阿里云ECS服务器上配置WEB服务

基础配置
# 更改主机名
hostname xxx-server  
echo 'hostname xxx-server' >> /etc/rc.local  
# 添加软件源和常用软件
yum install epel-release  
yum install http://rpms.famillecollet.com/enterprise/remi-release-6.rpm  
#安装yum-priorities插件:
yum install yum-priorities  
#在 /etc/yum.repos.d/*.repo 的每个 [仓库] 段末尾加上 priority=N(数字越小优先级越高),如
priority=10  
配置ssh
vi /etc/ssh/sshd_config  
# 以下是sshd_config的内容编辑
ClientAliveInterval 60  
ClientAliveCountMax = 3  
PermitRootLogin no  
# 重启sshd
service sshd restart  
安装denyhosts
yum install denyhosts  
vi denyhosts.cfg  
#该配置文件结构比较简单,简要说明主要参数如下:
#PURGE_DENY:当一个IP被阻止以后,过多长时间被自动解禁。可选如3m(三分钟)、5h(5小时)、2d(两天)、8w(8周)、1y(一年);
#PURGE_THRESHOLD:定义了某一IP最多被解封多少次。即某一IP由于暴力破解SSH密码被阻止/解封的次数达到 PURGE_THRESHOLD 次后,则会被永久禁止;
#BLOCK_SERVICE:需要阻止的服务名;
#DENY_THRESHOLD_INVALID:某一无效用户名(不存在的用户)尝试多少次登录后被阻止;
#DENY_THRESHOLD_VALID:某一有效用户名尝试多少次登录后被阻止(比如账号正确但密码错误),root除外;
#DENY_THRESHOLD_ROOT:root用户尝试登录多少次后被阻止;
#HOSTNAME_LOOKUP:是否尝试解析源IP的域名;
chkconfig denyhosts on  
service denyhosts start  
安装nginx
# 添加nginx源(下面的 gpgcheck=0 关闭了软件包签名校验;条件允许时应导入 nginx 的签名密钥并改为 gpgcheck=1)
echo '[nginx]  
name=nginx repo  
baseurl=http://nginx.org/packages/centos/6/$basearch/  
gpgcheck=0  
enabled=1'>/etc/yum.repos.d/nginx.repo  
echo 'y' | yum install nginx  
chkconfig nginx on  
配置nginx
vim /etc/nginx/nginx.conf  
# 以下编辑nginx.conf的内容
user  xxx; #nginx运行的用户  
worker_processes  2; #进程数  
server_tokens off;  
sendfile on;  
tcp_nopush on;  
# 开启压缩
gzip  on;  
gzip_disable "msie6";  
gzip_min_length 1k;  
gzip_buffers 16 64k;  
gzip_comp_level 3;  
gzip_types text/plain application/x-javascript text/css application/xml application/javascript text/javascript image/gif image/jpeg image/png text/xml application/json application/x-httpd-php;

# 开启文件缓存
open_file_cache max=10000 inactive=20s;  
open_file_cache_valid 30s;  
open_file_cache_min_uses 2;  
open_file_cache_errors on;

#fastcgi配置
fastcgi_buffers 256 16k;  
fastcgi_buffer_size 128k;  
fastcgi_connect_timeout 3s;  
fastcgi_send_timeout 120s;  
fastcgi_read_timeout 120s;  
reset_timedout_connection on;  
server_names_hash_bucket_size 100;

# 接下来是配置各个vhost
...
# 重启nginx
service nginx restart  
安装mysql
yum --enablerepo=remi install mysql-server  
chkconfig mysqld on  
#以下可以按需要操作:
mkdir -p /mnt/mysql/{data,tmp,run,binlogs,log}  
chown mysql:mysql /mnt/mysql/{data,tmp,run,binlogs,log}  
su - mysql  
$ mysql_install_db --user=mysql --datadir=/mnt/mysql/data/
$ exit

my.cnf在线生成配置:
https://tools.percona.com/

安装php
yum --enablerepo=remi-php56  install php-cli php-mysql  php-gd php-xml php-ldap php-mbstring php-bcmath php-pdo php-mcrypt  php-fpm  
安装redis
yum install redis  
chkconfig redis on  
配置redis
# 配置第一个redis为session缓存
vim /etc/redis.conf  
# 以下是redis.conf的内容
databases 1  
# 注释掉 save 900 1 等内容,添加
save ""

service redis restart

# 单独配置redis为缓存
cp /etc/redis.conf /etc/redis-cache.conf  
vim /etc/redis-cache.conf  
# 编辑redis-cache.conf内容,注意更改pid, log file, lock file 等
...
cp /etc/init.d/redis /etc/init.d/redis-cache  
vim /etc/init.d/redis-cache  
# 编辑redis-cache内容,主要是配置文件等
chkconfig redis-cache on  
service redis-cache start  
配置php-fpm
vi /etc/php.ini  
# 配置php.ini的内容,error信息、时区等
date.timezone = "Asia/Shanghai"  
vi /etc/php-fpm.d/www.conf  
# 配置www池的内容,主要是listen端口、session等。配置使用redis缓存session
user = xxx  #运行的用户  
group = xxx   #运行的用户组  
php_value[session.save_handler] = redis  
php_value[session.save_path] = 'tcp://127.0.0.1:6379'

chkconfig php-fpm on  
service php-fpm start  

配置iptables

以下为配置脚本

#!/bin/bash
# Pin a system-first search path so the iptables/service/grep/sed calls
# below resolve to the system binaries regardless of the caller's environment.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
#######################################
# Abort unless /etc/issue identifies this host as CentOS.
# Globals:   none
# Outputs:   one error line on stdout when the check fails
# Returns:   0 on CentOS; does not return otherwise (exit 1)
#######################################
support_distro() {
  if ! grep -qi "centos" /etc/issue; then
    echo "Sorry,iptables script only support centos system now."
    exit 1
  fi
}
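support_distro
echo "============================iptables configure============================================"

#######################################
# Print the TCP port sshd listens on (default 22).
# Reads /etc/ssh/sshd_config; only the first uncommented "Port" line is
# used, so a config with several Port lines cannot turn the result into
# several words (which would make the --dport rule below fail and leave
# SSH unreachable behind the DROP policy).
# Outputs:   the port number on stdout
#######################################
get_sshd_port() {
  local port
  port=$(awk 'tolower($1) == "port" { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null)
  printf '%s\n' "${port:-22}"
}

#######################################
# Print every IPv4 resolver listed in /etc/resolv.conf, one per line.
# "nameserver" must be the first field, so commented-out lines are skipped;
# IPv6 resolvers are dropped because this script only manages iptables (v4).
# Outputs:   addresses on stdout; nothing if resolv.conf is missing or empty
#######################################
get_nameservers() {
  [ -s /etc/resolv.conf ] || return 0
  awk '$1 == "nameserver" && $2 !~ /:/ { print $2 }' /etc/resolv.conf
}

sshdport=$(get_sshd_port)
IPT="/sbin/iptables"

# Flush rules before deleting user-defined chains: --delete-chain refuses
# to remove a chain that still holds rules or is still referenced.
"$IPT" --flush
"$IPT" --delete-chain
# Default deny in every direction; the ACCEPT rules below are the allow-list.
# The RELATED,ESTABLISHED rule follows immediately, so the SSH session
# running this script is not cut off (packets dropped in between are
# retransmitted by TCP).
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT DROP
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound: HTTP and SSH only. Add 443 here if the nginx vhosts serve TLS.
"$IPT" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPT" -A INPUT -p tcp -m tcp --dport "$sshdport" -j ACCEPT
"$IPT" -A INPUT -i lo -j ACCEPT
# ICMP echo request (8) and time exceeded (11): ping and traceroute.
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
"$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# UDP/53 is allowed only towards the configured resolvers (all of them, not
# just the first two), never towards arbitrary hosts.
while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  "$IPT" -A OUTPUT -p udp -m udp -d "$ns" --dport 53 -j ACCEPT
done < <(get_nameservers)
"$IPT" -A OUTPUT -o lo -j ACCEPT
# Outbound: HTTP (yum repos), SMTP, ICMP and NTP. Outbound 443 is not
# opened, so https repositories or API calls fail until it is added here.
"$IPT" -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPT" -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
"$IPT" -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"$IPT" -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
"$IPT" -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# Persist the rule set so it survives a reboot (CentOS 6 init script).
service iptables save
echo "============================iptables configure completed============================================"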
配置FTP
yum install vsftpd  
#添加ftp帐号和目录
useradd -d /mnt/xxxx -s /sbin/nologin xxxx  
#修改该帐户密码:
passwd xxxx  
#修改指定目录的权限
chown -R xxxx:xxxx /mnt/xxxx  
#配置vsftp
vi /etc/vsftpd/vsftpd.conf  
#将配置文件中 "anonymous_enable=YES" 改为 "anonymous_enable=NO"
#取消如下配置前的注释符号:
local_enable=YES  
write_enable=YES  
chroot_local_user=YES  
#修改/etc/sysconfig/iptables-config 
vi /etc/sysconfig/iptables-config  
#修改IPTABLES_MODULES:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack ip_conntrack_ftp"  
#启动vsftp服务并测试登录(注意:上面的 iptables 脚本没有放行 21/tcp,需要先在 INPUT 链为 21 端口添加 ACCEPT 规则,否则无法登录;数据连接由 ip_conntrack_ftp 和 RELATED,ESTABLISHED 规则放行)
service vsftpd start