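Preface
At my company's request, I recently needed to set up a forum for internal staff discussion, and the task naturally fell to me. This post records the deployment process, and I hope fellow bloggers will offer plenty of pointers.
Discuz! X is a product written in PHP, backed by a MySQL database, and served by Apache, IIS or Nginx (any one of them will do). To build a Discuz! X site, the server must have an environment made up of PHP, MySQL and Apache/IIS/Nginx. IIS is mainly used on Windows servers, while Apache and Nginx are mostly used on Linux servers (that is, LAMP and LNMP).
I use the LAMP architecture here; the specific deployment environment is as follows: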
CentOS 6.5 x64
Apache 2.4.10
MySQL 5.5.39
PHP 5.4
Discuz_X3.2_SC_UTF8
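Deployment process
Installing the CentOS system
I will not cover this here, otherwise the post would become far too long. If you need it, see "Installing CentOS 5.8 with VMware Workstation", or search Google.
After the system is installed, apply some basic tuning
Switch the yum repository to the NetEase 163 mirror in China
Synchronize the time
Raise the open-file limit
SELinux and iptables
Kernel parameter tuning
Disable unneeded services
ssh service configuration
Note: if you are connected to the Linux server remotely over ssh as root, be careful, because this script configures sshd to forbid remote root logins.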
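A check of what the sshd edits in the script below leave in effect, as an added example that is not part of the original post. The helper names and the sample sshd_config are constructed for illustration, and the defaults passed in (PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes) are assumed to be the OpenSSH defaults on CentOS 6.

```shell
#!/bin/bash
# Added example: report the value sshd will use for a keyword in a config file.
# sshd ignores comment lines and takes the first occurrence of each keyword;
# the scan stops at the first Match block, whose settings are conditional.
sshd_effective() {   # usage: sshd_effective <Keyword> <config-file> <default>
    local key=$1 file=$2 default=$3 value
    value=$(awk -v k="$key" '
        /^[ \t]*#/                { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$file")
    echo "${value:-$default}"
}

# Constructed sample: the three relevant lines of a stock sshd_config.
make_sample() {
    cat > "$1" << 'EOF'
#PermitRootLogin yes
#PermitEmptyPasswords no
#UseDNS yes
EOF
}

# The sed expressions the optimization script actually runs. Its
# PermitRootLogin expression is commented out there, so it is absent here.
apply_script_edits() {
    sed -e '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' \
        -e 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print the effective value of each setting (defaults are assumptions).
report() {
    echo "PermitRootLogin      $(sshd_effective PermitRootLogin "$1" yes)"
    echo "PermitEmptyPasswords $(sshd_effective PermitEmptyPasswords "$1" no)"
    echo "UseDNS               $(sshd_effective UseDNS "$1" yes)"
}

cfg=$(mktemp)
make_sample "$cfg"
apply_script_edits "$cfg"
report "$cfg"
rm -f "$cfg"
```

On a live host, `sshd -T` prints the effective configuration directly and is the authoritative check.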
#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
###CentOS 6.5_x64 minimal
### check OS version
platform=$(uname -i)
if [[ "x$platform" != "xx86_64" ]];then
echo "This script is only for 64 bit Operating System !"
exit 1
fi
### check the root
uid=$(id -u)
if [[ "x$uid" != "x0" ]];then
echo "This script must be run as root"
exit 1
fi
cat << EOF
+---------------------------------------+
| your system is CentOS 6 x86_64 |
| start optimizing....... |
+---------------------------------------+
EOF
### yum install wget , lrzsz
yum -y install wget lrzsz
### make the 163.com as the default yum repo
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.$(date +%F).bak
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O /etc/yum.repos.d/CentOS-Base-163.repo
### update the system and set the ntp
yum clean all
yum makecache
# Optional here; it can also be run later when the machine is idle, otherwise expect a long wait
yum -y update
### ntp: pool.ntp.org (202.118.1.130) or 210.72.145.44
if rpm -qa | grep -q 'ntpdate' &> /dev/null; then
echo '10 4 * * * /usr/sbin/ntpdate 210.72.145.44 &> /dev/null ; hwclock -w' >> /var/spool/cron/root
else
yum -y install ntpdate
echo '10 4 * * * /usr/sbin/ntpdate 210.72.145.44 &> /dev/null; hwclock -w' >> /var/spool/cron/root
fi
service crond restart
### set the file limit
echo 'ulimit -SHn 102400' >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
EOF
### set the control-alt-delete to restart
sed -i 's#exec /sbin/shutdown -r now#\#exec /sbin/shutdown -r now#' /etc/init/control-alt-delete.conf
### disable selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
### tune kernel parameters
cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
EOF
/sbin/sysctl -p
### close the nouse server
#for server in "$(chkconfig --list | grep 3:on | awk '{print $1}')";do
# chkconfig --level 3 $server off
#done
#for server in crond kudzu network readahead_early rsyslog sshd iptables; do
# chkconfig --level 3 $server on
#done
#ssh
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
#sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
/etc/init.d/sshd restart
### iptables
iptables -F
iptables -X
iptables -Z
# accept loopback traffic (a chain must be named with -A)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -P INPUT DROP
/etc/init.d/iptables save
cat << EOF
+-------------------------------------------------+
| optimizer is done |
| it's recommended to restart this server ! |
+-------------------------------------------------+
EOF
Setting up the LAMP environment
Before installing, we first turn off iptables and turn it back on at the end.
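Before iptables is turned back on, it helps to see what the saved ruleset exposes. The following is an added example, not part of the original post: it audits an `iptables-save` style dump for ports accepted from any source and for a general ESTABLISHED rule. The ruleset is a constructed INPUT-chain sample mirroring the rules the optimization script adds, and the allowlist (tcp/22, tcp/80) and function names are assumptions.

```shell
#!/bin/bash
# Constructed sample: INPUT-chain excerpt of an iptables-save dump.
make_ruleset() {
    cat > "$1" << 'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Print proto/port for each INPUT rule that ACCEPTs a port with no -s limit.
open_to_any() {
    awk '$1 == "-A" && $2 == "INPUT" {
        proto = port = src = target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT" && port != "" && src == "") print proto "/" port
    }' "$1"
}

# Ports open to any source that are missing from a space-separated allowlist.
unexpected_open() {   # usage: unexpected_open <ruleset-file> "<allowlist>"
    local entry
    for entry in $(open_to_any "$1"); do
        case " $2 " in *" $entry "*) ;; *) echo "$entry" ;; esac
    done
}

# Succeeds only if some rule accepts ESTABLISHED traffic regardless of port.
has_general_established() {
    grep -E -- '^-A INPUT .*--state [A-Z,]*ESTABLISHED' "$1" | grep -qv -- '--dport'
}

rules=$(mktemp); make_ruleset "$rules"
unexpected_open "$rules" "tcp/22 tcp/80"
has_general_established "$rules" || echo "no general ESTABLISHED rule"
rm -f "$rules"
```

With no general ESTABLISHED rule and a DROP policy, replies to connections the server itself opens (for example yum or wget) are dropped; a MySQL port that only local PHP uses does not need an any-source ACCEPT.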
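Because we will be compiling source packages later, we need to install the required development toolchain.
My rule for compiling from source: anything I need to customize gets compiled; everything else is handled with yum / apt-get.
The downloaded packages are listed below. Before installing, it is best to check with rpm -qa whether the corresponding packages are already installed; because mine is a minimal installation, I skipped this step.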
[root@localhost lamp]# ls -l
total 196880
-rw-r--r--. 1 root root 1020833 Sep 13 16:29 apr-1.5.1.tar.gz
-rw-r--r--. 1 root root 874462 Mar 18 17:16 apr-util-1.5.3.tar.gz
-rw-r--r--. 1 root root 6820719 Sep 13 16:27 httpd-2.4.10.tar.gz
-rw-r--r--. 1 root root 172464 Mar 20 13:54 libmcrypt-2.5.7-1.2.el6.rf.i686.rpm
-rw-r--r--. 1 root root 84680 Mar 20 13:54 libmcrypt-devel-2.5.7-1.2.el6.rf.i686.rpm
-rw-r--r--. 1 root root 100230 Mar 26 13:49 mod_fastcgi-2.4.6.tar.gz
-rw-r--r--. 1 root root 177020618 Jul 20 11:00 mysql-5.5.38-linux2.6-i686.tar.gz
-rw-r--r--. 1 root root 15323862 Sep 13 16:27 php-5.4.32.tar.gz
-rw-r--r--. 1 root root 166263 Sep 13 16:28 xcache-3.0.4.tar.gz
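1. Compile and install httpd
I list only the essential commands here; for the detailed installation steps, see "Compiling and Installing LAMP, Part 1".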
[root@localhost ~]# service iptables stop
# Install the development tools: gcc, make, cmake, and so on
[root@localhost ~]# yum -y groupinstall "Development Tools"
# Install openssl
[root@localhost ~]# yum -y install openssl openssl-devel pcre pcre-devel
# Install apr 1.5.1
[root@localhost lamp]# tar xf apr-1.5.1.tar.gz -C /usr/local/src
[root@localhost lamp]# cd /usr/local/src
[root@localhost src]# cd apr-1.5.1/
[root@localhost apr-1.5.1]# ./configure --prefix=/usr/local/apr-httpd
[root@localhost apr-1.5.1]# make && make install
# Install apr-util 1.5.3
[root@localhost lamp]# tar xf apr-util-1.5.3.tar.gz -C /usr/local/src
[root@localhost lamp]# cd /usr/local/src
[root@localhost src]# cd apr-util-1.5.3/
[root@localhost apr-util-1.5.3]# ./configure --prefix=/usr/local/apr-util-httpd --with-apr=/usr/local/apr-httpd
[root@localhost apr-util-1.5.3]# make && make install
# Compile and install httpd
[root@localhost lamp]# tar xf httpd-2.4.10.tar.gz -C /usr/local/src
[root@localhost lamp]# cd /usr/local/src
[root@localhost src]# cd httpd-2.4.10/
[root@localhost httpd-2.4.10]# ./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd --enable-so --enable-ssl --enable-cgi --enable-modules=most --enable-mods-shared=most --enable-rewrite --with-zlib --with-pcre --enable-mpms-shared=all --with-apr=/usr/local/apr-httpd --with-apr-util=/usr/local/apr-util-httpd
[root@localhost httpd-2.4.10]# make && make install
# Create the apache user
[root@localhost ~]# groupadd -r apache
[root@localhost ~]# useradd -r -g apache -s /sbin/nologin apache
# Edit the httpd.conf configuration file
[root@localhost ~]# vi /etc/httpd/httpd.conf
User apache
Group apache
# pidfile for httpd
Pidfile "/var/run/httpd.pid"
# Provide a startup script for the httpd service
[root@localhost ~]# vi /etc/init.d/httpd
#!/bin/bash
#
# httpd Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# config: /etc/httpd/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid
# Source function library.
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi
# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache/bin/apachectl
httpd=${HTTPD-/usr/local/apache/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0
start() {
echo -n $"Starting $prog: "
LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc -p ${pidfile} -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
RETVAL=$?
echo $"not reloading due to configuration syntax error"
failure $"not reloading $httpd due to configuration syntax error"
else
killproc -p ${pidfile} $httpd -HUP
RETVAL=$?
fi
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status -p ${pidfile} $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f ${pidfile} ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
exit 1
esac
exit $RETVAL
###
[root@localhost ~]# chmod +x /etc/init.d/httpd
[root@localhost ~]# chkconfig --add httpd
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# service httpd start
Starting httpd: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
[ OK ]
[root@localhost ~]# netstat -tulpn | grep 80
tcp 0 0 :::80 :::* LISTEN 32608/httpd
# Add httpd's bin directory to PATH
[root@localhost ~]# vi /etc/profile.d/httpd.sh
export PATH=$PATH:/usr/local/apache/bin
[root@localhost ~]# . /etc/profile.d/httpd.sh
[root@localhost ~]# httpd -t
[root@localhost ~]# httpd -l
[root@localhost ~]# httpd -M
# OK, httpd is now installed.
This article comes from the "Share your knowledge" blog; please be sure to keep this attribution: http://skypegnu1.blog.51cto.com/8991766/1551970