Category: BSD
2015-01-01 19:57:41
FreeBSD Server 10.0
Installing the FreeBSD system:
Install with [ Src ] and [ Doc ] selected; make the /var partition as large as possible.
After installation, configure OpenSSH to allow root login
ee /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
After editing, save and exit.
/etc/rc.d/sshd restart
Logging in with an SSH key pair
On the server, create a .ssh directory under the user's home directory; authorized_keys can hold several public keys
mkdir ~/.ssh
ee ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
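As an added example (not part of the original post), this shell script installs a public key the way the step above describes, but with the directory mode sshd actually accepts, and includes a check you can run afterwards; HOME_DIR and the key strings are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# HOME_DIR/.ssh/authorized_keys with the modes sshd requires and verify them.
# The directory must be 700 (a directory with mode 600 cannot be entered,
# so "chmod -R 600 ~/.ssh" locks sshd out of the file); the file must be 600.
# install_authorized_key HOME_DIR "ssh-ed25519 AAAA... comment"
install_authorized_key() {
    home="$1"; key="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # append only when this exact line is absent, so re-running is harmless
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR: exit 0 when .ssh is exactly 700 and
# authorized_keys exactly 600, 1 otherwise (find -perm with a plain mode
# is an exact match on both FreeBSD and GNU find).
check_ssh_perms() {
    home="$1"
    [ -n "$(find "$home/.ssh" -maxdepth 0 -type d -perm 700)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] || return 1
}

# count_keys HOME_DIR: number of key lines currently authorized
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}
```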
Updating the ports tree and source code
portsnap fetch extract
portsnap fetch update
Wait for it to finish; the ports tree is then up to date.
Environment settings (.cshrc)
ee ~/.cshrc
#############################################################
alias ls ls -GFw
setenv PACKAGEROOT ""
set nobeep
set prompt = '%n@%/%# '
set filec
set history = 1000
set savehist = (1000 merge)
set autolist = ambiguous
set autoexpand
set autorehash
setenv LSCOLORS ExGxFxdxCxegedabagExEx
setenv CLICOLOR yes
#############################################################
Boot tuning (loader.conf)
ee /boot/loader.conf
#############################################################
autoboot_delay="0"
beastie_disable="YES"
kern.ipc.nmbclusters="32768"
kern.ipc.somaxconn="1024"
kern.maxusers="256"
kern.maxfilesperproc="16384"
#############################################################
Edit /etc/resolv.conf and make sure the first nameserver entry is 127.0.0.1, otherwise the local DNS cache is not used. It should look like this:
ee /etc/resolv.conf
search hengrun-gd.com
nameserver 127.0.0.1
nameserver 221.4.8.1
nameserver 221.5.88.88
nameserver 210.21.196.6
Edit /etc/rc.conf and make sure it contains the following
ee /etc/rc.conf
named_enable="YES"
Then run the following command
/etc/rc.d/named start
Using pkg_add
For example, when you install lynx with pkg_add -rv lynx, the package is fetched from the default FTP site,
but you can change the environment variable so that pkg_add -r fetches from our own FTP server instead; set it as follows
bash shell
export PACKAGEROOT="ftp://ftp.freebsd.org"
csh shell
setenv PACKAGEROOT "ftp://ftp.freebsd.org"
Empty /etc/motd to prevent system information leakage
echo "" > /etc/motd
ee /etc/rc.conf
#############################################################
hostname="log.hengrun-gd.com"
ifconfig_fxp0="inet 10.1.9.1 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
defaultrouter="10.1.9.252"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
#########################################
fsck_y_enable="YES"
update_motd="NO"
keyrate="fast"
#########################################
kern_securelevel_enable="YES"
kern_securelevel="-1"
#########################################
syslogd_enable="YES"
syslogd_flags="-ss"
#########################################
enable_quotas="YES"
check_quotas="YES"
#########################################
tcp_extensions="YES"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
#########################################
#named_enable="YES"
#mysql_enable="YES"
#apache2_enable="YES"
#########################################
#postfix_enable="YES"
sendmail_enable="NONE"
#########################################
ee /etc/make.conf
##########################################
# added by use.perl 2010-08-02 05:10:35
#PERL_VERSION=5.12.3
##########################################
#CPUTYPE=core
WITHOUT_X11=yes
WITH_OPENSSL_PORT=yes
WITH_APACHE2=yes
WITH_MYSQL_VER=56
WITH_BDB_VER=53
WITH_DB_VER=41
WITH_OPENLDAP_VER=24
DEFAULT_PGSQL_VER=94
#MASTER_SITE_BACKUP?= \
#
#MASTER_SITE_OVERRIDE?= ${MASTER_SITE_BACKUP}
NO_GAMES=true
NO_SENDMAIL=true
NO_BLUETOOTH=true
NO_MODULES=true
##########################################
#FETCH_CMD= /usr/local/bin/wget
#FETCH_BEFORE_ARGS= -c -t 1
#FETCH_AFTER_ARGS=
#DISABLE_SIZE=yes
########################################
#FETCH_CMD= /usr/local/bin/axel
#FETCH_BEFORE_ARGS= -a
#FETCH_AFTER_ARGS=
#DISABLE_SIZE=yes
########################################
Variable: meaning
WITH_APACHE2: if defined, apache2 is used instead of the apache installed by the system.
WITH_DB_VER: 41, 42
WITH_BDB_VER: the Berkeley DB version; possible values include 4.8, 5.3, 6.1.
WITH_MYSQL_VER: the MySQL version to use; possible values include 51, 55, 56.
DEFAULT_PGSQL_VER: the PostgreSQL version to use; possible values include 84, 90, 91, 92, 93, 94.
WITH_OPENLDAP_VER: the OpenLDAP version to use; possible values include 24.
WITHOUT_NLS: disables internationalization support, which saves build time.
WITH_OPENSSL_BASE: use the OpenSSL version from the base system.
WITH_OPENSSL_PORT: use the OpenSSL version installed from ports, overriding the one in the base system.
WITHOUT_X11: when set, build a version without X support.
X_WINDOW_SYSTEM=xorg
# Currently the following CPU types are recognized:
# Intel x86 architecture:
# (AMD CPUs) opteron, athlon64, athlon-fx, k8, athlon-mp, athlon-xp, k7, geode,
# (Intel CPUs) core2, core, nocona, pentium4m, pentium4,
# AMD64 architecture: opteron, athlon64, k8, core2, nocona
Forcing an install
make install FORCE_PKG_REGISTER="yes"
Installing wget to speed up downloads
cd /usr/ports/ftp/wget/ && make install clean
pkg install ftp/wget
ee /etc/make.conf
##########################################
FETCH_CMD= /usr/local/bin/wget
FETCH_BEFORE_ARGS= -c -t 1
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes
##########################################
Installing axel to speed up downloads
cd /usr/ports/ftp/axel/ && make install clean
ee /etc/make.conf
##########################################
FETCH_CMD= /usr/local/bin/axel
FETCH_BEFORE_ARGS= -a
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes
##########################################
If you use a proxy server, also add
FETCH_ENV=http_proxy=http://10.1.9.12:8080
FETCH_ENV=ftp_proxy=
Installing CVSup
cd /usr/ports/net/cvsup-without-gui/ && make install clean
pkg install net/cvsup-static
Installing the CVSup speed test
cd /usr/ports/sysutils/fastest_cvsup/ && make install clean
pkg install sysutils/fastest_cvsup
Testing speed
# fastest_cvsup -c cn
Subversion uses URLs to designate a repository, taking the form of protocol://hostname/path. Mirrors may support different protocols as specified below. The first component of the path is the FreeBSD repository to access. There are three different repositories, base for the FreeBSD base system source code, ports for the Ports Collection, and doc for documentation. For example, the URL svn://svn0.us-east.FreeBSD.org/ports/head/ specifies the main branch of the ports repository on the svn0.us-east.FreeBSD.org mirror, using the svn protocol.
A checkout from a given repository is performed with a command like this:
# svn checkout svn-mirror/repository/branch lwcdir
where:
svn-mirror is a URL for one of the Subversion mirror sites.
repository is one of the Project repositories, i.e., base, ports, or doc.
branch depends on the repository used. ports and doc are mostly updated in the head branch, while base maintains the latest version of -CURRENT under head and the respective latest versions of the -STABLE branches under stable/8 (for 8.x), stable/9 (9.x) and stable/10 (10.x).
lwcdir is the target directory where the contents of the specified branch should be placed. This is usually /usr/ports for ports, /usr/src for base, and /usr/doc for doc.
The handbook's example checks out the Ports Collection from the western US repository using the HTTPS protocol, placing the local working copy in /usr/ports; the commands below do the same for the stable/10 branch of base, placing it in /usr/src. If the target directory is already present but was not created by svn, remember to rename or delete it before the checkout.
svn checkout https://svn0.us-west.FreeBSD.org/base/stable/10/ /usr/src
svn checkout https://svn0.us-east.FreeBSD.org/base/stable/10/ /usr/src
svn update /usr/src
Updating the system source over ADSL takes about 30 minutes.
MAKE WORLD: upgrading the operating system and building a custom kernel
Once the source is updated, first rebuild the system (make world). Since our system is freshly installed and clean, there should not be many problems. Enter
cd /usr/src && make -j4 buildworld
This starts a build that takes about 30 minutes. If the build completes without problems, continue with
cd /usr/src && make installworld
which brings the system up to the latest version; after that you can reboot the machine.
What do I do if something goes wrong?
Make absolutely sure your environment contains no leftovers from a previous build. That is simple:
chflags -R noschg /usr/obj/usr
rm -rf /usr/obj/usr
cd /usr/src
make cleandir
make cleandir
No, that is not a mistake: make cleandir really does need to be run twice.
Then start the whole process again, beginning with make buildworld.
Run the configuration-file upgrade; during this process you need to press i so that the system performs the upgrade
cd /usr/src && mergemaster -i
Assuming we have already written /etc/mergemaster.rc, we only need to uncomment the option below that the system requires,
ee /etc/mergemaster.rc
IGNORE_FILES='/etc/motd /etc/printcap /etc/passwd /etc/master.passwd /etc/group /etc/rc.conf /etc/make.conf /etc/profile /etc/hosts.allow /etc/hosts'
After making the change, run mergemaster
#mergemaster -a
After the configuration files have been upgraded we need to build a custom kernel. I do not think I need to explain why a custom kernel is necessary; read the relevant part of the handbook and this post carefully.
To configure your own kernel, copy GENERIC to a separate file. By convention this file is named after the hostname.
For example, if I name this web machine mail.myhost.com, I name the configuration file mail.
On FreeBSD 5.X and later you can still generate the LINT file with the following command
cd /usr/src/sys/i386/conf && make LINT
To save space, part of the comments at the top of this file have been removed.
What we need to do now is remove every device we do not need. Black marks additions and grey marks entries that were masked out; this configuration is the one used on a production server.
ee /usr/src/sys/i386/conf/m3
Then edit it with ee fax. We use a real GENERIC file as the illustration.
#
# fax -- FreeBSD/i386 kernel configuration file
#####################################################
cpu I686_CPU
ident m1
maxusers 0
options INCLUDE_CONFIG_FILE # Include this file in kernel
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
device npx
device crypto
device cryptodev
options INET # InterNETworking
options ACCEPT_FILTER_HTTP
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options DIRECTIO
options DEVICE_POLLING
options ZERO_COPY_SOCKETS
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options QUOTA
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat (sgtty)
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options P1003_1B_SEMAPHORES # POSIX-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING
options PRINTF_BUFR_SIZE=128
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS
options AUDIT # Security event auditing
options MAC # TrustedBSD MAC Framework
options FLOWTABLE # per-cpu routing cache
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# Bus support.
device acpi
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
device mpt # LSI-Logic MPT-Fusion
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Add suspend/resume support for the i8254.
device pmtimer
# Serial (COM) ports
#device sio # 8250, 16[45]50 based serial ports
device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to sio, uart and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
device em # Intel PRO/1000 Gigabit Ethernet Family
device igb # Intel PRO/1000 PCIE Server Gigabit Family
device ixgb # Intel PRO/10GbE Ethernet Card
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device pty # BSD-style compatibility pseudo ttys
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
device carp
# PF kernel options
device pf
device pflog
device pfsync
# ALTQ kernel options will enable additional functionality
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device uhid # "Human Interface Devices"
device ukbd # USB Keyboard
device ums # Mouse
#####################################################
After editing the configuration file, build and install the kernel with the following commands
cd /usr/src && make buildkernel KERNCONF=m3
This build takes about 20 minutes. When it finishes, do not rush to install; back up the old kernel first in case something goes wrong.
cd /boot && rm -R kernel.old
cd /boot && cp -R kernel kernel.old
Then install the kernel
cd /usr/src && make installkernel KERNCONF=m3
After installation you can reboot.
Installing server software
After the new slimmed-down kernel is built, the next step is installing application software. I suggest installing in the order I give below. Before installing software, it is advisable to first run
ee /etc/make.conf
##########################################################
# added by use.perl 2010-08-26 21:03:20
PERL_VERSION=5.10.1
CPUTYPE=i686
WITHOUT_X11=yes
WITH_OPENSSL_PORT=yes
WITH_APACHE2=yes
WITH_MYSQL_VER=51
WITH_BDB_VER=44
WITH_OPENLDAP_VER=23
MASTER_SITE_BACKUP?= \
MASTER_SITE_OVERRIDE?= ${MASTER_SITE_BACKUP}
NO_GAMES=true
NO_SENDMAIL=true
NO_BLUETOOTH=true
##########################################################
FETCH_CMD= /usr/local/bin/wget
DISABLE_SIZE=yes
This makes ports fetch software from domestic mirrors first; otherwise everything is downloaded from abroad, which is sometimes far too slow.
Variable: meaning
WITH_APACHE2: if defined, apache2 is used instead of the default apache.
WITH_BDB_VER: this variable selects the Berkeley DB package version; possible values include 2, 3, 41, 42, 43 and 44.
WITH_MYSQL_VER: the MySQL version to use; possible values include 323, 40, 41, 50.
DEFAULT_PGSQL_VER: the PostgreSQL version to use; possible values include 73, 74, 80, 81.
WITH_OPENLDAP_VER: the OpenLDAP version to use; possible values include 22, 23, 24.
WITHOUT_NLS: indicates that internationalization support is not needed, which saves build time. Internationalization is enabled by default.
WITH_OPENSSL_BASE: use the OpenSSL version from the base system.
WITH_OPENSSL_PORT: use the OpenSSL version installed from ports, overriding the one installed by the base system.
WITHOUT_X11: when set, build a version without X support.
X_WINDOW_SYSTEM=xorg
Example system tuning (sysctl.conf)
ee /etc/sysctl.conf
#############################################################
security.bsd.see_other_uids=0
kern.ipc.maxsockbuf=8388608
kern.ipc.shm_use_phys=0
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
kern.coredump=0
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
net.local.dgram.maxdgram=16384
net.local.dgram.recvspace=65536
net.inet.tcp.syncookies=1
net.inet.tcp.log_in_vain=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.tcp.drop_synfin=1
net.inet.tcp.always_keepalive=1
net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.tcp.inflight.enable=1
net.inet.ip.redirect=0
net.inet.ip.fastforwarding=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1
net.inet.udp.checksum=1
net.inet.raw.maxdgram=65536
net.inet.raw.recvspace=65536
vfs.vmiodirenable=1
#############################################################
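As an added example (not from the original post), this script compares the tunables in a sysctl.conf file against what the running kernel reports, so you can confirm after a reboot that the hardening values above (blackhole, drop_synfin, see_other_uids and so on) really took effect; the getter command is an assumption that defaults to the FreeBSD sysctl -n invocation.

```shell
#!/bin/sh
# Added example (not from the original post): audit drift between the
# tunables in a sysctl.conf-style file and what the running kernel reports.
# GETTER is a command that prints one value for a key; on FreeBSD use the
# default "sysctl -n". Prints one line per mismatch; the exit status is the
# number of mismatches (0 means the live kernel matches the file).
# sysctl_drift CONF_FILE [GETTER]
sysctl_drift() {
    conf="$1"; getter="${2:-sysctl -n}"
    mismatches=0
    # drop comments and blank lines, remove spaces around "=", one "key=value" per word
    for entry in $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | tr -d ' \t'); do
        key=${entry%%=*}
        want=${entry#*=}
        have=$($getter "$key" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, kernel has %s\n' "$key" "$want" "${have:-<missing>}"
            mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# Run against the live system when the post's file is present (harmless
# elsewhere: unknown keys are simply reported as missing).
[ -r /etc/sysctl.conf ] && sysctl_drift /etc/sysctl.conf || true
```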
Forcing an install
make install FORCE_PKG_REGISTER="yes"
Ports update tool
cd /usr/ports/ports-mgmt/portupgrade/ && make install clean
rehash
portupgrade -ar
This automatically downloads and upgrades everything installed to the latest version, applying all patches as well.
Installing portaudit, a tool that checks installed third-party software for security problems
cd /usr/ports/ports-mgmt/portaudit/ && make install clean
rehash
/usr/local/sbin/portaudit -Fda
Edit /etc/rc.conf and add the following
ee /etc/rc.conf
named_enable="YES"
Edit /etc/resolv.conf and make sure the first nameserver entry is 127.0.0.1, like this:
ee /etc/resolv.conf
domain hengrun-gd.com
nameserver 127.0.0.1
nameserver 221.4.66.66
nameserver 210.21.4.130
nameserver 221.4.8.1
nameserver 221.4.9.48
nameserver 210.21.196.6
Then restart the named service
/etc/rc.d/named start
##################################################################
A. Installing MySQL 4.1
cd /usr/ports/databases/mysql41-server
make clean
make BUILD_OPTIMIZED=yes BUILD_STATIC=yes WITH_XCHARSET=all install
This downloads and installs the database. After the build and install, reboot the machine to start the mysqld daemon
Set it to start at boot
ee /etc/rc.conf
mysql_enable="YES"
cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf
# This has been confirmed; do not change it
Start MySQL
/usr/local/etc/rc.d/mysql-server start
Confirm that the MySQL server is running
netstat -an | grep LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN
Change the password
/usr/local/bin/mysqladmin -u root password ww123456
Configure the maximum number of connections and the bind address
ee /etc/my.cnf
#################################################################
[mysqld]
bind_address=127.0.0.1
set-variable = max_connections=1024
#################################################################
mysqladmin -uroot -p variables
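An added example (not from the original post) for the check that follows the bind_address change: it parses netstat -an output and confirms that a port is listening on loopback only, using constructed sample lines modelled on the post's netstat output.

```shell
#!/bin/sh
# Added example (not from the original post): check, from "netstat -an"
# output, that a service listens on loopback only. The post binds MySQL
# with bind_address=127.0.0.1; this is the corresponding verification.
# port_loopback_only PORT  (reads netstat output on stdin)
#   exit 0: every LISTEN socket on PORT is on 127.0.0.1 or ::1
#   exit 1: at least one LISTEN socket on PORT is on * or another address
#   exit 2: nothing is listening on PORT at all
port_loopback_only() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            # field 4 is the local address: "*.3306", "127.0.0.1.3306", "::1.3306"
            n = split($4, a, ".")
            if (a[n] != port) next
            seen++
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1") bad++
        }
        END { if (seen == 0) exit 2; exit (bad > 0) ? 1 : 0 }'
}

# Constructed samples modelled on the post's netstat output: before the
# bind_address change MySQL listens on the wildcard, afterwards on loopback.
BEFORE_BIND='tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN'
AFTER_BIND='tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 127.0.0.1.3306 *.* LISTEN'

# report LABEL SAMPLE PORT: prints a one-line verdict for a sample
report() {
    if printf '%s\n' "$2" | port_loopback_only "$3"; then
        echo "$1: port $3 is loopback-only"
    else
        echo "$1: port $3 is NOT loopback-only (status $?)"
    fi
}
report before "$BEFORE_BIND" 3306
report after "$AFTER_BIND" 3306
```

On the live machine, feed it the real output: netstat -an | port_loopback_only 3306.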
B. Installing the Apache server
Installing apache20
cd /usr/ports/www/apache20
make WITH_APACHE_SUEXEC=yes APACHE_HARD_SERVER_LIMIT=2048 APACHE_PERF_TUNING=yes install
Set apache2 to start automatically at boot
ee /etc/rc.conf
apache2_enable="YES"
apache2_flags="-DSSL"
Edit the apache2 configuration file
cd /usr/local/etc/apache22 && ee httpd.conf
DirectoryIndex index.html index.html.var index.php index.phps
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
It is recommended to comment out the DefaultLanguage setting in Apache, so that it does not force a single encoding and fail to show pages in other encodings. To change the Apache server's default display of Chinese, use
DefaultLanguage zh-CN
AddDefaultCharset GB2312
Creating the SSL key and certificate
cd ~
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
Test and view their contents
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl x509 -noout -text -in server.crt
Copy the key and certificate into the apache2 directory
mkdir -m 0700 /usr/local/etc/apache2/ssl.key
mkdir -m 0700 /usr/local/etc/apache2/ssl.crt
mkdir -m 0700 /usr/local/etc/apache2/ssl.csr
cp ~/server.key /usr/local/etc/apache2/ssl.key/
cp ~/server.crt /usr/local/etc/apache2/ssl.crt/
chmod 0600 /usr/local/etc/apache2/ssl.key/server.key
chmod 0600 /usr/local/etc/apache2/ssl.crt/server.crt
openssl genrsa -des3 -out server.key 1024
The -des3 option encrypts the newly generated private key with DES3, so the passphrase must be entered every time the key is used. If the certificate is used on a server such as apache, you would have to enter the passphrase each time the server starts, which is very inconvenient, so most people omit -des3 and generate an unencrypted private key: no passphrase is asked for and the key is not encrypted.
Installing FastCGI script acceleration
cd /usr/ports/www/mod_fastcgi
make WITH_APACHE2=yes install
##############################mod_fastcgi################################
LoadModule fastcgi_module libexec/apache2/mod_fastcgi.so
AddHandler fastcgi-script fcgi fcgi fpl
##############################mod_fastcgi################################
Installing mod_security to harden apache; it works well against SQL injection
cd /usr/ports/www/mod_security
make WITH_APACHE2=yes install
##############################mod_security###############################
LoadModule security_module libexec/apache2/mod_security.so
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterDefaultAction "deny,log,status:500"
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
#SecAuditLog logs/audit_log
#####
SecFilter "\.\./"
#####
SecFilter /etc/*passwd
SecFilter /bin/*sh
#for css attack
SecFilter "<( | )*script"
SecFilter "<(.| )+>"
#for sql attack
SecFilter "delete[ ]+from"
SecFilter "insert[ ]+into"
SecFilter "select.+from"
SecFilter "union[ ]+from"
SecFilter "drop[ ]"
#################mod_security##################
Installing mod_limitipconn2 to limit the number of connections per IP address
cd /usr/ports/www/
make WITH_APACHE2=yes install
After the build, be sure to remember the following
################mod_limitipconn#################
#ExtendedStatus On
################
LoadModule limitipconn_module libexec/apache2/mod_limitipconn.so
MaxConnPerIP 3
NoIPLimit image/*
################mod_limitipconn#################
Installing mod_dosevasive20 to defend against DDoS attacks
cd /usr/ports/www/mod_dosevasive20
make WITH_APACHE2=yes install
################mod_dosevasive################
LoadModule dosevasive20_module libexec/apache2/mod_dosevasive20.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
################mod_dosevasive################
Then run httpd -t to check whether httpd.conf is OK
If it is OK, everything is done; just restart your apache2
Starting apache2
/usr/local/sbin/apachectl start
/usr/local/sbin/apachectl stop
Confirm that apache2 is running
ps -ax |grep http
34339 ?? Ss 0:00.04 /usr/local/sbin/httpd -k start
34340 ?? S 0:00.00 /usr/local/sbin/httpd -k start
34341 ?? S 0:00.00 /usr/local/sbin/httpd -k start
66241 p1 S+ 0:00.00 grep http
C. Installing the PHP interpreter
cd /usr/ports/lang/php5/ && make install clean
During installation select OPENSSL and MULTIBYTE (multi-byte) support.
cd /usr/local/etc/ && cp php.ini-development php.ini
D. Installing the required PHP extension modules
cd /usr/ports/lang/php5-extensions && make install clean
[X] BCMATH
[X] BZ2
[X] CRACK
[X] CTYPE
[X] CURL
[X] FTP
[X] GD
[X] GETTEXT
[X] ICONV
[X] IMAGICK
[X] IMAP
[X] MBSTRING
[X] MCRYPT
[X] MYSQL
[X] OVERLOAD
[X] PCRE
[X] POSIX
[X] SESSION
[X] TOKENIZER
[X] XML
[X] XMLRPC
[X] ZIP
[X] ZLIB
# The modules enabled for the PHP extensions can be seen in
ee /usr/local/etc/php/extensions.ini
Restart the system
reboot
Test the PHP info page
ee /usr/local/www/data/index.php
<?php
phpinfo();
?>
netstat -na |grep LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 127.0.0.1.3306 *.* LISTEN
Finally open a browser and check whether php5 is active.
E. Installing Zend:
Because of licensing issues, the system will not download this package automatically. You need to go to the Zend website () and download the FreeBSD version, put it in /usr/ports/distfiles, and then install.
cd /usr/ports/devel/ZendOptimizer
make install clean
# After installation, add the following to /usr/local/etc/php.ini.
ee /usr/local/etc/php.ini
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20020429/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20020429/Optimizer_TS"
zend_extension="/usr/local/lib/php/20020429/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20020429/ZendExtensionManager_TS.so"
F. Installing phpMyAdmin
cd /usr/ports/databases/phpmyadmin
make fetch
cd /usr/ports/distfiles && ls | grep phpMyAdmin
phpMyAdmin-2.6.4-pl3.tar.bz2
tar jxvf phpMyAdmin-2.6.4-pl3.tar.bz2
mv phpMyAdmin-2.6.4-pl3 /usr/local/www/data/phpmyadmin
# Configure phpMyAdmin
# Open /usr/local/www/data/phpmyadmin/config.inc.php and edit it
cd /usr/local/www/data/phpmyadmin && cp config.default.php config.inc.php
ee config.inc.php
$cfg['PmaAbsoluteUri'] = '';
$cfg['Servers'][$i]['auth_type'] = 'http';
# Open it: the username is root and the password is empty
# Note: the MySQL password is empty; after logging in, change the password immediately, or do the following
mysqladmin -u root -p password 123456
# 123456 is your new password; if the database already has a password you must enter the old one first.
G. Installing the blog
cd /usr/ports/www/lifetype
make install
**** NOTE ****
For first use of LifeType, remember to point your browser to
and, remember to load your templates at
and then click 'scanTemplates'
H. Installing the phpBB forum
cd /usr/ports/www/phpbb
make install
Installing the phpBB Chinese language pack
cd /usr/local/www/data/phpBB2/language
tar zxvf lang_chinese_simplified.tar.gz
cd /usr/local/www/data/phpBB2/templates
tar zxvf subsilver_chinese_simplified.tar.gz
# Open your forum and take a look
Use the following command to check whether IMAP/POP is listening on the correct ports, ready to serve
sockstat -l4
shutdown -p now
chown -R vmail:vmail /var/tmp/extman/