web机器标准化配置手册

(记录一下工作中web服务器配置过程的傻瓜手册,实际操作中按照文档步骤,使用脚本,一键部署)

1、代码和运维规范(注意!重要)

2、使用root 用户 配置sudo

删除现有 visudo 的内容, 用下面的内容整体替换, 只赋予 www 和 user_00 两个用户 sudo 权限, 平时操作禁止直接使用 root。注意: www 同时是下文 nginx 和 php-fpm 的运行账号, 给它 NOPASSWD 的 sudo 意味着网站一旦出现远程代码执行即可直接提权到 root; 更稳妥的做法是只给运维登录账号 user_00 sudo 权限, www 仅作为服务账号。

# Run as root. visudo syntax-checks the file before saving; never edit
# /etc/sudoers directly, a broken file locks everyone out of sudo.
$ visudo 
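# Allow-list of commands that USER_FLAG may run through sudo. Always use
# absolute paths here and when invoking them, so a same-named binary elsewhere
# in PATH cannot be substituted.
# NOTE(review): sudoers negation ('!' in front of a command) is not a reliable
# deny -- a user can copy the binary under another name -- so rely on the
# allow-list alone and keep it short.
# NOTE(review): vim, nano, find (-exec), rsync (-e), yum (shell/plugins) and
# tcpdump (-z) can each spawn a shell or write arbitrary files as root, so with
# NOPASSWD this list is, in practice, full root for its users. Trim it to what
# the role genuinely needs, or accept that explicitly.
Cmnd_Alias WHEELER = /usr/sbin/tcpdump, /bin/ls, /bin/cat, /usr/sbin/lsof, /bin/nice, /bin/ps, /usr/bin/top, /usr/local/bin/nano, /usr/sbin/ss, /usr/bin/locate, /usr/bin/find, /usr/bin/rsync, /bin/netstat, /usr/bin/vmstat, /usr/bin/iostat, /usr/bin/mpstat, /usr/bin/yum, /bin/kill, /usr/bin/ionice, /usr/bin/killall, /usr/bin/ps, /usr/bin/pkill, /sbin/service, /usr/bin/vim, /usr/bin/nano, /bin/grep, /bin/find, /bin/chmod, /bin/chown, /bin/mkdir, /usr/bin/updatedb
# Accounts granted WHEELER. The nginx/php-fpm worker account www is
# deliberately absent: passwordless sudo for the web worker would turn any
# remote code execution in the site into root. Operate as user_00 instead.
User_Alias USER_FLAG = user_00
root       ALL = (ALL) ALL
USER_FLAG  ALL = (ALL) NOPASSWD: WHEELER
# !requiretty lets scripts and cron call sudo; !umask keeps the caller's umask
# rather than forcing sudo's default.
Defaults !requiretty, !umask
# visiblepw dropped: it let sudo echo the typed password when no tty is
# present.
Defaults path_info, insults, lecture=always
# Audit log. The directory must be root-owned and not writable by others,
# otherwise any local account can remove or replace the record.
Defaults loglinelen = 0, logfile = /opt/logs/sudo/sudo.log, log_year, log_host, syslog=auth
Defaults mailto=webmaster@foobar.com, mail_badpass, mail_no_user, mail_no_perms
# Three password attempts (the sudo default) instead of eight.
Defaults passwd_tries = 3, passwd_timeout = 1
Defaults env_reset, always_set_home, set_home, set_logname
Defaults !env_editor, editor="/usr/bin/vim:/usr/bin/vi:/usr/bin/nano"
# Six-hour credential cache; only matters for entries that ask for a password
# (USER_FLAG is NOPASSWD, so it does not apply to them).
Defaults timestamp_timeout=360
Defaults passprompt="Sudo invoked by [%u] on [%H] - Cmd run as %U - Password for user %p:"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin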

3、切换到root用户, 添加 user_00, www 帐号 和 主要目录。

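# Run as root. Create the operations login (user_00) and the service account
# that nginx/php-fpm run as (www), each with a primary group of the same name.
$ useradd -m -U user_00
# NOTE(review): www only needs to exist as a service account; consider adding
# '-s /sbin/nologin' if nobody is expected to log in as www interactively.
$ useradd -m -U www

$ mkdir -p /opt/yoursite/业务名字
$ mkdir -p /opt/logs/nginx
$ mkdir -p /opt/logs/php-fpm
$ mkdir -p /opt/logs/sudo
$ mkdir -p /opt/logs/业务名字/web
$ mkdir -p /opt/logs/业务名字/server

# Permissions. The original 'chmod a+rwx' made both the web root and the log
# tree world-writable: any local account, or a compromised service, could drop
# a .php file into the document root or tamper with logs, including sudo's
# audit log. Give each tree an owner instead and stop at group access.
# (-print0/-0 so names with spaces or newlines cannot break the pipeline.)
#
# Logs are written by the www worker (nginx opens the per-vhost access log
# itself because its path contains a variable; php-fpm logs as www), so www
# owns them.
$ chown -R www:www /opt/logs
$ find /opt/logs -type d -print0 | xargs -0 chmod 750
$ find /opt/logs -type f -print0 | xargs -0 chmod 640
# sudo writes its log as root; keep that directory out of everyone else's
# reach so the audit trail cannot be removed or replaced.
$ chown root:root /opt/logs/sudo
$ chmod 700 /opt/logs/sudo

# Site code: assumed here to be deployed by user_00 and only read by the www
# worker -- the worker must not be able to modify its own code. If the
# application needs a writable upload or cache directory, grant write access
# on that directory alone.
$ chown -R user_00:www /opt/yoursite
$ find /opt/yoursite -type d -print0 | xargs -0 chmod 750
$ find /opt/yoursite -type f -print0 | xargs -0 chmod 640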

添加完后退出 root。注意: 下面第 4~8 步(修改 yum 源、安装软件、编辑 /etc/nginx 和 /etc/php.ini、启动服务)仍然需要 root 权限, 应以 user_00 通过 sudo 执行, 不要用 www 账号做这些操作。

4、配置安装源

4.1 修改安装源,不使用缺省源,使用指定安装源, 先备份禁用已有的缺省安装源

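# Run as root. Disable every stock repo by renaming it: yum only reads *.repo,
# so the .bak copies stay as a record but are ignored.
# 'rename FROM TO FILES' is the util-linux form shipped on CentOS; the Perl
# rename found on Debian-style systems takes different arguments.
# (The original line carried a pasted shell-prompt fragment after the file
# pattern, which rename would have treated as two more file names.)
$ cd /etc/yum.repos.d/
$ rename .repo .repo.bak *.repo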
$ ll
total 16 
-rw-r--r-- 1 root root 1608 Apr 15 19:18 CentOS-Base.repo.bak 
-rw-r--r-- 1 root root 637 Dec 9 2011 CentOS-Debuginfo.repo.bak 
-rw-r--r-- 1 root root 626 Dec 9 2011 CentOS-Media.repo.bak

4.2 添加新的自建安装源

# Run as root, still inside /etc/yum.repos.d/; the file name just needs the
# .repo suffix for yum to pick it up.
$ vim mirrors_stevenrao.repo 
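# [serverid] identifies the repository; it must be unique, the name itself is
# free-form.
[stevenrao-base]
name=centos-$releasever-stevenrao-base
# NOTE(review): plain http; use https if the mirror offers it. The signature
# check below is what actually protects the install either way.
baseurl=http://yum.yoursite.com/centos/$releasever/os/$basearch/
enabled=1
# The original gpgcheck=0 made yum install, as root, whatever the mirror (or
# anyone between this host and it) served. Verify RPM signatures instead. The
# key path is the stock CentOS key under /etc/pki/rpm-gpg, which is the right
# key for an unmodified mirror of upstream packages; point gpgkey at your own
# key if packages are rebuilt or re-signed in-house.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever


# released updates
[stevenrao-update]
name=centos-$releasever-stevenrao-update
baseurl=http://yum.yoursite.com/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever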

4.3 增加源host的ip解析

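# Run as root. Pin the mirror's hostname to its address (replace xx.xx.xx.xx).
# Appends one line and is safe to re-run: nothing is added if the host is
# already present.
$ grep -qF 'yum.yoursite.com' /etc/hosts || printf '%s\n' 'xx.xx.xx.xx yum.yoursite.com' >> /etc/hosts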

5、 nginx安装和配置

5.1 安装nginx

# Run as root. Packages come from the self-hosted mirror configured above;
# make sure that repo verifies signatures (gpgcheck) before installing
# anything as root from it.
$ yum install nginx

5.2 创建对应的log目录

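# Run as root. nginx log directory, owned by the www worker and not
# world-writable (the original 'a+rwx'/'a+rw' let any local account alter or
# delete the logs). The worker itself opens the per-vhost access log because
# its path contains a variable, hence www needs write access here.
$ mkdir -p /opt/logs/nginx
$ chown -R www:www /opt/logs/nginx
$ find /opt/logs/nginx -type d -print0 | xargs -0 chmod 750
$ find /opt/logs/nginx -type f -print0 | xargs -0 chmod 640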

5.3 备份现有nginx配置

# Run as root. Keep the packaged config as a reference; the new file is
# written from scratch in the next step.
$mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

5.4 编辑新的 nginx.conf

# Run as root. After saving, 'nginx -t' reports syntax errors without
# touching the running service.
$ vim /etc/nginx/nginx.conf

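user  www;
# NOTE(review): one worker per core, pinned below. 24 is hard-coded, so it
# must match the host's actual core count (nginx >= 1.3.8 accepts
# 'worker_processes auto', which would let the affinity line go).
worker_processes 24;
worker_rlimit_nofile 100000;
worker_cpu_affinity 000000000000000000000001 000000000000000000000010 000000000000000000000100 000000000000000000001000 000000000000000000010000 000000000000000000100000 000000000000000001000000 000000000000000010000000 000000000000000100000000 000000000000001000000000 000000000000010000000000 000000000000100000000000 000000000001000000000000 000000000010000000000000 000000000100000000000000 000000001000000000000000 000000010000000000000000 000000100000000000000000 000001000000000000000000 000010000000000000000000 000100000000000000000000 001000000000000000000000 010000000000000000000000 100000000000000000000000;

error_log  /opt/logs/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    use epoll;
    worker_connections 65535;
}


http {
    include       /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    output_buffers 1 128k;
    log_not_found   off;
    keepalive_timeout 65;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/javascript application/json;
    gzip_http_version 1.0;
    gzip_vary on;

    # $http_x_forwarded_for is whatever the client chose to send. Fine for
    # logging behind a proxy you control; never use it for access decisions.
    log_format main '$remote_addr $http_x_forwarded_for [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$request_time" "$upstream_response_time"';

    server_names_hash_max_size 4096;
    server_names_hash_bucket_size 128;

    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # NOTE(review): PHP's upload_max_filesize is 20M, so nginx accepts bodies
    # up to 100m that PHP will then reject. Align the two if that is not
    # intended.
    client_max_body_size 100m;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    # The original line lacked the terminating ';' and nginx would have
    # rejected the whole file.
    fastcgi_intercept_errors on;

    # Catch-all for requests whose Host matches no vhost: refuse them rather
    # than silently serving the first vhost.
    server
    {
        listen 80 default;
        server_name  _;
        access_log off;

        location /
        {
            return 403;
        }
    }

    include /etc/nginx/nginx_vhost/*.conf;
}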

5.5 新增配置 /etc/nginx/nginx_vhost/业务名字.yoursite.com.conf

# Run as root. One file per vhost; the main nginx.conf includes
# /etc/nginx/nginx_vhost/*.conf, so the file must carry the .conf suffix.
$ mkdir -p /etc/nginx/nginx_vhost/
$ vim /etc/nginx/nginx_vhost/业务名字.yoursite.com.conf
 
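 server {
    listen 80;
    server_name  业务名字.yoursite.com;
    charset utf8;
    index index.html index.htm index.php;
    root   /opt/yoursite/业务名字/web;

    # NOTE(review): nothing in this server proxies, so these two lines are
    # inert; kept as in the original. If a proxy_pass is ever added, note that
    # $http_x_forwarded_for relays whatever the client sent unchanged.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;

    access_log /opt/logs/nginx/${server_name}.access.log main;
    error_log  /opt/logs/nginx/业务名字.yoursite.com.error.log info;
    log_not_found off;

    # Front controller: a URI that is not an existing file or directory is
    # handed to index.php with the original URI appended as PATH_INFO.
    location / {
        if (!-e $request_filename) {
            rewrite (.*) /index.php/$1;
        }
    }

    location ~ ^(.+\.php)(.*)$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        # try_files below rewrites the request URI to the file it found, which
        # recomputes $fastcgi_path_info as empty; capture it first.
        set $path_info $fastcgi_path_info;
        # Refuse unless the .php part of the URI is a real file under root.
        # Without this check a request such as /uploads/pic.jpg/x.php reaches
        # PHP with a SCRIPT_FILENAME that does not exist, and with PHP's default
        # cgi.fix_pathinfo=1 PHP falls back to executing pic.jpg -- any user
        # upload becomes executable code.
        try_files $fastcgi_script_name =404;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # Stock parameter file first, explicit values after it, so the explicit
        # ones are what PHP sees even if the packaged file sets the same names.
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO $path_info;
        fastcgi_param   PATH_TRANSLATED $document_root$path_info;
    }

    # Static assets (unless the URI already matched the .php location above)
    # come from a separate tree and are never handed to php-fpm.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css|html)$ {
        root /opt/yoursite/业务名字/front;
        expires 12h;
    }

    server_name_in_redirect  off;
}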


6、 php 安装与配置

6.1 安装php

# Run as root. php-fpm is the only piece exposed to nginx (over loopback);
# php-cli is used by the 'php -i' check below.
$ yum install php-common php php-mbstring php-xml php-fpm php-cli php-opcache php-process php-pear php-gd 

6.2 修改 /etc/php.ini 配置

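# Locate the php.ini this build actually loads (the original had this and the
# mkdir fused onto one line).
$ php -i | grep 'php.ini'
# PHP error-log directory, owned by the www pool user and not world-writable.
# The original second chmod repeated '-type d' where '-type f' was meant.
$ mkdir -p /opt/logs/php/
$ chown -R www:www /opt/logs/php
$ find /opt/logs/php -type d -print0 | xargs -0 chmod 750
$ find /opt/logs/php -type f -print0 | xargs -0 chmod 640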

# Run as root; edit the file reported by 'php -i' above if it is not
# /etc/php.ini. Changes take effect after php-fpm is (re)started.
$ vim /etc/php.ini
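; NOTE(review): 'servertype' is not a PHP directive -- PHP silently ignores
; unknown keys -- so the original line was documentation only. Kept as a
; comment so the intent (production profile) is still recorded.
; servertype = production
date.timezone = PRC
log_errors    = On
; The original had error_log and memory_limit fused onto one line, which PHP
; would read as one malformed value.
error_log     = /opt/logs/php/php_error.log
memory_limit  = 256M
; Never show errors to the client in production (the fpm pool sets this too);
; with log_errors=On they still reach error_log.
display_errors = Off
; Stop advertising the PHP version in the X-Powered-By header (nginx already
; runs with server_tokens off).
expose_php = Off
; With fix_pathinfo=1 (PHP's default) a request for /x.jpg/y.php makes PHP
; walk back and execute x.jpg. nginx should guard this with try_files as well,
; but turn the fallback off here regardless. PATH_INFO still works because
; nginx passes it explicitly.
cgi.fix_pathinfo = 0
; NOTE(review): this hides E_WARNING and E_NOTICE from the log, not only from
; users; in production consider keeping warnings (they often precede real
; failures) and silencing only what is genuinely noise.
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT  & ~E_NOTICE & ~E_WARNING
;auto_prepend_file
;auto_append_file
;extension_dir
; 20M here vs client_max_body_size 100m in nginx: nginx accepts bodies that
; PHP then rejects. Align the two if large uploads are expected.
upload_max_filesize = 20M
max_file_uploads = 50
;sendmail_path =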

6.3 修改php-fpm配置

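# Run as root. php-fpm log directory, owned by the www pool user and not
# world-writable (the original 'a+rwx'/'a+rw' let any local account alter or
# delete the logs).
$ mkdir -p /opt/logs/php-fpm/
$ chown -R www:www /opt/logs/php-fpm
$ find /opt/logs/php-fpm -type d -print0 | xargs -0 chmod 750
$ find /opt/logs/php-fpm -type f -print0 | xargs -0 chmod 640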

# Run as root. Global (master) settings only; per-pool settings live in
# /etc/php-fpm.d/www.conf, edited in the next step.
$ vim /etc/php-fpm.conf 
; Master-process settings for php-fpm (pool settings are in php-fpm.d/).
; Self-restart guard: if this many children die within the interval, the
; master restarts itself instead of limping on.
emergency_restart_threshold = 10
emergency_restart_interval = 1m
; How long a child gets to honour a reload/stop signal before being killed.
process_control_timeout = 5s
; Master log, opened by the master (runs as root).
error_log = /opt/logs/php-fpm/php-fpm-error.log

6.4 修改 /etc/php-fpm.d/www.conf配置

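; Pool workers run as the www service account (the same account nginx's
; workers use).
user  = www
group = www
; Loopback only; allowed_clients is a second fence for the TCP listener.
listen = 127.0.0.1:9000
listen.backlog = 1024
listen.allowed_clients = 127.0.0.1
; Static pool: exactly max_children workers are kept alive. start_servers and
; min/max_spare_servers are only consulted by pm = dynamic, so they are inert
; here and kept only to ease switching. NOTE(review): 512 workers x the 256M
; memory_limit in php.ini is the worst case the host must be able to hold --
; check it against RAM.
pm = static
pm.max_children = 512
pm.start_servers = 64
pm.min_spare_servers = 32
pm.max_spare_servers = 64
; Recycle a worker after this many requests to bound slow leaks.
pm.max_requests = 1024
access.log = /opt/logs/php-fpm/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /opt/logs/php-fpm/$pool.slow.log
request_slowlog_timeout = 10
; NOTE(review): nginx waits up to fastcgi_read_timeout 300s, but the request
; is killed here after 60s; align the two or expect nginx to report upstream
; failures on long requests.
request_terminate_timeout = 1m
rlimit_files = 65535
; php_admin_* values cannot be changed by ini_set() from application code;
; the original php_flag could be switched back on at runtime by any script,
; exposing stack traces and paths to clients.
php_admin_flag[display_errors] = off
php_admin_value[error_log] = /opt/logs/php-fpm/php-fpm.www.log
php_admin_flag[log_errors] = on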

6.5 修改 /etc/php.d/opcache.ini 配置

; Opcode cache for php-fpm.
opcache.enable=1
; Shared memory for compiled scripts (MB) and for interned strings (MB).
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
; Cache capacity and the wasted-memory threshold that triggers a restart.
opcache.max_accelerated_files=4000
opcache.max_wasted_percentage=5
; Key cache entries by working directory as well as path.
opcache.use_cwd=1
; Re-check file mtimes, but at most once per 60 s, so deploys are picked up
; without a php-fpm restart.
opcache.validate_timestamps=1
opcache.revalidate_freq=60
; NOTE(review): fast_shutdown was removed in PHP 7.2; harmless but ignored
; on newer builds.
opcache.fast_shutdown=1

7、调整系统参数

7.1 修改 /etc/sysctl.conf

# Accept-queue ceiling; nginx and php-fpm ask for larger backlogs than the
# stock default allows.
net.core.somaxconn = 4096
# Upper bound on TIME_WAIT sockets before the kernel starts dropping them.
net.ipv4.tcp_max_tw_buckets = 720000
# Allow TIME_WAIT sockets to be reused for new outbound connections.
net.ipv4.tcp_tw_reuse = 1
保存退出后运行 sysctl -p 使配置生效。


7.2 修改 /etc/security/limits.conf

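# A soft limit may not exceed its hard limit; the original had soft nproc
# 20240 above hard nproc 16384, which PAM rejects. The two values are kept
# and ordered so soft <= hard (the exact ceiling is a capacity choice).
* soft nproc 16384
* hard nproc 20240
* soft nofile 65535
* hard nofile 65536
# NOTE(review): '*' does not apply to root, and files under
# /etc/security/limits.d/ (e.g. 90-nproc.conf on CentOS 6) are read after
# this file and can override the nproc entry -- check them as well.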

8、运行启动php 和 nginx

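# Run as root. Syntax-check both configs first; a mistake in nginx.conf or a
# pool file would otherwise only surface as a failed start. php-fpm comes up
# before nginx so the fastcgi backend on 127.0.0.1:9000 is already listening.
$ php-fpm -t
$ nginx -t
$ service php-fpm start
$ service nginx start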

10-05 19:47