Shulou(Shulou.com)06/02 Report--

Optimizing Apache to realize hotlink protection

■ hotlink protection is to prevent other people's website code from stealing server images.

, files, videos and other related resources

■, if someone steals these static resources of the website, it will obviously increase the service.

Bandwidth pressure of server

Therefore, as the maintainer of the website, ■ should put an end to the static resources of our server.

The source was embezzled by other websites

■ checks whether Apache has the mod_ rewrite module installed

● / usr/local/apache/bin/apachectl-t-D DUMP MODULES

● if there is no rewrite module (static) in the output, it is not installed at compile time

Mod rewrite module

If ■ is not installed, recompile the installation

●. / configure-- enable-rewrite...

● make & & make install

Configure rule variable description

% {HTTP REFERER}: browse the link fields in header and store one by one chain

The URL, which represents the link from which to access the required web page

! ^: do not start with the following string

. * $: ends with any character

NC: insensitive to upper case

R: forced jump

■ rule matching description

● RewriteEngine On: turn on the web rewriting feature

● RewriteCond: setting matching rules

● RewriteRule: setting jump action

Rule matching

● if the value of the corresponding variable matches the set rule, it will proceed one by one; if not

Match, then the subsequent rules no longer match

Demonstration of ■ configuration operation

● modifies the configuration file to enable hotlink protection and sets rules:

RewriteEngine On

RewriteCond% {HTTP_ REFERER}! tp://est.com/.$ [NC]

RewriteCond% {HTTP REFERER}! ^ http://test.com$ [NC1

RewriteCond% {HTTP REFERER}! ^ http://www.test.com/.$ [NC]

RewriteCond% {HTTP_ REFERER}! ^ http://www.test.com$ [NC]

RewriteRule. (gifljpg | swf) $http://www.test.com/error.html [RMagnNC]

Hotlink protection configuration install and configure DNS service [root@localhost] # yum install bind-y / / installation service [root@localhost ~] # vim / etc/named.conf / / Edit the main configuration file options {listen-on port 53 {any;}; / / replace 127.0.0.1 with any listen-on-v6 port 53 {:: 1;} in parentheses Directory "/ var/named"; dump-file "/ var/named/data/cache_dump.db"; statistics-file "/ var/named/data/named_stats.txt"; memstatistics-file "/ var/named/data/named_mem_stats.txt"; recursing-file "/ var/named/data/named.recursing"; secroots-file "/ var/named/data/named.secroots" Allow-query {any;}; / / replace localhost in parentheses with any [root@localhost ~] # vim / etc/named.rfc1912.zones / / Edit the zone configuration file zone "kgc.com" IN {/ / specify the domain name type master; file "kgc.com.zone"; / / specify the region data configuration file allow-update {none for the specified domain name };}; [root@localhost ~] # cd / var/named/ [root@localhost named] # lsdata dynamic named.ca named.empty named.localhost named.loopback slaves [root@localhost named] # cp-p named.localhost kgc.com.zone / / copy zone data profile template [root@localhost named] # vim kgc.com.zone / / Edit zone data configuration file $TTL 1D @ IN SOA @ rname.invalid. (0; serial 1D; refresh 1H; retry 1W; expire 3H) Minimum NS @ A 127.0.0.1www IN A 192.168.131.129 [root@localhost named] # systemctl start named / / enable the DNS service [root@localhost named] # systemctl stop firewalld.service / / turn off the firewall [root@localhost named] # setenforce 0 / / turn off the enhanced security feature compilation and installation Apache service [root@localhost named] # mkdir / aaa [root@localhost named] # mount.cifs / / 192.168.100.10/LAMP-C7 / abc / / remotely mount the file to the local Password for root@//192.168.100.10/LAMP-C7: [root@localhost named] # cd / abc [root@localhost LAMP] # ls / / View the contents of the mounted file apr-1.6.2.tar.gz cronolog-1.6.2-14.el7.x86 _ 64.rpm mysql-5.6.26.tar.gzapr-util-1.6.0.tar.gz Discuz_X2.5_SC_UTF8.zip php-5.6.11.tar.bz2awstats-7.6.tar.gz httpd-2.4.29.tar.bz2

Extract the source file of the toolkit and move the package to the directory of Apache

[root@localhost LAMP] # tar jxvf httpd-2.4.29.tar.bz2-C / opt/ [root@localhost LAMP] # tar zxvf apr-1.6.2.tar.gz-C / opt/ [root@localhost LAMP] # tar zxvf apr-util-1.6.0.tar.gz-C / opt/ [root@localhost LAMP] # cd / opt/ [root@localhost opt] # lsapr-1.6.2 apr-util-1.6.0 httpd-2.4.29 rh [ Root@localhost opt] # mv apr-1.6.2/ httpd-2.4.29/srclib/apr [root@localhost opt] # mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util

Install the compiled language environment

Yum-y install\ gcc\ gcc-c++\ make\ pcre-devel\ zlib-devel\ expat-devel\ pcre\ perl

Configure configuration Apache function module

[root@localhost opt] # cd httpd-2.4.29/ [root@localhost httpd-2.4.29]. / configure\-- prefix=/usr/local/httpd\-- enable-deflate\-- enable-so\-- enable-rewrite\-- enable-charset-lite\-- enable-cgi

Compilation and installation

Make & & make installroot@localhost httpd-2.4.29] # vim / usr/local/httpd/conf/httpd.conf / ServerName search keywords to this line And configure the ServerName www.kgc.com:80/Listen search keywords to the listening port Listen 192.168.131.129 ipv4 port and change the listening address to the local address # Listen 80 / / A pair of ipv6 ports to comment LoadModule rewrite_module modules/mod_rewrite.so/rewrite search keywords to this line Open the rewrite function module [root@localhost httpd-2.4.29] # cd / usr/local/httpd/bin/// and switch to the / bin directory of the Apache service [root@localhost bin] # vim / usr/local/httpd/htdocs/index.html / / edit the home page file It works!

/ / put the picture in the label [root@localhost bin] # cp / abc/tupian.png / usr/local/httpd/htdocs/// copy the picture from the previously mounted directory to the site directory. / apachectl start / / enable the Apache service

Open a win10 test machine and change the DNS server address to the local server address

Enter www.kgc.com in the browser to access the web page

Right-click the picture to view the properties of the page to get the URL address of the picture

Create and configure pirated websites

Open another win10-2 testing machine to build a hotlink website

Use txt documents to write web content

This is test web

Change the file to html format and place it in a site that is placed in C:\ inetpub\ wwwroot

At this time, you can access the web page by using the test machine win10 to visit 192.168.131.128, but this is a hotlink website. Visiting this site not only steals the resources of other people's source websites, but also directs the traffic back to the source sites, thus causing the load on other people's servers, so in order to prevent this from happening, we have to configure our apache pages for hotlink protection.

Configure hotlink protection

Modify apache configuration file

[root@localhost bin] # vim / usr/local/httpd/conf/httpd.conf

Require all granted

/ / insert the following rules under this line

RewriteEngine On

RewriteCond% {HTTP_REFERER}! http://kgc.com/.$ [NC]

RewriteCond% {HTTP_REFERER}! ^ http://kgc.com$ [NC]

RewriteCond% {HTTP_REFERER}! ^ http://www.kgc.com/.$ [NC]

RewriteCond% {HTTP_REFERER}! ^ http://www.kgc.com/$ [NC]

RewriteRule. *. (gif | png | swf) $http://www.kgc.com/fangdao.jpg

Put the error picture into the site directory

[root@localhost bin] # cp / abc/fangdao.jpg / usr/local/httpd/htdocs/

[root@localhost bin] # ls / usr/local/httpd/htdocs/

Tupian.png fangdao.jpg index.html

[root@localhost bin] #. / apachectl stop / / restart the service

[root@localhost bin] #. / apachectl start

When we use the test machine to input 192.168.131.128 again, another picture will pop up because hotlink protection is set, which indicates that the hotlink protection is set successfully.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.