Apache Web page and security optimization in Linux system

Web cache

Configure cache time for web pages

  • Configure Apache's mod_expires module so that web pages can be cached in the client browser for a period of time, avoiding repeated requests
  • After mod_expires is enabled, Apache automatically generates the Expires and Cache-Control headers in the response, which reduces the frequency and number of client requests, cuts unnecessary traffic and speeds up access

To enable Web Caching

  • Check whether the mod_expires module is installed
  • Modify the configuration file to enable caching
  • Capture packets to test

Check whether the mod_expires module is installed

  • /usr/local/apache/bin/apachectl -t -D DUMP_MODULES
  • If expires_module (static) does not appear in the output, mod_expires was not compiled in

If not, recompile the installation

  • ./configure --enable-expires...
  • make && make install

Modify httpd.conf configuration file

  • Enable the mod_expires module and set the expiration time for every document type served over HTTP to 60 seconds after access
    • <IfModule mod_expires.c>
      ExpiresActive On
      ExpiresDefault "access plus 60 seconds"
      </IfModule>

Restart httpd service

Visit the test website again and capture and analyze the traffic with Fiddler

Configuration example

  • Here I continue with the previous experiment. In that experiment the expires module was already included when the Apache service was compiled and installed manually, so I test it directly here
[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
...//Omit parts
#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so     //Find this module and uncomment it (remove the leading #)
LoadModule headers_module modules/mod_headers.so
#LoadModule unique_id_module modules/mod_unique_id.so
...//Omit parts
<IfModule mod_expires.c>          //Add the following block at the end of the file to configure the expires module
  ExpiresActive On                //Enable the function
  ExpiresDefault "access plus 50 seconds"       //Set the cache time
</IfModule>
:wq                       //Save and exit
[root@localhost ~]# apachectl -t          //Verify the syntax
Syntax OK                   //Syntax is correct
[root@localhost ~]# service httpd stop    //Stop the httpd service
[root@localhost ~]# service httpd start   //Start the httpd service
[root@localhost ~]# /usr/local/httpd/bin/apachectl -t -D DUMP_MODULES | grep "expires"    //Check whether the module is loaded
 expires_module (shared)  //Loaded successfully
[root@localhost ~]# netstat -ntap | grep 80    //Check whether the port is listening
tcp        0      0 192.168.144.133:80      0.0.0.0:*               LISTEN      47752/httpd
  • Visit the web page in the client and use the packet capturing tool to see if the cache module is enabled
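As an added example (not code from the original post), here is a small Python check for the headers a packet capture would show once mod_expires is active; the sample response is constructed to match ExpiresDefault "access plus 50 seconds", and the check reports whether Cache-Control max-age and the Expires/Date difference agree.

```python
"""Check the caching headers that mod_expires adds to a response."""
from email.utils import parsedate_to_datetime
import re

# Constructed sample of what a capture (e.g. in Fiddler) shows after
# ExpiresDefault "access plus 50 seconds" is active. Not taken from the page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 06 Nov 2019 21:31:05 GMT\r\n"
    "Server: Apache\r\n"
    "Cache-Control: max-age=50\r\n"
    "Expires: Wed, 06 Nov 2019 21:31:55 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercase header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_window(raw):
    """Compute the client cache lifetime a response grants, in seconds.

    Returns None when the response carries no caching headers at all
    (what you see with mod_expires off). Otherwise returns both values
    and whether they agree, which is what mod_expires guarantees.
    """
    h = parse_headers(raw)
    max_age = None
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if m:
        max_age = int(m.group(1))
    expires_delta = None
    if "expires" in h and "date" in h:
        delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        expires_delta = int(delta.total_seconds())
    if max_age is None and expires_delta is None:
        return None
    return {"max_age": max_age, "expires_delta": expires_delta,
            "consistent": max_age == expires_delta}

if __name__ == "__main__":
    print(cache_window(SAMPLE_RESPONSE))
```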

Apache security optimization

Configure hotlink protection

  • Hotlink protection prevents other people's websites from embedding the server's images, files, videos and other resources in their own pages
  • If someone hotlinks these static resources, it obviously increases the bandwidth load on the server
  • Therefore, as the website's maintainers, we should prevent the static resources on our server from being used by other websites

Configure Apache to implement hotlink protection

  • Check whether Apache has the mod_rewrite module installed

    • /usr/local/apache/bin/apachectl -t -D DUMP_MODULES
    • If rewrite_module (static) does not appear in the output, the module was not compiled in
  • If not, recompile the installation
    • ./configure --enable-rewrite...
    • make && make install

Configuration rule variable description

  • %{HTTP_REFERER}: the Referer field in the request header, which stores the URL of the page that linked to the requested resource
  • !^: does not start with the following string
  • .*$: ends with any characters
  • NC: case insensitive
  • R: forced redirect

Rule matching description

  • RewriteEngine On: turn on URL rewriting
  • RewriteCond: set the matching conditions
  • RewriteRule: set the redirect action

Rule matching

  • The conditions are evaluated in order: if the value of the variable matches the condition, the next one is checked; as soon as one does not match, the remaining conditions and the rule are skipped

Configuration operation demonstration

  • Modify the configuration file to enable hotlink protection and set the rules:
    • RewriteEngine On
    • RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC]
    • RewriteCond %{HTTP_REFERER} !^http://test.com$ [NC]
    • RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]
    • RewriteCond %{HTTP_REFERER} !^http://www.test.com$ [NC]
    • RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/error.html [R,NC]

Configuration example

  • First install and configure the DNS service, so that the web page is visited by domain name. The mod_rewrite module needed for hotlink protection was already installed when the Apache service was compiled and installed manually, so you can go straight to the main httpd configuration file.
[root@localhost ~]# yum install bind -y
Loaded plugins: fastestmirror, langpacks
base                                                     | 3.6 kB     00:00     
extras                                                   | 2.9 kB     00:00 
...//Omit parts
Installed:
  bind.x86_64 32:9.11.4-9.P2.el7                                                

Installed as a dependency:
  bind-export-libs.x86_64 32:9.11.4-9.P2.el7                                    

Upgraded as a dependency:
  bind-libs.x86_64 32:9.11.4-9.P2.el7                                           
  bind-libs-lite.x86_64 32:9.11.4-9.P2.el7                                      
  bind-license.noarch 32:9.11.4-9.P2.el7                                        
  bind-utils.x86_64 32:9.11.4-9.P2.el7                                          
  dhclient.x86_64 12:4.2.5-77.el7.centos                                        
  dhcp-common.x86_64 12:4.2.5-77.el7.centos                                     
  dhcp-libs.x86_64 12:4.2.5-77.el7.centos                                       

Complete!
[root@localhost ~]# vim /etc/named.conf
...//Omit parts
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
...//Omit parts
:wq
[root@localhost ~]# vim /etc/named.rfc1912.zones
...//Omit parts
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-update { none; };
};
...//Omit parts
:wq
[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost kgc.com.zone
[root@localhost named]# vim kgc.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www IN  A       192.168.144.133
[root@localhost named]# systemctl start named    //Start the DNS service
  • Hotlink protection is not enabled yet. First visit the web page image from the client, then open a Windows 7 client, install an HTTP service there and hotlink the image to see whether hotlinking succeeds
  • Configure the hotlink protection module on the Linux system
[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf    //Edit the main configuration file
...//Omit parts
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so     //Find this entry and open it

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
...//Omit parts
<Directory "/usr/local/httpd/htdocs">           //Add the hotlink protection entries inside this block
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
    RewriteEngine On               //Turn on hotlink protection
    RewriteCond %{HTTP_REFERER} !^http://kgc.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://kgc.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.kgc.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.kgc.com$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://www.kgc.com/error.png [R,NC]
</Directory>
...//Omit parts
:wq
[root@localhost ~]# cd /mnt    //Enter the mount directory
[root@localhost mnt]# ls    //Check that the prepared replacement image is there
apr-1.6.2.tar.gz       cronolog-1.6.2-14.el7.x86_64.rpm  httpd-2.4.29.tar.bz2  mysql-5.6.26.tar.gz
apr-util-1.6.0.tar.gz  Discuz_X2.5_SC_UTF8.zip           LAMP-php5.6.txt       nginx-1.12.0.tar.gz
awstats-7.6.tar.gz     error.png                         miao.jpg              php-5.6.11.tar.bz2
[root@localhost mnt]# cp error.png /usr/local/httpd/htdocs    //Copy the replacement image into the site directory
[root@localhost mnt]# cd /usr/local/httpd/htdocs    //Enter the site directory
[root@localhost htdocs]# ls    //View
error.png  index.html  miao.jpg      //Copied successfully
[root@localhost htdocs]# systemctl start httpd    //Start the httpd service
  • Visit the web page from the client again to check whether hotlink protection is working
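As an added example (not from the original post), the following Python simulates the RewriteCond chain above for a request path and Referer value, so the rule's effect can be checked before touching httpd.conf. It escapes the dots in the host names (the page's patterns leave `.` unescaped, where it is a regex wildcard) and also shows two edge cases a practitioner should know: a request with no Referer at all, and an https Referer, both end up redirected by these rules.

```python
"""Simulate the hotlink-protection RewriteCond/RewriteRule chain."""
import re

# The four allowed-Referer patterns from the page, with dots escaped.
# RewriteCond lines are ANDed: the rule fires only when the Referer
# matches NONE of them (each condition is negated with '!').
ALLOWED_REFERER = [
    r"^http://kgc\.com/.*$",
    r"^http://kgc\.com$",
    r"^http://www\.kgc\.com/.*$",
    r"^http://www\.kgc\.com$",
]
# RewriteRule pattern with the [NC] flag.
PROTECTED = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)
REDIRECT_TARGET = "http://www.kgc.com/error.png"

def hotlink_decision(path, referer):
    """Return the redirect target if the request would be rewritten, else None.

    `referer` is the raw Referer header value; pass '' when the header is
    absent (a direct visit or a privacy-stripped request), which these
    rules treat the same as a foreign site.
    """
    if not PROTECTED.match(path):
        return None                      # not a protected file type
    for pattern in ALLOWED_REFERER:
        if re.match(pattern, referer, re.IGNORECASE):   # [NC]
            return None                  # a negated condition failed; chain stops
    return REDIRECT_TARGET

if __name__ == "__main__":
    # Constructed sample requests, not captures from the page.
    for path, ref in [("/miao.jpg", "http://www.kgc.com/index.html"),
                      ("/miao.jpg", "http://other.example/page.html"),
                      ("/miao.jpg", ""),
                      ("/miao.jpg", "https://www.kgc.com/")]:
        print(path, repr(ref), "->", hotlink_decision(path, ref))
```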

Hide version information

Hiding Apache version information

  • Apache's version information reveals which known vulnerabilities may apply, which is a security risk for the website
  • In a production environment, configure Apache to hide its version information
  • Analyze the result with Fiddler

Configure Apache hidden version information

  • Remove the comment from the following line in the main configuration file httpd.conf

    • #Include conf/extra/httpd-default.conf
  • Two changes in the httpd-default.conf file
  • Change ServerTokens Full to ServerTokens Prod
  • Change ServerSignature On to ServerSignature Off

Restart the httpd service, visit the website and capture packets to test

Configuration example

  • First use the capture tool on the client to see whether the version information is currently displayed
  • Open the httpd configuration file and change the settings
[root@localhost htdocs]# vim /usr/local/httpd/conf/httpd.conf 
...//Omit parts
#Include conf/extra/httpd-dav.conf

# Various default settings
Include conf/extra/httpd-default.conf     //Find this entry and remove comments

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
...//Omit parts
:wq             //Save and exit
[root@localhost htdocs]# cd /usr/local/httpd/conf/extra    //Enter the directory
[root@localhost extra]# ls           
httpd-autoindex.conf  httpd-info.conf       httpd-mpm.conf                 httpd-userdir.conf
httpd-dav.conf        httpd-languages.conf  httpd-multilang-errordoc.conf  httpd-vhosts.conf
httpd-default.conf    httpd-manual.conf     httpd-ssl.conf                 proxy-html.conf
[root@localhost extra]# vim httpd-default.conf    //Edit the configuration file
...//Omit parts
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod          //Find this entry and change Full to Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory 
# listings, mod_status and mod_info output etc., but not CGI generated 
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
# 
ServerSignature Off                   //Also check that this is Off here; it is Off by default

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
:wq              //Save and exit
[root@localhost extra]# systemctl restart httpd.service    //Restart the service
  • Capture packets on the client again to check whether the version information is still displayed
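As an added example (not from the original post), this Python helper classifies what a captured Server header reveals, using the ServerTokens levels listed in httpd-default.conf (Full | OS | Minor | Minimal | Major | Prod), so the before/after capture can be checked mechanically. The sample header values are constructed; a Full header with no module information looks identical to OS, so the two cannot always be told apart from the header alone.

```python
"""Classify a Server response header by the ServerTokens level that produced it."""
import re

# Most revealing first. Each regex describes the header shape that
# ServerTokens level emits, e.g. "Apache/2.4.29 (Unix) PHP/5.6.11" for Full.
LEVELS = [
    ("Full",    r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S+"),   # OS plus module info
    ("OS",      r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$"),
    ("Minimal", r"^Apache/\d+\.\d+\.\d+$"),
    ("Minor",   r"^Apache/\d+\.\d+$"),
    ("Major",   r"^Apache/\d+$"),
    ("Prod",    r"^Apache$"),
]

def server_tokens_level(server_header):
    """Return the ServerTokens level name, or 'unknown' for a non-Apache header."""
    value = server_header.strip()
    for name, pattern in LEVELS:
        if re.match(pattern, value):
            return name
    return "unknown"

def audit_server_header(raw_response):
    """Pull the Server header out of a raw HTTP response and classify it.

    Returns (level, leaks_version). level is 'absent' when no Server
    header is present; anything above Prod exposes version digits.
    """
    for line in raw_response.split("\r\n"):
        if line.lower().startswith("server:"):
            level = server_tokens_level(line.split(":", 1)[1])
            return level, level not in ("Prod", "unknown")
    return "absent", False

if __name__ == "__main__":
    # Constructed before/after captures, not taken from the page.
    before = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Unix)\r\n\r\n"
    after = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
    print(audit_server_header(before), audit_server_header(after))
```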


Posted on Wed, 06 Nov 2019 13:31:05 -0800 by nathus