浏览模式: 标准 | 列表分类:apache/web
Submitted by admin on 2017, June 8, 10:37 AM
openssl genrsa 4096 > account.key
wget http://dl.wdlinux.cn/files/openssl/openssl-1.0.2k.tar.gz
tar zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/local/openssl102k
make
mkdir /etc/ssl
cp apps/openssl.cnf /etc/ssl/
cd ..
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:51099.com,DNS:www.51099.com")) > domain.csr
mkdir /www/web/challenges
vi /www/wdlinux/nginx/conf/vhost/51099.com.conf
service nginxd restart
python -v
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py --no-check-certificate
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /www/web/challenges/ > ./signed.crt
pip
yum install python-pip
wget "https://pypi.python.org/packages/11/b6/abcb525026a4be042b486df43905d6893fb04f05aac21c32c638e939e447/pip-9.0.1.tar.gz#md5=35f01da33009719497f01a4ba69d63c9" --no-check-certificate
tar zxvf pip-9.0.1.tar.gz
cd pip-9.0.1
python setup.py install
cd ..
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /www/web/challenges/ > ./signed.crt
pip install argparse
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /www/web/challenges/ > ./signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cd ..
ls /www/
mv ssl /www/
cd /www/
cd ssl/
cp chained.pem domain.key /www/wdlinux/nginx/conf/cer/
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:baidu.com.com,DNS:www.baidu.com")) > baidu.csr
python acme_tiny.py --account-key ./account.key --csr ./baidu.csr --acme-dir /www/web/challenges/ > ./baidu.crt
vim acme_tiny.py
vi /bin/renew_cert.sh
#!/bin/bash
cd /www/ssl/
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /www/web/challenges/ > signed.crt || exit
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat signed.crt intermediate.pem > chained.pem
service nginx reload
chmod 700 /bin/renew_cert.sh
#0 0 1 * * root /bin/renew_cert.sh
apache/web | 评论:0
| Trackbacks:0
| 阅读:179
Submitted by admin on 2017, April 30, 12:40 PM
sed -i 's@^#Include conf/extra/httpd-ssl@Include conf/extra/httpd-ssl@' /www/wdlinux/apache/conf/httpd.conf
sed -i 's@^SSLCertificateFile@#SSLCertificateFile@' /www/wdlinux/apache/conf/extra/httpd-ssl.conf
sed -i 's@^SSLCertificateKeyFile@#SSLCertificateKeyFile@' /www/wdlinux/apache/conf/extra/httpd-ssl.conf
-----------
1,强制主站所有Web使用(全局站点)
如果要强制主站使用HTTPS,我们可以这样修改httpd配置文件:
# vim /etc/httpd/conf/httpd.conf
ServerName www.example.com:80
Redirect permanent / https://www.example.com
2,强制虚拟主机(单个站点)
如果要强制单个站点在虚拟主机上使用HTTPS,对于HTTP可以按照下面进行配置:
# vim /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName proxy.mimvp.com
Redirect permanent / https://proxy.mimvp.com/
</VirtualHost>
http://blog.csdn.net/ithomer/article/details/50433363
----------------------------------------
如果你想让你的用户访问你的webapp时只使用安全的HTTPS协议,而不是没加密过的HTTP协议,可以这样配置Apache:
在<Virtualhost *:80>里面加入如下内容:
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
然后重启Apache, done!
apache/web | 评论:0
| Trackbacks:0
| 阅读:238
Submitted by admin on 2017, April 25, 11:44 PM
https://imququ.com/post/letsencrypt-certificate.html
http://www.chinaz.com/web/2016/0216/504896.shtml
https://github.com/letsencrypt/boulder
https://github.com/ericchiang/letsencrypt
https://github.com/google/acme
apache/web | 评论:0
| Trackbacks:0
| 阅读:299
Submitted by admin on 2013, April 17, 5:00 PM
日志里有如下
[Fri Mar 15 21:47:47 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:48 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:49 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:50 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:51 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:52 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:53 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:54 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:55 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:56 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:57 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:58 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:47:59 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:48:00 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:48:01 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
[Fri Mar 15 21:48:02 2013] [warn] (101)Network is unreachable: connect to listener on [::]:5858
apache/web | 评论:0
| Trackbacks:0
| 阅读:483
Submitted by admin on 2013, March 30, 8:48 PM
http://www.webta.org/projects/apachetop/
Apachetop is a curses-based top-like display for Apache information, including requests per second, bytes per second, most popular URLs, etc.
Apachetop watches a logfile generated by Apache (in standard common or combined logformat, although it doesn't (yet) make use of any of the extra fields in combined) and generates human-parsable output in realtime.
安装很简单
#yum -y install readline-devel
# wget http://www.webta.org/apachetop/apachetop-0.12.6.tar.gz
# tar xzvf apachetop-0.12.6.tar.gz
# cd apachetop-0.12.6
# ./configure
# make
# make install
分析查看日志的时候
apachetop -f access.log
下面是用法说明:
引用
ApacheTop v0.12.6 - Usage:
File options:
-f logfile open logfile (assumed common/combined) [/var/log/httpd-access.log]
(repeat option for more than one source)
URL/host/referrer munging options:
-q 保持请求字符串[no]
-l 所有的url小写[no]
-s num 保持url路径段数量 [all]
-p 在referrer前面保留协议 [no]
-r 保留每一个的主机/ip [no]
Stats options:
必须提供两个参数 default: [-T 30]
缺省设置为保持记录状态30秒,30秒后数据刷新了。为了提供更多的信息给我们分析,我们可以调节下面的参数。
-H hits 保持状态只到多少点击数
-T secs 保持状态只到多少秒
-d secs 刷新延迟时间[5]
-h 这个帮助。
当执行之后,还有命令可以切换显示状态:
引用
ApacheTop version 0.12.6, Copyright (c) 2003-2004, Chris Elsworth
ONE-TOUCH COMMANDS
d : 切换urls/referrers/hosts显示模式开关
n : 切换hits & bytes或返回代码开关
h or ? : 帮助信息
p : (un)暂停显示 (冻结更新)
q : 退出 ApacheTop
up/down : 移动星标 up/down
right/left : 进入/退出逐条显示模式
子菜单:
s: 排序: [the appropriate menu will appear for your display]
r) requests R) reqs/sec b) bytes B) bytes/sec
2) 2xx 3) 3xx 4) 4xx 5) 5xx
t: 固定显示 ON/OFF:
u) urls r) referrers h) hosts
f: 使用过滤器:
a) add/edit menu c) clear all s) show active (not done yet)
a: ADD FILTER SUBMENU
u) to urls r) to referrers h) to hosts
apache/web | 评论:0
| Trackbacks:0
| 阅读:596
Submitted by admin on 2013, March 21, 11:43 AM
1、使用SSH登陆服务器2、输入命令: ps ax ,会列出所有的进程,找出对应的进程,类似“21045 ? Ss 0:00 /usr/local/bin/memcached -d -m 100 -u root -l 192.168.1.11 -p 12000 -c 256 ?CP /tmp/memcached.pid”。记下开头的id,如前面的21045.3、输入命令关闭进程:kill 210454、重新启动进程
如果要清空memcache的items,常用的办法是什么?杀掉重启?如果有n台memcache需要重启怎么办?挨个做一遍?
很简单,假设memcached运行在本地的11211端口,那么跑一下命令行:
$ echo ”flush_all” | nc localhost 11211
注:flush并不会将items删除,只是将所有的items标记为expired。
第一、连接:telnet 127.0.0.1 11211
第二、按回车键
第三、flush_all 后回车
控制台显示OK,表示操作成功
说明:
1、清空所有键值
flush_all
注:flush并不会将items删除,只是将所有的items标记为expired,因此这时memcache依旧占用所有内存。
2、退出
quit
apache/web | 评论:0
| Trackbacks:0
| 阅读:588
Submitted by admin on 2013, March 21, 8:27 AM
Apache Banner的隐藏方法,
修改httpd.conf文件,设置以下选项:
ServerTokens ProductOnly
ServerSignature Off
关闭trace-method
TraceEnable off
另外apache可以在编译的时候,故意混淆banner信息,达到隐藏的目的
ServerSignature apache生成的一些页面底部,比如404页面,文件列表页面等等。
ServerTokens指向被用来设置Server的http头回响。设置为Prod可以让HTTP头回响显示成这样….
Server: Apache
apache禁止访问目录列表- -
编辑httpd.conf
把下面配置项改成
Options Indexes FollowSymlinks MultiViews
Options FollowSymlinks MultiViews
即拿掉Indexes,重新启动apache
隐藏http头信息中看到php的版本信息
在php.ini中设置 expose_php = Off
apache/web | 评论:0
| Trackbacks:0
| 阅读:660
Submitted by admin on 2013, March 15, 7:59 PM
Google 开发的 gperftools 包含四个工具,分别是:TCMalloc、heap-checker、heap-profiler 和 cpu-profiler,TCMalloc是 gperftools 的其中一个工具,用于优化C++写的多线程应用,与标准的glibc库的malloc相比,TCMalloc在内存的分配效率和速度要高,可以在高并发的情况下很好的控制内存的使用,提高服务器的性能,降低负载。
使用 TCMalloc 优化 Nginx 和 MySQL 的内存管理,性能将会有一定程度的提升,特别是对MYSQL服务器高并发下情况下的性能。
安装 libunwind 库
如果系统是64位的需要先安装libunwind库,32位系统则不需要安装。
libunwind 库为基于64位CPU和操作系统的程序提供了基本的堆栈辗转开解功能,其中包括用于输出堆栈跟踪的API、用于以编程方式辗转开解堆栈的API以及支持C++异常处理机制的API。
wget http://download.savannah.gnu.org/releases/libunwind/libunwind-1.0.1.tar.gz
tar -zxvf libunwind-1.0.1.tar.gz
cd libunwind-1.0.1/
CFLAGS=-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install
cd ../
gperftools 的安装
gperftools 项目网站 http://code.google.com/p/gperftools/
wget http://gperftools.googlecode.com/files/gperftools-2.0.tar.gz
tar -zxvf gperftools-2.0.tar.gz
cd gperftools-2.0
./configure --prefix=/usr/local --enable-frame-pointers
make
make install
cd ../
如果是32位系统,可以不添加 –enable-frame-pointers,如果是64位系统,并且之前没有安装libunwind,那么一定要添加 –enable-frame-pointers 参数。
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
/sbin/ldconfig
为 gperftools 添加线程目录:
mkdir /tmp/tcmalloc
chmod 0777 /tmp/tcmalloc
使用gperftools优化Nginx:
为了使 Nginx 支持 gperftools,增加参数 –with-google_perftools_module 重新编译Nginx。
修改/usr/local/nginx/conf/nginx.conf
在pid这行的下面添加
google_perftools_profiles /tmp/tcmalloc;
重新启动nginx
使用gperftools优化MYSQL:
查找文件 /usr/local/mysql/bin/mysqld_safe
在# executing mysqld_safe 下面加上
export LD_PRELOAD=/usr/local/lib/libtcmalloc.so
重新启动MYSQL
验证 tcmalloc 是否运行:
lsof -n | grep tcmalloc
apache/web | 评论:0
| Trackbacks:0
| 阅读:664
