安装第三方软件源(epel、nginx、remi)

# Add the third-party repositories (EPEL, nginx.org, Remi) by installing each
# project's release package straight from its URL. The URLs are the ones on this
# page and may be dated; check the current release file names before running.
for repo_rpm in \
  http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm \
  http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm \
  http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
do
  # NOTE(review): the download is plain http and the vendor signing key is not
  # imported yet, so rpm typically only warns about the signature; verify the
  # release file out of band (e.g. `rpm -K` against a known-good copy) if you can.
  rpm -ivh "$repo_rpm"
done


yum一键安装lnmp

# Build toolchain plus the libraries and -devel headers the LNMP stack needs.
build_pkgs=(
  gcc gcc-c++ autoconf
  libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel
  libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel
  bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel
  e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel
  openssl openssl-devel
  openldap openldap-devel nss_ldap openldap-clients openldap-servers
)
yum -y install "${build_pkgs[@]}"

二、安装php和mysql

# PHP, the MySQL server/client/headers, and the PHP extensions this setup uses
# (MySQL binding, CGI/FastCGI, multibyte strings, GD).
stack_pkgs=(
  php
  mysql mysql-server mysql-devel
  php-mysql php-cgi php-mbstring php-gd php-fastcgi
)
yum -y install "${stack_pkgs[@]}"


php参数配置

 
  
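# php.ini hardening, applied as a single in-place sed pass (same result as running
# the edits one by one; each address only touches the line naming that directive).
#   expose_php Off            - stop advertising the PHP version in response headers
#   display_errors Off        - keep error details out of pages served to clients
#   php_errors.log line       - uncommented so errors go to the log file instead
#   file_uploads Off          - this deployment does not accept uploads
#   allow_url_fopen/include   - Off: no remote-URL file access/inclusion
#   date.timezone             - uncommented and set to Asia/Shanghai
#   cgi.fix_pathinfo=0        - php-fpm must not guess a different script from PATH_INFO
#   memory_limit              - 128M lowered to 64M
#   safe_mode On              - exists only up to PHP 5.3; on newer PHP this line
#                               matches nothing, so do not rely on it as a control
# The cgi.fix_pathinfo address uses a plain `=`; the page's `\=` is an undefined
# escape in POSIX BRE and only works on GNU sed.
sed -i \
  -e '/expose_php/{s/On/Off/g}' \
  -e '/display_errors/{s/On/Off/g}' \
  -e '/php_errors.log/{s/;//g}' \
  -e '/file_uploads/{s/On/Off/g}' \
  -e '/allow_url_fopen/{s/On/Off/g}' \
  -e '/allow_url_include/{s/On/Off/g}' \
  -e '/;date.timezone/{s/;//g;s/=/= Asia\/Shanghai/g}' \
  -e '/cgi.fix_pathinfo=/{s/;//g;s/1/0/g}' \
  -e '/memory_limit/{s/128/64/g}' \
  -e '/safe_mode/{s/Off/On/g}' \
  /etc/php.ini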

php-fpm配置

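# php-fpm pool: run the workers as the nginx user/group (package default is apache).
sed -i 's/apache/nginx/g' /etc/php-fpm.d/www.conf
# Kill a request that runs longer than 30s instead of never (the default 0).
# `s/= *0$/= 30/` rewrites only the literal 0, so a second run leaves 30 alone;
# the page's `s/0/30/g` would turn an existing 30 into 330.
sed -i '/request_terminate_timeout/{s/;//g;s/= *0$/= 30/}' /etc/php-fpm.d/www.conf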


内核优化

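# Kernel and file-descriptor tuning.
# set_sysctl KEY VALUE: write "KEY = VALUE" into /etc/sysctl.conf, replacing an
# existing entry for KEY or appending a new one, so re-running this block does not
# pile up duplicate lines the way plain `>>` appends do.
set_sysctl() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^${key}[[:space:]]*=.*|${key} = ${value}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}
set_sysctl net.ipv6.conf.all.disable_ipv6 1
set_sysctl vm.swappiness 25
set_sysctl net.ipv4.route.max_size 524288
set_sysctl net.core.somaxconn 10240
set_sysctl net.ipv4.tcp_max_syn_backlog 204800
set_sysctl net.core.netdev_max_backlog 204800
set_sysctl net.ipv4.ip_local_port_range "1024 65535"
# Load the values now; otherwise they only take effect after a reboot.
sysctl -p

# Open-file limit. The /etc/profile line only reaches interactive login shells; the
# nginx daemon gets its limit from limits.conf below (and worker_rlimit_nofile in
# nginx.conf). Both appends are guarded so a re-run does not duplicate them.
grep -q '^ulimit -SHn 65535' /etc/profile || echo "ulimit -SHn 65535" >> /etc/profile
grep -q '^nginx[[:space:]].*nofile' /etc/security/limits.conf || cat >> /etc/security/limits.conf <<'EOF'
nginx               soft    nofile  65535
nginx               hard    nofile  65535
EOF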


nginx基本优化

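# nginx core tuning (in-place edits of nginx.conf and fastcgi_params).
# Directive values are replaced whole, so the edits are stable when re-run (the
# page's `s/1024/10240/g` would turn 10240 into 102400 on a second pass), and the
# inserted lines are skipped when already present.
nginx_conf=/etc/nginx/nginx.conf
sed -i 's/^\([[:space:]]*worker_processes\)[[:space:]].*/\1 4;/' "$nginx_conf"
grep -q 'worker_rlimit_nofile' "$nginx_conf" \
  || sed -i '/worker_processes/a\ worker_rlimit_nofile 65535;' "$nginx_conf"
sed -i 's/^\([[:space:]]*worker_connections\)[[:space:]].*/\1 10240;/' "$nginx_conf"
# server_tokens off: keep the nginx version out of the Server header and error pages.
grep -q 'server_tokens' "$nginx_conf" \
  || sed -i '/sendfile/a\ server_tokens off;' "$nginx_conf"
# Same idea for FastCGI: SERVER_SOFTWARE reaches PHP without the /$nginx_version suffix.
sed -i '/version/{s/\/\$nginx_version//g}' /etc/nginx/fastcgi_params
grep -q 'use epoll' "$nginx_conf" \
  || sed -i '/events/a\    use epoll;' "$nginx_conf"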
 
  

nginx的fpm基本配置,找到FASTCGI选项,去掉注释,修改下面这样

# Hand *.php requests to php-fpm. `root` must match the document root set in
# nginx.conf (the page later switches that to /www/html; keep the two in sync).
location ~ \.php$ {
    root  /var/www/html;
    # TCP to the local php-fpm pool; the unix-socket alternative is left commented.
    fastcgi_pass  127.0.0.1:9000;
    #fastcgi_pass  unix:/tmp/php-fpm.sock;
    fastcgi_index  index.php;
    # Script path is built from the matched file name; together with the
    # cgi.fix_pathinfo=0 set in php.ini above, php-fpm will not fall back to a
    # different file through PATH_INFO.
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include  fastcgi_params;
}

nginx页面设置

 
  
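# Document root. Everything here points nginx at /www/html, so the `root` in the
# php location block has to say the same.
mkdir -p /www/html
sed -i 's#/usr/share/nginx/html#/www/html#g' /etc/nginx/nginx.conf
# Serve index.php as a directory index next to index.html. (On the page this sed
# was glued onto the previous line, which made it extra file arguments to that sed.)
sed -i 's/index.html/& index.php/' /etc/nginx/nginx.conf
# Smoke-test page; the page's version lacked the `>` and named /var/www/html, which
# nginx no longer serves after the edit above. phpinfo() prints the full PHP and
# server configuration, so delete this file once the stack is confirmed working.
echo "<?php phpinfo();?>" > /www/html/index.php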

mysql配置

有条件的话,给mysql单独分个区作为datadir

[mysqld]

# Data directory; give it its own partition when one is available.
datadir=/data

其他参数可以参考/usr/share/mysql下的示例文件


mysql基本加固,(设置密码,限制访问等)

 
  
  1. mysql_secure_installation

启动服务

 
  
  1. chkconfig nginx on

  2. chkconfig php-fpm on

  3. chkconfig mysqld on

  4. /etc/init.d/php-fpm start

  5. /etc/init.d/mysqld start

  6. /etc/init.d/nginx start


iptables防火墙,需要根据自己设置,下面仅仅是个示例

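# Example firewall; adapt addresses and ports to the host before using it.
# The heredoc delimiter is quoted so nothing inside is expanded while the file is
# written, and EOF sits alone on its line (on the page it was glued to the last
# command, so the heredoc never terminated). The shebang must start in column 0.
cat >/root/firewall.sh <<'EOF'
#!/usr/bin/env bash
# Stateful INPUT filter: loopback, web ports, two trusted hosts, rate-limited SSH
# from the LAN, ping and established traffic are allowed; everything else is dropped.
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_REJECT
# Flush to an empty ruleset with an ACCEPT policy on INPUT first, so the session
# running this script is not cut off mid-reload; INPUT is switched to DROP at the end.
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# Trusted hosts (page example addresses - replace with your own): non-SYN TCP and all UDP.
iptables -A INPUT -s 202.45.84.58/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -s 202.45.84.58/32 -p udp -j ACCEPT
iptables -A INPUT -s 203.80.96.10/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -s 203.80.96.10/32 -p udp -j ACCEPT
# SSH from the LAN only, at most 10 new connections per source address in 60s.
# Both rules match NEW: without it every packet of an open session bumps the
# `recent` counter and a second connection from the same host is refused.
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 10 --name ssh --rsource -j ACCEPT
# Echo requests, limited to one per second.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
# Outbound: no multicast, no limited-broadcast source, no packets conntrack cannot classify.
iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
/etc/init.d/iptables save
/etc/init.d/iptables restart
EOF
# Root-only and executable; the script changes the host's packet filter.
chmod 700 /root/firewall.sh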