
分类: 系统运维

2015-07-08 13:36:45

1、 目前所有前端机及中转机均为centos6.2以上64位操作系统,原则上要求英文操作系统,无桌面

2、 目前所有前端机及中转机均只安装了nginx-1.6.2版本

3、 拿到服务器后安装步骤

1)      yum install -y make gcc gcc-c++ libtool zlib-devel openssl-devel pcre-devel ncurses-devel libtermcap-devel automake autoconf libxml2-devel curl-devel gd-devel readline-devel bzip2-devel net-snmp net-snmp-devel net-snmp-utils libjpeg-static libpng-static gmp-devel gmp-static zlib-static nc cmake bison vim-enhanced ntp wget

2)      检查当前时区是否正常

date

如不正常,cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

          ntpdate clock.cuhk.edu.hk

然后计划任务增加

          /etc/crontab

          */30 * * * * root /usr/sbin/ntpdate clock.cuhk.edu.hk &>/dev/null

3)      下载nginx-1.6.2

wget <nginx-1.6.2.tar.gz 的下载地址>

(原文中的下载链接在页面提取时丢失,这里用占位符表示。建议从 nginx 官方站点获取源码包,并用官方发布的 PGP 签名校验后再编译安装。)

4)      编译安装nginx

tar zxvf nginx-1.6.2.tar.gz

cd nginx-1.6.2

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

make && make install

5)      修改nginx配置

/usr/local/nginx/conf/nginx.conf

# Main-context settings: worker identity, process count, descriptor limit, logging and pid file.

# Worker processes run as the unprivileged "nobody" account.
user  nobody;

worker_processes  4;

# Per-worker open-file limit; the events block allows 1024 connections per worker.
worker_rlimit_nofile 10240;

# NOTE(review): every error-log message is discarded. The http block also sets
# "access_log off", so this host keeps no nginx record for troubleshooting or
# incident investigation. Consider a real log path or a remote log target.
error_log /dev/null;

# Relative path; nginx resolves it against the --prefix used at build time.
pid        logs/nginx.pid;

# Connection-processing settings shared by all workers.
events {

        # Upper bound on simultaneous connections per worker; this count also
        # includes the connections nginx opens to proxied upstream servers.
        worker_connections  1024;

        # Use the Linux epoll event method.
        use epoll;

       }

# HTTP context: global buffer/proxy/gzip tuning, rate-limit and cache zones,
# one upstream group, a default static vhost on :80 and a proxy vhost on :888.
http {

        # Hide the nginx version in the Server header and on error pages.
        server_tokens off;

        server_names_hash_bucket_size 128;

        server_names_hash_max_size 1024;

        # Left commented out, so the nginx default request-body limit applies.
        #client_max_body_size 2m;

        # Request-header buffers: 16k initially, then up to four 16k buffers.
        client_header_buffer_size 16k;

        large_client_header_buffers 4 16k;

        include mime.types;

        # Cache open file descriptors and lookup errors for static files.
        open_file_cache max=10240 inactive=20s;

        open_file_cache_errors on;

        open_file_cache_min_uses 2;

        open_file_cache_valid 30s;

        # NOTE(review): 300 s upstream timeouts let a slow or stalled backend
        # hold worker connections for minutes; confirm the backends need this.
        proxy_connect_timeout 300;

        proxy_send_timeout 300;

        proxy_read_timeout 300;

        proxy_buffer_size 64k;

        proxy_buffers 4 64k;

        proxy_busy_buffers_size 128k;

        proxy_temp_file_write_size 128k;

        #proxy_intercept_errors on;

        # Compress the listed text types for HTTP/1.0 and later clients.
        gzip  on;

        gzip_http_version 1.0;

        gzip_buffers     4 8k;

        gzip_types       text/plain application/x-javascript text/css  application/xml;

        gzip_comp_level 2;

        gzip_min_length 1k;

        #gzip_proxied   any;

        # These two directives only declare shared-memory zones keyed by client
        # address. NOTE(review): no limit_req / limit_conn directive in this
        # listing references req_one or conn_one, so no limit is enforced here.
        limit_req_zone  $binary_remote_addr  zone=req_one:100m rate=1r/s;

        limit_conn_zone  $binary_remote_addr  zone=conn_one:100m;

        # NOTE(review): this format records $request_body, which can contain
        # passwords or session tokens from form posts. It is unused while
        # "access_log off" is in effect; drop $request_body before enabling it.
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer"  "$request_body"' '"$http_user_agent" "$http_x_forwarded_for"';

        # No access log is written for any vhost that does not override this.
        access_log off;

        sendfile on;

        tcp_nopush on;

        tcp_nodelay on;

        keepalive_timeout  30;

        # Relative paths; nginx resolves them against the --prefix directory.
        proxy_temp_path   proxy_temp;

        # Declares cache zone cache_one; no proxy_cache directive in the server
        # blocks shown here uses it.
        proxy_cache_path  proxy_cache  levels=1:2   keys_zone=cache_one:500m inactive=1h max_size=30g;

        # NOTE(review): nginx will disregard the upstream's Expires and
        # Cache-Control headers. If caching is later switched on, responses the
        # backend marks private or no-store could be stored and served to other
        # clients; confirm only public content is proxied before enabling it.
        proxy_ignore_headers Expires Cache-Control;

        # Second pair of zone declarations; likewise not referenced by any
        # limit_req / limit_conn directive in this listing.
        limit_req_zone  $binary_remote_addr  zone=req_web:100m rate=1r/s;

        limit_conn_zone  $binary_remote_addr  zone=conn_web:100m;

 

        # Backend group; x.x.x.x are the author's placeholders for real addresses.
        upstream web_xxx {

                server  x.x.x.x:888;

                server  x.x.x.x:888;

        }

 

        # Default vhost for port 80: serves static files from html/80 with
        # check.html as the index page.
        server {

                listen 80 default;

                server_name 0.0.0.0;

                root html/80;

                index check.html;

                # Static assets get a 30-day Expires header.
                location ~ \.(js|css|gif|jpg|jpeg|png|bmp|swf)$  {

                        expires 30d;

                }

        }

 

                      

        # Reverse-proxy vhost on port 888.
        server {

                listen 888;

                # NOTE(review): the value and terminating ";" are missing here,
                # apparently lost when the page was extracted; the config will
                # not load until a real hostname is filled in.
                server_name

                 location / {

                        proxy_set_header Host $host;

                        # Set from the TCP peer address, replacing any client-sent value.
                        proxy_set_header X-Real-IP $remote_addr;

                        # Appends the peer address to whatever X-Forwarded-For the
                        # client sent; the backend should trust only the last entry.
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                        # Retry the request on the next upstream server for these failures.
                        # NOTE(review): confirm how non-idempotent requests (e.g. POST)
                        # are retried on this nginx version to avoid duplicate submissions.
                        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

                        # NOTE(review): target is missing (lost in extraction);
                        # presumably the web_xxx upstream defined above, to be confirmed.
                        proxy_pass

                }

        }

}

6)      Nginx 启动 停止 和重启

启动  /usr/local/nginx/sbin/nginx

停止  /usr/local/nginx/sbin/nginx -s stop

重启  /usr/local/nginx/sbin/nginx -s reload (reload 为平滑重载配置;执行前可先用 /usr/local/nginx/sbin/nginx -t 检查配置语法)

4、 修改iptables

具体修改 /etc/sysconfig/iptables

# Filter-table ruleset in iptables-save format, loaded by "service iptables restart".
*filter

# Default-deny for inbound traffic.
# NOTE(review): no rule below admits SSH or any other management port. Only
# established traffic, loopback, rate-limited ICMP echo and TCP 80/888 pass.
# Loading this over a remote session leaves no way to open a new management
# connection; add a source-restricted rule for the admin port or confirm
# out-of-band console access first.
:INPUT DROP [1:0]

# NOTE(review): forwarded traffic is accepted by default. That is harmless only
# while IP forwarding is disabled on the host; a DROP policy is the safer default.
:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

# Reset packets that start a "new" connection with SYN+ACK set.
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# Reset any other NEW TCP packet that is not a plain SYN.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset

# Replies and related traffic for connections already tracked.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -j ACCEPT

# ICMP echo-request (ping), limited to 1 per second with a burst of 10.
-A INPUT -p tcp -m connlimit --connlimit-above 10 --connlimit-mask 32 -m multiport --dports 888 -j REJECT --reject-with tcp-reset

 

 Iptables 重启

service iptables restart
