1 is the site accessed normally, i.e. the Apache server built on it above; host 2 is the hotlinking host, a freeloader that embeds an image from host 1 (which has no anti-hotlink protection yet) in its own web page.

2. Install the httpd service on hotlinking host 2

yum install -y httpd

systemctl start httpd
3. Configure a temporary DNS mapping

echo "192.168.126.10 www.chenwei.com" >>/etc/hosts

echo "192.168.126.20 www.mm.com" >>/etc/hosts

or configure forward DNS resolution instead


4. Edit the home page of the hotlinking host's website

vim /var/www/html/index.html
<html><head><meta charset="utf-8"></head><body><h1>
"There's always going to be a winner, so why can't it be me?" "Second place just means you're the first loser." "Friends come and go, but banners hang forever." Kobe has left, but the Mamba spirit will forever drive the youngsters on the basketball court.

In a 2016 interview Kobe spoke about "life and death". Although it looks like a taboo subject, he answered very calmly, even with something of a philosopher about him: "Without death, where is life? Without darkness, where is light? Death, for me, will be a calm and peaceful process."

May the big man rest well in heaven!</h1>
<img src="http://www.chenwei.com/kobe2.jpg"/>	<!-- the image is hotlinked from host 1, not hosted here -->

</body></html>


5. Access the web page using the hotlinking host's own domain name:

www.mm.com


2. Configure anti-hotlinking

1. Check whether the mod_rewrite module is installed
apachectl -t -D DUMP_MODULES | grep "rewrite"
2. If mod_rewrite is not installed, recompile and install Apache with the --enable-rewrite option, which adds the mod_rewrite module
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak2
yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires

make && make install
3. Configure and enable the mod_rewrite module
vim /usr/local/httpd/conf/httpd.conf
--line 157-- uncomment
LoadModule rewrite_module modules/mod_rewrite.so
--line 224--
<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks		#Indexes lets anyone list the contents of htdocs; drop it unless you want the directory browsable
  AllowOverride None
  Require all granted

  RewriteEngine On   #turn on rewriting; the lines that follow are the mod_rewrite content
  RewriteCond %{HTTP_REFERER} !^http://chenwei\.com/.*$ [NC]			#matching rules: all four conditions must hold for the rule to fire
  RewriteCond %{HTTP_REFERER} !^http://chenwei\.com$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www\.chenwei\.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www\.chenwei\.com/$ [NC]
  RewriteRule .*\.(gif|jpg|swf)$ http://www.chenwei.com/error.png		#substitution: serve error.png instead of the requested image
</Directory>


Meaning of the fields in RewriteCond %{HTTP_REFERER} !^http://www\.chenwei\.com/.*$ [NC]:
"%{HTTP_REFERER}": the Referer request header, i.e. the URL of the page from which the client followed the link to the requested resource.
"!^": does not begin with the string that follows.
"http://www\.chenwei\.com": this site's own address, matched as the whole string; the dots are escaped so they match a literal "." rather than any character.
".*$": followed by any characters up to the end of the string.
"[NC]": the match is case-insensitive.

Meaning of the fields in RewriteRule .*\.(gif|jpg|swf)$ http://www.chenwei.com/error.png:
".": matches any single character.
"*": matches the preceding item zero or more times, so ".*" together matches any string, including an empty one. "+" would require one or more.
"\.": "\" is the escape character, so "\." stands for the literal character ".". Because "." is a metacharacter in the pattern it has to be escaped to be matched literally, and the same applies to the other metacharacters.
"(gif|jpg|swf)": matches any one of "gif", "jpg" or "swf", and "$" anchors to the end. The whole pattern therefore matches any requested path that ends in ".gif", ".jpg" or ".swf", i.e. the image files.
"http://www.chenwei.com/error.png": the substitution; a request that matches is served this URL instead.

Taken together, the four conditions are ANDed: when the Referer matches none of this site's own URL forms and the requested file is an image, error.png is served in its place. Two caveats before relying on it: a request that carries no Referer at all (a URL typed into the address bar, a bookmark, or a browser honouring a no-referrer policy) also satisfies every condition and is redirected, and because the Referer is supplied by the client, anyone who sets it to this site's URL gets the image. This is a deterrent against casual hotlinking, not an access control. Note also that the RewriteRule pattern carries no [NC], so an upper-case ".JPG" is not covered, and that error.png itself does not match the pattern, so the rule cannot loop on its own substitution.
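To see exactly which requests the rule chain above affects, here is an added Python model of it (example code, not from the article). It mirrors the four RewriteConds and the RewriteRule as regular expressions with mod_rewrite's semantics (all conditions must hold, and a negated condition holds when its pattern does not match), runs constructed requests through them, and compares the result with a hardened variant that is my assumption rather than the article's: one anchored pattern covering both schemes and the optional www, [NC] on the rule, and an extra `RewriteCond %{HTTP_REFERER} !^$` so a request without a Referer is left alone.

```python
"""Model of the article's anti-hotlink RewriteCond/RewriteRule chain, run over
constructed requests and compared with a hardened variant (an assumption, not
the article's config). Added example, not code from the article."""
import re
from dataclasses import dataclass

ERROR_IMAGE = "http://www.chenwei.com/error.png"   # the RewriteRule substitution


@dataclass
class RuleSet:
    """One RewriteRule guarded by a chain of negated RewriteConds (implicitly ANDed)."""
    protected: re.Pattern           # the RewriteRule pattern: which paths are guarded
    own_site: list                  # Referer patterns; a match makes one '!' condition fail
    allow_empty_referer: bool       # models an extra 'RewriteCond %{HTTP_REFERER} !^$'


# The article's chain: http only, four separate patterns, no [NC] on the rule.
ARTICLE = RuleSet(
    protected=re.compile(r".*\.(gif|jpg|swf)$"),
    own_site=[re.compile(p, re.I) for p in (
        r"^http://chenwei\.com/.*$",
        r"^http://chenwei\.com$",
        r"^http://www\.chenwei\.com/.*$",
        r"^http://www\.chenwei\.com/$",
    )],
    allow_empty_referer=False,
)

# Hardened variant (assumption, not from the article): both schemes, optional www,
# [NC] on the rule so .JPG is covered too, and requests without a Referer pass.
HARDENED = RuleSet(
    protected=re.compile(r".*\.(gif|jpg|swf)$", re.I),
    own_site=[re.compile(r"^https?://(www\.)?chenwei\.com(/.*)?$", re.I)],
    allow_empty_referer=True,
)


def rewrite(rules: RuleSet, path: str, referer: str) -> str:
    """Return what the server serves for `path`, given the client's Referer header
    ('' when the header is absent), following mod_rewrite's evaluation order."""
    if not rules.protected.match(path):
        return path                 # RewriteRule pattern does not match: nothing happens
    if rules.allow_empty_referer and referer == "":
        return path                 # '!^$' does not hold for an empty Referer: rule skipped
    if any(p.match(referer) for p in rules.own_site):
        return path                 # one negated condition fails: rule skipped
    return ERROR_IMAGE              # every condition holds: the substitution is served


# Constructed requests (path, Referer as sent by the client); none were captured.
REQUESTS = [
    ("/kobe2.jpg", "http://www.chenwei.com/"),     # the site's own page embeds the image
    ("/kobe2.jpg", "http://www.mm.com/"),          # hotlinked from the other host
    ("/kobe2.jpg", ""),                            # URL typed in, bookmark, or no-referrer policy
    ("/kobe2.jpg", "https://www.chenwei.com/"),    # the site's own page, served over TLS
    ("/kobe2.JPG", "http://www.mm.com/"),          # upper-case extension
    ("/error.png", "http://www.mm.com/"),          # the substitution target itself
    ("/index.html", "http://www.mm.com/"),         # not an image at all
]


def decisions(rules: RuleSet) -> dict:
    """Map each constructed request to what the given rule set serves for it."""
    return {f"{path} <- {referer or '(no Referer)'}": rewrite(rules, path, referer)
            for path, referer in REQUESTS}


if __name__ == "__main__":
    for name, rules in (("article", ARTICLE), ("hardened", HARDENED)):
        print(f"== {name} rules ==")
        for request, served in decisions(rules).items():
            print(f"  {request:<45} -> {served}")
```

The empty-Referer and https cases are the ones that bite real users of the article's rules; the spoofed case is not in the list because it needs no modelling: any client that sends `Referer: http://www.chenwei.com/` passes both rule sets, which is why a Referer check stops casual embedding but not a determined scraper.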

4. Web page preparation
Configuration on the web source host (host 1):
cd /usr/local/httpd/htdocs
Copy kobe2.jpg (already uploaded earlier) and error.png into the /usr/local/httpd/htdocs directory


5. Verify in a browser on the hotlinking host
http://www.mm.com
The page now shows error.png in place of kobe2.jpg.



Origin blog.csdn.net/weixin_51573771/article/details/112318424