学了很久的FreeBSD,也在这里请教过很多的高手前辈,学到了很多东西,现在有好一段时间没用这个系统了,都有点忘记了,^_^,这次把自己以前学的东西都整理了一下,这个web服务器配置是其中的一部分,贴出来大家看看,希望对新人能有一点帮助,文笔比较粗糙,内容不足不对之处还请达人指点。
一、安装
版本是4.10,选择最小化安装,记得选上ports和sys(安装软件和编译内核用)选择好网络方式,选上
inetd、启用ssh、安装上bash、用默认的安全等级即可。
二、升级ports树
进入root用户不用我说了吧,直接root登录或者用其他用户su到root也行,当然还得确定你已经连上网络
了。
# cd /usr/ports/net/cvsup-without-gui //因为还没装x只能用这种方式了
# make install clean // 意思不用我多说了吧
完成之后进入cvsup目录
# cd /usr/share/examples/cvsup //进入cvsup目录
# cp ports-supfile /root //保险起见还是备份一下得好^_^
# cd //进入自己的目录
# vi ports-supfile
找到default host CHANGE_THIS.FreeBSD.org //官方站台(默认值)
改成default host cvsup.cn.freebsd.org //改为国内站点下载速度较快
其他的就不改了,网上有文章说把ports-all 注释了,再到下面去修改自己要升级的ports,但是考虑到
有些软件的依赖性,免得升级了之后出问题,就不改了,保存退出。
执行升级
# cvsup -g -L 2 ports-supfile
到出现下面的信息就可以啦。
Shutting down connection to server Finished successfully
三、编译内核
# cd sys/i386/conf
# cp GENERIC mykernel
修改注释掉不用的,加入下面这些:
# QUOTA backs the userquota mount option and the edquota step used later in
# this guide for per-user disk limits.
options QUOTA
# With IPFIREWALL compiled in and no IPFIREWALL_DEFAULT_TO_ACCEPT, the kernel
# denies every packet until a rule permits it -- which is why the guide adds
# an ipfw rule under /usr/local/etc/rc.d before rebooting.
options IPFIREWALL
# VERBOSE enables logging for rules written with the "log" keyword; the LIMIT
# caps the number of log entries per rule.
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
以下是虚拟机上的内核参考:
machine i386
#cpu I386_CPU
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident mykernel
maxusers 0
#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
#options MFS #Memory Filesystem
#options MD_ROOT #MD is a potential root device
#options NFS #Network Filesystem
#options NFS_ROOT #NFS usable as root device, NFS required
#options MSDOSFS #MSDOS Filesystem
#options CD9660 #ISO 9660 Filesystem
#options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
#options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options QUOTA
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
# To make an SMP kernel, the next two are needed
#options SMP # Symmetric MultiProcessor Kernel
#options APIC_IO # Symmetric (APIC) I/O
device isa
#device eisa
device pci
# Floppy drives
#device fdc0 at isa? port IO_FD1 irq 6 drq 2
#device fd0 at fdc0 drive 0
#device fd1 at fdc0 drive 1
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device fdc0
# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
device ahd # AHA39320/29320 and onboard AIC79xx devices
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT/Fusion
device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets)
options SYM_SETUP_LP_PROBE_MAP=0x40
# Allow ncr to attach legacy NCR devices when
# both sym and ncr are configured
device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
# RAID controllers interfaced to the SCSI subsystem
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device dpt # DPT Smartcache - See LINT for options!
#device iir # Intel Integrated RAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device ciss # Compaq SmartRAID 5* series
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID, Dell PERC2/PERC3
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device amr # AMI MegaRAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware Escalade
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa?
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std
device agp # support several AGP chipsets
# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13
# Power management support (see LINT for more options)
device apm0 at nexus? disable flags 0x20 # Advanced Power Management
# PCCARD (PCMCIA) support
#device card
#device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
#device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? port IO_COM2 irq 3
device sio2 at isa? disable port IO_COM3 irq 5
device sio3 at isa? disable port IO_COM4 irq 9
# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
#device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 adapter Gigabit Ethernet Card (``Wiseman'')
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 8255
device pcn # AMD Am79C97x PCI 10/100 NICs
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
#device bge # Broadcom BCM570x (``Tigon III'')
# ISA Ethernet NICs.
# 'device ed' requires 'device miibus'
#device ed0 at isa? disable port 0x280 irq 10 iomem 0xd8000
#device ex
#device ep
#device fe0 at isa? disable port 0x300
# Xircom Ethernet
#device xe
# PRISM I IEEE 802.11b wireless NIC.
#device awi
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
device wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
device an
# The probe order of these is presently determined by i386/isa/isa_compat.c.
device ie0 at isa? disable port 0x300 irq 10 iomem 0xd0000
#device le0 at isa? disable port 0x300 irq 5 iomem 0xd0000
device lnc0 at isa? disable port 0x280 irq 10 drq 0
device cs0 at isa? disable port 0x300
device sn0 at isa? disable port 0x300 irq 10
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device sl 1 # Kernel SLIP
pseudo-device ppp 1 # Kernel PPP
pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
pseudo-device gif # IPv6 and IPv4 tunneling
pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)
# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter
# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device usb # USB Bus (required)
#device ugen # Generic
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device uscanner # Scanners
#device urio # Diamond Rio MP3 Player
# USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernet
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
编辑完成之后执行:
# make depend
# cd ../../compile/mykernel
# make && make install
如果出现错误,看提示做相关更改,完成之后reboot,进入系统执行uname -a看看是否成功。
四、修改相关系统参数
1、
编译fstab文件,加入磁盘配额选项:
# vi /etc/fstab
修改
/dev/ad0s1g /usr ufs rw 2 2
为:
/dev/ad0s1g /usr ufs rw,userquota 2 2
保存退出
2、
在启动项中加入配额以及防火墙选项:
# vi /etc/rc.conf
加入下面内容:
# Network hardening knobs (rc.conf(5)): drop TCP segments carrying both SYN
# and FIN, ignore ICMP redirects, and log any redirect that arrives.
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
# Turn on the quota system compiled into the kernel above; check_quotas has
# rc run quotacheck at boot.
enable_quotas="YES"
check_quotas="YES"
# Let fsck repair filesystems unattended at boot instead of stopping in
# single-user mode.
fsck_y_enable="YES"
# Disable sendmail entirely (neither the local nor the network daemon).
sendmail_enable="NONE"
# Stop rc from rewriting /etc/motd at boot, so the version banner stays
# cleared (the guide empties the file next).
update_motd="NO"
# NOTE(review): no firewall_enable/firewall_type here -- the IPFIREWALL kernel
# is opened up by the permit-all rule in /usr/local/etc/rc.d/ipfw.sh instead.
保存退出
再清除/etc/motd文件中的内容避免登录时出现FreeBSD的系统信息。
因为启用了防火墙,所以得在/usr/local/etc/rc.d加入一条规则,以免把自己也挡在外面了,
# vi ipfw.sh
加入下面内容
#!/bin/sh
# Run from /usr/local/etc/rc.d at boot so the IPFIREWALL kernel does not lock
# the administrator out: this rule accepts every IP packet in both directions.
# NOTE(review): with this single rule the compiled-in firewall filters nothing.
# Once remote access is confirmed, replace it with a ruleset that permits only
# the services this guide sets up (ssh, ftp, http) and keeps the kernel's
# default deny for everything else.
/sbin/ipfw add allow ip from any to any
保存退出
# chmod 755 ipfw.sh
3、修改shell文件内容
# vi /etc/shells
加入下面内容
/sbin/nologin
/usr/local/bin/bash
4、更新用户shell配置
在自己的用户目录下编辑.bashrc文件(默认不存在,自己编辑添加),
# vi .bashrc
加入下面内容
#! /usr/local/bin/bash
# ~/.bashrc is sourced by bash, so the line above is only a comment marking the
# intended shell; it is never used as an interpreter line.
# -a shows dotfiles, -G colours the output (FreeBSD ls(1)); ll is the long form.
alias ls="ls -aG"
alias ll="ls -al"
在.profile文件里加入
# Same aliases for the login-shell profile, so a login shell that reads this
# file behaves like an interactive shell reading ~/.bashrc.
alias ls="ls -aG"
alias ll="ls -al"
再用chsh把自己的shell环境路径改成bash的路径即可。
五、安装软件
前面已经升级过ports-tree了,现在只要安装就可以了。
(一)、安装vsftp
1、
# cd /usr/ports/ftp/vsftpd
# make
# make install clean
2、
修改vsftp配置文件vsftpd_config
# vi /usr/local/etc/vsftpd_config
修改下面内容
# NOTE(review): the guide names this file vsftpd_config here and vsftpd.conf in
# the standalone-mode steps further down; confirm which path the port installs.
# No anonymous logins; only local system accounts may authenticate.
anonymous_enable=NO
local_enable=YES
# Uploads are allowed, so the chroot list and the disk quotas below matter.
write_enable=YES
local_umask=022
dirmessage_enable=YES
# Transfer log in the standard format, written to /var/log/vsftpd.log.
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=120
data_connection_timeout=300
# NOTE(review): ASCII mode lets a client ask the server to rewrite line endings
# on every transfer; the vsftpd defaults are NO. Confirm the clients need it.
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome to blah FTP service.
# Users listed one per line in chroot_list are confined to their home
# directory after login; users not listed are not.
chroot_list_enable=YES
chroot_list_file=/usr/local/etc/chroot_list
secure_chroot_dir=/usr/local/share/vsftpd/empty
3、
在/usr/local/etc/目录下生成chroot_list文件,这个是锁定ftp用户在自己的目录下的文件,格式是每
个用户占一行。
# touch chroot_list
4、启动vsftp
以inetd方式启动:
修改/etc下的inetd.conf文件,在里面加入下面一行:
ftp stream tcp nowait root /usr/local/libexec/vsftpd vsftpd
当然也可以以独立的方式启动vsftpd,具体如下:
a、在inetd.conf中注释掉上面这一行。
b、在vsftpd.conf文件里增加listen=YES这句。
c、进入/usr/local/libexec/目录,执行./vsftpd & 。
d、想要让vsftp随系统启动,可在/usr/local/etc/rc.d/目录里增加一个sh脚本:
# vi vsftpd_start.sh
加入下面内容
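#!/bin/sh
# /usr/local/etc/rc.d/vsftpd_start.sh: start vsftpd in standalone mode at boot.
# The guide's original first line was "# ! /bin/sh", which is a plain comment
# rather than an interpreter line -- "#!" must be the first two bytes of the
# file. Standalone mode needs listen=YES in the vsftpd configuration and the
# ftp line in /etc/inetd.conf commented out, as described above.
/usr/local/libexec/vsftpd &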
保存退出,再chmod 755 vsftpd_start.sh 。
重启系统,再测试一下:
添加用户
# pw groupadd vsftpd -g 1001
# pw useradd test -g 1001 -d /home/test -s /sbin/nologin
# mkdir /home/test
# chown -R vsftpd:test /home/test
# passwd test 设密码
Changing local password for test
New Password:
Retype New Password:
在chroot_list文件里增加test一行,把test用户锁定在其自家目录下。
# ftp localhost
如果成功会提示你输入用户名和密码
如果不成功,请查看一下你上面的配置
为用户增加磁盘配额:
# edquota -u test
Quotas for user test:
/usr: kbytes in use: 2, limits (soft = 10240, hard = 10240)
inodes in use: 1, limits (soft = 0, hard = 0)
(二)安装mysql数据库
# cd /usr/ports/databases/mysql41-server/
不想让数据库安装在默认的/var/db/mysql目录下,修改Makefile文件,
# vi Makefile
找到 --localstatedir=/var/db/mysql \ 这一行
改成 --localstatedir=/usr/db/mysql \ 安装在/usr/db/mysql目录下
# mkdir /usr/db/mysql
# ln -s /usr/db/ /var/db 为了习惯,我们在/var目录下面加一个到mysql的链接
# make install clean
安装完成后执行
# chown -R mysql:mysql /usr/db/mysql
# chmod -R 700 /usr/db/mysql
进入/usr/local/bin目录,执行
# ./mysql_install_db 初始化mysql数据库
# mysqld_safe & 启动数据库
为了让数据库在系统启动时就启动,得做一下修改:
# vi /etc/rc.conf
增加
mysql_enable="YES"
保存退出
在mysql安装完成后默认会在/usr/local/etc/rc.d目录下生成mysql-server.sh文件,如没有我们就自己加
# vi mysql-server.sh
增加下面内容
#!/bin/sh
# Fallback /usr/local/etc/rc.d/mysql-server.sh, only for the case where the
# port did not install its own. mysqld_safe is backgrounded so rc can continue.
# NOTE(review): the guide also sets mysql_enable="YES" in rc.conf; if the
# port's own script is present as well, check that only one of them starts
# the server.
/usr/local/bin/mysqld_safe &
保存退出
# chmod 755 mysql-server.sh
# reboot
# mysqladmin -uroot password "your_pass"
# mysql -uroot -p
进去看看
(三)安装apache服务器
# cd /usr/ports/www/apache20/
# make
# make install clean
安装时可能会出现expat错误,根据提示,进入expat目录执行一下反安装(make deinstall),再回来安装
apache就可以了,我估计是因为原来的是expat-1.95.7.tar.gz,而更新ports后是expat-2.0.0.tar.gz两个版本不一致造成的。
安装php模块
# cd /usr/ports/www/mod_php4/
# make
# make install clean
安装完成,根据提示,在/usr/local/etc/apache2/下的httpd.conf文件中找到:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
增加下面内容:
#php support
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
再找到DirectoryIndex index.html index.html.var这一行,在后面增加index.php index.htm
找到ServerSignature On 改成 ServerSignature Off 这个是防止apache反馈的错误信息泄漏服务器的信息。
# cd /usr/ports/lang/php4-extensions/
# make
# make install clean
注意:安装apache和php的三个步骤当中会有选择apache支持的插件什么的,还有php好像也有选项的,这里有一点就是Zend和debug选项不能同时存在,比方要支持Zend就不能选debug,这两个选项具体在哪个步骤我也记得不是很清楚了,安装时注意一下就好,这也是为什么我把make 和make install clean分开两步做的原因。
php模块设置:
进入/usr/local/etc/目录
# cd /usr/local/etc/
# cp php.ini-dist php.ini
# vi php.ini
修改
; safe_mode restricts scripts to files owned by the script's own user
; (removed in later PHP versions).
safe_mode = On
; NOTE(review): register_globals = On turns every GET/POST/cookie parameter
; into a PHP global variable, the classic source of variable-injection bugs;
; PHP recommends Off. Keep On only if the applications deployed here need it.
register_globals = On
; Hide configuration details from scripts; phpinfo() in particular dumps the
; full server environment.
disable_functions =get_cfg_var,phpinfo
; Do not echo errors to the client, where they would leak file paths and
; query text.
display_errors = Off
保存退出
让apache随系统一起启动:
# vi /etc/rc.conf
增加
apache2_enable="YES"
编辑/etc/hosts文件,增加下面一行:
127.0.0.1 vhost.localvhost.com
不然apache启动不起来。
apache的虚拟主机配置
修改虚拟主机的设置
# vi /usr/local/etc/apache2/httpd.conf
# Name-based virtual hosting on the single LAN address of this (VM) host.
NameVirtualHost 192.168.234.128
# Default site: answers for "localhost" and the alias added to /etc/hosts
# above. CGI is enabled under /cgi-bin/.
<VirtualHost 192.168.234.128>
ServerName localhost
ServerAlias vhost.localvhost.com
DocumentRoot /usr/local/www/data-dist
ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
</VirtualHost>
# phpMyAdmin site, served straight from a user's home directory.
# NOTE(review): the guide later widens <Directory "/usr/local/www"> to
# <Directory "/usr"> so that this DocumentRoot becomes readable. A separate
# <Directory "/usr/home/zss/phpmyadmin"> block scoped to this path keeps the
# permissive access settings from applying to all of /usr. Nothing in this
# block restricts who can reach phpMyAdmin; limiting it by client address or
# authentication is worth considering.
<VirtualHost 192.168.234.128>
ServerName mysql.localvhost.com
DocumentRoot /usr/home/zss/phpmyadmin/
#ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
</VirtualHost>
还得修改一个地方,
找到<Directory "/usr/local/www">这行改成<Directory "/usr">
否则你的虚拟主机会出现
Forbidden
You don't have permission to access / on this server
虚拟主机目录给755权限。
还有apache中的一些具体的性能参数需要设置,我没深入地去研究,这里不一一讲述。