- 论坛徽章:
- 0
|
Openbsd4.0 + APACHE + MySQL + PHP + Mod_ssl + Mod_gzip + Pf
欢迎大家转贴这个文章,但要保留下面的版权信息:
作者:llzqq
联系:llzqq@126.com
来自:www.chinaunix.net
本文旨在用OPENBSD自己提供的软件安装包来搭建服务器环境,当然你也可以下载原代码包编译安装,但这样就费时费力了。实际上OPENBSD给我们提供了大量的编译好的二进制安装包,利用这些二进制安装包我们可以快速部署我们需要的服务器环境,不仅省时还可以保障OPENBSD的安全性,还可以自动解决各个安装包之间的包依赖问题(用pkg_add来安装远程服务器上的软件包,包依赖问题会自动处理不需要人为干预,这个有点像通过PORTS安装)。另外系统安装采用了OB的快照这样就省去了繁琐的系统升级。文中最后给出一个比较简单的PF防火墙规则供大家参考。附录中提供了利用OB的源代码修改APACHE的最大连接数和版本号的方法。
OB快照下载地址:
ftp://ftp.zedz.net/pub/OpenBSD.snapshot/
设置网络安装服务器:
export PKG_PATH="ftp://ftp.freebsdchina.org/pub/OpenBSD/4.0/packages/i386/"
由于我采用的是OPENBSD的快照(12月25日的快照)安装的系统,所以系统的有些库文件比较新,造成有些TGZ包安装不了。下面我们做了两个软连接来解决这个问题:
# ln -s /usr/lib/libc.so.40.3 /usr/lib/libc.so.39.3
# ln -s libpthread.so.7.0 /usr/lib/libpthread.so.6.3
1. 配置APACHE服务器:
因为APACHE是系统默认安装的,这里就省去了安装过程,下面配置APACHE这样就可以开机运行HTTP了因为在/ETC/RC脚本中已经有了HTTPD服务的启动设置
# vi /etc/rc.conf
改:
httpd_flags=NO
为:
httpd_flags=""
对apache做一初步设置
# vi /var/www/conf/httpd.conf
ServerAdmin aidns@126.com
ServerName www.aidns.cn
ServerTokens Prod
ServerSignature Off
Options Indexes FollowSymLinks 改为 Options FollowSymLinks
安装mod_gzip
# pkg_add -v mod_gzip-1.3.26.1ap0.tgz
# /usr/local/sbin/mod_gzip-enable
# cd /usr/local/share/examples/mod_gzip
# cp mod_gzip.conf.sample /var/www/conf/mod_gzip.conf
# vi /var/www/conf/httpd.conf
在配置文件的最后加上:
include conf/mod_gzip.conf
2. 安装mysql-server-5.0.24a:
# pkg_add -v mysql-server-5.0.24a.tgz
# cp /usr/local/share/mysql/my-medium.cnf /etc/my.cnf
如果不想让其他机器连接MYSQL,可以通过下面的操作实现:
# vi /etc/my.cnf
bind-address = 127.0.0.1
启动MYSQL-SERVER服务器:
# /usr/local/bin/mysqld_safe &
设置ROOT的MYSQL密码:
# /usr/local/bin/mysqladmin -u root password mydbserver
为了方便启动和关闭MYSQL服务建立了下面的脚本:
# vi /etc/rc.d/mysqld.sh
========================= mysqld.sh ===========================
#!/bin/sh
# made by llzqq
# website:www.aidns.cn
# mysql startup scripts
case "$1" in
start)
if [ -x /usr/local/bin/mysqld_safe ]; then
/usr/local/bin/mysqld_safe &
fi
;;
stop)
pkill mysqld &
rm -f /var/run/mysql/mysql.sock &
;;
*)
echo "$0 start | stop"
;;
esac
exit 0
========================= mysqld.sh ===========================
# chmod 550 /etc/rc.d/mysqld.sh
设置开机启动MYSQL
# vi /etc/rc.local
if [ -f /etc/my.cnf ]; then
/etc/rc.d/mysqld.sh start
fi
3. 安装配置PHP-4.4.1
# pkg_add -v php4-core-4.4.1p1.tgz
运行下面的命令使其生效:
# cp /usr/local/share/examples/php4/php.ini-recommended /var/www/conf/php.ini
# /usr/local/sbin/phpxs -s
由于OPENBSD上的APACHE采用了CHROOT机制,要保证PHP正常工作就要建下面的目录PHP工作目录:
# mkdir /var/www/tmp
# chmod 1777 /var/www/tmp
下面选择安装几个常用PHP组件:
# pkg_add -v php4-gd-4.4.1p4-no_x11.tgz
# /usr/local/sbin/phpxs -a gd
# pkg_add -v php4-mysql-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a mysql
# pkg_add -v php4-ncurses-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a ncurses
# pkg_add -v php4-imap-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a imap
# pkg_add -v php4-curl-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a curl
# pkg_add -v php4-mhash-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a mhash
# pkg_add -v php4-dbx-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a dbx
# pkg_add -v php4-ldap-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a ldap
# pkg_add -v php4-pdf-4.4.1p0.tgz
# /usr/local/sbin/phpxs -a pdf
设置apache支持PHP:
# vi /var/www/conf/httpd.conf
DirectoryIndex index.html index.php
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
4.建立测试php页面
# vi /var/www/htdocs/test.php
<?php phpinfo(); ?>
测试一下:
# apachectl restart
在浏览器中输入http://IP/test.php实验一下
5.下面我们APACHE+SSL
# vi /var/www/conf/httpd.conf
添加下面两行:
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
为了使APACHE启动时启用SSL,设置一下APACHE启动选项:
# vi /etc/rc.conf
改:
httpd_flags="" # or it could have httpd_flags=NO
为:
httpd_flags="-DSSL # or it could have httpd_flags=NO
手动启动和关闭APACHE这样做就可以了:
# apachectl startssl/stop
下面是创建证书过程:
创建服务器KEY文件 (1024 bit) :
# /usr/sbin/openssl genrsa -out /etc/ssl/private/server.key 1024
创建服务器CSR文件(certificate signing request)
# /usr/sbin/openssl req -new -key /etc/ssl/private/server.key -out \
/etc/ssl/private/server.csr
A challenge password []:openbsdrootai
这里自己填写一些注册信息
生成签名证书(365天有效证书):
# /usr/sbin/openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
虚拟主机部分:
========================== VirtualHost ======================
NameVirtualHost 192.168.10.1:*
<VirtualHost 192.168.10.1:443>
ServerAdmin llzqq@126.com
DocumentRoot /var/www/llzqq
ServerName llzqq.home.com
ErrorLog logs/llzqq.home.com-error_log
CustomLog logs/llzqq.home.com-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/virtualsite.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
<VirtualHost 192.168.10.1:80>
ServerAdmin llzgg@126.com
DocumentRoot /var/www/llzgg
ServerName llzgg.home.com
ErrorLog logs/llzgg.home.com-error_log
CustomLog logs/llzgg.home.com-access_log common
</VirtualHost>
========================== VirtualHost ======================
6.配置Pf防火墙:
# > /etc/pf.conf
# vi /etc/pf.conf
========================== pf.conf ======================
ext_if = "{ rl0 }"
noroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
ports = "{ 20, 21, 22 }"
web = "{127.0.0.1}"
set block-policy return
set optimization aggressive
set skip on lo0
scrub in all
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $web port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $web port 443
###to disenable antispoof
antispoof for $ext_if inet
block all
block return
block in quick on $ext_if os NMAP
block in quick on $ext_if from $noroute to any
block out quick on $ext_if from any to $noroute
###enable synproxy for web
pass in on $ext_if proto tcp from any to $web port {80,443} flags S/SA synproxy state
pass quick on $loop all
pass in on $ext_if proto {tcp,udp} from any to any port $ports keep state
pass in quick proto tcp from any to any port 55000 >< 56000 keep state
pass out on $ext_if all keep state
========================== pf.conf ======================
PF启动教本:
# mkdir /etc/rc.d
# vi /etc/rc.d/pf.sh
========================== pf.sh ======================
#!/bin/sh
# made by llzqq
# 02/08/ 2005
# pf startup scripts
case "$1" in
start)
if ifconfig pflog0 >/dev/null 2>&1; then
ifconfig pflog0 up
pflogd ${pflogd_flags}
fi
if [ -f /etc/pf.conf ]; then
/sbin/pfctl -e -F all -f /etc/pf.conf
fi
;;
stop)
/sbin/pfctl -d -F all
/usr/bin/pkill pflogd
/sbin/ifconfig pflog0 down
;;
*)
echo "$0 start | stop"
;;
esac
exit 0
========================== pf.sh ======================
# chmod 550 /etc/rc.d/pf.sh
# vi /etc/rc.local
if [ -f /etc/pf.conf ]; then
/etc/rc.d/pf.sh start
fi
禁用系统自定义的PF规则
# vi /etc/rc.conf
pf=NO
安装PF工具:
# pkg_add -v pfstat-1.7.tgz
# pkg_add -v pftop-0.4.tgz
安装流量检测工具:
# pkg_add -v ifstat-1.1.tgz
附录:
利用OB的源代码修改APACHE的最大连接数和版本号的方法
# cd /usr/src/usr.sbin/httpd
# vi src/include/httpd.h
==============================================
#ifndef HARD_SERVER_LIMIT
#define HARD_SERVER_LIMIT 1024
#endif
#define SERVER_BASEVENDOR "GOD Group"
#define SERVER_BASEPRODUCT "GOD_SITE"
#define SERVER_BASEREVISION "34.06.32"
==============================================
编译安装:
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper cleandir
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
重新启动HTTPD:
# apachectl restart
[ 本帖最后由 llzqq 于 2006-12-30 07:54 编辑 ] |
|