
How to deeply optimize Apache

2025-04-06 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Many less experienced administrators are at a loss about how to optimize Apache in depth. This article therefore summarizes the relevant settings and how to apply them. I hope it helps you solve the problem.

1. Gzip (deflate) function of Apache

Gzip can speed up a website considerably. With gzip enabled, the compression ratio is sometimes more than 80% and at least more than 40%, so the feature is well worth using.

In Apache 2 and later, the module is not called gzip but mod_deflate.

The process of transferring files in a web page without using gzip, as shown in the figure:

When using gzip, the process of transferring files in a web page is shown in the figure:

For the case environment of this blog post, you can refer to the blog post: the installation, deployment and working mode of Apache.

If you want to use the gzip (deflate) feature, be sure to enable two modules:

    # mod_deflate: gzip-compresses the content transferred to the client
    LoadModule deflate_module modules/mod_deflate.so
    # mod_headers: tells the client's browser that the transferred files are gzip-compressed;
    # if it is not enabled, the web page content cannot be displayed properly
    LoadModule headers_module modules/mod_headers.so

    [root@localhost ~]# apachectl -M | grep deflate
    # checks whether the mod_deflate module is installed; if nothing is returned, it is not installed

There are two installation methods:

Add the "--enable-deflate" option at compile time to install

Use DSO for installation

Apache itself has been installed, so here is the installation in DSO mode

    # switch to the directory of the Apache source package that contains mod_deflate
    [root@localhost ~]# cd /usr/src/httpd-2.4.23/modules/filters/
    # use the apxs command to install
    [root@localhost filters]# /usr/local/http-2.4.23/bin/apxs -c -i -a mod_deflate.c

Interpretation of apxs command parameters:

-i: indicates that an installation operation is required, to install one or more dynamic shared objects into the server's modules directory

-a: indicates that a LoadModule line is automatically added to the httpd.conf file to enable this module, or if the line already exists, enable it

-c: indicates that the compilation operation needs to be performed.

This error message appears during installation, as shown in the figure:

Such an error message indicates that the zlib-devel package is missing. Just run "yum -y install zlib-devel" and install the mod_deflate module again!

    [root@localhost filters]# ll /usr/local/http-2.4.23/modules/mod_deflate.so
    -rwxr-xr-x. 1 root root 98160 November 22 18:53 /usr/local/http-2.4.23/modules/mod_deflate.so
    # confirm that the file already exists

Check the Apache main configuration file; the following error appears:

    [root@localhost ~]# apachectl -t
    httpd: Syntax error on line 104 of /usr/local/http-2.4.23/conf/httpd.conf: Cannot load modules/mod_deflate.so into server: /usr/local/http-2.4.23/modules/mod_deflate.so: undefined symbol: inflate

Solution:

In the Apache main configuration file, add LoadFile /usr/local/zlib/lib/libz.so on the line before the LoadModule deflate_module modules/mod_deflate.so line.

That is all that is needed, as shown in the figure:

    # check the configuration file for errors
    [root@localhost ~]# apachectl -t
    Syntax OK
    # restart the Apache service
    [root@localhost ~]# apachectl restart

Next, modify the Apache main configuration file to enable the gzip compression transfer feature:

    # mod_deflate: gzip-compresses the content transferred to the client
    LoadModule deflate_module modules/mod_deflate.so
    # mod_headers: tells the client's browser that the transferred files are gzip-compressed;
    # if it is not enabled, the web page content cannot be displayed properly
    LoadModule headers_module modules/mod_headers.so

Check the Apache main configuration file and make sure that these two modules are enabled.

Add the following to the Apache main configuration file (personally recommended at the end):

    # the mod_deflate module must be enabled
    # compression level
    DeflateCompressionLevel 9
    # set the output filter to enable compression
    SetOutputFilter DEFLATE
    # compress files in text formats
    AddOutputFilterByType DEFLATE text/*
    # do not compress picture files with the suffix gif, jpg, jpeg or png;
    # ?: means that the content in () is not captured
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    # the following sets the log output
    # number of bytes in the input stream
    DeflateFilterNote Input input_info
    # number of bytes in the output stream
    DeflateFilterNote Output output_info
    # compression percentage
    DeflateFilterNote Ratio ratio_info
    # log format
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    # path where the log is stored
    CustomLog logs/deflate_log.log deflate

For easy copying and pasting, the same content without comments is attached:

    DeflateCompressionLevel 9
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/*
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    DeflateFilterNote Input input_info
    DeflateFilterNote Output output_info
    DeflateFilterNote Ratio ratio_info
    LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
    CustomLog logs/deflate_log.log deflate

After the modification is completed, restart the Apache service and test it with a browser (open the developer tools with F12 and refresh with F5), as shown below:

    # view the deflate log (the log path is defined in the configuration file)
    [root@localhost ~]# cat /usr/local/http-2.4.23/logs/deflate_log.log
    "GET / HTTP/1.1" -/- (-%)
    "GET /favicon.ico HTTP/1.1" -/- (-%)
    "GET / HTTP/1.1" -/- (-%)
    "GET / HTTP/1.1" 76/4725 (1%)
    "GET / HTTP/1.1" 76/4725 (1%)
    # it can be seen that the compression ratio reaches 99%
    "-" -/- (-%)

Note: pictures do not need to be compressed, and flash swf files do not need to be compressed (these two things will have unexpected effects after compression)
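To check how much the compression actually saves, the deflate log can be summarized with a short script. This is an added example, not part of the original article; it assumes the log format configured above, and the function names and sample lines are constructed for illustration.

```python
import re

# Matches lines written by the LogFormat configured above:
#   '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)'
LINE_RE = re.compile(
    r'^"(?P<request>[^"]*)"\s+(?P<out>\d+|-)\s*/\s*(?P<inp>\d+|-)\s+'
    r'\((?P<ratio>\d+|-)%\)$'
)


def parse_deflate_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    out, inp = m.group("out"), m.group("inp")
    compressed = out != "-" and inp != "-"   # "-" means the filter did not run
    return {
        "request": m.group("request"),
        "compressed": compressed,
        "bytes_out": int(out) if compressed else None,
        "bytes_in": int(inp) if compressed else None,
    }


def summarize(lines):
    """Aggregate byte savings over compressed responses and count the rest."""
    total_in = total_out = uncompressed = malformed = 0
    for line in lines:
        rec = parse_deflate_line(line)
        if rec is None:
            malformed += 1
        elif not rec["compressed"]:
            uncompressed += 1
        else:
            total_in += rec["bytes_in"]
            total_out += rec["bytes_out"]
    saved = 0.0 if total_in == 0 else round(100.0 * (1 - total_out / total_in), 1)
    return {
        "bytes_in": total_in,
        "bytes_out": total_out,
        "saved_percent": saved,
        "uncompressed": uncompressed,
        "malformed": malformed,
    }


# Constructed sample, modelled on the log output shown above.
SAMPLE_LOG = [
    '"GET / HTTP/1.1" -/- (-%)',
    '"GET /favicon.ico HTTP/1.1" -/- (-%)',
    '"GET / HTTP/1.1" 76/4725 (1%)',
    '"GET /about.html HTTP/1.1" 1200/4000 (30%)',
    "not a deflate log line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```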

2. Cache settings of Apache

The cache settings of Apache mainly depend on the mod_expires module. After enabling the module, the number of repeated requests can be reduced by about 20%-30%, because the results of repeated user requests are cached locally. Be careful not to do this for files that are updated frequently.

The mod_expires module controls the content of the Expires header and the max-age directive of the Cache-Control header in the server's responses. The expiration date can be set relative to the last modification time of the source file or to the access time of the client.

The effect when mod_expires caching is not enabled:

Enable mod_expires caching as follows:

    LoadModule expires_module modules/mod_expires.so
    # check the Apache main configuration file and make sure this module is enabled

Then add the following at the end of the Apache main configuration file:

    # the expires module must be enabled
    # turn on the expires function
    ExpiresActive On
    # keep text files of type html for two minutes
    ExpiresByType text/html "access plus 2 minutes"
    # keep pictures of type jpeg for one month
    ExpiresByType image/jpeg "access plus 1 month"
    # anything else that is not defined is not cached by default
    ExpiresDefault "now plus 0 minutes"

Uncommented configuration file:

    ExpiresActive On
    ExpiresByType text/html "access plus 2 minutes"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresDefault "now plus 0 minutes"

The test results are as follows:

Configuration format of the caching mechanism:

    ExpiresByType type/encoding "<base> [plus] {<num> <type>}"
    ExpiresDefault "<base> [plus] {<num> <type>}"

1. <base> is one of the following:

access (relative to client access time)

now (equivalent to access)

modification (relative to the time the source file was last modified)

2. The plus keyword is optional. <num> should be an integer value, and <type> is one of the following:

years

months

weeks

days

hours

minutes

seconds

You can also define the caching mechanism using the following format:

    # cache pictures for one month
    ExpiresByType image/jpeg A2592000
    # HTML documents are valid for one week after their last modification time
    ExpiresByType text/html M604800

"M" indicates the last modification time of the source file, and "A" indicates the time when the client accesses the source file. The number that follows is a time in seconds.

For a specific introduction, please refer to the official documentation.
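The two syntaxes above describe the same thing, which a small converter makes concrete. This is an added example, not part of the original article; it assumes the unit lengths mod_expires uses (a month counts as 30 days, a year as 365), and the function names are chosen for illustration.

```python
import re

# Seconds per unit as mod_expires counts them (month = 30 days, year = 365 days).
UNIT_SECONDS = {
    "year": 365 * 86400, "month": 30 * 86400, "week": 7 * 86400,
    "day": 86400, "hour": 3600, "minute": 60, "second": 1,
}
# "now" is equivalent to "access"; both map to the short-form letter A.
BASES = {"access": "A", "now": "A", "modification": "M"}


def parse_expires(spec):
    """Return (base_letter, seconds) for either syntax; raise ValueError if invalid."""
    spec = spec.strip()
    short = re.fullmatch(r"([AM])(\d+)", spec)
    if short:                                    # e.g. A2592000 or M604800
        return short.group(1), int(short.group(2))
    words = spec.lower().split()
    if not words or words[0] not in BASES:
        raise ValueError("unknown base in %r" % spec)
    base, rest = BASES[words[0]], words[1:]
    if rest and rest[0] == "plus":               # the plus keyword is optional
        rest = rest[1:]
    if not rest or len(rest) % 2:
        raise ValueError("expected <num> <type> pairs in %r" % spec)
    total = 0
    for num, unit in zip(rest[0::2], rest[1::2]):
        unit = unit[:-1] if unit.endswith("s") else unit   # minute or minutes
        if not num.isdigit() or unit not in UNIT_SECONDS:
            raise ValueError("bad interval %r %r in %r" % (num, unit, spec))
        total += int(num) * UNIT_SECONDS[unit]
    return base, total


def to_short_form(spec):
    """Rewrite the long syntax as the equivalent A<seconds> / M<seconds> form."""
    base, seconds = parse_expires(spec)
    return "%s%d" % (base, seconds)


if __name__ == "__main__":
    for s in ("access plus 1 month", "modification plus 1 week",
              "access plus 2 minutes", "now plus 0 minutes"):
        print("%-28s -> %s" % (s, to_short_form(s)))
```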

3. Disabling directory listing in Apache

When a client accesses Apache, the page served by default is index.html in the root directory of the website. If this file does not exist, the following occurs:

To prevent the above situation, you need to modify the configuration file of Apache:

After you restart the service, this happens:

4. Hiding the Apache version information

Without modification, the default version information is:

Exposing this information on the Internet so readily is obviously not safe. You can improve this by doing the following:

In the Apache main configuration file, enable httpd-default.conf:

    # remove the leading # from this line
    Include conf/extra/httpd-default.conf

    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/extra/httpd-default.conf
    # find these two lines
    ServerTokens Full
    ServerSignature On
    # and modify them to the following
    ServerTokens Prod
    ServerSignature Off

After restarting the service, review it again:

If you need to change the version string and the other details completely, modify ap_release.h in the include directory of the source package before compiling.

    # this is my extraction path; adjust it to your actual situation
    [root@localhost ~]# vim /usr/src/httpd-2.4.23/include/ap_release.h

The content to modify is as follows (do not delete the "#" at the beginning of these lines):

    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"   /* service vendor name */
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"          /* service project name */
    #define AP_SERVER_BASEPRODUCT "Apache"                      /* service product name */
    #define AP_SERVER_MAJORVERSION_NUMBER 2                     /* major version */
    #define AP_SERVER_MINORVERSION_NUMBER 4                     /* minor version */
    #define AP_SERVER_PATCHLEVEL_NUMBER 23                      /* patch level */
    #define AP_SERVER_DEVBUILD_BOOLEAN 0

Change it to what you want according to the comments, compile and install it!
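A small auditor for the settings in sections 3 and 4, as an added example (not the article's or Apache's own code). The screenshot of the directory-listing change is missing, so this assumes the usual fix of removing Indexes from the Options line; the function names and sample files are constructed for illustration.

```python
def effective_directives(files, path, seen=None):
    """Yield (path, line_no, name, args) for active directives, following Include."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return
    seen.add(path)
    for no, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out Include is inert, so its file has no effect
        parts = line.split()
        if parts[0].lower() == "include" and len(parts) > 1:
            # Only literal paths are followed here; httpd also accepts wildcards.
            yield from effective_directives(files, parts[1], seen)
        else:
            yield path, no, parts[0].lower(), parts[1:]


def audit(files, main="conf/httpd.conf"):
    """Return findings for directory listing and version disclosure."""
    findings = []
    tokens, signature = "Full", "Off"   # httpd's documented defaults when unset
    for path, no, name, args in effective_directives(files, main):
        if name == "options" and any(
                a.lower() in ("indexes", "+indexes", "all") for a in args):
            findings.append("%s:%d Options %s allows directory listing"
                            % (path, no, " ".join(args)))
        elif name == "servertokens" and args:
            tokens = args[0]
        elif name == "serversignature" and args:
            signature = args[0]
    if tokens.lower() not in ("prod", "productonly"):
        findings.append("ServerTokens is effectively %s" % tokens)
    if signature.lower() != "off":
        findings.append("ServerSignature is effectively %s" % signature)
    return findings


# Constructed sample: the extra file was edited, but its Include is still commented out.
BEFORE = {
    "conf/httpd.conf": (
        '<Directory "/usr/local/http-2.4.23/htdocs">\n'
        "    Options Indexes FollowSymLinks\n"
        "</Directory>\n"
        "#Include conf/extra/httpd-default.conf\n"
    ),
    "conf/extra/httpd-default.conf": "ServerTokens Prod\nServerSignature Off\n",
}
# Constructed sample after both changes have been applied.
AFTER = {
    "conf/httpd.conf": (
        '<Directory "/usr/local/http-2.4.23/htdocs">\n'
        "    Options FollowSymLinks\n"
        "</Directory>\n"
        "Include conf/extra/httpd-default.conf\n"
    ),
    "conf/extra/httpd-default.conf": "ServerTokens Prod\nServerSignature Off\n",
}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(files))
```

The BEFORE sample shows why the Include line matters: editing httpd-default.conf changes nothing while the line that loads it is still commented out.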

5. Apache log segmentation

As the number of visits to a website grows, its log files become larger and larger. If the logs are not split, they are hard to back up and can only be deleted all at once, which loses a lot of information that is valuable to the website. Managing these massive logs is therefore very important.

Logs can be separated in the following two ways:

Method 1: use rotatelogs (a tool that comes with Apache) to rotate the logs once a day.

Modify the main configuration file of Apache as follows. Find the following two lines and comment them out:

    ErrorLog logs/error_log
    CustomLog logs/access_log common

Then add the following, preferably on the line after the CustomLog "logs/access_log" common entry (the following cannot be copied directly; see the explanation below):

    ErrorLog "|/usr/local/http-2.4.23/bin/rotatelogs -l logs/error_%Y-%m-%d.log 86400"
    CustomLog "|/usr/local/http-2.4.23/bin/rotatelogs -l logs/access_%Y-%m-%d.log 86400" combined

The path used here is the absolute path to the rotatelogs tool.

In the above addition, 86400 is the rotation time in seconds (that is, a log file is generated per day).

    # restart the Apache service
    [root@localhost ~]# systemctl restart httpd
    # view the log files
    [root@localhost ~]# ls /usr/local/http-2.4.23/logs/
    access_2019-11-23.log  access_log  error_2019-11-23.log  error_log  httpd.pid

At first only the error log may appear; the access log is generated once the site has been accessed.

In this way, it has been realized that the log is divided and stored by day!

Apache has its own log rotation tool, rotatelogs, but it is said that logs are easily lost while it cuts them, so cronolog (that is, method 2) is usually used for log rotation.

Method 2: use cronolog to create a new log for each day. Again, comment out the following two lines in Apache's main configuration file:

    ErrorLog "logs/error_log"
    CustomLog "logs/access_log" common

Download the cronolog source code package

    # extract, then compile and install
    [root@localhost ~]# tar zxf cronolog-1.6.2.tar.gz -C /usr/src
    [root@localhost ~]# cd /usr/src/cronolog-1.6.2/
    [root@localhost cronolog-1.6.2]# ./configure && make && make install
    # edit the main configuration file of Apache
    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/httpd.conf
    # delete the log rotation entries written in method 1 and write the following two lines
    CustomLog "|/usr/local/sbin/cronolog logs/access-%Y-%m-%d.log" combined
    ErrorLog "|/usr/local/sbin/cronolog logs/error-%Y-%m-%d.log"
    # here, too, use the absolute path of the cronolog tool

    # for a cleaner test, it is recommended to delete or move away the original log files
    [root@localhost ~]# rm -rf /usr/local/http-2.4.23/logs/*log
    [root@localhost ~]# ls /usr/local/http-2.4.23/logs/
    httpd.pid
    # after a test access, the access log and error log are generated
    [root@localhost ~]# ls /usr/local/http-2.4.23/logs/
    access-2019-11-23.log  error-2019-11-23.log  httpd.pid

In this way, it has been realized that the log is divided and stored by day!

If Apache serves multiple virtual hosts, it is best to place such a configuration in each virtual host and give each log file a different name.

If the website receives too many visits, the logs can also be split by hour, as follows.

Based on the second method:

    # modify the original two lines of configuration as follows
    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/httpd.conf
    CustomLog "|/usr/local/sbin/cronolog logs/access-%Y-%m-%d.log.%H" combined
    ErrorLog "|/usr/local/sbin/cronolog logs/error-%Y-%m-%d.log.%H"
    # ".%H" is added to the original configuration and means to split by hour
    # restart the Apache service
    [root@localhost ~]# systemctl restart httpd

Make your own test access, and then check the log file, as shown in the figure:

In the production environment, the common methods are:

Daily rotation:

    CustomLog "|/usr/local/sbin/cronolog logs/access_www_%Y%m%d.log" combined

Hourly rotation:

    CustomLog "|/usr/local/sbin/cronolog logs/access_www_%Y%m%d%H.log" combined

Note: another difference between the two piped-log programs is that cronolog automatically creates the directories if the log is placed in a path that does not exist, whereas rotatelogs does not.

6. Configure hotlink protection

Sometimes you will suddenly find that the number of visits to the website is increasing. Do not be happy too early: your resources are probably being hotlinked by someone else. For example, you build a video website yourself, and then someone points the video addresses on their site at your server. The number of requests to your website then grows and grows, and more and more resources are consumed! To avoid this, you need hotlink protection.

Method 1: implement it with the rewrite module. First make sure that the rewrite module of Apache is installed:

    [root@localhost ~]# apachectl -M | grep rewrite
     rewrite_module (shared)

Next, edit the main configuration file of Apache:

    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/httpd.conf
    # find this line; it is commented out by default, just delete the leading #
    LoadModule rewrite_module modules/mod_rewrite.so
    # the following must be written in the configuration of the website's root directory
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://192.168.1.1/.*$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://192.168.1.1/about/error.png [R,NC,L]

Explanation of the added content:

RewriteEngine On: enables the rewrite (address redirection) function; this line is required.

RewriteCond %{HTTP_REFERER} !^$: allows users to test access directly in the browser.

RewriteCond %{HTTP_REFERER} !^http://192.168.1.1/.*$ [NC]: allows access through the address 192.168.1.1.

RewriteRule .*\.(gif|jpg|swf)$ http://192.168.1.1/about/error.png [R,NC,L]: redirects all requests for files with the suffixes gif, jpg and swf that do not satisfy the conditions above to error.png in the about directory under the root directory of the website. Make sure that the error.png file exists in the about directory; otherwise the warning picture will not be displayed on the other party's website.

The details are as shown in the figure:

Note: clear the browser cache when testing

The following tests are performed:

The lab environment has 192.168.1.1 (A) website server and 192.168.1.2 (B) website server. The configuration is as follows:

Server A:

    [root@localhost ~]# apachectl -M | grep rewrite
     rewrite_module (shared)
    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/httpd.conf
    # find this line; it is commented out by default, just delete the leading #
    LoadModule rewrite_module modules/mod_rewrite.so
    # the following must be written in the configuration of the website's root directory
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://192.168.1.1/.*$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://192.168.1.1/about/error.png [R,NC,L]

    # make sure access.jpg exists
    [root@localhost ~]# ll /usr/local/http-2.4.23/htdocs/
    total 64
    drwxr-xr-x. 2 root root    23 November 25 14:45 about
    -rw-r--r--. 1 root root 60108 November 24 10:02 access.jpg
    -rw-r--r--. 1 root root    45 June 12 2007 index.html
    # make sure error.png exists
    [root@localhost ~]# ll /usr/local/http-2.4.23/htdocs/about
    total 236
    -rw-r--r--. 1 root root 240595 November 24 10:01 error.png
    # restart the httpd server
    [root@localhost ~]# apachectl restart

Server B:

    # for convenience, install the httpd service using yum
    [root@localhost ~]# yum -y install httpd
    [root@localhost ~]# vim /var/www/html/index.html
    link
    # the manually written home page file is a hyperlink to access.jpg in the root directory of server A;
    # the hyperlink appears when you visit the page

In this way, when a client visits server B and follows the link, it is shown error.png (although the request was meant to fetch access.jpg).

You can also return an error page to the client when a hotlinked request comes in, as follows:

Modify the configuration file of server A:

    [root@localhost ~]# vim /usr/local/http-2.4.23/conf/httpd.conf
    ...
    # part of the content is omitted
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://192.168.1.1/.*$ [NC]
    # comment out this entry
    # RewriteRule .*\.(gif|jpg|swf)$ http://192.168.1.1/about/error.png [R,NC,L]
    # [F] forces the current URL to be forbidden, that is, an HTTP response code 403 (Forbidden) is returned immediately
    RewriteRule .*\.(gif|jpg|png)$ - [F]
    # restart the httpd service
    [root@localhost ~]# systemctl restart httpd

When you visit again, something like this will happen:

Pay attention to clearing the browser cache

This proves the role of hotlink protection!

Method 2: block the request by judging the browser header information

That is, using SetEnvIfNoCase and access control. This method can also save bandwidth by preventing some robots or spider crawlers from crawling your website.

Syntax: SetEnvIfNoCase attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ...

SetEnvIfNoCase assigns a value to a variable when a condition is met, that is, it sets environment variables according to attributes of the client request.

Note: Referer indicates the URL of the resource from which the current resource was requested. Using the Referer, you can protect against hotlinking.

Find the corresponding configuration of your website (for example in the main configuration file or in a virtual host) and add the following code:

    SetEnvIfNoCase Referer "^$" local_ref
    SetEnvIfNoCase Referer "^http://www.benet.com/.*$" local_ref
    SetEnvIfNoCase Referer "^http://benet.com/.*$" local_ref

Whether a reference to a picture or other resource is legitimate is judged by the value of the Referer. Only requests whose Referer falls within the configured range can fetch the specified resources, which protects the site's resources from being hotlinked. Note that user agents (browsers) set the Referer themselves, and some allow it to be modified manually; the Referer can be forged, so the above configuration is only a simple means of protection. It is enough to deal with ordinary hotlinking.

When a website's resources are hotlinked, the following measures can be taken:

Mark the pictures, videos, audio and other files of the site with your own site name, brand or a related watermark.

Set up a firewall to restrict access by source IP.

Set up hotlink protection (based on the Referer mechanism).

Hotlinking increases the website's bandwidth cost and the load on the server; in serious cases, it affects the website itself and the access of normal users.
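Before and after enabling the rules, the access log shows who is hotlinking and whether the requests are still being served. This is an added example, not part of the original article; it assumes the access log uses the combined format configured in section 5 and the lab addresses from the test above, and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)
PROTECTED = re.compile(r"\.(gif|jpg|swf)$", re.IGNORECASE)  # suffixes from the RewriteRule
OWN_HOSTS = {"192.168.1.1"}                                 # server A in the article's lab


def hotlink_report(lines, own_hosts=OWN_HOSTS):
    """Group requests for protected files by the foreign site named in the Referer."""
    report = {}
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or not PROTECTED.search(urlsplit(m["path"]).path):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # direct request; the RewriteCond !^$ line lets these through too
        host = (urlsplit(referer).hostname or "(unparsed)").lower()
        if host in own_hosts:
            continue
        entry = report.setdefault(host, {"requests": 0, "bytes": 0, "served": 0})
        entry["requests"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["served"] += int(m["status"].startswith("2"))  # 2xx: file was delivered
    return report


# Constructed log lines: two hotlinked hits served before the rule, one refused after it,
# one request from server A's own page, one direct request, one unprotected file.
SAMPLE = [
    '192.168.1.50 - - [25/Nov/2019:14:50:01 +0800] "GET /access.jpg HTTP/1.1" 200 60108 "http://192.168.1.2/" "Mozilla/5.0"',
    '192.168.1.51 - - [25/Nov/2019:14:50:07 +0800] "GET /access.jpg HTTP/1.1" 200 60108 "http://192.168.1.2/index.html" "Mozilla/5.0"',
    '192.168.1.50 - - [25/Nov/2019:15:10:12 +0800] "GET /access.jpg HTTP/1.1" 403 199 "http://192.168.1.2/" "Mozilla/5.0"',
    '192.168.1.50 - - [25/Nov/2019:14:51:12 +0800] "GET /access.jpg HTTP/1.1" 200 60108 "http://192.168.1.1/index.html" "Mozilla/5.0"',
    '192.168.1.52 - - [25/Nov/2019:14:52:30 +0800] "GET /access.jpg HTTP/1.1" 200 60108 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [25/Nov/2019:14:53:00 +0800] "GET /index.html HTTP/1.1" 200 45 "http://192.168.1.2/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, stats in hotlink_report(SAMPLE).items():
        print(host, stats)
```

A "served" count that stops growing after the restart confirms that the rule is taking effect for that referring site.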
