2015-05-04 11:12:24
原文地址:nginx+php配置标准化 作者:raochaoxun
运维规范要求严格遵守
1、严格禁止使用root进行操作,如果确实需要请用sudo; php 使用 www 用户,C++使用user_00 用户。
2、严格禁止在正式环境修改代码,或把正式环境当成测试环境使用;正式环境只能通过log来定位问题。修改代码只能通过版本发布方式,发布需要经过直属领导批准才能进行。
3、log 全部在 /opt/logs 目录下,包括 php,nginx, c++sever,mysql, redis。 不要分散在各个地方。避免新人找不到地方。
4、业务server和代码 部署在 /opt/yoursite/业务 目录下
5、 错误逻辑必须加上文件log,关键路径地方的正确逻辑也必须加上文件log日志。
删除现有visudo 内,使用下面内容全部替换,只赋予www和user_00用户sudo权限, 平时操作禁止使用root
$ visudo
# Cmnd_Alias: the list of commands that may be run through sudo; prefixing a command with "!" denies it.
# Always give commands by absolute path, so a same-named binary in another directory cannot be run
# instead (a security risk) — and invoke them by absolute path when calling sudo as well.
# NOTE(review): this alias does not constrain the caller in practice. The editors (vim, nano), find,
#   rsync, yum, nice/ionice and service can each launch further programs as root, and chmod/chown can
#   change the permissions of any file; a NOPASSWD grant of this list is equivalent to unrestricted
#   root. /bin/kill is also listed twice.
Cmnd_Alias WHEELER =/usr/sbin/tcpdump, /bin/ls, /bin/cat, /usr/sbin/lsof, /bin/nice, /bin/ps, /usr/bin/top, /usr/local/bin/nano, /usr/sbin/ss, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync, /bin/netstat, /usr/bin/vmstat, /usr/bin/iostat,/usr/bin/mpstat, /usr/bin/yum,/bin/kill, /usr/bin/ionice, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill, /bin/kill, /sbin/service, /usr/bin/vim, /usr/bin/nano, /bin/grep, /bin/find, /bin/chmod,/bin/chown, /bin/mkdir, /usr/bin/updatedb
# User_Alias: the list of users that receive sudo rights.
User_Alias USER_FLAG = www, user_00
root ALL = (ALL) ALL
# NOTE(review): www is the account nginx and PHP-FPM run as (see the nginx/php-fpm sections of this
#   guide), so any compromise of the web application inherits this password-less sudo grant. Keep the
#   service account out of sudoers and give interactive operators personal logins instead.
USER_FLAG ALL = (ALL) NOPASSWD: WHEELER
# !requiretty lets sudo run without a tty (scripts/cron); !umask keeps the caller's umask.
Defaults !requiretty, !umask
# visiblepw permits a password prompt even when the terminal would echo it; insults/lecture are cosmetic.
Defaults visiblepw, path_info, insults, lecture=always
# Audit trail: unwrapped lines to /opt/logs/sudo/sudo.log with year and host, plus syslog facility auth.
Defaults loglinelen = 0, logfile =/opt/logs/sudo/sudo.log, log_year, log_host, syslog=auth
# Mail on bad passwords, unknown users and denied commands (the address is a placeholder to replace).
Defaults mailto=webmaster@foobar.com, mail_badpass, mail_no_user, mail_no_perms
# 8 password attempts; the prompt times out after 1 minute.
Defaults passwd_tries = 8, passwd_timeout = 1
# Reset the environment and HOME/LOGNAME for the target user.
Defaults env_reset, always_set_home, set_home, set_logname
# Ignore the caller's EDITOR/VISUAL; sudoedit/visudo choose from this fixed list.
Defaults !env_editor, editor="/usr/bin/vim:/usr/bin/vi:/usr/bin/nano"
# Cached credentials stay valid for 360 minutes (irrelevant to the NOPASSWD rule above).
Defaults timestamp_timeout=360
Defaults passprompt="Sudo invoked by [%u] on [%H] - Cmd run as %U - Password for user %p:"
# Fixed PATH for commands run through sudo.
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
www 帐号给linux 和php启动使用。
user_00 帐号主要是给一些脚本用户使用。
日志目录全部在/opt/logs 下面,包括nginx 和 php,c++
# Create the two service accounts described above: www for nginx/PHP, user_00 for scripts.
$ useradd -m -U user_00
$ useradd -m -U www
# Site code lives under /opt/yoursite, every log under /opt/logs (rules 3 and 4 above).
$ mkdir -p /opt/yoursite/业务名字
$ mkdir -p /opt/logs/nginx
$ mkdir -p /opt/logs/php-fpm
$ mkdir -p /opt/logs/sudo
$ mkdir -p /opt/logs/业务名字/web
$ mkdir -p /opt/logs/业务名字/server
# NOTE(review): a+rwx makes the whole log tree AND the deployed-code tree world-writable, so any local
#   account (not only www/user_00) can alter the PHP code nginx serves or tamper with the logs used to
#   debug production — which defeats rule 2. Prefer chown -R www:www with 750/770-style modes over a+rwx.
# NOTE(review): find | xargs without -print0/-0 breaks on paths containing whitespace; use
#   find ... -exec chmod ... {} + instead.
chmod a+rwx /opt/logs
$ find /opt/logs -type d | xargs chmod a+rwx
$ find /opt/logs -type f | xargs chmod a+rw
$ chmod a+rwx /opt/yoursite
$ find /opt/yoursite -type d | xargs chmod a+rwx
$ find /opt/yoursite -type f | xargs chmod a+rw
添加完后,退出root用户,切换到www用户
4.1 修改安装源,不使用缺省源,使用指定安装源, 先备份禁用已有的缺省安装源
cd /etc/yum.repos.d/
rename .repo .repo.bak *.repo
$ ll
total 16
-rw-r--r-- 1 root root 1608 Apr 15 19:18 CentOS-Base.repo.bak
-rw-r--r-- 1 root root 637 Dec 9 2011 CentOS-Debuginfo.repo.bak
-rw-r--r-- 1 root root 626 Dec 9 2011 CentOS-Media.repo.bak
4.2 添加新的自建安装源
$ vim mirrors_stevenrao.repo
# [serverid] distinguishes the repositories; it must be unique, but the name itself is arbitrary.
[stevenrao-base]
name=centos-$releasever-stevenrao-base
# baseurl is intentionally left empty — fill in the URL of the internal mirror host.
baseurl=
enabled=1
# NOTE(review): gpgcheck=0 disables RPM signature verification, so whatever the mirror (or anything on
#   the path to it) serves is installed unchecked; keep gpgcheck=1 and point gpgkey= at the CentOS
#   release key, which a self-hosted mirror of signed packages still satisfies.
gpgcheck=0
# released updates
[stevenrao-update]
name=centos-$releasever-stevenrao-update
baseurl=
enabled=1
# NOTE(review): same as above — signature checks are off for the updates repo too.
gpgcheck=0
4.3 增加源host的ip解析
$ vim /etc/hosts
xx.xx.xx.xx yum.yoursite.com
5.1 安装nginx
$ yum install nginx
5.2 创建对应的log目录
$ mkdir -p /opt/logs/nginx
$ find /opt/logs -type d | xargs chmod a+rwx
$ chmod a+rw /opt/logs/ -R
5.3 备份现有nginx配置
$ mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
5.4 编辑新的 nginx.conf
$ vim /etc/nginx/nginx.conf
# /etc/nginx/nginx.conf — worker processes run as www, the same account PHP-FPM uses.
user www;
# NOTE(review): 24 workers with 24 hand-written affinity masks are tuned for a 24-core host; adjust
#   both to the target machine (or use worker_processes auto and drop the masks).
worker_processes 24;
worker_rlimit_nofile 100000;
worker_cpu_affinity 000000000000000000000001 000000000000000000000010 000000000000000000000100 000000000000000000001000 000000000000000000010000 000000000000000000100000 000000000000000001000000 000000000000000010000000 000000000000000100000000 000000000000001000000000 000000000000010000000000 000000000000100000000000 000000000001000000000000 000000000010000000000000 000000000100000000000000 000000001000000000000000 000000010000000000000000 000000100000000000000000 000001000000000000000000 000010000000000000000000 000100000000000000000000 001000000000000000000000 010000000000000000000000 100000000000000000000000;
# Global error log under /opt/logs (rule 3); warn level and above.
error_log /opt/logs/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
use epoll;
worker_connections 65535;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
output_buffers 1 128k;
# Do not log 404s for missing files; inherited by every vhost included below.
log_not_found off;
keepalive_timeout 65;
# Hide the nginx version in the Server header and error pages.
server_tokens off;
# gzip text-like responses >= 1k, except for old MSIE.
gzip on;
gzip_comp_level 5;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/javascript application/json;
gzip_http_version 1.0;
gzip_vary on;
# Access-log format used by the vhosts; includes request and upstream (PHP-FPM) timings.
# NOTE(review): $http_x_forwarded_for is copied from a client-supplied header — trust it in the logs
#   only when a known proxy in front of nginx sets it.
log_format main '$remote_addr $http_x_forwarded_for [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$request_time" "$upstream_response_time"';
server_names_hash_max_size 4096;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
# Whole request body up to 100m; PHP's upload_max_filesize (20M in this guide) applies per file on top.
client_max_body_size 100m;
# FastCGI (PHP-FPM) timeouts and buffers shared by all vhosts.
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
# Let nginx serve its own error pages for 4xx/5xx responses coming back from FastCGI.
fastcgi_intercept_errors on;
# Catch-all for requests whose Host matches no vhost: refuse them instead of serving the first vhost.
server
{
listen 80 default;
server_name _;
access_log off;
location /
{ return 403;
}
}
# Per-site configuration.
include /etc/nginx/nginx_vhost/*.conf;
}
5.5 新增配置 /etc/nginx/nginx_vhost/业务名字.yoursite.com.conf
$ mkdir -p /etc/nginx/nginx_vhost/
$ vim /etc/nginx/nginx_vhost/业务名字.yoursite.com.conf
# /etc/nginx/nginx_vhost/业务名字.yoursite.com.conf — one server block per site.
server
{
listen 80;
server_name 业务名字.yoursite.com;
charset utf8; index index.html index.htm index.php;
# Document root is the site's web/ directory under /opt/yoursite (rule 4).
root /opt/yoursite/业务名字/web;
# NOTE(review): there is no proxy_pass in this server, so these two proxy_set_header lines have no
#   effect unless a location adds one.
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
# Per-site access/error logs under /opt/logs/nginx, using the "main" format from nginx.conf.
access_log /opt/logs/nginx/${server_name}.access.log main;
error_log /opt/logs/nginx/业务名字.yoursite.com.error.log info;
log_not_found off;
# Front controller: any path that is not an existing file or directory is rewritten to /index.php/<uri>.
# NOTE(review): (.*) captures the whole URI including its leading slash, so the result is
#   /index.php//path — confirm the application tolerates the doubled slash, or replace if+rewrite
#   with try_files $uri $uri/ /index.php$uri;
location / { if (!-e $request_filename){
rewrite (.*) /index.php/$1;
}
}
# Hand *.php (plus any trailing PATH_INFO) to PHP-FPM on loopback.
# NOTE(review): nothing here verifies that the script named by SCRIPT_FILENAME exists before the
#   request is passed to FPM. Add `try_files $fastcgi_script_name =404;` in this location (and set
#   cgi.fix_pathinfo = 0 in php.ini / keep security.limit_extensions at its default in the pool) so
#   that only real .php files under root are ever executed.
location ~ ^(.+\.php)(.*)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include fastcgi_params;
}
# Static assets are served from a separate front/ tree and cached client-side for 12 h.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css|html)$ {
root /opt/yoursite/业务名字/front;
expires 12h;
}
# Build redirects from the request's Host header rather than from server_name.
server_name_in_redirect off;
}
6.1 安装php
$ yum install php-common php php-mbstring php-xml php-fpm php-cli php-opcache php-process php-pear php-gd
6.2 修改 /etc/php.ini 配置
//查看php.ini的位置
$ php -i | grep 'php.ini'
$ mkdir -p /opt/logs/php/
$ find /opt/logs -type d | xargs chmod a+rwx
$ find /opt/logs -type f | xargs chmod a+rw
$ vim /etc/php.ini
; servertype = production or develop
; NOTE(review): servertype is not a PHP directive — presumably the application reads it; confirm
;   something actually consumes it.
servertype = production
; Timezone for the date functions.
date.timezone = PRC
; Write errors to a file (rule 5) instead of the output.
log_errors = On
; NOTE(review): two directives share this line. php.ini takes one key = value per line, so as written
;   the remainder is either parsed into error_log's value or rejected — split into
;   "error_log = /opt/logs/php/php_error.log" and "memory_limit = 256M".
error_log = /opt/logs/php/php_error.log memory_limit = 256M
; Only error-class messages are reported: deprecations, strict, notices and warnings are all masked.
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT & ~E_NOTICE & ~E_WARNING
;auto_prepend_file
;auto_append_file
;extension_dir
; Upload caps: 20M per file, at most 50 files per request (nginx's client_max_body_size bounds the
; whole body separately).
upload_max_filesize = 20M
max_file_uploads = 50
;sendmail_path =
; NOTE(review): not set here, worth adding for production: expose_php = Off (pairs with nginx's
;   server_tokens off) and cgi.fix_pathinfo = 0, so that only the exact script nginx names in
;   SCRIPT_FILENAME is executed.
6.3 修改php-fpm配置
$ mkdir -p /opt/logs/php-fpm/
$ find /opt/logs -type d | xargs chmod a+rwx
$ find /opt/logs -type f | xargs chmod a+rw
$ vim /etc/php-fpm.conf
; Global php-fpm master settings (pool settings live in /etc/php-fpm.d/).
error_log = /opt/logs/php-fpm/php-fpm-error.log
; Restart the master if 10 children die abnormally within 1 minute.
emergency_restart_threshold = 10
emergency_restart_interval = 1m
; Children get 5 s to honour a reload/stop signal before being killed.
process_control_timeout = 5s
6.4 修改 /etc/php-fpm.d/配置
; Pool runs as www (the same account as the nginx workers) and listens on loopback only.
user = www
group = www
listen = 127.0.0.1:9000
; Accept queue for the FastCGI socket (capped by net.core.somaxconn, see the sysctl section).
listen.backlog = 1024
; Only loopback clients may connect — matches nginx's fastcgi_pass 127.0.0.1:9000.
listen.allowed_clients = 127.0.0.1
; Static pool: 512 workers are forked up front. start/min_spare/max_spare apply only to pm = dynamic
; and are inert here. NOTE(review): size max_children against RAM — worst case is 512 x memory_limit.
pm = static
pm.max_children = 512
pm.start_servers = 64
pm.min_spare_servers = 32
pm.max_spare_servers = 64
; Recycle a worker after 1024 requests to bound leaks.
pm.max_requests = 1024
; Per-pool access log and slow-request log under /opt/logs/php-fpm ($pool expands to the pool name).
access.log = /opt/logs/php-fpm/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /opt/logs/php-fpm/$pool.slow.log
; Requests slower than 10 s get a backtrace in the slowlog; anything over 1 min is terminated.
request_slowlog_timeout = 10
request_terminate_timeout = 1m
rlimit_files = 65535
; Production: never show errors to clients, log them to a file instead. php_admin_* values cannot be
; overridden from scripts via ini_set().
php_flag[display_errors] = off
php_admin_value[error_log] = /opt/logs/php-fpm/php-fpm.www.log
php_admin_flag[log_errors] = on
; NOTE(review): security.limit_extensions is not set; its default (.php) is what stops FPM from
;   executing non-PHP files handed over by nginx — do not loosen it.
6.5 修改 /etc/php.d/opcache.ini 配置
; Zend OPcache: keep compiled scripts in 128 MB of shared memory, up to 4000 files.
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
; Restart the cache once 5% of its memory is wasted by stale entries.
opcache.max_wasted_percentage=5
; Key cached scripts by working directory as well as path.
opcache.use_cwd=1
; Re-check file timestamps at most every 60 s, so a release is picked up within a minute without
; restarting php-fpm.
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.fast_shutdown=1
7.1 修改 /etc/sysctl.conf
# Larger accept queue for the nginx and php-fpm listeners (listen backlogs are silently capped at this value).
net.core.somaxconn = 4096
# Reuse TIME_WAIT sockets for outgoing connections and cap the TIME_WAIT table.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 720000
保存退出后运行 sysctl -p 使配置生效
7.2 修改 /etc/security/limits.conf
# Process and open-file limits for all users (applied at next login via pam_limits; nginx's
# worker_rlimit_nofile and php-fpm's rlimit_files set their own on top).
# NOTE(review): soft nproc (20240) is higher than hard nproc (16384); setrlimit(2) rejects a soft limit
#   above the hard limit, so this pair cannot be applied as written — lower the soft value to <= 16384.
* soft nproc 20240
* hard nproc 16384
* soft nofile 65535
* hard nofile 65536
$ service php-fpm start
$ service nginx start