Technology Sharing

Apache hotlink protection, web page compression, web page caching

2024-07-12


Table of contents

  • Web Compression
    • Types
    • Example
    • Dynamically add module steps
    • Reinstall Apache steps
  • Web Cache
    • Example
    • Steps
  • Hide version information
    • Steps
  • Apache hotlink protection
    • Definition
    • Principle
    • Configuring the anti-hotlink experiment environment
    • Lab environment
    • Local image hotlink example
    • Steps
    • Anti-hotlink example
    • Steps

Web Compression

The access speed of a website is determined by many factors, including the response speed of the application, network bandwidth, server performance, the network transmission speed between client and server, and so on. One of the most important is the response speed of Apache itself. Web page compression is one way to speed up the application, and it costs nothing beyond an extra one or two percentage points of server CPU usage, or less.

Types

  • gzip
    • High compression ratio, higher CPU usage
  • deflate
    • Compression ratio not as high as gzip, but lower CPU usage

Example

Web page compression through the deflate module

If you installed Apache from the source package and still have that package, you can re-run configure, compile and install it. Reinstalling Apache this way will not affect the previous parameters.

Alternatively, if you enabled dynamic module loading (--enable-so) during the last installation, you can use the apxs tool to add dynamic modules without reinstalling.

Dynamically add module steps

Dynamically add the deflate module without reinstalling Apache

cd into the Apache HTTP server source directory that holds the filter module code

Use the apxs tool with these options:

  • -i: Install the module. Installs the compiled module into the Apache server.
  • -c: Compile the module. Compiles the source file (here mod_deflate.c) into a shared object (.so) file.
  • -a: Automatically activate the module. After compiling and installing, the module is enabled immediately, without editing the configuration file by hand.

Finally, pipe the apachectl module dump through grep to check whether the deflate module is loaded.

    [root@localhost filters]# cd /root/httpd-2.4.25/modules/filters/
    [root@localhost filters]# apxs -i -c -a mod_deflate.c
    [root@localhost filters]# apachectl -t -D DUMP_MODULES | grep deflate
     deflate_module (shared)

Enable the mod_deflate module in the httpd configuration file

    [root@localhost filters]# vim /usr/local/httpd/conf/httpd.conf
    (in last-line mode, search: /deflate)
    # Remove the leading comment marker from this line
    LoadModule deflate_module modules/mod_deflate.so
    <IfModule mod_deflate.c>
        # Apply DEFLATE to the listed content types (text, stylesheets, images).
        # httpd.conf does not accept a comment after a directive on the same
        # line, so every comment here is on a line of its own.
        # Note: text/jpg, text/png and text/gif are not registered MIME types
        # (images are image/jpeg, image/png, image/gif), and image data is
        # already compressed, so those three entries never match anything
        # useful; the configuration in the next section excludes images instead.
        AddOutputFilterByType DEFLATE text/html text/css text/jpg text/png text/gif
        # Compression level 9 is the highest: best ratio, most CPU
        DeflateCompressionLevel 9
        # Make DEFLATE the default output filter so response bodies are compressed
        SetOutputFilter DEFLATE
    </IfModule>

Reinstall Apache steps

Add the deflate module by directly reinstalling Apache

First, run apachectl -t -D DUMP_MODULES | grep deflate to check whether the current Apache has a deflate module.

If httpd is running, stop it with systemctl stop httpd.

Enter the unpacked source directory, specify the installation directory with --prefix and enable the required features; --enable-deflate builds the module used for web compression.

After ./configure finishes, compile and install with make && make install.

    [root@localhost httpd-2.4.25]# ./configure --prefix=/usr/local/httpd --enable-so --enable-rewrite --enable-charset-lite --enable-cgi --enable-deflate
    [root@localhost httpd-2.4.25]# make && make install

Use the ll command to check that the deflate module was built: the mod_deflate.so file now exists.

    [root@localhost httpd-2.4.25]# ll /usr/local/httpd/modules/mod_deflate.so
    -rwxr-xr-x 1 root root 53096 7月 10 20:43 /usr/local/httpd/modules/mod_deflate.so

But apachectl -t -D DUMP_MODULES | grep deflate still finds nothing, because the module is not enabled in the Apache configuration file.

Edit the main httpd configuration file. Around line 143 there are many LoadModule statements; add the new module-loading statement below them.

The second argument of the LoadModule statement can be an absolute or a relative path. Because the installation prefix was set with the ./configure script, a path in the Apache configuration file may omit the prefix; it is resolved relative to it.

The IfModule container applies configuration conditionally: it checks whether the named module is loaded in the current Apache environment, and the directives wrapped inside it take effect only when the module is loaded.

    [root@localhost httpd-2.4.25]# vim /usr/local/httpd/conf/httpd.conf
    LoadModule deflate_module modules/mod_deflate.so
    # The directives below run only when the mod_deflate module is loaded.
    # httpd.conf does not accept a comment after a directive on the same line,
    # so all comments are kept on lines of their own.
    <IfModule mod_deflate.c>
        # Compression level: the higher the number, the higher the compression ratio
        DeflateCompressionLevel 6
        # Enable the deflate output filter
        SetOutputFilter DEFLATE
        # Tell the server which content to compress; data that is already
        # compressed is not compressed again
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/json
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
        AddOutputFilterByType DEFLATE text/*
        AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
        AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    </IfModule>

Save and exit. Run httpd -t to check the configuration file for syntax errors; if it prints Syntax OK, there are none.

Because httpd must reload the modified configuration file for the new settings to take effect, restart the service.

Now open the web server in a browser, press F12 to open the developer tools, select the request to the web server's IP address, and the response header shows Content-Encoding: gzip, i.e. the compression in use is gzip.
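To make the behaviour of the configuration above concrete, here is an added Python model of the decisions mod_deflate makes with it (this is illustration code written for this page, not code from the tutorial or from Apache): which content types are compressed, which URI suffixes are exempted as already compressed, that a client must advertise gzip in Accept-Encoding, and which headers (Content-Encoding, Vary) the browser ends up seeing. The regexes mirror the AddOutputFilterByType and SetEnvIfNoCase lines above; the sample page body is constructed.

```python
import gzip
import re

# Content types the AddOutputFilterByType lines hand to the DEFLATE filter
# (text/*, the listed application/* families, PHP output). Mirrors the
# tutorial's httpd.conf fragment; not read from a real configuration.
COMPRESSIBLE_TYPES = re.compile(
    r"^(?:text/.*|application/(?:ms.*|vnd.*|postscript|javascript|x-javascript|"
    r"json|x-httpd-php|x-httpd-fastphp))$"
)
# URI suffixes the SetEnvIfNoCase lines tag no-gzip dont-vary: already compressed.
NO_GZIP_URI = re.compile(
    r"\.(?:gif|jpe?g|png|exe|t?gz|zip|bz2|sit|rar|pdf|mov|avi|mp3|mp4|rm)$",
    re.IGNORECASE,
)
COMPRESSION_LEVEL = 6  # DeflateCompressionLevel 6


def client_accepts_gzip(accept_encoding):
    """True if the request's Accept-Encoding lists gzip (q-values ignored here)."""
    tokens = [t.strip().split(";")[0].lower() for t in accept_encoding.split(",")]
    return "gzip" in tokens


def should_compress(uri, content_type, accept_encoding):
    """Replicate the yes/no decision the tutorial's mod_deflate config makes."""
    if not client_accepts_gzip(accept_encoding):
        return False
    if NO_GZIP_URI.search(uri):  # no-gzip: already-compressed formats
        return False
    bare_type = content_type.split(";")[0].strip().lower()
    return COMPRESSIBLE_TYPES.match(bare_type) is not None


def build_response(uri, content_type, body, accept_encoding="gzip, deflate"):
    """Return (headers, body) as the server would send them."""
    headers = {"Content-Type": content_type}
    if not NO_GZIP_URI.search(uri):
        # mod_deflate adds Vary: Accept-Encoding unless dont-vary is set
        headers["Vary"] = "Accept-Encoding"
    if should_compress(uri, content_type, accept_encoding):
        body = gzip.compress(body, compresslevel=COMPRESSION_LEVEL)
        headers["Content-Encoding"] = "gzip"  # this is what F12 shows
    headers["Content-Length"] = str(len(body))
    return headers, body


def decode_body(headers, body):
    """Undo the content encoding, as the browser does before rendering."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


if __name__ == "__main__":
    # Constructed sample page: repetitive HTML compresses very well
    page = b"<html><body>" + b"<p>hello, compression</p>" * 200 + b"</body></html>"
    hdrs, out = build_response("/index.html", "text/html", page)
    print(hdrs, f"{len(page)} -> {len(out)} bytes")
    hdrs, out = build_response("/logo.jpg", "image/jpeg", b"\xff\xd8\xff" + bytes(range(256)))
    print(hdrs, "(image left untouched)")
```

Running it shows the text page shrinking by more than an order of magnitude while the JPEG is passed through unchanged and without a Vary header, which is exactly why the exclusion lines for already-compressed formats are worth keeping: recompressing them costs CPU on every request and saves no bandwidth.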

End of the experiment


Web Cache

Web page caching stores pages that rarely change, so that the next time the browser visits them it does not need to download them again, which improves the user's access speed. Apache's mod_expires module automatically adds the Expires and Cache-Control headers to the response. On the next visit the client browser uses these headers to decide whether to take the page from its local cache instead of sending a request to the server again, which reduces the frequency and number of client requests, cuts unnecessary traffic and increases access speed.

Example

Implementing web page caching

Steps

Open the main httpd configuration file, enable the expires module and add its settings, then restart the service

    [root@localhost httpd-2.4.25]# vim /usr/local/httpd/conf/httpd.conf
    (in last-line mode, search: /expires_module, and remove the leading
     comment marker to enable the expires module)
    LoadModule expires_module modules/mod_expires.so
    <IfModule mod_expires.c>
        # Turn the caching headers on
        ExpiresActive On
        # Cache lifetime: 60 seconds after the time of access
        ExpiresDefault "access plus 60 seconds"
    </IfModule>
    (check the syntax, then restart the service)
    [root@localhost httpd-2.4.25]# httpd -t
    Syntax OK
    [root@localhost httpd-2.4.25]# systemctl restart httpd

After restarting the service, open the Web server in the browser again: the response header now contains two extra lines, Expires and Cache-Control.
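The two header lines are derived from the ExpiresDefault value by simple arithmetic. As an added example (not part of the tutorial, and not Apache's code), the Python below parses the "access plus 60 seconds" grammar of ExpiresDefault/ExpiresByType, including multi-term values such as "access plus 1 month 15 days", and produces the Expires and Cache-Control: max-age headers a response served at a given time would carry. The unit sizes (month = 30 days, year = 365 days) follow the mod_expires documentation; clamping max-age at zero for a modification-based date that has already passed is this example's own choice.

```python
import re
from datetime import datetime, timezone
from email.utils import format_datetime

# Time units accepted by mod_expires' alternate syntax, in seconds.
UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 604800, "month": 2592000, "year": 31536000,
}
# <base> [plus] <num> <type> [<num> <type> ...]; "plus" is optional.
_SPEC = re.compile(r"^(access|now|modification)(?:\s+plus)?((?:\s+\d+\s+[a-z]+)+)\s*$", re.I)
_TERM = re.compile(r"(\d+)\s+([a-z]+)", re.I)


def parse_expires_spec(spec):
    """Parse a value like 'access plus 60 seconds' into (base, total_seconds)."""
    m = _SPEC.match(spec.strip().strip('"'))
    if not m:
        raise ValueError(f"not an ExpiresDefault/ExpiresByType value: {spec!r}")
    base = m.group(1).lower()
    total = 0
    for num, unit in _TERM.findall(m.group(2)):
        unit = unit.lower().rstrip("s")  # accept both "second" and "seconds"
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit {unit!r}")
        total += int(num) * UNIT_SECONDS[unit]
    # "now" is documented as an alias of "access"
    return ("access" if base == "now" else base), total


def http_date(ts):
    """Format a Unix timestamp as an HTTP-date (RFC 1123, GMT)."""
    return format_datetime(datetime.fromtimestamp(ts, tz=timezone.utc), usegmt=True)


def expires_headers(spec, access_ts, mtime_ts=None):
    """Headers mod_expires adds to a response served at access_ts (Unix seconds).

    mtime_ts is the file's modification time, needed for the "modification" base.
    """
    base, secs = parse_expires_spec(spec)
    if base == "modification":
        if mtime_ts is None:
            raise ValueError("the modification base needs the file's mtime")
        expires_ts = mtime_ts + secs
    else:
        expires_ts = access_ts + secs
    # max-age is the remaining lifetime counted from this response; clamped at
    # zero here (this example's assumption) so a stale file never goes negative
    max_age = max(0, expires_ts - access_ts)
    return {"Expires": http_date(expires_ts), "Cache-Control": f"max-age={max_age}"}


if __name__ == "__main__":
    served_at = 1720785600  # constructed: 2024-07-12 12:00:00 UTC
    print(expires_headers("access plus 60 seconds", served_at))
    print(expires_headers("modification plus 1 hour", served_at, mtime_ts=served_at - 7200))
```

Note the security-relevant edge: a long ExpiresDefault applies to every response type that has no more specific ExpiresByType, so a 60-second default is a safe starting point; long lifetimes belong on immutable static assets, not on HTML that may need to change after an incident.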


Hide version information

Software vulnerability information is tied to specific versions, so the version number is very useful to an attacker. In the browser's developer tools, the Server field of the response header shows the Apache version information.

If an attacker learns the Apache version, they can carry out targeted attacks and damage the website. In a production environment the Apache version number should therefore be hidden to reduce the risk.

Steps

    [root@localhost httpd-2.4.25]# vim /usr/local/httpd/conf/httpd.conf
    (in last-line mode, search: /httpd-default)
    (remove the comment marker in front of the Include line; Include pulls the
     named file's contents into this file at the position of the Include
     statement, as if they were copied and pasted there)
    # Various default settings
    Include conf/extra/httpd-default.conf

Save and exit, then open the httpd-default.conf file

    [root@localhost httpd-2.4.25]# vim /usr/local/httpd/conf/extra/httpd-default.conf
    (line 55 is where version disclosure is set; change it to Prod)
    ServerTokens Prod

The available options are listed in the comment beside it: Set to one of: Full | OS | Minor | Minimal | Major | Prod

Option and description:

  • ServerTokens Full: returns the most detailed server information, including the operating system type and the list of compiled-in modules. For example: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11
  • ServerTokens OS: returns only the operating system type. For example: Apache/2.4.41 (Unix)
  • ServerTokens Minor: returns the major and minor version numbers. For example: Apache/2.4
  • ServerTokens Minimal: returns the major version number. For example: Apache/2
  • ServerTokens Major: returns only the major version number. For example: Apache/2
  • ServerTokens Prod: returns minimal information, showing only Apache and omitting the version number. For example: Apache

Save and exit, restart the service, and access the Web server again.

The Server field now shows just Apache, with no version information.
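A quick way to confirm the change from the defender's side, without clicking through the browser, is to read the Server header out of a raw response and check what it still reveals. The following Python is an added example for this page (not the tutorial's code): it extracts the Server header from a captured response and reports the product, how many version components, the OS comment and any add-on module tokens are disclosed, so a one-line check can assert that nothing beyond the product name leaks. The sample responses are constructed from the examples in the table above.

```python
import re

# One Server-header token: "Product" or "Product/version".
SERVER_TOKEN = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>[\w.]+))?$")


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def analyse_server_header(value):
    """Describe what a Server header discloses: product, version detail, OS, add-ons."""
    result = {"product": None, "version": None, "version_parts": 0, "os": None, "extras": []}
    if not value:
        return result
    # A parenthesised comment such as "(Unix)" carries the OS type
    os_match = re.search(r"\(([^)]*)\)", value)
    if os_match:
        result["os"] = os_match.group(1)
    tokens = re.sub(r"\([^)]*\)", " ", value).split()
    for i, tok in enumerate(tokens):
        m = SERVER_TOKEN.match(tok)
        if not m:
            continue
        if i == 0:
            result["product"] = m.group("product")
            result["version"] = m.group("version")
            if m.group("version"):
                result["version_parts"] = len(m.group("version").split("."))
        else:
            result["extras"].append(tok)  # e.g. OpenSSL/1.1.1d, PHP/7.3.11
    return result


def discloses_version(value):
    """True when the Server header reveals any version component, OS or add-on module."""
    info = analyse_server_header(value)
    return bool(info["version"] or info["os"] or info["extras"])


if __name__ == "__main__":
    # Constructed sample responses, one per ServerTokens level from the table
    for sample in ("Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11", "Apache/2.4.41 (Unix)",
                   "Apache/2.4", "Apache/2", "Apache"):
        raw = f"HTTP/1.1 200 OK\r\nServer: {sample}\r\nContent-Type: text/html\r\n\r\n<html>"
        print(f"{sample:50} discloses version: {discloses_version(server_header(raw))}")
```

Only the Prod setting makes discloses_version return False. This is a configuration hygiene check, not a guarantee: a product can still be fingerprinted by other behaviour, so hiding the version reduces easy targeting rather than replacing patching.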


Apache hotlink protection

Apache hotlink protection is a measure that prevents other websites or unauthorized third parties from linking directly to images, videos, audio or other resources on your website.

When another site embeds resources directly from your site, it consumes your bandwidth and server resources, possibly without your permission.

Definition

  • Hotlink protection means using server configuration to stop external websites or unauthorized third parties from using your resource links directly. If someone embeds your resource links in their own pages, their visitors see a resource that fails to load, or alternative content is shown instead.

Principle

  • HTTP Referer check: the server inspects the Referer header of the HTTP request to determine where the request for the resource came from. If the Referer is not from a source you allow (such as your own website), the server can refuse to serve the resource or return alternative content.
  • Rewrite rules: Apache's rewrite rules are used to check the Referer header and then, according to the configured conditions, either serve the resource or reject the request.

Configuring the anti-hotlink experiment environment

    Host name | Domain name | IP address     | Operating system | Main software and versions
    apache1   | www.e1.com  | 192.168.10.101 | CentOS 7.9       | httpd-2.4.25.tar.gz
    apache2   | www.e2.com  | 192.168.10.201 | CentOS 7.9       | httpd-2.4.25.tar.gz or yum installation
    Client    |             |                | Windows 10       | Browser

Lab environment

Clone the first server, or install httpd directly with yum -y install httpd, and change the IP address to 192.168.10.102

Change the hostnames of the two servers

    On the 101 host:
    [root@localhost ~]# hostname apache1
    [root@localhost ~]# bash
    [root@apache1 ~]#
    On the 201 host:
    [root@localhost ~]# hostname apache2
    [root@localhost ~]# bash
    [root@apache2 ~]#

Modify the hosts files of the two Web servers so that they can resolve the corresponding domain names

Repeat the same steps on the 201 host

    [root@apache1 ~]# vim /etc/hosts
    (append at the end of the hosts file)
    192.168.10.101 www.e1.com
    192.168.10.201 www.e2.com

On the Win10 client host, the hosts file is under C:\Windows\System32\drivers\etc; double-click it, open it with Notepad and add the same two lines.

Disable the firewall and the kernel security mechanism (SELinux) on both Web servers, start the httpd service, and try to access the two Web servers from the client host.

    On both Web servers:
    [root@apache1 ~]# systemctl start httpd
    [root@apache1 ~]# setenforce 0

Local image hotlink example

The 101 host is my site; I want to use the pictures on the 201 host's web server without hosting them.

That is, www.e1.com hotlinks the image of www.e2.com

Steps

On the 201 host

Enter the directory where httpd stores the web page files, drag in a picture, and edit the index.html file.

    [root@apache2 ~]# cd /usr/local/httpd/htdocs/
    (drag an image from the host machine into this directory)
    [root@apache2 htdocs]# vim index.html
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Title</title>
    </head>
    <body>
    <h1>Original image site</h1>
    <!-- If the image file is in the same directory as the page, no path is needed -->
    <img src="logo.jpg" />
    </body>
    </html>

Save and exit. You can now visit www.e2.com in a browser on the host machine and see the picture on the page.

To hotlink a picture from another website you need its link: right-click the picture in the browser and choose Copy Image Link.

On the 101 host

Add a link to the image on the home page of the 101 Web server

    [root@apache1 ~]# cd /var/www/html   # web root of an httpd installed with yum
    [root@apache1 html]# vim index.html
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Title</title>
    </head>
    <body>
    <h1>Hotlinking site</h1>
    <img src="http://www.e2.com/logo.jpg" />
    </body>
    </html>

Save and exit, go to the Win10 client host and visit both websites, www.e1.com and www.e2.com

Open the developer tools with F12. For www.e2.com, the request URL and the image link are both www.e2.com's own.

For www.e1.com, the request URL is www.e1.com, but the image request goes to the www.e2.com host's IP address plus the image path

At this point a simple local image hotlink has been set up

Anti-hotlink example

If another host hotlinks an image of the 201 host, only a fixed placeholder image is displayed instead of the image the other party wanted.

Steps

For the anti-hotlink experiment, import another image (error.jpg) into the htdocs directory of the 201 host (www.e2.com), which serves the original image

Then edit the httpd configuration file and enable the rewrite module (address rewriting). The purpose of rewriting is that when someone requests my logo.jpg, the request is redirected to error.jpg.

With address rewriting the server can inspect each request and decide: if the Referer begins with www.e2.com, access is allowed; if it does not, access to the image is refused.

    [root@apache2 htdocs]# vim /usr/local/httpd/conf/httpd.conf
    (in last-line mode, search: /rewrite)
    # Remove the leading comment marker to enable the rewrite module
    LoadModule rewrite_module modules/mod_rewrite.so
    (search: /htdocs, then scroll down inside the <Directory "/usr/local/httpd/htdocs"> block)
    (find the AllowOverride line and replace it with the following)
    AllowOverride None
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://e2\.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://e2\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.e2\.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.e2\.com/.*$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://www.e2.com/error.png

Parameters and their meaning:

  • AllowOverride: controls whether .htaccess files may override the server configuration in this directory.
    • All: allows all directive types, including RewriteEngine and the other rewrite rules, to be overridden by rules in .htaccess files.
    • None: disables the use of .htaccess files in this directory.
  • RewriteEngine On: enables the rewrite engine; this is the first step before any rewrite rule takes effect.
  • RewriteCond: defines a rewrite condition.
    • %{HTTP_REFERER}: a built-in Apache variable holding the Referer header of the request, i.e. the URL of the page from which the resource was requested. The condition matches against this value.
    • !^http://www\.e2\.com/.*$: a negated match. The condition holds when the Referer does not consist of http://www.e2.com/ followed by any number of characters (.* matches any number of characters), that is, when the request did not come from a page under that URL.
    • [NC]: the match is not case sensitive.
  • RewriteRule: defines the rewrite rule.
    • .*\.(gif|jpg|swf)$ http://www.e2.com/error.png: when all the preceding conditions hold and the requested URL ends in .gif, .jpg or .swf, the request is redirected to http://www.e2.com/error.png.
    • .*: any number of any characters.
    • \.: a literal dot, escaped with a backslash.

Save and exit, then restart the service.

Finally, test from the Win10 client. To make sure the browser does not show a previously cached copy of the image, clear the browser cache with Ctrl + Shift + Delete first.

Then visit www.e2.com: everything is normal

Visit www.e1.com: the hotlinked image has been replaced by the redirected error.png image
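To see exactly which requests the four RewriteCond lines and the RewriteRule let through, here is an added Python model of the decision (written for this page; it is not the tutorial's code and not mod_rewrite itself). The allowed-Referer patterns and the protected-file pattern are the corrected regexes from the configuration above, with [NC] represented by re.IGNORECASE; applying the RewriteRule pattern to the request path directly stands in for Apache's per-directory matching, and the allow_empty_referer switch is an addition that is not in the tutorial. The sample requests are constructed to cover the cases the text walks through plus two edge cases it does not mention.

```python
import re

# Allowed Referer forms from the RewriteCond lines; [NC] -> re.IGNORECASE.
ALLOWED_REFERERS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"^http://e2\.com$",
        r"^http://e2\.com/.*$",
        r"^http://www\.e2\.com$",
        r"^http://www\.e2\.com/.*$",
    )
]
# The RewriteRule pattern and its substitution target.
PROTECTED_FILE = re.compile(r".*\.(gif|jpg|swf)$")
ERROR_IMAGE = "http://www.e2.com/error.png"


def rewrite(request_path, referer, allow_empty_referer=False):
    """Return the redirect target the tutorial's rules produce, or None to serve the file.

    request_path is the path part of the request URL; the RewriteRule is applied
    to it directly (an assumption standing in for per-directory matching).
    allow_empty_referer is an extra switch that is not in the tutorial.
    """
    # A RewriteRule fires only when every preceding RewriteCond holds. Each
    # condition is negated (!), so together they mean "the Referer matches
    # none of the allowed forms".
    if any(p.match(referer) for p in ALLOWED_REFERERS):
        return None
    if allow_empty_referer and referer == "":
        return None  # direct visits and privacy-stripped browsers send no Referer
    if PROTECTED_FILE.match(request_path):
        return ERROR_IMAGE
    return None


# Constructed sample requests: (request path, Referer header as received).
SAMPLE_REQUESTS = [
    ("/logo.jpg", "http://www.e2.com/index.html"),    # own page: served
    ("/logo.jpg", "http://www.e1.com/index.html"),    # hotlinked by e1: redirected
    ("/logo.jpg", "HTTP://WWW.E2.COM/"),              # case differs: [NC] still allows
    ("/logo.jpg", ""),                                # no Referer at all: also redirected
    ("/error.png", "http://www.e1.com/index.html"),   # .png not in the rule: served, no loop
    ("/index.html", "http://www.e1.com/index.html"),  # not an image: served
]


def run_samples():
    """Evaluate every sample request; returns (path, referer, redirect-or-None) triples."""
    return [(path, ref, rewrite(path, ref)) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ref, target in run_samples():
        print(f"{path:12} Referer={ref!r:36} -> {target or 'serve'}")
```

Two points the walk-through shows. First, the placeholder is error.png while the rule only matches .gif, .jpg and .swf, so the redirected request for error.png is not itself rewritten; had the placeholder been a .jpg, the external Referer on the follow-up request would have sent the browser round in a loop. Second, a request with no Referer at all also fails every condition and is redirected, so a visitor who opens the image URL directly, or whose browser strips Referer for privacy, also sees error.png; adding `RewriteCond %{HTTP_REFERER} !^$` ahead of the others exempts those requests, at the cost of letting through any client that simply omits the header. Since the Referer is supplied by the client, this mechanism deters casual embedding and saves bandwidth; it is not an access control.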