|
阅读:2696回复:0
PhpCms入门指引:linux环境搭建
一、系统约定
软件源代码包存放位置:/usr/local/src 源码包编译安装位置(prefix):/usr/local/software_name 脚本以及维护程序存放位置:/usr/local/sbin MySQL 数据库位置:/var/lib/mysql(可按情况设置) Apache 网站根目录:/home/www/wwwroot(可按情况设置) Apache 虚拟主机日志根目录:/home/www/logs(可按情况设置) Apache 运行账户:www:www 二、系统环境部署及调整 1. 检查系统是否正常 # more /var/log/messages(检查有无系统级错误信息) # dmesg(检查硬件设备是否有错误信息) # ifconfig(检查网卡设置是否正确) # ping www.163.com(检查网络是否正常) 2. 关闭不需要的服务 # ntsysv 以下仅列出需要启动的服务,未列出的服务一律推荐关闭: atd crond irqbalance microcode_ctl network sendmail sshd syslog 3. 重新启动系统 # init 6 4. 配置 vim # vi /root/.bashrc 在 alias mv='mv -i' 下面添加一行:alias vi='vim' 保存退出。 # echo 'syntax on' > /root/.vimrc 5. 使用 yum 程序安装所需开发包(以下为标准的 RPM 包名称) # yum install ntp vim-enhanced gcc gcc-c gcc-g77 flex bison autoconf automake bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel kernel 6. 定时校正服务器时钟,定时与中国国家授时中心授时服务器同步 # crontab -e 加入一行: */30 * * * * ntpdate 210.72.145.44 7. 源码编译安装所需包 (Source) (1) GD2 # cd /usr/local/src # tar xzvf gd-2.0.34.tar.gz # cd gd-2.0.34 # ./configure --prefix=/usr/local/gd2 # make # make install (2) LibXML2 # cd /usr/local/src # tar xjvf libxml2-2.6.30.tar.bz2 # cd libxml2-2.6.30 # ./configure --prefix=/usr/local/libxml2 # make # make install (3) LibMcrypt # cd /usr/local/src # tar xjvf libmcrypt-2.5.8.tar.bz2 # cd libmcrypt-2.5.8 # ./configure –prefix=/usr/local/libmcrypt # make # make install (4) Apache日志截断程序 # cd /usr/local/src # tar xzvf cronolog-1.7.0-beta.tar.gz # cd cronolog-1.7.0-beta # ./configure –prefix=/usr/local/cronolog # make # make install 8. 升级OpenSSL和OpenSSH # cd /usr/local/src # tar xzvf openssl-0.9.8e.tar.gz # cd openssl-0.9.8e # ./config --prefix=/usr/local/openssl # make # make test # make install # cd .. # tar xzvf openssh-4.7p1.tar.gz # cd openssh-4.7p1 # ./configure "--prefix=/usr" "--with-pam" "--with-zlib" "--sysconfdir=/etc/ssh" "--with-ssl-dir=/usr/local/openssl" "--with-md5-passwords" # make # make install (1)禁用 SSH V1 协议 找到: #Protocol 2,1 改为: Protocol 2 (2)禁止root直接登录 此处先建立一个普通系统用户: # useradd username # passwd username 找到: #PermitRootLogin yes 改为: PermitRootLogin no (3)禁用服务器端GSSAPI 找到以下两行,并将它们注释: GSSAPIAuthentication yes GSSAPICleanupCredentials yes (4)禁用 DNS 名称解析 找到: #UseDNS yes 改为: UseDNS no (5)禁用客户端 GSSAPI # vi /etc/ssh/ssh_config 找到: GSSAPIAuthentication yes 将这行注释掉。 最后,确认修改正确后重新启动 SSH 服务 # service sshd restart # ssh -v 确认 OpenSSH 以及 OpenSSL 版本正确。 三、编译安装L.A.M.P环境 1. 下载软件 # cd /usr/local/src httpd-2.2.6.tar.bz2 mysql-5.0.45-linux-i686-glibc23.tar.gz php-5.2.4.tar.bz2 ZendOptimizer-3.3.0-linux-glibc21-i386.tar.gz 2. 安装MySQL # tar xzvf mysql-5.0.45-linux-i686-glibc23.tar.gz # mv mysql-5.0.45-linux-i686-glibc23 /usr/local/ # ln -s /usr/local/ mysql-5.0.45-linux-i686-glibc23 /usr/local/mysql # useradd mysql # chown -R mysql:root /usr/local/mysql/ # cd /usr/local/mysql # ./scripts/mysql_install_db --user=mysql # cp ./support-files/mysql.server /etc/rc.d/init.d/mysqld # chown root:root /etc/rc.d/init.d/mysqld # chmod 755 /etc/rc.d/init.d/mysqld # chkconfig --add mysqld # chkconfig --level 3 5 mysqld on # cp ./support-files/my-huge.cnf /etc/my.cnf # mv /usr/local/mysql/data /var/lib/mysql # chown -R mysql:mysql /var/lib/mysql/ # vi /etc/my.cnf 修改以下内容: (1) 在 [mysql] 段增加一行: default-character-set = gbk | latin1 | utf8 | big5 (2) 在 [mysqld] 段增加或修改: datadir = /var/lib/mysql --skip-innodb default-character-set = gbk | latin1 | utf8 | big5 --wait-timeout = 3 | 5 | 10 max_connections = 256 | 384 | 512 max_connect_errors = 10000000 thread_concurrency = CPU个数×2 将 log-bin 注释 # bin/mysqladmin -u root password 'password_for_root' 3. 编译安装Apache # cd /usr/local/src # tar xjvf httpd-2.2.6.tar.bz2 # cd httpd-2.2.6 # ./configure "--prefix=/usr/local/apache2" "--with-included-apr" "--enable-so" "--enable-deflate=shared" "--enable-expires=shared" "--enable-rewrite=shared" "--enable-static-support" "--disable-userdir" # make # make install # echo '/usr/local/apache2/bin/apachectl start ' >> /etc/rc.local 4. 编译安装PHP # cd /usr/local/src # tar xjvf php-5.2.4.tar.bz2 # cd php-5.2.4 # ./configure "--prefix=/usr/local/php" "--with-apxs2=/usr/local/apache2/bin/apxs" "--with-config-file-path=/usr/local/php/etc" "--with-mysql=/usr/local/mysql" "--with-libxml-dir=/usr/local/libxml2" "--with-gd=/usr/local/gd2" "--with-jpeg-dir" "--with-png-dir" "--with-bz2" "--with-freetype-dir" "--with-iconv-dir" "--with-zlib-dir " "--with-openssl=/usr/local/openssl" "--with-mcrypt=/usr/local/libmcrypt" "--enable-soap" "--enable-gd-native-ttf" "--enable-ftp" "--enable-mbstring" "--enable-exif" "--disable-ipv6" "--disable-cgi" "--disable-cli" # make # make install # mkdir /usr/local/php/etc # cp php.ini-dist /usr/local/php/etc/php.ini 5. 整合Apache与PHP # vi /usr/local/apache2/conf/httpd.conf 找到: AddType application/x-gzip .gz .tgz 在该行下面添加 AddType application/x-httpd-php .php 找到: DirectoryIndex index.html 将该行改为 DirectoryIndex index.html index.htm index.php 找到: #Include conf/extra/httpd-mpm.conf #Include conf/extra/httpd-info.conf #Include conf/extra/httpd-vhosts.conf #Include conf/extra/httpd-default.conf 去掉前面的“#”号,取消注释。 注意:以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置! 修改完成后保存退出。 # /usr/local/apache2/bin/apachectl restart 6. 查看确认L.A.M.P环境信息、提升 PHP 安全性 在网站根目录放置 phpinfo.php 脚本,检查phpinfo中的各项信息是否正确。 确认 PHP 能够正常工作后,在 php.ini 中进行设置提升 PHP 安全性。 # vi /etc/php.ini 找到: disable_functions = 设置为: phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open, proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog, readlink,symlink,popepassthru,stream_socket_server 四、服务器安全性设置 1. 设置系统防火墙 # vi /usr/local/sbin/fw.sh 将以下脚本命令粘贴到 fw.sh 文件中。 #!/bin/bash # Stop iptables service first service iptables stop # Load FTP Kernel modules /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp # Inital chains default policy /sbin/iptables -F -t filter /sbin/iptables -P INPUT DROP /sbin/iptables -P OUTPUT ACCEPT # Enable Native Network Transfer /sbin/iptables -A INPUT -i lo -j ACCEPT # Accept Established Connections /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # ICMP Control /sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT # WWW Service /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT # FTP Service /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT # SSH Service /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT # chmod 755 /usr/local/sbin/fw.sh # echo '/usr/local/sbin/fw.sh' >> /etc/rc.local # /usr/local/sbin/fw.sh </strong> |
|
