
Apache depth optimization

2025-10-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03

Blog outline:

1. Enable apache Gzip (deflate) function
2. Enable expires cache function
3. Prohibit Apache from traversing directories
4. Hide apache version information
5. Apache log cutting
6. Configure hotlink protection

1. Enable apache Gzip (deflate) function

Gzip can greatly accelerate websites, and the compression ratio is usually between 40% and 80%. In earlier versions, Gzip was a third-party compression tool, but from Apache 2 onward, Apache ships its own deflate module to implement compression.

To turn on apache compression, add the "--enable-deflate" option when compiling and installing apache, and enable the following two modules in the main configuration file:

    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so

Note: if the "--enable-deflate" option is not added during compilation and installation, you can install this feature using DSO, as follows:

    [root@www ~]# cd /root/httpd-2.4.23/modules/filters/    # switch to the directory of the apache source package that contains mod_deflate
    [root@www filters]# /usr/local/http-2.4.23/bin/apxs -c -i -a mod_deflate.c    # compile and install into apache as a DSO

If an error is reported as follows:

This error means the zlib-devel package is missing. Run "yum -y install zlib-devel" to install it, and then install the deflate module again.

Confirm that the installation is successful:

    [root@www filters]# ll /usr/local/http-2.4.23/modules/mod_deflate.so    # check whether mod_deflate is installed; the file is listed here if the installation succeeded

About the command "/usr/local/http-2.4.23/bin/apxs -c -i -a mod_deflate.c" executed above.

The options are explained as follows:

-c: perform a compilation operation;
-i: perform an installation operation, installing one or more dynamic shared objects into the server's modules directory;
-a: automatically add a LoadModule line to the httpd.conf file to enable this module, or, if the line already exists, enable it.

After installation, these two modules are enabled by default, but an error may be reported when checking the main configuration file of apache, as follows:

Solution: the zlib library must be loaded before the LoadModule deflate_module modules/mod_deflate.so configuration item. When yum installed zlib just now, it went into the /usr/lib64 directory by default, so in the apache main configuration file, add LoadFile /usr/lib64/libz.so on the line before the LoadModule deflate_module modules/mod_deflate.so line.

Finally, make sure that compression is enabled. The following three lines must be enabled in the apache main configuration file; they need not be adjacent, but LoadFile /usr/lib64/libz.so must come before the other two:

    LoadFile /usr/lib64/libz.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so

At this point, the compression function is enabled, and then configure the compression function.

Write the following at the end of the main configuration file of apache (it is best to determine whether the following code exists before adding code):

    # Compression level, from 1 (fastest) to 9 (smallest output)
    DeflateCompressionLevel 6
    # Pass responses through the DEFLATE output filter
    SetOutputFilter DEFLATE
    # MIME types to compress
    AddOutputFilterByType DEFLATE text/*
    AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    # Do not compress pictures, archives or media files
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
    # Record the input size, output size and ratio as notes for the log
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    # Log the request line, output/input size and the ratio in percent
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    CustomLog logs/deflate_log.log deflate

Using the configuration above as a template, you can define the compression settings you need; the file types to compress can be adjusted as required. (Note: besides pictures, flash swf files do not need GZip compression either.)

The code after removing the comments is as follows:

    DeflateCompressionLevel 6
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/*
    AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    CustomLog logs/deflate_log.log deflate

After the modification is complete, save and exit, restart the http service, and access the site with Google Chrome (press "F12" before accessing). You can then see the compression-related information (it is best to make the web page file larger first, otherwise compression will not be enabled and you will not see the effect), as follows:

View the logs generated by compressed information:

    [root@apache http-2.4.23]# cat logs/deflate_log.log    # view the compression log
    "GET / HTTP/1.1" 74/4545 (1%)    # 74 is the size after compression, 4545 the size before compression; the compression ratio is in the parentheses at the end
    "GET / HTTP/1.1" 74/4545 (1%)
    "-" -/- (-%)
    [root@apache http-2.4.23]# ll htdocs/index.html    # check that the size of the web page is "4545"
    -rw-r--r--. 1 root root 4545 October 12 23:00 htdocs/index.html

That completes the compression optimization.

2. Enable expires cache function

The expires feature can reduce the number of repeated requests by about 20% to 30%: returning users cache the results of the specified page requests locally and do not send the request to the server again. It is not recommended for files that change frequently.

1. With no caching mechanism configured, check the response headers returned:

    [root@apache htdocs]# curl -I 127.0.0.1/test.jpg    # request a picture
    HTTP/1.1 200 OK
    Date: Sun, 13 Oct 2019 02:10:34 GMT
    Server: Apache/2.4.23 (Unix)
    Last-Modified: Mon, 22 Jul 2019 05:55:51 GMT
    ETag: "415bf-58e3eba7687c0"
    Accept-Ranges: bytes
    Content-Length: 267711
    Content-Type: image/jpeg    # the content type; the caching rules below are defined by this type
    # as you can see, no cache-related headers appear in the response

2. Configure expires caching:

    [root@apache htdocs]# vim /usr/local/http-2.4.23/conf/httpd.conf    # edit the main configuration file
    ..................    # part of the content omitted
    # remove the comment symbol from this line
    LoadModule expires_module modules/mod_expires.so
    # then add the following expires rules at the end of the configuration file
    # enable the caching mechanism
    ExpiresActive On
    # how long each type is cached
    ExpiresByType text/css "now plus 1 month"
    ExpiresByType application/x-javascript "now plus 5 day"
    # pictures of this type are cached for 30 days
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/bmp "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType image/png "access plus 1 minute"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    # everything else is not cached
    ExpiresDefault "now plus 0 minute"
    # after writing, save and exit
    [root@apache htdocs]# apachectl -t    # test whether the configuration file is correct
    Syntax OK
    [root@apache htdocs]# apachectl restart    # restart apache for the change to take effect

The configuration without comments is as follows:

    LoadModule expires_module modules/mod_expires.so
    ExpiresActive On
    ExpiresByType text/css "now plus 1 month"
    ExpiresByType application/x-javascript "now plus 5 day"
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/bmp "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType image/png "access plus 1 minute"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresDefault "now plus 0 minute"

Configuration format of the caching mechanism:

    ExpiresByType type/encoding "<base> [plus] {<num> <type>}*"

1. <base> is one of the following:

    access (relative to the client access time)
    now (equivalent to access)
    modification (relative to the last modification time of the source file)

2. The plus keyword is optional. <num> should be an integer value, and <type> is one of the following:

    years, months, weeks, days, hours, minutes, seconds

You can also define the caching mechanism using the following format:

    # the picture is cached for 1 month
    ExpiresByType image/jpeg A2592000
    # the HTML document is valid for one week after its last modification time
    ExpiresByType text/html M604800

If you use "A" (equivalent to access) and "M" (equivalent to modification) to define cache validity, it can only be calculated in seconds.

Conclusion: the expires module can set the expiration date relative to the time the source file was last modified, or relative to the time accessed by the client.

3. Run an access test to see whether the caching mechanism is in effect:

    [root@apache htdocs]# curl -I 127.0.0.1/test.jpg    # request a picture
    HTTP/1.1 200 OK
    Date: Sun, 13 Oct 2019 02:16:44 GMT
    Server: Apache/2.4.23 (Unix)
    Last-Modified: Mon, 22 Jul 2019 05:55:51 GMT
    ETag: "415bf-58e3eba7687c0"
    Accept-Ranges: bytes
    Content-Length: 267711
    Cache-Control: max-age=2592000    # this is the caching time, in seconds
    Expires: Tue, 12 Nov 2019 02:16:44 GMT
    Content-Type: image/jpeg

For more information about the configuration format of the cache, you can read its official documentation.
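The two notations can be checked against the headers captured above. The following is an added example, not code from the original post or from Apache: it parses both the keyword form and the A/M form and derives Cache-Control and Expires from the Date and Last-Modified values shown in the curl output. The function names are made up here, and clamping an already-passed expiry to the request time is an assumption of this sketch.

```python
import re
from datetime import timedelta
from email.utils import format_datetime, parsedate_to_datetime

# Unit lengths in seconds as mod_expires counts them (a month is 30 days, a year 365).
UNIT_SECONDS = {
    "year": 365 * 86400, "month": 30 * 86400, "week": 7 * 86400,
    "day": 86400, "hour": 3600, "minute": 60, "second": 1,
}

# Header values taken from the curl output in this section.
DATE = "Sun, 13 Oct 2019 02:16:44 GMT"
LAST_MODIFIED = "Mon, 22 Jul 2019 05:55:51 GMT"


def parse_expiry(spec):
    """Return (base, seconds) where base is 'access' or 'modification'."""
    spec = spec.strip()
    compact = re.fullmatch(r"([AM])(\d+)", spec)
    if compact:  # A<seconds> or M<seconds>
        base = "access" if compact.group(1) == "A" else "modification"
        return base, int(compact.group(2))
    words = spec.lower().split()
    if not words or words[0] not in ("access", "now", "modification"):
        raise ValueError(f"unknown base in {spec!r}")
    base = "modification" if words[0] == "modification" else "access"
    rest = words[1:]
    if rest and rest[0] == "plus":  # the plus keyword is optional
        rest = rest[1:]
    if not rest or len(rest) % 2:
        raise ValueError(f"expected <num> <type> pairs in {spec!r}")
    total = 0
    for num, unit in zip(rest[::2], rest[1::2]):
        unit = unit.rstrip("s")  # "days" and "day" are both accepted
        if not num.isdigit() or unit not in UNIT_SECONDS:
            raise ValueError(f"bad interval {num} {unit!r} in {spec!r}")
        total += int(num) * UNIT_SECONDS[unit]
    return base, total


def cache_headers(spec, date_hdr, last_modified_hdr):
    """Compute the Cache-Control and Expires headers one rule produces."""
    base, seconds = parse_expiry(spec)
    now = parsedate_to_datetime(date_hdr)
    start = now if base == "access" else parsedate_to_datetime(last_modified_hdr)
    # Assumption of this sketch: an expiry already in the past is clamped to "now".
    expires = max(start + timedelta(seconds=seconds), now)
    max_age = int((expires - now).total_seconds())
    return {
        "Cache-Control": f"max-age={max_age}",
        "Expires": format_datetime(expires, usegmt=True),
    }


if __name__ == "__main__":
    for rule in ("access plus 30 days", "A2592000", "M604800"):
        print(rule, "->", cache_headers(rule, DATE, LAST_MODIFIED))
```

With an M rule, a file modified long ago is already expired at request time, which is why the modification base suits documents that are republished regularly rather than static pictures.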

3. Prohibit Apache from traversing directories

When the web server receives the request message, it will automatically look for the index.html file in the root of the web page. What if there is no such file?

    [root@apache htdocs]# ls    # confirm that the root directory of the web server does not contain an index.html file
    a.sh  images  test.jpg

The client will see the following interface:

As you can see, if there is no index.html file, the directory structure of the site is exposed directly to the client, which is a security risk. So how can this be solved?

The solution is as follows:

    [root@apache htdocs]# vim ../conf/httpd.conf    # edit the main configuration file
    # locate this line:
    Options Indexes FollowSymLinks
    # change it as follows (delete Indexes), then save and exit:
    Options FollowSymLinks
    [root@apache htdocs]# apachectl restart    # restart apache for the change to take effect

The purpose of Indexes is to display the directory structure when there are no index.html files in that directory.

The client accesses again:

OK!!! You see the 403 page.

4. Hide apache version information

    [root@apache htdocs]# curl -I 127.0.0.1    # view the default apache response headers
    HTTP/1.1 403 Forbidden
    Date: Sun, 13 Oct 2019 03:08:39 GMT
    Server: Apache/2.4.23 (Unix)    # the detailed apache version information is visible
    Content-Type: text/html; charset=iso-8859-1

To hide it, do the following:

    [root@apache htdocs]# cd ../conf/
    [root@apache conf]# vim httpd.conf    # edit the main configuration file
    # remove the comment symbol before this line, then save and exit:
    Include conf/extra/httpd-default.conf
    [root@apache conf]# pwd    # view the current working path
    /usr/local/http-2.4.23/conf
    [root@apache conf]# vim extra/httpd-default.conf    # edit this file
    # find the following two lines:
    ServerTokens Full
    ServerSignature Off
    # change them as follows, then save and exit:
    ServerTokens Prod
    ServerSignature On
    # ServerTokens Prod is what reduces the Server header to "Apache"; ServerSignature only controls the footer line on server-generated pages such as error pages
    [root@apache conf]# apachectl restart    # restart the service for the change to take effect
    [root@apache conf]# curl -I 127.0.0.1    # request again and check
    HTTP/1.1 403 Forbidden
    Date: Sun, 13 Oct 2019 03:19:17 GMT
    Server: Apache    # only "Apache" is shown, without the detailed version
    Content-Type: text/html; charset=iso-8859-1

If you need to change the version information completely, you must do so before compiling, or recompile. Before compiling, modify the ap_release.h file in the include directory of the apache source package:

    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"    /* service vendor */
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"           /* service project name */
    #define AP_SERVER_BASEPRODUCT "Apache"                       /* service product name */
    #define AP_SERVER_MAJORVERSION_NUMBER 2                      /* major version */
    #define AP_SERVER_MINORVERSION_NUMBER 4                      /* minor version */
    #define AP_SERVER_PATCHLEVEL_NUMBER 23                       /* patch level */
    #define AP_SERVER_DEVBUILD_BOOLEAN 0

The lines listed above can be changed to what you want, and then after compilation and installation, the client will not know your version number at all.
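Sections 3 and 4 each come down to one directive, so both can be verified mechanically before a restart. The following is an added example, not part of the original post: it scans configuration text for Options values that turn directory listing on and for a ServerTokens value other than Prod, and checks a captured Server response header. The function names and the sample configuration are constructed here.

```python
import re

# Constructed sample configuration, modelled on the directives discussed above.
SAMPLE_CONF = """\
# main configuration (sample)
ServerTokens Full
<Directory "/usr/local/http-2.4.23/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/usr/local/http-2.4.23/htdocs/images">
    Options -Indexes
</Directory>
"""


def audit_conf(text):
    """Return (line_no, message) findings for listing and version disclosure."""
    findings, tokens_seen = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name, args = parts[0].lower(), parts[1:]
        if name == "options":
            # "All" includes Indexes; "-Indexes" switches it off and is fine.
            on = [a for a in args if a.lower() in ("indexes", "+indexes", "all", "+all")]
            if on:
                findings.append((no, f"Options {' '.join(on)} enables directory listing"))
        elif name == "servertokens":
            tokens_seen = True
            if not args or args[0].lower() not in ("prod", "productonly"):
                findings.append((no, f"ServerTokens {' '.join(args)} discloses version details"))
    if not tokens_seen:
        # Without the directive, Apache falls back to Full.
        findings.append((0, "ServerTokens not set; the default is Full"))
    return findings


def server_header_leaks(response_headers):
    """True when the Server header carries more than a bare product name."""
    for line in response_headers.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "server":
            return bool(re.search(r"[/\d(]", value))
    return False


if __name__ == "__main__":
    for line_no, message in audit_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
    print(server_header_leaks("HTTP/1.1 403 Forbidden\nServer: Apache/2.4.23 (Unix)"))
    print(server_header_leaks("HTTP/1.1 403 Forbidden\nServer: Apache"))
```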

5. Apache log cutting

As the number of visits to the website grows, the log files generated by the web server become larger and larger; if they are not split, they become inconvenient to handle. Managing these massive logs is therefore important for the website.

There are two methods for log segmentation.

Method 1: use rotatelogs (a tool that comes with apache) to split logs by day, starting a new log file each day

    [root@apache conf]# vim httpd.conf    # edit the main configuration file
    # comment out the following two lines (this removes the default logging):
    # ErrorLog "logs/error_log"
    # CustomLog "logs/access_log" common
    # then add the following, preferably on the line right after the CustomLog "logs/access_log" common line
    # (do not copy it verbatim; see the explanation below):
    ErrorLog "|/usr/local/http-2.4.23/bin/rotatelogs -l logs/error_%Y-%m-%d.log 86400"
    CustomLog "|/usr/local/http-2.4.23/bin/rotatelogs -l logs/access_%Y-%m-%d.log 86400" combined
    # after adding, save and exit

The two configuration lines above must be written inside the tag. That is why I said it is best to write them on the line right after the CustomLog "logs/access_log" common line: that line is already inside the tag, so placing them directly after it cannot go wrong.

In the above addition, 86400 is the rotation time in seconds (that is, a log file is generated per day)

Note the absolute path of my rotatelogs command: it must match your actual installation path, so do not copy it directly.

    [root@apache conf]# apachectl restart    # restart the service so that the changes take effect
    [root@apache conf]# ls ../logs/    # view the log files; there is no rotated access log yet
    access_log  error_2019-10-13.log  error_log  httpd.pid
    # at this point the original access_log and error_log files can be deleted
    # there is no rotated access log because nothing has accessed the server since the change
    [root@apache conf]# curl 127.0.0.1 &> /dev/null    # make a request
    [root@apache conf]# ls ../logs/    # check again; the rotated access log now exists
    access_2019-10-13.log  error_2019-10-13.log  httpd.pid
    access_log             error_log

Apache's bundled log rotation tool, rotatelogs, is said to lose log entries easily while cutting logs, so we usually use cronolog (that is, method 2) for log rotation.

Method 2: use cronolog to create a new log for each day

You also need to comment out the following two lines in the main configuration file:

    # ErrorLog "logs/error_log"
    # CustomLog "logs/access_log" common

Download the cronolog source package provided by me

    [root@apache src]# rz    # upload the source package provided by me with xshell, then compile and install it
    [root@apache src]# tar zxf cronolog-1.6.2.tar.gz
    [root@apache src]# cd cronolog-1.6.2/
    [root@apache cronolog-1.6.2]# ./configure && make && make install
    [root@apache conf]# pwd    # switch the working path to this directory
    /usr/local/http-2.4.23/conf
    [root@apache conf]# vim httpd.conf    # edit the main configuration file
    # delete the log cutting entries written in method 1 and write the following two lines:
    ErrorLog "|/usr/local/sbin/cronolog logs/error-%Y-%m-%d.log"
    CustomLog "|/usr/local/sbin/cronolog logs/access-%Y-%m-%d.log" combined
    # then save and exit
    [root@apache logs]# ls    # to avoid confusion, I removed the original log files
    httpd.pid
    [root@apache logs]# apachectl restart    # restart
    [root@apache logs]# curl 127.0.0.1 &> /dev/null    # make a request so that the access log file is generated
    [root@apache logs]# ls    # confirm
    access-2019-10-13.log  error-2019-10-13.log  httpd.pid

At this point, it is possible to store daily log files separately.

If there are multiple virtual hosts in the Apache, it is best to place one such code in each virtual host and change the log file name to a different name.

3. Additional

If the number of visits to the website is really too large, then what we may need more is to divide the log by hour, and then store the log by hour in a directory, that is, a directory every day. This directory stores the hourly logs generated on the same day.

The implementation is as follows:

Simply change the two-line configuration item written in method 2 to the following:

    [root@apache conf]# vim httpd.conf    # change to the following
    ErrorLog "|/usr/local/sbin/cronolog logs/error_%Y-%m-%d/error_log.%H"
    CustomLog "|/usr/local/sbin/cronolog logs/access_%Y-%m-%d/access_log.%H" combined
    [root@apache conf]# apachectl restart    # restart
    [root@apache logs]# curl 127.0.0.1    # make a request
    [root@apache http-2.4.23]# pwd    # switch the working path
    /usr/local/http-2.4.23
    [root@apache http-2.4.23]# tree logs/    # use the tree command to view the logs
    logs/
    |-- access_2019-10-13        # access log date
    |   `-- access_log.12        # generated at 12:00
    |-- error_2019-10-13         # error log date
    |   `-- error_log.12         # also generated at 12:00
    `-- httpd.pid

Note: another difference between the two piped-log programs above is that cronolog automatically creates the directory if the log is placed in a path that does not exist, while rotatelogs does not. Pay special attention to this.

6. Configure hotlink protection

Sometimes the traffic to your website grows inexplicably. Don't be happy too early: your content may be hotlinked by others.

For example, you set up a forum with some popular pictures and videos, and someone points the picture addresses on his website at your forum, so that his own server carries no load; that is, when others view the pictures and videos on his website, they consume the resources of your server.

To solve this problem, you need to use the rewrite module of apache, which is configured as follows:

    [root@apache conf]# vim httpd.conf    # edit the main configuration file
    # confirm that the following line is present and uncommented; if the line does not exist, you need to install the rewrite module
    LoadModule rewrite_module modules/mod_rewrite.so

After opening the rewrite module, find the configuration file corresponding to your website (such as the master configuration file or virtual host configuration file), and add the following code at the end:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://test.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.test.com$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/about/nolink.png

The relevant options are explained as follows:

RewriteEngine On: enables rewrite; this line is required.

RewriteCond: one or more entries can be written before a RewriteRule; they test the conditions under which the rewrite applies. The specific description will be discussed later.

RewriteRule: configures the rule.

%{HTTP_REFERER}: a server variable. The HTTP referer is part of the request header. When a browser sends a request to a web server, it usually includes the referer to tell the server which page the request was linked from, so that the server can use this information for processing. For example, if my home page links to a friend's site, his server can count from the HTTP referer how many users click the link on my home page to visit his website every day.

[NC]: case-insensitive matching.

[R]: forces a redirect.

[L]: if this rule matches, it is the last rule (Last), and subsequent rules are ignored.

RewriteCond %{HTTP_REFERER} !^$: this line allows access with an empty "HTTP_REFERER", that is, the user enters the URL directly in the browser to access the resource rather than following a link.

RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC] and RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]: these set the HTTP sources that are allowed access, including the site itself.

RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/about/nolink.png: redirects requests that do not meet the referer conditions to nolink.png. nolink.png is located in the about directory, which must allow hotlinking. Be careful about this; otherwise the warning picture will not be displayed on the other website.

Note: pay attention to clearing the cache when testing.

Summary:

1. The red part: your trusted sites. For my site, these are http://www.test.com and http://test.com

2. The green part: the extensions of the files to be protected (separated by |). Files with these extensions can only be accessed when they are referenced from one of the red URLs.

3. The blue part: defines the picture that is substituted when a file is hotlinked, so that every web page hotlinking jpg, gif, swf and other such files displays the about/nolink.png file in the root directory of the web documents. Note: do not put the replacement picture in a directory where hotlink protection is set, and the smaller the picture file, the better. Of course, instead of setting up a replacement picture, you can use this rule:

    RewriteRule .*\.(gif|jpg|png)$ - [F]

Note: [F] (forbidden) forces the current URL to be prohibited, that is, an HTTP 403 (Forbidden) response is returned immediately.

Test the above hotlink protection:

I have two servers A (www.test.com) and B (www.daolian.com) here, and the index.html front page file of server B is as follows:

    [root@localhost html]# cat index.html    # server B's home page file is a hyperlink to server A's test.jpg file
    Link

When client accesses the test.jpg file of server A directly (its URL is the same as the hyperlink address of server B), it gets the following beauty:

But what if you access it through the hyperlink of the B server? Please keep watching.

What??? Why is it only Erha? shouldn't it be a beautiful woman? And its URL is no longer the hyperlink address specified by our B server.

This is the hotlink protection configuration of our A server has taken effect!

Using rewrite to realize Apache hotlink protection

Whether a reference to a picture or other resource is legitimate is judged from the value of the referer variable. Only requests whose referer falls within the configured range can call and access the specified resource, which prevents the resource from being hotlinked by other websites. Note that not all user agents (browsers) set the referer variable, and some allow the referer to be modified manually, so the referer can be forged. The above configuration is just a simple means of protection; it is enough to deal with ordinary hotlinking.

When a website is hotlinked, the following measures can be taken:

Mark the pictures, videos, audio and other files of the site with your own site name, brand or a related watermark; set up a firewall to control access by source IP; set up hotlink protection (based on the referer mechanism).

Hotlinking of a website increases its bandwidth cost and the load on the server; in serious cases, it affects access for a large number of normal users.

All right, hotlink protection is done.
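The rule set can be exercised offline before it is deployed. The following is an added example, not part of the original post: it evaluates the RewriteCond and RewriteRule patterns from this section with Python's re module against constructed requests, next to a tightened allowlist. STRICT_ALLOWED (escaped dots, http or https) and the sample requests are assumptions made here.

```python
import re

# Referer allowlist as configured in this section; [NC] maps to re.IGNORECASE.
PAGE_ALLOWED = [
    r"^$",
    r"^http://test.com/.*$",
    r"^http://test.com$",
    r"^http://www.test.com/.*$",
    r"^http://www.test.com$",
]
# RewriteRule pattern from this section; it carries no [NC], so it is case-sensitive.
PROTECTED = r".*\.(gif|jpg|swf)$"
# Assumed tightening, not from the page: escaped dots, http or https, one pattern.
STRICT_ALLOWED = [r"^$", r"^https?://(www\.)?test\.com(/.*)?$"]


def decide(path, referer, allowed):
    """Return 'serve' or 'rewrite' for one request.

    mod_rewrite tests the RewriteRule pattern first; the rule then fires only
    if every RewriteCond holds. Each condition here is a negated match, so the
    rule fires when the Referer matches none of the allowed patterns.
    """
    if not re.search(PROTECTED, path):
        return "serve"
    if any(re.search(p, referer, re.IGNORECASE) for p in allowed):
        return "serve"
    return "rewrite"


# Constructed requests: (URL path, Referer header value).
SAMPLES = [
    ("/test.jpg", ""),                                   # typed directly into the browser
    ("/test.jpg", "http://www.test.com/index.html"),     # the site's own page
    ("/test.jpg", "http://www.daolian.com/index.html"),  # server B from the test above
    ("/test.jpg", "https://www.test.com/index.html"),    # the site's own page over HTTPS
    ("/test.jpg", "http://www-test.com/index.html"),     # other host; "." also matches "-"
    ("/test.JPG", "http://www.daolian.com/index.html"),  # upper-case extension
    ("/about/nolink.png", "http://www.daolian.com/index.html"),  # the replacement picture
]


def compare(samples=SAMPLES):
    """Return (path, referer, decision with page rules, decision with strict rules)."""
    return [
        (path, ref, decide(path, ref, PAGE_ALLOWED), decide(path, ref, STRICT_ALLOWED))
        for path, ref in samples
    ]


if __name__ == "__main__":
    for path, ref, page, strict in compare():
        print(f"{path:18} {ref or '(empty)':36} page={page:8} strict={strict}")
```

The rows where the two columns differ are the ones to review: with the patterns as written, the site's own pages served over HTTPS lose their pictures, and the unescaped dots accept a host name other than the trusted ones.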
