lamp 环境配置:
二、编译安装基本环境
1. 安装准备
1) 系统约定
软件源代码包存放位置 /usr/local/src
源码包编译安装位置(prefix) /usr/local/software_name
脚本以及维护程序存放位置 /usr/local/sbin
MySQL 数据库位置 /data/mysql/data(可按情况设置)
Apache 网站根目录 /data/www/wwwroot(可按情况设置)
Apache 虚拟主机日志根目录 /data/www/logs(可按情况设置)
Apache 运行账户 www:www (useradd -d /data/www/;chown www.www /data/www/wwwroot)
2) 系统环境部署及调整
检查系统是否正常
# tail -n100 /var/log/messages (检查有无系统级错误信息)
# dmesg (检查硬件设备是否有错误信息)
# ifconfig(检查网卡设置是否正确)
# ping www.linuxtone.org (检查网络是否正常)
3) 使用 yum 程序安装所需开发包(以下为标准的 RPM 包名称)
#rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
#yum install ntp vim-enhanced gcc gcc-c++ gcc-g77 flex bison autoconf automake bzip2-devel \
ncurses-devel zlib-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel libXpm-devel \
gettext-devel pam-devel kernel
4) 定时校正服务器时钟,定时与中国国家授时中心授时服务器同步
# crontab -e
加入一行:
15 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1
2. 编译安装软件包
源码编译安装所需包(Source)
1) GD2
# cd /usr/local/src
# tar xvf gd-2.0.35.tar.gz
# cd gd-2.0.35
# ./configure --prefix=/usr/local/gd2
# make
# make install
2) LibXML2
# cd /usr/local/src
# tar xvf libxml2-2.6.29.tar.bz2
# cd libxml2-2.6.29
# ./configure --prefix=/usr/local/libxml2
# make
# make install
3) LibMcrypt
# cd /usr/local/src
# tar xvf libmcrypt-2.5.8.tar.bz2
# cd libmcrypt-2.5.8
# ./configure --prefix=/usr/local/libmcrypt
# make
# make install
4) Apache日志截断程序
# cd /usr/local/src
# tar xvf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure --prefix=/usr/local/cronolog
# make
# make install
3. 升级OpenSSL和OpenSSH
# cd /usr/local/src
# tar xvf openssl-0.9.8g.tar.gz
# cd openssl-0.9.8g
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
# cd ..
# tar xvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure \
"--prefix=/usr" \
"--with-pam" \
"--with-zlib" \
"--sysconfdir=/etc/ssh" \
"--with-ssl-dir=/usr/local/openssl" \
"--with-md5-passwords"
# make
# make install
1) 禁用 SSH V1 协议
找到#Protocol 2,1改为:Protocol 2
2) 禁用服务器端GSSAPI
找到以下两行,并将它们注释:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
3) 禁用 DNS 名称解析
找到:#UseDNS yeas改为:UseDNS no
4)禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config 找到:GSSAPIAuthentication yes 将这行注释掉。
最后,确认修改正确后重新启动 SSH 服务
# service sshd restart
# ssh -v
确认 OpenSSH 以及 OpenSSL 版本正确。
以上SSH配置可利用以下脚本自动修改:
1. -------------------cut begin-------------------------------------------
2. #init_ssh
3. ssh_cf="/etc/ssh/sshd_config"
4. sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf
5. sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
6. #client
7. sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf
8. echo "ssh is init is ok.............."
9. -------------------cut end---------------------------------------------
复制代码
架站推荐1:LEMP构建高性能WEB服务器(第二版)
Nginx 技术指南[NGINX TIPS]
三、编译安装A.M.P环境
1.下载软件编译安装
1)下载软件
# cd /usr/local/src
httpd-2.2.8.tar.gz
mysql-5.0.51b.tar.gz
php-5.2.6.tar.bz2
ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
2) 安装MySQL
查看分析你的CPU型号:
http://gentoo-wiki.com/Safe_Cflags 查找您的GCC编译参数.
确定系统CPU类型:
# cat /proc/cpuinfo | grep "model name"
执行后会看到系统中CPU的具体型号,记下CPU型号。
# tar xvf mysql-5.0.51b.tar.gz
# cd mysql-5.0.51b
# vi mysql.sh
1. -------------------cut begin-------------------------------------------
2. CHOST="i686-pc-linux-gnu"
3. CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
4. CXXFLAGS="${CFLAGS}"
5. ./configure \
6. "--prefix=/usr/local/mysql" \
7. "--localstatedir=/data/mysql/data" \
8. "--with-comment=Source" \
9. "--with-server-suffix=-LinuxTone" \
10. "--with-mysqld-user=mysql" \
11. "--without-debug" \
12. "--with-big-tables" \
13. "--with-charset=gbk" \
14. "--with-collation=gbk_chinese_ci" \
15. "--with-extra-charsets=all" \
16. "--with-pthread" \
17. "--enable-static" \
18. "--enable-thread-safe-client" \
19. "--with-client-ldflags=-all-static" \
20. "--with-mysqld-ldflags=-all-static" \
21. "--enable-assembler" \
22. "--without-isam" \
23. "--without-innodb" \
24. "--without-ndb-debug"
25. make && make install
26. mkdir -p /data/mysql/data
27. useradd mysql -d /data/mysql -s /sbin/nologin
28. /usr/local/mysql/bin/mysql_install_db --user=mysql
29. cd /usr/local/mysql
30. chown -R root:mysql .
31. chown -R mysql /data/mysql/data
32. cp share/mysql/my-huge.cnf /etc/my.cnf
33. cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
34. chmod 755 /etc/rc.d/init.d/mysqld
35. chkconfig --add mysqld
36. /etc/rc.d/init.d/mysqld start
37.
38. cd /usr/local/mysql/bin
39. for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done
40.
41. -------------------cut end---------------------------------------------
复制代码
#sh mysql.sh 即可开始编译.
3) 编译安装Apache
# cd /usr/local/src
# tar xvf httpd-2.2.8.tar.gz
# cd httpd-2.2.8
1. # ./configure \
2. "--prefix=/usr/local/apache2" \
3. "--with-included-apr" \
4. "--enable-so" \
5. "--enable-deflate=shared" \
6. "--enable-expires=shared" \
7. "--enable-rewrite=shared" \
8. "--enable-static-support" \
9. "--disable-userdir"
10. # make
11. # make install
12. # echo '/usr/local/apache2/bin/apachectl start ' >> /etc/rc.local
复制代码
4.)编译安装PHP
# cd /usr/local/src
# tar xjvf php-5.2.6.tar.bz2
# cd php-5.2.6
1. # ./configure \
2. "--prefix=/usr/local/php" \
3. "--with-apxs2=/usr/local/apache2/bin/apxs" \
4. "--with-config-file-path=/usr/local/php/etc" \
5. "--with-mysql=/usr/local/mysql" \
6. "--with-libxml-dir=/usr/local/libxml2" \
7. "--with-gd=/usr/local/gd2" \
8. "--with-jpeg-dir" \
9. "--with-png-dir" \
10. "--with-bz2" \
11. "--with-freetype-dir" \
12. "--with-iconv-dir" \
13. "--with-zlib-dir " \
14. "--with-openssl=/usr/local/openssl" \
15. "--with-mcrypt=/usr/local/libmcrypt" \
16. "--enable-soap" \
17. "--enable-gd-native-ttf" \
18. "--enable-ftp" \
19. "--enable-mbstring" \
20. "--enable-exif" \
21. "--disable-ipv6" \
22. "--disable-cgi" \
23. "--disable-cli" #禁掉ipv6,禁掉cli模式,提升速度和安全性.请根据具体需求定制相关的编译数.
24. # make
25. # make install
26. # mkdir /usr/local/php/etc
27. # cp php.ini-dist /usr/local/php/etc/php.ini
复制代码
5)Xcache的安装.
#tar xvf xcache-1.2.2.tar.gz
1. #/usr/local/php/bin/phpize
2. ./configure --enable-xcache --enable-xcache-coverager --with-php-config=/usr/local/php/bin/php-config \
3. --enable-inline-optimization --disable-debug
复制代码
#vi /usr/local/php/etc/php.ini (将以下内容加入php.ini最后面)
1. -------------------cut begin-------------------------------------------
2. [xcache-common]
3. zend_extension = /usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/xcache.so
4.
5. [xcache.admin]
6. xcache.admin.user = "admin"
7. ;如何生成md5密码: echo -n "password"| md5sum
8. xcache.admin.pass = "035d849226a8a10be1a5e0fec1f0f3ce" #密码为52netseek
9.
10. [xcache]
11. ; Change xcache.size to tune the size of the opcode cache
12. xcache.size = 24M
13. xcache.shm_scheme = "mmap"
14. xcache.count = 4
15. xcache.slots = 8K
16. xcache.ttl = 0
17. xcache.gc_interval = 0
18.
19. ; Change xcache.var_size to adjust the size of variable cache
20. xcache.var_size = 8M
21. xcache.var_count = 1
22. xcache.var_slots = 8K
23. xcache.var_ttl = 0
24. xcache.var_maxttl = 0
25. xcache.var_gc_interval = 300
26. xcache.test = Off
27. xcache.readonly_protection = On
28. xcache.mmap_path = "/tmp/xcache"
29. xcache.coredump_directory = ""
30. xcache.cacher = On
31. xcache.stat = On
32. xcache.optimizer = Off
33.
34. [xcache.coverager]
35. xcache.coverager = On
36. xcache.coveragedump_directory = ""
37. -------------------cut end---------------------------------------------
复制代码
6) 安装Zend Optimizer
# cd /usr/local/src
# tar xzvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
# ./ZendOptimizer-3.3.3-linux-glibc23-i386/install.sh
安装Zend Optimizer过程的最后不要选择重启Apache。
2. 整合Apache与PHP及系统初化配置.
1)整合Apache与PHP
# vi /usr/local/apache2/conf/httpd.conf
找到:
AddType application/x-gzip .gz .tgz
在该行下面添加
AddType application/x-httpd-php .php
找到:
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
将该行改为
<IfModule dir_module>
DirectoryIndex index.html index.htm index.php
</IfModule>
找到:
#Include conf/extra/httpd-mpm.conf
#Include conf/extra/httpd-info.conf
#Include conf/extra/httpd-vhosts.conf (虚拟主机配置文件存放目录.)
#Include conf/extra/httpd-default.conf
去掉前面的“#”号,取消注释。
注意:以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置!
修改完成后保存退出。
# /usr/local/apache2/bin/apachectl restart
2)查看确认L.A.M.P环境信息、提升 PHP 安全性
在网站根目录放置 info.php 脚本,检查phpinfo中的各项信息是否正确。
<?php
phpinfo();
?>
确认 PHP 能够正常工作后,在 php.ini 中进行设置提升 PHP 安全性,禁掉危险的函数.
# vi /etc/php.ini找到:disable_functions =设置为:phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server
3)脚本自动完成初始化配置(以上配置可以用脚本自动化完成)
#cat init_apache_php.sh
1. -------------------cut begin-------------------------------------------
2. #!/bin/bash
3. #Written by :NetSeek http://www.linuxtone.org
4. #init_httpd.conf
5. http_cf="/usr/local/apache2/conf/httpd.conf"
6. sed -i -e "s/User daemon/User www/" -i -e "s/Group daemon/Group www/" $http_cf
7. sed -i -e '121 s/^/#/' -i -e '122 s/^/#/' $http_cf
8. sed -i 's#DirectoryIndex index.html# DirectoryIndex index.php index.html index.htm#/g' $http_cf
9. sed -i -e '374 s/^#//g' -i -e '389 s/^#//g' -i -e '392 s/^#//g' -i -e '401 s/^#//g' $http_cf
10. #init_php(PHP安全设置及隐藏PHP版本)
11. php_cf="/usr/local/php/etc/php.ini"
12. sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $php_cf
13. sed -i '210 s#disable_functions =#disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server#g' $php_cf
14. sed -i '/expose_php/s/On/Off/' $php_cf
15. sed -i '/display_errors/s/On/Off/' $php_cf
16. -------------------cut end-------------------------------------------
复制代码
三、配置虚拟主机及基本性能调优
1) 配置虚拟主机:
#vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
1. NameVirtualHost *:80
2.
3. <VirtualHost *:80>
4. ServerAdmin cnseek@gmail.com
5. DocumentRoot "/data/www/wwwroot/linuxtone.org"
6. ServerName www.linuxtone.org
7. ServerAlias bbs.linxutone.org
8. ErrorLog "logs/dummy-host.example.com-error_log"
9. CustomLog "|/usr/sbin/cronolog /data/logs/access_www.linuxtone.org.%Y%m%d" combined
10. </VirtualHost>
复制代码
2).基本性能调优参考:(更多的调优相关文章请关注:http://bbs.linuxtone.org/index.html性能调优相关的贴子)
#vi /usr/local/apache2/conf/extra/httpd-default.conf
1. Timeout 15
2. KeepAlive Off
3. MaxKeepAliveRequests 50
4. KeepAliveTimeout 5
5. UseCanonicalName Off
6. AccessFileName .htaccess
7. ServerTokens Prod
8. ServerSignature Off
9. HostnameLookups Off
复制代码
#vi /usr/local/apache2/conf/extra/httpd-mpm.conf
1. <IfModule mpm_prefork_module>
2. ServerLimit 2000
3. StartServers 10
4. MinSpareServers 10
5. MaxSpareServers 15
6. MaxClients 2000
7. MaxRequestsPerChild 10000
8. </IfModule>
复制代码
3).Apache日志处理相关问题汇总贴(http://bbs.linuxtone.org/thread-102-1-1.html)
利用awstats分析网站日志:http://bbs.linuxtone.org/thread-56-1-1.html
忽略不需要的日志配置参考具体请据据具体问题分析:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#下面加入如下内容:
1. # filter the localhost visit
2. SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
3. # filter some special directories
4. SetEnvIf Request_URI "^ZendPlatform.*$" dontlog
5. SetEnvIf Request_URI \.healthcheck\.html$ dontlog
6. SetEnvIf Remote_Addr "::1" dontlog
7. SetEnvIf Request_URI "\.getPing.php$" dontlog
8. SetEnvIf Request_URI "^/error\.html$" dontlog
9. SetEnvIf Request_URI "\.gif$" dontlog
10. SetEnvIf Request_URI "\.jpg$" dontlog
11. SetEnvIf Request_URI "\.css$" dontlog
复制代码
4). Apache防盗链(Apache防盗链相关问题汇总:http://bbs.linuxtone.org/thread-101-1-1.html)
1. RewriteEngine on
2. RewriteCond %{HTTP_REFERER} !^$
3. RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
4. RewriteRule \.(gif|jpg)$ http://网站域名/nolink.png [R,L]
复制代码
四、基本安全设置
1)iptables 封锁相关端口(推荐读CU白金大哥的两小时玩转iptables)
2)SSH全安(修改SSH端口限制来源IP登陆,或者参考http://bbs.linuxtone.org/thread-106-1-1.html)
3)Linux防Arp攻击策略(http://bbs.linuxtone.org/thread-41-1-1.html)
4)注意(还是那句老话:安全工作从细节做起!)
引自:http://www.linuxtone.org