Linux 系统安全 及 lnmp 安装

/*********************系统盘规划*********************************/

/dev/vda  8G
/dev/vdb 500G

/dev/vda 系统盘 挂载在 /
/dev/vdb 分四个逻辑盘
/dev/vdb1 400G 用作项目应用 挂载 /var/www
/dev/vdb2 60G  用作日志记录 挂载 /var/log
/dev/vdb3 20G  分系统使用的软件其余的工具 例如 一些测试网速的软件就存放安装到这里  挂载 /opt
/dev/vdb4 20G  /home  数据交换

# Raise the per-process open-file limit: for this shell right now (soft and
# hard) and, via PAM, for every future login session.
ulimit -SHn 65535
printf '*      %s nofile 65535\n' soft hard >> /etc/security/limits.conf


/**********sshd  key 登录*******************************************/

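# The package is openssh-server; there is no "sshd" package in the CentOS repos.
yum -y install openssh-server

# sshd honours the FIRST occurrence of a keyword in sshd_config, so appending
# to the end of the file does nothing when the stock file already sets the
# option higher up (CentOS ships "PasswordAuthentication yes" uncommented).
# Replace the existing line in place, or add it only when it is absent.
set_sshd_option() {
  local key=$1 value=$2 cfg=/etc/ssh/sshd_config
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -i -r "s|^#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}
set_sshd_option ClientAliveInterval 60
set_sshd_option ClientAliveCountMax 60

# Install the public key BEFORE passwords are disabled and sshd is restarted,
# otherwise the next login is locked out.  Generate the pair on the admin
# workstation (ssh-keygen -t rsa) and copy only the .pub file to the server;
# the original "move XXXXXXX.pub" is not a command and would have replaced any
# existing authorized_keys instead of appending to it.
mkdir -p /root/.ssh && chmod 700 /root/.ssh
cat /path/to/PLACEHOLDER.pub >> /root/.ssh/authorized_keys   # PLACEHOLDER: your key
chmod 600 /root/.ssh/authorized_keys
set_sshd_option PasswordAuthentication no

# TMOUT=1000000 s (~11.5 days) means the idle auto-logout effectively never
# fires; a value in the hundreds of seconds is what the setting is meant for.
echo 'export TMOUT=1000000' >> /root/.bash_profile
source /root/.bash_profile

# Syntax-check the config before restarting, and keep this session open until
# a key-based login has been verified from a second terminal.
sshd -t && service sshd restart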


必须将 key 备份到本地 登录要用。

/************sshd 登录编码格式  vim设置 时区设置 关闭selinux*************/
yum install fonts-chinese
locale -a | grep -E  'zh|en_US'


vim /etc/sysconfig/i18n
LANG="zh_CN.gb18030"
LANGUAGE="zh_CN.gb18030:zh_CN.gb2312:zh_CN.gbk:zh_CN.utf8:zh_CN"
SUPPORTED="zh_CN.utf8:zh_CN:zh:en_US.utf8:en_US:en"
SYSFONT="lat0-sun16"
LANG="zh_CN.gb18030"
LANG="en_US.utf8"
source /etc/sysconfig/i18n


vim ~/.vimrc
set termencoding=gbk
set encoding=utf-8
set fileencodings=ucs-bom,utf-8,cp936
set fileencoding=utf-8


vim /etc/profile
export LANG=zh_CN.utf8
export LC_ALL=zh_CN.gb18030


###设置vi, vim的默认的tab、行号显示参数
### Default tab width and line numbers for vi and vim, plus a vi->vim alias
for rc in /etc/virc /etc/vimrc; do
  printf 'set tabstop=4\nset number\n' >> "$rc"
done
printf '%s\n' 'alias vi=vim' >> ~/.bashrc

source ~/.bashrc


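## Set the correct timezone (Asia/Chongqing, UTC+8)
cp /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
printf 'ZONE="Asia/Chongqing"\nUTC=false\nARC=false\n' > /etc/sysconfig/clock
### Sync the clock now, then every day at 06:00
ntpdate pool.ntp.org
# crontab fields are "min hour dom mon dow": the original "06***" is a single
# unparseable token.  Append the entry to root's crontab without clobbering
# the jobs already there.
(crontab -l 2>/dev/null; printf '%s\n' '0 6 * * * /sbin/ntpdate pool.ntp.org 2>&1 | /bin/logger') | crontab -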

设置/etc/sysconfig/selinux文件中
SELINUX=disabled


/*******************************************防火墙***************/
vim /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
# NOTE(review): the INPUT policy below is ACCEPT and the final REJECT rule is
# commented out, so every packet that reaches the end of INPUT is accepted.
# The ACCEPT rules and the rate limit on --dport 80 therefore change nothing;
# only the DROP for 180.0.0.0/8 actually blocks traffic.  For a default-deny
# host firewall set ":INPUT DROP" (or restore the final REJECT) and allow the
# served ports with --dport.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -p icmp -j ACCEPT
#-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# The "whitelist" chain is created and filled but never referenced from INPUT
# (there is no "-A INPUT -j whitelist"), so these six rules are dead.
-N whitelist
-A whitelist -s 36.36.68.0/24 -j ACCEPT
-A whitelist -s 223.73.59.0/24 -j ACCEPT
-A whitelist -s 119.130.86.0/24 -j ACCEPT
-A whitelist -s 36.36.68.65  -j ACCEPT
-A whitelist -s 223.73.59.101  -j ACCEPT
-A whitelist -s 119.130.86.201  -j ACCEPT

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Logs every NEW and INVALID packet with no "-m limit", which can fill
# /var/log during a scan or flood; rate-limit the LOG target.
-A INPUT -m state --state INVALID,NEW -j LOG
-A INPUT -s 180.0.0.0/8 -j DROP
# --sport matches the remote peer's SOURCE port, which the peer chooses, so
# "accept anything whose source port is 80/443/21/..." is not a service
# allow-list and does not restrict anything.  Inbound services are matched
# with --dport (the SSH port appears to be 54321 in these notes - TODO confirm).
-A INPUT -p tcp -m tcp --sport 54321 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 68 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --sport 995 -j ACCEPT
# Rate limit on new HTTP connections; with the ACCEPT policy above, packets
# over the limit fall through and are accepted anyway.
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 200 -j ACCEPT
COMMIT


service iptables start


/*********************禁止root 创建普通用户******************************/
useradd wyj2507
passwd wyj2507 (密码 [email protected])

visudo (99行)
wyj2507 ALL=(ALL) ALL

/*********************禁止root 创建普通用户********************/

/*******************************************修改HOSTS*******************/
vi /etc/hosts
127.0.0.1  localhost  VM_41_93_centos
#使用DNS域名服务器来解析名字(注意:order、multi、nospoof 是 /etc/host.conf 的指令,写在 /etc/hosts 里不会生效)
order bind hosts
#一台主机是否存在多个IP
multi on
#如果用逆向解析找出与指定的地址匹配的主机名,对返回的地址进行解析以确认它确实与您查询的地址相配.为了防止“骗取”IP地址
nospoof on

service network restart

/*****************精简开机自启动服务*************************************/
7个运行级别 0 系统停机模式 1 单用户 2 多用户模 3 完整多用户
             4 系统未使用  5 图形化模式  6 重启模式
init 0  1 2 3 4 5 6 设置运行级别
新系统只保留crond,network,syslog(rsyslog),sshd自启动服务 后期加
查看运行级别  runlevel
查看开启的服  chkconfig  --list

#关闭全部服务
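# Disable every service currently enabled in runlevel 3.  chkconfig localises
# the status column ("3:on" in an English locale, "3:启用" in Chinese), so a
# grep for one spelling silently matches nothing under the other.
while IFS= read -r svc; do
  chkconfig --level 3 "$svc" off
done < <(chkconfig --list | grep -E '3:(on|启用)' | awk '{print $1}')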


#或者
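# Same as above in a single awk pass: field 5 of "chkconfig --list" is the
# runlevel-3 state, which is localised ("3:on" / "3:启用").  Only the service
# name is handed to chkconfig, quoted, so nothing else from the listing can
# become an extra argument.
mapfile -t enabled < <(chkconfig --list | awk '$5 ~ /^3:(on|启用)$/ {print $1}')
for svc in "${enabled[@]}"; do
  chkconfig --level 3 "$svc" off
done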


#开启需要的服务
# Re-enable the services this host needs in runlevel 3
needed=(crond rsyslog sshd network)
for svc in "${needed[@]}"; do
  chkconfig --level 3 "$svc" on
done


#或者需要使用防火墙的话可以开启iptables和ip6tables
# Or, when the host firewall is wanted, the same list plus iptables/ip6tables
with_firewall=(crond rsyslog sshd network iptables ip6tables)
for svc in "${with_firewall[@]}"; do
  chkconfig --level 3 "$svc" on
done



/******************清理登陆的时候显示的系统及内核版本等***********************/
# Show the banners that reveal distribution and version at login...
cat /etc/redhat-release /etc/issue
# ...then blank them (each file is left holding a single newline).
# NOTE(review): some tooling reads /etc/redhat-release to detect the OS
# release - confirm nothing on this host depends on it before blanking it.
for banner in /etc/redhat-release /etc/issue; do
  echo > "$banner"
done

#关闭重启ctl-alt-delete组合键
vi /etc/init/control-alt-delete.conf
#注释掉
#exec /sbin/shutdown -r now "Control-Alt-Deletepressed"


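# chattr changes file/directory attributes in the same way chmod changes the
# mode and takes precedence over it; +i makes a file immutable until `chattr -i`.
# chattr cannot protect /, /dev, /tmp or /var.  lsattr shows the attributes.
#
# Order matters: the account and group clean-up must run BEFORE the password
# database files are made immutable - once /etc/passwd, /etc/shadow, /etc/group
# and /etc/gshadow carry +i, userdel/groupdel (and the groupadd/useradd mysql
# steps later in these notes) fail with "Operation not permitted" until
# `chattr -i` is run again.

# Remove system accounts this host does not use.
# NOTE(review): "ftp" is removed here, but a later step runs chown -R ftp:ftp on
# the web root's ftp directory; keep the account if that step is still wanted.
for user in adm lp sync shutdown halt news uucp operator games gopher ftp; do
  userdel "$user"
done

# Remove the matching unused groups.
for group in adm lp news uucp games dip pppusers; do
  groupdel "$group"
done

# Lock the critical account files last.
for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
  chattr +i "$f"
done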

/******************************************清理登陆的时候显示的系统及内核版本等********************************/


/*****************************内核参数优化*************************/
vi /etc/sysctl.conf  增加以下配置
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# NOTE(review): timestamps off disables PAWS (protection against wrapped
# sequence numbers) and makes tcp_tw_reuse / tcp_tw_recycle below inoperative,
# since both rely on timestamps.  Prefer net.ipv4.tcp_timestamps = 1.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
# NOTE(review): 1024-65535 overlaps the listening ports used in these notes
# (3306 for mysqld, 9000 for php-fpm); an outgoing connection can take one of
# them before the service binds it.  Start the range higher (e.g. 10000) or
# list those ports in net.ipv4.ip_local_reserved_ports.
net.ipv4.ip_local_port_range = 1024  65535

# NOTE(review): sysctl.conf comments must start the line - a trailing "# ..."
# after a value is read as part of the value, so the next three entries are
# likely rejected by `sysctl -p` (confirm on this procps version); move the
# comments onto their own lines.  25,000,000 conntrack entries also pin a
# large amount of kernel memory (several hundred bytes each) once the table
# fills - size it against the RAM actually available.
net.nf_conntrack_max = 25000000  # 如果使用默认参数,容易出现网络丢包 最大会话数
net.netfilter.nf_conntrack_max = 25000000 # 如果使用默认参数,容易出现网络丢包  最大会话数
net.netfilter.nf_conntrack_tcp_timeout_established = 180  #会话连接超时变量  自动清除30分钟的无效链接
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120


# TIME_WAIT sockets are released only after a delay; Linux has 65535 ports
# 1 enable SYN cookies when the SYN queue overflows; mitigates small SYN floods
# 2 allow TIME-WAIT sockets to be reused for new TCP connections
# 3 enable fast recycling of TIME-WAIT sockets
# 4 the system default FIN timeout
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# NOTE(review): tcp_tw_recycle drops connections from clients behind NAT whose
# timestamps arrive out of order, and was removed in Linux 4.12; leave it 0.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30


echo "modprobe nf_conntrack" >> /etc/rc.local
echo "modprobe bridge" >> /etc/rc.local
配置生效
# modprobe nf_conntrack
# sysctl  -p
修改iptables启动脚本,在start()函数里面加上
# vi /etc/init.d/iptables
/sbin/sysctl  -p

service iptables restart
iptables -v -n -L
#查看当前的会话
cat /proc/net/nf_conntrack | wc -l

LNMP
/*******************************************依赖包*************/
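# One transaction, all non-interactive (-y): the original mixed -y and
# interactive calls, which stalls an unattended run at the first prompt.
# "python-dev" is the Debian name; on CentOS the package is python-devel.
yum -y install \
  autoconf curl curl-devel cmake \
  sendmail graphviz \
  gcc gcc-c++ \
  python python-devel \
  libicu-devel ncurses-libs ncurses-devel \
  libxslt libxslt-devel \
  e2fsprogs-devel krb5-devel libidn-devel openssl-devel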


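# These tarballs are fetched over plain HTTP/FTP and installed system-wide as
# root with `make install`: verify each download against the upstream
# signature or published checksum before building.  All four versions are old;
# the distro packages (freetype-devel pcre-devel openssl-devel zlib-devel) are
# the maintained alternative unless a source build is really required.
# Later steps reference these trees under /opt (--with-pcre=/opt/pcre-8.37 ...),
# so run this from /opt.  Each build runs in a subshell: `&&` stops the step at
# the first failure and the cwd is restored afterwards - the original ran
# ./configure without entering the unpacked directory for freetype, openssl
# and zlib.
wget http://download.savannah.gnu.org/releases/freetype/freetype-2.4.4.tar.gz
tar zxf freetype-2.4.4.tar.gz
( cd freetype-2.4.4 && ./configure && make && make install )

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.bz2
tar jxf pcre-8.37.tar.bz2
( cd pcre-8.37 && ./configure && make && make install )

wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz
tar zxf openssl-1.0.1g.tar.gz
( cd openssl-1.0.1g && ./config -fPIC enable-shared && make && make test && make install )

wget http://zlib.net/zlib-1.2.8.tar.gz
tar zxf zlib-1.2.8.tar.gz
( cd zlib-1.2.8 && ./configure && make && make install )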


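wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar zxf nginx-1.8.0.tar.gz
cd nginx-1.8.0 || exit 1
## SSL, stub_status (server statistics) and realip (pass the client IP to the
## backend) modules are enabled.
# A trailing "\" must be the last character of its line: the original had an
# inline comment after the realip option and no "\" after --with-pcre, so the
# openssl and zlib options never reached configure.
./configure --prefix=/usr/local/nginx \
  --user=nobody \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-pcre=/opt/pcre-8.37 \
  --with-openssl=/opt/openssl-1.0.1g \
  --with-zlib=/opt/zlib-1.2.8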



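# libxml2-2.7.0 (http://xmlsoft.org/sources/old/libxml2-2.7.0.tar.gz) was
# listed as well but never used; only 2.9.2 is built.  Plain FTP, no
# integrity check - verify the tarball against the upstream checksum first.
wget ftp://ftp.xmlsoft.org/libxml2/libxml2-2.9.2.tar.gz
tar zxf libxml2-2.9.2.tar.gz
# The original ran ./configure in the download directory instead of the
# unpacked source tree.
( cd libxml2-2.9.2 && ./configure && make && make install )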

libjpeg
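wget ftp://ftp.pl.freebsd.org/vol/rzm1/GraphicsMagick/delegates/libjpeg-6b.tar.gz
tar zxf libjpeg-6b.tar.gz
# Build inside the unpacked directory (the original ran ./configure in the
# download directory).  Its name is taken from the archive's first entry
# because IJG tarballs may not unpack to "libjpeg-6b".
( cd "$(tar tzf libjpeg-6b.tar.gz | head -n 1 | cut -d/ -f1)" && ./configure && make && make install )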

libpng
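wget http://download.sourceforge.net/libpng/libpng-1.6.18.tar.gz
tar zxf libpng-1.6.18.tar.gz
cd libpng-1.6.18 || exit 1
# Point the build at the zlib installed under /usr/local.  Passing the flags to
# configure replaces the two sed edits of the Makefile, one of which wrote
# CPPFLAGS=-L/usr/local/include: "-L" is a linker search path, header search
# paths need "-I".
./configure LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include
make && make install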


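# Plain FTP from an "attic" mirror with no integrity check - verify the
# tarball's checksum/signature before building.
wget ftp://mcrypt.hellug.gr/pub/crypto/mcrypt/attic/libmcrypt/libmcrypt-2.5.7.tar.gz
tar zxf libmcrypt-2.5.7.tar.gz
# The original ran ./configure in the download directory instead of the
# unpacked source tree.
( cd libmcrypt-2.5.7 && ./configure && make && make install )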

# Two download sources for the same tarball (both plain HTTP - compare the
# download against the checksum published by the curl project before building).
wget http://curl.haxx.se/download/curl-7.44.0.tar.gz
wget http://www.execve.net/curl/curl-7.44.0.tar.gz
tar zxvf curl-7.44.0.tar.gz
cd /opt/curl-7.44.0
# Link against the openssl and zlib built under /opt earlier.
./configure --with-ssl=/opt/openssl-1.0.1g --with-zlib=/opt/zlib-1.2.8 \
  && make \
  && make install

或者
./configure --with-zlib=/opt/zlib-1.2.8 --with-ssl=/usr/local/ssl && make && make install
--with-openssl=/usr/local/ssl --with-libs=/usr/local/ssl

ldd $(which curl)
ln -s  /usr/local/ssl/lib/libcrypto.so   /usr/local/lib/libcrypto.so.1.0.0

cd /opt/php-5.6.12/ext/curl
/usr/local/php/bin/phpize
./configure -with-php-config=/usr/local/php/bin/php-config --with-curl=/opt/curl-7.44.0
make && make install

编译oci php扩展
rpm -ivh oracle-instantclient12.1-basic-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-sqlplus-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-devel-12.1.0.1.0-1.x86_64.rpm
配置库路径   libsqlplus.so
vim /etc/ld.so.conf
/usr/lib/oracle/12.1/client64/lib/
ldconfig
export ORACLE_HOME=/usr/lib/oracle/12.1/client64
export ORACLE_BASE=/usr/lib/oracle/12.1
export PATH=$ORACLE_HOME/bin:$PATH:
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
export TNS_ADMIN=$ORACLE_HOME/network/admin
source /etc/profile

cd /opt/php-5.6.12/ext/oci8
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config
make && make install
cd /usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/





/*******************************************Mysql********************************/
mysql
# Plain-HTTP tarball with no verification; check the published MD5/GPG
# signature for mysql-5.5.44 before building.
wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/MySQL-5.5/mysql-5.5.44.tar.gz
# Both fail if /etc/passwd and /etc/group are still immutable from the
# chattr +i step earlier in these notes (run `chattr -i` first).
groupadd mysql
useradd -r -g mysql mysql
## only the client should really have been installed on this host
cd /usr/local/Downloads
tar -zxvf  mysql-5.5.44.tar.gz
cd mysql-5.5.44
# NOTE(review): -DENABLED_LOCAL_INFILE=1 compiles the client library with
# LOAD DATA LOCAL enabled by default, which lets a server the client talks to
# request files from the client's filesystem - keep it only if the app needs
# LOCAL loads.  (No comments are placed inside the continued command below:
# a "#" after a "\" would end the cmake line early.)
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
-DMYSQL_DATADIR=/usr/local/mysql/data \
-DMYSQL_TCP_PORT=3306 \
-DMYSQL_UNIX_ADDR=/var/run/mysqld/mysqld.sock \
-DMYSQL_USER=mysql \
-DDEFAULT_CHARSET=utf8 \
-DWITH_EXTRA_CHARSETS:STRING=utf8,gbk \
-DWITH_MYISAM_STORAGE_ENGINE=1 \
-DWITH_MEMORY_STORAGE_ENGINE=1 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DEXTRA_CHARSETS=all \
-DWITH_READLINE=1 \
-DWITH_EMBEDDED_SERVER=1 \
-DENABLED_LOCAL_INFILE=1 \
-DWITH_INNOBASE_STORAGE_ENGINE=1
make && make install


mkdir /usr/local/mysql/etc/
cp support-files/my-large.cnf /usr/local/mysql/etc/my.cnf
vim /usr/local/mysql/etc/my.cnf
[mysqld]
basedir = /usr/local/mysql
datadir = /usr/local/mysql/data
port = 3306
socket = /var/run/mysqld/mysqld.sock
character_set_server = utf8
slow_query_log = 1
log-error = /usr/local/mysql/log/mysql_error.log
pid-file = /usr/local/mysql/run/mysql.pid
default-storage-engine=MyISAM
user = mysql

open_files_limit    = 65535
max_connections = 5000
max_connect_errors = 6000 #出错锁定host
back_log = 600  #连接队列的最大值
skip-name-resolve #关闭反向域名解析
innodb_file_per_table = 0 #所有innodb表共用一个共享表空间文件(ibdata),设为1时每张表使用独立文件

interactive_timeout = 120
wait_timeout = 120 #连接过期秒数
thread_cache_size = 32  #连接词空闲线程数

tmp_table_size = 56M
max_heap_table_size = 56M
long_query_time = 3

log-bin = /var/www/log/binlog
binlog_cache_size = 4M
binlog_format = MIXED
max_binlog_cache_size = 8M
max_binlog_size = 1G


[client]
socket = /var/run/mysqld/mysqld.sock

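# groupadd/useradd were already run above; here they only report "already
# exists".  Both fail outright if /etc/passwd and /etc/group are still
# immutable from the chattr +i step earlier in these notes.
groupadd mysql
useradd -r -g mysql mysql
cd /usr/local/mysql || exit 1
# "//" is not a shell comment: the original handed "//更改..." to chown and
# chgrp as a second path argument.
chown -R mysql .   # every file owned by mysql
chgrp -R mysql .   # every file in group mysql
# 2. initialise the data directory as the mysql user.  --defaults-file is kept
# first, as mysqld itself requires.
/usr/local/mysql/scripts/mysql_install_db --defaults-file=/usr/local/mysql/etc/my.cnf \
  --basedir=/usr/local/mysql \
  --user=mysql \
  --datadir=/usr/local/mysql/data

chown -R root .              # hand the install tree back to root
chown -R mysql data          # only the data directory stays writable by mysql
chown -R mysql /usr/local/mysql/data
chgrp -R mysql /usr/local/mysql/data

cp /etc/my.cnf /etc/my.cnf_bak
cp /usr/local/mysql/etc/my.cnf /etc/my.cnf

# Runtime directories for the socket, pid file and error log (my.cnf points
# log-error at /usr/local/mysql/log, which the original never created).
# mysqld runs as "mysql" (--user=mysql below), so ownership is enough; the
# original 777 would let any local account replace the socket or pid file.
for d in /var/run/mysqld /usr/local/mysql/run /usr/local/mysql/log; do
  mkdir -p "$d"
  chown mysql:mysql "$d"
  chmod 755 "$d"
done
/usr/local/mysql/bin/mysqld \
  --defaults-file=/usr/local/mysql/etc/my.cnf \
  --basedir=/usr/local/mysql \
  --datadir=/usr/local/mysql/data \
  --plugin-dir=/usr/local/mysql/lib/plugin \
  --user=mysql \
  --log-error=/usr/local/mysql/log/mysql_error.log \
  --pid-file=/usr/local/mysql/run/mysql.pid \
  --socket=/var/run/mysqld/mysqld.sock \
  --port=3306 &

cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld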

客户端
yum install mysql

-- Run in the mysql client against the "mysql" database.
-- NOTE(review): host='%' lets root authenticate from any address, and the
-- my.cnf above sets no bind-address, so mysqld listens on every interface.
-- Keep root at localhost, give the application its own least-privilege
-- account, and set bind-address = 127.0.0.1 if only the local PHP connects.
-- The password literal below is now stored in these notes - rotate it.
update user set password=passworD("wyj_2015") where user='root';
update user set host='%' where user='root';
flush privileges;

/*******************************************php*********************************/
wget http://cn2.php.net/distributions/php-5.6.12.tar.gz
opcash  http://php.net/manual/zh/opcache.installation.php
tar zxvf  php-5.6.12.tar.gz
# Source tarball fetched above over plain HTTP with no verification - check
# the published checksum/GPG signature for php-5.6.12 before building.
# NOTE(review): --with-fpm-group=nogroup - CentOS has no "nogroup" group (the
# php-fpm.conf later in these notes uses group = nobody); confirm the group
# exists or use nobody.  --with-mysql (ext/mysql) is deprecated since PHP 5.5;
# mysqli and pdo_mysql via mysqlnd are already enabled.  --with-curlwrappers
# was dropped from the 5.6 configure - TODO confirm this release still
# accepts it.  (No comments are placed inside the continued command: a "#"
# after a "\" would end the configure line early.)
./configure --prefix=/usr/local/php \
--with-config-file-path=/usr/local/php/conf \
--with-fpm-user=nobody \
--with-fpm-group=nogroup \
--enable-fpm \
--enable-bcmath \
--with-curl \
--with-mcrypt \
--with-freetype-dir \
--enable-mbstring \
--with-pdo-mysql=mysqlnd \
--with-mysqli=mysqlnd \
--with-mysql=/usr/local/mysql \
--with-openssl \
--with-imap-ssl \
--with-freetype-dir \
--with-gd \
--with-jpeg-dir=/usr/lib/ \
--with-png-dir=/usr/lib/ \
--enable-exif \
--enable-zip \
--with-zlib \
--with-xsl \
--with-gettext \
--enable-intl \
--with-xmlrpc \
--enable-xml \
--enable-ftp \
--with-pear \
--enable-sockets \
--enable-gd-native-ttf \
--enable-s

ysvsem \
--enable-sysvshm \
--enable-shmop \
--with-mhash \
--enable-inline-optimization \
--with-curlwrappers \
--enable-mbregex \
--enable-opcache \
make && make install


http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
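## Least privilege for the web root
ROOT="/var/www/html"

# Owner-only read access: directories need x to be traversed, plain files do
# not, so directories get 500 and files 400 instead of "u+xr -R", which marks
# every file executable.
restrict_tree() {
  find "$1" -type d -exec chmod 500 {} +
  find "$1" -type f -exec chmod 400 {} +
}

# Owner read/write for the directories the application writes to
# (700 directories, 600 files).
writable_tree() {
  find "$1" -type d -exec chmod 700 {} +
  find "$1" -type f -exec chmod 600 {} +
}

# NOTE(review): nobody is also the user nginx and php-fpm run as, so as the
# owner it can still chmod and rewrite the code it serves.  Owning the code
# by root (or a deploy user) with read access for nobody, and leaving only the
# writable directories to nobody, would make that impossible.
chown -R nobody:nobody "$ROOT"
restrict_tree "$ROOT"
# serverConfig was listed twice in the original; once is enough.
for d in serverConfig Runtime Uploads crontab Public; do
  writable_tree "$ROOT/$d"
done
# NOTE(review): "userdel ftp" earlier in these notes removes this account;
# the chown fails unless it is kept.
chown -R ftp:ftp "$ROOT/ftp"
writable_tree "$ROOT/ftp"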


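# Session directory, readable and writable by php-fpm (nobody) only.
# A directory needs x to be entered, so it gets 0700 - the original's
# "a-wrx" followed by "u+wr" left it at 0600, and nobody could not create
# session files inside it.
mkdir -p /usr/local/php/sess/weijiaoyun
chown nobody:nobody /usr/local/php/sess/weijiaoyun
chmod 0700 /usr/local/php/sess/weijiaoyun
# php.ini sets session.save_path = "1;/usr/local/php/sess/weijiaoyun": the
# leading "1;" means one level of 0-f subdirectories that PHP does not create
# itself, so create them here (or drop the "1;" prefix in php.ini).
for sub in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
  mkdir -p "/usr/local/php/sess/weijiaoyun/$sub"
  chown nobody:nobody "/usr/local/php/sess/weijiaoyun/$sub"
  chmod 0700 "/usr/local/php/sess/weijiaoyun/$sub"
done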





/*********************************************启动命令***************************/
pkill php-fpm
/usr/local/php/sbin/php-fpm -c /usr/local/php/etc/php.ini -y /usr/local/php/etc/php-fpm.conf
chown -R nobody:nobody /usr/local/php/sess
chown nobody:nobody /dev/shm/sess/weijiaoyun
chmod u+wr -R /usr/local/php/sess/weijiaoyun
# php-fpm master signals: USR2 = graceful restart (recommended),
# USR1 = reopen the log files (recommended)
kill -USR2 "$(< /usr/local/php/var/run/php-fpm.pid)"
kill -USR1 "$(< /usr/local/php/var/run/php-fpm.pid)"

pkill nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
chown -R nobody:nobody /dev/shm
# nginx master signals: USR2 = graceful restart (recommended),
# USR1 = reopen the log files (recommended)
kill -USR2 "$(< /usr/local/nginx/logs/nginx.pid)"
kill -USR1 "$(< /usr/local/nginx/logs/nginx.pid)"

pkill mysqld
# Same arguments as the first start above, kept in an array so each one is
# passed as a single word.
mysqld_args=(
  --defaults-file=/usr/local/mysql/etc/my.cnf
  --basedir=/usr/local/mysql
  --datadir=/usr/local/mysql/data
  --plugin-dir=/usr/local/mysql/lib/plugin
  --user=mysql
  --log-error=/usr/local/mysql/log/mysql_error.log
  --pid-file=/usr/local/mysql/run/mysql.pid
  --socket=/var/run/mysqld/mysqld.sock
  --port=3306
)
/usr/local/mysql/bin/mysqld "${mysqld_args[@]}" &

不保存历史
# Keep only the last 4 commands of shell history.  The substitution only
# matches if /etc/profile really contains "HISTSIZE=3000" - confirm, the
# stock file may set a different value.  Note this also removes the command
# trail an incident investigation would rely on.
sed -i 's/HISTSIZE=3000/HISTSIZE=4/g' /etc/profile
source /etc/profile


传输命令
scp -i /root/wjyRsa -P 54321   -r  /var/www/testscp   119.29.38.43:/var/www/
scp -i /root/devRsa -P 54321 -r /opt/curl-7.44.0  119.29.11.29:/opt/curl-7.44.0

/********************************系统工具**************************************/
yum -y install vim
yum install fonts-chinese.noarch

添加库文件路径
vim /etc/ld.so.conf
ldconfig

#滞后
--with-oci8 \

apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
tcpdump -i lo  -w /var/www/logs/php-fpm2
/usr/sbin/tcpdump -i eth0  -w  /var/www/logs/tcpdump7

yum -y install sysstat
sar -n EDEV 2 10
sar -n SOCK 2 10
sar -r   6      #men
sar -u   6       #cpu

top -p pid
P:按%CPU使用率排行
T:按MITE+排行
M:按%MEM排行

Linux查看网络端口对应的程序
lsof -i :80
netstat -a |grep LISTEN |grep -v unix

ps -aux  | sort -k4nr
ps -aux | grep -E   "sap|USER"

#innode
df -i
#innode 大小
dumpe2fs -h /dev/vdb2 | grep "Inode size"
查看 进程的详细内存
pmap -q php-fpmp的pid
/**********************配置文件备份*******************************/
/usr/local/mysql/etc/my.cnf
[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
[mysqld]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
skip-external-locking
key_buffer_size = 256M
max_allowed_packet = 1M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
query_cache_limit = 2M
query_cache_min_res_unit = 2k
basedir = /usr/local/mysql
datadir = /usr/local/mysql/data
port = 3306
socket = /var/run/mysqld/mysqld.sock
character_set_server = utf8
slow_query_log = 1
log-error = /usr/local/mysql/log/mysql_error.log
pid-file = /usr/local/mysql/run/mysql.pid
default-storage-engine=MyISAM
user = mysql
thread_concurrency = 2
open_files_limit    = 65535
max_connections = 5000
max_connect_errors = 6000
back_log = 600
skip-name-resolve
innodb_file_per_table = 0
interactive_timeout = 120
wait_timeout = 120

log-bin = /var/www/log/binlog
binlog_cache_size = 4M
binlog_format = MIXED
max_binlog_cache_size = 8M
max_binlog_size = 1G



cat  /usr/local/php/etc/php.ini
[PHP]
engine = On
short_open_tag = Off
asp_tags = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 17
; Scripts may only open files under these paths; the ";" after the closing
; quote starts a comment and is harmless.
open_basedir = "/tmp/:/var/www/html:/var/www/task/cli/:/var/www/tasks/test_data/";
; NOTE(review): nothing is disabled.  If the application does not spawn
; processes, list exec, shell_exec, system, passthru, proc_open and popen here
; so an injected script cannot reach them.
disable_functions =
disable_classes =
zend.enable_gc = On
; NOTE(review): On adds an X-Powered-By header with the exact PHP version to
; every response; set Off.
expose_php = On
max_execution_time = 30
max_input_time = 60
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
; Must stay >= upload_max_filesize.  The nginx vhost in these notes allows
; 300m bodies while these two cap PHP at 100M - align the three values.
post_max_size = 100M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
enable_dl = Off
; NOTE(review): with 1, PHP resolves a SCRIPT_FILENAME that does not exist to
; the nearest existing path component and runs that as the script.  The nginx
; vhost in these notes builds SCRIPT_FILENAME straight from the URI with no
; try_files, so a non-PHP file under a writable directory can be executed as
; PHP.  Set 0, or add "try_files $uri =404;" to the .php location.
cgi.fix_pathinfo=1
file_uploads = On
upload_max_filesize = 100M
max_file_uploads = 20
upload_tmp_dir=/tmp
; allow_url_include is Off (the important one).  allow_url_fopen only needs
; to stay On if the code opens URLs with the file functions.
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = On
[opcache]
zend_extension = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/opcache.so"
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
; Changed files are re-checked at most every 60 s, so a deployment can serve
; stale code for up to a minute unless php-fpm is reloaded.
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1

[Session]
session.save_handler = files
; "1;" means one level of 0-f subdirectories under the path.  PHP does not
; create them, and the session mkdir step in these notes creates only the top
; directory, so session writes fail until the 16 subdirectories exist (or the
; "1;" prefix is dropped).
session.save_path = "1;/usr/local/php/sess/weijiaoyun"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
; NOTE(review): session.cookie_httponly is not set (default 0); add
; session.cookie_httponly = 1, and session.cookie_secure = 1 once the site is
; served over TLS (the vhost in these notes listens on port 80 only).

[curl]
extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/curl.so"


cat  /usr/local/php/etc/php-fpm.conf  | grep -v '^;' | grep -v '^$'| less
[global]
error_log = /var/log/php/php-fpm.log
log_level = notice
rlimit_files = 65535
rlimit_core = 0
; Relative to the php-fpm prefix: /usr/local/php/var/run/php-fpm.pid, which
; the restart commands in these notes read.
pid = run/php-fpm.pid
[www]
user = nobody
group = nobody
listen = 127.0.0.1:9000

listen.allowed_clients = 127.0.0.1
; With pm = static only pm.max_children is used; start_servers and the spare
; limits below apply to pm = dynamic and are ignored here.
pm = static
pm.max_children = 50
pm.start_servers = 40
pm.min_spare_servers = 5
pm.max_spare_servers = 10

pm.max_requests = 1000
; Served by the nginx "location /status" block, which has no allow/deny, so
; the pool status is public; restrict it there.
pm.status_path = /status

request_terminate_timeout = 30
; Overrides the global 65535 above for this pool.
rlimit_files = 655360
rlimit_core = 0
; NOTE(review): .html is accepted as a PHP script by this pool.  nginx only
; proxies \.php$ today, but any future location that passes other URIs to
; 127.0.0.1:9000 would then execute uploaded .html files; keep this to .php.
security.limit_extensions = .php .html
php_admin_value['date.timezone'] = 'Asia/Shanghai'

cat  /usr/local/nginx/conf/nginx.conf  | grep -v '^#' | grep -v '^$'| less
user  nobody nobody;
worker_processes  2;
# NOTE(review): 65353 looks like a transposition of 65535, here and in
# worker_connections below - confirm the intended value.
worker_rlimit_nofile 65353;
events {
        worker_connections  65353;
        use epoll;
}
http {
        include       mime.types;
        default_type  application/octet-stream;
        # server_tokens is not set, so error pages and the Server header
        # carry the exact nginx version; add "server_tokens off;" here.
        sendfile        on;
        keepalive_timeout  65;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 128k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 32k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types       text/plain application/x-javascript text/css application/xml;
        gzip_vary on;
        gzip_disable "MSIE [1-6].";
        server_names_hash_bucket_size 128;
        # The vhost below raises this to 300m for its server block.
        client_max_body_size     100m;
        client_header_buffer_size 256k;
        large_client_header_buffers 4 256k;
        include vhost/*.conf;
}


cat  /usr/local/nginx/conf/vhost/dev.xcoach.cn.conf  | grep -v '^#' | grep -v '^$'| less
server {
        listen     80;
        # server_name is the bare IP; the file name (dev.xcoach.cn.conf)
        # suggests a hostname was intended - confirm.
        server_name 119.29.11.29;
        root /var/www/html;
        index index.php index.html;
        large_client_header_buffers 4 16k;
        # 300m here, but php.ini caps post_max_size/upload_max_filesize at
        # 100M, so bodies between 100M and 300M pass nginx only to be
        # rejected by PHP; align the three values.
        client_max_body_size 300m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_buffer_size 64k;
        proxy_buffers   4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        location / {
                index  index.htm index.html index.php;
                # Front-controller rewrite; "try_files $uri $uri/ /index.php/$uri;"
                # does the same without "if" (the nginx wiki's "if is evil" case).
                if (!-e $request_filename) {
                        rewrite  ^/(.*)$  /index.php/$1  last;
                        break;
                }
        }
        # Regex locations are tried in file order and the FIRST match wins, so
        # this block takes every URI ending in .php - including those under
        # /sql, /Data, /Uploads and /ftp - before the "deny all" block further
        # down is ever consulted.  Move that deny location above this one.
        location ~ \.php$ {
                # With cgi.fix_pathinfo=1 in php.ini and SCRIPT_FILENAME built
                # from the URI below, a request whose script does not exist is
                # resolved by PHP to the nearest existing path component, which
                # can be a non-PHP file in a user-writable directory.  Add
                # "try_files $uri =404;" here or set cgi.fix_pathinfo=0.
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_read_timeout 150;
                include /usr/local/nginx/conf/fastcgi_params;
                set $path_info "";
                set $real_script_name $fastcgi_script_name;
                if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                        set $real_script_name $1;
                        set $path_info $2;
                }
                fastcgi_param SCRIPT_FILENAME /var/www/html/$real_script_name;
                fastcgi_param SCRIPT_NAME $real_script_name;
                fastcgi_param PATH_INFO $path_info;
        }
        # Both status endpoints are reachable by anyone; restrict them with
        # "allow 127.0.0.1; deny all;" (or an admin network).
        location /ngstatus {
                stub_status on;
                access_log off;
        }
        location /status {
                fastcgi_pass   127.0.0.1:9000;
                fastcgi_index  index.php;
                include fastcgi.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
                expires      30d;
        }
          location ~ .*\.(js|css)?$ {
                expires      12h;
        }
        location ~* \.(htaccess|inc|conf)$ {
                deny all;
        }
        # Intended to block PHP execution under upload/data paths, but as
        # ordered it is never reached for .php URIs - see the note on
        # "location ~ \.php$" above.
        location ~  /(sql|Data|Uploads|ftp)/.*\.(php|php5)?$ {
                deny all;
        }
        #location ^~ /Runtime {
        #       deny all;
        #}
        access_log  logs/dev.xcoach.cn.access.log;
        error_log   logs/dev.xcoach.cn.error.log;
}


/*************************************定时程序***************************/
# NOTE(review): cron already runs each job in its own process; the trailing
# "&" only stops cron from tracking it, so slow runs of the every-minute and
# every-10-minute jobs can overlap.  Drop the "&" and guard each job with
# "flock -n /var/lock/<name>.lock <command>" (placeholder lock name).
* * * * * /bin/sh  /var/www/tasks/defend_ddos/defend_ddos.sh &
# NOTE(review): credentials on the command line are visible to every local
# user in `ps`, and the ones in the commented line below are now stored in
# these notes - move them into a 0600 file read by the script and rotate them.
*/10 * * * * /var/www/tasks/ftp/ftp_get.sh  "school"  "username"  "password"  "/var/www/html/ftp/userdata"  "/userdata/*.data" &
*/10 * * * * /usr/local/php/bin/php -q /var/www/tasks/cli/cliApiBandRelation.php &
#59 * * * * /var/www/tasks/data_docking/doching.sh 121.41.74.208 youanbao PPla@0155   yabsz  3306 &
# "*/1" is the same as "*" (every minute); the double slash in the path is harmless.
*/1 * * * * /usr/local//qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
# Every midnight; see the note on "&" above.
0 0 * * * bash /var/www/task/nglog_bak/nglog_bak.sh &


/*************************************************定时程序***********************************************************/


/***************************************其他************************/
保证每天多少PV的并发连接数的计算公式是:
并发连接数= PV / 统计时间(一天是86400) * 页面衍生连接次数 * http响应时间 * 因数(5) / web服务器数量
保证4千万PV的并发连接数:
(40000000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 6台Web服务器 = 19290连接数

10万PV的并发连接数:
(100000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 1台Web服务器 = 289连接数

ab.exe -n2000 -kc2000

svn
svn delete svn://119.29.11.29/weijiaoyun/Public    -m   "delete  Public"
svn import -m  'reimport' /var/www/html/Public  svn://119.29.11.29/weijiaoyun/Public

vim ignore.txt
Application/User/Conf/config.php
Application/Common/Conf/config.php
Runtime
Uploads
svn propset svn:ignore -F ignore.txt .
svn proplist
svn propget  svn:ignore

nginx无法打印日志 tail -f 没有磁盘空间 增大max_user_watches  参考  http://www.51know.info/system_security/inotify.html
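# The original "echo '17000' > cat /proc/..." redirected into a file named
# "cat" in the current directory and never touched the kernel setting.
# Write it through sysctl (add the same key to /etc/sysctl.conf to persist).
sysctl -w fs.inotify.max_user_watches=17000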

批量替换  参考 http://php.net/manual/zh/language.exceptions.php (jim at anderos dot com)
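# Prefix every "throw new Exception" with a backslash (global namespace) in
# the files that contain it.  -Z/-0 keep paths with spaces or odd characters
# intact; the backtick form re-ran the same grep and word-split its output.
grep -rlZ 'throw new Exception' /var/www/ceshi/ | xargs -0 sed -i 's/throw new Exception/throw new \\Exception/g'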

错误日志分析
error_log="/usr/local/nginx/logs/weijiaoyun_error.log"

deny_ip_arr=`cat  $error_log | grep -iE  "referrer: \"http:\/\/123.249.24.233\/POST_ip_port.phpAccep" | sed  's/\(.*\)\(client: \)\(.*\)\(, server:.*\)/\3/g'`
for ip in $deny_ip_arr
do
  exist=`cat /etc/sysconfig/iptables| grep  $ip`
  if [ -z "$exist" ]
  then
     /sbin/iptables -A INPUT -s  $ip -j DROP
     /sbin/iptables -I INPUT -s  $ip -j DROP
     /sbin/iptables-save > /etc/sysconfig/iptables
  fi
done

PHP-FPM master进程可以理解以下信号
INT, TERM 立刻终止  QUIT 平滑终止  USR1 重新打开日志文件   USR2平滑重载所有worker进程并重新载入配置和二进制模块
php-fpm 关闭:kill -INT `cat /usr/local/php/var/run/php-fpm.pid`
php-fpm 重启:kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`
/**********************************************************其他******************************************************/

/****************服务优化 只开启必要的服务,提高安全性和性能********************/
###以下服务是必须的必须开启 其他可以尝试关闭
安装完Linux之后,以下服务是必须的必须开启,没列出的服务可关闭
acpid   #高级控制电源管理接口
crond   #定时执行任务
haldaemon  #必须开启,否则可能导致控制台键盘鼠标无法使用
hidd       #同上
irqbalance   #支持多cpu中断,必须开启
kudzu       #检测硬件变化时自动进行配置
lvm2-monitor  #用于监测LVM状态
messagebus   #Linux系统进程间通讯的关键服务
mdmonitor    #监测软RAID健康状态  即使没有使用软RAID, 也强烈建议启用此服务
mdmpd       #同上,即使没有多路径存储设备,也强烈建议启用之
network       #网络支持
readahead_early  #预先加载特定的应用程序到内存中以提供性能
readahead_later  #同上
smartd          #硬盘故障自动检测
sshd
syslog
klogd           #如果服务列表中存在,则必须开启
提示:配置服务可使用ntsysv工具,比较方便
其它强烈建议开启的服务  iptables
/**********************************服务优化 只开启必要的服务,提高安全性和性能*************************************/

/*************************************日志************************************/
/var/log/message 系统启动后的信息和错误日志,是Red Hat Linux中最常用的日志之一
/var/log/secure 与安全相关的日志信息
/var/log/maillog 与邮件相关的日志信息
/var/log/cron 与定时任务相关的日志信息
/var/log/spooler 与UUCP和news设备相关的日志信息
/var/log/boot.log 守护进程启动和停止相关的日志消息
dmesg | grep IDE  # 查看启动时IDE设备检测状况
route -n  # 查看路由表

/**************************************参考***********************/
生产服务器环境最小化安装后 Centos 6.5优化配置备忘  http://zhangxugg-163-com.iteye.com/blog/1843724
Centos 6.5优化配置 http://www.lvtao.net/server/centos-server-setup.html

inotify: http://www.51know.info/system_security/inotify.html
Linux(Centos )的网络内核参数优化来提高服务器并发处理能力 http://blog.csdn.net/shaobingj126/article/details/8549494
日志 :http://www.centoscn.com/CentosSecurity/CentosSafe/2014/0304/2490.html

linux下使用tc模拟网络延迟和丢包 http://blog.csdn.net/duanbeibei/article/details/41250029
/*****************************参考***********************************/


转载自coollyj.iteye.com/blog/2238689