LAMP架构_2


7. 使用 jail 保护 apache
# mkdir chroot
# mkdir /root/chroot/httpd
# mkdir /root/chroot/httpd/dev
# mkdir /root/chroot/httpd/lib
# mkdir /root/chroot/httpd/etc
# mkdir -p /root/chroot/httpd/usr/sbin
# mkdir -p /root/chroot/httpd/var/run
# mkdir -p /root/chroot/httpd/var/log/httpd
# chmod 750 /root/chroot/httpd/var/log/httpd/
# mkdir -p /root/chroot/httpd/home/httpd
# cp -r /etc/httpd /root/chroot/httpd/etc/
# cp -r /usr/local/apache2/cgi-bin /root/chroot/httpd/home/httpd/
# cp -r /usr/local/apache2/htdocs /root/chroot/httpd/home/httpd/
# mknod /root/chroot/httpd/dev/null c 1 3
# chmod 666 /root/chroot/httpd/dev/null
# cp /usr/local/apache2/bin/httpd /root/chroot/httpd/usr/sbin/
# ldd /root/chroot/httpd/usr/sbin/httpd                   # 查看 apache 涉及的模块
将所有显示的模块 copy /root/chroot/httpd/lib/
# /root/chroot/httpd/usr/sbin/httpd -k start              # 启动 apache
# ps aux|grep httpd                                       # 查看 apache 的运行目录
 
如果 apache 安装了 ssl 模块,还应该将证书和密钥转移过来,如:
# cp -r /etc/ssl /chroot/httpd/etc/            
# chmod 600 /chroot/httpd/etc/ssl/certs/ca.crt            
# chmod 600 /chroot/httpd/etc/ssl/certs/server.crt
# chmod 600 /chroot/httpd/etc/ssl/private/ca.key           
# chmod 600 /chroot/httpd/etc/ssl/private/server.key
 
8. 使用 Sphinx 优化 LAMP 的应用检索性能,提供全文检索
# tar jxf sphinx-for-chinese-2.1.0-dev-r3361.tar.bz2
# tar zxf xdict_1.1.tar.gz
# cd sphinx-for-chinese-2.1.0-dev-r3361
# ./configure --prefix=/usr/local/sphinx
# make && make install
# cp sphinx.conf.dist sphinx.conf
# vim sphinx.conf
***********************************************
编辑:
        sql_host                = localhost
        sql_user                = test
        sql_pass                = test
        sql_db                  = test
        sql_port                = 3306  # optional, default is 3306
sql_sock                = /var/lib/mysql/mysql.sock
*************************************************
# mysql -uroot -ppassword
mysql> create database test;
mysql> create user 'test'@'localhost' identified by 'test';
mysql> grant all privileges on test.* to 'test'@'localhost';
# /usr/local/sphinx/bin/mkdict xdict_1.1.txt xdict    # 利用解压出来的 xdict_1.1.txt 生成中文词库,使其支持中文
注意: 该程序默认在 /usr/lib/ 下寻找 libmysqlclient.so.18 ,如果提示没有找到,找到该模块并复制到 /usr/lib/ 下即可!
# cp xdict /usr/local/sphinx/etc/
# vim /usr/local/sphinx/etc/sphinx.conf
**************************************************
charset_type        =  sbcs
改为:
charset_type           = utf-8
chinese_dictionary      = /usr/local/sphinx/etc/xdict
配置完成!
# vim /usr/local/sphinx/etc/example.sql( 利用示例添加数据 )
************************************************
REPLACE INTO test.documents ( id, group_id, group_id2, date_added, title, content ) VALUES
        ( 1, 1, 5, NOW(), 'test one', 'this is my test document number one. also checking search within phrases.' ),
        ( 2, 1, 6, NOW(), 'test two', 'this is my test document number two' ),
        ( 3, 2, 7, NOW(), 'another doc', 'this is another group' ),
        ( 4, 2, 8, NOW(), 'doc number four', 'this is to test groups' );
 
        ( 4, 2, 1, NOW(), 'doc number four', ' ' );
        ( 4, 2, 2, NOW(), 'doc number four', ' ' );
        ( 4, 2, 3, NOW(), 'doc number four', ' ' );
*********************************************************
# mysql -utest -ptest <example.sql
# /usr/local/sphinx/bin/indexer  --all
# /usr/local/sphinx/bin/search -i test1 -q test  # 测试是否 OK
# /usr/local/sphinx/bin/search  中国人               # 测试是否工作正常
注意,上面这个命令测试时报错,“ index 'test1': search error: . ”,网上查找说这个是程序本身的问题,使用 php 的时候自动就解决了。
 
9.Apache+Tomcat 处理 Jsp Servlet
apache-tomcat-7.0.37.tar.gz 
jdk-7u17-linux-i586.gz
tomcat-connectors-1.2.37-src.tar.gz
( 请勿使用 jakarta-tomcat-connectors-jk2-x.x.x-src.tar.gz ,貌似不支持!! )
9.1 安装配置  JDK7
    # tar zxf jdk-7u17-linux-i586.gz
# mkdir /usr/lib/jvm
# cp -r jdk1.7.0_17 /usr/lib/jvm/jdk7
# vim ~/.bash_profile
***************************************************************
添加:
export JAVA_HOME=/usr/lib/jvm/jdk7
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/bin:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
***************************************************************
# source ~/.bash_profile
* 设置为默认 JDK*
# update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk7/bin/java 300
# update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk7/bin/javac 300
* 看当前各种 JDK 版本和配置 *
# update-alternatives --config java
* 测试安装 OK *
# java -version
 
9.2 安装 Tomcat
   # tar zxf apache-tomcat-7.0.37.tar.gz
# cp -r apache-tomcat-7.0.37 /usr/local/tomcat
# /usr/local/tomcat/bin/startup.sh
测试: http://192.168.0.2:8080
9.3 安装 tomcat-connectors
# tar zxf tomcat-connectors-1.2.37-src.tar.gz
# cd tomcat-connectors-1.2.37-src/native/
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
       # make
# cp tomcat-connectors-1.2.37-src/native/apache-2.0/mod_jk.so /usr/local/apache2/modules/
9.4 配置
# cd /etc/httpd/extra/
# vim /etc/httpd/extra/httpd-jk.conf
**************************************************************
  LoadModule jk_module modules/mod_jk.so
      
       # 指定 tomcat 监听配置文件地址
       JkWorkersFile   /etc/httpd/extra/workers.properties
       JkLogFile   logs/mod_jk.log
       JkShmFile   logs/mod_jk.shm
       JkLogLevel   info
 
       # 代表了 apache 访问 tomcat 的路径
       JkMount   /servlet/*  ajp13
       JkMount   /*.jsp      ajp13
       JkMount   /*.do        ajp13
 
       JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
       JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
       JkRequestLogFormat "%w%V%T"
*****************************************************************
  # echo "Include /etc/httpd/extra/httpd-jk.conf" >> /etc/httpd/httpd.conf
  # vim /etc/httpd/extra/workers.properties
******************************************************************
workers.tomcat_home=/usr/local/tomcat
workers.java_home=/usr/lib/jvm/jdk7
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=192.168.0.2
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
*******************************************************************
 
设置 tomcat 主配置文件:(还有性能方面的参数,可以合适的设置)
# vi /usr/local/tomcat/conf/server.xml
******************************************************************
编辑:
<Host name="localhost"  appBase="/usr/local/apache2/htdocs/"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
<Context path="" docBase="" debug="0"/>
******************************************************************
重启 apache tomcat
# /etc/init.d/httpd stop
# /etc/init.d/httpd  start
# /usr/local/tomcat/bin/shutdown.sh
# /usr/local/tomcat/bin/startup.sh
# vim /usr/local/apache2/htdocs/index.jsp 测试动态页面
********************************************
The time is: <%= new java.util.Date() %>
********************************************
测试访问: http://192.168.0.2/index.jsp
 
 
出现问题及解决方案:
 
1.Can't locate API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk2.so: /usr/local/apache2/modules/mod_jk2.so: undefined symbol: jk_module
http.conf 中载入的 jk 文件的语句更改为:
LoadModule jk2_module modules/mod_jk2.so
 
2.loading mod_jk.so, undefined symbol; map_name_at
说明 mod_jk.so 并没有编译完全,没有将所有的 .o 文件或者 .c 文件编译进去,需要重新编译。
 
3. 请勿使用 Jk2 ,官网貌似宣布已经废弃了 Jk2. 不然会出现以下错误!
Invalid command 'JkShmFile', perhaps misspelled or defined by a module not included in the server configuration 。”
 
10. 利用 AWStats 分析 Apache 网站的状态
# tar zxf awstats-7.1.1.tar.gz
# mv awstats-7.1.1  /usr/local/awstats
# chown -R www.www /usr/local/awstats
# chmod +x /usr/local/awstats/tools/*.pl
# chmod +x /usr/local/awstats/wwwroot/cgi-bin/
# cd /usr/local/awstats/
# perl tools/awstats_configure.pl
 
# vim /etc/awstats/awstats.server2.example.com.conf
修改: LogFile="/usr/local/apache2/logs/access_log"
( 该日志需要清空后再重启 apache 后使用,否则会有格式问题! )
或对于压缩文件:
LogFile="gzip-d</var/log/awstats/access.log.gz"
注: LogFile 路径文件需要自己手动建立,若没有可能会报错!
 
# mkdir /var/lib/awstats
# chown -R www.www /var/lib/awstats
 
# vim /etc/httpd/conf/httpd.conf( 可选项!为了安全考虑! )
************************************************************
增加如下内容:
Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" 
Alias /awstatscss "/usr/local/awstats/wwwroot/css/" 
Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/" 
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/" 
<Directory "/usr/local/awstats/wwwroot">
    Options None
    AllowOverride None  
    Order allow,deny  
    Allow from all  
</Directory>
**************************************************************
# perl /usr/local/awstats/wwwroot/cgi-bin/awstats.pl -config=server2.example.com -update
(该命令使得可以加载新日志到 apache 的访问统计数据内!)
重启 apache
访问: http://192.168.0.2/awstats/awstats.pl?config=server2.example.com 测试
防范 DDoS 攻击的措施:
1. # echo 1 > /proc/sys/net/ipv4/tcp_syncookies           # 启用 SYN Cookies
2. # sysctl -w net.ipv4.tcp_max_syn_backlog="2048"        # 增加最大半连接数
3. # sysctl -w net.ipv4.tcp_synack_retries="0"            # 缩短 SYN 半连接的 timeout 时间
或者将以上配置修改到 /etc/sysctl.conf
简单的 iptables 预防 DDoS 脚本:
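#!/bin/bash
# Count half-open (SYN_RECV) connections per remote address; any address with
# more than THRESHOLD of them is written to DROP_LIST and blocked with an
# iptables DROP rule. Each blocked address is appended to LOG_FILE.
#
# The original pipeline never wrote to /tmp/dropip (so the loop below read a
# stale or missing file) and its awk filter was malformed; both are fixed here.
# NOTE: SYN-flood sources are commonly spoofed, so per-IP blocking is only a
# partial measure — keep the tcp_syncookies / backlog sysctls above in place.
set -u

readonly THRESHOLD=5
readonly DROP_LIST=/tmp/dropip
readonly LOG_FILE=/var/log/ddos

# Column 5 of `netstat -an` is "addr:port"; split off the port, then count.
# Matching SYN_RECV inside awk (rather than grep) keeps the pipeline's exit
# status clean when there are no half-open connections at all.
netstat -an \
  | awk '/SYN_RECV/ { split($5, a, ":"); print a[1] }' \
  | sort | uniq -c \
  | awk -v limit="$THRESHOLD" '$1 > limit { print $2 }' > "$DROP_LIST"

while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  # Skip addresses that already have a DROP rule so repeated runs (e.g. from
  # cron) do not pile up duplicate rules in the INPUT chain.
  if /sbin/iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
    continue
  fi
  if /sbin/iptables -A INPUT -s "$ip" -j DROP; then
    printf '%s kill at %s\n' "$ip" "$(date)" >> "$LOG_FILE"
  else
    printf 'failed to block %s\n' "$ip" >&2
  fi
done < "$DROP_LIST"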

承接LAMP架构_1,部分内容参考了李晨光编著的《Linux企业应用案例精解》
