Server
ssh public-key login (PubkeyAuthentication) fails because of eCryptfs
Spent a whole day on this. On the Ubuntu 9.10 server the permissions on authorized_keys and on .ssh were both fine, and password-based ssh login worked, but RSA key-based login failed. Only after someone had logged in on the server console first would remote ssh key login work. Tracking down the cause: it was eCryptfs. The encrypted home directory is only mounted once the user logs in, so until then sshd cannot read ~/.ssh/authorized_keys at all.
eCryptfs (Enterprise Cryptographic Filesystem) is an enterprise-grade disk encryption system for Linux.
Solution 1
Unmount the encrypted home and put .ssh/authorized_keys in the underlying (unencrypted) home directory, where sshd can read it before the user has logged in:
$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ chmod 700 .
$ mkdir -m 700 .ssh
$ chmod 500 .
$ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
$ /sbin/mount.ecryptfs_private
Solution 2
Point sshd at a key file that lives outside the encrypted home:
bear@njava:~$ vi /etc/ssh/sshd_config
AuthorizedKeysFile /etc/.ssh/%u/authorized_keys
With StrictModes on (the default) sshd still requires that this file and every directory above it be owned by root or by the user and not be writable by group or others.
Adjusting boot-time services on Ubuntu with sysv-rc-conf
1 Install sysv-rc-conf
bear@njava:~$ sudo apt-get update
bear@njava:~$ sudo apt-get install sysv-rc-conf
2 Run it
bear@njava:~$ sudo sysv-rc-conf
3 Runlevels
Boot-time processes are executed in this order:
Runlevel S: the first runlevel of the boot process. The /etc/init.d/rcS script is invoked and runs everything in /etc/rcS.d.
Runlevel 1: single-user mode. Everything in /etc/rc1.d is run.
Runlevels 2, 3, 4, 5: on Debian systems these are multi-user environments, which may or may not include a graphical interface. Likewise, the scripts in the corresponding directory are run.
Runlevel 0: halt the machine
Runlevel 6: reboot the machine
ssh security policy
1 Generate a key pair on the client
Client:
$ ssh-keygen -t rsa
2 Upload the public key xx.pub
ssh-copy-id -i ~/.ssh/bear@njava.pub bear@njava.com
or
Server:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat xx.pub > ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
3 Disable password login
Server:
$ sudo vim /etc/ssh/sshd_config

#PasswordAuthentication yes
# Disable password authentication
PasswordAuthentication no

# Make sure public-key login is enabled
PubkeyAuthentication yes

#LogLevel info
# Raise the log level
LogLevel VERBOSE

#LoginGraceTime 120
# Time allowed to complete a login; cutting it to 20 seconds helps thwart automated brute-force attacks on ssh and DoS
LoginGraceTime 20

#Banner /etc/issue.net
# Warning banner: create /etc/issue and symlink it (ln -s) to /etc/issue.net
Banner /etc/issue.net

# Only allow specific users to log in over ssh (space-separated, no quotes)
AllowUsers bear njava

# Deny specific users
DenyUsers pig java

# Only allow members of a specific group to log in
AllowGroups sshlogin
# How to create the group and add a user to it:
#   sudo addgroup --gid 450 sshlogin
#   sudo adduser bear sshlogin

# Change the port ssh listens on
Port 2222
4 Restart ssh
sudo /etc/init.d/ssh restart
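As an added check (example code written for this post, not the author's), a small Python audit that reads a sshd_config and reports which of the settings listed above are missing or still at their defaults. It reads the file the way sshd does (first occurrence of a keyword wins, global section only) and also flags quoted values such as AllowUsers 'bear njava', which sshd does not read as two separate user names:

```python
import re

# Defaults sshd applies when a directive is absent (OpenSSH documented defaults).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "loglevel": "INFO", "logingracetime": "120", "port": "22"}

def parse_sshd_config(text):
    """Read sshd_config the way sshd does: keyword and value separated by whitespace
    or '=', keywords case-insensitive, the FIRST occurrence of a keyword wins, and
    lines starting with '#' are comments.  Parsing stops at the first Match block,
    because only the global section is audited here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)[\s=]+(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf

def audit_sshd_config(text):
    """Compare the global settings against the policy above; return a list of findings."""
    conf = parse_sshd_config(text)
    get = lambda k: conf.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("passwordauthentication").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if get("pubkeyauthentication").lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if get("loglevel").upper() != "VERBOSE":
        findings.append("LogLevel is not VERBOSE")
    grace = get("logingracetime")  # plain seconds only; suffixed values like '2m' are flagged too
    if not grace.isdigit() or int(grace) > 20:
        findings.append("LoginGraceTime is longer than 20 seconds")
    allow = conf.get("allowusers", "") + conf.get("allowgroups", "")
    if not allow:
        findings.append("no AllowUsers/AllowGroups restriction")
    elif "'" in allow or '"' in allow:
        # sshd does not treat quotes as list delimiters: 'bear njava' is not the users bear and njava
        findings.append("AllowUsers/AllowGroups contains quote characters")
    if get("port") == "22":
        findings.append("Port is still the default 22")
    return findings
```

Run it as audit_sshd_config(open("/etc/ssh/sshd_config").read()); an empty list means every setting from the policy above is in place.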
One way to connect nginx to PHP: a unix domain socket
1 Create the socket file /tmp/php-cgi.njava.sock
bear@njava:/tmp$ sudo chown www-data /tmp/php-cgi.njava.sock
2 Edit the site config in /etc/nginx/sites-available
# fastcgi_pass 127.0.0.1:9000;
fastcgi_pass unix:/tmp/php-cgi.njava.sock;
3 Change how php-cgi is started
#DAEMON_OPTS="-a 127.0.0.1 -p 9000 -C 1 -u www-data -f /usr/bin/php-cgi"
DAEMON_OPTS="-a 127.0.0.1 -s /tmp/php-cgi.njava.sock -C 1 -u www-data -f /usr/bin/php-cgi"
Installing Nagios monitoring under nginx on Ubuntu 9.10
1 Users and permissions
root@njava:~# sudo -s
root@njava:~# useradd -m -s /bin/bash nagios
root@njava:~# passwd nagios
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@njava:~# groupadd nagios
groupadd: group 'nagios' already exists
root@njava:~# usermod -G nagios nagios
root@njava:~# groupadd nagcmd
root@njava:~# usermod -a -G nagcmd nagios
root@njava:~# usermod -a -G nagcmd www-data
root@njava:~#
2 Download the software
root@njava:~# axel http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.1.tar.gz
root@njava:~# axel http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.14.tar.gz
root@njava:~# tar -xzvf nagios-3.2.1.tar.gz
3 Configure and build
root@njava:~# cd nagios-3.2.1
root@njava:~/nagios-3.2.1# ./configure --with-command-group=nagcmd
root@njava:~/nagios-3.2.1# make all
root@njava:~/nagios-3.2.1# make install
root@njava:~/nagios-3.2.1# make install-init
root@njava:~/nagios-3.2.1# make install-config
root@njava:~/nagios-3.2.1# make install-commandmode
4 Install the Apache web config (of no use for Nagios under nginx)
root@njava:~/nagios-3.2.1# make install-webconf
5 Configure nginx
The nginx_fcgi_params file and the /var/run/nginx-fcgi.sock socket used for the CGIs come from the "CGI support in Nginx 0.8.34" setup further down this page.
root@njava:~/nagios-plugins-1.4.14# cat /etc/nginx/sites-available/nagios
server {
    listen 80;
    server_name nagios.njava.com;
    access_log /var/log/nginx/nagios.access.log;

    location / {
        root /usr/local/nagios/share;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        set $path_info "/";
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }
        fastcgi_param SCRIPT_FILENAME /usr/local/nagios/share/$real_script_name;
        fastcgi_param script_name $real_script_name;
        fastcgi_param path_info $path_info;
        include /etc/nginx/fastcgi_params;
    }

    location /nagios/images {
        alias /usr/local/nagios/share/images;
    }

    location /nagios/stylesheets {
        alias /usr/local/nagios/share/stylesheets;
    }

    location /cgi-bin {
        alias /usr/local/nagios/sbin;
    }

    location ~ \.cgi$ {
        root /usr/local/nagios/sbin;
        rewrite ^/cgi-bin/(.*)\.cgi /$1.cgi break;
        fastcgi_index index.cgi;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include nginx_fcgi_params;
        fastcgi_read_timeout 5m;
        fastcgi_pass unix:/var/run/nginx-fcgi.sock;
    }
}
6 Install the Nagios plugins
root@njava:~# tar -xzvf nagios-plugins-1.4.14.tar.gz
root@njava:~# cd nagios-plugins-1.4.14
root@njava:~/nagios-plugins-1.4.14# ./configure --with-nagios-user=nagios --with-nagios-group=nagios
...
...
  --with-apt-get-command: /usr/bin/apt-get
  --with-ping6-command: /bin/ping6 -n -U -w %d -c %d %s
  --with-ping-command: /bin/ping -n -U -w %d -c %d %s
  --with-ipv6: yes
  --with-mysql: no
  --with-openssl: yes
  --with-gnutls: no
  --enable-extra-opts: no
  --with-perl: /usr/bin/perl
  --enable-perl-modules: no
  --with-cgiurl: /nagios/cgi-bin
  --with-trusted-path: /bin:/sbin:/usr/bin:/usr/sbin
  --enable-libtap: no
root@njava:~/nagios-plugins-1.4.14# make && make install
7 Start nagios at boot
root@njava:~/nagios-plugins-1.4.14# ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios
9 Nagios settings
User login authentication
root@njava:~/nagios-plugins-1.4.14# vi /usr/local/nagios/etc/cgi.cfg
use_authentication=0
With use_authentication=0 the CGIs no longer check who is logged in, so anyone who can reach this vhost can view and act on the monitored hosts.
CGI base directory
root@njava:~/nagios-plugins-1.4.14# vi /usr/local/nagios/share/config.inc.php
$cfg['cgi_base_url']='/cgi-bin';
8 Verify the configuration and start nagios
root@njava:~/nagios-plugins-1.4.14# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
Things look okay - No serious problems were detected during the pre-flight check
root@njava:~/nagios-plugins-1.4.14# /etc/init.d/nagios start
Reference:
1 http://nagios.sourceforge.net/docs/3_0/quickstart-ubuntu.html
CGI support in Nginx 0.8.34
1 Install FCGI
root@njava:~# wget http://www.cpan.org/modules/by-module/FCGI/FCGI-0.67.tar.gz
root@njava:~# tar -zxf FCGI-0.67.tar.gz
root@njava:~# cd FCGI-0.67
root@njava:~/FCGI-0.67# perl Makefile.PL
root@njava:~/FCGI-0.67# make && make install
root@njava:~/FCGI-0.67# cd ..
2 Install FCGI-ProcManager
root@njava:~# wget http://search.cpan.org/CPAN/authors/id/G/GB/GBJK/FCGI-ProcManager-0.18.tar.gz
root@njava:~# tar -zxf FCGI-ProcManager-0.18.tar.gz
root@njava:~# cd FCGI-ProcManager-0.18
root@njava:~/FCGI-ProcManager-0.18# perl Makefile.PL
root@njava:~/FCGI-ProcManager-0.18# make && make install
root@njava:~/FCGI-ProcManager-0.18# cd ..
3 Install IO-All
root@njava:~# wget http://search.cpan.org/CPAN/authors/id/I/IN/INGY/IO-All-0.39.tar.gz
root@njava:~# tar zxf IO-All-0.39.tar.gz
root@njava:~# cd IO-All-0.39
root@njava:~/IO-All-0.39# perl Makefile.PL
root@njava:~/IO-All-0.39# make && make install
4 Install the nginx-fcgi script
root@njava:~# wget http://www.nginx.eu/nginx-fcgi/nginx-fcgi.txt
root@njava:~# mv nginx-fcgi.txt /usr/sbin/nginx-fcgi
root@njava:~# chmod +x /usr/sbin/nginx-fcgi
The script refuses to run as root; comment this check out in nginx-fcgi:
#if ( $> == "0" ) {
#    print "\n\tERROR\tRunning as a root!\n";
#    print "\tSuggested not to do so !!!\n\n";
#    exit 1;
#}
5 Start nginx-fcgi
nginx-fcgi -l /var/log/nginx/nginx-fcgi.log -pid /var/run/nginx-fcgi.pid -S /var/run/nginx-fcgi.sock
chown www-data:www-data /var/run/nginx-fcgi.sock
Make sure the permissions on nginx-fcgi.sock let the account nginx runs as read and write it.
6 Copy fastcgi_params to create nginx_fcgi_params
root@njava:~# cp /etc/nginx/fastcgi_params /etc/nginx/nginx_fcgi_params
root@njava:~# vi /etc/nginx/nginx_fcgi_params
#fastcgi_param REDIRECT_STATUS 200;
7 Proxying CGI
server {
    listen 80;
    server_name njava.com;

    location ~ ^/cgi-bin/.*\.cgi$ {
        root /home/bear/njava/test;
        fastcgi_index index.cgi;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include nginx_fcgi_params;
        fastcgi_read_timeout 5m;
        fastcgi_pass unix:/var/run/nginx-fcgi.sock;
    }
}
8 Done
Discuz pseudo-static (rewrite) rules under Nginx 0.8.34
Rewrite rules for a Discuz forum under Nginx; restart nginx after editing.
bear@bear-laptop:/etc/nginx/sites-available$ vi bbs.njava
server {
    listen 80;
    server_name bbs.njava.com;
    access_log /var/log/nginx/bbs.njava.access.log;

    location / {
        root /home/bear/Sites/bbs.njava;
        index index.html index.htm index.php;
        rewrite ^(.*)/archiver/((fid|tid)-[\w\-]+\.html)$ $1/archiver/index.php?$2 last;
        rewrite ^(.*)/forum-([0-9]+)-([0-9]+)\.html$ $1/forumdisplay.php?fid=$2&page=$3 last;
        rewrite ^(.*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/viewthread.php?tid=$2&extra=page%3D$4&page=$3 last;
        rewrite ^(.*)/profile-(username|uid)-(.+)\.html$ $1/viewpro.php?$2=$3 last;
        rewrite ^(.*)/space-(username|uid)-(.+)\.html$ $1/space.php?$2=$3 last;
        rewrite ^(.*)/tag-(.+)\.html$ $1/tag.php?name=$2 last;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        set $path_info "/";
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }
        fastcgi_param SCRIPT_FILENAME /home/bear/Sites/bbs.njava/$real_script_name;
        fastcgi_param script_name $real_script_name;
        fastcgi_param path_info $path_info;
        include /etc/nginx/fastcgi_params;
    }
}
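As an added check (example code written for this post, not part of the original), the Discuz rules above replayed in Python so each pretty URL can be confirmed to map to the intended script before nginx is restarted. The rule list and the first-match ("last") and query-string semantics are taken from the config above; the test URIs are constructed:

```python
import re

# The Discuz rewrite rules from the vhost above, as (nginx regex, nginx replacement).
DISCUZ_REWRITES = [
    (r"^(.*)/archiver/((fid|tid)-[\w\-]+\.html)$", r"$1/archiver/index.php?$2"),
    (r"^(.*)/forum-([0-9]+)-([0-9]+)\.html$", r"$1/forumdisplay.php?fid=$2&page=$3"),
    (r"^(.*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$",
     r"$1/viewthread.php?tid=$2&extra=page%3D$4&page=$3"),
    (r"^(.*)/profile-(username|uid)-(.+)\.html$", r"$1/viewpro.php?$2=$3"),
    (r"^(.*)/space-(username|uid)-(.+)\.html$", r"$1/space.php?$2=$3"),
    (r"^(.*)/tag-(.+)\.html$", r"$1/tag.php?name=$2"),
]

def nginx_replacement_to_python(repl):
    """nginx writes captures as $1..$9; Python's re.expand wants the \\g<n> form."""
    return re.sub(r"\$(\d)", r"\\g<\1>", repl)

def rewrite_uri(uri):
    """Apply the rules in order.  Every rule ends in 'last', so the first match wins
    and its result is returned; a URI no rule matches comes back unchanged.
    nginx matches rewrite regexes against the path only and appends the original
    query string after the arguments the replacement introduces."""
    path, _, query = uri.partition("?")
    for pattern, repl in DISCUZ_REWRITES:
        m = re.match(pattern, path)
        if m:
            new = m.expand(nginx_replacement_to_python(repl))
            if query:
                new += ("&" if "?" in new else "?") + query
            return new
    return uri
```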
Running PHP as FastCGI under nginx 0.8.34
1 Install spawn-fcgi
bear@bear-laptop:~$ sudo apt-get install php5-cli php5-cgi php5-xcache build-essential
bear@bear-laptop:~$ sudo apt-get install spawn-fcgi
Many guides say lighttpd has to be installed first; that is not necessary, spawn-fcgi can be installed directly.
2 Add a FastCGI control script
bear@bear-laptop:/usr/bin$ sudo vi /etc/init.d/php-fastcgi
#!/bin/bash
SCRIPT=/usr/bin/spawn-fcgi
NAME=php-fastcgi
DESC=Spawn-fcgi

case "$1" in
  start)
    echo -n "Starting $DESC: "
    $SCRIPT -a 127.0.0.1 -p 9000 -u www-data -g www-data -f /usr/bin/php5-cgi -P /var/run/$NAME.pid || true
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    killall -9 php5-cgi
    echo "$NAME."
    ;;
  restart)
    echo -n "Stopping $DESC: "
    killall -9 php5-cgi
    sleep 1
    echo "Starting $DESC: "
    $SCRIPT -a 127.0.0.1 -p 9000 -u www-data -g www-data -f /usr/bin/php5-cgi -P /var/run/$NAME.pid || true
    echo "$DESC."
    ;;
  *)
    echo "Usage: $NAME {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
3 Start at boot
bear@bear-laptop:/usr/bin$ sudo gedit /etc/rc.local
/etc/init.d/php-fastcgi start
Installing nginx 0.8.34 on Ubuntu 9.10
The repository carries nginx 0.7.62; I decided to upgrade it to nginx 0.8.34.
1 Remove nginx 0.7.62
bear@bear-laptop:~/$ sudo apt-get remove nginx
2 Install the build environment
bear@bear-laptop:~/soft/nginx-0.8.34$ sudo apt-get install build-essential libpcre3-dev libssl-dev libxslt-dev libgd2-xpm-dev libgeoip-dev
4 Download nginx 0.8.34
bear@bear-laptop:~/soft$ axel http://nginx.org/download/nginx-0.8.34.tar.gz
bear@bear-laptop:~/soft$ tar -xzvf nginx-0.8.34.tar.gz
5 Download the upstream fair module
bear@bear-laptop:~/soft$ wget http://github.com/gnosek/nginx-upstream-fair/tarball/master
bear@bear-laptop:~/soft$ tar -xzvf gnosek-nginx-upstream-fair-2131c73.tar.gz
6 Build
bear@bear-laptop:~/soft$ cd nginx-0.8.34/
bear@bear-laptop:~/soft/nginx-0.8.34$ ./configure --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --with-debug --with-http_stub_status_module --with-http_flv_module \
    --with-http_ssl_module --with-http_dav_module --with-http_gzip_static_module \
    --with-mail --with-mail_ssl_module --with-ipv6 --with-http_realip_module \
    --with-http_geoip_module --with-http_xslt_module --with-http_image_filter_module \
    --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl \
    --add-module=../gnosek-nginx-upstream-fair-2131c73
....
...
Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + md5: using OpenSSL library
  + using sha1 library: /usr/include/openssl
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx configuration prefix: "/etc/nginx"
  nginx configuration file: "/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/var/log/nginx/error.log"
  nginx http access log file: "/var/log/nginx/access.log"
  nginx http client request body temporary files: "/var/lib/nginx/body"
  nginx http proxy temporary files: "/var/lib/nginx/proxy"
  nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"

bear@bear-laptop:~/soft/nginx-0.8.34$ make
bear@bear-laptop:~/soft/nginx-0.8.34$ sudo make install
make -f objs/Makefile install
make[1]: 正在进入目录 `/home/bear/soft/nginx-0.8.34'
test -d '/usr/local/nginx' || mkdir -p '/usr/local/nginx'
test -d '/usr/local/nginx/sbin' || mkdir -p '/usr/local/nginx/sbin'
test ! -f '/usr/local/nginx/sbin/nginx' || mv '/usr/local/nginx/sbin/nginx' '/usr/local/nginx/sbin/nginx.old'
cp objs/nginx '/usr/local/nginx/sbin/nginx'
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' || cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' || cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params '/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' || cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/nginx.conf' || cp conf/nginx.conf '/etc/nginx/nginx.conf'
cp conf/nginx.conf '/etc/nginx/nginx.conf.default'
test -d '/var/run' || mkdir -p '/var/run'
test -d '/var/log/nginx' || mkdir -p '/var/log/nginx'
test -d '/usr/local/nginx/html' || cp -r html '/usr/local/nginx'
test -d '/var/log/nginx' || mkdir -p '/var/log/nginx'
make[1]:正在离开目录 `/home/bear/soft/nginx-0.8.34'
bear@bear-laptop:~/soft/nginx-0.8.34$
7 Modify the /etc/init.d/nginx script
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/nginx/sbin/nginx
NAME=nginx
DESC=nginx

test -x $DAEMON || exit 0

# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
    . /etc/default/nginx
fi

set -e
. /lib/lsb/init-functions

test_nginx_config() {
    if /usr/local/nginx/sbin/nginx -t
    then
        return 0
    else
        return $?
    fi
}
8 update-rc.d script
sudo update-rc.d -f nginx defaults
9 Done
Configuring ZendOptimizer 3.3.9 with nginx 0.8.34
On Ubuntu 9.10 I got rid of apache2, built nginx 0.8.34 from source and run PHP as FastCGI; this is how to set up ZendOptimizer.
root@njava:~# axel http://downloads.zend.com/optimizer/3.3.9/ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
root@njava:~# tar -xzvf ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
root@njava:~# cp ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/ZendOptimizer.so /usr/lib/php5/20060613+lfs/
root@njava:~# vi /etc/php5/cgi/conf.d/zendoptimizer.ini
extension=ZendOptimizer.so
:wq
root@njava:~# /etc/init.d/nginx restart
64-bit download URL
root@njava:~# axel http://downloads.zend.com/optimizer/3.3.9/ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz