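The hash DoS vulnerability that broke out at the end of 2011 is highly damaging; php-5.2.x and php-5.3.x are affected by it.
So the php-5.3.6 used in this guide needs to be replaced with the latest version; see here for details.
Strengthen the system's support for character encoding conversion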
```sh
wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.13.1.tar.gz
tar zxvf libiconv-1.13.1.tar.gz
cd libiconv-1.13.1/
./configure --prefix=/usr/local
make
make install
```
Encryption algorithm library; the PHP mcrypt extension depends on this library
```sh
wget http://downloads.sourceforge.net/mcrypt/libmcrypt-2.5.8.tar.gz
tar zxvf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8
./configure
make
make install
/sbin/ldconfig
cd libltdl/
./configure --enable-ltdl-install
make
make install
```
Hash algorithm library
```sh
wget http://downloads.sourceforge.net/mhash/mhash-0.9.9.9.tar.gz
tar zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make
make install
```

```sh
ln -s /usr/local/lib/libiconv.so.2 /usr/lib/libiconv.so.2
ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
ln -s /usr/local/bin/libmcrypt-config /usr/bin/libmcrypt-config
ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1
```
Make the configuration take effect immediately

```sh
ldconfig
```

```sh
wget http://downloads.sourceforge.net/mcrypt/mcrypt-2.6.8.tar.gz
tar zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8/
/sbin/ldconfig
./configure
make
make install
```
FastCGI mode

```sh
wget http://cn.php.net/get/php-5.3.6.tar.gz/from/this/mirror
tar xvf php-5.3.6.tar.gz
cd php-5.3.6
./configure --prefix=/usr/local/webserver/php --with-config-file-path=/usr/local/webserver/php/etc \
  --with-mysql=/usr/local/webserver/mysql --with-mysqli=/usr/local/webserver/mysql/bin/mysql_config \
  --with-iconv-dir=/usr/local/lib --with-freetype-dir=/usr/local/lib --with-jpeg-dir=/usr/local/lib --with-png-dir=/usr/local/lib --with-zlib \
  --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-safe-mode --enable-bcmath \
  --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers \
  --enable-mbregex --enable-fpm --enable-mbstring --with-mcrypt --with-gd --enable-gd-native-ttf \
  --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-ldap --with-ldap-sasl --with-xmlrpc \
  --enable-zip --enable-soap
make ZEND_EXTRA_LIBS='-liconv'
make install
cp -f php.ini-production /usr/local/webserver/php/etc/php.ini
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
chmod u+x /etc/init.d/php-fpm
```
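Note: before running php-fpm, remember to create the www user first, otherwise it will report an error on start, because the PHP-FPM configuration file runs the pool as www.
Create the www user and group

```sh
/usr/sbin/groupadd www
/usr/sbin/useradd -g www www
```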
Edit php-fpm.conf

```sh
cat > /usr/local/webserver/php/etc/php-fpm.conf <<'EOF'
[global]
pid = /usr/local/webserver/php/var/run/php-fpm.pid
error_log = /usr/local/webserver/php/var/log/php-fpm.log
log_level = notice
emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 5s
daemonize = yes

[www]
listen = /tmp/php_fcgi.sock
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
user = www
group = www
listen.mode=0666
pm = static
pm.max_children = 64
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 1024
request_terminate_timeout = 0s
request_slowlog_timeout = 0s
slowlog = logs/slow.log
rlimit_files = 65535
rlimit_core = 0
chroot =
chdir =
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_flag[display_errors] = off
EOF
```
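Before starting, you can first test whether the syntax of php-fpm.conf is correct.

```sh
/usr/local/webserver/php/sbin/php-fpm -t
```

If the following message appears, there is no problem.

```
[30 18:47:32] NOTICE: configuration file /usr/local/webserver/php/etc/php-fpm.conf test is successful
```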
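`php-fpm -t` checks syntax only. As an added example (not part of the original page or of PHP), the shell function below reads a pool file and flags the listen settings used above: with `listen.mode=0666` on a socket under `/tmp`, any local account can send FastCGI requests to the pool, and they run as `www`. The function names, finding labels and the `/var/run/php-fpm/www.sock` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag risky php-fpm listen settings.

# ini_get FILE KEY: print the last value assigned to KEY; ';' starts a comment.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# fpm_listen_audit FILE: print one finding per line, nothing when the pool is clean.
fpm_listen_audit() {
    listen=$(ini_get "$1" listen)
    mode=$(ini_get "$1" listen.mode)
    clients=$(ini_get "$1" listen.allowed_clients)
    case "$listen" in
    "") echo "NO_LISTEN_DIRECTIVE" ;;
    /*) # Unix socket: access is decided by the file mode and the directory.
        case "$mode" in
        *[2367]) echo "WORLD_WRITABLE_SOCKET $listen mode=$mode" ;;
        esac
        case "$listen" in
        /tmp/*|/var/tmp/*) echo "SOCKET_IN_SHARED_TMP $listen" ;;
        esac ;;
    127.*) ;; # loopback TCP listener
    *)  # any other TCP listener needs listen.allowed_clients to limit callers
        if [ -z "$clients" ]; then echo "TCP_WITHOUT_ALLOWED_CLIENTS $listen"; fi ;;
    esac
}

# Constructed sample input: the listen lines from the pool above, then a tighter
# variant (the /var/run path and the 0660 mode are assumptions for illustration).
weak=$(mktemp); tight=$(mktemp)
printf '[www]\nlisten = /tmp/php_fcgi.sock\nlisten.mode=0666\nuser = www\n' > "$weak"
printf '[www]\nlisten = /var/run/php-fpm/www.sock\nlisten.owner = www\nlisten.group = www\nlisten.mode = 0660\n' > "$tight"
echo "weak pool:";  fpm_listen_audit "$weak"
echo "tight pool:"; fpm_listen_audit "$tight"
rm -f "$weak" "$tight"
```

With `listen.mode = 0660`, the web server's account has to be the socket owner or in its group for requests to reach the pool.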
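After the php-cgi process starts, it listens on port 9000 of 127.0.0.1, with 64 processes (if the server has less than 3GB of memory, you can start only 64 processes), running as user www.

```sh
#/usr/local/webserver/php/sbin/php-fpm
```

Enable start at boot

```sh
chkconfig --add php-fpm
chkconfig php-fpm on
```

Start php-fpm

```sh
service php-fpm start
```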
```sh
wget http://pecl.php.net/get/memcache-2.2.6.tgz
tar xvf memcache-2.2.6.tgz
cd memcache-2.2.6
phpize
./configure --with-php-config=/usr/local/webserver/php/bin/php-config
make
make install
```

Modify the php.ini file

```sh
cat >> /usr/local/webserver/php/etc/php.ini << "EOF"
[memcache]
extension=memcache.so
EOF
```
libevent (memcached dependency)
```sh
wget http://www.monkey.org/~provos/libevent-1.4.8-stable.tar.gz
tar xfz libevent-1.4.8-stable.tar.gz
cd libevent-1.4.8-stable
./configure && make && sudo make install
ln -s /usr/local/lib/libevent-1.4.so.2 /usr/lib
```
libmemcached
```sh
wget http://launchpad.net/libmemcached/1.0/0.50a/+download/libmemcached-0.50.tar.gz
tar -xzvf libmemcached-0.50.tar.gz
cd libmemcached-0.50
# An error in the sources prevents us from compiling libmemcached on a 32-bit architecture,
# which is why in the clients/memcapable.cc file at lines 658, 728 and 787 the value
# "0xdeadbeefdeadcafe" should be replaced by "0xdeadbeefdeadcafeULL". After that the
# compilation works like a charm. (NB: When writing this article, there were more recent
# versions of libmemcached, but they couldn't compile because the CentOS 5 version of
# autoconf is too old.)
#vim clients/memcapable.cc
#658 uint64_t value= 0xdeadbeefdeadcafeULL;
#728 uint64_t value= 0xdeadbeefdeadcafeULL;
#787 uint64_t value= 0xdeadbeefdeadcafeULL;
./configure --prefix=/usr/local/libmemcached
make
make install
```

memcached
```sh
wget http://pecl.php.net/get/memcached-2.0.1.tgz
tar xvf memcached-2.0.1.tgz
cd memcached-2.0.1
phpize
./configure --with-libmemcached-dir=/usr/local/libmemcached
make && make install
```

Modify the php.ini file

```sh
cat >> /usr/local/webserver/php/etc/php.ini << "EOF"
[memcached]
extension=memcached.so
EOF
```
Start Memcached

```sh
# Run memcached as a daemon (d = daemon, m = memory, u = user, l = IP to listen to, p = port)
memcached -d -m 256 -u root -l 10.0.0.2 -p 11211 -c 256 -P /tmp/memcached.pid
```

Stop Memcached

```sh
kill `cat /tmp/memcached.pid`
```
Startup script

```sh
#!/bin/sh
#
# Startup script for the server of memcached
#
# processname: memcached
# pidfile: /etc/memcached/memcached.pid
# logfile: /etc/memcached/memcached_log.txt
# memcached_home: /etc/memcached
# chkconfig: 35 21 79
# description: Start and stop memcached Service

# Source function library
. /etc/rc.d/init.d/functions

RETVAL=0

prog="memcached"
basedir=/usr/local/memcached
cmd=${basedir}/bin/memcached
pidfile="$basedir/${prog}.pid"
#logfile="$basedir/memcached_log.txt"

# memcached start-up parameters
ipaddr="10.0.0.2"          # IP address to bind and listen on
port="11211"               # service port
username="root"            # user the program runs as
max_memory=64              # default: 64M | maximum memory to use
max_simul_conn=1024        # default: 1024 | maximum simultaneous connections
#maxcon=51200
#growth_factor=1.3         # default: 1.25 | chunk size growth factor
#thread_num=6              # default: 4
#verbose="-vv"             # show detailed start-up information
#bind_protocol=binary      # ascii, binary, or auto (default)

start() {
    echo -n $"Starting service: $prog"
    $cmd -d -m $max_memory -u $username -l $ipaddr -p $port -c $max_simul_conn -P $pidfile
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
}

stop() {
    echo -n $"Stopping service: $prog  "
    run_user=`whoami`
    pidlist=`ps -ef | grep $run_user | grep memcached | grep -v grep | awk '{print($2)}'`
    for pid in $pidlist
    do
        # echo "pid=$pid"
        kill -9 $pid
        if [ $? -ne 0 ]; then
            return 1
        fi
    done
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    # No reload function is defined in this script, so reload is handled as a restart.
    reload|restart)
        stop
        start
        ;;
    condrestart)
        if [ -f /var/lock/subsys/$prog ]; then
            stop
            start
        fi
        ;;
    status)
        status memcached
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit $RETVAL
```
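Option | Description |
---|---|
-d | Start as a daemon process |
-m | Amount of memory allocated to Memcache, in MB |
-u | User that Memcache runs as |
-l | Server IP address to listen on |
-p | Port that Memcache listens on |
-c | Maximum number of concurrent connections; the default is 1024 |
-P | Path of the file where Memcache's pid is saved |
Multiple daemons can be started, but their ports must not be the same.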
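An added example (not from the original page or the memcached project): a shell function that reviews a memcached command line using the options in the table above. It flags running as root, a listener reachable from the network (memcached does not authenticate clients by default), and a pid file in a shared temp directory; the function name, finding labels, the `memcached` account and the `/var/run` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): review memcached start-up options.

# memcached_args_audit ARGS...: print one finding per line, nothing when clean.
memcached_args_audit() {
    user=""; addr=""; port="11211"; pidfile=""
    OPTIND=1
    # Same option letters as the table: -d -m -u -l -p -c -P
    while getopts ":dm:u:l:p:c:P:" opt; do
        case "$opt" in
        u) user=$OPTARG ;;
        l) addr=$OPTARG ;;
        p) port=$OPTARG ;;
        P) pidfile=$OPTARG ;;
        *) ;;   # -d, -m, -c and unknown options do not change the findings
        esac
    done
    # -u root keeps the daemon running with full privileges.
    if [ "$user" = "root" ]; then echo "RUNS_AS_ROOT"; fi
    # Clients are not authenticated by default, so the bind address
    # decides who can read and write the cache.
    case "$addr" in
    "")    echo "LISTENS_ON_ALL_INTERFACES port=$port" ;;
    127.*) ;;
    *)     echo "NETWORK_REACHABLE $addr:$port" ;;
    esac
    # A pid file in a shared temp directory can be replaced by other local
    # users, so a later kill `cat pidfile` may signal the wrong process.
    case "$pidfile" in
    /tmp/*|/var/tmp/*) echo "PIDFILE_IN_SHARED_TMP $pidfile" ;;
    esac
}

# Constructed sample input: the start-up command from this page, then a tighter
# variant (the "memcached" account and the /var/run path are assumptions).
echo "page command:"
memcached_args_audit -d -m 256 -u root -l 10.0.0.2 -p 11211 -c 256 -P /tmp/memcached.pid
echo "tighter command:"
memcached_args_audit -d -m 256 -u memcached -l 127.0.0.1 -p 11211 -c 256 \
    -P /var/run/memcached/memcached.pid
```

A listener that has to stay on an internal address such as 10.0.0.2 should be limited by a host firewall to the web servers that use it.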