隐藏nginx的版本号

1 设置nginx.conf的http段参数server_tokens;

bear@njava:~/nginx-0.8.34# sudo vi /etc/nginx/nginx.conf

user www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;

    server_tokens off;
.....

2 重新编译nginx
修改nginx的代码,重新编译

bear@njava:~/nginx-0.8.34/src/http# vi ngx_http_header_filter_module.c 
/*
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
*/
static char ngx_http_server_string[] = "Server: njava/4.1.6" CRLF;
static char ngx_http_server_full_string[] = "Server: njava server /4.1.6" CRLF;

Tags: , , ,

星期二, 三月 30th, 2010 服务器 没有评论

linux固定静态ip设置

1 修改网卡设置

bear@njava:~$ sudo vi /etc/network/interfaces
auto lo
iface lo inet loopback
 
auto etho
iface etho inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

bear@njava:~$ sudo /etc/init.d/networking start

2 增加DNS

bear@njava:~$ sudo vi /etc/resolv.conf 
nameserver 8.8.8.8
nameserver 192.168.0.1

Tags: ,

星期一, 三月 29th, 2010 服务器 没有评论

在ubuntu9.10下用awstats分析nginx日志

1 下载awstats
sudo apt-get install awstats 弄下来的版本在执行awstats_configure.pl时候找不到wwwroot目录结构,所以重新直接下载awstats了

bear@njava:~$axel http://prdownloads.sourceforge.net/awstats/awstats-6.95.tar.gz
bear@njava:~$tar xzvf awstats-6.95.tar.gz

2 执行配置脚本
先把 awstats目录复制到/usr/local/awstats,脚本是按照这个目录结构去执行的,如果不是在这/usr/local/awstats里,运行时回提示的

bear@njava:/usr/local/awstats/tools$ sudo ./awstats_configure.pl 
[sudo] password for bear: 

----- AWStats awstats_configure 1.0 (build 1.8) (c) Laurent Destailleur -----
This tool will help you to configure AWStats to analyze statistics for
one web server. You can try to use it to let it do all that is possible
in AWStats setup, however following the step by step manual setup
documentation (docs/index.html) is often a better idea. Above all if:
- You are not an administrator user,
- You want to analyze downloaded log files without web server,
- You want to analyze mail or ftp log files instead of web log files,
- You need to analyze load balanced servers log files,
- You want to 'understand' all possible ways to use AWStats...
Read the AWStats documentation (docs/index.html).

-----> Running OS detected: Linux, BSD or Unix

-----> Check for web server install

Enter full config file path of your Web server.
Example: /etc/httpd/httpd.conf
Example: /usr/local/apache2/conf/httpd.conf
Example: c:\Program files\apache group\apache\conf\httpd.conf
Config file path ('none' to skip web server setup):
> none     #因为没法自动配置nginx,所以none

Your web server config file(s) could not be found.
You will need to setup your web server manually to declare AWStats
script as a CGI, if you want to build reports dynamically.
See AWStats setup documentation (file docs/index.html)

-----> Update model config file '/usr/local/awstats/wwwroot/cgi-bin/awstats.model.conf'
  File awstats.model.conf updated.

-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile
file (required if first install) [y/N] ? y  

-----> Define config file name to create
What is the name of your web site or profile analysis ?
Example: www.mysite.com
Example: demo
Your web site, virtual server or profile name:
> www.njava.com   #配置名字

-----> Define config file path
In which directory do you plan to store your config file(s) ?
Default: /etc/awstats
Directory path to store config file(s) (Enter for default):
> 

-----> Create config file '/etc/awstats/awstats.www.njava.com.conf'
 Config file /etc/awstats/awstats.www.njava.com.conf created.

-----> Add update process inside a scheduler
Sorry, configure.pl does not support automatic add to cron yet.
You can do it manually by adding the following command to your cron:
/usr/local/awstats/wwwroot/cgi-bin/awstats.pl -update -config=www.njava.com
Or if you have several config files and prefer having only one command:
/usr/local/awstats/tools/awstats_updateall.pl now
Press ENTER to continue... 


A SIMPLE config file has been created: /etc/awstats/awstats.www.njava.com.conf
You should have a look inside to check and change manually main parameters.
You can then manually update your statistics for 'www.njava.com' with command:
> perl awstats.pl -update -config=www.njava.com
You can also build static report pages for 'www.njava.com' with command:
> perl awstats.pl -output=pagetype -config=www.njava.com

Press ENTER to finish...

bear@njava:/usr/local/awstats/tools$ 

3 修改awstats配置文件
修改awstats.conf

bear@njava:/usr/local/awstats/tools$ sudo vi /etc/awstats/awstats.conf
# LogFormat = 1
# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
#
# Example for IIS:
# LogFormat = 2
#
LogFormat =1  #继续使用apache的默认格式

AllowToUpdateStatsFromBrowser=1 #允许浏览器刷新,njava的流量小,这个可以有

Include "/etc/awstats/awstats.www.njava.com.conf" #包含njava的配置

4 修改nginx的日志格式

bear@njava:/etc/awstats$sudo  vi /etc/nginx/nginx.conf
user www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;

    #main 把nginx的输出日志定义成了apache格式的日志
     log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $http_x_forwarded_for';

    access_log  /var/log/nginx/access.log main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;

    gzip  on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

4 修改awstats.www.njava.com.conf

bear@njava:/usr/local/awstats/tools$ sudo vi /etc/awstats/awstats.conf
LogFile="/var/log/nginx/www.njava.access.log"

要看相应域名下的日志使用
http://awstats.njava.com/awstats.pl?config=cdn.njava.com

5 配置nginx
先确保了nginx已经代理了nginx-fcgi,可以参看 xxx

bear@njava:/etc/awstats$ vi /etc/nginx/sites-enabled/awstats.njava.com  

server {
        listen   80;
        server_name awstats.njava.com;

        access_log   /var/log/nginx/awstats.log main;
        error_log    /var/log/nginx/awstats_error.log;

        root /usr/local/awstats/wwwroot;
        #auth_basic   "Restricted";
       #auth_basic_user_file  /etc/nginx/conf/awstats;

        location / {
             rewrite ^ /awstats.pl?config=freshventure.info;
        }

        location ~ .*(\.cgi|\.pl?)$ {
               gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
               root /usr/local/awstats/wwwroot/cgi-bin;
               #fastcgi_pass 127.0.0.1:8000;
                fastcgi_pass   unix:/tmp/nginx-fcgi.sock;
                fastcgi_index awstats.pl;
               fastcgi_param SCRIPT_FILENAME            $document_root$fastcgi_script_name;
               include        fastcgi_params;
        }

         location /icon {
                alias /usr/local/awstats/wwwroot/icon;
  location /icon {
                alias /usr/local/awstats/wwwroot/icon;
        }
  location /js {
                alias /usr/local/awstats/wwwroot/js;
        }

  location /css {
                alias /usr/local/awstats/wwwroot/css;
        }

  location /classes {
                alias /usr/local/awstats/wwwroot/classes;
        }
}

为目录添加用户验证

bear@njava:/etc/nginx/conf$ sudo htpasswd -c awstats admin
New password: 
Re-type new password: 
Adding password for user admin
bear@njava:/etc/nginx/conf$

可以把/etc/nginx/sites-enabled/awstats.njava.com中出现的这个注释掉了
#auth_basic “Restricted”;
#auth_basic_user_file /etc/nginx/conf/awstats;

Tags: , ,

星期一, 三月 29th, 2010 服务器 没有评论

ab测试和ulimit的设置

ApacheBench 是一个指令列程式,专门用来执行网站服务器的运行效能,特别是针对Apache 网站服务器。这原本是用来检测 Apache 网站服务器能够提供的效能,特别是可以看出Apache能提供每秒能送出多少网页。
ApacheBench( ab )工具程式是标准 Apache 网站服务器发布的一部份,跟 Apache 网站服务器一样,也是免费软件,并可以用 Apache许可证 的规范下散布此软件。

命令格式:ab [-q] -c 并发请求数 -n 总的请求数 [http://]域名[:端口]/路径

1)使用-q选项时,将不显示测试进度信息

2)当测试的目标是Web站点的根路径时,注意最后的“/”符号不能省略

3)指定的并发请求数不能小于总的请求数

使用ab的时候当并发数超过默认最大打开文件数1024的时候就会示出错:

bear@njava:~/$ ab -n 1000000 -c 2000 http://www.njava.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.njava.com (be patient)
socket: Too many open files (24)
bear@njava:~/soft$

这个时候可以是用ulimit命令来增大文件打开数限制

命令格式: ulimit –n 最大文件数
如:

ulimit -n 10000

sudo需要bash的shell来运行ulimit

这个命令只是真对当前shell, 如果要开机生效需要修改 /etc/security/limits.conf

bear@njava:/$ sudo vi /etc/security/limits.conf
...
#                 
#

#*               soft    core            0
#root            hard    core            100000
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#ftp             -       chroot          /ftp
#@student        -       maxlogins       4
* soft nofile 32768
* hard nofile 65536
bear@njava:/$sudo reboot

Tags: , ,

星期日, 三月 28th, 2010 服务器 没有评论

nginx目录验证

建立一个密码文件,然后设置nginx设置

bear@njava:/$ sudo mkdir /etc/nginx/conf
bear@njava:/$ sudo htpasswd -c /etc/nginx/conf/passwd njava
bear@njava:/$ sudo vi /etc/nginx/sites-available/njava
location ~ ^/xxx/  {
      root    /data/htdocs/xxx;
      auth_basic              "input your username and password";
      auth_basic_user_file /etc/nginx/conf/passwd;
}

Tags: ,

星期日, 三月 28th, 2010 服务器 没有评论

nginx限制并发连接

做法:定义一个叫“limit”的记录区,总容量为 10M,以变量 $binary_remote_addr 作为会话的判断基准

修改nginx配置

bear@njava:/$ sudo vi /etc/nginx/sites-available/njava

limit_zone   limit  $binary_remote_addr  10m;
server {
location /download/ {
limit_conn   limit  1;
}

Tags: ,

星期日, 三月 28th, 2010 服务器 没有评论

在ubuntu9.10下用cacti监控nginx运行

Cacti 在英文中的意思是仙人掌的意思,Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具。它通过snmpget来获取数据,使用 RRDtool绘画图形,而且你完全可以不需要了解RRDtool复杂的参数。它提供了非常强大的数据和用户管理功能,可以指定每一个用户能查看树状结 构、host以及任何一张图,还可以与LDAP结合进行用户验证,同时也能自己增加模板,功能非常强大完善。http://www.cacti.net/

1 安装cacti

bear@njava:/$  sudo apt-get install cacti-cactid 

2 下载cacti-nginx脚本

bear@njava:/$ wget http://forums.cacti.net/download.php?id=12676
bear@njava:/$ tar -xzvf cacti-nginx.tar.gz
bear@njava:/$ sudo cp cacti-nginx/get_nginx_socket_status.pl /usr/share/cacti/site/scripts
bear@njava:/$ sudo cp cacti-nginx/get_nginx_clients_status.pl /usr/share/cacti/site/scripts
bear@njava:/$ sudo chmod 755 /usr/share/cacti/site/scripts/get_nginx*

3 检查脚本

bear@njava:/$ /usr/share/cacti/site/scripts/get_nginx_socket_status.pl http://www.njava.com/nginx_status

4 配置cacti的nginx虚拟主机

 
bear@njava:$ sudo vi /etc/nginx/sites-available/cacti
server {
        listen   80;
        server_name cacti.njava.com;
        access_log  /var/log/nginx/cacti.access.log;

        location / {
                root   /usr/share/cacti/site;
                index  index.html index.htm index.php;
        }

        location ~ \.php$ {
                fastcgi_pass unix:/tmp/php-cgi.njava.sock;
                fastcgi_index index.php;
                set $path_info "/";
                set $real_script_name $fastcgi_script_name;
                if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                    set $real_script_name $1;
                    set $path_info $2;
                }
               fastcgi_param SCRIPT_FILENAME /usr/share/cacti/site/$real_script_name;
               fastcgi_param script_name $real_script_name;
               fastcgi_param path_info $path_info;
               include /etc/nginx/fastcgi_params;
        }
}

bear@njava:$ sudo ln -s /etc/nginx/sites-available/cacti  /etc/nginx/sites-enable/cacti

bear@njava:$ sudo /etc/init.d/nginx reload

5 从cacti的UI上传cacti模板

cacti_graph_template_nginx_clients_stat.xml
cacti_graph_template_nginx_sockets_stat.xml

Tags: , ,

星期日, 三月 28th, 2010 服务器 没有评论

ssh因为eCryptfs的原因PubkeyAuthentication登录不上

折腾了一天,ubuntu9.10服务端authorized_keys文件权限,.ssh权限都正常,ssh基于密码登录能正常登录,但是基于ras的密钥登录却出现问题。必须要服务器控制台先登录了,远程的ssh才能登录。查期原因,原来是eCryptfs闹腾的。

eCryptfs – Enterprise Cryptographic Filesystem 是linux下一个企业级的磁盘加密系统。

解决办法一

 $ /sbin/umount.ecryptfs_private
 $ cd $HOME
 $ chmod 700 .
 $ mkdir -m 700 .ssh
 $ chmod 500 .
 $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
 $ /sbin/mount.ecryptfs_private

解决方法二
bear@njava:~$ vi /etc/ssh/sshd_config

AuthorizedKeysFile /etc/.ssh/%u/authorized_keys

Tags: ,

星期六, 三月 27th, 2010 服务器 没有评论

ubuntu启动加载调整sysv-rc-conf

1 安装sysv-rc-conf

bear@njava:~$ sudo apt-get update
bear@njava:~$ sudo apt-get install sysv-rc-conf

2 运行

bear@njava:~$ sudo sysv-rc-conf

3 运行等级
开机进程执行顺序如下:
运行等级 S:开机进程中的第一个运行等级。/etc/init.d/rcS脚本将被调用到开启并且/etc/rcS.d目录下的所有进程将被执行。
运行等级 1:单用户模式。/etc/rc1.d目录下的所有进程将被执行。
运行等级 2,3,4,5:在debian系统里是多用户环境,可能不包含图形用户界面。同样的,在相应目录下的进程将被运行。
运行等级 0:关闭计算机
运行等级 6:重起计算机

Tags: ,

星期六, 三月 27th, 2010 服务器 没有评论

ssh安全策略

1 客户机生成私钥和公钥

客户端:

$ ssh-keygen -t rsa

2 上传公钥 xx.pub

ssh-copy-id -i ~/.ssh/bear@njava.pub bear@njava.com

或者
服务端:

$ mkdir ~/.ssh
$ chmod 700 .ssh
$ cat xx.pub>~/.ssh/authorized_keys
$ chmod 600 authorized_keys

3 禁止密码登录
服务端:

$ sudo vim /etc/ssh/sshd_config 

#PasswordAuthentication yes /*禁止密码验证登录
PasswordAuthentication no

#确保公钥登录
PubkeyAuthentication yes 

#LogLevel info  提高日志级别
LogLevel VERBOSE

#LoginGraceTime 120 登录等待的最短时间 改为20秒,可以有效的防御thwarting automated),暴力攻击ssh,和DDOS
LoginGraceTime 20

#Banner /etc/issue.net 警告信息,建立/etc/issue 文件,ln -s 到 /etc/issue.net
Banner /etc/issue.net

#只允许特定用户ssh登录
AllowUsers 'bear njava'

#不允许特定用户ssh登录
DenyUsers 'pig java'

#只允许指定组用户登录
AllowGroups sshlogin

#添加组信息的方法
#sudo addgroup --gid 450 sshlogin
#sudo adduser  sshlogin 

#改变ssh监听端口
Port 2222

4 重启ssh

sudo /etc/init.d/ssh restart

Tags: , ,

星期五, 三月 26th, 2010 服务器 没有评论
Pages: Prev 1 2 3 ... 5 6 7 8 9 10 11 12 13 14 15 Next
1LMooBmUE153Wnd3zDryWvDyXxQudbFxDr