Web server cluster -- Apache Web page and security optimization

Apache Web page optimization

Web page compression

  • Factors affecting website access speed: application response speed, network bandwidth, server performance, network transmission speed with clients, etc.
  • One of the most important factors is Apache itself, so improving the execution speed of Apache (using web page compression) is the most cost-effective choice.

Effects:

  • Reduces the number of bytes transmitted over the network and speeds up page loading
  • Saves bandwidth and improves the user's browsing experience
  • gzip-compressed pages are handled well by search-engine crawlers

The functional modules of Apache to realize web page compression include

  • mod_gzip module
  • mod_deflate module

Apache 1.x

  • No built-in web page compression; the third-party mod_gzip module can be used for compression

Apache 2.x

  • mod_deflate is built in as a replacement for mod_gzip

mod_gzip module and mod_deflate module

  • Both use the gzip compression algorithm, and their operating principles are similar
  • mod_deflate compresses slightly faster; mod_gzip has a slightly higher compression ratio
  • mod_gzip consumes more server CPU
  • On a high-traffic server, mod_deflate may load faster than mod_gzip
# Check that the module is installed
[root@lamp bin]# ./apachectl -t -D DUMP_MODULES | grep deflate
 deflate_module (shared)

# If it is not installed, recompile:
# stop httpd, then add the option --enable-deflate when configuring and reinstalling

# Enable the module: uncomment (or add) the LoadModule line in httpd.conf
[root@lamp bin]# vim /usr/local/httpd/conf/httpd.conf

LoadModule deflate_module modules/mod_deflate.so

Then add the following block (Apache does not allow a comment on the same line as a directive, so the comments are on their own lines):

<IfModule mod_deflate.c>
       # Content types for which gzip compression is enabled
       AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript
       # Compression level; 9 is the highest and costs the most CPU
       DeflateCompressionLevel 9
       # Enable the deflate module to gzip-compress all output of this site.
       # Note: SetOutputFilter compresses every response, including already-compressed images;
       # to compress only the types listed above, use the AddOutputFilterByType line on its own
       SetOutputFilter DEFLATE
</IfModule>

# Check syntax
[root@lamp bin]# ./apachectl -t
Syntax OK

# Restart
[root@lamp bin]# systemctl restart httpd

# Check in the browser (F12, Network tab)
# Request header sent by the browser
Accept-Encoding: gzip, deflate
# Response header returned by Apache
Content-Encoding: gzip

Seeing gzip in the response header indicates that the web page compression configuration is successful

Web cache

  • The mod_expires module configures Apache so that web pages can be cached in the client browser for a period of time, avoiding repeated requests

  • After mod_expires is enabled, it automatically generates the Expires and Cache-Control headers in the response, which reduces the client's access frequency, cuts unnecessary traffic and increases access speed

# Check whether the module is installed
[root@lamp bin]# ./apachectl -M | grep expires
 expires_module (shared)

# If not, recompile and install with the option --enable-expires

# Enable the module: modify httpd.conf
[root@lamp bin]# vim /usr/local/httpd/conf/httpd.conf

LoadModule expires_module modules/mod_expires.so

<IfModule mod_expires.c>
        ExpiresActive on
        ExpiresDefault "access plus 1 month"
</IfModule>

# Optional alternatives
# ExpiresDefault "access plus 1 month"
# ExpiresDefault "access plus 4 weeks"
# ExpiresDefault "access plus 30 days"

# Per content type
# ExpiresByType text/html "access plus 1 month 15 days 2 hours"
# ExpiresByType image/gif "modification plus 5 hours 3 minutes"

# Check syntax
[root@lamp bin]# ./apachectl -t
Syntax OK

# Check in the browser (F12, response headers)
Expires: Wed, 11 Jan 1984 05:00:00 GMT

Here you can see that the web page cache is configured successfully

Attention
For dynamic pages, unless Expires is forcibly set by a function inside the page, such as header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT"), the Apache server returns Wed, 11 Jan 1984 05:00:00 GMT to the browser as the Expires field. That is, dynamic pages are always treated as expired. The browser will still store the expired dynamic pages.
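The three "optional" ExpiresDefault values above look interchangeable, but mod_expires counts a month as 30 days and a week as 7 days, so "4 weeks" is two days shorter than "1 month". The following shell functions are an added example, not part of the original post: expires_to_seconds turns an ExpiresDefault / ExpiresByType value into the lifetime in seconds the way mod_expires.c does, and max_age shows the Cache-Control value that results for an access-based versus a modification-based lifetime. The only assumptions are POSIX sh and awk; the A<seconds> / M<seconds> shorthand it also accepts goes beyond what this page uses.

```shell
#!/bin/sh
# Added example, not part of the original post: work out the lifetime mod_expires derives from an
# ExpiresDefault / ExpiresByType value. Unit sizes follow mod_expires.c: year = 365 days,
# month = 30 days, week = 7 days (so "1 month" and "30 days" are equal, but "4 weeks" is shorter).
# Assumes only POSIX sh and awk; the "A<seconds>" / "M<seconds>" shorthand is also accepted.

# expires_to_seconds "<base> [plus] <n> <unit> [<n> <unit> ...]"  -> prints the lifetime in seconds
expires_to_seconds() {
    printf '%s\n' "$1" | awk '
        /^[AM][0-9]+$/ { print substr($0, 2) + 0; exit }       # shorthand form, seconds given directly
        {
            start = (tolower($2) == "plus") ? 3 : 2           # the word "plus" is optional
            total = 0
            for (i = start; i + 1 <= NF; i += 2) {
                n = $i; u = tolower($(i + 1))
                if      (u ~ /^year/)   f = 365 * 86400
                else if (u ~ /^month/)  f = 30 * 86400
                else if (u ~ /^week/)   f = 7 * 86400
                else if (u ~ /^day/)    f = 86400
                else if (u ~ /^hour/)   f = 3600
                else if (u ~ /^minute/) f = 60
                else if (u ~ /^second/) f = 1
                else { print "unknown unit: " u > "/dev/stderr"; exit 1 }
                total += n * f
            }
            print total
        }'
}

# max_age <base-epoch> <now-epoch> "<spec>" -> the Cache-Control max-age mod_expires would send.
# For "access ..." the base is the request time itself (pass the same value twice); for
# "modification ..." pass the file's mtime, and the value shrinks as the file ages.
max_age() {
    secs=$(expires_to_seconds "$3") || return 1
    echo $(( $1 + secs - $2 ))
}

# Demonstration on the values used in the post
for spec in "access plus 1 month" "access plus 4 weeks" "access plus 30 days" \
            "access plus 1 month 15 days 2 hours" "modification plus 5 hours 3 minutes"; do
    printf '%-40s -> %s seconds\n' "$spec" "$(expires_to_seconds "$spec")"
done
# A gif modified 6 hours (21600 s) before the request, with "modification plus 5 hours 3 minutes":
# the computed expiry is already in the past, so the browser has to revalidate.
printf 'max-age for a 6-hour-old file: %s\n' "$(max_age 0 21600 "modification plus 5 hours 3 minutes")"
```

Because ExpiresDefault applies to every response, including the output of PHP pages, a site such as the WordPress install used later on this page is better served by ExpiresByType entries for the static types only (images, CSS, JavaScript), leaving dynamic pages governed by the headers the application itself sets.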

Apache security optimization

Configure anti-hotlinking

  • Anti-hotlinking prevents other people's website code from embedding the server's pictures, files, videos and other resources
  • If others hotlink these static resources of the website, it obviously increases the bandwidth pressure on the server
  • Therefore, as the maintainers of the website, we should prevent our server's static resources from being embedded by other websites

IP address       Purpose
192.168.188.188  Source host (genuine site)
192.168.188.158  Hotlinking host

WordPress is currently deployed on the source host. Then I post a picture.

# Add pictures to the genuine website
# Note: a+w makes the whole wp-content tree world-writable; it is used here only for convenience in the lab
[root@lamp htdocs]# chmod -R a+w wp-content
[root@lamp htdocs]# ls


Then we embed the picture link from the hotlinking website

# Write an index.html on the hotlinking host
[root@maomao html]# vim index.html
<html>
<head>
</head>
<body>
        <h1>It works!</h1>
        <img src="http://192.168.188.188/wp-content/uploads/2021/03/mao1.jpg"/>
</body>
</html>

At present, the hotlinking website can display the picture

We set up anti-hotlinking on the genuine server

# Check the log before setting up anti-hotlinking to see whether someone has been hotlinking our resources
[root@lamp logs]# tailf wordpree_20210319.log

192.168.188.1 - - [19/Mar/2021:02:01:24 -0400] "GET /wp-content/uploads/2021/03/mao1.jpg HTTP/1.1" 200 237948 "http://192.168.188.158/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.54"

# The Referer http://192.168.188.158/ shows that host 158 is using the picture /wp-content/uploads/2021/03/mao1.jpg

Set up anti-hotlinking

# Check that the rewrite module is loaded
[root@lamp bin]# ./apachectl -t -D DUMP_MODULES | grep rewrite

# Edit the httpd.conf file
# Description of the variables and patterns used in the rule
# %{HTTP_REFERER}: the Referer field of the request header, which holds the URL of the page the request came from
# !^...: does not start with the following string
# .*?: matches any characters, as few as possible (non-greedy)
# .*$: matches any characters up to the end of the string
# NC: case-insensitive
# R: redirect (force the browser to jump to another URL)
# ?: the preceding character appears 0 or 1 times
# *: the preceding character appears 0 or more times
# +: the preceding character appears 1 or more times
# ^: start-of-string anchor
# $: end-of-string anchor
# .: matches any single character

# Uncomment to load the rewrite module
LoadModule rewrite_module modules/mod_rewrite.so

# The following lines go inside the site's existing <Directory> block (the one that already
# contains "Require all granted"); Apache does not allow a comment on the same line as a directive
    Require all granted
    # Turn on the rewrite engine
    RewriteEngine On
    # Only allow requests whose Referer is http://192.168.188.188 itself or a page under http://192.168.188.188/
    RewriteCond %{HTTP_REFERER} !^http://192.168.188.188/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://192.168.188.188$ [NC]
    # Otherwise refuse access to the picture with 403 Forbidden
    # ("-" leaves the URL unchanged, F = forbidden, NC so that .JPG is matched as well as .jpg)
    RewriteRule .*\.(png|jpg|jpeg|gif)$ - [F,NC]
    # Note: a request with no Referer at all (direct access, or a client that strips it) fails both
    # conditions and is refused too

[root@lamp bin]# ./apachectl -t
Syntax OK
[root@lamp bin]# systemctl restart httpd

Use the browser to visit the genuine website: the picture is visible

Use the browser to visit the hotlinking website after clearing the browser cache

The picture is no longer displayed, which shows that anti-hotlinking is working
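To measure how much hotlinking is going on before the rule is deployed, and to confirm afterwards that only foreign referers are affected, it helps to replay the rule's decision over the access log. The script below is an added example, not part of the original post: referer_allowed reproduces the two RewriteCond tests, hotlink_hits applies them to combined-format log lines, and SAMPLE_LOG is a constructed log whose first line is the real one quoted above. It assumes POSIX sh and awk and the site URL http://192.168.188.188; it matches image extensions case-insensitively, which the RewriteRule on the page does only once [NC] is added to it.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the same Referer decision as the two
# RewriteCond lines above to Apache's access log, so that hotlinking can be measured before
# (and verified after) the rule is deployed. Assumes POSIX sh and awk, the combined log format,
# and the site URL below; image extensions are matched case-insensitively (RewriteRule with [NC]).

SITE='http://192.168.188.188'     # the genuine site, lowercase (the conditions use [NC])

# referer_allowed "<referer>" -> 0 when the rule lets the request through, 1 when it is refused.
# Exactly the two conditions of the rule: Referer equals the site, or starts with site + "/".
# An absent Referer (logged as "-") passes neither condition, so the rule refuses it too.
referer_allowed() {
    ref=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$ref" in
        "$SITE" | "$SITE"/*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# hotlink_hits "<log text>" -> one line "<referer> <path>" per image request the rule would refuse
hotlink_hits() {
    printf '%s\n' "$1" | awk -v site="$SITE" '
        {
            path = $7; ref = $11                 # combined log format: request path and quoted Referer
            gsub(/"/, "", ref)
            lpath = tolower(path); lref = tolower(ref)
            if (lpath !~ /\.(png|jpg|jpeg|gif)$/) next                # not covered by the RewriteRule
            if (lref == site || index(lref, site "/") == 1) next      # both RewriteConds satisfied: allowed
            print ref, path
        }'
}

# Constructed sample log (combined format). The first line is the real one quoted in the post;
# the others are made up to cover an allowed referer, a non-image request and a direct download.
SAMPLE_LOG='192.168.188.1 - - [19/Mar/2021:02:01:24 -0400] "GET /wp-content/uploads/2021/03/mao1.jpg HTTP/1.1" 200 237948 "http://192.168.188.158/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.54"
192.168.188.1 - - [19/Mar/2021:02:02:10 -0400] "GET /wp-content/uploads/2021/03/mao1.jpg HTTP/1.1" 200 237948 "http://192.168.188.188/?p=5" "Mozilla/5.0"
192.168.188.1 - - [19/Mar/2021:02:03:00 -0400] "GET /index.php HTTP/1.1" 200 1024 "http://192.168.188.158/" "Mozilla/5.0"
192.168.188.1 - - [19/Mar/2021:02:04:00 -0400] "GET /wp-content/uploads/2021/03/mao1.JPG HTTP/1.1" 200 237948 "-" "curl/7.61.1"'

# Report: which requests would be refused, and the refused referers by count
echo "Requests the anti-hotlinking rule would refuse (referer, then path):"
hotlink_hits "$SAMPLE_LOG"
echo "Refused referers by count:"
hotlink_hits "$SAMPLE_LOG" | awk '{ print $1 }' | sort | uniq -c
```

Against the real log, run it from the logs directory as hotlink_hits "$(cat wordpree_20210319.log)". The last sample line shows a side effect worth knowing before deployment: a request that carries no Referer (direct access, privacy-conscious browsers, or a download tool) is refused as well; if those should keep working, an extra condition RewriteCond %{HTTP_REFERER} !^$ is the usual addition.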

Hide version information

  • Apache's version information reveals which known vulnerabilities may apply, which is a security risk for the website
  • Hiding the Apache version should be configured in the production environment

# Edit the main configuration file httpd.conf and uncomment
Include conf/extra/httpd-default.conf

[root@lamp bin]# vim /usr/local/httpd/conf/extra/httpd-default.conf
ServerTokens Prod
ServerSignature Off

# Check in the browser (F12, response headers); the version number is no longer displayed
Server: Apache
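The browser's F12 panel is one way to confirm the compression, cache and ServerTokens settings; the script below does the same checks from the shell so they can be repeated after every restart. It is an added example, not part of the original post, and serves both the "seeing gzip" check in the compression section and the Server: Apache check here. header_value pulls one header out of a captured response, the three check_* functions encode what a correctly configured server should return, and the two header blocks are constructed samples. It assumes POSIX sh, awk and sed; audit_url additionally assumes curl is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a captured response header block for the
# three settings configured on this page (gzip compression, a cache lifetime, and a Server header
# without a version). Assumes POSIX sh, awk and sed; audit_url additionally assumes curl.

# header_value "<headers>" "<name>" -> prints the value of the named header (case-insensitive), or nothing
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        BEGIN { name = tolower(name) }
        index($0, ":") {
            n = tolower(substr($0, 1, index($0, ":") - 1))
            if (n == name) { v = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", v); val = v }
        }
        END { print val }'
}

# check_compression: gzip body plus Vary: Accept-Encoding (so a cache never hands a gzip body to a
# client that did not ask for one; mod_deflate adds the Vary header itself)
check_compression() {
    enc=$(header_value "$1" Content-Encoding | tr 'A-Z' 'a-z')
    vary=$(header_value "$1" Vary | tr 'A-Z' 'a-z')
    [ "$enc" = "gzip" ] || { echo "fail: Content-Encoding is '${enc:-absent}', not gzip"; return 1; }
    case "$vary" in
        *accept-encoding*) echo ok ;;
        *) echo "fail: Vary: Accept-Encoding missing"; return 1 ;;
    esac
}

# check_cache: a positive max-age, which is what ExpiresDefault produces for static files;
# WordPress dynamic pages answer with max-age=0 and the 1984 Expires date seen on this page
check_cache() {
    cc=$(header_value "$1" Cache-Control)
    n=$(printf '%s\n' "$cc" | tr ',' '\n' | sed -n 's/^ *max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then
        echo ok
    else
        echo "fail: Cache-Control '${cc:-absent}' sets no positive max-age"; return 1
    fi
}

# check_server_token: with ServerTokens Prod the header is exactly "Apache"; anything longer
# discloses version, OS or module details. No Server header at all is also fine.
check_server_token() {
    srv=$(header_value "$1" Server)
    case "$srv" in
        "" | Apache) echo ok ;;
        *) echo "fail: Server header discloses '$srv'"; return 1 ;;
    esac
}

# audit_headers "<headers>" -> runs all three checks; exit status 1 if any of them failed
audit_headers() {
    rc=0
    for check in check_compression check_cache check_server_token; do
        out=$("$check" "$1") || rc=1
        printf '%-20s %s\n' "$check" "$out"
    done
    return "$rc"
}

# audit_url "<url>" -> fetch the headers the way the browser does (GET with gzip offered), then audit them
audit_url() {
    audit_headers "$(curl -sS -o /dev/null -D - -H 'Accept-Encoding: gzip, deflate' "$1")"
}

# Constructed sample 1: what a correctly configured server might return for a static page
SAMPLE_OK='HTTP/1.1 200 OK
Date: Fri, 19 Mar 2021 06:01:24 GMT
Server: Apache
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Sun, 18 Apr 2021 06:01:24 GMT
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8'

# Constructed sample 2: default build, no compression, WordPress no-cache headers, full version string
SAMPLE_LEAKY='HTTP/1.1 200 OK
Date: Fri, 19 Mar 2021 06:01:24 GMT
Server: Apache/2.4.46 (Unix) PHP/7.4.16
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8'

echo "--- hardened sample ---"; audit_headers "$SAMPLE_OK" || true
echo "--- default sample ---";  audit_headers "$SAMPLE_LEAKY" || true
```

For a live check run audit_url http://192.168.188.188/ after the restart; a non-zero exit status means at least one of the three settings did not take effect.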

Tags: Web Server Linux Operation & Maintenance Apache server

Posted by c0le on Wed, 30 Mar 2022 00:22:18 +0300