
Beginning move to nginx

Bob Mottram 11 anni fa
parent
commit
1d1191f149
1 ha cambiato i file con 51 aggiunte e 269 eliminazioni
  1. 51
    269
      beaglebone.txt

+ 51
- 269
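--- a/beaglebone.txt
+++ b/beaglebone.txt
@@ -903,7 +903,7 @@ Add the following:
 # ==============================================================
 
 # Variables
-CPU_LIMIT=30            # Maximum percentage CPU consumption by each PID
+CPU_LIMIT=50            # Maximum percentage CPU consumption by each PID
 DAEMON_INTERVAL=1       # Daemon check interval in seconds
 BLACK_PROCESSES_LIST=   # Limit only processes defined in this variable. If variable is empty (default) all violating processes are limited.
 WHITE_PROCESSES_LIST="cron|top|emacs|vi|vim|nano"   # Limit all processes except processes defined in this variable. If variable is empty (default) all violating processes are limited.
@@ -2484,63 +2484,15 @@ Here cron is used so that if we stop one of the relevant processes and then rest
 -- Tim Berners-Lee
 #+END_VERSE
 
-Edit the apache configuration so that it doesn't run out of memory if there are a lot of connections.
+First install nginx and some scripts for easily enabling and disabling the web sites which we will create.
 
 #+BEGIN_SRC: bash
-su
-editor /etc/apache2/apache2.conf
-#+END_SRC
-
-Search for MaxClients and replace the value with 6. As an example the settings should look something like this:
-
-#+BEGIN_SRC: bash
-Timeout 30
-KeepAlive On
-MaxKeepAliveRequests 5
-KeepAliveTimeout 10
-
-<IfModule mpm_prefork_module>
-    StartServers          3
-    MinSpareServers       3
-    MaxSpareServers       5
-    MaxClients           10
-    MaxRequestsPerChild   0
-</IfModule>
-
-<IfModule mpm_worker_module>
-    StartServers          1
-    MinSpareThreads       5
-    MaxSpareThreads      15
-    ThreadLimit          25
-    ThreadsPerChild       5
-    MaxClients           25
-    MaxRequestsPerChild 200
-</IfModule>
-
-<IfModule mpm_event_module>
-    StartServers          1
-    MinSpareThreads       5
-    MaxSpareThreads      15
-    ThreadLimit          25
-    ThreadsPerChild       5
-    MaxClients           25
-    MaxRequestsPerChild 200
-</IfModule>
-#+END_SRC
-
-Also append the following:
-
-#+BEGIN_SRC: bash
-ServerSignature Off
-ServerTokens Prod
-#+END_SRC
-
-Then save and exit.  Install some extra security.
-
-#+BEGIN_SRC: bash
-apt-get install libapache2-modsecurity
-apt-get install libapache2-mod-evasive
-#+END_SRC
+apt-get install nginx php5-fpm git
+cd ~/build
+git clone https://github.com/perusio/nginx_ensite
+cd ~/build/nginx_ensite
+cp nginx_* /usr/sbin
+#+END_VERSE
 
 In the examples below replace /mydomainname.com/ with your own domain name.
 
@@ -2548,228 +2500,59 @@ In the examples below replace /mydomainname.com/ with your own domain name.
 export HOSTNAME=mydomainname.com
 mkdir /var/www/$HOSTNAME
 mkdir /var/www/$HOSTNAME/htdocs
-editor /etc/apache2/sites-available/$HOSTNAME
+editor /etc/nginx/sites-available/$HOSTNAME
 #+END_SRC
 
-The Apache configuration for the site should look something like the following.  Replace /mydonainname.com/ with the site domain name.
+The configuration for the site should look something like the following.  Replace /mydonainname.com/ with the site domain name.
 
 #+BEGIN_SRC: bash
-<VirtualHost *:80>
-	ServerAdmin myusername@mydomainname.com
-	ServerName mydomainname.com
-
-	DocumentRoot /var/www/mydomainname.com/htdocs
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride All
-	</Directory>
-	<Directory /var/www/mydomainname.com/htdocs/>
-		Options All
-		AllowOverride All
-		Order allow,deny
-		allow from all
-        LimitRequestBody 512000
-	</Directory>
-
-	# Don't serve .php~ or .php# files created by emacs
-	<Files ~ "(^#.*#|~|\.sw[op])$">
-		Order allow,deny
-		Deny from all
-	</Files>
+server {
+    listen 80;
+    root /var/www/mydomainname.com/htdocs;
+    index index.html index.htm;
+    server_name mydomainname.com;
 
-	<IfModule headers_module>
-		Header set X-Content-Type-Options nosniff
-		Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
-		Header set Pragma no-cache
-	</IfModule>
-
-	<Files .htaccess>
-	  deny from all
-	</Files>
-
-	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-	<Directory "/usr/lib/cgi-bin">
-		AllowOverride All
-		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
-		Order allow,deny
-		Allow from all
-        LimitRequestBody 512000
-	</Directory>
-
-	ErrorLog ${APACHE_LOG_DIR}/error.log
-
-	# Possible values include: debug, info, notice, warn, error, crit,
-	# alert, emerg.
-	LogLevel error
-
-	CustomLog ${APACHE_LOG_DIR}/access.log combined
-</VirtualHost>
-
-<IfModule mod_ssl.c>
-<VirtualHost *:443>
-	ServerAdmin myusername@mydomainname.com
-	ServerName mydomainname.com
-
-	DocumentRoot /var/www/mydomainname.com/htdocs
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride All
-	</Directory>
-	<Directory /var/www/mydomainname.com/htdocs/>
-		Options All
-		AllowOverride All
-		Order allow,deny
-		allow from all
-        LimitRequestBody 512000
-	</Directory>
-
-	# Don't serve .php~ or .php# files created by emacs
-	<Files ~ "(^#.*#|~|\.sw[op])$">
-		Order allow,deny
-		Deny from all
-	</Files>
-
-	<IfModule headers_module>
-		Header set X-Content-Type-Options nosniff
-		Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
-		Header set Pragma no-cache
-	</IfModule>
-
-	<Files .htaccess>
-	  deny from all
-	</Files>
-
-	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-	<Directory "/usr/lib/cgi-bin">
-		AllowOverride All
-		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
-		Order allow,deny
-		Allow from all
-        LimitRequestBody 512000
-	</Directory>
-
-	ErrorLog ${APACHE_LOG_DIR}/error.log
-
-	# Possible values include: debug, info, notice, warn, error, crit,
-	# alert, emerg.
-	LogLevel error
-
-	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
-
-	#   SSL Engine Switch:
-	#   Enable/Disable SSL for this virtual host.
-	SSLEngine on
-
-	#   A self-signed certificate
-	SSLCertificateFile    /etc/ssl/certs/mydomainname.com.crt
-	SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
-
-    # Options based on bettercrypto.org
-    SSLProtocol All -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
-
-    # Add six earth month HSTS header for all users ...
-    Header add Strict-Transport-Security "max-age=15768000"
-    # If you want to protect all subdomains , use the following header
-    # ALL subdomains HAVE TO support https if you use this !
-    # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
-
-	#   SSL Engine Options:
-	#   Set various options for the SSL engine.
-	#   o FakeBasicAuth:
-	#     Translate the client X.509 into a Basic Authorisation.  This means that
-	#     the standard Auth/DBMAuth methods can be used for access control.  The
-	#     user name is the `one line' version of the client's X.509 certificate.
-	#     Note that no password is obtained from the user. Every entry in the user
-	#     file needs this password: `xxj31ZMTZzkVA'.
-	#   o ExportCertData:
-	#     This exports two additional environment variables: SSL_CLIENT_CERT and
-	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-	#     server (always existing) and the client (only existing when client
-	#     authentication is used). This can be used to import the certificates
-	#     into CGI scripts.
-	#   o StdEnvVars:
-	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-	#     Per default this exportation is switched off for performance reasons,
-	#     because the extraction step is an expensive operation and is usually
-	#     useless for serving static content. So one usually enables the
-	#     exportation for CGI and SSI requests only.
-	#   o StrictRequire:
-	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-	#     under a "Satisfy any" situation, i.e. when it applies access is denied
-	#     and no other module can change it.
-	#   o OptRenegotiate:
-	#     This enables optimized SSL connection renegotiation handling when SSL
-	#     directives are used in per-directory context.
-	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-	<FilesMatch "\.(cgi|shtml|phtml|php)$">
-		SSLOptions +StdEnvVars
-	</FilesMatch>
-	<Directory /usr/lib/cgi-bin>
-		SSLOptions +StdEnvVars
-	</Directory>
-
-	#   SSL Protocol Adjustments:
-	#   The safe and default but still SSL/TLS standard compliant shutdown
-	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-	#   the close notify alert from client. When you need a different shutdown
-	#   approach you can use one of the following variables:
-	#   o ssl-unclean-shutdown:
-	#     This forces an unclean shutdown when the connection is closed, i.e. no
-	#     SSL close notify alert is send or allowed to received.  This violates
-	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-	#     this when you receive I/O errors because of the standard approach where
-	#     mod_ssl sends the close notify alert.
-	#   o ssl-accurate-shutdown:
-	#     This forces an accurate shutdown when the connection is closed, i.e. a
-	#     SSL close notify alert is send and mod_ssl waits for the close notify
-	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-	#     practice often causes hanging connections with brain-dead browsers. Use
-	#     this only for browsers where you know that their SSL implementation
-	#     works correctly.
-	#   Notice: Most problems of broken clients are also related to the HTTP
-	#   keep-alive facility, so you usually additionally want to disable
-	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-	#   "force-response-1.0" for this.
-	BrowserMatch "MSIE [2-6]" \
-		nokeepalive ssl-unclean-shutdown \
-		downgrade-1.0 force-response-1.0
-	# MSIE 7 and newer should be able to use keepalive
-	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
 
-</VirtualHost>
-</IfModule>
+server {
+    listen 443;
+    root /var/www/mydomainname.com/htdocs;
+    index index.html index.htm;
+    server_name mydomainname.com;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
+    ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
+
+    ssl_session_timeout 5m;
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
+    ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+    add_header Strict-Transport-Security max-age=15768000; # six months
+    # use this only if all subdomains support HTTPS!
+    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
 #+END_SRC
 
-Then to enable the site:
+Save and exit. Then change the domain name.
 
 #+BEGIN_SRC: bash
-a2ensite
-a2dissite default
-a2dissite default-ssl
-a2enmod rewrite
-a2enmod headers
+sed "s/mydomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website
+cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME
 #+END_SRC
 
-Ensure that "NameVirtualHost *:443" is added to /etc/apache2/ports.conf. It should look something like the following:
+Then to enable the site:
 
 #+BEGIN_SRC: bash
-NameVirtualHost *:80
-Listen 80
-
-<IfModule mod_ssl.c>
-	NameVirtualHost *:443
-    Listen 443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-    NameVirtualHost *:443
-    Listen 443
-</IfModule>
+nginx_dissite default
+nginx_ensite $HOSTNAME
 #+END_SRC
 
 Create a self-signed certificate. The passphrase isn't important and will be removed, so make it easy (such as "password").
@@ -2786,7 +2569,7 @@ Enter the following:
 HOSTNAME=$1
 
 openssl genrsa -des3 -out $HOSTNAME.key 1024
-openssl req -new -x509 -nodes -sha1 -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
+openssl req -new -x509 -nodes -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
 openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key
 cp $HOSTNAME.new.key $HOSTNAME.key
 rm $HOSTNAME.new.key
@@ -2794,15 +2577,14 @@ cp $HOSTNAME.key /etc/ssl/private
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 cp $HOSTNAME.crt /etc/ssl/certs
 shred -zu $HOSTNAME.key $HOSTNAME.crt
-a2enmod ssl
-service apache2 restart
+/etc/init.d/nginx reload
 #+END_SRC
 
 Save and exit.
 
 #+BEGIN_SRC: bash
 chmod +x /usr/bin/makecert
-makecert mydomainname.com
+makecert $HOSTNAME
 #+END_SRC
 
 Enter some trivial password for the key file, such as "password".  The password will be removed as part of the /makecert/ script which you just created.  Note that leaving a password on the key file would mean that after a power cycle the Apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed.
@@ -2812,7 +2594,7 @@ If all has gone well then there should be no warnings or errors after you run th
 Also limit the amount of memory which any php scripts can use.
 
 #+BEGIN_SRC: bash
-editor /etc/php5/apache2/php.ini
+editor /etc/php5/fpm/php.ini
 #+END_SRC
 
 Set the following: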
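Review bot: The domain substitution in the third hunk (`sed "s/mydomainname.com/$HOSTNAME/g" ... > /tmp/website` followed by `cp -f /tmp/website ...`) routes the new nginx site configuration, written as root, through a fixed and predictable path in the shared /tmp directory, so any local user who can pre-create that path or a symlink there can influence what is copied into /etc/nginx/sites-available, and a stale copy is left behind afterwards. Editing in place removes the temporary file altogether: `sed -i "s/mydomainname\.com/$HOSTNAME/g" "/etc/nginx/sites-available/$HOSTNAME"` (the dot is escaped so it is not a regex wildcard, and the path is quoted); if a scratch file is really wanted it should come from `mktemp`. In the second hunk the new install block opens with `#+BEGIN_SRC: bash` but the added closing line is `#+END_VERSE`; it should be `#+END_SRC` so the Org source block is closed correctly. The unchanged prose after the fifth hunk still refers to "the Apache server" failing to boot with a passphrase-protected key, which presumably should now say nginx.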