升东运维 is a company specialising in website maintenance on Linux/FreeBSD Unix/Windows platforms, providing system and website maintenance for Linux (CentOS, Redhat, Ubuntu, etc.), Unix (FreeBSD), Nginx, Apache and more, with seven years in the trade

Archive for the ‘Linux’ Category

Configuring a Let's Encrypt SSL certificate on FreeBSD, second method

Thursday, June 8th, 2017

1. First configure nginx to serve the .well-known path

server {
    ...
    location /.well-known/ {
        alias /wwwroot/ppkj.net/.well-known/;
    }
    ...
}

 

2. Install git, install virtualenv, install python (if not already present); change the email address and domain to your own

cd /usr/ports/devel/git && make install clean

git clone https://github.com/letsencrypt/letsencrypt /disk/letsencrypt

cd /usr/ports/devel/py-virtualenv && make install clean

cd /disk/letsencrypt

./letsencrypt-auto certonly --webroot -w /wwwroot/ppkj.net/ -d www.ppkj.net --email [email protected] --agree-tos --no-bootstrap

 

3. Configure the certificate; the generated certificate and private key are under /etc/letsencrypt/live/www.ppkj.net/

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.ppkj.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ppkj.net/privkey.pem;
    ...
}

4. Restart nginx and you are done

Automatic renewal command (add it to a scheduled task yourself):

/disk/letsencrypt/letsencrypt-auto renew

Configuring a free Let's Encrypt SSL certificate with automatic renewal

Thursday, February 16th, 2017

Let's Encrypt certificates are quick to set up: there is no logging into a website to verify the domain or email address, the validity period is 3 months (renewals come round quickly for small and medium sites; this is to keep SSL secure), and automatic renewal is very convenient. Highly recommended, a boon for small and medium sites.

The steps are as follows:

1. Create a directory and fetch the automatic configuration script

mkdir /root/letsencrypt && cd /root/letsencrypt
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf
wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh
chmod +x letsencrypt.sh

2. Edit letsencrypt.conf and replace the domains inside with your own. DOMAIN_DIR is the absolute path of the website directory; it is used to generate the verification file inside the .well-known directory and must be configured correctly

# only modify the values, key files will be generated automatically.
ACCOUNT_KEY="letsencrypt-account.key"
DOMAIN_KEY="ssl.ppkj.net.key"
DOMAIN_DIR="/wwwroot/ppkj.net/"
DOMAINS="DNS:ssl.ppkj.net,DNS:ssl2.ppkj.net"
#ECC=TRUE
#LIGHTTPD=TRUE

3. Create the .well-known directory and add an nginx location for it, or otherwise allow direct access to it. This is plain, unencrypted HTTP access; it must be reachable, otherwise the certificate cannot be generated

server {
    ...
    location /.well-known/ {
        alias /wwwroot/ppkj.net/.well-known/;
    }
    ...
}

4. Configure SSL access; after configuring, restart nginx: service nginx restart

server {
    listen 443;
    ssl on;
    ssl_certificate /root/lets-encrypt/ssl.chained.crt; # "chained" is the merged certificate chain
    ssl_certificate_key /root/lets-encrypt/ssl.ppkj.net.key;
    ...
}

5. Generate the certificate. Note that this must run under bash; on FreeBSD install bash and python first, and do not run it as sh letsencrypt.sh (the default shell there is csh)

./letsencrypt.sh ./letsencrypt.conf

After it runs it reports that generation succeeded; if the files under .well-known cannot be accessed normally, it fails. Check, then run the generation again.

6. Script to renew the certificate automatically every month; it can also be set to run once every 2 months

0 0 1 * * /root/letsencrypt/letsencrypt.sh /root/letsencrypt/letsencrypt.conf >> /var/log/lets-encrypt.log 2>&1

 

If creation keeps failing, try switching DNS to Aliyun's DNS

/etc/resolv.conf

nameserver 100.100.2.136
nameserver 100.100.2.138
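
An added example serving this post and the FreeBSD post above (not code from either post or from the scripts they download): a pre-flight check for the webroot validation both rely on. It writes a token under DOMAIN_DIR/.well-known/acme-challenge/ and fetches it back over plain HTTP the way the CA's validator would, so a wrong DOMAIN_DIR or nginx alias shows up before the CA is contacted. It assumes curl is installed; the web root and host name are arguments, and acme_fetch is a hypothetical wrapper that can be overridden for offline testing.

```sh
#!/bin/sh
# Pre-flight check for webroot (.well-known) validation. Added example,
# not part of the original posts. Assumes curl; see acme_fetch below.
set -u

# Fetch a URL body. Kept as a separate function so it can be swapped for
# a local stand-in when no web server is running (e.g. in tests).
acme_fetch() {
    curl -fsS --max-time 10 "$1"
}

# Usage: preflight_wellknown DOMAIN_DIR HOSTNAME
# Writes a one-off token under DOMAIN_DIR/.well-known/acme-challenge/,
# fetches http://HOSTNAME/.well-known/acme-challenge/<token>, removes the
# token again and returns 0 only if the body came back byte-for-byte.
preflight_wellknown() {
    domain_dir=$1; host=$2
    dir="$domain_dir/.well-known/acme-challenge"
    mkdir -p "$dir" || return 2
    token="preflight-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token" || return 2
    rc=0
    body=$(acme_fetch "http://$host/.well-known/acme-challenge/$token") || rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -ne 0 ]; then
        echo "webroot check failed: HTTP fetch returned $rc (alias/location wrong?)" >&2
        return 1
    fi
    if [ "$body" != "$token" ]; then
        # A catch-all page answering 200 with some other body also fails here.
        echo "webroot check failed: served a different body than the token" >&2
        return 1
    fi
    return 0
}

# Typical use before step 5 of the post (values from the post):
# preflight_wellknown /wwwroot/ppkj.net ssl.ppkj.net && ./letsencrypt.sh ./letsencrypt.conf
```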

Fixing the "incompatible hypervisor" message when booting a virtual machine installed inside a virtual machine

Thursday, August 23rd, 2012

When installing a virtual machine inside a virtual machine (cloud host), booting reports "incompatible hypervisor". The fix is as follows:

Add the following line at the very bottom of the VM's vmx file (e.g. Red Hat Enterprise Linux 6.vmx)

vmx.allowNested = "TRUE"

Server-side fix for SSH timeout disconnects (repost)

Monday, July 16th, 2012

When connecting to Linux with SSH Secure Shell, the connection drops after a few minutes without any activity. You have to log in again, repeating the same steps every time, which is very annoying. Changing two things generally solves this annoying problem.

 

1. echo $TMOUT
If it prints nothing, the variable is not set, which is the same as the default of 0; normally that means no timeout. If it is greater than 0, set it to 0 in a file such as /etc/profile.
Definition: TMOUT: If set to a value greater than zero, the value is interpreted as the number of seconds to wait for input after issuing the primary prompt. Bash terminates after waiting for that number of seconds if input does not arrive.

 

2. Edit /etc/ssh/sshd_config: remove the comment markers from ClientAliveInterval 0 and ClientAliveCountMax 3, and change the 0 for ClientAliveInterval to 60. ClientAliveInterval specifies the interval at which the server sends a request message to the client; the default is 0, meaning none is sent. ClientAliveInterval 60 sends one every minute, the client responds, and the connection stays alive. Leave ClientAliveCountMax at its default of 3. ClientAliveCountMax is the number of server requests the client may leave unanswered before the server disconnects automatically. Under normal conditions the client will not fail to respond.

For more details, run man sshd_config.
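
An added example for step 2 (not from the reposted article): a POSIX sh function that sets a keyword in sshd_config whether the existing line is active or commented out, appends it if absent, and then confirms the value is the one sshd will actually use, since sshd honours the first active occurrence of a keyword. File names and values are assumptions apart from the two keywords above.

```sh
#!/bin/sh
# Idempotent sshd_config editing. Added example, not from the original post.
set -u

# Usage: get_sshd_option FILE KEYWORD
# Prints the effective value: sshd keywords are case-insensitive and the
# first active (uncommented) occurrence wins. "Key=Value" syntax is not handled.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Usage: set_sshd_option FILE KEYWORD VALUE
# Rewrites every line for KEYWORD (active or "#"-commented, exact case) to
# "KEYWORD VALUE", or appends one if there is none. Returns 1 when the
# effective value afterwards is still not VALUE (e.g. an earlier line with
# different capitalisation wins), 2 on I/O errors. VALUE must not contain
# sed-special characters such as "/" or "&".
set_sshd_option() {
    file=$1; key=$2; val=$3
    tmp=$(mktemp) || return 2
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $val/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$val"; } > "$tmp"
    fi
    # Write through the original file so its owner/permissions are kept.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 2
    [ "$(get_sshd_option "$file" "$key")" = "$val" ]
}

# Typical use for this post, then validate before reloading sshd:
# set_sshd_option /etc/ssh/sshd_config ClientAliveInterval 60 &&
# set_sshd_option /etc/ssh/sshd_config ClientAliveCountMax 3 &&
# sshd -t && service sshd reload
```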

Using webalizer on CentOS

Monday, March 19th, 2012

First install it

yum install webalizer gd gd-devel

Generate the analysis

# look up the log file name yourself; nginx, apache and varnishncsa logs can all be analysed

webalizer -c /etc/webalizer.conf -o /www/html/webalizer /var/log/nginx/access.log

 

Analysis configuration file (excerpt): /etc/webalizer.conf

Default location of the log to analyse

LogFile        /var/log/httpd/access_log

Default output directory

OutputDir      /var/www/usage

File suffixes treated as pages

PageType htm*
PageType cgi
PageType php
PageType shtml

Chinese URL support in Nginx/Linux

Tuesday, January 24th, 2012

1: Make sure your system uses UTF encoding

[[email protected] ~]# env|grep LANG
LANG=en_US.UTF-8

2: Set the default charset to utf-8 in the nginx configuration file

server
{
    listen 80;
    server_name .inginx.com;
    index index.html index.htm index.php;
    root /usr/local/nginx/html/inginx.com;
    charset utf-8;
}

3: If you use PuTTY
Window -> Translation -> UTF-8

mkdir NGINX中文技术站
echo 'NGINX中文技术站' > NGINX中文技术站/中国.html

If you upload files with SecureCRT, choose Session -> Appearance -> UTF-8
If you use an FTP client, set its default encoding to UTF-8 as well

4. If the uploaded file names appear garbled
run the following (it converts the encoding of every file name in the current directory; if GBK does not work, try GB2312; back up first!)

# Quote the names so files with spaces survive; the new name is the old one re-encoded.
for f in *.*; do mv -- "$f" "$(printf '%s' "$f" | iconv -f GBK -t UTF-8)"; done

Done

Disk speed testing with hdparm on Linux

Thursday, January 19th, 2012

On Linux you can use hdparm to test a disk or view information about it, which tells you the disk's read/write speed.

hdparm
Parameters:

-a Whether to turn off the disk's read-ahead. For reading large files this clearly improves performance.

-A Set the drive's read-lookahead feature; this is probably the disk cache switch.

-g Show the drive's geometry: tracks, heads, sectors and so on.

-i Show the hardware identification info that the drive itself supplied at boot.

-I Read the hardware identification info directly from the drive.

-p Set the drive's PIO mode.

-Tt Measure the drive's read performance and the cache read performance.

-u Allow other interrupt requests to be serviced while the disk is being accessed.

-v Show the drive's current settings.

Examples:
1) Direct disk read test

[[email protected] ~]# hdparm -tT --direct /dev/sda1
/dev/sda1:
Timing O_DIRECT cached reads: 704 MB in 2.00 seconds = 351.50 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device
Timing O_DIRECT disk reads: 546 MB in 3.01 seconds = 181.43 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device

 

Transferring data with DMA uses fewer CPU resources, so like other operating systems Linux supports DMA transfers for disks; however, when installing Red Hat 7.0 the default DMA option is Disabled (you can of course enable it during installation).

hdparm -t /dev/hda checks an IDE disk; for SATA or SCSI it is hdparm -t /dev/sda
One disk with using_dma off reads slowly; another disk with using_dma on reads fast.
To check and enable DMA support, run the following:

[[email protected] root]# hdparm -cdt /dev/hda
/dev/hda:
IO_support   =  0 (default 16-bit)
 using_dma    =  0 (off)
Timing buffered disk reads:  64 MB in 20.84 seconds =  3.07 MB/sec

[[email protected] root]# hdparm -d1 /dev/hda
/dev/hda:
setting using_dma to 1 (on)
using_dma    =  1 (on)
[[email protected] root]# hdparm -cdt /dev/hda
/dev/hda:
IO_support   =  0 (default 16-bit)
using_dma    =  1 (on)
Timing buffered disk reads:  64 MB in  1.09 seconds = 58.72 MB/sec

Changes made with hdparm are temporary and are lost the next time Linux boots. To keep the modified settings permanently, write the modified parameters into /etc/rc.d/rc.local or /etc/rc.local, or into a program that runs even earlier in the boot process.

 

Bad sector repair

Check: smartctl -l selftest /dev/sda

Unmount: umount /dev/sda*

Repair: badblocks /dev/sda

 

Fixing the backend port number appearing in URLs when Discuz! X2 sits behind a reverse proxy

Saturday, January 14th, 2012

If there is a proxy in front, Discuz! X2 automatically detects the port and appends it; removing it is simple

Just comment out line 180 of /source/class/class_core.php

// $_G['siteport'] = empty($_SERVER['SERVER_PORT']) || $_SERVER['SERVER_PORT'] == '80' ? '' : ':'.$_SERVER['SERVER_PORT'];

Varnish and Discuz! X deployment issue

Saturday, January 14th, 2012

With varnish at the very front and nginx as the reverse proxy, after configuration you may find that you cannot log in to the Discuz! X admin panel.

In that case, in the Discuz! X configuration file config/config_global.php, set

$_config['admincp']['checkip'] to 0.

Installing Varnish 3 with yum

Wednesday, January 11th, 2012

Installing Varnish 3.02 via yum:

Installing with yum is much simpler and cleaner than compiling, and it also allows smooth upgrades; it has many advantages.

Varnish-2.1.2 installation and configuration PDF (version 2.1.2, which differs from the Varnish 3.02 used here; for reference only)

Varnish ['vɑ:niʃ], official site http://www.varnish-cache.org: a high-performance, high-concurrency caching server that replaces squid

This article covers installing the latest version, 3. Go to https://www.varnish-cache.org/releases/varnish-cache-3.0.2 and choose the matching operating system version.

 

Compiling from source on CentOS 6.2

wget http://repo.varnish-cache.org/source/varnish-3.0.2.tar.gz

tar -zxf varnish-3.0.2.tar.gz

cd varnish-3.0.2

yum -y  install gcc gcc-c++ pcre pcre-devel

./configure

make

make install

This article uses CentOS 5.7, so choose Red Hat Enterprise Linux 5

Install the repository:

rpm --nosignature -i http://repo.varnish-cache.org/redhat/varnish-3.0/el5/noarch/varnish-release-3.0-1.noarch.rpm

Install:

yum  install gcc gcc-c++ pcre pcre-devel

yum install varnish

Restart: service varnish restart

Check the process with ps aux|grep varnish; the result is as follows

root 14296 0.0 0.0 61172 756 pts/1 S+ 15:16 0:00 grep varnish
root 22708 0.0 0.0 111924 1112 ? Ss 14:37 0:00 /usr/sbin/varnishd -P /var/run/varnish.pid -a :8000 -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -w 1,1000,120 -u varnish -g varnish -S /etc/varnish/secret -s file,/var/lib/varnish/varnish_storage.bin,1G
varnish 22709 0.0 0.0 1293716 3672 ? Sl 14:37 0:00 /usr/sbin/varnishd -P /var/run/varnish.pid -a :8000 -f /etc/varnish/default.vcl -T 127.0.0.1:6082 -t 120 -w 1,1000,120 -u varnish -g varnish -S /etc/varnish/secret -s file,/var/lib/varnish/varnish_storage.bin,1

 

The corresponding port must be opened in the firewall

Other documents:

1. An in-depth look at Varnish cache hit rates

2. The Varnish Definitive Guide (Chinese)

3. A detailed solution for using Varnish instead of Squid as a website cache accelerator [original by Zhang Yan]

4. Varnish 3 English documentation

 

Kernel tuning parameters:

vi /etc/sysctl.conf and add the following at the bottom

 

#---- for varnish
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65536
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

Apply the parameters: sysctl -p

Configuration files:

Access control, my own example: /etc/varnish/default.vcl
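
An added example, not from the original post: a small lint to run over a sysctl fragment like the one above before applying it with sysctl -p. It parses the file, flags two settings that the fragment sets (tcp_syncookies = 0 disables SYN cookies; tcp_tw_recycle = 1 mis-handles clients behind NAT and was removed in Linux 4.12) and reports keys defined more than once, which is easy to do when appending "at the bottom" since the last value silently wins. The risk notes are general kernel behaviour, not statements from the post.

```sh
#!/bin/sh
# Review a sysctl.conf fragment before "sysctl -p". Added example, not
# part of the original post; the flagged keys come from the fragment above.
set -u

# Usage: lint_sysctl FILE
# Prints one "WARN ..." line per finding; returns 0 when clean, 1 otherwise.
lint_sysctl() {
    # Strip comments, turn "key = value" into "key value", drop blank lines.
    entries=$(sed -E 's/#.*//; s/[[:space:]]*=[[:space:]]*/ /; /^[[:space:]]*$/d' "$1")
    warnings=$(
        printf '%s\n' "$entries" | while read -r key value rest; do
            case "$key=$value" in
            net.ipv4.tcp_syncookies=0)
                echo "WARN $key=0: SYN cookies disabled; a SYN flood can exhaust the listen backlog" ;;
            net.ipv4.tcp_tw_recycle=1)
                echo "WARN $key=1: rejects clients behind NAT; the knob was removed in Linux 4.12" ;;
            esac
        done
        # A key appended at the bottom overrides an earlier one: the last value wins.
        printf '%s\n' "$entries" | awk '{ print $1 }' | sort | uniq -d |
            while read -r key; do
                echo "WARN $key: set more than once, the last value wins"
            done
    )
    [ -n "$warnings" ] && printf '%s\n' "$warnings"
    [ -z "$warnings" ]
}

# Typical use: lint_sysctl /etc/sysctl.conf && sysctl -p
```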

# This is a basic VCL configuration file for varnish. See the vcl(7)
# man page for details on VCL syntax and semantics.
#
# Default backend definition. Set this to point to your content
# server.
#
backend default {
    .host = "localhost";
    .port = "88";
}
#
# Below is a commented-out copy of the default VCL logic. If you
# redefine any of these subroutines, the built-in logic will be
# appended to your code.
sub vcl_recv {
    # Routing
    # Second pass after the restart issued in vcl_fetch: hand large objects to pipe.
    # Without this the restart would loop until max_restarts and end in a 503.
    if (req.http.x-pipe && req.restarts > 0) {
        return (pipe);
    }
    if (req.request == "GET" && req.url ~ "\.(css|mp3|jpg|png|gif|swf|jpeg|ico)$") {
        unset req.http.cookie; # Drop cookies on images to raise the hit rate; otherwise forums etc. get a very low hit rate
    }
    if (req.request == "GET" && req.url ~ "\.(php|html)($|\?)") {
        return (pass); # Do not cache URLs containing php or html
    }
    if (req.restarts == 0) {
        if (req.http.x-forwarded-for) {
            set req.http.X-Forwarded-For =
                req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }
    if (req.request != "GET" &&
        req.request != "HEAD" &&
        req.request != "PUT" &&
        req.request != "POST" &&
        req.request != "TRACE" &&
        req.request != "OPTIONS" &&
        req.request != "DELETE") {
        /* Non-RFC2616 or CONNECT which is weird. */
        return (pipe);
    }
    if (req.request != "GET" && req.request != "HEAD") {
        /* We only deal with GET and HEAD by default */
        return (pass);
    }
    if (req.http.Authorization || req.http.Cookie) {
        /* Not cacheable by default */
        return (pass);
    }

    return (lookup);
}
#
# sub vcl_pipe {
# # Note that only the first request to the backend will have
# # X-Forwarded-For set. If you use X-Forwarded-For and want to
# # have it set for all requests, make sure to have:
# # set bereq.http.connection = "close";
# # here. It is not set by default as it might break some broken web
# # applications, like IIS with NTLM authentication.
# return (pipe);
# }
#
# sub vcl_pass {
# return (pass);
# }
#
# sub vcl_hash {
# hash_data(req.url);
# if (req.http.host) {
# hash_data(req.http.host);
# } else {
# hash_data(server.ip);
# }
# return (hash);
# }
#
#sub vcl_hit {
# return (deliver);
#}
#
# sub vcl_miss {
# return (fetch);
# }
#
sub vcl_fetch {
    # Objects with a 7+ digit Content-Length (about 10 MB and up) are not
    # cached; mark the request and restart so vcl_recv pipes it instead.
    if (beresp.http.Content-Length ~ "[0-9]{7,}") {
        set req.http.x-pipe = "1";
        return (restart);
    }
    if (req.request == "GET" && req.url ~ "\.(css|mp3|jpg|png|gif|swf|jpeg|ico)$") {
        unset req.http.cookie;
        set beresp.ttl = 7d; # Cache images for 7 days
    }
    return (deliver);
}
#
sub vcl_deliver {
    set resp.http.x-hits = obj.hits;
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
    set resp.http.Site-Support-By = "ppkj.net";
    return (deliver);
}
#
# sub vcl_error {
# set obj.http.Content-Type = "text/html; charset=utf-8";
# set obj.http.Retry-After = "5";
# synthetic {"
# <?xml version="1.0" encoding="utf-8"?>
# <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
# "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
# <html>
# <head>
# <title>"} + obj.status + " " + obj.response + {"</title>
# </head>
# <body>
# <h1>Error "} + obj.status + " " + obj.response + {"</h1>
# <p>"} + obj.response + {"</p>
# <h3>Guru Meditation:</h3>
# <p>XID: "} + req.xid + {"</p>
# <hr>
# <p>Varnish cache server</p>
# </body>
# </html>
# "};
# return (deliver);
# }
#
# sub vcl_init {
# return (ok);
# }
#
# sub vcl_fini {
# return (ok);
# }

Ports and other settings: /etc/sysconfig/varnish

# Configuration file for varnish
#
# /etc/init.d/varnish expects the variable $DAEMON_OPTS to be set from this
# shell script fragment.
#

# Maximum number of open files (for ulimit -n)
NFILES=131072

# Locked shared memory (for ulimit -l)
# Default log size is 82MB + header
MEMLOCK=82000

# Maximum size of corefile (for ulimit -c). Default in Fedora is 0
# DAEMON_COREFILE_LIMIT="unlimited"

# Set this to 1 to make init script reload try to switch vcl without restart.
# To make this work, you need to set the following variables
# explicit: VARNISH_VCL_CONF, VARNISH_ADMIN_LISTEN_ADDRESS,
# VARNISH_ADMIN_LISTEN_PORT, VARNISH_SECRET_FILE, or in short,
# use Alternative 3, Advanced configuration, below
RELOAD_VCL=1

# This file contains 4 alternatives, please use only one.

## Alternative 1, Minimal configuration, no VCL
#
# Listen on port 6081, administration on localhost:6082, and forward to
# content server on localhost:8080. Use a fixed-size cache file.
#
#DAEMON_OPTS="-a :6081 \
#             -T localhost:6082 \
#             -b localhost:8080 \
#             -u varnish -g varnish \
#             -s file,/var/lib/varnish/varnish_storage.bin,1G"
## Alternative 2, Configuration with VCL
#
# Listen on port 6081, administration on localhost:6082, and forward to
# one content server selected by the vcl file, based on the request. Use a
# fixed-size cache file.
#
#DAEMON_OPTS="-a :6081 \
#             -T localhost:6082 \
#             -f /etc/varnish/default.vcl \
#             -u varnish -g varnish \
#             -S /etc/varnish/secret \
#             -s file,/var/lib/varnish/varnish_storage.bin,1G"
## Alternative 3, Advanced configuration
#
# See varnishd(1) for more information.
#
# # Main configuration file. You probably want to change it :)
VARNISH_VCL_CONF=/etc/varnish/default.vcl
#
# # Default address and port to bind to
# # Blank address means all IPv4 and IPv6 interfaces, otherwise specify
# # a host name, an IPv4 dotted quad, or an IPv6 address in brackets.
# Varnish listen address and port; after a normal deployment this should be port 80
VARNISH_LISTEN_ADDRESS=
VARNISH_LISTEN_PORT=8000
#
# # Telnet admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082
#
# # Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret
#
# # The minimum number of worker threads to start
VARNISH_MIN_THREADS=1
#
# # The Maximum number of worker threads to start
VARNISH_MAX_THREADS=1000
#
# # Idle timeout for worker threads
VARNISH_THREAD_TIMEOUT=120
#
# # Cache file location
VARNISH_STORAGE_FILE=/var/lib/varnish/varnish_storage.bin
#
# # Cache file size: in bytes, optionally using k / M / G / T suffix,
# # or in percentage of available disk space using the % suffix.

# Size of the on-disk cache file; uncomment the line below if you use disk storage
#VARNISH_STORAGE_SIZE=1G
#
# # Backend storage specification
VARNISH_STORAGE="file,${VARNISH_STORAGE_FILE},${VARNISH_STORAGE_SIZE}"
#
# # Default TTL used when the backend does not specify one
VARNISH_TTL=120
#
# # DAEMON_OPTS is used by the init script. If you add or remove options, make
# # sure you update this section, too.
DAEMON_OPTS="-a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} \
             -f ${VARNISH_VCL_CONF} \
             -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} \
             -t ${VARNISH_TTL} \
             -w ${VARNISH_MIN_THREADS},${VARNISH_MAX_THREADS},${VARNISH_THREAD_TIMEOUT} \
             -u varnish -g varnish \
             -S ${VARNISH_SECRET_FILE} \
             -s malloc,4G"

# -s malloc,4G switches to in-memory storage; the size should be at most 80% of the free memory, no larger!!

# -s ${VARNISH_STORAGE}
# If you use disk storage, replace -s malloc,4G with the line above
## Alternative 4, Do It Yourself. See varnishd(1) for more information.
#
# DAEMON_OPTS=""