2012-02-17 13:07:37
原文地址:基于电子商务的lamp环境 作者:louyuguang
服务器配置:
apache(2.2.22) 下载地址:
php(5.2.17)下载地址:
mysql(5.5.20,64-bit)下载地址:http://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.20-linux2.6-x86_64.tar.gz/from/http://mysql.ntu.edu.tw/
Apache
安装http前先安装apr和apu
# Build the APR and APR-util bundled under srclib/ before httpd itself.
# With no --prefix they install under /usr/local/apr, which is where the
# httpd configure line below points (--with-apr / --with-apr-util).
# All steps are run as root (the leading # is the root prompt).
#cd srclib/apr
#./configure
#make&&make install
#cd ../apr-util/
# apr-util must be built against the apr just installed, hence the explicit
# apr-1-config path.
#./configure --with-apr=/usr/local/apr/bin/apr-1-config
#make&&make install
#cd ../..
安装http
# httpd itself, installed under /usr/local/apache (not the distro's /etc/httpd).
# --enable-so turns on DSO loading, which the later apxs steps (PHP module,
# mod_evasive) depend on; --enable-rewrite builds mod_rewrite.
#./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr/bin/apu-1-config
#make&&make install
修改/usr/local/apache/conf/httpd.conf
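# httpd.conf fragment for /usr/local/apache/conf/httpd.conf.
# PID file moved from the default logs/httpd.pid to /var/run; apachectl
# stop/restart signal whatever PID is stored here, so the file must not be
# writable by unprivileged users.
PidFile /var/run/httpd.pid
# DocumentRoot left at the build default (commented out); content presumably
# comes from the per-site includes at the end of this fragment — confirm.
#DocumentRoot "/usr/local/apache/htdocs"
# `serverip` is a placeholder: replace with the address the vhosts listen on.
NameVirtualHost serverip:80
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
#mod_deflate Browser set
# Old-browser gzip workarounds; the `no-gzip` / `gzip-only-text/html` env vars
# are read by mod_deflate (loaded in the gzip section further down the page).
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
# Combined format records client IP, full request line, referer and UA;
# keep logs/ readable by root only.
CustomLog logs/access_log combined
# .htaccess may override FileInfo (handlers/types/rewrite), AuthConfig and
# Limit. FileInfo lets a directory owner remap types and handlers, so any
# directory that receives user uploads must sit under `AllowOverride None`
# or an uploaded .htaccess could map arbitrary files to PHP.
AllowOverride FileInfo AuthConfig Limit
# FIX: the original line `Options MultiViews -Indexes FollowSymLinks IncludesNoExec`
# mixed absolute and relative (+/-) forms, which Apache documents as invalid
# (2.2: "unexpected results", 2.4: rejected at startup). The absolute form
# sets exactly these three options, so Indexes is already off.
# FollowSymLinks serves any file the httpd user can read through a symlink
# created under the docroot; SymLinksIfOwnerMatch is the stricter choice when
# untrusted users can write there.
Options MultiViews FollowSymLinks IncludesNoExec
# Two consecutive Order/Allow pairs; the enclosing <Directory> blocks are not
# shown on the page and the second Order supersedes the first within one
# context — presumably pasted from two different sections, confirm.
Order allow,deny
Allow from all
Order deny,allow
Allow from all
# Per-site configs are read at startup (as root, before privileges drop) from an
# unprivileged user's home: whoever can write /home/bus_user/sites-enabled
# controls the server configuration. Keep the directory root-owned, and prefer a
# suffixed glob (`*.conf`) so editor backups such as `*~` or `*.swp` are not loaded.
Include /home/bus_user/sites-enabled/*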
Mysql
# Binary-tarball install of MySQL 5.5 under /usr/local/mysql, from the
# reference manual; `shell>` is the prompt, commands run as root.
# Dedicated service account; -r makes a system account (no home directory).
shell> groupadd mysql
shell> useradd -r -g mysql mysql
shell> cd /usr/local
# VERSION/OS and full-path-to-... are placeholders for the 5.5.20 x86_64
# archive listed at the top of the page.
shell> tar zxvf /path/to/mysql-VERSION-OS.tar.gz
shell> ln -s full-path-to-mysql-VERSION-OS mysql
shell> cd mysql
# Temporarily owned by mysql so mysql_install_db can create the data directory
# as the mysql user.
shell> chown -R mysql .
shell> chgrp -R mysql .
# Creates the grant tables. On 5.5 this leaves root@localhost with an empty
# password and creates anonymous accounts; run bin/mysql_secure_installation
# (or set the root password and drop the anonymous users) before port 3306 is
# opened in iptables as described later on the page.
shell> scripts/mysql_install_db --user=mysql
# Binaries go back to root so a compromised mysqld cannot overwrite them;
# only the data directory stays writable by the service account.
shell> chown -R root .
shell> chown -R mysql data
# Next command is optional
shell> cp support-files/my-medium.cnf /etc/my.cnf
# Starts the server in the background from this shell; the init script below
# is the normal way to run it.
shell> bin/mysqld_safe --user=mysql &
# Next command is optional
shell> cp support-files/mysql.server /etc/init.d/mysql
php:
需要安装的rpm包(扩展库文件)
yum install libjpeg-devel libxml2-devel libpng-devel libXpm-devel freetype-devel libmcrypt-devel curl-devel
[root@CentOS6-78 php-5.3.6]# cat config.nice
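#! /bin/sh
#
# Created by configure
#
# Saved PHP configure invocation: re-run as ./config.nice to rebuild with the
# same options; any extra arguments are appended through "$@".
# Notes (comments cannot go between the continued lines, so they are here):
# - The prompt above shows this was captured in a php-5.3.6 tree, not the
#   5.2.17 named at the top of the page — confirm which version is built.
# - --with-apxs2=/usr/sbin/apxs is the apxs of a distro-packaged httpd. The
#   Apache built earlier lives under /usr/local/apache, whose apxs is
#   /usr/local/apache/bin/apxs (the path used for mod_evasive later); the
#   PHP module is only loadable by the httpd whose apxs built it.
# - --with-mcrypt, --with-libxml-dir and --with-zlib-dir expect an install
#   prefix (the directory containing lib/ and include/), so /usr/lib and
#   /usr/include look wrong — presumably they worked because configure falls
#   back to system paths; verify in config.log.
# - FIX: the duplicated --enable-gd-native-ttf was removed (harmless but noisy).
'./configure' \
'--prefix=/usr/local/php5' \
'--with-apxs2=/usr/sbin/apxs' \
'--with-mysql=/usr/local/mysql' \
'--with-mysqli=/usr/local/mysql/bin/mysql_config' \
'--with-mcrypt=/usr/lib' \
'--enable-sockets' \
'--with-gd' \
'--enable-gd-native-ttf' \
'--with-curl' \
'--with-pdo-mysql=/usr/local/mysql/bin/mysql_config' \
'--with-jpeg-dir' \
'--with-freetype-dir' \
'--with-png-dir' \
'--with-xpm-dir' \
'--with-libxml-dir=/usr/lib' \
'--with-zlib-dir=/usr/include' \
'--enable-soap' \
"$@"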
# Run the saved configure line (configure writes config.nice executable),
# then build and install as root into /usr/local/php5.
#./config.nice
#make&&make install
修改/etc/httpd/conf/httpd.conf
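# FIX: `AddType application/x-httpd-php .php` maps through mod_mime, which
# looks at every dot-suffix of a filename; an uploaded `x.php.xyz` whose last
# suffix has no type of its own can therefore still be run as PHP. Binding the
# handler to names that end in .php (the form the PHP install docs recommend)
# closes that gap; behaviour for ordinary *.php files is unchanged.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
# Serves syntax-highlighted source for any *.phps file. Useful for demos only;
# on a production host drop this so a renamed copy cannot expose source.
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
DirectoryIndex index.html index.html.var index.php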
修改/usr/local/php5/lib/php.ini
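; php.ini fragment for /usr/local/php5/lib/php.ini.
; Comments use ';' — a leading '#' (as in the original `#date.timezone =`)
; is deprecated from PHP 5.3 and warns at startup.
; date.timezone is still unset here: PHP 5.3+ warns on date functions until
; it is set (e.g. Asia/Shanghai).
;date.timezone =
max_execution_time = 120
upload_max_filesize = 100M
; FIX: post_max_size (default 8M) caps the whole request body and must be at
; least upload_max_filesize, otherwise 100M uploads are dropped without an
; error from the upload itself.
post_max_size = 100M
; Hides notices only. On a production host also set `display_errors = Off`
; and `log_errors = On` so messages (paths, SQL fragments) go to the error
; log instead of the HTTP response.
error_reporting = E_ALL & ~E_NOTICE
; Enables `<?` short tags; conflicts with literal `<?xml` prologs in PHP files.
short_open_tag = On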
ftp:
# The download URL was lost from the page; fetch the pure-ftpd source tarball.
wget
tar -zxvf pure-ftpd.tar.gz
./configure --prefix=/usr/local/pure-ftpd
make install
mkdir /usr/local/pure-ftpd/etc
# pure-config.pl reads pure-ftpd.conf and starts the daemon with the matching
# flags; the init script patched below calls it from sbin/.
cp configuration-file/pure-config.pl /usr/local/pure-ftpd/sbin/
cp configuration-file/pure-ftpd.conf /usr/local/pure-ftpd/etc/
chmod a+x /usr/local/pure-ftpd/sbin/pure-config.pl
# PAM service file: FTP logins authenticate as system accounts. Plain FTP
# carries those passwords in clear text, so enable TLS in pure-ftpd.conf or
# use virtual users (pure-pw) rather than system accounts.
cp pam/pure-ftpd /etc/pam.d/
cd contrib
编辑 redhat.init 文件。修改
fullpath=/usr/local/sbin/$prog --> fullpath=/usr/local/pure-ftpd/sbin/$prog
pureftpwho=/usr/local/sbin/pure-ftpwho --> pureftpwho=/usr/local/pure-ftpd/sbin/pure-ftpwho
$fullpath /etc/pure-ftpd.conf --daemonize --> $fullpath /usr/local/pure-ftpd/etc/pure-ftpd.conf --daemonize
# Install the patched init script as "pureftpd" (note: not "pure-ftpd"); the
# service commands on this page use that name.
cp redhat.init /etc/rc.d/init.d/pureftpd
# Starts it now only; `chkconfig --add pureftpd` is needed for start on boot.
service pureftpd start
监控:
安装nrpe 用于线下245的nagios监控
安装snmp用于线下245的cacti监控
安全
更换ssh,ftp端口(暂不执行)
ssh:
service iptables stop
切记先关掉防火墙,以免出现悲剧
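# FIX: the original `sed -ir 's/#Port\s+22/Port\ 22008/'` did not change the
# file: GNU sed parses `-ir` as `-i` with backup suffix "r" (not `-i -r`), so
# the script ran as a basic regex where `+` is literal and `#Port\s+22` never
# matched; the only effect was a stray sshd_configr backup. `-r -i.bak` keeps
# a backup and uses extended regex; the anchors stop the pattern matching
# inside unrelated lines.
sed -r -i.bak 's/^#?Port\s+22$/Port 22008/' /etc/ssh/sshd_config
# Validate before restarting: a broken config would kill the only session.
# On CentOS 6 with SELinux enforcing the non-default port also needs
# `semanage port -a -t ssh_port_t -p tcp 22008`, otherwise sshd cannot bind it.
/usr/sbin/sshd -t && service sshd restart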
ftp:
修改/usr/local/etc/pure-ftpd.conf
找到#bind 127.0.0.1,21
修改为bind 21201
service pureftpd restart
从服务器随时下载同步主服务器的php程序(参见OJO的同步脚本)
Mod_evasive
用途,特点:
mod_evasive 是Apache(httpd)服务器的防DDOS的一个模块。对于WEB服务器来说,是目前比较好的一个防护DDOS攻击的扩展模块。虽然并不能完全防御DDOS攻击,但在一定条件下,还是能起到缓解Apache(httpd)服务器压力的作用。
安装:
是官方网站,可以下载最新版本
#tar zxvf mod_evasive_1.10.1.tar.gz
#cd mod_evasive
# apxs -c compiles the module, -i installs it under modules/, -a appends the
# LoadModule line to httpd.conf. Uses the apxs of the /usr/local/apache build
# (DSO support comes from --enable-so at build time); mod_evasive20.c is the
# Apache 2.x source file in the tarball.
#/usr/local/apache/bin/apxs -cia mod_evasive20.c
在httpd.conf中下面加入:
# mod_evasive settings for httpd.conf.
# Size of each child's hash table of recent client/URI hits.
DOSHashTableSize 3097
# More than 2 requests for the same URI from one IP within DOSPageInterval
# (1 s) triggers a block — tight enough that a quick reload or parallel AJAX
# calls from a single client can trip it; tune against real traffic.
DOSPageCount 2
# More than 50 requests to the whole site from one IP within DOSSiteInterval (1 s).
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
# Blocked clients receive 403 for this many seconds (per the module README
# the period is extended while hits continue — confirm for this version).
DOSBlockingPeriod 10
# Counting is per client IP: users behind one NAT or proxy share a counter,
# and if a load balancer is in front the module sees its address, not the
# client's. Path is relative to ServerRoot (/usr/local/apache); a bare `*`
# also pulls in editor backup files left in the directory.
Include modevasive.d/*
在/usr/local/apache下创建文件夹modevasive.d
创建白名单文件whitelist.conf
内容例如:
DOSWhitelist 127.0.0.1
不会挡住来自本机的可能ddos攻击
重启apache服务
/usr/local/apache/bin/apachectl restart
测试:
在mod_evasive中自带一个test.pl的脚本。用于测试是否配置成功
在test.pl脚本内将127.0.0.1改为要测试的服务器ip地址,然后执行测试脚本:
perl test.pl
或者用apache自带的ab工具:
/usr/local/apache/bin/ab -n 1000 -c 50
如果成功挡住ddos攻击会在/tmp下面生成例如名字为dos-127.0.0.1的文件。证明成功
iptables
开放3306端口可以被远程访问,但是限制只有从服务器ip地址有此权限
优化:
安装eaccelerator
具体安装方法查看包内readme
安装zend Optimizer (仅支持5.2.x以下的php)
具体安装方法查看包内readme
Apache:
httpd.conf:
# httpd.conf tuning.
KeepAlive On
# Seconds an idle keep-alive connection holds a process; 15 s keeps 1024
# processes busy with idle clients under load — lower it if MaxClients is hit.
KeepAliveTimeout 15
MaxKeepAliveRequests 100
# Process-count directives of the prefork MPM (mod_php is normally run under
# prefork) — presumed, the MPM is not named on the page.
StartServers 8
MinSpareServers 5
MaxSpareServers 20
# ServerLimit must be >= MaxClients; together they cap concurrency at 1024
# processes. With mod_php each process can hold tens of MB, so check that
# 1024 × per-process RSS fits in RAM or the host swaps under load.
ServerLimit 1024
MaxClients 1024
# Recycle each child after 4000 requests to bound leaks in PHP extensions.
MaxRequestsPerChild 4000
以上两个参数限定同一时间内允许接受的请求数量。如果需要增加需要两个参数都增加
隐藏apache和php版本:
Apache:
# Server header becomes just "Server: Apache" (no version or module list);
# the PHP header is handled separately by expose_php in php.ini.
ServerTokens ProductOnly
# No version footer on server-generated pages (error pages, listings).
ServerSignature Off
Php.ini:
expose_php = Off
开启gzip压缩:
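# gzip section for httpd.conf.
# mod_headers is loaded but no Header directive appears in this fragment;
# mod_deflate itself does not need it.
LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so
# 1-9; 3 gives most of the ratio at a fraction of the CPU of 9.
DeflateCompressionLevel 3
# SetOutputFilter below already compresses every response in this scope, so
# this per-extension line is redundant (harmless).
AddOutputFilter DEFLATE html xml php js css
# NOTE(review): compressing dynamic pages that embed per-user secrets (session
# or CSRF tokens) next to attacker-influenced input is the BREACH exposure;
# consider restricting DEFLATE to static content types on such pages.
SetOutputFilter DEFLATE
# Same rules as the BrowserMatch block in httpd.conf above; left disabled here.
#BrowserMatch ^Mozilla/4 gzip-only-text/html
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# FIX: the original `SetEnvIfNoCase Request_URI no-gzip dont-vary` had lost
# its regex, so "no-gzip" was the pattern and only dont-vary was ever set.
# Restored with the image pattern from the mod_deflate documentation example.
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# FIX: `.` escaped — unescaped it matched any character before the suffix.
# Already-compressed formats gain nothing from DEFLATE.
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary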
开启mysql慢查询日志:
添加/etc/my.cnf
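# /etc/my.cnf additions ([mysqld] section).
# Statements taking longer than this many seconds go to the slow log.
long_query_time = 2
# FIX: `log-slow-queries = FILE` is the pre-5.1.29 spelling, deprecated in
# 5.5 and removed in 5.6; the two options below are the current form.
# The log stores full statement text, which can include customer data from
# WHERE clauses, so keep /home/data/slowquery.log readable by mysql/root only.
slow_query_log = 1
slow_query_log_file = /home/data/slowquery.log
# Applies to *binary* logs only (auto-purge after N days); it does not rotate
# the slow query log, which needs logrotate plus FLUSH SLOW LOGS.
expire_logs_days = 3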