<![CDATA[Chen's blog]]> http://blog.hackroad.com/index.php zh-cn http://blog.hackroad.com/read.php/505.htm <![CDATA[Windows下的Memcache安装]]> chen <fanmaochen@gmail.com> Mon, 06 Feb 2012 02:02:25 +0000 http://blog.hackroad.com/read.php/505.htm 其实我开始研究Memcache的时候并不知道居然还有memcached for Win32这个鸟东西,害得我在CnetOS下折腾1天才搞定,今天突然发现Windows下的Memcache进行开发调试完全没有问题,所以写篇Memcache的文档分享给大家。

Windows下的Memcache安装:
1. 下载memcache的windows稳定版,解压放某个盘下面,比如在c:\memcached
2. 在终端(也即cmd命令界面)下输入 'c:\memcached\memcached.exe -d install' 安装
3. 再输入: 'c:\memcached\memcached.exe -d start' 启动。NOTE: 以后memcached将作为windows的一个服务每次开机时自动启动。这样服务器端已经安装完毕了。
4.下载php_memcache.dll,请自己查找对应的php版本的文件
5. 在C:\winnt\php.ini 加入一行 'extension=php_memcache.dll'
6.重新启动Apache,然后查看一下phpinfo,如果有memcache,那么就说明安装成功!


memcached的基本设置:

引用

-p 监听的端口 -l 连接的IP地址, 默认是本机 -d start 启动memcached服务 -d restart 重起memcached服务 -d stop|shutdown 关闭正在运行的memcached服务 -d install 安装memcached服务 -d uninstall 卸载memcached服务 -u 以的身份运行 (仅在以root运行的时候有效) -m 最大内存使用,单位MB。默认64MB -M 内存耗尽时返回错误,而不是删除项 -c 最大同时连接数,默认是1024 -f 块大小增长因子,默认是1.25 -n 最小分配空间,key+value+flags默认是48 -h 显示帮助



Memcache环境测试:
运行下面的php文件,如果有输出This is a test!,就表示环境搭建成功。开始领略Memcache的魅力把!
< ?php
$mem = new Memcache;
$mem->connect("127.0.0.1", 11211);
$mem->set('key', 'This is a test!', 0, 60);
$val = $mem->get('key');
echo $val;
?>
]]> http://blog.hackroad.com/read.php/504.htm <![CDATA[Windows 7终端管理 ]]> chen <fanmaochen@gmail.com> Fri, 03 Feb 2012 08:27:22 +0000 http://blog.hackroad.com/read.php/504.htm
       经常使用远程桌面管理众多服务器的朋友们可能都使用过Windows MMC中的“远程桌面”功能,使用它可以很容易的保存N多远程桌面连接,而不用每次需要连接某台服务器时重复的Alt+R、mstsc。Windows工作站操作系统MMC中默认是没有“远程桌面”这个功能模块的,需手动添加,WinXp可以安装Srv2003的管理包或手动复制2003 system32下的mstsmmc.dll 和 mstsmhst.dll 并注册后即可在MMC中添加并使用该功能。
而Win7照搬Xp下的操作办法显然不可行,好在微软给出了解决方案,搜了半天才找到。
1.去MS中国下载“Windows 7 远程服务器管理工具”,KB958850,200多M,
下载地址
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
2.安装完成后依次打开“控制面板”-“程序和功能”-“打开或关闭Windows功能”-“远程服务器管理工具”-“角色管理工具”,勾选下面的“远程桌面服务工具。

3.此时重新打开MMC控制台,添加管理单元时就可以选择并添加“远程桌面”管理单元了。 ]]> http://blog.hackroad.com/read.php/503.htm <![CDATA[FAN: nagios 自动化]]> chen <fanmaochen@gmail.com> Mon, 30 Jan 2012 06:12:02 +0000 http://blog.hackroad.com/read.php/503.htm FAN是基于centos 系统之上的。

AN是基于centos 系统之上的。
FAN包含以下工具:
Nagios: Core monitoring application(核心监视应用)
Nagios plugins: plugins to monitor servers (监视服务的插件)
Centreon: web frontend for Nagios (Centreon is one of the better tools for that!)(更好的网页界面展示工具)
NagVis: a great tools for configuring maps (不错的图形配置工具)
NDOUtils: Nagios module to store monitoring data in MySQL (将数据存入mysql的Nagios 模块)
NRPE: the check_nrpe plugin (NRPE daemon is not provided) (check_nrpe 插件)
NaReTo (Nagios Reporting Tools): a great tool for getting availabilty report(状态报告配置工具)

Highslide JS
下载地址

http://fannagioscd.sourceforge.net/wordpress/download/
]]> http://blog.hackroad.com/read.php/502.htm <![CDATA[在Linux(CentOS)安装MRTG的教程]]> chen <fanmaochen@gmail.com> Thu, 19 Jan 2012 08:56:01 +0000 http://blog.hackroad.com/read.php/502.htm
1.请确保你的系统安装了以下软件包
net-snmp-5.0.6-17
net-snmp-devel-5.0.6-17
net-snmp-utils-5.0.6-17
使用YUM –y install net-snmp
Yum –y install net-snmp-devel
Yum –y install net-snmp-utils

2.修改/etc/snmp/snmpd.conf

去掉如下一行的注释
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc

在大约55行处添加如下一行
view systemview included .1.3.6.1.2.1.2

把如下行
access notConfigGroup "" any noauth exact systemview none none
改作:
access notConfigGroup "" any noauth exact mib2 none none

3.启用snmpd服务
#service snmpd start
#chkconfig --levle 2345 snmpd on

4.查看端口的开启状况
# netstat -tunlp |grep snmp
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN 4973/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 4973/snmpd

二、MRTG生成供浏览图像需要httpd服务的支持,同时也需要gd、libpng和zlib三个软件包的支持,而gd的正常运行也需要其它的几个软件,下面一并安装它们

1.安装zlib-1.2.3
#tar zxvf zlib-1.2.3.tar.gz
#cd zlib-1.2.3
#./configure --prefix=/usr/local/zlib
#make
#make install

2.安装httpd-2.2.4
#tar zxvf httpd-2.2.4.tar.gz
#cd httpd-2.2.4
#./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-track-vars --enable-rewrite --with-z-dir=/usr/local/zlib
#make
#make install
启动httpd
/usr/local/apache/bin/apachectl -k start

3.安装libpng-1.2.14
#tar zxvf libpng-1.2.14.tar.gz
# cd libpng-1.2.14
# cp scripts/makefile.linux makefile
# make (若是提示找不到zlib库文件或者头文件,多半是makefile文件里zlib的默认路径有误。可编辑makefile文件,找到zlib项并重新指定路径到/usr/local/zlib/lib和/usr/local/zlib/include)。
Vi makefile
Zliblib=/usr/local/zlib/lib
Zlibinc=/usr/local/zlib/include 去掉开头的“#”
# make install

4.安装freetype-2.1.10
# tar -zvxf freetype-2.1.10.tar.gz
# cd freetype-2.1.10
# mkdir -p /usr/local/freetype
# ./configure --prefix=/usr/local/freetype
# make;make install

5.安装jpegsrc.v6b
jpeg默认不会自建目录,因此需手动建立目录:
# mkdir -pv /usr/local/jpeg6/{,bin,lib,include,man/{,man1},man1}
安装
#tar zxvf jpegsrc.v6b.tar.gz
# ./configure --prefix=/usr/local/jpeg6/ --enable-shared --enable-static
# make
# make install
# make install-lib

6.安装libxml2-2.6.19
# tar -zxf libxml2-2.6.19.tar.gz
# cd libxml2-2.6.19
# mkdir -p /usr/local/libxml2
# ./configure --prefix=/usr/local/libxml2
# make; make install
#cp xml2-config /usr/bin

7.安装GD-2.0.33库
# tar -zvxf gd-2.0.33.tar.gz
# mkdir -p /usr/local/gd2
# cd gd-2.0.33
# ./configure --prefix=/usr/local/gd2 --with-jpeg=/usr/local/jpeg6/ --with-png=/usr/local/lib/ --with-zlib=/usr/local/zlib/ --with-freetype=/usr/local/freetype/
# make
# make install

三、安装配置MRTG

1.下载mrtg,目前最新版本为mrtg-2.15.1
http://oss.oetiker.ch/mrtg/pub/mrtg-2.15.1.tar.gz

2.安装mrtg-2.15.1
#tar zxvf mrtg-2.15.1.tar.gz
# cd mrtg-2.15.1
# ./configure --prefix=/usr/local/mrtg --sysconfdir=/etc/mrtg --with-gd=/usr/local/gd2/include --with-gd-lib=/usr/local/gd2/lib --with-gd-inc=/usr/local/gd2/include --with-png=/usr/local/include --with-png-lib=/usr/local/lib --with-png-inc=/usr/local/include --with-zlib=/usr/local/zlib/include --with-zlib-lib=/usr/local/zlib/include --with-zlib-inc=/usr/local/zlib/include
# make
# make install

3.基本配置

生成主配置文件
Mkdir /etc/mrtg
touch /etc/mrtg/mrtg.cfg
#/usr/local/mrtg/cfgmaker public@localhost > /etc/mrtg/mrtg.cfg

编辑/etc/mrtg/mrtg.cfg

#WorkDir:/home/http/mrtg
去掉注释并改为
WorkDir: /usr/local/apache/htdocs/mrtg (此处是你的httpd默认的主目录)

去掉如下行的注释
#Options[_]: growright, bits

添加如下行,实现网页中的中文字符显示
Language:gb2312

生成MRTG网页主页面文件
#/usr/local/mrtg/bin/indexmaker /etc/mrtg/mrtg.cfg --output=/usr/local/apache/htdocs/mrtg/index.html --title="My MRTG"

4.启动MRTG
#env LANG=C /usr/local/mrtg/bin/mrtg /etc/mrtg/mrtg.cfg
这个命令会输出一些错误信息,一般可以安全忽略,连续执行三次此命令即可。

5.MRTG生成的web页面是静态的,为了能让其不断的刷新,需要将以上命令添加进crontab
#crontab -e
添加如下一行
*/3 * * * * env LANG=C /usr/local/mrtg/bin/mrtg /etc/mrtg/mrtg.cfg
注:此行表示每三分钟刷新一次,你可以根据自己的需要修改刷新时间间隔。

6.安装完毕,可以去查看结果了,在浏览器输入形如以下地址
http://192.168.1.6/mrtg (IP地址为你的机器IP)

四、一个示例:内存使用监视

1.新建一个存放脚本的文件夹
#mkdir -pv /usr/local/apache/htdocs/mrtgsh

2.建立脚本文件
#vi /usr/local/apache/htdocs/mrtgsh/mrtg.memory
添加如下脚本:
#!/bin/bash
# run this script to check the mem usage.
totalmem=`/usr/bin/free |grep Mem |awk '{print $2}'`
usedmem=`/usr/bin/free |grep Mem |awk '{print $3}'`
UPtime=`/usr/bin/uptime | awk '{print $3""$4""$5}'`
echo $totalmem
echo $usedmem
echo $UPtime
让其具有运行权限
#chmod 755 /usr/local/apache/htdocs/mrtgsh/mrtg.memory

3.编辑/etc/mrtg/mrtg.cfg
添加如下内容
Target[memory]: `/usr/local/apache/htdocs/mrtgsh/mrtg.memory`
MaxBytes[memory]: 4096000
Title[memory]:Memory Usages
ShortLegend[memory]: &
kmg[memory]:kB,MB
kilo[memory]:1024
YLegend[memory]: Memory Usage :
Legend1[memory]: Total Memory :
Legend2[memory]: Used Memory :
LegendI[memory]: Total Memory :
LegendO[memory]: Used Memory :
Options[memory]: growright,gauge,nopercent
PageTop[memory]:
Memory Usages

4.重新生成主页面文件
#/usr/local/mrtg/bin/indexmaker /etc/mrtg/mrtg.cfg --output=/usr/local/apache/htdocs/mrtg/index.html --title="My MRTG"

5.可根据情况重新启动MRTG,然后就可以查看效果了。 ]]> http://blog.hackroad.com/read.php/501.htm <![CDATA[在Centos(RHEL)上安装和配置MRTG]]> chen <fanmaochen@gmail.com> Thu, 19 Jan 2012 08:15:42 +0000 http://blog.hackroad.com/read.php/501.htm 1.我只有一台机器要用,比如我的个人网站.为了一个小服务器搞个cacti不值.象这样MRTG还是很方便的.
2.就算大面积使用Cacti加RRD还是有必要在本机运行一个可以直接查看的网页比较方便.方便运维排错.
3.可以在一个节点的一台机器上装一个MRTG,然后加上那个节点后面所有的机器,这样可以显示每个节点的流量,方便节点排错.


MRTG的全称叫 Multi Router Traffic Grapher 可以监控很多东西,今天我们就用它来监控我小小的个人网站的流量.节点之类多设备的设置后面也可以参考一下.

第一步: 安装 MRTG 和snmp

yum install mrtg net-snmp net-snmp-utils

第二步:配置 snmpd
我不建议使用自己来配置这个配置文件.直接使用 snmpconf 这个软件就可以很好的

vi /etc/snmp/snmpd.conf
修改成下面这样主要是com2sec那行的可以snmp来打开的地址和密码根据你的需要来设置一下.还有就是access部分后面的权限,可以设置成all之类.

com2sec notConfigUser  localhost       public

group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser

view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1

access  notConfigGroup ""      any       noauth    exact all none none
view all    included  .1                               80

syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root
注:
com2sec notConfigUser  localhost       public 这个后面二个选项是指,可以取得信息的地址为 Localhost,使用的验证码为 public
access  notConfigGroup ""      any       noauth    exact all none none 这行中,会打开读信息.可以读取所有的信息,倒数第三个选项 all 来指定.

记的重起服务


service snmpd restart

我们来确认一下我们的配置,用下面的命令,看看能不能得到你接口的ip信息

snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

我的输出如下:

IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.221.9.252.35 = INTEGER: 2


第三步:配置MRTG

我们使用cfgmaker的命令来建立 /etc/mrtg.cfg 文件,输入如下命令:
1
cfgmaker --global 'WorkDir: /var/www/mrtg' --output /etc/mrtg.cfg public@localhost

    * –global 'WorkDir: /var/www/mrtg' : 设置全局的工作目录配置,也就是存MRTG的图象的地址
    * –global "Options[_]: growright,bits" :设置网络显示
    * –output /etc/mrtg.cfg: 你输出的配置文件的地址
    * public@localhost : public是你的snmp设备读的密码,localhost是设备的密码.如果你要显示远程的snmp的设备,就是远程的地址的密码,现在我这是本地的.

设置完后,运行indexmaker来建立网页显示接口的信息.这个只需运行一次,你加入新的设备和新监控内容才需要更新.

indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

第四步:加入定时任务

http服务都会配置吧,这个就不教了哦…crontab我想都会加吧.加入下面的命令到crontab中吧

*/5 * * * * root LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok

最后你打开你的网站的
http://your-ip.add.ress/mrtg/

比如我的网站就是:http://www.php-oa.com/mrtg/


FQA:
1.怎么加入多个节点内其它的多个设备
本地运行下面的命令

cfgmaker --global 'WorkDir: /var/www/mrtg' \
--output /etc/mrtg/mrtg.cfg \
--global "Options[_]: growright,bits" \
--ifref=nr \
public@192.168.0.1 \
public@192.168.0.2 \
public@192.168.0.3 \
远程主机
只需要配置snmp的配置,配置如上面提到的一样,只是配置中的可以读snmp的localhost需要修改成显示的那个地址.
2.怎么显示成中文
在你的/etc/mrtg.conf配置之间加入
Language: Chinese     #注意:不要用Language: gb2312,因为用Language: gb2312会出现流量单位b不能正常显示的问题
3.怎么显示指定接口的流量
在cfgmaker命令参数后面加入接口信息 –ifref=ip
ifref可以指定为nr、ip、eth、descr、name.nr表示用接口在MIBII库中Interface接口的ifIndex来识别接口.

cfgmaker --global 'WorkDir: /var/www/mrtg'   --ifref=ip  --output /etc/mrtg.cfg public@localhost


附:1: mrtg.cfg 里面几个参数的意思.
Target:是要执行的脚本
Xsize:生成图表的横向宽度(最大600)
Ysize:生成图表的纵向高度(最大200)
Title:标题
kMG: Change the default multiplier prefixes
Ytics:纵向划分为几个块(格子)
MaxBytes:图表纵向数值的最大上限
PageTop:页面上面的提示
kilo:一般是写1024,如果需要的话,是1000在计算机里的单位
LegendI:从SHELL返回的数据中的第一个
LegendO:从SHELL返回的数据中的第二个
Options: growright,表示图表向右延展 ]]> http://blog.hackroad.com/read.php/500.htm <![CDATA[Nginx访问控制]]> chen <fanmaochen@gmail.com> Wed, 18 Jan 2012 09:45:39 +0000 http://blog.hackroad.com/read.php/500.htm 限制整个域名访问就要server下添加:
server {
listion 80;
server_name lihuipeng.blog.51cto.com;
root /opt/htdocs/www;

allow   100.100.100.100;
deny    all;

还可以做到PHP的解释限制:
location ~ .*\.php?$
{
allow   100.100.100.100;
deny    all;
fastcgi_pass  127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}

除了限制IP之然还可以给域名添加帐号码密验证:
server {
listion 80;
server_name lihuipeng.blog.51cto.com;
root /opt/htdocs/www;

allow   100.100.100.100;
deny    all;
auth_basic “lihuipeng website”;
auth_basic_user_file htpasswd;

location ~ .*\.php?$
{
….
}

htpasswd 这个密码很眼熟吧,就是用apache生成的,也有在线生成htpasswd的! ]]> http://blog.hackroad.com/read.php/499.htm <![CDATA[Nginx限制带宽]]> chen <fanmaochen@gmail.com> Wed, 18 Jan 2012 09:43:15 +0000 http://blog.hackroad.com/read.php/499.htm 首先在http{}的配置中添加一条:
limit_zone one $binary_remote_addr 10m;然后在server{}的配置中添加:
location / {
  limit_conn one 1;  限制线程
  limit_rate 100k;     限制速度
}
表示限速100K每个客户端只允许一个线程

客户端最终速度=rate * conn,这样就可以完美的实现限制带宽的设置了。 ]]> http://blog.hackroad.com/read.php/498.htm <![CDATA[nginx 禁止以ip形式访问服务器]]> chen <fanmaochen@gmail.com> Wed, 18 Jan 2012 09:41:03 +0000 http://blog.hackroad.com/read.php/498.htm

  server {
                listen 80;
                server_name _;
                return 404;
        }


加在所有server的前面!
然后重启服务! ]]> http://blog.hackroad.com/read.php/497.htm <![CDATA[Nginx+mysql+php-fpm搭建高性能Nginx平台]]> chen <fanmaochen@gmail.com> Wed, 18 Jan 2012 09:33:49 +0000 http://blog.hackroad.com/read.php/497.htm 1、马上看看所需软件
mysql-5.0.92.tar.gz
libiconv-1.13.tar.gz
libxml2-2.6.31.tar.gz
jpegsrc.v6b.tar.gz
freetype-2.3.5.tar.gz
zlib-1.2.3.tar.gz
libpng-1.2.40.tar.gz
gd-2.0.35.tar.gz
libmcrypt-2.5.7.tar.gz
php-5.2.17.tar.gz
php-5.2.17-fpm-0.5.14.diff.gz
pcre-8.01.tar.gz
nginx-0.9.5.tar.gz
memcache-2.2.5.tgz
eaccelerator-0.9.5.3.tar.bz2
呼拉拉,一大堆软件,马上看看怎么安装这一大堆软件!

2、安装mysql
tar xvfz mysql-5.0.92.tar.gz
cd mysql-5.0.92
./configure --prefix=/usr/local/mysql --localstatedir=/home/var --with-charset=utf8 --with-extra-charsets=all --with-berkeley-db --with-innodb --without-readline --enable-assembler --with-pthread --enable-thread-safe-client --with-client-ldflags=-all-static
make
make install
如何不打算在本机器上运行mysql,可以跳过下面这一步
配置mysql

vi /etc/my.cnf
[client]
character-set-server = utf8
port    = 3306
socket  = /tmp/mysql.sock

[mysqld]
character-set-server = utf8
replicate-ignore-db = mysql
replicate-ignore-db = test
replicate-ignore-db = information_schema
user    = mysql
port    = 3306
socket  = /tmp/mysql.sock
basedir = /usr/local/webserver/mysql
datadir = /home/var
log-error =  /home/var/mysql_error.log
pid-file =/home/var/mysql.pid
open_files_limit    = 10240
back_log = 600
max_connections = 5000
max_connect_errors = 6000
table_cache = 614
external-locking = FALSE
max_allowed_packet = 32M
sort_buffer_size = 1M
join_buffer_size = 1M
thread_cache_size = 300
#thread_concurrency = 8
query_cache_size = 512M
query_cache_limit = 2M
query_cache_min_res_unit = 2k
default-storage-engine = MyISAM
thread_stack = 192K
transaction_isolation = READ-COMMITTED
tmp_table_size = 246M
max_heap_table_size = 246M
long_query_time = 3
log-slave-updates
log-bin = /home/var//binlog/binlog
binlog_cache_size = 4M
binlog_format = MIXED
max_binlog_cache_size = 8M
max_binlog_size = 1G
relay-log-index = /home/var/relaylog/relaylog
relay-log-info-file = /home/var/relaylog/relaylog
relay-log = /home/var/relaylog/relaylog
expire_logs_days = 30
key_buffer_size = 256M
read_buffer_size = 1M
read_rnd_buffer_size = 16M
bulk_insert_buffer_size = 64M
myisam_sort_buffer_size = 128M
myisam_max_sort_file_size = 10G
myisam_repair_threads = 1
myisam_recover

interactive_timeout = 120
wait_timeout = 120

skip-name-resolve
#master-connect-retry = 10
slave-skip-errors = 1032,1062,126,1114,1146,1048,1396

#master-host     =   192.168.1.2
#master-user     =   username
#master-password =   password
#master-port     =  3306

server-id = 1

innodb_additional_mem_pool_size = 16M
innodb_buffer_pool_size = 512M
innodb_data_file_path = ibdata1:256M:autoextend
innodb_file_io_threads = 4
innodb_thread_concurrency = 8
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 16M
innodb_log_file_size = 128M
innodb_log_files_in_group = 3
innodb_max_dirty_pages_pct = 90
innodb_lock_wait_timeout = 120
innodb_file_per_table = 0

#log-slow-queries = /home/var/slow.log
#long_query_time = 10

[mysqldump]
quick
max_allowed_packet = 32M

初始化数据库及配置启动方法
/usr/local/mysql/bin/mysql_install_db --user=mysql
chown -R mysql:mysql /home/var
/usr/local/mysql/bin/mysqld_safe --user=mysql &
cp ./support-files/mysql.server /etc/rc.d/init.d/mysql     mysql.server在安装目录下
chmod +x /etc/rc.d/init.d/mysql
chkconfig --add mysql
service mysql start
/usr/local/mysql/bin/mysqladmin -u root password 57DwNRI3pirdSAP
cd /usr/bin
ln -s /usr/local/mysql/bin/mysql mysql
3、安装libiconv、libxml2、gd等PHP库
tar zxvf libiconv-1.13.tar.gz
cd libiconv-1.13/
./configure --prefix=/usr/local/libiconv/
make
make install
cd ..
tar zxvf libxml2-2.6.31.tar.gz
cd libxml2-2.6.31
./configure --prefix=/usr/local/libxml2
make
make install
cd ..
mkdir -pv /usr/local/jpeg6/{,bin,lib,include,man/man1,man1}
tar vzxf jpegsrc.v6b.tar.gz
cd jpeg-6b
./configure --prefix=/usr/local/jpeg6 --enable-shared --enable-static
make
make install
cd ..
tar zvxf freetype-2.3.5.tar.gz
cd freetype-2.3.5
./configure --prefix=/usr/local/freetype
make
make install
cd ..
tar zvxf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure --prefix=/usr/local/zlib
make
make install
cd ..
tar zxvf libpng-1.2.40.tar.gz
cd libpng-1.2.40
cp scripts/makefile.std makefile
make
make install
cd ..
tar xzvf gd-2.0.35.tar.gz
cd gd-2.0.35
./configure --prefix=/usr/local/gd --with-png=/usr/local/libpng --with-zlib=/usr/local/zlib --with-freetype=/usr/local/freetype --with-jpeg=/usr/local/jpeg6 --with-libxml=/usr/local/libxml2
make (make的时候出报错,没关系,再make一次就可以)
make install
cd ..
tar -zxvf libmcrypt-2.5.7.tar.gz
cd libmcrypt-2.5.7
./configure
make
make install
cd ..
ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8

这样就安装完成php常用的库了
4、接着安装php、php-frm
tar zxvf php-5.2.17.tar.gz
gzip -cd php-5.2.17-fpm-0.5.14.diff.gz | patch -d php-5.2.17 -p1
cd php-5.2.17
./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv=/usr/local/libiconv/ --with-libxml-dir=/usr/local/libxml2 --with-gd=/usr/local/gd/ --with-jpeg-dir=/usr/local/jpeg6/ --with-zlib-dir=/usr/local/zlib --with-png-dir=/usr/local/lib --with-freetype-dir=/usr/local/freetype --with-mysql=/usr/local/mysql --with-mcrypt=/usr/local/lib/libmcrypt --enable-mbstring --with-openssl --enable-ftp --with-curl --enable-fastcgi --enable-xml --enable-xml --disable-rpath --enable-discard-path --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization  --with-curlwrappers --enable-mbregex  --enable-fpm --enable-force-cgi-redirect --enable-gd-native-ttf --enable-pcntl --enable-sockets --with-ldap --with-ldap-sasl
make
make install
cp php.ini-dist /usr/local/php/lib/php.ini

PHP的配置一会再说,先把nginx安装完成
5、nginx及php扩展插件
tar zxvf pcre-8.01.tar.gz
cd pcre-8.01/
./configure
make
make install
cd ..

groupadd www
useradd -g www -d /home/www -s /sbin/nologin www
tar zxvf nginx-0.9.5.tar.gz
cd nginx-0.9.5/
./configure --with-http_stub_status_module --with-http_ssl_module --user=www --group=www --with-http_realip_module
make
make install
cd ..
tar zxvf memcache-2.2.5.tgz
cd memcache-2.2.5/
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config
make
make install
cd ..
tar jxvf eaccelerator-0.9.5.3.tar.bz2
cd eaccelerator-0.9.5.3/
/usr/local/php/bin/phpize
./configure --enable-eaccelerator=shared --with-php-config=/usr/local/php/bin/php-config
make
make install
cd ..
mkdir /tmp/eaccelerator
chmod 777 /tmp/eaccelerator
chown www:www /tmp/eaccelerator

6、安装完那一大堆软件之后,要开始配置了,下面这些才是关键
第一步:配置php.ini
vi /usr/local/php/lib/php.ini
找到
extension_dir =""
修改成
extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"
extension = "memcache.so"
再找到
output_buffering=off
修改成
output_buffering = On
再次查找
; cgi.fix_pathinfo=0
把注释去掉
cgi.fix_pathinfo=0
最后跳到php.ini文件的末尾,加入以下内容:
[eaccelerator]
zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="0"
eaccelerator.compress_level="9"
eaccelerator.keys = "disk_only"
eaccelerator.sessions = "disk_only"
eaccelerator.content = "disk_only"
至此,php.ini文件修改完毕!
第二步:配置nginx的FCGI
vi /usr/local/nginx/conf/fcgi.conf
写入以下内容:
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
第三步:配置php-fpm文件
mv /usr/local/php/etc/php-fpm.conf /usr/local/php/etc/php-fpm.conf.bak
vi /root/lnmp/php-fpm.conf
重新写入以下内容


  All relative paths in this config are relative to php's install prefix
  

    Pid file
    /usr/local/php/logs/php-fpm.pid
    Error log file
    /usr/local/php/logs/php-fpm.log
    Log level
    notice
    When this amount of php processes exited with SIGSEGV or SIGBUS ...
    10
    ... in a less than this interval of time, a graceful restart will be initiated.
    Useful to work around accidental curruptions in accelerator's shared memory.
    1m
    Time limit on waiting child's reaction on signals from master
    5s
    Set to 'no' to debug fpm
    yes
  

  
    

      Name of pool. Used in logs and stats.
      default
      Address to accept fastcgi requests on.
      Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
      127.0.0.1:9000
      
        Set listen(2) backlog
        -1
        Set permissions for unix socket, if one used.
        In Linux read/write permissions must be set in order to allow connections from web server.
        Many BSD-derrived systems allow connections regardless of permissions.
        
        
        0666
      
      Additional php.ini defines, specific to this pool of workers.
      
        /usr/sbin/sendmail -t -i
        0
      
      Unix user of processes
      www
      Unix group of processes
      www
      Process manager settings
      
        Sets style of controling worker process count.
        Valid values are 'static' and 'apache-like'
        static
        Sets the limit on the number of simultaneous requests that will be served.
        Equivalent to Apache MaxClients directive.
        Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
        Used with any pm_style.
        128
        Settings group for 'apache-like' pm style
        
          Sets the number of server processes created on startup.
          Used only when 'apache-like' pm_style is selected
          20
          Sets the desired minimum number of idle server processes.
          Used only when 'apache-like' pm_style is selected
          5
          Sets the desired maximum number of idle server processes.
          Used only when 'apache-like' pm_style is selected
          35
        
      
      The timeout (in seconds) for serving a single request after which the worker process will be terminated
      Should be used when 'max_execution_time' ini option does not stop script execution for some reason
      '0s' means 'off'
      0s
      The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
      '0s' means 'off'
      0s
      The log file for slow requests
      logs/slow.log
      Set open file desc rlimit
      65535
      Set max core size rlimit
      0
      Chroot to this directory at the start, absolute path
      
      Chdir to this directory at the start, absolute path
      
      Redirect workers' stdout and stderr into main error log.
      If not set, they will be redirected to /dev/null, according to FastCGI specs
      yes
      How much requests each process should execute before respawn.
      Useful to work around memory leaks in 3rd party libraries.
      For endless request processing please specify 0
      Equivalent to PHP_FCGI_MAX_REQUESTS
      1024
      Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
      Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
      Makes sense only with AF_INET listening socket.
      127.0.0.1
      Pass environment variables like LD_LIBRARY_PATH
      All $VARIABLEs are taken from current environment
      
        $HOSTNAME
        /usr/local/bin:/usr/bin:/bin
        /tmp
        /tmp
        /tmp
        $OSTYPE
        $MACHTYPE
        2
      
    

  

第四步:配置nginx.conf文件
  vi /usr/local/nginx/conf/nginx.conf
写入以下内容
user www www;
worker_processes 8;
worker_cpu_affinity 0001 0010 0100 1000 0001 0010 0100 1000;
#error_log  /usr/local/nginx/logs/error.log;
#error_log  /usr/local/nginx/logs/error.log  notice;
#error_log  /usr/local/nginx/logs/error.log  info;
#pid        logs/nginx.pid;
worker_rlimit_nofile 204800;
events {
use epoll;
worker_connections 204800;
}
http {
include       mime.types;
default_type  application/octet-stream;
#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';
#access_log  logs/access.log  main;
sendfile        on;
tcp_nopush     on;
tcp_nodelay    on;
keepalive_timeout  60;
#ip_hash;
ignore_invalid_headers   on;
recursive_error_pages    on;
server_name_in_redirect off;
server_tokens           off;
gzip on;
gzip_comp_level  9;
gzip_min_length  1100;
gzip_buffers  4 8k;
gzip_http_version  1.1;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
server_names_hash_bucket_size 256;
client_header_buffer_size 16K;
large_client_header_buffers 4 64k;
client_max_body_size             50m;
client_body_buffer_size        256k;
client_header_timeout     3m;
client_body_timeout 3m;
send_timeout             3m;
open_file_cache max=204800 inactive=20s;
open_file_cache_min_uses 1;
open_file_cache_valid 30s;
    
server
{
  listen       80;
  server_name lihuipeng.blog.51cto.com;
  index index.html index.php;
  root  /home/www/blog;
  access_log  /home/logs/access_lihuipeng.blog.51cto.com.log;
  
  if (-d $request_filename){
   rewrite ^/(.*)([^/])$ http://$host/$1$2/ permanent;
  }
    
  error_page   500 502 503 504 404 403 http://lihuipeng.blog.51cto.com;
    
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
   expires 30d;
  }
  location ~ .*\.(js|css)?$ {
   expires 6h;
  }
  location ~ .*\.(log|txt)$
  {
   deny all;
  }
   location ~ .*\.(php)?$
  {
   fastcgi_pass  127.0.0.1:9000;
   fastcgi_index index.php;
   include fcgi.conf;
  }
}
}

7、启动服务
/usr/local/php/sbin/php-fpm start
/usr/local/nginx/sbin/nginx
看看有没启动成功
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 127.0.0.1:199               0.0.0.0:*                   LISTEN      3937/snmpd          
tcp        0      0 127.0.0.1:9000              0.0.0.0:*                   LISTEN      3954/php-cgi        
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2662/mysqld        
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      18066/nginx        
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      17955/vsftpd        
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      4137/sendmail: acce
tcp        0      0 :::5989                     :::*                        LISTEN      2714/cimserver      
tcp        0      0 :::22                       :::*                        LISTEN      2574/sshd          
udp        0      0 0.0.0.0:161                 0.0.0.0:*                               3937/snmpd
看见php-cgi和nginx端口在正常监听!
本文出自 “疯狂的猴子” 博客,请务必保留此出处http://lihuipeng.blog.51cto.com/3064864/561862 ]]> http://blog.hackroad.com/read.php/496.htm <![CDATA[linux nginx php木马排查及加固整理]]> chen <fanmaochen@gmail.com> Wed, 18 Jan 2012 09:31:53 +0000 http://blog.hackroad.com/read.php/496.htm 1、改变目录和文件属性,禁止写入
find -type f -name \*.php -exec chmod 444 {} \;
find -type d -exec chmod 555 {} \;
注:当然要排除上传目录、缓存目录等;
同时最好禁止chmod函数,攻击者可通过chmod来修改文件只读属性再修改文件
2、php配置
禁用危险函数
passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,
ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,escapeshellcmd,popen,dl,
syslog,show_source
3、nginx配置
限制一些目录执行php文件
  location~^/images/.*\.(php|php5)$
  {
  denyall;
  }
  
  location~^/static/.*\.(php|php5)$
  {
  denyall;
  }
  location~*^/data/(attachment|avatar)/.*\.(php|php5)$
  {
  denyall;
  }
  注:这些目录的限制必须写在
   location~.*\.(php|php5)$
    {
     fastcgi_pass127.0.0.1:9000;
     fastcgi_indexindex.php;
     include fcgi.conf;
    }
   的前面,否则限制不生效

path_info漏洞修正:
  在通用fcgi.conf顶部加入
  if ($request_filename ~* (.*)\.php) {
  set $php_url $1;
  }
  if (!-e $php_url.php) {
  return 404;
  }
4、木马查找
  php木马一般含有或者
  find /data/wwwroot/* -type f -name "*.php" |xargs grep "eval(" > /root/scan.txt
  
  还有
   常见的一句话后门:
   grep -r --include=*.php  '[^a-z]eval($_POST' . > grep.txt
   grep -r --include=*.php  'file_put_contents(.*$_POST\[.*\]);' . > grep.txt
  
   把搜索结果写入文件,下载下来慢慢分析,其他特征木马、后门类似。有必要的话可对全站所有文件来一次特征查找,上传图片肯定有也捆绑的,来次大清洗。
5、查找近3天被修改过的文件:
find /data/www -mtime -3 -type f -name \*.php
  注意:攻击者可能会通过touch函数来修改文件时间属性来避过这种查找,所以touch必须禁止 ]]>