If you need another version, all OB2D files can be downloaded here: http://sourceforge.net/projects/ob2dlinux/files/?source=navbar
lsb_release -a
pietty is a remote-connection tool derived from PuTTY that lets you log in to a Linux host from Windows.
pietty homepage: http://ntu.csie.org/~piaip/pietty/
Generally, working through pietty is a bit more convenient than sitting at the host's own terminal (copy and paste is easy).
So, before configuring the host, first let root log in to the site through pietty (by default only a normal user can log in). Caveat: root password logins over SSH are a standing risk on an internet-facing host. If you enable them, keep port 22 restricted with the firewall rules below, and once setup is done switch back to PermitRootLogin prohibit-password (key-based root login only) or log in as the administrator account and use su -.
sudo passwd root
su -
nano /etc/ssh/sshd_config
Find the PermitRootLogin line (uncomment it if needed) and set it to the value below. sshd uses the first value it meets for a keyword, so if an uncommented PermitRootLogin line already exists, edit that one rather than appending a new line at the end.
PermitRootLogin yes
service ssh restart
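The sshd_config edit above has two traps: sshd takes the first value it sees for a keyword (a duplicate appended at the bottom is ignored), and everything after a Match line is conditional rather than global. The following Python script, an added example for this page and not part of OB2D or OpenSSH, parses the global section of an sshd_config the way sshd does and reports the two settings that decide whether password guessing against root is possible. Python is used for all added examples on this page; the three sample configs are constructed, and the defaults table reflects OpenSSH 7.0 and later.

```python
"""Audit the global section of an sshd_config for the settings this page changes.

sshd uses the FIRST value it meets for a keyword, and lines after a `Match`
block apply only to matching connections. Added example, not OB2D's or
OpenSSH's own code; the sample configs below are constructed."""
import re

# What OpenSSH (7.0 and later) assumes when the keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_global_section(text):
    """Return {keyword: value} for the part of the file before any Match block,
    keeping only the first occurrence of each keyword, as sshd does."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # conditional settings start here; they are not global
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip().strip('"')
    return values


def effective_settings(text):
    """Merge the parsed file with sshd's defaults."""
    parsed = parse_global_section(text)
    return {k: parsed.get(k, d) for k, d in DEFAULTS.items()}


def audit(text):
    """Return the findings a reviewer would raise for this config."""
    eff = effective_settings(text)
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins; "
                        "use prohibit-password (keys only) once setup is done")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: open to password guessing; "
                        "set no after installing keys")
    return findings


# Constructed sample 1: the edit this page makes on a Debian-style default file.
PAGE_CONFIG = """\
# Authentication:
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample 2: the trap. The earlier uncommented line wins, and the
# trailing PermitRootLogin yes belongs to the Match block (LAN clients only).
TRAP_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
Match Address 192.168.1.0/24
    PermitRootLogin yes
PermitRootLogin yes
"""

# Constructed sample 3: the shape to move to after the install steps are done.
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("trap", TRAP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, effective_settings(cfg), audit(cfg))
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; the parser does not follow Include directives (OpenSSH 8.2 and later), so check included files separately.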
Flush the existing firewall rules so nothing blocks the login while you set up (the rc.local script below rebuilds the rule set):
iptables -F
cd ~
apt-get install wget
wget https://campus-xoops.tn.edu.tw/uploads/vimrc.zip
apt-get install unzip
unzip vimrc.zip
Key | Purpose |
---|---|
a | Append text (enters edit mode) |
Esc | Switch between command mode and edit mode |
:wq! | In command mode: w saves, q quits, ! forces |
/ | Search, in command mode |
n | Jump to the next search hit |
vi ~/.bashrc
Uncomment these lines:
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
It takes effect after logging out and back in.
Put the firewall script below into /etc/rc.local; afterwards run it by hand so the rules apply now as well as at boot:
vi /etc/rc.local
sudo /etc/rc.local
#!/bin/sh -e
#
###-----------------------------------------------------###
echo "Set path of iptables"
echo
IPTABLES="/sbin/iptables"
###-----------------------------------------------------###
echo "Set external ......"
echo
#FW_IP=""
#FW_IP_RANGE=""
#FW_IFACE="eth0"
###-----------------------------------------------------###
echo "Set internal ......"
echo
#LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
#LAN_BCAST_ADRESS="192.168.1.255"
#LAN_IFACE="eth1"
# loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
###-----------------------------------------------------###
#echo "Enable ip_forward ......"
#echo
#echo "1" > /proc/sys/net/ipv4/ip_forward
###-----------------------------------------------------###
echo "Flush filter table ......"
echo
# Flush filter
$IPTABLES -F
$IPTABLES -X
echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X
###-----------------------------------------------------###
# Chain policies: anything not matched by a rule below is ACCEPTED
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
###-----------------------------------------------------###
#$IPTABLES -t nat -A POSTROUTING -o $FW_IFACE -j SNAT --to-source $FW_IP
###-----------------------------------------------------###
#$IPTABLES -t nat -A PREROUTING -p tcp -d $FW_IP --dport 8080 -j DNAT --to 192.168.1.3:80
###-----------------------------------------------------###
#$IPTABLES -A FORWARD -o $FW_IFACE -p tcp -s 192.168.1.6 --dport 6677 -j ACCEPT
#$IPTABLES -A FORWARD -o $FW_IFACE -p tcp --dport 6677 -j DROP
###-----------------------------------------------------###
#$IPTABLES -A INPUT -i $FW_IFACE -p tcp -s 192.168.1.0/24 --dport 6677 -j ACCEPT
#$IPTABLES -A INPUT -i $FW_IFACE -p tcp --dport 6677 -j DROP
# ICMP rate limit example (disabled; the ratelimit chain would also need "-N ratelimit" first)
#iptables -A ratelimit -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A ratelimit -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 10 -j ACCEPT
#iptables -A ratelimit -p icmp --icmp-type echo-request -j LOG --log-level "NOTICE" --log-prefix "[RATELIMIT]"
#iptables -A ratelimit -p icmp --icmp-type echo-request -j DROP
#iptables -A INPUT -p icmp --icmp-type echo-request -j ratelimit
#iptables -A INPUT -p tcp --dport 443 -j LOG --log-level "NOTICE" --log-prefix "[9999]"
# FTP (21): local only
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j DROP
# SSH (22): LAN, one management address and localhost; everyone else dropped
$IPTABLES -A INPUT -p tcp -s $LAN_IP_RANGE --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 120.115.3.33 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
# rpcbind (111): local only (TCP only; the UDP side is not covered)
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
# IPv6: only SSH is blocked, everything else stays open over IPv6
/sbin/ip6tables -F
/sbin/ip6tables -A INPUT -p tcp --dport 22 -j DROP
exit 0
Note that the policies stay ACCEPT: only ports with an explicit DROP line (21, 22, 111) are filtered, every other service is reachable from anywhere, and over IPv6 only port 22 is blocked. A deny-by-default INPUT policy with an ESTABLISHED,RELATED rule, an ACCEPT for lo, and explicit ACCEPTs for 80/443 and the SSH sources is the safer shape; a forgotten DROP line then closes a port instead of opening it.
Edit the sources.list of OB2D jessie (the mirror list for each release follows):
vi /etc/apt/sources.list
In vi, dd deletes a whole line (5dd deletes five lines at once).
If it is the 2019 version (buster), change it to:
deb https://opensource.nchc.org.tw/debian/ buster main contrib non-free
deb-src https://opensource.nchc.org.tw/debian/ buster main contrib non-free
deb https://opensource.nchc.org.tw/debian/ buster-updates main
deb-src https://opensource.nchc.org.tw/debian/ buster-updates main
deb https://security.debian.org/debian-security buster/updates main contrib non-free
deb https://opensource.nchc.org.tw/debian buster-backports main
If it is the 2017 version (stretch), change it to:
deb https://opensource.nchc.org.tw/debian/ stretch main contrib non-free
deb-src https://opensource.nchc.org.tw/debian/ stretch main contrib non-free
deb https://opensource.nchc.org.tw/debian/ stretch-updates main contrib non-free
deb-src https://opensource.nchc.org.tw/debian/ stretch-updates main contrib non-free
deb https://security.debian.org/ stretch/updates main
deb-src https://security.debian.org/ stretch/updates main
For the 2016 version (jessie):
deb https://opensource.nchc.org.tw/debian/ jessie main contrib non-free
deb-src https://opensource.nchc.org.tw/debian/ jessie main contrib non-free
deb https://opensource.nchc.org.tw/debian/ jessie-updates main contrib non-free
deb-src https://opensource.nchc.org.tw/debian/ jessie-updates main contrib non-free
deb https://security.debian.org/ jessie/updates main
deb-src https://security.debian.org/ jessie/updates main
If it is the 2013 version (wheezy), change it to:
deb https://opensource.nchc.org.tw/debian/ wheezy main contrib non-free
deb https://opensource.nchc.org.tw/debian/ wheezy-updates main contrib non-free
deb https://security.debian.org/ wheezy/updates main contrib non-free
Update the apt package list (wheezy, jessie and stretch are past end of life: they no longer receive security updates and their packages have moved to archive.debian.org, so the lines above may fail on the NCHC mirror for those releases):
apt-get update
If the update reports `There is no public key available for the following key IDs: xxxxxxxxxxxx`,
fix it by installing the current archive keyrings:
apt-get install debian-keyring debian-archive-keyring
apt-key update
If apt reports that it is locked:
E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
E: Unable to lock directory /var/lib/apt/lists/
first make sure no other apt or dpkg process is still running (ps aux | grep -E 'apt|dpkg'). If one is, wait for it rather than removing the lock, otherwise the package database can be corrupted. If none is running, delete the stale lock file:
rm /var/lib/apt/lists/lock
2019 and later (buster): install the PHP 7.3 curl, mail and mbstring libraries. The PEAR Mail library is not versioned per PHP release: the package is php-mail, not php7.3-mail (which does not exist and would make apt abort the whole command):
apt-get install php7.3-curl php7.3-mbstring php7.3-zip php7.3-soap php-mail
2017 and later (stretch): install the PHP 7 curl and mbstring libraries
apt-get install php7.0-curl php7.0-mbstring php7.0-zip php7.0-soap
2016 and earlier: install the PHP 5 curl and intl libraries (XOOPS needs them)
apt-get install php5-curl php5-intl php5-zip php5-soap
Install rsync (for later backups), htop (to watch the host), fping (may be needed in cron jobs), sshfs and nfs (to mount remote backups; skip if not needed), zip and unzip (compress and extract), NTP (time sync) and ca-certificates, without which wget cannot fetch https files and Google quick login on an https site fails with: Google_IOException: HTTP Error: (0) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
apt-get install rsync htop fping sshfs nfs-common zip unzip ntp ntpdate ca-certificates
Check the kernel:
uname -a
Upgrade the kernel (optional):
apt-get install linux-image-4.11.8-ob2d linux-headers-4.11.8-ob2d linux-firmware-image-4.11.8-ob2d
Later, to update all installed packages (refresh the list first, otherwise upgrade works from stale data):
apt-get update
apt-get upgrade
a2enmod status rewrite
(The module is called status; a2enmod mod_status fails with "Module mod_status does not exist".)
vi /etc/apache2/mods-enabled/status.conf
Restrict /server-status to localhost and the management subnet; it lists client IPs and the URLs being requested:
<Location /server-status>
SetHandler server-status
Require local
Require ip 120.115.3.0/24
</Location>
systemctl restart apache2
http://HOSTNAME/server-status?refresh=10
vi /etc/apache2/envvars
Uncomment the ulimit line:
APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
Restart the web server.
vi /etc/apache2/conf-enabled/security.conf
Find the two settings below and change their values, so Apache stops advertising its version and modules in response headers and error pages (version disclosure helps an attacker pick exploits):
ServerTokens Prod
ServerSignature Off
Restart the web server:
service apache2 restart
# Total resident memory of all apache2 processes (the grep itself is counted too)
ps aux | grep apache2 | awk '{ total += $6; } END { print total/1024"MB" }'
# Total CPU share of apache2 processes
ps aux | grep apache2 | awk '{ total += $3; } END { print total"%" }'
# Number of apache2 processes
ps faux|grep apache2|wc -l
# Number of apache2 threads
ps -eLf|grep apache2|wc -l
# Threads of one process (substitute its PID)
ps -eLf|grep $PID |wc -l
# TCP connections by state (the original printed "awk $NF", which only worked by accident)
netstat -nat|awk '{print $NF}'|sort|uniq -c|sort -n
# Top processes by CPU, then by memory
ps aux|head -1;ps aux|grep -v PID|sort -rn -k 3|head
ps aux|head -1;ps aux|grep -v PID|sort -rn -k 4|head
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
top -b -o +%MEM | head -n 17
top -b -o +%CPU | head -n 17
# Sockets owned by www-data
netstat -ae|grep www-data
# Connections to port 80 per client IP, useful for spotting a flood source
netstat -nat|grep ":80"|awk '{print $5}' |awk -F: '{print $1}' | sort| uniq -c|sort -n
apache2 -V
If you see a message like:
[Mon Oct 16 22:34:47.936456 2017] [core:warn] [pid 9405] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
then source the Apache environment variables into the shell:
. /etc/apache2/envvars
Rerun the command and you should see correct output such as:
Server version: Apache/2.4.25 (Debian)
Server built: 2017-09-19T18:58:57
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
Line 7 of the output (Server MPM) shows it is running in prefork mode, so open the matching config file:
vi /etc/apache2/mods-available/mpm_prefork.conf
prefork is the old, stable mode. At start-up Apache pre-forks a number of child processes and waits for requests, avoiding the cost of constantly creating and destroying processes. Each child has a single thread and handles one request at a time.
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 1000
MaxRequestWorkers 750
MaxConnectionsPerChild 3000
</IfModule>
Count the apache2 processes currently running:
ps -ef|grep apache2|wc -l
MaxRequestWorkers caps the number of simultaneous requests; when concurrency exceeds it, new connections queue. Suggested values: small site 500, medium 500 to 1500, large 1500 to 3000. If MaxRequestWorkers exceeds 256, ServerLimit must be set before it, ideally to the same value; otherwise Apache lowers MaxRequestWorkers to ServerLimit and logs a warning. With mod_php every prefork child holds tens of MB, so check that MaxRequestWorkers times the per-process figure from the ps commands above fits in RAM before raising it.
service apache2 restart
vi /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
tcp_tw_recycle (enabled in the original) is left out on purpose: it drops connections from clients behind NAT whose TCP timestamps do not increase monotonically, and the kernel removed the option in 4.12. Load the settings with sysctl -p.
The php.ini settings matter a great deal, especially the timezone and error settings; get them wrong and you will have trouble later.
For versions up to 2016:
vi /etc/php5/apache2/php.ini
For 2017 and later versions:
vi /etc/php/7.0/apache2/php.ini
Adjust the settings per the table below (line numbers differ between versions; these are from the 2017 1.1 release):
Setting | Suggested value | Line | Notes |
---|---|---|---|
max_execution_time | 150 | 368 | Maximum time in seconds a script may run; 0 means no limit. Stops a badly written script from hogging the server forever. For large uploads over a thin link raise it: if a 10 MB upload takes 2 minutes, do not set it below 120. |
max_input_time | 120 | 378 | Maximum time in seconds a script may spend parsing input (POST, GET, upload); -1 means no limit. |
max_input_vars | 5000 | 385 | How many variables a form may submit; above this the rest of the form is dropped. Import features that show a confirmation form with many fields need a larger value so the imported data stays complete. |
memory_limit | 240M | 389 | Memory one script may allocate (K and M suffixes allowed). Keeps a bad script from eating all the server's memory; -1 removes the limit. |
display_errors | on | 462 | Whether PHP prints errors into the page. The author recommends On so that a blank page can be debugged, but a production host then shows file paths, stack traces and SQL fragments to every visitor. Keep it Off on a live site with log_errors = On and read /var/log/apache2/error.log instead, turning it On only while debugging. |
post_max_size | 220M | 656 | Maximum size of POST data; this also bounds file uploads. If the POST exceeds it, $_POST and $_FILES are empty. Must be larger than upload_max_filesize and, when a memory limit is enabled, smaller than memory_limit. |
upload_max_filesize | 200M | 809 | Maximum size of one uploaded file. |
max_file_uploads | 300 | 812 | Maximum number of files per request; set to taste. |
date.timezone | Asia/Taipei | 924 | Default timezone. For a host in Taiwan set Asia/Taipei, otherwise timestamps will be off. |
Restart apache after the change:
service apache2 restart
To test, create a simple PHP file:
vi /var/www/html/info.php
with the content:
<?php phpinfo();
After saving, open http://HOSTNAME/info.php in a browser to see the PHP information page. Delete the file once you are done: phpinfo() discloses versions, paths and loaded modules to anyone who can reach it.
worker uses a hybrid of multiple processes and multiple threads. It also pre-forks a few child processes (fewer than prefork), and each child creates a number of threads, including one listener thread. Each incoming request is handed to one thread.
Threads are l lighter than processes because they share the parent's memory, so memory use drops somewhat. Under high concurrency worker performs better than prefork because more threads are available.
apt-get update
apt-get upgrade
#for Debian 10 Buster
apt-get install -y php7.3-fpm
#for Debian 9 Stretch
apt-get install -y php7.0-fpm
#for Debian 8 Jessie
apt-get install -y php5.6-fpm
Switch Apache from mod_php/prefork to worker with php-fpm (use php7.3 / php5 and the matching -fpm conf for your release). Debian's php7.x-fpm.conf routes .php files through mod_proxy_fcgi inside an <IfModule proxy_fcgi_module> block; if that module is not loaded the block is skipped and .php files are served as plain text, so enable it together with setenvif (the original enabled only actions):
a2dismod php7.0 mpm_prefork
a2enmod mpm_worker actions proxy_fcgi setenvif
a2enconf php7.0-fpm
systemctl restart apache2
php-fpm has its own php.ini; apply the settings from the table above there as well:
#for Debian 10 Buster
vi /etc/php/7.3/fpm/php.ini
#for Debian 9 Stretch
vi /etc/php/7.0/fpm/php.ini
#for Debian 8 Jessie
vi /etc/php/5.6/fpm/php.ini
Find the php-fpm master process and reload it so the new php.ini takes effect (systemctl reload php7.0-fpm sends the same signal):
ps aux|grep php-fpm
kill -USR2 PID
vi /etc/apache2/mods-available/mpm_worker.conf
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>
systemctl restart apache2
Block PHP execution in the uploads directory, so that an uploaded .php file is handed out as a plain file instead of being run (the second SetHandler overrides the first; both are kept as on the page; AllowOverride All, set in apache2.conf below, is what makes this .htaccess effective):
vi /var/www/html/uploads/.htaccess
<Files "*.php">
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .php
</Files>
To switch back to mod_php with prefork:
a2dismod mpm_worker actions
a2enmod php7.0 mpm_prefork
systemctl restart apache2
systemctl stop php7.0-fpm
(The original stopped the workers with ps aux|grep php-fpm|awk '{print $2}'|xargs kill -9, which skips php-fpm's orderly shutdown; use the version of your release.)
This is Apache's newest mode and is stable in current versions. It resembles worker; the main difference is that it fixes the waste of threads tied up by keep-alive connections (threads held by keep-alive sit idle, sometimes until the timeout, with hardly any requests arriving).
In the event MPM a dedicated listener thread manages these keep-alive connections: when a real request arrives it hands it to a worker thread, which is released again when done. This improves request handling under high concurrency.
When the event MPM meets an incompatible module it falls back to worker behaviour, one worker thread per request. All of Apache's own modules support event.
apt-get update
apt-get upgrade
#for Debian 10 Buster
apt-get install -y php7.3-fpm
#for Debian 9 Stretch
apt-get install -y php7.0-fpm
#for Debian 8 Jessie
apt-get install -y php5.6-fpm
Switch Apache from mod_php/prefork to event with php-fpm over FastCGI (use php7.3 / php5 and the matching -fpm conf for your release):
a2dismod php7.0 mpm_prefork
a2enmod mpm_event proxy_fcgi setenvif
a2enconf php7.0-fpm
systemctl restart apache2
php-fpm has its own php.ini; apply the settings from the table above there as well:
#for Debian 10 Buster
vi /etc/php/7.3/fpm/php.ini
#for Debian 9 Stretch
vi /etc/php/7.0/fpm/php.ini
#for Debian 8 Jessie
vi /etc/php/5.6/fpm/php.ini
systemctl restart apache2
Find the php-fpm master process and reload it so the new php.ini takes effect (systemctl reload php7.0-fpm sends the same signal):
ps aux|grep php-fpm
kill -USR2 PID
vi /etc/apache2/mods-available/mpm_event.conf
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>
Block PHP execution in the uploads directory, as in the worker section:
vi /var/www/html/uploads/.htaccess
<Files "*.php">
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .php
</Files>
systemctl restart apache2
To switch back to mod_php with prefork:
a2dismod mpm_event proxy_fcgi setenvif
a2enmod php7.0 mpm_prefork
systemctl restart apache2
systemctl stop php7.0-fpm
(The original stopped the workers with ps aux|grep php-fpm|awk '{print $2}'|xargs kill -9, which skips php-fpm's orderly shutdown; use the version of your release.)
Edit the Apache main config:
vi /etc/apache2/apache2.conf
Find the directory block and change it to the following (AllowOverride All is what lets the .htaccess files used on this page take effect):
<Directory /var/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Set Apache's default charset to UTF-8 so error pages are not garbled:
vi /etc/apache2/conf-available/charset.conf
Remove the #:
AddDefaultCharset UTF-8
Enable per-user web directories (http://HOSTNAME/~user); root's is disabled below:
a2enmod userdir
vi /etc/apache2/mods-enabled/userdir.conf
<IfModule mod_userdir.c>
UserDir public_html
UserDir disabled root
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews IncludesNoExec FollowSymLinks
Require method GET POST OPTIONS
</Directory>
</IfModule>
#for Debian 10 Buster
vi /etc/apache2/mods-available/php7.3.conf
#for Debian 9 Stretch
vi /etc/apache2/mods-available/php7.0.conf
#for Debian 8 Jessie
vi /etc/apache2/mods-available/php5.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
Require all denied
</FilesMatch>
# Running PHP scripts in user directories is disabled by default
#
# To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
#<IfModule mod_userdir.c>
#    <Directory /home/*/public_html>
#        php_admin_flag engine Off
#    </Directory>
#</IfModule>
Leaving this block commented out, as above, enables PHP in every user's public_html. Scripts there run as www-data, so any local account can execute server-side code with the web server's privileges and read anything www-data can read, including the site's database credentials; only do this on a host where every shell user is trusted.
service apache2 restart
a2enmod http2
vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    Protocols h2c http/1.1
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
vi /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    Protocols h2 http/1.1
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
service apache2 restart
mod_http2 does not work with the prefork MPM: Apache 2.4.27 and later log AH10034 and disable HTTP/2 there, so these Protocols lines only take effect with the worker or event MPM and php-fpm as set up above.
apt-get install openssl
a2enmod ssl
vi /etc/apache2/sites-available/default-ssl.conf
a2ensite default-ssl
service apache2 restart
(a2ensite creates the same symlink as the original's cd /etc/apache2/sites-enabled; ln -s ../sites-available/default-ssl.conf.) default-ssl.conf ships pointing at the self-signed "snakeoil" certificate, which browsers warn about; point SSLCertificateFile and SSLCertificateKeyFile at a CA-issued certificate (for example from certbot, as in the Jitsi section) before the site goes live.
Then you can browse the site with https://HOSTNAME.
Most sites today cannot be embedded in another site's frame by default. In special cases, such as a bulletin board that other sites need to embed, this has to be relaxed.
A .htaccess in the web directory can allow specific sites (mod_headers must be enabled: a2enmod headers). The original line, `Header set X-Frame-Options http://odata.tn.edu.tw`, is not valid: X-Frame-Options only accepts DENY, SAMEORIGIN or the legacy ALLOW-FROM uri (a single origin, no longer honoured by Chrome or Safari). Use the frame-ancestors directive of Content-Security-Policy, which every current browser understands, and keep ALLOW-FROM only for old browsers:
Header always set Content-Security-Policy "frame-ancestors 'self' http://odata.tn.edu.tw"
Header always set X-Frame-Options "ALLOW-FROM http://odata.tn.edu.tw"
Removing the header altogether lets any site frame the page (clickjacking), so only do this if the page really must be embeddable everywhere:
Header always unset X-Frame-Options
phpmyadmin is the database management tool; by default it can only be reached from the same subnet. To allow remote access, edit the config:
vi /etc/apache2/conf.d/ra-phpmyadmin
For example:
allow from 127.0.0.1 120.115.3.0/24 106.104.14.111
120.115.3.0/24 is the data center's subnet
106.104.14.111 is the author's home IP
Adjust to your needs, and keep the list short: a phpmyadmin exposed to the whole Internet is a standing target for password guessing. (`allow from` is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise the equivalent is Require ip 127.0.0.1 120.115.3.0/24 106.104.14.111.)
Restart apache afterwards:
service apache2 restart
Then open phpMyAdmin:
http://HOSTNAME/phpmyadmin
If you get Not Found, rerun the package configuration:
dpkg-reconfigure phpmyadmin
If that never works, remove phpmyadmin first:
apt-get remove --purge phpmyadmin
and reinstall it:
apt-get install phpmyadmin
During the reinstall answer "No" on the first screen; on the later web server step mark apache2 with an asterisk (space bar), then continue to finish.
apt install nginx
systemctl status nginx
If this reports the error
nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
add a systemd drop-in that waits briefly after start:
mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx
systemctl start nginx
systemctl enable nginx
nginx -v
nginx -t
vi /var/www/html/index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
Site is up!
</body>
</html>
http://HOSTNAME-or-IP/
apt -y install php php-fpm php-common php-pear php-mbstring
php --version
systemctl start php7.3-fpm
systemctl enable php7.3-fpm
systemctl status php7.3-fpm
vi /etc/nginx/sites-available/default
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
systemctl restart php7.3-fpm nginx
vi /var/www/html/index.php
<?php
phpinfo();
Open http://HOSTNAME-or-IP/index.php to confirm PHP runs through php-fpm, then delete the file: phpinfo() shows versions, paths and settings to anyone who finds it.
vi /etc/nginx/sites-available/default
Inside the server{} block add the following (autoindex on lists a directory's contents whenever it has no index file; turn it off if users' directories should not be browsable):
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm index.php;
autoindex on;
}
adduser somebody
mkdir /home/somebody/public_html
vi /home/somebody/public_html/index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
Site is up!
</body>
</html>
vi /etc/nginx/sites-available/default
Inside server{}, above the existing `location ~ ^/~(.+?)(/.*)?$ {` block, add the PHP location below. It must come first: nginx uses the first regex location that matches, in file order, so placed below it the generic block would serve .php files as plain text (source disclosure). Note that these scripts run as the php-fpm pool user (www-data), so any local account can execute code with the web server's privileges:
location ~* ^/~(.+?)(/.*\.php)$ {
alias /home/$1/public_html$2;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm index.php;
autoindex on;
}
systemctl restart nginx
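To see why the order of the two ~user location blocks matters, the following Python script, an added example for this page and not nginx's or OB2D's code, replays nginx's rule for regex locations (first match in file order wins) with the two patterns from this page against constructed requests, and shows which handler and filesystem path each would get in the page's order and in the reversed order.

```python
"""Why the PHP location must be placed ABOVE the generic ~user location.

nginx checks regex locations in the order they appear and takes the first
match. With the generic `^/~(.+?)(/.*)?$` block first, /~user/index.php never
reaches php-fpm: the file is served statically and its source (database
credentials included) is disclosed. Added example; the two patterns are the
page's, the requests are constructed."""
import re

# (name, pattern, flags) in the order the page gives them; `~*` is case-insensitive.
PAGE_ORDER = [
    ("php", r"^/~(.+?)(/.*\.php)$", re.IGNORECASE),
    ("static", r"^/~(.+?)(/.*)?$", 0),
]
# The same two blocks the wrong way round.
WRONG_ORDER = list(reversed(PAGE_ORDER))


def pick_location(locations, uri):
    """Return the first regex location matching uri, as nginx would."""
    for name, pattern, flags in locations:
        m = re.search(pattern, uri, flags)
        if m:
            return name, m
    return None, None


def resolve(locations, uri):
    """Location name and the filesystem path the alias directive produces."""
    name, m = pick_location(locations, uri)
    if name is None:
        return None, None
    user, rest = m.group(1), m.group(2) or ""
    return name, f"/home/{user}/public_html{rest}"


if __name__ == "__main__":
    for order_name, order in (("page order", PAGE_ORDER), ("wrong order", WRONG_ORDER)):
        for uri in ("/~somebody/index.php", "/~somebody/", "/~somebody/Index.PHP"):
            print(f"{order_name:11} {uri:22} -> {resolve(order, uri)}")
```

The case-insensitive `~*` on the PHP block is what makes Index.PHP go to php-fpm rather than being served as text; the simulation does not model nginx's URI normalisation or exact/prefix locations, only the regex ordering rule.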
apt install mariadb-server mariadb-client
systemctl status mariadb
systemctl start mariadb
systemctl enable mariadb
mysql_secure_installation
mariadb --version
apt install php7.3-mysql
free -h
              total        used        free      shared  buff/cache   available
Mem:          7.8Gi       988Mi       514Mi        39Mi       6.3Gi       6.7Gi
Swap:         2.0Gi        30Mi       2.0Gi
Average resident memory per php-fpm worker, in MB:
ps --no-headers -o "rss,cmd" -C php-fpm7.3 | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'
Compute max_children as available memory divided by the per-worker figure (6.7 GiB and 38 MB here):
(6.7*1024)/38=180
vi /etc/php/7.3/fpm/pool.d/www.conf
Change these settings:
pm.max_children = 180
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 10000
(The directive is pm.max_requests, plural; php-fpm rejects unknown pool entries at start-up, so the original's pm.max_request would stop it from starting. Also note that 180 workers at about 38 MB each take the whole 6.7 GB that was available, leaving nothing for MariaDB and the page cache; a lower value with headroom is safer.)
systemctl restart php7.3-fpm
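The sizing above is done by hand from free and ps output. The following Python script, an added example for this page and not part of OB2D or php-fpm, does the same arithmetic from the command outputs, keeps a reserve for the database and page cache instead of handing every available byte to PHP, and checks the constraints php-fpm enforces for pm = dynamic at start-up (min_spare_servers <= start_servers <= max_spare_servers <= max_children, all positive), which is what an inconsistent hand edit trips over. The free -b and ps outputs are constructed from the page's figures.

```python
"""Size a php-fpm dynamic pool from `free -b` and per-worker RSS, and validate
the pm.* constraints php-fpm checks when it starts. Added example, not OB2D or
php-fpm code; the command outputs below are constructed from the page's
numbers (about 6.7 GiB available, about 38 MB per worker)."""

FREE_B_OUTPUT = """\
              total        used        free      shared  buff/cache   available
Mem:     8376573952  1035993088   538968064    40894464  6764560384  7191527424
Swap:    2147483648    31457280  2116026368
"""

# ps --no-headers -o rss,cmd -C php-fpm7.3 (RSS in KiB; the master is not a worker)
PS_RSS_OUTPUT = """\
  5120 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf)
 38912 php-fpm: pool www
 37888 php-fpm: pool www
 39936 php-fpm: pool www
 35840 php-fpm: pool www
"""


def available_bytes(free_text):
    """'available' column of free -b: what can be handed out without swapping."""
    for line in free_text.splitlines():
        if line.startswith("Mem:"):
            return int(line.split()[6])
    raise ValueError("no Mem: line in free output")


def avg_worker_rss_bytes(ps_text):
    """Average RSS of pool workers, skipping the master process."""
    rss = [int(line.split()[0]) * 1024 for line in ps_text.splitlines() if "pool" in line]
    if not rss:
        raise ValueError("no php-fpm pool workers found")
    return sum(rss) // len(rss)


def size_pool(available, avg_rss, reserve_fraction=0.2, max_requests=10000):
    """Derive pm.* values; reserve_fraction keeps headroom for MariaDB, the web
    server and the page cache (the page's hand calculation uses 0)."""
    budget = int(available * (1 - reserve_fraction))
    max_children = max(1, budget // avg_rss)
    start = max(1, max_children // 8)
    min_spare = max(1, start // 2)
    max_spare = max(start, max_children // 4)
    return {
        "pm.max_children": max_children,
        "pm.start_servers": start,
        "pm.min_spare_servers": min_spare,
        "pm.max_spare_servers": max_spare,
        "pm.max_requests": max_requests,  # plural; pm.max_request is rejected
    }


def validate(pool):
    """Mirror php-fpm's start-up checks for pm = dynamic; return the problems found."""
    mc, st = pool["pm.max_children"], pool["pm.start_servers"]
    lo, hi = pool["pm.min_spare_servers"], pool["pm.max_spare_servers"]
    problems = []
    if min(mc, st, lo, hi) <= 0:
        problems.append("all pm.* counts must be > 0")
    if hi > mc:
        problems.append("pm.max_spare_servers must not exceed pm.max_children")
    if lo > hi:
        problems.append("pm.min_spare_servers must not exceed pm.max_spare_servers")
    if not lo <= st <= hi:
        problems.append("pm.start_servers must lie between min and max spare servers")
    return problems


def render(pool):
    """Lines ready to paste into /etc/php/7.3/fpm/pool.d/www.conf."""
    return "\n".join(f"{k} = {v}" for k, v in pool.items())


if __name__ == "__main__":
    pool = size_pool(available_bytes(FREE_B_OUTPUT), avg_worker_rss_bytes(PS_RSS_OUTPUT))
    print(render(pool))
    print("problems:", validate(pool) or "none")
```

With reserve_fraction = 0 the script reproduces the page's figure (184 children for these inputs, against the hand-rounded 180); with the default 20% reserve it yields 147. The page's own five values pass validate(), so php-fpm accepts them once pm.max_requests is spelled correctly.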
sudo mysql -u root mysql
UPDATE mysql.user SET Password=PASSWORD('NEWPASSWORD') WHERE User='root';
UPDATE user SET plugin='' WHERE User='root';
FLUSH PRIVILEGES;
Clearing plugin switches root from unix_socket authentication (only a local root shell can log in) to password authentication, so anyone who learns the password can use it; choose a strong one and do not reuse it elsewhere. On MariaDB 10.4 and later mysql.user is a view and these UPDATEs fail; use ALTER USER there.
mysql -u root -p
ob2d-init
apt-get install ob2d-init-txt
Run ob2d-init-txt as the administrator account (not root: the admin account created when installing OB2D), without sudo:
ob2d-init-txt
mysql -u root -p mysql
Then run:
update user set plugin='' where User='root';
flush privileges;
\q
cd /etc/mysql/mariadb.conf.d/
cp 50-server.cnf 50-server.cnf.bak
vi /etc/mysql/mariadb.conf.d/50-server.cnf
socket = /var/run/mysqld/mysqld.sock
pid-file = /var/run/mysqld/mysqld.pid
Comment out log-bin (otherwise large binary logs accumulate and slow things down; note this also gives up point-in-time recovery and replication, which need the binlog):
# BINARY LOGGING #
#log-bin = /var/lib/mysql/mysql-bin
#expire-logs-days = 14
#sync-binlog = 1
Comment out slow-query-log (otherwise a huge log may build up):
# LOGGING #
log-error = /var/lib/mysql/mysql-error.log
log-queries-not-using-indexes = 1
#slow-query-log = 0
#slow-query-log-file = /var/lib/mysql/mysql-slow.log
cd ~
wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
chmod +x mysqltuner.pl
Run it (a password given on the command line shows up in ps and in the shell history; mysqltuner also reads credentials from ~/.my.cnf, which is the better place):
perl mysqltuner.pl --user root --pass 'PASSWORD'
Recommendations:
Variables to adjust:
    query_cache_size (=0)
    query_cache_type (=0)
    performance_schema = ON enable PFS
    innodb_log_file_size should be (=16M) if possible, so InnoDB total log files size equals to 25% of buffer pool size.
    innodb_buffer_pool_instances (=1)
Open the config file and tune the items flagged in red with [!!]:
vi /etc/mysql/mariadb.conf.d/50-server.cnf
For example (with skip-name-resolve, grants must name IP addresses rather than hostnames):
skip-name-resolve=1
max_connections = 300
query_cache_limit = 1M
query_cache_size = 0
query_cache_type = 0
performance_schema = ON
Then restart the database service.
Query to estimate the database's maximum memory use (on MariaDB 10.2+ and MySQL 5.7.4+ the variable innodb_additional_mem_pool_size no longer exists and the query fails with "Unknown system variable"; drop that term there):
SELECT ( @@key_buffer_size
       + @@query_cache_size
       + @@innodb_buffer_pool_size
       + @@innodb_additional_mem_pool_size
       + @@innodb_log_buffer_size
       + @@max_connections * ( @@read_buffer_size + @@read_rnd_buffer_size + @@sort_buffer_size
                              + @@join_buffer_size + @@binlog_cache_size + @@thread_stack + @@tmp_table_size ) )
       / (1024 * 1024 * 1024) AS MAX_MEMORY_GB;
vi /etc/rc.local
Add rules for port 3306, for example:
$IPTABLES -A INPUT -p tcp -s 120.115.2.0/24 --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 120.115.3.0/24 --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
Run the script to load the rules now:
/etc/rc.local
vi /etc/mysql/mariadb.conf.d/50-server.cnf
Comment out bind-address:
#bind-address = 127.0.0.1
Only do this when another host genuinely needs direct access to the database: with bind-address commented out MariaDB listens on every interface, and the iptables allowlist above (especially the final DROP line) is the only thing between port 3306 and the Internet. Restart the database:
service mysql restart
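The rc.local firewall script at the start of this page and the 3306 rules just added share one property: the INPUT policy is ACCEPT, so only ports with their own DROP line are closed. The following Python script, an added example for this page and not OB2D's code, replays those INPUT rules (the page's own lines, with only -p, -s, --dport and -j modelled; no interfaces or connection state) against constructed packets using iptables' first-match-then-policy rule, and lists the ports an arbitrary Internet host reaches purely because of the ACCEPT policy.

```python
"""Replay the page's INPUT rules (rc.local plus the 3306 lines) against sample
packets. iptables walks a chain top to bottom and applies the first matching
rule's target; only when nothing matches does the chain policy decide. With
`-P INPUT ACCEPT`, every port without its own DROP line is reachable from
anywhere. Added example, not OB2D code; packets are constructed."""
import ipaddress
import shlex

RULES_TEXT = """
-P INPUT ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 21 -j DROP
-A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp -s 120.115.3.33 --dport 22 -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 111 -j DROP
-A INPUT -p tcp -s 120.115.2.0/24 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 120.115.3.0/24 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j DROP
"""


def parse_rules(text):
    """Return (policy, [rule dicts]) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P" and toks[1] == "INPUT":
            policy = toks[2]
            continue
        if toks[:2] != ["-A", "INPUT"]:
            continue
        rule = {"proto": None, "src": None, "dport": None, "target": None}
        for opt, val in zip(toks[2::2], toks[3::2]):   # option/value pairs
            if opt == "-p":
                rule["proto"] = val
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, src, proto, dport):
    """First matching rule wins; the chain policy applies when none matches."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy


def ports_open_by_policy(policy, rules, ports, src="203.0.113.5"):
    """Ports an arbitrary Internet host (TEST-NET address) reaches only because
    no rule mentions them and the policy is ACCEPT."""
    covered = {r["dport"] for r in rules}
    return [p for p in ports
            if p not in covered and verdict(policy, rules, src, "tcp", p) == "ACCEPT"]


POLICY, RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for src, proto, port in (("203.0.113.5", "tcp", 22), ("120.115.3.33", "tcp", 22),
                             ("203.0.113.5", "tcp", 3306), ("203.0.113.5", "udp", 111)):
        print(src, proto, port, "->", verdict(POLICY, RULES, src, proto, port))
    print("open by policy:", ports_open_by_policy(POLICY, RULES, [21, 22, 80, 111, 443, 3306, 8080]))
```

Two things the replay makes visible: the 111 rules only cover TCP, so UDP 111 (which rpcbind also listens on) is accepted by policy, and any port that is not in the script at all, 8080 say, is open to the world until someone remembers to add a DROP line.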
If the host needs a new IP, or this is a finished VM image that you copy to bring up another machine, you will have to change the IP.
First find the active interface, e.g. eth0:
ifconfig -a
Edit the interface and IP settings:
vi /etc/network/interfaces
Adjust the IP, gateway, DNS and so on to your situation:
auto lo eth0
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 120.115.2.90
    netmask 255.255.255.0
    network 120.115.2.0
    broadcast 120.115.2.255
    gateway 120.115.2.253
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 163.26.1.1
    dns-search tn.edu.tw
iface eth0 inet6 static
    address 2001:288:7201:2::90
    netmask 64
    gateway 2001:288:7201:2::fffe
Shorter form:
auto lo eth0
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 120.115.2.90/24
    gateway 120.115.2.253
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 163.26.1.1
    dns-search tn.edu.tw
iface eth0 inet6 static
    address 2001:288:7201:2::90
    netmask 64
    gateway 2001:288:7201:2::fffe
Edit /etc/hosts (again, substitute your own IP and name):
vi /etc/hosts
127.0.0.1       localhost
120.115.2.90    campus-xoops.tn.edu.tw
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Change the hostname:
vi /etc/hostname
Set the content to the host name, e.g. campus-xoops, then apply it by hand so it shows immediately:
hostname campus-xoops
Check the kernel version and hostname:
uname -a
Change the DNS settings (if resolvconf is installed it rewrites this file from the dns-* lines above, so edit those instead):
vi /etc/resolv.conf
search campus-xoops.tn.edu.tw
nameserver 163.26.1.1
Restart networking:
service networking restart
The IP change is done.
vi /etc/network/interfaces
iface eth0 inet6 static
    address 2001:288:7201:2::99
    netmask 64
    gateway 2001:288:7201:2::fffe
or, on a machine whose interface is named enp0s3:
iface enp0s3 inet6 static
    address 2001:288:7201:12::D05
    netmask 64
    gateway 2001:288:7201:12::fffe
systemctl restart networking
(On Debian the unit is networking; network.service is the Red Hat name and does not exist here.)
Test with http://[2001:288:7201:2::99] or http://[2001:288:7201:12::d05]. Remember that the iptables allowlists above do not apply to IPv6: the rc.local script only blocks port 22 with ip6tables, so every other service (3306 included, once bind-address is commented out) is reachable over IPv6.
Run directly:
dpkg-reconfigure postfix
On the first screen (or the second) choose "Local only", which keeps Postfix from accepting mail from the network and only delivers local mail.
Set the rest as needed, or accept the defaults.
apt-get install ntp ntpdate
ntpdate -s time.stdtime.gov.tw
hwclock --systohc
crontab -e
crontab -e edits root's own crontab, whose lines have no user field (the user column belongs to /etc/crontab); the original line `10 5 * * * root /usr/sbin/ntpdate ...` would try to run a command named root. Use:
10 5 * * * /usr/sbin/ntpdate -s time.stdtime.gov.tw
or
*/30 * * * * (/usr/sbin/ntpdate -s time.stdtime.gov.tw;/sbin/hwclock -w) > /dev/null 2>&1
Note that while the ntp daemon installed above is running, ntpdate fails with "the NTP socket is in use"; with ntpd keeping time the cron job is unnecessary.
apt-get install monit -y
Start the service:
systemctl start monit
systemctl enable monit
Check its state with:
systemctl status monit
Edit the config:
vi /etc/monit/monitrc
Set up the web interface (port 2812 can stay as it is; it is changed here only because the data center opens just 3389) and restart Apache when swap use exceeds 75%:
set mailserver mail.tn.edu.tw,      # mail relay
               localhost             # fallback relay
set mail-format {
  from: Monit <monit@$HOST>
  subject: Notice $HOST -- $EVENT $SERVICE
  message: $EVENT => $SERVICE
    Date: $DATE
    Action: $ACTION
    Host: $HOST
    Description: $DESCRIPTION
    http://HOSTNAME:PORT
}
set alert tad@tn.edu.tw             # mailbox that receives all alerts
set httpd port 3389 and
    use address 0.0.0.0             # reachable from outside
    allow 0.0.0.0/0.0.0.0           # any IP may connect
    allow USERNAME:PASSWORD         # require user 'admin' with password 'monit'
check system $HOST
    if loadavg (1min) > 4 then alert
    if loadavg (5min) > 2 then alert
    if cpu usage > 95% for 10 cycles then alert
    if memory usage > 75% then alert
    if swap usage > 25% then alert
    if swap usage > 75% for 5 cycles then exec "/usr/sbin/apachectl restart"
With `use address 0.0.0.0` and `allow 0.0.0.0/0.0.0.0` the interface is reachable from the whole Internet, protected only by HTTP basic auth over plain HTTP, which sends the password in clear and lets anyone who guesses it trigger the configured restart actions. Restrict `allow` to the management networks (for example allow 120.115.3.0/24), add a 3389 rule to the rc.local allowlist as done for 22 and 3306, or enable TLS on it with monit's `with ssl` option.
After editing, restart the service:
systemctl restart monit
Check that it is listening:
netstat -ant | grep :3389
Now open http://HOSTNAME:3389 to see whether you can log in and view the status. Or check from the terminal:
monit status
Add Apache, MySQL and rsyslog monitoring (the snippet directories differ by monit version; use whichever pair exists):
ln -s /etc/monit/conf-available/apache2 /etc/monit/conf-enabled/
ln -s /etc/monit/conf-available/mysql /etc/monit/conf-enabled/
ln -s /etc/monit/conf-available/rsyslog /etc/monit/conf-enabled/
or
ln -s /etc/monit/monitrc.d/apache2 /etc/monit/conf.d/
ln -s /etc/monit/monitrc.d/mysql /etc/monit/conf.d/
ln -s /etc/monit/monitrc.d/rsyslog /etc/monit/conf.d/
Restart to apply:
systemctl restart monit
vi /etc/monit/conf-available/apache2
Add one line before the existing if:
if memory usage > 80% for 5 cycles then restart
Restart to apply:
systemctl restart monit
vi /etc/monit/conf-available/mysql
Comment out line 6:
#if failed host localhost port 3306 protocol mysql with timeout 15 seconds for 3 times within 4 cycles then restart
Restart to apply:
systemctl restart monit
cd /etc/skel/
mkdir public_html
Download https://campus-xoops.tn.edu.tw/modules/tad_uploader/index.php?op=dlfile&cfsn=112&cat_sn=11
and unpack it into /etc/skel/public_html; every account created from now on gets a copy.
adduser USERNAME
Then open http://HOSTNAME/~USERNAME in a browser to see that user's pages.
wget http://myip.tw/download/yhtools.tar.gz
tar xzvf yhtools.tar.gz
cd yhtools/maccount
vi passwd.txt
./maccount.sh add passwd.txt
./maccount.sh mysql passwd.txt
(The archive is fetched over plain HTTP and run as root, so read maccount.sh before running it; keep passwd.txt, the account list it creates users from, readable by root only and delete it afterwards.)
cat <<EOF > /etc/systemd/system/rc-local.service
[Unit]
Description=/etc/rc.local
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
EOF
(written with > rather than the original >>, so rerunning the command does not append a second copy of every section)
Put the firewall script from the start of this page into /etc/rc.local, then make it executable:
chmod +x /etc/rc.local
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local
cd ~
wget https://campus-xoops.tn.edu.tw/uploads/ensshRsync.zip
unzip ensshRsync.zip
chmod +x ensshRsync.sh
Edit the settings at the top of ensshRsync.sh:
#Local directories to back up
backuplist="/var/www /var/lib/mysql"
#IP or domain name of the backup host
remote="120.115.1.1"
#Bandwidth limit
limit=5000
#Number of recycle copies to keep
recyclekeep=7
#User name on the backup host
remoteUser="root"
# remoteUser="USERNAME"
#Home directory of that user on the backup host
remoteHome="/root"
#remoteHome="/home/${remoteUser}"
#Directory name for the backups
remoteDIR="${remoteHome}/backup"
backuplist: directories to back up, separated by spaces. Note that rsync of /var/lib/mysql while MariaDB is running does not give a consistent copy; dump the databases with mysqldump into a backed-up directory first, or stop the database during the copy.
remote: IP of the backup host
limit: 5000 means 5 MB/s; comment it out for no limit.
recyclekeep: number of copies kept; with one backup a day, 7 lets you restore data from up to 7 days ago.
remoteDIR: folder on the backup host for the backups (created automatically)
remoteUser: SSH account used to log in to the backup host
remoteHome: that account's home directory; if it is not root, use #remoteHome="/home/${remoteUser}" instead.
./ensshRsync.sh
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Continue until the following question appears, then answer yes:
Are you sure you want to continue connecting (yes/no)
Then enter the backup host's SSH password when asked (possibly several times).
The key has no passphrase and is added to the backup host's authorized_keys, so whoever controls this web host can log in there as remoteUser without a password; use an unprivileged account rather than root and restrict the key (from= and command= options in authorized_keys) to what the backup needs.
crontab -e
Back up automatically at 3 AM every day (adjust the time as you like):
0 3 * * * /root/ensshRsync.sh
To pull a backup back:
./getMyBackup.sh
The following is adapted from:
vi /etc/apt/sources.list
Add the line for your release:
#2016 jessie
deb https://apt.dockerproject.org/repo debian-jessie main
#2017 and later, stretch
deb https://apt.dockerproject.org/repo debian-stretch main
apt-get update
apt-get install apt-transport-https ca-certificates dirmngr
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
apt-get install docker-engine
systemctl start docker
systemctl enable docker
systemctl status docker
docker run hello-world
Note: apt.dockerproject.org and the docker-engine package are discontinued (current releases are published as docker-ce from download.docker.com) and the sks-keyservers pool has been shut down, so the steps above only document the old procedure. The one-line installer below fetches a script and runs it as root: download it first, read it, then execute it rather than piping it straight into sh.
curl -fsSL https://get.docker.com/ | sh
To remove Docker:
apt-get purge docker-engine
apt-get autoremove --purge docker-engine
rm -rf /var/lib/docker
apt install gnupg
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
apt-get -y update
apt-get -y install jitsi-meet
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
If that fails, use certbot instead (the command is certbot, one word):
certbot --nginx
vi /etc/nginx/sites-available/default
server_names_hash_bucket_size 64;
server {
listen 80;
listen [::]:80;
server_name meet.lces.tn.edu.tw;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name meet.lces.tn.edu.tw;
ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 (allowed in the original) are deprecated by RFC 8996; drop TLSv1.3 only on nginx older than 1.13
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/letsencrypt/live/meet.lces.tn.edu.tw/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/meet.lces.tn.edu.tw/privkey.pem; # managed by Certbot
root /usr/share/jitsi-meet;
# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;
index index.html index.htm;
error_page 404 /static/404.html;
gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;
location = /config.js {
alias /etc/jitsi/meet/meet.lces.tn.edu.tw-config.js;
}
location = /external_api.js {
alias /usr/share/jitsi-meet/libs/external_api.min.js;
}
#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
add_header 'Access-Control-Allow-Origin' '*';
alias /usr/share/jitsi-meet/$1/$2;
}
# BOSH
location = /http-bind {
proxy_pass http://localhost:5280/http-bind;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# xmpp websockets
location = /xmpp-websocket {
proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
tcp_nodelay on;
}
location ~ ^/([^/?&:'"]+)$ {
try_files $uri @root_path;
}
location @root_path {
rewrite ^/(.*)$ / break;
}
location ~ ^/([^/?&:'"]+)/config.js$
{
set $subdomain "$1.";
set $subdir "$1/";
alias /etc/jitsi/meet/meet.lces.tn.edu.tw-config.js;
}
#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
set $subdomain "$1.";
set $subdir "$1/";
rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}
# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /http-bind;
}
# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
set $subdomain "$1.";
set $subdir "$1/";
set $prefix "$1";
rewrite ^/(.*)$ /xmpp-websocket;
}
}
systemctl restart nginx
apt-get install python-pip
apt-get install git
pip install git+https://github.com/Lokaltog/powerline
(the original used git+git://, an unauthenticated protocol GitHub no longer serves; the repository has since moved to powerline/powerline, to which GitHub redirects)
wget https://github.com/powerline/powerline/raw/develop/font/PowerlineSymbols.otf
mv PowerlineSymbols.otf /usr/share/fonts/
wget https://github.com/powerline/powerline/raw/develop/font/10-powerline-symbols.conf
mv 10-powerline-symbols.conf /etc/fonts/conf.d/
apt-get install fontconfig
fc-cache -vf /usr/share/fonts/
vi ~/.bashrc
Add to the file:
export TERM="screen-256color"
Find where powerline-status is installed:
pip show powerline-status
Name: powerline-status
Version: 2.5.2.dev9999-git.5fa504118ee470e9cc9c8665515b77900ce5821e
Location: /usr/local/lib/python2.7/dist-packages
Requires:
Add that location to ~/.bashrc as well:
vi ~/.bashrc
Pasted in, it looks like this:
powerline-daemon -q
POWERLINE_BASH_CONTINUATION=1
POWERLINE_BASH_SELECT=1
. /usr/local/lib/python2.7/dist-packages/powerline/bindings/bash/powerline.sh
Log out and back in to see the effect.
To use it in vim:
vi ~/.vimrc
Add:
set rtp+=/usr/local/lib/python2.7/dist-packages/powerline/bindings/vim/
set laststatus=2
set t_Co=256
Install:
apt-get install vim-nox
Full write-up: http://www.tecmint.com/powerline-adds-powerful-statuslines-and-prompts-to-vim-and-bash/
List all listening services (ss -pnltu on systems without netstat):
netstat -pnltu