Apache Web page and security optimization

Posted by bimmer528 on Tue, 05 Oct 2021 21:07:56 +0200

1, Apache Web page optimization

1. Web page compression

  • The access speed of a website is determined by many factors: the response time of the application, the network bandwidth, the performance of the server, the transmission speed between server and client, and so on.
  • One of the most important factors is the response speed of Apache itself, so when the performance of a website is a concern, the first thing to do is to make Apache respond as fast as possible. Web page compression is one way to do this. It needs no extra hardware or software; its only cost is a small increase in server CPU utilization, typically one or two percentage points or less.

1.1 gzip overview

  • gzip is a popular file compression format that is widely used, especially on Linux.
  • With Apache's compression module, the content published by the server is compressed with the gzip (deflate) algorithm before it is sent to the client browser. This reduces the number of bytes transmitted over the network; the most obvious benefit is faster page loading.
  • Faster page loading saves bandwidth and improves the user's browsing experience; a further benefit is that search engine crawlers also request and handle compressed pages, so crawling the site is cheaper for them too.

1.2 HTTP compression process

  • After receiving an HTTP request from the browser, the Web server first checks whether the browser supports HTTP compression (the Accept-Encoding request header). If it does, the server checks the type of the requested file. For a static file such as HTML or CSS, a server that keeps a compressed cache looks in its compressed cache directory for an up-to-date compressed copy of the file.
  • If no compressed copy exists, the server returns the uncompressed file to the browser and stores a compressed copy in the cache directory for later requests.
  • If an up-to-date compressed copy already exists, it is returned directly.
  • For a dynamic file, the server compresses the generated content on the fly and returns it to the browser; nothing is stored in the cache directory.
  • Note that Apache's mod_deflate keeps no compressed cache at all: it compresses every response on the fly, static or dynamic, and adds a Vary: Accept-Encoding header so that intermediate caches keep the compressed and uncompressed versions apart.

1.3 compression module of Apache

  • mod_gzip module: a third-party module with a high compression ratio but high CPU consumption on the server

  • mod_deflate module: ships with Apache and compresses quickly. It is designed with server performance in mind and needs fewer resources to compress files, which means that on a high-traffic server it delivers pages faster than mod_gzip

1.4 mod_deflate module

  • Check whether the mod_deflate module is installed
apachectl -t -D DUMP_MODULES | grep "deflate"
  • If mod_deflate is not installed, stop the Apache service, recompile and install Apache, and add the mod_deflate module to the configure parameters
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate				         #Add mod_deflate module

make -j 4 && make install
  • Configure mod_deflate module enabled
vim /usr/local/httpd/conf/httpd.conf
#Line 52 modification
Listen 192.168.10.20:80
#Line 105 uncomment
LoadModule deflate_module modules/mod_deflate.so		#Enable mod_deflate module
#Line 197 uncomment, modify
ServerName www.test.com:80
--Add on last line--
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript application/javascript	#Content types that are gzip-compressed. JPEG and PNG files are already compressed (and "text/jpg"/"text/png" are not real MIME types), so image types are left out
DeflateCompressionLevel 9			#Compression level, 1 to 9; 9 costs noticeably more CPU than the default 6 for little extra saving
SetOutputFilter DEFLATE				#Enables the deflate filter for every response of this site, which overrides the type list above; omit this line if only the listed types should be compressed
</IfModule>
  • Security caveat: if a compressed response contains a secret (session or CSRF token) next to content the attacker can influence, the attacker can recover the secret from the compressed length (the BREACH attack). Compress static assets and public pages freely, but keep such secrets out of compressed dynamic pages or disable compression for them.
  • Check the httpd.conf syntax and whether the module is loaded
apachectl -t			              				#Verify that the configuration file is correct
apachectl -t -D DUMP_MODULES | grep "deflate"		#Check whether the mod_deflate module is loaded
deflate_module (shared)						     	#Expected output when it is

systemctl restart httpd.service       				#Restart service
  • Test whether mod_deflate compression takes effect
#First copy the q.jpg file to the /usr/local/httpd/htdocs directory
cd /usr/local/httpd/htdocs

vim index.html
<html>
<head><meta charset="utf-8"></head>
<body>
<h1>111111111</h1>
<img src="q.jpg" />
</body>
</html>

Method 1:
On Linux, open the browser, right-click the page and choose Inspect Element.
Select Network ---> select HTML, WS, Other.
Visit http://192.168.10.20 and double-click the 200 response to see that the response headers contain Content-Encoding: gzip.

Method 2:
On Windows, install Microsoft .NET 4 and then Fiddler, and open Fiddler.
Select Inspectors ---> select Headers.
Visit http://192.168.10.20 in the browser and double-click the 200 response to see Content-Encoding: gzip.

2. Web page cache

2.1 general

  • Web page caching means caching pages that never change or change rarely. The next time the browser visits these pages it does not need to download them again, which speeds up the user's access.
  • Apache's mod_expires module automatically adds Expires and Cache-Control headers to the response. From these headers the client browser decides, on its next visit, to use the copy in its local cache instead of sending a request to the server again. This reduces the number of client requests, saves unnecessary traffic and speeds up access.

2.2 configure web page cache

Configuring the mod_expires module follows the same steps as the mod_deflate module

  • Check whether the mod_expires module is installed
apachectl -t -D DUMP_MODULES | grep "expires"
  • If mod_expires is not installed, stop the Apache service, recompile and install Apache, and add the mod_expires module to the configure parameters
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak1                 #Rename backup

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires							 #Add mod_expires module

make -j 4 && make install
  • Configure mod_expires module enabled
vim /usr/local/httpd/conf/httpd.conf
#Line 52 modification
Listen 192.168.10.20:80
#Line 111 uncomment
LoadModule expires_module modules/mod_expires.so		#Enable mod_expires module
#Line 199 uncomment, modify
ServerName www.test.com:80
--Add on last line--
<IfModule mod_expires.c>
  ExpiresActive On								   		#Turn on Web page caching
  ExpiresDefault "access plus 50 seconds"				#Cache every response for 50 seconds after it is accessed
</IfModule>
  • Caveat: ExpiresDefault applies to every response, including dynamic pages and pages served to logged-in users, and the Cache-Control: max-age it emits also allows shared (proxy) caches to store them. In production, prefer ExpiresByType for static types (for example ExpiresByType image/jpeg "access plus 30 days") and keep authenticated, user-specific pages out of caches with a Cache-Control: private, no-store header set via mod_headers.
  • Check the httpd.conf syntax and whether the module is loaded
apachectl -t										#Verify that the configuration file is correct
apachectl -t -D DUMP_MODULES | grep "expires"		#Check whether the mod_expires module is loaded
expires_module (shared)								#Expected output when it is

systemctl restart httpd.service						#Restart service
  • Test whether the cache takes effect
cat /usr/local/httpd/htdocs/index.html

Method 1:
On Linux, open the browser, right-click the page and choose Inspect Element.
Select Network ---> select HTML, WS, Other.
Visit http://192.168.10.20 and double-click the 200 response to view the Expires and Cache-Control entries in the response headers.

Method 2:
On Windows, install Microsoft .NET 4 and then Fiddler, and open Fiddler.
Select Inspectors ---> select Headers.
Visit http://192.168.10.20 in the browser and double-click the 200 response to view the Expires entry.
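The browser and Fiddler checks above (here and in section 1.4) can be scripted so they run from a shell on any host that can reach the server. The script below is an added example, not part of the original post: it reads a header dump produced by curl and reports the compression headers from section 1.4, the caching headers from this section, and the Server header that the version-hiding step later in the page changes. The function names and the constructed sample headers are this example's own; 192.168.10.20 is the lab address used on this page.

```shell
#!/bin/sh
# Added example: audit the response headers the browser/Fiddler steps look at.
# Feed it a header dump from curl, e.g.
#   curl -sI -H 'Accept-Encoding: gzip' http://192.168.10.20/ | audit_headers
# and, to confirm that clients without gzip support still get a plain body,
#   curl -sI http://192.168.10.20/ | audit_headers     (should report no encoding)
# Function names and sample data are this example's own, not from the page.

# Print the value of the named header (name matched case-insensitively, CR stripped).
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" -F': *' '
        tolower($1) == want { sub(/^[^:]*: */, ""); print; exit }'
}

# Extract the max-age value (seconds) from Cache-Control, or print nothing.
max_age() {
    header_value Cache-Control | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Report compression, caching and banner headers. Exit 0 only when the response
# is gzip-compressed, carries Vary: Accept-Encoding and has a max-age.
audit_headers() {
    hdrs=$(cat)
    enc=$(printf '%s\n' "$hdrs" | header_value Content-Encoding)
    vary=$(printf '%s\n' "$hdrs" | header_value Vary)
    age=$(printf '%s\n' "$hdrs" | max_age)
    expires=$(printf '%s\n' "$hdrs" | header_value Expires)
    server=$(printf '%s\n' "$hdrs" | header_value Server)
    ok=0
    printf 'Content-Encoding: %s\n' "${enc:-(none)}"
    [ "$enc" = gzip ] || ok=1
    printf 'Vary: %s\n' "${vary:-(none)}"
    printf '%s' "$vary" | grep -qi 'accept-encoding' || ok=1   # needed so caches keep gzip/plain apart
    printf 'Cache-Control max-age: %s\n' "${age:-(none)}"
    [ -n "$age" ] || ok=1
    printf 'Expires: %s\n' "${expires:-(none)}"
    printf 'Server: %s\n' "${server:-(none)}"                   # "Apache" alone once ServerTokens Prod is set
    return $ok
}

# Query the live lab server only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    curl -sI -H 'Accept-Encoding: gzip' "${2:-http://192.168.10.20/}" | audit_headers
fi
```

Run it twice, once with and once without the Accept-Encoding request header: the first run should show Content-Encoding: gzip, the second must not, otherwise a client that cannot decompress would receive garbage. Vary: Accept-Encoding is added by mod_deflate itself; if it is missing, some other layer is stripping it and a shared cache could hand the compressed body to a client that never asked for it.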

2, Apache security optimization

In addition to performance optimization, Apache's default configuration also needs to be hardened for security.

1. Anti-hotlinking (anti-theft chain)

1.1 general

  • Generally speaking, a complete page is not transmitted to the client in one go. The first HTTP request returns the HTML text of the page; the client's browser then parses it and, for every picture or other resource referenced in it, sends a further HTTP request. The server returns each picture file and the browser places it in the right position on the page. A complete page is therefore displayed only after many HTTP requests.
  • This mechanism makes hotlinking (link theft) possible. A website that does not host the pictures shown on its pages can simply link to pictures hosted on other websites, so a site without resources of its own uses other sites' resources to serve its visitors, inflating its own traffic, and most visitors never notice. To avoid cost, some unscrupulous websites pad their content this way by stealing links from other sites. This damages the legitimate interests of the original website and adds load to its server.
  • The HTTP standard defines a Referer header for this situation. Its functions are as follows:
    ① It records the address the visitor came from.
    ② For a resource file, it identifies the page that embedded it. All anti-hotlinking methods are therefore based on the Referer header. Note that the Referer is sent by the client and can be forged or omitted, so this is a deterrent against casual hotlinking, not an access control.

1.2 anti theft chain configuration

Apache anti-hotlinking requires the mod_rewrite module

  • Check whether the mod_rewrite module is installed
apachectl -t -D DUMP_MODULES | grep "rewrite"
  • If mod_rewrite is not installed, recompile and install Apache with the mod_rewrite module added
systemctl stop httpd.service
cd /usr/local/httpd/conf
mv httpd.conf httpd.conf.bak2

yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel
cd /opt/httpd-2.4.29/
./configure \
--prefix=/usr/local/httpd \
--enable-so \
--enable-rewrite \									#Add mod_rewrite Module
--enable-charset-lite \
--enable-cgi \
--enable-deflate \
--enable-expires

make -j 4 && make install
  • Configure the mod_rewrite module
vim /usr/local/httpd/conf/httpd.conf
#Line 157 uncomment
LoadModule rewrite_module modules/mod_rewrite.so
#Line 224
<Directory "/usr/local/httpd/htdocs">
  Options Indexes FollowSymLinks				 #Indexes enables directory listings; drop it on a production server so visitors cannot browse the directory contents
  AllowOverride None
  Require all granted

  RewriteEngine On  							 #Turn on the rewrite engine; the mod_rewrite directives follow
  RewriteCond %{HTTP_REFERER} !^http://heihei.com/.*$ [NC] 				# Matching rules: all four conditions must hold for the rule below to fire
  RewriteCond %{HTTP_REFERER} !^http://heihei.com$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/.*$ [NC]
  RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/$ [NC]
  RewriteRule .*\.(gif|jpg|swf)$ http://www.heihei.com/error.png 		# Redirect action
</Directory>
Meaning of the fields in RewriteCond %{HTTP_REFERER} !^http://www.heihei.com/.*$ [NC]:
"%{HTTP_REFERER}" : the Referer header, i.e. the URL of the page from which the requested resource is being loaded.
"!^" : the value must NOT start with the following string.
"http://www.heihei.com" : the address of this website, matched as a whole string (the unescaped dots are regular-expression wildcards that match any character, which is harmless here).
".*$" : followed by any characters up to the end of the string.
"[NC]" : the match is case-insensitive.

Meaning of the fields in RewriteRule .*\.(gif|jpg|swf)$ http://www.heihei.com/error.png:
"." : matches any single character.
"*" : matches the preceding element zero or more times, so ".*" matches any string of zero or more characters. Use "+" for one or more.
"\." : a literal dot. "." is a regular-expression metacharacter, so it must be escaped with "\" to match an actual "."; the same applies to any other metacharacter you need to match literally.
"(gif|jpg|swf)$" : matches "gif", "jpg" or "swf" at the end of the string. The whole rule therefore matches any path ending in ".gif", ".jpg" or ".swf", i.e. the image files.
"http://www.heihei.com/error.png" : the URL the request is redirected to.

The overall meaning of the configuration: when one of this site's image files is requested from a page on a domain other than this website, error.png is shown instead. Some points to check before relying on it:
  • The hostnames allowed in the RewriteCond lines must be the names visitors actually use for this site (here they must agree with ServerName), otherwise the site's own pages are treated as hotlinkers.
  • An empty Referer (a direct visit, or a browser that strips Referer for privacy) matches none of the four patterns, so it is also redirected. Add RewriteCond %{HTTP_REFERER} !^$ [NC] to allow it, bearing in mind that an attacker can then bypass the protection simply by omitting the header.
  • Only plain http:// referers are allowed; if the site is served over HTTPS, add https:// variants. The RewriteRule itself has no [NC] flag and lists only three extensions, so Q.JPG, .jpeg and .png are not covered.
  • error.png ends in .png, which the RewriteRule does not match, so the redirect cannot loop. If you change the target to one of the matched types, add a RewriteCond that excludes it.
  • Test
cd /usr/local/httpd/htdocs           #Web source host (host 1) configuration

#Copy the error.png file to the /usr/local/httpd/htdocs directory
#Finally, embed one of this host's images in a page on the hotlinking host and visit that page
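Before testing against the live server it helps to have a precise model of what the four RewriteCond lines and the RewriteRule actually decide. The script below is an added example, not part of the original post: it re-implements that decision in shell so the edge cases (empty Referer, HTTPS referers, upper-case extensions) can be checked offline, and its comments give the curl commands for the same checks against the lab host. heihei.com and 192.168.10.20 come from the page's configuration; the function names and sample referers are this example's own.

```shell
#!/bin/sh
# Added example: a shell model of the anti-hotlinking RewriteCond/RewriteRule
# block, for reasoning about which Referer values it lets through.
# Live checks against the lab host (expected results in comments):
#   curl -sI -e 'http://www.heihei.com/' http://192.168.10.20/q.jpg   # 200, image served
#   curl -sI -e 'http://evil.example/'    http://192.168.10.20/q.jpg   # 302, Location: .../error.png
#   curl -sI                              http://192.168.10.20/q.jpg   # 302 as well: no Referer at all
# Function names and sample values are this example's own, not from the page.

# Does the Referer match one of the allowed forms?  Each RewriteCond is a negated
# [NC] pattern and the rule fires only when all four negations hold, i.e. when
# the referer matches none of the patterns.
referer_allowed() {
    ref=$(printf '%s' "$1" | tr 'A-Z' 'a-z')      # [NC]: compare case-insensitively
    case "$ref" in
        http://heihei.com)       return 0 ;;      # ^http://heihei.com$
        http://heihei.com/*)     return 0 ;;      # ^http://heihei.com/.*$
        http://www.heihei.com/*) return 0 ;;      # ^http://www.heihei.com/.*$ (covers ^http://www.heihei.com/$ too)
        *)                       return 1 ;;      # empty, https://, other hosts, www.heihei.com without a slash
    esac
}

# What does the server do for request PATH with Referer REF: "serve" or "redirect"?
# The RewriteRule .*\.(gif|jpg|swf)$ carries no [NC], so only those three
# lower-case extensions are matched.
hotlink_action() {
    ref=$1
    path=$2
    case "$path" in
        *.gif|*.jpg|*.swf)
            if referer_allowed "$ref"; then echo serve; else echo redirect; fi ;;
        *)  echo serve ;;   # other files, including error.png itself, are never rewritten
    esac
}

# Walk through the interesting cases when run with --demo.
if [ "${1:-}" = "--demo" ]; then
    for ref in 'http://www.heihei.com/index.html' 'HTTP://HEIHEI.COM' '' \
               'https://www.heihei.com/' 'http://evil.example/page.html'; do
        printf '%-40s /q.jpg -> %s\n' "Referer=\"$ref\"" "$(hotlink_action "$ref" /q.jpg)"
    done
fi
```

The model makes two properties of the configuration visible that the prose does not: a request with no Referer is redirected just like a foreign one, and a request for /q.JPG is served to anyone because the rule is case-sensitive. Whether those are acceptable depends on the site; either way, remember that the client chooses the Referer value, so a hotlinker who sets it to http://www.heihei.com/ passes every condition.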

2. Hide version information

  • Generally, the vulnerabilities of a piece of software are tied to specific versions, so the version number is very valuable to an attacker

  • If hackers or other ill-intentioned people obtain the Apache version, they can mount targeted attacks against it and cause great losses to the website. Hiding the Apache version number therefore reduces the risk of attack and protects the server. Note that hiding the banner only denies the attacker an easy hint; the real protection against version-specific vulnerabilities is keeping Apache patched

  • Modify the httpd.conf configuration file so that the httpd-default.conf file takes effect; that file contains the setting that controls whether version information is returned

vim /usr/local/httpd/conf/httpd.conf
#Line 491 uncomment
Include conf/extra/httpd-default.conf

vim /usr/local/httpd/conf/extra/httpd-default.conf
#Line 55 modification
ServerTokens Prod           			 #Change the original Full to Prod: the Server header then carries only the product name "Apache", with no version
#ServerTokens controls how much the Server response header reveals, from the OS type, version and compiled-in modules (Full) down to just "Apache" (Prod)
ServerSignature Off					 #Also in httpd-default.conf: stops the version line in the footer of server-generated error pages and directory listings

systemctl restart httpd.service
#Visit http://192.168.10.20 in the browser and double-click the 200 response to view the Server entry

summary

  • Apache web page compression reduces the traffic the server sends and improves its performance. It is implemented with the mod_deflate module
  • Apache web page caching caches web pages on the client. For infrequently updated pages the client does not need to send a request to the server again, which saves traffic. It is implemented with the mod_expires module
  • Apache anti-hotlinking prevents other sites from embedding this website's resources and avoids unnecessary traffic. It is implemented with the mod_rewrite module
  • Hiding the Apache version information avoids attacks targeted at version-specific vulnerabilities

Topics: Apache html http