安装我写了一个脚本.下载后执行就可以了(仅限于centos系统).但是有一个前提:必须在全新安装directadmin面板的机器上安装,这是个已知问题.

安装方法:

wget http://icodex.org/dl/directadmin/install.sh
chmod 755 install.sh
./install.sh

卸载方法:

wget http://icodex.org/dl/directadmin/uninstall.sh
chmod 755 uninstall.sh
./uninstall.sh

更新DA版本后:

wget http://icodex.org/dl/directadmin/reconfigure.sh
chmod 755 reconfigure.sh
./reconfigure.sh

如果有任何建议或疑问,请发邮件给我(admin@evlit.com) 谢谢!

有朋友说安装之后无法使用备份.为此我亲自测试没有发现问题.如果出现权限问题,请管理员检查用户文件系统权限.

Related Posts

• 给DirectAdmin面板增加nginx前端 (3)
• [更新]搭建前后端web生产环境 (21)
• [更新]nginx 自动安装脚本 For cPanel (62)
• 适用于 CentOS 5系列的 Virt-manager 0.8.6 RPM下载 (2)
• Google推出apache加速模块mod_pagespeed (1)

漏洞分析：nginx默认以cgi的方式支持php的运行，譬如在配置文件当中可以

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}

的方式支持对php的解析，location对请求进行选择的时候会使用URI环境变量进行选择，其中传递到后端Fastcgi的关键变量 SCRIPT_FILENAME由nginx生成的$fastcgi_script_name决定，而通过分析可以看 到$fastcgi_script_name是直接由URI环境变量控制的，这里就是产生问题的点。而为了较好的支持PATH_INFO的提取，在PHP 的配置选项里存在cgi.fix_pathinfo选项，其目的是为了从SCRIPT_FILENAME里取出真正的脚本名。

那么假设存在一个http://www.80sec.com/80sec.jpg，我们以如下的方式去访问 http://www.80sec.com/80sec.jpg/80sec.php 将会得到一个URI

/80sec.jpg/80sec.php

经过location指令，该请求将会交给后端的fastcgi处理，nginx为其设置环境变量SCRIPT_FILENAME，内容为

/scripts/80sec.jpg/80sec.php

而在其他的webserver如lighttpd当中，我们发现其中的SCRIPT_FILENAME被正确的设置为

/scripts/80sec.jpg

所以不存在此问题。

后端的fastcgi在接受到该选项时，会根据fix_pathinfo配置决定是否对SCRIPT_FILENAME进行额外的处理，一般情况下如果不 对fix_pathinfo进行设置将影响使用PATH_INFO进行路由选择的应用，所以该选项一般配置开启。Php通过该选项之后将查找其中真正的脚 本文件名字，查找的方式也是查看文件是否存在，这个时候将分离出SCRIPT_FILENAME和PATH_INFO分别为

/scripts/80sec.jpg和80sec.php

最后，以/scripts/80sec.jpg作为此次请求需要执行的脚本，攻击者就可以实现让nginx以php来解析任何类型的文件了。

POC：访问一个nginx来支持php的站点，在一个任何资源的文件如robots.txt后面加上/80sec.php，这个时候你可以看到如下的区别：

访问http://www.80sec.com/robots.txt

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

访问访问http://www.80sec.com/robots.txt/80sec.php

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6

其中的Content-Type的变化说明了后端负责解析的变化，该站点就可能存在漏洞。

漏洞厂商：http://www.nginx.org

解决方案：

我们已经尝试联系官方，但是此前你可以通过以下的方式来减少损失

关闭cgi.fix_pathinfo为0

或者

if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}

PS: 鸣谢laruence大 牛在分析过程中给的帮助

转载自: nginx文件类型错误解析漏洞:http://www.80sec.com/nginx-securit.html

Related Posts

• [更新]适用于Directadmin面板的Nginx自动安装脚本 (55)
• 给DirectAdmin面板增加nginx前端 (3)
• [更新]搭建前后端web生产环境 (21)
• [更新]nginx 自动安装脚本 For cPanel (62)
• 为nginx虚拟主机配置startssl免费https证书 (5)

Related Posts

• [更新]适用于Directadmin面板的Nginx自动安装脚本 (55)
• [更新]搭建前后端web生产环境 (21)
• [更新]nginx 自动安装脚本 For cPanel (62)
• Google推出apache加速模块mod_pagespeed (1)
• nginx文件类型错误解析漏洞 (0)

为什么不使用nginx+php(fastcgi)作为生产环境?

1. php(fastcgi)不够稳定,容易出现50x错误,在生成相对复杂的页面时没有优势,长时间占用也会使php-cgi进程死去.
2. 在安全性,多用户多站点的权限问题比较严重.php(fastcgi)在应对多用户多站点往往捉襟见肘,不易于实施.
3. 整合其他语言,apache表现得游刃有余.资源利用恰到好处.

为什么采用nginx做前端,apache作为后端的方案?nginx在处理静态内容上较apache是几倍或几十倍的差异,因而放在前面过滤静态内容是最为恰当的.同时nginx也是一个负载均衡器,低资源消耗,高性能转发是它的特点.经过nginx在前面的过滤,后端的apache需要处理的内容相对就比较少了.只需负责处理动态内容就可以了.在性能与稳定性的权衡下,使用nginx+apache搭配会让它们在各自擅长的领域展现自身的价值.

本教程以CentOS 5.4 32bit为环境.其他Linux发行版本暂未测试.nginx,php,apache,mysql,pureftpd均为最新稳定版.

获取操作系统源更新.

yum update
yum -y install gcc gcc-c++ bison patch unzip mlocate flex wget automake autoconf gd cpp gettext readline-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel libidn libidn-devel openldap openldap-devel openldap-clients openldap-servers nss_ldap expat-devel libtool libtool-ltdl-devel

如果系统默认安装了apache,请先卸载.执行:

yum remove httpd

下载最新稳定版的程序源码包,以下都是到官方网站或sourceforge下载的源码包.

cd /usr/local/src
wget http://dev.mysql.com/get/Downloads/MySQL-5.1/mysql-5.1.45.tar.gz/from/http://mysql.he.net/
wget http://www.apache.org/dist/httpd/httpd-2.2.15.tar.gz
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz
wget http://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.bz2/download
wget http://sourceforge.net/projects/mcrypt/files/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz/download
wget http://sourceforge.net/projects/mhash/files/mhash/0.9.9.9/mhash-0.9.9.9.tar.bz2/download
wget http://www.php.net/get/php-5.2.13.tar.gz/from/this/mirror
wget http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/php5-mail-header.patch
wget http://pecl.php.net/get/memcache-2.2.5.tgz
wget http://bart.eaccelerator.net/source/0.9.6/eaccelerator-0.9.6.tar.bz2
wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick.tar.gz
wget http://pecl.php.net/get/imagick-2.3.0.tgz
wget http://download.suhosin.org/suhosin-0.9.29.tgz
wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
wget http://downloads.zend.com/optimizer/3.3.9/ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
wget http://monkey.org/~provos/libevent-1.4.13-stable.tar.gz
wget http://memcached.googlecode.com/files/memcached-1.4.4.tar.gz
wget http://sourceforge.net/projects/pcre/files/pcre/8.01/pcre-8.01.tar.gz/download
wget http://nginx.org/download/nginx-0.7.65.tar.gz
wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.28.tar.gz

一.安装Mysql.安装最新稳定版5.1.45版本,并没有采用最新开发版.

groupadd mysql -g 27
useradd mysql -u 27 -g 27 -c "MySQL Server" -d /var/lib/mysql -m
cd /usr/local/src
tar -zxf mysql-5.1.45.tar.gz
cd mysql-5.1.45
./configure --prefix=/usr/local/mysql --localstatedir=/var/lib/mysql --with-unix-socket-path=/var/lib/mysql/mysql.sock --with-mysqld-user=mysql --enable-assembler --enable-thread-safe-client --with-extra-charsets=all --with-big-tables --with-readline --with-ssl --with-embedded-server --enable-local-infile --with-plugins=partition,innodb_plugin,myisam,myisammrg
make && make install
cd ../

cp /usr/local/mysql/share/mysql/my-medium.cnf /etc/my.cnf
/usr/local/mysql/bin/mysql_install_db --user=mysql
chown -R mysql.mysql /var/lib/mysql
chgrp -R mysql /usr/local/mysql/.
cp /usr/local/mysql/share/mysql/mysql.server /etc/init.d/mysql
chmod u+x /etc/init.d/mysql
chkconfig --level 345 mysql on
echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
echo "/usr/local/lib" >>/etc/ld.so.conf
ldconfig
ln -s /usr/local/mysql/lib/mysql /usr/lib/mysql
ln -s /usr/local/mysql/include/mysql /usr/include/mysql
ln -s /usr/local/mysql/bin/mysql_config /usr/bin/mysql_config
service mysql start
/usr/local/mysql/bin/mysqladmin -u root password root
service mysql restart
service mysql stop

二.编译安装apache(httpd).apache的执行用户为nobody.

cd /usr/local/src
tar -zxf httpd-2.2.15.tar.gz
cd httpd-2.2.15
./configure --prefix=/usr/local/apache --enable-headers --enable-mime-magic --enable-proxy --enable-rewrite --enable-ssl --enable-suexec  --disable-userdir --with-included-apr --with-mpm=prefork --with-ssl=/usr --with-suexec-caller=nobody --with-suexec-docroot=/ --with-suexec-gidmin=100 --with-suexec-logfile=/usr/local/apache/logs/suexec_log --with-suexec-uidmin=100 --with-suexec-userdir=public_html
make
make install
mkdir /usr/local/apache/domlogs
cp /usr/local/apache/bin/apachectl /etc/init.d/httpd

1.编辑/etc/init.d/httpd,在首行#!/bin/sh下添加:

# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server.  It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /usr/local/apache/logs/httpd.pid
# config: /usr/local/apache/conf/httpd.conf

ulimit -n 1024
ulimit -n 4096
ulimit -n 8192
ulimit -n 16384
ulimit -n 32768

保存退出.

2.配置apache配置参数文件httpd.conf,位于/usr/local/apache/conf/目录

cd /usr/local/apache/conf/
mv httpd.conf httpd.conf.bak
mkdir vhosts
vi httpd.conf

输入以下内容:

PidFile logs/httpd.pid
LockFile logs/accept.lock
ServerRoot "/usr/local/apache"
Listen 0.0.0.0:81
User nobody
Group nobody
ServerAdmin admin@evlit.com
ServerName host.evlit.com

Timeout 300
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 5
UseCanonicalName Off
AccessFileName .htaccess
TraceEnable Off
ServerTokens ProductOnly
FileETag None
ServerSignature Off
HostnameLookups Off

# LoadModule perl_module modules/mod_perl.so

DocumentRoot "/usr/local/apache/htdocs"
<Directory "/">
 Options ExecCGI FollowSymLinks Includes IncludesNOEXEC -Indexes -MultiViews SymLinksIfOwnerMatch
 Order allow,deny
 Allow from all
 AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
 Options Includes -Indexes FollowSymLinks
 AllowOverride None
 Order allow,deny
 Allow from all
</Directory>

DefaultType text/plain
RewriteEngine on
AddType text/html .shtml
AddHandler cgi-script .cgi .pl .plx .ppl .perl
AddHandler server-parsed .shtml
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/perl .pl .plx .ppl .perl
    AddType application/x-img .img
    AddType application/x-httpd-php .php .php3 .php4 .php5 .php6
    AddType application/x-httpd-php-source .phps
    AddType application/cgi .cgi
    AddType text/x-sql .sql
    AddType text/x-log .log
    AddType text/x-config .cnf conf
    AddType text/x-registry .reg
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddType application/x-tar .tgz
    AddType application/rar .rar
    AddType application/x-compressed .rar
    AddType application/x-rar .rar
    AddType application/x-rar-compressed .rar
    AddType text/vnd.wap.wml .wml
    AddType image/vnd.wap.wbmp .wbmp
    AddType text/vnd.wap.wmlscript .wmls
    AddType application/vnd.wap.wmlc .wmlc
    AddType application/vnd.wap.wmlscriptc .wmlsc
</IfModule>

<IfModule dir_module>
 DirectoryIndex index.html index.htm index.shtml index.php index.perl index.pl index.cgi
</IfModule>

<Files ~ "^error_log$">
 Order allow,deny
 Deny from all

 Satisfy All
</Files>

<FilesMatch "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</FilesMatch>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common

 <IfModule logio_module>
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
 </IfModule>
 CustomLog "logs/access_log" common
</IfModule>

<IfModule alias_module>
 ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>

<Directory "/usr/local/apache/cgi-bin">
 AllowOverride None
 Options None
 Order allow,deny
 Allow from all
</Directory>

<IfModule mpm_prefork_module>
 StartServers          3
 MinSpareServers       3
 MaxSpareServers       5
 MaxClients          150
 MaxRequestsPerChild   1024
</IfModule>

<IfModule mod_headers.c>
<FilesMatch "\.(html|htm|shtml)$">
Header set Cache-Control "max-age=3600, must-revalidate"
</FilesMatch>
</IfModule>

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

Include conf/extra/httpd-languages.conf

<Location /server-status>
 SetHandler server-status
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Location>
ExtendedStatus On

<Location /server-info>
 SetHandler server-info
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Location>

<IfModule ssl_module>
Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

#Vhosts
NameVirtualHost 127.0.0.1:81
NameVirtualHost *

<VirtualHost 127.0.0.1:81 *>
 ServerName host.evlit.com
 DocumentRoot /var/www/html
 ServerAdmin admin@evlit.com
</VirtualHost>

Include conf/vhosts/*

上述虚拟主机配置中出现的127.0.0.1请改为你本机公网IP.

三.编译安装php(mod_php)

1.编译安装相关支持库

cd /usr/local/src
tar -zxf libiconv-1.13.1.tar.gz
cd libiconv-1.13.1/
./configure
make
make install

cd /usr/local/src
tar -jxf libmcrypt-2.5.8.tar.bz2
cd libmcrypt-2.5.8/
./configure
make
make install
/sbin/ldconfig
cd libltdl/
./configure --enable-ltdl-install
make
make install

cd /usr/local/src
tar -jxf mhash-0.9.9.9.tar.bz2
cd mhash-0.9.9.9/
./configure
make
make install

ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1

cd /usr/local/src
tar -zxf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8/
/sbin/ldconfig
./configure
make
make install

2.编译php,这里为php打入补丁.有助于防止邮件发送被滥用(多用户)以及在邮件中提供有价值的信息.补丁介绍信息请访问:http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/

cd /usr/local/src
tar -zxf php-5.2.13.tar.gz
patch -d php-5.2.13 -p1 < php5-mail-header.patch
cd php-5.2.13
./configure --prefix=/usr/local --with-config-file-path=/etc --with-apxs2=/usr/local/apache/bin/apxs --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-mbstring --enable-pdo=shared --enable-soap --enable-sockets --enable-zip --with-bz2 --with-curl --with-curlwrappers --with-freetype-dir --with-gd --with-gettext --with-jpeg-dir --with-kerberos --with-libexpat-dir=/usr --with-libxml-dir=/usr --with-mcrypt=/usr --with-mhash=/usr --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=/usr/bin/mysql_config --with-openssl=/usr --with-openssl-dir=/usr --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-sqlite=shared --with-ttf --with-xmlrpc --with-zlib -with-zlib-dir=/usr
make ZEND_EXTRA_LIBS='-liconv'
make install
cp php.ini-dist /etc/php.ini

3.安装php扩展模块

cd /usr/local/src
tar -zxf memcache-2.2.5.tgz
cd memcache-2.2.5/
phpize
./configure --with-php-config=/usr/local/bin/php-config --with-zlib-dir --enable-memcache
make
make install

cd /usr/local/src
tar -jxf eaccelerator-0.9.6.tar.bz2
cd eaccelerator-0.9.6/
phpize
./configure --enable-eaccelerator=shared --with-php-config=/usr/local/bin/php-config
make
make install
mkdir -p /tmp/eaccelerator
chmod 777 /tmp/eaccelerator
echo "mkdir -p /tmp/eaccelerator" >> /etc/rc.local
echo "chmod 777 /tmp/eaccelerator" >> /etc/rc.local

cd /usr/local/src
tar -zxf ImageMagick.tar.gz
cd ImageMagick-*
./configure
make
make install

cd /usr/local/src
tar -zxf imagick-2.3.0.tgz
cd imagick-2.3.0/
phpize
./configure --with-php-config=/usr/local/bin/php-config
make
make install

cd /usr/local/src
tar -zxf suhosin-0.9.29.tgz
cd suhosin-0.9.29
phpize
./configure
make
make install

cd /usr/local/src
tar -zxf ioncube_loaders_lin_x86.tar.gz
cd ioncube
mkdir /usr/local/ioncube
mv ioncube_loader_lin_5.2.so /usr/local/ioncube/

cd /usr/local/src
tar -zxf ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
mkdir -p /usr/local/Zend/lib/Optimizer-3.3.9/php-5.2.x
cp ZendOptimizer-3.3.9-linux-glibc23-i386/data/5_2_x_comp/ZendOptimizer.so /usr/local/Zend/lib/Optimizer-3.3.9/php-5.2.x/ZendOptimizer.so

3.1.修改php.ini.

查找/etc/php.ini中的extension_dir = "./".将其修改为extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20060613/"
查找;include_path = ".:/php/includes",删除前面的分号,并修改为include_path = ".:/usr/lib/php:/usr/local/lib/php"
跳到最后一行,然后添加以下内容:

extension = "memcache.so"
extension = "pdo.so"
extension = "pdo_mysql.so"
extension = "pdo_sqlite.so"
extension = "sqlite.so"
extension = "eaccelerator.so"
eaccelerator.shm_size = 32
eaccelerator.cache_dir = "/tmp/eaccelerator"
eaccelerator.enable = 1
eaccelerator.optimizer = 0
eaccelerator.debug = 0
eaccelerator.name_space = ""
eaccelerator.check_mtime = 1
eaccelerator.filter = ""
eaccelerator.shm_max = 0
eaccelerator.shm_ttl = 3600
eaccelerator.shm_prune_period = 3600
eaccelerator.shm_only = 0
eaccelerator.compress = 0
eaccelerator.compress_level = 9
eaccelerator.keys = shm
eaccelerator.sessions = shm
eaccelerator.content = shm

zend_extension = "/usr/local/ioncube/ioncube_loader_lin_5.2.so"
zend_extension = "/usr/local/Zend/lib/Optimizer-3.3.9/php-5.2.x/ZendOptimizer.so"

4,安装Memcached(可选)

cd /usr/local/src
tar -xzf libevent-1.4.13-stable.tar.gz
cd libevent-1.4.13-stable
./configure
make
make install
echo "/usr/local/lib/" > /etc/ld.so.conf.d/libevent.conf
ldconfig -v

cd /usr/local/src
tar -xzf memcached-1.4.4.tar.gz
cd memcached-1.4.4
./configure
make
make install

基本使用方法:

启动:/usr/local/bin/memcached -d -m 64 -p 11211 -u nobody -l localhost
关闭:killall -9 memcached

四.安装nginx

1.安装pcre库

cd /usr/local/src
tar -zxf pcre-8.01.tar.gz
cd pcre-8.01
./configure
make
make install

2.安装nginx

cd /usr/local/src
tar -zxf nginx-0.7.65.tar.gz
cd nginx-0.7.65
./configure --user=nobody --group=nobody --prefix=/usr/local/nginx --pid-path=/usr/local/nginx/logs/nginx.pid --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --http-client-body-temp-path=/tmp/nginx_client --http-proxy-temp-path=/tmp/nginx_proxy --http-fastcgi-temp-path=/tmp/nginx_fastcgi --with-http_stub_status_module
make
make install

2.1.添加init控制脚本

#! /bin/sh
ulimit -n 65535
# Description: Startup script for nginx
# chkconfig: 2345 55 25

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="nginx daemon"
NAME=nginx
DAEMON=/usr/local/nginx/sbin/$NAME
CONFIGFILE=/usr/local/nginx/conf/nginx.conf
PIDFILE=/usr/local/nginx/logs/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

set -e
[ -x "$DAEMON" ] || exit 0

do_start() {
 $DAEMON -c $CONFIGFILE || echo -n "nginx already running"
}

do_stop() {
 kill -INT `cat $PIDFILE` || echo -n "nginx not running"
}

waitforexit() {
 count=${2:-30}
 while [ 0$count -gt 0 ]
 do
   PIDS=`ps -C$NAME --no-heading e | grep $DAEMON` || break
   PIDS=`echo "$PIDS" | awk '{print $1}' | tr '\n' ' '`
   echo Remaining processes: $PIDS
   do_stop
   sleep 2
   count=`expr $count - 1`
 done
 if [ 0$count -eq 0 ];
 then
   echo Remaining processes: $PIDS
   return 1
 fi
 return 0
}

do_reload() {
kill -HUP `cat $PIDFILE` || echo -n "nginx can't reload"
}

case "$1" in
 start)
 echo -n "Starting $DESC: $NAME"
 do_start
 echo "."
 /etc/init.d/httpd start
 ;;
 stop)
 echo -n "Stopping $DESC: $NAME"
 do_stop
 echo "."
 /etc/init.d/httpd stop
 ;;
 reload)
 echo -n "Reloading $DESC configuration..."
 do_reload
 echo "."
 /etc/init.d/httpd restart
 ;;
 restart)
 echo -n "Restarting $DESC: $NAME"
 waitforexit "nginx" 20
 do_start
 echo "."
 /etc/init.d/httpd restart
 ;;
 *)
 echo "Usage: $SCRIPTNAME {start|stop|reload|restart}" >&2
 exit 3
 ;;
esac

exit 0

保存退出,给该文件赋予执行权限并设置开机启动

chmod 755 /etc/init.d/nginx
chkconfig --level 345 nginx on

2.2.修改nginx配置文件,位于:/usr/local/nginx/conf/目录

mkdir -p /var/cache/nginx/cached
chmod 600 /var/cache/nginx/cached
cd /usr/local/nginx/conf/
mv nginx.conf nginx.conf.bak
mkdir vhosts
vi nginx.conf

输入以下内容:

worker_processes  2;
worker_rlimit_nofile  20480;
events {
worker_connections  20480;
use epoll;
}
error_log  /usr/local/nginx/logs/error.log info;
http {
server_name_in_redirect off;
server_names_hash_max_size 2048;
server_names_hash_bucket_size 256;
include    mime.types;
default_type  application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout  60;
gzip on;
gzip_http_version 1.0;
gzip_min_length  1100;
gzip_comp_level  3;
gzip_buffers  4 32k;
# gzip_types    text/plain application/x-javascript text/xml text/css;
gzip_types    text/plain text/xml text/css application/x-javascript application/xml application/xml+rss text/javascript application/atom+xml;
ignore_invalid_headers on;
client_header_timeout  300;
client_body_timeout 300;
send_timeout     30;
reset_timedout_connection on;
connection_pool_size  256;
client_header_buffer_size 256k;
large_client_header_buffers 4 256k;
request_pool_size  32k;
output_buffers   4 32k;
postpone_output  1460;
proxy_cache_path  /var/cache/nginx/cached levels=2:2 keys_zone=global:100m inactive=60m max_size=500m;
proxy_temp_path  /tmp/nginx_proxy;
include "/usr/local/nginx/conf/vhosts/*.conf";
}

保存退出.

五.为apache安装rpaf模块,该模块用于apache做后端时获取访客真实的IP.

1.使用apxs安装模块.这里要使用此前apache编译安装后的apxs

cd /usr/local/src/
tar -zxf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
/usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

2.编辑/usr/local/apache/conf/httpd.conf,添加模块参数,查找LoadModule php5_module modules/libphp5.so,在下方添加:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
#Mod_rpaf settings
RPAFenable On
RPAFproxy_ips 127.0.0.1 [your_ips]
RPAFsethostname On
RPAFheader X-Forwarded-For

上面出现的[your_ips]请修改为你本机所监听web服务的ip.多个IP用空格空开.

六.安装ftp服务器:pure-ftpd

1.编译安装

cd /usr/local/src/
tar -zxf pure-ftpd-1.0.28.tar.gz
cd pure-ftpd-1.0.28
./configure --prefix=/usr/local/pureftpd --with-language=simplified-chinese --with-everything
make
make install
chmod 755 configuration-file/pure-config.pl
cp configuration-file/pure-config.pl /usr/local/pureftpd/sbin/
mkdir /usr/local/pureftpd/etc/
cp configuration-file/pure-ftpd.conf /usr/local/pureftpd/etc/
ln -s /usr/local/pureftpd/bin/pure-pw /usr/local/bin/

2.配置pure-ftpd,这里采用PureDB的验证方式.

vi /usr/local/pureftpd/etc/pure-ftpd.conf

查找 PureDB /etc/pureftpd.pdb 取消前面的#号并设置成PureDB/usr/local/pureftpd/etc/pureftpd.pdb
查找 PassivePortRange 取消前面的#号
其他参数根据需要进行修改

3.添加自启动.这里不创建init脚本.直接放在/etc/rc.local启动即可

echo "/usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf --daemonize" >> /etc/rc.local

至此.所有安装工作结束.

如何使用这套系统

一,做好必要的安全工作

设置用户家目录/home/user,相关配置参数文件,以及访问日志等目录的权限.

chmod 711 /home
chmod 711 /usr/local/pureftpd/etc
chmod 711 /usr/local/apache/conf/vhosts
chmod 711 /usr/local/nginx/conf/vhosts
chmod 711 /usr/local/apache/domlogs
chmod 711 /usr/local/apache/logs
chmod 600 /var/cache/nginx/cached

二,如何创建用户

创建用户分两个步骤.第一步创建系统用户.该命令直接创建用户家目录.第二步创建ftp用户.创建该用户依赖系统用户的创建.步骤如下(以创建用户名为admin为例):

useradd admin -m -s /sbin/nologin
pure-pw useradd admin -u admin -g admin -d /home/admin -m[第一次执行不可用]
pure-pw mkdb[仅限第一次执行]

注意.通过上述方法安装的ftp服务器在第一次创建用户的时候不可以在pure-pw useradd ...后直接添加参数-m更新ftp用户数据库.需要分两步执行.以后可以直接在创建用户时在后面添加参数-m,执行之后会提示让你输入密码.需要重复输入两次.

三.如何绑定域名

由于采用前后端操作.因此需要修改两个服务器软件的虚拟主机参数.实例如下(以admin.com为例,用户目录承接上文的/home/admin):

1.创建nginx虚拟主机参数

首先先把公共cache参数和proxy参数写进文件中

cd /usr/local/nginx/conf
touch cache.inc proxy.inc

然后分别编辑者两个文件。

vi cache.inc

proxy_cache       global;
proxy_cache_key   $host$uri$is_args$args;
#proxy_cache_valid 200 302 10m;
#proxy_cache_valid 301 1h;
#proxy_cache_valid any 1m;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
proxy_temp_file_write_size 64k;
proxy_max_temp_file_size   56m;

vi proxy.inc

proxy_connect_timeout 30s;
proxy_send_timeout   300;
proxy_read_timeout   300;
proxy_buffer_size    64k;
proxy_buffers     16 32k;
proxy_busy_buffers_size 64k;
#proxy_pass http://127.0.0.1:81;
proxy_redirect  off;
proxy_hide_header  Vary;
proxy_set_header   Host   $host;
proxy_set_header   X-Real-IP  $remote_addr;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

然后再编辑虚拟主机文件就会很清晰了

cd /usr/local/nginx/conf/vhosts
touch admin.com.conf
vi admin.com.conf
输入以下内容:

server {
error_log /var/log/nginx/vhost-error_log warn;
listen 127.0.0.1:80;
server_name admin.com www.admin.com;
access_log /usr/local/apache/domlogs/admin.com combined;
location / {
root /home/admin/public_html;
proxy_cache_valid 200 301 302 10m;
proxy_cache_valid any 1m;
expires 1d;
proxy_pass http://127.0.0.1:81;
include proxy.inc;
include cache.inc;
}
location ~ .*\.(jpg|jpeg|png|gif|bmp|ico|js|css|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
proxy_cache_valid  200 10s;
expires 7d;
proxy_pass http://127.0.0.1:81;
include proxy.inc;
include cache.inc;
}
location ~ .*\.(php|jsp|cgi)?$ {
proxy_pass http://127.0.0.1:81;
include proxy.inc;
}
location ~ /\.ht {
deny all;
}
}

保存退出,注意将上述出现的127.0.0.1替换本机监听web服务的IP

2.创建apache虚拟主机配置文件

cd /usr/local/apache/conf/vhosts
touch admin.com.conf
vi admin.com.conf
输入以下内容:

<VirtualHost 127.0.0.1:81>
 ServerName admin.com
 ServerAlias www.admin.com
 DocumentRoot /home/admin/public_html
 ServerAdmin admin@evlit.com
 UseCanonicalName Off
 php_admin_value open_basedir "/home/admin:/usr/lib/php:/usr/local/lib/php:/tmp"
 <IfModule !mod_disable_suexec.c>
 SuexecUserGroup admin admin
 </IfModule>
 ScriptAlias /cgi-bin/ /home/admin/public_html/cgi-bin/
</VirtualHost>

保存退出,注意将上述出现的127.0.0.1替换本机监听web服务的IP,用户名admin改为虚拟主机用户的名称.

四.如何管理MySQL数据库

1.下载最新版PhpMyAdmin源码包

mkdir -p /var/www/html
chmod -R 711 /var/www
cd /var/www/html
wget http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.3.3/phpMyAdmin-3.3.3-all-languages.zip/download
unzip phpMyAdmin-3.3.3-all-languages.zip
mv phpMyAdmin-3.3.3-all-languages phpmyadmin

2.增加apache配置,编辑httpd.conf,转到最后一行

cd /usr/local/apache/conf
vi httpd.conf /* shift+g转到最后一行 */
#Managed Tools
<VirtualHost 127.0.0.1:81 *>
ServerName localhost
ServerAlias pma.*
DocumentRoot /var/www/html/phpmyadmin
ServerAdmin admin@localhost
UseCanonicalName Off
</VirtualHost>

同样,修改上述出现的127.0.0.1为你提供web服务的IP.重启apache后.我们打开绑定到服务器IP的pma.yourdomain.com即可访问到phpmyadmin.第一次使用.需要进行配置.具体配置请善用Google.

其他没有照顾到的地方自行添加即可.如perl,sendmail等.

为方便管理员添加用户及绑定域名.我编写了一个脚本.

wget http://icodex.org/vhosts
chmod 755 vhosts
./vhosts

本文地址为:http://icodex.org/2010/03/nginx-apache-guide/

--------------------------------- END ---------------------------------

Related Posts

• [更新]适用于Directadmin面板的Nginx自动安装脚本 (55)
• 给DirectAdmin面板增加nginx前端 (3)
• [更新]nginx 自动安装脚本 For cPanel (62)
• Google推出apache加速模块mod_pagespeed (1)
• nginx文件类型错误解析漏洞 (0)

2010-11-08 updated 此版本暂不支持cpanel 11.26以上的版本.

为cPanel主机添加nginx服务器软件,这样可以让nginx跑在前端处理静态文件,并且加装nginx后的资源消耗比单纯跑apache少很多.在找cPanel hack的资料的时候,刚好看到cPanel官方论坛上的一个牛人写的一个安装脚本,仔细拜读了一遍代码之后,决定在自己的cPanel服务器上安装.在使用过程中也渐渐发现了一些可以优化.可以增加的特性,主要是nginx上的一些新特性,籍由这些特性,完成了平时似乎不能完成的功能,例如在高并发的机器上实现的服务器端的缓存功能,以及nginx作为前端的时候使用.htaccess进行目录保护.这些特性都大大方便了我们的使用.

这里引用cPanel Forums上的帖子.作者blargman写了一个专门为cPanel打造的nginx自动安装脚本.

Evidently I don't know hot to post in the right forum.

This is an automated nginx installer for cpanel. Integrates so that domain adding/removal is all done automatically.
Some people had asked for cpanel support. In lieu of that, this does pretty much everything I can think of that they would do. It creates a vhost for each domain/addon/subdomain and serves up static content.

Let me know if you have any thoughts/questions or better yet suggestions.
http://blargman.com/public.tar

以上是作者原文,原文地址:点击这里.

安装方法很简单(建议做好备份),如下:

cd /usr/local/src
wget http://blargman.com/public.tar
tar xf public.tar
cd publicnginx
./nginxinstaller install

安装好之后,重启nginx,执行命令:/etc/init.d/nginx restart.Nginx的配置文件均在/etc/nginx当中,各用户绑定的域名(附加域,子域等)均在/etc/nginx/vhosts

卸载:

进入publicnginx目录后执行./nginxinstaller uninstall.

-------------------------------------------------------------------------------------------------------------------------------------

我在作者编写代码的基础上增加了缓存功能,以及更多功能上的支持,例如防盗链,自定义错误页面等.为方便大家使用.做出的修改我已经打包成修改版的安装包.

有朋友问到我的版本和论坛里原版本的差别是在哪.我的版本解决了哪些问题.这是大部分用户的问题,这里集中进行回答.

1.完善的目录密码保护功能 -- 这个在原作者的安装包里面,并不能做到,原因在于没有对401状态码进行判断.
2.伪静态功能的实现 -- 不管你的是以html结尾的还是以"/" 结尾的URL地址,nginx会提前判断文件系统中是否存在该文件/目录,如果不存在,那么就会匹配到后端的apache.后端的apache根据.htaccess文件的设置,进行页面的展示,前端nginx获取到内容后便进行压缩,然后传递给访客浏览器中.
3.访问日志准确记录 -- 原作者的安装包中,是nginx与apache共用同个日志文件进行记录.nginx记录静态页面的访问信息,apache记录动态页面访问信息,理论上可行.但在实际使用中,我发现了这个问题.这个问题一个突破口在于对后缀.html匹配的时候,同时查询了前端nginx及后端的apache.这样就造成了日志的重复.另外一个是一些没有匹配到的后缀,前端不仅处理了访客的请求并进行记录,还会向后端发起请求查询.但由于大文件不会很快就传输完毕,因此即便设置了keepalive也无济于事.在我的安装包中,我将后端的用户配置中非加密端口的日志功能取消了,完全由前端的nginx进行记录.
4.日志切割问题 -- 这个问题来自前面说的第3点修改,如果只是修改了第3点而没有进行这一步,那么就会碰到一个问题:当执行用户访问日志切割并转为统计页面展示给用户看,系统会自动将用户的日志删除,导致这之后的日志访问信息丢失直至下次nginx重启.在对cpanel日志统计进程的跟踪后,找出/usr/local/cpanel/bin/safeapacherestart这行.这行的作用是让日志切割后的apache可以安全的重新启动.解决办法就是一改作者重启nginx的方式,我将重启nginx的信息加入apache的重启命令中,以后只需要对apache进行命令操作就可以了.
5.泛域名解析 -- cpanel支持泛域名解析,而且在作为主机商而言,泛域名也是一个特色,需要用起来.但是作者的版本以及我之前修改的版本中,并没有对这块进行支持,一旦客户绑定了泛域名,就会使nginx无法启动,全部用户的网站受影响.那么这次的更新就包含了这个功能.
6.基于proxy_cache的缓存系统 -- 这个是我添加的,为可选功能.

另外需要注意的,网友们提到的一个是重启nginx后的那一串提示.这个警告信息是提示你主机名存在错误,不影响使用.

安装方法与作者原版一样.请执行如下安装!

cd /usr/local/src
wget http://icodex.org/public.tar
tar xf public.tar
cd publicnginx
./nginxinstaller install

注意:如果之前安装了作者原版本的nginx,请先卸载后再执行安装.

Related Posts

• [更新]适用于Directadmin面板的Nginx自动安装脚本 (55)
• 给DirectAdmin面板增加nginx前端 (3)
• [更新]搭建前后端web生产环境 (21)
• Google推出apache加速模块mod_pagespeed (1)
• nginx文件类型错误解析漏洞 (0)

但是现在情况有所改观了,今年9月份,StartCom公司出现在Windows根证书认证程序厂商更新当中,因此StartSSL证书在IE平台上已经可以正常使用的.另外Chrome,苹果Safari浏览器都可以正常识别StartSSL颁发的证书.但是Opera浏览器仍然不能支持.

为 nginx虚拟主机配置startssl证书

前提条件:独立IP.一台Linux机器.Startssl账户申请这里就不说明了.申请很简单,验证域名所有权也很简单.这里就做证书的配置.

我们先为域名生成证书请求文件和密钥.需要生成2048位加密的证书请求.以icodex.org为例,执行命令:

openssl req -new -newkey rsa:2048 -nodes -out icodex.csr -keyout icodex.key

执行之后在/etc/nginx/certs目录中就有icodex.csr. 执行cat icodex.csr查看里面的内容并复制:

然后将复制的粘贴到startssl后 台,这里每一步都进行截图:

第一步:

第二步:

第三步:

第四步:

第五步:

第六步:

第七步:

第八步:

最后一步注意要先将这段代码保存为icodex.crt 放在与icodex.csr icodex.key同个目录.

然后配置nginx,直接丢配置上来.

server {
listen       443;
listen       80;
server_name  os.icodex.org;
root   /home/icodex/os/public_html;
index index.html index.htm index.php;
access_log  /var/log/nginx/os.icodex.org-access.log  access;

ssl    on;
ssl_certificate    /etc/nginx/certs/icodex.crt;
ssl_certificate_key     /etc/nginx/certs/icodex.key;
ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers   on;

location ~* ^.+\.(js|css|jpg|jpeg|gif|png|ico|bmp|swf)$ {
expires      7d;
}

# pass the PHP scripts to FastCGI server
#
location ~ .*\.php$ {
fastcgi_index  index.php;
fastcgi_pass    127.0.0.1:9000;
include        fastcgi_params;
fastcgi_param   HTTPS on;
}
}

最后重启nginx.完毕...

另外,昨日与Showfom(此君 域名我妒忌)聊天的时候谈到火狐中文版验证ssl时提示ssl不受信任的问题,这应该是根证书的问题,后来测试,果然解决了.我们知道在apache有 SSLCertificateChainFile用来指定CA根证书位置,虽然nginx没有这个字段来指定,但是在nginx和lighttpd中是可 以将CA根证书与我们自己的证书合并使用的(声明来源:Sudone).步骤如下:

我们先到startssl下载 CA根证书,地址:http://cert.startssl.com/certs /,然后进入我们的证书保存位置,注意,操作前记得备份原证书文件.

cd /etc/nginx/certs/
cp icodex.crt icodex.crt.bak
wget http://www.startssl.com/certs/ca.pem
cat ca.pem >> icodex.crt

最后重启nginx即可.

Related Posts

• [更新]适用于Directadmin面板的Nginx自动安装脚本 (55)
• nginx文件类型错误解析漏洞 (0)
• 给DirectAdmin面板增加nginx前端 (3)
• [更新]搭建前后端web生产环境 (21)
• [更新]nginx 自动安装脚本 For cPanel (62)