Build a high-performance LAMP platform based on CentOS


Outline:
I. System installation
II. Compile and install the basic environment
III. Configure virtual hosts and optimize basic performance
IV. Basic security settings
V. Appendix and related introductions

I. System installation
1. Partitioning
/boot around M
swap: 2 times the physical memory (if physical memory is larger than 4 GB, allocate 4 GB)
/: 15 GB
/usr/local: 20 GB (for software installation)
/data: all remaining space

2. System initialization script (disable unnecessary services as needed)

# vi init.sh
------------------- Cut begin -------------------------------------------
# Welcome
cat <<EOF
+--------------------------------------------------------------+
|          === Welcome to CentOS system init ===               |
+-------------- http://www.linuxtone.org ----------------------+
+---------------------- Author: netseek ------------------------+
EOF

# Disable IPv6 (append, so existing modprobe.conf entries are kept)
cat <<EOF
+--------------------------------------------------------------+
|             === Welcome to disable IPv6 ===                  |
+--------------------------------------------------------------+
EOF
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "IPv6 is disabled!"

# Disable SELinux (takes effect after reboot)
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "SELinux is disabled, you must reboot!"

# vim: alias vi to vim for root and turn on syntax highlighting
# (line 8 of the stock CentOS /root/.bashrc is blank)
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
echo 'syntax on' > /root/.vimrc

# zh_CN locale
sed -i -e 's/^LANG=.*/LANG="zh_CN.GB18030"/' /etc/sysconfig/i18n

# Turn off services
#--------------------------------------------------------------------------------
cat <<EOF
+--------------------------------------------------------------+
|           === Welcome to turn off services ===               |
+--------------------------------------------------------------+
EOF
#---------------------------------------------------------------------------------
# Every S* link in rc3.d is a service started at boot; keep the base
# services listed below and switch everything else off.
for i in /etc/rc3.d/S*
do
    CURSRV=`echo $i | cut -c 15-`    # strip "/etc/rc3.d/Snn" to get the service name
    echo $CURSRV
    case $CURSRV in
        crond|irqbalance|microcode_ctl|network|random|sendmail|sshd|syslog|local|mysqld)
            echo "Base services, skip!"
            ;;
        *)
            echo "Change $CURSRV to off"
            chkconfig --level 235 $CURSRV off
            service $CURSRV stop
            ;;
    esac
done
------------------- Cut end -------------------------------------------
# sh init.sh (execute the script saved above, then reboot)

II. Compile and install the basic environment

1. Installation preparation
1) System conventions
Software source package storage location: /usr/local/src
Source package compile and install location (prefix): /usr/local/software_name
Script and maintenance program storage location: /usr/local/sbin
MySQL database location: /data/mysql/data (can be set as needed)
Apache website root directory: /data/www/wwwroot (can be set as needed)
Apache virtual host log root directory: /data/www/logs (can be set as needed)
Apache running account: www:www (useradd -d /data/www/ www; chown www.www /data/www/wwwroot)

2) System environment deployment and adjustment
Check whether the system is healthy:
# tail -n100 /var/log/messages (check for system-level error messages)
# dmesg (check whether any hardware device reports errors)
# ifconfig (check whether the NIC settings are correct)
# ping www.linuxtone.org (check whether the network works)

3) Use yum to install the required development packages (the following are standard RPM package names)
# rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
# yum install ntp vim-enhanced gcc gcc-c++ gcc-g77 flex bison autoconf automake bzip2-devel \
  ncurses-devel zlib-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel libXpm-devel \
  gettext-devel pam-devel kernel

4) Correct the server clock periodically by synchronizing with the time server of the National Time Service Center of China
# crontab -e
Add a row:
15 3 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1

2. Compile and install the software packages (from the source packages in /usr/local/src)
1) GD2
# cd /usr/local/src
# tar xvf gd-2.0.35.tar.gz
# cd gd-2.0.35
# ./configure --prefix=/usr/local/gd2
# make
# make install

2) libxml2
# cd /usr/local/src
# tar xvf libxml2-2.6.29.tar.bz2
# cd libxml2-2.6.29
# ./configure --prefix=/usr/local/libxml2
# make
# make install

3) libmcrypt
# cd /usr/local/src
# tar xvf libmcrypt-2.5.8.tar.bz2
# cd libmcrypt-2.5.8
# ./configure --prefix=/usr/local/libmcrypt
# make
# make install

4) Apache log rotation program (cronolog)
# cd /usr/local/src
# tar xvf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure --prefix=/usr/local/cronolog
# make
# make install

3. Upgrade OpenSSL and OpenSSH
# cd /usr/local/src
# tar xvf openssl-0.9.8g.tar.gz
# cd openssl-0.9.8g
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
# cd ..
# tar xvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure \
  --prefix=/usr \
  --with-pam \
  --with-zlib \
  --sysconfdir=/etc/ssh \
  --with-ssl-dir=/usr/local/openssl \
  --with-md5-passwords
# make
# make install

1) Disable the SSH v1 protocol
In /etc/ssh/sshd_config, find the Protocol line and change it to: Protocol 2

2) Disable GSSAPI on the server
Locate the following two lines and comment them out:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

3) Disable DNS name resolution
Find: #UseDNS yes and change it to UseDNS no

4) Disable GSSAPI on the client
# vi /etc/ssh/ssh_config: comment out the line GSSAPIAuthentication yes.
Finally, confirm the changes and restart the SSH service:
# service sshd restart
# ssh -V
Verify that the OpenSSH and OpenSSL versions are the ones just installed.
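As an added example (not the article's own script), the following shell functions apply the sshd_config changes above by matching directive names rather than fixed line numbers, so they work on any file layout and can be rerun safely. The function names (set_directive, get_directive, harden_sshd) and the sample sshd_config are my own constructions; on a real host the target would be /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: apply the article's sshd hardening (Protocol 2, UseDNS no,
# GSSAPI off) by directive name instead of by line number. Works on a
# constructed sample file; on a real host point it at /etc/ssh/sshd_config.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Protocol 2,1
#UseDNS yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# set_directive FILE KEY VALUE
# Rewrites an active or commented-out "KEY ..." line to "KEY VALUE";
# appends the directive if the file has no such line. Idempotent.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -q "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY -> prints the effective (uncommented) value, if any
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the four changes described in the article
harden_sshd() {
    set_directive "$1" Protocol 2
    set_directive "$1" UseDNS no
    set_directive "$1" GSSAPIAuthentication no
    set_directive "$1" GSSAPICleanupCredentials no
    # on a live host, validate before restarting: /usr/sbin/sshd -t -f "$1"
}

harden_sshd "$SAMPLE"
cat "$SAMPLE"
```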

The SSH configuration changes above can be applied automatically with the following script. The line numbers refer to the stock CentOS 5 sshd_config and ssh_config; check them (for example with sed -n '74p;76p' /etc/ssh/sshd_config) before running it.

------------------- Cut begin -------------------------------------------
# init_ssh
SSHD_CF="/etc/ssh/sshd_config"
SSH_CF="/etc/ssh/ssh_config"
# server: comment out the two GSSAPI lines (74 and 76) and disable reverse DNS lookups
sed -i -e '74 s/^/#/' -e '76 s/^/#/' $SSHD_CF
sed -i "s/#UseDNS yes/UseDNS no/" $SSHD_CF
# client: comment out lines 44 and 48 (GSSAPIAuthentication yes among them)
sed -i -e '44 s/^/#/' -e '48 s/^/#/' $SSH_CF
echo "SSH init is OK.............."
------------------- Cut end ---------------------------------------------

III. Compile and install the L.A.M.P. environment

1. Download, compile and install the software
1) Download the software
# cd /usr/local/src
httpd-2.2.8.tar.gz
mysql-5.0.51b.tar.gz
php-5.2.6.tar.bz2
ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz

2) Install MySQL
Check your CPU model and look up the matching GCC compilation parameters at http://gentoo-wiki.com/Safe_Cflags.
Determine the system CPU type:
# cat /proc/cpuinfo | grep "model name"
The output shows the exact CPU model in the system; write it down.

# tar xvf mysql-5.0.51b.tar.gz
# cd mysql-5.0.51b
# vi mysql.sh

------------------- Cut begin -------------------------------------------
# compiler flags for this CPU (see Safe_Cflags above); export them so configure sees them
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
export CHOST CFLAGS CXXFLAGS
./configure \
 --prefix=/usr/local/mysql \
 --localstatedir=/data/mysql/data \
 --with-comment=source \
 --with-server-suffix=-linuxtone \
 --with-mysqld-user=mysql \
 --without-debug \
 --with-big-tables \
 --with-charset=gbk \
 --with-collation=gbk_chinese_ci \
 --with-extra-charsets=all \
 --with-pthread \
 --enable-static \
 --enable-thread-safe-client \
 --with-client-ldflags=-all-static \
 --with-mysqld-ldflags=-all-static \
 --enable-assembler \
 --without-isam \
 --without-innodb \
 --without-ndb-debug
make && make install
mkdir -p /data/mysql/data
useradd mysql -d /data/mysql -s /sbin/nologin
/usr/local/mysql/bin/mysql_install_db --user=mysql
cd /usr/local/mysql
chown -R root:mysql .
chown -R mysql /data/mysql/data
cp share/mysql/my-huge.cnf /etc/my.cnf
cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
chmod 755 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
/etc/rc.d/init.d/mysqld start

# make the client binaries available on the default PATH
cd /usr/local/mysql/bin
for i in *; do ln -s /usr/local/mysql/bin/$i /usr/bin/$i; done

------------------- Cut end ---------------------------------------------

# sh mysql.sh to start compiling.

3) Compile and install Apache
# cd /usr/local/src
# tar xvf httpd-2.2.8.tar.gz
# cd httpd-2.2.8

./configure \
 --prefix=/usr/local/apache2 \
 --with-included-apr \
 --enable-so \
 --enable-deflate=shared \
 --enable-expires=shared \
 --enable-rewrite=shared \
 --enable-static-support \
 --disable-userdir
make
make install
# append (not overwrite) the start command to rc.local
echo '/usr/local/apache2/bin/apachectl start' >> /etc/rc.local

4) Compile and install PHP
# cd /usr/local/src
# tar xjvf php-5.2.6.tar.bz2
# cd php-5.2.6

./configure \
 --prefix=/usr/local/php \
 --with-apxs2=/usr/local/apache2/bin/apxs \
 --with-config-file-path=/usr/local/php/etc \
 --with-mysql=/usr/local/mysql \
 --with-libxml-dir=/usr/local/libxml2 \
 --with-gd=/usr/local/gd2 \
 --with-jpeg-dir \
 --with-png-dir \
 --with-bz2 \
 --with-freetype-dir \
 --with-iconv-dir \
 --with-zlib-dir \
 --with-openssl=/usr/local/openssl \
 --with-mcrypt=/usr/local/libmcrypt \
 --enable-soap \
 --enable-gd-native-ttf \
 --enable-ftp \
 --enable-mbstring \
 --enable-exif \
 --disable-ipv6 \
 --disable-cgi \
 --disable-cli
# --disable-ipv6 and --disable-cli are used to improve speed and security; adjust the options to your needs.
make
make install
mkdir /usr/local/php/etc
cp php.ini-dist /usr/local/php/etc/php.ini

5) Install XCache
# cd /usr/local/src
# tar xvf xcache-1.2.2.tar.gz
# cd xcache-1.2.2
# /usr/local/php/bin/phpize
# ./configure --enable-xcache-coverager --with-php-config=/usr/local/php/bin/php-config \
  --enable-inline-optimization --disable-debug
# make
# make install

# vi /usr/local/php/etc/php.ini (add the following content to the end of php.ini)

------------------- Cut begin -------------------------------------------
[xcache-common]
zend_extension = /usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/xcache.so

[xcache.admin]
xcache.admin.user = "admin"
; how to generate an md5 password: echo -n "password" | md5sum
xcache.admin.pass = "035d841526a8a10be1a5e0fec1f0f3ce"   ; the password is 52netseek

[xcache]
; change xcache.size to tune the size of the opcode cache
xcache.size = 24M
xcache.shm_scheme = "mmap"
xcache.count = 4
xcache.slots = 8K
xcache.ttl = 0
xcache.gc_interval = 0

; change xcache.var_size to adjust the size of the variable cache
xcache.var_size = 8M
xcache.var_count = 1
xcache.var_slots = 8K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.test = Off
xcache.readonly_protection = On
xcache.mmap_path = "/tmp/xcache"
xcache.coredump_directory = ""
xcache.cacher = On
xcache.stat = On
xcache.optimizer = Off

[xcache.coverager]
xcache.coverager = On
xcache.coveragedump_directory = ""
------------------- Cut end ---------------------------------------------

6) Install Zend Optimizer
# cd /usr/local/src
# tar xzvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
# ./ZendOptimizer-3.3.3-linux-glibc23-i386/install.sh
Do not restart Apache yet after installing Zend Optimizer.

2. Integrate Apache with PHP and perform the initial system configuration
1) Integrate Apache and PHP
# vi /usr/local/apache2/conf/httpd.conf
Find:
AddType application/x-gzip .gz .tgz
Add below it:
AddType application/x-httpd-php .php

Find:
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
Change this block to:
<IfModule dir_module>
    DirectoryIndex index.html index.htm index.php
</IfModule>

Find:
#Include conf/extra/httpd-mpm.conf
#Include conf/extra/httpd-info.conf
#Include conf/extra/httpd-vhosts.conf (the virtual host configuration file)
#Include conf/extra/httpd-default.conf
Remove the leading "#" to uncomment them.
Note: configure the settings in these four extra configuration files according to the relevant principles!

Save the changes and exit.
# /usr/local/apache2/bin/apachectl restart

2) Check and confirm the L.A.M.P. environment information, then tighten PHP security
Place an info.php script in the website root directory and check that the phpinfo output is correct:
<?php
phpinfo();
?>

After confirming that PHP works properly, edit php.ini to harden PHP and disable dangerous functions (remove info.php afterwards, since it discloses the server configuration):
# vi /usr/local/php/etc/php.ini
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server

3) Script to complete the initial configuration automatically (the configuration above can be applied with this script)
# cat init_apache_php.sh

------------------- Cut begin -------------------------------------------
#!/bin/bash
# Written by: netseek http://www.linuxtone.org
# init_httpd.conf
HTTP_CF="/usr/local/apache2/conf/httpd.conf"
# run the server as www:www instead of daemon
sed -i -e "s/User daemon/User www/" -e "s/Group daemon/Group www/" $HTTP_CF
# the two line numbers below depend on your httpd.conf; check them before running
sed -i -e '2017 s/^/#/' -e '2017 s/^/#/' $HTTP_CF
sed -i 's#DirectoryIndex index.html#DirectoryIndex index.php index.html index.htm#g' $HTTP_CF
# uncomment the four extra Include lines, matched by name so the script does not depend on line numbers
for f in httpd-mpm httpd-info httpd-vhosts httpd-default; do
    sed -i "s|^#\(Include conf/extra/$f.conf\)|\1|" $HTTP_CF
done
# init_php (PHP security settings and hiding the PHP version)
PHP_CF="/usr/local/php/etc/php.ini"
sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $PHP_CF
sed -i '210 s#disable_functions =#disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server#g' $PHP_CF
sed -i '/expose_php/s/On/Off/' $PHP_CF
sed -i '/display_errors/s/On/Off/' $PHP_CF
------------------- Cut end -------------------------------------------
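As an added example (not part of the article or its script), the following audit checks a php.ini for the hardening applied above (expose_php and display_errors Off, open_basedir set, the listed functions disabled) and reports what is still missing, which is the check to run after init_apache_php.sh. The function names (ini_get, missing_disabled_functions, audit_php_ini) and the deliberately weak sample php.ini are my own constructions.

```shell
#!/bin/sh
# Added example: audit a php.ini against the hardening the article applies
# (expose_php and display_errors Off, open_basedir set, dangerous functions
# disabled). Uses a constructed sample with several weak settings; the real
# target would be /usr/local/php/etc/php.ini.
PHP_INI=$(mktemp)
cat > "$PHP_INI" <<'EOF'
[PHP]
;open_basedir =
expose_php = On
display_errors = Off
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open
EOF

# The function list from the article's disable_functions setting.
REQUIRED_DISABLED="phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server"

# ini_get FILE KEY: value of the first active (not ';'-commented) "KEY = value" line
ini_get() {
    awk -F= -v k="$2" '
        ($0 !~ /^[[:space:]]*;/) && (tolower($1) ~ ("^[[:space:]]*" tolower(k) "[[:space:]]*$")) {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2); print $2; exit
        }' "$1"
}

# missing_disabled_functions FILE LIST: names in LIST (comma-separated) that
# are not in the file's disable_functions; prints nothing when all are disabled
missing_disabled_functions() {
    have=$(ini_get "$1" disable_functions | tr -d ' ')
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$have," in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# audit_php_ini FILE: one finding per line; returns 1 if anything is weak
audit_php_ini() {
    rc=0
    [ "$(ini_get "$1" expose_php)" = "Off" ] || { echo "expose_php is not Off"; rc=1; }
    [ "$(ini_get "$1" display_errors)" = "Off" ] || { echo "display_errors is not Off"; rc=1; }
    [ -n "$(ini_get "$1" open_basedir)" ] || { echo "open_basedir is not set"; rc=1; }
    for fn in $(missing_disabled_functions "$1" "$REQUIRED_DISABLED"); do
        echo "disable_functions does not include $fn"; rc=1
    done
    return $rc
}

audit_php_ini "$PHP_INI" || echo "php.ini needs hardening"
```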

3. Configure virtual hosts and optimize basic performance
1) Configure the virtual host:
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin cnseek@gmail.com
    DocumentRoot "/data/www/wwwroot/linuxtone.org"
    ServerName www.linuxtone.org
    ServerAlias bbs.linuxtone.org
    ErrorLog "logs/dummy-host.example.com-error_log"
    # cronolog was installed under /usr/local/cronolog above; this writes one access log per day
    CustomLog "|/usr/local/cronolog/sbin/cronolog /data/logs/access_www.linuxtone.org.%Y%m%d" combined
</VirtualHost>

2) Basic performance tuning reference (for more tuning-related articles, see the performance tuning posts at http://bbs.linuxtone.org/index.html)
# vi /usr/local/apache2/conf/extra/httpd-default.conf

Timeout 15
KeepAlive Off
MaxKeepAliveRequests 50
KeepAliveTimeout 5
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
ServerSignature Off
HostnameLookups Off

# vi /usr/local/apache2/conf/extra/httpd-mpm.conf

<IfModule mpm_prefork_module>
    ServerLimit 2000
    StartServers 10
    MinSpareServers 10
    MaxSpareServers 15
    MaxClients 2000
    MaxRequestsPerChild 10000
</IfModule>

3) Apache log processing summary (http://bbs.linuxtone.org/thread-102-1-1.html)
Analyze website logs with AWStats: http://bbs.linuxtone.org/thread-56-1-1.html

To leave unneeded requests out of the log, adapt the following to your own situation (log %{X-Forwarded-For}i only behind a reverse proxy you control, since otherwise the header is whatever the client sends):
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Add the following:

# Filter local visits
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "::1" dontlog
# Filter some special directories and files
SetEnvIf Request_URI "^zendplatform.*$" dontlog
SetEnvIf Request_URI "\.healthcheck\.html$" dontlog
SetEnvIf Request_URI "\.getping\.php$" dontlog
SetEnvIf Request_URI "^/error\.html$" dontlog
# Filter static files
SetEnvIf Request_URI "\.gif$" dontlog
SetEnvIf Request_URI "\.jpg$" dontlog
SetEnvIf Request_URI "\.css$" dontlog

The dontlog variable only takes effect when the CustomLog directive is conditioned on it, e.g. CustomLog "..." combined env=!dontlog.

4) Apache anti-leech (Apache anti-leech problem summary: http://bbs.linuxtone.org/thread-101-1-1.html)

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://website-domain-name/nolink.png [R,L]

IV. Basic security settings
1) Use iptables to block unneeded ports (we recommend spending two hours reading up on iptables)
2) SSH security (change the SSH port and restrict the source IPs allowed to log in; see also http://bbs.linuxtone.org/thread-106-1-1.html)
3) Linux anti-ARP-attack strategy (http://bbs.linuxtone.org/thread-41-1-1.html)
4) Note (as the old saying goes: security work starts with the details!)

V. Appendix and related introductions
1) References (with thanks):
Links to the Discuz! company's Nanu article:
http://bbs.linuxpk.com/thread-13325-1-2.html
http://www.discuz.net/thread-722804-1-1.html
Configuring an all-round web server (2005 reference): http://bbs.linuxpk.com/thread-437-1-2.html
linuxtone.org (Apache-related issues): http://bbs.linuxtone.org/thread-88-1-1.html
Thank you, eddiechen!
