温室小花.技术.博客 --纯粹的unix技术博客 » www

centos4.2 下yum 安装apache2 mysql4 php4 笔记

admin — Fri, 09 Oct 2009 04:13:58 +0000

由于网站国庆中秋假期出了点问题，是网站服务器管理员人为因素造成的网站不能访问。俺深思之下，决定外迁网站，就跟其它相熟的网友伸请一个免费的VPS主机，空间不大那种。，但空间完全让俺管理，没有其它网站服务的。而且环境还是裸机环境，也就是除了基本系统，以及一个yum外。没有其它网络服务在运行。也就是apache mysql,php环境要自已完全搭建。在搭建apache mysql php环境虽遇到一些波折。但也学习懂得许多，也了解到更多，同时，也精进俺在linux/unix的服务器维护以及以及数据库维护持术。由于俺很久没用linux，以往也少用yum这种软件版本升级安装工具。所以，俺也借此环境搭建，熟悉了yum这种软件版本升级安装工具，以及相关命令。。。。
由于服友的vps 系统是centos 4.2 所以，也只能安装apache2,mysql4,php4 ，可能由yum源的限制，centos 4只能安装apache2,mysql4,php4 ,暂时没有找到可以在centos4.安装apache2,mysql5,php5的源。当然，俺从中也懂得如何修改yum的源。俺之前都说，俺很少用yum。这些也顺便熟悉yum源的设置与相关命令使用。。　
俺在安装apache2,mysql4,php4时，借鉴一些网上的文档，由于网上的文档千篇一律，大同小异，并且都没有什么验证过。致使俺在安装amp环境时，遇到一些疑惑或者问题，但后来都懂过经验来判断解决。。。下面就是俺的安装笔记。跟网上一些文档有些区别，算是俺的修订版吧。。。

centos 用yum来管理安装Apache+PHP+Mysql的基本安装。
1. 安装Apahce, PHP, Mysql, 以及php连接mysql库组件。
yum -y install httpd php mysql mysql-server php-mysql
Yum -y install mysql*
2. 配置开机启动服务
/sbin/chkconfig httpd on [设置apache服务器httpd服务开机启动]
/sbin/chkconfig –add mysqld [在服务清单中添加mysql服务]
/sbin/chkconfig mysqld on [设置mysql服务开机启动]
/sbin/service httpd start [启动httpd服务,与开机启动无关]
/sbin/service mysqld start [启动mysql服务,与开机无关]

Yum 安装的mysql下自动生成my.cnf没法正常使用。致使mysql无法正常启动。必需手工编辑一个新的my.cnf 文件。
但就是在这点花费大量时间去排查与查文档。查了大量文档，都没有查到，最后才在一个外国网站查到有人说，centos4　默认yum安装mysql 所产生的my.cnf有问题。所以，俺才将排查重点放在my.cnf　上面。最后，在网上顺便找一个my.cnf配置代替原有的my.cnf ，之后，mysql就启动成功。。
My.cnf内容如下：
[client]
#password = your_password
port = 3306
socket = /var/lib/mysql/mysql.sock

[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
key_buffer = 16M
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
skip-innodb

log-bin
server-id = 1
[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
再运行 /sbin/service mysqld start mysql 就运行成功。
3.设置mysql数据库root帐号密码。
mysqladmin -u root password ‘newpassword’ [引号内填密码]
4. 让mysql数据库更安全
mysql -u root -p
mysql> DROP DATABASE test; [删除test数据库]
mysql> DELETE FROM mysql.user WHERE user = ”; [删除匿名帐户]
mysql> FLUSH PRIVILEGES; [重载权限]
5. 按照以上的安装方式, 配置出来的默认站点目录为/var/www/html/
//安装apache扩展
yum -y install httpd-manual mod_ssl mod_perl mod_auth_mysql
//安装php的扩展
yum install php-gd
yum -y install php-gd php-xml php-mbstring php-ldap php-pear php-xmlrpc
//安装mysql扩展
yum -y install mysql-connector-odbc mysql-devel libdbi-dbd-mysql

Debian 配置 LAMP (debian5.0+apache2.2+mysql5.0+php5.0 )

admin — Sat, 08 Aug 2009 07:17:11 +0000

一、安装基本程式
~#apt-get install apache2 mysql-server php5 php5-mysql phpmyadin pear php5-gd
#在安装过程序会提示你设置mysql的root用户密码。

在Debian下只要安装相关软体，无需修改任何配置文件，把网页程序上传到/var/www目录，更改权限为777，服务器就能够工作！
二、LAMP简单配置
经过前面的步骤，服务器就能够正常运行，但是有时候达不到我们的要求，所以掌握基本配置方法是很有必要的。

1、建立mysql数据库，并添一个仅拥有这些数据库权限的用户，以便网页程序使用，提高服务器的安全性。
~#mysql -h127.1 -uroot -pabcabc
#连接mysql服务器，其中-h是主机，-u是用户名，-p是密码。注意各参数与附值之间没有空格。
> create database lamp;
#创建数据库lamp，注意mysql内部命令必需以“;”结尾。
>show databases;
+——————–+
| Database |
+——————–+
| information_schema |
| lamp |
| mysql |
+——————–+
4 rows in set (0.00 sec)
#查看数据库。
>grant all on lamp.* to lyb@localhost identified by ‘abc123′;
#建立用户名lyb，只允许本地登录，密码为“abc123”，仅拥有数据库lamp的完全权限。l

2、apache2配置文件介绍。
Debian 5.0 的apache2的配置文件全在/etc/apache2/目录下面。
apache2.conf
#apache的全局配置文件。
envvars
#定义apache的用户环境。
ports.conf
#定义监听端口。
httpd.conf
#默认为空文件，一般用户自已添加的选项写入这里。
mods-available
#以load文件结尾的是加载相应模块选项，以conf文件结尾的是相应模块选项。
mods-enabled
#都是指向mods-available下面的文件的链接文件，需要启用那些模块就在此建立相关链接即可。
sites-available
#虚拟主机配置文件
sites-enabled
#指向sites-available目录下文件的链接。
conf.d
#定义字符编码和其它选项。
三、性能调优
1、内核优化，vim /etc/sysctl.conf
# Use TCP syncookies when needed
net.ipv4.tcp_syncookies = 1
# Enable TCP window scaling
net.ipv4.tcp_window_scaling: = 1
# Increase TCP max buffer size
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Increase number of ports available
net.ipv4.ip_local_port_range = 1024 65000
2、优化磁盘
在文件系统上禁用 atime 日志记录特性。atime 是最近访问文件的时间，每当访问文件时，底层文件系统必须记录这个时间戳。因为系统管理员很少使用atime，禁用它可以减少磁盘访问时间。禁用这个特性的方法是，在 /etc/fstab 的第四列中添加 noatime 选项。
例如：LABEL=/boot /boot ext3 defaults,noatime 1 2
3、调优Apache
需要伸缩性的站点可以选择worker或event线程化的MPM，而需要稳定性和兼容性的站点可以用prefork。
一个经典 worker MPM 配置：
ServerLimit 128
StartServers 8
MaxClients 3000
MinSpareThreads 128
MaxSpareThreads 1024
ThreadsPerChild 32
一个 perfoxk MPM 配置实例：
StartServers 32
MinSpareServers 32
MaxSpareServers 64
MaxClients 1024
MaxRequestsPerChild 4000

有效的使用选项和重写

AllowOverride None
Options FollowSymLinks

如果使用 -FollowSymLinks，该特性就会被禁用。如果禁用了 FollowSymLinks，Apache 就必须检查使用该文件名的所有组件（目录和文件本身），以确保它们不是符号连接。这会带来额外的开销（磁盘操作）。
AllowOverride None 是不允许重写，这能消除 Apache 检查 .htaccess 的需求。
HostnameLookups off 指令禁用 DNS 查找，因为试图反向解析连接到您的服务器的所有 IP 地址无疑是浪费资源。

持久连接
KeepAlive On
KeepAliveTimeout 5

关闭DNS查询
HostnameLookups off

合理配置缓冲模块
mod_cache
mod_disk_cache
mod_mem_cache
mod_file_cache

4、优化 php.ini ，四个重要的控制设置 PHP 可以使用多少系统资源。
max_execution_time 一个脚本可使用多少 CPU 秒，建议值 30
max_input_time 一个脚本等待输入数据的时间有多长（秒），建议值 60
memory_limit 在被取消之前，一个脚本可使用多少内存（字节），建议值 32M
output_buffering 数据发送给客户机之前，有多少数据（字节）需要缓存，建议值 4096
PHP 可执行的日志记录数是可配置的。在生产环境中，禁用除最重要的日志以外的一切日志记录能够减少磁盘写操作。如果需要使用日志来排除问题，那么可以按需启用日志记录。error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR 将启用足够的日志记录，使您发现问题，同时从脚本中消除大量无用的内容。
5、优化MySQL
参考：
三、应用 php 加速
1、安装 XCache 或 eAccelerator
下载：apt-get install php5-xcache
下载：http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2

非常好的lighttpd 安装配置说明文档

admin — Sat, 01 Aug 2009 06:38:25 +0000

一，为什么要使用lighttpd?
apache不可以吗？
在支持纯静态的对象时，比如图片，文件等，
lighttpd速度更快，更理想
至于它和apache的比较，很多文档，大家可以google一下

二，从何处下载lighttpd?

http://www.lighttpd.net/download/

这个是它的官方站

三，如何安装？
1,编译安装
./configure –prefix=/usr/local/lighttpd
make
make install

configure完毕以后，会给出一个激活的模块和没有激活模块的清单，可以检查一下，是否自己需要的模块都已经激活，在enable的模块中一定要有“mod_rewrite”这一项，否则重新检查pcre是否安装。

2,编译后配置
cp doc/sysconfig.lighttpd /etc/sysconfig/lighttpd
mkdir /etc/lighttpd
cp doc/lighttpd.conf /etc/lighttpd/lighttpd.conf

如果你的Linux是RedHat/CentOS，那么：
cp doc/rc.lighttpd.redhat /etc/init.d/lighttpd
如果你的Linux是SuSE，那么：
cp doc/rc.lighttpd /etc/init.d/lighttpd
其他Linux发行版本可以自行参考该文件内容进行修改。
然后修改/etc/init.d/lighttpd，把
LIGHTTPD_BIN=/usr/sbin/lighttpd
改为
LIGHTTPD_BIN=/usr/local/lighttpd/sbin/lighttpd

此脚本用来控制lighttpd的启动关闭和重起：
/etc/init.d/lighttpd start
/etc/init.d/lighttpd stop
/etc/init.d/lighttpd restart
3,配置
修改/etc/lighttpd/lighttpd.conf
1）server.modules
取消需要用到模块的注释，mod_rewrite，mod_access，mod_fastcgi，mod_simple_vhost，mod_cgi， mod_compress，mod_accesslog是一般需要用到的。
我们放开 “mod_rewrite”
“mod_compress”,

2）server.document-root, server.error-log，accesslog.filename需要指定相应的目录
server.document-root = “/www/phc/html/”
mkdir /usr/local/lighttpd/logs
chmod 777 /usr/local/lighttpd/logs/
touch /usr/local/lighttpd/logs/error.log
chmod 777 /usr/local/lighttpd/logs/error.log

server.errorlog = “/usr/local/lighttpd/logs/error.log”
accesslog.filename = “|/usr/sbin/cronolog /usr/local/lighttpd/logs/%Y/%m/%d/accesslog.log”

3）用什么权限来运行lighttpd
server.username = “nobody”
server.groupname = “nobody”
从安全角度来说，不建议用root权限运行web server，可以自行指定普通用户权限。

4）静态文件压缩
mkdir /usr/local/lighttpd/compress
chmod 777 /usr/local/lighttpd/compress/
compress.cache-dir = “/usr/local/lighttpd/compress/”
compress.filetype = (“text/plain”, “text/html”,”text/javascript”,”text/css”)

可以指定某些静态资源类型使用压缩方式传输，节省带宽，
对于大量AJAX应用来说，可以极大提高页面加载速度。

5）server.port = 81

6）#$HTTP["url"] =~ “.pdf$” {
131 # server.range-requests = “disable”
132 #}

4，优化
1 最大连接数

默认是1024
修改 server.max-fds,大流量网站推荐2048.

因为lighttpd基于线程,而apache(MPM-prefork)基于子进程,
所以apache需要设置startservers,maxclients等,这里不需要
2 stat() 缓存

stat() 这样的系统调用,开销也是相当明显的.
缓存能够节约时间和环境切换次数(context switches)

一句话,lighttpd.conf加上
server.stat-cache-engine = “fam”

lighttpd还另外提供simple(缓存1秒内的stat()),disabled选项.
相信没人会选disabled吧.
3 常连接(HTTP Keep-Alive)

一般来说,一个系统能够打开的文件个数是有限制的(文件描述符限制)
常连接占用文件描述符,对非并发的访问没有什么意义.

(文件描述符的数量和许多原因有关,比如日志文件数量,并发数目等)

这是lighttpd在keep-alive方面的默认值.
server.max-keep-alive-requests = 128
server.max-keep-alive-idle = 30

换言之,lighttpd最多可以同时承受30秒长的常连接,每个连接最多请求128个文件.
但这个默认值确实不适合非并发这种多数情况.

lighttpd.conf 中减小
server.max-keep-alive-requests
server.max-keep-alive-idle
两个值,可以减缓这种现象.

甚至可以关闭lighttpd keep-alive.
server.max-keep-alive-requests = 0
4 事件处理

对于linux kernel 2.6来说,没有别的可说
lighttpd.conf中加上这一句足矣
server.event-handler = “linux-sysepoll”

另外,
linux 2.4 使用 linux-rtsig
freebsd 使用 freebsd-kqueue
unix 使用 poll
5 网络处理

lighttpd 大量使用了 sendfile() 这样一个高效的系统调用.
减少了从应用程序到网卡间的距离.
(同时也减少了lighttpd对cpu的占用,这部分占用转嫁到内核身上了)

根据平台,可以设置不同的参数.
server.network-backend = “linux-sendfile”
(linux)
freebsd: freebsd-sendfile
unix: writev

如果有兴趣的话,也可以看看lighttpd在async io(aio)上的实现,仅限 lighttpd 1.5
(linux-aio-sendfile, posix-aio, gthread-aio)

此外,网络方面,核心的参数也需要适当进行修改,
这里就不需要详细说明了.

5,启动
6,配置日志
logrotate & cronolog
logrotate很粗暴,直接把进程砍了然后移动日志
cronolog就是比较不错的方式.
lighttpd用法:
accesslog.filename = ” |/usr/sbin/cronolog /var/log/lighttpd/%Y/%m/%d/access_XXXX.log”

7,安装pcre
从何处下载?

http://www.pcre.org/

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.4.tar.bz2
安装过程：
　　./configure
　　make clean
　　make
　　make install

8,支持fam
gamin默认已安装了此包
yum install gamin-devel

另外配置时需添加：
./configure –prefix=/usr/local/lighttpd –with-fam

9,测试lighttpd的启动：
/usr/local/lighttpd/sbin/lighttpd -f /usr/local/lighttpd/etc/lighttpd.conf

10,防止盗链
#$HTTP["referer"] !~ “^($|http://.*.(chinafotopress.com|chinafotopress.cn))” {
# $HTTP["url"] =~ “.(jpg|jpeg|png|gif|rar|zip|mp3)$” {
# #url.redirect = (“.*” => “http://www.baidu.com/”)
# url.access-deny = (“.jpg”)
# }
#}

#$HTTP["referer"] == “” {
# $HTTP["url"] =~ “.(jpg|jpeg|png|gif|rar|zip|mp3)$” {
# #url.redirect = (“.*” => “http://www.baidu.com/”)
# url.access-deny = (“.jpg”)
# }
#}

日志处理

Sometimes, Google Analytics just isn’t enough when it comes to keeping and interpreting server stats. After finding a suitable log file analyzer, AWStats, the next step involved separating out the log files on a per domain basis. When the server was first set up, everything was shuttled to one set of access and error log files. While AWStats could technically analyze this log, the suggested set up involves having one set per domain. This article details the process of separating out the log files and making sure that these new files get rotated correctly.
Create Log Directories

While it would be possible to keep all of the files in one directory and to just name them relative to the domain, for this tutorial we will assume that we will create subdirectories based on the domain name. The first step would be to create a directory for each domain.

sudo -u www-data mkdir /var/log/lighttpd/www.example1.com
sudo -u www-data mkdir /var/log/lighttpd/www.example2.com
Update lighttpd.conf

After creating the directories, it’s time to update the lighttpd conf file in /etc/lighttpd. We’ll want to set the log files by host name. We already had directives setting the server.document-root for these domains so we only added the bolded lines.

$HTTP["host"] =~ “(^|\.)example1.com”$” {
server.document-root = “/var/www/www.example1.com”,
server.errorlog = “/var/log/lighttpd/www.example1.com/error.log”,
accesslog.filename = “/var/log/lighttpd/www.example1.com/access.log”,
}

$HTTP["host"] =~ “(^|\.)example2.com$” {
server.document-root = “/var/www/www.example2.com”,
server.errorlog = “/var/log/lighttpd/www.example2.com/error.log”,
accesslog.filename = “/var/log/lighttpd/www.example2.com/access.log”,
}

After adding these directives, you will need to restart the server.

sudo /etc/init.d/lighttpd restart
Update Logrotate

Finally, we will want logrotate to rotate these new directories. Since our main goal is to integrate the logs with AWStats, it made sense to add a separate entry for each log directory. However, if you don’t need call different scripts for the different domains, feel free to create one directive. We just copied the existing logrotate configuration and editted it for each of the domains. Below are examples of what this might look like.

/var/log/lighttpd/*.log {
daily
missingok
copytruncate
rotate 60
compress
notifempty
sharedscripts
postrotate
if [ -f /var/run/lighttpd.pid ]; then \
kill -HUP $(
fi;
endscript
}
/var/log/lighttpd/www.example1.com/*.log {
daily
missingok
copytruncate
rotate 60
compress
notifempty
sharedscripts
postrotate
if [ -f /var/run/lighttpd.pid ]; then \
kill -HUP $(
fi;
endscript
}
/var/log/lighttpd/www.example2.com/*.log {
daily
missingok
copytruncate
rotate 60
compress
notifempty
sharedscripts
postrotate
if [ -f /var/run/lighttpd.pid ]; then \
kill -HUP $(
fi;
endscript
}

To make just one configuration entry, it would look like this:

“/var/log/lighttpd/*.log” “/var/log/lighttpd/www.example1.com/*.log” “/var/log/lighttpd/www.example2.com/*.log” {
daily
missingok
copytruncate
rotate 60
compress
notifempty
sharedscripts
postrotate
if [ -f /var/run/lighttpd.pid ]; then \
kill -HUP $(
fi;
endscript
}
Sources

* Lighttpd rotating log files with logrotate tool
* Howto: Lighttpd web server setting up virtual hosting

Trackback URL for this post:

http://tracy.hurleyit.com/trackback/1140

lighttpd虚拟主机配置
$HTTP["host"] == “bbs.xxx.com” {
server.name = “bbs.xxx.com”
server.document-root = “/var/www/bbs”
server.errorlog = “/var/www/bbs/error.log”
accesslog.filename = “/var/www/bbs/access.log”
}
else

lighttpd.conf解释

server.use-ipv6 = “disable” # 缺省为禁用
server.event-handler = “linux-sysepoll” # Linux环境下epoll系统调用可提高吞吐量
#server.max-worker = 10 # 如果你的系统资源没跑满，可考虑调高 lighttpd进程数
server.max-fds = 4096 # 默认的，应该够用了，可根据实际情况调整
server.max-connections = 4096 # 默认等于 server.max-fds
server.network-backend = “linux-sendfile”
server.max-keep-alive-requests = 0 # 在一个keep-alive会话终止连接前能接受处理的最大请求数。0为禁止

# 设置要加载的module
server.modules = (
“mod_rewrite”,
“mod_redirect”,
# “mod_alias”,
“mod_access”,
# “mod_cml”,
# “mod_trigger_b4_dl”,
“mod_auth”,
“mod_expire”,
# “mod_status”,
# “mod_setenv”,
“mod_proxy_core”,
“mod_proxy_backend_http”,
“mod_proxy_backend_fastcgi”,
# “mod_proxy_backend_scgi”,
# “mod_proxy_backend_ajp13″,
# “mod_simple_vhost”,
“mod_evhost”,
# “mod_userdir”,
# “mod_cgi”,
“mod_compress”,
# “mod_ssi”,
# “mod_usertrack”,
# “mod_secdownload”,
# “mod_rrdtool”,
“mod_accesslog” )

# 网站根目录
server.document-root = “/var/www/”

# 错误日志位置
server.errorlog = “/var/log/lighttpd/error.log”

# 网站Index
index-file.names = ( “index.php”, “index.html”,
“index.htm”, “default.htm” )

# 访问日志, 以及日志格式 (combined), 使用X-Forwarded-For可越过代理读取真实ip
accesslog.filename = “/var/log/lighttpd/access.log”
accesslog.format = “%{X-Forwarded-For}i %v %u %t \”%r\” %s %b \”%{User-Agent}i\” \”%{Referer}i\”"

# 设置禁止访问的文件扩展名
url.access-deny = ( “~”, “.inc”, “.tpl” )

# 服务监听端口
server.port = 80

# 进程id记录位置
server.pid-file = “/var/run/lighttpd.pid”

# virtual directory listings 如果没有找到index文件就列出目录。建议disable。
dir-listing.activate = “disable”

# 服务运行使用的用户及用户组
server.username = “www”
server.groupname = “www”

# gzip压缩存放的目录以及需要压缩的文件类型
compress.cache-dir = “/tmp/lighttpd/cache/compress/”
compress.filetype = (“text/plain”, “text/html”)

# fastcgi module
# for PHP don’t forget to set cgi.fix_pathinfo = 1 in the php.ini
$HTTP["url"] =~ “\.php$” {
proxy-core.balancer = “round-robin”
proxy-core.allow-x-sendfile = “enable”
# proxy-core.check-local = “enable”
proxy-core.protocol = “fastcgi”
proxy-core.backends = ( “unix:/tmp/php-fastcgi1.sock”,”unix:/tmp/php-fastcgi2.sock” )
proxy-core.max-pool-size = 16
}

# 权限控制
auth.backend = “htpasswd”
auth.backend.htpasswd.userfile = “/var/www/htpasswd.userfile”

# 基于 evhost 的虚拟主机针对域名
$HTTP["host"] == “a.lostk.com” {
server.document-root = “/var/www/lostk/”
server.errorlog = “/var/log/lighttpd/lostk-error.log”
accesslog.filename = “/var/log/lighttpd/lostk-access.log”

# 设定文件过期时间
expire.url = (
“/css/” => “access 2 hours”,
“/js/” => “access 2 hours”,
)

# url 跳转
url.redirect = (
“^/$” => “/xxx/index.html”,
)

# url 重写 (cakephp可用)
url.rewrite = (
“^/(css|js)/(.*)$” => “/$1/$2″,
“^/([^.]+)$” => “/index.php?url=$1″,
)

# 权限控制
auth.require = ( “” =>
(
“method” => “basic”,
“realm” => “admin only”,
“require” => “user=admin1|user=admin2″ # 允许的用户, 用户列表文件在上面配置的auth.backend.htpasswd.userfile 里
),
)
}

# 针对端口的虚拟主机
$SERVER["socket"] == “192.168.0.1:8000″ {
server.document-root = “/var/www/xxx/”
server.errorlog = “/var/log/lighttpd/test-error.log”
accesslog.filename = “/var/log/lighttpd/test-access.log”

linux 下的lighttpd不能加载zend Optimizer的解决方法

admin — Sat, 01 Aug 2009 06:36:21 +0000

在 Fedora 10 安装 lighttpd php5 mysql5 zend Optimizer前 3个均可以用 yum 进行安装，很方便。

　　在 Fedora 10 安装 lighttpd php5 mysql5 zend Optimizer

　　前 3个均可以用 yum 进行安装，很方便。

　　而 zend Optimizer 需要下载解压后，到解压目录输入 # ./install.sh 就会出现界面提示安装。安装后重启 lighttpd却没有成功启动 zend Optimizer 。

　　解决经过：

　　1. 开始认为是 php.ini 没有设置好。打目录中找 #find / -name php.ini ，后发现网页输出就有 Loaded Configuration File : /usr/local/Zend/etc/php.ini 显示 php.ini 文件已被加载。

　　2. 是否 zend Optimizer 版本问题,安装最新版还是不成功。

　　3. 在网络查找解决方法多是说 php.ini 设置问题。最终将几个方法总结才解决：

　　具体解决方法:

　　1. 对于 php.ini文件路径有问题( 我的在 phpinfo()显示php.ini路径正确，我就不用这个方法 )

　　解决方法

　　php -i | grep php.ini 就可以找到当前php使用的php.ini文件

　　比如, 编译安装时没有指定php.ini存放路径, 那么默认php.ini会放在/usr/local/lib下面

　　最好是在编译PHP时指定PHP配置文件的路径如: –with-config-file-path=/usr/local/etc

　　而一般zend默认安装 php.ini在/etc/目录下面或/usr/local/Zend/etc 所以需要在安装的时候手工指定我们php.ini文件存放的位置

　　如果, 不知道现在的PHP 的配置文件具体位置的话可以查看一下:

　　php -i | grep php.ini

　　如果php optimizer安装好却发现不能加载的话可以手工指定读取php.ini文件的位置

　　php -c /etc/ -v 如果可以看到zend opt正确加载

　　那么做个连接就好连接到php默认读取的php.ini路径下面

　　
比如

　　ln -sf /etc/php.ini /usr/local/lib

　　[root@localhost /]# php -v

HP 5.2.5 (cli) (built: Jan 22 2006 12:59:19)

　　Ok 正常 phpinfo()看到的当然也是一样的

　　2. 调用库文件的问题

　　有的时候还有一些情况下 php -i 或php -v 在控制台下可以看到zend opt,

　　但是 apache 执行phpinfo的输出里面却看不到

　　一般是因为调用php的时候zend模块不能加载, 比如AS4里面就是这样的

　　如as4下面默认的php安装后读取库文件的路径是在/usr/lib下面，

　　而php.ini文件中加载zend模块是在zend安装路径的lib目录中

　　比如/usr/local/Zend/lib 这时apache在执行php时不能加载zend模块所以在控制台里php -v 可以正常

　　但是apache 却没有加载zend。

　　解决办法

　　先把zend模块copy到

　　/usr/lib里面然后改一下php.ini里面zend加载模块部分

　　( 我在 php -i 中显示 Failed loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied

　　看这个原来是权限问题)

　　3. 最恶心的SElinux问题

　　SElinux导致PHP不能使用zend/lib下的库文件。所以，即便是做link也不行。只能够拷贝库文件到有权限的目录。或者直接关掉SElinux

　　但我已在 /etc/selinux/config 的 SELINUX=disabled 关掉SElinux 还是不行, 再网络查询发现

　　在你保证SElinux 被disable后.还执行下

　　chcon -t texrel_shlib_t 命令

　　如: chcon -t texrel_shlib_t /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so (这个文件视具体执行文件.)

　　就可以。

　　我的解决的情况是:

　　1. 关闭SElinux

　　2. 运行 #chcon -t texrel_shlib_t /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so

　　就可以。

还有一个最终的解决办法，就是使用低版本的php源代码来编译安装php.

配置Linux+Apache+PHP+Informix

admin — Mon, 20 Jul 2009 14:43:57 +0000

1.配置Apache+PHP
Apache与PHP配置可以使用一套集成环境XAMPP，可以免去编译配置的繁琐工作。
>下载XAMPP的以及对应的开发包
1）xampp-linux-1.7.2.tar.gz
2）xampp-linux-devel-1.7.2.tar.gz
>安装Lampp
使用root用户

tar xvfz xampp-linux-1.7.2.tar.gz -C /opt
tar xvfz xampp-linux-devel-1.7.2.tar.gz -C /opt

即将lampp安装到/opt/目录下

2.Informix & CSDK
Informix的安装在这里不做过多说明，需要注意的是PHP连接Informix需要CSDK 2.81以上版本的支持，CSDK安装到$INFORMIXDIR。
如果php访问远端Informix server，还需要在php所属服务器上安装unixODBC

3.配置PDO_INFORMIX模块
由于我们使用的LAMPP集成环境，所以PHP是已经编译好的，这时需要增加PHP的扩展pdo_informix.so就要用到phpize预编译工具。
>phpize
需要autoconf支持，下载pdo_informix安装包PDO_INFORMIX-1.2.6.tgz
使用root用户：
解开安装包
tar xvfz PDO_INFORMIX-1.2.6.tgz
进入安装包目录
cd PDO_INFORMIX-1.2.6
运行phpize工具

/opt/lamp/bin/phpize
./configure -–with-php-config=/opt/lamp/bin/php-config

如果提示–with-pdo-informix=dir，则需要先加载informix环境变量

FreeBSD传真服务器(FreeBSD+HylaFax+Apache+php+Mysql+AvantFax)

admin — Mon, 08 Jun 2009 14:41:45 +0000

以下文章也是转摘于网上。有空，俺要实际操作一下，以前，俺一直想弄个EFAX服务器，但可惜，由于文档少，以及时间上不方便，就没再深究，现在有此好文档，有机会，也要好好研究一下。。。

FreeBSD安装选择Minimal+Ports
域名：fax.test.org IP:192.168.1.203 新建用户:vincent 属于wheel组

Handbook
http://cnsnap.cn.freebsd.org/doc … ndbook/install.html

开启FTP服务

编辑/etc/inetd.conf文件去掉ftp前的注释’#'。

#vi /etc/inetd.conf
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

启动inetd程序
#/etc/rc.d/inetd start

添加vincent用户，用于FTP登录上传文件
#pw useradd vincent -s /bin/csh -d /home/vincent -m -g wheel -h 0

—————————————————————————-

使用wget加快ports软件下载

安装wget程序，加快软件包下载速度。
#cd /usr/ports/net/wget
#make install clean

编辑/etc/make.conf
#vi /etc/make.conf

FETCH_CMD=wget -c -t 1
DISABLE_SIZE=yes

MASTER_SITE_OVERRIDE= \
ftp://ftp.tw.freebsd.org/pub/FreeBSD/ports/distfiles/ \
ftp://ftp.freebsdchina.org/pub/FreeBSD/ports/distfiles/

设置使用ftp.tw.freebsd.org为主下载站点，加快Package软件下载，编辑用户目录下的.cshrc文件加入

#vi .cshrc //编辑完后记得重新登录
setenv PACKAGEROOT ftp://ftp.tw.freebsd.org

——————————————————————————————–

HylaFAX ( WebSite http://www.hylafax.org/ )

HylaFAX是一个基于C/S 架构,企业级的收发传真系统，高效稳固。局域网中只要有一台连接Modem的HylaFAX服务器，就能为局域网所有用户提供传真服务。

软件安装

Package方法安装
#pkg_add -r hylafax

或者

Ports方法安装
#cd /usr/ports/comms/hylafax
#make install clean

软件设置

#faxsetup

Should an entry be added for the FaxMaster to /etc/aliases [yes]?
应该在/etc/aliases中增加一个条FaxMaster记录[yes]? yes

Users to receive fax related mail [root]?
输入接收传真相关信息的Email用户[root]? vincent

Are these ok [yes]?
确认以上信息是否正确[yes]? yes

Country code [1]?
国家代码[1]? 0086

Area code []?
区号[]? 0750

Long distance dialing prefix [1]?
长途拨号前缀 [1]? 0

International dialing prefix [011]?
国际拨号前缀 [001]? 0750

Dial string rules file (relative to /var/spool/hylafax)["etc/dialrules"]?
拨号规则文件( /var/spool/hylafax )["etc/dialrule"]? 按enter默认

Tracing during normal server operation [1]?
追踪正常服务程序[1]? 1

Default tracing during send and receive session [0xfffffffff]?
默认追查在发送和接收 session [0xfffffffff]? 按enter默认

Continuation cover page (relative to /var/spool/hylafax) []?
传真封面页所在目录 ( /var/spool/hylafax )[]? 按enter默认

Timeout when converting PostScript documents (secs) [180]?
转换PostScript文件逾时时间[180]? 180

Maximum number of concurrent jobs to a destination[1]?
一个目的地最大数量的并行工作[1]? 1

Define a group of modems []
定义一组调制解调器[] 按enter默认

Time of day restrictions for outbound jobs ["Any"]?
一天中限制传真外发时间["Any"]? 按enter默认

Pathname of destination controls file (relative to /var/spool/hylafax) []?
控制文件的路径( /var/spool/hylafax )[]? 按enter默认

Timeout before purging a stale UUCP lock file (secs) [30]
超时前清除旧的UUCP锁定文件[30]？30

Max number of pages to permit in an outbound job [0xffffffff]?
允许在出站的最大页数[0xffffffff]? 按enter默认

Syslog facility name for ServerTracing messages [daemon]?
系统日志跟踪记录程序[daemon]? 按enter默认

Are these ok [yes]?
确认以上信息是否正确[yes]? yes

Should I restart the HylaFAX process [yes]?
应该重新启动HylaFAX进程[yes]? yes

You do not appear to have any modem configured for use. Modems are
configured for use with HylaFax with the faxaddmodem command.
Do you want to run faxaddmomdem to configure a modme [yes]?
您似乎没有任何调制解调器配置为使用。调制解调器配置为使用HylaFax与faxaddmodem命令。
你想运行faxaddmomdem配置modme[yes]? yes

Serial port that modem is connected to []?
调制解调器连接到那个串行端口[]? ttyd0 //我的是com1,所以是ttyd0；请根据实际配置。

country code[1]
国家代码[1]? 0086

Area code [415]?
区号[]? 0750

Phone number of fax modem [+1,9999.5555.1212]?
传真的电话号码[+1,9999.5555.1212]? 8607501234567

Local Identifications string (for TS/CIG) ["NothingEtup"]?
本地传真机标识(for TS/CIG) ["NothingEtup"]? FreeBSD.org

Long distance dialing prefix [1]?
长途拨号前缀 [1]? 0

International dialing prefix [011]?
国际拨号前缀 [001]? 0750

Dial string rules file (relative to /var/spool/hylafax) [etc/dialrules]?
拨号规则文件( /var/spool/hylafax )["etc/dialrule"]? 按enter默认

Tracing during normal server operation [1]?
追踪正常服务程序[1]? 1

Tracing during send and receive sessions [11]?
追踪发送和接收 session [11]? 按enter默认

Protection mode for received facsimile [0600]?
收到传真的文件权限[0600]？ 0777

Protection mode for session logs [0600]?
记录文件的档案权限[0600]? 0777

Protection mode for ttyd0 [0600]?
端口的访问权限[0600]? 0777

Rings to wait before answering [1]?
响铃几声后，开始接受传真[1]? 2

Modem speaker volume [off]?
Modem的喇叭音量[off]? on

Command line arguments to getty program ["-h %l dx_%s"]?
接收传真的命令行参数["-h %l dx_%s"]? 按enter默认

Pathname of TSI access control list file (relative to /var/spool/hylafax)[""]?
访问控制列表的TSI文件路径( /var/spool/hylafax )[""]? 按enter默认

Pathname of Caller-ID access control list file (relative to /var/spool/hylafax)[""]?
来电Caller-ID访问控制列表文件路径( /var/spool/hylafax )[""]? 按enter默认

Tag line font file (relative to /var/spool/hylafax) [etc/lutRS18.pcf]?
标记行字体文件( /var/spool/hylafax ) [etc/lutRS18.pcf]? 按enter默认

Tag line form string ["From %%1|%c|Page %%P of %%T"]?
标记行字符串形式["From %%1|%c|Page %%P of %%T"]? 按enter默认

Time before purging a stale UUCP lock file (secs) [30]?
超时前清除旧的UUCP锁定文件[30]？30

Hold UUCP lockfile during inbound data calls [Yes]?
当传真进来时，保留UUCP 设定文件[Yes]? yes

Hold UUCP lockfile during inbound voice calls [Yes]?
当语音进来时，保留UUCP 设定文件[Yes]? yes

Percent good lines to accept during copy quality checking [95]?
线路好的时候，在什么百份比时进行检查[95]? 95

Max consecutive bad lines to accept during copy quality checking [5]?
线路不好的时候，在什么百份比时进行检查[5]? 5

Max number of pages to accept in a received facsimile [25]?
每次传真进来的最大可接收页数[25]? 25

Syslog faxility name for ServerTracing messages [daemon]?
系统日志跟踪记录程序[daemon]? 按enter默认

Set UID to 0 to manipulate CLOCAL [""]?
设置的UID为0操作CLOCAL[""]? 按enter默认

Use available priority job scheduling mechanism [""]?
使用现有的优先工作调度机制[""]? 按enter默认

Are these ok [yes]?
确认以上信息是否正确[yes]? yes

Probing for best speed to talk to modem：38400
探索最佳速度交谈调制解调器： 38400

How should it be configured [1]?
应如何配置[1]? 1

DTE-DCE flow control scheme [default]?
流量控制方案[default]? 按enter默认

Are these ok [yes]?
确认以上信息是否正确[yes]? yes

Do you want to run faxaddmodem to configure another modem [yes]?
你想运行的另一个faxaddmodem配置调制解调器[yes]? no

Should I run faxmodem for each configured modem [yes]?
应该为每个运行faxmodem配置调制解调器[yes]? yes

Done verifying system setup.
完成核查系统设置。

编辑/etc/ttys 文件，查找“ttyd0″字节，修改为下面值(如果没有找，就在最后加上）

#vi /etc/ttys
ttyd0 “/usr/local/sbin/faxgetty” dialup on

设置开机HylaFax服务自动运行

#cp /usr/local/etc/rc.d/hylafax.sh.sample /usr/local/etc/rc.d/hylafax.sh

启动HylaFax服务

#/usr/local/etc/rc.d/hylafax.sh start

HylaFax命令

faxstat -s （显示队列中等待发送的传真）
faxstat -d （显示已发送的传真）
faxstat -r （显示已接收的传真）
faxrm number_of_job (从队列中去删除一个传真)
faxqclean (清除缓冲池)
faxcron (显示统计结果)

——————————————————————————————–

AvantFAX (WebSite http://www.avantfax.com )

AvantFAX是一种Web应用管理传真的HylaFAX 服务器。
AvantFAX允许用户在任何平台上，来查看和发送传真，而无需安装特殊的软件。它还允许管理员管理用户，他们的权限，传真线，传真类等
AvantFAX可以从本地网络，并通过互联网远程使用标准的网络设备

安装说明: http://www.avantfax.com/install.php

安装AvantFAX之前要先安装以下软件：

HylaFAX 4.4 or HylaFAX EE 3
PHP 5
PHP PEAR 5 including MDB2_driver_mysql, Mail and Mail_Mime
PECL FileInfo
PHP mbstring – for improved UTF-8 sorting support (optional)
PHP MySQL 5
MySQL server 4.1.12 or better (see Important Notes below)
Apache
ImageMagick
ghostscript
libtiff
netpbm-progs
libungif
sudo
sendmail/postfix/exim/qmail or use an external SMTP server
cups/lpr and psutils
expect

—————————————–
apache

Package方法安装
#pkg_add -r apache22

或者

Ports方法安装
#cd /usr/ports/www/apache22
#make install clean

—————————————–
mysql51-server

Package方法安装
#pkg_add -r mysql51-server

或者

Ports方法安装

#cd /usr/ports/databases/mysql51-server
#make install clean

—————————————–
PHP5

Ports方法安装
#cd /usr/ports/lang/php5
#make install clean
//安装时记得选上第三项“APACHE Build Apache module”支持

—————————————–
PHP5-session

Package方法安装
#pkg_add -r php5-session

或者

Ports方法安装
#cd /usr/ports/www/php5-session
#make install clean

—————————————–
php5-mysql

Package方法安装
#pkg_add -r php5-mysql

或者

Ports方法安装
#cd /usr/ports/databases/php5-mysql
#make install clean

—————————————–
pear-DB

Package方法安装
#pkg_add -r pear-DB

或者

Ports方法安装
#cd /usr/ports/databases/pear-DB
#make install clean

—————————————–
pear-MDB2_Driver_mysql

Ports方法安装
#cd /usr/ports/databases/pear-MDB2_Driver_mysql
#make install clean

—————————————–
pear-Auth

Package方法安装
#pkg_add -r pear-Auth

或者

Ports方法安装
#cd /usr/ports/security/pear-Auth
#make install clean

—————————————–
pear-Auth_SASL

Package方法安装
#pkg_add -r pear-Auth_SASL

或者

Ports方法安装
#cd /usr/ports/security/pear-Auth_SASL
#make install clean

—————————————–
pear-Net_SMTP

Package方法安装
#pkg_add -r pear-Net_SMTP

或者

Ports方法安装
#cd /usr/ports/net/pear-Net_SMTP
#make install clean

—————————————–
pear-Mail

Package方法安装
#pkg_add -r pear-Mail

或者

Ports方法安装
#cd /usr/ports/mail/pear-Mail
#make install clean

—————————————–
pear-Mail_Mime

Package方法安装
#pkg_add -r pear-Mail_Mime

或者

Ports方法安装
#cd /usr/ports/mail/pear-Mail_Mime
#make install clean

—————————————–
pear-Mail_mimeDecode

Package方法安装
#pkg_add -r pear-Mail_mimeDecode

或者

Ports方法安装
#cd /usr/ports/mail/pear-Mail_mimeDecode
#make install clean

—————————————–
pear-PHP_Compat

Package方法安装
#pkg_add -r pear-PHP_Compat

或者

Ports方法安装
#cd /usr/ports/devel/pear-PHP_Compat
#make install clean

—————————————–
pear-HTML_Common

Ports方法安装
#cd /usr/ports/devel/pear-HTML_Common
#make install clean

—————————————–
pear-HTML_QuickForm

Package方法安装
#pkg_add -r pear-HTML_QuickForm

或者

Ports方法安装
#cd /usr/ports/devel/pear-HTML_QuickForm
#make install clean

—————————————–
pecl-fileinfo

Package方法安装
#pkg_add -r pecl-fileinfo

或者

Ports方法安装
#cd /usr/ports/sysutils/pecl-fileinfo
#make install clean

—————————————–
php5-mbstring

Package方法安装
#pkg_add -r php5-mbstring

或者

Ports方法安装
#cd /usr/ports/converters/php5-mbstring
#make install clean

—————————————–
ImageMagick

Package方法安装
#pkg_add -r ImageMagick

或者

Ports方法安装
#cd /usr/ports/graphics/ImageMagick
#make install clean

—————————————–
smarty

Package方法安装
#pkg_add -r smarty

或者

Ports方法安装
#cd /usr/ports/www/smarty
#make install clean

—————————————–
netpbm

Package方法安装
#pkg_add -r netpbm

或者

Ports方法安装
#cd /usr/ports/graphics/netpbm
#make install clean

—————————————–
libungif

Package方法安装
#pkg_add -r libungif

或者

Ports方法安装
#cd /usr/ports/graphics/libungif
#make install clean

—————————————–
sudo

Package方法安装
#pkg_add -r sudo

或者

Ports方法安装
#cd /usr/ports/security/sudo
#make install clean

—————————————–
cups

Package方法安装
#pkg_add -r cups

或者

Ports方法安装
#cd /usr/ports/print/cups
#make install clean

—————————————–
psutils-a4

Package方法安装
#pkg_add -r psutils-a4

或者

Ports方法安装
#cd /usr/ports/print/psutils-a4
#make install clean

—————————————–
expect

Package方法安装
#pkg_add -r expect

或者

Ports方法安装
#cd /usr/ports/lang/expect
#make install clean

—————————————————————————————–

软件下载：http://www.avantfax.com/download.php

将下载到的软件包通过FTP上传到服务器的vincent目录下,解压:
#cd /home/vincent
#gunzip avantfax-3.1.6.tgz.gz
#tar zxvf avantfax-3.1.6.tgz

移动avantfax Web目录:
#cd avantfax-3.1.6
#mv avantfax /usr/local/www/
#chmod -R 777 /usr/local/www/avantfax/tmp /usr/local/www/avantfax/faxes
#chown -R www:www /usr/local/www/avantfax//includes/templates

# ln -s /usr/local/www/avantfax/includes/faxrcvd.php /var/spool/hylafax/bin/faxrcvd.php
# ln -s /usr/local/www/avantfax/includes/dynconf.php /var/spool/hylafax/bin/dynconf.php
# ln -s /usr/local/www/avantfax/includes/notify.php /var/spool/hylafax/bin/notify.php

编辑config.ttyd0 //我的是外置modem,连接电脑com1，所以是ttyd0
# vi /var/spool/hylafax/etc/config.ttyd0

//添加
#
## AvantFAX configuration
#
FaxrcvdCmd: bin/faxrcvd.php
DynamicConfig: bin/dynconf.php
UseJobTSI: true

————————————-
编辑config
# vi /var/spool/hylafax/etc/config

//添加
#
## AvantFAX configuration
#
NotifyCmd: bin/notify.php

————————————–
备份/替换faxcover程序
#mv /usr/local/bin/faxcover /usr/local/bin/faxcover.old
#ln -s /usr/local/www/avantfax/includes/faxcover.php /usr/local/bin/faxcover

设置HylaFax用户支持Avantfax
#/usr/local/sbin/faxadduser -a pwd www
#/usr/local/sbin/faxdeluser localhost
#/usr/local/sbin/faxdeluser 127.0.0.1
#echo 127.0.0.1 >> /var/spool/hylafax/etc/hosts.hfaxd

编辑Avantfax设置文件
#cd /usr/local/www/avantfax/includes
#cp local_config-example.php local_config.php
#vi local_config.php

$BINARYDIR = ‘/usr/bin’;
//修改为:
$BINARYDIR = ‘/usr/local/bin’;

$HYLAFAX_PREFIX = ‘/usr’;
//修改为:
$HYLAFAX_PREFIX = ‘/usr/local’;

$WWWUSER = ‘apache’;
//修改为:
$WWWUSER = ‘www’;

$dft_config_lang = ‘en’;
//修改为:
$dft_config_lang = ‘zh’;

——————————————————-
编辑hfaxd.conf
#vi /usr/local/lib/fax/hfaxd.conf

#JobFmt: “%-3j %3i %1a %6.6o %-12.12e %5P %5D %7z %.25s”
//修改为:
JobFmt: “%-3j %3i %1a %15o %40M %-12.12e %5P %5D %7z %.25s”

——————————————————-
软件启动设置:
#vi /etc/rc.conf
//添加
apache22_enable=”YES”
mysql_enable=”YES”

——————————————————-
apache22设置

#vi /usr/local/etc/apache22/httpd.conf

DirectoryIndex index.html
//修改为:
DirectoryIndex index.html index.php

//添加
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

——————————————————-
新建fax.conf
#vi /usr/local/etc/apache22/Includes/fax.conf

//添加
NameVirtualHost *:80

ServerName fax.test.org
DocumentRoot /usr/local/www/avantfax/

AllowOverride None
Options None
Order allow,deny
Allow from all

——————————————————–
PHP程序连接
#ln-s /usr/local/bin/php /usr/bin/php

启动apache
#/usr/local/etc/rc.d/apapche start

——————————————————–
avantfax数据导入

启动mysql
#/usr/local/etc/rc.d/mysql start

导入数据
#cd /home/vincent/avantfax-3.1.6
#mysql -uroot < create_user.sql
#mysql -uavantfax -pd58fe49 avantfax < create_tables.sql

--------------------------------------------------------
编辑/etc/crontab
# vi /etc/crontab

//添加
# runs once an hour to update the phone book
0 * * * * root /usr/local/www/avantfax/includes/phb.php
# runs once a day to remove old files
0 0 * * * root /usr/local/www/avantfax/includes/avantfaxcron.php -t 2

---------------------------------------------------------
编辑/usr/local/etc/sudoers
#vi /usr/local/etc/sudoers

//添加
#Defaults requiretty
www ALL = NOPASSWD: /sbin/reboot, /sbin/halt, /usr/local/sbin/faxdeluser, /usr/local/sbin/faxadduser -u * -p * *

---------------------------------------------------------
打开浏览器（IE/firefox/opera)，打上下面的网址：

http://192.168.1.203/admin/

username: admin
password: password

新建 "传真分类" ---> 新建 “Modem” —> 新建 “用户”
到此，服务器基本上可以使用。

Apache 重写规则的常见应用 (rewrite)

admin — Sun, 31 May 2009 07:40:55 +0000

一:目的

本文旨在提供如何用Apache重写规则来解决一些常见的URL重写方法的问题，通过常见的
实例给用户一些使用重写规则的基本方法和线索。

二:为什么需要用重写规则？
一个网站，如果是长期需要放在internet上提供服务，必定会有不断地更新和维护，如临
时转移到其它服务器进行维护，重新组织目录结构，变换URL甚至改变到新的域名等等，
而为了让客户不会因此受到任何影响，最好的方法就是使用Apache Rewrite Rule(重写
规则)。

三: 重写规则的作用范围
1) 可以使用在Apache主配置文件httpd.conf中
2) 可以使用在httpd.conf里定义的虚拟主机配置中
3) 可以使用在基本目录的跨越配置文件.htaccess中

四:重写规则的应用条件
只有当用户的WEB请求最终被导向到某台WEB服务器的Apache后台，则这台WEB服务器接受
进来的请求，根据配置文件该请求是主配置还是虚拟主机，再根据用户在浏览器中请求的
URI来配对重写规则并且根据实际的请求路径配对.htaccess中的重写规则。最后把请求
的内容传回给用户，该响应可能有两种：

1) 对浏览器请求内容的外部重定向(Redirect)到另一个URL。
让浏览器再次以新的URI发出请求(R=301或者R=302，临时的或是永久的重定向)
如：一个网站有正规的URL和别名URL，对别名URL进行重定向到正规URL，或者网站改换
成了新的域名
则把旧的域名重定向到新的域名(Redirect)

2) 也可能是由Apache内部子请求代理产生新的内容送回给客户[P,L]
这是Apache内部根据重写后的URI内部通过代理模块请求内容并送回内容给客户，而客户
端浏览器并
不知道，浏览器中的URI不会被重写。但实际内容被Apache根据重写规则后的URI得到。
如：在公司防火墙上运行的Apache启动这种代理重写规则，代理对内部网段上的WEB服务
器的请求。

五:重写规则怎样工作？
我们假定在编译Apache时已经把mod_rewrite编译成模块，确信你的httpd.conf中有
LoadModule rewrite_module libexec/mod_rewrite.so
并且在Addmodule中有
Addmodule mod_rewrite.c
则可以使用重写规则。
当外部请求来到Apache，Apache调用重写规则中的定义来重写由用户浏览器指定请求的
URI，最后被重写的URI如果是重定向，则送由浏览器作再一次请求；如果是代理则把重写
后的URI交给代理模块请求最终的内容(Content),最后把内容送回给浏览器。

六: 何时使用.htaccess中的重写规则定义？
假如你对你的的网站内容所在的服务器没有管理员权限，或者你的网站放在ISP的服务器
上托管等等条件下，你无法改写主配置文件，然而你可以对你的WEB站点内容所在的目录
有写权限，则你可以设置自己的.htaccess
文件达到同样的目的。但你需要确定主配置文件中对你的网站所在的目录定义了下面的内
容:

Options Indexes FollowSymLinks
AllowOverride all

否则你的.htaccess不会工作。

七: 应用举例
假定Apache被编译安装在主机192.168.1.56的/usr/local/apache/ 目录下面，我们编
译进了重写和代理模块。

1) 隐藏Apache下的某个目录，使得对该目录的任何请求都重定向到另一个文件。

a> httpd.conf的实现方法

我们放下面的部分到/usr/local/apache/conf/httpd.conf

options Indexes followsymlinks
allowoverride all
rewriteengine on
rewritebase /
rewriterule ^(.*)$ index.html.en [R=301]

注：rewriteengine on 为重写引擎开关，如果设为off,则任何重写规则定义将不被应
用，该开关的另一好处就是如果为了临时拿掉重写规则，则改为off再重启动Apache即
可，不必将下面一条条的重写规则注释掉。
rewritebase / 的作用是如果在下面的rewriterule定义中被重写后的部分(此处为文件
名index.html.en)前面没有/，则是相对目录，相对于这个rewritebase后面的定义也就
是/usr/local/apache/htdocs/index.html.en,否则，如果此处没有rewritebase /这
一项，则被重写成
http://192.168.1.56/usr/local/apache/htdocs/manual/index.html.en ，显然是
不正确的。

不过这里我们也可以不用rewritebase / , 而改为
rewriteengine on
rewriterule ^(.*)$ /index.html.en [R=301]
或者
rewriteengine on
rewriterule ^(.*)$ http://192.168.1.56/index.html.en [R=301]

b> .htaccess的实现方法

我们先放下面的部分到httpd.conf

options Indexes followsymlinks
allowoverride all

然后放下面的部分到/usr/local/apache/htdocs/manual/.htaccess中
rewriteengine on
rewritebase /
rewriterule ^(.*)$ index.html.en [R=301]

注：对文件.htaccess所作的任何改动不需要重启动Apache.

问：要是把这个manual目录重定向到用户jephe的自己的主目录呢？
用下面的.htaccess方案。
rewriteengine on
rewritebase /~jephe/
rewriterule ^(.*)$ $1 [R=301]

则对manual目录下任何文件的请求被重定向到~jephe目录下相同文件的请求。

2) 转换www.username.domain.com的对于username的主页请求为
www.domain.com/username

对于HTTP/1.1的请求包括一个Host: HTTP头，我们能用下面的规则集重写
http://www.username.domain.com/anypath 到 /home/username/anypath

Rewriteengine on
rewritecond %{HTTP_HOST} ^www\.[^.]+\.host\.com$
rewriterule ^(.+) %{HTTP_HOST}$1 [C]
rewriterule ^www\.([^.]+)\.host\.com(.*) /home/$1$2

注：
rewritecond 条件重写规则，当满足后面定义的条件后才会应用下面的重写规则，
rewritecond有各种变量
，请查阅相关文档。

3) 防火墙上的重写规则代理内部网段上服务器的请求。

NameVirtualhost 1.2.3.4

servername www.domain.com
rewriteengine on
proxyrequest on
rewriterule ^/(.*)$ http://192.168.1.3/$1 [P,L]

注：当外部浏览器请求www.domain.com时被解析到IP地址1.2.3.4 ,Apache 交出
mod_rewrite处理转换成

http://192.168.1.3/$1后再交由代理模块mod_proxy得到内容后传送回用户的浏览器。

4) 基本预先设定的转换MAP表进行重写 rewritemap

转换www.domain.com/{countrycode}/anypath 到Map表中规定的URI,上面是虚拟主机
中的定义

rewritelog /usr/local/apache/logs/rewrite.log
rewriteloglevel 9

rewriteengine on
proxyrequest on
rewritemap sitemap txt:/usr/local/apache/conf/rewrite.map
rewriterule ^/([^/]+)+/(.*)$ http://%{REMOTE_HOST}::$1 [C]
rewriterule (.*)::([a-z]+)$ ${sitemap:$2|http://h.i.j.k/} [R=301,L]

文件/usr/local/apache/conf/rewrite.map的内容如下:

sg http://a.b.c.d/
sh http://e.f.g.h/

注：当用户请求http://www.domain.com/sg/anypath时被重写为
http://a.b.c.d/anypath .
当需要调试时请用rewritelog and rewriteloglevel 9联合,9为最大即得到最多的调试
信息
最小为1，最小的调试信息，默认为0，没有调试信息。
sitemap的语法是${sitemap: LookupKey | Defaultvalue} ,有些书上把$写成了%是错
误的。

Apache中设置网站301重定向

admin — Sun, 31 May 2009 07:38:23 +0000

今天，有以前的工作同事，在QQ问俺APACHE301重定向的问题，俺一开始以为是只要直接在httpd.conf设定index页的选项就行，例如，将index.htm index.html index.php index.php3.index.pl index.cgi 等索引页选项加上就行。但在GOOGLE搜索一下，发觉APACHE301重定向不是俺所想那回事。这都怪俺。脱离技术有段时间，有些技术细节记得不牢。因而GOOGLE搜索一下。得出下面这些实例。那么，如果参照下面实例来改。同事的问题就即时得到解决。。

比如要把 evanjiang.org 、www.evanjiang.org 域名的内容重定向到 www.evanjiang.net
那在 www.evanjiang.net 网站目录下面新一个 .htaccess 文件，加入下面的内容：

RewriteEngine On

RewriteCond %{HTTP_HOST} !^evanjiang.net$ [NC]
RewriteCond %{HTTP_HOST} !^www.evanjiang.net$ [NC]
RewriteRule ^(.*)$ http://www.evanjiang.net/$1 [L,R=301]

这样所有访问 www.evanjiang.org 的地址都会转向 www.evajiang.net 的地址。

俺认真看了一下，发觉这个实例可能有错，应该是这样写才对。。。

RewriteEngine On

RewriteCond %{HTTP_HOST} !^evanjiang.org$ [NC]
RewriteCond %{HTTP_HOST} !^www.evanjiang.org$ [NC]
RewriteRule ^(.*)$ http://www.evanjiang.net/$1 [L,R=301]

但不清楚，这样写才是最正确的写法。。具体要实践一下，看看结果才清楚。。

unix常用指令及参数

admin — Wed, 08 Apr 2009 13:48:23 +0000

常用组合键
ctrl+h,backspace :删除前面的字符.
ctrl+u:删除一整行.
ctrl+c,del,break: 强行终止正在运行的程序.
ctrl+d:
常用指令
1.date:查看当前时间.
2.cal:查看某一个月的月历.
3.Finger 命令:显示一个用户的详细信息.
4.who命令:显示所有登陆用户.who an i
5.clear 命令:执行清屏动作.
6.echo 命令:将命令名后跟随的参数显示在屏幕echo hello

world
7.banner 命令:将命令名后跟的ACSSII字符串以大字的方式显

示在屏幕上banner hello
8.wc 命令:用于计算一个指定的文件中的行数单词及字符数:
格式wc[-c(计算字符的数目)] [-l(计算行的数目)] [-w(计算

单词的数目)] filename
9.passwd 命令,用于修改口令.
10.man 命令:联机手册
六.shell的基本功能:命令解释器,程序设计语言.
shell的退出命令.
1.exit 主要用于退出B_shell
2.logout 主要用于退出C_shell
3.ctrl+d 用于退出各类shell
第三章通信
内部通信
外部通信<1,电子邮件,2.即时通信
一.即时通讯
1.write 交谈命令 (半双工通信)
格式 write student1
ctrl+d 退出write
Write协议:消息发送结束用O(结束)
结束谈话用OO(结束并退出)
2.mesg 消息开关命令.用于查询和开关本终端的消息接收状态.
格式:mesg [-y] [-n]
$ mesg 查询本终端当前的消息接收状态
is y 可以接收消息
is n 拒绝接收消息
$ mesg n 设置关闭状态
$ mesg y 设置打开状态
3.talk 双向通信命令 (全双工方式)
4.wall 广播信息命令
二,电子邮件
$ mail username 发送邮件
$ mail 接收邮件
系统邮箱:在/usr/mail或/var/mail下,每个用户都有一个以其名字

命名的邮箱.例如:student8的系统邮箱可能为:/var/mail/student8
个人邮箱:个人邮箱通常为用户自己的主目录(home)下的mbox

文件.用户读过的邮件如果末删除或转存,则存放在个人邮箱中

.例如:student8的个人邮箱可能是:/home/student8/mbox
1.发送邮件:
$ mail student8
给多个用户发送邮件
a.$ mail student1 student2 student3 把用户列出来.
b.$ mail TEACHER TEACHER为用户组名,即向属于TEACHER

组所有用记发邮件.
c.$ alias usr_list student1 student2 student3给student1 student2

student3等多个名字建立一个部的别名usr_list,该别名只在本

shell中起作用,退出shell后无效.
$ mail usr_list
把已有的文件作为邮件发送给用户:
$ mail student8 < my_letter
发邮件给不存在的用户:
$ mail meizhegeren
mail命令本身能正常执行,由于无有效的接收方,所以系统把邮

件退回到用户主目录下dead.letter中.
2.接收邮件
不带参数输入mial表示读取邮件.此时已进入出境mail命令模式

下.
mail命令模式常用命令
如有下页则显示,否则退出mail.
p 显示本邮件信息
d 删除当前邮件
n 显示下一个邮件
q 退出 mail,把末删除的邮件保存到个人邮箱中.
R 回复邮件
! 执行shell命令.
? 显示mail的内部命令.
第四章文件系统
与目录相关的命令(pwd,cd,mkdir,rmdir,ls)
与文件相关的命令(cp,mv,ln,more,rm)
1.pwd 显示当前工作目录
2.cd 改变当前目录
3.mkdir 创建目录
格式 mkdir dir_name
4.rmdir 删除目录
格式 rmdir dir_name
a.只能是空目录.
b.有写的权限
一次操作多个目录
- p 选项.在当前目录下逐级创建目录,也可以逐级删除目录.
5.ls 显示目录
$ ls -a 显示所有文件(以点开头的文件名是隐藏文件)
$ ls -R 显示所有子目录的内容
$ ls – l 能得到目录中的文件的详细信息.
-:普通 d: 目录 c: 字符设备 b: 块设备 p:管道
$ ls – C 以多列的格式列表,按列排序.
$ ls – F 如果是目录,文件名后加/,如果是可执行文件,加*表示.
$ ls – m 按页宽列文件,以逗号分隔.
$ ls – p 如果是目录,文件名后加/
$ ls – r 以字母反序列表
$ ls – s 以文件块为单位显示文件大小
$ ls – x 以多列的格式列表,按行排序.
$ ls -G 以不同的颜色显示.
$ ls -lc 显示更新时间
$ ls -i inode序号将列在第一列
$ ls -lu 显示访问时间
$ ls -I 显示更改时间
6.touch 命令:作用是用来修改文件访问时间更改时间的.并可以

用来创建0字节长度的文件.
格式 touch 命令参数
7.cp 命令:复制文件
格式 cp source target
$ cp file1 file2 … Target-dir
$ cp -i 如果目标文件存在,请求确认
$ cp -r 复制目录到新的目录
8.mv 命令:移动文件或命名文件
格式:mv source target
9.ln 命令:ln命令的主要功能是给一个已经存在的文件再取一个

名字.新的文件名与原文件名可以在同一个目录下,也可以以在

不同的目录下,新老文件名代表同一个文件.
格式ln source-file target-file
作用:在现有的文件与新文件之间建立新链接,使一个文件具有

一个以上的名字.
显示文件内容命令
10.cat 命令:用来显示.创建或者合并文件
格式cat filename
11.more 命令:逐屏显示文件内容.翻屏时用键.
格式:$ more filename
12.rm 命令:删除文件(删除后无法恢复)
格式:$ rm file
$ rm file1 file2
$ rm -i 删除文件前,给出确认
$ rm -r 删除指定的目录及目录中的所有文件和子目录.即删除

整个目录结构.
13.lp 命令:打印命令
14.cut 命令:切取文件内容,用于切取文件中的列或字段.它把文

本文件中每一行的一部分显示输出.运行时必须指定功能选项.
- f 指定字段的位置
-c 指定列的位置
-d 指定字段分隔符,缺省的字段分隔符是制表符tab
15.paste 命令:连接文件.
作用:把文件一行接一行地连接在一起,或者把两个或多个文件

的域连到一个新文件里.
格式: $paste 选项参数
选项:-d 指定分隔符.默认是制表符
第五章文件权限
16.chmod 命令:修改文件权限,常用chmod命令修改文件(包括普

通,目录和设备)的访问权限,
格式: chmod pattern filename …
finename 为要修改的权限文件名.可以有多个.
pattern 为将改变成的权限,可以用两种形式表示:字母式和数字

形式.
a,字母形式(符号模式)
字母形式由用户类别(u,g,o). 如何改变(+,-)和权限(r,w,x)三部分

组成.
u:本用户g:同组用户o:其它用户. + :增加权限 -:删除权限
r:读w:写x:执行
例如:chmod u+x file1
chmod o-w file2 file3
chmod go+r file4
b, 数值形式
格式: chmod 777 file1
*新建文件或目录最大权限=状态掩码+新建文件或目录缺省

权限.此时unask为000
对一个新建的文件,umask值为022则指定该文件的权限为644:
对一个新建的目录,umask值为022则指定该目录的权限为755
17.sort 命令:作用在于将指定的文件中的文件进行排序,并把排

序的结果输出到指定的标准输出中.
格式:$srot [-t delimiter] [+field] [.column]][option]
选项: -d 以字典顺序进行排序
-
18.head 命令:用于查看一个文件.或多个文件的前面几行的内

容.
格式:$ head [-number_of_lines] file(s)
19.tail 命令:用于显示从指定行开始直到文件末尾的文件内容
格式;tail [-number_of_lines | +number_of_lines]file
20.tee 命令:在获得输入后,将把该输入数据送到两个地点:标准

输出和文件.
21.grep 命令: 用于选项定包含特定模式的文本行.
21.find 命令:在目录中递归地搜索包括有特定字符的文件名.
22.df 命令:磁盘空间监测命令.显示当前系统中各个逻辑磁盘

中空闲的磁盘块数和空闲的索引节点(即可建立的新文件数)
23.du 命令:查看磁盘使用情况统计,统计指定的目录及所有子

目录的磁盘使用情况,统计单位是磁盘块数.
选项:-a 显示所有文件及子目录
24.fsck 命令:文件系统管理:用于检测和修复文件文件的错误,
25.tar命令:文件存储与备份.该命令可以把文件系统中的一个

或一组文件打成一个文件包.存放到外存上或硬盘上文件系统

的其它地方.常用于多个文件(包括目录)的备份或转移.
格式: tar -cvf target file1 file2 file3 …把file1 file2 file3等文件备份到

档案文件target中.
tar -tvf target 检查档案文件target中包含的文件信息.
tar -xvf targer [file1] 从档案文件target中提取全部或file指定

的文件.
26.shutdown 命令:系统关机
选项:-h 完全关机
-r 关机并重新启动系统
time 关机时间,如17:30
message 关机前向所有已登陆用户发送消息
例如: shutdown -r now 现在关机重启.
27.crypt 文件加密命令:用于对文本文件进行加密和解密.以防

止文件内容泄密.
例如:$ crypt < file > file.cry 对file加密,结果保存在file.cry中.key:加

密口令
$ crypt aaa 对aaa.cry解密,结果保存到aaa中. key:

解密口令
附:$ vi -x file.cry 编辑一个加密后的文件
28.compress/uncompress 文件压缩和解压命令
格式:compress data_file 加压后自动在文件名后加一个.Z
umcompress abc.Z
29.at 定时执行任务:在指定的时间一次性执行规定的任务.
at 15:30 在15:30分执行
who >> userlist 把上机用户清单发到userlist
30,cron 系统定量执行任务:
31,crontab 任务描述文件的管理命令.

OpenBSD4.4下架设CS1.6服务器

admin — Mon, 06 Apr 2009 11:08:42 +0000

Setp 1：环境
1、操作系统OpenBSD4.4。
2、开启Linux支持
#mg /etc/sysctl.conf
去掉#kern.emul.linux=1前的#
#cd /usr/ports/emulators/redhat
#make install

Setp 2：下载所需软件
1：先到http://www.okgogogo.com/download/view.asp?id=393下载hlds_l_02162004.tar.gz
2：接下来下载NoSteamAuthEngines，这个是nosteam补丁：
wget http://www.cstrike.ro/cstrike_files/engine.v15.tgz

Setp 3：安装
#cd /var
#tar zxvf hlds_l_02162004.tar.gz

Setp 4：破解
#tar zxvf engine.tgz
#mv engine_amd.so hlds_l/
#mv engine_i486.so hlds_l/
#mv engine_i686.so hlds_l/

Setp 5：配置
#cd hlds_l
#mg cs
#!/bin/sh
./hlds_run -game cstrike -port 27015 -insecure -ip x.x.x.x +servercfgfile server2.cfg +maxplayers 32 +map de_dust2 -nojoy -noipx -nomaster +localinfo

Setp 6：server.cfg的设置(根据个人情况增添)
rcon_password “rconpassword”
// OP 密码
// “” 表示没有

hostname “CS1.6比赛专用服务器 #A01″
// 服务器名称

sv_region 4
// 服务器所在区域注册参数\r
// 255=全球
// 0=美国东部
// 1=美国西部
// 2=南美洲\r
// 3=欧洲
// 4=亚洲
// 5=澳洲
// 6=中东
// 7=非洲

sv_rcon_maxfailures 9999
// 输入OP密码错误次数上限
// 达到上限则封禁对方的IP

sv_rcon_banpenalty 5
// 封禁的时限单位分钟
// 0=永久

sv_maxupdaterate 30
// 服务器每秒更新最大频率\r
// 根据实际网络状况调节
// 默认=30
// 局域=101

sv_minupdaterate 20
// 服务器每秒更新最小频率\r

sv_unlag 1
// 玩家延时补偿
// 0=关闭
// 1=开启 (默认)

sv_maxunlag 0.5
// 延时补偿最大值默认 0.5
// 0.5=500毫秒 (默认)

sv_voiceenable 1
// 服务器是否允许麦克风语音通讯
// 0=禁止
// 1=允许 (默认)

sv_unlagsamples 1
// 延时补偿数据包平均采样数量\r
// 默认=1

sv_unlagpush 0
// 服务器推进延时补偿\r
// 0=关闭 (默认)
// 1=开启\r

mp_autokick 0
// 自动踢除不动的玩家\r
// 0=关闭
// 1=开启 (比赛默认)

mp_autocrosshair 0
// 自动瞄准
// 0=关闭 (默认)
// 1=开启\r

mp_autoteambalance 0
// 自动平衡双方人数
// 0=关闭 (比赛默认)
// 1=开启\r

mp_buytime 0.25
// 每回合购买武器装备时间单位分钟\r
// 比赛默认=0.25

mp_consistency 1
// 防止某些模型被更改\r
// 0=关闭
// 1=开启 (默认)

mp_c4timer 35
// C4爆炸倒计时单位秒
// 比赛默认=35

mp_decals 300
// 墙壁上的血花弹孔贴图细节数据传送(200-300)

mp_falldamage 1
// 高处落下伤害
// 0=关闭
// 1=开启 (默认)

mp_fadetoblack 0
// 死后黑屏
// 0=关闭 (默认)
// 1=开启\r

mp_flashlight 1
// 手电筒\r
// 0=禁止
// 1=允许 (默认)

mp_forcechasecam 2
// 死后跟随
// 0=所有玩家\r
// 1=仅队友\r
// 2=仅队友，主视角 (比赛默认)

mp_forcecamera 2
// 死后视角选择
// 0=全部视角
// 1=仅队友，全部视角
// 2=仅队友，主视角 (比赛默认)

mp_footsteps 1
// 脚步声\r
// 0=关闭
// 1=开启 (默认)

mp_fraglimit 0
//杀人数上限(1~n)，超过上限就换地图\r
// 0=关闭 (默认)

mp_freezetime 7
// 每回合开始冻结时间单位秒

mp_friendlyfire 1
// 友军伤害
// 0=关闭
// 1=开启 (默认)

mp_friendly_grenade_damage 1
// 友军手雷伤害
// 0=关闭
// 1=开启\r

mp_hostagepenalty 0
// 惩罚人质杀手\r
// 0=不惩罚 (默认)
// 1~N=人质被杀数量，超过则踢出该玩家\r

mp_limitteams 10
// 两队人数差异上限
// 超过此上限，新玩家只能当观察员\r
// 比赛默认=10

sv_logbans 1
// 服务器日志里记录Ban掉玩家的内容
// 0=不记录\r
// 1=记录

mp_logecho 1
// 将服务器日志反馈到控制台
// 0=关闭
// 1=开启\r

mp_logdetail 3
// 服务器日志里记录攻击信息
// 0=不记录任何信息\r
// 1=记录敌人攻击
// 2=记录队友攻击
// 3=记录所有攻击\r

mp_logfile 1
// 服务器记录日志为文件
// 0=不记录\r
// 1=记录

mp_logmessages 1
// 服务器日志里记录谈话内容
// 0=不记录\r
// 1=记录

mp_maxrounds 0
// 回合上限，达到此上限，自动重新载入新地图
// 0=无回合上限 (默认)

mp_playerid 0
// 当准星指向敌人或队友时，显示他们的名字\r
// 0=关闭 (比赛默认)
// 1=开启\r

mp_roundtime 1.75
// 每回合时限单位分钟\r

mp_timelimit 0
// 地图最大时限，达此时限，自动重新载入新地图
// 0=无时限\r

mp_tkpunish 0
// 惩罚队友杀手\r
// 0=关闭 (默认)
// 1=开启\r

mp_startmoney 800
// 第一回合开始金钱(800~16000)
// 加时赛=10000

mp_winlimit 0
// 一方最大胜利回合数，达到此数量，自动重新载入新地图
// 0=无限制 (默认)

sv_aim 0
// 自动瞄准
// 0=关闭 (默认)
// 1=开启\r

sv_airaccelerate 10
// 玩家在空中移动的速度
// 默认=10

sv_airmove 1
// 在空中移动&转向
// 0=禁止
// 1=允许(默认)

sv_allowdownload 1
// 客户端下载服务器资源
// 0=禁止
// 1=允许 (默认)

sv_allowupload 1
// 客户端上传自己的喷图
// 0=禁止
// 1=允许 (默认)

sv_alltalk 0
// 警匪通话
// 0=禁止 (默认)
// 1=允许

sv_proxies 1
// HLTV代理
// 0=禁止
// 1=允许 (默认)

sv_cheats 0
// 作弊模式
// 0=关闭 (默认)
// 1=开启\r

sv_clienttrace 1.0
// 客户端模型的范围框的尺寸
// 默认 1.0

sv_clipmode 0
// 锁定客户端快速模式\r
// 0=关闭(默认)
// 1=开启\r

sv_contact boezombie@gmail.com
// 服务器构建者的联系邮箱

sv_friction 4
// 地面摩擦力默认 4
// 数值越低，摩擦越小

sv_gravity 800
// 重力默认 800

sv_maxrate 25000
// 服务器最大传输速率 <0-25000>
// (服务器上传带宽 x 125) /服务器设定的最大人数 = 要设的值\r
// 0=无限制\r
// 局域=25000

sv_maxspeed 320
// 客户端最大移动速度

sv_minrate 0
// 服务器最小传输速率 <0-25000>
// sv_maxrate / 300 = 要设的值\r
// 0=无限制\r

sv_restartround 0
// 重新开始第一回合在n秒后

sv_restart 0
// 重新开始游戏在n秒后
// 作用等同于sv_restartround

sv_send_logos 1
// 客户端相互之间传送喷图\r
// 0=禁止
// 1=允许(同时确保sv_allowdownloads键值为1)

sv_sendvelocity 0
// 服务器混合物理运算，适用于较好配置的服务器\r
// 0=关闭
// 1=开启\r

sv_send_resources 1
// 自动向客户端传送地图关联的 & .res文件里包括的资源文件
// 0=关闭
// 1=开启(同时确保sv_allowdownload为1)

sv_stepsize 18
// 玩家的步伐距离\r
// 默认 18

sv_stopspeed 75
// 玩家停止移动时的速度默认 75

sv_timeout 65
// 客户端连接服务器超时的时限，达到时限则断开连接

sv_voicecodec voice_speex
// 语音通话解码
// voice_miles是HL引擎长期以来用的语音解码(默认)，占用带宽较大，为32kbps
// voice_speex是Valve新加入的解码，优于voice_miles，占用带宽较少，为2.4kbps至15.2kbps

sv_voicequality 5
// 客户端语音通话质量(确保sv_voicecodec voice_speex)
// 1=非常差………..占用带宽 2.4 kbps
// 2=差……………占用带宽 6.0 kbps
// 3=中等………….占用带宽 8.0 kbps
// 4=好……………占用带宽 11.2 kbps
// 5=非常清晰………占用带宽 15.2 kbps

allow_spectators 1
// 观察员模式\r
// 0=禁止
// 1=允许

decalfrequency 60
// 玩家喷图的时间间隔单位秒

edgefriction 2
// 玩家与玩家、墙壁、物体之间的摩擦
// 默认 2

host_framerate 0
// 与Demo录制有关
// 0 // n=0 为正常(默认)
// n>1 为快录\r

log on
// 开始记录日至\r

pausable 1
// 客户端暂停游戏\r
// 0=禁止
// 1=允许

mapcyclefile mapcycle.txt
// 地图循环列表所在的.txt文件
// *.txt = cstrike\*.txt文件

Installing WP Super Cache with lighttpd

admin — Sun, 05 Apr 2009 14:06:49 +0000

Trying to get WP Super Cache & WordPress working on my fast lighttpd server, I came into problems, mainly because of lighttpd’s lack of (Apache’s version of) the mod_rewrite module. The static files that were created from the cache were not statically served from wordpress. The problem is that in order to use them, the PHP fcgi was called for each request. So, why would we have to call PHP every time that a file can be completely statically provided by the web server?

Following this guide I came up with some problems trying to serve the static files. The problem with that version of the rewrite.lua script is that it does not really work the way it should. The whole point of using WP Super Cache is to avoid calling the PHP fcgi for posts that are already cached into an html file. Calling the PHP fcgi is much slower than using the “core” lighttpd static-page-serving facilities.

So, what did I do to avoid calling the PHP fcgi?

The following script takes the url that was asked from the client. It checks whether there is a fresh version of a static HTML page on the cache and if yes, it servers that. If the file does not exist al all or the it is expired(I check its modification date) then the request is forwarded to the PHP fcgi so that it can be freshly served.

In my lighttpd.conf I have put this:

view sourceprint?
01.
$HTTP["host"] == “www.asteriosk.gr” {
02.

03.
alias.url = ( “/storage/” => “/opt/storage/” )
04.
server.document-root = “/opt/apps/wordpress/”
05.
url.rewrite = (
06.
“^/(wiki|wp-admin|wp-includes|wp-content|storage)/(.*)” => “$0″,
07.
“^/(sitemap\.xml|sitemap\.xml\.gz)” => “$0″,
08.
“^/(.*\.php)” => “$0″,
09.
“^/(.*)$” => “/index.php/$1″
10.
)
11.
magnet.attract-physical-path-to = ( server.document-root + “rewrite.lua” )
12.

13.
}
And in the rewrite.lua file I have put this:

view sourceprint?
01.
expiration_time = 10*60
02.

03.
function serve_html(cached_page, expiration_time)
04.
attr = lighty.stat(cached_page)
05.
–Check if the cached file has expired
06.
if (attr and (attr['st_mtime'] + expiration_time) > os.time() ) then
07.
lighty.env["physical.path"] = cached_page
08.
return true
09.
else
10.
return false
11.
end
12.
end
13.

14.
function serve_gzip(cached_page, expiration_time)
15.
attr = lighty.stat(cached_page .. “.gz”)
16.
–Check if the gziped cached file has expired
17.
if (attr and (attr['st_mtime'] + expiration_time) > os.time() ) then
18.
lighty.header["Content-Encoding"] = “gzip”
19.
lighty.header["Content-Type"] = “”
20.
lighty.env["physical.path"] = cached_page .. “.gz”
21.
return true
22.
else
23.
return false
24.
end
25.
end
26.

27.
attr = lighty.stat(lighty.env["physical.path"])
28.
if (not attr) then
29.

30.
lighty.env["physical.rel-path"] = lighty.env["uri.path"]
31.
–Change the “/opt/apps/wordpress/” to your own wordpress location
32.
lighty.env["physical.path"] = “/opt/apps/wordpress/”
33.
.. lighty.env["physical.rel-path"]
34.
– If we are querying, we don’t have to cache of course
35.
query_condition = not ( lighty.env["uri.query"] and
36.
string.find(lighty.env["uri.query"], “.*s=.*”))
37.
–If there exists a cookie in the client, probably he/she has been here before
38.
–and has left a comment. In that case we don’t use cached content
39.
–for example, the user might has just submitted a comment.
40.
user_cookie = lighty.request["Cookie"] or “no_cookie_here”
41.
cookie_condition = not (string.find(user_cookie, “.*comment_author.*”) or
42.
string.find(user_cookie, “.*wordpress.*”) or
43.
string.find(user_cookie, “.*wp-postpass_.*”))
44.

45.
if (query_condition and cookie_condition) then
46.
–construct the full path of the expeted cached filename for this url
47.
accept_encoding = lighty.request["Accept-Encoding"] or “no_acceptance”
48.
cached_page = lighty.env["physical.doc-root"] ..
49.
“/wp-content/cache/supercache/” ..
50.
lighty.request["Host"] ..
51.
lighty.env["request.uri"] ..
52.
“/index.html”
53.

54.
cached_page = string.gsub(cached_page, “index.php/”, “/”)
55.
cached_page = string.gsub(cached_page, “//”, “/”)
56.

57.
–If the client accepts gzipped content, send gzipped content
58.
if (string.find(accept_encoding, “gzip”)) then
59.
–If for some reason the gzipped file does not exist, fallback to the
60.
–uncompressed cached file
61.
if not serve_gzip(cached_page, expiration_time) then
62.
serve_html(cached_page,expiration_time) end
63.
else
64.
serve_html(cached_page,expiration_time)
65.
end
66.
end
67.
end

If you want to use the script in your own server, the only things that you have to change is the hardcoded /opt/apps/wordpress/ path and the expiration_time variable.

Kudos to Giovanni Intini for porting the Apache mod_rewrite’s rules on mod_magnet and the original idea of the script.

url.rewrite for WordPress on Lighttpd

admin — Sun, 05 Apr 2009 13:35:28 +0000

This blog now runs on a Lighttpd (Lighty) webserver instead of Apache, and this means the configuration for ‘pretty URLs’ or permalinks of WordPress doesn’t work like it used to.
(As you might have noticed, I use permalinks like /2007/02/this-is-permalink/)

Whereas WordPress can automatically adapt the Apache .htacccess file to something like

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

it does not do anything automatically for your Lighty .conf configuration file (which is logical, since an application should not be allowed to mess with a central config file).

So what you have to use is:

a WordPress blog installed in the root of your (sub-) domain:
$HTTP["host"] =~ “{yourdomain}” {
var.app = “{yourdomain}”
accesslog.filename = base + “/logs/” + app + “.access.log”
server.errorlog = base + “/logs/” + app + “.error.log”
load php app
url.rewrite = (
“^/(wp-.+).*/?” => “$0″,
“^/(sitemap.xml)” => “$0″,
“^/(xmlrpc.php)” => “$0″,
“^/(.+)/?$” => “/index.php/$1″
)
}

a WordPress blog installed in a subfolder (e.g. /blog/)
$HTTP["host"] =~ “{yourdomain}” {
var.app = “{yourdomain}”
accesslog.filename = base + “/logs/” + app + “.access.log”
server.errorlog = base + “/logs/” + app + “.error.log”
load php app
url.rewrite = (
“^/?$” => “/blog/index.php”,
“^/blog/(wp-.+)$” => “$0″,
“^/blog/xmlrpc.php” => “$0″,
“^/blog/sitemap.xml” => “$0″,
“^/blog/(.+)/?$” => “/blog/index.php/$1″
)
}
The xmlrpc.php rule is necessary for external access (like, publishing from del.icio.us or Flickr), and the sitemap.xml file is something for Google Sitemaps.

For those stubborn visitors who always precede their URLs with www, you can also add a redirect:

$HTTP["host"] =~ “www.blog.forret.com” {
url.redirect = ( “.*” => “http://blog.forret.com”)
}

How to install LAMP (Apache, PHP and MySQL in Linux) using Yum

admin — Sun, 05 Apr 2009 13:19:58 +0000

Many friends ask me how to install LAMP (Linux, apache, php, mysql). There are many ways to install LAMP. Here i teach you the most easiest way to install LAMP using yum program in CentOS.
Below are the steps to install LAMP (Apache, PHP and MySQL in Linux) using Yum:-

• Go to CentOS and download a copy of CentOS Linux and install it (i’ll not go thru the how to install CentOS with you here)
• Once your CentOS is installed. Open a terminal (if you are using X-Window), and type yum install httpd and follow on screen instruction to install apache web server
• Once apache web server has been installed, type yum install php
• Once PHP installed successfully, type yum install mysql-servermysql
• Once everything finish, type service httpd start to start your apache web server, screen will show you if web server service successfully started
• type service mysqld start to start your mysql server
• Once both services is running, you can point your browser to http://localhost and you should see a welcome page from CentOS
• If you see that welcome page, you just installed everything successfull.
• To test if php is running, go to /var/www/html and create anindex.php file with the content below

and refresh your browser again. If you see a purple PHP information page showing all the php configuration variables, then php is running now.
• Congratulation, you just successfully installed LAMP in your machine.

网站恢复时，Lighttpd+php环境搭建文档笔记

admin — Fri, 03 Apr 2009 03:20:46 +0000

早前。网站要迁移。要从apache+php环境迁移到Lighttpd +php环境，如下为lighttpd+php环境搭建文档笔记。有点乱。有空再详细整理。

fetch ftp://ftp.freebsd.org/pub/FreeBS … Latest/lighttpd.tgz
tar -zxvf lighttpd.tgz
cd lighttpd
./configure –prefix=/home/tiger/evan/lighttpd –with-pcre –with-gdbm –with-memcache make
make install
安装PHP
tar -zxvf php-5.0.4.tgz
cd php-5.0.4
./configure –prefix=/home/tiger/evan/php5-fastcgi –enable-fastcgi –without-pear –with-mysql=/usr/local/mysql –enable-discard-path –enable-force-cgi-redirect -with-iconv
./configure –prefix=/home/tiger/evan/php5-fastcgi –with-mysql=/usr/local/mysql –enable-gd-native-ttf –with-gd –enable-ftp –with-iconv –with-gettext –enable-fastcgi –enable-zend-multibyte –without-pear –enable-force-cgi-redirect –enable-discard-path
Make
Make test
Make clean
Make install

配置Lighttpd
vi lighttpd.confserver.port=5678
server.modules=(“mod_access”,”mod_fastcgi”,”mod_accesslog”)
server.document-root=”/home/tiger/evan/lighttpd/htdocs”
server.pid-file=”/home/tiger/evan//lighttpd/lighttpd.pid”
server.errorlog=”/home/tiger/evan//lighttpd/lighttpd.error.log”
server.indexfiles=(“index.php”,”index.html”)
fastcgi.server=(“.php”=>(“localhost”=>(“socket” =>”/tmp/php-fastcgi.socket”,”bin-path”
=>”/home/tiger/evan/php5-fastcgi/bin/php”)))

启动Lighttpd
/home/tiger/evan/lighttpd/sbin/lighttpd -f /home/tiger/evan/lighttpd/conf/lighttpd.conf

安装环境: Linux Fedora Core 3 上安装 php-5.2.0

在安装 PHP 到系统中时要是发生「undefined reference to `libiconv_open’」之类的错误讯息，那表示在「./configure 」没抓好一些环境变量值。错误发生点在建立「-o sapi/cli/php」时出错，没给到要 link 的 iconv 函式库参数。

快速的解法是：
编辑 Makefile 大约 70 行左右的地方:

EXTRA_LIBS = ….. -lcrypt

在最后加上 -liconv，例如:

EXTRA_LIBS = ….. -lcrypt -liconv

然后重新再次 make 即可。
________________________________________

如果要安装 iconv 函式库的话：
其首页是: http://www.gnu.org/software/libiconv/
下载点是: http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.9.2.tar.gz

安装步骤:

# ./configure –prefix=/usr/local
# make
# make install

________________________________________

make 时的错误讯息范例：

[jjdai@zhupiter php-5.2.0]$ make
/bin/sh /home/jjdai/work/zhupiter/php-5.2.0/libtool –silent –preserve-dup-deps –mode=link gcc -export-dynamic -I/usr/local/include -g -O2 -L/usr/kerberos/lib -L/usr/local/lib -L/usr/lib/mysql -R /usr/kerberos/lib -R /usr/local/lib -R /usr/lib/mysql ext/libxml/libxml.lo ext/openssl/openssl.lo ext/openssl/xp_ssl.lo ext/pcre/pcrelib/pcre_chartables.lo ext/pcre/pcrelib/pcre_ucp_searchfuncs.lo ext/pcre/pcrelib/pcre_compile.lo ext/pcre/pcrelib/pcre_config.lo ext/pcre/pcrelib/pcre_exec.lo ext/pcre/pcrelib/pcre_fullinfo.lo ext/pcre/pcrelib/pcre_get.lo ext/pcre/pcrelib/pcre_globals.lo ext/pcre/pcrelib/pcre_info.lo ext/pcre/pcrelib/pcre_maketables.lo ext/pcre/pcrelib/pcre_ord2utf8.lo ext/pcre/pcrelib/pcre_refcount.lo ext/pcre/pcrelib/pcre_study.lo ext/pcre/pcrelib/pcre_tables.lo ext/pcre/pcrelib/pcre_try_flipped.lo ext/pcre/pcrelib/pcre_valid_utf8.lo ext/pcre/pcrelib/pcre_version.lo ext/pcre/pcrelib/pcre_xclass.lo ext/pcre/php_pcre.lo ext/zlib/zlib.lo ext/zlib/zlib_fopen_wrapper.lo ext/zlib/zlib_filter.lo ext/bz2/bz2.lo ext/bz2/bz2_filter.lo ext/ctype/ctype.lo ext/curl/interface.lo ext/curl/multi.lo ext/curl/streams.lo ext/date/php_date.lo ext/date/lib/astro.lo ext/date/lib/dow.lo ext/date/lib/parse_date.lo ext/date/lib/parse_tz.lo ext/date/lib/timelib.lo ext/date/lib/tm2unixtime.lo ext/date/lib/unixtime2tm.lo ext/dom/php_dom.lo ext/dom/attr.lo ext/dom/document.lo ext/dom/domerrorhandler.lo ext/dom/domstringlist.lo ext/dom/domexception.lo ext/dom/namelist.lo ext/dom/processinginstruction.lo ext/dom/cdatasection.lo ext/dom/documentfragment.lo ext/dom/domimplementation.lo ext/dom/element.lo ext/dom/node.lo ext/dom/string_extend.lo ext/dom/characterdata.lo ext/dom/documenttype.lo ext/dom/domimplementationlist.lo ext/dom/entity.lo ext/dom/nodelist.lo ext/dom/text.lo ext/dom/comment.lo ext/dom/domconfiguration.lo ext/dom/domimplementationsource.lo ext/dom/entityreference.lo ext/dom/notation.lo ext/dom/xpath.lo ext/dom/dom_iterators.lo ext/dom/typeinfo.lo ext/dom/domerror.lo ext/dom/domlocator.lo ext/dom/namednodemap.lo ext/dom/userdatahandler.lo ext/filter/filter.lo ext/filter/sanitizing_filters.lo ext/filter/logical_filters.lo ext/filter/callback_filter.lo ext/gd/gd.lo ext/gd/gdttf.lo ext/gd/libgd/gd.lo ext/gd/libgd/gd_gd.lo ext/gd/libgd/gd_gd2.lo ext/gd/libgd/gd_io.lo ext/gd/libgd/gd_io_dp.lo ext/gd/libgd/gd_io_file.lo ext/gd/libgd/gd_ss.lo ext/gd/libgd/gd_io_ss.lo ext/gd/libgd/gd_png.lo ext/gd/libgd/gd_jpeg.lo ext/gd/libgd/gdxpm.lo ext/gd/libgd/gdfontt.lo ext/gd/libgd/gdfonts.lo ext/gd/libgd/gdfontmb.lo ext/gd/libgd/gdfontl.lo ext/gd/libgd/gdfontg.lo ext/gd/libgd/gdtables.lo ext/gd/libgd/gdft.lo ext/gd/libgd/gdcache.lo ext/gd/libgd/gdkanji.lo ext/gd/libgd/wbmp.lo ext/gd/libgd/gd_wbmp.lo ext/gd/libgd/gdhelpers.lo ext/gd/libgd/gd_topal.lo ext/gd/libgd/gd_gif_in.lo ext/gd/libgd/xbm.lo ext/gd/libgd/gd_gif_out.lo ext/hash/hash.lo ext/hash/hash_md.lo ext/hash/hash_sha.lo ext/hash/hash_ripemd.lo ext/hash/hash_haval.lo ext/hash/hash_tiger.lo ext/hash/hash_gost.lo ext/hash/hash_snefru.lo ext/hash/hash_whirlpool.lo ext/hash/hash_adler32.lo ext/hash/hash_crc32.lo ext/iconv/iconv.lo ext/json/json.lo ext/json/utf8_to_utf16.lo ext/json/utf8_decode.lo ext/json/JSON_parser.lo ext/mysql/php_mysql.lo ext/pdo/pdo.lo ext/pdo/pdo_dbh.lo ext/pdo/pdo_stmt.lo ext/pdo/pdo_sql_parser.lo ext/pdo/pdo_sqlstate.lo ext/pdo_sqlite/pdo_sqlite.lo ext/pdo_sqlite/sqlite_driver.lo ext/pdo_sqlite/sqlite_statement.lo ext/pdo_sqlite/sqlite/src/attach.lo ext/pdo_sqlite/sqlite/src/auth.lo ext/pdo_sqlite/sqlite/src/btree.lo ext/pdo_sqlite/sqlite/src/build.lo ext/pdo_sqlite/sqlite/src/callback.lo ext/pdo_sqlite/sqlite/src/date.lo ext/pdo_sqlite/sqlite/src/delete.lo ext/pdo_sqlite/sqlite/src/expr.lo ext/pdo_sqlite/sqlite/src/func.lo ext/pdo_sqlite/sqlite/src/hash.lo ext/pdo_sqlite/sqlite/src/insert.lo ext/pdo_sqlite/sqlite/src/legacy.lo ext/pdo_sqlite/sqlite/src/main.lo ext/pdo_sqlite/sqlite/src/os_unix.lo ext/pdo_sqlite/sqlite/src/os_win.lo ext/pdo_sqlite/sqlite/src/os.lo ext/pdo_sqlite/sqlite/src/pager.lo ext/pdo_sqlite/sqlite/src/pragma.lo ext/pdo_sqlite/sqlite/src/prepare.lo ext/pdo_sqlite/sqlite/src/printf.lo ext/pdo_sqlite/sqlite/src/random.lo ext/pdo_sqlite/sqlite/src/select.lo ext/pdo_sqlite/sqlite/src/table.lo ext/pdo_sqlite/sqlite/src/tokenize.lo ext/pdo_sqlite/sqlite/src/analyze.lo ext/pdo_sqlite/sqlite/src/complete.lo ext/pdo_sqlite/sqlite/src/trigger.lo ext/pdo_sqlite/sqlite/src/update.lo ext/pdo_sqlite/sqlite/src/utf.lo ext/pdo_sqlite/sqlite/src/util.lo ext/pdo_sqlite/sqlite/src/vacuum.lo ext/pdo_sqlite/sqlite/src/vdbeapi.lo ext/pdo_sqlite/sqlite/src/vdbeaux.lo ext/pdo_sqlite/sqlite/src/vdbe.lo ext/pdo_sqlite/sqlite/src/vdbemem.lo ext/pdo_sqlite/sqlite/src/where.lo ext/pdo_sqlite/sqlite/src/parse.lo ext/pdo_sqlite/sqlite/src/opcodes.lo ext/pdo_sqlite/sqlite/src/alter.lo ext/pdo_sqlite/sqlite/src/vdbefifo.lo ext/pdo_sqlite/sqlite/src/vtab.lo ext/pdo_sqlite/sqlite/src/loadext.lo ext/posix/posix.lo ext/reflection/php_reflection.lo ext/session/session.lo ext/session/mod_files.lo ext/session/mod_mm.lo ext/session/mod_user.lo ext/simplexml/simplexml.lo ext/spl/php_spl.lo ext/spl/spl_functions.lo ext/spl/spl_engine.lo ext/spl/spl_iterators.lo ext/spl/spl_array.lo ext/spl/spl_directory.lo ext/spl/spl_sxe.lo ext/spl/spl_exceptions.lo ext/spl/spl_observer.lo ext/sqlite/sqlite.lo ext/sqlite/sess_sqlite.lo ext/sqlite/pdo_sqlite2.lo ext/sqlite/libsqlite/src/opcodes.lo ext/sqlite/libsqlite/src/parse.lo ext/sqlite/libsqlite/src/encode.lo ext/sqlite/libsqlite/src/auth.lo ext/sqlite/libsqlite/src/btree.lo ext/sqlite/libsqlite/src/build.lo ext/sqlite/libsqlite/src/delete.lo ext/sqlite/libsqlite/src/expr.lo ext/sqlite/libsqlite/src/func.lo ext/sqlite/libsqlite/src/hash.lo ext/sqlite/libsqlite/src/insert.lo ext/sqlite/libsqlite/src/main.lo ext/sqlite/libsqlite/src/os.lo ext/sqlite/libsqlite/src/pager.lo ext/sqlite/libsqlite/src/printf.lo ext/sqlite/libsqlite/src/random.lo ext/sqlite/libsqlite/src/select.lo ext/sqlite/libsqlite/src/table.lo ext/sqlite/libsqlite/src/tokenize.lo ext/sqlite/libsqlite/src/update.lo ext/sqlite/libsqlite/src/util.lo ext/sqlite/libsqlite/src/vdbe.lo ext/sqlite/libsqlite/src/attach.lo ext/sqlite/libsqlite/src/btree_rb.lo ext/sqlite/libsqlite/src/pragma.lo ext/sqlite/libsqlite/src/vacuum.lo ext/sqlite/libsqlite/src/copy.lo ext/sqlite/libsqlite/src/vdbeaux.lo ext/sqlite/libsqlite/src/date.lo ext/sqlite/libsqlite/src/where.lo ext/sqlite/libsqlite/src/trigger.lo regex/regcomp.lo regex/regexec.lo regex/regerror.lo regex/regfree.lo ext/standard/array.lo ext/standard/base64.lo ext/standard/basic_functions.lo ext/standard/browscap.lo ext/standard/crc32.lo ext/standard/crypt.lo ext/standard/cyr_convert.lo ext/standard/datetime.lo ext/standard/dir.lo ext/standard/dl.lo ext/standard/dns.lo ext/standard/exec.lo ext/standard/file.lo ext/standard/filestat.lo ext/standard/flock_compat.lo ext/standard/formatted_print.lo ext/standard/fsock.lo ext/standard/head.lo ext/standard/html.lo ext/standard/image.lo ext/standard/info.lo ext/standard/iptc.lo ext/standard/lcg.lo ext/standard/link.lo ext/standard/mail.lo ext/standard/math.lo ext/standard/md5.lo ext/standard/metaphone.lo ext/standard/microtime.lo ext/standard/pack.lo ext/standard/pageinfo.lo ext/standard/quot_print.lo ext/standard/rand.lo ext/standard/reg.lo ext/standard/soundex.lo ext/standard/string.lo ext/standard/scanf.lo ext/standard/syslog.lo ext/standard/type.lo ext/standard/uniqid.lo ext/standard/url.lo ext/standard/url_scanner.lo ext/standard/var.lo ext/standard/versioning.lo ext/standard/assert.lo ext/standard/strnatcmp.lo ext/standard/levenshtein.lo ext/standard/incomplete_class.lo ext/standard/url_scanner_ex.lo ext/standard/ftp_fopen_wrapper.lo ext/standard/http_fopen_wrapper.lo ext/standard/php_fopen_wrapper.lo ext/standard/credits.lo ext/standard/css.lo ext/standard/var_unserializer.lo ext/standard/ftok.lo ext/standard/sha1.lo ext/standard/user_filters.lo ext/standard/uuencode.lo ext/standard/filters.lo ext/standard/proc_open.lo ext/standard/streamsfuncs.lo ext/standard/http.lo ext/tokenizer/tokenizer.lo ext/xml/xml.lo ext/xml/compat.lo ext/xmlreader/php_xmlreader.lo ext/xmlwriter/php_xmlwriter.lo TSRM/TSRM.lo TSRM/tsrm_strtok_r.lo TSRM/tsrm_virtual_cwd.lo main/main.lo main/snprintf.lo main/spprintf.lo main/php_sprintf.lo main/safe_mode.lo main/fopen_wrappers.lo main/alloca.lo main/php_scandir.lo main/php_ini.lo main/SAPI.lo main/rfc1867.lo main/php_content_types.lo main/strlcpy.lo main/strlcat.lo main/mergesort.lo main/reentrancy.lo main/php_variables.lo main/php_ticks.lo main/network.lo main/php_open_temporary_file.lo main/php_logos.lo main/output.lo main/streams/streams.lo main/streams/cast.lo main/streams/memory.lo main/streams/filter.lo main/streams/plain_wrapper.lo main/streams/userspace.lo main/streams/transports.lo main/streams/xp_socket.lo main/streams/mmap.lo Zend/zend_language_parser.lo Zend/zend_language_scanner.lo Zend/zend_ini_parser.lo Zend/zend_ini_scanner.lo Zend/zend_alloc.lo Zend/zend_compile.lo Zend/zend_constants.lo Zend/zend_dynamic_array.lo Zend/zend_execute_API.lo Zend/zend_highlight.lo Zend/zend_llist.lo Zend/zend_opcode.lo Zend/zend_operators.lo Zend/zend_ptr_stack.lo Zend/zend_stack.lo Zend/zend_variables.lo Zend/zend.lo Zend/zend_API.lo Zend/zend_extensions.lo Zend/zend_hash.lo Zend/zend_list.lo Zend/zend_indent.lo Zend/zend_builtin_functions.lo Zend/zend_sprintf.lo Zend/zend_ini.lo Zend/zend_qsort.lo Zend/zend_multibyte.lo Zend/zend_ts_hash.lo Zend/zend_stream.lo Zend/zend_iterators.lo Zend/zend_interfaces.lo Zend/zend_exceptions.lo Zend/zend_strtod.lo Zend/zend_objects.lo Zend/zend_object_handlers.lo Zend/zend_objects_API.lo Zend/zend_mm.lo Zend/zend_default_classes.lo Zend/zend_execute.lo sapi/cli/php_cli.lo sapi/cli/php_cli_readline.lo sapi/cli/getopt.lo main/internal_functions_cli.lo -lcrypt -lcrypt -lrt -lmysqlclient -lt1 -lpng -lz -ljpeg -lcurl -lbz2 -lz -lresolv -lm -ldl -lnsl -lxml2 -lz -lm -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -lcurl -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -lidn -lssl -lcrypto -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz -lz -lxml2 -lz -lm -lxml2 -lz -lm -lcrypt -lxml2 -lz -lm -lxml2 -lz -lm -lxml2 -lz -lm -lcrypt -o sapi/cli/php
ext/gd/libgd/.libs/gdkanji.o(.text+0x5b): In function `do_convert’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/gd/libgd/gdkanji.c:350: undefined reference to `libiconv_open’
ext/gd/libgd/.libs/gdkanji.o(.text+0xa1):/home/jjdai/work/zhupiter/php-5.2.0/ext/gd/libgd/gdkanji.c:365: undefined reference to `libiconv’
ext/gd/libgd/.libs/gdkanji.o(.text+0xb0):/home/jjdai/work/zhupiter/php-5.2.0/ext/gd/libgd/gdkanji.c:381: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0×155): In function `_php_iconv_appendl’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:335: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0×219):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:372: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x2b0): In function `php_iconv_string’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:428: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0x2e8):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:437: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0×309):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:450: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x32c):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:461: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x37d): In function `_php_iconv_strlen’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:586: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0x3d8):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:609: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0×402):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:643: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x47e): In function `_php_iconv_strpos’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:828: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0x4e4):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:853: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0×574):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:967: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x6fd): In function `_php_iconv_mime_decode’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1328: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0x7a9):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1797: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x7bd):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1800: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0xa67):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1439: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0xa79):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1442: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0×1025): In function `zif_iconv_substr’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:699: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0x10c1):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:722: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0×1108):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:779: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x111d):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:783: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x123e):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:730: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0×1738): In function `zif_iconv_mime_encode’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1017: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0×1756):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1031: undefined reference to `libiconv_open’
ext/iconv/.libs/iconv.o(.text+0×1993):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1290: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x19ad):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1293: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x1b01):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1102: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x1b33):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1134: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x1b5e):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1150: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x1e10):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1202: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x1e3c):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1233: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x207f):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:1277: more undefined references to `libiconv’ follow
ext/iconv/.libs/iconv.o(.text+0x2c08): In function `php_iconv_stream_filter_dtor’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:2393: undefined reference to `libiconv_close’
ext/iconv/.libs/iconv.o(.text+0x2cf2): In function `php_iconv_stream_filter_append_bucket’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:2543: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x2d34):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:2543: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x2de7):/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:2465: undefined reference to `libiconv’
ext/iconv/.libs/iconv.o(.text+0x30e2): In function `php_iconv_stream_filter_factory_create’:
/home/jjdai/work/zhupiter/php-5.2.0/ext/iconv/iconv.c:2419: undefined reference to `libiconv_open’
collect2: ld returned 1 exit status
make: *** [sapi/cli/php] Error 1
[错误]error while loading shared libraries: libiconv.so.2:
Tags:error Posted in webserver:-)抢沙发
error while loading shared libraries: libiconv.so.2: cannot open shared object file: No such file or directory
安装好apache后apache无法启动
问题是找不到共享库，查看apache的出错文件，查找的位置是/usr/lib，但实际上find / -name libiconv.so.2是可以找到了，位置在/usr/local/lib/
只要加一个链接就行
ln -s /usr/local/lib/libiconv.so.2 /usr/lib/libiconv.so.2
其它有关库类找不着的都应该可以查看一下是否默认库的位置和实际位置不符

Php5.2.9下面安装pear
访问 http://pear.php.net/go-pear 将这个页面的内容全选，复制并保存成一个go-pear.php文件，然后将这个文件放到某个目录下面，然后 php –q go-pear.php 然后，按照提示进行安装。
/home/tiger/evan/php5-fastcgi/bin/php -q go-pear.php

Introduction to OpenBSD Firewall/Gateway Unix Workstation

admin — Mon, 23 Mar 2009 14:34:10 +0000

Abstract
This is a quick tutorial on how to set up an OpenBSD 3.1 system. The first part covers setting up a firewall, NAT proxy, time and DHCP server on a system connected to the Internet via broadband like DSL or cable. The second part covers things that would be installed on a desktop machine: graphical window managers etc.

The reader is not expected to be a Unix expert (why would a Unix expert need this how-to?) — if you don’t understand something, or something looks intimidating, read on and come back to it. If something still doesn’t make sense, let me know.

I don’t cover what I consider “advanced” usage such as tracking -CURRENT or CVS snapshots. If you want to do that, I assume you know which FAQs to read!

This document may be freely reproduced and redistributed under the terms of the GNU Free Documentation License Version 1.1; with the invariant section being this entire document, with no Front-Cover Texts and no Back-Cover Texts.

In other words, if you want to copy this document in its entirety, feel free to do so; if you wish to modify it (as in providing a translation, or taking sections to include in other documents) please send me email. Needless to say, documents that this document links to will have their own copyrights.

New!
I have a shell script that sets up everything mentioned here. This is still experimental but if you try it, please let me know how it goes. Save this file to disk and run it by typing “sh config31-fw.sh”. (Doesn’t handle PPPoE [the beast].)

There is a new section called Tips and Stuff where I put things I’ve found or written that are useful sysadmin tools.

Introduction
Why OpenBSD? It’s simple and secure. Your firewall machine should not have lots of things installed on it; therefore no exotic hardware, graphical desktops, X11 servers etc. — put those on your desktop machine. A simpler system is more robust and more secure; this machine only offers SMTP (email), ssh, ping/traceroute and optionally HTTP (web) to the outside world. And since it’s running Unix, you can log in to it — securely — using ssh from anywhere on the Internet and make any changes you need to. (N.B.: never use telnet to connect to a machine over the Internet! Anyone can eavesdrop and grab important information like passwords. Only use ssh, which encrypts all communication so that eavesdroppers don’t get any information. And verify those key fingerprints or you leave yourself open to a man-in-the-middle attack. For information do a web search for public key cryptosystems; a good place to start is OpenSSH.)

The utility and security of having this kind of machine: a firewall protects your data and systems from the Big, Bad Internet. When the bad guys are out to vandalise machines on the Internet, MS-Windows machines of various kinds are prime targets because they suck. Er, I mean, Windows is really hard to secure. (Not that an incompetently run Unix machine is any better, of course.) When you dialled in on the phone, your machine was on the ‘net for brief periods; with DSL or cable it’s vulnerable all the time.

This document also describes how to set up an OpenBSD system as a Unix workstation. We will go over setting up X11 (the window system) etc. I assume that you will be using a different machine as your workstation. Important: Unix systems can be set up in various ways; I do things a certain way and that’s what this document will cover. Other people (wizards and newbies alike) may do things differently. In case it matters, I’ve been using Unix since 1982, have been a sysadmin on-and-off since 1986 (VAX/BSD, SunOS 4.x, Solaris 2.x, HP/UX, AT&T 3B5 SVR6 etc.) I’ve been a C programmer since the early 80s. Today I design and implement back-end network servers on Solaris.

This tutorial assumes that you have some familiarity with using Unix: what filenames look like, how to copy and edit files etc. There’s a decent Unix tutorial on the web. The most important command to remember is man (short for “manual”) — if I say something like “read the documentation for foobar it means you should type man foobar. One other piece of Unix argot: if you hear someone write select(2) it indicates that the manual for select is in section 2, i.e. you would read the manpage by typing man 2 select. You should also read the OpenBSD documentation: particularly the OpenBSD FAQ. Bookmark that link right now.

NAT (Network Address Translation) allows you to connect lots of PCs up to one network connection. When any of the machines inside the firewall wants to make a connection to some server out there on the internet, the firewall/NAT box intercepts that request, and sends the request off as though it came from the firewall/NAT machine. When the reply arrives, it is sent off to the machine that made the connection. Neither the server nor the machines on the inside know that all this is going on.

Aside: NAT is also called PAT, for “Port Address Translation.” Also, read this interesting article by HRH Prince Philip, Duke of Edinburgh, on setting up PAT and DHCP on Cisco routers. The whole routergod.com site features many celebrities offering helpful tips on various network issues.

Even if you don’t want plan on having more than one PC at home, NAT is useful, because it allows the machine running your firewall to be different from your main workstation. You probably want to install fancy hardware and software on your machine; but every additional package installed on a firewall makes it more vulnerable.

Network Address Translation (NAT)

Note: if you only have one machine on the “inside”, you don’t need an ethernet hub; use a crossover cable to connect the two machines directly. This also has the advantage that you can get a full-duplex connection between the machines (a hub only allows a half-duplex connection).

Note: you can buy little NAT/DHCP boxes from various manufacturers for about $150, but where’s the fun in that? Besides, who knows how strong the security is on those things. With OpenBSD you know you’re getting the best.

Building the machine
The machine itself: I prefer to build these machines up from individual components rather than buying a pre-made box. That way I can get name-brand supported components, and it works out slightly cheaper since I don’t have to get exotic video cards, sound cards, CD-ROM drives etc. (Not to mention a Fisher-Price operating system that you will be required to pay for.)

Can you build a PC? Well, no one showed me how, but I’ve managed to put together about 10 or so systems, so it can’t be that hard. If you’ve assembed anything with screwdrivers etc. you’ll be fine. There are numerous sites on the web that walk you through building a PC. Go do a Google search and read those. I especially like the one at Acme Labs by Jef Poskanzer. There’s also an excellent motherboard finder at Acme.

Caveat: specific recommendations will be outdated as soon as I write them! I like to use AMD CPUs because I believe Intel is evil and as far as possible I’d like to not buy their products. I’d get the current not-top-of-the-line CPU i.e. the one that costs about $50 and a compatible motherboard that costs in the range of $70. I stay away from integrated components because they’re usually garbage. (For a server that I don’t use directly I might get integrated video.) Spend about $30-50 on RAM, $30 on ethernet, $60 on an IDE disk, $30 for a case (with power supply). I usually find the best prices on components at Directron and CompuVest (warning: uses Java). These have both been non-sleazy (everything was as described in their catalog and shipping was prompt) in all my dealings with them — but let me know if you find any evidence of sleaziness.

All these components add up to around $300 — and that’s brand-new stuff. If you have any old components lying around, they will be fine. You don’t need a keyboard, mouse or monitor when the system is up and running — all maintenance on it can be done over the network. (While you’re installing the OS on the machine you will need to hook up a keyboard, monitor and CD-ROM drive to it, of course.)

While installing the system, I plug in a spare CD-ROM drive, keyboard and monitor. Change the BIOS settings so that the machine will boot without a keyboard etc. Boot off the OpenBSD 3.1 CD and install the system. All the hardware should be recognised without any problems. (The installation guide booklet that comes with the CDs is excellent.)

The easiest way to install OpenBSD is to buy the distribution on CDs. Although you can install it via the network, buying the CD will help make sure that the OpenBSD project will continue to improve and better the system. If you can afford an outlay of US$40, please buy the CDs from the OpenBSD ordering site.

When you’re installing OpenBSD, the installer program will ask you for disklabel information (partitions). On a Unix system, a group of files organised together is called a filesystem. The disk is partitioned into various pieces each of which will hold one filesystem. This is the filesystem breakup and partition sizes I’d use for a 12GB disk (if your disk is bigger, you can just increase the size of /var (for web files) or /home (for your personal files) — the system will be more than happy with these sizes for /, /tmp and /usr):

/dev/wd0a 100M /
/dev/wd0d 400M /tmp
/dev/wd0e 4GB /var
/dev/wd0g 2GB /usr
/dev/wd0h 5GB /home
(The convention is that a is always /, b is swap and c is the whole disk.) Your web files will live in /var, and your other files in /home.

This is all overkill; /usr only needs about 600M or so. Say pad it to 1GB. A 2GB disk would be plenty for the system, but if the cheapest disk you can get is 13GB….

Note for Unix newcomers: the disk is named /dev/wd0, and in this case it has 5 partitions with names /dev/wd0a, /dev/wd0d, /dev/wd0e, /dev/wd0g and /dev/wd0h. And the different partitions don’t get different “drive letters” as in some primitive operating systems; once the system is installed, it looks to the user that there is just one bunch of files; Unix will figure out the right thing to do. After the system has been installed and you’ve booted off the hard disk, log in and (this is important!) type man afterboot; it will remind of some things that you need to do to complete the installation — pick passwords, create user accounts, check network settings etc. Also, man hier will introduce you to the way the system is organised — which files live where. In fact, let me say that again:

After the first normal boot of the system, be sure to read these manpages:
$ man afterboot
$ man hier
Also run dmesg(8) to learn more about your hardware and the driver names that OpenBSD uses for them.

Which packages to install? A good starting point would be to accept the defaults. For a desktop system (workstation), you will want all the X11 packages also. I install everything.

There! And make sure you keep reading the manpages — OpenBSD manpages are a thing of beauty, complete, up-to-date and informative. And also read the OpenBSD FAQ on the web — much of this information is also found there.

Configuring the network
For my outside connection I have DSL and a static IP number (from Speakeasy — I recommend them over PacBell etc. — I’m so happy I switched). Other DSL options are PPPoE that PacBell likes to set people up with, or DHCP which is what you usually get over cable. A completely bogus DSL installation is the USB device they try to foist on customers with Windows. Danger, Will Robinson! They stink; they’re unsupported on any free O/S, and even on Windows they work about half the time.

In *BSD the network cards are named according to the driver used. For the Lite-On (DEC Tulip) cards, the driver is called dc, and the Intel EtherExpress Pro is fxp; so my two ethernet cards are dc0 and fxp0. (If you had two cards that both used the dc driver, they would be dc0 and dc1.) For the inside network I use the “private” (non-routable) IP numbers 192.168.1.* which will make the inward-facing network card 192.168.1.1. The OpenBSD initialization asks you for IP numbers for the two cards. Enter the appropriate ones – the IP number your ISP gave you for dc0, and 192.168.1.1 for fxp0. For PPPoE, the outside interface is tun0 and it will figure out its own IP address. If you’re supposed use DHCP on your DSL or cable connection, type in dhcp.

It is important to remember which network will be the outside and which the inside. If the two cards are identical, the easiest way is to look at the MAC number. Every ethernet card ever made has a unique ID called its MAC number. This will be printed on the card, usually as a sticker. When the kernel boots up, it will print the MAC numbers of each card it finds:

fxp0 at pci0 dev 9 function 0 “Intel 82557″ rev 0x0c: irq 11, address 00:02:b3:a0:3a:50
dc0 at pci0 dev 10 function 0 “Lite-On PNIC” rev 0×20: irq 10 address 00:a0:cc:55:ab:1c
So the card that has a MAC number ending ab1c is dc0; the other is fxp0. (If the two network cards you have are different types, as in this case, there’s no problem, of course. The kernel bootup messages is still be useful to tell you what names the system is using for them.)

(There’s some rule about where the cards are plugged in so which one gets number 0 and which no. 1, but I can never remember that.)

PPPoE
The beast! PPPoE is a pain in the ass but ISPs like it because it makes things simpler for them — they don’t have to maintain lists of IP numbers. Also, they can run a crappy service and keep dropping the connection and that’s ok, you’re expected to reconnect. It’s the Micros**t philosophy of “make something really crappy and expect people to just re-start the whole system a couple of times a day.” It’s a pain in the ass for us because its MTU is 1492 instead of 1500 which used to require changes on every machine inside the network — but now thanks to the “mssfixup” flag we don’t have to any more.

The files you will need to change for PPPoE all live in /etc/ppp/.

Configure system files
To set up the system, the files you will be editing are:/etc/rc.conf, /etc/myname, /etc/mygate, /etc/pf.conf, /etc/nat.conf, /etc/*.conf, /etc/hostname.interface, /var/named/*.

Edit /etc/rc.conf. On my servers I run SMTP, Apache, and ssh. In other words, from the outside it handles email, web acess and secure shell for remote logins. For convenience, on the inside I have a private name server (DNS) and NTP server for accurate time. To get sendmail, NTP, httpd, and NAT to work, these are the lines to change:

sendmail_flags=”-bd -q30m” # for normal use: “-bd -q30m”
named_flags=”" # for normal use: “”
ntpdate_flags=”put.server.here” # for normal use: NTP server; run before ntpd starts
httpd_flags=”" # for normal use: “” (or “-DSSL” after reading ssl(8))
dhcpd_flags=-q # for normal use: “-q”
pf=YES # Packet filter / NAT
ntpd=YES # run ntpd if it exists
pf_rules=/etc/pf.conf # Packet filter rules file
nat_rules=/etc/nat.conf # NAT rules file
Make sure that /etc/sysctl.conf has this line in it:

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
Get the names of NTP servers close to where you are and put that name in the ntpdate value. Here’s a list of public NTP servers.

Update ssh
Warning: ssh in OpenBSD 3.1 has a bug!
Upgrading openssh to 3.4 is strongly recommended. See the OpenSSH for OpenBSD page for details. In brief, you will download ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.4.tgz and execute the following steps (as root):

# cd /usr/src/usr.bin
# tar xvfz …/openssh-3.4.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc/ssh
# mkdir /var/empty
Using vipw(8) you will add this line to your password file:

sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
Then add this line to /etc/group:

sshd:*:27:
NAT and firewall rules
OpenBSD 3.1 has a new packet filter — 2.9 used ipf but 3.x has a re-written from scratch one called pf. The details are not important; pf config files are much simpler. I decided that my outside interface would be dc0, and the inside one fxp0. (If you’re using PPPoE, the outside interface will be tun0.) Firewall rules (they tell the gateway what kind of network traffic should be allowed into the internal network) live in /etc/pf.conf; NAT configuration is in /etc/nat.conf.

Here’s a sample /etc/pf.conf — very little is accessible from the outside, but machines on the inside can go out with no restrictions. In your files you’d replace dc0 and fxp0 with the names of your outward- and inward-facing ethernet cards, respectively.

#####################################################################
#
# IP packet filtering rules (firewall)
# Shamim Mohamed 3/2002

# See pf.conf(5) for syntax and examples

# If you change this file, run
# pfctl -R /etc/pf.conf
# to update kernel tables (also run “pfctl -e” if pf was not running)

# Network interfaces
internal = “fxp0″
external = “dc0″

# Services visible from the outside — remove any you’re not using
services = “{ ssh, http, https, smtp }”

# You shouldn’t need to change anything below this line
#####################################################################

# Non-routable IP numbers
nonroutable = “{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }”

# All rules are “quick” so go strictly top to bottom

# Fix fragmented packets
scrub in all

# Don’t bug loopback
#
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Don’t bother the inside interface either
#
pass out quick on $internal from any to any
pass in quick on $internal from any to any

#####################################################################
#
# First, we deal with bogus packets.
#

# Block any inherently bad packets coming in from the outside world.
# These include ICMP redirect packets and IP fragments so short the
# filtering rules won’t be able to examine the whole UDP/TCP header.
#
block in log quick on $external inet proto icmp from any to any icmp-type redir

# Block any IP spoofing atempts. (Packets “from” non-routable
# addresses shouldn’t be coming in from the outside).
#
block in quick on $external from $nonroutable to any

# Don’t allow non-routable packets to leave our network
#
block out quick on $external from any to $nonroutable

#
#####################################################################

#####################################################################
#
# Now the normal filtering rules
#

# ICMP: allow incoming ping and traceroute only
#
pass in quick on $external inet proto icmp from any to any icmp-type { \
echorep, echoreq, timex, unreach }
block in log quick on $external inet proto icmp from any to any

# TCP: Allow ssh, smtp, http and https incoming. Only match
# SYN packets, and allow the state table to handle the rest of the
# connection.
#
pass in quick on $external inet proto tcp from any to any port $services flags S/SA keep state

# Of course we need to allow packets coming in as replies to our
# connections so we keep state. Strictly speaking, with packets
# coming from our network we don’t have to only match SYN, but
# what the hell.
#
pass out quick on $external inet proto tcp from any to any flags S/SA keep state
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

# End of rules. Block everything to all ports, all protocols and return
# RST (TCP) or ICMP/port-unreachable (UDP).
#
block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any
block in quick on $external all

#
# End of file
#
#####################################################################
Read the pf documentation and understand these rules.

This is the NAT config /etc/nat.conf — this allows machines on the inside network to transparently make connections to the outside world:

#####################################################################
#
# NAT rules
# Shamim Mohamed 3/2002

# See nat.conf(5) for syntax and examples

# replace dc0 with external interface name, 192.168.1.0/24 with internal
# network (if different)

# nat: packets going out through dc0 with source address 192.168.1.0/24 will
# get translated as coming from 12.34.56.78 (or whatever the external IP no.
# is). State is created for such packets, and incoming packets will be
# redirected to the internal address.

nat on dc0 from 192.168.1.0/24 to any -> dc0

# End of file
#####################################################################
The system should already have setup /etc/hostname.dc0 and /etc/hostname.fxp0 (or whatever your network device names are) for you. Each file will have the IP number and netmask. This is what these files would look like:

$ cat /etc/hostname.fxp0
inet 192.168.1.1 255.255.255.0 NONE
$ cat /etc/hostname.dc0
inet 123.45.67.89 255.255.255.0 NONE
(The $ is the prompt; cat types a file out to the output.) If you’re using DHCP, the outside interface’s hostname file will say dhcp.

Other important files are /etc/myname — your hostname — and /etc/mygate — your default gateway to the outside world (your ISP told you what this should be — it’s usually the same as your IP number except that the last number is replaced with a 1 or 254.)

PPPoe
If you have PPPoE (you unfortunate soul!) things are different. You shouldn’t have /etc/mygate; and the file describing the outside interface, /etc/hostname.dc0 in my example, will only have one word in it: up. This tells the system to bring up the interface at boot time, but to do nothing else — pppoe will do the rest.

The main file is /etc/ppp/ppp.conf and this is what it should look like:

default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i dc0″
disable acfcomp protocomp
deny acfcomp
set mtu 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname login
set authkey password
enable dns
enable mssfixup
Use your login name and password where indicated. The “set device” line tells ppp which physical device to use to talk to the outside world. You also have to tell the system to start PPPoE at boot time. That can be done with this little snippet of shell script:

echo -n “Trying to establish PPPoE DSL”; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Where adsl-status is a little shell-script that tests to see whether the PPP link has come up properly:

#!/bin/sh

IP=$(/sbin/ifconfig tun0 | awk ‘/netmask/{print $2}’)

if [ -z "$IP" ]; then
echo “ADSL link is down.”
exit 1
else
echo “ADSL is up, IP address $IP”
exit 0
fi
Now the question is: where should we put the little loop that tries to get ppp going? The right place to put all these is in /etc/rc.local. However this has the drawback that the outside network hasn’t been initialised while the rest of the system is coming up, which causes some scary-looking error messages from NAT to be printed at boot time. So I do something a little un-kosher: I put the ppp initialisation in /etc/netstart right at the end:

…
echo -n ‘ ADSL… ‘; ; ppp -ddial pppoe
for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 5
echo -n.$i”
if /usr/local/sbin/adsl-status>/dev/null; then
break
fi
done
echo
/usr/local/sbin/adsl-status
Now remember that each time the PPP link goes up or down, the IPF and NAT rules must be re-done. The files /etc/ppp/ppp.linkup and /etc/ppp/linkdown are scripts that get run by ppp. Here’s /etc/ppp/ppp.linkup:

MYADDR:
! sh -c “/sbin/route del default”
! sh -c “/sbin/route add default HISADDR -mtu 1492″
! sh -c “/sbin/pfctl -F all -R /etc/pf.conf -N /etc/nat.conf -e”
! sh -c “/usr/local/sbin/ntpd -p /var/run/ntpd.pid”
And this is /etc/ppp/linkdown:

MYADDR:
! sh -c “/sbin/pfctl -F all -d”
Configuring email
Sendmail should have been setup automatically since you edited /etc/rc.conf but I’ve occasionally had to make one change in /etc/mail/sendmail.cf:

Djmy-domain-name.com
(If you don’t own a domain, or plan on having it point to your DSL machine, you don’t need sendmail.)

You should have a normal user account that you’re going to use (never log in as root! Always use su or sudo). Administrative email should be forwarded to you; if your normal username is zippy edit /etc/mail/aliases and make sure you make the appropriate lines look like this:

# Well-known aliases — these should be filled in!
root: zippy
manager: zippy
dumper: zippy
One thing you should consider is being an email handler for friends. My DSL service goes down too often — every few months. This is too unreliable for my tastes. What I do is collaborate with friends to accept and queue email for them, and they do the same for me. Example: for my domain foo.com the primary mail exchanger is gateway.foo.com, the OpenBSD firewall/gateway. A friend of mine has bar.com, and his email gateway is gateway.bar.com. I set up a secondary mail exchanger in my domain records as gateway.bar.com. If my DSL line gateway.foo.com goes down and someone out there wants to send email to me at foo.com, her machine will use gateway.bar.com instead and email will wait on that machine until my machine is back on the network. I want to perform the same service for my friend — if gateway.bar.com is down, I want people to be able to send my machine the email destined for bar.com and fubar.org (another friend’s domain). This goes in the file /etc/mail/relay-domains on my gateway box:

bar.com
fubar.org
Now the machine will accept email for my friends’ domains bar.com and fubar.org as well as for itself and forward their messages on. If the machine it’s trying to forward to is down, it will put them in the queue and keep re-trying for a while. (My friend at bar.com does similar things to his /etc/mail/relay-domains.)

Setting up DNS
You probably shouldn’t be running the primary DNS server for your domain on your DSL box; DSL may not be reliable enough for that. Get someone else to do it for you for free, like http://www.zoneedit.com/.

However, it is nice to have a local private DNS because lots of daemons (services that run in the background, like the web server) like to do reverse lookups of IP numbers, so we should have a DNS server for the private network. Also, this installation will give you a caching nameserver which should improve your browsing speed.

The files live in /var/named. Assuming your domain is called fake-domain.org, edit named.boot and add these lines:

primary fake-domain.org fake-domain.db
primary 1.168.192.in-addr.arpa fake-domain.rev

; your static IP number, reversed
primary 89.67.45.123.in-addr.arpa dsl.rev

; remember to add your ISP’s nameservers here!
forwarders 1.2.3.4 5.4.3.2
(Anything starting with a semicolon is a comment.) Here fakedomain.org can be a real domain you have or a fake; and instead of 89.67.45.123 use your static IP but reversed i.e. you would use that line if your IP number were 123.45.67.89. And change the IP numbers on the forwarders line to the nameservers your ISP told you to use.

There are three files you need to create. The first is /var/named/namedb/fake-domain.db:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

gateway IN A 192.168.1.1
libelle IN A 192.168.1.2
discus IN A 192.168.1.4
ventus IN A 192.168.1.3
wander IN A 192.168.1.5
brad IN A 192.168.1.12
jack IN A 192.168.1.13

; your static IP number
dsl IN A 123.45.67.89

www IN CNAME dsl
mail IN CNAME dsl
In this network, there are six machines on the inside and those are their names and IP Number assignments. The OpenBSD gateway machine is named “gateway”. Change these entries to names of the machines on your private network. You can give them any IP number that starts with 192.168.1. Of course if you have three machines on your network, there will only by three entries.)

This is the second file you need to create, /var/named/fake-domain.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

1 IN PTR gateway.fake-domain.org.
2 IN PTR libelle.fake-domain.org
3 IN PTR ventus.fake-domain.org
4 IN PTR discus.fake-domain.org.
5 IN PTR wander.fake-domain.org.
12 IN PTR brad.fake-domain.org.
13 IN PTR jack.fake-domain.org.
(Those trailing dots are important.) And here’s the third, /var/named/namedb/dsl.rev:

@ IN SOA gateway.fake-domain.org. root.fake-domain.org.
(
14 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ) ; Minimum

IN NS gateway.fake-domain.org.

IN PTR dsl.fake-domain.org.
PPPoE
Yes, again more stupid special cases for PPPoE. For one thing, your IP address from the outside keeps changing so all the stuff about dsl.rev doesn’t apply. However, more important: you don’t know what your ISP’s DNS servers are! And they could change which machines you’re supposed to use each time you connect! What you have to do is: connect “by hand” one time, and see which DNS servers you got. After ppp.conf has been written, you can run ppp -ddial pppoe and pray. If all goes well, ifconfig tun0 should show you two lines:

$ /sbin/ifconfig tun0
tun0: flags=11 mtu 1492
inet 63.201.32.40 –> 63.201.39.254 netmask 0xff000000
That means everything worked. Now look at /etc/resolv.conf — there should be one or more lines in there that say which nameservers should be used. Put these IP numbers in the forwarders line in /var/named/named.boot.

One other wrinkle: the /etc/resolv.conf that ppp makes for you doesn’t know about your domain, or that you’re running a nameserver on your machine. To get around these problems, I created another file /etc/resolv.conf-working:

nameserver 192.168.1.1
lookup file bind
search fake-domain.org
In /etc/ppp/ppp.linkup I tell it to overwrite the created resolv.conf with this one:

! sh -c “cp /etc/resolv.conf-working /etc/resolv.conf”
(Add that to the end of the file that you’ve already created.) This allows all programs running on the machine to be able to use all the good things about a local caching nameserver — things like being able to refer to internal hosts by short name etc.

Other machines on the internal network
Go to the other machines on your network (the ones inside your firewall) and set them up with the static IP numbers you assigned above, e.g. the machine wander gets an IP number of 192.168.1.5. All the machines should use 192.168.1.1 for the gateway and use 192.168.1.1 for the DNS server. For more details on DNS, read the excellent O’Reilly book “DNS and BIND”; for more on setting up slightly more complex DNS servers than the one described here, go to the OpenBSD — DNS site maintained by Samiuela LV Taufa.

Setting up DHCP
Above in the DNS setup all internal machines are assigned their own IP numbers. Running DHCP allows guest machines to hook up to the network without fuss. Depending on your comfort level with setting up your other machines, you might also prefer to use DHCP over assigning static IPs.This is what /etc/dhcpd.conf should look like:

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network: 192.168.1.0/255.255.255.0
# Domain name: my.domain
# Name servers: 192.168.1.3 and 192.168.1.5
# Default router: 192.168.1.1
# Addresses: 192.168.1.32 — 192.168.1.127
#
shared-network LOCAL-NET {
option domain-name “fake-domain.org”;
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;

range 192.168.1.32 192.168.1.127;
}
}
This will allow up to 96 machines on your internal network, which should be more than sufficient. Create an empty temporary file for dhcpd to use:
# touch /var/db/dhcpd.leases
If you make any changes to this file, run dhcpd fxp0 (or whatever your inside network is). (Or you can reboot the machine — but that’s the Windows way, in the Unix world we prefer to never reboot any machines.)
Install “ports”
“Ports” is a *BSD term for a tree of Makefiles for all the software out there that’s not part of the standard install. I recommend this highly. It is on CD No. 3 of the OpenBSD 3.1 CD-ROM set as ports.tar.gz. Please read the Ports and Packages page on the OpenBSD web site. You install it by typing (as root)

# mount /dev/cd0a /mnt
# cd /usr
# tar xzf /mnt/ports.tar.gz
Once you’ve done this, if you want to install a package, you cd to the appropriate directory and simply type make all install — it will ftp the source from the appopriate site, handle all dependencies, apply any required patches, configure, build and install the tool.

How do you find the appropriate directory to go to? You can guess at where it might be (look around in /usr/ports to get an idea for the layout etc.). But remember: locate(1) is your friend.

If you have the disk space (about 500 MB), I strongly recommend that you install the source code to the system also. (The source is also on CD No. 3.)

# mount /dev/cd0a /mnt
# cd /usr/src
# tar xzf /mnt/src.tar.gz
Getting time from the Internet
Set up NTP so that your machine will always have accurate time. Pick two servers from the public NTP server list and make sure /etc/ntp.conf looks like this:

server ntp.server.first
server ntp.server.second
Since xntpd is not part of the standard install, you have to compile xntpd from source.

# cd /usr/ports/sysutils/xntpd
# make all install
The tools will be installed into /usr/local/sbin/ntpd.

Run ntpdate -b server where you pick a server from the list — this will perform a coarse adjustment of the system clock. The next time the machine reboots, it will sync your clock and record how much your clock drifts.

Setting up other hosts with NTP
On Unix hosts, use the appropriate NTP client; on Linux, it’s xntpd. Set them up to use 192.168.1.1 as the NTP server. On Windows, use AboutTime — a free NTP client. In its configuration make sure it uses only SNTP as the protocol, with 192.168.1.1 as the server. Put AboutTime in the Startup folder so it’s started automatically.

For more details, go to Robert Mooney’s OpenBSD NTP site.

Tips and Stuff
I have a useful shell script called pkg_install that’s a front-end to pkg_add — here’s an example of it being used:
# pkg_install tex
These files match:
gettext-0.10.40.tgz
jadetex-3.11.tgz
latex2html-97.1.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-mysql.tgz
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql.tgz
php4-4.0.6p1-gettext.tgz
teTeX_texmf-1.0.2.tgz
texi2html-1.64.tgz
textutils-2.0.tgz
# pkg_install -n 4 texi
Using ftp5.usa.openbsd.org/pub/OpenBSD
+ pkg_add -v ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
Trying to fetch ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz.
Extracting from FTP connection into /var/tmp/instmp.BVMJM29414
>>> ftp -o — ftp://ftp5.usa.openbsd.org/pub/OpenBSD/3.1/packages/i386//texi2html-1.64.tgz
…
It has a list of all the pre-compiled packages that are available. You type in a string and it installs the package. If more than one name matches, it shows you their names. (It uses egrep(1) so you can use regular expressions.) Save it to /usr/local/bin. It handles dependencies by recursively installing them also.

New in this version is in -n flag. The script has a list of mirrors, and this option picks one of the mirrors. (Currently in progress: it needs bash, and it needs some error checking but it works.) Don’t forget to edit the file — read http://www.openbsd.org/ftp.html and choosea list of mirrors closest to you.

Setting up a CVS server
(This section is probably not of interest to most people; you only need this if you want to set up a cvs server so you can put files you’re working on under source control. So it’s a little terse too.)

The changes I made: added a user and group named cvs. All users of CVS should be in the cvs group. Create a directory for the repository: I put it in /var/cvsroot, you might put it in /home or wherever. This directory should be group writable (group cvs). Add a line to /etc/services:

cvspserver 2401/tcp # CVS pserver
Add this line to /etc/inetd.conf:
cvspserver stream tcp nowait root /usr/bin/cvs cvs -f –allow-root=/var/cvsroot -T /var/tmp pserver
The server uses /var/tmp as its temp directory instead of /tmp since my root partitions are small, but I always make /var large. Now run cvs init in the cvs repository and restart inetd. Voila! Import your directory of files from a client machine, using a pserver CVSROOT and cvs import.

When importing a large set of files, you might want to put a .cvswrappers file in the directory you’re importing so CVS won’t try to put RCS ID strings inside your JPEG files etc. The syntax is:

*.jpg -k ‘b’
*.png -k ‘b’
*.tgz -k ‘b’
Coming soon: using ssh for CVS_RSH.
Setting up X11
You did select the packages xbase, xshare, xfont, and xserv when you installed OpenBSD, I hope? If not, never fear; you can install them directly off the CD:

# mount /dev/cd0a /mnt
# cd /
# tar xzvpf /mnt/3.1/i386/xbase31.tgz
# tar xzvpf /mnt/3.1/i386/xserv31.tgz
# tar xzvpf /mnt/3.1/i386/xshare31.tgz
# tar xzvpf /mnt/3.1/i386/xfont31.tgz
etc. The X11 package for ix86 systems is called XFree86; visit their website for more information. Now run xf86cfg. (If the command is not found, you probably don’t have /usr/X11R6/bin in your PATH environment variable.) Of course this is not something you can do over a network login; you have to be sitting at the machine, with a monitor, keyboard and mouse actually plugged in. You should have your video card and monitor specs available. Follow the instructions to setup XFree86. More information is on the Configuring XFree86 page on the Xfree86 site.
Installing a Desktop
Many people also install a desktop suite such as KDE or Gnome. I prefer KDE of the two. There is nothing special about KDE (or Gnome); it’s just a set of packages to be installed. There are two versions of KDE available, KDE 2.2 and KDE 3.0. Decide which one you want to run, and install those packages. (KDE2 and KDE3 cannot co-exist on the same system.)

These are the KDE2 packages:

$ pkg_info -a | egrep kde
kdelibs-2.2.2 X11 toolkit, libraries
kdeartwork-2.2.2 X11 toolkit, additional artwork
kdegraphics-2.2.2 X11 toolkit, graphics applications
kdelibs-doc-2.2.2 X11 toolkit, libraries documentation
kdebase-2.2.2 X11 toolkit, basic applications
kdenetwork-2.2.2 X11 toolkit, network applications
kdetoys-2.2.2 some useless kde applications
And for KDE3, the corresponding packages are:
kdeaddons-3.0.tgz
kdeartwork-3.0.tgz
kdebase-3.0.tgz
kdeedu-3.0.tgz
kdegames-3.0.tgz
kdegraphics-3.0.tgz
kdelibs-3.0.tgz
kdenetwork-3.0.tgz
kdetoys-3.0.tgz
kdeutils-3.0.tgz
koffice-1.1.1-kde3.tgz
There are lots of I18N packages also, kde-i18n-*-3.0.tgz.
Display managers xdm and kdm
You may want to run a display manager like xdm or kdm. (A display manager is the program that gives you a graphical login display instead of a plain text message.) The config file for kdm is /usr/local/share/config/kdm/kdmrc; the xdm config file lives in /etc/X11/xdm/xdm-config. Edit /etc/rc.conf and set xdm_flags to an empty string (in quotes) to make xdm run on startup. (If you installed KDE, it will be kdm that’s started.) If you installed KDE3, add it to the list of available logins in kdmrc: in the [X-*-Greeter] section, look for the SessionTypes line and add “KDE3″ to the list.

Setting up XDMCP
If you have an X-Terminal (like the Sun Ray, or the ones NCD used to make) or run eXceed on Windows platforms, you may want to allow X11 logins to your OpenBSD machine from eXceed or the X-Terminal. The protocol that allows this is called XDMCP; to enable it: if using xdm, edit /etc/X11/xdm/Xaccess and remove the ‘#’ from the first column of this line:

#* #any host can get a login window
Note: we don’t allow any X11 or XDMCP messages to go across our firewall. Only hosts inside the firewall can get a login screen.
Also edit xdm-config and comment out this line by putting a ‘!’ character in the first column:

DisplayManager.requestPort: 0
If using kdm, edit /usr/local/share/config/kdm/kdmrc and look for the [Xdmcp] section. Uncomment lines so it looks like this:
[Xdmcp]
# Whether KDM should listen to XDMCP requests. Default is true.
Enable=true
# The UDP port KDM should listen on for XDMCP requests. Don’t change the 177.
Port=177
(followed by other stuff.)
Amusements
People like to do things like rip CDs to Ogg Vorbis or MP3 and listen to those files. I use grip as a front-end to rip music to Ogg Vorbis files, and xmms (package name xmms-vorbis) to listen to them. I use Gnu LilyPond and TeX/LaTeX (package teTeX_texmf) to typeset documents and music. The LaTeX files can be converted to HTML with latex2html. You can run Linux programs if you install the redhat_base, redhat_motif, and rpm packages. (The Linux version of Opera, the web browser, runs fine.)

Installing Cyrus IMAP and Postfix on OpenBSD

admin — Mon, 23 Mar 2009 14:26:48 +0000

Table of contents
Introduction
Installation

Prerequisites
libsasl2
imapd
postfix
Configuration

imapd
sieve
postfix
Maintenance

Creating mailboxes
Deleting mailboxes
Installing sieve scripts
Restarting cyrus
Trouble shooting
SASL authentication failure
Undefined constant: _PATH_BSHELL
Introduction
This document is a step by step instruction for installing a Cyrus IMAP Server to an OpenBSD 3.4 machine. I was setting up a mail server for the faerion.oss domain and I wanted to achieve:

Security.

I wanted to secure as much data transfers as possible. All services use transport level security (TLS). (On a slightly different note, I was surprised to know how many major mail servers use TLS for delivery.)

Authenticity.

Anonymous SMTP sessions should only allow sending messages to local recipients.

Consistency.

One source of authentication for both IMAP and SMTP servers. I decided to use SASL2 as the simplest available solution.

Things I could not accomplish in the described setup:

Virtual domains (authentication always fails in imapd). [hint]
Allow users to change passwords without my interaction.
These issues will be covered in a later edition of this document.

Installation
Prerequisites
The IMAP server will be running as user cyrus; create the user and the group.

Postfix will be running as user _postfix. The port created everything automatically, so nothing needs to be done.

The password database will be shared between postfix and imapd, so a group mail must be created and both users must be added to it.

It is not a good idea to build ports as root (though you will have to install them as root). It is best to make the whole ports tree gourp writable:

$ cd /usr
$ sudo chmod -R g+w ports
$ sudo chown -R root:wheel portsCyrus SASL Library
The library is in ports, so it is supposed to be installed relatively easy. However, the port for OpenBSD 3.4 is broken (“make install” is failing to install shared versions of authentication plugins). Updated the port to version 3.5, it will work on 3.4.

$ cd /usr/ports/security/cyrus-sasl2
$ cvs up -d:pserver:anoncvs@anoncvs.ca.openbsd.org:/cvs up -r OPENBSD_3_5
$ make
$ sudo make installCyrus IMAP Server
I was installing the latest available version, 2.2.3. I had to disable GSSAPI support until they fix it to compile on OpenBSD.

The following commands worked for me:

$ ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-imapd-2.2.3.tar.gz
$ tar xfz cyrus-imapd-2.2.3.tar.gz
$ cd cyrus-imapd-2.2.3
$ ./configure \
–with-openssl=/usr \
–with-cyrus-user=cyrus \
–with-cyrus-group=cyrus \
–with-notify=no \
–with-idle=idled \
–disable-cmulocal \
–disable-gssapi \
–with-sasl=/usr/local \
–with-bdb=/usr/local/BerkeleyDB.4.2 \
–with-bdb-incdir=/usr/local/BerkeleyDB.4.2/include
$ make
$ sudo make installPostfix
$ cd /usr/ports/mail/postfix/snapshot
$ export FLAVOR=”sasl2 tls”
$ make
$ sudo make install
$ export FLAVOR=
$ sudo /usr/local/sbin/postfix-enable — replace sendmail with postfixConfiguration
Configuring imapd
Create the master configuration file:

$ sudo cp master/conf/normal.conf /etc/cyrus.confEdite the file to disable pop3 and pop3s and enable idled (the latter is an extension that notifies connected clients about new mail so that they won’t have to periodically query the server; you definitely want this).

Create /etc/imapd.conf with the following content:

admins: cyradm
configdirectory: /var/imap
partition-default: /var/spool/imap
reject8bit: 1
rfc2046_strict: 1
virtdomains: no
sasl_pwcheck_method: auxprop
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pemCreate directories specified in imapd.conf:

$ mkdir -m 750 /var/imap /var/spool/imap
$ sudo chown cyrus.cyrus /var/imap /var/spool/imap
$ sudo -u cyrus tools/mkimapCreate the certificate:

$ cd — home
$ openssl req -new -x509 -nodes -out server.pem \
-keyout server.pem -days 3650
$ sudo mv server.pem /var/imap/Add the following lines to /etc/rc.local:

if [ -x /usr/cyrus/bin/master ]; then
echo -n ‘ cyrus-imapd’
/usr/cyrus/bin/master -d >/dev/null 2>&1
fiStart the server:

$ sudo /usr/cyrus/bin/master -dMake sure it works:

$ telnet localhost. imap
Trying ::1…
Connected to localhost..
Escape character is ‘^]’.
* OK faerion.oss Cyrus IMAP4 v2.2.3 server ready
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.Good.

Create an email user account that will be used for administering the server:

$ sudo saslpasswd2 -c cyradm
Password:
Again (for verification):Make sure the server will be able to access the database:

$ sudo chown cyrus.mail /etc/sasldb2.dbTry to log in as user cyradm using the LOGIN method:

$ imtest -m login -a cyradm localhost.
S: * OK faerion.oss Cyrus IMAP4 v2.2.3 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+
MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME
UNSELECT CHILDREN MULTIAPPEND BINARY SORT
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE
IDLE STARTTLS AUTH=OTP AUTH=GSSAPI AUTH=DIGEST-MD5
AUTH=CRAM-MD5 SASL-IR
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN cyradm {4}
S: + go ahead
C:
S: L01 OK User logged in
Authenticated.
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.Wonderful.

Configuring SIEVE
Sieve is server-side message filtering extension. It requires two additional directories:

$ sudo mkdir -m 750 /usr/sieve /var/sieve
$ sudo chown cyrus.cyrus /usr/sieve /var/sieveConfiguring Postfix
/etc/postfix/main.cf
Added my domains:

myhostname = faerion.oss
mydestination = $myhostname, faerion.ossChanged mailbox transport to cyrus:

mailbox_transport = cyrusEnabled SASL by adding the following to the end of the file:

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
permit_auth_destination,
permit_sasl_authenticated,
reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
/etc/postfix/master.cf
Corrected the path to the delivery agent (it was /cyrus/bin/deliver):

cyrus unix – n n – – pipe
user=cyrus argv=/usr/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
To use SASL, the following lines were added to /usr/local/lib/sasl2/smtpd.conf

Note: there were numerous “SASL authentication failure” warnings in /var/log/maillog which confused me at first; it came out to be normal because libsasl2 features several plugins, only one of which succeeds (sasldb), all other should fail.

pwcheck_method: auxprop
mech_list: crammd5 digestmd5 login plainI wanted to use a single certificate for both IMAP and SMTP (some email clients, like The Bat!, complain if different certificates are used):

$ sudo mkdir /etc/postfix/ssl
$ sudo cp /var/imap/server.pem /etc/postfix/ssl/Enabled TLS by adding the following lines to /etc/postfix/main.cf:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_CAfile = /etc/postfix/ssl/server.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandomSince postfix runs chrooted by default, it needs a local copy of /etc/sasldb2.db. I made a hardlink, because /etc and /var are within one filesystem in my installation; you may need to copy the file (perhaps in a cron script) or unchroot the smtp service.

$ sudo mkdir /var/spool/postfix/etc
$ sudo ln /etc/sasldb2.db /var/spool/postfix/etc/sasldb2.dbTo make sure postfix starts with the system, the following lines were added to /etc/rc.local:

if [ -x /usr/sbin/postfix ]; then
echo -n ‘ postfix’
/usr/sbin/postfix start >/dev/null 2>&1
fiStarted the server:

$ sudo postfix startMaintenance
Creating mailboxes
$ sudo -u cyrus saslpasswd2 -c hex
Password:
Again (for verification):
$ cyradm -a login -u cyradm localhost.
IMAP Password:
localhost> createmailbox user.hex
localhost> quitDeleting mailboxes
$ sudo -u cyrus saslpasswd2 -d hex
$ cyradm -a login -u cyradm localhost.
IMAP Password:
localhost> setaclmailbox user.hex cyradm c
localhost> deletemailbox user.hex
localhost> quitInstalling sieve scripts
I created a temporary file called tosser, then I installed it for user hex:

$ sieveshell -u hex localhost.
connecting to localhost.
Please enter your password:
> put tosser
> activate tosser
> list
tosser <- active script
> quit
$ rm tosserHere is a self-explaining example of a sieve script. (I have found this script here and copied it just in case the original link dies.)

require “fileinto”;

if header :is “X-Mailinglist” “suse-linux” {
fileinto “INBOX.Listen.suse-linux”;
}
elsif header :contains “Mailing-List” “reiserfs” {
fileinto “INBOX.Listen.reiserfs”;
}
elsif address :contains :all ["to", "cc", "bcc"] “free-clim” {
fileinto “INBOX.Listen.free-clim”;
}
elsif header :contains “List-Id” “gnupg-users.gnupg.org” {
fileinto “INBOX.Listen.gnupg”;
}
elsif header :is “X-loop” “isdn4linux” {
fileinto “INBOX.Listen.isdn4linux”;
}
elsif header :contains “Mailing-list” “qmail-help@list.cr.yp.to” {
fileinto “INBOX.Listen.qmail”;
}
elsif allof (header :contains “Sender” “owner-info-cyrus@list”,
address :contains :localpart ["to", "cc", "bcc"] “info-cyrus”) {
fileinto “INBOX.Listen.info-cyrus”;
}
elsif header :contains “Sender” “ntbugtraq@listserv” {
fileinto “INBOX.Listen.ntbugtraq”;
}
elsif header :is “list-id” “” {
fileinto “INBOX.Listen.sieve”;
}
elsif header :contains “From” “securityportal-l@listserv.securityportal.com” {
fileinto “INBOX.Newsletter.securityportal”;
}
elsif address :contains :all ["from"] “newsletter@ebay” {
fileinto “INBOX.Newsletter.ebay”;
}
elsif address :contains :all ["to", "cc", "bcc"] “allegro-cl@cs.berkeley.edu” {
fileinto “INBOX.Listen.allegro-cl”;
}
elsif address :contains :all ["to", "cc", "bcc"] “plob@lisp.de” {
fileinto “INBOX.Listen.plob”;
}
else {
fileinto “INBOX”;
}Restarting cyrus
I needed to do the following after changing /etc/imapd.conf or /etc/cyrus.conf:

$ sudo kill `head -1 /var/run/cyrus-master.pid`
$ sudo /usr/cyrus/bin/master -dTrouble shooting
SASL authentication failure
This message in your mailer’s log file (usually /var/log/maillog) means that postfix could not verify the user name against userdb. Make sure that:

The userdb files are readable by postfix children processes.
The userdb files are in the right location. If you run postfix chrooted, make sure that you add passwords to the right copy which is inside the chroot jail.
Sometimes libsasl does not want to verify passwords if the domain name (“realm”) is not specified. Try logging in to the SMTP server using all available authentication data: username@domain.
These notes are not only applicable to the OpenBSD installation described by this document (and most of these errors are not likely to happen); they might be useful to people attempting to use this guide to set up a similar mail server on a different operating system.

Undefined constant: _PATH_BSHELL
This error may occur if you have nntpd installed, which also installs its own vision of system paths as /usr/local/include/paths.h. Remove this file and postfix should recompile smoothly.

Step-by-Step Guide to Building an OpenBSD PPPoE Gateway, with Firewall

admin — Mon, 23 Mar 2009 14:21:18 +0000

Introduction
Why would one install his own personal gateway to the Internet? Because it is quite easy to do. And also because it simply is the most reliable, safest way to connect machines to a dedicated xDSL modem. Moreover, we can stash a whole bunch of useful features in such a little box. Here is a list:

PPPoE Gateway
PPPoE is a curious beast forced down our throats by some DSL providers. On one side, it does not really break anything, has low overhead and allows you to change IP adresses very easily & quickly. On the other side, it sucks big time because it does add overhead to the IP packets, is proprietary, non-standard, forces you to change IP adresses unpredictably, and is unsupported in most operating systems. A good PPPoE gateway simply hides PPPoE from the machines on your internal network. It makes life much easier because you don’t have to install any special “access manager” software on your windoze boxen. They will just work (provided you set their IP address correctly).

Firewall
A firewall is quite mandatory for any machine directly connected to the Big Bad Internet. We want an industrial-strength stateful inspection firewall and this is what we’ll get.

NAT (Network Adress Translation)
The name seems complex, but it is really quite simple: this allows the gateway machine to act on the internet on behalf of all the machines located on the intranet (your internal home network). Even though you might have two, three or even ten computers on your local network, a NAT equipped gateway will hide them to outside observers. They will only see a single very busy machine, with a single IP address.

DNS (Domain Name Service) cache
Having your own DNS server will lower the latency of getting DNS translations for all the machines on your intranet. This will not really decrease the traffic on your DSL modem by a large percentage, but it will improve the quality of the “internet experience” on your local network.

Dynamic DNS tracker
Free dynamic DNS services are extremely useful to xDSL customers. They allow you to have your very own domain name, free of charge, which will follow in real-time your IP address changes. The catch is that the top-level part of your domain must be one of their supplied choices. They are not that bad, really… Personally, I use DYNDNS but any of the multiple free dynamic DNS providers out there will do just fine. Simply make sure they have a client “updater” which can compile and run under OpenBSD.

WEB server
Most ISP’s only allow a few megabytes of disk for web service. Moreover, they never give you direct access to the web logs. Having your own web server allows you the luxury of using all the disk space you want, plus the added advantage of complete control over the web service (cgi-bin) and its logs. Moreover, OpenBSD comes with a crypto-enabled version of Apache and all the tools you need to create RSA-keyed certificates.

Mail server
Have you ever wanted to create a temporary email address just to receive some password? Or simply wanted addresses tailored for specific domains of interest? These are only a few of the many advantages of having your own mail server.

NTP server
The Network Time Protocol allow you to synchronize the gateway’s clock to one of the numerous atomic time references available on the internet. Moreover, the same program is also used as a local time server, so that all your intranet machines can themselves synchronize their clocks to the gateway’s clock. NTP synchronizations are made in tiers, like this, in order to lower the burden on the public time servers.

This page is for all those of you who have are lucky enough to enjoy a dedicated xDSL connection and would like to have a small firewall installation. In my search for the holy grail, i found the answer to most of my wishes in the OpenBSD package. This step-by-step guide is a collection of notes taken while I was installing the thing. They are intended to help my friends do their own setups very quickly and easily, without having to bug me too much They should help you too.

Constructive comments can be sent there … Have fun and GOOD LUCK!

Getting some hardware
The first thing to think about when one embarks on the firewalling adventure is to establish on what hardware you are going to install the thing. This seems unimportant at first, but don’t forget that this box will be turned on 24/7, so the components you use must be reliable.

What are the minimum requirements? My system uses about 50% of its CPU to support Sympatico’s ADSL rate (around 900 kbps). It is built with the following components:

An ancient 486 motherboard (with an ISA bus) given to me by a friend (thanks Christian!). It runs at 66 MHz.
32 MB of brand new RAM i bought for it.
A 200 MB hard disk, which was dying after about 1 year of faithful use (it came with the motherboard). This disk was recently replaced with the cheapest brand new drive i could find. I didn’t know they still made those slow 3600 RPM drives Anyway, the old drive is kept as a kind of extreme emergency backup.
Two ISA-bus ethernet cards. I’ll talk more about this later.
A CD-ROM drive. Very optional, but can make life easier.
A “home” grade hub & cat5 cabling. This is not strictly necessary if you’ll have only one machine connected to your firewall: you can make do with a special “crossover” cat5 cable instead. The cable that comes with xDSL modems is usually (always?) a crossover cable. Anyway, for two or more machines, the hub is mandatory. Small hubs can be bought for a very reasonable price (~40$ cdn).
or
Alternatively, many older ethernet cards come with a BNC female connector. This can be used to connect the machines on your network with coax cables, without any hub. However, be warned that a 10base-2 network must follow certain rules if you want it to work flawlessly. Follow them.
This gives a good approximation of what you need. The MOST important part is the RAM. Make absolutely sure that whatever RAM you use is reliable. Old boxen were usually setup to run Windoze, and it was not a big deal if the machine had flaky RAM because of the way Windoze works…

OpenBSD (like any real OS out there) is much less tolerant of flaky RAM, because it actually uses all of it. It will crash quite quickly if your RAM is marginal, probably within 5-10 minutes. You have been warned.

Finally, the OpenBSD hardware list is there. Try to make sure that whatever hardware you use in your gateway box figures on that list. It’s a long list

The ethernet cards
There is a boring thing of which we must talk about here. You see, there are many kinds of ethernet cards, and you must make sure you have the right ones for your machine. If you have a PCI-based machine, then all is well. Whatever ethernet card you put in there will probably be supported by OpenBSD. However, you must be a bit more careful if you have an ISA-based machine.

It is most likely that your box will not have any ethernet cards to start with since most people did not have networks at home in the pre-historic era of 4 years ago. You need two cards. One will be connected to the DSL modem (the big, bad outerworld), while the other is connected to your internal network hub (your intranet). The gateway’s job will be to pass (or block) packets between those two network cards. For security, its very important that the outside world packets cannot reach directly any of the intranet machines. This is the reason why we use two ethernet cards: complete logical and electrical isolation. Why so much isolation? For example, if someone(s) were launching a full (distributed or not) denial of service attack on your gateway box, its internet-connected ethernet card would be extremely busy, but your intranet would see nothing of this. While any communication with the outside world would probably fail, at least your intranet machines would still be able to talk to each other.

ISA cards use dedicated I/O ports and IRQ’s in your machine. Those must be setup either with jumpers directly on the card, or with a special DOS program if the card is of the more recent “Plug & Play” type. This DOS program is always supplied with the card, when purchased brand new.

If your card is Plug&Play, you must disable the Plug&Play, and program specific I/O port and IRQ values with the setup software that comes with the card. Make sure that you program both cards with different sets of I/O ports and IRQs! Otherwise they will battle each other for cycles on the bus and the result will not be pretty. Once you have set the parameters on the card it will remember them and you don’t have to reprogram anything later on, even if the computer is turned off.

It is good at this point to know a few magic numbers:

Card Type I/O #1 IRQ #1 Mem #1 I/O #2 IRQ #2 Mem #2
NE2000 (ne) 0×240 9 — 0×300 10 —
SMC WD-8003 (we) 0×280 9 0xd0000 0×300 10 0xcc000

For example, i use two cards made by AOpen: the model ALN-101. They are Plug&Play and use the NE2000 chip. The first one is setup at I/O port 0×240, IRQ 9. It is known as “ne0″ in the GENERIC openBSD kernel. The second one is set at I/O port 0×300, IRQ 10. It is known as “ne1″. If the cards were programmed differently, the GENERIC kernel would not recognize them “out of the box” and you would have to re-configure the kernel. It can be done, but its much easier to setup the hardware once than re-configure the kernel every time it gets upgraded.

Some of you might have problems setting the card to an arbitrary combination of IO port and IRQ number. This is allright, just let the card decide what it wants and simply reconfigure your kernel to accomodate that. What is important is that both ethernet cards are not set to conflicting values. Otherwise, any combination that the cards like will be programmable in the kernel.

Last but not least: some cards can be used in the so-called “full-duplex” mode. Be aware that if you want to use an ethernet card in full-duplex, your hub must also be full-duplex, as well as the other ethernet cards in the system. A full-duplex hub is much more expensive and not necessary at all. Unless you know what you are doing, program your ethernet cards to use the half-duplex mode, otherwise it won’t play nice with the other components in your local network, including the xDSL modem
(注，这里需要说NE2000等旧款的基于486机的网卡也可以用，但现在这些网卡，其本难找，所以至少要用8139系列芯片的10-100M自适应的网卡来做应用）

The hard disk
The most secure storage medium is one which can’t be erased. Some firewalls actually use setups like this (with CD-ROMS) but we’ll build our firewall with a classic, writeable hard drive because:

We don’t need “Absolute Security”, do we? We can’t have it anyway
We want to use an “out-of-the-box” OpenBSD distro. This will make maintenance (security, patches, etc…) much easier.
Almost any hard disk out there will work OK, since 200 MB is a safe minimum size. The only thing you must remember is that this disk will run 24/7, so if you use an old drive, it will likely die relatively soon. The venerable drive my friend gave me lasted 6 months before i had to change it, YMMV.

No keyboard?
Of course you’ll need a keyboard… and a monitor too, but just for the installation. After the firewall is successfully installed, you will be able to talk to it through encrypted ssh connections over your internal network, so a keyboard & monitor will not be really useful at that point.

——————————————————————————–

Getting the software
We will be using OpenBSD. Why? Because it is the most secure freely available operating system out there. All the source code included in the mainstream distribution CD’s has been audited for years by the OpenBSD team, which is why sometimes an exploit published on BugTraq is found not to work on OpenBSD simply because the faulty code was already fixed months ago.

I strongly suggest you buy their CD-ROM kit as it comes with a set of very cool stickers… You can also download their stuff for free, of course, but you won’t have the stickers then

This Guide is written for OpenBSD 3.0.

The easiest way to install the software is to use a CD-ROM drive on your firewall box. If you don’t have that, you can do a network install with the “ftp” protocol, either directly to an outside OpenBSD mirror, or to one of your own internal machines equipped with an ftp server. Be aware that if your DSL provider forces you to use PPPoE (boooo!), then of course your link to the outside world will not be functional yet at installation time, which is one more reason to use the CD-ROM. If your machine can boot a CD-ROM, great! It will gladly boot the OpenBSD disc. Otherwise, simply create a boot diskette according to the README and boot that. This diskette is also your rescue disk, so don’t lose it.
——————————————————————————–

Installing OpenBSD
The installation of OpenBSD is very easy, once you have the right hardware, and the right answers to some of the questions. In the following steps, i’ll assume you can follow the instructions of the install program and focus only on the tricky little things you should know to make your life easier.

fdisk & disklabel
After you boot the installer, one of the very first things you’ll have to do is partition your disk. This is done with the “fdisk” and “disklabel” programs. The installer will ask you if you want to use the entire hard disk for OpenBSD. Answer No, even if it is not entirely true. If you say yes, the whole fdisk step will be bypassed, and you will not be able to change the default cylinder/head/sector configuration in order to boot off the hard disk without resorting to the silly “FDISK /MBR” DOS command which is a stupid solution to a stupid problem.
The default OpenBSD fdisk partition setup choice is in slot #3. If you want, you can move your OpenBSD partition in slot #0 with no ill effect.

Important: On some systems, to make sure your system boots off the hard disk, you must set the starting CHS (cylinder/head/sector) to C=0, H=0, S=1, because fdisk suggested an incorrect value for H in OpenBSD 2.7, and still does in 2.8 … If you use “1″, as it suggests, your system will not be able to boot from the hard disk.

After the disk is partitioned with fdisk, you use disklabel to further organize the partition. A label behaves like a traditional partition (as used in Linux, for example), except that you can put as many labels as you want in the single OpenBSD partition. This is useful.

On a fully partitioned system, the disk labels might look like this:

a: 2097648 0 4.2BSD 1024 8192 16 # / 1 GB
b: 262080 2097648 swap # SWAP 128 MB
c: 20015856 0 unused 0 0 # (whole disk) 10 GB
d: 2097648 2359728 4.2BSD 1024 8192 16 # /usr 1 GB
e: 2097648 4457376 4.2BSD 1024 8192 16 # /tmp 1 GB
f: 2097648 6555024 4.2BSD 1024 8192 16 # /var 1 GB
g: 4194288 8652672 4.2BSD 1024 8192 16 # /usr/local 2 GB
h: 7168896 12846960 4.2BSD 1024 8192 16 # /home 3 GB
On my firewall, i like to keep things simpler, so it goes like this:

# size offset fstype [fsize bsize cpg]
a: 18874800 0 4.2BSD 1024 8192 16 # (Cyl. 0 – 18724)
b: 1141056 18874800 swap # (Cyl. 18725 – 19856)
c: 20015856 0 unused 0 0 # (Cyl. 0 – 19856)As you see, the ‘c’ label is a placeholder for the whole disk, in all cases. Don’t delete or otherwise change this, or you’ll be in trouble.

One of the main disadvantages of having a single partition is that one could do bad things in such quantity that the log files would simply fill up the whole drive. OpenBSD doesn’t like it when all its disk space is full. You can guess the rest of the story. In practice, this is not an issue, since i monitor my log files daily, but it could be an issue for someone out there.

On a fully partitioned system, the “df” command says this, after the OS is installed, with its complete source trees:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 1015269 25985 938521 3% /
/dev/wd0d 1015269 480284 484222 50% /usr
/dev/wd0e 1015269 1 964505 0% /tmp
/dev/wd0f 1015269 5141 959365 1% /var
/dev/wd0g 2030307 8698 1920094 0% /usr/local
/dev/wd0h 3470505 27 3296953 0% /home

On my system i have this:

Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/wd0a 9137589 503054 8177656 6% /

In this example, the full OpenBSD source tree is installed, which explains why the thing uses up about 500 MB. Without the source tree, you only need about 120 MB in there, but having the source tree allows you to make security patches as they are published. This is important and i’ll talk about it more later.

Active FTP
If you do an FTP install to a private FTP server, it might be necessary to use active FTP.

Crypto, SSL, etc…
The crytographic packages are included in the CD’s since release 2.9 of OpenBSD. They will be automatically installed.

UTC time zone
Keep your server in the UTC time zone. This way, your firewall logs will be timestamped in UTC time and it will be simpler to have them interpreted by the abuse@… services of ISP’s. Also, it is important to make sure the gateway is time-synchronized to one of the numerous public NTP servers out there, because having only an IP address is not enough to pin down internet abusers. In this age of dynamic IP allocations you need both IP address and exact time in order to positively identify the origin of an IP packet. Keep your gateway synchronized.
Why not GMT instead? Read all about it there.

Normally, the installer will ask you for a time zone at install time. If you want to change it later, simply make /etc/localtime point to /usr/share/zoneinfo/UTC with a soft link:

ln -s /usr/share/zoneinfo/UTC /etc/localtime

First Boot
reboot … did your machine boot correctly? If not, please consult the numerous FAQ’s available at the OpenBSD site. Are you sure you set H=0 in fdisk? By the way, if it doesn’t boot from hard disk, you can probably still force it by first booting the install diskette, and entering “boot wd0a:/bsd” at the initial prompt. You have about 5 seconds to make your mind, when you see this prompt, act swiftly.
On first boot, you will probably get a message like “ssh-keygen: generating new DSA host key…”, followed with an equivalent message for the RSA host key. They might take quite a long time on a 486 (5-10 minutes), so Don’t Panic! ™ , the machine is not crashed, and the boot process will eventually follow its course, given time. This will happen only on the first boot.

Kernel extra configuration
If, at this point, the kernel sees all you devices (including both ethernet cards), congratulations. If not, you can reconfigure the kernel without having to recompile it by simply using the config utility. Typically, you would copy your current kernel (the “/bsd” file) to an appropriate backup name (e.g. “/bsd.ORIGINAL”), and issue this command:

config -e -f /bsd
and make whatever changes you need. You should know what you’re doing in order to use this command without blowing your system up into tiny bits & pieces. Don’t forget to save your changes. If this modified kernel doesn’t work OK, just boot the “/bsd.ORIGINAL” kernel instead, and you will have another chance.

Sys control files
The services allowed by OpenBSD are configured by a couple of files in the /etc directory. Actually, this directory contains all the configuration files of OpenBSD, for your convenience, but this is something you’ll only appreciate later, when you become an experienced BSD maintainer… We’ll come back to that /etc directory quite often.
For now, just make sure that the following are enabled:

In the file /etc/sysctl.conf:
net.inet.ip.forwarding=1

and in /etc/rc.conf:
sendmail_flags=”-L sm-mta -bd -q30m”
named_flags=”"
httpd_flags=”-DSSL”

Important: If you plan to use PPPoE, don’t enable pf here because you want to start it in a controlled manner, after PPPoE is started. Enabling “pf” here would make it start at the very beginning of the boot process and this would not work.

PPP & PPPoE
Ahhhh… the Evil Beast. Installing a good, working PPP and PPPoE can be quite a tricky task. In OpenBSD 3.0, it is included and works well, once properly configured. This version of PPP supports the “mssfixup” instruction which magically allows you to avoid setting MTU’s at 1492 or less on all of your intranet’s machines. This is very recommended as it avoids a whole bunch of problems with Windows machines, internet appliances, etc…
Notice that there is an excellent Network FAQ available from the OpenBSD site. It contains a lot of information on what to do with those ethernet adapters.

The configuration file for ppp is in /etc/ppp/ppp.conf. Mine contains exactly this:

default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device “!/usr/sbin/pppoe -i ne0″
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx
set authkey xxxxxx
add! default HISADDR
enable dns
enable mssfixupNotice how we specify the real network interface ne0 to pppoe (with double quotes), and that i use “max 1492″ for the MTU value, as suggested by many people. Also, no value is specified for the MRU, the PPP network address translation is not enabled, the magic “mssfixup” is enabled and i use the “add!” command instead of plain “add” (suggested by Chris Pockele).

Also notice that the authname and authkey fields don’t contain double-quote characters. You should put in there your own ISP identification and password. Some ISPs require authname to have a full identification (e.g. “username@sympatico.ca”), while other ISPs will want to have only “username” in the authname field. Experiment.

Robert Jameson (thanks Robert!) reports that some ISPs require you to specify the pppoe service you want. This is done on the “set device” line. For example:

set device “!/usr/sbin/pppoe -n Shasta_1 -i ne0″

VERY IMPORTANT!

For some reason, the routes setup automatically by ppp at linkup time were not correctly defined prior to OpenBSD version 3.0. The MTU’s were wrong, leading to all sorts of subtle problems. This is now fixed, and we can safely use the “add default HISADDR” command in the ppp config file, with no special route commands at all in the ppp.linkup file. The MTUs will be properly set to 1492 on all the routes which go through the external interface.

The command “netstat -rn” confirms this:

pcreal# netstat -rn
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 65.92.185.1 UGS 3 13423 1492 tun0
65.92.185.1 65.92.185.97 UH 1 0 1492 tun0
127.0.0.1 127.0.0.1 UH 1 1045 33224 lo0
192.168.1/24 link#2 UC 0 0 1500 ne1
192.168.1.1 0:e0:18:90:a7:c7 UHL 3 10475 1500 ne1
…

A friend from Australia (thanks Doug!) suggested i clarify the following points:

(1) The 64.229.x.x adresses will NOT be the same in your setup! Those are the adress blocks of my PPPoE service provider (Sympatico). Your own setup will use, most likely, different address blocks.

(2) The ppp daemon creates a virtual network interface (“tun0″) out of thin air. This virtual network interface is internally linked to the actual physical interface (“ne0″ in my system), but you will never have to deal directly with “ne0″ in your configuration files. For example, the firewall rules are written with the virtual “tun0″ interface, not the physical “ne0″ interface. In my setup, the internal interface is “ne1″, and the external interface is “tun0″. Here is Doug’s analogy with the Windows world:

“… think of the PPPoE adaptor like the dialup adaptor in a Windows
control panel. it doesn’t really exist but you gotta have it…”(3) The ppp daemon takes care of automatically assigning the name servers and the routes. Consequently, make sure there is no file “/etc/mygate”, and bear in mind that “/etc/resolv.conf” will be automatically generated as well, at connection time. This has the advantage that you don’t need to know anything about the details of your connection (name server adresses, etc…) to your ISP. Your user ID and password are sufficient, as the ppp daemon will negociate with the server and obtain the information it needs to open the connection.

(4) Since the ppp daemon will take are of the external network interface, you don’t need a “/etc/hostname.ne0″ file. However, you do need a file to describe your internal network interface (in my case, “ne1″):

pcreal# cat /etc/hostname.ne1
inet 192.168.1.2 255.255.255.0 NONENormally, this file should have been built by the setup program of OpenBSD, but if not, you must manually put it there and replace the “192.168.1.2″ with whatever address you want your gateway to have as seen from your internal network.

Another friend, from France (thanks Xavier!), sent me this ascii picture of the network connections:

| |
internet| ====> |DSL Modem| ====>|server|=====>|LAN (HUB)
| tun0 ne1 |
| =ne0 |

Note: I consider this PPP/PPPoE setup to be a work in progress. I continually discover new things about it… so, please bear with me and do send me your feedback about your own experience regarding PPP/PPPoE. It really is a pain, but apparently we will be stuck with it for a long long time, so we might as well learn how to tame the thing!

Second Boot
reboot … your machine should boot correctly. You won’t have internet access yet because the ppp program is not activated. If you want to try it out, just issue

ifconfig ne0 up
ppp -ddial pppoeand ping/telnet away. Don’t worry if you get “carrier settings ignored”, or “change route failed” messages. Be careful because at this point you have no firewall rules set, so you are very vulnerable. Also, make sure your xDSL modem is plugged in the correct ethernet card…

If all works well, then you should kill the “ppp” process. Only restart it when the firewall rules are in place.

The afterboot phase
Follow the instructions obtained by issuing the “man afterboot” command. Actually, quoting FAQ section 2.3, here is a list of the most useful man pages for new users:

* [15]afterboot(8) – things to check after the first complete boot
* [16]boot(8) – system boot strapping procedures
* [17]passwd.conf(5) – format of the password configuration file
* [18]adduser_proc(8) – procedure for adding new users
* [19]adduser(8) – command for adding new users
* [20]vipw(8) – edit the pass word file
* [21]man(1) – display the on-line manual pages
* [22]sendbug(1) – send a problem report (PR) about OpenBSD to a
central support site.
* [23]disklabel(8) – Read and write disk pack label.
* [24]ifconfig(8) – configure network interface parameters.
* [25]route(8) – manually manipulate the routing tables.
* [26]netstat(1) – show network status.
* [27]reboot, halt(8) – Stopping and restarting the system.
* [28]shutdown(8) – close down the system at a given time.
* [29]boot_config(8) – how to change kernel configuration at boot

One of the first things you should do at this point is to add an unprivileged user and make him member of the wheel group. This is because, for security reasons, it is never a good idea to log in directly as root. The preferred way to gain root privileges is to login as a wheel member, and then use the “su -” command to gain root privileges.

OpenBSD will not prevent you from logging in directly as root, but will warn you every time against doing it.

Have fun!

Firewall and NAT rule sets
This is a tricky one. Many people earn a good living just by knowing how to write firewall rule sets! Moreover, the whole packet filter and NAT code was completely rewritten from scratch in OpenBSD 3.0. It is now called “pf”, and is completely free of any external licensing strings so we will always have the latest, fully audited versions in future OpenBSD releases.
Here are my own pf rules, in all their glory. They were heavily influenced by the various man pages and HOW-TO’s pertaining to “pf”. Be aware that they might be either too restrictive, or not enough, depending on your context. My philosophy about this is to disallow everything by default, and only open whatever is known to be useful. This restrictive ruleset will prevent ftp from working correctly, from the firewall itself. However, the ftp proxy currently available will work correctly for client machines located on the intranet.

Don’t forget to send me your tips for better rules… Thanks!

/etc/nat.conf
nat on tun0 from 192.168.1.0/24 to any -> tun0
rdr on ne1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

/etc/pf.conf
#————————————————————————–
# PF ruleset, 11 dec. 2001
#
# Liberally adapted from the pf man page, the OpenBSD “Network How-To”,
# and my own rulesets.
#————————————————————————–

#————————————————————————–
# Definitions
Ext = “tun0″ # External interface
Int = “ne1″ # Internal interface
Loop = “lo0″ # Loopback interface
IntNet=”192.168.1.0/24″ # Internal network

NoRoute = “{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }”

InServicesTCP = “{ ssh, smtp, auth, http, https, pop3 }”
#InServicesUDP = “{ domain }”
OutServicesTCP = “{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp }”
OutServicesUDP = “{ ntp, domain }”

XMMS = “{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, 8014, 8026, 8048, \
8002, 8024, 8028, 8080 }”
RealAudio = “{ 554, 7070, 8080 }”

#————————————————————————–
#————————————————————————–
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
scrub in on { $Ext, $Int } all
#————————————————————————–

#————————————————————————-
# Defaults
# block and log everything
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

block in quick inet6 all
block out quick inet6 all
#————————————————————————-

#————————————————————————–
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#————————————————————————–

#————————————————————————-
# Immediate blocks
# fuzz any ‘nmap’ attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA

# don’t allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#————————————————————————-

#————————————————————————-
# PASS rules

# ALL — we don’t normally do that. For debugging only.
#pass out quick on $Ext all keep state

# pass in data mode connections for ftp-proxy running on this host.
pass in quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state

# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state

# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state

# Special services
pass out quick on $Ext inet proto tcp from any to any port $XMMS flags S/SA modulate state
pass out quick on $Ext inet proto tcp from any to any port $RealAudio flags S/SA modulate state
IMPORTANT: Note that the “rdr” rule in the NAT file refers to the INTERNAL network interface. Its purpose is to redirect all ftp-data requests from the intranet to be redirected to the ftp-proxy on the firewall. Then the ftp-proxy channels those into ports 49152-65535, and outputs them on the internet. This is why we have this hole in the firewall starting at port 49152. I know, it is in the IN direction, but that is how passive ftp works… It is quite a broken protocol.
That’s it! Nothing too painful, as you see. Since pf is a stateful inspection firewall, we can keep our ingress rules to a strict minimum. Notice the sheer elegance of the ruleset, with all services defined at once in a single IN or OUT rule.

One last thing: in order to automagically enable your firewall when the link comes up, you can put the following lines in the /etc/ppp/ppp.linkup file. Notice the extra space in front of each “!” character:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”

The FTP proxy
If you want tight security, and no FTP available on your intranet, simply remove the hole at 49152, and the “rdr” command in the file “nat.conf”. However, if you want to be able to use FTP from the intranet, then you must keep those, as well as enable the “ftp-proxy” service in inetd. Simply add this line to inetd.conf :

8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxyDon’t forget that you still won’t be able to do FTP’ing from the firewall itself, when the packet filtering is enabled. Hopefully, it is very easy to temporarily disable pf with the command “pfctl -d”, and later re-enable it with the command “pfctl -e”. This comes in handy when we install packages from ftp.openbsd.org with the command “pkg_add”.

We are confident that ftp-proxy will improve with time and eventually dynamically manipulate the state tables of the firewall in order to open/close needed connections on-the-fly.

Addinc stuff to /etc/rc.local
This is where our custom startup instructions go. Those things are started while the kernel is in secure level 1. If you need anything started in a lower security level, modify /etc/rc.securelevel instead. In order to start up PPPoE correctly, I added this at the end of my /etc/rc.local :

ifconfig ne0 up
route flush
ppp -ddial pppoe

This starts PPP, PPPoE, the firewall and the NAT translator (because the firewall and the NAT are started automatically in the ppp.linkup file). If you’re curious, you can reboot at this point, and confirm that you have a fully firewalled internet access:

pcreal# ifconfig -a
lo0: flags=8009 mtu 33224
inet6 fe80::1%lo0 prefixlen 64 scopeid 0×5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008 mtu 33224
ne0: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet6 fe80::240:f4ff:fe2b:190d%ne0 prefixlen 64 scopeid 0×1
ne1: flags=8863 mtu 1500
media: Ethernet autoselect (10baseT)
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::240:f4ff:fe2b:16b1%ne1 prefixlen 64 scopeid 0×2
pflog0: flags=141 mtu 33224
sl0: flags=c010 mtu 296
sl1: flags=c010 mtu 296
ppp0: flags=8010 mtu 1500
ppp1: flags=8010 mtu 1500
tun0: flags=8011 mtu 1492
inet 65.92.185.97 –> 65.92.185.1 netmask 0xffffffff
tun1: flags=10 mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
vlan1: flags=0<> mtu 1500
gre0: flags=8010 mtu 1450
gif0: flags=8010 mtu 1280
gif1: flags=8010 mtu 1280
gif2: flags=8010 mtu 1280
gif3: flags=8010 mtu 1280

pcreal# pfctl -sr
@0 scrub in on ne1 all
@1 scrub in on tun0 all
@2 block out log on tun0 all
@3 block in log on tun0 all
@4 block return-rst out log on tun0 proto tcp all
@5 block return-rst in log on tun0 proto tcp all
@6 block return-icmp out log on tun0 proto udp all
@7 block return-icmp in log on tun0 proto udp all
@8 block in quick inet6 all
@9 block out quick inet6 all
@10 pass in quick on lo0 all
@11 pass out quick on lo0 all
@12 block in log quick on tun0 inet proto tcp all flags FPU/FPU
@13 block in log quick on tun0 inet proto tcp all flags FS/FSRA
@14 block in log quick on tun0 inet proto tcp all flags /FSRA
@15 block in log quick on tun0 inet from 255.255.255.255/32 to any
@16 block in log quick on tun0 inet from 10.0.0.0/8 to any
@17 block in log quick on tun0 inet from 172.16.0.0/12 to any
@18 block in log quick on tun0 inet from 192.168.0.0/16 to any
@19 block in log quick on tun0 inet from 127.0.0.1/8 to any
@20 block out log quick on tun0 inet from any to 255.255.255.255/32
@21 block out log quick on tun0 inet from any to 10.0.0.0/8
@22 block out log quick on tun0 inet from any to 172.16.0.0/12
@23 block out log quick on tun0 inet from any to 192.168.0.0/16
@24 block out log quick on tun0 inet from any to 127.0.0.1/8
@25 block in quick on tun0 inet from any to 255.255.255.255/32
@26 pass in quick on tun0 inet proto tcp from any to any port > 49151 flags S/SA keep state
@27 pass out quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@28 pass in log quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
@29 pass in quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA keep state
@30 pass in quick on tun0 inet proto tcp from any to any port = https flags S/SA keep state
@31 pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
@32 pass in quick on tun0 inet proto tcp from any to any port = auth flags S/SA keep state
@33 pass in quick on tun0 inet proto tcp from any to any port = smtp flags S/SA keep state
@34 pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
@35 pass out quick on tun0 inet proto udp from any to any port = domain keep state
@36 pass out quick on tun0 inet proto udp from any to any port = ntp keep state
@37 pass out quick on tun0 inet proto tcp from any to any port = ntp flags S/SA modulate state
@38 pass out quick on tun0 inet proto tcp from any to any port = auth flags S/SA modulate state
@39 pass out quick on tun0 inet proto tcp from any to any port = nntp flags S/SA modulate state
@40 pass out quick on tun0 inet proto tcp from any to any port = ftp-data flags S/SA modulate state
@41 pass out quick on tun0 inet proto tcp from any to any port = ftp flags S/SA modulate state
@42 pass out quick on tun0 inet proto tcp from any to any port = telnet flags S/SA modulate state
@43 pass out quick on tun0 inet proto tcp from any to any port = ssh flags S/SA modulate state
@44 pass out quick on tun0 inet proto tcp from any to any port = domain flags S/SA modulate state
@45 pass out quick on tun0 inet proto tcp from any to any port = whois flags S/SA modulate state
@46 pass out quick on tun0 inet proto tcp from any to any port = pop3 flags S/SA modulate state
@47 pass out quick on tun0 inet proto tcp from any to any port = smtp flags S/SA modulate state
@48 pass out quick on tun0 inet proto tcp from any to any port = https flags S/SA modulate state
@49 pass out quick on tun0 inet proto tcp from any to any port = www flags S/SA modulate state
…
@72 pass out quick on tun0 inet proto tcp from any to any port = 6000 flags S/SA modulate state
@73 pass out quick on tun0 inet proto tcp from any to any port = 8080 flags S/SA modulate state
@74 pass out quick on tun0 inet proto tcp from any to any port = 7070 flags S/SA modulate state
@75 pass out quick on tun0 inet proto tcp from any to any port = 554 flags S/SA modulate state

pflogd and tcpdump
With the new pf firewall code comes a new way to log firewalled packets and look at them. The log is actually taken care of by a separate daemon ( pflogd ) which should be started in “ppp.linkup” and killed in “ppp.linkdown”. This daemon puts its data in a special log file ( /var/log/pflog ) which is not directly human readable, for performance reasons. To get a dump of the file, simply issue the command “tcpdump -n -e -ttt -r /var/log/pflog”, or , if you want a real-time display of the logs, simply issue “tcpdump -n -e -ttt -i pflog0″.

The Dynamic DNS
Dynamic DNS is a wonderful thing. Basically, you just go to a dyndns provider like those nice people and 10 minutes later you have your very own domain, for free. In order to make that domain dynamically follow your IP address changes, you must use a special client program which must be called whenever your IP changes.

Until recently I liked ddup, but now i use ipcheck. The latter is truly compliant with all of dyndns’s client specification, and maintains its state automatically in system files. You will have to install the python package if you use “ipcheck”. Also, you’ll need your user ID and password from the dyndns provider.

One more advice: it is perfectly acceptable to have more than one domain pointing at the same IP address. Remember this when choosing one or more domain names…

Keeping your xDSL link alive 24/7
xDSL connections are very reliable, but ISP’s are not For many reasons unfathomable, you will sometimes lose your connection. There are many methods of re-establishing that connection automatically, and i’ll describe here the one i use.

The Method
Make sure you initialise ppp with the “-ddial” command, and NOT the “-background” command…

The automatic restart of the ppp link is handled by ppp itself (using the “-ddial” command), which is quite handy. This leaves us with the dyndns updates, which are performed intelligently by ipcheck.py . An easy way of doing it is to create an executable file named “do_ipcheck” which contains this:

#!/bin/sh
/usr/local/sbin/ipcheck.py -q -d /etc/ipcheck -i tun0 -w Username Password DomainName1,DomainName2with your own Username, Password and Domain names, of course. Then, all you have to do is to add the following line to crontab:

*/5 * * * * /usr/local/sbin/do_ipcheckAlso, don’t forget to create the directory /etc/ipcheck and make sure your /etc/ppp/ppp.linkup file looks like this:

MYADDR:
! sh -c “/sbin/ifconfig pflog0 up”
! sh -c “/sbin/pfctl -e -l tun0 -F all -O aggressive -R /etc/pf.conf -N /etc/nat.conf”
! sh -c “/usr/local/sbin/ResetNTP.sh”
!bg sh -c “/usr/local/sbin/do_ipcheck”
You can call “do_ipcheck” from “ppp.linkup” … however, you must use the special “!bg” construct, in order to instruct ppp to fork it in the background. Nasty stuff happens if you don’t use “!bg” here. Big thanks to Dan for this update!

This setup should garantee the proper restart of the firewall & ipnat each time the ppp link is brought up again.

Apache
Now would be a good time to install your htdocs directory. The way i like to do this is to mount a read-only NFS file system over the current htdocs. This is easily accomplished by adding a line like this to your /etc/fstab :

192.168.1.1:/usr/local/Apache/htdocs /var/www/htdocs nfs ro Moreover, the web logs are kept in /var/www/logs. Interesting stuff.

We are in full virus season and i’m sure your log files will fill up as fast as mine with useless garbage, once your Apache is up. In order to remove some clutter, you can filter out the virus attacks and channel them to a specialized attack_log file. Simply insert the following lines into your /var/www/conf/httpd.conf file:

SetEnvIf Request_URI “^/default.ida” attacks # For Code Red
SetEnvIf Request_URI “^/scripts” attacks # For nimda
SetEnvIf Request_URI “^/c/winnt” attacks # … ditto all the way down
SetEnvIf Request_URI “^/_mem_bin” attacks
SetEnvIf Request_URI “^/_vti_bin” attacks
SetEnvIf Request_URI “^/MSADC” attacks
SetEnvIf Request_URI “^/msadc” attacks
SetEnvIf Request_URI “^/d/winnt” attacks

CustomLog /var/www/logs/access_log combined env=!attacks
CustomLog /var/www/logs/attack_log combined env=attacks
This will send all virus-related requests to “attack_log”, while still logging other activities normally in access_log.

Named
Someone (Chavous P. Camp, thanks!) sent me advice on optimizing “named” for faster throughput. He recommends to add two lines to the “/var/named/named.boot” file:

options forward-only
forwarders ip.addresses.of.ISPs.nameservers.separated.by.spacesThis forces named to always use the same servers for dns. If your ISP’s servers are always on fixed IP adresses, then it works well. However, ISP’s who force you to use PPPoE will also sometimes change dynamically the DNS servers allocated to you (in “/etc/resolv.conf”, automatically created by ppp at startup). In that case, there is no garantee that the name servers you hardwire as forwarders will always be available.

Removing IPv6 related errors
The GENERIC OpenBSD kernel comes precompiled with IP v6 support. This is the reason why you might see many “/bsd: tun0: not multicast capable, IPv6 not enabled” error messages in your logs. Those messages are completely harmless and do not alter the performance of your system. However, should you want to get rid of them, you can simply remove IPv6 support from your kernel by modifying “/usr/src/sys/conf/GENERIC” and removing the “option INET6″ line. Then recompile your kernel in the usual way. Thanks Chavous for this info!

Setting permissions of scripts & config files
Another excellent suggestion from Chavous. Scripts and config files with passwords should have their permissions changed to 500 (for scripts) or 400 (for config files), for greater security. This includes “ppp.conf”, “do_ipcheck”, etc…

The NTP daemon
The ntpd daemon is not installed by default. However, you can download it as a package, and install it with the pkg_add command. Since you have internet connectivity by now, you can download & install it in a single command:

pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386/ntp-4.1.71.tgz Moreover, you will need a valid /etc/ntp.conf file:

pcreal# cat /etc/ntp.conf
server 128.100.102.201
driftfile /etc/ntp.driftFeel free to use any other atomic time server if you want. Also, the drift file will be created & maintained automagically.

Important tip from Chavous:
=========================================
I found my ntp server would refuse to synchronize after a reboot because it
had no route to the time server. This was, of course, because PPPoE is
loaded AFTER ntp, and sometimes the PPPoE negotiation after a reboot takes a
few seconds.

Anyway, here is something you might want to add as a suggestion:

Turn ntpd OFF in the rc.conf file
add this line to your ppp.linkup file – AFTER the firewall initialization

! sh -c “/etc/ppp/ResetNTP.sh”

That script should then contain:

#!/bin/sh
if [ -f /var/run/ntpd.pid ]; then
kill `cat /var/run/ntpd.pid`
rm -f /var/run/ntpd.pid
fi
/usr/local/sbin/ntpd -p /var/run/ntpd.pid

(as I have said before, remind your readers that this script is executed as
root and should therefore be chmod 444 or less)

This kills the NTP daemon (if it exists) and restarts it. On boot, it would
not be restarted, but what if the link went down for a while? The ntp daemon
would give up and stop sending queries because it couldn’t get a route to
host.

REALLY, the ntp daemon SHOULD NOT stop querying the server just because it
can’t get a route to the host, but it seems to be written as such now
anyway. I haven’t tested the ntp daemon over a long period of time (more
than about a day) so I don’t know if it just gives up for some arbitrarily
long period (MORE than a day) and then tries again. I seriously doubt it
does, because a day is a LONG time. This workaround isn’t ideal, because
for time consistency, one would want the time server to stay running at all
times. According to the ntpd documentation, ntpd tends to become more
accurate the longer it runs.

Chavous
=========================================

Sendmail
If you have followed all the steps of the recipe so far, your sendmail should be configured & ready to receive mail from the internet, however you should know a few more things about this. First, if you want your gateway to receive mail for more than one domain, you must make sure the all fully qualified domains are setup as aliases for your host in the file /etc/hosts.

The mail popper
All ingress mail is received & kept on the gateway untill some POP client on the intranet gets it. I use the “popa3d” server package because it is written with security in mind. It is now part of the main OpenBSD 3.0 distribution, so you don’t have to download it as a separate package. Simply enable it in the file /etc/inetd.conf and you should be up & running.

The installed packages
Just to do a quick check, here are the packages i have installed on my system:

pcreal# pkg_info
gmp-3.1.1 library for arbitrary precision arithmetic
python-2.1.1 interpreted object-oriented programming language
ntp-4.1.71 network time protocol implementation
libiconv-1.7 character set conversion library
gettext-0.10.40 GNU gettext
mhash-0.8.9 strong hash library
libtool-1.3.5p3 generic shared library support script
postgresql-7.1.3 PostgreSQL RDBMS
libmcrypt-2.4.15 interface to access block/stream encryption algorithms
c-client-4.40p1 University of Washington’s c-client mail access routines
php4-4.0.6p1-gettext-imap-mhash-no_x11-mcrypt-postgresql server-side HTML-embedded scripting language

The Secure Shell
The secure shell looks & feels exactly like telnet, except that all communication between the client and the server is encrypted. It is the only possible way to access your gateway, because the telnet daemon is disabled by default. Usage is very simple: just like telnet!

[real@pcreal Projects]$ ssh 192.168.1.2
real@192.168.1.2′s password:
Warning: Remote host denied X11 forwarding.
Last login: Sun Nov 5 12:58:08 2000 from 192.168.1.1
OpenBSD 2.7 (GENERIC) #1: Thu Nov 2 16:05:11 GMT 2000

pcreal:real {39}

Once you are logged in as an unprivileged user, member of the wheel group, you can use su to gain superuser privileges:

pcreal:real {39} su -
Password:
Terminal type? [nxterm]
pcreal#

The log files
There are many log files of high interest maintained automatically by your gateway. It is usually convenient to look at them with the “tail -f” command. The files i look at often are:

/var/log/messages
/var/log/maillog
/var/log/secure
/var/www/logs/access_log

Moreover, you can grab interesting info about the blocked packets on your firewall with the “ipmon” utility.

There are many other log files available for all kinds of things. Dig around to find more about them.

Installing IPSEC
Dave Cook has kindly provided us with a good description of how to install IPSEC on your OpenBSD boxen: file:///H:/OPENBSD/ipsec.pdf, in PDF (Acrobat) format. Be aware that it is a largish file (440K), and it might take some time for your Acrobat reader to load afterwards, so don’t hit the link repeatedly, it won’t make things load faster…

Apply the security patches!
Security patches are published there. APPLY THEM RELIGIOUSLY!
It is not really difficult, but you will need a copy of the complete, original source tree of the distribution. The compressed source archives are to be found with the distribution files. These are the 3.0 source files:

src.tar.gz 64447 Kb Tue May 1 16:18:00 2001 Unix Tape Archive
srcsys.tar.gz 13837 Kb Tue May 1 16:18:00 2001 Unix Tape ArchiveThey total about 80 MB. Once you have them, simply unpack them to ‘/usr/src’ and ‘/usr/src/sys’. The latter is the kernel proper.

Once you have your source tree, you can start downloading the patches, and apply them. Usually, all the currently published patches are availble in a single file. For 3.0, it is there. After that, simply watch the patch page from time to time, to keep updated.

Patches are either applied to an application (in ‘/usr/src’), or to the kernel ( in ‘/usr/src/sys’). Since all kernel patches should be installed, the thing i do is to apply all the kernel patches in one session, then i recompile my kernel once.

The applications you don’t use (e.g. ‘X11′, for example) don’t have to be patched & recompiled.

Reboot and enjoy!
You should be able to ssh into your new gateway from any machine on the intranet.

centos下安装jdk15+ MySQL5+Apache22(worker+ssl)+PHP5+Resin3

admin — Fri, 06 Mar 2009 11:02:52 +0000

系统：CentOS4.3

1、安装jdk1.5
修改jdk-1_5_0_07-linux-i586.bin为可执行：
#./jdk-1_5_0_07-linux-i586.bin进行安装，然后会在当前目录下解压，生成一个名为 jdk-1_5_0_07的目录
#mv jdk-1_5_0_07 /usr/local/jdk
安装ok后设置环境变量：
修改/etc/profile
增加如下内容：
JAVA_HOME=/usr/local/jdk
RESIN_HOME=/usr/local/resin
CLASSPATH=.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib:$RESIN_HOME/lib:/usr/local/jdbc
export RESIN_HOME JAVA_HOME CLASSPATH
存盘退出。。。
source /etc/profile

2、安装openssl
解压openssl-0.9.8b.tar.gz
#tar zxvf openssl-0.9.8b.tar.gz
#cd openssl-0.9.8b
#./Configure
#make install

接下来安装相关应用软件：
1.MySQL5

2.安装mysql5.0.18（源码包）
源码包可以在这个网址获得：

http://download.mysql.cn/src/2006/0208/62.html

所有这些操作需要root权限
安装开始：
1>cd /home/ftpsite
2>groupadd mysql———-添加mysql用户组,如果提示该组存在,则不用再加
3>useradd -g mysql mysql—–加mysql用户,并把它归到mysql组,如果提示用户存在,则不用再加
4>tar zxvf mysql-5.0.18.tar.tar
5>cd mysql-5.0.18
6>./configure –prefix=/usr/local/mysql
7>make
8>make install
9>cp support-files/my-medium.cnf /etc/my.cnf
10>cd /usr/local/mysql
11>./bin/mysql_install_db
12>chown -R root /usr/local/mysql
13>chown -R mysql /usr/local/mysql/var
14>chgrp -R root /usr/local/mysql
15>./bin/mysqld_saft –user=mysql &
16>./bin/mysql
17>mysql>—————经过第16步,你应该能看到mysql>提示符,那么恭喜你安装初步成功

2.Apache22

下载httpd-2.0.55.tar.gz, php-5.0.5.tar.gz等二进制源码包
执行下列命令解压源码包
# tar -zxvf httpd-2.0.55.tar.gz
进入安装目录
# cd httpd-2.0.55
配置apache安装信息：
#./configure –enable-layout=Apache –enable-so –enable-ssl=shared –with-mpm=worker –with-ssl=/usr/share/ssl
执行make安装：
# make; make install
使用/usr/local/apache/bin/apachectl start 启动apache

#/usr/local/sbin/httpd -l
看看是否存在以下几个模块
core.c
worker.c
http_core.c
mod_so.c
现在是使用worker方式运行的apache。

OK，完成。

3.PHP5
安装php
tar -zxvf php-5.1.4.tar.gz
cd php-5.1.4
./configure –prefix=/usr/local/php5 (配置php的参数)
–with-apxs2=/usr/local/apache2/bin/apxs
–with-libxml-dir=/usr/local/lib
–enable-sockets
–with-mysql=/usr/local/mysql (mysql 的安装目录就是那个解压后的目录)
# make
# make install
将安装目录下的php.ini-dist文件改为php.ini存放的/usr/local/lib下。

安装后修改httpd.conf文件：
将httpd.conf中的loadmodule 最后一个刚加进去的php的#去掉
在AddType application/x-gzip .gz .tgz后面加：
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
随后设置网站默认启动页允许为index.php，找到 DirectoryIndex这行，改为：
DirectoryIndex index.html index.htm index.php

写一个phpinfo()测试一下就可以。

4.安装phpMyAdmin

下面我们开始安装phpMyAdmin2.8.0.1! 这个文件应该从网上找的到！
把下载好的源码放在/usr/local/www/data下面，解压！
#tar xvzf phpMyAdmin.tar.gz
进入phpmyadmin下的libraries 目录！
修改 config.default.php:
找到$cfg['PmaAbsoluteUri'] = ”;
修改成 $cfg['PmaAbsoluteUri'] = ‘http://你的IP/phpmyadmin’;
找到$cfg['Servers'][$i]['auth_type'] = ‘config’; // Authentication method (config, http or cookie based)?
$cfg['Servers'][$i]['user'] = ‘root’; // MySQL user
$cfg['Servers'][$i]['password'] = ”;
写上你的Mysql用户名and密码！
保存退出！
然后用http://your/ IP/phpmyadmin访问！如果出现mysql管理页面，则安装成功，如果没有出现，请检查配制文件！

5．安装resin

安装resin：
1）到http://www.caucho.com/下载resin-3.0.18.tar.gz，这个是目前的最新版本
2）解压生成目录 resin-3.0.18
3）执行 mv resin-3.0.18 /usr/local/resin
4）重新编译resin：
./configure –with-apxs=/usr/local/apache2/bin/apxs –with-java-home=/usr/local/jdk/ –prefix=/usr/local/resin
make && make install && make clean
如果/etc/profile设置没有问题的话，该步骤能够正常运行

6．整合Apache和Resin
1）修改/usr/local/apache/conf/httpd.conf
增加：
LoadModule caucho_module /usr/local/apache/libexec/mod_caucho.so
ResinConfigServer localhost 6802
CauchoStatus yes

SetHandler caucho-status

2）修改/usr/local/resin/conf/resin.conf
修改以下片断：

3）
重新启动 apache,
/usr/local/apache/bin/apachectl start
启动 resin
/usr/local/resin/bin/httpd.sh start
写一个简单的脚本可以测试，jsp执行是否成功。

7．Resin连接MySQL数据库

下载相相应的jbdc 驱动，俺下载的是:mysql-connector-java-3.1.12-bin.jar，将此文件放
到/usr/local/resin/lib下!
然后再写一个jsp连接mysql的jsp文件测试一下!

[FreeBSD] 用nagios来监控网络服务器和网络服务

admin — Fri, 06 Mar 2009 09:47:39 +0000

nagios可以对服务器进行全面的监控，包括服务（apache、mysql、ntp、dns、disk、qmail和sshd等等）的状态，服务器的状态（up、down等等）。它是一个完全GPL协议的开源软件包，包含有nagios主程序和它的各个插件，配置非常灵活，可以监视的项目很多，可以自定义shell脚本进行监控服务，非常适合大型网络。

nagios的包含主动监控和被动监控。
主动检查是通过监控中心的主机发出请求，让运行在远程主机上的nrpe守护进程收集信息，然后报告它，它通过web接口把数据显示在页面上。
它的工作原理如下：

被动监控是当远程被监控主机处于防火墙之内的时候，只有远程主机可以访问到监控中心，防火墙之内可以设置另外一个监控中心，远程监控中心的nagios收集服务器信息以后，和nsca报告，由naca客户端报告naca的服务器端，然后报告监控中心的nagios，通过web接口显示监控结果。

nagios的功能非常强大，[url]http://www.nagios.org/[/url]是它的窝，只有e文、法文和日文，没有中文

我现在引用它的一段文字进行总结一下到底什么是nagios：
What Is This?
什么是nagios？
Nagios® is a system and network monitoring application. It watches hosts and services that you specify, alerting you when things go bad and when they get better.
Nagios was originally designed to run under Linux, although it should work under most other unices as well.
Some of the many features of Nagios® include:
Monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)
Monitoring of host resources (processor load, disk usage, etc.)
Simple plugin design that allows users to easily develop their own service checks
Parallelized service checks
Ability to define network host hierarchy using “parent” hosts, allowing detection of and distinction between hosts that are down and those that are unreachable
Contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method)
Ability to define event handlers to be run during service or host events for proactive problem resolution
Automatic log file rotation
Support for implementing redundant monitoring hosts
Optional web interface for viewing current network status, notification and problem history, log file, etc.
Nagios是一个监视系统和网络的应用程序。它监视你所指定主机和服务，当监视的内容变好或者变坏时发出警告。Nagios最初是被设计在Linux平台上运行的，然而现在在其他平台上也运行良好。
Nagios的特性包括：
监视网络服务（SMTP, POP3, HTTP, NNTP, PING, 等等）
监视主机资源（处理器负载、磁盘空间等）
容许用户开发自己的插件去检查自定义的项目；
通过使用“父主机”，定义网络主机的分层，容许探测主机down掉或者不可到达。
可以定义在主机或服务运行期间，事件发生以后如何处理和解决方式；
自动记录错误日志；
支持冗余监视；
可选web接口，通过web页面查看当前网络状态，提示和报告故障历史，日志文件等；

Nagios的系统要求：
Linux、Unix等
apache
GD库（1.63以上）
zlib
pnglib
jpeglib
basic icons
等，其中apache的安装在blog中已经有相关的文章，搜索一下就行；gd、zlib、pnglib和jpeglib安装比较简单，步骤：
下载tarball
tar zxvf xxx.tar.gz
cd xxx
./configure
make && make install

———————————————————————-
Nagios的安装过程(FreeBSD)
———————————————————————-
nagios的安装比较简单，复杂的是设置和配置参数的设定。不过你要放松一点，毕竟我们要搞定它，不是吗？那就开始吧：

1：获得最新的安装包，[url]http://www.nagios.org/download[/url]
2：以root身份登录服务器，目前最新的版本是2.5：
1）nagios，版本2.5：
fetch [url]http://superb-west.dl.sourceforge.net/sourceforge/nagios/nagios-2.5.tar.gz[/url]
or
wget [url]http://superb-west.dl.sourceforge.net/sourceforge/nagios/nagios-2.5.tar.gz[/url]

2）获得nagios插件，版本1.4.3：
[url]http://surfnet.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.3.tar.gz[/url]

3）获得图库文件：
[url]http://dl.sf.net/nagios/imagepak-base.tar.gz[/url]

4）NRPE，版本2.5.2
[url]http://ufpr.dl.sourceforge.net/sourceforge/nagios/nrpe-2.5.2.tar.gz[/url]

5）NSCA，版本2.6
[url]http://kent.dl.sourceforge.net/sourceforge/nagios/nsca-2.6.tar.gz[/url]

3：切换到root用户：
sudo su

4：解压缩
tar zxvf nagios-2.5.tar.gz

5：建立运行nagios的用户：
adduser nagios

6：建立安装nagios的文件夹，并使这个文件夹的所有者为nagios:nagios
mkdir /usr/local/nagios
chown nagios.nagios /usr/local/nagios

7：确认web服务器的用户
可能会通过web接口执行一些命令，必须确定web服务器以哪个用户运行的，通常为：apache：
grep “^User” /usr/local/apache2/conf/httpd.conf

8：建立命令文件组
这个新的组会包括apache的用户和nagios的用户
pw groupadd nagcmd
pw usermod apache -G nagcmd
pw usermod nagios -G nagcmd
———————————-
cat /etc/group
nagcmd:*:9007:apache,nagios
———————————-

8：运行配置脚本并安装nagios
cd nagios-2.5
./configure –prefix=/usr/local/nagios –with-gd-lib=/usr/local/lib –with-gd-inc=/usr/local/include
———————————
*** Configuration summary for nagios 2.5 07-13-2006 ***:

General Options:
————————-
Nagios executable: nagios
Nagios user/group: nagios,nagios
Command user/group: nagios,nagios
Embedded Perl: no
Event Broker: yes
Install ${prefix}: /usr/local/nagios
Lock file: ${prefix}/var/nagios.lock
Init directory: /usr/local/etc/rc.d
Host OS: freebsd6.0

Web Interface Options:
————————
HTML URL: [url]http://localhost/nagios/[/url]
CGI URL: [url]http://localhost/nagios/cgi-bin/[/url]
Traceroute (used by WAP): /usr/sbin/traceroute

Review the options above for accuracy. If they look okay,
type ‘make all’ to compile the main program and CGIs.
———————————
make all
make install
make install-init
make install-commandmode
make install-config

9：安装nagios-plugins
tar zxvf nagios-plugins-1.4.3.tar.gz
cd nagios-plugins-1.4.3
./configure –prefix=/usr/local/nagios-plugins
make all
make install
安装完成以后在/usr/local/nagios-plugins-plugins会产生一个libexec的目录，将该目录全部移动到/usr/local/nagios目录下即可。
mv /usr/local/nagios-plugins-plugins/libexec/ /usr/local/nagios/

10：imagepak-base.tar.gz的安装
tar –xvzf imagepak-base.tar.gz
解压以后是base目录
mv base/ /usr/local/nagios/share/images/logos/

———————————————————————-
现在开始配置：
———————————————————————-
1：配置web接口
假设你已经运行apache，如果没有，请参考：
[url]http://localhost/upload/blog.php?do-showone-tid-18.html[/url]

vi /usr/local/apache2/conf/httpd.conf
添加如下内容：
ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName “Nagios Access”
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

Alias /nagios /usr/local/nagios/share
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName “Nagios Access”
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

修改完毕，保存文件，并重启apache：
/usr/local/apahce2/bin/apachectl restart

2：配置apache的BASIC认证：
生成认证密码：
/usr/local/apache2/bin/htpasswd –c /usr/local/nagios/etc/htpasswd.users nagios nagios
apache接口配置完成。

开始配置nagios：
cd /usr/local/nagios/etc/
在/usr/local/nagios/etc下是nagios的配置模板文件-sample,把.cfg-sample文件全部拷贝成.cfg
例如:cp nagios.cfg-sample nagios.cfg
全部拷贝完成即可.

vi minimal.cfg
注释所有command：
注释的方法是在每一个定义语句前面添加”#“
修改cgi.cfg
修改use_authentication=1为use_authentication=0,即不用验证.不然有一些页面不会显示。

现在检查配置文件是否有语法错误：
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
如果正确，会显示以下结果：
Total Warnings: 0
Total Errors: 0
否则，需要根据提示进行修改配置文件。

配置文件等会再弄。现在启动nagios
/usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg

为使nagios异常中断，我们使用daemontools启动：
安装daemontool：
mkdir -p /package
chmod 1755 /package
cd /package
fetch [url]http://cr.yp.to/daemontools/daemontools-0.76.tar.gz[/url]
cd admin/daemontools-0.76/
package/install
检查svscan进程是否启动：
ps aux | grep svscan
root 376 0.0 0.0 1636 0 con- IW – 0:00.00 /bin/sh /command/svscanboot
root 411 0.0 0.0 1224 208 con- S 8Jul06 0:42.50 svscan /service

ok，启动正常。
cd /service
mkdir nagios
chmod 1755 nagios
touch ./run
chmod 755 ./run
vi run
PATH=/usr/local/bin:/usr/bin:/bin
export PATH

exec env – PATH=$PATH \
/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg

mkdir log
cd log
touch ./run
chmod 755 ./run
vi ./run
#!/bin/sh
exec setuidgid logadmin multilog t s1000000 n100 ./main

mkdir main
chmod 777 main
chown nagios.nagios main
touch status
chown nagios.nagios status

svc -u /service/nagios/
svstat /service/nagios/
root@## ps auxww | grep nagios
root 23276 0.0 0.1 1176 488 ?? I 5:00PM 0:01.71 supervise nagios
nagios 34251 0.0 0.3 2316 1552 ?? S 6:06PM 0:00.10 /usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
root@##

ok，现在把nagios服务做成自动启动的服务。
通过svc命令可以启动或者停止服务。
———————————————————————————
svc opts services
opts is a series of getopt-style options. services consists of any number of arguments, each argument naming a directory used by supervise.

-u: Up. If the service is not running, start it. If the service stops, restart it.
-d: Down. If the service is running, send it a TERM signal and then a CONT signal. After it stops, do not restart it.
-o: Once. If the service is not running, start it. Do not restart it if it stops.
-p: Pause. Send the service a STOP signal.
-c: Continue. Send the service a CONT signal.
-h: Hangup. Send the service a HUP signal.
-a: Alarm. Send the service an ALRM signal.
-i: Interrupt. Send the service an INT signal.
-t: Terminate. Send the service a TERM signal.
-k: Kill. Send the service a KILL signal.
-x: Exit. supervise will exit as soon as the service is down. If you use this option on a stable system, you’re doing something wrong; supervise is designed to run forever.
———————————————————————————
比如：
停止nagios－－svc -d /service/nagios/
重启nagios－－svc -t /service/nagios/
启动nagios－－svc -u /service/nagios/

当然，你也可以使用inited的方式进行：
/usr/local/etc/rc.d/nagios start/stop

现在打开网页：[url]http://localhost/nagios/[/url]
服务器和服务状态都清楚的看到。
现在我们的nagios中只有一个，那就是它自己，localhost，等会添加别的主机和主机服务，ok，认识一下nagios的庐山真面目：

配置nagios：

1）为主机添加服务
2）添加主机并添加服务
3）停止一个服务
4）删除一台主机和服务
5）查看所有主机的故障
6）查看一台特定的主机状态
7）改变报警的时间间隔
8）改变发现故障的重试次数
9）如何在nagios中使用外部命令

1）为主机添加一个服务
为localhost主机添加qmail服务的监控，方法如下：
vi minimal.cfg
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description qmail_smtp
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_smtp!20%!10%!/
}

可以直接拷贝原有的进行修改，我这个就是拷贝的原有的check_local_disk进行的。
修改host_name，service_description，check_command等

define service{
use generic-service ; Name of service template to use
host_name localhost
service_description qmail_pop3
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_pop!20%!10%!/
}
照猫画虎的进行修改，然后去修改：
vi checkcommands.cfg
#’check_qmail’ command definition
define command{
command_name check_qmail
command_line $USER1$/check_smtp -H 127.0.0.1
}
define command{
command_name check_pop3
command_line $USER1$/check_pop -H 127.0.0.1
}
保存，然后检查配置文件：
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
如果没有错误会显示：
Total Warnings: 0
Total Errors: 0
如果有错误，请根据提示进行错误的修正。
重启nagios
svc -d /service/nagios/ && svc -u /service/nagios/
通过web页面检查nagios的结果：
[url]http://10.5.1.153/nagios/[/url]
点击“Service Detail”
会出现：

2）添加主机并添加服务
我们会监控这台主机的负载、磁盘等一些没有通过端口方式启动的服务器状态，以及它的服务，比如：apache、mysql、qmail和ntp等等吧。那么没有端口的nagios直接能监控到吗？答案是不行。所以我们必须在两台主机上安装nrpe，nrpe可以启动5666端口，把检测的信息源源不断的传给监控中心的主机。
ok，我们把apache、mysql、qmail和ntp先加上，这回我们把监控的主机和服务新建一个文件：
cd /usr/local/nagios/etc/
touch 10_5_1_156.cfg
vi nagios.cfg
cfg_file=/usr/local/nagios/etc/10_5_1_156.cfg

vi 10_5_1_156.cfg
定义一个主机：
define host{
use generic-host ; Name of host template to use
host_name test_nrpe
alias client
address 10.5.1.156
check_command check-host-alive
max_check_attempts 1
check_period 24×7
notification_interval 120
notification_period 24×7
notification_options d,r
contact_groups admins
}

定义主机需要检查的服务：
define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description PING
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_ping!100.0,20%!500.0,60%
}

define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description apache
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_http!100.0,20%!500.0,60%
}

define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description mysql
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_mysql!100.0,20%!500.0,60%
}

define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description ntp
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_ntp!100.0,20%!500.0,60%
}

define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description qmail_smtp
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_smtp!100.0,20%!500.0,60%
}

define service{
use generic-service ; Name of service template to use
host_name test_nrpe
service_description qmail_pop3
is_volatile 0
check_period 24×7
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
contact_groups admins
notification_options w,u,c,r
notification_interval 960
notification_period 24×7
check_command check_pop!100.0,20%!500.0,60%
}
现在我们象上次一样把服务也定义完：

FreeBSD 6.2 下ports安装webalizer汉化

admin — Fri, 06 Mar 2009 06:34:45 +0000

先进入ports目录
#cd /usr/ports/
查找webalizer的位置
#make search name=webalizer

Port: webalizer-2.1.10_7
Path: /usr/ports/www/webalizer
Info: A web server log file analysis program
Maint: dinoex@FreeBSD.org
B-deps: freetype2-2.2.1_1 gd-2.0.33_4,1 jpeg-6b_4 pkg-config-0.21 png-1.2.12_1
R-deps: freetype2-2.2.1_1 gd-2.0.33_4,1 jpeg-6b_4 pkg-config-0.21 png-1.2.12_1
WWW: http://www.mrunix.net/webalizer/

进入webalizer目录
#cd /usr/ports/www/webalizer
先make一下注意下面的参数
#make WEBALIZER_LANG?=chinese
之后进行安装
#make install
基本汉化完成如果出现乱码问题请安装繁体中文支持(Win平台的) 让IE可以识别就可以了
QUOTE:
# 设定 Apache 联机记录文件的位置。
#LogFile /var/lib/httpd/logs/access_log
LogFile /var/log/httpd-access.log

# 设定 log 文件的型式，Webalizer 除了 Apache 外，还可以支持分析 FTP 软件
# 或 proxy 软件 squid 的 log 文件。LogType 预设的值是 ‘clf’，表示分析
# 网页数据，你也可以设定为 ftp 或 squid。
#LogType clf

# OutputDir 是我们想要输出分析数据的位置。请设定为网页根目录下的某一个
# 目录。例如我们的网页根目录是 /home/www，请先在该目录下建立一个子目录
# 名为 traffic，接着再设定 OutputDir 为 /home/www/traffic。
#OutputDir /var/lib/httpd/htdocs/usage
OutputDir /home/www/traffic

# HistoryName 可以让我们设定 webalizer 所产生的历史记录文件的文件名。这个档
# 可以用来产生主要的 HTML 页面 (index.html)，我们不需要修改。
#HistoryName webalizer.hist

# 由于我们可能会设定某一段时间自动将 Apache 的 log 压缩或删除。而
# Incremental 这个变量可以让我们在产生分析资料时，只更新增加的部份
# 而分析过的资料就不再分析，以免覆盖了旧有的资料。
#Incremental no
Incremental yes

# 若您设定 Incremental 为 yes，IncrementalName 可以让您设定目前增加
# 的分析数据存放位置。
#IncrementalName webalizer.current

# ReportTitle 是分析结果网页的标题。在该标题后会加上您的主机名称。
#ReportTitle Usage Statistics for

# 设定您的主机名称。
#HostName localhost

# HTMLExtension 是所产生的 HTML 档的扩展名。
#HTMLExtension html

# PageType 可以让您设定何种扩展名结尾的页面要加入分析数据。因为在
# log 文件中有一些图片，而这些图版我们并不希望加入分析数据中，或者我
# 们也可以增加 PHP 页面的分析数据。所以在这里，我们加上一行用来分析
# PHP 页面的设定。
PageType htm*
PageType cgi
PageType php
#PageType phtml
#PageType php3
#PageType pl

# 如果您希望只使用 https 才可以连到分析页面，则将 UseHTTPS 设为 yes。
#UseHTTPS no

# DNSCache 可以设定 DNS 快取的文件名称，在分析数据时，可能会一直需要
# 做 DNS 的分析，这个档可以提高 DNS 查询的效率。
#DNSCache dns_cache.db

# DNSChildren 可以设定要使用多少 process 来做 DNS 查询，预设是 0，表示
# 不查询，我们可以设定的值从 1 到 100。最好不要设太多，以免消耗太多系统
# 资源。
#DNSChildren 0

# HTMLPre 是用设定每个 HTML 档案开头第一行要插入的字，最长 80 个字符。
#HTMLPre

# HTMLHead 可以让我们设定 HTML 页面中间要插入的字。最长
# 也是 80 个字符。
#HTMLHead

# HTMLBody 会取代在 HTML 页面中的这个标签。可以让我们设定网页
# 的一些属性。最长也是 80 个字符。
#HTMLBody

# HTMLPost 会将设定的字符串插入 HTML 第一个

标签之后，最长也是 80 个
# 字。
#HTMLPost

# HTMLTail 可以设定 HTML 页面的结尾所要插入的字符串。最长 80 个字符。
#HTMLTail

# HTMLEnd可以设定 HTML 页面的最后结尾所要插入的字符串。我们最少要有
# 和这二个标签，最长 80 个字符。
#HTMLEnd

# Quiet 可以让我们设定在分析时是否要输出讯息，因为我们会使用 crontab
# 定时执行，所以不要输出分析过程的讯息比较好。
Quiet yes

# ReallyQuiet 可以设定档有错误产生时，是否要输出讯息。
#ReallyQuiet no

# TimeMe 可以设定在分析之后是否要输出时间。
#TimeMe no

# GMTTime 可以设定是否要使用 GMT (UTC) 时间而非本地时间。
#GMTTime no

# Debug 可以设定是否要输出除错讯息。
#Debug no

# FoldSeqErr 可以让 Webalizer 忽略读取 log 档的错误。
#FoldSeqErr no

# VisitTimeout 可以设定 session 的到期时间，默认值是 30 分钟。
#VisitTimeout 1800

# IgnoreHist 请保持 no。
#IgnoreHist no

# Country Graph 是用来显示分析资料中关于国家的统计资料是否要显示。
#CountryGraph yes

# DailyGraph 及 DailyStats 是设定是否显示每日分析资料。
#DailyGraph yes
#DailyStats yes

# HourlyGraph 是 HourlyStats是设定是否显示每小时分析资料。
#HourlyGraph yes
#HourlyStats yes

# GraphLegend 是设定是否要显示彩色图表。
#GraphLegend yes

# GraphLines 是用来设定图表的网格线数量，最多 20。
#GraphLines 2

# “Top” 的选项是每一个分格表格中，要显示多少笔前几名的资料。
#TopSites 30
#TopKSites 10
#TopURLs 30
#TopKURLs 10
#TopReferrers 30
#TopAgents 15
#TopCountries 30
#TopEntry 10
#TopExit 10
#TopSearch 20
#TopUsers 20

# The All* 可以让我们显示所有 log 文件中有记录的数据，而非只有前几名而
# 已。如果设定了某一个 All 的选项，webalizer 将会为该设定新增一个页面。
#AllSites no
#AllURLs no
#AllReferrers no
#AllAgents no
#AllSearchStr no
#AllUsers no

# Webalizer 会自动使用让网址 /somedir/ 可以连结到 /somedir/index.htm
# 如果你想要设定让除了 index. 结尾的网址有此效果外，还要让其它网
# 址也有同样效果，您可以在此设定。
#IndexAlias home.htm
#IndexAlias homepage.htm

# Hide*, Group*, Ignore* 及Include* * 可以设定让 Webalizer 忽略
# log 中的关键词，让 log 中某些记录不要被加入分析数据中。例如
# 有的搜寻引擎会自动连到您的网页来找数据，您可以设定忽略这样的
# 联机。请自行参阅说明。
… 略 …
# End of configuration file… Have a nice day!

QUOTE:
接着我们必须依您的设定在网页根目录中建立一个数据夹以储存 Webalizer 所产生的图表，假设我们的网页根目录是 /home/www，并在其目录下建立一个子目录名为 traffic：

# mkdir /home/www/traffic
紧接着我们就可以使用下列指令来产生统计图表：

# /usr/local/bin/webalizer
因为我们在 webalizer.conf 中设定了所要使用的 apache 使用记录的文件名及所产生的图表存放位置，所以在执行 webalizer 时不必再加任何参数。如果您想指定使用其它的联机记录文件来做分析，您可以在指令后面加上该记录文件的文件名，例如：

# /usr/local/bin/webalizer /var/log/httpd-access.log
产生了图表之后，我们就可以使用浏览器输入 http://www.mydomain.com/traffic

AWStats在IIS中的配置步骤

admin — Fri, 06 Mar 2009 06:31:50 +0000

AWStats是sourceforge.net上很有名的Web/Mail/FTP服务器日志文件分析工具。
　　安装配置步骤（适用于分析IIS日志文件）
　　1、下载AWStats, 下载地址：http://sourceforge.net/projects/awstats/
　　2、由于AWStats是Pertl写的，所以要下载Perl 解释器, 下载地址: http://activestate.com/Products/ActivePerl/
　　3、安装Perl 解释器ActivePerl
　　4、安装AWStats(这里假设安装在C:\Program Files), 出现命令提示时，第一次输入none, 第二次输入你的主机的域名
　　5、配置IIS日志
　　5.1 活动日志格式选用默认的“W3C扩充扩展日志文件格式”
　　5.2 点击“属性”，再选择“扩展属性”，选中下列项目：
　　date
　　time
　　c-ip
　　cs-username
　　cs-method
　　cs-uri-stem
　　cs-uri-query
　　sc-status
　　sc-bytes
　　cs-version
　　cs(User-Agent)
　　cs(Referer)
　　其他都不要选中。

AWStats是sourceforge.net上很有名的Web/Mail/FTP服务器日志文件分析工具。
　　安装配置步骤（适用于分析IIS日志文件）
　　1、下载AWStats, 下载地址：http://sourceforge.net/projects/awstats/
　　2、由于AWStats是Pertl写的，所以要下载Perl 解释器, 下载地址: http://activestate.com/Products/ActivePerl/
　　3、安装Perl 解释器ActivePerl
　　4、安装AWStats(这里假设安装在C:\Program Files), 出现命令提示时，第一次输入none, 第二次输入你的主机的域名

　　5、配置IIS日志
　　5.1 活动日志格式选用默认的“W3C扩充扩展日志文件格式”
　　5.2 点击“属性”，再选择“扩展属性”，选中下列项目：
　　date
　　time
　　c-ip
　　cs-username
　　cs-method
　　cs-uri-stem
　　cs-uri-query
　　sc-status
　　sc-bytes
　　cs-version
　　cs(User-Agent)
　　cs(Referer)
　　其他都不要选中。

Apache 的安装与配置

admin — Thu, 05 Mar 2009 07:41:13 +0000

Apache 的安装

Apache 的安装无外乎两种方式: 源代码安装和DEB包安装。这两种安装类型各有特色，DEB包安装不需要编译，而源代码安装则需要先配置编译再安装，DEB包安装在一个固定的位置下，选择固定的模块，而源代码安装则可以让你选择安装路径，选择你想要的模块。本文主要介绍DEB安装方式。

系统:GNU/Linux Debian/etch

Apache当前版本: 2.0.55-4
4.1 安装

使用以下命令安装：
tony@tonybox:~$sudo aptitude update
tony@tonybox:~$sudo aptitude install apache2 apache2-utils

其中apache2-utils提供了我们在配置维护过程中非常有用的一些工具

安装完成后，可以使用下面的命令启动Apache 服务:

tony@tonybox:~$ sudo /etc/init.d/apache2 start

停止Apache服务则是:

tony@tonybox:~$ sudo /etc/init.d/apache2 stop

也可以只接用 kill 命令强制杀死apache2进程

tony@tonybox:~$ sudo killall apache2

如有需要, 可以通过rcconf来控制是否在系统启动是加载Apache 服务

启动完成后打开浏览器, 使用URL http://localhost/ 来访问已经启动的Apache服务器, 服务器将会将会跳转到 http://localhost/apache2-default/, 向浏览器返回一个Apache安装成功的页面.

注: 这取决于/etc/apache2/sites-available/default 配置文件中, 是否取消了
RedirectMatch ^/$ /apache2-default/
行的注释
4.2 配置文件说明

在Debian下, 安装完成后, 软件包为我们提供的配置文件位于/etc/apache2目录下:

tony@tonybox:/etc/apache2$ ls -l
total 72
-rw-r–r– 1 root root 12482 2006-01-16 18:15 apache2.conf
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 conf.d
-rw-r–r– 1 root root 748 2006-01-16 18:05 envvars
-rw-r–r– 1 root root 268 2006-06-30 13:56 httpd.conf
-rw-r–r– 1 root root 12441 2006-01-16 18:15 magic
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 mods-available
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 mods-enabled
-rw-r–r– 1 root root 10 2006-06-30 13:56 ports.conf
-rw-r–r– 1 root root 2266 2006-01-16 18:15 README
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 sites-available
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 sites-enabled
drwxr-xr-x 2 root root 4096 2006-01-16 18:15 ssl
其中

apache2.conf

为apache2服务器的主配置文件, 查看此配置文件, 你会发现以下内容

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*

有此可见, apache2 根据配置功能的不同, 对配置文件进行了分割, 这样更利于管理

conf.d

下为配置文件的附加片断,默认情况下, 仅提供了 charset 片断,

tony@tonybox:/etc/apache2/conf.d$ cat charset
AddDefaultCharset UTF-8

如有需要我们可以将默认编码修改为 GB2312, 即文件的内容为: AddDefaultCharset GB2312

httpd.conf

是个空文件

magic

文件中包含的是有关mod_mime_magic模块的数据, 一般不需要修改它.

ports.conf

则为服务器监听IP和端口设置的配置文件,
tony@tonybox:/etc/apache2$ cat ports.conf
Listen 80

mods-available

目录下是一些.conf和.load 文件, 为系统中可以使用的加载各种模块的配置文件, 而mods-enabled目录下则是指向这些配置文件的符号连接, 从配置文件apache2.conf 中可以看出, 系统通过mods-enabled目录来加载模块, 也就是说, 系统仅通过在此目录下创建了符号连接的mods-available 目录下的配置文件来加载模块。同时系统还提供了两个命令 a2enmod 和 a2dismod用于维护这些符号连接。这两个命令由 apache2-common 包提供。命令各式也非常简单： a2enmod [module] 或 a2dismod [module]

sites-available

目录下为配置好的站点的配置文件, sites-enabled 目录下则是指向这些配置文件的符号连接, 系统通过这些符号连接来起用站点 sites-enabled目录下的符号连接附有一个数字前缀, 如000-default, 这个数字用于决定启动顺序, 数字越小, 启动优先级越高. 系统提供了两个命令 a2ensite 和 a2dissite 用于维护这些符号连接。这两个命令由 apache2-common 包提供.

/var/www

默认情况下将要发布的网页文件应该置于/var/www目录下,这一默认值可以同过主配置文件中的DocumnetRoot 选项修改.

配置指令
5.1 apache2.conf

1. ServerRoot directory-path

ServerRoot指令设置了服务器所在的目录。一般来说它将包含conf/和logs/子目录。使用DEB包安装的系统, 此项的默认值为 “/etc/apache2″ 也就是说仅仅包括apache2的配置文件.必须注意, 该目录是受保护的, 不允许非root用户对其进行修改.
2. LockFile filename

指定httpd配置文件守护进程的加锁文件。由于httpd会经常进行并发的文件操作，就需要使用加锁的方式来保证文件操作不冲突，由于NFS（网络文件系统）在文件加锁方面能力有限，因此这个目录应该是本地磁盘文件系统，而不应该使用网络上的文件系统。一般不需要设置这个参数，Apache服务器将自动在ServerRoot下面的路径中进行操作。但如果ServerRoot为NFS文件系统，便需要使用这个参数指定本地文件系统中的路径。
3. PidFile filename

指定记录httpd配置文件守护进程的进程号的文件。由于httpd配置文件能自动复制其自身，因此系统中有多个httpd进程，但只有一个进程为最初启动的进程，它为其他进程的父进程。对这个进程发送信号将影响所有的httpd进程。PidFile定义的文件中就记录httpd父进程的进程号。示例: PidFile /var/run/apache.pid
4. Timeout seconds

设置连接请求的最大延时，超过这个设置，即自动断开。
5. KeepAlive on|off

提供了长效的HTTP会话，用以在同一个TCP连接中进行多次请求。在某些情况下，这样的方式会对包含大量图片的HTML文档造成的延时起到50%的加速作用。在Apache1.2版本以后，您可以设置 KeepAlive On 以启用持久链接。
6. MaxKeepAliveRequests number

指令限制了当启用KeepAlive时，每个连接允许的请求数量。如果将此值设为”0″，将不限制请求的数目。我们建议最好将此值设为一个比较大的值，以确保最优的服务器性能。默认为 100
7. KeepAliveTimeout number

设置第一连接后，下次发送请求的最大时间间隔，超过这个设定的时间，而没有下次传输请求，则断开连接。这个时间间隔不能设置太长，否则很很可能给服务器的整个连接性能造成影响，当然也不宜太短，否则用户端会经常出现连接中断现象。
8. < IfModule [ ! ] module-file | module-identifier > … < / IfModule>

封装指令并根据指定的模块是否启用为条件而决定是否进行处理 < IfModule test > … < / IfModule > 配置段用于封装根据指定的模块是否启用而决定是否生效的指令。在 < IfModule > 配置段中的指令仅当test为真的时候才进行处理。如果test为假，所有其间的指令都将被忽略。
9. StartServers number

设置服务器启动时所建立的子进程数。
10. MaxClients number

设置服务器所允许运行的最多子进程数，当服务器所连接的进程数超过所设定的值时，任何客户都不能与服务器连接，只有等待。当有子进程断开连接后服务器才提供相应服务。
11. MaxRequestsPerChild number

设置单个子进程可以允许的最多请求数，当超过这个设定的值，子进程将被取消。0意味着无限, 即子进程用不消毁
12. User / Group user-name / group-name

服务器以root身份启动后, 改变为设置的用户/组身份进行运行, 以增强安全性.
13. LogFormat format|nickname [ nickname ]

本指令定义访问日志的记录格式。例如:

LogFormat “%v %h %l %u %t \”%r\” %>s %b” vhost_common
14. ErrorLog file-path|syslog[:facility]

指定了当服务器遇到错误时记录错误日志的文件。如果file-path不是一个以斜杠(/)开头的绝对路径，那么将被认为是一个相对于ServerRoot的相对路径。
15. Include file-path | directory-path

这个指令允许在服务器配置文件中加入其它配置文件。
16. Alias URL-path file-path|directory-path

Alias指令使文档可以被存储在DocumentRoot以外的本地文件系统中。以(%已解码的)url-path路径开头的URL可以被映射到以directory-path开头的本地文件。
17. < Directory directory-path > … < / Directory >

< Directory > 和< / Directory > 用于封装一组指令，使之仅对某个目录及其子目录生效。Directory-path可以是一个目录的完整路径，或是包含了Unix shell匹配语法的通配符字符串。
18. Options [+|-]option [[+|-]option] …

Options指令控制了在特定目录中将使用哪些服务器特性。默认为 All.
19. AllowOverride All|None|directive-type [directive-type] …

当服务器发现一个.htaccess文件(由AccessFileName指定)时，它需要知道在这个文件中声明的哪些指令能覆盖在此之前指定的配置指令。仅允许存在于< Directory > 配置段
20. Order ordering

Order指令控制默认的访问状态与Allow和Deny指令生效的顺序。Ordering取值范围是以下几种范例之一：

Deny,Allow
Deny指令在Allow指令之前被评估。默认允许所有访问。
Allow,Deny
Allow指令在Deny指令之前被评估。默认拒绝所有访问。
Mutual-failure

只有出现在Allow列表并且不出现在Deny列表中的主机才被允许访问。这种顺序与”Order Allow,Deny”具有同样效果，不赞成使用。

关键字只能用逗号分隔；它们之间不能有空格
21. Allow from all|host|env=env-variable [host|env=env-variable] …

Allow指令控制哪些主机可以访问服务器的该区域。可以根据主机名、IP地址、 IP地址范围或其他环境变量中捕获的客户端请求特性进行控制。这个指令的第一个参数总是”from”.
22. Deny from all|host|env=env-variable [host|env=env-variable] …

条指令允许基于主机名、IP地址或者环境变量限制对服务器的访问。Deny指令的参数设置和Allow指令完全相同。
23. ErrorDocument error-code document

使用ErrorDocument指令后面跟随一个HTTP应答代码和一个URL或信息来进行配置。Apache有时会额外提供一些信息来描述所发生的问题/错误。
24. DirectoryIndex local-url [local-url] …

设置了当客户端在请求的目录名的末尾刻意添加一个”/”以表示请求该目录的索引时，服务器需要寻找的资源列表。也就是设置目录的默认页
25. AccessFileName filename [filename] …

指定所发布目录中的配置文件名,在向客户端返回其中的文档时，服务器将在这个文档所在的各级目录中查找此配置文件。可以使用AllowOverride none来禁用
26. UseCanonicalName On|Off|DNS

配置服务器如何确定它自己的域名和端口.
27. HostnameLookups On|Off|Double

此指令启用了DNS查询，使得主机名能被记入日志. 参数Double指定进行一次双向DNS查询。也就是说在一次反向查询之后，再对返回的结果进行一次正向查询。
28. IndexIgnore file [file] …

在列出目录内容时, 设置那些文件将被隐藏.
29. AddEncoding MIME-enc extension [extension] …

在文件扩展名与特定的编码方式之间建立映射关系。

示例
AddEncoding x-gzip .gz
AddEncoding x-compress .Z
30. AddLanguage MIME-lang extension [extension] …

在文件扩展名与特定的语言之间建立映射。
31. AddCharset charset extension [extension] …

在特定的文件扩展名与特定的字符集之间建立映射。
32. AddType MIME-type extension [extension] …

在给定的文件扩展名与特定的内容类型之间建立映射关系。
33. BrowserMatch

BrowserMatch只是SetEnvIf的一种特殊情况，基于User-Agent头有条件地设置环境变量。下面的两行具有相同的效果：

BrowserMatchNoCase Robot is_a_robot
SetEnvIfNoCase User-Agent Robot is_a_robot
34. SetEnvIf attribute regex [!]env-variable[=value] [[!]env-variable[=value]] …

据客户端的请求属性设置环境变量。
5.2 ports.conf

35. Listen [IP-address:]portnumber [protocol]

指示Apache只在指定的IP地址和端口上监听；默认情况下Apache会在所有IP地址上监听。Listen是一个必须设置的指令。如果在配置文件中找不到这个指令，服务器将无法启动。这和先前的版本不一样。
5.3 conf.d/charset

36. AddDefaultCharset On|Off|charset

当且仅当应答内容是text/ plain或text/ html时，此指令将会在HTTP应答头中加入的默认字符集。理论上这将覆盖在文档体中通过< meta > 标签指定的字符集，但是实际的行为通常取决于用户浏览器的设置。AddDefaultCharset Off 将会禁用此功能。AddDefaultCharset On 将启用Apache内部的默认字符集iso-8859-1 。
5.4 mods-available/*.load

37. LoadModule module filename

该指令加载目标文件或库filename并将模块结构名module添加到活动模块列表。
5.5 mods-available/*.conf

38. UserDir directory-filename

定了用户目录下的一个实实在在的目录，存放了该用户提供访问的文档。
5.6 sites-available/

39. NameVirtualHost

为一个基于域名的虚拟主机指定一个IP地址(和端口)如果您要配置基于域名的虚拟主机，NameVirtualHost指令就是您必须的指令之一。尽管addr参数可以使用主机名，但建议您还是使用IP地址。
40. < VirtualHost addr[:port] [addr[:port]] …> … < / VirtualHost>

< VirtualHost>和< / VirtualHost> 用于封装一组仅作用于特定虚拟主机的指令。任何在虚拟主机配置中可以使用的指令也同样可以在这里使用。当服务器接受了一个特定虚拟主机的文档请求时，它会使用封装在< VirtualHost>配置段中的指令。
41. ServerAdmin email-address|URL

设置了在所有返回给客户端的错误信息中包含的管理员邮件地址。
42. DocumentRoot

设置站点的主目录。这个主目录不包括网站中的一些链接及虚拟目录。比如说：

DocumentRoot /usr/web

于是对http://www.my.host.com/index.html的访问就会指向/usr/web/index.html 。如果directory-path不是绝对路径，则被假定为是相对于ServerRoot的路径。指定DocumentRoot时不应包括最后的”/”。
43. LogLevel

LogLevel用于调整记录在错误日志中的信息的详细程度。
44. ServerSignature On|Off|EMail

允许您配置服务器端生成文档的页脚(错误信息、mod_proxy的ftp目录列表、mod_info的输出)。您启用这个页脚的原因主要在于处于一个代理服务器链中的时候，用户基本无法辨识出究竟是链中的哪个服务器真正产生了返回的错误信息。

站点配置
6.1 默认站点配置

将网页文件置于/var/www/apache2-default目录下(现将已有的网页文件删除), 或者使用如下方法进行配置:
配置

修改默认站点配置文件/etc/apache2/sites-available/default, 内容如下:

NameVirtualHost *

ServerAdmin webmaster@localhost

DocumentRoot /var/www/mysite

Options FollowSymLinks
AllowOverride None

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

ErrorLog /var/log/apache2/mysite_error.log
LogLevel warn
CustomLog /var/log/apache2/mysite_access.log combined
ServerSignature On
设置站点网页文件

创建/var/www/mysite/目录:

:/var/www# mkdir mysite
tonybox:/var/www# ls -l
total 12
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 apache2-default
drwxr-xr-x 2 root root 4096 2006-07-15 14:53 mysite

在/var/www/mysite/目录下创建测试文件index.html, 内容如下:

http-equiv=”content-type”>

这是一个测试页面

注意index.html文件的权限设置:

-rw-r–r– 1 root root 287 2006-07-15 15:06 index.html
重启Apache2服务器

tony@tonybox:~$ sudo /etc/init.d/apache2 restart

测试

访问URL: http://localhost/
将会出现测试页面

用户站点配置

为本地用户配置站点

启用用户目录模块(默认情况下是未启用的)

# a2enmod userdir
Module userdir installed; run /etc/init.d/apache2 force-reload to enable.
# /etc/init.d/apache2 force-reload
强制重新加载配置文件
创建网站目录

在用户家目录下创建 public_html 目录, 并在其下放置网页文件, 比如, 为tony 用户创建主页目录:

tony@tonybox:~$ mkdir public_html
并创建测试页面index.html, 内容如下:

http-equiv=”content-type”>

这是tony的个人网站

测试

访问URL: http://localhost/ tony/ 将会出现测试页面注: 也可对默认目录进行调整, 具体参阅配置文件 /etc/apache2/mods-available/userdir.conf
6.2 虚拟站点配置

为测试主机分配域名: www.mydebian.com
创建配置文件

在 /etc/apache2/sites-available/ 目录下创建站点配置文件 wwwmydebian, 内容如下:
ServerAdmin master@mydebian.com
ServerName www.mydebian.com
DocumentRoot /var/www/www.mydebian.com

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

ErrorLog /var/log/apache2/www_mydebian_com_error.log
LogLevel warn
CustomLog /var/log/apache2/www_mydebian_com_access.log combined
ServerSignature On
启用配置

运行如下命令, 启用配置

tonybox:/etc/apache2/sites-available# a2ensite wwwmydebian
Site www.mydebian.com installed; run /etc/init.d/apache2 reload to enable.

这时你会在/etc/apache2/sites-enabled目录下创建了一个对应符号连接

$ ls -l
total 0
lrwxrwxrwx 1 root root 35 2006-07-15 14:49 mysite -> /etc/apache2/sites-available/mysite
lrwxrwxrwx 1 root root 42 2006-07-15 16:36 wwwmydebian -> /etc/apache2/sites-available/wwwmydebian

设置站点网页文件
创建/var/www/www.mydebian.com/目录:

/var/www# mkdir www.mydebian.com
tonybox:/var/www# ls -l
total 12
drwxr-xr-x 2 root root 4096 2006-06-30 13:56 apache2-default
drwxr-xr-x 2 root root 4096 2006-07-15 14:53 mysite
drwxr-xr-x 2 root root 4096 2006-07-15 14:53 www.mydebian.com
应用配置生效

tony@tonybox:~$ sudo /etc/init.d/apache2 reload
测试

访问URL: http://www.mydebian.com/您会发现访问的为目录 /var/www/www.mydebian.com/ 访问URL: http://localhost/访问的目录仍为default配置文件设置的目录, 比如此例中为/var/www/mysite/目录

启用SSL

http://mario.espaciolinux.com/apache2_ssl.html http://ilovett.com/blog/projects/installing-ssl-on-debian-apache2 http://blog.23corner.com/2005/09/14/1108/
7.1 首先需要启用SSL模块, 默认未启用

tonybox:/etc/apache2# a2enmod ssl
tonybox:/etc/apache2# apache2-ssl-certificate

creating selfsigned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm
with -days x
Generating a 1024 bit RSA private key
…………………………++++++
..++++++
writing new private key to ‘/etc/apache2/ssl/apache.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:GZ
Locality Name (eg, city) []:GY
Organization Name (eg, company; recommended) []:linuxsir
Organizational Unit Name (eg, section) []:debian
server name (eg. ssl.domain.tld; required!!!) []:www.mydebian.com
Email Address []:etony@tom.com
7.2 创建ssl站点配置文件

#/etc/apache2/sites-available/ cp wwwmydebian ssl_site
在/etc/apache2/ports.conf 中添加

Listen 443

修改/etc/apache2/sites-available/ssl_site, 将监听端口改为 443

在配置文件中加入

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

监听端口设置为443

例如:

ServerAdmin webmaster@mydebian.com
ServerName www.mydebian.com:443
DocumentRoot /var/www/mysite
7.3 重启apache 服务

# /etc/init.d/apache2 restart
7.4 测试

访问URL http://www.mydebian.com:443/

防止盗链
8.1 启用 Rewrite 模块

此模块默认没有启用

#a2enmod rewrite
8.2 配置

修改/etc/apache2/sites-available下对应站点的配置文件，将

AllowOverride None
修改为

AllowOverride All
8.3 控制文件

在站点的根目录下创建 .htaccess 文件内容如下：

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydebian.com/.*$ [NC]
RewriteRule?.*\.(jpg|jpeg|gif|png|bmp|rar|zip|exe)$
?http://www.mydebian.com/err.png?[R,NC]

在站点的根目录下，创建err.png图片，当发生盗链时，对应显示将替换为err.png图片。

访问日志

要有效地管理Web服务器，就有必要反馈服务器的活动、性能以及出现的问题。Apache HTTP服务器提供了非常全面而灵活的日志记录功能。
9.1 日志的配置

ErrorLog file-path|syslog[:facility] 指定了当服务器遇到错误时记录错误日志的文件。如果file-path不是一个以斜杠(/)开头的绝对路径，那么将被认为是一个相对于ServerRoot的相对路径。示例

ErrorLog /var/log/apache2/error_log

LogFormat format|nickname [nickname] 本指令定义访问日志的记录格式。例如: LogFormat “%v %h %l %u %t \”%r\” %>s %b” vhost_common

LogLevel LogLevel用于调整记录在错误日志中的信息的详细程度。可以选择下列level，依照重要性降序排列

Level 描述例子
emerg 紧急(系统无法使用) “Child cannot open lock file. Exiting”
alert 必须立即采取措施 “getpwuid: couldn’t determine user name from uid”
crit 致命情况 “socket: Failed to get a socket, exiting child”
error 错误情况 “Premature end of script headers”
warn 警告情况 “child process 1234 did not exit, sending another SIGHUP”
notice 一般重要情况 “httpd: caught SIGBUS, attempting to dump core in …”
info 普通信息 “Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)…”
debug 调试信息 “Opening config file …”

CustomLog file|pipe format|nickname [env=[!]environment-variable] CustomLog指令用来对服务器的请求进行日志记录。可以指定日志的格式，也可以使用环境变量根据请求的特征来自由地组织日志。
9.2 错误日志

错误日志是最重要的日志文件，其文件名和位置取决于ErrorLog指令。Apache httpd将在这个文件中存放诊断信息和处理请求中出现的错误，由于这里经常包含了出错细节以及如何解决，如果服务器启动或运行中有问题，首先就应该查看这个错误日志。

错误日志通常被写入一个文件(debian下是error.log)。

错误日志的格式相对灵活，并可以附加文字描述。某些信息会出现在绝大多数记录中，一个典型的例子是：
[Sat Jul 15 09:58:28 2006] [error] [client 192.168.1.254] File does not exist: /var/www/apache2-default/index.html.zh

其中

第一项是错误发生的日期和时间；

第二项是错误的严重性，LogLevel指令使只有高于指定严重性级别的错误才会被记录；

第三项是导致错误的IP地址；此后是信息本身，在此例中，提示客户端访问的文件在服务器上不存在。

错误日志中会包含类似上述例子的多种类型的信息。此外，CGI脚本中任何输出到stderr的信息会作为调试信息原封不动地记录到错误日志中。

用户可以增加或删除错误日志的项。但是对某些特殊请求，在访问日志(access log)中也会有相应的记录，比如上述例子在访问日志中也会有相应的记录，其状态码是404，因为访问日志也可以定制，所以可以从访问日志中得到错误事件的更多信息。
9.3 访问日志

正如其名字所示，访问日志access_log记录了所有对Web服务器的访问活动。

下面是访问日志中一个典型的记录：

192.168.1.254 – tony [22/Jul/2006:09:41:58 +0800] “GET /index.html HTTP/1.1″ 200 438 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060406 Firefox/1.5.0.4 (Debian-1.5.dfsg+1.5.0.4-1)”

这行内容由9项构成，上面的例子中有两项空白，但整行内容仍旧分成了9项。

第一项信息是远程主机的地址。如果你想知道这个IP地址的域名，可通过nslookup或者host命令来查看。如果你想让Apache自己找出这个IP的主机名，可以打开这个开关：HostnameLookups。（建议最好不要打开，会影响Apache记录服务器日志的速度）

第二项是空白，用一个”-”占位符替代。实际上绝大多数时候这一项都是如此。这个位置用于记录浏览者的标识，这不只是浏览者的登录名字，而是浏览者的email地址或者其他唯一标识符。这个信息由identd返回，或者直接由浏览器返回。很早的时候，那时Netscape 0.9还占据着统治地位，这个位置往往记录着浏览者的email地址。然而，由于有人用它来收集邮件地址和发送垃圾邮件，所以它未能保留多久，很久之前市场上几乎所有的浏览器就取消了这项功能。因此，到了今天，我们在日志记录的第二项看到email地址的机会已经微乎其微了。

第三项是tony。这个位置用于记录浏览者进行身份验证时提供的名字。当然，如果网站的某些内容要求用户进行身份验证，那么这项信息是不会空白的。但是，对于大多数网站来说，日志文件的大多数记录中这一项仍旧是空白的。

日志记录的第四项是请求的时间。这个信息用方括号包围，而且采用所谓的”公共日志格式”或”标准英文格式”。因此，上例日志记录表示请求的时间是2006年7月22日09:41:58。时间信息最后的”+0800″表示服务器所处时区位于UTC之后的8小时。

日志记录的第五项信息或许是整个日志记录中最有用的信息，它告诉我们服务器收到的是一个什么样的请求。该项信息的典型格式是”METHOD RESOURCE PROTOCOL”，即”方法资源协议”。

RESOURCE是指浏览者向服务器请求的文档，或URL。在这个例子中，浏览者请求的是”/index.html “。

在上例中，METHOD是GET，其他经常可能出现的METHOD还有POST和HEAD。此外还有不少可能出现的合法METHOD，但主要就是这三种。

PROTOCOL通常是HTTP，后面再加上版本号。

日志记录的第六项信息是状态代码。它告诉我们请求是否成功，或者遇到了什么样的错误。大多数时候，这项值是200，它表示服务器已经成功地响应浏览器的请求，一切正常。一般地说，以2开头的状态代码表示成功，以3开头的状态代码表示由于各种不同的原因用户请求被重定向到了其他位置，以4开头的状态代码表示客户端存在某种错误，以5开头的状态代码表示服务器遇到了某个错误。

日志记录的第七项表示发送给客户端的总字节数。它告诉我们传输是否被打断（即，该数值是否和文件的大小相同）。把日志记录中的这些值加起来就可以得知服务器在一天、一周或者一月内发送了多少数据。

日志记录的第八项记录的是客户在提出请求时所在的目录或URL。这个例子里为空.

日志记录的第九项表示客户端的详细信息，这样你就不难理解为什么有些网站能够在页面中显示你的IP、OS、Browser

访问控制
10.1 简介

如果网站上有些敏感信息或只希望为一个小群体所访问，您需要将服务器配置为用户只能访问被允许的资源。
10.2 使用 .htaccess 控制

这里涉及的配置方式主要是使用 .htaccess 文件，要使用.htaccess文件，则必须设置服务器以允许在这些文件中使用认证指令，即用AllowOverride指令指定哪些指令在针对单个目录的配置文件中有效。首先将对应的AllowOverride这样设置：

AllowOverride All

首先，应该创建一个用于认证的密码文件，并且这个文件不应该置于DocumentRoot目录下，以避免被下载。例如可以创建/etc/apache2/passwd/目录，并将密码文件置于其下。

Apache2 为我们提供了/usr/bin/htpasswd命令用于创建密码文件，命令的具体操作方法请参阅htpasswd的手册页：http://httpd.apache.org/docs/1.3/programs/htpasswd.html 这里仅做简单的应用。

首次添加用户需要使用 ?c 参数，以创建密码文件，再次添加用户则不要 -c参数了：

# mkdir /etc/apache2/passwd
# htpasswd -c /etc/apache2/passwd/passwords tony
New password: [mypassword]
Re-type new password: [mypassword]
Adding password for user tony

# htpasswd /etc/apache2/passwd/passwords etony
New password: [mypassword]
Re-type new password: [mypassword]
Adding password for user etony

必要时，使用htpasswd 命令需要加入完整路径/usr/bin/htpasswd

修改对应.htaccess文件，加入如下内容：

AuthType Basic
AuthName “Restricted Files”
AuthUserFile /etc/apache2/passwd/passwords
Require user tony

让我们逐个解释这些指令。

AuthType指令选择对用户实施认证的方法，最常用的是由mod_auth_basic提供的Basic 。AuthName指令设置了使用认证的域(Realm)，它起两个作用，首先，此域会出现在显示给用户的密码提问对话框中，其次，也帮助客户端程序确定应该发送哪个密码。

AuthUserFile指令设置了密码文件的位置，也就是刚才我们用htpasswd建立的文件。

最后，Require指令设置了允许访问受保护区域的用户。

上述指令只允许一个人(一个叫tony的用户)访问这个目录，但是多数情况下。都需要允许多人访问，这时可以调整Require选项为：
Require valid-user
可以允许密码文件中的所有用户使用正确的密码进行访问。

可能存在的问题

由于采用了Basic认证的方法，每次向服务器请求甚至刷新一个受保护的页面或图片时都必须校验用户名和密码，为此，必须打开密码文件并逐行搜索用户名，因此，服务器响应速度会受一些影响，受影响的程度与密码文件的大小成正比。

所以，对密码文件中的用户总数存在一个实际上的上限，此上限取决于特定的服务器机器的性能，但是一般有几百个用户就会对响应速度有非常明显的影响，在这种情况下，可以考虑用其他认证方法。
10.3 使用MySQL数据库控制

基于MySQL数据库的访问控制需要使用mod-auth-mysql认证模块, 首先安装认证模块

tony@tonybox:~$sudo aptitude install libapache2-mod-auth-mysql
然后启用该模块
a2enmod auth_mysql
修改主配置文件/etc/apache2/apache2.conf,在文件尾部加入一下内容

Auth_MySQL_Info localhost a2_user password
Options +Indexes FollowSymLinks MultiViews
AllowOverride AuthConfig Options FileInfo Limit
Order allow,deny
Allow from all

在/var/www/apache2-default/目录下创建.htaccess文件, 内容如下:
AuthMYSQL on
AuthMySQL_Authoritative on
AuthMySQL_DB auth
AuthMySQL_Password_Table clients
AuthMySQL_Group_Table clients
AuthMySQL_Empty_Passwords off
AuthMySQL_Encryption_Types Plaintext Crypt_DES
AuthBasicAuthoritative Off
AuthName “default”
AuthType Basic
require group tony

然后重启apache服务
tonybox:~# /etc/init.d/apache2 restart
在MySQL数据库中添加认证数据库
$ mysql -uroot -p

mysql> grant all on auth.* to a2_user@localhost identified by ‘password’;

mysql> flush privileges;

mysql> create database auth;

CREATE TABLE `clients` (
`username` varchar(25) NOT NULL default ”,
`passwd` varchar(25) NOT NULL default ”,
`groups` varchar(25) NOT NULL default ”,
PRIMARY KEY (`username`),
KEY `groups` (`groups`)
) ENGINE=MyISAM;

INSERT INTO `clients` VALUES (‘tony’, ’123456′, ‘tony’);
此时,访问访问web服务器的默认站点, 您会发现,需要输入用户名(tony),密码(123456)方可登录.

10.4 其他认证方法

基于用户名和密码的认证只是方法之一，时常会有不需要知道来访者是谁，只需要知道来自哪里的情况。

Allow和Deny指令可以允许或拒绝来自特定主机名或主机地址的访问，同时，Order指令告诉Apache处理这两个指令的顺序，以改变过滤器。

这些指令的用法：

Allow from address

address可以是一个IP地址(或者IP地址的一部分)，也可以是一个完整的域名(或者域名的一部分)，还可以同时指定多个IP地址和域名。

比如，要拒绝不受欢迎的兜售垃圾的站点：

Deny from 205.252.46.165

这样，这个指令所管辖的区域将拒绝所有来自该地址的访问。除了指定IP地址，也可以指定域名，如：

Deny from host.example.com

另外，还可以指定地址或域名的一部分来阻止一个群体：

Deny from 192.168.2 //这是我们隔壁部门使用的网段
Deny from msn.com microsoft.com //不喜欢它们
Deny from du //对面的那个家伙

Order可以组合Deny和Allow指令，以保证在允许一个群体访问的同时，对其中的一些又加以限制：

Order deny,allow
Deny from all
Allow from dev.example.com

只列出Allow指令不会得到你想要的结果，因为它在允许指定对象访问的同时并不禁止其他未列出的对象的访问。所以上例使用的方法是：首先拒绝任何人，然后允许来自特定主机的访问。

优化设置

如果服务器访问量过大，将会导致页面打开迟缓，下载速度也降低，如果由于经费和环境问题，集群方案没有得以应用。可以通过对Apache2增加模块MPM来进行优化, 这里我们选择线程型MPM – worker 加以介绍
11.1 worker的工作原理

worker是2.0 版中全新的支持多线程和多进程混合模型的MPM。由于使用线程来处理，所以可以处理相对海量的请求，而系统资源的开销要小于基于进程的服务器。但是， worker也使用了多进程，每个进程又生成多个线程，以获得基于进程服务器的稳定性。这种MPM的工作方式将是Apache 2.0的发展趋势。

worker的工作原理是，由主控制进程生成“StartServers”个子进程，每个子进程中包含固定的ThreadsPerChild 线程数，各个线程独立地处理请求。同样，为了不在请求到来时再生成线程，MinSpareThreads和MaxSpareThreads设置了最少和最多的空闲线程数；而MaxClients设置了所有子进程中的线程总数。如果现有子进程中的线程总数不能满足负载，控制进程将派生新的子进程。。系统默认已经启用了 worker mpm 模块这可以通过以下命令查看:

# apache2 -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_setenvif.c
worker.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_negotiation.c
mod_dir.c
mod_alias.c
mod_so.c

一个典型的针对workerMPM的配置如下：

ServerLimit 16 //服务器允许配置的进程数上限, Apache在编译时内部有一个硬限制”ServerLimit 20000″。你不能超越这个限制。
StartServers 2 //设置了服务器启动时建立的子进程数量, 默认值是”3″。
MaxClients 150 //设置了允许同时伺服的最大接入请求数量。任何超过MaxClients限制的请求都将进入等候队列
MinSpareThreads 25 //设置最小空闲线程数，用于处理可能到来的突发请求。默认值是”75″。
MaxSpareThreads 75 //设置最大空闲线程数。不同的MPM对这个指令的处理是不一样的：默认值是”250″。这个MPM将基于整个服务器监视空闲线程数。如果服务器中总的空闲线程数太多，子进程将杀死多余的空闲线程。
ThreadsPerChild 25 //设置了每个子进程建立的线程数。子进程在启动时建立这些线程后就不再建立新的线程了。默认值是25
11.2 使用第三方模块增强安全性

mod-security apache的一个模块，有请求过滤，日志审计等功能，可以防止SQL Injection，跨站脚本攻击.

详细信息请参阅 http://www.modsecurity.org/projects/modsecurity/apache/index.html

首先安装libapache2-mod-security包

$ sudo apt-get install libapache2-mod-security

将会安装libapache2-mod-security, mod-security-common

启用该模块

$ sudo cp /usr/share/doc/libapache2-mod-security/examples/httpd2.conf.example-full /etc/apache2/mods-available/mod-security.conf
$ sudo a2enmod mod-security

修改配置文件, 相关内容如下

==== mod-security.conf 文件内容开始====

# 检测内容长度以避免堆溢出攻击
SecFilterForceByteRange 32 254 =>SecFilterForceByteRange 32 126

# debug设置
SecFilterDebugLevel 9 =>SecFilterDebugLevel 0

# 设置缺省的动作
SecFilterDefaultAction “deny,log,status:499″ =>SecFilterDefaultAction “deny,log,status:404″

# 把设置传递给子目录
SecFilterInheritance Off

# Redirect user on filter match
# 当匹配sh的时候,重新定向到一个特殊的警告页面,该页面是自行编写的，写些警告的话让攻击者知难而退，该段先不要生效，等到相关配置配好之后再失效不迟。记住在配好之后要使之生效。
#SecFilter sh redirect:http://localhost/hack/warning.htm

# Prevent OS specific keywords
#过滤一些敏感的东西，我们使用*是为了攻击者使用/etc/./passwd来绕开检测
SecFilter /etc/passwd =>SecFilter /etc/*passwd
SecFilter /bin/*sh

# Very crude filters to prevent SQL injection attacks
# 防止SQL插入(SQL Injection)攻击
SecFilter “delete[[:space:]]+from”
SecFilter “insert[[:space:]]+into”
SecFilter “select.+from”
SecFilter “select[[:space:]]+from”
SecFilter “union[[:space:]]+from”
==== mod-security.conf 文件内容结束====

重启apache2 服务即可.

$ sudo /etc/init.d/apache2 start

备注：第三步可能会引起部分网站不能正常运行，可以参照着去掉某些限制，由于是安全模块，所以参照的是防火墙的做法，关掉一切不安全的，再根据需要打开必要的。

Apache Web服务器这样配置才最安全

admin — Thu, 05 Mar 2009 07:38:14 +0000

作为最流行的Web服务器，Apache Server提供了较好的安全特性，使其能够应对可能的安全威胁和信息泄漏。

Apache 服务器的安全特性
1、采用选择性访问控制和强制性访问控制的安全策略

从Apache 或Web的角度来讲，选择性访问控制DAC（Discretionary Access Control）仍是基于用户名和密码的，强制性访问控制MAC（Mandatory Access Control）则是依据发出请求的客户端的IP地址或所在的域号来进行界定的。对于DAC方式，如输入错误，那么用户还有机会更正，从新输入正确的的密码；如果用户通过不了MAC关卡，那么用户将被禁止做进一步的操作，除非服务器作出安全策略调整，否则用户的任何努力都将无济于事。

２、Apache 的安全模块

Apache 的一个优势便是其灵活的模块结构，其设计思想也是围绕模块（Modules）概念而展开的。安全模块是Apache Server中的极其重要的组成部分。这些安全模块负责提供Apache Server的访问控制和认证、授权等一系列至关重要的安全服务。

mod_access模块能够根据访问者的IP地址（或域名，主机名等）来控制对Apache服务器的访问，称之为基于主机的访问控制。

mod_auth模块用来控制用户和组的认证授权（Authentication）。用户名和口令存于纯文本文件中。mod_auth_db和mod_auth_dbm模块则分别将用户信息（如名称、组属和口令等）存于Berkeley-DB及DBM型的小型数据库中，便于管理及提高应用效率。

mod_auth_digest模块则采用MD5数字签名的方式来进行用户的认证，但它相应的需要客户端的支持。

mod_auth_anon模块的功能和mod_auth的功能类似，只是它允许匿名登录，将用户输入的E-mail地址作为口令。

SSL（Secure Socket Lager），被Apache所支持的安全套接字层协议，提供Internet上安全交易服务，如电子商务中的一项安全措施。通过对通讯字节流的加密来防止敏感信息的泄漏。但是，Apache的这种支持是建立在对Apache的API扩展来实现的，相当于一个外部模块，通过与第三方程序的结合提供安全的网上交易支持。

Apache服务器的安全配置
Apache具有灵活的设置，所有Apache的安全特性都要经过周密的设计与规划，进行认真地配置才能够实现。Apache服务器的安全配置包括很多层面，有运行环境、认证与授权设置等。Apache的安装配置和运行示例如下：

1、以Nobody用户运行

一般情况下，Apache是由Root 来安装和运行的。如果Apache Server进程具有Root用户特权，那么它将给系统的安全构成很大的威胁，应确保Apache Server进程以最可能低的权限用户来运行。通过修改httpd.conf文件中的下列选项，以Nobody用户运行Apache 达到相对安全的目的。
User nobody
Group# -1

2、ServerRoot目录的权限

为了确保所有的配置是适当的和安全的，需要严格控制Apache 主目录的访问权限，使非超级用户不能修改该目录中的内容。Apache 的主目录对应于Apache Server配置文件httpd.conf的Server Root控制项中，应为：
Server Root /usr/local/apache

3、SSI的配置

在配置文件access.conf 或httpd.conf中的确Options指令处加入Includes NO EXEC选项，用以禁用Apache Server 中的执行功能。避免用户直接执行Apache 服务器中的执行程序，而造成服务器系统的公开化。

Options Includes Noexec

4、阻止用户修改系统设置

在Apache 服务器的配置文件中进行以下的设置，阻止用户建立、修改 .htaccess文件，防止用户超越能定义的系统安全特性。

AllowOveride None
Options None
Allow from all

然后再分别对特定的目录进行适当的配置。

5、改变Apache 服务器的确省访问特性

Apache 的默认设置只能保障一定程度的安全，如果服务器能够通过正常的映射规则找到文件，那么客户端便会获取该文件，如http://local host/~ root/ 将允许用户访问整个文件系统。在服务器文件中加入如下内容：

order deny,ellow
Deny from all

将禁止对文件系统的缺省访问。

6、CGI脚本的安全考虑

CGI脚本是一系列可以通过Web服务器来运行的程序。为了保证系统的安全性，应确保CGI的作者是可信的。对CGI而言，最好将其限制在一个特定的目录下，如cgi-bin之下，便于管理；另外应该保证CGI目录下的文件是不可写的，避免一些欺骗性的程序驻留或混迹其中；如果能够给用户提供一个安全性良好的CGI程序的模块作为参考，也许会减少许多不必要的麻烦和安全隐患；除去CGI目录下的所有非业务应用的脚本，以防异常的信息泄漏。

以上这些常用的举措可以给Apache Server 一个基本的安全运行环境，显然在具体实施上还要做进一步的细化分解，制定出符合实际应用的安全配置方案。

Apache Server基于主机的访问控制
Apache Server默认情况下的安全配置是拒绝一切访问。假定Apache Server内容存放在/usr/local/apache/share 目录下，下面的指令将实现这种设置：
Deny from all
Allow Override None

则禁止在任一目录下改变认证和访问控制方法。

同样，可以用特有的命令Deny、Allow指定某些用户可以访问，哪些用户不能访问，提供一定的灵活性。当Deny、Allow一起用时，用命令Order决定Deny和Allow合用的顺序，如下所示：

1、拒绝某类地址的用户对服务器的访问权（Deny）

如：Deny from all
Deny from test.cnn.com
Deny from 204.168.190.13
Deny from 10.10.10.0/255.255.0.0

2、允许某类地址的用户对服务器的访问权（Allow）

如：Allow from all
Allow from test.cnn.com
Allow from 204.168.190.13
Allow from 10.10.10.0/255.255.0.0
Deny和Allow指令后可以输入多个变量。

3、简单配置实例：

Order Allow, Deny
Allow from all
Deny from www.test.com
指想让所有的人访问Apache服务器，但不希望来自www.test.com的任何访问。
Order Deny, Allow
Deny from all
Allow from test.cnn.com
指不想让所有人访问，但希望给test.cnn.com网站的来访。

Apache Sever的用户认证与授权
概括的讲，用户认证就是验证用户的身份的真实性，如用户帐号是否在数据库中，及用户帐号所对应的密码是否正确；用户授权表示检验有效用户是否被许可访问特定的资源。在Apache中，几乎所有的安全模块实际上兼顾这两个方面。从安全的角度来看，用户的认证和授权相当于选择性访问控制。
建立用户的认证授权需要三个步骤：

1、建立用户库

用户名和口令列表需要存在于文件（mod_auth模块）或数据库（mod_auth_dbm模块）中。基于安全的原因，该文件不能存放在文挡的根目录下。如，存放在/usr/local/etc/httpd下的users文件，其格式与UNIX口令文件格式相似，但口令是以加密的形式存放的。应用程序htpasswd可以用来添加或更改程序：

htpasswd –c /usr/local/etc/httpd/users martin
-c表明添加新用户，martin为新添加的用户名，在程序执行过程中，两次输入口令回答。用户名和口令添加到users文件中。产生的用户文件有如下的形式：
martin:WrU808BHQai36
jane:iABCQFQs40E8M
art:FadHN3W753sSU
第一域是用户名，第二个域是用户密码。

2、配置服务器的保护域

为了使Apache服务器能够利用用户文件中的用户名和口令信息，需要设置保护域（Realm）。一个域实际上是站点的一部分（如一个目录、文档等）或整个站点只供部分用户访问。在相关目录下的.htaccess文件或httpd.conf ( acces.conf ) 中的段中，由AuthName来指定被保护层的域。在.htaccess文件中对用户文件有效用户的授权访问及指定域保护有如下指定：
AuthName “restricted stuff”
Authtype Basic
AuthUserFile /usr/local/etc/httpd/users
Require valid-user

其中，AuthName指出了保护域的域名（Realm Name）。valid-user参数意味着user文件中的所有用户都是可用的。一旦用户输入了一个有效的用户/口令时，同一个域内的其他资源都可以利用同样的用户/口令来进行访问，同样可以使两个不同的区域共用同样的用户/口令。

3、告诉服务器哪些用户拥有资源的访问权限

如果想将一资源的访问权限授予一组客户，可以将他们的名字都列在Require之后。最好的办法是利用组（group）文件。组的操作和标准的UNIX的组的概念类似，任一个用户可以属于一个和数个组。这样就可以在配置文件中利用Require对组赋予某些权限。如：
Require group staff
Require group staff admin
Require user adminuser
指定了一个组、几个组或一个用户的访问权限。

需要指出的是，当需要建立大批用户帐号时，那么Apache服务器利用用户文件数据库将会极大地降低效率。这种情况下，最好采用数据库格式的帐号文件，譬如 DBM数据库格式的文件。还可以根据需要利用db格式（mod_auth_db）的数据文件，或者直接利用数据库，如：mSQL（mod_auth_msql）或DBI兼容的数据库（mod_auth_dbi）。

Apache PHP MySQL Zend GD OpenSSL vsftpd For Debian 完全编译

admin — Thu, 05 Mar 2009 07:28:42 +0000

系统 Debian Linux v3.1r0 (Sarge) Kernel v2.6.11 i686

安装方式：源码编译

################
##### 软件 #####
################

Apache v2.0.54 官方主页： http://www.apache.org
http://www.apache.org/dist/httpd/httpd-2.0.54.tar.gz [7.16MB]

PHP v4.3.11 官方主页： http://www.php.net
http://cn.php.net/distributions/php-4.3.11.tar.gz [4.64MB]

Zend Optimizer v2.5.10 官方主页： http://www.zend.com
http://downloads.zend.com/optimizer/2.5.10/ZendOptimizer-2.5.10-linux-glibc21-i386.tar.gz [3.36MB]

MySQL v4.0.24 官方主页： http://www.mysql.com
http://ftp.stu.edu.tw/pub/Unix/Database/Mysql/Downloads/MySQL-4.0/mysql-4.0.24.tar.gz [16.1MB]

GD Library v2.0.33 官方主页： http://www.boutell.com/gd/
http://www.boutell.com/gd/http/gd-2.0.33.tar.gz [573KB]

FreeType v2.1.10 官方主页： http://www.freetype.org
http://savannah.nongnu.org/download/freetype/freetype-2.1.10.tar.gz [1.31MB]

Jpeg v6b 官方主页： http://www.ijg.org
ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v6b.tar.gz [598KB]

LibPNG v1.2.8 官方主页： http://www.libpng.org/pub/png/
http://switch.dl.sourceforge.net/sourceforge/libpng/libpng-1.2.8.tar.gz [498KB]

OpenSSL v0.9.7g 官方主页： http://www.openssl.org
http://www.openssl.org/source/openssl-0.9.7g.tar.gz [2.98MB]

vsftpd v2.0.3 官方主页： http://vsftpd.beasts.org
ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.3.tar.gz [149KB]

zlib v1.2.2 官方主页： http://www.gzip.org/zlib/
http://www.zlib.net/zlib-1.2.2.tar.gz [420KB]

ClibPDF v2.02-r1-1 官方网站： http://www.fastio.com
http://www.fastio.com/clibpdf202r1.tar.gz [836KB]

mod_limitipconn v0.22 官方网站： http://dominia.org/djao/
http://dominia.org/djao/limit/mod_limitipconn-0.22.tar.gz [6.18KB]

Bandwidth Module v0.6 官方网站： http://www.ivn.cl/apache/
http://www.ivn.cl/apache/bw_mod-0.6.tgz [28.5KB]

Apache DoS Evasive Maneuvers Module v1.10 官方网站： http://www.nuclearelephant.com/projects/dosevasive/
http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive_1.10.tar.gz [19.1KB]

################
##### 安装 #####
################

1、解压缩，把所有源码压缩包放在一个目录中，解压缩所有 .tar.gz 压缩包
for i in `ls *.gz`;do tar zxvf $i; done;

2、开始安装

##### zlib #####

cd zlib-1.2.2
./configure
make
make install
cd ..

##### OpenSSL #####

cd openssl-0.9.7g
./config –prefix=/usr/local/ssl \
–openssldir=/usr/local/ssl \
shared \
zlib

make
make install
ln -s /usr/local/ssl /usr/lib/ssl
cd ..

##### MySQL #####

cd mysql-4.0.24

编辑 sql/mysqld.cc ：
搜索：&max_connections, 0, GET_ULONG, REQUIRED_ARG, 100, 1, 16384, 0, 1,
修改：&max_connections, 0, GET_ULONG, REQUIRED_ARG, 1000, 1, 16384, 0, 1,

groupadd mysql
useradd -g mysql mysql

./configure \
–prefix=/server/mysql \
–sysconfdir=/server/mysql \
–without-isam \
–without-debug \
–enable-assembler \
–with-unix-socket-path=/tmp/mysql.sock \
–with-mysqld-user=mysql \
–with-extra-charset=all \
–with-client-ldflags=-all-static \
–with-mysqld-ldflags=-all-static \
–localstatedir=/data/mysql/data

如果出现以下错误：
checking for tgetent in -ltermcap… no
checking for termcap functions library… configure: error: No curses/termcap library found
说明 curses/termcap 库没有安装
apt-cache search curses | grep lib
安装 libncurses5-dev ，然后重新运行配置

mkdir /data
mkdir /data/mysql
mkdir /data/mysql/data

make
make install

/server/mysql/bin/mysql_install_db –user=mysql

chown -R mysql /data/mysql
chgrp -R mysql /data/mysql
chown -R root /server/mysql
chgrp -R mysql /server/mysql
cp /server/mysql/share/mysql/my-medium.cnf /server/mysql/my.cnf

/server/mysql/share/mysql/mysql.server start
/server/mysql/bin/mysqladmin -u root password 123456789
cd ..

##### Apache2 #####

cd httpd-2.0.54

./configure –prefix=/server/httpd \
–enable-so \
–with-mysql=/server/mysqld \
–enable-cgi \
–with-config-file-path=/server/httpd/conf \
–enable-track-vars \
–enable-mods-shared=all \
–enable-cache \
–enable-disk-cache \
–enable-mem-cache \
–enable-rewrite \
–with-mpm=worker \
–with-ssl=/usr/local/ssl \
–enable-ssl

make
make install
cd ..

##### mod_deflate #####

cd httpd-2.0.54/modules/filters

/server/httpd/bin/apxs -i -c -a mod_deflate.c

修改 Apache 配置文件 /server/httpd/conf/httpd.conf ：
添加：
;
# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don’t compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|ico)$ no-gzip dont-vary

# Make sure proxies don’t deliver the wrong content
#Header append Vary User-Agent env=!dont-vary
;

DeflateFilterNote ratio
LogFormat ‘”%v %h %l %u %t “%r” %>;s %b “%{Referer}i” “%{User-Agent}i”" (%{ratio}n)’ deflate

CustomLog logs/deflate_log deflate

然后
cd ../../../

##### FreeType #####

cd freetype-2.1.10

./configure –prefix=/usr/local/freetype

make
make install
cd ..

##### LibPNG #####

cd libpng-1.2.8

cp scripts/makefile.linux makefile

make test
make install
cd ..

##### Jpeg #####

cd jpeg-6b

mkdir /usr/local/jpeg
mkdir /usr/local/jpeg/bin
mkdir /usr/local/jpeg/lib
mkdir /usr/local/jpeg/include
mkdir /usr/local/jpeg/man
mkdir /usr/local/jpeg/man/man1
./configure –prefix=/usr/local/jpeg –enable-shared –enable-static

make
make install
cd ..

##### GD Library #####

cd gd-2.0.33

./configure –prefix=/usr/local/gd \
–with-jpeg=/usr/local/jpeg \
–with-freetype=/usr/local/freetype \
–with-png \
–with-zlib

make
make install
cd ..

##### ClibPDF #####

cd ClibPDF/source
cp Makefile.Linux makefile
make
make install
cd ..

##### PHP #####

cd php-4.3.11

./configure –prefix=/server/php \
–with-apxs2=/server/httpd/bin/apxs \
–with-gd=/usr/local/gd \
–enable-gd \
–enable-gd-native-ttf \
–with-jpeg-dir=/usr/local/jpeg \
–with-png \
–with-ttf \
–with-zlib \
–with-freetype-dir=/usr/local/freetype \
–enable-magic-quotes \
–with-mysql=/server/mysql \
–with-mysql-sock=/tmp/mysql.sock \
–with-iconv \
–with-mbstring \
–enable-mbstring \
–enable-track-vars \
–enable-force-cgi-redirect \
–enable-ftp \
–with-config-file-path=/server/httpd/conf \
–with-openssl=/usr/local/ssl \
–with-openssl-dir=/usr/local/ssl \
–with-cpdflib=/usr/local \
–with-pear=/server/php/pear

make
make install

cp php.ini-dist /server/httpd/conf/php.ini
cd ..

##### Zend Optimizer #####

cd ZendOptimizer-2.5.10-linux-glibc21-i386

./install

操作 [OK] [EXIT] [YES] [/server/zend] [/server/httpd/conf] [YES] [/server/httpd/bin/apachectl] [OK] [OK] [NO]

cd ..

##### mod_limitipconn #####

cd mod_limitipconn-0.22

/server/httpd/bin/apxs -i -c -a mod_limitipconn.c

修改 Apache 配置文件 /server/httpd/conf/httpd.conf：
查找：#ExtendedStatus On ，去掉注释”#”
查找：CustomLog logs/access_log common ，修改成 CustomLog logs/access_log common env=!LIMITIP
添加：
;
;
MaxConnPerIP 5
NoIPLimit image/*
;

;
MaxConnPerIP 2
OnlyIPLimit audio/mpeg video
;
;

然后
cd ..

##### Bandwidth Module #####

cd bw_mod-0.6

/server/httpd/bin/apxs -i -c -a bw_mod-0.6.c

cd ..

带宽限制在虚拟主机中设置

##### Apache DoS Evasive Maneuvers Module #####

cd mod_dosevasive

/server/httpd/bin/apxs -i -c -a mod_dosevasive20.c

cd ..

等一下启动 Apache2 后可以测试
perl test.pl

###############################################################################################

现在，WEB 服务已经安装完毕！
测试 WEB 服务：

mkdir /data/vhosts
mkdir /data/vhosts/localhost

启动 Apache2
/server/httpd/bin/apachectl start
如果出错请参考下一贴中的 httpd.conf 和虚拟主机配置文件示例

MySQL 服务前面已经启动，密码是：123456789

编辑一个 info.php 放在 /data/vhosts/localhost 下面，内容如下：

phpinfo();
?>;

测试： http://localhost/info.php
OK，看到 PHP 信息吧

##### 开机自动启动服务 #####

cp /server/httpd/bin/apachectl /etc/init.d/httpd
cp /server/mysql/share/mysql/mysql.server /etc/init.d/mysql
recconf
配置，已经有 httpd 和 mysql 选项，选中，OK

如果没有 rcconf ，用 apt-get install rcconf 安装

#######################
##### 使 SSL 工作 #####
#######################

mkdir /server/ssl
cd /server/ssl

##### 手工签署证书 #####
/usr/local/ssl/bin/openssl genrsa -des3 \
-rand 任意大文件1:任意大文件2 \
-out server.key 1024

输入密码
重复密码

/usr/local/ssl/bin/openssl req -new -key server.key -out server.csr

Enter pass phrase for localhost.key: #<–## 输入密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN #<–## 国家代码
State or Province Name (full name) [Some-State]N #<–## 省或州
Locality Name (eg, city) []:SY #<–## 城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:micronsky.net #<–## 组织名称
Organizational Unit Name (eg, section) []:root #<–## 部门
Common Name (eg, YOUR name) []:keelort #<–## 名字
Email Address []:keelort@gmail.com #<–## 电子邮件

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: #<–## 直接回车就可以
An optional company name []: #<–## 直接回车就可以

/usr/local/ssl/bin/openssl x509 -req \
-days 3650 \
-in server.csr \
-signkey server.key \
-out server.crt

……………………………………………………………………..

注意：SSL 部分目前还不是很明白，apachectl startssl 启动后 http:// 不能用，只能用 https:// 连接，
不知道怎么回事请高手指教，暂时没有写全

###############################################################################################

##### vsftpd #####

cd vsftpd-2.0.3

编辑 builddefs.h ：
#define VSF_BUILD_PAM
修改为
#undef VSF_BUILD_PAM

编辑 defs.h ：
#define VSFTP_DEFAULT_CONFIG “/etc/vsftpd.conf”
修改为
#define VSFTP_DEFAULT_CONFIG “/server/vsftpd/conf/vsftpd.conf”

make

useradd nobody
mkdir /usr/share/empty
mkdir /data/ftp
useradd -d /data/ftp ftp
chown root:root /data/ftp
chmod og-w /data/ftp

install -m 755 vsftpd /server/vsftpd/vsftpd
install -m 644 vsftpd.8 /usr/share/man/man8
install -m 644 vsftpd.conf.5 /usr/share/man/man5
mkdir /server/vsftpd/conf
install -m 644 vsftpd.conf /server/vsftpd/conf/vsftpd.conf

使 vsftpd 以 standalone 方式启动：
编写名为 vsftpd 的启动脚本：

CODE:
[Copy to clipboard]
#!/bin/sh
# /etc/init.d/vsftpd
#

set -e

# Exit if vsftpd.conf doesn’t have listen=yes or listen_ipv6=yes
# (mandatory for standalone operation)
if [ -f /server/vsftpd/conf/vsftpd.conf ] && ! egrep -iq “^ *listen(_ipv6)? *= *yes”

/server/vsftpd/conf/vsftpd.conf; then
exit 0
fi

DAEMON=/server/vsftpd/vsftpd
NAME=vsftpd

test -x $DAEMON || exit 0

case “$1″ in
start)
echo -n “Starting FTP server: $NAME”
start-stop-daemon –start –background -m –pidfile /tmp/vsftpd.pid –exec $DAEMON
echo “.”
;;
stop)
echo -n “Stopping FTP server: $NAME”
start-stop-daemon –stop –pidfile /tmp/vsftpd.pid –oknodo –exec $DAEMON
echo “.”
;;
restart)
echo -n “Restarting FTP server: $NAME”
start-stop-daemon –stop –pidfile /tmp/vsftpd.pid –oknodo –exec $DAEMON
start-stop-daemon –start –background -m –pidfile /tmp/vsftpd.pid –exec $DAEMON
echo “.”
;;
reload|force-reload)
echo “Reloading $NAME configuration files”
start-stop-daemon –stop –pidfile /tmp/vsftpd.pid –signal 1 –exec $DAEMON
echo “.”
;;
*)
echo “Usage: /etc/init.d/$NAME {start|stop|restart|reload}”
exit 1
;;
esac

exit 0
运行 rcconf 选中 vsftpd ，确定

重新启动，试试试不是所有的服务都启动，呵呵…

全文完

NetBSD2.0下架设入门级www服务器

admin — Wed, 04 Mar 2009 09:48:08 +0000

本教程你将学会：
　　1、利用SSH远程登录进行管理
　　2、pkg、源代码包的安装方法
　　3、利用VI编辑器修改配置文档
　　4、通过修改系统文件自启动服务
　　5、初级安全知识

一、前期软件准备：
　　由于个人网络环境因素，是先将pkg和源代码包从单位下载回家做的，所以第一步先下载相关软件：apache-2.0.54nb1.tgz、mysql-server-4.1.12nb1.tgz、mysql-client-4.1.12.tgz、perl-5.8.6nb4.tgz、expat-1.95.8nb2.tgz、apr-0.9.6.2.0.54nb1.tgz，以上软件可以从ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD-2.0/i386/All/ 下载到。另外还需php-4.4.0.tar.bz2源代码包（www.php.net）；F-Secure SSH（google一下吧）

二、设置SSH
1、编辑rc.conf开启ssh
#echo sshd=YES >;>; /etc/rc.conf
#echo sendmail=NO >;>; /etc/rc.conf

2、编辑sshd_config允许root帐号登陆
#vi /etc/ssh/sshd_config
找到#PermitRootLogin yes将#去掉保存并退出
重启后ssh随即生效。

3、修改网卡IP地址
新建一个ifconfig.pcn0的文件。（pcn0为服务器网卡的类型，可通过ifconfig -a查看到）
#echo 192.168.112.10 netmask 255.255.255.0 >;>; /etc/ifconfig.pcn0
注意客户机的IP也应该为192.168.112.*，运行F-Secure SSH client登陆上去，利用file transfer将必要的安装包拷贝至/usr下。

三、安装软件及手工启动
1、安装perl
#pkg_add /usr/perl-5.8.6nb4.tgz
不用多说这个是必装的。

2、安装apache
#pkg_add /usr/apache-2.0.54nb1.tgz

============ 手工启动apache ============
# cd /usr/pkg/sbin
#./apachectl start
如果报错，根据提示进行修改即可，一般会提示”using 127.0.0.1 for ServerName”，这个时候只需要:
#hostname 127.0.0.1
#./apachectl start 就应该能启动了。//此时打开ff（讨厌用IE）看看是否正常
———————————————————————

============ 设置apache自启动 ============
　　#cp　/usr/pkg/share/examples/rc.d/apache　/etc/rc.d
　　#echo apache=YES >;>; /etc/rc.conf
　　#echo hostname=”127.0.0.1″ >;>; /etc/rc.conf
———————————————————————

3、安装mysql
#cd /usr
#pkg_add mysql-server-4.1.12nb1.tgz //安装前最好将所需文件都放至同一目录

============ mysql的手工启动方法 ============
#cd /usr/pkg/share/examples/rc.d/
#./mysqld start
#mysql
>;show databases;
>;create database bbs; //为论坛创建bbs数据库
>;exit
———————————————————————

============ 设置mysql自启动 ============
　　#cp　/usr/pkg/share/examples/rc.d/mysqld　/etc/rc.d
　　#echo mysqld=YES >;>; /etc/rc.conf　　
———————————————————————

============ 修改mysql默认密码 ============
　　#cd /usr/pkg/bin
　　#./mysqladmin -u root password ’111111′ //111111为root密码，这里要设置更复杂一些
//连接本地数据库的方法：#./mysql -uroot -p
//出于安全还应该禁止远程访问3306端口（修改my.cnf），改变数据库root的登陆名等等。
———————————————————————

4、安装php
#cd /usr
#tar zxvf php-4.4.0.tar.gz
#cd php-4.4.0.tar.gz
#./configure –with-mysql –with-apxs2=/usr/pkg/sbin/apxs –enable-safe-mode
#make; make install; make clean
//zend不需要另行安装

5、修改httpd.conf
安装完PHP后，还需要手工配置一下httpd.conf文件才能正常解析php文件
============ 配置httpd.conf ============
#vi /usr/pkg/etc/httpd/httpd.conf
进入vi后，输入/AddType后回车（通过输入n可以向下寻找），找到不带#开头的后输入命令o，即可往下面添加：
AddType application/x-httpd-php .php
AddType application/x-httpd-php .inc
AddType application/x-httpd-php .class //以上两行是为了防止代码泄露
保存并退出
#/usr/pkg/sbin/apachectl restart

//注意：如果此文档配置出错，apache将不能正常启动！
//为了防范脚本攻击和SQL注入还可以添加mod_security.c模块并进行合理设置
//寻找Options Indexes，将Indexes去掉，可以不让别人索引你的的站点目录
//设置ServerSignature 为off
//关闭CGI，注释掉：
scriptAlias /cgi-bin/ “/usr/pkg/libexec/cgi-bin/” 以及下一段
;
AllowOverride None
Options None
Order allow,deny
Allow from all
;
//由于本文不是专门针对apache的，所以很多配置项请参考其它文章

———————————————————————

6、修改php.ini
============ 设置php.ini ============
#cd /usr/php-4.4.0
#cp php.ini-dist /usr/local/lib/php.ini
编辑此文档：
safe_mode=on //增加了许多限制能使php更加安全
register_global=off //关闭全局变量
open_basedir= /usr/pkg/share/httpd/htdocs //限制用户访问路径为站点目录
disable_function=phpinfo,get_cfg_var //防止泄露必要的信息
display_errors=off //php的所有错误和警告都不会显示
———————————————————————

三、安装论坛
　　略，详细的步骤看动画。论坛一定要到官方站点下载，安装完后一定要打上最新的补丁。

四、最后
　　最后不要忘了关闭ssh，或者采用密钥登陆。
　　最好在服务器上开启防火墙，过滤没必要的端口或者防范端口扫描。
　　将常用的系统命令top等最好备份到软盘上。
　　　　
本文存在的一些不足：
　　1、没有对系统作针对性的优化
　　2、软件安装没有采用通常建议的ports方式
　　3、没有对apache（httpd.conf）、php（php.ini）、mysql（my.cnf）进行更加深入更全面的设置和讲解

如何进一步提高自己的水平：
　　1、学习如何优化系统
　　2、学习ports的安装方式
　　3、学习SSH的密钥登陆方式
　　4、学习关于www服务器的安全（知识较多、较难也比较碎，例如jail和chroot等）
　　5、学习关于www服务器的性能测试
　　6、学会仔细看帮助文档

apache2+php+oracle9的安装

admin — Mon, 02 Mar 2009 10:46:55 +0000

1、前言：
对于unix(linux)来说，apache＋php是个不错的选择。对于小型的网站，比较通用的是apache+php+mysql，优点不比说。但是，对于大型的网站，需要对数据库检索和连接请求高的站点，mysql还是出现他的局限性。很多门户网站，例如：sina、tom、sohu、china等，都是用新闻发稿器的生成静态页面。但是这个新闻发稿器，很多都是通过apache＋php来完成，大量的资料放在数据库中，用户访问的时候，在由程序生成静态页面。所以，apache+php+oracle是比较合理的选择。

由于平时都是用的sun的sparc机器，这个环境是临时搭建，用的是redhat9，如果有喜欢用redhat ad的朋友，需要自己先测试一下。

2、结构：
主机两台：
odb –安装oracle server，作为数据存储。
webapp —安装oracle client和apache+php，php通过oracle client来访问oracle。
odb ip:192.168.1.2
webapp ip: 192.168.1.3 211.11.11.11
优点：安全，odb可以用内网ip，还能实现降低webapp的负载。

3、主机系统相关软件：
redhat9
oacle9 for liunx
httpd2.0.50
php-4.32

4、安装软件：
4.1、odb的安装：
这里关于oracle9的redhat9上的安装，大家查看论坛响应的其他文章，这里就不过多写。为上下文，这里建立库为odb。

4.2、apache2的安装：

# tar zxvf httpd-2.0.49.tar.gz
# cd httpd-2.0.49
# ./configure –prefix=/opt/apache –enable-so –with-mpm=worker
# make
# make install

4.3、webapp主机上的oracle client安装：

4.3.1 安装好RedHat9.0操作系统，确保安装以下的RPM开发包
gcc
cpp
glibc-devel
compat-libstdc++
glibc-kernheaders
binutils
可以使用命令来查看是否已安装这些包
rpm –q gcc cpp compat-libstdc++ glibc-devel glibc-kernheaders binutils

4.3.2、从Oracle官方网站下载Oracle9i安装文件并使用如下命令解包

# zcat lnx_920_disk1.cpio.gz | cpio –idmv
# zcat lnx_920_disk2.cpio.gz | cpio –idmv
# zcat lnx_920_disk3.cpio.gz | cpio –idmv
然后会有Disk1 Disk2 Disk3三个子目录。

4.3.3、设置内核参数
# echo 4294967295 >; /proc/sys/kernel/shmmax，建议放到/etc/rc.local文件里。
或编辑/etc/sysctl.conf
kernel.shmmax=4294967295
我有512MB内存，所以设置这个数值。可根据实际情况设置。

4.3.4、创建Oracle用户帐号和安装目录
在shell下,作为root
# groupadd dba
# groupadd oinstall
# useradd –g oinstall –G dba oracle
# passwd oracle

# mkdir /opt/oracle
# mkdir /opt/oracle/product
# mkdir /opt/oracle/product/9.2.0
# chown –R oracle.oinstall /opt/oracle
# mkdir /var/oracle
# chown oracle.dba /var/oracle
# chmod 755 /var/oracle

4.3.5、设置环境变量

# vi /home/oracle/.bash_profile文件，添加下列行
－－－－－－－－－－
export LD_ASSUME_KERNEL=2.4.1
export ORACLE_BASE=/opt/oracle
export ORACLE_HOME=/opt/oracle/product/9.2.0
NLS_LANG=”SIMPLIFIED CHINESE_CHINA.ZHS16GBK”;export NLS_LANG
ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data; export ORA_NLS33
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib;export LD_LIBRARY_PATH
PATH=$PATH ORACLE_HOME/bin;export PATH

－－－－－－－－－－－－－－

4.3.6、安装
可以重新启动机器，让设置的参数生效，让后用oracle用户登陆，安装oracle。

# ~Disk1
# ./runInstaller

安装的时候，选择安装client。
有提示你用root用户执行几个脚本，按照提示做就可以。

4.4、 php安装
在安装php的时候，php调用oracle9（9.0.2 –10 )的时候需要安装一个patch，不然会出现问题。但是oracle8的版本没有问题。oracle的官方网站上有下载，地址如下：

http://otn.oracle.com/products/ias/ohs/htdocs/ociheaders.tar

# cp ociheaders.tar /opt/oracle/product/9.2.0/rdbms/demo/
# cd cd /opt/oracle/product/9.2.0/rdbms/demo
# tar xvf ociheaders.tar

# tar zxvf php-4.3.2.tar.gz
# cd php-4.3.2
# ./configure –prefix=/opt/php –with-zlib
–with-apxs2=/opt/apache/bin/apxs –disable-xml –without-mysql
–with-oci8=/opt/oracle/product/9.2.0
–with-config-file-path=/opt/php/etc/php.ini
–disable-rpath –without-pear
# make
# make install
# mkdir /usr/local/php/etc
# cp /home/peng/php-4.3.2/etc/php.ini-disk /usr/local/php/etc/php.ini/php.ini
# vi /usr/local/php/etc/php.ini/php.ini

5 配置软件：

5.1、启动odb主机上的oracle：
以oracle用户登陆：

启动数据库
$ Sqlplus “ / as sysdba”
SQL>;startup

启动监听程序
$ lsnrctl

5.2、配置apache2：

# vi /opt/apache/conf/httpd.conf

添加：AddType application/x-httpd-php .php
更改下列选项如下：
Listen 211.11.11.11:80 –你的发布主机ip
User nobody
Group nobody
DirectoryIndex index.html index.php
AddDefaultCharset Off

5.3 配置php：

# vi /usr/local/php/etc/php.ini/php.ini
更改：
register_global =Off 为 register_global =On

5.4 配置oracle client：
# vi /opt/oracle/product/9.2.0/network/admin/tnsnames.ora

————-
odb =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.2)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = odb)
)
)

————–

到这里，系统已经全部安装成功，需要根据自己情况，配置apache的具体主机设置。

总结：
apche+php+oracle一般的应用情况都是针对数据库访问量比较大，或者经常用到数据库检索的应用。很多都是为应用服务器而搭建的环境。

这里注意一点就是，这个环境的搭建，同样适合oracle10的版本。如果用oracle817以下的版本，是不需要安装ociheaders这个补丁的。对于oracle7，php要用–with-oracle＝的参数。

apache2.0.x+mysql4.0.x+php5.0.x+solaris 9.0+proftpd1.2.x

admin — Mon, 02 Mar 2009 10:39:55 +0000

solaris下提供一个pkgadd的工具，它特别容易安装，对菜鸟来说非常方便，所谓AMPSP就是apache2.0.x+mysql4.0.x+php5.0.x+solaris 9.0+proftpd1.2.x.
首先当然有一个solaris9.0的系统，安装solaris就不用说吧，我装的是u7，安装时候用root安装，我用的是SUN的默认sh.
# uname -a
SunOS bad.com 5.9 Generic_117171-07 sun4u sparc SUNW,Ultra-5_10
看一下root的环境变量，如果不是下面的，可以在/etc/profile下面进行修改
# env
HOME=/
HZ=100
LOGNAME=root
MAIL=/var/mail/root
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/etc:/usr/local/bin:/usr/local/sbin
SHELL=/sbin/sh
TERM=ansi
TZ=PRC
在安装AMPSP前，必须安装一些EIS，下面的软件可以在www.sunfreeware.com的网站上可以下到，按你的系统下载安装包，我的系统是sparc的，所以下的也是for sparc的安装包，我们先建一个backup的目录，将下来的软件放到这个目录下，软件列表如下：
gcc-3.4.2-sol9-sparc-local.gz
db-4.2.52.NC-sol9-sparc-local.gz
expat-1.95.5-sol9-sparc-local.gz
libgcc-3.3-sol9-sparc-local.gz
libiconv-1.8-sol9-sparc-local.gz
libxml2-2.6.16-sol9-sparc-local.gz
libxslt-1.1.2-sol9-sparc-local.gz
ncurses-5.4-sol9-sparc-local.gz
zlib-1.2.2-sol9-sparc-local.gz
pcre-4.5-sol9-sparc-local.gz
在安装AMPSP前先安装这些，一点要注意的，gcc和libgcc这两个包的版本号不要太高，我在安装的时候，版本太高装不，用pkgadd命令安装：
#gunzip gcc-3.4.2-sol9-sparc-local.gz
#pkgadd –d gcc-3.4.2-sol9-sparc-local
安完以上的，接下来就可以安装AMPSP，下载并CP到/backup下：
apache-2.0.53-sol9-sparc-local.gz
mysql-4.0.21-sol9-sparc-local.gz
php-5.0.2-sol9-sparc-local.gz
proftpd-1.2.10rc1-sol9-sparc-local.gz

MYSQL的安装
创建运行mysql的用户
#cd /backup
# groupadd mysql
# useradd -g mysql mysql
安装mysql的安装包
#gunzip mysql-4.0.21-sol9-sparc-local.gz
#pkgadd –d mysql-4.0.21-sol9-sparc-local
安装完后，在/usr/local/下多一个mysql的目录，我们对它进行设置
#cd /usr/local/mysql
#cd scripts
#./mysql_install_db –user=mysql
#chown –R root /usr/local/mysql
#chgrp –R mysql /usr/local/mysql
#cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf
试运行一个mysql服务；
#cd /usr/local/mysql/bin
#./mysqld_safe –user=mysql&
如果没出错误错的话，就说明成功，如果出现：
Starting mysqld daemon with databases from /usr/local/mysql/var
STOPPING server from pid file /usr/local/mysql/var/bad.com.pid
050407 01:44:15 mysqld ended
说明没有成功，看/usr/local/mysql/var/bad.com.err,这个错误可以用
#chown mysql:mysql /usr/local/mysql/var/mysql解决（我刚开的时候就是因为这个，弄半天没装好。

试一个mysql是不是可用
# ./mysql -u root -p
Enter password 密码为空)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.0.21-log

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql>;quit
Bye
#
如果想让mysql开机自动运行，可以如下设置：
#cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysql
#ln /etc/init.d/mysql /etc/rc3.d/S99mysql
#ln /etc/init.d/mysql /etc/rc3.d/K01mysql

APACHE的安装

Apache的安装
#cd /backup
#gunzip apache-2.0.53-sol9-sparc-local.gz
#pkgadd –d apache-2.0.53-sol9-sparc-local
这样就安装好，接下来修改apache的配置文件
#cd /usr/local/apache2
#cd conf
#vi httpd.conf
这里没有什么改的，，只要将：
Group #-1
改成：
Group nobody

测试服务器
#/usr/local/apache2/bin/apachectl start
这个你就可以在IE里防问，http://IP

设置自起动，和mysql差不多：
#cp /usr/local/apache2/bin/apachectl /etc/init.d/httpd
#ln /etc/init.d/httpd /etc/rc3.d/S99httpd
#ln /etc/init.d/httpd /etc/rc3.d/K01httpd

安装PHP

安装PHP
#cd /backup
#gunzip php-5.0.2-sol9-sparc-local.gz
#pkgadd –d php-5.0.2-sol9-sparc-local
#cp /usr/local/php/doc/php/php.ini-dist /usr/local/lib/php.ini

修改apache，使它支持php
#cd /usr/local/apache2/conf
#vi httpd.conf
在AddType后面加入：
AddType application/x-httpd-php .php
在loadModule后面加入：
LoadModule php5_module modules/libphp5.so
然后保存关退出其不意
再测试一个apache是否可用
#/usr/local/apache2/bin/apachectl restart

PROFTPD安装

因为solaris自带的ftp不怎么好用，，所以改用proftp来代替，proftp安装；
#cd /backup
#gunzip proftpd-1.2.10rc1-sol9-sparc-local.gz
#pkgadd –d proftpd-1.2.10rc1-sol9-sparc-local

配置proftp

新建用户和用户组，给proftp使用
#groupadd –g 100 webmaster
#useradd –u 1234 –g webmaster –d /usr/local/apache2/htdocs –s /bin/false webmaster
#cd /usr/local/etc
#vi proftpd.conf
我们去掉一些不必要，，然后就行，我将我的FTP设置给大家看看，
# cat proftpd.conf
ServerName “bad’s server!” //ftp的名字
ServerType standalone //ftp是独立运行，
DefaultServer on
Port 21
Umask 022
MaxInstances 30
User webmaster //只允许webmaster
Group webmaster
MaxLoginAttempts 10
MaxClientsPerHost 2
MaxClients 20 //最大用户数
DirFakeUser On webmaster
DirFakeGroup On webmaster
DisplayLogin welcome.msg
DeferWelcome On
SystemLog /var/log/proftpd.log //proftpd的目志文件
ServerIdent OFF
RequireValidShell off //没用shell的用户可以进入
AllowRetrieveRestart on //支持继传功能
AllowStoreRestart on
TimeoutIdle 300

DefaultRoot ~ webmaster

; //webmaster对/usr/local/apache2/htdocs有管理权限
;
Order deny,allow
AllowUser webmaster
;
;

Proftp自起动

Proftp没有自带的起动文件，，可以自己写一个，内空如下：
# cat proftpd

#cp proftpd /etc/init.d/proftpd
#chmod 777 /etc/init.d/proftpd
#ln /etc/init.d/proftpd /etc/rc3.d/S99proftdd
#ln /etc/init.d/proftpd /etc/rc3.d/K01proftpd

到这里AMPSP就安装完成，，mysql的管理可以用phpMyAdmin实现.

ubuntu8.10常用桌面应用软件以及网站开发应用环境

admin — Wed, 25 Feb 2009 14:05:07 +0000

一、基础系统配置

1.安装ubuntu8.10就不讲，网上太多资料

2.配置源（我在杭州当然也就用杭州的源）

sudo cp /etc/apt/sources.list ~

sudo gedit /etc/apt/sources.list

把你要用的源考进去，保存即可

3.更新软件包列表

sudo apt-get update

4.安装系统更新

打开“系统->系统管理->更新管理器”，安装更新。完成后若系统提示重新启动，请重新启动系统。

5.设置中文环境

单击主菜单中的“系统(System) –> 系统管理(Administration) –> 语言支持(language support)”。

在“支持的语言”列表中找到“汉语（Chinese）”，在右端打上勾。同时将默认语言修改为“汉语（Chinese）”并勾选“启用复杂字符输入支持（Enable support to enter complex characters）”，点击确定按钮。

Ubuntu 这时会下载并安装语言包。安装完毕之后，你注销重新登录后，界面变为中文。

6.设置文档查看器 Evince 的中文支持

sudo apt-get install xpdf-chinese-simplified xpdf-chinese-traditional poppler-data

7.安装硬件驱动

打开 “系统->系统管理->硬件驱动”。Ubuntu 自动开始查找可用驱动程序，选中你需要启用的硬件驱动程序（如显卡驱动），Ubuntu将自动为你安装。完装完成后，请按系统提示重启操作系统。

8.多媒体应用环境设置

Gstreamer多媒体引擎解码器

sudo apt-get install gstreamer0.10-ffmpeg gstreamer0.10-pitfdll gstreamer0.10-plugins-bad gstreamer0.10-plugins-bad-multiverse gstreamer0.10-plugins-ugly gstreamer0.10-plugins-ugly-multiverse gstreamer0.10-esd

配置电影播放器

sudo apt-get remove totem-mozilla -y

sudo apt-get install smplayer smplayer-themes mozilla-mplayer libmatroska0

配置音乐播放器

sudo apt-get install gstreamer0.10-fluendo-mpegdemux gstreamer0.10-gnonlin libasound2-plugins

安装flash支持，到官方下载install_flash_player_10_linux.deb（目前的最新版本）

9.设置工具软件

安装腾讯QQ,至腾讯官方网站下载 deb软件包，双击即可安装

安装压缩工具

sudo apt-get install unrar p7zip-full cabextract

安装下载工具（MultiGet），到官方下载deb包，点击安装即可

安装chm阅读器

sudo apt-get install chmsee

安装星际译王辞典（到官方下载你需要的词典），把下载的文件解压后拷贝到/usr/share/stardict/dic 目录下即可（也可以用此命令sudo mv 你解压的文件目录 /usr/share/stardict/dic）

10.安装openoffice3.0

1).卸载老版本的openoffice

sudo apt-get remove openoffice.org*

2).解压下载的OOo_3.0.0_LinuxIntel_install_zh-cn_deb.tar.gz包

3).进入解压后的文件目录

cd /home/yangbo/OOO300_m9_native_packed-1_zh-CN.9358/DEBS

4).sudo dpkg -i *.deb

5). 双击安装/OOO300_m9_native_packed-1_zh-CN.9358/DEBS/desktop-integration/下的deb 文件，就ok！

11.由于我较喜欢使用ibus输入法（所以就安装之，不需要的用户可以省去这一步），到

http://archive.ubuntu.org.cn/ubuntu-cn/dists/intrepid/main/binary-i386/ibus/

下载python-dbus_0.83.0-1_i386.deb

ibus_0.1.1.20081106-1_i386.deb

ibus-pinyin_0.1.1.20081106-1_i386.deb

ibus-table_0.1.1.20081106-1_i386.deb

按照下载的顺序安装，由于我不使用五笔，最后一个文件没有安装

然后使用 sudo im-switch -c 选择ibus输入法。重启系统后就可使用

二、开发工具配置

1.Java安装配置

sudo apt-get install sun-java6-jdk

如果之前你没有安装其他版本的java，就不需要设置，否则请参考（http://wiki.ubuntu.org.cn/index.php?title=Java%E5%AE%89%E8%A3%85%E9%85%8D%E7%BD%AE&variant=zh-cn）

java中文支持（或乱码的解决）：java程序是跨平台的，但需要解决中文支持问题。

方法很简单，就是在java安装目录下放进去一个中文字体即可。

cd /usr/lib/jvm/java-6-sun/jre/lib/fonts

sudo mkdir fallback

cd fallback

sudo ln -s /usr/share/fonts/truetype/wqy/wqy-zenhei.ttf(把某个中文字体链接进 fallback 目录，我选了最新的文泉驿夸父字体)

sudo mkfontdir

sudo mkfontscale

2.安装NetBeans

到官方下载（最新版本为6.5），下载后的文件为*.sh文件

用如下命令安装：sudo ./(文件名).sh，按提示即可（可以选择安装目录，我选择opt目录下）

3.安装tomcat，eclipse都很简单，把下载后的文件解压后放到opt目录即可（建立eclipse的快捷方式不用我说了吧）

4.安装数据库

安装 MySQL（可以参考http://wiki.ubuntu.org.cn/index.php?title=MySQL%E5%AE%89%E8%A3%85%E6%8C%87%E5%8D%97&variant=zh-cn）

sudo apt-get install mysql-server mysql-client

配置MySQL编码

sudo gedit /etc/mysql/my.cnf

在如下位置添加

[client]

default-character-set=utf8

[mysqld]

default-character-set=utf8

init_connect=’SET_NAMES_utf8′

安装Oracle xe 10g（到官方下载oracle-xe-universal_10.2.0.1-1.0_i386.deb包，可以参考http://hi.baidu.com/colleage/blog/item/e9dc208d2e4d2115b21bba45.html安装）

5.安装apache2和PHP支持

sudo apt-get install apache2

sudo apt-get install libapache2-mod-php5

sudo apt-get install php5 php5-gd php5-mysql

6.安装phpmyadmin

sudo apt-get install phpmyadmin

可能还需要安装php5-mcrypt

sudo apt-get install php5-mcrypt

巩固Apache配置的安全方法20则

admin — Tue, 24 Feb 2009 08:02:02 +0000

声明：关于安全的事情没有保证的或者绝对的。这些建议可以让你的服务器更安全，但不要认为遵循这些建议后你的服务器就理所当然是安全的。另外，在这些建议中有的建议可能会降低服务器性能或者因为你的环境引起问题。建议所作的任何改变是否适合你的需求完全由你决定。换句话说，那是你的风险。

一、确保你安装的是最新的补丁

如果门是敞开的话，在窗户上加锁就毫无意义。同样道理，如果你没有打补丁，继续下面的操作就没有什么必要。

二、隐藏Apache的版本号及其它敏感信息

默认情况下，很多Apache安装时会显示版本号及操作系统版本，甚至会显示服务器上安装的是什么样的Apache模块。这些信息可以为黑客所用，并且黑客还可以从中得知你所配置的服务器上的很多设置都是默认状态。
这里有两条语句，你需要添加到你的httpd.conf文件中：

ServerSignature Off
ServerTokens Prod

ServerSignature 出现在Apache所产生的像404页面、目录列表等页面的底部。ServerTokens目录被用来判断Apache会在Server HTTP响应包的头部填充什么信息。如果把ServerTokens设为Prod，那么HTTP响应包头就会被设置成：

Server：Apache
如果你非常想尝试其它事物，你可以通过编辑源代码改成不是Apache的其它东西，或者你可以通过下面将要介绍的mod_security实现。

三、确保Apache以其自身的用户账号和组运行

有的Apache安装过程使得服务器以nobody的用户运行，所以，假定Apache和你的邮件服务器都是以nobody的账号运行的，那么通过Apache发起的攻击就可能同时攻击到邮件服务器，反之亦然。

User apache
Group apache
四、确保web根目录之外的文件没有提供服务BSD爱好者乐园b!fpH Tb#H,W
我们不让Apache访问web根目录之外的任何文件。假设你的所以web站点文件都放在一个目录下（例如/web），你可以如下设置：

Order Deny,Allow
Deny from all

Options None

AllowOverride None

Order Allow,Deny

Allow from all

注意，因为我们设置Opitins None 和AllowOverride None，这将关闭服务器的所有Option和Override。你现在必须明确把每个目录设置成Option或者Override。

五、关闭目录浏览

你可以在Directory标签内用Option命令来实现这个功能。设置Option为None或者－Indexes。

Options -Indexes

六、关闭includes
这也可以通过在Directory标签内使用Option命令来实现。设置Option为None或者－Includes。

Options -Includes

七、关闭CGI执行程序

如果你不用CGI，那么请把它关闭。在目录标签中把选项设置成None或-ExecCGI就可以：

Options -ExecCGI
八、禁止Apache遵循符号链接
同上，把选项设置成None或-FollowSymLinks：
Options -FollowSymLinks
九、关闭多重选项
如果想关闭所有选项，很简单：

Options None

如果只想关系一些独立的选项，则通过将Options做如下设置可实现：

Options -ExecCGI -FollowSymLinks -Indexes
十、关闭对.htaccess文件的支持

在一个目录标签中实现：

AllowOverride None

如果需要重载，则保证这些文件不能够被下载，或者把文件名改成非.htaccess文件。比如，我们可以改成.httpdoverride文件，然后像下面这样阻止所有以.ht打头的文件：

AccessFileName .httpdoverride

Order allow,deny
Deny from all
Satisfy All

十一、运行mod_security

Run mod_security是O’Reilly出版社出版的Apache Security一书的作者，Ivan Ristic所写的一个非常好用的一个Apache模块。可以用它实现以下功能：

·简单过滤
·基于过滤的常规表达式

·URL编码验证
·Unicode编码验证

·审计
·空字节攻击防止

·上载存储限制
·服务器身份隐藏
·内置的Chroot支持
·更多其它功能
十二、关闭任何不必要的模块

Apache通常会安装几个模块，浏览Apache的module documentation，了解已安装的各个模块是做什么用的。很多情况下，你会发现并不需要激活那些模块。

找到httpd.conf中包含LoadModule的代码。要关闭这些模块，只需要在代码行前添加一个#号。要找到正在运行的模块，可以用以下语句：

grep LoadModule httpd.conf

以下模块通常被激活而并无大用：mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi,

ubutu8.10 安装 apache php mysql 实录

admin — Sun, 15 Feb 2009 11:30:38 +0000

ubuntu 安装AMP环境的笔记 Prefork方式与fast-cgi方式

具体步骤如下:

系统:ubuntu 8.10 的发行版本

AMP with Prefork(mod-php5)

一、安装APACHE2

# sudo apt-get install apache2 apache2-mpm-prefork

这样APACHE部分就完成，默认目录是 /var/www

二、进行PHP的环境配置：

# sudo apt-get install php5 libapache2-mod-php5 php5-cli php5-dev php5-gd php5-imagick php5-mcrypt php5-xmlrpc

当然，需要更多的PHP5 extension 便可以自己补完。完成后手动启动模块：

# sudo a2enmod php5

三、MYSQL软件的安装

# sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

MYSQL安装完成之后一切就搞定，通过APT方式安装MYSQL在安装过程当中是必须为MYSQL的ROOT用户设置密码的。

AMP with Worker(fast-cgi)

如果想使用 worker 方式来跑的话必须使用fast-cgi模式，步骤如下：

一、首先安装 apache with mpm-worker：

# sudo apt-get install apache2 apache2-mpm-worker libapache2-mod-fcgid

二、安装和配置PHP部分

# sudo apt-get install php5 php5-cgi php5-cli php5-dev php5-gd php5-imagick php5-mcrypt php5-xmlrpc

三、MYSQL的安装配置

# sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

(MYSQL需要注意的部分同上,up!)

四、配置FAST-CGI模式下的目录

在 … 里加入一下两句话

AddHandler fcgid-script .php

FCGIWrapper /usr/lib/cgi-bin/php5 .php

并在本段的 Option 上多加一个参数 ExecCGI

完成以上工作后，便可以重启apache2进行测试工作~~！

# sudo /etc/init.d/apache2 force-reload

在服务目录中我们放入写有 phpinfo(); 函数的PHP文件，才查看本LAMP环境的参数是否正确。

附录：

一、根据需要调整APACHE的模块

在APACHE部分，首要的编辑就是/etc/apache2/mod-available的目录下的模块加载，你先看看自己需要哪些模块，里面有很多MOD_NAME.load和MOD_NAME.conf然后通过模块添加命令进行添加。

模块添加的命令：

# sudo a2enmod [MOD_NAME]

举例说明：

启用页面压缩的deflate来说，方法如下：

# sudo a2enmod deflate

然后编辑 /etc/apache2/mods-available/deflate.conf ,改为：

DeflateCompressionLevel 6
AddOutputFilterByType DEFLATE text/html text/plain text/xml
AddOutputFilter DEFLATE html htm xml css js

之后重启 apache2 便可完成。

二、关于apache2-mpm-prefork模式和FAST-CGI模式的php.ini文件位置

apache2-mpm-prefork： /etc/php5/apache2/php.ini

FAST-CGI：/etc/php5/cgi/php.ini

特别是在使用eAccelerator或MMCache的时候需要特别注意！

Freebsd下apache与resin整合手册

admin — Wed, 21 Jan 2009 10:35:46 +0000

一、安装freebsd
略
二、安装mysql
略
三、安装apache
略
四、安装php
略
五、安装resin
安装resin等back-end
1 、# cd /usr/ports/www/resin3
2、# make WITH_APACHE2=yes install clean
3、编辑httpd.conf 在后面加入以下内容：

ResinConfigServer localhost 6802

4、设置resin3随机启动
5、 echo ‘resin3_enable=”YES” ‘ >> /etc/rc.conf
6、手动启动resin3
#/usr/local/etc/rc.d/resin3.sh start

六、整合apache与resin
在apache增加二级域名
现在以coopunion.ding9.com 二级域名（虚拟主机）为例
a、在httpd.conf 增加下面内容
Alias /coopunion /usr/local/www/apache22/uniondata/coopunion

Order allow,deny
Allow from all

ServerAdmin webmaster@ding9.net
DocumentRoot /usr/local/www/apache22/uniondata/coopunion
ServerName coopunion.ding9.local
ServerAlias ding9.com
# RewriteEngine on

在resin增加二级域名。
编辑/usr/local/etc/resin3/resin.xml
vi /usr/local/etc/resin3/resin.xml

找到这下一段话:

改为：

再找到下面这段话：

改为下面这样：

4.2、配置resin：

# vi /usr/local/resin/conf/resin.conf

—————————————-

;

—注解：

(这里面，俺用系统本身的127.0.0.1,绑定4个端口做伏在均衡。还可以用不同的ip地址和同一端口，来作。例如：

;

还有些人，喜欢在apache中设置每一个java进程服务一个虚拟，这里俺们不推荐，这样做，就会失去引擎本身的意义。）

;

;/data/web/xcity;

;

－name=”invoker”/>;

;

;/opt/web/sports;

;

……..

….

————————————————–

—注：这里面是基于域名的虚拟主机，如果是针对ip的虚拟主机，在;中，就应该是对应虚拟主机的ip。也就是说，apache和resin关于虚拟主机的地方要保持一致。还有，在resin中，对于每个虚拟主机所用的web-app目录，其实是相对于她的家目录下的/目录。

4.3、配置pureftp

1、添加用户：

# pure-pw useradd xcityr -f /usr/local/pureftp/etc/ftppasswd -u nobody -g nobody -d /data/web/xcity -m

# pure-pw useradd sports -f /usr/local/pureftp/etc/ftppasswd -u nobody -g nobody -d /data/web/sports -m

—注：xcity ：ftp用户

-f ftppasswd：存放用户密码信息的文件

-u 用户uid 一般是系统的一个用户，就是你的ftp用户的家目录的用户

-g 用户组id

-d 锁定用户在家目录

-m 使pureftp.d.passwd写进pureftpd.pdb，使更改生效。

*修改用户：

# pure-pw usermod –help

*删除用户：

# pure-pw userdel ; [-f ;] [-m]

*更改拥护密码：

# pure-pw passwd ; [-f ;] [-m]

*查看用户详细内容：

# pure-pw show ; [-f ;]

*生成db文件，使密码生效：

# pure-pw mkdb [; [-f ;]]

*列出所有用户：

# pure-pw list [-f ;]

5、启动脚本：

当系统在solaris下：

apache和resin的启动脚本：

# vi /etc/rc2.d/S99webapp

——————————-

/usr/local/resin/bin/httpd.sh -pid srun1.pid -server a start

/usr/local/resin/bin/httpd.sh -pid srun2.pid -server b start

/usr/local/resin/bin/httpd.sh -pid srun3.pid -server c start

/usr/local/resin/bin/httpd.sh -pid srun4.pid -server d start

/usr/local/apache2/bin/apachectl start

——————————–

pureftp启动脚本：

——————————–

#!/bin/sh

/usr/local/pureftpd/sbin/pure-ftpd -j -lpuredb:/usr/local/pureftpd/etc/pureftpd.pdb &

———————————–

在linux下，直接放到响应的开机启动等级目录下就ok。

6、总结

apache＋resin应该是个很好的java应用平台。实际使用中，还是有很多技巧。看resin官方论坛的一些资料，说resin3.x以上的版本，对image和html的支持，比apache响应更快。俺对此测试过，感觉还是有所欠缺。所以说，在大型一点的发布平台上，还是要apache和resin结合比较好。

对于resin的负载均衡使用上启动的进程数，俺认为还是要根据自己的机器实际情况来考虑的。少达不到效果，多会机器系统也是一个负载。个人认为，4个可以作为一个默认的选择来考虑。