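VBird Linux study notes --- WWW

Apache (a patchy server): a server that has been patched and modified again and again;

POST and GET are different: with GET, the variables requested by the client can be read from the URL.

PHP runs as a module loaded into Apache. For a PHP web program to control MySQL, PHP in turn needs a module that supports MySQL.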

[root@www named]# yum install httpd mysql mysql-server php php-mysql

[root@www named]# yum install php-devel

/etc/httpd/conf/httpd.conf

/etc/httpd/conf.d/*.conf    #the extension must be .conf; standalone configuration files

/usr/lib/httpd/modules/     #modules

/etc/httpd/modules/         #modules

/var/www/html/    #default document directory

/var/www/error/    #default error messages

/var/www/icons/             #icons

/var/www/cgi-bin/           #directory for CGI programs

/var/log/httpd/

/usr/sbin/apachectl         #Apache's main control executable

/usr/sbin/httpd

/usr/bin/htpasswd           #password protection

MySQL-related files:

/etc/my.cnf

/var/lib/mysql/             #where the database files are stored

PHP-related files:

/etc/httpd/conf.d/php.conf

/etc/php.ini                #main configuration file, provided by php-devel

/usr/lib/httpd/modules/libphp5.so  #PHP support for Apache

/etc/php.d/mysql.ini and /usr/lib/php/modules/mysql.so  #MySQL interface, provided by php-mysql

/usr/bin/phpize and /usr/include/php/  #needed if you later install something like a PHP accelerator

/etc/httpd/conf/httpd.conf

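ServerTokens OS             #shows the server version and the operating system version

ServerRoot "/etc/httpd"     #similar to chroot: relative paths below are resolved under this directory

PidFile run/httpd.pid       #the file is /etc/httpd/run/httpd.pid

Timeout 60

KeepAlive Off               #whether to allow persistent connections, where one TCP connection can carry several file transfer requests

MaxKeepAliveRequests 100    #maximum number of requests over one persistent connection

<IfModule prefork.c>        #the following two blocks are related to memory management

StartServers       8        #number of httpd processes to start

MinSpareServers    5        #minimum number of idle processes

MaxSpareServers   20        #maximum number of idle processes

ServerLimit      256        #maximum number of processes

MaxClients       256    #maximum number of connections

MaxRequestsPerChild  4000   #maximum number of requests each process serves

</IfModule>                 #/usr/sbin/httpd  prefork module

<IfModule worker.c>         #/usr/sbin/httpd.worker worker module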

StartServers         4

MaxClients         300

MinSpareThreads     25

MaxSpareThreads     75

ThreadsPerChild     25

MaxRequestsPerChild  0

</IfModule>

 

Listen 80

 

LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule auth_digest_module modules/mod_auth_digest.so

LoadModule authn_file_module modules/mod_authn_file.so

....................................................

 

Include conf.d/*.conf     #reads the configuration files /etc/httpd/conf.d/*.conf

User apache

Group apache

ServerAdmin root@localhost    #administrator's e-mail address

#    ServerName dummy-host.example.com    #if not set, the hosts file is used

UseCanonicalName Off          #when On, only the hostname given by ServerName is accepted

DocumentRoot "/var/www/html"

<Directory />

    Options FollowSymLinks

    AllowOverride None

</Directory>

 

 

<Directory "/var/www/html">

 

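    Options Indexes FollowSymLinks  #allows directory listings, and allows following links to outside /var/www/html

#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

#ExecCGI: gives this directory permission to execute CGI programs; do not let every directory use ExecCGI

#Includes: lets Server-Side Include programs run. Recommended.

#MultiViews: shows a different language depending on the client's language

    AllowOverride None

#ALL:

#AuthConfig: only web authentication settings can be overridden

#Indexes: only index-related settings can be overridden

#Limit: lets users manage who may browse with Allow, Deny and Order

#None: nothing can be overridden; .htaccess files have no effect

    Order allow,deny #access defaults to Deny (perhaps easier to read it the other way round? defaults to allow?)

    Allow from all   #everyone may browse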

 

</Directory>

 

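AddDefaultCharset UTF-8   #page encoding

DirectoryIndex index.html index.html.var   #index (home page) file names

Alias /icons/ "/var/www/icons/"  #works like a link

#http://192.168.179.7/icons/ then lists the contents of this directory

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"  #same as above, except that here the alias is for a directory of executable scripts

......................................................

The worker module uses less memory, so it is a good choice for high-traffic sites.

Prefork uses more memory, but its speed differs little from worker, and prefork's memory design is better: it can debug itself on many platforms that offer no debugging facilities. That is why prefork is the default module.

Changing PHP's default parameters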

[root@www named]# ll /etc/httpd/conf.d/

total 20

-rw-r--r--. 1 root root 674 Nov 12  2010 php.conf  #PHP module settings

-rw-r--r--. 1 root root 392 Jul  7  2011 README

-rw-r--r--. 1 root root 217 Jan 26  2012 sarg.conf

-rw-r--r--. 1 root root 332 Nov 12  2010 squid.conf

-rw-r--r--. 1 root root 299 May 21  2009 welcome.conf  #default welcome page

 

[root@www ~]# grep -v '[#]'  /etc/httpd/conf.d/php.conf

<IfModule prefork.c>  #a different PHP module is loaded depending on the process model

  LoadModule php5_module modules/libphp5.so

</IfModule>

<IfModule worker.c>

  LoadModule php5_module modules/libphp5-zts.so

</IfModule>

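PHP security settings:

[root@www ~]# vim /etc/httpd/conf.d/php.conf

AddHandler php5-script .php   #handle the .php extension with PHP

AddType text/html .php           #.php files are treated as text (text/html) documents

DirectoryIndex index.php         #adds index.php as an index file name

[root@www ~]# vim /etc/php.ini   #the settings below are recommended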

register_globals = Off

log_errors = On

ignore_repeated_errors = Off      #handling of repeated log entries

ignore_repeated_source = Off      #handling of repeated log entries

 

display_errors = Off

display_startup_errors = Off

 

post_max_size = 8M   #a POST carries extra data, so this must be larger than the 2M below

file_uploads = On

upload_max_filesize = 2M  #actual file size

memory_limit = 128M
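A way to check a php.ini against the values recommended above, including the rule that post_max_size must exceed upload_max_filesize. This is an added example, not part of the original notes; BAD_INI is a constructed sample and all function names are made up for this illustration.

```python
import re

# Flags recommended in the php.ini listing above.
EXPECTED_FLAGS = {
    "register_globals": False,
    "log_errors": True,
    "display_errors": False,
    "display_startup_errors": False,
}
TRUE_WORDS = {"1", "on", "yes", "true"}
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# The values from the listing above.
PAGE_INI = """\
register_globals = Off
log_errors = On
ignore_repeated_errors = Off
ignore_repeated_source = Off
display_errors = Off
display_startup_errors = Off
post_max_size = 8M
file_uploads = On
upload_max_filesize = 2M
memory_limit = 128M
"""

# Constructed sample with three problems (not taken from a real host).
BAD_INI = """\
; constructed sample
register_globals = On
display_errors = On
display_errors = Off      ; the last assignment wins
display_startup_errors = Off
post_max_size = 2M
upload_max_filesize = 8M
memory_limit = 128M
"""


def parse_ini(text):
    """Return {directive: value}; ';' starts a comment, the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def as_bool(value):
    """php.ini booleans: 1/On/Yes/True are true, anything else is false."""
    return value.lower() in TRUE_WORDS


def as_bytes(value):
    """Convert php.ini shorthand such as 8M or 128M to bytes (-1 stays -1)."""
    match = re.fullmatch(r"(-?\d+)\s*([kmg]?)", value.lower())
    if not match:
        raise ValueError(f"not a size: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


def audit(text):
    """Return a list of (directive, problem) pairs; an empty list means no finding."""
    ini = parse_ini(text)
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        if key not in ini:
            findings.append((key, "not set, so the built-in default of this PHP version applies"))
        elif as_bool(ini[key]) != want:
            findings.append((key, f"is {ini[key]}, expected {'On' if want else 'Off'}"))
    names = ("upload_max_filesize", "post_max_size", "memory_limit")
    upload, post, memory = (as_bytes(ini[n]) if n in ini else None for n in names)
    # An upload travels inside the POST body, so the POST limit has to be the larger one.
    if None not in (upload, post) and 0 < post <= upload:
        findings.append(("post_max_size", "must be larger than upload_max_filesize"))
    # memory_limit = -1 means unlimited.
    if post is not None and memory not in (None, -1) and memory <= post:
        findings.append(("memory_limit", "should be larger than post_max_size"))
    return findings


if __name__ == "__main__":
    for directive, problem in audit(BAD_INI):
        print(f"{directive}: {problem}")
```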

 

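Add-on software

httpd-manual: provides the Apache reference manual at http://localhost/manual

mrtg: software that automatically generates traffic graphs for the host, much like a plotting tool

mod_perl: Perl support

mod_python: Python support

mod_ssl: HTTPS support

[root@www ~]# /etc/init.d/httpd configtest  #test the configuration file

Syntax OK

Two ways to start the server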

[root@www ~]# /etc/init.d/httpd start

[root@www ~]# /usr/sbin/apachectl start     


[root@www ~]# netstat -tulnp | grep http

tcp        0      0 :::80                       :::*                        LISTEN      14265/httpd

 

[root@www ~]# tail /var/log/httpd/error_log

[root@www ~]# vim /var/www/html/phpinfo.php

<?php

        phpinfo();

?>

http://192.168.179.7/phpinfo.php

 

Basic MySQL configuration:

When MySQL is started for the first time, the system initializes the databases.

[root@www ~]# ll /var/lib/mysql/

total 0

[root@www ~]# /etc/init.d/mysqld start

Initializing MySQL database:  Installing MySQL system tables...

OK

Filling help tables...

OK

 

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

 

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

 

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h www.Centosszm.com. password 'new-password'

 

Alternatively you can run:

/usr/bin/mysql_secure_installation

 

which will also give you the option of removing the test

databases and anonymous user created by default.  This is

strongly recommended for production servers.

 

See the manual for more instructions.

 

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

 

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

 

Please report any problems with the /usr/bin/mysqlbug script!

 

                                                           [  OK  ]

Starting mysqld:                                           [  OK  ]

[root@www ~]# ll /var/lib/mysql/

total 20488

-rw-rw----. 1 mysql mysql 10485760 Apr 13 23:25 ibdata1

-rw-rw----. 1 mysql mysql  5242880 Apr 13 23:25 ib_logfile0

-rw-rw----. 1 mysql mysql  5242880 Apr 13 23:25 ib_logfile1

drwx------. 2 mysql mysql     4096 Apr 13 23:25 mysql

srwxrwxrwx. 1 mysql mysql        0 Apr 13 23:25 mysql.sock

drwx------. 2 mysql mysql     4096 Apr 13 23:25 test

[root@www ~]# netstat -tulnp | grep mysql

tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      14551/mysqld

 

[root@www ~]# mysql -u root  #connect to MySQL; no password is needed

[root@www ~]# mysqladmin -u root password ipqfntxgt   #set the password

[root@www ~]# mysql -u root -p

mysql> create database szm;

Query OK, 1 row affected (0.01 sec)

mysql> grant all privileges on szm.* to szm@localhost

    -> ;

Query OK, 0 rows affected (0.00 sec)

 

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

| mysql              |

| szm                |

| test               |

+--------------------+

4 rows in set (0.00 sec)

 

mysql> use mysql

mysql> select * from user where user='szm';

 

#for a large database, consider using PostgreSQL instead

[root@www ~]# vi /etc/my.cnf  #configure MySQL

[mysqld]

default-storage-engine=innodb

default-character-set=utf8

datadir=/var/lib/mysql

socket=/var/lib/mysql/mysql.sock

user=mysql

wait_timeout=1814400

lower_case_table_names

 

# Default to using old password format for compatibility with mysql 3.x

# clients (those using the mysqlclient10 compatibility package).

old_passwords=1

 

# Disabling symbolic-links is recommended to prevent assorted security risks;

# to do so, uncomment this line:

# symbolic-links=0

 

[mysqld_safe]

log-error=/var/log/mysqld.log

pid-file=/var/run/mysqld/mysqld.pid

 

[client]

default-character-set=utf8

A more professional configuration:

[client]

#default-character-set = utf8

port    = 3306

socket  = /tmp/mysql.sock

 

[mysql]

prompt="(\u:myprompt:)[\d]> "

no-auto-rehash

 

[mysqld]

default-character-set = gbk

user    = mysql

port    = 3306

socket  = /tmp/mysql.sock

basedir = /usr/local/mysql

datadir = /zz_data/mysql/

open_files_limit    = 10240

back_log = 600

max_connections = 3000

max_connect_errors = 6000

table_cache = 614

external-locking = FALSE

max_allowed_packet = 32M

#memory estimate: key_buffer + (sort_buffer + read_buffer) * max_connections

sort_buffer_size = 2M  

join_buffer_size = 2M

thread_cache_size = 300

thread_concurrency = 8

query_cache_size = 32M

query_cache_limit = 2M

query_cache_min_res_unit = 2k

default-storage-engine = MyISAM

default_table_type = MyISAM

thread_stack = 192K

transaction_isolation = READ-COMMITTED

tmp_table_size = 246M

max_heap_table_size = 246M

long_query_time = 2

log-slow-queries = slow_query.log

log_long_format

log-bin = bin-log

binlog_cache_size = 4M

binlog_format = MIXED

max_binlog_cache_size = 1G

max_binlog_size = 2G

expire_logs_days = 7

key_buffer_size = 256M

read_buffer_size = 1M

read_rnd_buffer_size = 16M

bulk_insert_buffer_size = 64M

myisam_sort_buffer_size = 128M

myisam_max_sort_file_size = 10G

myisam_max_extra_sort_file_size = 10G

myisam_repair_threads = 1

myisam_recover

 

skip-name-resolve

master-connect-retry = 10

slave-skip-errors = 1032,1062,126,1114,1146,1048,1396

 

#replicate

sync_binlog=1

relay_log = mysql-relay-bin

server-id = 10073

replicate-do-db = newdkp

 

innodb_additional_mem_pool_size = 16M

innodb_buffer_pool_size = 6144M

innodb_data_home_dir = /zz_data/mysql/innodb/

innodb_data_file_path = ibdata1:10G;ibdata2:10G:autoextend

innodb_file_io_threads = 4

innodb_thread_concurrency = 8

innodb_flush_log_at_trx_commit = 2

innodb_log_buffer_size = 16M

innodb_log_file_size = 128M

innodb_log_files_in_group = 3

innodb_max_dirty_pages_pct = 90

innodb_lock_wait_timeout = 120

innodb_file_per_table = 0

[mysqldump]

quick

max_allowed_packet = 32M

 

Resetting the password by deleting the databases:

[root@www ~]# rm -rf /var/lib/mysql/*

[root@www ~]# /etc/init.d/mysqld restart

 

Firewall settings and allowing access through SELinux rules:

[root@www ~]# iptables -A INPUT -p TCP --dport 80 --sport 1024:65534 -j ACCEPT

[root@www ~]# /etc/init.d/iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

 

[root@www ~]# setsebool -P httpd_can_network_connect=1

 

Starting web design and installing site-building software:

Forum software: https://www.phpbb.com/

Site-building software: http://www.phpnuke.org/

Blog software: http://lifetype.net/

http://www.xoops.org/

 

[root@www ~]# vim /etc/httpd/conf/httpd.conf

<IfModule mod_userdir.c>

#UserDir disabled

Userdir www      #/home/szm/www

</IfModule>

 

#so that newly created users get this directory

[root@www ~]# mkdir /etc/skel/www

[root@www ~]# echo "My homepage" > /home/szm/www/index.html

[root@www ~]# ll -d /home/szm

drwx------. 22 szm szm 4096 Apr 14 00:06 /home/szm

[root@www ~]# chmod 711 /home/szm

[root@www ~]# ll -d /home/szm/www/index.html

-rw-r--r--. 1 root root 12 Apr 14 00:06 /home/szm/www/index.html

 

[root@www ~]# setsebool -P httpd_enable_homedirs=1

 

http://192.168.179.7/~szm/

Changing how the page is reached (an alias in the configuration file also works)

[root@www ~]# ln -s /home/szm/www /var/www/html/szm

http://192.168.179.7/szm/

 

Enabling CGI (Perl) execution for a particular directory

[root@www ~]# yum install mod_python mod_perl

[root@www ~]# vim /etc/httpd/conf/httpd.conf

<Directory "/var/www/html/cgi"> #add the directory that may execute CGI

        Options +ExecCGI

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>

 

#AddHandler cgi-script .cgi

AddHandler cgi-script .cgi .pl  #uncomment and add .pl

 

[root@www ~]# /etc/init.d/httpd restart

[root@www ~]# mkdir /var/www/html/cgi

[root@www ~]# vim /var/www/html/cgi/helloworld.pl

[root@www ~]# ll /var/www/html/cgi/helloworld.pl

-rw-r--r--. 1 root root 79 Apr 14 00:37 /var/www/html/cgi/helloworld.pl

[root@www ~]# chmod a+x /var/www/html/cgi/helloworld.pl

 

http://192.168.179.7/cgi/helloworld.pl

 

Method 2: use ScriptAlias;

[root@www ~]# vim /etc/httpd/conf/httpd.conf

AddHandler cgi-script .cgi .pl

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"   #present by default; add the line below

ScriptAlias /perl/ "/var/www/perl/"         #the URL /perl/ maps to /var/www/perl/

 

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

[root@www ~]# cp -a /var/www/html/cgi/helloworld.pl /var/www/perl/

http://192.168.179.7/perl/helloworld.pl

 

Error page settings:

[root@www ~]# vim /etc/httpd/conf/httpd.conf

Alias /error/ "/var/www/error/"

 

<IfModule mod_negotiation.c>

<IfModule mod_include.c>

    <Directory "/var/www/error">

        AllowOverride None

        Options IncludesNoExec

        AddOutputFilter Includes html

        AddHandler type-map var

        Order allow,deny

        Allow from all

        LanguagePriority en es de fr

        ForceLanguagePriority Prefer Fallback

    </Directory>

 

#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var

#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var

#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var

#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var

#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var

#    ErrorDocument 410 /error/HTTP_GONE.html.var

#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var

#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var

#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var

#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var

#    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var

#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var

#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var

#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var

#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var

#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

 

</IfModule>

</IfModule>

 

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

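Access control settings (Order, Limit)

<Directory "/var/www/html">

    Options Indexes FollowSymLinks

    AllowOverride None

    Order allow,deny             #note this: Allow is evaluated first, then Deny, so a Deny match wins

    Deny from 192.168.179.0/24   #the network that is denied access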

    Allow from all

</Directory>

 

http://192.168.179.7/index.html

Forbidden

You don't have permission to access /index.html on this server.

 

 

--------------------------------------------------------------------------------

 

Apache/2.2.15 (CentOS) Server at 192.168.179.7 Port 80
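Why the block above answers Forbidden to the 192.168.179.0/24 network even though it also says "Allow from all": a small model of how Apache 2.2 combines Order, Allow and Deny. This is an added example, not part of the original notes. It goes beyond the single case above by also evaluating the Order deny,allow form, it only understands "all", single IPs and CIDR networks, and the client addresses are constructed.

```python
import ipaddress

# The access rules of the <Directory "/var/www/html"> block above.
DOCROOT_ACL = """
Order allow,deny
Deny from 192.168.179.0/24
Allow from all
"""

# Same rules with only the Order keyword changed.
DOCROOT_ACL_REVERSED = DOCROOT_ACL.replace("allow,deny", "deny,allow")

# A typical "local network only" block.
LOCAL_ONLY_ACL = """
Order deny,allow
Deny from all
Allow from 192.168.179.0/24
Allow from 127.0.0.1
"""


def parse_acl(block):
    """Pick Order / Allow from / Deny from out of a configuration block."""
    order, allow, deny = "deny,allow", [], []   # Apache 2.2 defaults to Order Deny,Allow
    for raw in block.splitlines():
        words = raw.split("#", 1)[0].split()    # drop the notes written after '#'
        if not words:
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny


def matches(client, specs):
    """True when the client address matches any 'from' argument."""
    address = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if address in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def is_allowed(block, client):
    """Decide access the way Order does; the position of the lines does not matter."""
    order, allow, deny = parse_acl(block)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        # Allow first, Deny second, default deny: any Deny match rejects the client.
        return allowed and not denied
    if order == "deny,allow":
        # Deny first, Allow second, default allow: any Allow match admits the client.
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")


if __name__ == "__main__":
    for client in ("192.168.179.20", "10.1.2.3"):   # constructed client addresses
        print(client,
              "docroot:", is_allowed(DOCROOT_ACL, client),
              "reversed:", is_allowed(DOCROOT_ACL_REVERSED, client),
              "local-only:", is_allowed(LOCAL_ONLY_ACL, client))
```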

 

#users on this LAN can only use the basic GET, POST and OPTIONS methods; nothing else is allowed

[root@www ~]# vi /etc/httpd/conf/httpd.conf

<Directory "/var/www/html">

    Options Indexes FollowSymLinks

    AllowOverride None

    <Limit GET POST OPTIONS>

        Order allow,deny

        Allow from all

    </Limit>

 

    <LimitExcept GET POST OPTIONS>

        Order deny,allow

        Deny from all

    </LimitExcept>

</Directory>

Server status page:

[root@www ~]# vi /etc/httpd/conf/httpd.conf

ExtendedStatus On

<Location /server-status>

    SetHandler server-status

    Order deny,allow

    Deny from all

    Allow from 192.168.179.0/24

    Allow from 127.0.0.1

</Location>

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

How to view it:

http://192.168.179.7/server-status

 

 

.htaccess and password-protected pages

1. Create the protected directory;

2. Edit the configuration file;

3. Set the password

4. Restart Apache

[root@www ~]# mkdir /var/www/html/protect

[root@www ~]# vim /var/www/html/protect/index.html

<html>

<head><title>this is protect page</title></head>

<body>protect content</body>

</html>

 

[root@www ~]# vim /etc/httpd/conf/httpd.conf

AccessFileName .htaccess

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

    Satisfy All

</Files>

 

    #AllowOverride None

    AllowOverride AuthConfig    #changed to AuthConfig

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

[root@www ~]# vim /var/www/html/protect/.htaccess

AuthName "Protect test by szm"

Authtype Basic

AuthUserFile /var/www/apache.passwd

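require user test    #to let every user in the file above log in, use: require valid-user

-c: create the password file; an existing file is overwritten

-m: use MD5 encryption instead; the default is CRYPT

-d: use SHA encryption

-D: delete an account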

[root@www ~]# htpasswd -c /var/www/apache.passwd test

New password:

Re-type new password:

Adding password for user test

[root@www ~]# cat /var/www/apache.passwd

test:2KfGnbJK3rlwo

 

[root@www ~]# htpasswd /var/www/apache.passwd  test1

 

http://192.168.179.7/protect/   #enter the user name and password to get in; test1 cannot log in
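The entry test:2KfGnbJK3rlwo shown above has the 13-character shape of a traditional DES crypt() hash, which uses only the first 8 characters of the password. The following added example (not part of the original notes) classifies the hash scheme of each entry in a password file and checks whether the file sits under DocumentRoot. Only the first sample line comes from the page; the alice, bob and carol entries are constructed, and the function names are made up for this illustration.

```python
import re
from pathlib import PurePosixPath

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Schemes reported as weak, with the reason.
WEAK = {
    "des-crypt": "only the first 8 characters of the password are used",
    "sha1-unsalted": "one unsalted SHA-1 round, identical passwords give identical hashes",
    "unknown-or-plaintext": "not a recognised hash format",
}

SAMPLE_PASSWD = """\
test:2KfGnbJK3rlwo
alice:$apr1$constru1$AAAAAAAAAAAAAAAAAAAAAA
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


def classify(hash_field):
    """Name the password scheme from the shape of the stored hash."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown-or-plaintext"


def audit_htpasswd(text):
    """Return (user, scheme) for every entry stored with a weak scheme."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, separator, hash_field = line.partition(":")
        if not separator:
            findings.append((line, "malformed"))
            continue
        scheme = classify(hash_field)
        if scheme in WEAK:
            findings.append((user, scheme))
    return findings


def under_document_root(auth_user_file, document_root):
    """True when the password file is inside DocumentRoot.

    The <Files ~ "^\\.ht"> rule above only covers names that start with .ht,
    so a file called apache.passwd inside DocumentRoot could be downloaded.
    """
    target, root = PurePosixPath(auth_user_file), PurePosixPath(document_root)
    return root == target or root in target.parents


if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE_PASSWD):
        print(f"{user}: {scheme} ({WEAK.get(scheme, 'cannot be parsed')})")
    print("inside DocumentRoot:",
          under_document_root("/var/www/apache.passwd", "/var/www/html"))
```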

 

Virtual hosts:

[root@www ~]# cat /etc/httpd/conf.d/virtual.conf

#virtual hosts on port 80 of any interface of this host

NameVirtualHost *:80

<Directory "/var/www/html">

        Options FollowSymLinks

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>

 

<Directory "/var/ftp">

        Options FollowSymLinks Indexes

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>

 

<VirtualHost *:80>

        ServerName html.szm.com

        DocumentRoot /var/www/html

</VirtualHost>

 

 

<VirtualHost *:80>

        ServerName www.szm.com

        DocumentRoot /var/www/www

        CustomLog /var/log/httpd/www.access_log combined

</VirtualHost>

 

<VirtualHost *:80>

        ServerName ftp.szm.com

        DocumentRoot /var/ftp

</VirtualHost>

 

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

PHP enhancement module: eaccelerator

Converting PHP ahead of time into directly executable binary files makes it faster.

http://eaccelerator.net/

[root@www ~]# wget https://nodeload.github.com/eaccelerator/eaccelerator/legacy.tar.gz/master

[root@www ~]# cd /usr/local/src/

[root@www src]# tar -zxvf /root/master

[root@www src]# cd eaccelerator-eaccelerator-42067ac/

[root@www eaccelerator-eaccelerator-42067ac]# phpize

Configuring for:

PHP Api Version:         20090626

Zend Module Api No:      20090626

Zend Extension Api No:   220090626

 

[root@www eaccelerator-eaccelerator-42067ac]# yum install php-devel autoconf automake m4 libtool

[root@www eaccelerator-eaccelerator-42067ac]# ./configure --enable-eaccelerator=shared --with-php-config=/usr/bin/php-config

[root@www eaccelerator-eaccelerator-42067ac]# make

[root@www eaccelerator-eaccelerator-42067ac]# make install

Installing shared extensions:     /usr/lib/php/modules/

 

+-------------------------------------------------------+

|                 !!! Attention !!!                     |

|                                                       |

| For disk cache users (using eaccelerator.shm_only=0): |

|                                                       |

| Please remember to empty your eAccelerator disk cache |

| when upgrading, otherwise things will break!          |

+-------------------------------------------------------+

 

[root@www eaccelerator-eaccelerator-42067ac]# ll /usr/lib/php/modules/eaccelerator.so

-rwxr-xr-x. 1 root root 381189 Apr 14 15:05 /usr/lib/php/modules/eaccelerator.so

 

[root@www eaccelerator-eaccelerator-42067ac]# echo "/usr/lib/php/modules/" >> /etc/ld.so.conf.d/php.conf

[root@www eaccelerator-eaccelerator-42067ac]# cat /etc/ld.so.conf.d/php.conf

/usr/lib/php/modules/

 

[root@www eaccelerator-eaccelerator-42067ac]# ldconfig

[root@www eaccelerator-eaccelerator-42067ac]# mkdir /tmp/eaccelerator

mkdir: cannot create directory `/tmp/eaccelerator': File exists

[root@www eaccelerator-eaccelerator-42067ac]# chmod 777 /tmp/eaccelerator/

[root@www eaccelerator-eaccelerator-42067ac]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

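Because eaccelerator is compiled against the current version of the PHP core, if your Linux distribution later ships a new PHP version and you upgrade to it, you must recompile eaccelerator by hand to match the new PHP version; otherwise the module will not work correctly.

http://192.168.179.7/phpinfo.php

Check whether the module is loaded: eaccelerator

Speed test:

-d: do not show the "percentage served" table

-k: KeepAlive

-S: do not show the long output

-c: number of connections

-n: number of requests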

[root@www ~]# ab -dSk -c100 -n100 http://127.0.0.1/phpinfo.php

This is ApacheBench, Version 2.3 <$Revision: 655654 $>

Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/

Licensed to The Apache Software Foundation, http://www.apache.org/

 

Benchmarking 127.0.0.1 (be patient).....done

 

 

Server Software:        Apache/2.2.15

Server Hostname:        127.0.0.1

Server Port:            80

 

Document Path:          /phpinfo.php

Document Length:        53833 bytes

 

Concurrency Level:      100

Time taken for tests:   0.551 seconds

Complete requests:      100

Failed requests:        0

Write errors:           0

Keep-Alive requests:    0

Total transferred:      5400500 bytes

HTML transferred:       5383300 bytes

Requests per second:    181.57 [#/sec] (mean)  #the figures from here down are the important ones

Time per request:       550.752 [ms] (mean)

Time per request:       5.508 [ms] (mean, across all concurrent requests)

Transfer rate:          9575.86 [Kbytes/sec] received

 

Connection Times (ms)

              min   avg   max

Connect:       12    63   87

Processing:    85   243  444

Total:         97   306  531

 

 

Logs:

 /var/log/httpd/access_log

 /var/log/httpd/error_log

 

[root@www ~]# cat /etc/logrotate.d/httpd

/var/log/httpd/*log {

    missingok

    notifempty

    compress        #compress the rotated files

    sharedscripts

    delaycompress

    postrotate

        /sbin/service httpd reload > /dev/null 2>/dev/null || true

    endscript

}

 

Documentation on syslog and logrotate: http://linux.vbird.org/linux_basic/0570syslog.php

 

 

Log analysis software: webalizer

http://www.webalizer.org/

[root@www ~]# yum install webalizer

By default this software writes its output to /var/www/usage, and only the local host can view that directory. To change this setting:

 

[root@www ~]# vim /etc/webalizer.conf

LogFile        /var/log/httpd/access_log

OutputDir      /var/www/html/protect/webalizer

Incremental     yes

 

[root@www ~]# cp -a /var/www/usage/ /var/www/html/protect/webalizer

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

[root@www ~]# webalizer

http://192.168.179.7/protect/webalizer/

 

Log file analysis software: awstats (written in Perl)

http://sourceforge.net/projects/awstats/

http://sourceforge.net/#DOWNLOAD

[root@www ~]# wget http://ncu.dl.sourceforge.net/project/awstats/AWStats/7.1.1/awstats-7.1.1-1.noarch.rpm

[root@www ~]# rpm -ivh awstats-7.1.1-1.noarch.rpm

Preparing...                ########################################### [100%]

   1:awstats                ########################################### [100%]

 

----- AWStats 7.1.1 - Laurent Destailleur -----

AWStats files have been installed in /usr/local/awstats

 

If first install, follow instructions in documentation

(/usr/local/awstats/docs/index.html) to setup AWStats in 3 steps:

Step 1 : Install and Setup with awstats_configure.pl (or manually)

Step 2 : Build/Update Statistics with awstats.pl

Step 3 : Read Statistics

[root@www ~]# cp /usr/local/awstats/tools/httpd_conf /etc/httpd/conf.d/awstats.conf

[root@www ~]# chmod u-w /etc/httpd/conf.d/awstats.conf

[root@www ~]# grep -v '[#]' /etc/httpd/conf.d/awstats.conf

Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"

Alias /awstatscss "/usr/local/awstats/wwwroot/css/"

Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"

Alias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"  #

 

<Directory "/usr/local/awstats/wwwroot">

    Options +ExecCGI

    AllowOverride AuthConfig

    Order allow,deny

    Allow from all

</Directory>

 

[root@www ~]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

[root@www cgi-bin]# cd /etc/awstats/

[root@www awstats]# cp awstats.model.conf awstats.www.conf   #www is the host name

 

[root@www ~]# vim /etc/awstats/awstats.www.conf

LogFile="/var/log/httpd/access_log"   #mylog.log changed to access_log

LogType=W  #web server log analysis

LogFormat=1

LogSeparator=" "

SiteDomain="www.Centosszm.com"

HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"

DNSLookup=2

DirData="."

DirCgi="/cgi-bin"  #directory that can execute awstats

DirIcons="/icon"   #directory of the small awstats icons

AllowToUpdateStatsFromBrowser=0    #do not allow updates from the browser

Lang="auto"            #language

 

[root@www ~]# cd /usr/local/awstats/wwwroot/cgi-bin/

[root@www cgi-bin]# perl awstats.pl -config=www -update -output > index.html

#www is the host name

 

[root@www cgi-bin]# ll

total 692

-rwxr-xr-x. 1 root root   8691 Mar  9 04:18 awredir.pl

-rwxr-xr-x. 1 root root 675997 Mar  9 04:18 awstats.pl  #

-rw-r--r--. 1 root root   3331 Apr 14 16:21 index.html  #

drwxr-xr-x. 5 root root   4096 Apr 14 16:00 lang

drwxr-xr-x. 2 root root   4096 Apr 14 16:00 lib

drwxr-xr-x. 3 root root   4096 Apr 14 16:00 plugins

 

[root@www cgi-bin]# cd /usr/local/awstats/wwwroot/

[root@www wwwroot]# vi .htaccess

AuthName        "Protect awstats data"

Authtype        Basic

AuthUserFile    /var/www/apache.passwd

require         valid-user

 

How to access it:

http://192.168.179.7/awstats/

 

Automating with a script:

[root@www cgi-bin]# vim /usr/local/awstats/wwwroot/cgi-bin/awstats.sh

cd /usr/local/awstats/wwwroot/cgi-bin

perl awstats.pl -config=www -update -output > index.html

[root@www cgi-bin]# chmod 755 /usr/local/awstats/wwwroot/cgi-bin/awstats.sh

[root@www cgi-bin]# vim /etc/crontab

0 3 * * * root /usr/local/awstats/wwwroot/cgi-bin/awstats.sh

 

Setting up an encrypted web site:

For Apache to support the HTTPS protocol, the mod_ssl package is required.

[root@www cgi-bin]# yum install mod_ssl

 /etc/httpd/conf.d/ssl.conf             #configuration file

 /etc/pki/tls/private/localhost.key     #private key file

 /etc/pki/tls/certs/localhost.crt       #signed certificate file

 

HTTPS with a self-signed certificate

[root@www cgi-bin]# cd /etc/pki/tls/certs/

[root@www certs]# make szm.key

umask 77 ; \

        /usr/bin/openssl genrsa -aes128 2048 > szm.key

Generating RSA private key, 2048 bit long modulus

..........+++

............................+++

e is 65537 (0x10001)

Enter pass phrase:

Verifying - Enter pass phrase:

 

#remove the passphrase from the key file just created, so that no passphrase remains

[root@www certs]# mv szm.key szm.key.raw

[root@www certs]# openssl rsa -in szm.key.raw -out szm.key

Enter pass phrase for szm.key.raw:

writing RSA key

 

[root@www certs]# rm szm.key.raw

rm: remove regular file `szm.key.raw'? y   #delete the old key file

[root@www certs]# chmod 400 szm.key        #the permissions must be 400

#create the final certificate file that is needed

[root@www certs]# make szm.crt SERIAL=2013041401

umask 77 ; \

        /usr/bin/openssl req -utf8 -new -key szm.key -x509 -days 365 -out szm.crt -set_serial 2013041401

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:22

State or Province Name (full name) []:guangzhou

Locality Name (eg, city) [Default City]:guangzhou

Organization Name (eg, company) [Default Company Ltd]:KSU

Organizational Unit Name (eg, section) []:SZM

Common Name (eg, your name or your server's hostname) []:www.Centosszm.com

Email Address []:[email protected]

 

[root@www certs]# ll szm*

-rw-------. 1 root root 1436 Apr 14 17:27 szm.crt  #certificate file

-r--------. 1 root root 1679 Apr 14 17:18 szm.key  #private key file

This certificate is still valid for only 1 year. If you want a 10-year certificate, edit the Makefile and change 365 to 3650.

SSLCertificateFile /etc/pki/tls/certs/szm.crt

SSLCertificateKeyFile /etc/pki/tls/certs/szm.key

[root@www certs]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

Separating the encrypted home page from the unencrypted one:

[root@www certs]# mkdir /var/www/https

[root@www certs]# echo "This is https home" > /var/www/https/index.html

 

[root@www certs]# vim /etc/httpd/conf.d/ssl.conf

Listen 443        #default listening port; changing it is not recommended

<VirtualHost _default_:443>    #virtual host settings

DocumentRoot "/var/www/https"

ServerName *:443                

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/pki/tls/certs/szm.crt

SSLCertificateKeyFile /etc/pki/tls/certs/szm.key

</VirtualHost>

 

[root@www certs]# /etc/init.d/httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

#now the two pages are different

http://192.168.179.7/

https://192.168.179.7/

 

Preventing whole-site downloads:

http://linux.vbird.org/download/index.php?action=detail&fileid=47

 

#!/bin/bash

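#

# This program was first started by VBird on 2002/06/11!

#

# Description

# The main purpose of this program is to protect your WWW host from site-ripping software!

# So if your host does not run a WWW service, there is no need to run this program!

#

# How the blocking works

# Some very annoying programs, such as Teleport and similar software, keep trying to rip the site,

# so they keep requesting connections to your host. In that situation your host may

# use up a lot of system resources, and that can bring it down!

# When someone uses Teleport, it opens a large number of connections, and these connections can be

# observed with netstat! So we use netstat to count

# the "repeated connection IPs": the connections coming from the same IP are counted, and

# if the count exceeds a set value (one you choose yourself!), that IP is

# blocked by your iptables rules!

# Because it works this way, check your kernel version before using this program.

#

# Notes:

# 1. About this program:

#   This program uses netstat to count the repeated connections per IP;

#   when the count exceeds a certain value, the IP is blocked with iptables. Therefore

#   your kernel must be newer than 2.4, and you must not be using ipchains!

# 2. About the other related program:

#   This program works together with the iptables.rule program, so

#   unless you already have a good grasp of shell scripts,

#   it is best to download that program from the site below!

#   http://linux.vbird.org/download/#linux_security

#

# Installation:

# 1. Put the program in a suitable directory

#   mkdir -p /usr/local/virus/httpd-err

#   cp /full/path/http-netstat.sh /usr/local/virus/httpd-err

#   chmod 755 /usr/local/virus/httpd-err/http-netstat.sh

# 2. Edit the relevant parts of this program:

#   The settings further down need to be changed, including:

# email      (who should the messages be mailed to?)

# access_log (the Apache log file)

# 3. Edit crontab

#   vi /etc/crontab  (add the lines below)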

#  ----------- Start -----------------------------------------------------------------

#  *     * * * *   root /usr/local/virus/httpd-err/http-netstat.sh start > /dev/null 2>&1

#  18  */2 * * *   root /usr/local/virus/httpd-err/http-netstat.sh day   > /dev/null 2>&1

#  12   04 * * 0,4 root /usr/local/virus/httpd-err/http-netstat.sh week  > /dev/null 2>&1

#  ----------- End -------------------------------------------------------------------

#

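#====================================================================

# Copyright notice:

# This program is licensed under the GPL; anyone may use it.

# However, a reasonable understanding of the BASH shell is recommended before using it!

# Also, I take no responsibility for any problems that arise from using this program!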

# VBird <[email protected]>

#====================================================================

# History:

#--------------------------------------------------------------------

# 2002/06/11 VBird

# First time to setup this program!!

# 2002/06/29 VBird

# Adding some output control line!

# 2002/07/01 VBird

# 1. Add "Using netstat -an" to find out

#   the large connect IP and deny it!

#   The number of connection is [25].

# 2. By the way, the limited error log is

#   changed from [20] to [15].

# 3. The running frequency is changed from

#   30 minutes to 15 minutes.

# 2002/09/26 VBird

# 1. Adding the "netstat -an" for check 

#   the Apache is live ?

# 2002/11/04 VBird

# 1. change the netstat error from 25 to 15

# 2003/02/27 VBird

# modified the detect method from connection number to the

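# "SYN_RECV" signal!

# 2003/03/03 VBird

# 1. The SYN_RECV signal comes from "Brother's settings"

#   not only from teleport~ Thus, the last modified is

#   error's settings....

# 2. The program have been modified to do the following:

#   a. using netstat and grep the TIME_WAIT process

#      If the Time_wait connection is over 5 and continue

#      15 seconds then drop the IP!

#   b. Analysis the log file, if find the Teleport then

#      Drop the IP!

# 2003/03/23 VBird

# Raised the TIME_WAIT packet threshold from the original 9 to 12!

# Too many friends were running into the problem of being blocked! Terrible!

# 2003/03/24 VBird

# Raised the TIME_WAIT packet threshold from the original 12 to 15!

# Too many friends were running into the problem of being blocked! Terrible!

# 2003/04/03 VBird

# The site got ripped again! So the raised value of 15 was lowered back to 13!

# 2003/04/24 VBird

# It suddenly struck me that blocking for a whole day is really harsh and keeps many people out of this site,

# so more entries are now released. Except where the evidence of Teleport is conclusive,

# in which case access is still refused (blocked for three to four days), all other blocks are released after 2 hours!

# This means the blocking mechanism can be set more strictly,

# so the raised value of 13 was lowered back to 12!

# 2003/04/28 VBird

# Released the program for everyone to use!

# 2003/05/18 VBird

# Changed the format of the daily E-Mail output!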

#====================================================================

 

#####################################################################
# You must fill in the parameters below!
email="root@localhost"
basedir="/usr/local/virus/httpd-err"
iptables_rule="/usr/local/virus/iptables/iptables.rule"
access_log="/var/log/httpd/access_log"
 

### Program starting ! You don't change anything for nothing! ^_^ ###
#####################################################################
# The program version and somethings.
lastdate="2003-05-18"
versions="Version 1.1"
hosthome=`hostname`
logfile="$basedir/mail.netstat"
oldlogfile="$basedir/mail.netstat.old"
 

#####################################################################
# The following is about ethernet interface's IP and check if the http live?
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export PATH
LANG=en; LC_TIME=en; export LC_TIME LANG
ethface=`route -n | awk '{print $1 , $8}'| grep '0.0.0.0'| cut -d' ' -f2`
ethIP=`ifconfig "$ethface" | grep 'inet addr'| awk '{print $2}'| cut -d':' -f2`
export ethIP
 

case $1 in

start)

    # 1. Get the TIME_WAIT signal

    #=== Part A, about the TIME_WAIT signal ===#
    # Three samples 12 seconds apart. Each one counts, per remote IP, the
    # TIME_WAIT sockets on local port 80 (netstat columns: 4 = local address,
    # 5 = remote address, 6 = state) and keeps the IPs with 12 or more.
    netstat -an | awk '$4 ~ /:80$/ && $6 == "TIME_WAIT" {print $5}' | cut -d':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
    sleep 12s
    netstat -an | awk '$4 ~ /:80$/ && $6 == "TIME_WAIT" {print $5}' | cut -d':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
    sleep 12s
    netstat -an | awk '$4 ~ /:80$/ && $6 == "TIME_WAIT" {print $5}' | cut -d':' -f1 | sort | uniq -c | \
        awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
    # Keep only the IPs that were over the limit in all three samples.
    cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | \
        awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat.now
    denyip_netstat=`cat $basedir/netstat.now`
 

    #=== Part B, about the log file ===#
    # First field of every recent access-log line that mentions "Teleport".
    tail -n 1000 $access_log | grep "Teleport" | cut -d' ' -f1 | sort | uniq > $basedir/loga.now
    denyip_log=`cat $basedir/loga.now`

    # 2. Exit if no IP has this problem!
    if [ "$denyip_netstat" == "" ] && [ "$denyip_log" == "" ]; then
        exit 0
    fi
 

    # 3. Add the IPs to the deny file dailyerr
    [ -e $basedir/dailynet ] || touch $basedir/dailynet
    [ -e $basedir/dailylog ] || touch $basedir/dailylog
    [ -e $basedir/dailyerr ] || touch $basedir/dailyerr
    cat $basedir/netstat.now $basedir/dailynet | sort -n | uniq > $basedir/dailynet.1
    cat $basedir/loga.now    $basedir/dailylog | sort -n | uniq > $basedir/dailylog.1
    cp $basedir/dailynet.1 $basedir/dailynet
    cp $basedir/dailylog.1 $basedir/dailylog
    sleep 1s
    # Nothing to do when the merged list has the same size as the current deny list.
    num_new=`cat $basedir/dailynet $basedir/dailylog | sort | uniq | wc -l`
    num_old=`cat $basedir/dailyerr | wc -l`
    if [ "$num_new" == "$num_old" ]; then
        exit 0
    fi
    cat $basedir/dailynet   $basedir/dailylog | sort | uniq > $basedir/dailyerr
 

    # Write one DROP rule per listed IP into a helper script
    # (the interface is hard-coded to eth0).
    echo '#!/bin/bash' >  $basedir/iptables.http
    echo '#' >> $basedir/iptables.http
    echo "# This file is automatic created by $0" >> $basedir/iptables.http
    echo '#' >> $basedir/iptables.http
    echo '# Please to see the web page is any questions:' >> $basedir/iptables.http
    echo '# http://linux.vbird.org' >> $basedir/iptables.http
    echo '################################################' >> $basedir/iptables.http
    cat $basedir/dailyerr | \
        /bin/awk -v ethIP="$ethIP" '{ printf( "%-42s %-18s %-19s\n", "/sbin/iptables -A INPUT  -p TCP -i eth0 -s", $1, "--dport 80 -j DROP")}' \
        >> $basedir/iptables.http
    chmod 700 $basedir/iptables.http
    # Re-run the main firewall script and count how many times that happened.
    if [ -f "$iptables_rule" ]; then
        sh $iptables_rule
        [ -e "$basedir/dailyerr.number" ] || echo 0 > $basedir/dailyerr.number
        declare -i daynumber=`cat $basedir/dailyerr.number`+1
        sleep 1s
        echo $daynumber > $basedir/dailyerr.number
    fi
    ;;
 

day)
    # 1. Get the uptime of your Linux system
    timeset1=`uptime | grep day`
    timeset2=`uptime | grep min`
    if [ "$timeset1" == "" ]; then
        if [ "$timeset2" == "" ]; then
            UPtime=`/usr/bin/uptime | awk '{print $3}'`
        else
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4}'`
        fi
    else
        if [ "$timeset2" == "" ]; then
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5}'`
        else
            UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5 " " $6}'`
        fi
    fi
    # 2. Send the information to you!
    # When no report file exists yet, start it with a banner: welcome text,
    # program version and date, contact, then a system summary (kernel
    # version, CPU information, host name).
    if [ ! -f $logfile ]; then
        echo "################################################" >  $logfile
        echo "歡迎使用本程式來查驗您的 HTTP 登錄檔"             >> $logfile
        echo "本程式目前版本為: $versions"                     >> $logfile
        echo "最後更新日期為: $lastdate"                       >> $logfile
        echo "若在您的系統中發現本程式有問題"                   >> $logfile
        echo "歡迎與 VBird 聯絡!"                              >> $logfile
        echo "鳥哥的首頁 http://linux.vbird.org"                >> $logfile
        echo "################################################" >> $logfile
        echo "=============== 系統彙整 =======================" >> $logfile
        echo "核心版本  : `cat /proc/version | awk '{print $1 " " $2 " " $3 " " $4}'`" \
            >> $logfile
        echo "CPU 資訊  : `cat /proc/cpuinfo | grep "model name" | \
            awk '{print $4 " " $5 " " $6}'`">> $logfile
        echo "          : `cat /proc/cpuinfo | grep "cpu MHz"    | \
            awk '{print $4 " MHz"}'`"       >> $logfile
        echo "主機名稱  : `/bin/hostname`"                         \
            >> $logfile
        echo "================================================" >> $logfile
        echo " " >> $logfile
    fi
    # Append the current time, the number of IPs blocked and the number of
    # firewall reloads during the past two hours.
    echo "目前時間: "`date +%Y/%m/%d' '%H:%M` >> $logfile
    ipnumber=`cat $basedir/dailyerr | wc -l`
    echo "過去兩小時內被本程式抵擋的 IP 數量: $ipnumber"   >> $logfile
    daynumber=`cat $basedir/dailyerr.number`
    echo "過去兩小時內本程式防火牆啟動的次數: $daynumber"  >> $logfile
    echo " " >> $logfile
    # Remember the blocked IPs for the daily total, then clear the netstat-based
    # block list and reload the firewall without those rules.
    cat $basedir/dailyerr >> $basedir/dailytotal
    rm -f $basedir/dailynet
    rm -f $basedir/iptables.http
    rm -f $basedir/dailyerr.number
    if [ -f "$iptables_rule" ]; then
        sh $iptables_rule
    fi
    # Between 05:00 and 06:59, add the per-IP statistics for the day and mail the report.
    sendor=`date +%H`
    if [ "$sendor" == "05" ] || [ "$sendor" == "06" ]; then
        echo "本日抵擋的 IP 統計" >> $logfile
        sort -n $basedir/dailytotal | uniq -c | \
            awk '{printf("%-16s %-3d\n", $2, $1)}' >> $logfile
        mail -s "The deny IPs in your system ." $email    < $logfile
        [ -f "$oldlogfile" ] && rm $oldlogfile
        mv $logfile $oldlogfile
        rm -f $basedir/dailytotal
    fi
    sync; sync; sync
    ;;
 

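week)
    # Archive the IPs caught through the Teleport log check and reset that
    # list, so they are no longer added to the deny file.
    cat $basedir/dailylog >> $basedir/teleport.ip
    rm $basedir/dailylog
    ;;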
 

*)
    echo "Usage command is {start|day|week}, such as [$0 start]"
    ;;
esac
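
The three-sample TIME_WAIT test from Part A of the script, written as an added example that is not part of VBird's program: it selects sockets by netstat column and keeps only dotted-quad IPv4 addresses before anything could reach a rule file. The function names (time_wait_offenders, persistent_time_wait, fake_lines, demo) and the sample addresses (documentation ranges) are made up for this example.

```shell
#!/bin/sh
# Added example (not VBird's code): Part A's three-snapshot TIME_WAIT test,
# matched by column. All function names and sample addresses are made up.

# stdin: one `netstat -an` snapshot; $1: minimum TIME_WAIT count.
# stdout: remote IPv4 addresses at or above the threshold on local port 80.
time_wait_offenders() {
    awk -v min="$1" '
        # columns: proto recv-q send-q local-address foreign-address state
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "TIME_WAIT" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)              # drop the remote port
            # keep dotted-quad IPv4 only, so nothing else can reach a rule file
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }'
}

# $1: threshold; remaining args: snapshot files taken some seconds apart.
# stdout: addresses over the threshold in every snapshot.
persistent_time_wait() {
    ptw_min=$1; shift
    for ptw_file in "$@"; do
        time_wait_offenders "$ptw_min" < "$ptw_file"
    done | sort | uniq -c | awk -v want="$#" '$1 == want { print $2 }'
}

# Constructed sample data: $1 TIME_WAIT lines from remote $2 to local port $3.
fake_lines() {
    fl_i=0
    while [ "$fl_i" -lt "$1" ]; do
        echo "tcp 0 0 192.0.2.10:$3 $2:$((40000 + fl_i)) TIME_WAIT"
        fl_i=$((fl_i + 1))
    done
}

demo() {
    d=$(mktemp -d)
    { fake_lines 14 203.0.113.7 80; fake_lines 12 198.51.100.9 80
      fake_lines 20 198.51.100.80 22; } > "$d/s1"   # last one is SSH, not HTTP
    { fake_lines 13 203.0.113.7 80; fake_lines 3 198.51.100.9 80; } > "$d/s2"
    { fake_lines 12 203.0.113.7 80; fake_lines 15 198.51.100.9 80; } > "$d/s3"
    persistent_time_wait 12 "$d/s1" "$d/s2" "$d/s3"
    rm -rf "$d"
}

demo    # prints 203.0.113.7
```

Only 203.0.113.7 is reported: 198.51.100.9 drops below the limit in the second snapshot, and 198.51.100.80 is ignored because its sockets are on local port 22 even though its address contains "80".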
