Website technology
Installing nginx + PHP + MySQL on CentOS with yum
yum -y install yum-fastestmirror
yum -y update
yum -y install patch make gcc gcc-c++ gcc-g77 flex bison
yum -y install libtool libtool-libs kernel-devel autoconf
yum -y install libjpeg libjpeg-devel libpng libpng-devel
yum -y install freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel
yum -y install glib2 glib2-devel bzip2 diff*
yum -y install bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs
yum -y install e2fsprogs-devel krb5 krb5-devel libidn libidn-devel
yum -y install openssl openssl-devel vim-minimal
rpm -ihv http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
rpm -ihv http://centos.alt.ru/repository/centos/5/i386/centalt-release-5-3.noarch.rpm
On 64-bit systems, replace i386 with x86_64.
yum -y install mysql mysql-server mysql-devel
yum -y install php php-mysql php-cgi php-mbstring php-gd php-fastcgi php-pear php-pear-DB php-fpm php-cli php-pdo php-mcrypt php-tidy php-xml php-xmlrpc php-pecl-memcache php-eaccelerator
yum -y install nginx
All configuration files are under the /etc directory.
chkconfig mysqld on
chkconfig php-fpm on
chkconfig nginx on
service mysqld start
mysqladmin -u root password rootpassword
Create the www user and group, plus the directories the site needs, including the log directory
groupadd www
useradd -g www www
mkdir -p /home/www
chmod +w /home/www
mkdir -p /home/www/logs
chmod 777 /home/www/logs
chown -R www:www /home/www
vi /etc/nginx/nginx.conf
user www www;
worker_processes 2; # set this according to your CPU and memory; anything from 2 to 10 is OK
error_log /home/www/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
}
http {
include mime.types;
default_type application/octet-stream;
#charset gb2312; # default encoding, optional
server_names_hash_bucket_size 128;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
client_max_body_size 8m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 5;
gzip_types text/plain text/javascript application/x-javascript text/css application/xml;
gzip_vary on;
#limit_zone crawler $binary_remote_addr 10m;
# log_format is only valid at the http level, so it is defined here, before the server blocks that use it
log_format access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
server {
listen 80;
server_name localhost;
root /home/www;
location /status {
stub_status on;
access_log off;
}
location / {
# send every request for a file or directory that does not exist to index.php
try_files $uri $uri/ /index.php?q=$uri&$args;
}
# kept in a separate server.conf, placed in /etc/nginx/, so that further server blocks can include the same settings
include server.conf;
access_log /home/www/logs/access.log access;
}
server {
listen 80;
server_name yourdomain.com;
root /home/www/yourdomain;
if ($host !~* yourdomain\.com$) {
return 444;
}
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
include server.conf; # reused here, so this part does not need repeating
access_log /home/www/logs/yourdomain.com_access.log access;
}
}
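The guard `if ($host !~* yourdomain\.com$)` in the second server block anchors only the end of the host name. The following added example (not part of the original configuration) uses grep -Ei as a stand-in for nginx's case-insensitive regex match to show which constructed Host values that pattern lets through, next to an anchored variant that is an assumption of this example.

```sh
#!/bin/sh
# Added example: which Host values does the "if ($host !~* ...)" guard let through?
# grep -Ei stands in for nginx's case-insensitive regex match; both patterns
# below use only syntax that ERE and PCRE interpret the same way.

PAGE_PATTERN='yourdomain\.com$'                     # pattern from the server block
STRICT_PATTERN='^([a-z0-9-]+\.)*yourdomain\.com$'   # assumption: anchored variant

# host_allowed PATTERN HOST -> exit 0 if the request would NOT get "return 444"
host_allowed() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# Constructed sample Host values.
SAMPLE_HOSTS='yourdomain.com
www.yourdomain.com
notyourdomain.com
yourdomain.com.example.net'

# report PATTERN -> one "host<TAB>allowed" or "host<TAB>444" line per sample host
report() {
    for h in $SAMPLE_HOSTS; do
        if host_allowed "$1" "$h"; then
            printf '%s\tallowed\n' "$h"
        else
            printf '%s\t444\n' "$h"
        fi
    done
}

echo "== page pattern:   $PAGE_PATTERN";   report "$PAGE_PATTERN"
echo "== strict pattern: $STRICT_PATTERN"; report "$STRICT_PATTERN"
```

The page's pattern accepts notyourdomain.com because nothing ties the match to the start of the name or to a label boundary; the anchored variant accepts only the domain and its subdomains.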
vi /etc/nginx/server.conf
index index.html index.htm index.php;
#limit_conn crawler 20;
location ~ /\.ht {
deny all;
}
location ~ .*\.(sqlite|sq3)$ {
deny all;
}
location ~ .*\.php$ {
fastcgi_pass unix:/tmp/php-cgi.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 30d;
access_log off;
}
service php-fpm start
service nginx start
OK!
Test the nginx configuration
/usr/local/nginx/sbin/nginx -t
Command for a graceful nginx reload
/usr/local/nginx/sbin/nginx -s reload
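Creating a system account that can only use SSH "forwarding"
To "get over the wall" (bypass the firewall), a very common approach is to create a user that can log in over ssh on a Linux host abroad (DreamHost, for example) and use an ssh tunnel as a proxy.
The host's owner, however, usually wants to keep that user's privileges to a minimum so that the system is not affected. The simplest way is to prevent the user from logging in.
In fact, ssh can connect to sshd without executing a remote command (by default the user's configured shell is started); just use the -N option.
Create a user named username on the server:
Add the user: useradd -s /bin/false username, which sets the user's shell to /bin/false so that the user cannot interact with the system.
Set the password: passwd username
Tip:
You can also use /usr/bin/passwd as the user's shell, so that the user can log in and change the password themselves. Note that the line /usr/bin/passwd must be added to the /etc/shells file.
After authentication succeeds, sshd checks whether the configured shell is registered in /etc/shells; if it is, sshd forks itself, and the forked child process then execs the configured shell. The -N option of ssh tells sshd that no shell needs to be executed.
Create the tunnel: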
ssh -D 1080 -qfnN username@hostname
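Enter the password and the tunnel is ready to use (key authentication also works).
On Windows, you can use plink.exe or MyEnTunnel (MyEnTunnel itself uses plink.exe to build the tunnel).
The username account can now pass sshd authentication and use TcpForwarding, but it cannot run a shell or interact with the system. That is just right for giving friends an overseas proxy to get over the wall.
Options explained:
-D 1080 creates a dynamic tunnel listening on local port 1080.
-q quiet mode.
-f ssh runs in the background, i.e. after authentication ssh moves to the background.
-n redirects stdio to /dev/null; used together with -f.
-N does not run a remote program, i.e. tells sshd not to run the configured shell.
Reposted from http://www.bsdmap.com/2010/02/22/create-tunnel-user/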
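Whether an account really is limited this way depends on the shell field in /etc/passwd and, for the /usr/bin/passwd tip, on the entry in /etc/shells. The following added example (not part of the reposted article) classifies accounts from passwd(5)- and shells(5)-format files. The sample files and the category names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify accounts by login shell (field 7 of passwd(5)).

# Print USER's login shell from PASSWD_FILE; an empty field means /bin/sh.
login_shell() {
    awk -F: -v u="$1" '
        $1 == u { print ($7 == "" ? "/bin/sh" : $7); found = 1; exit }
        END     { if (!found) exit 1 }' "$2"
}

# classify_account USER PASSWD_FILE SHELLS_FILE
# Category names are made up for this example.
classify_account() {
    shell=$(login_shell "$1" "$2") || { echo "no-such-user"; return 0; }
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "forward-only" ;;              # no usable shell: ssh -N tunnels only
        /usr/bin/passwd)
            # The tip requires this shell to be listed in /etc/shells.
            if grep -qxF "$shell" "$3"; then
                echo "password-change-only"
            else
                echo "passwd-shell-not-registered"
            fi ;;
        *)
            echo "interactive" ;;               # can run commands on the host
    esac
}

# Constructed sample data; pass /etc/passwd and /etc/shells instead to
# check a real host.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tunnel1:x:501:501::/home/tunnel1:/bin/false
tunnel2:x:502:502::/home/tunnel2:/usr/bin/passwd
friend:x:503:503::/home/friend:/bin/bash
legacy:x:504:504::/home/legacy:
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
/bin/sh
/bin/bash
EOF

for u in root tunnel1 tunnel2 friend legacy; do
    printf '%-8s %s\n' "$u" \
        "$(classify_account "$u" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells")"
done
```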
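Successfully installed a fully automated VPN management site: pptpd + nginx + php + mysql + freeradius + daloradius
After several busy evenings and a lot of tutorials, I finally got pptpd + nginx + mysql + freeradius + daloradius working together.
The VPN can now be managed fully automatically through the web.
Configuring SSL for an nginx host
1. An SSL certificate that browsers will accept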
openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key
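Two files, server.csr and server.key, will appear in the current directory.
Then use these two files to buy a server.crt certificate, or to apply to StartSSL for a free one.
Put the three files in a chosen directory, for example /root.
An example nginx configuration file: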
server
{
listen 443;
server_name mydomain.com;
index index.html index.htm index.php;
root /web/www/test;
ssl on;
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;
}
Restart nginx
/usr/local/nginx/sbin/nginx -t
kill -HUP `cat /usr/local/nginx/nginx.pid`
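StartSSL certificates are only trusted by Firefox once the root certificate has been added; before editing the conf file, append the root certificate information to server.crt: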
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem ca.pem >> server.crt
2. Self-signed certificate
openssl genrsa -out server.key 2048
openssl req -new -x509 -key server.key -out server.crt -days 1095
The nginx configuration is the same as above.
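nginx refuses to load a certificate whose private key does not belong to it, so it is worth checking the pair before the reload. The following added example (not from the original post) compares the public key inside server.crt and server.key and checks the remaining validity with openssl. The temporary directory, the second key and the CN value are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: pre-flight checks on a certificate/key pair before nginx loads it.

# Print the PEM public key contained in a certificate or a private key.
pubkey_pem() {   # pubkey_pem cert|key FILE
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# cert_matches_key CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
cert_matches_key() {
    cert_pub=$(pubkey_pem cert "$1") || return 2
    key_pub=$(pubkey_pem key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> 0 if CERT is still valid DAYS days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample: a key and a self-signed certificate made the way
# section 2 describes (plus -subj to skip the prompts), and an unrelated key.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/server.key" -out "$WORK/server.crt" \
    -days 1095 -subj "/CN=mydomain.com" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

for key in server.key other.key; do
    if cert_matches_key "$WORK/server.crt" "$WORK/$key"; then
        echo "server.crt + $key: key matches"
    else
        echo "server.crt + $key: MISMATCH"
    fi
done
cert_valid_for_days "$WORK/server.crt" 30 &&
    echo "server.crt: valid for at least 30 more days"
```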
3. nginx conf configuration that forces access over https
server
{
listen 443;
listen 80;
server_name servername;
index index.html index.htm index.php;
root /web/test;
ssl on;
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;
error_page 497 "https://$host$uri?$args";
}
or
error_page 497 "https://$host$uri$is_args$args";
nginx rewrite rules for WordPress MU
1. Wildcard DNS for the domain;
2. Rewrite rules in the nginx conf
rewrite ^.*/files/(.*) /wp-content/blogs.php?file=$1;
rewrite ^/.*(/wp-content/themes/.*\.(html|jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js))$ $1 last;
if (!-e $request_filename) {
rewrite ^.+?(/wp-.*) $1 last;
rewrite ^.+?(/.*\.php)$ $1 last;
rewrite ^ /index.php last;
}
Installing the pptpd VPN on a Xen VPS running CentOS
1. Install the ppp and iptables services
yum install -y ppp iptables
2. Download the latest pptpd rpm package
32-bit
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.i386.rpm
64-bit
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.x86_64.rpm
3. Install the downloaded rpm package
32-bit
rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm
64-bit
rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm
4. Set the DNS servers pptpd uses for name resolution
vi /etc/ppp/options.pptpd
ms-dns 8.8.8.8
ms-dns 8.8.4.4
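5. Set the values used when dialing in: user name, dial-in type, user password and source IP address (the user name and password can be anything you like, the dial-in type must be pptpd, and * for the source IP means no restriction)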
vi /etc/ppp/chap-secrets
vpnuser pptpd vpnpassword *
6. Set the local IP and the remote IP range
vi /etc/pptpd.conf
localip 192.168.8.1
remoteip 192.168.8.2-30
7. Enable IP forwarding and load the setting immediately (this relates to the NAT forwarding in step 9)
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
/sbin/sysctl -p
8. Start the pptpd service and enable it at boot
/sbin/service pptpd start
chkconfig pptpd on
9. Start iptables, add the NAT forwarding rule, then save it (iptables already starts at boot, so chkconfig iptables on is not needed)
/sbin/service iptables start
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.8.0/24 -j MASQUERADE
service iptables save
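10. On Windows, create a VPN dial-up connection under Local Area Connection, enter the user name and password, and you are connected.
Tips:
Forwarding rule for servers with multiple IP addresses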
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source 192.168.8.1
or
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source SERVER_PUBLIC_IP
If devices such as an iPhone can connect but web pages or YouTube load very slowly, make the following change:
vi /etc/ppp/ip-up
Add the line
/sbin/ifconfig $1 mtu 1400
Or modify the iptables rules
iptables -A FORWARD -p tcp --syn -s 192.168.8.0/24 -j TCPMSS --set-mss 1356
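The value 1356 may need adjusting; tune it to the largest value at which the network still works normally.
Installing Nginx + PHP + MySQL on CentOS (suitable for a VPS)
1. Update the system and install the required libraries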
yum -y install yum-fastestmirror
yum -y update
yum -y install patch make gcc gcc-c++ gcc-g77 flex bison
yum -y install libtool libtool-libs kernel-devel autoconf
yum -y install libjpeg libjpeg-devel libpng libpng-devel
yum -y install freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel
yum -y install glib2 glib2-devel bzip2 diff*
yum -y install bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs
yum -y install e2fsprogs-devel krb5 krb5-devel libidn libidn-devel
yum -y install openssl openssl-devel vim-minimal
yum -y install fonts-chinese scim-chewing scim-pinyin scim-tables-chinese
2. Download the source packages
wget http://catlnmp.googlecode.com/files/libiconv-1.13.1.tar.gz
wget http://catlnmp.googlecode.com/files/libmcrypt-2.5.8.tar.gz
wget http://catlnmp.googlecode.com/files/mhash-0.9.9.9.tar.gz
wget http://catlnmp.googlecode.com/files/mcrypt-2.6.8.tar.gz
wget http://catlnmp.googlecode.com/files/mysql-5.1.44.tar.gz
wget http://php-fpm.org/downloads/php-5.2.13-fpm-0.5.13.diff.gz
wget http://www.sfr-fresh.com/unix/www/php-5.2.13.tar.gz
wget http://catlnmp.googlecode.com/files/memcache-2.2.5.tgz
wget http://catlnmp.googlecode.com/files/PDO_MYSQL-1.0.2.tgz
wget http://catlnmp.googlecode.com/files/eaccelerator-0.9.6.tar.bz2
wget http://catlnmp.googlecode.com/files/ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
wget http://catlnmp.googlecode.com/files/ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz
wget http://catlnmp.googlecode.com/files/pcre-8.01.tar.gz
wget http://catlnmp.googlecode.com/files/nginx-0.7.65.tar.gz
wget http://catlnmp.googlecode.com/files/phpMyAdmin-3.2.4-all-languages.tar.gz
wget http://catlnmp.googlecode.com/files/index.php
3. Start the installation, beginning with the libraries PHP needs
tar zxvf libiconv-1.13.1.tar.gz
cd libiconv-1.13.1/
./configure --prefix=/usr/local
make
make install
cd ../
tar zxvf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8/
./configure
make
make install
/sbin/ldconfig
cd libltdl/
./configure --enable-ltdl-install
make
make install
cd ../../
tar zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9/
./configure
make
make install
cd ../
ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1
ln -s /usr/local/bin/libmcrypt-config /usr/bin/libmcrypt-config
tar zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8/
./configure
make
make install
cd ../
4. Install MySQL
tar -zxvf mysql-5.1.44.tar.gz
cd mysql-5.1.44
./configure --prefix=/usr/local/mysql --enable-assembler --with-charset=utf8 --with-extra-charsets=all --enable-thread-safe-client --with-big-tables --with-readline --with-ssl --with-embedded-server --enable-local-infile --without-debug --with-mysqld-ldflags=-ltcmalloc_minimal --enable-thread-safe-client --enable-server
make && make install
cd ../
Create the MySQL database, using the default my.cnf configuration
groupadd mysql
useradd -g mysql mysql
cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf
/usr/local/mysql/bin/mysql_install_db --user=mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql/.
Add the MySQL startup service and set the root password
cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysql
chmod 755 /etc/init.d/mysql
chkconfig --level 345 mysql on
echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
echo "/usr/local/lib" >>/etc/ld.so.conf
ldconfig
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
service mysql start
/usr/local/mysql/bin/mysqladmin -u root password rootpass # change rootpass to the password you want
service mysql restart
service mysql stop
5. Install PHP (FastCGI mode)
tar zxvf php-5.2.13.tar.gz
gzip -cd php-5.2.13-fpm-0.5.13.diff.gz | patch -d php-5.2.13 -p1
cd php-5.2.13/
./buildconf --force
./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring --with-mcrypt --with-gd --enable-gd-native-ttf --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-ftp --with-openssl --with-pear=/usr/local/php/pear --disable-debug
make ZEND_EXTRA_LIBS='-liconv'
make install
cp php.ini-dist /usr/local/php/etc/php.ini
cd ../
6. Install the PHP extension modules
The PHP guardian, Suhosin (optional)
wget -c http://catlnmp.googlecode.com/files/suhosin-0.9.29.tgz
tar zxvf suhosin-0.9.29.tgz
cd suhosin-0.9.29/
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config
make
make install
cd ../
tar zxvf memcache-2.2.5.tgz
cd memcache-2.2.5/
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config
make
make install
cd ../
tar zxvf PDO_MYSQL-1.0.2.tgz
cd PDO_MYSQL-1.0.2/
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config --with-pdo-mysql=/usr/local/mysql
make
make install
cd ../
tar jxvf eaccelerator-0.9.6.tar.bz2
cd eaccelerator-0.9.6/
/usr/local/php/bin/phpize
./configure --enable-eaccelerator=shared --with-php-config=/usr/local/php/bin/php-config
make
make install
cd ../
Install Zend Optimizer, 32-bit version
tar zxvf ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
mkdir -p /usr/local/zend/
cp ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/ZendOptimizer.so /usr/local/zend/
On a 64-bit system, use instead:
tar zxvf ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz
mkdir -p /usr/local/zend/
cp ZendOptimizer-3.3.9-linux-glibc23-x86_64/data/5_2_x_comp/ZendOptimizer.so /usr/local/zend/
Configure php.ini
cat >>/usr/local/php/etc/php.ini<<EOF
zend_optimizer.optimization_level=1
zend_extension="/usr/local/zend/ZendOptimizer.so"
EOF
7. Edit the php.ini file
Manually: find extension_dir = "./" in /usr/local/php/etc/php.ini
and change it to extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"
then add the following lines after it and save:
extension = "memcache.so"
extension = "pdo_mysql.so"
Then find output_buffering = Off
and change it to output_buffering = On
Automatically: the following shell commands make the same changes to php.ini:
sed -i 's#extension_dir = "./"#extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"\nextension = "memcache.so"\nextension = "pdo_mysql.so"\n#' /usr/local/php/etc/php.ini
sed -i 's#output_buffering = Off#output_buffering = On#' /usr/local/php/etc/php.ini
8. Configure eAccelerator to speed up PHP:
Create the cache directory
mkdir -p /usr/local/eaccelerator_cache
Configure php.ini
cat >>/usr/local/php/etc/php.ini<<EOF
zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
eaccelerator.shm_size="1"
eaccelerator.cache_dir="/usr/local/eaccelerator_cache"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="3600"
eaccelerator.shm_prune_period="3600"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys = "disk_only"
eaccelerator.sessions = "disk_only"
eaccelerator.content = "disk_only"
EOF
9. Create the www user and group, plus the directories the site needs, including the log directory
groupadd www
useradd -g www www
mkdir -p /home/www
chmod +w /home/www
mkdir -p /home/www/logs
chmod 777 /home/www/logs
chown -R www:www /home/www
10. Create the php-fpm configuration file
rm -f /usr/local/php/etc/php-fpm.conf
vi /usr/local/php/etc/php-fpm.conf
Enter the following. I set the number of processes to 5; to change the process count, change the 5.
<?xml version="1.0" ?>
All relative paths in this config are relative to php's install prefix
Error log file
Log level
When this amount of php processes exited with SIGSEGV or SIGBUS ...
... in a less than this interval of time, a graceful restart will be initiated.
Useful to work around accidental corruptions in accelerator's shared memory.
Time limit on waiting child's reaction on signals from master
Set to 'no' to debug fpm
Address to accept fastcgi requests on.
Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
Set listen(2) backlog
Set permissions for unix socket, if one used.
In Linux read/write permissions must be set in order to allow connections from web server.
Many BSD-derived systems allow connections regardless of permissions.
Additional php.ini defines, specific to this pool of workers.
Unix user of processes
Unix group of processes
Process manager settings
Sets style of controlling worker process count.
Valid values are 'static' and 'apache-like'
Sets the limit on the number of simultaneous requests that will be served.
Equivalent to Apache MaxClients directive.
Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
Used with any pm_style.
Settings group for 'apache-like' pm style
Sets the number of server processes created on startup.
Used only when 'apache-like' pm_style is selected
Sets the desired minimum number of idle server processes.
Used only when 'apache-like' pm_style is selected
Sets the desired maximum number of idle server processes.
Used only when 'apache-like' pm_style is selected
The timeout (in seconds) for serving a single request after which the worker process will be terminated
Should be used when 'max_execution_time' ini option does not stop script execution for some reason
'0s' means 'off'
The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
'0s' means 'off'
The log file for slow requests
Set open file desc rlimit
Set max core size rlimit
Chroot to this directory at the start, absolute path
Chdir to this directory at the start, absolute path
Redirect workers' stdout and stderr into main error log.
If not set, they will be redirected to /dev/null, according to FastCGI specs
How many requests each process should execute before respawn.
Useful to work around memory leaks in 3rd party libraries.
For endless request processing please specify 0
Equivalent to PHP_FCGI_MAX_REQUESTS
Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
Makes sense only with AF_INET listening socket.
Pass environment variables like LD_LIBRARY_PATH
All $VARIABLEs are taken from current environment
11. Start the php-cgi processes, listening on port 9000 of 127.0.0.1, with 5 processes running as user www
ulimit -SHn 65535
/usr/local/php/sbin/php-fpm start
Note: /usr/local/php/sbin/php-fpm also accepts other arguments: start|stop|quit|restart|reload|logrotate. After changing php.ini, use reload to load the new configuration without restarting php-cgi.
12. Install Nginx
tar zxvf pcre-8.01.tar.gz
cd pcre-8.01/
./configure
make && make install
cd ../
tar zxvf nginx-0.7.65.tar.gz
cd nginx-0.7.65/
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module
make && make install
cd ../
13. Create the Nginx configuration file
mkdir -p /usr/local/nginx/conf/servers
rm -f /usr/local/nginx/conf/nginx.conf
vi /usr/local/nginx/conf/nginx.conf
Enter the following:
user www www;
worker_processes 1;
error_log /home/www/logs/nginx_error.log crit;
pid /usr/local/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
events
{
use epoll;
worker_connections 65535;
}
http
{
include mime.types;
default_type application/octet-stream;
#charset gb2312;
server_names_hash_bucket_size 128;
client_header_buffer_size 128k;
large_client_header_buffers 4 256k;
client_max_body_size 8m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 9;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
output_buffers 4 32k;
postpone_output 1460;
#limit_zone crawler $binary_remote_addr 10m;
server
{
listen 80;
server_name vps.imcat.in;
index index.html index.htm index.php;
include location.conf;
root /home/www;
}
include servers/*;
}
14. Create the location.conf file in the /usr/local/nginx/conf/ directory:
vi /usr/local/nginx/conf/location.conf
Enter:
location ~ .*\.(php|php5)?$
{
#fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
To manage multiple sites, add configuration files to the /usr/local/nginx/conf/servers directory, in this format:
vi /usr/local/nginx/conf/servers/yourwebsite.conf
Contents:
server
{
listen 80;
server_name yourdomain;
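index index.html index.htm index.php;
include location.conf; # pass .php requests to PHP as in the main server block, instead of serving the source as a static file
root /home/www/yourwebsite;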
}
Note that I have not enabled Nginx logging.
Start Nginx:
ulimit -SHn 65535
/usr/local/nginx/sbin/nginx
Drop in a probe page to take a look
mv index.php /home/www/
Now visit your IP and see!
15. Install phpMyAdmin to manage the MySQL databases
tar zxvf phpMyAdmin-3.2.4-all-languages.tar.gz
mv phpMyAdmin-3.2.4-all-languages /home/www/phpmyadmin
16. Start Nginx + PHP automatically at boot
echo "ulimit -SHn 65535" >>/etc/rc.local
echo "/usr/local/php/sbin/php-fpm start" >>/etc/rc.local
echo "/usr/local/nginx/sbin/nginx" >>/etc/rc.local
17. Tune the Linux kernel parameters (I have only used this on a Xen VPS; it failed on an OpenVZ VPS. Use with care; this step is optional.)
vi /etc/sysctl.conf
Append at the end
# Add
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
Apply the settings immediately:
/sbin/sysctl -p
18. If you need FTP, vsftpd is a simple option to install:
yum -y install vsftpd
/etc/init.d/vsftpd start
chkconfig --level 345 vsftpd on
19. Be sure to change the www user's password:
passwd www
Reposted from imcat.in
OpenVPN notes
vi /etc/sysctl.conf
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.2.3.4
/sbin/iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j MASQUERADE
/etc/init.d/iptables save
/etc/init.d/iptables restart
vi /etc/sysconfig/iptables
cat /etc/sysconfig/iptables

