
centos5.3搭建安全高效的LNMP服务器


操作系統基于centos 5.3
#!/bin/bash
?# BY kerryhu
?# QQ:263205768
?# MAIL:king_819@163.com
?# BLOG:http://kerry.blog.51cto.com
# Please run the yum install below manually before starting.
# yum install ntp vim-enhanced gcc gcc-c++ flex bison autoconf \
?# automake bzip2-devel ncurses-devel libjpeg-devel libpng-devel \
?# libtiff-devel freetype-devel pam-devel kernel netconfig
#============================更新系統時間===========================================
?yum install ntp
?ntpdate time.nist.gov
?crontab -e
?00 01 * * * /usr/sbin/ntpdate time.nist.gov
#============================安裝開源組件===========================================
?sudo -s
?LANG=C
?yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
#============================下載安裝包=============================================
?cd /opt
?wget http://sysoev.ru/nginx/nginx-0.8.34.tar.gz
wget http://www.php.net/get/php-5.2.13.tar.gz/from/this/mirror
wget http://php-fpm.org/downloads/php-5.2.13-fpm-0.5.13.diff.gz
wget http://mirrors.sohu.com/mysql/MySQL-5.5/mysql-5.5.2-m2.tar.gz
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.tar.gz
wget "http://downloads.sourceforge.net/mcrypt/libmcrypt-2.5.8.tar.gz?modtime=1171868460&big_mirror=0"
?wget "http://downloads.sourceforge.net/mcrypt/mcrypt-2.6.8.tar.gz?modtime=1194463373&big_mirror=0"
?wget http://pecl.php.net/get/memcache-2.2.5.tgz
wget "http://downloads.sourceforge.net/mhash/mhash-0.9.9.9.tar.gz?modtime=1175740843&big_mirror=0"
?wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.01.tar.gz
wget http://bart.eaccelerator.net/source/0.9.6/eaccelerator-0.9.6.tar.bz2
wget http://pecl.php.net/get/PDO_MYSQL-1.0.2.tgz
wget http://blog.s135.com/soft/linux/nginx_php/imagick/ImageMagick.tar.gz
wget http://pecl.php.net/get/imagick-2.3.0.tgz
#============================編譯安裝php所需的支持庫=================================
?cd /opt
?tar zxvf libiconv-1.13.tar.gz
?cd libiconv-1.13/
?./configure --prefix=/usr/local
?make;make install
?cd ../
tar zxvf libmcrypt-2.5.8.tar.gz
?cd libmcrypt-2.5.8/
?./configure
?make;make install
?/sbin/ldconfig
?cd libltdl/
?./configure --enable-ltdl-install
?make;make install
?cd ../../
tar zxvf mhash-0.9.9.9.tar.gz
?cd mhash-0.9.9.9/
?./configure
?make;make install
?cd ../
ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
?ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
?ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
?ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
?ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
?ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
?ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
?ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
?ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1
tar zxvf mcrypt-2.6.8.tar.gz
?cd mcrypt-2.6.8/
?/sbin/ldconfig
?./configure
?make;make install
?cd ../
#=============================編譯安裝MySQL 5.5.2-m2=========================
?cd /opt
?mkdir -p /usr/local/mysql
?useradd mysql -d /usr/local/mysql -s /sbin/nologin
?tar zxvf mysql-5.5.2-m2.tar.gz
?cd mysql-5.5.2-m2/
?./configure --prefix=/usr/local/mysql/ --enable-assembler --with-extra-charsets=complex --enable-thread-safe-client --with-big-tables --with-readline --with-ssl --with-embedded-server --enable-local-infile --with-plugins=partition,innobase,myisammrg
?make;make install
?chown -R mysql:mysql /usr/local/mysql/
mkdir -p /data/mysql/data
?mkdir -p /data/mysql/binlog
?mkdir -p /data/mysql/relaylog
?mkdir -p /data/mysql/mysql
?chown -R mysql:mysql /data/mysql
?/usr/local/mysql/bin/mysql_install_db --basedir=/usr/local/mysql --datadir=/data/mysql/data --user=mysql
#編輯mysql配置文件
?vi /data/mysql/my.cnf
?[client]
?character-set-server = utf8
?port??? = 3306
?socket? = /tmp/mysql.sock
[mysqld]
?character-set-server = utf8
?replicate-ignore-db = mysql
?replicate-ignore-db = test
?replicate-ignore-db = information_schema
?user??? = mysql
?port??? = 3306
?socket? = /tmp/mysql.sock
?basedir = /usr/local/mysql
?datadir = /data/mysql/data
?log-error = /data/mysql/mysql_error.log
?pid-file = /data/mysql/mysql.pid
?open_files_limit??? = 10240
?back_log = 600
?max_connections = 5000
?max_connect_errors = 6000
?table_cache = 614
?external-locking = FALSE
?max_allowed_packet = 32M
?sort_buffer_size = 1M
?join_buffer_size = 1M
?thread_cache_size = 300
?thread_concurrency = 8
?query_cache_size = 512M
?query_cache_limit = 2M
?query_cache_min_res_unit = 2k
?default-storage-engine = MyISAM
?thread_stack = 192K
?transaction_isolation = READ-COMMITTED
?tmp_table_size = 246M
?max_heap_table_size = 246M
?long_query_time = 3
?log-slave-updates
?log-bin = /data/mysql/binlog/binlog
?binlog_cache_size = 4M
?binlog_format = MIXED
?max_binlog_cache_size = 8M
?max_binlog_size = 100M
?relay-log-index = /data/mysql/relaylog/relaylog
?relay-log-info-file = /data/mysql/relaylog/relaylog
?relay-log = /data/mysql/relaylog/relaylog
?expire_logs_days = 30
?key_buffer_size = 256M
?read_buffer_size = 1M
?read_rnd_buffer_size = 16M
?bulk_insert_buffer_size = 64M
?myisam_sort_buffer_size = 128M
?myisam_max_sort_file_size = 10G
?myisam_repair_threads = 1
?myisam_recover
interactive_timeout = 120
?wait_timeout = 120
skip-name-resolve
?master-connect-retry = 10
?slave-skip-errors = 1032,1062,126,1114,1146,1048,1396
#master-host???? =?? 192.168.1.2
?#master-user???? =?? username
?#master-password =?? password
?#master-port???? =? 3306
server-id = 1
innodb_additional_mem_pool_size = 16M
?innodb_buffer_pool_size = 512M
?innodb_data_file_path = ibdata1:256M:autoextend
?innodb_file_io_threads = 4
?innodb_thread_concurrency = 8
?innodb_flush_log_at_trx_commit = 2
?innodb_log_buffer_size = 16M
?innodb_log_file_size = 128M
?innodb_log_files_in_group = 3
?innodb_max_dirty_pages_pct = 90
?innodb_lock_wait_timeout = 120
?innodb_file_per_table = 0
#log-slow-queries = /data/mysql/slow.log
?#long_query_time = 10
[mysqldump]
?quick
?max_allowed_packet = 32M
#設置mysql啟動文件
?cp support-files/mysql.server /etc/rc.d/init.d/mysqld
?sed -i 's#basedir=#basedir=/usr/local/mysql#' /data/mysql/my.cnf
?sed -i 's#datadir=#datadir=/data/mysql/data#' /data/mysql/my.cnf??
?chmod 700 /etc/rc.d/init.d/mysqld
?/etc/rc.d/init.d/mysqld start
?chkconfig --add mysqld
?chkconfig --level 2345 mysqld on
?ln -s /usr/local/mysql/bin/mysql /sbin/mysql
?ln -s /usr/local/mysql/bin/mysqladmin /sbin/mysqladmin
#設置root密碼(1q2w3e 僅為示例,部署時請換成強密碼;密碼直接寫在命令列會留在 shell 歷史與 ps 輸出中)
?mysqladmin -u root password 1q2w3e
#配置庫文件搜索路徑
?echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
?ldconfig
#添加/usr/local/mysql/bin到環境變量PATH中
?export PATH=$PATH:/usr/local/mysql/bin
#添加mysql管理帳戶
?mysql -h localhost -u root -p1q2w3e
mysql> use mysql;
mysql> grant all on *.* to 'kerry'@'172.16.16.150' identified by 'kerry1q2w3e';
mysql> flush privileges;
mysql> exit;

#==========================編譯安裝PHP(FastCGI模式)===============================
?#編譯安裝php-5.2.13
?cd /opt
?tar zxvf php-5.2.13.tar.gz
?gzip -cd php-5.2.13-fpm-0.5.13.diff.gz | patch -d php-5.2.13 -p1
?cd php-5.2.13/
?./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-fastcgi --enable-fpm --enable-force-cgi-redirect --enable-mbstring --with-mcrypt --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-ldap --with-ldap-sasl --with-xmlrpc --enable-zip --enable-soap
?make ZEND_EXTRA_LIBS='-liconv'
?make install
?cp php.ini-dist /usr/local/php/etc/php.ini
?cd ../
#編譯安裝PHP5擴展模塊
?tar zxvf memcache-2.2.5.tgz
?cd memcache-2.2.5/
?/usr/local/php/bin/phpize
?./configure --with-php-config=/usr/local/php/bin/php-config
?make;make install
?cd ../
tar jxvf eaccelerator-0.9.6.tar.bz2
?cd eaccelerator-0.9.6/
?/usr/local/php/bin/phpize
?./configure --enable-eaccelerator=shared --with-php-config=/usr/local/php/bin/php-config
?make;make install
?cd ../
tar zxvf PDO_MYSQL-1.0.2.tgz
?cd PDO_MYSQL-1.0.2/
?/usr/local/php/bin/phpize
?./configure --with-php-config=/usr/local/php/bin/php-config --with-pdo-mysql=/usr/local/mysql
?make;make install
?cd ../
tar zxvf ImageMagick.tar.gz
?cd ImageMagick-6.5.1-2/
?./configure
?make;make install
?cd ../
tar zxvf imagick-2.3.0.tgz
?cd imagick-2.3.0/
?/usr/local/php/bin/phpize
?./configure --with-php-config=/usr/local/php/bin/php-config
?make;make install
?cd ../

#手動修改php.ini文件
???? 手工修改:查找/usr/local/php/etc/php.ini中的extension_dir = "./"
?  修改為extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"
?  并在此行后增加以下幾行,然后保存:
?  extension = "memcache.so"
?  extension = "pdo_mysql.so"
?  extension = "imagick.so"
  再查找output_buffering = Off
?  修改為output_buffering = On
#自動修改php.ini文件
?sed -i 's#extension_dir = "./"#extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"\nextension = "memcache.so"\nextension = "pdo_mysql.so"\nextension = "imagick.so"\n#' /usr/local/php/etc/php.ini
?sed -i 's#output_buffering = Off#output_buffering = On#' /usr/local/php/etc/php.ini
?sed -i "s#; always_populate_raw_post_data = On#always_populate_raw_post_data = On#g" /usr/local/php/etc/php.ini
#配置eAccelerator加速PHP:
?mkdir -p /usr/local/eaccelerator_cache
vi /usr/local/php/etc/php.ini
?[eaccelerator]
?zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
?eaccelerator.shm_size="64"
?eaccelerator.cache_dir="/usr/local/eaccelerator_cache"
?eaccelerator.enable="1"
?eaccelerator.optimizer="1"
?eaccelerator.check_mtime="1"
?eaccelerator.debug="0"
?eaccelerator.filter=""
?eaccelerator.shm_max="0"
?eaccelerator.shm_ttl="3600"
?eaccelerator.shm_prune_period="3600"
?eaccelerator.shm_only="0"
?eaccelerator.compress="1"
?eaccelerator.compress_level="9"
#創建www用戶和組,以及供blog.56diy.com和www.56diy.com兩個虛擬主機使用的目錄:
groupadd www
?useradd -g www -s /sbin/nologin www
?mkdir -p /data/www/blog.56diy.com
?chmod +w /data/www/blog.56diy.com
?chown -R www:www /data/www/blog.56diy.com
?mkdir -p /data/www/www.56diy.com
?chmod +w /data/www/www.56diy.com
?chown -R www:www /data/www/www.56diy.com
#創建php-fpm配置文件(php-fpm是為PHP打的一個FastCGI管理補丁,可以平滑變更php.ini配置而無需重啟php-cgi):
?mv /usr/local/php/etc/php-fpm.conf /usr/local/php/etc/php-fpm.conf.bak
?vi /usr/local/php/etc/php-fpm.conf
#//輸入以下內容(如果您安裝 Nginx + PHP 用于程序調試,請將以下的<value name="display_errors">0</value>改為<value name="display_errors">1</value>,以便顯示PHP錯誤信息,否則,Nginx 會報狀態為500的空白錯誤頁):
?<?xml version="1.0" ?>
?<configuration>
? All relative paths in this config are relative to php's install prefix
? <section name="global_options">
??? Pid file
???? <value name="pid_file">/usr/local/php/logs/php-fpm.pid</value>
??? Error log file
???? <value name="error_log">/usr/local/php/logs/php-fpm.log</value>
??? Log level
???? <value name="log_level">notice</value>
??? When this amount of php processes exited with SIGSEGV or SIGBUS ...
???? <value name="emergency_restart_threshold">10</value>
??? ... in a less than this interval of time, a graceful restart will be initiated.
???? Useful to work around accidental curruptions in accelerator's shared memory.
???? <value name="emergency_restart_interval">1m</value>
??? Time limit on waiting child's reaction on signals from master
???? <value name="process_control_timeout">5s</value>
??? Set to 'no' to debug fpm
???? <value name="daemonize">yes</value>
? </section>
? <workers>
??? <section name="pool">
????? Name of pool. Used in logs and stats.
?????? <value name="name">default</value>
????? Address to accept fastcgi requests on.
?????? Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
?????? <value name="listen_address">127.0.0.1:9000</value>
????? <value name="listen_options">
??????? Set listen(2) backlog
???????? <value name="backlog">-1</value>
??????? Set permissions for unix socket, if one used.
???????? In Linux read/write permissions must be set in order to allow connections from web server.
???????? Many BSD-derrived systems allow connections regardless of permissions.
???????? <value name="owner"></value>
???????? <value name="group"></value>
???????? <value name="mode">0666</value>
?????? </value>
????? Additional php.ini defines, specific to this pool of workers.
?????? <value name="php_defines">
???????? <value name="sendmail_path">/usr/sbin/sendmail -t -i</value>
???????? <value name="display_errors">0</value>
?????? </value>
????? Unix user of processes
?????? <value name="user">www</value>
????? Unix group of processes
?????? <value name="group">www</value>
????? Process manager settings
?????? <value name="pm">
??????? Sets style of controling worker process count.
???????? Valid values are 'static' and 'apache-like'
???????? <value name="style">static</value>
??????? Sets the limit on the number of simultaneous requests that will be served.
???????? Equivalent to Apache MaxClients directive.
???????? Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
???????? Used with any pm_style.
???????? <value name="max_children">128</value>
??????? Settings group for 'apache-like' pm style
???????? <value name="apache_like">
????????? Sets the number of server processes created on startup.
?????????? Used only when 'apache-like' pm_style is selected
?????????? <value name="StartServers">20</value>
????????? Sets the desired minimum number of idle server processes.
?????????? Used only when 'apache-like' pm_style is selected
?????????? <value name="MinSpareServers">5</value>
????????? Sets the desired maximum number of idle server processes.
?????????? Used only when 'apache-like' pm_style is selected
?????????? <value name="MaxSpareServers">35</value>
??????? </value>
????? </value>
????? The timeout (in seconds) for serving a single request after which the worker process will be terminated
?????? Should be used when 'max_execution_time' ini option does not stop script execution for some reason
?????? '0s' means 'off'
?????? <value name="request_terminate_timeout">0s</value>
????? The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
?????? '0s' means 'off'
?????? <value name="request_slowlog_timeout">0s</value>
????? The log file for slow requests
?????? <value name="slowlog">logs/slow.log</value>
????? Set open file desc rlimit
?????? <value name="rlimit_files">65535</value>
????? Set max core size rlimit
?????? <value name="rlimit_core">0</value>
????? Chroot to this directory at the start, absolute path
?????? <value name="chroot"></value>
????? Chdir to this directory at the start, absolute path
?????? <value name="chdir"></value>
????? Redirect workers' stdout and stderr into main error log.
?????? If not set, they will be redirected to /dev/null, according to FastCGI specs
?????? <value name="catch_workers_output">yes</value>
????? How much requests each process should execute before respawn.
?????? Useful to work around memory leaks in 3rd party libraries.
?????? For endless request processing please specify 0
?????? Equivalent to PHP_FCGI_MAX_REQUESTS
?????? <value name="max_requests">1024</value>
????? Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
?????? Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
?????? Makes sense only with AF_INET listening socket.
?????? <value name="allowed_clients">127.0.0.1</value>
????? Pass environment variables like LD_LIBRARY_PATH
?????? All $VARIABLEs are taken from current environment
?????? <value name="environment">
???????? <value name="HOSTNAME">$HOSTNAME</value>
???????? <value name="PATH">/usr/local/bin:/usr/bin:/bin</value>
???????? <value name="TMP">/tmp</value>
???????? <value name="TMPDIR">/tmp</value>
???????? <value name="TEMP">/tmp</value>
???????? <value name="OSTYPE">$OSTYPE</value>
???????? <value name="MACHTYPE">$MACHTYPE</value>
???????? <value name="MALLOC_CHECK_">2</value>
?????? </value>
??? </section>
? </workers>
</configuration>
#啟動php-cgi進程,監聽127.0.0.1的9000端口,<value name="max_children">128</value>進程數為128(如果服務器內存小于3GB,可以只開啟64個進程),用戶為www:
?ulimit -SHn 65535
?/usr/local/php/sbin/php-fpm start
?#//注:/usr/local/php/sbin/php-fpm還有其他參數,包括:start|stop|quit|restart|reload|logrotate,修改php.ini后不重啟php-cgi,重新加載配置文件使用reload。
#==================================安裝Nginx 0.8.34 =========================================
?#安裝Nginx所需的pcre庫:
?cd /opt
?tar zxvf pcre-8.01.tar.gz
?cd pcre-8.01/
?./configure
?make;make install
?cd ../
#安裝Nginx
?tar zxvf nginx-0.8.34.tar.gz
?cd nginx-0.8.34/
?./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
?make;make install
?cd ../

#創建Nginx日志目錄
?mkdir -p /data/logs/blog.56diy.com
?chmod +w /data/logs/blog.56diy.com
?chown -R www:www /data/logs/blog.56diy.com
mkdir -p /data/logs/www.56diy.com
?chmod +w /data/logs/www.56diy.com
?chown -R www:www /data/logs/www.56diy.com
#創建Nginx配置文件
?mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
vi /usr/local/nginx/conf/nginx.conf
user? www www;
worker_processes 8;
error_log? /data/logs/nginx_error.log? crit;
pid??????? /usr/local/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
?worker_rlimit_nofile 65535;
events
?{
?? use epoll;
?? worker_connections 65535;
?}
http
?{
?? include?????? mime.types;
?? default_type? application/octet-stream;
? #charset? gb2312;
??????
?? server_names_hash_bucket_size 128;
?? client_header_buffer_size 32k;
?? large_client_header_buffers 4 32k;
?? client_max_body_size 8m;
??????
?? sendfile on;
?? tcp_nopush???? on;
? keepalive_timeout 60;
? tcp_nodelay on;
? fastcgi_connect_timeout 300;
?? fastcgi_send_timeout 300;
?? fastcgi_read_timeout 300;
?? fastcgi_buffer_size 64k;
?? fastcgi_buffers 4 64k;
?? fastcgi_busy_buffers_size 128k;
?? fastcgi_temp_file_write_size 128k;
? gzip on;
?? gzip_min_length? 1k;
?? gzip_buffers???? 4 16k;
?? gzip_http_version 1.0;
?? gzip_comp_level 2;
?? gzip_types?????? text/plain application/x-javascript text/css application/xml;
?? gzip_vary on;
? #limit_zone? crawler? $binary_remote_addr? 10m;
? server
?? {
???? listen?????? 80;
???? server_name? blog.56diy.com;
???? index index.html index.htm index.php;
???? root? /data/www/blog.56diy.com;
??? #limit_conn?? crawler? 20;???
?????????????????????????????
???? location ~ .*\.(php|php5)?$
???? {?????
?????? #fastcgi_pass? unix:/tmp/php-cgi.sock;
?????? fastcgi_pass? 127.0.0.1:9000;
?????? fastcgi_index index.php;
?????? include fcgi.conf;
???? }
????
???? location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
???? {
?????? expires????? 30d;
???? }
??? location ~ .*\.(js|css)?$
???? {
?????? expires????? 1h;
???? }???
??? log_format? access? '$remote_addr - $remote_user [$time_local] "$request" '
?????????????? '$status $body_bytes_sent "$http_referer" '
?????????????? '"$http_user_agent" $http_x_forwarded_for';
???? access_log? /data/logs/blog.56diy.com/access.log? access;
?????? }
? server
?? {
???? listen?????? 80;
???? server_name? www.56diy.com;
???? index index.html index.htm index.php;
???? root? /data/www/www.56diy.com;
??? location ~ .*\.(php|php5)?$
???? {?????
?????? #fastcgi_pass? unix:/tmp/php-cgi.sock;
?????? fastcgi_pass? 127.0.0.1:9000;
?????? fastcgi_index index.php;
?????? include fcgi.conf;
???? }
??? log_format? wwwlogs? '$remote_addr - $remote_user [$time_local] "$request" '
??????????????? '$status $body_bytes_sent "$http_referer" '
??????????????? '"$http_user_agent" $http_x_forwarded_for';
???? access_log? /data/logs/www.56diy.com/wwwlogs.log? wwwlogs;
?? }
? server
?? {
???? listen? 80;
???? server_name? status.www.56diy.com;
??? location / {
???? stub_status on;
???? access_log?? off;
???? }
?? }
?}
#在/usr/local/nginx/conf/目錄中創建fcgi.conf文件
?vi /usr/local/nginx/conf/fcgi.conf
?fastcgi_param? GATEWAY_INTERFACE? CGI/1.1;
?fastcgi_param? SERVER_SOFTWARE??? nginx;
fastcgi_param? QUERY_STRING?????? $query_string;
?fastcgi_param? REQUEST_METHOD???? $request_method;
?fastcgi_param? CONTENT_TYPE?????? $content_type;
?fastcgi_param? CONTENT_LENGTH???? $content_length;
fastcgi_param? SCRIPT_FILENAME??? $document_root$fastcgi_script_name;
?fastcgi_param? SCRIPT_NAME??????? $fastcgi_script_name;
?fastcgi_param? REQUEST_URI??????? $request_uri;
?fastcgi_param? DOCUMENT_URI?????? $document_uri;
?fastcgi_param? DOCUMENT_ROOT????? $document_root;
?fastcgi_param? SERVER_PROTOCOL??? $server_protocol;
fastcgi_param? REMOTE_ADDR??????? $remote_addr;
?fastcgi_param? REMOTE_PORT??????? $remote_port;
?fastcgi_param? SERVER_ADDR??????? $server_addr;
?fastcgi_param? SERVER_PORT??????? $server_port;
?fastcgi_param? SERVER_NAME??????? $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
?fastcgi_param? REDIRECT_STATUS??? 200;
#啟動Nginx
?ulimit -SHn 65535
?/usr/local/nginx/sbin/nginx
#配置開機自動啟動Nginx + PHP
?vi /etc/rc.local
ulimit -SHn 65535
?/usr/local/php/sbin/php-fpm start
?/usr/local/nginx/sbin/nginx

#============================安全優化================================================
?#優化Linux內核參數
?mv /etc/sysctl.conf /etc/sysctl.conf.bak
?vi /etc/sysctl.conf
?net.ipv4.tcp_max_syn_backlog = 65536
?net.core.netdev_max_backlog =? 32768
?net.core.somaxconn = 32768
?net.core.wmem_default = 8388608
?net.core.rmem_default = 8388608
?net.core.rmem_max = 16777216
?net.core.wmem_max = 16777216
?net.ipv4.tcp_timestamps = 0
?net.ipv4.tcp_synack_retries = 2
?net.ipv4.tcp_syn_retries = 2
?net.ipv4.tcp_tw_recycle = 1
?#net.ipv4.tcp_tw_len = 1
?net.ipv4.tcp_tw_reuse = 1
?net.ipv4.tcp_mem = 94500000 915000000 927000000
?net.ipv4.tcp_max_orphans = 3276800
?net.ipv4.tcp_fin_timeout = 30
?net.ipv4.tcp_keepalive_time = 120
?net.ipv4.ip_local_port_range = 1024? 65535
?kernel.shmmax = 128000000
#使配置立即生效
?/sbin/sysctl -p
#關閉不用服務
vi /root/service_stop.sh
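#!/bin/bash
# This script is used to del some service is not used on the server
# Create by kerryhu
# Date 2010-03-23
# Mail king_819@163.com
#
# Stops each listed service and removes it from runlevels 2, 3 and 5
# (chkconfig --level 235 ... off), in the same order as the original
# one-line-per-service version.
#
# NOTE(review): iptables/ip6tables are disabled here because the
# walkthrough replaces them with /root/iptables.sh started from
# /etc/rc.local; that script only programs IPv4 (/sbin/iptables), so
# turning ip6tables off leaves IPv6 unfiltered — keep ip6tables, or add
# v6 rules, if the host has a routable IPv6 address.
# NOTE(review): ntpd is disabled on purpose; the walkthrough syncs time
# with a cron ntpdate instead.

# Runlevels in which the services are switched off.
readonly RUNLEVELS=235

# Services to stop and disable, in the original order.
SERVICES=(
  microcode_ctl gpm kudzu netfs rawdevices saslauthd keytable mdmonitor
  atd irda psacct apmd isdn iptables ip6tables pcmcia sendmail smartd
  autofs netdump portmap nfs nfslock snmptrapd rhnsd xinetd cups snmpd
  vncserver hpoj xfs ntpd winbind smb dc_client dc_server httpd aep1000
  bcm5820 squid named tux vsftpd avahi-daemon bluetooth firstboot
  lvm2-monitor mcstrans pcscd restorecond rpcgssd rpcidmapd
)

#######################################
# Stop one service and disable it in RUNLEVELS.
# A service that is not installed makes `service`/`chkconfig` fail; the
# original script ignored that too, so the loop carries on.
# Globals:   RUNLEVELS (read)
# Arguments: $1 - service name
#######################################
stop_and_disable() {
  local svc=$1
  service "$svc" stop
  chkconfig --level "$RUNLEVELS" "$svc" off
}

main() {
  local svc
  for svc in "${SERVICES[@]}"; do
    stop_and_disable "$svc"
  done
}

main "$@"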
chmod +x /root/service_stop.sh
?#執行腳本關閉不需要的服務
?/root/service_stop.sh
#iptables設置
?vi /root/iptables.sh
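#!/bin/bash
#this is a common firewall created by 2010-3-27
#
# Host firewall for the LNMP box: default-DROP on INPUT/OUTPUT/FORWARD,
# then explicit accepts for the services the walkthrough sets up.
# Usage: iptables.sh        load the rules
#        iptables.sh stop   flush everything and leave the host open
#
# Fix vs. the original: "stop" flushed the chains only *after* the
# default policies had already been set to DROP, so "no firewall
# running" was printed while every packet (including the admin's SSH
# session) was still being dropped. "stop" now resets the policies to
# ACCEPT before exiting. The shebang is also the first line now, so
# /etc/rc.local can exec the file directly.

#define some variable
IPT=/sbin/iptables
CONNECTION_TRACKING="1"
INTERNET="eth0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOOPBACK_INTERFACE="lo"

#######################################
# Flush all rules and delete user-defined chains.
#######################################
flush_rules() {
  "$IPT" -F
  "$IPT" -X
}

#######################################
# Set the default policy of the three built-in chains.
# Arguments: $1 - ACCEPT or DROP
#######################################
set_policies() {
  local policy=$1
  "$IPT" -P INPUT "$policy"
  "$IPT" -P OUTPUT "$policy"
  "$IPT" -P FORWARD "$policy"
}

#######################################
# Drop TCP segments with flag combinations no legitimate stack sends.
#######################################
drop_bad_tcp_flags() {
  # All of the bits are cleared
  "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # SYN and FIN are both set
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # SYN and RST are both set
  "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # FIN and RST are both set
  "$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  # FIN is the only bit set, without the expected accompanying ACK
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  # PSH is the only bit set, without the expected accompanying ACK
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  # URG is the only bit set, without the expected accompanying ACK
  "$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
}

#######################################
# Accept traffic of established/related connections, drop INVALID.
# Globals: CONNECTION_TRACKING - "1" enables these rules
#######################################
add_state_rules() {
  if [[ "$CONNECTION_TRACKING" != "1" ]]; then
    return 0
  fi
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -m state --state INVALID -j DROP
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
}

#######################################
# Drop packets arriving on the external interface whose source address
# cannot legitimately come from the Internet (private, link-local,
# this-network and TEST-NET ranges).
# Globals: INTERNET, CLASS_A, CLASS_B, CLASS_C (read)
#######################################
drop_spoofed_sources() {
  local net
  for net in "$CLASS_A" "$CLASS_B" "$CLASS_C" \
      0.0.0.0/8 169.254.0.0/16 192.0.2.0/24; do
    "$IPT" -A INPUT -i "$INTERNET" -s "$net" -j DROP
  done
}

#######################################
# Explicit accepts for the services this host runs or needs.
# Globals: INTERNET (read)
#######################################
add_access_rules() {
  #enable ssh connect
  #"$IPT" -A OUTPUT -o "$INTERNET" -p tcp -d 61.177.7.1 -j ACCEPT
  # Time sync target. NOTE(review): the cron job runs `ntpdate
  # time.nist.gov` by hostname; if that name resolves to another address,
  # OUTPUT's DROP policy blocks it — confirm the address still matches.
  "$IPT" -A OUTPUT -d 192.43.244.18 -j ACCEPT
  # Allow outbound ping
  "$IPT" -A OUTPUT -p icmp -j ACCEPT
  "$IPT" -A OUTPUT -o "$INTERNET" -p udp --dport 53 -j ACCEPT
  "$IPT" -A OUTPUT -o "$INTERNET" -p tcp --dport 80 -j ACCEPT
  # SSH only from one MAC address. NOTE(review): --mac-source matches the
  # last-hop L2 address; from behind a router that is the router's MAC,
  # not the admin workstation's — confirm the intended admin path works
  # before relying on this rule.
  "$IPT" -A INPUT -i "$INTERNET" -p tcp -m mac --mac-source 00:02:3F:EB:E2:01 --dport 22 -j ACCEPT
  "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 443 -j ACCEPT
  "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 80 -j ACCEPT
  # Kept from the original. NOTE(review): packets from 127.0.0.1 arrive on
  # lo (already accepted in main), never on $INTERNET, so this rule matches
  # nothing; the MySQL account the walkthrough grants to 172.16.16.150 has
  # no corresponding INPUT rule, so remote MySQL access stays blocked.
  "$IPT" -A INPUT -i "$INTERNET" -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
  "$IPT" -A INPUT -i "$INTERNET" -p udp --dport 123 -j ACCEPT
}

main() {
  #Remove any existing rules
  flush_rules

  #stop firewall: open the policies *before* announcing the firewall is off
  if [[ "${1:-}" == "stop" ]]; then
    set_policies ACCEPT
    echo "Firewall completely stopped! no firewall running!"
    exit 0
  fi

  #setting default firewall policy
  set_policies DROP

  #setting for loopback interface
  "$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
  "$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

  # Stealth Scans and TCP State Flags
  drop_bad_tcp_flags
  # Using Connection State to By-pass Rule Checking
  add_state_rules
  # Source Address Spoofing and Other Bad Addresses
  drop_spoofed_sources
  #setting access rules
  add_access_rules
}

main "$@"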
chmod +x /root/iptables.sh
?echo "/root/iptables.sh" >> /etc/rc.local
#=======================在不停止Nginx服務的情況下平滑變更Nginx配置======================================
?1、修改/usr/local/nginx/conf/nginx.conf配置文件后,請執行以下命令檢查配置文件是否正確:
/usr/local/nginx/sbin/nginx -t
/*
?如果屏幕顯示以下兩行信息,說明配置文件正確:
?  the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
?  the configuration file /usr/local/nginx/conf/nginx.conf was tested successfully
?*/
?2、平滑重啟:
?①、對于Nginx 0.8.x版本,現在平滑重啟Nginx配置非常簡單,執行以下命令即可:
/usr/local/nginx/sbin/nginx -s reload

②、對于Nginx 0.8.x之前的版本,平滑重啟稍微麻煩一些,按照以下步驟進行即可。輸入以下命令查看Nginx主進程號:
ps -ef | grep "nginx: master process" | grep -v "grep" | awk -F ' ' '{print $2}'
屏幕顯示的即為Nginx主進程號,例如:
?  6302
?這時,執行以下命令即可使修改過的Nginx配置文件生效:
kill -HUP 6302
#或者無需這么麻煩,找到Nginx的Pid文件:
?kill -HUP `cat /usr/local/nginx/nginx.pid`

#===========================編寫每天定時切割Nginx日志的腳本==============================================
?vi /usr/local/nginx/sbin/cut_nginx_log.sh
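#!/bin/bash
# This script run at 00:00
#
# Rotates yesterday's Nginx access logs of the two vhosts into
# <logs_path>/YYYY/MM/<name>_YYYYMMDD.log, then asks the Nginx master
# process to reopen its log files (USR1) so it stops writing to the
# renamed files.
#
# Fix vs. the original: the date was computed with six separate
# `date -d yesterday` calls, which can disagree when the script straddles
# midnight; it is now computed once. A missing pid file is reported
# instead of leaving `kill` with an empty argument.

# The Nginx logs path
logs_path_blog="/data/logs/blog.56diy.com/"
logs_path_www="/data/logs/www.56diy.com/"
nginx_pid_file="/usr/local/nginx/nginx.pid"

#######################################
# Move one log file into its dated archive directory.
# Arguments: $1 - log directory, with trailing slash as in the variables above
#            $2 - log file name, e.g. access.log
#            $3 - year of the archive day (YYYY)
#            $4 - month of the archive day (MM)
#            $5 - archive day as YYYYMMDD
# Returns:   non-zero if the directory cannot be created or the move fails
#######################################
archive_log() {
  local dir=$1 name=$2 year=$3 month=$4 day=$5
  local target_dir="${dir}${year}/${month}/"
  mkdir -p -- "$target_dir" || return
  mv -- "${dir}${name}" "${target_dir}${name%.log}_${day}.log"
}

main() {
  local year month day pid
  # One date call so year/month/day always describe the same day.
  read -r year month day <<<"$(date -d "yesterday" +"%Y %m %Y%m%d")"

  archive_log "$logs_path_blog" access.log "$year" "$month" "$day"
  archive_log "$logs_path_www" wwwlogs.log "$year" "$month" "$day"

  # Reopen logs; without this Nginx keeps writing to the renamed files.
  pid=$(cat -- "$nginx_pid_file") || {
    printf 'cannot read %s\n' "$nginx_pid_file" >&2
    exit 1
  }
  kill -USR1 "$pid"
}

main "$@"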
chmod +x /usr/local/nginx/sbin/cut_nginx_log.sh
#添加計劃任務,每天凌晨00:00切割nginx訪問日志
?crontab -e
?00 00 * * * /bin/bash? /usr/local/nginx/sbin/cut_nginx_log.sh
#====================================故障排查===========================================
?#故障1
?/usr/local/php/sbin/php-fpm start
?Starting php_fpm eAccelerator: Could not allocate 67108864 bytes, the maximum size the kernel allows is 33554432 bytes. Lower the amount of memory request or increase the limit in /proc/sys/kernel/shmmax.
?PHP Warning:? [eAccelerator] Can not create shared memory area in Unknown on line 0
?PHP Fatal error:? Unable to start eAccelerator module in Unknown on line 0
? failed
?
?#說明

php.ini中設置的eAccelerator,eaccelerator.shm_size="64",解釋:eaccelerator可使用的共享內存大小(單位為MB),即64M
?在Linux下,單個進程的最大內存使用量受/proc/sys/kernel/shmmax中設置的數字限制(單位為字節)? /proc/sys/kernel/shmmax = 33554432 (32M)
?臨時更改該值:
?echo 128000000 > /proc/sys/kernel/shmmax
?或者
?vi /etc/sysctl.conf
?kernel.shmmax = 128000000
sysctl -p

轉載于:https://blog.51cto.com/flylucheng/912718
