Apache web optimization and security

Disclaimer: This article is the blogger's original work and is released under the CC 4.0 BY-SA license; if you reproduce it, please attach the original source link and this statement.
Original link: https://blog.csdn.net/qq_42298432/article/details/100540056

Apache Page Optimization

Site access speed is determined by several factors: application response time, network bandwidth, server performance, and the transmission speed on the path to the client. The most important of these is the response speed of Apache itself; only a properly tuned Apache configuration lets the server deliver its best performance. Some optimization of the Apache server configuration is therefore essential for our applications.
 
Skills objectives:
1. Master Apache web page compression
2. Master Apache web caching
3. Master Apache anti-hotlinking
4. Master hiding Apache version information
5. Use Apache's own rotatelogs log-splitting tool

1. Apache page compression

Note: gzip can greatly speed up a site; the compression ratio sometimes reaches 80% and is at least 40% or more, which is still quite good. In Apache 2.x the module is no longer called gzip but mod_deflate.

 
1. gzip introduction

gzip is a popular file compression algorithm, especially on the Linux platform. Applied to plain text files its effect is very noticeable: the file size can be reduced by roughly 70% or more. The benefit of Apache's gzip/deflate module is that the server compresses the web content it publishes before sending it to the client browser, which reduces the number of bytes transmitted over the network; the most visible result is faster page loading. The cost is a small increase in server CPU utilization, one or two percentage points or less.

 
 
2. HTTP compression process

The web server receives the browser's HTTP request and checks whether the browser supports HTTP compression (the Accept-Encoding header). If it does, the web server checks the extension of the requested file. For static files such as HTML and CSS, the server looks in its compression cache directory for an up-to-date compressed copy of the requested file. If no compressed copy exists, the server returns the uncompressed file to the browser and stores a compressed copy of it in the cache directory; if an up-to-date compressed copy already exists, it returns that compressed copy directly. For dynamic files, the web server compresses the response on the fly and returns it to the browser, but does not store the compressed content in the cache directory.

 
 
3. Apache compression modules

The Apache 1.x series has no built-in page compression module; compression is done with the third-party mod_gzip. Apache 2.x added a built-in page compression module, mod_deflate. mod_deflate compresses slightly faster, while mod_gzip achieves a slightly higher compression ratio. If your site has little traffic and you just want pages to load faster, use mod_gzip; if the site is busy and uses virtual hosts, mod_deflate is the better choice.

 
 

1. Check whether the mod_deflate module is installed

httpd -t -D DUMP_MODULES | grep deflate
httpd -M | grep deflate

When httpd is installed with yum, the module is enabled by default; it is loaded from /etc/httpd/conf.modules.d/00-base.conf.

 

2. Install the mod_deflate module (for a compiled installation where deflate was not built in)

If the mod_deflate module is not installed, stop the Apache service and recompile Apache, adding the mod_deflate option to the configure arguments:

./configure --prefix=/usr/local/httpd --enable-deflate --enable-so --enable-rewrite --enable-charset-list --enable-cgi
make && make install

Another way to add it is to load it as a DSO:

cd /root/httpd-2.4.25/modules/filters              # change to the directory of the Apache source tree that contains mod_deflate
/usr/local/httpd/bin/apxs -c -i -a mod_deflate.c   # compile and install it into Apache as a DSO
/usr/local/httpd/bin/apxs -c -i -a /root/httpd-2.2.17/modules/metadata/mod_headers.c   # compile and install mod_headers as a DSO in the same way
httpd -M | grep deflate                            # check that the module was installed successfully

apxs command options:

-i: perform the install operation, copying one or more dynamic shared object modules into the server's modules directory.

-a: automatically add a LoadModule line for the module to httpd.conf to enable it, or, if such a line already exists, enable it.

-c: perform the compile operation.
 
 
Note:
If the following error occurs on restart:

Cannot load /usr/local/apache/modules/mod_deflate.so into server: /usr/local/apache/modules/mod_deflate.so: undefined symbol: inflateEnd

then the zlib library must be loaded before the line LoadModule deflate_module modules/mod_deflate.so.
Also note that LoadModule deflate_module must be placed after LoadModule php5_module.
For reference:

LoadFile /usr/lib/libz.so
LoadModule deflate_module modules/mod_deflate.so

(On x86_64 systems the library file is in /usr/lib64; you can create a symbolic link to it under /usr/lib.)

 
 

3. Configure and enable the mod_deflate module

Edit the main Apache configuration file httpd.conf and add (or uncomment) the following two parameters:

LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so

Removing the leading # from these two lines enables the two Apache modules. mod_deflate is the compression module that gzip-compresses the content sent to the client; mod_headers tells the browser that the page is gzip-compressed, and without it the browser would download the compressed page instead of displaying it properly.
Add the following block to httpd.conf. It can be placed in any free space; if you are not familiar with Apache and are worried about where to put it, append it as the last lines of httpd.conf.
Note: before adding the block, check whether it is already present.

<IfModule mod_deflate.c>
        DeflateCompressionLevel 9
        SetOutputFilter DEFLATE
        #AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript application/x-httpd-php
        #AddOutputFilterByType DEFLATE image/*
        AddOutputFilterByType DEFLATE text/*
        AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
        AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
</IfModule>

DeflateCompressionLevel 9    # compression level, 1 to 9: 1 is the fastest with the lowest compression, 9 the slowest with the highest compression, and the default 6 balances compression speed and quality. Level 6 is the usual choice to balance processor consumption against page compression quality.

SetOutputFilter DEFLATE      # sets the output filter that enables compression. This directive is mandatory; it works like a switch that tells Apache to compress the content streamed to the browser.

 

AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript application/x-httpd-php
AddOutputFilterByType DEFLATE image/*    # note: images do not need compression; compressing them only makes them larger

The two lines above compress content by MIME type, for example text/html, text/css and text/plain.

AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript

The line above compresses JavaScript files.

AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp

The line above compresses PHP-type files.

SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary

The line above excludes image files with the extensions gif, jpg, jpeg and png from compression.

Note:
?: at the start of the parentheses makes the group non-capturing, i.e. the bracketed content is not captured.

SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary

As above, this excludes exe, tgz, gz and similar archive files from compression.

SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary

As above, this excludes pdf, avi, mp3 and similar media files from compression.

4. Set up log output

DeflateFilterNote Input input_info      # records the number of input bytes
DeflateFilterNote Output output_info    # records the number of output bytes
DeflateFilterNote Ratio ratio_info      # records the compression ratio as a percentage
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate    # declares the log format named deflate
CustomLog logs/deflate_log.log deflate

Restart the service

systemctl restart httpd

Note: images do not need gzip compression enabled.
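As an added example (not code from the article), the following Python models the decisions the mod_deflate block above makes and renders the line the deflate CustomLog would write. One point it makes visible: the SetOutputFilter DEFLATE line already applies the filter to every response in its scope, so with that line present the AddOutputFilterByType list adds nothing and it is the SetEnvIfNoCase no-gzip patterns that keep images and archives out, which is why the note above says images need no gzip. The sample page and request values are constructed; should_compress, deflate_log_line and the set_output_filter switch are names chosen here, not Apache directives.

```python
import re
import zlib

# Added illustration (not code from the article): a Python model of the
# mod_deflate block above. should_compress() applies the same conditions the
# directives impose, and deflate_log_line() renders the '"%r" out/in (ratio%)'
# line the deflate CustomLog would write. All sample inputs are constructed.

# MIME types named in the AddOutputFilterByType lines ('*' is a wildcard).
COMPRESSED_TYPES = [
    "text/*", "application/ms*", "application/vnd*", "application/postscript",
    "application/javascript", "application/x-javascript",
    "application/x-httpd-php", "application/x-httpd-fastphp",
]

# Request_URI patterns of the SetEnvIfNoCase ... no-gzip lines.
NO_GZIP_PATTERNS = [
    r"\.(?:gif|jpe?g|png)$",
    r"\.(?:exe|t?gz|zip|bz2|sit|rar)$",
    r"\.(?:pdf|mov|avi|mp3|mp4|rm)$",
]

def _type_listed(content_type, pattern):
    """Match a response Content-Type against one config entry such as text/*."""
    base = content_type.split(";")[0].strip().lower()
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, base) is not None

def should_compress(accept_encoding, content_type, request_uri, set_output_filter=True):
    """Decide whether a response is compressed under the configuration above.
    set_output_filter=True mirrors the 'SetOutputFilter DEFLATE' line, which
    applies the filter to every response; with it present the by-type list
    adds nothing, so exclusions rest on the no-gzip patterns alone."""
    # 1. The client must advertise gzip in Accept-Encoding.
    encodings = [e.split(";")[0].strip().lower() for e in accept_encoding.split(",")]
    if "gzip" not in encodings:
        return False
    # 2. A URI matching a no-gzip pattern is never compressed (case-insensitive, like SetEnvIfNoCase).
    if any(re.search(p, request_uri, re.IGNORECASE) for p in NO_GZIP_PATTERNS):
        return False
    # 3. Otherwise everything is compressed when SetOutputFilter DEFLATE is set,
    #    and only the listed MIME types when it is not.
    if set_output_filter:
        return True
    return any(_type_listed(content_type, t) for t in COMPRESSED_TYPES)

def deflate_log_line(request_line, body, level=9):
    """Compress body at the given DeflateCompressionLevel and return
    (log_line, ratio_percent) in the shape of the deflate LogFormat above,
    where the ratio is output bytes over input bytes in percent."""
    out = zlib.compress(body, level)
    ratio = round(100 * len(out) / len(body)) if body else 0
    return f'"{request_line}" {len(out)}/{len(body)} ({ratio}%)', ratio

# Constructed sample page: repetitive markup compresses very well.
SAMPLE_HTML = b"<html><body>" + b"<p>repeated paragraph for the demo</p>" * 200 + b"</body></html>"

if __name__ == "__main__":
    print(should_compress("gzip, deflate", "text/html; charset=UTF-8", "/index.html"))  # True
    print(should_compress("gzip, deflate", "image/png", "/images/logo.png"))           # False
    print(deflate_log_line("GET /index.html HTTP/1.1", SAMPLE_HTML)[0])
```

Running it with set_output_filter=False shows the narrower behaviour you would get from the AddOutputFilterByType lines alone: an image type such as image/webp is then left uncompressed even without a matching no-gzip pattern.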

2. Web cache

A web cache stores pages that do not change, or change very little, so that the next time the browser accesses them it does not need to download them again, which improves the user's access speed.
Apache's mod_expires module automatically generates Cache-Control and Expires headers in the response. The client browser interprets these headers and, on the next access, uses its locally cached copy instead of sending a request to the server again. This reduces the number and frequency of client requests, cuts unnecessary traffic and increases access speed.

1. Check whether the mod_expires module is installed

httpd -M | grep expires    (for installation steps refer to the first section)

2. Response headers before expires is enabled

[root@localhost /]# curl -I www.ityunn.com

HTTP/1.1 200 OK
Date: Wed, 04 Sep 2019 21:43:16 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 03 Sep 2019 10:58:26 GMT
ETag: "15-591a3f7c53031"
Accept-Ranges: bytes
Content-Length: 21
Content-Type: text/html; charset=UTF-8

3. Configure the mod_expires module

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "now plus 1 month"
ExpiresByType application/x-javascript "now plus 5 day"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType image/png "access plus 1 minutes"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresDefault "now plus 0 minutes"
</IfModule> 

4. Response headers after mod_expires is enabled. The Cache-Control and Expires lines are the new ones. The test page is text/html, which is not listed in the block above, so ExpiresDefault "now plus 0 minutes" applies: max-age is 0 and Expires equals Date.

[root@localhost conf]# curl -I www.ityunn.com
HTTP/1.1 200 OK
Date: Wed, 04 Sep 2019 21:46:26 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 03 Sep 2019 10:58:26 GMT
ETag: "15-591a3f7c53031"
Accept-Ranges: bytes
Content-Length: 21
Cache-Control: max-age=0
Expires: Wed, 04 Sep 2019 21:46:26 GMT
Content-Type: text/html; charset=UTF-8

ExpiresByType and ExpiresDefault can be defined with the same, easy-to-read syntax:

ExpiresDefault "<base> [plus] {<num><type>}"
ExpiresByType type/encoding "<base> [plus] {<num><type>}"

where <base> is one of:
• access
• now (equivalent to 'access')
• modification
The plus keyword is optional. <num> must be an integer, and <type> is one of:

• years
• months
• weeks
• days
• hours
• minutes
• seconds

For example, the following three directives all set the default document validity to one month:

ExpiresDefault "access plus 1 month"
ExpiresDefault "access plus 4 weeks"
ExpiresDefault "access plus 30 days"

The validity can be adjusted further by adding more "<num> <type>" clauses:

ExpiresByType text/html "access plus 1 month 15 days 2 hours"
ExpiresByType image/gif "modification plus 5 hours 3 minutes"

Note that if you use a setting based on the last modification date, the Expires header will not be added to content that does not come from a disk file, because such content has no "last modified" attribute.

# GIF files are valid for one month (interval in seconds)

ExpiresByType image/gif A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/png A2592000
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A604800
ExpiresByType text/plain A604800

# HTML documents are valid for one week after their last modification time

ExpiresByType text/html M604800

Note: in the lines above "M" means the time the source file was last modified and "A" means the time the client accessed the source file; the number that follows is the interval in seconds.
 

3. Hide version information

1. Test Apache's default behaviour

[root@localhost conf]# curl -I www.ityunn.com
HTTP/1.1 200 OK
Date: Wed, 04 Sep 2019 21:58:00 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 03 Sep 2019 10:58:26 GMT
ETag: "15-591a3f7c53031"
Accept-Ranges: bytes
Content-Length: 21
Cache-Control: max-age=0
Expires: Wed, 04 Sep 2019 21:58:00 GMT
Content-Type: text/html; charset=UTF-8

2. Enable the following parameter in the main Apache configuration file:

Include  /usr/share/doc/httpd-2.4.6/httpd-default.conf

3. Modify the included configuration file as follows:

vim /usr/share/doc/httpd-2.4.6/httpd-default.conf
find:
ServerTokens Full
ServerSignature On
and change to:
ServerTokens Prod
ServerSignature Off

Restart the Apache service and test again:

[root@localhost conf]# curl -I www.ityunn.com
HTTP/1.1 200 OK
Date: Wed, 04 Sep 2019 22:09:17 GMT
Server: Apache
Last-Modified: Tue, 03 Sep 2019 10:58:26 GMT
ETag: "15-591a3f7c53031"
Accept-Ranges: bytes
Content-Length: 21
Cache-Control: max-age=0
Expires: Wed, 04 Sep 2019 22:09:17 GMT
Content-Type: text/html; charset=UTF-8

Note: if you need to replace this information completely so that a different name is shown, you must prepare before compiling, or recompile. When recompiling, edit the file ap_release.h in the include directory of the source package:

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"    /* vendor name of the server */
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"           /* project name of the server */
#define AP_SERVER_BASEPRODUCT "Apache"                       /* product name of the server */
#define AP_SERVER_MAJORVERSION_NUMBER 2                      /* major version number */
#define AP_SERVER_MINORVERSION_NUMBER 4                      /* minor version number */
#define AP_SERVER_PATCHLEVEL_NUMBER 23                       /* patch level */
#define AP_SERVER_DEVBUILD_BOOLEAN 0                         /* development build flag */

Each line above is annotated; modify them as you wish, then compile and install, and others will not be able to tell your version number at all.
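A quick way to confirm the change from outside is to inspect the headers that curl -I prints. The following is an added example (not code from the article) that parses such header text and flags values that still carry a product version; the BEFORE and AFTER samples are constructed from the two outputs quoted above, and parse_headers and version_leaks are names chosen here. X-Powered-By is included because it is a second common version source, set by application runtimes such as PHP, which ServerTokens does not affect.

```python
import re

# Added illustration (not code from the article): a check over the raw text
# that `curl -I` prints, reporting response headers that still disclose a
# product version. The BEFORE/AFTER samples are constructed from the outputs
# quoted above.

# A "product/1.2.3" token, the shape ServerTokens Full/OS/Minor/Major produce.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")

def parse_headers(raw):
    """Map header names (lower-cased) to values; the HTTP status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def version_leaks(raw):
    """Return (header, value) pairs that carry a version. Server is what
    ServerTokens controls; X-Powered-By is a second common source (set by
    application runtimes such as PHP) that ServerTokens does not affect."""
    headers = parse_headers(raw)
    return [(name, headers[name]) for name in ("server", "x-powered-by")
            if name in headers and VERSION_TOKEN.search(headers[name])]

# Constructed from the curl output shown before the change.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8
"""

# Constructed from the curl output shown after ServerTokens Prod.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    print(version_leaks(BEFORE))   # [('server', 'Apache/2.4.6 (CentOS)')]
    print(version_leaks(AFTER))    # []
```

Feeding it the output of curl -I against your own host after the restart gives an empty list when ServerTokens Prod has taken effect.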
 
 

4. Apache log splitting

Introduction:
Why split the logs?

As site traffic grows, the log files generated by the web server keep growing. If the logs are not split, the only option is to delete the whole large log file (such as the Apache log) at once,

which loses a lot of valuable information about the site, because these logs are used for access analysis, network security monitoring and network health monitoring.

Managing these large volumes of logs is therefore of great significance to the site.

Method 1: use rotatelogs (Apache's own tool) to write one log file per day

(1) Edit the main Apache configuration file as follows:

Comment out the following two lines:

ErrorLog logs/error_log
CustomLog logs/access_log common

Then add the following two lines:

ErrorLog "|/usr/sbin/rotatelogs -l logs/error_%Y%m%d.log 86400"
CustomLog "|/usr/sbin/rotatelogs -l logs/access_%Y%m%d.log 86400" combined

-l uses local time instead of GMT as the reference time. The CustomLog line defines the access log format; 86400 is one day in seconds, so a new log file is created every day. Restart the Apache service and check the result.

Finally, a word on viewing logs: Apache writes to a file by its inode, not by its file name, so if an Apache log file is renamed and Apache is not restarted, it keeps writing into the renamed file.

Method 2: use cronolog to create a new log file every day
(1) Download and install the cronolog program

Download from the official site: https://centos.pkgs.org/7/epel-x86_64/cronolog-1.6.2-14.el7.x86_64.rpm.html

tar zxf cronolog-1.6.2.tar.gz
cd cronolog-1.6.2/
./configure && make && make install
or
yum -y install cronolog-1.6.2-14.el7.x86_64.rpm    # yum fetches the dependencies the package needs from the yum repository automatically

(2) After the installation completes, open the main Apache configuration file and add the following two lines:

ErrorLog "|/usr/local/sbin/cronolog logs/error-%Y%m%d.log"
CustomLog "|/usr/local/sbin/cronolog logs/access-%Y%m%d.log" combined

If there are several Apache virtual hosts, it is best to place such lines in each virtual host, using a different log file name for each.

(3) Restart Apache to verify, and view the log files in the logs directory.

Note: there is a small difference between the two piped loggers: if the log path points to a directory that does not exist, cronolog creates it automatically, while rotatelogs does not. Pay special attention to this.

Extended:

This produces one folder per day, with one log file per hour inside the folder:

CustomLog "|/usr/local/sbin/cronolog logs/%Y%m%d/access_log.%H" combined

Rotation by day (the recommended and most common usage in production):

CustomLog "|/usr/local/sbin/cronolog logs/access_www_%Y%m%d.log" combined

Rotation by hour (also fairly common in production):

CustomLog "|/usr/local/sbin/cronolog logs/access_www_%Y%m%d%H.log" combined
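The difference the -l flag makes, and the file names the patterns above expand to, are easier to see on fixed timestamps than on a live server. The following is an added example (not code from the article) modelling both loggers: rotatelogs with a numeric interval rotates on multiples of that interval counted from the Unix epoch, in UTC unless -l is given, and names the file from the start of the current interval; cronolog expands its strftime pattern from the wall-clock time of each write. The timestamp and the UTC+8 offset are constructed sample values, and rotatelogs_name and cronolog_name are names chosen here.

```python
from datetime import datetime, timedelta, timezone

# Added illustration (not code from the article): which file a piped logger is
# writing to at a given moment. rotatelogs with a numeric interval rotates on
# multiples of that interval counted from the Unix epoch, in UTC unless -l is
# given, and names the file from the start of the current interval; cronolog
# expands its strftime pattern from the wall-clock time of each write. The
# timestamp and the UTC+8 offset below are constructed sample values.

def rotatelogs_name(pattern, now_utc, interval=86400, local=False, utc_offset_hours=0):
    """File name rotatelogs uses for an aware UTC datetime now_utc.
    local=True models the -l flag: both the interval boundary and the
    pattern are evaluated in local time (given here as a fixed UTC offset)."""
    shift = timedelta(hours=utc_offset_hours) if local else timedelta(0)
    epoch = int((now_utc + shift).timestamp())       # seconds since the epoch, shifted for -l
    period_start = epoch - epoch % interval          # start of the current rotation interval
    return datetime.fromtimestamp(period_start, tz=timezone.utc).strftime(pattern)

def cronolog_name(pattern, now_utc, utc_offset_hours=0):
    """cronolog expands the pattern from local time at the moment of the write."""
    return (now_utc + timedelta(hours=utc_offset_hours)).strftime(pattern)

# Constructed: 23:30 UTC on 4 Sep 2019, which is already 07:30 on 5 Sep in UTC+8.
SAMPLE_NOW = datetime(2019, 9, 4, 23, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(rotatelogs_name("access_%Y%m%d.log", SAMPLE_NOW))                                  # access_20190904.log
    print(rotatelogs_name("access_%Y%m%d.log", SAMPLE_NOW, local=True, utc_offset_hours=8))  # access_20190905.log
    print(cronolog_name("%Y%m%d/access_log.%H", SAMPLE_NOW, 8))                              # 20190905/access_log.07
```

Without -l a server in a UTC+8 zone keeps writing to the previous day's file until 08:00 local time, which is the mismatch the -l flag in the rotatelogs lines above avoids.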

 

Anti-hotlinking

In general, a complete page is not transferred to the client all at once. If the requested page contains pictures or other resources, the first HTTP request transfers the text of the page; the client's browser then interprets this text and, if it finds an image, sends another request to httpd. When that request is processed the image file is transferred to the client, and finally the browser places the image in the correct position on the page. A complete page therefore needs several httpd requests before it is fully displayed.

The HTTP protocol standard has a dedicated Referer field whose role is as follows:
(1) it can be used to trace which address a request came from;
(2) for resource files, it can track which web page embedded and displayed them. All anti-hotlinking methods are based on the Referer field.

Environment: first prepare a test environment with two Apache web servers, to simulate a source host and a hotlinking host.

IP address        Domain name        Use
192.168.10.104    www.ityunn.com     CentOS source host
192.168.10.105    www.ityun.com      CentOS hotlinking host

If you want to see detailed Apache installation steps, follow the link below:
Apache installation link

1. Prepare pictures (on the CentOS source host)

mkdir /var/www/html/images
find / -iname '*.jpg' -exec cp {} /var/www/html/images/ \;
find / -iname '*.png' -exec cp {} /var/www/html/images/ \;

Edit the index.html page file and add the code that displays the image:

vim /var/www/html/index.html
<html>
<body>
<h1>woshinibaba</h1>
<img src="yellow-rose.jpg"/>
</body>
</html>

On the hotlinking host:

vim /var/www/html/index.html
<html>
<body>
<h1>woshinimama</h1>
<img src="http://www.ityunn.com/yellow-rose.jpg"/>
</body>
</html>

[Screenshot: the page served by the second Apache displays the picture fetched from the first Apache]
The screenshot shows that the second Apache server has successfully hotlinked the picture from the first Apache web site.

To stop others from abusing our resources in this way, configure anti-hotlinking on the first Apache server!
 

Configuring Apache anti-hotlinking

Method 1: the first Apache anti-hotlinking method, implemented with mod_rewrite

1. First make sure Apache has the rewrite module

httpd -M | grep rewrite

2. Modify the configuration file
Note: the rules go inside the <Directory> block for the page path

vim /etc/httpd/conf/httpd.conf
# anti-hotlinking configuration
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !ityunn\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !www\.ityunn\.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.ityunn.com/images/document-new.png [R,NC,L]

1. RewriteEngine On    # enables the rewrite engine; rewriting only works when this is On

2. RewriteCond test-string condPattern    # written before the RewriteRule; there can be one or N of them. They are the conditions tested before the rewrite is applied; how to write them is explained in detail below.

3. RewriteRule Pattern Substitution    # the rewrite rule

4. %{HTTP_REFERER}: a server variable. HTTP Referer is part of the request header; when a browser sends a request to the web server it usually carries a Referer that tells the server which page the link came from, so the server can obtain some information for processing. For example, if my home page links to a friend's site, his server can count from the HTTP Referer how many users per day click through to his site from my home page.

5. [NC] means case-insensitive; [R] forces a redirect.

6. The letter L means that if this rule matches it is the last one (Last), and the rules after it are ignored.
 
Explanation of the anti-hotlinking configuration:

1. The RewriteCond lines list your trusted sites. For my site these are http://www.ityunn.com and http://ityunn.com.

2. The RewriteRule pattern lists the file extensions to protect (separated by |). Files with these extensions can only be accessed when the referring URL matches one of the trusted sites.

3. The substitution defines the picture shown in place of a hotlinked file: every page that hotlinks jpg, gif, swf and similar files is shown the file images/document-new.png under the document root. Note: do not put the replacement picture in the directory protected by the anti-hotlinking rule, and keep the picture file as small as possible.

You can also skip the replacement picture and use the following statement instead: RewriteRule .*\.(gif|jpg|png)$ - [F]

Note: [F] (forbidden) forces the current URL to be forbidden, i.e. an HTTP 403 (Forbidden) response code is returned immediately.

Note:
RewriteCond %{HTTP_REFERER} !^$

The line above allows access with an empty HTTP_REFERER, that is, the image file is still displayed when the user types the image address directly into the browser's address bar.

RewriteCond %{HTTP_REFERER} !ityunn\.com/.*$ [NC]

RewriteCond %{HTTP_REFERER} !www\.ityunn\.com/.*$ [NC]

These set the HTTP sources that are allowed to access the files, including the site itself.

RewriteRule .*\.(gif|jpg|swf)$ http://www.ityunn.com/images/document-new.png [R,NC,L]

Requests whose Referer does not satisfy the conditions are redirected to document-new.png. document-new.png must be in the images directory, where hotlinking is allowed; pay close attention to this, otherwise neither the warning image nor the picture can be displayed on the other site.
 

3. Move the picture into the images/ directory

mv /usr/share/icons/gnome/256x256/actions/document-new.png /var/www/html/images

4. Test access from the hotlinking host
[Screenshot: the hotlinking host now shows the replacement picture document-new.png instead of the original image]
Note: if you do not see the effect, remember to clear the browser cache!

The screenshot shows that the second Apache server is accessing the first Apache server, which now has anti-hotlinking configured, so it can only see the replacement picture we put there.

Method 2: block certain requests by checking the browser's request header information, i.e. using SetEnvIfNoCase together with access control. This method can also save bandwidth by blocking certain robots or spiders from crawling your site.

Syntax: SetEnvIfNoCase attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ...

SetEnvIfNoCase assigns a variable when certain conditions are met, i.e. it sets an environment variable according to attributes of the client request.

Note: Referer is the URL of the resource from which the current resource was requested, so it can be used for anti-hotlinking.

(1) Find the corresponding position in the main Apache configuration file (or virtual host) and add the following code:

Example:

SetEnvIfNoCase Referer "^$" local_ref
SetEnvIfNoCase Referer "www.ityunn.com/.*$" local_ref
SetEnvIfNoCase Referer "ityunn.com/.*$" local_ref

For version 2.4 and above, the access control block is:
<FilesMatch "\.(mp3|mp4|zip|rar|jpg|gif|png)">
    Require all denied
    Require env local_ref
</FilesMatch>

For versions below 2.4, use one of the following inside the same <FilesMatch> block:
Method 1:
    Order Deny,Allow
    Allow from env=local_ref
    Deny from all
Method 2:
    Order Allow,Deny
    Allow from env=local_ref

Note: the image formats to protect must be listed explicitly.

(2) Restart the Apache service and verify access from the client:
[Screenshot: the hotlinking host is denied access to the picture]
The screenshot shows that the first Apache server, using SetEnvIfNoCase with access control, successfully prevents the second Apache server from hotlinking.

These are the two methods of anti-hotlinking.
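Both methods above reduce to the same question, is the Referer empty or does it match a trusted site, and differ only in what happens when the answer is no (a redirect in method 1, a 403 in method 2) and in which extensions are covered. The following is an added example (not code from the article) that evaluates both rule sets in Python over constructed requests, so each outcome can be checked without two servers. The host names are the article's; ALLOWED_REFERERS reproduces the article's unanchored patterns, while STRICT_REFERERS is an added, anchored variant that the article does not configure, included to show that the unanchored form also trusts any host whose name merely contains "ityunn.com/". The function names are chosen here.

```python
import re

# Added illustration (not code from the article): both Referer checks above,
# evaluated in Python over constructed requests so each rule's outcome can be
# seen without two servers. Host names are the article's; STRICT_REFERERS is an
# added, anchored variant of the patterns, not something the article configures.

ALLOWED_REFERERS = [r"ityunn\.com/.*$", r"www\.ityunn\.com/.*$"]   # the article's RewriteCond/SetEnvIf patterns
STRICT_REFERERS = [r"^https?://(www\.)?ityunn\.com/"]              # anchored at the scheme and host
REDIRECT_TARGET = "http://www.ityunn.com/images/document-new.png"
REWRITE_PROTECTED = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)               # RewriteRule pattern with [NC]
SETENVIF_PROTECTED = re.compile(r"\.(mp3|mp4|zip|rar|jpg|gif|png)", re.IGNORECASE)  # FilesMatch pattern

def referer_is_trusted(referer, patterns=ALLOWED_REFERERS):
    """An empty Referer is trusted (RewriteCond !^$ / SetEnvIfNoCase "^$"),
    and so is any Referer matching one of the site patterns; the match is
    case-insensitive, as [NC] and SetEnvIfNoCase make it."""
    if referer == "":
        return True
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

def rewrite_decision(uri, referer, patterns=ALLOWED_REFERERS):
    """Method 1: the RewriteRule fires only when every RewriteCond holds, i.e.
    the Referer is untrusted and the URI has a protected extension."""
    if REWRITE_PROTECTED.match(uri) and not referer_is_trusted(referer, patterns):
        return ("redirect", REDIRECT_TARGET)
    return ("serve", uri)

def setenvif_decision(uri, referer, patterns=ALLOWED_REFERERS):
    """Method 2: SetEnvIfNoCase sets local_ref for trusted Referers and
    'Require env local_ref' inside FilesMatch admits only those requests."""
    if SETENVIF_PROTECTED.search(uri) and not referer_is_trusted(referer, patterns):
        return 403
    return 200

if __name__ == "__main__":
    # The article's hotlinking host www.ityun.com (one 'n') does not match ityunn.com.
    print(rewrite_decision("/yellow-rose.jpg", "http://www.ityun.com/index.html"))   # ('redirect', ...)
    print(rewrite_decision("/yellow-rose.jpg", ""))                                  # ('serve', ...)
    print(setenvif_decision("/yellow-rose.png", "http://www.ityun.com/index.html"))  # 403
    # Unanchored patterns also trust any host whose name merely contains "ityunn.com/".
    print(referer_is_trusted("http://notityunn.com/page"))                       # True
    print(referer_is_trusted("http://notityunn.com/page", STRICT_REFERERS))      # False
```

Two details worth noticing when running it: the method 1 rule covers gif, jpg and swf only, so a hotlinked .png is still served by it while method 2's FilesMatch list denies it; and passing STRICT_REFERERS to either decision function keeps the article's behaviour for the two real site names while no longer trusting look-alike hosts.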

Summary:
(1) Enable Apache gzip compression (tuning)
(2) Enable Apache Expires caching (tuning)
(3) Hide the Apache version number (security)
(4) Split Apache logs (security)
(5) Apache anti-hotlinking (security)
