前言:
本文基于step by step的结构向大家介绍Nginx构建高性能WEB的全过程.并且我们在
生产服务器上运行一个月非常稳定,所以整理出来供大家分享。希望能够帮助
更多的初学者轻松构建高性能的WEB服务器。对文中提到的相关操作有任何问题都可以
到LinuxTone论坛去交流提问,我们将第一时间为你解答,同时把网友的建议加入,及
时更新相关内容.
系统环境:
CentOS 5.1+nginx-0.6.31+php-5.2.6+memcache-2.2.3+xcache-1 .2.2+mysql-5.0.51b
一、系统安装
1. 系统分区
/boot 100M左右
SWAP 物理内存的2倍(如果你的物理内存大于4G以上,分配4G即可)
/ 分区15~20G
/usr/local 20G (用于安装软件)
/data 剩余所有空间
*具体分区请根据相关业务划分,具体安装本文不作介绍.
2.系统初始化脚本(根据具体需求关闭不需要的服务)
#vi init.sh#welcome
cat > /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "ipv6 is disabled!"
#disable selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
#LANG=en
sed -i -e 's/^LANG=.*/LANG="en"/' /etc/sysconfig/i18n
#tunoff services
#------------------------------------------------- -------------+
cat flex bison autoconf automake bzip2-devel \
ncurses-devel libtool* zlib-devel libxml2-devel libjpeg-devel libpng-devel libtiff-devel \
fontconfig-devel freetype-devel libXpm-devel gettext-devel curl curl-devel pam-devel kernel
复制代码◆因网友说照我的方法YUM装的时候还是有一些错误,这次是按最少的包装的:)不过还是希望网友在安装系统的 时候就把相关的开
发包装上。
4) 定时校正服务器时钟,定时与中国国家授时中心授时服务器同步
# crontab -e
加入一行:
15 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1
5) 下载编译相关的源码包.
#vi list 在list文件里填入以后下载地址列表.http://www.libgd.org/releases/gd-2.0.35.tar.bz2
http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.12. tar.gz
http://jaist.dl.sourceforge.net/sourceforge/mcrypt /libmcrypt-2.5.8.tar.bz2
http://jaist.dl.sourceforge.net/sourceforge/mcrypt /mcrypt-2.6.7.tar.gz
http://www.openssl.org/source/openssl-0.9.8h.tar.g z
http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/port able/openssh-5.0p1.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/programming/p cre/pcre-7.7.tar.gz
http://sysoev.ru/nginx/nginx-0.6.31.tar.gz
http://mysql.byungsoo.net/Downloads/MySQL-5.0/mysq l-5.0.51b.tar.gz
http://cn2.php.net/get/php-5.2.6.tar.bz2/from/this /mirror
http://php-fpm.anight.org/downloads/head/php-5.2.6 -fpm-0.5.8.diff.gz
http://pecl.php.net/get/memcache-2.2.3.tgz
http://xcache.lighttpd.net/pub/Releases/1.2.2/xcac he-1.2.2.tar.gz
http://downloads.phpchina.com/zend/optimizer/3.3.3 /ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
复制代码#vi down.sh 创建下载脚本.#!/bin/bash
for i in `cat list`
do
wget -c $i
done
复制代码#sh down.sh 执行下载脚本即可下载相关软件包.
或更简捷直接使用命令wget -i list
复制代码下载
2. 编译安装软件包
源码编译安装所需包(Source)
1) 升级OpenSSL及OpenSSH tar xvf openssl-0.9.8h.tar.gz
cd openssl-0.9.8h
#vi in_openssl.sh
./config --prefix=/usr/local/openssl
make
make test
make install
# sh in_openssl.sh
#tar xvf openssh-5.0p1.tar.gz
#cd openssh-5.0p1
# vi in_openssh.sh
./configure \
"--prefix=/usr" \
"--with-pam" \
"--with-zlib" \
"--sysconfdir=/etc/ssh" \
"--with-ssl-dir=/usr/local/openssl" \
"--with-md5-passwords"
make
make install
# sh in_openssh.sh
复制代码禁用 SSH V1 协议:找到#Protocol 2,1改为:Protocol 2
禁用服务器端GSSAPI找到以下两行,并将它们注释:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
禁用 DNS 名称解析
找到:#UseDNS yeas改为:UseDNS no
禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config 找到:GSSAPIAuthentication yes 将这行注释掉。
最后,确认修改正确后重新启动 SSH 服务
# service sshd restart
# ssh -v 确认 OpenSSH 以及 OpenSSL 版本正确。
以上SSH配置可利用以下脚本自动修改:
#vi init_ssh.sh #init_ssh.sh
ssh_cf="/etc/ssh/sshd_config"
sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
#client
sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf
echo "ssh is init is ok.............."
复制代码#sh init_ssh.sh
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# ssh -v
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
2) GD2
# cd /usr/local/src
# tar xvf gd-2.0.35.tar.gz
# cd gd-2.0.35
# vi in_gd2.sh aclocal
./configure --prefix=/usr/local/gd2
make && make install
# sh in_gd2.sh
复制代码3) tar xvf libmcrypt-2.5.8.tar.bz2
cd libmcrypt-2.5.8 #vi in_libmcrypt.sh
./configure --prefix=/usr/local/libmcrypt && make && make install
#sh in.sh
复制代码4) #tar xvf libiconv-1.12.tar.gz
#cd libiconv-1.12
#vi in_iconv.sh ./configure --prefix=/usr && make && make install
复制代码#sh in_iconv.sh
5) 编译安装MySQL
# tar xvf mysql-5.0.51b.tar.gz
# cd mysql-5.0.51b
# vi in_mysql.sh CFLAGS="-O3" CXX=gcc CXXFLAGS="-O3 -felide-constructors \
-fno-exceptions -fno-rtti -fomit-frame-pointer -ffixed-ebp"
./configure \
"--prefix=/usr/local/mysql" \
"--localstatedir=/data/mysql/data" \
"--with-comment=Source" \
"--with-server-suffix=-LinuxTone.Org" \
"--with-mysqld-user=mysql" \
"--without-debug" \
"--with-big-tables" \
"--with-charset=utf8" \
"--with-collation=utf8_chinese_ci" \
"--with-extra-charsets=all" \
"--with-pthread" \
"--enable-static" \
"--enable-thread-safe-client" \
"--with-client-ldflags=-all-static" \
"--with-mysqld-ldflags=-all-static" \
"--enable-assembler" \
"--without-isam" \
"--without-innodb" \
"--without-ndb-debug"
make && make install
useradd mysql -d /data/mysql -s /sbin/nologin
/usr/local/mysql/bin/mysql_install_db --user=mysql
cd /usr/local/mysql
chown -R root:mysql .
chown -R mysql /data/mysql/data
cp share/mysql/my-huge.cnf /etc/my.cnf
cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
chmod 755 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
/etc/rc.d/init.d/mysqld start
cd /usr/local/mysql/bin
for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done
复制代码#sh in_mysql.sh
收藏2 分享1 1 0 转发到微博
本公司招聘XEN/KVM虚拟化技术和PHP中级程序员,爱折腾人才!工作地点:北京 简历请发送至:caojincheng@cy2009.com
回复 引用 举报 返回顶部
NetSeek 发短消息
加为好友
NetSeek 当前离线
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
LT管理团队
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
2#
发表于 2008-6-23 16:27 |只看该作者
三、编译安装PHP及Nginx
1.PHP(Fastcgi)编译安装
1)php-fpm 给PHP(Fastcgi)打补丁
#tar xvf php-5.2.6.tar.bz2
#gzip -cd php-5.2.6-fpm-0.5.8.diff.gz | patch -d php-5.2.6 -p1
2)PHP(Fastcgi)安装.
#cd php-5.2.6
#vi in_php5.sh./configure \
"--prefix=/usr/local/php-fcgi" \
"--enable-fastcgi" \
"--enable-fpm" \
"--enable-discard-path" \
"--enable-force-cgi-redirect" \
"--with-config-file-path=/usr/local/php-fcgi/etc" \
"--enable-zend-multibyte" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir" \
"--with-iconv-dir=/usr/lib" \
"--with-xmlrpc" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-freetype-dir" \
"--with-zlib-dir " \
"--with-openssl=/usr/local/openssl" \
"--with-mcrypt=/usr/local/libmcrypt" \
"--enable-sysvsem" \
"--enable-inline-optimization" \
"--enable-soap" \
"--enable-gd-native-ttf" \
"--enable-ftp" \
"--enable-mbstring" \
"--enable-exif" \
"--disable-debug" \
"--disable-ipv6"
make && make install
cp php.ini-dist /usr/local/php-fcgi/etc/php.ini
复制代码#sh in_php5.sh
4)安装Xcache
tar xvf xcache-1.2.2.tar.gz
cd xcache-1.2.2
#vi in_xcache.sh /usr/local/php-fcgi/bin/phpize
./configure --enable-xcache --enable-xcache-coverager --with-php-config=/usr/local/php-fcgi/bin/php-conf ig \
--enable-inline-optimization --disable-debug
make && make install
复制代码#sh in_xcache.sh
#vi /usr/local/php-fcgi/etc/php.ini #编辑php.ini在其内容最后加入如下内容:[xcache-common]
zend_extension = /usr/local/php-fcgi/lib/php/extensions/no-debug-no n-zts-20060613/xcache.so
[xcache.admin]
xcache.admin.user = "admin"
;如何生成md5密码: echo -n "password"| md5sum
xcache.admin.pass = "035d849226a8a10be1a5e0fec1f0f3ce" #密码为52netseek
[xcache]
; Change xcache.size to tune the size of the opcode cache
xcache.size = 24M
xcache.shm_scheme = "mmap"
xcache.count = 4
xcache.slots = 8K
xcache.ttl = 0
xcache.gc_interval = 0
; Change xcache.var_size to adjust the size of variable cache
xcache.var_size = 8M
xcache.var_count = 1
xcache.var_slots = 8K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.test = Off
xcache.readonly_protection = On
xcache.mmap_path = "/dev/zero"
xcache.coredump_directory = ""
xcache.cacher = On
xcache.stat = On
xcache.optimizer = Off
[xcache.coverager]
xcache.coverager = On
xcache.coveragedump_directory = ""
复制代码4)安装Memcache
cd memcache-2.2.3
#vi in_memcache.sh /usr/local/php-fcgi/bin/phpize
./configure --with-php-config=/usr/local/php-fcgi/bin/php-conf ig
make && make install
复制代码#sh in_memcache.sh
5) PHP初始化脚本
# cat init_fcgi.sh#!/bin/bash
#php-fastcgi.php
fcgi_cf="/usr/local/php-fcgi/etc/php.ini"
sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $fcgi_cf
sed -i '210 s#disable_functions =#disable_functions =
phpinfo,passthru,exec,system,chroot,scandir,chgrp, chown,shell_exec,proc_open,proc_get_status,ini_alte r,ini_alter,ini_restore,
dl,pfsockopen,openlog,syslog,readlink,symlink,pope passthru,stream_socket_server#g' $fcgi_cf
sed -i '/expose_php/s/On/Off/' $fcgi_cf
sed -i '/display_errors/s/On/Off/' $fcgi_cf
sed -i 's#extension_dir = "./"#extension_dir = "/usr/local/php-fcgi/lib/php/extensions/no-debug-n on-zts-20060613/"\nextension
= "memcache.so"\n#' $fcgi_cf
复制代码6)ZendOptimizer-3.3.3-linux-glibc23-i386 (解压后进入目录./install,安提示选择相关的目录及配置文件存放目录即可)
2.安装Nginx
1)Nginx编译安装
cd pcre-7.7/
./configure
make && make install
cd ../
cd nginx-0.6.31
#vi in_nginx.sh./configure --user=www --group=www --prefix=/usr/local/nginx/ --with-http_stub_status_module --with-
openssl=/usr/local/openssl
make && make install
复制代码sh in_nginx.sh
2)初始化Nginx相关配置
#mkdir /usr/local/nginx/conf/vhosts 创建存放虚拟主机配置文件目录
#cd /usr/local/nginx/conf
#mv nginx.conf nginx.conf_back 将原配置文件备份供以后参考.
#vi nginx.conf 重新创建nginx主配置文件user www www;
worker_processes 8;
pid /var/run/nginx.pid;
# [ debug | info | notice | warn | error | crit ]
#error_log /var/log/nginx.error_log info;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
#maxclient = worker_processes * worker_connections / cpu_number
worker_connections 51200;
}
http
{
include mime.types;
default_type application/octet-stream;
charset gb2312;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#access_log /data/www/logs/access.log main;
access_log /dev/null;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 128k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
gzip on;
gzip_comp_level 4;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_http_version 1.0;
gzip_proxied any;
gzip_types text/plain text/xml text/javascript application/x-javascript text/css text/html application/xml;
#
client_max_body_size 10m;
client_body_buffer_size 256k;
#
#proxy_temp_path /dev/shm/proxy_temp;
fastcgi_temp_path /dev/shm/fastcgi_temp;
client_body_temp_path /dev/shm/client_body_temp;
# The following includes are specified for virtual hosts
include vhosts/bbs.linxutone.org.conf;
include vhosts/down.redocn.com.conf;
include vhosts/count.linuxtone.org.conf;
}
复制代码#vi /enable_php5.conf Nginx支持PHP配置文件.fastcgi_pass 127.0.0.1:8085;
fastcgi_index index.php;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
复制代码3)配置修改php-fpm脚本
配置php-fpm脚本:
cd /usr/local/php-fcgi/etc/
vi php-fpm.conf 修改如下内容:(进入vi编辑器,输入:set nu 显示行号.)41 127.0.0.1:8085
62 Unix user of processes
63 www
65 Unix group of processes
66 www
79 128
80
81 Settings group for 'apache-like' pm style
82
83
84 Sets the number of server processes created on startup.
85 Used only when 'apache-like' pm_style is selected
86 20
87
88 Sets the desired minimum number of idle server processes.
89 Used only when 'apache-like' pm_style is selected
90 5
91
92 Sets the desired maximum number of idle server processes.
93 Used only when 'apache-like' pm_style is selected
94 250
104 Set open file desc rlimit
105 51200
106
107 Set max core size rlimit
108 0
109
110 Chroot to this directory at the start
111
112
113 Chdir to this directory at the start
114
115
116 Redirect workers' stdout and stderr into main error log.
117 If not set, they will be redirected to /dev/null, according to FastCGI specs
118 yes
119
120 How much requests each process should execute before respawn.
121 Useful to work around memory leaks in 3rd party libraries.
122 For endless request processing please specify 0
123 Equivalent to PHP_FCGI_MAX_REQUESTS
124 51200
复制代码4) Nginx+PHP(fastcgi)启动脚本参考:http://bbs.linuxtone.org/thread-372-1-2.html
本公司招聘XEN/KVM虚拟化技术和PHP中级程序员,爱折腾人才!工作地点:北京 简历请发送至:caojincheng@cy2009.com
点评回复 引用 举报 返回顶部
NetSeek 发短消息
加为好友
NetSeek 当前离线
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
LT管理团队
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
3#
发表于 2008-6-23 16:27 |只看该作者
四、Nginx多虚拟主机配置及基本优化(以配置Discuz!论坛为例)
1.配置Nginx虚拟主机(防盗链及expires设置)
#vi /usr/local/nginx/conf/vhosts/bbs.linuxtone.org.con fserver
{
listen 80;
server_name bbs.linuxtone.org www.linuxtone.org;
index index.html index.php index.htm;
root /data/www/wwwroot/lt/bbs;
#access_log /var/log/nginx/access_bbs.redocn.com.log combined;
location / {
if (!-e $request_filename) {
rewrite ^/archiver/((fid|tid)-[\w\-]+\.html)$ /archiver/index.php?$1 last;
rewrite ^/forum-([0-9]+)-([0-9]+)\.html$ /forumdisplay.php?fid=$1&page=$2 last;
rewrite ^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ /viewthread.php?tid=$1&extra=page%3D$3&page=$2
last;
rewrite ^/space-(username|uid)-(.+)\.html$ /space.php?$1=$2 last;
rewrite ^/tag-(.+)\.html$ /tag.php?name=$1 last;
break;
}
}
#Preventing hot linking of images and other file types
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
valid_referers none blocked server_names *.linuxtone.org http://localhost;
if ($invalid_referer) {
rewrite ^/ http://bbs.linuxtone.org/images/default/logo.gif;
return 403;
}
}
# Add expires header for static content
location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
if (-f $request_filename) {
root /data/www/wwwroot/lt/bbs;
expires 1d;
break;
}
}
#support php
location ~ .*\.php?$
{
include enable_php5.conf;
}
}
复制代码2.Nginx搭建下载站点限制并发数和速率.vi /usr/local/nginx/conf/vhosts/down.redocn.com.conf
limit_zone one $binary_remote_addr 10m;
server
{
listen 80;
server_name down.redocn.com;
index index.html index.htm index.php;
root /data/www/wwwroot/down;
error_page 404 /index.php;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
#Zone limit
location / {
limit_conn one 1;
limit_rate 20k;
}
# serve static files
location ~ ^/(images|javascript|js|css|flash|media|static)/ {
root /data/www/wwwroot/down;
expires 30d;
}
}
复制代码3.如何实现Nginx身份验证
实现输入http://count.linuxtone.org/tongji 要求输入用户名和密码验证才可查看内内。配置方法如下:
创建统计配置文件:mkdir /usr/local/nginx/conf/htpasswd #创建存放密码的目录
/usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd/tongji admin
server
{
listen 80;
server_name count.linuxtone.org;
index index.html index.php;
root /data/www/wwwroot/count;
access_log /data/logs/access_count.linuxtone.org.log combined;
#error page
error_page 404 http://www.linuxtone.org/error.html;
error_page 500 502 503 504 http://www.linuxtone.org;
#support php
location ~ .*\.php?$
{
include enable_php5.conf;
}
#expires static files
location ~* \.(js|css|jpg|jpeg|gif|png)$ {
if (-f $request_filename) {
access_log off;
expires 1d;
break;
}
}
location ~ ^/(tongji)/ {
root /data/www/wwwroot/count;
auth_basic "LT-COUNT-TongJi";
auth_basic_user_file /usr/local/nginx/conf/htpasswd/tongji;
}
}
复制代码4.如何实现Nginx目录列表
在相关虚拟主机配置文件加入如下设置即可,更多请参考官方wikilocation / {
autoindex on;
}
复制代码5.修改Nginx的header伪装服务器cd nginx-0.6.31/src/core
#define NGINX_VERSION "1.2"
#define NGINX_VER "LTWS/" NGINX_VERSION
复制代码仍后重新编译nginx即可,查看一下效果:
# curl -I http://bbs.linuxtone.orgHTTP/1.1 200 OK
Server: LTWS/1.2
Date: Mon, 23 Jun 2008 06:11:17 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: lt__sid=cJN2FT; expires=Mon, 30-Jun-2008 06:11:17 GMT; path=/
Set-Cookie: lt__onlineusernum=228; expires=Mon, 23-Jun-2008 06:16:17 GMT; path=/
复制代码6.减小nginx编译后的文件大小 (Reduce file size of nginx)
默认的nginx编译选项里居然是用debug模式(-g)的(debug模式会插入很多跟踪和ASSERT之类),编译以后一个nginx有好几兆。
去掉nginx的debug模式编译,编译以后只有480K(nginx-0.6.31 , gcc4)。
# du -sh nginx
480K nginx
在auto/cc/gcc,最后几行有:# debug
CFLAGS="$CFLAGS -g"
复制代码注释掉或删掉这几行,重新编译即可
7.Nginx日志处理
# crontab -l59 23 * * * /usr/local/sbin/logcron.sh /dev/null 2>&1
复制代码# cat /usr/local/sbin/logcron.sh#!/bin/bash
log_dir="/data/logs"
time=`date +%Y%m%d`
/bin/mv ${log_dir}/access_linuxtone.org.log ${log_dir}/access_count.linuxtone.org.$time.log
kill -USR1 `cat /var/run/nginx.pid`
复制代码更多的日志分析与处理就关注(同时欢迎你参加讨论):http://bbs.linuxtone.org/forum-8-1.html
8.优化内核参数
vi /etc/sysctl.confnet.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
复制代码五、基本安全设置策略
1)SSH安全策略:经常升级OpenSSH,SSH全安(修改SSH端口限制来源IP登陆,或者参考http://bbs.linuxtone.org/thread-106-1-1.html
)
2)关掉不需要的服务可以利用上文提到的脚本;iptables 封锁相关端口(推荐读CU白金大哥的两小时玩转iptables)
3)做好系统监控和审计相关的工作,做好系统自动化备份脚本,保证数据短时期可以恢复最近时间段,降低损失!
4)Linux防Arp攻击策略(http://bbs.linuxtone.org/thread-41-1-1.html)
5)注意(还是那句老话:安全工作从细节做起!)更多的请实时关注:http://bbs.linuxtone.org/forum-21-1.html (安全专项)
六、附录及相关介绍
1.参考文档(对相关作者分享精神表示感谢!):
Reduce file size of nginx: http://bianbian.org/technology/271.html
构建LEMP相关文章(作者:张宴): http://blog.s135.com/read.php/351.htm
基于CentOS构建高性能的LAMP平台: http://bbs.linuxtone.org/thread-122-1-1.html
利用Nginx替代apache实现高性能的Web环境(第一版): http://bbs.linuxtone.org/thread-7-1-1.html
2.关于LinuxTone.Org(IT运维专家论坛):
目标:希望和大家一起努力打造一个专注IT运维,Linux集群架构的开放互动讨论平台!期待您的加入!
我们很乐意把平时工作中遇到的问题和得到的经验与大家共同分享相互学习!
如果你是Linux爱好者?
如果你目前在网站服务器方面遇到很多头痛的问题?
如果你目前的站就使用了Linux?或者你想将你的Linux的apache迁于至高性能的Nginx?
如果您使用的是WAMP(即Windows平台的AMP)平台想迁移至LAMP?
如果你目前的网站需要优化进一步提升硬件性能?
如果你目前的网站需要负载均衡集群架构方案? 请联系我们!
我们愿意抽出空余时间免费热心为你解答相关问题,协助你完成所有相关工作!共同分享!共同进步!
同时也热情期待你能加入http://www.linuxtone.org 帮我一起完善论坛建设工作,完成每版置顶的手册形成可操作 性强的文档及方案,方便大家一起学习进步!联系方式:QQ:67888954 MSN:cnseek@msn.com Gtalk:cnseek@gmail.com
本文基于step by step的结构向大家介绍Nginx构建高性能WEB的全过程.并且我们在
生产服务器上运行一个月非常稳定,所以整理出来供大家分享。希望能够帮助
更多的初学者轻松构建高性能的WEB服务器。对文中提到的相关操作有任何问题都可以
到LinuxTone论坛去交流提问,我们将第一时间为你解答,同时把网友的建议加入,及
时更新相关内容.
系统环境:
CentOS 5.1+nginx-0.6.31+php-5.2.6+memcache-2.2.3+xcache-1 .2.2+mysql-5.0.51b
一、系统安装
1. 系统分区
/boot 100M左右
SWAP 物理内存的2倍(如果你的物理内存大于4G以上,分配4G即可)
/ 分区15~20G
/usr/local 20G (用于安装软件)
/data 剩余所有空间
*具体分区请根据相关业务划分,具体安装本文不作介绍.
2.系统初始化脚本(根据具体需求关闭不需要的服务)
#vi init.sh#welcome
cat > /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "ipv6 is disabled!"
#disable selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
#LANG=en
sed -i -e 's/^LANG=.*/LANG="en"/' /etc/sysconfig/i18n
#tunoff services
#------------------------------------------------- -------------+
cat flex bison autoconf automake bzip2-devel \
ncurses-devel libtool* zlib-devel libxml2-devel libjpeg-devel libpng-devel libtiff-devel \
fontconfig-devel freetype-devel libXpm-devel gettext-devel curl curl-devel pam-devel kernel
复制代码◆因网友说照我的方法YUM装的时候还是有一些错误,这次是按最少的包装的:)不过还是希望网友在安装系统的 时候就把相关的开
发包装上。
4) 定时校正服务器时钟,定时与中国国家授时中心授时服务器同步
# crontab -e
加入一行:
15 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1
5) 下载编译相关的源码包.
#vi list 在list文件里填入以后下载地址列表.http://www.libgd.org/releases/gd-2.0.35.tar.bz2
http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.12. tar.gz
http://jaist.dl.sourceforge.net/sourceforge/mcrypt /libmcrypt-2.5.8.tar.bz2
http://jaist.dl.sourceforge.net/sourceforge/mcrypt /mcrypt-2.6.7.tar.gz
http://www.openssl.org/source/openssl-0.9.8h.tar.g z
http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/port able/openssh-5.0p1.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/programming/p cre/pcre-7.7.tar.gz
http://sysoev.ru/nginx/nginx-0.6.31.tar.gz
http://mysql.byungsoo.net/Downloads/MySQL-5.0/mysq l-5.0.51b.tar.gz
http://cn2.php.net/get/php-5.2.6.tar.bz2/from/this /mirror
http://php-fpm.anight.org/downloads/head/php-5.2.6 -fpm-0.5.8.diff.gz
http://pecl.php.net/get/memcache-2.2.3.tgz
http://xcache.lighttpd.net/pub/Releases/1.2.2/xcac he-1.2.2.tar.gz
http://downloads.phpchina.com/zend/optimizer/3.3.3 /ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
复制代码#vi down.sh 创建下载脚本.#!/bin/bash
for i in `cat list`
do
wget -c $i
done
复制代码#sh down.sh 执行下载脚本即可下载相关软件包.
或更简捷直接使用命令wget -i list
复制代码下载
2. 编译安装软件包
源码编译安装所需包(Source)
1) 升级OpenSSL及OpenSSH tar xvf openssl-0.9.8h.tar.gz
cd openssl-0.9.8h
#vi in_openssl.sh
./config --prefix=/usr/local/openssl
make
make test
make install
# sh in_openssl.sh
#tar xvf openssh-5.0p1.tar.gz
#cd openssh-5.0p1
# vi in_openssh.sh
./configure \
"--prefix=/usr" \
"--with-pam" \
"--with-zlib" \
"--sysconfdir=/etc/ssh" \
"--with-ssl-dir=/usr/local/openssl" \
"--with-md5-passwords"
make
make install
# sh in_openssh.sh
复制代码禁用 SSH V1 协议:找到#Protocol 2,1改为:Protocol 2
禁用服务器端GSSAPI找到以下两行,并将它们注释:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
禁用 DNS 名称解析
找到:#UseDNS yeas改为:UseDNS no
禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config 找到:GSSAPIAuthentication yes 将这行注释掉。
最后,确认修改正确后重新启动 SSH 服务
# service sshd restart
# ssh -v 确认 OpenSSH 以及 OpenSSL 版本正确。
以上SSH配置可利用以下脚本自动修改:
#vi init_ssh.sh #init_ssh.sh
ssh_cf="/etc/ssh/sshd_config"
sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
#client
sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf
echo "ssh is init is ok.............."
复制代码#sh init_ssh.sh
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# ssh -v
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
2) GD2
# cd /usr/local/src
# tar xvf gd-2.0.35.tar.gz
# cd gd-2.0.35
# vi in_gd2.sh aclocal
./configure --prefix=/usr/local/gd2
make && make install
# sh in_gd2.sh
复制代码3) tar xvf libmcrypt-2.5.8.tar.bz2
cd libmcrypt-2.5.8 #vi in_libmcrypt.sh
./configure --prefix=/usr/local/libmcrypt && make && make install
#sh in.sh
复制代码4) #tar xvf libiconv-1.12.tar.gz
#cd libiconv-1.12
#vi in_iconv.sh ./configure --prefix=/usr && make && make install
复制代码#sh in_iconv.sh
5) 编译安装MySQL
# tar xvf mysql-5.0.51b.tar.gz
# cd mysql-5.0.51b
# vi in_mysql.sh CFLAGS="-O3" CXX=gcc CXXFLAGS="-O3 -felide-constructors \
-fno-exceptions -fno-rtti -fomit-frame-pointer -ffixed-ebp"
./configure \
"--prefix=/usr/local/mysql" \
"--localstatedir=/data/mysql/data" \
"--with-comment=Source" \
"--with-server-suffix=-LinuxTone.Org" \
"--with-mysqld-user=mysql" \
"--without-debug" \
"--with-big-tables" \
"--with-charset=utf8" \
"--with-collation=utf8_chinese_ci" \
"--with-extra-charsets=all" \
"--with-pthread" \
"--enable-static" \
"--enable-thread-safe-client" \
"--with-client-ldflags=-all-static" \
"--with-mysqld-ldflags=-all-static" \
"--enable-assembler" \
"--without-isam" \
"--without-innodb" \
"--without-ndb-debug"
make && make install
useradd mysql -d /data/mysql -s /sbin/nologin
/usr/local/mysql/bin/mysql_install_db --user=mysql
cd /usr/local/mysql
chown -R root:mysql .
chown -R mysql /data/mysql/data
cp share/mysql/my-huge.cnf /etc/my.cnf
cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
chmod 755 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
/etc/rc.d/init.d/mysqld start
cd /usr/local/mysql/bin
for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done
复制代码#sh in_mysql.sh
收藏2 分享1 1 0 转发到微博
本公司招聘XEN/KVM虚拟化技术和PHP中级程序员,爱折腾人才!工作地点:北京 简历请发送至:caojincheng@cy2009.com
回复 引用 举报 返回顶部
NetSeek 发短消息
加为好友
NetSeek 当前离线
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
LT管理团队
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
2#
发表于 2008-6-23 16:27 |只看该作者
三、编译安装PHP及Nginx
1.PHP(Fastcgi)编译安装
1)php-fpm 给PHP(Fastcgi)打补丁
#tar xvf php-5.2.6.tar.bz2
#gzip -cd php-5.2.6-fpm-0.5.8.diff.gz | patch -d php-5.2.6 -p1
2)PHP(Fastcgi)安装.
#cd php-5.2.6
#vi in_php5.sh./configure \
"--prefix=/usr/local/php-fcgi" \
"--enable-fastcgi" \
"--enable-fpm" \
"--enable-discard-path" \
"--enable-force-cgi-redirect" \
"--with-config-file-path=/usr/local/php-fcgi/etc" \
"--enable-zend-multibyte" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir" \
"--with-iconv-dir=/usr/lib" \
"--with-xmlrpc" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-freetype-dir" \
"--with-zlib-dir " \
"--with-openssl=/usr/local/openssl" \
"--with-mcrypt=/usr/local/libmcrypt" \
"--enable-sysvsem" \
"--enable-inline-optimization" \
"--enable-soap" \
"--enable-gd-native-ttf" \
"--enable-ftp" \
"--enable-mbstring" \
"--enable-exif" \
"--disable-debug" \
"--disable-ipv6"
make && make install
cp php.ini-dist /usr/local/php-fcgi/etc/php.ini
复制代码#sh in_php5.sh
4)安装Xcache
tar xvf xcache-1.2.2.tar.gz
cd xcache-1.2.2
#vi in_xcache.sh /usr/local/php-fcgi/bin/phpize
./configure --enable-xcache --enable-xcache-coverager --with-php-config=/usr/local/php-fcgi/bin/php-conf ig \
--enable-inline-optimization --disable-debug
make && make install
复制代码#sh in_xcache.sh
#vi /usr/local/php-fcgi/etc/php.ini #编辑php.ini在其内容最后加入如下内容:[xcache-common]
zend_extension = /usr/local/php-fcgi/lib/php/extensions/no-debug-no n-zts-20060613/xcache.so
[xcache.admin]
xcache.admin.user = "admin"
;如何生成md5密码: echo -n "password"| md5sum
xcache.admin.pass = "035d849226a8a10be1a5e0fec1f0f3ce" #密码为52netseek
[xcache]
; Change xcache.size to tune the size of the opcode cache
xcache.size = 24M
xcache.shm_scheme = "mmap"
xcache.count = 4
xcache.slots = 8K
xcache.ttl = 0
xcache.gc_interval = 0
; Change xcache.var_size to adjust the size of variable cache
xcache.var_size = 8M
xcache.var_count = 1
xcache.var_slots = 8K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.test = Off
xcache.readonly_protection = On
xcache.mmap_path = "/dev/zero"
xcache.coredump_directory = ""
xcache.cacher = On
xcache.stat = On
xcache.optimizer = Off
[xcache.coverager]
xcache.coverager = On
xcache.coveragedump_directory = ""
复制代码4)安装Memcache
cd memcache-2.2.3
#vi in_memcache.sh /usr/local/php-fcgi/bin/phpize
./configure --with-php-config=/usr/local/php-fcgi/bin/php-conf ig
make && make install
复制代码#sh in_memcache.sh
5) PHP初始化脚本
# cat init_fcgi.sh#!/bin/bash
#php-fastcgi.php
fcgi_cf="/usr/local/php-fcgi/etc/php.ini"
sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $fcgi_cf
sed -i '210 s#disable_functions =#disable_functions =
phpinfo,passthru,exec,system,chroot,scandir,chgrp, chown,shell_exec,proc_open,proc_get_status,ini_alte r,ini_alter,ini_restore,
dl,pfsockopen,openlog,syslog,readlink,symlink,pope passthru,stream_socket_server#g' $fcgi_cf
sed -i '/expose_php/s/On/Off/' $fcgi_cf
sed -i '/display_errors/s/On/Off/' $fcgi_cf
sed -i 's#extension_dir = "./"#extension_dir = "/usr/local/php-fcgi/lib/php/extensions/no-debug-n on-zts-20060613/"\nextension
= "memcache.so"\n#' $fcgi_cf
复制代码6)ZendOptimizer-3.3.3-linux-glibc23-i386 (解压后进入目录./install,安提示选择相关的目录及配置文件存放目录即可)
2.安装Nginx
1)Nginx编译安装
cd pcre-7.7/
./configure
make && make install
cd ../
cd nginx-0.6.31
#vi in_nginx.sh./configure --user=www --group=www --prefix=/usr/local/nginx/ --with-http_stub_status_module --with-
openssl=/usr/local/openssl
make && make install
复制代码sh in_nginx.sh
2)初始化Nginx相关配置
#mkdir /usr/local/nginx/conf/vhosts 创建存放虚拟主机配置文件目录
#cd /usr/local/nginx/conf
#mv nginx.conf nginx.conf_back 将原配置文件备份供以后参考.
#vi nginx.conf 重新创建nginx主配置文件user www www;
worker_processes 8;
pid /var/run/nginx.pid;
# [ debug | info | notice | warn | error | crit ]
#error_log /var/log/nginx.error_log info;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
#maxclient = worker_processes * worker_connections / cpu_number
worker_connections 51200;
}
http
{
include mime.types;
default_type application/octet-stream;
charset gb2312;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#access_log /data/www/logs/access.log main;
access_log /dev/null;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 128k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
gzip on;
gzip_comp_level 4;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_http_version 1.0;
gzip_proxied any;
gzip_types text/plain text/xml text/javascript application/x-javascript text/css text/html application/xml;
#
client_max_body_size 10m;
client_body_buffer_size 256k;
#
#proxy_temp_path /dev/shm/proxy_temp;
fastcgi_temp_path /dev/shm/fastcgi_temp;
client_body_temp_path /dev/shm/client_body_temp;
# The following includes are specified for virtual hosts
include vhosts/bbs.linxutone.org.conf;
include vhosts/down.redocn.com.conf;
include vhosts/count.linuxtone.org.conf;
}
复制代码#vi /enable_php5.conf Nginx支持PHP配置文件.fastcgi_pass 127.0.0.1:8085;
fastcgi_index index.php;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
复制代码3)配置修改php-fpm脚本
配置php-fpm脚本:
cd /usr/local/php-fcgi/etc/
vi php-fpm.conf 修改如下内容:(进入vi编辑器,输入:set nu 显示行号.)41 127.0.0.1:8085
62 Unix user of processes
63 www
65 Unix group of processes
66 www
79 128
80
81 Settings group for 'apache-like' pm style
82
83
84 Sets the number of server processes created on startup.
85 Used only when 'apache-like' pm_style is selected
86 20
87
88 Sets the desired minimum number of idle server processes.
89 Used only when 'apache-like' pm_style is selected
90 5
91
92 Sets the desired maximum number of idle server processes.
93 Used only when 'apache-like' pm_style is selected
94 250
104 Set open file desc rlimit
105 51200
106
107 Set max core size rlimit
108 0
109
110 Chroot to this directory at the start
111
112
113 Chdir to this directory at the start
114
115
116 Redirect workers' stdout and stderr into main error log.
117 If not set, they will be redirected to /dev/null, according to FastCGI specs
118 yes
119
120 How much requests each process should execute before respawn.
121 Useful to work around memory leaks in 3rd party libraries.
122 For endless request processing please specify 0
123 Equivalent to PHP_FCGI_MAX_REQUESTS
124 51200
复制代码4) Nginx+PHP(fastcgi)启动脚本参考:http://bbs.linuxtone.org/thread-372-1-2.html
本公司招聘XEN/KVM虚拟化技术和PHP中级程序员,爱折腾人才!工作地点:北京 简历请发送至:caojincheng@cy2009.com
点评回复 引用 举报 返回顶部
NetSeek 发短消息
加为好友
NetSeek 当前离线
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
LT管理团队
阅读权限200 积分7383 注册时间2008-5-19 最后登录2011-3-31 在线时间1674小时 精华24 主题111 帖子2476 UID1
3#
发表于 2008-6-23 16:27 |只看该作者
四、Nginx多虚拟主机配置及基本优化(以配置Discuz!论坛为例)
1.配置Nginx虚拟主机(防盗链及expires设置)
#vi /usr/local/nginx/conf/vhosts/bbs.linuxtone.org.con fserver
{
listen 80;
server_name bbs.linuxtone.org www.linuxtone.org;
index index.html index.php index.htm;
root /data/www/wwwroot/lt/bbs;
#access_log /var/log/nginx/access_bbs.redocn.com.log combined;
location / {
if (!-e $request_filename) {
rewrite ^/archiver/((fid|tid)-[\w\-]+\.html)$ /archiver/index.php?$1 last;
rewrite ^/forum-([0-9]+)-([0-9]+)\.html$ /forumdisplay.php?fid=$1&page=$2 last;
rewrite ^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ /viewthread.php?tid=$1&extra=page%3D$3&page=$2
last;
rewrite ^/space-(username|uid)-(.+)\.html$ /space.php?$1=$2 last;
rewrite ^/tag-(.+)\.html$ /tag.php?name=$1 last;
break;
}
}
#Preventing hot linking of images and other file types
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
valid_referers none blocked server_names *.linuxtone.org http://localhost;
if ($invalid_referer) {
rewrite ^/ http://bbs.linuxtone.org/images/default/logo.gif;
return 403;
}
}
# Add expires header for static content
location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
if (-f $request_filename) {
root /data/www/wwwroot/lt/bbs;
expires 1d;
break;
}
}
#support php
location ~ .*\.php?$
{
include enable_php5.conf;
}
}
复制代码2.Nginx搭建下载站点限制并发数和速率.vi /usr/local/nginx/conf/vhosts/down.redocn.com.conf
limit_zone one $binary_remote_addr 10m;
server
{
listen 80;
server_name down.redocn.com;
index index.html index.htm index.php;
root /data/www/wwwroot/down;
error_page 404 /index.php;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
#Zone limit
location / {
limit_conn one 1;
limit_rate 20k;
}
# serve static files
location ~ ^/(images|javascript|js|css|flash|media|static)/ {
root /data/www/wwwroot/down;
expires 30d;
}
}
复制代码3.如何实现Nginx身份验证
实现输入http://count.linuxtone.org/tongji 要求输入用户名和密码验证才可查看内内。配置方法如下:
创建统计配置文件:mkdir /usr/local/nginx/conf/htpasswd #创建存放密码的目录
/usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd/tongji admin
server
{
listen 80;
server_name count.linuxtone.org;
index index.html index.php;
root /data/www/wwwroot/count;
access_log /data/logs/access_count.linuxtone.org.log combined;
#error page
error_page 404 http://www.linuxtone.org/error.html;
error_page 500 502 503 504 http://www.linuxtone.org;
#support php
location ~ .*\.php?$
{
include enable_php5.conf;
}
#expires static files
location ~* \.(js|css|jpg|jpeg|gif|png)$ {
if (-f $request_filename) {
access_log off;
expires 1d;
break;
}
}
location ~ ^/(tongji)/ {
root /data/www/wwwroot/count;
auth_basic "LT-COUNT-TongJi";
auth_basic_user_file /usr/local/nginx/conf/htpasswd/tongji;
}
}
复制代码4.如何实现Nginx目录列表
在相关虚拟主机配置文件加入如下设置即可,更多请参考官方wikilocation / {
autoindex on;
}
复制代码5.修改Nginx的header伪装服务器cd nginx-0.6.31/src/core
#define NGINX_VERSION "1.2"
#define NGINX_VER "LTWS/" NGINX_VERSION
复制代码仍后重新编译nginx即可,查看一下效果:
# curl -I http://bbs.linuxtone.orgHTTP/1.1 200 OK
Server: LTWS/1.2
Date: Mon, 23 Jun 2008 06:11:17 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: lt__sid=cJN2FT; expires=Mon, 30-Jun-2008 06:11:17 GMT; path=/
Set-Cookie: lt__onlineusernum=228; expires=Mon, 23-Jun-2008 06:16:17 GMT; path=/
复制代码6.减小nginx编译后的文件大小 (Reduce file size of nginx)
默认的nginx编译选项里居然是用debug模式(-g)的(debug模式会插入很多跟踪和ASSERT之类),编译以后一个nginx有好几兆。
去掉nginx的debug模式编译,编译以后只有480K(nginx-0.6.31 , gcc4)。
# du -sh nginx
480K nginx
在auto/cc/gcc,最后几行有:# debug
CFLAGS="$CFLAGS -g"
复制代码注释掉或删掉这几行,重新编译即可
7.Nginx日志处理
# crontab -l59 23 * * * /usr/local/sbin/logcron.sh /dev/null 2>&1
复制代码# cat /usr/local/sbin/logcron.sh#!/bin/bash
log_dir="/data/logs"
time=`date +%Y%m%d`
/bin/mv ${log_dir}/access_linuxtone.org.log ${log_dir}/access_count.linuxtone.org.$time.log
kill -USR1 `cat /var/run/nginx.pid`
复制代码更多的日志分析与处理就关注(同时欢迎你参加讨论):http://bbs.linuxtone.org/forum-8-1.html
8.优化内核参数
vi /etc/sysctl.confnet.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
复制代码五、基本安全设置策略
1)SSH安全策略:经常升级OpenSSH,SSH全安(修改SSH端口限制来源IP登陆,或者参考http://bbs.linuxtone.org/thread-106-1-1.html
)
2)关掉不需要的服务可以利用上文提到的脚本;iptables 封锁相关端口(推荐读CU白金大哥的两小时玩转iptables)
3)做好系统监控和审计相关的工作,做好系统自动化备份脚本,保证数据短时期可以恢复最近时间段,降低损失!
4)Linux防Arp攻击策略(http://bbs.linuxtone.org/thread-41-1-1.html)
5)注意(还是那句老话:安全工作从细节做起!)更多的请实时关注:http://bbs.linuxtone.org/forum-21-1.html (安全专项)
六、附录及相关介绍
1.参考文档(对相关作者分享精神表示感谢!):
Reduce file size of nginx: http://bianbian.org/technology/271.html
构建LEMP相关文章(作者:张宴): http://blog.s135.com/read.php/351.htm
基于CentOS构建高性能的LAMP平台: http://bbs.linuxtone.org/thread-122-1-1.html
利用Nginx替代apache实现高性能的Web环境(第一版): http://bbs.linuxtone.org/thread-7-1-1.html
2.关于LinuxTone.Org(IT运维专家论坛):
目标:希望和大家一起努力打造一个专注IT运维,Linux集群架构的开放互动讨论平台!期待您的加入!
我们很乐意把平时工作中遇到的问题和得到的经验与大家共同分享相互学习!
如果你是Linux爱好者?
如果你目前在网站服务器方面遇到很多头痛的问题?
如果你目前的站就使用了Linux?或者你想将你的Linux的apache迁于至高性能的Nginx?
如果您使用的是WAMP(即Windows平台的AMP)平台想迁移至LAMP?
如果你目前的网站需要优化进一步提升硬件性能?
如果你目前的网站需要负载均衡集群架构方案? 请联系我们!
我们愿意抽出空余时间免费热心为你解答相关问题,协助你完成所有相关工作!共同分享!共同进步!
同时也热情期待你能加入http://www.linuxtone.org 帮我一起完善论坛建设工作,完成每版置顶的手册形成可操作 性强的文档及方案,方便大家一起学习进步!联系方式:QQ:67888954 MSN:cnseek@msn.com Gtalk:cnseek@gmail.com
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
