wget http://pecl.php.net/get/mcrypt-1.0.3.tgz
tar xf mcrypt-1.0.1.tgz
cd mcrypt-1.0.3
/usr/local/opt/php/bin/phpize
./configure --with-php-config=/usr/local/opt/php/bin/php-config
make && make install
加入php.ini配置中
在编译的文件夹中找到./modules/mcrypt.so
vim php.ini或者 在php根目录下的conf.d中新建文件extension=mcrypt.so
修改电脑名字(wkj电脑名字)
方法1:
hostnamectl set-hostname wkj
方法2:vi /etc/hostname
临时修改:hostname wkj安装系统之后网络没有
在/etc/sysconfing/network-scripts/ifcfg-ens33中修改网卡自动重启
ONBOOT=yes无法使用ifconfig命令
yum install net-tools
新建repo包:vi /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt重启yum源: yum-config-manager --enable nginx-mainline
yum源错误跳过: yum-config-manager --save --setopt=dag.skip_if_unavailable=true
适用:两台服务之间实现备份
功能:文件备份、定时执行、数据库备份
服务器: 两台 centos 7 服务器
注1: 服务器(主-base): 192.168.0.3 服务器(从-backup):192.168.0.2
注2: 主服务器自动备份到从服务器
1) 安装rsync
[root@wkjhost ~]# yum -y install rsync
2) rsync自启动
[root@wkjhost ~]# systemctl enable rsyncd.service
3) 修改rsync配置文件(修改或者追加)
[root@wkjhost ~]# vi /etc/rsyncd.conf
uid = root gid = root use chroot = yes max connections = 4 pid file = /var/run/rsyncd.pid exclude = lost+found/4) 启动rsync
[root@wkjhost ~]# systemctl start rsyncd.service
4) 安装 crontabs服务并设置开机自启
[root@wkjhost ~]# yum install crontabs
[root@wkjhost ~]# systemctl enable crond
[root@wkjhost ~]# systemctl start crond
1) 生成ssh密钥(可以直接下一步)
[root@backup ~]# ssh-keygen -t rsa
2) 复制公钥到基础服务器
[root@backup ~]# ssh-copy-id root@192.168.0.3
1) 书写rysnc-sys脚本
[root@backup ~]# vi /var/crontab-scripts/rsync-sys.sh
#!/bin/bash # /var/crontab-scripts/rsync-sys.sh # base system sync to backup system #from base system gogs-repositories to backup system rsync -r 192.168.0.1:/home/git/test /home/git2) 启动定时任务(每5分钟同步一次)
[root@backup ~]# crontab -e
*/5 * * * * /var/crontab-scripts/rsync-sys.sh
1) 主库(master)开启(设置主库记录操作日志)
设置主mariadb操作日志记录并标记为主mariadb
[root@base~]# vi /etc/my.cnf.d/server.cnf[mysqld] server_id=1 #设置当前服务器的ID号(1主Mariadb,2从Mariadb) log_bin=mariadb-bin #启动二进制日志并指定文件名 skip_name_resolve=on #跳过主机名解析。在CentOS 6自带的mysql后面的=on不用写 innodb_file_per_table=on #innodb的每个表是用单独的文件登录数据库(用户名: root 密码: root)
[root@base~]# mysql -uroot -proot
创建从mariadb登录主服务器用户(用户:backupuser 密码:backup_pwd )
MariaDB [(none)]> GRANT REPLICATION SLAVE,REPLICATION CLIENT ON . TO 'backupuser'@'192.168.0.%' IDENTIFIED BY 'backup_pwd';
刷新权限表
MariaDB [(none)]> flush privileges;
查看状态主mariadb状态
MariaDB [(none)]> show master status;从mariadb需要使用(日志文件名(File): mariadb-bin.00001 , 位置(Position): 245)
1) 从库(slave)开启
设置主mariadb操作日志记录并标记为主mariadb
[root@backup ~]# vi /etc/my.cnf.d/server.cnf[mysqld] server_id=2 #设置当前服务器的ID号(1主Mariadb,2从Mariadb) relay_log=relay-log #启用中继日志,保存当前的中继日志中主节点二进制文件的名字和位置。 read_only=on #禁止用户写入数据,这一项的管理员和复制重放无效。重启mariadb服务
[root@backup ~]# systemctl restart mariadb
登录数据库(用户名: root 密码: root)
[root@backup ~]# mysql -uroot -proot
从服务器启动read_only,但仅对非SUPER权限的用户有效
MariaDB [(none)]> flush tables with read lock;
连接主mariadb, 需要使用到主mariadb信息【创建的用户、主mariadb状态信息】
MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST='192.168.0.3',MASTER_USER='backupuser',MASTER_PASSWORD='backup_pwd ',MASTER_LOG_FILE='mariadb-bin.00001',MASTER_LOG_POS=245;
启动从mariadb线程
MariaDB [(none)]> start slave;
查看从mariadb线程是否正确
MariaDB [(none)]> show slave stgatus \G;Slave_IO_Running是复制线程,Slave_SQL_TRunning是重放线程,两个值都为Yes时候配置成功,否则看截图下面Error的那几个字段,比如连接不成功,密码错误等
测试主从复制是否生效
在主maridb中创建数据库,查看从mariadb是否已经同步注:如果已经存在的数据库需要要首先导入之后再开启主从复制
步骤都差不多,只是需要注意几个事项:
1、server_id必须要使用不同值
2、均启用binlog和relay log
3、存在自动增长id的表,为了使得id不相冲突,需要定义其自动增长方式
4、都授权有复制权限的用户账号
5、各把对方指定为主节点添加节点代码
定义一个节点使用奇数id
[mysqld] auto_increment_offset=1 #自动增长ID初始数 auto_increment_increment=2 #每次增长几位数另一个节点使用偶数id
[mysqld] auto_increment_offset=2 auto_increment_increment=2
适用:新的服务器部署基础服务
功能: 安装mariadb、php、nginx
服务器: centos 7
[root@wkjhost ~]# yum install -y lrzsz
[root@wkjhost ~]# yum install yum-utils
[root@wkjhost ~]# yum install epel-release
[root@wkjhost ~]# yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
[root@wkjhost ~]# yum update
[root@wkjhost ~]# yum install git
[root@wkjhost ~]# yum install mariadb-server
[root@wkjhost ~]# systemctl enable mariadb
1) 修改/etc/my.cnf(在[mysqld]标签下添加)
init_connect='SET collation_connection = utf8_general_ci'
init_connect='SET NAMES utf8'
character-set-server=utf8
collation-server=utf8_general_ci
skip-character-set-client-handshake
max_allowed_packet=512M
innodb_log_file_size=256M2) 修改/etc/my.cnf.d/client.cnf(在[client]标签下添加)
default-character-set=utf8
3) 修改/etc/my.cnf.d/mysql-clients.cnf(在[mysql]标签下添加)
default-character-set=utf8
4) 重启数据库,并验证字符集是否设置成功
[root@wkjhost ~]# systemctl start mariadb
[root@wkjhost ~]# mysql -uroot -p
MariaDB [(none)]> show variables like "%character%";show variables like "%collation%";
[root@wkjhost ~]# mysql_secure_installation
[root@wkjhost ~]# yum-config-manager --enable remi-php72
[root@wkjhost ~]# yum install php72
[root@wkjhost ~]# yum install php72-php-fpm php72-php-gd php72-php-json php72-php-mbstring php72-php-mysqlnd php72-php-xml php72-php-xmlrpc php72-php-opcache php72-php-zip
[root@wkjhost ~]# systemctl enable php72-php-fpm.service
[root@wkjhost ~]# vi /etc/yum.repos.d/nginx.repo
[nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key [nginx-mainline] name=nginx mainline repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key
[root@wkjhost ~]# yum-config-manager --enable nginx-mainline
[root@wkjhost ~]# yum install nginx
[root@wkjhost ~]# systemctl enable nginx
1) 配置PHP服务器
server { listen 443 ssl; server_name www.kjwoo.cn kjwoo.cn; root /var/www/typecho; index index.php index.html index.htm; access_log /var/www/logs/www.kjwoo.cn-access.log main; error_log /var/www/logs/www.kjwoo.cn-error.log; ssl_certificate /etc/nginx/ssl/www.kjwoo.cn/me.crt; ssl_certificate_key /etc/nginx/ssl/www.kjwoo.cn/me.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico|svg)$ { valid_referers none blocked *.kjwoo.cn server_names ~\.google\. ~\.baidu\. ~\.hcs427\.; if ($invalid_referer){ return 301 $http_referer; } expires 7d; access_log off; } location ~ .*\.(js|css|css\.map) { expires 12h; access_log off; } location / { if (!-e $request_filename) { rewrite ^/(.*)$ /index.php?s=$1 last; break; } try_files $uri $uri/ index.php /index.php?$QUERY_STRING; } location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_read_timeout 600; include fastcgi_params; } } server { listen 80; server_name www.kjwoo.cn; add_header Strict-Transport-Security max-age=15768000; return 301 https://$server_name$request_uri; } server { listen 80; server_name kjwoo.cn; add_header Strict-Transport-Security max-age=15768000; return 301 https://www.$server_name$request_uri; }2) 配置代理服务器
server { listen 443 ssl; server_name git.kjwoo.cn; ssl_certificate /etc/nginx/ssl/git.ky.kjwoo.cn/me.crt; ssl_certificate_key /etc/nginx/ssl/git.kjwoo.cn/me.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_connect_timeout 1; proxy_send_timeout 300; proxy_read_timeout 300; proxy_buffer_size 1M; proxy_buffers 8 1M; proxy_busy_buffers_size 1M; proxy_temp_file_write_size 1M; client_max_body_size 100m; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:3000; } } server { listen 80; server_name git.kjwoo.cn; rewrite ^(.*)$ https://$host$1 permanent; }3) 配置方向代理服务器
server { listen 443 ssl; server_name git.kjwoo.cn; ssl_certificate /etc/nginx/ssl/git.ky.kjwoo.cn/me.crt; ssl_certificate_key /etc/nginx/ssl/git.kjwoo.cn/me.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_connect_timeout 1; proxy_send_timeout 300; proxy_read_timeout 300; proxy_buffer_size 1M; proxy_buffers 8 1M; proxy_busy_buffers_size 1M; proxy_temp_file_write_size 1M; client_max_body_size 100m; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:3000; } } server { listen 80; server_name git.kjwoo.cn; rewrite ^(.*)$ https://$host$1 permanent; }
[root@wkjhost ~]# yum provides */applydeltarpm
[root@wkjhost ~]# yum install deltarpm -y
站点安全需求:
实现:
一、防盗链(除了本站点、谷歌、百度才能获取资源,其他的全部转向到自己站点)
在nginx主机配置中的server中添加代码:
valid_referers none blocked *.kjwoo.cn server_names ~\.google\. ~\.baidu\.;
if ($invalid_referer){
return 301 $http_referer;
}
二、防止乱七八糟的访问(返回403错误)
在nginx主机配置中的server中添加代码:
if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms|^$"){
return 403;
}
3、保证表单安全(SSL)
在nginx主机配置中的server中添加代码:
ssl_certificate /etc/nginx/ssl/www.kjwoo.cn/me.crt;
ssl_certificate_key /etc/nginx/ssl/www.kjwoo.cn/me.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
四、启动cookie (第一次访问限制速度为:128k)
在nginx主机配置中的server中添加代码:
if ($cookie_kanjin != "kanjin$remote_addr"){
limit_rate 128;
add_header Set-Cookie "kanjin=kanjin$remote_addr";
return 302 $scheme://$host$request_uri;
}
五、启动Robots协议(允许所有爬虫,但是不能爬/admin目录下面的资源)
在网站跟目录添加:robots.txt:
User-agent:*
Disallow:/admin
六、去除弱爬虫(使用短连接访问动态文件)
在网站的入口文件中添加判断(如果符合就直接重定向到百度)-以PHP为例子
if($_SERVER['HTTP_CONNECTION'] != 'keep-alive'){
header("Location:https://www.baidu.com");exit;//重定向到百度
}
[root@base~]# vi /etc/nginx/conf.d/gzip.conf
gzip on; gzip_min_length 1k; gzip_buffers 4 16k; #gzip_http_version 1.0; gzip_comp_level 2; gzip_types text/plain font/* application/javascript application/x-javascript text/css application/xml application/json text/javascript application/x-httpd-php image/jpeg image/gif image/png application/pdf; gzip_vary off; gzip_disable "MSIE [1-6]\.";