Introduction to the optimization and security configuration of VPS in CentOS6

Source: Internet
Author: User
Tags: fpm, gopher, php, script, zip, ssh, vps, iptables, ssh port

Applicable environment: any VPS running CentOS 5 or 6.

Upgrade the system

yum update

Upgrade the firewall policy

# clear the existing firewall rules
iptables -F
iptables -X
iptables -Z

# allow the host to talk to itself
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow rate-limited ping, 10 packets per second
iptables -A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT

# allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT

# allow access to port 22, the default SSH port. Keep this rule; if you change the port in sshd_config, change this rule first
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# to allow other ports, copy the rule above and change the port number

# reject everything that is not explicitly allowed
iptables -A INPUT -j REJECT
# (Note: if port 22 has no ACCEPT rule, the SSH session is cut off immediately.)
iptables -A FORWARD -j REJECT

# save the firewall rules

service iptables save

# if saving fails because policycoreutils is missing, install it first
yum -y install policycoreutils
# then save again
# start iptables at boot
chkconfig --level 345 iptables on
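As an added example (not part of the original post), here is the rule set above wrapped in a script that takes the SSH port as a parameter and refuses to apply a rule list whose catch-all INPUT REJECT is not preceded by an ACCEPT for that port, which is exactly the lockout the note above warns about. The function names (firewall_rules, firewall_rules_sane, firewall_apply, ssh_port_from_config) are this example's own; it assumes the CentOS 6 iptables service and the /etc/ssh/sshd_config path used in the text.

```sh
#!/bin/sh
# Added example, not from the original post. Generates the iptables rule set
# described above as a list of commands, with the SSH port as a parameter so a
# changed sshd_config port cannot be forgotten, and refuses to apply a rule
# list in which the INPUT REJECT is not preceded by an ACCEPT for that port.
# Function names and the lockout check are this example's own.

# firewall_rules SSH_PORT [EXTRA_TCP_PORT...] -> one iptables command per line
firewall_rules() {
    ssh_port=$1; shift
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -Z"
    echo "iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT"
    echo "iptables -A OUTPUT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -j REJECT"
    echo "iptables -A FORWARD -j REJECT"
}

# firewall_rules_sane SSH_PORT (rule list on stdin)
# Succeeds only if an INPUT ACCEPT for SSH_PORT appears before the INPUT REJECT.
firewall_rules_sane() {
    awk -v port="$1" '
        /-A INPUT / && /-j ACCEPT/ && !rejected {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) ok = 1
        }
        /-A INPUT -j REJECT/ { rejected = 1 }
        END { exit ((ok && rejected) ? 0 : 1) }
    '
}

# ssh_port_from_config [FILE] -> the last uncommented "Port" value, or 22
ssh_port_from_config() {
    awk '$1 == "Port" { p = $2 } END { print ((p == "") ? 22 : p) }' \
        "${1:-/etc/ssh/sshd_config}"
}

# firewall_apply SSH_PORT [EXTRA_TCP_PORT...]  (run as root)
firewall_apply() {
    rules=$(firewall_rules "$@")
    if ! printf '%s\n' "$rules" | firewall_rules_sane "$1"; then
        echo "refusing to apply: no ACCEPT for SSH port $1 before the INPUT REJECT" >&2
        return 1
    fi
    printf '%s\n' "$rules" | sh -e && service iptables save
}

# Usage on the VPS: ./firewall.sh apply   (opens the configured SSH port and 80)
if [ "${1:-}" = "apply" ]; then
    firewall_apply "$(ssh_port_from_config)" 80
fi
```

Generate the list first (`firewall_rules "$(ssh_port_from_config)" 80`) and read it before applying; the sanity check only catches a missing SSH rule, not a wrong port typed by hand.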
Remove unused applications

yum remove Deployment_Guide-en-US cups-libs cups \
  bluez-libs desktop-file-utils ppp rp-pppoe wireless-tools irda-utils \
  nfs-utils nfs-utils-lib rdate fetchmail eject ksh mkbootdisk mtools \
  syslinux tcsh startup-notification talk apmd rmt dump setserial portmap yp-tools \
  ypbind
# remove insecure services
yum remove telnet rsh ftp rcp
# install postfix to replace sendmail
yum install postfix
# remove sendmail
yum remove sendmail
# disable and remove the xinetd service
/sbin/service xinetd stop; /sbin/chkconfig xinetd off
rm -rf /etc/xinetd.d
Clean up unneeded users and groups

# back up passwd and group first
cp /etc/passwd /etc/passwd.sav
cp /etc/group /etc/group.sav
# delete unused users and groups

for a in adm lp sync news uucp operator games gopher mailnull rpc; do /usr/sbin/userdel -f $a; done
# groupdel on CentOS 5/6 has no -f option; a group that is still someone's primary group is left in place
for a in lp news uucp games gopher users floppy nscd rpc rpcuser nfsnobody; do /usr/sbin/groupdel $a; done

Switch to the Hong Kong time zone

ln -sf /usr/share/zoneinfo/Hongkong /etc/localtime
Support zip and unzip
yum install zip unzip

Next, nginx optimization

I. Nginx configuration
Edit the configuration file:

vim /etc/nginx/nginx.conf

1.
Find:

worker_processes

and change it to:

worker_processes 2;

The number of nginx worker processes; usually set equal to the number of CPU cores.

2.
Find:

worker_rlimit_nofile

and change it to:

worker_rlimit_nofile 40960;

worker_rlimit_nofile is the maximum number of file handles an nginx worker process may open.

3.
Find:

worker_connections

and change it to:

worker_connections 10240;

The maximum number of connections per worker process; max_clients = worker_processes * worker_connections.

4.
Find:

keepalive_timeout

and change it to:

keepalive_timeout 60;

Set the keep-alive connection timeout to 60 seconds.

5. Enable gzip
Find the gzip-related parameters:

gzip on;
gzip_static on;
gzip_comp_level 5;
gzip_min_length 1024;

Add and modify them (overwriting the block directly gives the same result):

gzip on;
gzip_static on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_buffers 4 8k;
gzip_types text/xml text/css text/javascript application/x-javascript application/xml;
gzip_vary on;
gzip_http_version 1.1;

The gzip compression parameters, from top to bottom:
Enable gzip compression.
Enable the gzip_static module (serve pre-compressed files).
Compression level: 1 is the lowest ratio and the fastest, 9 is the highest ratio but the slowest.
The minimum response size, in bytes, that will be compressed.
Compression buffers: memory is requested in blocks; here 4 blocks of 8k, i.e. 4 times 8k.
The MIME types to compress.
Vary header support.
The HTTP protocol version for which compression is enabled.

II. PHP-FPM configuration

vim /etc/php-fpm.d/www.conf

The following settings apply to pm = dynamic mode.
1.
Find:

pm.max_children

and change it to:

pm.max_children = 8

The maximum number of child processes PHP-FPM will create; more children means more concurrency. Adjust the idle process counts pm.min_spare_servers and pm.max_spare_servers at the same time; they must not exceed pm.max_children.

2.
Find:

;pm.max_requests = 500

Remove the comment marker and change it to:

pm.max_requests = 2000

The number of requests a child process serves before it is respawned.

PS: the dynamic mode is much like Apache's prefork mode.

3.
Find:

;request_terminate_timeout = 0

Remove the comment marker and change it to:

request_terminate_timeout = 100

Set the maximum execution time for PHP scripts (seconds).

An nginx process uses 5~10MB of memory; a php-fpm process uses about 15~25MB.
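The "find X, change it to Y" steps in sections I and II (and the php.ini and my.cnf edits later on) are easy to get wrong by hand: a directive left in the wrong block, a commented-out key left commented, or a duplicate appended. As an added example, not part of the original post, here are two idempotent helpers in shell: one for nginx.conf-style "name value;" directives and one for ini-style "key = value" files such as /etc/php-fpm.d/www.conf, /etc/php.ini and /etc/my.cnf, where the key may be commented out with ";" or "#". The function names set_nginx_directive and set_ini_key are this example's own; each call keeps a timestamped backup next to the file.

```sh
#!/bin/sh
# Added example, not from the original post. Idempotent edits for the
# configuration steps described above. Function names are this example's own.

# set_nginx_directive FILE NAME VALUE
# Rewrites every line whose first word is NAME to "NAME VALUE;" keeping its
# indentation. If NAME is absent it refuses, because the right block
# (top level, events{}, http{}) cannot be guessed safely; add it by hand.
set_nginx_directive() {
    file=$1 name=$2 value=$3
    grep -Eq "^[[:space:]]*$name[[:space:]]" "$file" || {
        echo "$name not found in $file; add it in the correct block by hand" >&2
        return 1
    }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v name="$name" -v value="$value" '
        $1 == name {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            print indent name " " value ";"; next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rm -f "$tmp"
}

# set_ini_key FILE SECTION KEY VALUE
# Inside [SECTION], every live or commented-out assignment of KEY becomes
# "KEY = VALUE"; if none exists the line is appended at the end of the section,
# and if the section is missing it is created at the end of the file.
set_ini_key() {
    file=$1 section=$2 key=$3 value=$4
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    awk -v section="[$section]" -v key="$key" -v value="$value" '
        /^[ \t]*\[/ {                       # section header: leaving or entering
            if (insec && !done) { print key " = " value; done = 1 }
            insec = ($1 == section)
        }
        insec {
            line = $0; sub(/^[ \t]*[;#]?[ \t]*/, "", line)   # strip ";"/"#" prefix
            split(line, kv, /[ \t]*=/)
            if (kv[1] == key) { print key " = " value; done = 1; next }
        }
        { print }
        END {
            if (!done) { if (!insec) print section; print key " = " value }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage on the VPS (then validate with "nginx -t" and "php-fpm -t" before restarting):
#   set_nginx_directive /etc/nginx/nginx.conf worker_connections 10240
#   set_ini_key /etc/php-fpm.d/www.conf www pm.max_requests 2000
#   set_ini_key /etc/php-fpm.d/www.conf www request_terminate_timeout 100
```

Note that set_nginx_directive rewrites every occurrence of the directive, so if keepalive_timeout appears in several server blocks they all change; that is usually what you want for the global tuning above, but check the diff against the .bak copy.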

III. Preventing nginx 500, 502 and 504 errors
1. Nginx 500 errors
Nginx 500 errors are largely caused by the open file descriptor limit being too small; see "(IV) Modify the system ulimit limits" below.
Also change worker_rlimit_nofile in nginx.conf to 40960.

2. Nginx 502 errors
Nginx 502 Bad Gateway is the most common error; the main cause is too few PHP FastCGI processes for the number of concurrent requests, so requests are dropped.
If you have memory to spare, increase the number of PHP-FPM processes by raising pm.max_children.

Other methods found online:
If some PHP programs run longer than nginx is willing to wait, you can increase the FastCGI timeouts in nginx.conf, for example

......
http
{
......
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
......
}
......

PS: the basic structure of nginx.conf is as follows; do not add the settings in the wrong place.

xxxxxxxx
xxxxxxxx
events {
    xxxxxxxxxxxx
    ...
}
http {
    xxx add them here xxxx
    server {
        xxxxxxxxxxxx
        ...
    }
    ...
}
In addition, setting request_terminate_timeout to control the maximum running time of PHP scripts can help. 502 errors also occur when php-cgi processes run for too long or die.

3. Nginx 504 errors
504 Gateway Time-out is typically caused by nginx's default FastCGI response buffers being too small, which leaves the FastCGI process hanging.
Add a few fastcgi settings:

fastcgi_buffers 4 256k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
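Rather than waiting for users to report 502s and 504s, the symptoms above can be read from the logs. As an added example, not part of the original post, the script below tallies 500/502/504 responses from an nginx access log in the default "combined" format, lists the paths that produce them, and counts the php-fpm warning that accompanies the 502 cause described above (the pool hitting pm.max_children). The function names and the sample log lines are constructed for this example; the php-fpm log path in the usage comment is an assumption for a CentOS 6 package install.

```sh
#!/bin/sh
# Added example, not from the original post. Field positions assume nginx's
# default log_format "combined":
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
# so $7 is the request path and $9 the status code.

# Constructed sample access log lines (not real traffic).
sample_access_log() {
    cat <<'EOF'
10.0.0.5 - - [10/Mar/2014:12:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2014:12:00:02 +0800] "GET /index.php HTTP/1.1" 502 575 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2014:12:00:02 +0800] "POST /upload.php HTTP/1.1" 504 575 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2014:12:00:03 +0800] "GET /index.php HTTP/1.1" 502 575 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2014:12:00:04 +0800] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2014:12:00:05 +0800] "GET /report.php HTTP/1.1" 500 0 "-" "curl/7.19"
EOF
}

# Constructed sample php-fpm log lines (message text in the form php-fpm prints it).
sample_fpm_log() {
    cat <<'EOF'
[10-Mar-2014 12:00:00] NOTICE: fpm is running, pid 1234
[10-Mar-2014 12:00:02] WARNING: [pool www] server reached pm.max_children setting (8), consider raising it
EOF
}

# count_status LOG STATUS -> number of requests with that status code
count_status() {
    awk -v st="$2" '$9 == st { n++ } END { print n + 0 }' "$1"
}

# top_5xx_paths LOG [N] -> "count status path" for the N most frequent 5xx (default 5)
top_5xx_paths() {
    awk '$9 ~ /^5[0-9][0-9]$/ { c[$9 " " $7]++ } END { for (k in c) print c[k], k }' "$1" \
        | sort -rn | head -n "${2:-5}"
}

# error_rate_exceeded LOG THRESHOLD_PERCENT -> exit 0 if the 5xx share exceeds the threshold
error_rate_exceeded() {
    awk -v thr="$2" '{ total++ } $9 ~ /^5/ { errs++ }
        END { if (total == 0) exit 1; exit ((errs * 100 / total > thr) ? 0 : 1) }' "$1"
}

# fpm_saturation_count FPM_LOG -> how often the pool hit pm.max_children
fpm_saturation_count() {
    awk '/server reached pm.max_children setting/ { n++ } END { print n + 0 }' "$1"
}

# report ACCESS_LOG FPM_LOG -> human-readable summary
report() {
    access=$1 fpm=$2
    for s in 500 502 504; do echo "$s: $(count_status "$access" "$s")"; done
    echo "top 5xx paths:"; top_5xx_paths "$access" 3
    echo "php-fpm pm.max_children hits: $(fpm_saturation_count "$fpm")"
    if error_rate_exceeded "$access" 5; then echo "ALERT: more than 5% of requests returned 5xx"; fi
}

# Usage: ./nginx5xx.sh demo
#   or   report /var/log/nginx/access.log /var/log/php-fpm/error.log   (assumed paths)
if [ "${1:-}" = "demo" ]; then
    a=$(mktemp); f=$(mktemp)
    sample_access_log > "$a"; sample_fpm_log > "$f"
    report "$a" "$f"
    rm -f "$a" "$f"
fi
```

A non-zero pm.max_children count together with 502s points at raising pm.max_children (memory permitting); 504s with a low count point at the FastCGI timeouts and buffers instead.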

IV. System-related
1.
Modify network parameters

vim /etc/sysctl.conf

Add:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

2.
Modify the system ulimit limits

vim /etc/security/limits.conf

Add two lines:

* soft nofile 40960
* hard nofile 40960


vim /etc/pam.d/login

Add the following line:

session required pam_limits.so

Add a line to /etc/profile:

echo "ulimit -SHn 40960" >> /etc/profile

Reboot the system for the changes to take effect.
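After the reboot it is worth verifying that the limits actually apply and that the numbers from section I fit together: worker_processes * worker_connections must not exceed worker_rlimit_nofile, which in turn must not exceed the nofile limit. As an added example, not part of the original post, the checker below parses limits.conf and sysctl.conf and compares the configured values with the running system. The function names are this example's own. One caveat the page does not mention: net.ipv4.tcp_tw_recycle makes the kernel drop connections from clients behind NAT and was removed in Linux 4.12, so the live check flags it as a warning.

```sh
#!/bin/sh
# Added example, not from the original post. Verifies the ulimit and sysctl
# changes described above and their consistency with the nginx tuning.
# Function names are this example's own; file arguments default to the
# paths used in the text so the parsers can also be run on test copies.

# limits_nofile [FILE] -> lowest "* soft/hard nofile" value in limits.conf, or "none"
limits_nofile() {
    awk '$1 == "*" && $3 == "nofile" { if (min == "" || $4 + 0 < min) min = $4 + 0 }
         END { print ((min == "") ? "none" : min) }' "${1:-/etc/security/limits.conf}"
}

# sysctl_conf_value KEY [FILE] -> value of KEY in sysctl.conf, or "unset"
sysctl_conf_value() {
    awk -F'=' -v key="$1" '
        $0 !~ /^[ \t]*#/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v) }
        }
        END { print ((v == "") ? "unset" : v) }' "${2:-/etc/sysctl.conf}"
}

# check_capacity NOFILE WORKER_PROCESSES WORKER_CONNECTIONS WORKER_RLIMIT_NOFILE
# exit 0 when processes*connections <= rlimit <= nofile, 1 otherwise
check_capacity() {
    nofile=$1 procs=$2 conns=$3 rlimit=$4
    [ $((procs * conns)) -le "$rlimit" ] && [ "$rlimit" -le "$nofile" ]
}

# Live check on the running system; uses the values chosen above (2, 10240, 40960).
live_check() {
    conf=$(limits_nofile)
    now=$(ulimit -n)
    [ "$now" = unlimited ] && now=1048576   # treat "unlimited" as a large number
    echo "limits.conf nofile: $conf, current shell ulimit -n: $now"
    for k in net.ipv4.tcp_syncookies net.ipv4.tcp_tw_reuse net.ipv4.tcp_tw_recycle; do
        echo "$k: configured=$(sysctl_conf_value "$k") running=$(sysctl -n "$k" 2>/dev/null || echo missing)"
    done
    if [ "$(sysctl_conf_value net.ipv4.tcp_tw_recycle)" = 1 ]; then
        echo "warning: tcp_tw_recycle drops connections from clients behind NAT (removed in Linux 4.12)" >&2
    fi
    if check_capacity "$now" 2 10240 40960; then
        echo "capacity check ok: 2 * 10240 <= 40960 <= $now"
    else
        echo "capacity check FAILED: raise nofile or lower worker_rlimit_nofile / worker_connections"
    fi
}

# Usage: ./check_limits.sh live
if [ "${1:-}" = "live" ]; then live_check; fi
```

Run it from a fresh login shell after the reboot; the value of `ulimit -n` seen by a shell started before the reboot says nothing about what nginx will get.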

V. MySQL configuration

vim /etc/my.cnf

Because memory is small, do not use InnoDB; fall back to MyISAM as in MySQL 5.1.x. If memory is sufficient, InnoDB is still the recommended choice.

Add under [mysqld]:

loose-skip-innodb
default-storage-engine = MyISAM

skip-external-locking
skip-name-resolve
skip-networking

key_buffer_size = 32M
max_allowed_packet = 2M
table_cache = 64
sort_buffer_size = 1M
net_buffer_length = 8K
read_buffer_size = 1M
read_rnd_buffer_size = 1M
myisam_sort_buffer_size = 16M
thread_cache_size = 8 # added
query_cache_size = 32M # added

VI. PHP configuration

vim /etc/php.ini

1.
Find:

zlib.output_compression = Off
;zlib.output_compression_level = -1

and change it to:

zlib.output_compression = On
zlib.output_compression_level = 5

Turn on PHP gzip compression. This is different from nginx's gzip: nginx compresses html, css and javascript, while PHP gzip compresses the output of PHP scripts.

2.
Find:

memory_limit = 128M

and change it to:

memory_limit = 32M

Set the maximum amount of memory a PHP script may use.

Finally, restart nginx, PHP-FPM and MySQL:

service nginx restart
service php-fpm restart
service mysqld restart
