FreeBSD beginner-level web server configuration notes

Posted on 2009-7-18 00:25:04
After reinstalling the system several dozen times, I finally got the web server configured. The mistakes along the way were ones I would never have thought of; any small slip produces an error. The order below must not be changed, and the key points need attention. Below I share the configuration I ended up with.
I won't write an introduction to FreeBSD here; you can look one up yourself, there are plenty.
If you are an expert, please criticise and correct freely, since I have only studied this for about two weeks and oversights are inevitable.
The purpose of this article is to record my own research process; it is for reference only, so do not copy it wholesale.
The best tutorial is:
http://doc.code365.net/Manual/FreeBSD_HandBook/
If you really want to master FreeBSD, you must read it!
Finally, to beginners who, like me, are interested in FreeBSD:
Be patient! When you feel like giving up, think back to how it was when you learned Windows ^_^ Honestly, FreeBSD's interface is not friendly; never mind Windows or Mac, it may not even match Linux -_-! But beneath its untamed exterior is a strong and stable heart that has to be won over with patience, and it is worth it!
How to read this article
QUOTE: (marks input typed and executed at the command line)
CODE: (marks options)
This marks file contents (if the original file lacks a line and this article has it, add it; if the original file has it and this article does not, leave it unchanged; if both have it, change it to match the example; if neither has it, use your own judgement ^_^)
OK, let's start step by step!
I. Install the system
Explained earlier.

SSH installation and configuration
First edit /etc/inetd.conf with ee, remove the # in front of ssh, save and quit.
Edit /etc/rc.conf
and append at the end: sshd_enable="YES"
Start the sshd service:
# /etc/rc.d/sshd start
Finally
ee /etc/ssh/sshd_config
Below is my configuration file (/etc/ssh/sshd_config):
####################################################
# (comments are on their own lines: sshd_config only treats a line starting
# with # as a comment, and a trailing comment on a directive is read as part
# of its argument)
Protocol 2
# allow members of the wheel group only
AllowGroups wheel
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PrintMotd yes
StrictModes no
RSAAuthentication yes
X11Forwarding no
UseDNS no
# allow root to log in
PermitRootLogin yes
# do not allow logins with an empty password
PermitEmptyPasswords no
# whether password authentication is used
PasswordAuthentication yes
MaxStartups 5
##############################################
Remember to restart the sshd server after editing the config file (/etc/rc.d/sshd restart).
Add a user
# sysinstall
Choose [Configure] -> [User Management] -> [User]; only "member group" needs to be wheel, fill in the rest as you like.
After rebooting the machine you can connect with SecureCRT.

II. System update and optimisation
Synchronise the system time
QUOTE:
# ntpdate clepsydra.dec.com

Network tuning
QUOTE:
# ee /etc/sysctl.conf
CODE:
kern.maxfilesperproc=32768
kern.ipc.somaxconn=32768
kern.ipc.shmmax=67108864 # 64MB
kern.ipc.shmall=32768
kern.ipc.shm_allow_removed=0
kern.coredump=1
net.inet.ip.portrange.last=65535
net.inet.tcp.msl=2500
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1
net.inet.tcp.always_keepalive=1
net.inet.raw.maxdgram=65536
net.inet.raw.recvspace=65536
net.inet.tcp.blackhole=2
net.inet.tcp.delayed_ack=1
net.inet.tcp.inflight.enable=1
net.inet.tcp.inflight.debug=0
net.inet.tcp.inflight.rttthresh=10
net.inet.tcp.inflight.min=6144
net.inet.tcp.inflight.max=1073725440
net.inet.tcp.inflight.stab=20
net.local.stream.sendspace=65536
net.local.stream.recvspace=65536
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536
net.inet.udp.maxdgram=24576
net.inet.udp.recvspace=49152
net.inet.ip.rtexpire=3600
net.inet.ip.rtminexpire=2
net.inet.ip.random_id=1
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=1
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.tcp.keepidle=600000
net.inet.ip.redirect=0
net.isr.direct=1
net.inet.ip.intr_queue_maxlen=4096
kern.ipc.shm_use_phys=1
net.inet.ip.fastforwarding=1
vfs.hirunningspace=4194304
vfs.ufs.dirhash_maxmem=33554432 # 32MB
vfs.write_behind=0
security.bsd.see_other_uids=1
security.bsd.see_other_gids=1
QUOTE:
# ee /boot/loader.conf
CODE:
kern.maxdsiz="536870912"
kern.ipc.maxsockets="4008"
kern.ipc.nmbclusters="32768"
kern.ipc.nmbufs="65535"
kern.ipc.nsfbufs="2496"
net.inet.tcp.tcbhashsize="2048"
Install the multi-threaded download tool axel
QUOTE:
# cd /usr/ports/ftp/axel
# make install clean ; rehash
Default options
QUOTE:
# ee /etc/make.conf
CODE:
FETCH_CMD=axel
FETCH_BEFORE_ARGS= -n 10 -a
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes
MASTER_SITE_BACKUP?= \
ftp://ftp.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp2.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp3.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp4.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp5.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp7.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp8.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/ \
ftp://ftp9.tw.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/
MASTER_SITE_OVERRIDE?= ${MASTER_SITE_BACKUP}


III. Applications and services
1. Base environment
Install perl
QUOTE:
# cd /usr/ports/lang/perl5.8
# make install clean ; rehash
Install openssl (optional)
QUOTE:
# cd /usr/ports/security/openssl
# make install clean ; rehash
Install the ports update-checking tool
QUOTE:
# cd /usr/ports/sysutils/portupgrade
# make install clean ; rehash
Default options
2. AMP environment configuration
Install mysql
QUOTE:
# cd /usr/ports/databases/mysql50-server
# make WITH_CHARSET=utf8 WITH_XCHARSET=all WITH_PROC_SCOPE_PTH=yes BUILD_OPTIMIZED=yes BUILD_STATIC=yes SKIP_DNS_CHECK=yes WITHOUT_INNODB=yes install clean ; rehash
# cd /usr/ports/databases/mysql50-scripts
# make install clean ; rehash
# /usr/local/bin/mysql_install_db
# ln -s /usr/local/lib/mysql/libmysqlclient.so.12 /usr/lib
# chown -R mysql /var/db/mysql
# chown -R root /var/db/mysql
# chown -R mysql:mysql /var/db/mysql
# chmod 700 /var/db/mysql
Tune mysql
QUOTE:
# ee /etc/my.cnf
CODE:
[mysqld]
skip-networking
skip-innodb
skip-bdb
skip-name-resolve
skip-locking
#log-bin
# the options below assume 2 GB of RAM
key_buffer=512M
max_allowed_packet=4M
table_cache=1024
thread_cache=64
join_buffer_size=32M
sort_buffer=32M
record_buffer=32M
max_connections=512
wait_timeout=120
interactive_timeout=120
max_connect_errors=30000
long_query_time=1
max_heap_table_size=256M
tmp_table_size=128M
thread_concurrency=8
myisam_sort_buffer_size=128M
Start mysql at boot
QUOTE:
# cp /usr/local/etc/rc.d/mysql-server /usr/local/etc/rc.d/mysql.sh
# ee /etc/rc.conf
CODE:
mysql_enable="YES"
Start mysql
QUOTE:
# /usr/local/etc/rc.d/mysql.sh start
Install apache22
QUOTE:
# cd /usr/ports/www/apache22
# make install clean ; rehash
During installation, add mysql and deselect ipv6
Start apache at boot
QUOTE:
# ee /etc/rc.conf
CODE:
apache22_enable="YES"
Start apache
QUOTE:
# cp /usr/local/etc/rc.d/apache22 /usr/local/etc/rc.d/apache22.sh
# /usr/local/etc/rc.d/apache22.sh start
Install php
QUOTE:
# cd /usr/ports/lang/php5
# make install clean ; rehash
During installation, select apache and deselect ipv6

Install the php extensions
QUOTE:
# cd /usr/ports/lang/php5-extensions
# make install clean ; rehash
Select
CALENDAR
CTYPE
GD
ICONV
MBSTRING
MCRYPT
MYSQL
PCRE
POSIX
SESSION
SOCKETS
XML (select all of the XML ones)
ZIP
ZLIB
Configure php
QUOTE:
# cd /usr/local/etc
# cp php.ini-recommended php.ini
# ee php.ini
CODE:
; For security, disable certain functions; adjust to your own situation
; (the original list contained "popepassthru", which is not a PHP function; popen is what was meant)
disable_functions = passthru, exec, phpinfo, system, ini_alter, readlink, symlink, leak, proc_open, popen, chroot, scandir, chgrp, chown, escapeshellcmd, escapeshellarg, shell_exec, proc_get_status
; Off: only files that use <?php ... ?> are executed; On: <? ... ?> works as well
short_open_tag = On

Configure apache
For the specific options see http://doc.code365.net/Manual/ApacheManual/
QUOTE:
# ee /usr/local/etc/apache22/httpd.conf
CODE:
# site document root
# (comments are on their own lines: httpd.conf does not accept a trailing
# comment after a directive, and the Directory block is closed here)
DocumentRoot "/usr/www"
<Directory "/usr/www">
    Options FollowSymLinks
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html index.php index.htm
</IfModule>
<IfModule mime_module>
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>
AddDefaultCharset GB2312
ServerTokens Prod
ServerSignature Off
# prefork tuning for BSD
<IfModule mpm_prefork_module>
    StartServers 10
    MinSpareServers 10
    MaxSpareServers 15
    ServerLimit 2000
    MaxClients 1500
    MaxRequestsPerChild 10000
</IfModule>
Install ZendOptimizer
ZendOptimizer is commercial software, so it cannot be built from ports; it has to be downloaded and installed.
axel followed by the download URL
QUOTE:
Create links for the library files
# ln -s /usr/lib/libc.so /usr/lib/libc.so.6
# ln -s /usr/lib/libcrypt.so /usr/lib/libcrypt.so.3
# ln -s /usr/lib/libutil.so /usr/lib/libutil.so.5
# ln -s /usr/lib/libm.so /usr/lib/libm.so.4
# tar zxvf ZendOptimizer-3.3.0a-freebsd6.0-amd64.tar.gz
# mv ZendOptimizer-3.3.0a-freebsd6.0-amd64 zend
# ./install-tty
Accept the defaults all the way through
Install phpmyadmin
It can also be done the traditional way: download it, upload it to the machine over ftp, configure the parameters and run it.
QUOTE:
# cd /usr/ports/databases/phpmyadmin
# make install clean ; rehash
Default options
QUOTE:
# cp -R /usr/local/www/phpMyAdmin /usr/www/phpMyAdmin
# cd /usr/www/phpMyAdmin
# cp ./libraries/config.default.php config.inc.php
# ee config.inc.php
CODE:
$cfg['blowfish_secret'] = 'host';   # cookie encryption secret (use a long random string rather than a short word)
$cfg['Servers'][$i]['auth_type'] = 'cookie';   # authentication method (the original line lacked the closing semicolon)
QUOTE:
# chmod 755 config.inc.php
Change the mysql password: mysqladmin -u root password 'your-password'

3. FTP setup: installing pure-ftpd
QUOTE:
# pw groupadd ftpgroup -g 10001
# pw useradd ftp -u 10001 -g ftpgroup -s /sbin/nologin
# chown ftp:ftpgroup /usr/www
# cd /usr/ports/ftp/pure-ftpd
# make install clean
Select MYSQL, PAM, PRIVSEP, PERUSERLIMITS, THROTTLING, UPLOADSCRIPT, SENDFILE
Create the pure-ftpd database
Run through phpmyadmin
CODE:
CREATE DATABASE pureftpd;
USE pureftpd;
CREATE TABLE `users` (
  `User` varchar(16) NOT NULL default '',
  `Password` varchar(32) binary NOT NULL default '',
  `Uid` int(11) NOT NULL default '14',
  `Gid` int(11) NOT NULL default '5',
  `Dir` varchar(128) NOT NULL default '',
  `QuotaFiles` int(10) NOT NULL default '500',
  `QuotaSize` int(10) NOT NULL default '30',
  `ULBandwidth` int(10) NOT NULL default '80',
  `DLBandwidth` int(10) NOT NULL default '80',
  `ipaccess` varchar(15) NOT NULL default '*',
  `Comment` tinytext,
  `Status` enum('0','1') NOT NULL default '1',
  `ULRatio` smallint(5) NOT NULL default '1',
  `DLRatio` smallint(5) NOT NULL default '1',
  PRIMARY KEY (`User`),
  UNIQUE KEY `User` (`User`)
) ENGINE=MyISAM;  -- ENGINE= is the current spelling; the original used the deprecated TYPE=MyISAM
Through phpmyadmin create a user named ftpadmin with the password adminpassword, and grant it the Select, Insert, Update and Delete privileges on the pureftpd database.
Configure pure-ftp
QUOTE:
# cd /usr/local/etc
# cp pureftpd-mysql.conf.sample pureftpd-mysql.conf
# ee pureftpd-mysql.conf
CODE:
# for the specific options see http://download.pureftpd.org/pub/pure-ftpd/doc/README
MYSQLServer localhost
MYSQLUser ftpadmin
MYSQLPassword adminpassword
MYSQLDatabase pureftpd
MYSQLCrypt crypt
MYSQLGetPW SELECT Password FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MYSQLGetUID SELECT Uid FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MYSQLGetGID SELECT Gid FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MYSQLGetDir SELECT Dir FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MySQLGetQTASZ SELECT QuotaSize FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
# MySQLGetRatioUL SELECT ULRatio FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
# MySQLGetRatioDL SELECT DLRatio FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User="\L" AND Status="1" AND (Ipaccess = "*" OR Ipaccess LIKE "\R")

QUOTE:
# cp pureftpd.conf.sample pure-ftpd.conf
# ee pure-ftpd.conf

Below is my configuration
CODE:
ChrootEveryone yes
BrokenClientsCompatibility no
MaxClientsNumber 50
Daemonize yes
MaxClientsPerIP 2
VerboseLog no
DisplayDotFiles yes
AnonymousOnly no
NoAnonymous yes
SyslogFacility ftp
DontResolve yes
MaxIdleTime 15
MySQLConfigFile /usr/local/etc/pureftpd-mysql.conf
LimitRecursion 2000 8
AnonymousCanCreateDirs no
MaxLoad 4
PassivePortRange 30000 50000
AntiWarez yes
Umask 133:022
MinUID 100
AllowUserFXP yes
AllowAnonymousFXP no
ProhibitDotFilesWrite no
ProhibitDotFilesRead no
AutoRename no
AnonymousCantUpload no
CreateHomeDir yes
MaxDiskUsage 99
CustomerProof yes
AltLog clf:/var/log/pureftpd.log
FortunesFile /usr/local/etc/.welcome

QUOTE:
# ee /usr/local/etc/rc.d/pure-ftpd.sh
CODE:
#!/bin/sh
# start/stop wrapper around pure-config.pl (straight quotes; the original had typographic ones)
case "$1" in
start)
    /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
    echo 'pure-ftpd started!'
    echo ''
    ;;
stop)
    killall pure-ftpd
    echo 'pure-ftpd stopped!'
    echo ''
    ;;
restart)
    killall pure-ftpd
    /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
    echo 'pure-ftpd restarted!'
    echo ''
    ;;
*)
    echo 'Usage: {start|stop|restart}' >&2
    exit 64
    ;;
esac
exit 0
QUOTE:
# chmod u+x /usr/local/etc/rc.d/pure-ftpd.sh
Start pure-ftpd at boot
# ee /etc/rc.conf
CODE:
pureftpd_enable="YES"

Install and configure pureftpdadmin
QUOTE:
# ee /usr/www/pureftpdadmin/pureftp.config.php
CODE:
$PUREFTP_CONFIG_FILE = '/usr/local/etc/pureftpd-mysql.conf';
$DefaultUser = "ftpadmin";
$DefaultPass = "adminpassword";
QUOTE:
# ee /usr/www/pureftpdadmin/goodies/Quota_Checker.php
CODE:
$PUREFTP_CONFIG_FILE = '/usr/local/etc/pureftpd-mysql.conf';
QUOTE:
# chmod 755 /usr/local/sbin/pure-ftpwho
# chmod ug+s /usr/local/sbin/pure-ftpwho
Securing pureftpdadmin
If you rename the pureftpdadmin folder, the name must be changed correspondingly everywhere else.
QUOTE:
# ee /usr/local/etc/apache22/httpd.conf
CODE:
<Directory "/usr/www/pureftpdadmin">
    Options None
    AllowOverride AuthConfig
    Order deny,allow
    Deny from all
</Directory>
QUOTE:
# ee /usr/www/pureftpdadmin/.htaccess
CODE:
AuthType Basic
AuthUserFile /usr/local/ftpadmin.pwd
AuthName "操作前请登录"
Require valid-user
Satisfy Any
QUOTE:
# htpasswd -bc /usr/local/ftpadmin.pwd ftpadmin adminpassword
Note that you must give permissions on the database: chmod -R 777 /var/db/mysql/pureftpd
Otherwise you will not be able to log in.

IV. System security
1. The IPFW firewall
Enable the firewall
QUOTE:
# ee /etc/rc.conf
CODE:
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# the stock rc.firewall loads a custom rule file when firewall_type names one.
# (The original post set firewall_script twice, first to /etc/ipfw.rules and
# then to /etc/rc.firewall, with firewall_type="open": the last assignment
# wins in rc.conf, so the firewall stayed open and /etc/ipfw.rules was never loaded.)
firewall_type="/etc/ipfw.rules"
firewall_logging="YES"
gateway_enable="YES"
firewall_quiet="NO"

QUOTE:
# ee /etc/sysctl.conf
CODE:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
Edit the firewall rules
QUOTE:
# ee /etc/ipfw.rules
CODE:
######### TCP ##########
add 00001 deny log ip from any to any ipopt rr
add 00002 deny log ip from any to any ipopt ts
add 00003 deny log ip from any to any ipopt ssrr
add 00004 deny log ip from any to any ipopt lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin
# the 5 rules above filter various scan packets
add 00010 allow ip from any to any via lo0
# loopback traffic (not in the original file; without it local connections to the host's own services are dropped)
add 10001 allow tcp from any to 10.0.0.1 80 in # open HTTP to the whole Internet (commented out in the original post, which would block the web server itself)
add 10002 allow tcp from any to 10.0.0.1 21 in # open FTP to the whole Internet
#add 10003 allow tcp from any to 10.0.0.1 30000-50000 in # passive FTP data ports, matching PassivePortRange in pure-ftpd.conf
add 10000 allow tcp from 1.2.3.4 to 10.0.0.1 22 in
# open SSH only to the Internet address 1.2.3.4, i.e. trust SSH logins from that IP alone.
# If the IP you log in from is not fixed, use: add 10000 allow tcp from any to 10.0.0.1 22 in
add 10010 allow tcp from any to any established
# pass packets of TCP connections that are already established (not in the original file; without it the
# replies of the services opened above never leave the host, since no outbound TCP rule is active)
#add 19997 check-state
#add 19998 allow tcp from any to any out keep-state setup
#add 19999 allow tcp from any to any out
# these three together allow the internal network to connect out; leave them commented if the server itself should not open TCP connections to the Internet
########## UDP ##########
add 20001 allow udp from any 53 to 10.0.0.1 # allow replies from other DNS servers, since this host does DNS lookups
add 29999 allow udp from any to any out # allow our own UDP packets out
########## ICMP #########
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11 in
# allow this host to ping others, and allow the internal network to run traceroute



2. Other security settings
Disable some insecure services
QUOTE:
# ee /etc/rc.conf
CODE:
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
icmp_drop_redirect="YES"
log_in_vain="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
Prevent ordinary users from reading the system logs
QUOTE:
# chmod g-w,o-r /var/log/*
# chmod 600 /etc/syslog.conf
# chmod 600 /etc/newsyslog.conf
Protect bin and sbin
QUOTE:
# chflags schg /bin/*
# chflags schg /sbin/*
Prevent ordinary users from using crontab
QUOTE:
# ee /var/cron/allow
CODE:
root
QUOTE:
# chmod 600 /var/cron/allow

That concludes the basics of building a web server with FreeBSD.

For other security configuration, see: http://bfc.tjuci.edu.cn/bbs/view ... &extra=page%3D2

All the configuration file examples are provided for your reference.
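As an added example, not code from the original post (the script, its function names and messages are my own), the following POSIX shell script audits an sshd_config for the settings in the SSH section above that weaken the server, namely PermitRootLogin yes, StrictModes no and PasswordAuthentication yes, together with a few related directives. The embedded sample is a constructed copy of the sshd_config shown above, with the comments on their own lines.

```shell
#!/bin/sh
# Added example: audit an sshd_config for risky directive values.
# Not part of the original post; directive list and messages are my own.

# Constructed sample mirroring the guide's sshd_config.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
# allow members of the wheel group only
AllowGroups wheel
IgnoreRhosts yes
IgnoreUserKnownHosts yes
PrintMotd yes
StrictModes no
RSAAuthentication yes
X11Forwarding no
UseDNS no
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
MaxStartups 5
EOF
}

# Print one line per risky directive found in the file given as $1.
# Keywords are compared case-insensitively, as sshd does.
audit_sshd_config() {
    awk '
        {
            sub(/#.*/, "")          # drop comment lines
            if (NF < 2) next        # skip blank lines
            key = tolower($1); val = tolower($2)
        }
        key == "protocol"               && val ~ /1/    { print "Protocol " val ": the SSH-1 protocol is enabled" }
        key == "permitrootlogin"        && val == "yes" { print "PermitRootLogin yes: root can log in directly over SSH" }
        key == "strictmodes"            && val == "no"  { print "StrictModes no: badly permissioned key files and home directories are accepted" }
        key == "passwordauthentication" && val == "yes" { print "PasswordAuthentication yes: the server accepts password logins" }
        key == "permitemptypasswords"   && val == "yes" { print "PermitEmptyPasswords yes: accounts with empty passwords can log in" }
        key == "x11forwarding"          && val == "yes" { print "X11Forwarding yes: X11 forwarding is enabled" }
    ' "$1"
}

# Succeeds (exit 0) only when the audit reports nothing.
sshd_config_is_hardened() {
    [ "$(audit_sshd_config "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Demo on the constructed sample; on a real host run audit_sshd_config /etc/ssh/sshd_config
tmp=$(mktemp)
write_sample_sshd_config "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

The audit reports three findings for the configuration above. It only reads the values; `sshd -t` remains the syntax check to run after editing, before restarting the service.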
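As a second added example that is not part of the original post (script and function names are my own), the following POSIX shell script parses an ipfw rule file in the format of /etc/ipfw.rules above, lists the inbound TCP ports that active (uncommented) rules open, and reports each expected service port that has no such rule. The embedded sample is a constructed copy of the rule file with the HTTP rule still commented out, as in the original post, so the check flags port 80.

```shell
#!/bin/sh
# Added example: list the inbound TCP ports an ipfw rule file opens and
# report expected ports that no active rule allows. Not from the original post.

# Constructed sample based on the rule file above (HTTP rule commented out).
write_sample_rules() {
    cat > "$1" <<'EOF'
add 00005 deny tcp from any to any in tcpflags syn,fin
#add 10001 allow tcp from any to 10.0.0.1 80 in # HTTP, commented out
add 10002 allow tcp from any to 10.0.0.1 21 in # FTP
add 10000 allow tcp from 1.2.3.4 to 10.0.0.1 22 in
add 20001 allow udp from any 53 to 10.0.0.1
add 29999 allow udp from any to any out
EOF
}

# Print "port source" for every active rule of the form
#   add N allow tcp from SRC to DST PORT in
# sorted by port. Port ranges (e.g. 30000-50000) are listed but not expanded.
ipfw_inbound_tcp_ports() {
    awk '
        /^[ \t]*#/ { next }     # skip comment lines
        $1 == "add" && $3 == "allow" && $4 == "tcp" && $5 == "from" &&
        $7 == "to" && $9 ~ /^[0-9]+(-[0-9]+)?$/ && $10 == "in" { print $9, $6 }
    ' "$1" | sort -n
}

# Usage: ipfw_missing_ports RULEFILE PORT...
# Print each expected port that no active rule opens; prints nothing when all are present.
ipfw_missing_ports() {
    rules="$1"; shift
    opened=$(ipfw_inbound_tcp_ports "$rules" | awk '{ print $1 }')
    for p in "$@"; do
        echo "$opened" | grep -qx "$p" || echo "$p"
    done
}

# Demo on the constructed sample; on a real host pass /etc/ipfw.rules instead.
tmp=$(mktemp)
write_sample_rules "$tmp"
echo "inbound TCP ports opened (port source):"
ipfw_inbound_tcp_ports "$tmp"
echo "expected ports with no allow rule: $(ipfw_missing_ports "$tmp" 21 22 80)"
rm -f "$tmp"
```

For the sample the first function prints ports 21 (from any) and 22 (from 1.2.3.4 only), and the second reports 80 as missing. Run it against the real file after every edit and before loading it with the firewall script, so a commented-out or mistyped rule is caught before it locks the service out.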
Posted on 2009-8-24 13:49:44
PIG, you really are an expert. Did you write this yourself, or is it reposted????