
Apache Optimization: Hotlink Protection and Hiding the Version

程序员文章站 2022-06-26 12:54:28


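Preface

On production networks, some site owners who have no images of their own simply use someone else's: they set up a hotlink, and their page now shows the image. When visitors load that page, however, the requests go to the server the hotlink points to, so that server's load steadily grows and the company running it is affected. Hotlink protection came about to stop this. Likewise, if a server does not hide its version information, an attacker can learn which Apache version is running and which vulnerabilities it has, then attack the site and cause incalculable losses. From a security standpoint, then, the Apache version should be hidden when the Apache server is set up.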

Apache hotlink protection

Lab environment

Two CentOS 7 virtual machines

One Windows 10 virtual machine

Lab steps

1. Install the BIND DNS service and configure it

[aaa@qq.com ~]# yum -y install bind
[aaa@qq.com ~]# vim /etc/named.conf
        listen-on port 53 { any; };
		allow-query     { any; };
[aaa@qq.com ~]# vim /etc/named.rfc1912.zones
zone "hello.com" IN {
        type master;
        file "hello.com.zone";
        allow-update { none; };
};
[aaa@qq.com ~]# cd /var/named/
[aaa@qq.com named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[aaa@qq.com named]# cp -p named.localhost hello.com.zone
[aaa@qq.com named]# vim hello.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www IN  A       192.168.73.167

2. Restart the DNS service and turn off the firewall

[aaa@qq.com named]# systemctl restart named
[aaa@qq.com named]# systemctl stop firewalld
[aaa@qq.com named]# setenforce 0

3. Build Apache from source

[aaa@qq.com named]# cd
[aaa@qq.com ~]# ls
anaconda-ks.cfg   apr-util-1.6.0.tar.gz  initial-setup-ks.cfg  模板  图片  下载  桌面
apr-1.6.2.tar.gz  httpd-2.4.29.tar.bz2   公共                  视频  文档  音乐
[aaa@qq.com ~]# tar -zxvf apr-1.6.2.tar.gz -C /opt/
[aaa@qq.com ~]# tar -zxvf apr-util-1.6.0.tar.gz -C /opt/
[aaa@qq.com ~]# tar -jxvf httpd-2.4.29.tar.bz2 -C /opt/
[aaa@qq.com ~]# cd /opt
[aaa@qq.com opt]# ls
apr-1.6.2  apr-util-1.6.0  httpd-2.4.29  rh
[aaa@qq.com opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[aaa@qq.com opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
[aaa@qq.com opt]# cd httpd-2.4.29/
[aaa@qq.com httpd-2.4.29]# ls
ABOUT_APACHE     BuildBin.dsp    emacs-style     LAYOUT        NOTICE            srclib
acinclude.m4     buildconf       httpd.dep       libhttpd.dep  NWGNUmakefile     support
Apache-apr2.dsw  CHANGES         httpd.dsp       libhttpd.dsp  os                test
Apache.dsw       CMakeLists.txt  httpd.mak       libhttpd.mak  README            VERSIONING
apache_probes.d  config.layout   httpd.spec      LICENSE       README.cmake
ap.d             configure       include         Makefile.in   README.platforms
build            configure.in    INSTALL         Makefile.win  ROADMAP
BuildAll.dsp     docs            InstallBin.dsp  modules       server
[aaa@qq.com httpd-2.4.29]# yum -y install gcc gcc-c++ pcre make pcre-devel zlib-devel expat-devel
[aaa@qq.com httpd-2.4.29]# ./configure \
> --prefix=/usr/local/httpd \
> --enable-deflate \
> --enable-so \
> --enable-rewrite \
> --enable-charset-lite \
> --enable-cgi
[aaa@qq.com httpd-2.4.29]# make && make install

4. Edit the main configuration file and create a symlink for convenience

[aaa@qq.com httpd-2.4.29]# vim /usr/local/httpd/conf/httpd.conf
ServerName www.hello.com:80
Listen 192.168.73.167:80
#Listen 80
[aaa@qq.com httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf
[aaa@qq.com httpd-2.4.29]# cd /usr/local/httpd/bin/
[aaa@qq.com bin]# pwd
/usr/local/httpd/bin
[aaa@qq.com bin]# cd ..
[aaa@qq.com httpd]# ls
bin  build  cgi-bin  conf  error  htdocs  icons  include  lib  logs  man  manual  modules
[aaa@qq.com httpd]# cd htdocs/
[aaa@qq.com htdocs]# ls
E2A44F9213403D04017939019ADDED89.gif  index.html
[aaa@qq.com htdocs]# vim index.html
<html><body><h1>It works!</h1>
<img src="E2A44F9213403D04017939019ADDED89.gif" /></body></html>
[aaa@qq.com htdocs]# cd /usr/local/httpd/bin
[aaa@qq.com bin]# ./apachectl start
[aaa@qq.com bin]# netstat -ntap | grep 80
tcp        0      0 192.168.73.167:80       0.0.0.0:*               LISTEN      69230/httpd

5. On the Windows 10 machine, change the DNS settings and browse to the server


ipconfig /release
ipconfig /renew
ipconfig /all


6. On the other virtual machine, install httpd and configure it

[aaa@qq.com ~]# yum -y install httpd
[aaa@qq.com ~]# vim /etc/httpd/conf/httpd.conf
ServerName www.world.com:80
Listen 192.168.73.147:80
#Listen 80
[aaa@qq.com ~]# vim /var/www/html/index.html
<html>
<body>
   this is test web <br />
   <img src="http://192.168.73.167/E2A44F9213403D04017939019ADDED89.gif" />
</body>
</html>
[aaa@qq.com ~]# systemctl start httpd

7. Test from the Windows 10 host


8. Next, enable Apache's hotlink protection

[aaa@qq.com htdocs]# cd ..
[aaa@qq.com httpd]# ls
bin  build  cgi-bin  conf  error  htdocs  icons  include  lib  logs  man  manual  modules
[aaa@qq.com httpd]# cd conf
[aaa@qq.com conf]# ls
extra  httpd.conf  magic  mime.types  original
[aaa@qq.com conf]# vim httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
<Directory "/usr/local/httpd/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
    RewriteEngine On
    # Redirect image requests unless the Referer is one of this site's own pages
    RewriteCond %{HTTP_REFERER} !^http://hello\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://hello\.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.hello\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.hello\.com/$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://www.hello.com/error.png
</Directory>
[aaa@qq.com conf]# cd 
[aaa@qq.com ~]# cd /usr/local/httpd/bin/
[aaa@qq.com bin]# ./apachectl stop
[aaa@qq.com bin]# ./apachectl start

9. Check the hotlink protection from the Windows 10 host

Clear the cached data


Restart the server after clearing the browsing data
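
To see which requests the step 8 rules let through, the following added example (not part of the original post) replays the RewriteCond/RewriteRule logic in Python over constructed requests. The patterns are those from step 8 with the dots escaped; `evaluate` and the sample Referer values are assumptions made for illustration.

```python
import re

# Referer patterns from step 8 (dots escaped so they match literally).
OWN_SITE = [
    r"^http://hello\.com/.*$",
    r"^http://hello\.com$",
    r"^http://www\.hello\.com/.*$",
    r"^http://www\.hello\.com/$",
]
PROTECTED = r".*\.(gif|jpg|swf)$"   # RewriteRule pattern; no [NC], so case-sensitive
ERROR_IMAGE = "http://www.hello.com/error.png"


def evaluate(path, referer=""):
    """Return the redirect target, or None when the file is served unchanged.

    Hypothetical helper that mirrors mod_rewrite's order of evaluation: the
    RewriteRule pattern is tested first, then all RewriteCond lines must hold.
    """
    relative = path.lstrip("/")      # per-directory rules see the path without "/"
    if not re.search(PROTECTED, relative):
        return None
    # Every condition is "!pattern [NC]": true when the Referer does NOT match.
    # A missing Referer expands to "", which matches none of the patterns.
    if all(not re.search(p, referer, re.IGNORECASE) for p in OWN_SITE):
        return ERROR_IMAGE
    return None


GIF = "/E2A44F9213403D04017939019ADDED89.gif"
# Constructed requests: (path, Referer header sent by the browser)
SAMPLES = [
    (GIF, "http://www.hello.com/"),             # the site's own page
    (GIF, "http://192.168.73.147/"),            # the hotlinking page from step 6
    (GIF, "http://192.168.73.167/"),            # own page, but reached by IP
    (GIF, ""),                                  # no Referer header sent
    ("/error.png", "http://192.168.73.147/"),   # the replacement image itself
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        print(f"{path:40} {referer!r:28} -> {evaluate(path, referer) or 'served'}")
```

A request with no Referer, and the site's own page when it is reached by IP address instead of www.hello.com, are both redirected to the error image. error.png itself is served because the rule does not cover .png, which is why the replacement image must not be one of the blocked types.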


Hiding the Apache version

Lab steps

1. Open the packet-capture tool on Windows 10 and start capturing


2. Edit Apache's main configuration file and restart the Apache service

[aaa@qq.com htdocs]# vim /usr/local/httpd/conf/httpd.conf
Include conf/extra/httpd-default.conf
[aaa@qq.com htdocs]# cd ..
[aaa@qq.com httpd]# ls
bin  build  cgi-bin  conf  error  htdocs  icons  include  lib  logs  man  manual  modules
[aaa@qq.com httpd]# cd conf/
[aaa@qq.com conf]# ls
extra  httpd.conf  magic  mime.types  original
[aaa@qq.com conf]# cd extra/
[aaa@qq.com extra]# ls
httpd-autoindex.conf  httpd-info.conf       httpd-mpm.conf                 httpd-userdir.conf
httpd-dav.conf        httpd-languages.conf  httpd-multilang-errordoc.conf  httpd-vhosts.conf
httpd-default.conf    httpd-manual.conf     httpd-ssl.conf                 proxy-html.conf
[aaa@qq.com extra]# vim httpd-default.conf
ServerTokens Prod
ServerSignature Off
[aaa@qq.com extra]# /usr/local/httpd/bin/apachectl stop
[aaa@qq.com extra]# /usr/local/httpd/bin/apachectl start

3. Clear the browsing data in the Windows 10 browser
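
One way to check the result of step 2 from a capture, as an added example that is not part of the original post: the function below scans a raw HTTP response for a versioned Server header and for the signature footer that `ServerSignature` controls. Both captures are constructed for illustration (the first as a response would look with `ServerTokens Full` and `ServerSignature On`), and `version_leaks` is a hypothetical helper name.

```python
import re

# Constructed captures of a 404 reply, not real traffic.
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.29 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.4.29 (Unix) Server at www.hello.com Port 80</address>\n"
    "</body></html>"
)
AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

# A product/version token such as "Apache/2.4.29".
VERSION_TOKEN = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)*")


def version_leaks(raw_response):
    """Return a list of places where the response discloses server details."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server" and VERSION_TOKEN.search(value):
            findings.append(f"Server header: {value.strip()}")
    # ServerSignature On/EMail appends an <address> footer to generated pages.
    footer = re.search(r"<address>(.*?)</address>", body, re.I | re.S)
    if footer:
        findings.append(f"signature footer: {footer.group(1).strip()}")
    return findings


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, version_leaks(capture) or "no version disclosed")
```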


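Lab summary

When setting up hotlink protection, make sure the image shown in place of the hotlinked one is not itself one of the blocked images; otherwise the image will never display. And when hiding the version, be sure to hide the version of your own Apache.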
