这是第一部分,< 系统安装后的初始环境设置 >
主要内容有:
[用户管理与用户安全]
[设置系统时间及自动同步系统时间]
[关闭不需要的服务]
[系统更新]
[用OpenSSH构建SSH服务器]
CentOS+Nginx+PHP+Mysql+安全指南全环境搭建笔记(1)
- 系统安装后的初始环境设置
[普通用户的建立与删除]
# useradd lovemoon
↑ 建立用户名为 lovemoon 的普通用户
# passwd lovemoon
↑ 为用户 lovemoon 设置密码
Changing password for user lovemoon.
New UNIX password:
↑ 输入密码(密码不会被显示)
Retype new UNIX password:
↑ 再次输入密码确认两次密码一致
passwd: all authentication tokens updated successfully.
↑ 密码设置成功
#userdel -r lovemoon
↑ 删除用户名为 lovemoon 的普通用户
[将普通用户设置到不同的用户组中]
# usermod -G wheel lovemoon
↑ 将普通用户 lovemoon 加在管理员组wheel组中
# usermod -G wheel,www lovemoon
↑ 将普通用户 lovemoon 同时加在wheel和www组中
[设置只有管理员wheel组才可以使用su命令进入root权限]
# vi /etc/pam.d/su ← 打开这个配置文件
auth required /lib/security/$ISA/pam_wheel.so use_uid
↑ 修改文件为此状态(大约在第6行的位置)
# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
↑ 添加语句到login.defs文件行末
[设置系统时间及自动同步系统时间]
# yum install Cy ntp
↑ 安装NTP官方的时间同步程序 (NTP:中国国家授时中心)
# /usr/sbin/ntpdate -s pool.ntp.org
↑ 以NTP官方服务器为准调整本地时间
# crontab -e
↑ 编辑计划任务列表
0 3 * * * /usr/sbin/ntpdate -s pool.ntp.org
↑ 编辑文件到此状态,表示每天凌晨3点自动同步时间
# /sbin/service crond reload
↑ 重载计划任务配置
[关闭不需要的服务]
# setup
↑ 开启图形设置界面
选择System service 进入服务列表
使用"空格"键选择"[*]"或取消"[ ]"服务
只保留以下服务,未列出的服务一律关闭:
crond
irqbalance
↑ 仅当服务器CPU为S.M.P架构或支持双核心、HT技术时,才需开启,否则关闭。
iptables
microcode_ctl
network
sshd
syslog
vsftpd
yum-updatesd
[系统更新]
# vi /etc/yum.repos.d/CentOS-Base.repo
↑ 修改系统更新地址文件
将所有"baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/"
修改为"baseurl=http://mirrors.shlug.org/centos/$releasever/os/$basearch/"
# yum -y upgrade
↑ 更新系统文件
[用OpenSSH构建SSH服务器]
# vi /etc/ssh/sshd_config
↑ 用vi打开SSH的配置文件
将"#Protocol 2,1"
修改为 "Protocol 2"
↑ 只允许SSH2方式的连接(Centos 5.2中已包含此设置)
将"#ServerKeyBits 768"
修改为 "ServerKeyBits 1024"
↑ 将ServerKey强度改为1024比特
将"#PermitRootLogin yes"
修改为 "PermitRootLogin no"
↑ 不允许用root进行登录(wheel组用户SSH登陆后可用su命令使用root权限)
将"#PasswordAuthentication yes"
修改为 "PasswordAuthentication no"
↑ 不允许密码方式的登录(SSH远程管理用密钥登陆会安全很多)
将"#PermitEmptyPasswords no"
修改为 "PermitEmptyPasswords no"
↑ 不允许空密码登录
# vi /etc/hosts.deny
↑ 修改屏蔽规则,在此限定仅有哪些IP地址可以SSH远程登陆本服务器
sshd: ALL
↑ 在文件末尾添加这一行,屏蔽所有的SSH连接请求
# vi /etc/hosts.allow
↑ 修改允许规则,在此限定仅有哪些IP地址可以SSH远程登陆本服务器
sshd:222.17.177.
sshd:10.3.92.25
sshd:10.3.97.137
↑ 在文件末尾添加这三行,只允许来自222.17.177网段、IP地址为10.3.92.25和IP地址为10.3.97.137的SSH连接请求
# /etc/rc.d/init.d/sshd restart
↑ 重新启动SSH服务器
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
↑ SSH服务器重新启动成功
# su -lovemoon
↑ 用普通用户 lovemoon 登陆服务器
$ ssh-keygen -t rsa
↑ 建立公钥与私钥
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kaz/.ssh/id_rsa):
↑ 钥匙的文件名,这里保持默认直接回车
Created directory ‘/home/kaz/.ssh’
Enter passphrase (empty for no passphrase):
↑ 输入密钥口令(使用SSH远程软件时会用到)
Enter same passphrase again:
↑ 再次输入密钥口令(使用SSH远程软件时会用到)
Your identification has been saved in /home/kaz/.ssh/id_rsa.
↑ 建立了id_rsa私钥文件
Your public key has been saved in /home/kaz/.ssh/id_rsa.pub.
↑ 建立了id_rsa.pub公钥文件
$ cd ~/.ssh
↑ 进入 lovemoon 用户SSH配置文件的目录(~/目录相当于/home/lovemoon/)
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
↑ 公钥内容输出到authorized_keys文件中
$ rm -f ~/.ssh/id_rsa.pub
↑ 删除原来的公钥文件
$ chmod 400 ~/.ssh/authorized_keys
↑ 将新建立的公钥文件属性设置为400
$ exit
↑ 退出普通用户的登录
登陆为root用户,插入U盘
# fdisk -l
↑ 显示目前所有硬盘,找到U盘设备名为sdb1 (具体情况具体对待,这里各服务器有所不同)
# mount /dev/sdb1 /mnt
↑ 挂载U盘设备到/mnt目录
# mv /home/lovemoon/.ssh/id_rsa /mnt/
↑ 移动id_rsa私钥文件到U盘中
# umount /mnt/
↑ 卸载U盘
-Nginx+PHP+MySQL环境搭建
[利用yum命令配置、升级所需程序库]
# sudo -s
# LANG=C
# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel
↑安装、升级这些程序库
[下载环境所需文件到指定目录]
# mkdir -p /software
↑ 在根目录建立software文件夹
# cd /software
↑ 进入software文件夹
# wget http://sysoev.ru/nginx/nginx-0.7.19.tar.gz
# wget http://www.php.net/get/php-5.2.6.tar.gz/from/this/mirror
# wget http://php-fpm.anight.org/downloads/head/php-5.2.6-fpm-0.5.9.diff.gz
# wget http://blog.s135.com/soft/linux/mysql/mysql-5.1.26-rc.tar.gz
# wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.12.tar.gz
# wget http://mirror.optus.net/sourceforge/m/mc/mcrypt/libmcrypt-2.5.8.tar.gz
# wget http://mirror.optus.net/sourceforge/m/mc/mcrypt/mcrypt-2.6.7.tar.gz
# wget http://pecl.php.net/get/memcache-2.2.3.tgz
# wget http://mirror.optus.net/sourceforge/m/mh/mhash/mhash-0.9.9.tar.gz
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.7.tar.gz
# wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2
↑ 下载这些文件到software目录
[编译安装PHP 5.2.6所需的支持库]
# tar zxvf libiconv-1.12.tar.gz
↑ 解压(tar) 参数(zxvf) 文件名(libiconv-1.12.tar.gz)
# cd libiconv-1.12/
↑ 进入解压出来的文件的文件夹(libiconv-1.12)
# ./configure –prefix=/usr/local
↑ 配置安装信息 指定安装目录为/usr/local
# make
↑ make安装文件
# make install
↑ 开始安装
# cd ../
↑ 返回上级目录(此处即software目录)
# tar zxvf libmcrypt-2.5.8.tar.gz
# cd libmcrypt-2.5.8/
# ./configure
# make
# make install
# /sbin/ldconfig
# cd libltdl/
# ./configure –enable-ltdl-install
# make
# make install
# cd ../../
# tar zxvf mhash-0.9.9.tar.gz
# cd mhash-0.9.9/
# ./configure
# make
# make install
# cd ../
# cp /usr/local/lib/libmcrypt.* /usr/lib
# ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
# tar zxvf mcrypt-2.6.7.tar.gz
# cd mcrypt-2.6.7/
# ./configure
# make
# make install
# cd ../
[编译安装MySQL 5.1.26-rc]
# /usr/sbin/groupadd mysql
↑ 建立mysql用户组
# /usr/sbin/useradd -g mysql mysql
↑ 建立mysql用户到mysql用户组中
# tar zxvf mysql-5.1.26-rc.tar.gz
# cd mysql-5.1.26-rc/
# ./configure –prefix=/usr/local/webserver/mysql/ –enable-assembler –with-extra-charsets=complex –enable-thread-safe-client –with-big-tables –with-readline –with-ssl –with-embedded-server –enable-local-infile
# make && make install
# chmod +w /usr/local/webserver/mysql
# chown -R mysql:mysql /usr/local/webserver/mysql
# cp support-files/my-medium.cnf /usr/local/webserver/mysql/my.cnf
# cd ../
# /usr/local/webserver/mysql/bin/mysql_install_db –defaults-file=/usr/local/webserver/mysql/my.cnf –basedir=/usr/local/webserver/mysql –datadir=/usr/local/webserver/mysql/data –user=mysql –pid-file=/usr/local/webserver/mysql/mysql.pid –skip-locking –port=3306 –socket=/tmp/mysql.sock
↑ 以mysql用户帐号的身份建立数据表
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/local/mysql//bin/mysqladmin -u root password ‘new-password’
/usr/local/mysql//bin/mysqladmin -u root -h localhost.localdomain password ‘new-password’
Alternatively you can run:
/usr/local/mysql//bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr/local/mysql/ ; /usr/local/mysql//bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/local/mysql//bin/mysqlbug script!
# /bin/sh /usr/local/webserver/mysql/bin/mysqld_safe –defaults-file=/usr/local/webserver/mysql/my.cnf &
↑ 启动MySQL(最后的&表示在后台运行)
[编译安装PHP(FastCGI模式)]
# tar zxvf php-5.2.6.tar.gz
# gzip -cd php-5.2.6-fpm-0.5.9.diff.gz | patch -d php-5.2.6 -p1
# cd php-5.2.6/
# ./configure –prefix=/usr/local/webserver/php –with-config-file-path=/usr/local/webserver/php/etc –with-mysql=/usr/local/webserver/mysql –with-mysqli=/usr/local/webserver/mysql/bin/mysql_config –with-iconv-dir=/usr/local –with-freetype-dir –with-jpeg-dir –with-png-dir –with-zlib –with-libxml-dir=/usr –enable-xml –disable-rpath –enable-discard-path –enable-safe-mode –enable-bcmath –enable-shmop –enable-sysvsem –enable-inline-optimization –with-curl –with-curlwrappers –enable-mbregex –enable-fastcgi –enable-fpm –enable-force-cgi-redirect –enable-mbstring –with-mcrypt –with-gd –enable-gd-native-ttf –with-openssl
# sed -i ‘s#-lz -lm -lxml2 -lz -lm -lxml2 -lz -lm -lcrypt#& -liconv#’ Makefile
# make
# make install
# cp php.ini-dist /usr/local/webserver/php/etc/php.ini
# cd ../
[编译安装PHP5扩展模块]
# tar zxvf memcache-2.2.3.tgz
# cd memcache-2.2.3/
# /usr/local/webserver/php/bin/phpize
# ./configure –with-php-config=/usr/local/webserver/php/bin/php-config
# make
# make install
# cd ../
# tar jxvf eaccelerator-0.9.5.3.tar.bz2
# cd eaccelerator-0.9.5.3/
# /usr/local/webserver/php/bin/phpize
# ./configure –enable-eaccelerator=shared –with-php-config=/usr/local/webserver/php/bin/php-config
# make
# make install
# cd ../
[修改php.ini文件]
手工修改:
# vi /usr/local/webserver/php/etc/php.ini
将 " extension_dir = "./" "
修改为 " extension_dir = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20060613/" "
将 "output_buffering = Off"
修改为 " output_buffering = On "
extension = "memcache.so"
↑ 文件末尾增加此行
自动修改(已使用手动修改的跳过):
# sed -i ‘s#extension_dir = "./"#extension_dir = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20060613/"\nextension = "memcache.so"\n#’ /usr/local/webserver/php/etc/php.ini
# sed -i ‘s#output_buffering = Off#output_buffering = On#’ /usr/local/webserver/php/etc/php.ini
[配置eAccelerator加速PHP]
# mkdir -p /usr/local/webserver/eaccelerator_cache
# vi /usr/local/webserver/php/etc/php.ini
按shift+g键跳到配置文件的最末尾,加入以下配置信息:
[eaccelerator]
zend_extension="/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
eaccelerator.shm_size="128"
eaccelerator.cache_dir="/usr/local/webserver/eaccelerator_cache"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="300"
eaccelerator.shm_prune_period="120"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
# vi /etc/sysctl.conf
↑ 修改配置文件
将 "kernel.shmmax = **********"
修改为 "kernel.shmmax = 134217728"
# /sbin/sysctl -p
↑ 执行此命令使配置生效
[创建www用户和组]
# /usr/sbin/groupadd www -g 48
↑ 创建www用户组并指定组ID为48
# /usr/sbin/useradd -u 48 -g www www
↑ 创建www用户到www用户组中
# mkdir -p /wwwroot
↑ 在根目录中创建wwwroot网站目录
# chmod +w /wwwroot
↑ 给wwwroot目录增加可写权限
# chown -R www:www /wwwroot
↑ 使wwwroot目录所属用户组为www,所属用户为www
[创建php-fpm配置文件]
php-fpm是为PHP打的一个FastCGI管理补丁,可以平滑变更php.ini配置而无需重启php-cgi
# rm -f /usr/local/webserver/php/etc/php-fpm.conf
↑ 删除原有php-fpm.conf文件
# vi /usr/local/webserver/php/etc/php-fpm.conf
↑ 建立新的php-fpm.conf文件并启动vi编辑器编辑该文件
输入以下内容(请注意以下内容中"↑"标志后的内容不能出现在实际文件中):
<?xml version="1.0" ?>
<configuration>
All relative paths in this config are relative to php’s install prefix
<section name="global_options">
Pid file
<value name="pid_file">/usr/local/webserver/php/logs/php-fpm.pid</value>
Error log file
<value name="error_log">/usr/local/webserver/php/logs/php-fpm.log</value>
Log level
<value name="log_level">notice</value>
When this amount of php processes exited with SIGSEGV or SIGBUS …
<value name="emergency_restart_threshold">10</value>
… in a less than this interval of time, a graceful restart will be initiated.
Useful to work around accidental curruptions in accelerator’s shared memory.
<value name="emergency_restart_interval">1m</value>
Time limit on waiting child’s reaction on signals from master
<value name="process_control_timeout">5s</value>
Set to ‘no’ to debug fpm
<value name="daemonize">yes</value>
</section>
<workers>
<section name="pool">
Name of pool. Used in logs and stats.
<value name="name">default</value>
Address to accept fastcgi requests on.
Valid syntax is ‘ip.ad.re.ss:port’ or just ‘port’ or ‘/path/to/unix/socket’
<value name="listen_address">127.0.0.1:9000</value>
<value name="listen_options">
Set listen(2) backlog
<value name="backlog">-1</value>
Set permissions for unix socket, if one used.
In Linux read/write permissions must be set in order to allow connections from web server.
Many BSD-derrived systems allow connections regardless of permissions.
<value name="owner"></value>
<value name="group"></value>
<value name="mode">0666</value>
</value>
Additional php.ini defines, specific to this pool of workers.
<value name="php_defines">
<value name="sendmail_path">/usr/sbin/sendmail -t -i</value>
<value name="display_errors">0</value>
↑ 如果安装 Nginx + PHP 用于程序调试,则此处应设置为"1"以显示PHP错误信息,设置为"0" Nginx 会报状态为500的空白错误页
</value>
Unix user of processes
<value name="user">www</value>
Unix group of processes
<value name="group">www</value>
Process manager settings
<value name="pm">
Sets style of controling worker process count.
Valid values are ‘static’ and ‘apache-like’
<value name="style">static</value>
Sets the limit on the number of simultaneous requests that will be served.
Equivalent to Apache MaxClients directive.
Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
Used with any pm_style.
<value name="max_children">64</value>
↑ 进程数为64,如果服务器内存大于3GB,可以只开启128-200个进程
Settings group for ‘apache-like’ pm style
<value name="apache_like">
Sets the number of server processes created on startup.
Used only when ‘apache-like’ pm_style is selected
<value name="StartServers">20</value>
Sets the desired minimum number of idle server processes.
Used only when ‘apache-like’ pm_style is selected
<value name="MinSpareServers">5</value>
Sets the desired maximum number of idle server processes.
Used only when ‘apache-like’ pm_style is selected
<value name="MaxSpareServers">35</value>
</value>
</value>
The timeout (in seconds) for serving a single request after which the worker process will be terminated
Should be used when ‘max_execution_time’ ini option does not stop script execution for some reason
‘0s’ means ‘off’
<value name="request_terminate_timeout">0s</value>
The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
‘0s’ means ‘off’
<value name="request_slowlog_timeout">0s</value>
The log file for slow requests
<value name="slowlog">logs/slow.log</value>
Set open file desc rlimit
<value name="rlimit_files">51200</value>
Set max core size rlimit
<value name="rlimit_core">0</value>
Chroot to this directory at the start, absolute path
<value name="chroot"></value>
Chdir to this directory at the start, absolute path
<value name="chdir"></value>
Redirect workers’ stdout and stderr into main error log.
If not set, they will be redirected to /dev/null, according to FastCGI specs
<value name="catch_workers_output">yes</value>
How much requests each process should execute before respawn.
Useful to work around memory leaks in 3rd party libraries.
For endless request processing please specify 0
Equivalent to PHP_FCGI_MAX_REQUESTS
<value name="max_requests">10240</value>
Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
Makes sense only with AF_INET listening socket.
<value name="allowed_clients">127.0.0.1</value>
Pass environment variables like LD_LIBRARY_PATH
All $VARIABLEs are taken from current environment
<value name="environment">
<value name="HOSTNAME">$HOSTNAME</value>
<value name="PATH">/usr/local/bin:/usr/bin:/bin</value>
<value name="TMP">/tmp</value>
<value name="TMPDIR">/tmp</value>
<value name="TEMP">/tmp</value>
<value name="OSTYPE">$OSTYPE</value>
<value name="MACHTYPE">$MACHTYPE</value>
<value name="MALLOC_CHECK_">2</value>
</value>
</section>
</workers>
</configuration>
[启动php-cgi进程,监听127.0.0.1的9000端口]
# ulimit -SHn 51200
# /usr/local/webserver/php/sbin/php-fpm start
[安装Nginx所需的pcre库]
# tar zxvf pcre-7.7.tar.gz
# cd pcre-7.7/
# ./configure
# make && make install
# cd ../
[安装Nginx 0.7.19]
# tar zxvf nginx-0.7.19.tar.gz
# cd nginx-0.7.19/
# ./configure –user=www –group=www –prefix=/usr/local/webserver/nginx –with-http_stub_status_module –with-http_ssl_module
# make
# make install
# cd ../
[创建Nginx日志目录]
# mkdir -p /logs
# chmod +w /logs
# chown -R www:www /logs
[创建nginx.conf配置文件]
# rm -f /usr/local/webserver/nginx/conf/nginx.conf
# vi /usr/local/webserver/nginx/conf/nginx.conf
输入以下内容(请注意以下内容中"↑"标志后的内容不能出现在实际文件中):
user www www;
worker_processes 8;
↑ Nginx每个进程耗费10M~12M内存
error_log /logs/nginx_error.log warn;
pid /usr/local/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
}
http
{
include mime.types;
default_type application/octet-stream;
#charset gb2312;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
limit_zone crash $binary_remote_addr 10m;
↑ 定义一个叫“crash”的记录区,总容量为 10M,以变量 $binary_remote_addr 作为会话的判断基准(即一个地址一个会话),当区的大小为 1M 的时候,大约可以记录 32000 个会话信息(一个会话占用 32 bytes)
server
{
listen 80;
server_name 222.17.177.205;
index index.html index.htm index.php;
root /wwwroot;
#limit_conn crash 5;
↑ *此处已被#注释掉了,即不起作用*定义整个网站的限制。此处为在"crash"记录区中,以变量 $binary_remote_addr 作为会话的判断基准(即一个地址一个会话),限制网站全局目录,一个会话只能进行5个连接(即一个IP只能发起5个连接,多过5个,一律503错误)
location ~ .*\.(php|php5)?$
{
#fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 1h;
}
location /resource/ {
limit_conn crash 2;
↑ 定义resource目录的限制。此处为在"crash"记录区中,以变量 $binary_remote_addr 作为会话的判断基准(即一个地址一个会话),限制resource目录,一个会话只能进行2个连接(即一个IP只能发起2个连接,多过2个,一律503错误)
}
log_format access ‘$remote_addr – $remote_user [$time_local] "$request" ‘
‘$status $body_bytes_sent "$http_referer" ‘
‘"$http_user_agent" $http_x_forwarded_for’;
access_log /logs/access.log access;
sendfile on;
tcp_nopush on;
client_max_body_size 50m;
↑ 网站程序中允许上传的最大size,这里设置成50M,这里只是nginx的限制,PHP本身限制2M
}
}
[创建fcgi.conf配置文件]
# vi /usr/local/webserver/nginx/conf/fcgi.conf
输入以下内容:
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with –enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
[启动Nginx]
# ulimit -SHn 51200
# /usr/local/webserver/nginx/sbin/nginx
[在不停止Nginx服务的情况下平滑变更Nginx配置]
修改/usr/local/webserver/nginx/conf/nginx.conf配置文件后,请执行以下命令检查配置文件是否正确:
# /usr/local/webserver/nginx/sbin/nginx -t
如果测试ok successfully,则可以使用下面命令重启Nginx
(第1种)# pkill nginx
# /usr/local/webserver/nginx/conf/nginx.conf
(第2种)# kill -HUP `cat /usr/local/webserver/nginx/nginx.pid`
# /usr/local/webserver/nginx/conf/nginx.conf
(第3种)# ps -ef | grep "nginx: master process" | grep -v "grep" | awk -F ‘ ‘ ‘{print $2}’
# kill -HUP 数字
↑ 此数字来自于上一条命令执行后屏幕输出的数字,即Nginx的pid进程号
# /usr/local/webserver/nginx/conf/nginx.conf
如果屏幕显示以下两行信息,说明配置文件正确:
the configuration file /usr/local/webserver/nginx/conf/nginx.conf syntax is ok
the configuration file /usr/local/webserver/nginx/conf/nginx.conf was tested successfully
[配置开机自动启动Nginx + PHP + MySQL]
# vi /etc/rc.local
在末尾增加以下内容:
/bin/sh /usr/local/webserver/mysql/bin/mysqld_safe –defaults-file=/usr/local/webserver/mysql/my.cnf &
ulimit -SHn 51200
/usr/local/webserver/php/sbin/php-fpm start
/usr/local/webserver/nginx/sbin/nginx
[优化Linux内核参数]
# vi /etc/sysctl.conf
在文件末尾增加以下内容:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
# /sbin/sysctl -p
↑ 使配置立即生效
[编写每天定时切割Nginx日志的脚本]
# vi /usr/local/webserver/nginx/sbin/cut_nginx_log.sh
↑ 创建切割脚本
输入以下内容:
#!/bin/bash
# This script run at 00:00
# The Nginx logs path
logs_path="/logs/"
mkdir -p ${logs_path}$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")/
mv ${logs_path}access.log ${logs_path}$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")/access_$(date -d "yesterday" +"%Y%m%d").log
mv ${logs_path}nginx_error.log ${logs_path}$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")/nginx_error_$(date -d "yesterday" +"%Y%m%d").log
kill -USR1 `cat /usr/local/webserver/nginx/nginx.pid`
[设置切割日志的计划任务]
# crontab -e
↑ 编辑计划任务列表
输入以下内容:
00 00 * * * /bin/bash /usr/local/webserver/nginx/sbin/cut_nginx_log.sh
↑ 每天凌晨00:00切割nginx访问日志
)。于是我在网上一通搜索,找了一些以PHP开发的开源系统工作平台,包括: 
!
