6) 安装Zend Optimizer # cd /usr/local/src # tar xzvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz # ./ZendOptimizer-3.3.3-linux-glibc23-i386/install.sh 安装Zend Optimizer过程的最后不要选择重启Apache。 2. 整合Apache与PHP及系统初化配置. 1)整合Apache与PHP # vi /usr/local/apache2/conf/httpd.conf 找到： AddType application/x-gzip .gz .tgz 在该行下面添加 AddType application/x-httpd-php .php 找到： <IfModule dir_module> DirectoryIndex index.html < /IfModule> 将该行改为 <IfModule dir_module> DirectoryIndex index.html index.htm index.php < /IfModule> 找到： #Include conf/extra/httpd-mpm.conf #Include conf/extra/httpd-info.conf #Include conf/extra/httpd-vhosts.conf (虚拟主机配置文件存放目录.) #Include conf/extra/httpd-default.conf 去掉前面的“#”号，取消注释。 注意：以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置！ 修改完成后保存退出。 # /usr/local/apache2/bin/apachectl restart 2)查看确认L.A.M.P环境信息、提升 PHP 安全性 在网站根目录放置 info.php 脚本，检查phpinfo中的各项信息是否正确。 < ?php phpinfo(); ?> 确认 PHP 能够正常工作后，在 php.ini 中进行设置提升 PHP 安全性,禁掉危险的函数. # vi /etc/php.ini找到：disable_functions =设置为：phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server 3)脚本自动完成初始化配置(以上配置可以用脚本自动化完成) #cat init_apache_php.sh -------------------cut begin------------------------------------------- #!/bin/bash #Written by :NetSeek http://www.linuxtone.org #init_httpd.conf http_cf="/usr/local/apache2/conf/httpd.conf" sed -i -e "s/User daemon/User www/" -i -e "s/Group daemon/Group www/" $http_cf sed -i -e '121 s/^/#/' -i -e '122 s/^/#/' $http_cf sed -i 's#DirectoryIndex index.html# DirectoryIndex index.php index.html index.htm#/g' $http_cf sed -i -e '374 s/^#//g' -i -e '389 s/^#//g' -i -e '392 s/^#//g' -i -e '401 s/^#//g' $http_cf #init_php(PHP安全设置及隐藏PHP版本) php_cf="/usr/local/php/etc/php.ini" sed -i '205 s#;open_basedir =#open_basedir = /data/www/wwwroot:/tmp#g' $php_cf sed -i '210 s#disable_functions =#disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server#g' $php_cf sed -i '/expose_php/s/On/Off/' $php_cf sed -i '/display_errors/s/On/Off/' $php_cf -------------------cut end------------------------------------------- 三、配置虚拟主机及基本性能调优 1) 配置虚拟主机: #vi /usr/local/apache2/conf/extra/httpd-vhosts.conf NameVirtualHost *:80 <VirtualHost *:80> ServerAdmin cnseek@gmail.com DocumentRoot "/data/www/wwwroot/linuxtone.org" ServerName www.linuxtone.org ServerAlias bbs.linxutone.org ErrorLog "logs/dummy-host.example.com-error_log" CustomLog "|/usr/sbin/cronolog /data/logs/access_www.linuxtone.org.%Y%m%d" combined < /VirtualHost> 2).基本性能调优参考 #vi /usr/local/apache2/conf/extra/httpd-default.conf Timeout 15 KeepAlive Off MaxKeepAliveRequests 50 KeepAliveTimeout 5 UseCanonicalName Off AccessFileName .htaccess ServerTokens Prod ServerSignature Off HostnameLookups Off #vi /usr/local/apache2/conf/extra/httpd-mpm.conf <IfModule mpm_prefork_module> ServerLimit 2000 StartServers 10 MinSpareServers 10 MaxSpareServers 15 MaxClients 2000 MaxRequestsPerChild 10000 </IfModule> 3).Apache日志处理 忽略不需要的日志配置参考具体请据据具体问题分析： LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined #下面加入如下内容: # filter the localhost visit SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog # filter some special directories SetEnvIf Request_URI "^ZendPlatform.*

• # filter the localhost visit
• SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
• # filter some special directories
• SetEnvIf Request_URI "^ZendPlatform.*[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI \.healthcheck\.html$ dontlog
• SetEnvIf Remote_Addr "::1" dontlog
• SetEnvIf Request_URI "\.getPing.php[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "^/error\.html[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.gif[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.jpg[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.css[ DISCUZ_CODE_9 ]quot; dontlog
• quot; dontlog
• SetEnvIf Request_URI \.healthcheck\.html$ dontlog
• SetEnvIf Remote_Addr "::1" dontlog
• SetEnvIf Request_URI "\.getPing.php[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "^/error\.html[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.gif[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.jpg[ DISCUZ_CODE_9 ]quot; dontlog
• SetEnvIf Request_URI "\.css[ DISCUZ_CODE_9 ]quot; dontlog

复制代码 4). Apache防盗链 RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC] RewriteRule \.(gif|jpg)$ http://网站域名/nolink.png [R,L] 四、基本安全设置 1)iptables 封锁相关端口(推荐读CU白金大哥的两小时玩转iptables) 2)SSH全安(修改SSH端口限制来源IP登陆) 3)Linux防Arp攻击策略 4)注意(还是那句老话:安全工作从细节做起!)