2015-07-08 13:36:45
1、 目前所有前端机及中转机均为centos6.2以上64位操作系统,原则上要求英文操作系统,无桌面
2、 目前所有前端机及中转机均只安装了nginx-1.6.2版本
3、 拿到服务器后安装步骤
1) yum install -y make gcc gcc-c++ libtool zlib-devel openssl-devel pcre-devel ncurses-devel libtermcap-devel automake autoconf libxml2-devel curl-devel gd-devel readline-devel bzip2-devel net-snmp net-snmp-devel net-snmp-utils libjpeg-static libpng-static gmp-devel gmp-static zlib-static nc cmake bison vim-enhanced ntp wget
2) 检查当前时区是否正常
date
如不正常,cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate clock.cuhk.edu.hk
然后计划任务增加
/etc/crontab
*/30 * * * * root /usr/sbin/ntpdate clock.cuhk.edu.hk &>/dev/null
3) 下载nginx-1.6.2
wget <nginx-1.6.2 源码包下载地址——原文链接在页面提取时丢失，此处为占位符>
4) 编译安装nginx
tar zxvf nginx-1.6.2.tar.gz
cd nginx-1.6.2
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
5) 修改nginx配置
/usr/local/nginx/conf/nginx.conf
# nginx.conf for the front-end / relay hosts described above (nginx-1.6.2 built
# with --with-http_stub_status_module --with-http_ssl_module).
# Worker processes run as the unprivileged 'nobody' user.
user nobody;
worker_processes 4;
worker_rlimit_nofile 10240;
# NOTE(review): the error log is discarded. Start-up/config errors and upstream
# failures leave no trace on the host; a real file (e.g. logs/error.log) at
# least at 'crit' level is needed for incident triage.
error_log /dev/null;
pid logs/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
# Hide the nginx version from the Server header and built-in error pages.
server_tokens off;
server_names_hash_bucket_size 128;
server_names_hash_max_size 1024;
#client_max_body_size 2m;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
include mime.types;
# Cache open file descriptors for static files; entries are revalidated every 30s
# and dropped after 20s without use.
open_file_cache max=10240 inactive=20s;
open_file_cache_errors on;
open_file_cache_min_uses 2;
open_file_cache_valid 30s;
# Upstream timeouts (seconds) and proxy buffer sizes shared by every proxied location.
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
proxy_buffer_size 64k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
#proxy_intercept_errors on;
gzip on;
gzip_http_version 1.0;
gzip_buffers 4 8k;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_comp_level 2;
gzip_min_length 1k;
#gzip_proxied any;
# Rate / connection limit zones keyed by client address.
# NOTE(review): only the zones are declared. No limit_req or limit_conn
# directive in this file references req_one, conn_one, req_web or conn_web,
# so these limits are not applied to any server or location unless an
# included file does so — confirm, otherwise the zones are dead configuration.
limit_req_zone $binary_remote_addr zone=req_one:100m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=conn_one:100m;
# NOTE(review): this format includes "$request_body". If access_log is ever
# enabled with it, POST bodies (login forms, tokens, personal data) are written
# to disk in clear text; drop the field or tightly restrict the log file.
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" "$request_body"' '"$http_user_agent" "$http_x_forwarded_for"';
# Access logging is disabled globally — there is no per-request record for
# forensics or abuse investigation on these hosts.
access_log off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
proxy_temp_path proxy_temp;
# NOTE(review): cache_one is declared but no proxy_cache directive in this
# file uses it, so nothing is cached here unless an included file enables it.
proxy_cache_path proxy_cache levels=1:2 keys_zone=cache_one:500m inactive=1h max_size=30g;
proxy_ignore_headers Expires Cache-Control;
limit_req_zone $binary_remote_addr zone=req_web:100m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=conn_web:100m;
# Backend pool on port 888; x.x.x.x are placeholders for the real relay/backend addresses.
upstream web_xxx {
server x.x.x.x:888;
server x.x.x.x:888;
}
# Catch-all server on port 80: serves html/80 (check.html) and long-caches static assets.
server {
listen 80 default;
server_name 0.0.0.0;
root html/80;
index check.html;
location ~ \.(js|css|gif|jpg|jpeg|png|bmp|swf)$ {
expires 30d;
}
}
# Relay server on port 888: forwards every request to the upstream.
server {
listen 888;
# NOTE(review): the server_name value (and its terminating ';') is missing —
# presumably lost when the page was extracted; supply it before use.
server_name
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends to the client-supplied header, so the
# backend must only trust the last (this hop's) address in X-Forwarded-For.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
# NOTE(review): the proxy_pass target is missing — presumably http://web_xxx
# (the upstream declared above); confirm and add the trailing ';'.
proxy_pass
}
}
}
6) Nginx 启动 停止 和重启
启动 /usr/local/nginx/sbin/nginx
停止 /usr/local/nginx/sbin/nginx -s stop
重启 /usr/local/nginx/sbin/nginx -s reload
4、 修改iptables
具体修改 /etc/sysconfig/iptables
# /etc/sysconfig/iptables (iptables-restore format) for the front-end / relay hosts.
# Default policy: every inbound packet not explicitly accepted below is dropped;
# forwarding and outbound traffic are unrestricted.
*filter
:INPUT DROP [1:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reject NEW connections whose TCP flags are not a plain SYN (SYN+ACK set, or
# any combination other than SYN alone) with a RST instead of silently dropping.
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
# Accept packets belonging to connections this host already tracks.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback is unrestricted.
-A INPUT -i lo -j ACCEPT
# ICMP echo-request (ping), limited to 1/s with a burst of 10.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
# Port 888 (relay): a single source address (/32) may hold at most 10 concurrent
# connections; further ones are reset. Then accept new connections to 888.
-A INPUT -p tcp -m connlimit --connlimit-above 10 --connlimit-mask 32 -m multiport --dports 888 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m multiport --dports 888 -m state --state NEW -j ACCEPT
# Port 80: at most 3 concurrent connections per source address.
# NOTE(review): browsers commonly open several parallel connections per host
# and NAT'd users share one source address, so a limit of 3 may reset
# legitimate clients — confirm this threshold is intended.
-A INPUT -p tcp -m connlimit --connlimit-above 3 --connlimit-mask 32 -m multiport --dports 80 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m multiport --dports 80 -j ACCEPT
# NOTE(review): no rule admits administrative access (e.g. SSH on 22). With the
# INPUT DROP policy, new remote logins are blocked as soon as this ruleset is
# loaded; only sessions already ESTABLISHED survive. Make sure console /
# out-of-band access or a management rule exists before 'service iptables restart'.
COMMIT
Iptables 重启
service iptables restart