Shulou(Shulou.com)06/02 Report--

Configure the caching time of the web page through the mod_ expire module configure Apache, so that the web page can be cached in the client browser for a period of time, so as to avoid repeated requests after enabling the mod_ expire module, the Expires tag and Cache-Control tag in the page header information will be automatically generated, thus reducing the frequency and times of client access. To achieve the goal of reducing unnecessary traffic and increasing access speed, enable web caching step to see if mod_ expire module is installed, modify configuration file, enable caching function, grab package test, check if mod_ expire module / usr/local/apache/bin/apachectl-t-D DUMP_MODULES is installed if there is no expires_module (static) in the output. Then mod_expires is not installed at compile time. / configure-- enable-expires...make & & make install modifies the httpd.conf configuration file to enable the mod_expires module, and sets documents in any format under the http protocol to expire in 60 seconds.

ExpiresActive On

ExpiresDefault "access plus 60 seconds"

Restart the httpd service to visit the test website again, and use the package crawling tool Fiddler for data crawling, analysis and configuration examples here I will continue to do it in the previous experiment, in the last experiment. The expires module has already been installed when the Apache service is manually compiled and installed. Here I directly test [root@localhost ~] # vim / usr/local/httpd/conf/httpd.conf...// to omit part of the content. # LoadModule logio_module modules/mod_logio.soLoadModule env_module modules/mod_env.soLoadModule expires_module modules/mod_expires.so / / find this module Remove the # open module LoadModule headers_module modules/mod_headers.so#LoadModule unique_id_module modules/mod_unique_id.so...// and omit part of the content. / / add the following entry at the end of the file Configure expires module ExpiresActive On / / enable function ExpiresDefault "access plus 50 seconds" / / set cache time: wq / / Save exit [root@localhost ~] # apachectl-t / / verify syntax format Syntax OK / / syntax is normal [root@localhost ~] # service httpd stop / / stop HTTP service [root@localhost ~] # service httpd start / / start HTTP service [root@localhost ~] # / usr/local/httpd/bin/apachectl-t-D DUMP_MODULES | grep "expires" / / check whether the module enables expires_module (shared) / / successfully opens [root@localhost ~] # netstat-ntap | grep 80 / / check whether the port opens tcp 00192 .168.144.133: 80 0.0.0.0 LISTEN 47752/httpd visits web pages in the client Use the package grabbing tool to see if the cache module is turned on

Apache security optimization configuration hotlink protection is to prevent other people's website code from embezzling the server's pictures, files, videos and other related resources. If others steal these static resources of the website, it will obviously increase the bandwidth pressure on the server. Therefore, as the maintenance personnel of the website, we should prevent the static resources of our server from being embezzled by other websites to configure Apache to achieve hotlink protection.

Check if the mod_rewrite module is installed in Apache

/ usr/local/apache/bin/apachectl-t-D DUMP_ MODULES if there is no rewrite_module (static) in the output, the mod_ rewrite module is not installed at compile time. / configure-- enable-rewrite...make & & make install configuration rule variable description% {HTTP_ REFERER}: browse the link field in header The URL that stores a link represents the link from which to access the required web page! ^: does not start with the following string. * $: ends with any character NC: insensitive to uppercase R: forced jump rule matching description RewriteEngine On: open web page rewriting function RewriteCond: set matching rules RewriteRule: set jump action rules match if the values of the corresponding variables match the set rules, proceed one by one If it doesn't match, Then the subsequent rules no longer match the configuration operation demo to modify the configuration file to enable hotlink protection and set the rules: RewriteEngine OnRewriteCond% {HTTP_ REFERER}! ^ http://test.com/.*$ [NC] * RewriteCond% {HTTP_ REFERER}! ^ http://test.com$ [NC] RewriteCond% {HTTP_ REFERER}! ^ http://www.test.com/.*$ [NC] * RewriteCond% {HTTP_ REFERER}! ^ http://www. Test.com$ [NC] RewriteRule. *\. (gifljipg | swf) $http://www.test.com/error.html [R NC] the configuration instance first installs the DNS service And configure the DNS service. Here we visit the web page with the same domain name. In the previous manual compilation and installation of the Apache service, you have already installed the release module plug-in mod_rewrite, which goes directly to the HTTP master configuration file for configuration. [root@localhost ~] # yum install bind-y loaded plug-in: fastestmirror, langpacksbase | 3.6 kB 00:00 extras | 2.9 kB 00:00. / / omit part of the content. Installed: bind.x86_64 32 bind-export-libs.x86_64 9.11.4-9.P2.el7 installed as a dependency: 9.P2.el7 upgraded as a dependency: bind-libs.x86_64 32 bind-export-libs.x86_64 9.11.4- 9.P2.el7 bind-libs-lite.x86_64 32VR 9.11.4-9.P2.el7 bind-license.noarch 32VR 9.11.4-9.P2.el7 bind-utils.x86_64 32VR 9.11.4 -9.P2.el7 dhclient.x86_64 12 77.el7.centos dhcp-libs.x86_64 4.2.5-77.el7.centos dhcp-common.x86_64 1215 4.2.5-77.el7.centos dhcp-libs.x86_64 1215 4.2.5-77 .el7.centos. Over! [root@localhost ~] # vim / etc/named.conf...// omits some content... options {listen-on port 53 {any;}; listen-on-v6 port 53 {:: 1;}; directory "/ var/named"; dump-file "/ var/named/data/cache_dump.db"; statistics-file "/ var/named/data/named_stats.txt" Memstatistics-file "/ var/named/data/named_mem_stats.txt"; recursing-file "/ var/named/data/named.recursing"; secroots-file "/ var/named/data/named.secroots"; allow-query {any;} ...: wq [root@localhost ~] # vim / etc/named.rfc1912.zones...// omits part... zone "kgc.com" IN {type master; file "kgc.com.zone"; allow-update {none;};} ...: wq [root@localhost ~] # cd / var/named/ [root@localhost named] # lsdata dynamic named.ca named.empty named.localhost named.loopback slaves [root@localhost named] # cp-p named.localhost kgc.com.zone [root@localhost named] # vim kgc.com.zone$TTL 1D @ IN SOA @ rname.invalid. (0; serial 1D; refresh 1H; retry 1W; expire 3H) Minimum NS @ A 127.0.0.1www IN A 192.168.144.133 [root@localhost named] # systemctl start named / / start the DNS service. Here, we do not enable the hotlink feature. Now, access the web page image in the client, then open a win 7 client, install the http service, and steal the link image to see if you can steal the link.

Configure hotlink protection module in Linux system [root@localhost ~] # vim / usr/local/httpd/conf/httpd.conf / / Edit the main configuration file. / / omit part of the content. # LoadModule userdir_module modules/mod_userdir.soLoadModule alias_module modules/mod_alias.soLoadModule rewrite_module modules/mod_rewrite.so / / find this entry And open this entry # # If you wish httpd to run as a different user or group, and you must run...// omits part of the content. / / add hotlink protection entries # # Possible values for the Options directive are "None", "All" under this tag. # or any combination of: # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews # # Note that "MultiViews" must be named * explicitly*-"Options All" # doesn't give it to you. # # The Options directive is both complicated and important. Please see # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options Indexes FollowSymLinks # # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # AllowOverride FileInfo AuthConfig Limit # AllowOverride None # # Controls who can get stuff from this server. # Require all granted RewriteEngine On / / enable hotlink protection RewriteCond% {HTTP_REFERER}! ^ http://kgc.com/.*$ [NC] RewriteCond% {HTTP_REFERER}! ^ http://kgc.com$ [NC] RewriteCond% {HTTP_REFERER}! ^ http://www.kgc.com/.*$ [NC] RewriteCond% {HTTP_REFERER}! ^ http:// www.kgc.com/ $[NC] RewriteRule. *\. (gif | jpg | swf) $http://www.kgc.com/error.png. / / omit part of the content.: wq [root@localhost ~] # cd / mnt / / enter the mount directory [root@localhost mnt] # ls / / to see if there is a prepared hotlink protection picture apr-1.6.2.tar.gz cronolog-1.6.2- 14.el7.x86_64.rpm httpd-2.4.29.tar.bz2 mysql-5.6.26.tar.gzapr-util-1.6.0.tar.gz Discuz_X2.5_SC_UTF8.zip LAMP-php5.6.txt nginx-1.12.0.tar.gzawstats-7.6.tar.gz error.png miao.jpg php-5.6. 11.tar.bz2 [root@localhost mnt] # cp error.png / usr/local/httpd/htdocs/ copy the hotlink protection image to the http site directory [root@localhost mnt] # cd / usr/local/httpd/htdocs/ enter the site directory [root@localhost htdocs] # ls / / View error.png index.html miao.jpg / / copy [root@localhost htdocs] # systemctl start httpd/ / restart the network successfully The service accesses the web page in the client again See if hotlink protection is enabled.

Hidden version information Apache hidden version information Apache version information, revealing certain vulnerability information, thus bringing security risks to the website. To configure Apache hidden version information in the production environment, use the Fiddler package grabbing tool to analyze and configure Apache hidden version information.

Remove the following line comments from the main configuration file httpd.conf

# Include conf/extra/httpd-default.conf modify httpd-default.conf file two places ServerTokens Full change to ServerTokens Prod modify ServersSignature On to ServersSignature Off restart httpd service, visit website, grab package test configuration instance now use package capture tool in the client to see if version information is displayed

Go to the HTTP configuration file and change the information [root@localhost htdocs] # vim / usr/local/httpd/conf/httpd.conf. / / omit part of the content. # Include conf/extra/httpd-dav.conf# Various default settingsInclude conf/extra/httpd-default.conf / / find this entry And remove the comment # Configure mod_proxy_html to understand HTML4/XHTML1Include conf/extra/proxy-html.conf...// omitted.: wq / / Save exit [root@localhost htdocs] # cd / usr/local/httpd/conf/extra/ enter the directory [root@localhost extra] # ls httpd-autoindex.conf httpd-info.conf httpd-mpm.conf Httpd-userdir.confhttpd-dav.conf httpd-languages.conf httpd-multilang-errordoc.conf httpd-vhosts.confhttpd-default.conf httpd-manual.conf httpd-ssl.conf proxy-html.conf [root@localhost extra] # vim httpd-default.conf / / Edit configuration file. / / omit part of the content. # Set to one of: Full | OS | Minor | Minimal | Major | Prod# where Full conveys the most information And Prod the least.#ServerTokens Prod / / find this entry And change Full to Prod## Optionally add a line containing the server version and virtual host# name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin.# Set to one of: On | Off | EMail# ServerSignature Off / / and determine whether it is closed The default is to disable # # HostnameLookups: Log the names of clients or just their IP addresses# e.g., www.apache.org (on) or 204.62.129.132 (off).: wq / / Save exit [root@localhost extra] # systemctl restart httpd.service / / restart the service to test the grab package in the client again See if the version information is still displayed.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.