X64 Server LNMP Server Deployment Standard (new)
X64 Server L.N.M.P Environment Deployment Standard

I. System conventions

Source package location: /usr/local/src
Compile/install location (prefix): /usr/local/software_name
Scripts and maintenance programs: /usr/local/sbin
MySQL database location: /data/mysql (adjust as needed)
Nginx web root: /data/www/wwwroot (adjust as needed)
Nginx virtual host log root: /data/logs (adjust as needed)
Nginx run account: www:www

II. System environment deployment and tuning

1. Check that the system is healthy
  # more /var/log/messages   (check for system-level error messages)
  # dmesg                    (check for hardware device errors)
  # ifconfig                 (check that the network interface is configured correctly)
  # ping www.163.com         (check that the network is reachable)

2. Disable unneeded services
  # ntsysv
  Only the services that need to start are listed below; every service not listed should be disabled:
  atd crond irqbalance microcode_ctl network sendmail sshd syslog

3. Reboot the system
  # init 6

4. Configure vim
  # vi /root/.bashrc
  Below the line alias mv='mv -i' add one line: alias vi=vim, then save and exit.
  # echo "syntax on" > /root/.vimrc
  # source /root/.bashrc

5. Update the system with yum and install the required packages
  # yum update -y
  # yum install ntp -y

6. Keep the server clock correct: synchronise periodically with the National Time Service Center (China) time server
  # crontab -e
  add one line:
  1 */6 * * * ntpdate 210.72.145.44 > /dev/null 2>&1

7. Packages needed for building from source (Source) and other compatibility packages
  # yum install libpng libpng-devel libjpeg libjpeg-devel gd gd-devel libxml2 libxml2-devel libmcrypt libmcrypt-devel compat-* pam-devel*

8. Harden SSH. Edit the SSH server configuration (/etc/ssh/sshd_config):
  (1) Disable SSH protocol 1
  find:       #Protocol 2,1
  change to:  Protocol 2
  (2) Disable server-side GSSAPI
  find the following two lines and comment them out:
  GSSAPIAuthentication yes
  GSSAPICleanupCredentials yes
  (3) Disable reverse DNS lookups
  find:       #UseDNS yes
  change to:  UseDNS no
  (4) Disable client-side GSSAPI
  # vi /etc/ssh/ssh_config
  find: GSSAPIAuthentication yes and comment that line out.
  Finally, after confirming the changes are correct, restart the SSH service:
  # service sshd restart
  # ssh -v
  Confirm that the OpenSSH and OpenSSL versions are correct.

III. Compile and install the L.N.M.P environment

1. Download the software
  # cd /usr/local/src
  pcre-7.6.tar.bz2
  nginx-0.6.29.tar.gz
  mysql-5.0.51a-linux-x86_64-icc-glibc23.tar.gz
  php-5.2.5.tar.bz2
  php-5.2.5-fpm-0.5.7.diff.gz   (patch that lets php-cgi run in fpm mode)
  eaccelerator-0.9.5.2.tar.bz2
  ZendOptimizer-3.3.3-linux-glibc23-x86_64.tar.gz

2. Install MySQL
  tar xzvf mysql-5.0.51a-linux-x86_64-icc-glibc23.tar.gz
  mv mysql-5.0.51a-linux-x86_64-icc-glibc23 /usr/local/
  ln -s mysql-5.0.51a-linux-x86_64-icc-glibc23 /usr/local/mysql
  useradd mysql -s /sbin/nologin
  chown -R mysql:root /usr/local/mysql/
  cd /usr/local/mysql
  ./scripts/mysql_install_db --user=mysql
  cp ./support-files/mysql.server /etc/rc.d/init.d/mysqld
  chown root:root /etc/rc.d/init.d/mysqld
  chmod 755 /etc/rc.d/init.d/mysqld
  chkconfig --add mysqld
  chkconfig --level 3 mysqld on
  cp ./support-files/my-huge.cnf /etc/my.cnf
  cp -r /usr/local/mysql/data /data/mysql
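An added check for step 8, written for this page and not part of the original standard: a POSIX shell function that reads an sshd_config text and reports any deviation from edits (1) to (3). The sample configurations are constructed to show the before and after state; the function name and its FAIL/OK output format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original standard: audit an sshd_config
# against steps (1)-(3) above. Reads the config text from stdin, e.g.
#   audit_sshd_config < /etc/ssh/sshd_config
# Prints one FAIL line per deviation; returns 0 only when all checks pass.
audit_sshd_config() {
    # Keep only effective directives: drop comments and blank lines.
    effective=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d')
    rc=0
    # (1) Protocol 2 must be set explicitly; a commented "#Protocol 2,1"
    #     leaves the old default in force, which still permits protocol 1.
    if ! printf '%s\n' "$effective" | grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$'; then
        echo "FAIL: Protocol 2 is not set explicitly"; rc=1
    fi
    # (2) Neither server-side GSSAPI directive may remain enabled.
    if printf '%s\n' "$effective" | grep -Eiq '^[[:space:]]*GSSAPI(Authentication|CleanupCredentials)[[:space:]]+yes'; then
        echo "FAIL: server-side GSSAPI is still enabled"; rc=1
    fi
    # (3) Reverse DNS lookups must be disabled explicitly.
    if ! printf '%s\n' "$effective" | grep -Eiq '^[[:space:]]*UseDNS[[:space:]]+no[[:space:]]*$'; then
        echo "FAIL: UseDNS is not set to no"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sshd_config matches the standard"
    return "$rc"
}

# Constructed sample: the stock file before the edits (all three checks fail).
UNHARDENED_SSHD='#Protocol 2,1
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UseDNS yes'

# Constructed sample: the same file after steps (1)-(3).
HARDENED_SSHD='Protocol 2
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
UseDNS no'

# Stand-alone run: audit both samples (the exit status reflects the second one).
printf '%s\n' "$UNHARDENED_SSHD" | audit_sshd_config || :
printf '%s\n' "$HARDENED_SSHD" | audit_sshd_config
```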
  chown -R mysql:mysql /var/lib/mysql/
  vi /etc/my.cnf and change the following. In the [mysqld] section add or modify:
  datadir = /data/mysql
  skip-innodb
  wait-timeout = 3 | 5 | 10
  max_connections = 256 | 384 | 512
  max_connect_errors = 10000000
  thread_concurrency = number of CPUs × 2
  Comment out log-bin (if MySQL master/slave replication is needed, log-bin must stay enabled and must not be commented out).
  # bin/mysqladmin -u root password password_for_root
  (Note: password_for_root is the password of the MySQL root account; choose your own.)

  Reference parameter settings for MySQL on large sites (for reference only):
  [mysqld]
  port = 3306
  socket = /tmp/mysql.sock
  datadir = /data/mysql
  skip-locking
  skip-name-resolve
  skip-innodb
  skip-symbolic-links
  local-infile=0
  low_priority_updates=1
  back_log = 300
  key_buffer = 256M
  max_allowed_packet = 16M
  thread_stack = 128K
  table_cache = 1024
  sort_buffer_size = 4M
  read_buffer_size = 256K
  join_buffer_size = 4M
  record_buffer = 2M
  read_rnd_buffer_size = 4M
  myisam_sort_buffer_size = 64M
  thread_cache_size = 64
  query_cache_size = 32M
  tmp_table_size = 196M
  max_connections = 1600
  max_connect_errors = 10000000000000
  wait_timeout = 5
  thread_concurrency=16
  long_query_time = 1
  log-slow-queries = /data/mysql/slow.log

3. Compile and install Nginx
  # Install pcre
  # tar jxvf pcre-7.6.tar.bz2
  # cd pcre-7.6
  # ./configure --prefix=/usr/local/pcre --enable-utf8 --enable-unicode-properties
  # make
  # make install
  # Install Nginx
  # tar jxvf nginx-fancyindex-0.1_beta5.tar.bz2
  # tar zxvf nginx-0.6.29.tar.gz
  # cd nginx-0.6.29
  # ./configure --prefix=/usr/local/nginx \
      --sbin-path=/usr/local/nginx/sbin/nginx \
      --conf-path=/usr/local/nginx/conf/nginx.conf \
      --error-log-path=/usr/local/nginx/logs/error.log \
      --http-log-path=/usr/local/nginx/logs/access.log \
      --pid-path=/usr/local/nginx/var/nginx.pid \
      --lock-path=/usr/local/nginx/var/nginx.lock \
      --http-client-body-temp-path=/dev/shm/nginx_temp/client_body \
      --http-proxy-temp-path=/dev/shm/nginx_temp/proxy \
      --http-fastcgi-temp-path=/dev/shm/nginx_temp/fastcgi \
      --user=www --group=www \
      --with-cpu-opt=pentium4F \
      --without-select_module --without-poll_module \
      --with-http_realip_module --with-http_sub_module \
      --with-http_gzip_static_module --with-http_stub_status_module \
      --without-http_ssi_module --without-http_userid_module \
      --without-http_geo_module --without-http_memcached_module \
      --without-http_map_module \
      --without-mail_pop3_module --without-mail_imap_module \
      --without-mail_smtp_module \
      --with-pcre=/usr/local/src/pcre-7.6
  # make
  # make install
  # mkdir /dev/shm/nginx_temp
  # vim /etc/init.d/nginx
  and write the following:

#!/bin/bash
#
# chkconfig: 2345 90 60
# description: nginx
# processname: nginx

# Source Function Library
. /etc/init.d/functions

# Nginx Settings
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/var/nginx.pid"
RETVAL=0
prog="Nginx"

start() {
    echo -n $"Starting $prog: "
    mkdir -p /dev/shm/nginx_temp
    daemon $NGINX_SBIN -c $NGINX_CONF
    RETVAL=$?
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p $NGINX_PID $NGINX_SBIN -TERM
    # capture the status of killproc, not of the rm that follows it
    RETVAL=$?
    rm -rf /dev/shm/nginx_temp
    echo
    return $RETVAL
}

reload() {
    echo -n $"Reloading $prog: "
    killproc -p $NGINX_PID $NGINX_SBIN -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

configtest() {
    # return the result of the syntax check instead of always 0
    $NGINX_SBIN -c $NGINX_CONF -t
    return $?
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  reload)
        reload
        ;;
  restart)
        restart
        ;;
  configtest)
        configtest
        ;;
  *)
        echo $"Usage: $0 {start|stop|reload|restart|configtest}"
        RETVAL=1
esac
exit $RETVAL

  # chmod 755 /etc/init.d/nginx
  # Nginx syntax highlighting
  # mkdir -p /root/.vim/syntax
  # cd /root/.vim/syntax
  # vim nginx.vim
  insert the following lines:

" Vim syntax file
" Language: Nginx configuration (nginx.conf)
" Maintainer: Evan Miller
" Last Change: 2007 May 02
" Notes: This is a bit patchy.

if exists("b:current_syntax")
  finish
end

setlocal iskeyword+=.
setlocal iskeyword+=/
setlocal iskeyword+=:

" basics
syn match ngxStringVariable "\$\w\w*" contained
syn region ngxString start=+"+ end=+"+ skip=+\\"+ contains=ngxStringVariable oneline
syn region ngxString start=+'+ end=+'+ skip=+\\'+ contains=ngxStringVariable oneline

" Main
syn keyword ngxDirective daemon debug_points error_log lock_file master_process pid ssl_engine timer_resolution user group worker_cpu_affinity worker_priority worker_processes worker_rlimit_core worker_rlimit_nofile worker_rlimit_sigpending working_directory
syn keyword ngxDirectiveImportant include
syn keyword ngxBlockDirective http events contained
syn keyword ngxBlockDirective server contained

" Events
syn keyword ngxDirective accept_mutex accept_mutex_delay debug_connection devpoll_changes devpoll_events epoll_events kqueue_changes kqueue_events multi_accept rtsig_signo rtsig_overflow_events rtsig_overflow_test rtsig_overflow_threshold use worker_connections

" HTTP core
syn keyword ngxDirective alias client_body_in_file_only client_body_buffer_size client_body_temp_path client_body_timeout client_header_buffer_size client_header_timeout client_max_body_size default_type keepalive_timeout large_client_header_buffers limit_rate msie_padding msie_refresh optimize_server_names port_in_redirect recursive_error_pages satisfy_any send_timeout sendfile server_names_hash_max_size server_names_hash_bucket_size tcp_nodelay tcp_nopush internal
syn keyword ngxDirective output_buffers postpone_output send_lowat connections
syn keyword ngxDirectiveImportant root server server_name listen
syn keyword ngxDirectiveError error_page
syn keyword ngxBlockDirective location limit_except types contained

" Access
syn keyword ngxDirective allow deny

" Auth
syn keyword ngxDirective auth_basic auth_basic_user_file

" Auto-index
syn keyword ngxDirective autoindex
syn keyword ngxDirective autoindex_exact_size
syn keyword ngxDirective autoindex_localtime

" DAV
syn keyword ngxDirective dav_access dav_methods create_full_put_path

" FastCGI
syn keyword ngxDirective fastcgi_index fastcgi_hide_header fastcgi_intercept_errors fastcgi_param fastcgi_pass_header fastcgi_redirect_errors
syn keyword ngxDirectiveImportant fastcgi_pass

" gzip
syn keyword ngxDirective gzip gzip_buffers gzip_comp_level gzip_min_length gzip_http_version gzip_proxied gzip_types

" header
syn keyword ngxDirective add_header
syn keyword ngxDirective expires

" auto-index
syn keyword ngxDirective index

" log
syn keyword ngxDirective access_log log_format

" proxy
syn keyword ngxDirective proxy_buffer_size proxy_buffering proxy_buffers proxy_connect_timeout proxy_hide_header proxy_intercept_errors proxy_method proxy_next_upstream proxy_pass_header proxy_read_timeout proxy_redirect_errors proxy_send_timeout proxy_set_header proxy_temp_path proxy_temp_file_write_size proxy_busy_buffers_size proxy_send_lowat
syn keyword ngxDirectiveImportant proxy_pass proxy_redirect

" rewrite
syn keyword ngxDirectiveControl break return set uninitialized_variable_warn rewrite
syn keyword ngxDirective uninitialized_variable_warn
syn keyword ngxBlockDirective if contained

" SSL
syn keyword ngxDirective ssl ssl_certificate ssl_certificate_key ssl_client_certificate ssl_ciphers ssl_prefer_server_ciphers ssl_protocols ssl_verify_client ssl_verify_depth ssl_session_cache ssl_session_timeout

" Upstream
syn keyword ngxDirective ip_hash server
syn keyword ngxBlockDirective upstream contained

" Addition
syn keyword ngxDirectiveImportant add_before_body add_after_body

" Charset
syn keyword ngxDirective charset charset_map override_charset source_charset

" empty gif
syn keyword ngxDirective empty_gif

" geo
syn keyword ngxBlockDirective geo

" map
syn keyword ngxBlockDirective map
syn keyword ngxDirective map_hash_max_size map_hash_bucket_size

" realip
syn keyword ngxDirective set_real_ip_from real_ip_header

" referer
syn keyword ngxDirective valid_referers

" ssi
syn keyword ngxDirective ssi

" user id
syn keyword ngxDirective userid userid_domain userid_expires userid_name userid_p3p userid_path userid_service

" sub filter
syn keyword ngxDirective sub_filter sub_filter_once sub_filter_types

" perl
syn keyword ngxDirective perl_modules perl_require perl_set

" limit zone
syn keyword ngxDirective limit_zone limit_conn

" memcache
syn keyword ngxDirective memcached_connect_timeout memcached_send_timeout memcached_read_timeout memcached_buffer_size memcached_next_upstream
syn keyword ngxDirectiveImportant memcached_pass

" stub
syn keyword ngxDirective stub_status

" flv
syn keyword ngxDirective flv

" browser
syn keyword ngxDirective ancient_browser ancient_browser_value modern_browser modern_browser_value

syn region ngxStartBlock start=+^+ end=+{+ contains=ngxBlockDirective,ngxContextVariable oneline
syn match ngxContextVariable "\$\w\w*" contained
syn match ngxComment " *#.*$"
syn match ngxVariable "\$\w\w*"

hi link ngxBlockDirective Statement
hi link ngxStartBlock Normal
hi link ngxStringVariable Special
hi link ngxDirectiveControl Special
hi link ngxComment Comment
hi link ngxString String
hi link ngxDirective Identifier
hi link ngxDirectiveImportant Type
hi link ngxVariable Identifier
hi link ngxContextVariable Identifier
hi link ngxDirectiveError Constant

let b:current_syntax = "nginx"

  # vim /root/.vim/filetype.vim
  insert:
  au BufRead,BufNewFile /usr/local/nginx/conf/* set ft=nginx
  # chkconfig --add nginx
  # chkconfig --level 3 nginx on

4. Compile and install PHP (php-cgi in fpm mode)
  # tar -zxvf php-5.2.8.tar.gz
  # gzip -cd php-5.2.8-fpm-0.5.10.diff.gz | patch -d php-5.2.8 -p1   (apply the fpm patch to PHP)
  # cd php-5.2.8
  # ./configure --prefix=/usr/local/php \
      --with-config-file-path=/usr/local/php/etc \
      --with-mysql=/usr/local/mysql --with-mysql-sock=/tmp \
      --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir \
      --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt \
      --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring \
      --enable-exif --enable-zend-multibyte --disable-ipv6 \
      --enable-fastcgi --enable-fpm
  # make
  # make install
  # mkdir /usr/local/php/etc
  # cp php.ini-dist /usr/local/php/etc/php.ini
  Edit /usr/local/php/etc/php-fpm.conf:
  # vim /usr/local/php/etc/php-fpm.conf
  change the user and group names to "www":
  uncomment:
    Unix user of processes
    <value name="user">www</value>
    Unix group of processes
    <value name="group">www</value>
  # /usr/local/php/sbin/php-fpm start
  # echo '/usr/local/php/sbin/php-fpm start' >> /etc/rc.local

5. Install the eAccelerator PHP accelerator
  # cd /usr/local/src
  # tar jxvf eaccelerator-0.9.5.2.tar.bz2
  # cd eaccelerator-0.9.5.2
  # /usr/local/php/bin/phpize
  (the phpize command prepares the build environment for a PHP extension module)
  # ./configure --enable-eaccelerator=shared --with-php-config=/usr/local/php/bin/php-config --with-eaccelerator-shared-memory --with-eaccelerator-sessions --with-eaccelerator-content-caching
  # make
  # make install
  # mkdir /usr/local/php/ext
  # cp modules/eaccelerator.so /usr/local/php/ext/

6. Install the memcache PHP extension
  # cd /usr/local/src/
  # tar zxvf memcache-2.2.3.tgz
  # cd memcache-2.2.3
  # /usr/local/php/bin/phpize
  # ./configure --with-php-config=/usr/local/php/bin/php-config --enable-memcache --with-zlib-dir
  # make
  # make install
  # cp modules/memcache.so /usr/local/php/ext/
  # Install eAccelerator as a Zend extension
  # vim /usr/local/php/etc/php.ini
  insert:
  zend_extension="/usr/local/php/ext/eaccelerator.so"
  eaccelerator.shm_size="16"
  eaccelerator.cache_dir="/tmp/eaccelerator"
  eaccelerator.enable="1"
  eaccelerator.optimizer="1"
  eaccelerator.check_mtime="1"
  eaccelerator.debug="0"
  eaccelerator.filter=""
  eaccelerator.shm_max="0"
  eaccelerator.shm_ttl="0"
  eaccelerator.shm_prune_period="0"
  eaccelerator.shm_only="0"
  eaccelerator.compress="1"
  eaccelerator.compress_level="9"
  # mkdir /tmp/eaccelerator
  # chmod 0777 /tmp/eaccelerator

7. Install the Zend Optimizer PHP optimizer
  # cd /usr/local/src
  # tar zxvf ZendOptimizer-3.3.3-linux-glibc23-x86_64.tar.gz
  # cd ZendOptimizer-3.3.3-linux-glibc23-x86_64
  # ./install.sh

8. Verify the L.N.M.P environment and harden PHP
  Place a phpinfo.php script in the web root and check that every item in the phpinfo output is correct. Once PHP is confirmed to work, adjust php.ini to improve PHP security.
  First find:  extension_dir = "./"
  change to:   extension_dir = "/usr/local/php-fcgi/ext/"
  # vi /etc/php.ini
  find:        ;extension=php_zip.dll
  below that line add:  extension=memcache.so
  Save and exit. After saving, /usr/local/php/bin/php-cgi -m | grep memcache confirms the extension loads and shows its parameters.
  Find:
  disable_functions =
  and set it to:
  disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server

IV. Server security settings

1. Configure the system firewall
  # vi /usr/local/sbin/fw.sh
  Paste the following script into fw.sh:

#!/bin/bash
# Stop iptables service first
service iptables stop
# Load FTP kernel modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Initial chains default policy
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Enable native network transfer (loopback)
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP control
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# WWW service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# FTP service
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# SSH service
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  # chmod 755 /usr/local/sbin/fw.sh
  # echo /usr/local/sbin/fw.sh >> /etc/rc.local
  # /usr/local/sbin/fw.sh
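An added check for the disable_functions setting in step 8 of section III, written for this page and not part of the original standard: a POSIX shell function that reads a php.ini text and lists every function from the required list that is still enabled. The sample php.ini contents are constructed; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original standard: check a php.ini against
# the disable_functions list required in step 8 of section III. Reads php.ini
# text from stdin, e.g.  missing_disabled_functions < /usr/local/php/etc/php.ini
# Prints every required function that is NOT disabled, one per line;
# returns 0 when nothing is missing, 1 otherwise.
REQUIRED_DISABLED="passthru exec system chroot scandir chgrp chown shell_exec
proc_open proc_get_status ini_alter ini_restore dl pfsockopen openlog syslog
readlink symlink popen stream_socket_server"

missing_disabled_functions() {
    # Use the last uncommented disable_functions line (a later one overrides an
    # earlier one), drop the key, and split the comma list to one name per line.
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' \
               | tail -n 1 | tr ',' '\n' | sed 's/[[:space:]"]//g')
    missing=0
    for fn in $REQUIRED_DISABLED; do
        if ! printf '%s\n' "$disabled" | grep -Fqx "$fn"; then
            echo "$fn"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: php.ini-dist default, nothing disabled.
STOCK_INI='; constructed sample
disable_functions ='
# Constructed sample: a partial hardening that leaves most of the list enabled.
PARTIAL_INI='disable_functions = exec, system, shell_exec'
# Constructed sample: the value this standard requires.
STANDARD_INI='disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server'

# Stand-alone run: list what the partial configuration still leaves enabled.
printf '%s\n' "$PARTIAL_INI" | missing_disabled_functions || :
```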