FreeBSD Upgrade and Optimization Guide, from cnfug.org

xiaoxiao2021-03-06  116

FreeBSD Upgrade and Optimization Guide

Chongqing. Fan Li (Dream)

Welcome! This article follows the GNU license terms.

Contents

Preface

Upgrade the source tree: install CVSup; upgrade the system source tree and ports

Rebuild the kernel: optimize the compilation environment; upgrade the operating system; upgrade the configuration files; recompile the kernel; restart the server

Optimize FreeBSD: check the upgrade; enable the firewall; optimize kernel parameters; set up the firewall

Install the database (MySQL): install mysql40-server and mysql40-client; install phpMyAdmin

Install the FTP server: install the FTP software (pure-ftpd); install pureftpd_php_manager

Install the Apache server: install apache13-modssl

Install the PHP language: install PHP; install ZendOptimizer

Install other Apache integration software: mod_bandwidth; mod_fastcgi; mod_gzip; mod_limitipconn; mod_perl; mod_throttle; mod_watch

Install third-party Apache software: software that limits each virtual host; software for preventing DDoS attacks

Install MRTG: install net-snmp; install MRTG; set up MRTG and traffic analysis for virtual hosts

Install BIND 9: install BIND9

Install the mail server: install the qmail mail system

Install Webmin and Usermin: install Webmin; install Usermin

Conclusion

Foreword

FreeBSD is a very UNIX, very free, very BSD operating system. Because it is so UNIX-like and so professional, many novices find it hard to learn. I started learning FreeBSD a few years ago and, under the guidance of Wang Bo, began using it formally. Over this period of use and administration I have collected many articles and a good deal of practical experience. To help more people come to like FreeBSD and UNIX, I have put together several upgrade and optimization examples, combined with my experience of managing hosting servers, in the hope that this modest contribution prompts better ones. The purpose of this article is to let a novice set up a professional, efficient and secure FreeBSD system that can be put to practical use immediately, so the article gives little explanation of the theory behind the commands it uses. If you do not understand what an action does, look up the relevant material. This article assumes that a FreeBSD host has already been set up or newly installed. It draws on a lot of material from the official FreeBSD site and other online sources, and even more on experience from real work. The parameters given here are not necessarily suitable for you, so adjust them as far as possible to your actual needs so that your server performs at its best. This article is only an outline. A detailed explanation of every step would take much more space, and because I was busy in January 2004 I wrote down only the actual operations. Please forgive me, friends.

Upgrade the source tree

Install CVSup

Enter /usr/ports/net/cvsup and run:

make clean

make deinstall

make install

make clean

Upgrade the system source tree and ports

Update the standard-supfile and ports-supfile files in the /usr/share/examples/cvsup directory, then run cvsup -g -L 2 standard-supfile and cvsup -g -L 2 ports-supfile to upgrade the source tree and the ports tree.

Rebuild the kernel

Optimize the compilation environment

Update /etc/make.conf with suitable compiler optimizations. My CPU is from Intel:

CPUTYPE=i686

CFLAGS= -O3 -pipe

COPTFLAGS= -O3 -pipe

Upgrade the operating system

Enter /usr/src and run:

make world

The whole process takes a long time, about 2 hours.

Upgrade the configuration files

Run mergemaster to upgrade the configuration files. During this process you need to press i so that the system files are upgraded.

Recompile the kernel

Go to /sys/i386/conf, run cp GENERIC onlinecq, then run vi onlinecq to optimize the kernel. Be sure to add the following:

# disable ctrl-alt-delete

options SC_DISABLE_REBOOT

# quota limit

options QUOTA

# ipfw support

options IPFIREWALL

options DUMMYNET

options HZ=3000

options IPDIVERT

options IPFIREWALL_VERBOSE

options IPFIREWALL_VERBOSE_LIMIT=100

options IPSTEALTH

options TCP_DROP_SYNFIN

options IPFIREWALL_DEFAULT_TO_ACCEPT

options ICMP_BANDLIM

options ACCEPT_FILTER_DATA

options ACCEPT_FILTER_HTTP

# ipfilter support

#options IPFILTER

#options IPFILTER_LOG

#options IPFILTER_DEFAULT_BLOCK

Run:

/usr/sbin/config onlinecq

cd ../../compile/onlinecq

make depend

make

make install

Restart the server

At this point the operating system and kernel upgrade are complete.

reboot

Optimize FreeBSD

Check the upgrade

Log in over SSH and run uname -a to confirm that the upgrade succeeded.

Enable the firewall

Update the settings in rc.conf by adding:

#enable_quotas="YES"

#check_quotas="YES"

firewall_enable="YES"

firewall_script="/etc/rc.firewall"

firewall_type="/etc/ipfw.rules" # create it!

firewall_quiet="NO"

firewall_logging_enable="YES"

log_in_vain="NO"

tcp_drop_synfin="NO"

tcp_restrict_rst="YES"

icmp_drop_redirect="YES"

Optimize kernel parameters

Modify the system kernel parameters for fine-tuning: vi /etc/sysctl.conf

kern.ipc.somaxconn=8192

kern.ipc.maxsockbuf=2097152

kern.maxfilesperproc=32768

kern.maxfiles=65536

kern.securelevel=-1

net.inet.tcp.sendspace=65536

net.inet.tcp.recvspace=32768

net.inet.udp.maxdgram=57344

net.inet.icmp.drop_redirect=1

net.inet.icmp.log_redirect=0

net.inet.ip.redirect=0

net.inet6.ip6.redirect=0

net.inet.icmp.icmplim=100

net.inet.tcp.always_keepalive=0

net.inet.tcp.delayed_ack=0

net.inet.tcp.log_in_vain=0

net.inet.udp.log_in_vain=0

net.inet.tcp.blackhole=2

net.inet.udp.blackhole=1

net.local.stream.sendspace=65535

net.local.stream.recvspace=32768

net.inet.ip.fastforwarding=1

vfs.vmiodirenable=1

Set up the firewall

The firewall has been compiled into the kernel and enabled in rc.conf above, so you can configure it right away!

Allow all IPs to pass, so that you do not lock yourself out:

ipfw add allow all from any to any

Add other rules according to your actual situation. If you want the system to load the same rules every time it starts, put them in /etc/ipfw.rules (vi /etc/ipfw.rules); the syntax is the same as for ipfw.
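A starting point for /etc/ipfw.rules that goes beyond the allow-everything rule above, as an added example rather than part of the original article: the shell functions below print a stateful ruleset that admits only the listed inbound ports and ends in an explicit deny, which matters because the kernel above is built with IPFIREWALL_DEFAULT_TO_ACCEPT. The names gen_ipfw_rules and valid_ports and the port numbers are assumptions; keep your SSH port in the list before loading the rules on a remote machine.

```shell
#!/bin/sh
# Added example, not from the original article. It prints an ipfw ruleset in
# the form used when firewall_type names a file: one ipfw command per line,
# without the leading "ipfw". gen_ipfw_rules, valid_ports and the port
# numbers are assumptions for illustration.

# Accept only a comma-separated list of port numbers in the range 1..65535.
valid_ports() {
    case $1 in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for p in "$@"; do
        case $p in ??????*) return 1 ;; esac      # more than 5 digits
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# $1 = inbound TCP ports to allow, $2 = inbound UDP ports (optional).
gen_ipfw_rules() {
    tcp_ports=$1
    udp_ports=${2:-}
    valid_ports "$tcp_ports" || { echo "bad TCP port list" >&2; return 1; }
    if [ -n "$udp_ports" ]; then
        valid_ports "$udp_ports" || { echo "bad UDP port list" >&2; return 1; }
    fi

    echo "add 100 allow all from any to any via lo0"
    echo "add 200 deny all from any to 127.0.0.0/8"
    # Replies to connections recorded by keep-state match here.
    echo "add 300 check-state"
    # Outbound traffic started by this host.
    echo "add 400 allow tcp from any to any out setup keep-state"
    echo "add 500 allow udp from any to any out keep-state"
    # Echo reply/request, unreachable, time exceeded.
    echo "add 600 allow icmp from any to any icmptypes 0,3,8,11"
    # Services offered to the outside.
    echo "add 700 allow tcp from any to any $tcp_ports in setup keep-state"
    if [ -n "$udp_ports" ]; then
        echo "add 800 allow udp from any to any $udp_ports in keep-state"
    fi
    # Explicit final deny: with IPFIREWALL_DEFAULT_TO_ACCEPT the built-in
    # last rule allows whatever nothing else matched.
    echo "add 65000 deny log all from any to any"
}

# Example: FTP control, SSH, HTTP, HTTPS and Webmin over TCP; DNS over UDP.
gen_ipfw_rules "21,22,80,443,10000" "53"
```

Redirect the output to /etc/ipfw.rules once the port lists match the services you actually run.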

Install the database (MySQL)

Install mysql40-server and mysql40-client

Enter /usr/ports/databases/mysql40-server and run:

make clean

make deinstall

make WITH_OPENSSL=yes WITH_LINUXTHREADS=yes BUILD_OPTIMIZED=yes install

Or add the following build parameter to compile a statically linked version: BUILD_STATIC=yes

make clean

Change the MySQL root password:

mysqladmin -uroot -p password 123456

Create /etc/my.cnf with the following command and contents:

vi /etc/my.cnf

[client]

#password = your_password

port = 3306

socket = /tmp/mysql.sock

[mysqld]

skip-innodb

skip-locking

skip-networking

set-variable = port=3306

set-variable = socket=/tmp/mysql.sock

set-variable = back_log=50

set-variable = connect_timeout=3

set-variable = key_buffer=128M

set-variable = max_connections=1000

set-variable = max_allowed_packet=1M

set-variable = net_buffer_length=8K

set-variable = wait_timeout=3

set-variable = read_buffer_size=1M

set-variable = sort_buffer_size=1M

set-variable = table_cache=256

set-variable = myisam_sort_buffer_size=32M

set-variable = log_slow_queries=/var/log/log_slow_queries.log

#log-bin

server-id = 1

[mysqldump]

quick

set-variable = max_allowed_packet=16M

[mysql]

no-auto-rehash

# Remove the next comment character if you are not familiar with SQL

#safe-updates

[isamchk]

set-variable = key_buffer=20M

set-variable = sort_buffer=20M

set-variable = read_buffer=2M

set-variable = write_buffer=2M

[myisamchk]

set-variable = key_buffer=20M

set-variable = sort_buffer=20M

set-variable = read_buffer=2M

set-variable = write_buffer=2M

[mysqlhotcopy]

interactive-timeout

Install phpMyAdmin

Note: this step must be carried out after Apache and PHP are installed.

Enter /usr/ports/databases/phpmyadmin and run:

make clean

make deinstall

make install

make clean

Then create a new database named system for later use.

Install the FTP server

Install the FTP software (pure-ftpd)

Enter /usr/ports/ftp/pure-ftpd and run:

make clean

make deinstall

make WITH_MYSQL=1 install

Or add the following build parameter to use the Simplified Chinese language pack: WITH_LANG=simplified-chinese

make clean

To configure pure-ftpd, do the following:

cp /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf

cp /usr/local/etc/pureftpd-mysql.conf.sample /usr/local/etc/pureftpd-mysql.conf

Then edit /usr/local/etc/pure-ftpd.conf as follows:

NoAnonymous yes

MySQLConfigFile /usr/local/etc/pureftpd-mysql.conf

Then change the following parts of /usr/local/etc/pureftpd-mysql.conf to your own values:

# Mandatory: user to bind the server as.

MYSQLUser DEMO

# Mandatory: user password. You must have a password.

MYSQLPassword Demo

# Mandatory: database to open.

MYSQLDatabase DEMO

Then log in to MySQL from the command line with mysql -uroot -p123456 and create a new table with the following commands:

USE system;

DROP TABLE IF EXISTS users;

CREATE TABLE users (

User varchar(16) NOT NULL default '',

Status enum('0','1') NOT NULL default '0',

Password varchar(64) NOT NULL default '',

Uid varchar(11) NOT NULL default '-1',

Gid varchar(11) NOT NULL default '-1',

Dir varchar(128) NOT NULL default '',

ULBandwidth smallint(5) NOT NULL default '0',

DLBandwidth smallint(5) NOT NULL default '0',

comment tinytext NOT NULL,

ipaccess varchar(15) NOT NULL default '*',

QuotaSize smallint(5) NOT NULL default '0',

QuotaFiles int(11) NOT NULL default 0,

PRIMARY KEY (User),

UNIQUE KEY User (User)

) TYPE=MyISAM;

Install pureftpd_php_manager

Download Pureft_php_manager.zip

Unpack it and put it in a directory of your choice, such as:

/usr/local/www/data

chmod -R 755 /usr/local/www/data/pureftpd_php_manager

Add a normal user and a group for FTP:

pw groupadd ftpusers

pw useradd ftpuser -g ftpusers -s /sbin/nologin

Note their UID and GID numbers for later use!

Open pureftp.config.php and change the following lines:

$pureftp_config_file = '/usr/local/etc/pureftpd-mysql.conf';

$defaultuser = "ftpuser"; # default user logon

$defaultpass = ""; # default user password

$defaultuid = "1002"; # default user ID (must be a real user acct)

$defaultgid = "1001"; # default group ID (must be a real group acct)

$defaultdir = "/home"; # default user dir (use /./ at the end to chroot)

$defaultul = "0"; # default upload throttle (0 disables it)

$defaultdl = "0"; # default download throttle (0 disables it)

$defaultip = "*"; # default ip restrictions (* = any ip)

$defaultqs = "200"; # default quota size (0 disables it)

$defaultcmt = ""; # default comment for user

// ua

$defaultqf = "0"; # default quota files (0 disabl

Install the Apache server

Install apache13-modssl

Enter /usr/ports/www/apache13-modssl and run:

make clean

make deinstall

make WITH_APACHE_SUEXEC=yes APACHE_HARD_SERVER_LIMIT=1024 APACHE_PERF_TUNING=yes install

This compiles in suEXEC and the performance optimizations.

make clean

Remove Indexes from every Options line to disable browsing of directories and files. Set KeepAlive Off.

Install the PHP language

Install PHP

Enter /usr/ports/www/mod_php4 and run:

make clean

make deinstall

make install

Choose the common build options; be sure to select MySQL and GD.

make clean

After the installation is complete, add the following to /usr/local/etc/apache/httpd.conf:

AddType application/x-httpd-php .php .php3 .php4 .phtml

AddType application/x-httpd-php-source .phps

Replace the DirectoryIndex line with:

DirectoryIndex index.html index.htm index.wml index.cgi index.shtml index.jsp index.js index.jp index.php4 index.php3 index.php index.phtml default.htm default.html home.htm

Run cp php.ini-recommended /etc/php.ini, then edit the parameters in php.ini (vi /etc/php.ini) and change the following two:

register_globals = On

magic_quotes_gpc = On

Install ZendOptimizer

First download ZendOptimizer-2.1.0b-freebsd4.0-i386.tar.gz

Then run:

tar zxvf ZendOptimizer-2.1.0b-freebsd4.0-i386.tar.gz

cd ZendOptimizer-2.1.0b-freebsd4.0-i386

sh setup

The guided installer then completes the installation for you.

Note: your php.ini configuration file is usually moved to

/usr/local/zend/etc/php.ini

and the following lines are added at the bottom:

[Zend]

zend_optimizer.optimization_level=15

zend_extension_manager.optimizer=/usr/local/zend/lib/Optimizer-2.1.0

zend_extension_manager.optimizer_ts=/usr/local/zend/lib/Optimizer_TS-2.1.0

zend_extension=/usr/local/zend/lib/ZendExtensionManager.so

zend_extension_ts=/usr/local/zend/lib/ZendExtensionManager_TS.so

You can change 15 to 1023 as needed to increase the level of acceleration.

Install other Apache integration software

Install mod_bandwidth

Enter /usr/ports/www/mod_bandwidth and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule bandwidth_module libexec/apache/mod_bandwidth.so

AddModule mod_bandwidth.c

make clean

Syntax and purpose:

* BandWidthModule: this module can be configured for each server.

* BandWidthPulse: sets the timing unit in microseconds; recommended: 1000000 (1 second).

* BandWidth: controls the transfer rate for specific sources. The rate is in bytes; when the rate is 0, the transfer rate is not limited. Example:

BandWidth ecp.fr 0

BandWidth 138.195 0

BandWidth all 1024

* LargeFileLimit: when transferring a file whose size is greater than or equal to the given filesize in KB, sets a maximum transfer rate (bytes/second); when the rate is 0, the speed is not limited. Example:

LargeFileLimit 200 3072

LargeFileLimit 1024 2048

In the example above, files smaller than 200 KB are not limited, files between 200 KB and 1024 KB are limited to 3072 B/s, and files larger than 1024 KB are limited to 2048 B/s.

* MinBandWidth: sets the basic bandwidth that each connection occupies when transferring data, in bytes. Default: 256 B/s. When the rate is set to 0, the default bandwidth limit is used.

Install mod_fastcgi

Enter /usr/ports/www/mod_fastcgi and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule fastcgi_module libexec/apache/mod_fastcgi.so

AddModule mod_fastcgi.c

AddHandler fastcgi-script fcgi fcgi fpl

make clean

Install mod_gzip

Enter /usr/ports/www/mod_gzip and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule gzip_module libexec/apache/mod_gzip.so

AddModule mod_gzip.c

make clean

Install mod_limitipconn

Enter /usr/ports/www/mod_limitipconn and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule limitipconn_module libexec/apache/mod_limitipconn.so

AddModule mod_limitipconn.c

make clean

Install mod_perl

Enter /usr/ports/www/mod_perl and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule perl_module libexec/apache/mod_perl.so

AddModule mod_perl.c

make clean

Install mod_throttle

Enter /usr/ports/www/mod_throttle and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule throttle_module libexec/apache/mod_throttle.so

AddModule mod_throttle.c

make clean

Install mod_watch

Enter /usr/ports/www/mod_watch and run:

make clean

make deinstall

make install

After the build completes, remember to edit the configuration (vi /usr/local/etc/apache/httpd.conf) and add:

LoadModule watch_module libexec/apache/mod_watch.so

AddModule mod_watch.c

make clean

Install third-party Apache software

Install software that limits the connections of each virtual host

mod_vhost_limit

Installation:

apxs -c mod_vhost_limit.c -o /path/to/libexec/mod_vhost_limit.so

Add:

LoadModule vhost_limit_module libexec/mod_vhost_limit.so

AddModule mod_vhost_limit.c

Configuration:

MaxClients 150

ExtendedStatus On

NameVirtualHost *

<VirtualHost *>

ServerName server1

DocumentRoot /some/where/1

MaxVhostClients 100

</VirtualHost>

<VirtualHost *>

ServerName server2

DocumentRoot /some/where/2

MaxVhostClients 30

</VirtualHost>

<VirtualHost *>

ServerName server3

DocumentRoot /some/where/3

</VirtualHost>

Here server1 is limited to 100 concurrent connections, server2 is limited to 30 concurrent connections, and server3 is not limited.

Note: this needs mod_status with ExtendedStatus On! If the limit is exceeded, a 503 error appears in the client:

Service Temporarily Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

--------------------------------------------------------------------------------

Apache/1.3.27 Server at server1 Port 80

The following error message appears in error_log:

[Mon Jun 23 15:22:24 2003] [error] client access to server1 deferred, MaxVhostClients 100 exceeded

Install software to defend against DDoS attacks

Installation of dosevasive1.8.tar.gz:

tar zxvf mod_dosevasive.tar.gz

cd dosevasive/

/usr/local/apache/bin/apxs -i -c mod_dosevasive.c

vi /usr/local/apache/conf/httpd.conf

Add:

LoadModule dosevasive_module libexec/mod_dosevasive.so

AddModule mod_dosevasive.c

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10
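What the values above mean for real traffic, as an added example that is not part of the original article and not mod_dosevasive code: the shell function below replays a constructed request list through a simplified model of the DOSPageCount, DOSSiteCount and DOSBlockingPeriod settings, following the module documentation's description of them, and reports which clients would be refused. The function names, the input format and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article and not mod_dosevasive code.
# It replays request records through a simplified model of the directives
# above: a client is put on the block list when it exceeds DOSPageCount
# requests for one URI within DOSPageInterval seconds, or DOSSiteCount
# requests in total within DOSSiteInterval seconds, and stays blocked for
# DOSBlockingPeriod seconds after its last refused request.
# The input format "epoch-seconds client-ip uri" is an assumption.

# $1=DOSPageCount $2=DOSPageInterval $3=DOSSiteCount $4=DOSSiteInterval
# $5=DOSBlockingPeriod; records on stdin. Prints "ip refused-requests".
dosevasive_replay() {
    awk -v pc="$1" -v pi="$2" -v sc="$3" -v si="$4" -v bp="$5" '
    # Count one request for key k at time t in a window of the given
    # length; return 1 when the count exceeds the limit.
    function over(k, t, limit, interval) {
        if (!(k in start) || t - start[k] >= interval) {
            start[k] = t
            count[k] = 0
        }
        count[k]++
        return (count[k] > limit)
    }
    {
        t = $1 + 0; ip = $2; uri = $3
        # Already blocked: refuse and restart the blocking period.
        if ((ip in blocked) && t - blocked[ip] < bp) {
            blocked[ip] = t
            refused[ip]++
            next
        }
        page = over(ip " " uri, t, pc + 0, pi + 0)
        site = over(ip " *", t, sc + 0, si + 0)
        if (page || site) {
            blocked[ip] = t
            refused[ip]++
        }
    }
    END { for (ip in refused) print ip, refused[ip] }
    ' | sort
}

# Constructed sample: 192.0.2.10 reloads one page three times in a second
# and keeps retrying; 198.51.100.7 browses different pages at a slow pace.
sample_requests() {
    cat <<'EOF'
1000 192.0.2.10 /index.php
1000 192.0.2.10 /index.php
1000 192.0.2.10 /index.php
1001 198.51.100.7 /index.php
1002 198.51.100.7 /news.php
1005 192.0.2.10 /index.php
1012 192.0.2.10 /index.php
1030 192.0.2.10 /index.php
EOF
}

# The values from the configuration above.
sample_requests | dosevasive_replay 2 1 50 1 10
```

With DOSPageCount 2 the third request for the same URI inside one second is refused, and each retry during the block restarts the 10-second timer, so replay your own access log through the thresholds before enabling them.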

Other software you may choose to install:

CPU temperature monitoring software

CPU load monitoring software

Package flow monitoring software

......

Install MRTG

Install net-snmp

Enter /usr/ports/net/net-snmp and run:

make clean

make deinstall

make install

make clean

Install MRTG

Enter /usr/ports/net/mrtg and run:

make clean

make deinstall

make install

make clean

Set up MRTG and traffic analysis for virtual hosts

Generate the traffic-monitoring configuration file:

/usr/local/sbin/apache2mrtg.pl /usr/local/etc/apache/httpd.conf > /usr/local/etc/apache/mod_watch.cfg

Edit this file and add the header information:

WorkDir: /usr/local/www/data/mrtg

Options[_]: growright, bits

#Language: GB2312

#Title[^]: Traffic analysis for

PageTop[^]: Traffic stats for onlinecq.com user

#PageTop[$]: Contact QQ: 151482576

PageFoot[^]: www.onlinecq.com MSN: cqfanli@hotmail.com QQ: 151482576

Make sure that the WorkDir directory exists and can be accessed by the browser! If not, you can change it yourself.

Run it to see whether it works correctly:

/usr/local/bin/mrtg /usr/local/etc/apache/mod_watch.cfg

If there is an error, run it a few more times!

Then add it to the crontab so that it runs automatically every 15 minutes:

vi /etc/crontab

*/15 * * * * root /usr/local/bin/mrtg /usr/local/etc/apache/mod_watch.cfg

Install BIND 9

Install BIND9

This is a domain name resolution system that lets your server act as a DNS server. Very nice!

Enter /usr/ports/dns/bind9 and run:

make clean

make deinstall

make install

make clean

Then remember to modify configuration files such as named.conf. The details are too complex to cover here; it is recommended to read books that specialize in this area.

Install the mail server

Install the qmail mail system

Use the iceblood installation package; its guided installation is all you need. When installing for the first time, read through it carefully and do not make a mistake!

After the installation is complete, add qmailadmin, which lets you host a number of domain names on one machine!

Install Webmin and Usermin

Install Webmin

First download the latest version of Webmin.

Unpack it:

tar zxvf webmin-1.100.tar.gz

Enter the directory and start the installation:

cd webmin-1.100

sh setup.sh

Use the default settings when installing. You have to set your administrator password; this must be kept secret! Also set Webmin to start automatically so that you can manage the server later. After the installation is complete, you can access it at http://ip:10000/. Note that the default port is 10000.

Install Usermin

First download the latest version of Usermin.

Unpack it:

tar zxvf usermin-1.030.tar.gz

Enter the directory and start the installation:

cd usermin-1.030

sh setup.sh

Use the default settings when installing. After the installation is complete, you can access it at http://ip:20000/. Note that the default port is 20000. Usermin integrates automatically with Webmin, uses the Webmin administrator password, and can be started from within Webmin.

Conclusion

At this point a FreeBSD system that is ready for real use has been set up. You can reboot so that the latest settings and software take effect.

If an error occurs during the installation process, check the error first and then install again. You can also choose only the parts you are interested in!

Of course, because time was short and the knowledge involved is broad, and because my ability is limited, mistakes are inevitable. I ask readers to point them out so that we can make progress together!

Note: if you reprint or excerpt this article, please retain the author information and cite the source (Chinese FreeBSD User Group, http://www.cnfug.org).
