高性能lnmp(二) [复制链接]

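# Verify the download before unpacking: nginx.org carries a PGP signature
# (.asc) next to each tarball; building an internet-facing server from an
# unverified archive is a supply-chain risk.  (0.7.51 is a 2010-era release --
# prefer a maintained release line when reproducing this guide.)
# Chained with && so a failed step does not run the next one; "exit" is
# avoided because these lines are typed into an interactive root shell.
gpg --verify nginx-0.7.51.tar.gz.asc nginx-0.7.51.tar.gz &&
tar xzvf nginx-0.7.51.tar.gz &&
cd nginx-0.7.51 &&
vi src/core/nginx.h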
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_


/*
 * Banner masking, applied to src/core/nginx.h before configure/make.
 * NGINX_VER is the string nginx reports about itself (as shipped it is what
 * the "Server:" response header carries -- confirm in your source tree), so
 * after this edit scanners that read only that header see "Microsoft-IIS/6.0".
 * This is obscurity, not hardening: response behaviour, error pages and header
 * ordering still identify nginx, and nothing here fixes bugs in the 0.7.51
 * code being compiled.
 *
 * nginx_version is the numeric form that module code typically compares with
 * "#if nginx_version >= ..."; the banner does not use it, and zeroing it can
 * silently change which optional code gets compiled.  Leave it at the value
 * from the pristine header (7051 for 0.7.51 -- check the unpacked file).
 * NGINX_VAR is used internally by the binary (not shown here) and is not part
 * of the HTTP banner either; renaming it is not needed for the masking goal.
 */
#define nginx_version       000000
#define NGINX_VERSION      "6.0"
#define NGINX_VER          "Microsoft-IIS/" NGINX_VERSION

#define NGINX_VAR          "Microsoft-IIS"
#define NGX_OLDPID_EXT     ".oldbin"


#endif

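# Build.  stub_status is compiled in for monitoring: if a /status location is
# added later, wrap it in "allow 127.0.0.1; deny all;" -- it reports connection
# counts to anyone who can reach it otherwise.  http_ssl_module is compiled in,
# but no TLS listener is configured anywhere in this guide.  --user/--group set
# the default unprivileged worker identity (nginx.conf below sets it too).
# Chained with && so a failed configure or make is never "installed".
./configure --prefix=/yp-lnmp/nginx --user=ypweb --group=ypweb \
  --with-http_stub_status_module --with-http_ssl_module &&
make &&
make install
cd ../
# Keep the stock config for reference; the tuned one is written below.
mv /yp-lnmp/nginx/conf/nginx.conf /yp-lnmp/nginx/conf/nginx.conf.bak
vi /yp-lnmp/nginx/conf/nginx.conf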
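# Workers run as the unprivileged ypweb account; the master stays root so it
# can bind port 80 and open the log files.
user  ypweb ypweb;

worker_processes 8;

# "crit" keeps this log nearly silent for performance, but it also hides the
# causes of 4xx/5xx responses, upstream (php-fpm) failures and config problems
# that matter during an incident; "error" or "warn" is the usual production
# compromise.
error_log  logs/nginx_error.log  crit;

pid        /yp-lnmp/nginx/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
{
  use epoll;
  worker_connections 51200;
}

http
{
  include       mime.types;
  default_type  application/octet-stream;

  #charset  gb2312;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  # Upper bound on request bodies (POSTs, uploads); oversized requests are
  # rejected here before they reach PHP.
  client_max_body_size 8m;

  sendfile on;
  tcp_nopush     on;

  keepalive_timeout 60;

  tcp_nodelay on;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;

  gzip on;
  gzip_min_length  1k;
  gzip_buffers     4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types       text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  #limit_zone  crawler  $binary_remote_addr  10m;

  # log_format is only valid in the http context.  The original declared these
  # inside each server block, which "nginx -t" rejects, so the config never
  # loaded as written.  Both vhosts used the same fields; one definition per
  # name is kept here so the access_log lines below are unchanged.
  # Nothing in this guide puts a proxy in front of nginx, so
  # $http_x_forwarded_for is whatever the client chose to send -- treat it as
  # untrusted when reading the logs.
  log_format  panlei_access  '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" $http_x_forwarded_for';
  log_format  jerry_access   '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" $http_x_forwarded_for';

  server
  {
    listen       80;
    server_name  www.panlei.com;
    index index.html index.htm index.php;
    root  /htdocs/phpBB;

    #limit_conn   crawler  20;

    # Only real .php/.php5 files reach PHP.  The original pattern
    # ".*\.(php|php5)?$" made the extension optional, so any URI ending in a
    # dot was handed to FastCGI too.  try_files makes nginx confirm the script
    # exists before passing it on: without it, a request like
    # /uploads/x.jpg/a.php can get the uploaded x.jpg executed by PHP when
    # cgi.fix_pathinfo is enabled in php.ini (this guide does not show that
    # setting -- verify it).
    location ~ \.php5?$
    {
      try_files $uri =404;
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }

    location ~ \.(gif|jpg|jpeg|png|bmp|swf)$
    {
      expires      30d;
    }

    # The original "(js|css)?$" had the same optional group; js/css only now.
    location ~ \.(js|css)$
    {
      expires      1h;
    }

    access_log  logs/panlei_access.log  panlei_access;
  }

  server
  {
    listen       80;
    server_name  www.jerry.com;
    index index.html index.htm index.php;
    root  /htdocs/Discuz;

    # Same PHP handling as the first vhost (see the comment there).
    location ~ \.php5?$
    {
      try_files $uri =404;
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }

    access_log  logs/jerry_access.log  jerry_access;
  }
}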
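# fcgi.conf holds the FastCGI parameters (SCRIPT_FILENAME etc.) that the php
# locations include; its contents are not shown in this part of the guide.
vi /yp-lnmp/nginx/conf/fcgi.conf
# Open-file limit for this shell and whatever it starts.  The original wrote
# "ulimit –SHn" with an en-dash, which ulimit does not accept as an option, so
# the limit was never raised.
ulimit -SHn 51200
# Test first, start second.  The original started nginx and tested afterwards,
# and its "–t" (en-dash) is not an option nginx recognises.
/yp-lnmp/nginx/sbin/nginx -t &&
/yp-lnmp/nginx/sbin/nginx
# Hot restart: the master re-reads the configuration and replaces workers
# without dropping established connections.
kill -HUP "$(cat /yp-lnmp/nginx/nginx.pid)"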
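vi /etc/rc.local
# ---- lines appended to /etc/rc.local (runs as root at the end of boot) ----
# Raise the fd limit BEFORE starting the daemons so they inherit it; the
# original set it after mysqld_safe was already running, and used an en-dash
# ("–SHn") that ulimit rejects.
ulimit -SHn 51200
# MySQL runs as the unprivileged ypdb account with the hardened my.cnf.
/yp-lnmp/mysql/bin/mysqld_safe --defaults-file=/yp-lnmp/mysql/my.cnf --user=ypdb &
# php-fpm, then nginx (its master stays root for port 80; workers drop to
# ypweb per nginx.conf).
/yp-lnmp/php/sbin/php-fpm start
/yp-lnmp/nginx/sbin/nginx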

系统安全
一.设置 SELinux 与防火墙(setup 工具的 Security Level 界面)
setup
Security Level: (*) Enabled ( ) Disabled
SELinux: Enforcing   (三档可选: Enforcing / Permissive / Disabled, 这里选 Enforcing)
Customize
  • WWW (HTTP)
    Other ports 43210:tcp   (后面 sshd 改用的端口)
    说明: 这一屏 Customize 生成的防火墙规则, 会被本文末尾 "iptables配置" 一节的 iptables -F 清掉并由手写规则取代, 最终生效的是 service iptables save 保存的那份, 两处保留一处即可。另外 SELinux 选 Enforcing 后, sshd 改到 43210 端口可能需要先 semanage port -a -t ssh_port_t -p tcp 43210 才能绑定; 自编译到 /yp-lnmp 的 nginx/php-fpm/mysqld 按 targeted 策略一般不受限, 但上线前请查 /var/log/audit/audit.log 确认没有 AVC 拒绝。
    二.关闭不需要服务
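    # Remove boot-time services this host does not need.  netfs only mounts
    # network filesystems listed in /etc/fstab.
    chkconfig --del netfs
    # Do NOT drop ip6tables as the original did: the firewall rules later in
    # this guide are IPv4-only (iptables), so with no IPv6 filter every
    # listener -- sshd on 43210, nginx, anything else -- is reachable
    # unfiltered over IPv6 if the host ever gets an address.  Keep it enabled
    # with a default-deny policy instead.  With no state rule this makes IPv6
    # effectively unusable on the host, which is the intent when it is not used.
    chkconfig ip6tables on
    ip6tables -F
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -A INPUT -i lo -j ACCEPT
    service ip6tables save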
    三.去掉不需要的用户和组(建议用 userdel/groupdel, 而不是加 # 注释)
    说明: 在 /etc/passwd、/etc/group 里用 # 注释行, 只是依赖 glibc 跳过以 # 开头的行这一实现细节, pwck/grpck 会报格式错误, 其它工具也未必认; 规范做法是 userdel -r、groupdel, 或用 usermod -L -s /sbin/nologin 锁定。下面的清单有几处互相矛盾: nobody(99) 被不少守护进程和 NFS 依赖, 不要去掉; 后面防火墙放行了 20/21 端口的 FTP 服务, 这里却删掉了 ftp 用户(vsftpd 之类的匿名登录依赖它); lp 用户删了, /etc/group 里的 lp 组仍引用它。所有改账号库的操作都必须在第四步 chattr +i 之前完成。
    vi /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    #adm:x:3:4:adm:/var/adm:/sbin/nologin
    #lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    #sync:x:5:0:sync:/sbin:/bin/sync
    #shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    #halt:x:7:0:halt:/sbin:/sbin/halt
    #mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    #news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    #operator:x:11:0:operator:/root:/sbin/nologin
    #games:x:12:100:games:/usr/games:/sbin/nologin
    #gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    #ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    #nobody:x:99:99:Nobody:/:/sbin/nologin
    #vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    dbus:x:81:81:System message bus:/:/sbin/nologin
    haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
    #nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
    #ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
    ypdb:x:500:500::/:/sbin/nologin
    ypweb:x:501:501::/:/sbin/nologin
    vi /etc/group
    root:x:0:root
    bin:x:1:root,bin,daemon
    daemon:x:2:root,bin,daemon
    #sys:x:3:root,bin,adm
    #adm:x:4:root,adm,daemon
    #tty:x:5:
    disk:x:6:root
    lp:x:7:daemon,lp
    #mem:x:8:
    #kmem:x:9:
    wheel:x:10:root,jerry
    mail:x:12:mail
    #news:x:13:news
    uucp:x:14:uucp
    #man:x:15:
    #games:x:20:
    #gopher:x:30:
    #dip:x:40:
    #ftp:x:50:
    #lock:x:54:
    #nobody:x:99:
    users:x:100:
    utmp:x:22:
    floppy:x:19:
    #vcsa:x:69:
    sshd:x:74:
    dbus:x:81:
    haldaemon:x:68:
    #nscd:x:28:
    #ldap:x:55:
    ypdb:x:500:
    ypweb:x:501:
    四.修改不可修改,删除属性,需要更改时chattr -i
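    # Make the account databases and a few static files immutable (chattr -i
    # to undo).  Run this LAST: while +i is set, every later step that edits
    # these files fails -- useradd/usermod/passwd (the usermod in step 7,
    # creating the ypweb/ypdb accounts, any password change or aging for jerry
    # through /etc/shadow) and the Ctrl-Alt-Del edit of /etc/inittab in step 5.
    # This stops accidental and scripted tampering only: anyone who is already
    # root can run chattr -i, so it is a tripwire, not a boundary.
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services /etc/inittab; do
      chattr +i "$f"
    done
    # Confirm the flag took (look for the "i" attribute in the output).
    lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services /etc/inittab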
    五.禁用 Ctrl+Alt+Del 重启(注释掉 /etc/inittab 的 ca 行后执行 init q 让 init 重读; 此步必须放在第四步 chattr +i /etc/inittab 之前, 否则文件写不进去)
    vi /etc/inittab
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
    六、改变服务的权限
    chmod -R 700 /etc/rc.d/init.d/*
    七.只允许 wheel 组用户 su(取消 /etc/pam.d/su 里该行的注释。注意: 下面的 usermod -G 10 会把 jerry 原有的附加组全部替换掉, 追加应该用 usermod -a -G wheel jerry; 它还必须在第四步 chattr +i /etc/group 之前执行; 第三步已经手工把 jerry 写进 wheel 组, 两种做法保留一种即可)
    vi /etc/pam.d/su
    auth            required        pam_wheel.so use_uid
    usermod -G 10 jerry
    八.登陆消息删除
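    # Blank the pre-login banners so the distribution/kernel version is not
    # shown to whoever reaches a console (issue) or sshd (issue.net, only if
    # "Banner /etc/issue.net" is set in sshd_config).  Truncating in place
    # keeps the files' ownership and mode; the original "rm –rf" used an
    # en-dash, which rm took as a file name (a harmless error) before
    # deleting and re-creating the files.
    : > /etc/issue
    : > /etc/issue.net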
    九.host.conf 的 nospoof 设置(标题原作"防止IP欺骗"名不副实: 这个选项只让本机解析器对主机名做正反向校验, 对网络层的源地址伪造没有任何作用; 真正的反欺骗靠内核的 net.ipv4.conf.all.rp_filter = 1 这类反向路径校验)
    vi /etc/host.conf
    order bind,hosts
    multi on
    nospoof on
    十.TTL 伪装(把默认 TTL 改成 Windows 常用的 128, 只能骗过凭 TTL 猜操作系统的粗略扫描, 属于混淆不是防护; 写到 /etc/sysctl.conf 的 net.ipv4.ip_default_ttl = 128 比在 rc.local 里 echo 更规范, 也不会和后面的 sysctl 设置分散两处)
    vi /etc/rc.local
    echo 128 > /proc/sys/net/ipv4/ip_default_ttl
    十一.限制登录用户的进程数与内存(通过 pam_limits; 注意它只对经 PAM 登录的会话生效, 对 rc.local 启动的 nginx/php-fpm/mysqld 不起作用, 因此防的是本机用户的 fork 炸弹之类, 而不是来自外部的 DoS)
    vi /etc/security/limits.conf
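    # /etc/security/limits.conf -- format: <domain> <type> <item> <value>
    # The original lines lacked the <domain> column, so pam_limits logs them as
    # invalid and skips them; nothing was ever limited.  "*" covers every user
    # except root, which per limits.conf(5) must be listed explicitly.
    # core 0   : no core dumps (they would contain memory, incl. secrets)
    # rss 5000 : intended ~5MB resident limit, but RLIMIT_RSS is not enforced
    #            by 2.6 kernels -- kept for intent only
    # nproc 20 : 20 processes per user (the text says 50); check this is not
    #            too low for an admin running builds or the backup scripts
    *    hard    core    0
    *    hard    rss     5000
    *    hard    nproc   20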
    vi /etc/pam.d/login
    session    required     /lib/security/pam_limits.so
    上面三行分别是: core 0 禁止生成 core 转储文件(避免泄露内存中的敏感数据); nproc 20 把每个用户的进程数限制为 20(不是 50; 注意 20 对要跑编译、备份脚本的管理员账号可能偏小); rss 5000 意图把驻留内存限制在约 5MB, 但 Linux 2.6 内核并不强制 RLIMIT_RSS, 这一行实际无效。另外 /etc/pam.d/login 只管本地控制台登录, SSH 登录走 /etc/pam.d/sshd(一般经 system-auth 已包含 pam_limits), 请自行确认。
    十二.mysql 安全(my.cnf 里的 bind-address = 127.0.0.1 让 mysqld 只监听本机回环地址, 改完要重启 mysqld 才生效; 如果 PHP 只通过 socket 连库, 还可以用 skip-networking 彻底不开 TCP 端口。下面在 mysql 客户端里输入的口令会被写进 ~/.mysql_history, 操作前先 export MYSQL_HISTFILE=/dev/null 或做完后删掉该文件)
    vi /yp-lnmp/mysql/my.cnf
    [mysqld]
    bind-address = 127.0.0.1
    /yp-lnmp/mysql/bin/mysql
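    -- Run in the mysql client as the MySQL root user right after install.
    -- Replace '复杂密码' and '新管理员用户名' first; everything typed here is
    -- recorded in ~/.mysql_history unless MYSQL_HISTFILE points at /dev/null.
    SET PASSWORD FOR root@localhost = PASSWORD('复杂密码');
    use mysql;
    -- Rename the superuser so the well-known name is not a valid login.
    UPDATE user SET User = '新管理员用户名' WHERE User = 'root';
    -- Review before deleting: every remaining row is a usable login.
    SELECT Host, User, Password, Select_priv, Grant_priv FROM user;
    -- Drop anonymous accounts, any account still without a password (the
    -- renamed admin already has one from SET PASSWORD above, so other root
    -- rows such as root@127.0.0.1 go here), and anything valid from any host.
    DELETE FROM user WHERE User = '';
    DELETE FROM user WHERE Password = '';
    DELETE FROM user WHERE Host = '%';
    -- The test database is open to everyone through rows in mysql.db; the
    -- original only dropped the database and left those grants in place.
    DROP DATABASE test;
    DELETE FROM db WHERE Db = 'test' OR Db = 'test\_%';
    FLUSH PRIVILEGES;
    quit;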
    十三.ssh 服务安全(改端口只是减少扫描噪音, 不是安全边界。在 PermitRootLogin no 之外建议再加 Protocol 2、AllowUsers jerry 只放行管理账号, 改用密钥登录后把 PasswordAuthentication 设为 no。改端口前先在防火墙放行 43210(见后面 iptables 一节), SELinux Enforcing 下可能还需要 semanage port -a -t ssh_port_t -p tcp 43210; 重启 sshd 时不要断开当前会话, 用新端口另开一个连接验证成功后再退出)
    vi /etc/ssh/sshd_config
    Port 43210
    PermitRootLogin no
    十四.伪装 nginx: 已在开头编译前修改 src/core/nginx.h 时完成(Server 头显示为 Microsoft-IIS/6.0)。这只是混淆, 响应行为仍是 nginx 的, 不能代替升级修补; 另外不要再配 server_tokens off, 否则 nginx 会改用源码里另一处写死的短横幅(含 nginx 字样), 伪装就失效了——请在源码树中核对。
    iptables配置
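    # Rebuild the INPUT policy from scratch.  Run from a console or an existing
    # SSH session: the ESTABLISHED rule below keeps that session alive.
    iptables -F
    iptables -X RH-Firewall-1-INPUT
    #iptables -A INPUT -p tcp --sport 12000 -j DROP

    # Loopback and already-established traffic first: cheapest match, and it is
    # what lets replies (and RELATED FTP data connections, via the
    # ip_conntrack_ftp module listed in /etc/sysconfig/iptables-config) in.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Game server: everything from this one address is trusted.  Narrow it to
    # the ports that host actually needs if they are known.
    iptables -A INPUT -s 124.115.16.121 -j ACCEPT

    # FTP control channel.  Port 20 is the *source* port of active-mode data
    # connections made by this server, so the original "--dport 20" rule did
    # not admit anything useful; RELATED above (with ip_conntrack_ftp) handles
    # data connections.  FTP is plaintext -- credentials cross the wire in the
    # clear; prefer SFTP over the ssh port where possible.
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    # Web.  The original rate-limited NEW connections to port 80 to 1/s (burst
    # 5) *globally*: with the DROP policy below that throttles the site to one
    # new visitor per second and drops everyone else -- a self-inflicted DoS,
    # not flood protection.  SYN-flood resistance comes from tcp_syncookies in
    # the sysctl section; if per-client limiting is wanted, use a per-source
    # match (hashlimit/connlimit) rather than a global limit.
    iptables -A INPUT -p tcp --syn -m state --state NEW --dport 80 -j ACCEPT

    # sshd on its relocated port (sshd_config Port 43210).
    iptables -A INPUT -p tcp --dport 43210 -j ACCEPT

    # Everything else inbound is dropped; this host does not route.
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # Persist: "service iptables save" writes /etc/sysconfig/iptables, which
    # the iptables init script loads at boot.  These rules are IPv4-only; see
    # the ip6tables note in step 2.
    rm -f /etc/sysconfig/iptables.save
    service iptables save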

    sysctl文件设置
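    # Append to /etc/sysctl.conf and apply with "sysctl -p" (the guide does not
    # name the file; on RHEL this is where boot-time kernel settings live).
    #
    # SYN-flood handling
    # tcp_max_syn_backlog: length of the half-open connection queue
    net.ipv4.tcp_max_syn_backlog = 4096
    # tcp_syncookies: answer with SYN cookies once that queue is full
    net.ipv4.tcp_syncookies = 1
    # tcp_synack_retries: SYN-ACK retransmits for half-open inbound connections
    net.ipv4.tcp_synack_retries = 2
    # tcp_syn_retries: SYN retransmits for connections this host initiates
    net.ipv4.tcp_syn_retries = 2
    #
    # Buffer tuning (the original labelled this "提高tcp连接能力").
    # tcp_rmem/tcp_wmem take THREE values (min default max); giving one value
    # only overwrites the first (min) field and leaves default/max untouched,
    # so these two lines do not raise the usable buffer sizes as written.
    # Supply all three values if that is the goal.
    net.ipv4.tcp_rmem = 32768
    net.ipv4.tcp_wmem = 32768
    # Disabling SACK costs throughput on lossy paths and is not a security
    # setting; reconsider before keeping it.
    net.ipv4.tcp_sack = 0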

    nginx日志备份
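    #!/bin/bash
    # Daily nginx log rotation (cron, shortly after midnight, as root -- it
    # has to signal the nginx master).  Yesterday's access/error logs are moved
    # into logs/YYYY/MM/, nginx is told to reopen its files, then the moved
    # logs are tarred and removed.
    set -u

    LOG_PATH="/yp-lnmp/nginx/logs/"
    LOG_NAME1="panlei"
    LOG_NAME2="jerry"
    LOG_NAME3="mgr"
    PID_FILE="/yp-lnmp/nginx/nginx.pid"

    # Compute the date ONCE.  The original called "date -d yesterday" eleven
    # times, so a run straddling midnight could spread one day's files over two
    # names/directories.
    YESTERDAY=$(date -d "yesterday" +"%Y%m%d")
    ARCHIVE_DIR="${LOG_PATH}${YESTERDAY:0:4}/${YESTERDAY:4:2}/"

    mkdir -p "$ARCHIVE_DIR" || exit 1

    # Move each log that exists.  nginx.conf in this guide defines only the
    # panlei and jerry vhosts, so the "mgr" log may be absent; skipping a
    # missing file is fine, but a failed move must not be followed by the rm
    # at the end.
    for name in "${LOG_NAME1}_access" "${LOG_NAME2}_access" "${LOG_NAME3}_access" nginx_error; do
      src="${LOG_PATH}${name}.log"
      [ -f "$src" ] || continue
      mv "$src" "${ARCHIVE_DIR}${name}_${YESTERDAY}.log" || exit 1
    done

    # Ask the master to reopen its log files; workers keep writing to the
    # moved files until it does, so nothing is lost in between.
    kill -USR1 "$(cat "$PID_FILE")" || exit 1

    # Archive, and delete the plain logs only if the archive was written.
    cd "$ARCHIVE_DIR" || exit 1
    tar zcf "${YESTERDAY}.tar.gz" ./*.log && rm -f ./*.log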
    mysql增量备份nlog_backup_db.sh
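    #!/bin/bash
    # Incremental MySQL backup: rotate the binary log, turn every closed binlog
    # into SQL with mysqlbinlog, bundle the SQL into a per-weekday archive, then
    # let the server purge the binlogs that were copied.
    #
    # Credentials: mysqladmin/mysql read them from ~/.my.cnf ([client]
    # user/password, file mode 0600) of the user running this script.  After
    # step 12 sets the root password these calls fail without it.  Never put
    # the password on the command line -- it shows up in "ps".
    set -u
    umask 077   # backups hold every table's data; keep them root-readable only

    MYSQL_BIN="/yp-lnmp/mysql/bin"
    DATADIR="/yp-lnmp/mysql/data/"
    BACKDIR="/opt/backup/"
    # Weekday name; LC_ALL=C keeps it ASCII whatever locale cron runs under,
    # so the archive name is stable.
    TIME=$(LC_ALL=C date +%A)

    mkdir -p "$BACKDIR" || exit 1

    # Close the current binlog and open a new one; every entry in
    # mysql-bin.index except the last is now complete and safe to back up.
    "$MYSQL_BIN/mysqladmin" flush-logs || exit 1

    cd "$DATADIR" || exit 1
    # The last index entry is the live log; it stays.
    LAST_BASE=$(basename "$(tail -n 1 mysql-bin.index)")

    while IFS= read -r file; do
      [ -n "$file" ] || continue
      base=$(basename "$file")
      if [ "$base" = "$LAST_BASE" ]; then
        echo "backup done"
        continue
      fi
      echo "$base"
      # Copy instead of moving: the server still owns the file until PURGE
      # below.  The original moved the files and rewrote mysql-bin.index by
      # hand under a running mysqld, which can desynchronise its view of the
      # logs.
      cp "$base" "$BACKDIR" || exit 1
      # Drop the raw copy only once the SQL conversion succeeded.
      "$MYSQL_BIN/mysqlbinlog" "${BACKDIR}${base}" > "${BACKDIR}${base}.sql" \
        && rm -f "${BACKDIR}${base}"
    done < mysql-bin.index

    cd "$BACKDIR" || exit 1
    # Distinct prefix: full_backup_db.sh writes into the same directory and the
    # original scripts both used <Weekday>.tar.gz, overwriting each other.
    tar czf "binlog_${TIME}.tar.gz" ./*.sql && rm -f ./*.sql

    # Let mysqld retire the logs that were copied; this also updates
    # mysql-bin.index the supported way.
    "$MYSQL_BIN/mysql" -e "PURGE MASTER LOGS TO '${LAST_BASE}'"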
    mysql完全备份full_backup_db.sh
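    #!/bin/bash
    # Full MySQL dump of all databases into /opt/backup/full_<Weekday>.tar.gz.
    #
    # Credentials come from ~/.my.cnf (mode 0600) of the user running this,
    # never the command line.  --master-data=2 needs RELOAD/SUPER.
    #
    # Consistency: --single-transaction gives a consistent snapshot only for
    # transactional (InnoDB) tables; MyISAM tables (common for phpBB/Discuz
    # installs of this era -- check SHOW TABLE STATUS) are dumped while they
    # may still change.  Use --lock-all-tables instead if that matters, at the
    # cost of a brief write stall.
    #
    # --delete-master-logs removes every binlog written before this dump, so
    # the incremental script's chain restarts here; run the incremental backup
    # right before this one if those binlogs are still wanted.
    set -u
    umask 077   # the dump holds all data, including mysql.user hashes

    MYSQL_BIN="/yp-lnmp/mysql/bin"
    BackDir="/opt/backup/"
    # LC_ALL=C keeps the weekday name ASCII whatever locale cron runs under.
    DATE=$(LC_ALL=C date +%A)
    DumpFile="full_${DATE}.sql"
    # Prefix distinguishes this from the incremental script's archive; the
    # originals both wrote <Weekday>.tar.gz to /opt/backup and overwrote each
    # other.
    GZDumpFile="full_${DATE}.tar.gz"

    mkdir -p "$BackDir" || exit 1
    "$MYSQL_BIN/mysqldump" --single-transaction --flush-logs --master-data=2 \
      --delete-master-logs --all-databases > "${BackDir}${DumpFile}" \
      || { rm -f "${BackDir}${DumpFile}"; exit 1; }
    cd "$BackDir" || exit 1
    # Remove the plain dump only once the archive was written.
    tar czf "$GZDumpFile" "$DumpFile" && rm -f "$DumpFile"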
    vi /etc/sysconfig/iptables-config
    IPTABLES_MODULES="ip_conntrack_ftp"


    本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u2/75896/showart_2162953.html