
How to configure Apache to protect hotlink and hide version information

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to configure Apache to achieve hotlink protection and hide its version information. The content is simple and clear, and I hope it helps you resolve your doubts. Let me walk you through it.

1. Configure Apache for hotlink protection

1. Hotlink protection prevents other people's website code from stealing pictures, files, videos and other resources from our server.

2. If others hotlink these static resources of the website, it obviously increases the bandwidth pressure on the server.

3. Therefore, as maintainers of the website, we should stop the static resources of our server from being embezzled by other websites.

Use two hosts to simulate hotlinking

The configuration and roles of the two hosts are as follows:

Hotlink simulation steps

1. Configure a test page on both hosts.

2. The test page of the hotlinking website embeds the logo.jpg file from the page/image directory of the source host.

3. Visit http://a.test2.com/page.html in Windows and use the Fiddler packet capture tool to observe the result.

Check whether the mod_rewrite module is installed in Apache

1. /usr/local/apache/bin/apachectl -t -D DUMP_MODULES

2. If rewrite_module (static) does not appear in the output, the mod_rewrite module was not compiled in.

If it is not installed, recompile and reinstall:

1. ./configure --enable-rewrite ...

2. make && make install

Rule variable description

1. %{HTTP_REFERER}: the Referer field of the request header, which holds the URL of the page the request came from, i.e. the page from which the requested resource is being accessed.

2. !^: does not begin with the following string

3. .*$: ends with any characters

4. NC: case-insensitive match

5. R: forced redirect

Rule matching description

1. RewriteEngine On: turns on the URL rewriting function

2. RewriteCond: sets a matching condition

3. RewriteRule: sets the rewrite (redirect) action

Rule matching

1. If the value of the corresponding variable matches the condition, the conditions are processed one by one; if one does not match, the subsequent rules are no longer matched.

Configuration operation demonstration

Modify the configuration file to enable hotlink protection and set rules:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://test.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test.com$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/error.html [R,NC]

Configure Apache to hide version information

1. Apache's version information reveals which vulnerabilities the server may be exposed to, which is a security risk for the website.

2. In a production environment, Apache should be configured to hide the version information.

3. You can use the Fiddler packet capture tool to analyse it.

4. Configure Apache to hide version information:

5. Uncomment the following line in the main configuration file httpd.conf:

(1) #Include conf/extra/httpd-default.conf

There are two places to modify in the httpd-default.conf file:

(1) change ServerTokens Full to ServerTokens Prod

(2) change ServerSignature On to ServerSignature Off

6. Restart the httpd service, visit the website and capture packets to test.

Configuration experiment

1. Configure DNS domain name resolution file

[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };             // change 127.0.0.1 inside the braces to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };               // change localhost inside the braces to any
        ...                                     // the remaining options are unchanged
};
# press Esc, then enter :wq to save and exit
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-update { none; };
};
# add the above block in the same format as the existing ones, press Esc, then enter :wq to save and exit
[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost kgc.com.zone
[root@localhost named]# vim kgc.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     IN A    192.168.18.12
# edit in the above format. Note that the last IP address is the IP address of your Linux host. Press Esc after modification, then enter :wq to save and exit
[root@localhost named]# systemctl start named
[root@localhost named]# systemctl stop firewalld.service
[root@localhost named]# setenforce 0

2. Share files

[root@localhost named]# mkdir /abc
[root@localhost named]# mount.cifs //192.168.124.17/LAMP-C7 /abc/     // share the folder containing the compressed packages from the host
Password for root@//192.168.124.17/rpm:                               // just press Enter here
[root@localhost named]# cd /abc/LAMP/
[root@localhost LAMP]# ls                                             // the compressed packages in the mounted folder
apr-1.6.2.tar.gz       cronolog-1.6.2-14.el7.x86_64.rpm  mysql-5.6.26.tar.gz
apr-util-1.6.0.tar.gz  Discuz_X2.5_SC_UTF8.zip           php-5.6.11.tar.bz2
awstats-7.6.tar.gz     httpd-2.4.29.tar.bz2
[root@localhost LAMP]# tar jxvf httpd-2.4.29.tar.bz2 -C /opt/
[root@localhost LAMP]# tar zxvf apr-1.6.2.tar.gz -C /opt/
[root@localhost LAMP]# tar zxvf apr-util-1.6.0.tar.gz -C /opt/
[root@localhost LAMP]# cd /opt/
[root@localhost opt]# ls
apr-1.6.2  apr-util-1.6.0  httpd-2.4.29  rh
[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr              # srclib is where httpd looks for its bundled apr and apr-util libraries
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
[root@localhost opt]# yum install gcc gcc-c++ pcre pcre-devel zlib-devel expat-devel -y    # do not forget the expat package
[root@localhost opt]# cd httpd-2.4.29/
[root@localhost httpd-2.4.29]# ./configure \
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi
[root@localhost httpd-2.4.29]# make
[root@localhost httpd-2.4.29]# make install
[root@localhost httpd-2.4.29]# vim /usr/local/httpd/conf/httpd.conf
/ServerName     search for ServerName, remove the # comment and change the line to:
ServerName www.kgc.com:80
/Listen         search for the listening port, comment out the IPv6 line and change the IPv4 listening address to that of your own Linux host:
Listen 192.168.234.164:80
#Listen 80
# press Esc after modification, then enter :wq to save and exit
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf    // create a symbolic link
[root@localhost httpd-2.4.29]# cd /usr/local/httpd/bin/
[root@localhost bin]# ls
ab            apu-1-config  dbmmanage    fcgistarter   htdigest  httxt2dbm
apachectl     apxs          envvars      htcacheclean  htpasswd  logresolve
apr-1-config  checkgid      envvars-std  htdbm         httpd     rotatelogs
[root@localhost bin]# vim /usr/local/httpd/htdocs/index.html
It works!
// if you need to insert a picture, make the change above, press Esc, then enter :wq to save and exit
[root@localhost bin]# cp /aaa/LAMP/time.jpg /usr/local/httpd/htdocs/    // copy the picture into this directory
[root@localhost bin]# ./apachectl start
[root@localhost bin]# netstat -ntap | grep 80
tcp   0   0 192.168.18.128:80   0.0.0.0:*   LISTEN   93989/httpd

3. Verification

Win10-1 acts as the hotlinking website and win7-1 as the test client.

On win7-1, change the DNS server address in the network settings to the IP address of your own Linux system.

4. When we enter www.kgc.com in the browser, we can see the web page we wrote:

5. When we enter www.kgc.com in the browser of the win7-1 hotlink client, we can also access this page. Now we want to use this picture: right-click the image, select Properties, and we can see the URL of the image: http://www.kgc.com/time.jpg.

6. At this point, we need to build a hotlinking website:

Control Panel > Programs > Programs and Features > Turn Windows features on or off > select Internet Information Services

7. Click the icon in the lower left corner and search for iis in the search bar.

8. Create a new document.

9. Check the document extension.

10. Drag the web page file to the following path: C:\inetpub\wwwroot

At this point, you can access it from the test machine.

1. Note that the firewall must be turned off on both hosts, otherwise the web page cannot be accessed.

2. Enter the IP address of the test host, 192.168.234.161, in the browser of the hotlinking site to access the pirated website.

3. The same picture now appears, which shows that the hotlink succeeded. Test.web is the pirated website and it stole the picture from kgc's official website. When others visit test.web, this picture is loaded automatically, but the traffic still goes to kgc's official website.

The above is the hotlinking process. As maintainers of the site, we need to put a stop to it.

[root@localhost bin]# vim ../conf/httpd.conf
/rewrite        search for rewrite, uncomment the LoadModule rewrite_module line, and insert the following rules below it
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://kgc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://kgc.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.kgc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.kgc.com$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.kgc.com/error.png [R,NC]
# press Esc after modification, then enter :wq to save and exit

4. Copy the picture

[root@localhost bin]# ls ../htdocs/
ha.jpg  index.html
[root@localhost bin]# cp /aaa/LAMP/error.png ../htdocs/
[root@localhost bin]# ls ../htdocs/
error.png  ha.jpg  index.html
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start

5. Verify hotlink protection:

We use the test machine to enter 192.168.234.161 again. This time, because of the hotlink protection, our error image is forced to appear instead, which shows that hotlink protection has been set up successfully!
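The decision those rules make can be checked offline. The following Python script is an added example, not part of the original article: it reproduces the test.com RewriteCond/RewriteRule logic from the configuration section above with Python's re module and runs it over constructed Referer values, including two edge cases that the rules exactly as written produce: a request with no Referer header at all and a request with an https Referer are both sent to the error page.

```python
import re
from typing import Optional

# Referer patterns taken from the article's RewriteCond lines for test.com.
# Each RewriteCond is negated (!), so the RewriteRule fires only when the
# Referer matches NONE of them; [NC] makes the match case-insensitive.
ALLOWED_REFERERS = [
    r"^http://test.com/.*$",
    r"^http://test.com$",
    r"^http://www.test.com/.*$",
    r"^http://www.test.com$",
]
# RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/error.html [R,NC]
PROTECTED_URI = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)
ERROR_PAGE = "http://www.test.com/error.html"

def rewrite_decision(request_uri: str, referer: str) -> Optional[str]:
    """Return the redirect target if the hotlink rules fire, else None.
    mod_rewrite first tests the RewriteRule pattern against the URI, then
    requires every preceding RewriteCond to hold. Because each condition is
    negated, one matching allowed pattern is enough to let the request through.
    """
    if not PROTECTED_URI.match(request_uri):
        return None                      # not an image/flash file: rule skipped
    for pattern in ALLOWED_REFERERS:
        if re.match(pattern, referer, re.IGNORECASE):
            return None                  # came from our own site: served normally
    return ERROR_PAGE                    # foreign (or missing) Referer: redirected

# Constructed sample requests (not from the article) with the outcome of the rules.
SAMPLE_REQUESTS = [
    ("/image/logo.jpg", "http://www.test.com/page.html"),  # own site: served
    ("/image/LOGO.JPG", "HTTP://TEST.COM/page.html"),      # [NC]: served
    ("/image/logo.jpg", "http://a.test2.com/page.html"),   # pirate site: redirected
    ("/image/logo.jpg", ""),                               # no Referer header: also redirected
    ("/image/logo.jpg", "https://www.test.com/page.html"), # https Referer: also redirected
    ("/image/logo.jpg", "http://test-com/page.html"),      # unescaped '.' in pattern: served
    ("/page.html", "http://a.test2.com/page.html"),        # not a protected type: served
]

def evaluate(samples=SAMPLE_REQUESTS):
    """Apply the rules to each (uri, referer) pair; returns (uri, referer, target)."""
    return [(uri, ref, rewrite_decision(uri, ref)) for uri, ref in samples]

if __name__ == "__main__":
    for uri, ref, target in evaluate():
        print(f"{uri:18} Referer={ref!r:40} -> {target or 'served'}")
```

The last two sample rows show why the dots in the patterns should be escaped and why a browser that does not send a Referer (or visits over https) will also see the error page with this rule set.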

2. Hide version information

Building on the hotlink protection configuration above, we now carry out the optimization of hiding the version number.

Experimental procedure

1. Verification before the experiment

Go to the Windows client and capture packets with Fiddler to see the version information.

2. The capture shows the version suffix. Those with bad intentions will attack the server through the vulnerabilities of that version, which is very insecure, so the version number needs to be hidden.

3. The optimization process is as follows:

[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
/default        search for default and modify the line:
Include conf/extra/httpd-default.conf     // delete the leading #
:wq to save and exit

4. Once enabled, the httpd-default.conf configuration file in /usr/local/httpd/conf/extra/ becomes active and can be used for optimization.

[root@localhost bin]# vim /usr/local/httpd/conf/extra/httpd-default.conf
/ServerTokens   search for ServerTokens and modify it:
ServerTokens Prod                          // change Full to Prod
:wq to save and exit
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start    // restart the service

5. Verification result: the version number is hidden
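The before/after verification with Fiddler can also be done on a captured response without a GUI. The following Python script is an added example, not from the article: it parses a captured HTTP response, maps its Server header to the ServerTokens level that produces it (the Prod, Major, Minor, Min, OS and Full values are those documented for the Apache ServerTokens directive) and looks for the footer that ServerSignature On appends to server-generated pages such as a 404. The two captures are constructed samples of the state before and after the change.

```python
import re
from typing import Dict, Optional

# Server header values produced by each ServerTokens level (Apache docs):
#   Prod "Apache", Major "Apache/2", Minor "Apache/2.4", Min "Apache/2.4.29",
#   OS "Apache/2.4.29 (Unix)", Full "Apache/2.4.29 (Unix) PHP/5.6.11 ..."
TOKENS_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(\s*\([^)]*\))?(.*)$")
# Footer that ServerSignature On adds to server-generated pages (e.g. a 404):
SIGNATURE_RE = re.compile(r"<address>Apache/[^<]*Server at [^<]* Port \d+</address>")

def parse_headers(head: str) -> Dict[str, str]:
    """Header block of a captured HTTP response (status line first) -> dict."""
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def server_tokens_level(server: Optional[str]) -> str:
    """Infer the effective ServerTokens level from a Server header value."""
    if server is None:
        return "absent"
    m = TOKENS_RE.match(server)
    if not m:
        return "unknown"                  # not Apache, or a custom banner
    major, minor, patch, os_part, rest = m.groups()
    if rest.strip():
        return "Full"                     # module versions after the OS: Full
    if os_part:
        return "OS"
    if patch is not None:
        return "Min"
    if minor is not None:
        return "Minor"
    return "Major" if major is not None else "Prod"

def audit_response(raw: str) -> dict:
    """Report what a captured response discloses about the Apache version."""
    head, _, body = raw.partition("\r\n\r\n")
    level = server_tokens_level(parse_headers(head).get("server"))
    return {"tokens": level, "header_leaks": level not in ("Prod", "absent"),
            "signature": bool(SIGNATURE_RE.search(body))}

# Constructed captures (not from the article): before and after the change.
CAPTURE_BEFORE = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.29 (Unix) PHP/5.6.11\r\n"
                  "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>"
                  "<address>Apache/2.4.29 (Unix) Server at www.kgc.com Port 80</address>")
CAPTURE_AFTER = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
                 "<h1>Not Found</h1>")
```

Running audit_response on the "before" capture flags both the Full header and the signature footer; on the "after" capture only the bare product name remains, which is what ServerTokens Prod together with ServerSignature Off should give.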

That is the whole of "how to configure Apache to achieve hotlink protection and hide version information". Thank you for reading! I believe you now have a certain understanding of it, and I hope the content shared here helps you. If you want to learn more, you are welcome to follow the industry information channel!
