基于CentOS构建高性能的LAMP平台
大纲:
一、系统 安装二、编译安装基本环境 三、配置虚拟主机及基本性能调优四、基本安全设置五、附录及相关介绍一、系统安装 1. 分区 /boot 100M左右 SWAP 物理内存 的2倍(如果你的物理内存大于4G以上,分配4G即可) / 15G /usr/local 20G (用于安装软件 ) /data 剩余所有空间2. 系统初始化脚本 (根据具体需求关闭不需要的服务 ) #vi init.sh -------------------cut begin------------------------------------------- #welcome cat << EOF +--------------------------------------------------------------+ | === Welcome to Centos System init === | +--------------http://www.linuxtone.org------------------------+ +----------------------Author:NetSeek--------------------------+ EOF #disable ipv6 cat << EOF +--------------------------------------------------------------+ | === Welcome to Disable IPV6 === | +--------------------------------------------------------------+ EOF echo "alias net-pf-10 off" >> /etc/ mod probe.conf echo "alias ipv6 off" >> /etc/modprobe.conf /sbin/chkconfig --level 35 ip6tables off echo "ipv6 is disabled!" #disable selinux sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config echo "selinux is disabled,you must reboot!" #vim sed -i "8 s/^/alias vi='vim'/" /root/.bashrc echo 'syntax on' > /root/.vimrc #zh_cn sed -i -e 's/^LANG=.*/LANG="zh_CN.GB18030"/' /etc/sysconfig/i18n #tunoff services #-------------------------------------------------------------------------------- cat << EOF +--------------------------------------------------------------+ | === Welcome to Tunoff services === | +--------------------------------------------------------------+ EOF #--------------------------------------------------------------------------------- for i in `ls /etc/rc3.d/S*` do CURSRV=`echo $i|cut -c 15-` echo $CURSRV case $CURSRV in crond | irqbalance | microcode_ctl | network | random | sendmail | ssh d | syslog | local | mysql d ) echo "Base services, Skip!" ;; *) echo "change $CURSRV to off" chkconfig --level 235 $CURSRV off service $CURSRV stop ;; esac done -------------------cut end------------------------------------------- #sh init.sh (执行上面保存的脚本,仍后重启)
二、编译安装基本环境
1. 安装准备 1) 系统约定 软件源代码包存放位置 /usr/local/src 源码包编译安装位置(prefix) /usr/local/software_name 脚本以及维护程序 存放位置 /usr/local/sbin MySQL 数据库 位置 /data/mysql/data(可按情况设置) Apache 网站根目录 /data/www/wwwroot(可按情况设置) Apache 虚拟主机日志 根目录 /data/www/logs(可按情况设置) Apache 运行 账户 www:www (useradd -d /data/www/;chown www.www /data/www/wwwroot) 2) 系统环境部署及调整 检查系统是否正常 # tail -n100 /var/log/messages (检查有无系统级错误信息) # dmesg (检查硬件设备是否有错误信息) # ifconfig(检查网卡设置是否正确) # ping (检查网络 是否正常) 3) 使用 yum 程序安装所需开发 包(以下为标准的 RPM 包名称) #rpm --import #yum install ntp vim-enhanced gcc gcc-c++ gcc-g77 flex bison autoconf automake bzip2-devel / ncurses-devel zlib-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel libXpm-devel / gettext-devel pam-devel kernel 4) 定时校正服务器 时钟,定时与中国 国家授时中心授时服务器同步 # crontab -e 加入一行: 15 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&12. 编译安装软件包 源码编译安装所需包(Source) 1) GD2 # cd /usr/local/src # tar xvf gd-2.0.35.tar.gz # cd gd-2.0.35 # ./configure --prefix=/usr/local/gd2 # make # make install 2) LibXML2 # cd /usr/local/src # tar xvf libxml2-2.6.29.tar.bz2 # cd libxml2-2.6.29 # ./configure --prefix=/usr/local/libxml2 # make # make install 3) LibMcrypt # cd /usr/local/src # tar xvf libmcrypt-2.5.8.tar.bz2 # cd libmcrypt-2.5.8 # ./configure --prefix=/usr/local/libmcrypt # make # make install 4) Apache日志截断程序 # cd /usr/local/src # tar xvf cronolog-1.6.2.tar.gz # cd cronolog-1.6.2 # ./configure --prefix=/usr/local/cronolog # make # make install3. 升级OpenSSL和OpenSSH # cd /usr/local/src # tar xvf openssl-0.9.8g.tar.gz # cd openssl-0.9.8g # ./config --prefix=/usr/local/openssl # make # make test# make install # cd .. # tar xvf openssh-5.0p1.tar.gz # cd openssh-5.0p1# ./configure /"--prefix=/usr" /"--with-pam" /"--with-zlib" /"--sysconfdir=/etc/ssh" /"--with-ssl-dir=/usr/local/openssl" /"--with-md5-passwords" # make # make install 1) 禁用 SSH V1 协议 找到#Protocol 2,1改为:Protocol 2 2) 禁用服务器端GSSAPI 找到以下两行,并将它们注释: GSSAPIAuthentication yes GSSAPICleanupCredentials yes 3) 禁用 DNS 名称解析 找到:#UseDNS yeas改为:UseDNS no 4)禁用客户端 GSSAPI # vi /etc/ssh/ssh_config 找到:GSSAPIAuthentication yes 将这行注释掉。 最后,确认修改正确后重新启动 SSH 服务 # service sshd restart # ssh -v 确认 OpenSSH 以及 OpenSSL 版本正确。以上SSH配置可利用以下脚本自动修改: -------------------cut begin------------------------------------------- #init_ssh ssh_cf="/etc/ssh/sshd_config" sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' $ssh_cf sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf #client sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' $ssh_cf echo "ssh is init is ok.............." -------------------cut end---------------------------------------------
三、编译安装A.M.P环境1.下载软件编译安装 1)下载软件 # cd /usr/local/src httpd-2.2.8.tar.gz mysql-5.0.51b.tar.gz php-5.2.6.tar.bz2 ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz 2) 安装MySQL 查看分析你的CPU型号: 查找您的GCC编译参数. 确定系统CPU类型: # cat /proc/cpuinfo | grep "model name" 执行后会看到系统中CPU的具体型号,记下CPU型号。 # tar xvf mysql-5.0.51b.tar.gz # cd mysql-5.0.51b # vi mysql.sh #sh mysql.sh 即可开始编译. 3) 编译安装Apache # cd /usr/local/src # tar xvf httpd-2.2.8.tar.gz # cd httpd-2.2.8 4.)编译安装PHP # cd /usr/local/src # tar xjvf php-5.2.6.tar.bz2 # cd php-5.2.6 5)Xcache的安装. #tar xvf xcache-1.2.2.tar.gz #vi /usr/local/php/etc/php.ini (将以下内容加入php.ini最后面) 6) 安装Zend Optimizer # cd /usr/local/src # tar xzvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz # ./ZendOptimizer-3.3.3-linux-glibc23-i386/install.sh 安装Zend Optimizer过程的最后不要选择重启Apache。 2. 整合Apache与PHP及系统初化配置. 1)整合Apache与PHP # vi /usr/local/apache2/conf/httpd.conf 找到: AddType application/x-gzip .gz .tgz 在该行下面添加 AddType application/x-httpd-php .php 找到: <IfModule dir_module> DirectoryIndex index.html </IfModule> 将该行改为 <IfModule dir_module> DirectoryIndex index.html index.htm index.php </IfModule> 找到: #Include conf/extra/httpd-mpm.conf #Include conf/extra/httpd-info.conf #Include conf/extra/httpd-vhosts.conf (虚拟主机配置文件存放目录.) #Include conf/extra/httpd-default.conf 去掉前面的“#”号,取消注释。 注意:以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置! 修改完成后保存退出。 # /usr/local/apache2/bin/apachectl restart 2)查看确认L.A.M.P环境信息、提升 PHP 安全性 在网站根目录放置 info.php 脚本,检查phpinfo中的各项信息是否正确。 <?php phpinfo(); ?> 确认 PHP 能够正常工作后,在 php.ini 中进行设置提升 PHP 安全性,禁掉危险的函数. # vi /etc/php.ini找到:disable_functions =设置为:phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server 3)脚本自动完成初始化配置(以上配置可以用脚本自动化完成) #cat init_apache_php.sh 三、配置虚拟主机及基本性能调优 1) 配置虚拟主机: #vi /usr/local/apache2/conf/extra/httpd-vhosts.conf 2).基本性能调优参考:(更多的调优相关文章请关注: 性能调优相关的贴子) #vi /usr/local/apache2/conf/extra/httpd-default.conf #vi /usr/local/apache2/conf/extra/httpd-mpm.conf 3).Apache日志处理相关问题汇总贴( ) 利用awstats分析网站日志: 忽略不需要的日志配置参考具体请据据具体问题分析: LogFormat "%{X-Forwarded-For}i %l %u %t /"%r/" %>s %b /"%{Referer}i/" /"%{User-Agent}i/"" combined #下面加入如下内容: quot; dontlog SetEnvIf Request_URI /.healthcheck/.html$ dontlog SetEnvIf Remote_Addr "::1" dontlog SetEnvIf Request_URI "/.getPing.php[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "^/error/.html[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.gif[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.jpg[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.css[ DISCUZ_CODE_9 ]quot; dontlog [/code]4). Apache防盗链(Apache防盗链相关问题汇总: ) 四、基本安全设置 1)iptables 封锁相关端口(推荐读CU白金大哥的两小时玩转iptables) 2)SSH全安(修改SSH端口限制来源IP登陆,或者参考 ) 3)Linux防Arp攻击策略( ) 4)注意(还是那句老话:安全工作从细节做起!) 五、附录及相关介绍 1)参考文档(感谢): Discuz!公司Nanu先生文章的相关链接: 配置全能WEB(05年文章参考): LinuxTone.Org(Apache相关问题专题贴): 感谢网友eddiechen提出相关问题!
-------------------cut begin------------------------------------------- CHOST="i686-pc-linux-gnu" CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer" CXXFLAGS="${CFLAGS}" ./configure / "--prefix=/usr/local/mysql" / "--localstatedir=/data/mysql/data" / "--with-comment=Source" / "--with-server-suffix=-LinuxTone" / "--with-mysqld-user=mysql" / "--without-debug" / "--with-big-tables" / "--with-charset=gbk" / "--with-collation=gbk_chinese_ci" / "--with-extra-charsets=all" / "--with-pthread" / "--enable-static" / "--enable-thread-safe-client" / "--with-client-ldflags=-all-static" / "--with-mysqld-ldflags=-all-static" / "--enable-assembler" / "--without-isam" / "--without-innodb" / "--without-ndb-debug" make && make install mkdir -p /data/mysql/data useradd mysql -d /data/mysql -s /sbin/nologin /usr/local/mysql/bin/mysql_install_db --user=mysql cd /usr/local/mysql chown -R root:mysql . chown -R mysql /data/mysql/data cp share/mysql/my-huge.cnf /etc/my.cnf cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld chmod 755 /etc/rc.d/init.d/mysqld chkconfig --add mysqld /etc/rc.d/init.d/mysqld start cd /usr/local/mysql/bin for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done -------------------cut end---------------------------------------------
./configure / "--prefix=/usr/local/apache2" / "--with-included-apr" / "--enable-so" / "--enable-deflate=shared" / "--enable-expires=shared" / "--enable-rewrite=shared" / "--enable-static-support" / "--disable-userdir" make make install echo '/usr/local/apache2/bin/apachectl start ' >> /etc/rc.local
./configure / "--prefix=/usr/local/php" / "--with-apxs2=/usr/local/apache2/bin/apxs" / "--with-config-file-path=/usr/local/php/etc" / "--with-mysql=/usr/local/mysql" / "--with-libxml-dir=/usr/local/libxml2" / "--with-gd=/usr/local/gd2" / "--with-jpeg-dir" / "--with-png-dir" / "--with-bz2" / "--with-freetype-dir" / "--with-iconv-dir" / "--with-zlib-dir " / "--with-openssl=/usr/local/openssl" / "--with-mcrypt=/usr/local/libmcrypt" / "--enable-soap" / "--enable-gd-native-ttf" / "--enable-ftp" / "--enable-mbstring" / "--enable-exif" / "--disable-ipv6" / "--disable-cgi" / "--disable-cli" #禁掉ipv6,禁掉cli模式,提升速度和安全性.请根据具体需求定制相关的编译数. make make install mkdir /usr/local/php/etc cp php.ini-dist /usr/local/php/etc/php.ini
#/usr/local/php/bin/phpize ./configure --enable-xcache --enable-xcache-coverager --with-php-config=/usr/local/php/bin/php-config / --enable-inline-optimization --disable-debug
-------------------cut begin------------------------------------------- [xcache-common] zend_extension = /usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/xcache.so [xcache.admin] xcache.admin.user = "admin" ;如何生成md5密码: echo -n "password"| md5sum xcache.admin.pass = "035d849226a8a10be1a5e0fec1f0f3ce" #密码为52netseek [xcache] ; Change xcache.size to tune the size of the opcode cache xcache.size = 24M xcache.shm_scheme = "mmap" xcache.count = 4 xcache.slots = 8K xcache.ttl = 0 xcache.gc_interval = 0 ; Change xcache.var_size to adjust the size of variable cache xcache.var_size = 8M xcache.var_count = 1 xcache.var_slots = 8K xcache.var_ttl = 0 xcache.var_maxttl = 0 xcache.var_gc_interval = 300 xcache.test = Off xcache.readonly_protection = On xcache.mmap_path = "/tmp/xcache" xcache.coredump_directory = "" xcache.cacher = On xcache.stat = On xcache.optimizer = Off [xcache.coverager] xcache.coverager = On xcache.coveragedump_directory = "" -------------------cut end---------------------------------------------
-------------------cut begin------------------------------------------- #!/bin/bash #Written by :NetSeek http://www.linuxtone.org #init_httpd.conf http_cf="/usr/local/apache2/conf/httpd.conf" sed -i -e "s/User daemon/User www/" -i -e "s/Group daemon/Group www/" $http_cf sed -i -e '121 s/^/#/' -i -e '122 s/^/#/' $http_cf sed -i 's#DirectoryIndex index.html# DirectoryIndex index.php index.html index.htm#/g' $http_cf sed -i -e '374 s/^#//g' -i -e '389 s/^#//g' -i -e '392 s/^#//g' -i -e '401 s/^#//g' $http_cf #init_php(PHP安全设置及隐藏PHP版本) php_cf="/usr/local/php/etc/php.ini" sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $php_cf sed -i '210 s#disable_functions =#disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server#g' $php_cf sed -i '/expose_php/s/On/Off/' $php_cf sed -i '/display_errors/s/On/Off/' $php_cf -------------------cut end-------------------------------------------
NameVirtualHost *:80 <VirtualHost *:80> ServerAdmin cnseek@gmail.com DocumentRoot "/data/www/wwwroot/linuxtone.org" ServerName www.linuxtone.org ServerAlias bbs.linxutone.org ErrorLog "logs/dummy-host.example.com-error_log" CustomLog "|/usr/sbin/cronolog /data/logs/access_www.linuxtone.org.%Y%m%d" combined </VirtualHost>
Timeout 15 KeepAlive Off MaxKeepAliveRequests 50 KeepAliveTimeout 5 UseCanonicalName Off AccessFileName .htaccess ServerTokens Prod ServerSignature Off HostnameLookups Off
<IfModule mpm_prefork_module> ServerLimit 2000 StartServers 10 MinSpareServers 10 MaxSpareServers 15 MaxClients 2000 MaxRequestsPerChild 10000 </IfModule>
# filter the localhost visit SetEnvIf Remote_Addr "127/.0/.0/.1" dontlog # filter some special directories SetEnvIf Request_URI "^ZendPlatform.*[code] # filter the localhost visit SetEnvIf Remote_Addr "127/.0/.0/.1" dontlog # filter some special directories SetEnvIf Request_URI "^ZendPlatform.*[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI /.healthcheck/.html$ dontlog SetEnvIf Remote_Addr "::1" dontlog SetEnvIf Request_URI "/.getPing.php[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "^/error/.html[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.gif[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.jpg[ DISCUZ_CODE_9 ]quot; dontlog SetEnvIf Request_URI "/.css[ DISCUZ_CODE_9 ]quot; dontlog
RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www/.)?mydomain.com/.*$ [NC] RewriteRule /.(gif|jpg)$ http://网站域名/nolink.png [R,L]