nginx high-performance parameter configuration

1) Parameters in nginx.conf, assuming a server with 8 (logical) cores

worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 102400;
events
{
use epoll;
worker_connections 204800;
accept_mutex on;
}

worker_connections must not exceed worker_rlimit_nofile: every client connection costs a worker one descriptor, and two when the request is proxied upstream. With the numbers above nginx logs "worker_connections exceed open file resource limit" at startup and workers run into "too many open files" long before 204800 connections. Either raise worker_rlimit_nofile or lower worker_connections so the pair agrees.

2) /etc/rc.local

echo "ulimit -SHn 65535" >> /etc/rc.local

The three descriptor limits on this page (65535 here, 655360 in limits.conf below, 102400 in worker_rlimit_nofile) should be one and the same number. limits.conf applies to PAM logins, the ulimit in rc.local only to services started from rc.local, and worker_rlimit_nofile is what nginx actually sets on its worker processes at startup.

3)/etc/security/limits.conf

* soft nofile 655360
* hard nofile 655360

4) /etc/sysctl.conf

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000

Caveats on the TCP tuning above. net.ipv4.tcp_tw_recycle = 1 is the line to delete: it relies on TCP timestamps, so together with tcp_timestamps = 0 it does nothing, and with timestamps enabled it silently drops SYNs from clients behind NAT whose timestamps arrive out of order; the kernel removed the knob in 4.12. tcp_tw_reuse = 1 is fine because it only affects connections the server initiates. tcp_fin_timeout = 1, tcp_syn_retries = 1 and tcp_synack_retries = 1 are aggressive: one lost packet is enough to fail a handshake or an orderly close. Keep tcp_syncookies = 1 (SYN flood protection) and ip_forward = 0 on a web server.
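To make those caveats checkable, here is an added example in POSIX shell (not from the original page or its reference): an awk-based audit that reads a sysctl.conf fragment from stdin and prints one WARN line per risky or contradictory TCP setting. The two fragments embedded in demo_bad and demo_ok are constructed for the demo; demo_bad mirrors the risky lines of the list above.

```shell
#!/bin/sh
# Added example, not from the original page: audit a sysctl.conf fragment for
# TCP settings a public-facing nginx host should not carry.

# Read "key = value" lines on stdin, print one WARN line per finding.
audit_sysctl() {
    awk -F'=' '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*$/ { next }                 # blank line
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            v[key] = val
        }
        END {
            if (v["net.ipv4.tcp_tw_recycle"] == "1")
                print "WARN tcp_tw_recycle=1 drops SYNs from NAT clients and was removed in Linux 4.12"
            if (v["net.ipv4.tcp_tw_recycle"] == "1" && v["net.ipv4.tcp_timestamps"] == "0")
                print "WARN tcp_tw_recycle relies on tcp_timestamps; with timestamps off it does nothing"
            if (v["net.ipv4.tcp_syncookies"] != "1")
                print "WARN tcp_syncookies must be 1 on an internet-facing host (SYN flood protection)"
            if ("net.ipv4.ip_forward" in v && v["net.ipv4.ip_forward"] != "0")
                print "WARN ip_forward=1 turns a web server into a router"
            if ("net.ipv4.tcp_fin_timeout" in v && v["net.ipv4.tcp_fin_timeout"] + 0 < 5)
                print "WARN tcp_fin_timeout under 5s breaks orderly close on slow or lossy links"
            if (("net.ipv4.tcp_syn_retries" in v && v["net.ipv4.tcp_syn_retries"] + 0 <= 1) ||
                ("net.ipv4.tcp_synack_retries" in v && v["net.ipv4.tcp_synack_retries"] + 0 <= 1))
                print "WARN syn/synack retries of 1: one lost packet fails the handshake"
        }'
}

# Constructed fragment mirroring the risky lines from the list above.
demo_bad() {
    audit_sysctl <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 1
EOF
}

# Constructed fragment with the same knobs set to sane values: no warnings.
demo_ok() {
    audit_sysctl <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
EOF
}

# Print the findings for the risky fragment when run directly.
demo_bad
```

On a live box, `audit_sysctl < /etc/sysctl.conf` checks the file and `sysctl -a | audit_sysctl` checks what the kernel actually runs with, which is the one that matters after a reboot or a conflicting file in /etc/sysctl.d.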

Reference:

http://www.open-open.com/lib/view/open1392942521299.html


apt.sw.be is dead, which breaks the wdcp installer

Edit /etc/yum.repos.d/rpmforge.repo to point at a mirror that still carries RPMforge:

### Name: RPMforge RPM Repository for RHEL 5 to 6 - dag
### URL: http://rpmforge.net/
### MODIFIED BY QQ733905
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = https://mirrors.tuna.tsinghua.edu.cn/repoforge/redhat/el$releasever/en/$basearch/rpmforge/
mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

The original had gpgcheck = 0, which makes yum install whatever the mirror serves without checking a signature. The dag key is already named in gpgkey, so import it once (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag) and leave gpgcheck on: a mirror is not the upstream, and https only protects the transport, not the packages.

A strange Linux network outage

A customer's CentOS Linux box lost its dz communication.
After logging in over ssh I found the server had two IPs, 1.1.1.1 and 1.1.1.2.
On asking, it turned out that 1.1.1.1 had been retired and replaced by 1.1.1.2, but the previous sysadmin took the easy way out:
he only added the new IP 1.1.1.2 and never removed the old one, so the server's outbound pings and everything it initiated
were seen as coming from the old IP; presumably the upstream switch filters that, so they failed.
Removing the old IP and keeping only the new one solved it.

nginx PHP setup that serves through php-fpm and Apache, falling back automatically when php-fpm fails

The key line is error_page 502 = @apache;. The "= @named" form of error_page makes nginx redirect internally to the named location without changing the URI or the request method, so a POST and its body are replayed to Apache unchanged. It fires on the 502 that nginx generates itself when php-fpm is down, refuses the connection or times out; a 502 that php-fpm returns in its own response is only caught if fastcgi_intercept_errors on; is added too.

Two caveats on the block as written. First, every URI ending in .php is handed to php-fpm whether or not the file exists; with cgi.fix_pathinfo = 1 (the PHP default) a request like /uploads/x.jpg/evil.php makes PHP execute x.jpg, the classic nginx/php-fpm upload bug. Add try_files $uri =404; to the location and set security.limit_extensions = .php in the php-fpm pool. Second, Apache on port 88 must listen on 127.0.0.1 only, otherwise it is a second, unfiltered way into the same PHP code.

 location ~ .*\.php$
{
        error_page 502 = @apache;
        fastcgi_pass  127.0.0.1:9002;
        fastcgi_index index.php;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param REDIRECT_STATUS 200;
}

 location @apache {
        proxy_pass http://127.0.0.1:88;
        proxy_connect_timeout 30s;
        proxy_send_timeout   90;
        proxy_read_timeout   90;
        proxy_buffer_size    32k;
        proxy_buffers     4 32k;
        proxy_busy_buffers_size 64k;
        proxy_redirect     off;
        proxy_hide_header  Vary;
        proxy_set_header   Accept-Encoding '';
        proxy_set_header   Host   $host;
        proxy_set_header   Referer $http_referer;
        proxy_set_header   Cookie $http_cookie;
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
}
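The same pair of locations with those two additions applied, as an added example (this is not the page's original configuration; port numbers and the document root are taken from the page, the php-fpm pool option and the use of the stock fastcgi_params file are assumptions):

```nginx
location ~ \.php$ {
    # Only hand real files to php-fpm. Without this, /uploads/x.jpg/evil.php is
    # passed on and PHP with cgi.fix_pathinfo=1 runs x.jpg as PHP.
    # Belt and braces: security.limit_extensions = .php in the php-fpm pool config.
    try_files $uri =404;

    # nginx-generated 502 (php-fpm down, refused, timed out): replay the same
    # URI and method, body included, to the named location below.
    error_page 502 = @apache;
    # Uncomment if a 502 answered by php-fpm itself should also fail over:
    # fastcgi_intercept_errors on;

    include fastcgi_params;   # stock parameter file shipped with nginx
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param REDIRECT_STATUS 200;
    fastcgi_pass 127.0.0.1:9002;
}

location @apache {
    # Apache must bind to 127.0.0.1:88 only; it is reachable through nginx alone.
    proxy_pass http://127.0.0.1:88;
    proxy_connect_timeout 30s;
    proxy_read_timeout 90s;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

Check the fail-over with php-fpm stopped: a request for an existing .php file should be answered by Apache, and a request for a non-existent one should get nginx's own 404 rather than reaching either backend.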

Configuring a GoDaddy SSL certificate in nginx

openssl genrsa -des3 -out server.key 2048
generates server.key (passphrase-protected)

openssl rsa -in server.key -out server.key
strips the passphrase from server.key so nginx can start unattended; keep the file root-owned with mode 600

openssl req -new -key server.key -out server.csr
generates server.csr

Submit the contents of server.csr to GoDaddy; after validation, download the zip. It contains the site certificate (named after the order, bf5d584ffa226fa6.crt here) and the intermediate chain in the gd_bundle*.crt file. The file nginx serves must hold the site certificate first and the bundle after it. The original note concatenated the certificate with server.key instead, which copies the private key into a file that has no reason to be protected and leaves out the intermediates, so clients that do not already know GoDaddy's intermediate CA get a chain error.

cat bf5d584ffa226fa6.crt gd_bundle*.crt > /etc/nginx/server.pem
cp server.key /etc/nginx/server.key
chmod 600 /etc/nginx/server.key

In the nginx configuration:

listen 443 ssl;
ssl_certificate /etc/nginx/server.pem;
ssl_certificate_key /etc/nginx/server.key;

(ssl on; is the old spelling, deprecated since nginx 1.15.0 in favour of the ssl parameter on listen.)
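An added example in POSIX shell (not from the original page) that checks the two PEM files for the mistake above: the certificate file must contain only CERTIFICATE blocks, leaf first, and must never contain a private key. The PEM blocks it writes into a temp directory are constructed placeholders, not real keys or certificates; only the BEGIN/END markers are inspected.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the files that
# ssl_certificate and ssl_certificate_key point at.

# List the BEGIN block types in a PEM file, in order, space separated.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Number of certificate blocks; a leaf plus its intermediates gives 2 or more.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# 0 if the file is fit for ssl_certificate, 1 otherwise (reason on stderr).
check_cert_bundle() {
    blocks=$(pem_blocks "$1")
    case "$blocks" in
        *"PRIVATE KEY"*)
            echo "FAIL $1: contains a private key; it belongs in ssl_certificate_key only" >&2
            return 1 ;;
        *CERTIFICATE*)
            return 0 ;;
        *)
            echo "FAIL $1: no certificate block found" >&2
            return 1 ;;
    esac
}

# Build both layouts from constructed placeholder blocks; print the temp dir.
make_fixtures() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$dir/site.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' > "$dir/gd_bundle.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'SECRET' '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    # what the original note did: certificate + private key, intermediates missing
    cat "$dir/site.crt" "$dir/server.key" > "$dir/wrong.pem"
    # correct layout: leaf first, then the chain
    cat "$dir/site.crt" "$dir/gd_bundle.crt" > "$dir/right.pem"
    echo "$dir"
}

d=$(make_fixtures)
check_cert_bundle "$d/right.pem" && echo "right.pem ok: $(pem_blocks "$d/right.pem")"
check_cert_bundle "$d/wrong.pem" || echo "wrong.pem rejected"
```

With the real files, `openssl verify -untrusted gd_bundle*.crt bf5d584ffa226fa6.crt` confirms the chain, comparing the output of `openssl x509 -noout -modulus -in bf5d584ffa226fa6.crt` with `openssl rsa -noout -modulus -in server.key` confirms that certificate and key belong together, and `openssl s_client -connect host:443 -showcerts` from outside shows whether the intermediate is actually being sent.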

Dual-NIC configuration on RedHat/CentOS with one or two gateways

vim /etc/iproute2/rt_tables and add
252  cnc
251  tel

Add to /etc/rc.local:

ip route flush table tel
ip route add default via GATEWAY1 dev eth1 src IP1 table tel
ip rule add from IP1 table tel
ip route flush table cnc
ip route add default via GATEWAY2 dev eth0 src IP2 table cnc
ip rule add from IP2 table cnc

Only the gateway, interface and IP values (originally highlighted in red) need changing. Each rule sends traffic sourced from one address out through that address's own gateway, so replies leave on the interface the request arrived on instead of all taking the main default route.

As a shell script:

#!/bin/bash

ip1="1.1.1.2"
e1="eth0"
gw1="1.1.1.1"
ip2="2.2.2.2"
e2="eth1"
gw2="2.2.2.1"

#################################################
### Edit the values above
### Leave everything below alone
#################################################

rt="/etc/iproute2/rt_tables"
# add each table name only once, so re-running the script does not duplicate entries
grep -q '^252[[:space:]]*cnc' "$rt" || echo "252 cnc" >> "$rt"
grep -q '^251[[:space:]]*tel' "$rt" || echo "251 tel" >> "$rt"
rclocal="/etc/rc.local"

# the routes are flushed before being re-added, so the boot-time block is safe to run again
cat >> "$rclocal" <<EOF
ip route flush table tel
ip route add default via $gw1 dev $e1 src $ip1 table tel
ip rule add from $ip1 table tel
ip route flush table cnc
ip route add default via $gw2 dev $e2 src $ip2 table cnc
ip rule add from $ip2 table cnc
EOF


Preventing PHP execution in writable directories

First, why this works: AddType application/x-httpd-php5 .php in httpd.conf matches extensions case-insensitively, so .php, .PHP, .Php, .pHp and .phP all execute. An Apache rewrite rule that blocks such uploads therefore needs the NC flag (case-insensitive match) as well; F answers 403 Forbidden:

RewriteRule ^images/.*\.php - [NC,F]

This is the per-directory form (.htaccess or a <Directory> block), where the matched path carries no leading slash; in server or virtual-host context write ^/images/ instead. The rule only refuses requests, so also switch the engine off for the upload tree (php_admin_flag engine off inside <Directory>), so that anything a pattern misses cannot execute either.
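An added example in POSIX shell (not from the original page) that runs a list of request paths through the rule's pattern twice, once case-sensitively and once with the behaviour of [NC], and prints which paths would still reach the PHP handler. The paths are constructed for the demo; the pattern is the one from the rule above.

```shell
#!/bin/sh
# Added example, not from the original page: see what the rewrite rule blocks.

PATTERN='^images/.*\.php'

# 0 if the path matches the pattern; $2 is "nc" for case-insensitive ([NC]), "cs" otherwise
matches() {
    if [ "$2" = nc ]; then
        printf '%s\n' "$1" | grep -qiE "$PATTERN"
    else
        printf '%s\n' "$1" | grep -qE "$PATTERN"
    fi
}

# Print every path from the arguments that the rule would NOT block in the given mode.
leaks() {
    mode=$1; shift
    for p in "$@"; do
        matches "$p" "$mode" || printf '%s\n' "$p"
    done
}

# Constructed sample: case variants, a double extension, a plain image, and a
# PHP file outside images/ (the rule does not cover other writable directories).
SAMPLE='images/a.php images/b.PHP images/c.Php images/d.pHp images/e.php.jpg images/f.jpg upload/g.php'

echo "reaches PHP without NC:"; leaks cs $SAMPLE
echo "reaches PHP with NC:";    leaks nc $SAMPLE
```

Two things the output shows: without NC the three case variants slip through, and because the pattern has no trailing $ it also blocks images/e.php.jpg, which is wanted, since it closes the double-extension trick as well. upload/g.php is untouched either way: one rule per writable directory, or the engine-off approach above.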

nginx location directive matching order

Official documentation: http://nginx.org/en/docs/http/ngx_http_core_module.html#location
One Chinese explanation: http://www.php100.com/html/program/nginx/2013/0905/5535.html
Another: http://blog.sina.com.cn/s/blog_97688f8e0100zws5.html

This one explains it well:
http://blog.chinaunix.net/uid-25196855-id-108805.html

The "3" in that write-up stands for ^~ (caret and tilde).

The excerpt was an image (nginx-location) and did not survive; the order, per the official documentation, is:

1. An exact match (location = /uri) is used immediately.
2. Otherwise the longest matching prefix location is remembered; if it was declared with ^~, it is used and regular expressions are not checked.
3. Regular-expression locations (~ and ~*) are tried in the order they appear in the configuration; the first match wins.
4. If no regular expression matches, the remembered longest prefix location is used.

curl parameter reminder (PHP)

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Charset: UTF-8,*;q=0.5',
'User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11',
'Accept-Encoding: gzip,deflate,sdch',
'Accept-Language: zh-CN,zh;q=0.8',
'Connection: keep-alive',
'Content-Type:application/x-www-form-urlencoded; charset=UTF-8',
'Referer: http://somewww.com',
'X-Requested-With: XMLHttpRequest',
));

The Accept-Encoding header is sent by hand here, so the server may answer with gzip data that libcurl will not decode on its own; either drop that header or set curl_setopt($ch, CURLOPT_ENCODING, ''); so libcurl negotiates the encoding and decompresses the body. The Content-Type line only belongs on a POST with a urlencoded body.

Pseudo-static (rewrite) notes

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

RewriteEngine On
RewriteCond %{HTTP_HOST} !^my-domain\.com$ [NC]
RewriteRule ^(.*)$ http://my-domain.com/$1 [R=301,L]

The first form copies the client-supplied Host header into the Location it redirects to, so only use it in a virtual host that is pinned to your own ServerName/ServerAlias; the second form redirects to a fixed name and is the safer one.

Reference: http://dense13.com/blog/2008/02/27/redirecting-non-www-to-www-with-htaccess/

For nginx see:

http://stackoverflow.com/questions/1629231/nginx-rewrite-non-www-prefixed-domain-to-www-prefixed-domain

Using the CentOS yum on RedHat 6

curl -o yum-3.2.29-40.el6.centos.noarch.rpm   http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-3.2.29-40.el6.centos.noarch.rpm
curl -o yum-metadata-parser-1.1.2-16.el6.x86_64.rpm  http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-metadata-parser-1.1.2-16.el6.x86_64.rpm
curl -o yum-plugin-fastestmirror-1.1.30-14.el6.noarch.rpm http://mirrors.163.com/centos/6/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-14.el6.noarch.rpm
curl -o python-iniparse-0.3.1-2.1.el6.noarch.rpm  http://mirrors.163.com/centos/6/os/x86_64/Packages/python-iniparse-0.3.1-2.1.el6.noarch.rpm

rpm -Uvh python-iniparse-0.3.1-2.1.el6.noarch.rpm
rpm -Uvh yum-3.2.29-40.el6.centos.noarch.rpm  yum-metadata-parser-1.1.2-16.el6.x86_64.rpm yum-plugin-fastestmirror-1.1.30-14.el6.noarch.rpm

cd /etc/yum.repos.d/
wget  http://mirrors.163.com/.help/CentOS6-Base-163.repo
vi CentOS6-Base-163.repo
Replace every $releasever in the file with the version number, i.e. 6, then save

yum clean all
yum makecache

The packages above arrive over plain http with nothing checking them, so before the rpm -Uvh lines import the CentOS 6 signing key (the RPM-GPG-KEY-CentOS-6 file at the root of the same mirror, via rpm --import) and run rpm -K on each downloaded rpm; keep gpgcheck=1 in the repo file for the same reason.

Reference
http://down.chinaz.com/server/201111/1321_1.htm

How the parts of a Linux mail server fit together

postfix: the MTA (Mail Transfer Agent), without doubt; it moves mail between hosts
maildrop: the MDA (Mail Delivery Agent), delivers mail into local mailboxes
courier-authdaemon: the authentication daemon, config file /etc/courier/authdaemonrc
courier-authlib: the authentication library
courier-authlib-mysql: MySQL backend for the authentication library, config file /etc/courier/authmysqlrc
saslauthd: SMTP authentication, backed by courier-authlib, config file /etc/default/saslauthd
courier-pop courier-pop-ssl: the POP3 and POP3-over-SSL services, config file /etc/courier/pop3d
courier-imap courier-imap-ssl: the IMAP and IMAP-over-SSL services, config file /etc/courier/imapd

Services to start
/etc/init.d/postfix start
/etc/init.d/courier-authdaemon start
/etc/init.d/saslauthd start
/etc/init.d/courier-imap start
/etc/init.d/courier-pop start

Testing
Check that Courier-Authlib can reach MySQL:

authtest -s login ADDRESS or authtest -s login ADDRESS PASSWORD

Test SASL for SMTP:
testsaslauthd -s smtp -u xxxx -p xxxxx

Reference for installing postfix + extmail on Ubuntu:
http://www.mike.org.cn/articles/ubuntu-configure-postfix-mailserver/

substitutions4nginx and gzip when nginx proxies

nginx's proxying is good, and scraper-style setups use substitutions4nginx to rewrite the HTML of the upstream page:
subs_filter www.a.com www.b.com;
Sometimes, though, www.a.com is never matched, because the upstream sends the page gzip-compressed and the filter cannot see the text. The fix is to tell the origin, through the proxied request headers, that we do not accept compressed content and want the plain version:
proxy_set_header Accept-Encoding "";
Complete example (server_name is the clone's own name, www.b.com; the original had www.a.com here, which is the upstream):

server
{
listen 80;
server_name www.b.com;
location / {
subs_filter www.a.com www.b.com ;
proxy_set_header Accept-Encoding "";
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://www.a.com;
index index.html index.htm;
}
}

subs_filter only touches response types listed in subs_filter_types (text/html by default); add text/css application/javascript and so on if the hostname also appears in those.

For the same gzip problem with Apache's mod_substitute see http://www.zjpro.com/apache-2-4-substitute.html

proftpd installed from yum cannot log in system users

The default proftpd PAM file references pam_stack.so, which no longer exists on CentOS 6.
Following http://cosmicb.no/2014/05/09/proftpd-pam-unable-to-dlopenlib64securitypam_stack-so-in-centos-6-5/
I changed /etc/pam.d/proftpd to:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session required pam_loginuid.so

QQ Connect: client request's parameters are invalid, invalid openid

The callback page in the official QQ Connect demo fetches its data the wrong way. Used as-is it fails with:

"client request's parameters are invalid, invalid openid"

[Fix]
In callback.php put the following lines in this order:

$qc = new QC();
$acs = $qc->qq_callback();      // exchange the authorization code for an access token
$oid = $qc->get_openid();       // look up the openid that belongs to the token
$qc = new QC($acs, $oid);       // rebuild the client with token and openid before calling the API
$uinfo = $qc->get_user_info();

Reference:

http://blog.csdn.net/codeeer/article/details/17469411

Apache wildcard-subdomain rewrite notes

Match every subdomain that is not www or bbs, e.g. 111.domain.com and aaa.domain.com:

RewriteCond %{HTTP_HOST} ^(?!www|bbs)([^.]+)\.domainname\.com [NC]
RewriteRule ^$   test.php?uid=%1 [QSA,L]
or
RewriteCond %{HTTP_HOST} ^(.+)\.domainname\.com$ [NC]
RewriteCond %1 !^(www|bbs)$
RewriteRule ^$   test.php?uid=%1 [QSA,L]

The dots in the domain have to be escaped as above (the original left them as wildcards). The first form also rejects anything that merely starts with www or bbs (wwwtest.domainname.com), and %1 in the second form can hold several labels (a.b for a.b.domainname.com); prefer the second. Either way uid comes straight from the client's Host header, so test.php must validate it (for example against ^[a-z0-9-]+$) before it touches a database query or a file path.

test.php is just:

<?php
print_r($_GET);

Migrating wdcp

Both the old and the new machine have wdcp installed.

Stop wdcp on the new machine:
/etc/init.d/wdapache stop
/etc/init.d/httpd stop
/etc/init.d/nginx stop
/etc/init.d/mysqld stop

Then
mv /www/wdlinux /www/wdlinux-back
mv /www/web /www/web-back

Then copy /www/wdlinux and /www/web over from the old site, normally with rsync (use rsync -a to keep ownership and permissions, and stop mysqld on the old machine first as well, otherwise the copied MySQL data files are inconsistent).

Start the services and test:

/etc/init.d/wdapache start
/etc/init.d/httpd start
/etc/init.d/nginx start
/etc/init.d/mysqld start