my blog my blog

Category: 建站心得
使用Nginx Lua阻止对服务器IP的80/443端口直接访问

Lua作为Nginx服务器的脚本扩充非常好用,而且性能也很好。如果要使用Nginx Lua阻止对服务器IP的80/443端口直接访问,我们可以对nginx.conf进行如下设置

location / {
access_by_lua_block{
	if ( ngx.var.host ~= "www.nenew.net" ) then 
		ngx.exit(444)
	end
                    }
             }

其中的ngx.var.host代表目标域名,有几个变量可能会发生混淆:

ngx.var.server_name对应server_name:www.nenew.net
ngx.var.host对应host:test1.nenew.net
ngx.var.hostname对应hostname:nenew

这里我们就看啊,如果我们把IP绑定给其它域名,或者对方直接用hosts来进行dns解析,改变的是ngx.var.host,这个是访问者的目标域名,是变化的,所以这里block是针对的ngx.var.host,只要判定不相同即无法访问,我们直接给一个444状态,切断连接不响应。hostname是主机名,这里没有什么用,ngx.var.server_name变量是绑定域名,不能用绑定域名来判定,因为绑定域名会变,但是访问域名可能会造成改变。

Ubuntu18.04编译安装MySQL 5.7.26

下载带有boost版本的MySQL 5.7.26

wget https://downloads.mysql.com/archives/get/file/mysql-boost-5.7.26.tar.gz

安装依赖

apt install cmake
apt install libncurses5 libncurses5-dev 
apt install bision

解压

tar xzf mysql-boost-5.7.26.tar.gz 
cd mysql-5.7.26/

编译安装

说明一下,其实这个boost并不需要单独安装,只需要把包内的boost路径加载到configure就可以了。

cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DSYSCONFDIR=/etc -DWITH_MYISAM_STORAGE_ENGINE=1 -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_PARTITION_STORAGE_ENGINE=1 -DWITH_FEDERATED_STORAGE_ENGINE=1 -DEXTRA_CHARSETS=all -DDEFAULT_CHARSET=utf8mb4 -DDEFAULT_COLLATION=utf8mb4_general_ci -DWITH_EMBEDDED_SERVER=1 -DENABLED_LOCAL_INFILE=1 -DWITH_BOOST=./boost
make
make install

完成后的工作

 

useradd -M -s /sbin/nologin mysql
groupadd mysql
chown mysql:mysql /usr/local/mysql/var/
chgrp -R mysql /usr/local/mysql/
mkdir -p /usr/local/mysql/var
cp support-files/mysql.server /etc/init.d/mysql
chmod +x /etc/init.d/mysql 
cat > /etc/ld.so.conf.d/mysql.conf<<EOF
    /usr/local/mysql/lib
    /usr/local/lib
EOF
ldconfig
/usr/local/mysql/bin/mysqld --initialize-insecure --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var/ --user=mysql --explicit_defaults_for_timestamp=true
初始化数据库
vim /etc/my.cnf
配置数据库
service mysql start
/usr/local/mysql/bin/mysqladmin -u root password password
设置管理员密码

附上LNMP的my.cnf

[client]
#password	= your_password
port		= 3306
socket		= /tmp/mysql.sock

[mysqld]
port		= 3306
socket		= /tmp/mysql.sock
datadir = /usr/local/mysql/var
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 1M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
thread_cache_size = 8
query_cache_size = 8M
tmp_table_size = 16M

#skip-networking
max_connections = 500
max_connect_errors = 100
open_files_limit = 65535

log-bin=mysql-bin
binlog_format=mixed
server-id	= 1
expire_logs_days = 10

default_storage_engine = InnoDB
innodb_file_per_table = 1
innodb_data_home_dir = /usr/local/mysql/var
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /usr/local/mysql/var
innodb_buffer_pool_size = 16M
#innodb_additional_mem_pool_size = 2M
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
Ubuntu18.04编译安装PHP7.3.8

奶牛在踩坑过程中,请不要阻止。身为一个站长,一路以来一直使用LNMP来安装LNMP环境,深感羞耻,打算把该踩的坑都踩一踩,也学习一下该学习的东西。

今天是把OpenResty+PHP+Mysql的坑都踩了一遍,学到了不少东西,与君共勉。

需求环境安装

build-essential libcurl14 libcurl4-gnutls-dev openssl curl libbz2-dev libxml2-dev libjpeg-dev libpng-dev libfreetype6-dev libzip-dev libxslt1-dev

下载PHP7.3.8

wget https://www.php.net/distributions/php-7.3.8.tar.gz

解压

tar xzvf php-7.3.8.tar.gz

进入目录

cd php-7.3.8

编译安装

./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-config-file-scan-dir=/usr/local/php/conf.d --enable-fpm --with-fpm-user=www --with-fpm-group=www --enable-mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-mbstring --enable-intl --enable-ftp --with-gd --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --with-gettext  --enable-opcache --with-xsl
make
make test
make install
mkdir -p /usr/local/php/{etc,conf.d}
cp php.ini-production /usr/local/php/etc/php.ini
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
chmod +x /etc/init.d/php-fpm
update-rc.d php-fpm default

防止Failed to start php.service: Unit php-fpm.service not found.类错误发生。

配置文件php.ini

贴上现有的配置,改自LNMP。

engine = On
short_open_tag = On
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server
disable_classes =
zend.enable_gc = On
expose_php = On
max_execution_time = 300
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 50M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
doc_root =
user_dir =
enable_dl = Off
cgi.fix_pathinfo=0
file_uploads = On
upload_max_filesize = 50M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
extension=fileinfo
[CLI Server]
cli_server.color = On

[Date]
date.timezone = PRC
[filter]
[iconv]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[Interbase]
ibase.allow_persistent = 1
ibase.max_persistent = -1
ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.cache_size = 2000
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
[zend opcache]
zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20180731/opcache.so"
opcache.force_restart_timeout=3600
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable=1
opcache.enable_cli=1
[curl]
[openssl]

关于fileinfo

这个默认是安装的,但是有说内存小于1G是不推荐安装的,编译会出错,但是fileinfo很有用,有些程序需要使用fileinfo,未安装会导致500错误。可以在configiure的时候使用–disable-fileinfo参数来禁止安装,但是没有–enable-fileinfo参数哦。

关于fileinfo手动安装

cd ./ext/fileinfo/
apt install autoconf
/usr/local/php/bin/phpize
./configure –with-php-config=/usr/local/php/bin/php-config
make
make install

最后修改php.ini添加extension=fileinfo即可。

PHP configure参数详细列表

如下,以便速查

~/php/php-7.3.8# ./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
  --target=TARGET   configure for building compilers for TARGET [HOST]

Optional Features and Packages:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-libdir=NAME      Look for libraries in .../NAME rather than .../lib
  --disable-rpath         Disable passing additional runtime library
                          search paths
  --enable-re2c-cgoto     Enable -g flag to re2c to use computed goto gcc extension
  --disable-gcc-global-regs
                          whether to enable GCC global register variables

SAPI modules:

  --with-apxs2=FILE       Build shared Apache 2.0 Handler module. FILE is the optional
                          pathname to the Apache apxs tool apxs
  --disable-cli           Disable building CLI version of PHP
                          (this forces --without-pear)
  --enable-embed=TYPE     EXPERIMENTAL: Enable building of embedded SAPI library
                          TYPE is either 'shared' or 'static'. TYPE=shared
  --enable-fpm            Enable building of the fpm SAPI executable
  --with-fpm-user=USER    Set the user for php-fpm to run as. (default: nobody)
  --with-fpm-group=GRP    Set the group for php-fpm to run as. For a system user, this
                          should usually be set to match the fpm username (default: nobody)
  --with-fpm-systemd      Activate systemd integration
  --with-fpm-acl          Use POSIX Access Control Lists
  --with-litespeed        Build PHP as litespeed module
  --enable-phpdbg         Build phpdbg
  --enable-phpdbg-webhelper
                          Build phpdbg web SAPI support
  --enable-phpdbg-debug   Build phpdbg in debug mode
  --enable-phpdbg-readline   Enable readline support in phpdbg (depends on static ext/readline)
  --disable-cgi           Disable building CGI version of PHP
  --with-valgrind=DIR     Enable valgrind support

General settings:

  --enable-gcov           Enable GCOV code coverage (requires LTP) - FOR DEVELOPERS ONLY!!
  --enable-debug          Compile with debugging symbols
  --with-layout=TYPE      Set how installed files will be laid out.  Type can
                          be either PHP or GNU [PHP]
  --with-config-file-path=PATH
                          Set the path in which to look for php.ini [PREFIX/lib]
  --with-config-file-scan-dir=PATH
                          Set the path where to scan for configuration files
  --enable-sigchild       Enable PHP's own SIGCHLD handler
  --enable-libgcc         Enable explicitly linking against libgcc
  --disable-short-tags    Disable the short-form <? start tag by default
  --enable-dmalloc        Enable dmalloc
  --disable-ipv6          Disable IPv6 support
  --enable-dtrace         Enable DTrace support
  --enable-fd-setsize     Set size of descriptor sets

Extensions:

  --with-EXTENSION=shared[,PATH]

    NOTE: Not all extensions can be build as 'shared'.

    Example: --with-foobar=shared,/usr/local/foobar/

      o Builds the foobar extension as shared extension.
      o foobar package install prefix is /usr/local/foobar/


  --disable-all           Disable all extensions which are enabled by default

  --disable-libxml        Disable LIBXML support
  --with-libxml-dir=DIR   LIBXML: libxml2 install prefix
  --with-openssl=DIR      Include OpenSSL support (requires OpenSSL >= 1.0.1)
  --with-kerberos=DIR     OPENSSL: Include Kerberos support
  --with-system-ciphers   OPENSSL: Use system default cipher list instead of hardcoded value
  --with-pcre-regex=DIR   Include Perl Compatible Regular Expressions support.
                          DIR is the PCRE install prefix BUNDLED
  --with-pcre-jit         Enable PCRE JIT functionality (BUNDLED only)
  --with-pcre-valgrind=DIR
                          Enable PCRE valgrind support. Developers only!
  --without-sqlite3=DIR   Do not include SQLite3 support. DIR is the prefix to
                          SQLite3 installation directory.
  --with-zlib=DIR         Include ZLIB support (requires zlib >= 1.2.0.4)
  --with-zlib-dir=<DIR>   Define the location of zlib install directory
  --enable-bcmath         Enable bc style precision math functions
  --with-bz2=DIR          Include BZip2 support
  --enable-calendar       Enable support for calendar conversion
  --disable-ctype         Disable ctype functions
  --with-curl=DIR         Include cURL support
  --enable-dba            Build DBA with bundled modules. To build shared DBA
                          extension use --enable-dba=shared
  --with-qdbm=DIR         DBA: QDBM support
  --with-gdbm=DIR         DBA: GDBM support
  --with-ndbm=DIR         DBA: NDBM support
  --with-db4=DIR          DBA: Oracle Berkeley DB 4.x or 5.x support
  --with-db3=DIR          DBA: Oracle Berkeley DB 3.x support
  --with-db2=DIR          DBA: Oracle Berkeley DB 2.x support
  --with-db1=DIR          DBA: Oracle Berkeley DB 1.x support/emulation
  --with-dbm=DIR          DBA: DBM support
  --with-tcadb=DIR        DBA: Tokyo Cabinet abstract DB support
  --with-lmdb=DIR         DBA: Lightning memory-mapped database support
  --without-cdb=DIR       DBA: CDB support (bundled)
  --disable-inifile       DBA: INI support (bundled)
  --disable-flatfile      DBA: FlatFile support (bundled)
  --disable-dom           Disable DOM support
  --with-libxml-dir=DIR   DOM: libxml2 install prefix
  --with-enchant=DIR      Include enchant support.
                          GNU Aspell version 1.1.3 or higher required.
  --enable-exif           Enable EXIF (metadata from images) support
  --disable-fileinfo      Disable fileinfo support
  --disable-filter        Disable input filter support
  --with-pcre-dir         FILTER: pcre install prefix
  --enable-ftp            Enable FTP support
  --with-openssl-dir=DIR  FTP: openssl install prefix
  --with-gd=DIR           Include GD support.  DIR is the GD library base
                          install directory BUNDLED
  --with-webp-dir=DIR     GD: Set the path to libwebp install prefix
  --with-jpeg-dir=DIR     GD: Set the path to libjpeg install prefix
  --with-png-dir=DIR      GD: Set the path to libpng install prefix
  --with-zlib-dir=DIR     GD: Set the path to libz install prefix
  --with-xpm-dir=DIR      GD: Set the path to libXpm install prefix
  --with-freetype-dir=DIR GD: Set the path to FreeType 2 install prefix
  --enable-gd-jis-conv    GD: Enable JIS-mapped Japanese font support
  --with-gettext=DIR      Include GNU gettext support
  --with-gmp=DIR          Include GNU MP support
  --with-mhash=DIR        Include mhash support
  --disable-hash          Disable hash support
  --without-iconv=DIR     Exclude iconv support
  --with-imap=DIR         Include IMAP support. DIR is the c-client install prefix
  --with-kerberos=DIR     IMAP: Include Kerberos support. DIR is the Kerberos install prefix
  --with-imap-ssl=DIR     IMAP: Include SSL support. DIR is the OpenSSL install prefix
  --with-interbase=DIR    Include Firebird support.  DIR is the Firebird base
                          install directory /opt/firebird
  --enable-intl           Enable internationalization support
  --with-icu-dir=DIR      Specify where ICU libraries and headers can be found
  --disable-json          Disable JavaScript Object Serialization support
  --with-ldap=DIR         Include LDAP support
  --with-ldap-sasl=DIR    LDAP: Include Cyrus SASL support
  --enable-mbstring       Enable multibyte string support
  --disable-mbregex       MBSTRING: Disable multibyte regex support
  --disable-mbregex-backtrack
                          MBSTRING: Disable multibyte regex backtrack check
  --with-onig=DIR         MBSTRING: Use external oniguruma. DIR is the oniguruma install prefix.
                          If DIR is not set, the bundled oniguruma will be used
  --with-mysqli=FILE      Include MySQLi support.  FILE is the path
                          to mysql_config.  If no value or mysqlnd is passed
                          as FILE, the MySQL native driver will be used
  --enable-embedded-mysqli
                          MYSQLi: Enable embedded support
                          Note: Does not work with MySQL native driver!
  --with-mysql-sock=SOCKPATH
                          MySQLi/PDO_MYSQL: Location of the MySQL unix socket pointer.
                          If unspecified, the default locations are searched
  --with-oci8=DIR         Include Oracle Database OCI8 support. DIR defaults to $ORACLE_HOME.
                          Use --with-oci8=instantclient,/path/to/instant/client/lib
                          to use an Oracle Instant Client installation
  --with-odbcver=HEX      Force support for the passed ODBC version. A hex number is expected, default 0x0350.
                          Use the special value of 0 to prevent an explicit ODBCVER to be defined.
  --with-adabas=DIR       Include Adabas D support /usr/local
  --with-sapdb=DIR        Include SAP DB support /usr/local
  --with-solid=DIR        Include Solid support /usr/local/solid
  --with-ibm-db2=DIR      Include IBM DB2 support /home/db2inst1/sqllib
  --with-empress=DIR      Include Empress support \$EMPRESSPATH
                          (Empress Version >= 8.60 required)
  --with-empress-bcs=DIR  Include Empress Local Access support \$EMPRESSPATH
                          (Empress Version >= 8.60 required)
  --with-custom-odbc=DIR  Include user defined ODBC support. DIR is ODBC install base
                          directory /usr/local. Make sure to define CUSTOM_ODBC_LIBS and
                          have some odbc.h in your include dirs. f.e. you should define
                          following for Sybase SQL Anywhere 5.5.00 on QNX, prior to
                          running this configure script:
                            CPPFLAGS=\"-DODBC_QNX -DSQLANY_BUG\"
                            LDFLAGS=-lunix
                            CUSTOM_ODBC_LIBS=\"-ldblib -lodbc\"
  --with-iodbc=DIR        Include iODBC support /usr/local
  --with-esoob=DIR        Include Easysoft OOB support /usr/local/easysoft/oob/client
  --with-unixODBC=DIR     Include unixODBC support /usr/local
  --with-dbmaker=DIR      Include DBMaker support
  --disable-opcache       Disable Zend OPcache support
  --disable-opcache-file  Disable file based caching
  --disable-huge-code-pages
                          Disable copying PHP CODE pages into HUGE PAGES
  --enable-pcntl          Enable pcntl support (CLI/CGI only)
  --disable-pdo           Disable PHP Data Objects support
  --with-pdo-dblib=DIR    PDO: DBLIB-DB support.  DIR is the FreeTDS home directory
  --with-pdo-firebird=DIR PDO: Firebird support.  DIR is the Firebird base
                          install directory /opt/firebird
  --with-pdo-mysql=DIR    PDO: MySQL support. DIR is the MySQL base directory
                          If no value or mysqlnd is passed as DIR, the
                          MySQL native driver will be used
  --with-zlib-dir=DIR     PDO_MySQL: Set the path to libz install prefix
  --with-pdo-oci=DIR      PDO: Oracle OCI support. DIR defaults to $ORACLE_HOME.
                          Use --with-pdo-oci=instantclient,/path/to/instant/client/lib
                          for an Oracle Instant Client installation.
  --with-pdo-odbc=flavour,dir
                          PDO: Support for 'flavour' ODBC driver.
			  include and lib dirs are looked for under 'dir'.

			  'flavour' can be one of:  ibm-db2, iODBC, unixODBC, generic
			  If ',dir' part is omitted, default for the flavour
			  you have selected will be used. e.g.:

			    --with-pdo-odbc=unixODBC

			  will check for unixODBC under /usr/local. You may attempt
			  to use an otherwise unsupported driver using the 'generic'
			  flavour.  The syntax for generic ODBC support is:

			    --with-pdo-odbc=generic,dir,libname,ldflags,cflags

			  When built as 'shared' the extension filename is always pdo_odbc.so
  --with-pdo-pgsql=DIR    PDO: PostgreSQL support.  DIR is the PostgreSQL base
                          install directory or the path to pg_config
  --without-pdo-sqlite=DIR
                          PDO: sqlite 3 support.  DIR is the sqlite base
                          install directory BUNDLED
  --with-pgsql=DIR        Include PostgreSQL support.  DIR is the PostgreSQL
                          base install directory or the path to pg_config
  --disable-phar          Disable phar support
  --disable-posix         Disable POSIX-like functions
  --with-pspell=DIR       Include PSPELL support.
                          GNU Aspell version 0.50.0 or higher required
  --with-libedit=DIR      Include libedit readline replacement (CLI/CGI only)
  --with-readline=DIR     Include readline support (CLI/CGI only)
  --with-recode=DIR       Include recode support
  --disable-session       Disable session support
  --with-mm=DIR           SESSION: Include mm support for session storage
  --enable-shmop          Enable shmop support
  --disable-simplexml     Disable SimpleXML support
  --with-libxml-dir=DIR   SimpleXML: libxml2 install prefix
  --with-snmp=DIR         Include SNMP support
  --with-openssl-dir=DIR  SNMP: openssl install prefix
  --enable-soap           Enable SOAP support
  --with-libxml-dir=DIR   SOAP: libxml2 install prefix
  --enable-sockets        Enable sockets support
  --with-sodium=DIR       Include sodium support
  --with-password-argon2=DIR
                          Include Argon2 support in password_*. DIR is the Argon2 shared library path
  --enable-sysvmsg        Enable sysvmsg support
  --enable-sysvsem        Enable System V semaphore support
  --enable-sysvshm        Enable the System V shared memory support
  --with-tidy=DIR         Include TIDY support
  --disable-tokenizer     Disable tokenizer support
  --enable-wddx           Enable WDDX support
  --with-libxml-dir=DIR   WDDX: libxml2 install prefix
  --with-libexpat-dir=DIR WDDX: libexpat dir for XMLRPC-EPI (deprecated)
  --disable-xml           Disable XML support
  --with-libxml-dir=DIR   XML: libxml2 install prefix
  --with-libexpat-dir=DIR XML: libexpat install prefix (deprecated)
  --disable-xmlreader     Disable XMLReader support
  --with-libxml-dir=DIR   XMLReader: libxml2 install prefix
  --with-xmlrpc=DIR       Include XMLRPC-EPI support
  --with-libxml-dir=DIR   XMLRPC-EPI: libxml2 install prefix
  --with-libexpat-dir=DIR XMLRPC-EPI: libexpat dir for XMLRPC-EPI (deprecated)
  --with-iconv-dir=DIR    XMLRPC-EPI: iconv dir for XMLRPC-EPI
  --disable-xmlwriter     Disable XMLWriter support
  --with-libxml-dir=DIR   XMLWriter: libxml2 install prefix
  --with-xsl=DIR          Include XSL support.  DIR is the libxslt base
                          install directory (libxslt >= 1.1.0 required)
  --enable-zend-test      Enable zend-test extension
  --enable-zip            Include Zip read/write support
  --with-zlib-dir=DIR     ZIP: Set the path to libz install prefix
  --with-pcre-dir         ZIP: pcre install prefix
  --with-libzip=DIR       ZIP: use libzip
  --enable-mysqlnd        Enable mysqlnd explicitly, will be done implicitly
                          when required by other extensions
  --disable-mysqlnd-compression-support
                          Disable support for the MySQL compressed protocol in mysqlnd
  --with-zlib-dir=DIR     mysqlnd: Set the path to libz install prefix

PEAR:

  --with-pear=DIR         Install PEAR in DIR [PREFIX/lib/php]
  --without-pear          Do not install PEAR

Zend:

  --enable-maintainer-zts Enable thread safety - for code maintainers only!!
  --disable-inline-optimization
                          If building zend_execute.lo fails, try this switch
  --disable-zend-signals  whether to enable zend signal handling

TSRM:

  --with-tsrm-pth=pth-config
                          Use GNU Pth
  --with-tsrm-st          Use SGI's State Threads
  --with-tsrm-pthreads    Use POSIX threads (default)

Libtool:

  --enable-shared=PKGS    Build shared libraries default=yes
  --enable-static=PKGS    Build static libraries default=yes
  --enable-fast-install=PKGS
                          Optimize for fast installation default=yes
  --with-gnu-ld           Assume the C compiler uses GNU ld default=no
  --disable-libtool-lock  Avoid locking (might break parallel builds)
  --with-pic              Try to use only PIC/non-PIC objects default=use both
  --with-tags=TAGS        Include additional configurations automatic


Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor
  YACC        The `Yet Another Compiler Compiler' implementation to use.
              Defaults to the first program found out of: `bison -y', `byacc',
              `yacc'.
  YFLAGS      The list of arguments that will be passed by default to $YACC.
              This script will default YFLAGS to the empty string to avoid a
              default value of `-d' given by some make applications.
  CXX         C++ compiler command
  CXXFLAGS    C++ compiler flags
  CXXCPP      C++ preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to the package provider.

 

 

Ubuntu安装配置OpenResty教程及补充方案

Ubuntu安装OpenResty教程

# import our GPG key:
wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
# for installing the add-apt-repository command
# (you can remove this package and its dependencies later):
sudo apt-get -y install software-properties-common
# add the our official APT repository:
sudo add-apt-repository -y "deb http://openresty.org/package/debian $(lsb_release -sc) openresty"
# to update the APT index:
sudo apt-get update
sudo apt-get install openresty

执行完上面一串就安装完最新版的OpenResty了。

Ubuntu配置OpenResty教程

奶牛先说下配置文件的位置:

OpenResty启动文件:/etc/rc0.d/K01openresty
OpenResty启动文件:/etc/init.d/openresty  (ldconf openresty default会生成不同runlevel的conf,Ubuntu的默认runlevel是5)
OpenResty的Nginx配置文件:/usr/local/openresty/nginx/conf/nginx.conf
OpenResty的默认目录:/usr/local/openresty/nginx/html/

然后剩下的就可以自己安装Nginx进行配置了。

OpenResty安装补充方案 设置www用户和组

groupadd www 
useradd -g www -s /sbin/nologin www

设置/usr/local/openresty/nginx/conf/nginx.conf,添加

user  www www;
worker_processes  auto;
以OVH为例聊聊怎么选网络性能更好的机房

奶牛有时候也很纠结到底选哪个机房哪个线路的服务器,到底怎么选总得有个头绪,奶牛今天就来聊聊到底怎么选。

Looking Glass

以OVH为例,OVH提供了一个插件形式的Looking Glass,地址是http://ovh.net。

通过上传、下载、延时三个方面,已经可以给我们一个很直观的网速如何的概念了。一个Looking Glass就够了么?不不不,奶牛觉得还是很不够的。

Ping

Ping值的大小由距离远近决定,同样的距离,Ping越低越好么?奶牛觉得不尽然,Ping只能反应延迟的一个结果,并不能代表什么,想像一下300ms才0.3s,不会有很大影响的,当然游戏除外,对于建站来说,Ping的大小真的没有那么重要。那么重要的是什么呢?要奶牛说,最重要的是Ping的一个loss指标,丢包率,这个才是重要的,如果丢包率很高,表示网络很不稳定,从一方面可以说明,数据包传输过程中可能会有很多重传,所以,理论上应该并不好。但是也有这种情况,人家本来就是禁Ping的,loss是100%,这种时候可以使用TCP Ping来试试,不过这个就跟丢包率没啥关系了。

Traceroute

路由追踪,这个很关键,同样的机房,可能联通、电信、移动三网走三条线路,所以,如果想选一个三网通用的机房,当然还是都要traceroute一下,不要有的线路完全无法访问导致客户丢失。

下载速度

这个也是要测试三网的,那样会比较准确,如果找不到test file这种可以下载的文件,完全可以用ab这类的压测工具来测试,找个机房的网站然后随便找个测试文件。

ab -n 1000 -c 10 -k http://xxx.xxx.com/css/bootstrap.min.css

我们完全可以开10个线程同时跑一个小文件,只要文件在这个机房的服务器上,这样子可以很容易得到一个下载速度的结果。

Transfer rate:          3440.29 [Kbytes/sec] received

像奶牛这个测试,就是3.4MB/s,理论上还是很不错的。

多时测试

不要只在一个时间测试,至少要在一天的不同时段进行测试,特别是晚7:30~12:00,这个时段是我们网络使用率最高的时段,所以这个时段的结果更具有说明性。

OVH机房的测试IP

参考:http://smokeping.ovh.net

[欧洲]

法国RBX:rbx.smokeping.ovh.net

法国SBG:sbg.smokeping.ovh.net

法国GRA:gra.smokeping.ovh.net

波兰OZA:oza.smokeping.ovh.net

英国ERI:eri.smokeping.ovh.net

德国LIM:lim.smokeping.ovh.net

[美洲]

加拿大BHS:bhs.smokeping.ovh.net

美国VIN:vin.smokeping.ovh.net

美国HIL:hil.smokeping.ovh.net

[亚太]

新加坡SGP:sgp.smokeping.ovh.net

悉尼SYD:syd.smokeping.ovh.net

CloudFlare CDN下Nginx正确获取真实IP教程

说到获取真实IP,我们不难想到nginx的http realip module,就是当遇到IP是设定范围内的地址时,就逆向递归获取源目标的真实IP。对于Cloudflare CDN而言,也是遵从行业标准的,即使用X-Forwarded-For header 和 CF-Connecting-IP header 。Cloudflare的真实IP地址可以从这里获取Cloudflare IP addresses,当然我们也可以查看文本格式的Cloudflare的IP段:

https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

官方建议还是要定期更新这个IP范围的,以免范围改动影响使用效果。

奶牛找到了一个别人写好的sh脚本,可以自动生成一个Cloudflare真实IP的conf。

#!/bin/bash
echo "#Cloudflare" > /usr/local/nginx/conf/cloudflare_ip.conf;
for i in `curl https://www.cloudflare.com/ips-v4`; do
        echo "set_real_ip_from $i;" >> /usr/local/nginx/conf/cloudflare_ip.conf;
done
for i in `curl https://www.cloudflare.com/ips-v6`; do
        echo "set_real_ip_from $i;" >> /usr/local/nginx/conf/cloudflare_ip.conf;
done
echo "" >> /usr/local/nginx/conf/cloudflare_ip.conf;
echo "# use any of the following two" >> /usr/local/nginx/conf/cloudflare_ip.conf;
echo "real_ip_header CF-Connecting-IP;" >> /usr/local/nginx/conf/cloudflare_ip.conf;
echo "#real_ip_header X-Forwarded-For;" >> /usr/local/nginx/conf/cloudflare_ip.conf;

运行脚本后,我们可以得到一个/usr/local/nginx/conf/cloudflare_ip.conf的conf文件,在网站所在的nginx conf中添加字段:

include /usr/local/nginx/conf/cloudflare_ip.conf;

即可,添加完成后使用nginx t来验证配置文件是否正确,正确无误后重启或者重新载入nginx即可。

也可以使用cron计划任务来定期更新cloudflare_ip.conf文件。

0 5 * * 1 /bin/bash /location/to/update_cf_ip.sh

这样子就可以在每周1的5点进行自动更新Cloudflare的IP conf文件了。如果使用配置文件中的X-Forwarded-For参数,理论上对所有的执行标准的CDN都是有效的。

PHP7环境下使用OPcache提高WordPress网站性能8倍

奶牛一直以为自己的服务器都开了OPcache,但是后来发现只是编译了,但是没有启用,今天启用了PHP7的OPcache,来发一份儿体验报告。

配置OPcache

配置文件为/usr/local/php/etc/php.ini,添加内容

[zend opcache]
zend_extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20170718/opcache.so"
opcache.force_restart_timeout=3600
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable=1
opcache.enable_cli=1

其中的zend_extension为你服务器编译后opcache.so文件的位置。

OPcache性能测试

载入时间数据比较:

OPcache载入时间比较

性能比较:

OPcache性能比较

测试结论

经过奶牛的测试,在服务器未启用WordPress cache插件的时候,CPU的飙升是非常厉害的,严重影响服务器性能,因此无WordPress插件的情况下,并未完全遵从1000次测试,但是图表已经完全可以说明性能的比较了。

WordPress的cache插件对网站性能提升至关重要,OPcache的存在也能最大性能的提升WordPress服务器的性能,对比而言,OPcache可以提升PHP7约3倍的性能,WordPress的cache插件可以提升约4~5倍的性能,WordPress启用cache插件并且在PHP7下启用OPcache,性能提升8倍。

所以,奶牛强烈建议WordPress的用户使用PHP7并开启OPcache,并且为WordPress安装一款cache插件,保证服务器的性能最优。

Sharktech鲨鱼机房VPS和独服8折永久优惠,奶牛专享

跟美国的Sharktech鲨鱼机房合作已经一年有余,今天凌晨鲨鱼的老朋友发来优惠信息,给了奶牛一个8折永久递减优惠。

对于鲨鱼Sharktech来说,奶牛觉得最好的形容词就是稳定,这也是建站最需要的,合作一年来,无论从40Gbps的DDOS防御到60GbpsDDOS防御的免费高防升级,还是CN2 GIA BGP的接入,三网直连的美西洛杉矶服务器Sharktech鲨鱼一直在努力,致力于拓展中国市场,在使用过程中有7*24小时技术服务,售后无忧。

促销地址: https://www.affu.net/go/sharktech
促销码:nenew
适用范围:截止2019年5月底,所有VPS的月付、季付、半年付、年付套餐可享受持续递减8折优惠.

Sharktech鲨鱼机房独服促销

CPU:Dual E5-2670
内存:32GB
硬盘:2TB HDD
流量:不限流量
带宽:1Gbps
价格:$189/月 (6折限量供应)
促销码:E51G
购买地址:
https://www.affu.net/go/sharktech-2019-march-07

CPU:Xeon E3-1270v2
内存:16GB
硬盘:2TB HDD
流量:不限流量
带宽:10Gbps
价格:$588.60/月 (45折限量供应)
促销码:10G45
购买地址:
洛杉矶机房 https://www.affu.net/go/sharktech-2019-march-08
芝加哥机房 https://www.affu.net/go/sharktech-2019-march-09
丹佛机房 https://www.affu.net/go/sharktech-2019-march-10

CPU:Dual Xeon E5-2670
内存:32GB
硬盘:2TB HDD
流量:不限流量
带宽:10Gbps
价格:$624.6/月 (45折限量供应)
促销码:10G45
购买地址:
洛杉矶机房 https://www.affu.net/go/sharktech-2019-march-11
芝加哥机房 https://www.affu.net/go/sharktech-2019-march-12
丹佛机房 https://www.affu.net/go/sharktech-2019-march-13

amazon s3针对用户共用bucket的policy

amazon s3的官方有一篇介绍文章,但是少了一个”,”,导致并不能成功导入。

amazon有提供policy的在线生成工具,地址是http://awspolicygen.s3.amazonaws.com/policygen.html

amazon针对用户共用bucket,指定用户目录的policy在https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

具体policy可以使用下方的policy

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAnd<shared-folder-name>ListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>"],
      "Condition":{"StringEquals":{"s3:prefix":["","<shared-folder-name>/"],"s3:delimiter":["/"]}}
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>"],
      "Condition":{"StringLike":{"s3:prefix":
                  [
                       "<shared-folder-name>/${aws:username}/*",
                       "<shared-folder-name>/${aws:username}"
                  ]
               }
        }
    },
    {
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::<bucket-name>/<shared-folder-name>/${aws:username}/*"]
    }
  ]
}

但是其实只保留最后两段是比较安全的,这样子无论是/根目录还是<shared-folder-name>共享目录都是不可以list的,只能list用户自己的名字命名的文件夹。

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::<bucket-name>"],
      "Condition":{"StringLike":{"s3:prefix":
                  [
                       "<shared-folder-name>/${aws:username}/*",
                       "<shared-folder-name>/${aws:username}"
                  ]
               }
        }
    },
    {
       "Sid": "AllowAllS3ActionsInUserFolder",
       "Action":["s3:*"],
       "Effect":"Allow",
       "Resource": ["arn:aws:s3:::<bucket-name>/<shared-folder-name>/${aws:username}/*"]
    }
  ]
}

这样子可以非常安全的隔离用户,也不用为每个用户建立一个bucket桶,还是很方便的。经过奶牛的测试,ACL最好就用默认的private,这样子安全性会更高。

WordPress的Google字体本地缓存方案

一直以来,Google字体都是困扰国内WordPress用户的一个问题。原因也很简单,载入慢,甚至可能由于载入慢导致页面卡死无法显示,这对于用户体验来说是很差的,disable google font这个插件也紧紧是对部分主题生效,对插件也没什么作用,而且测试下来效果很一般。如果你的主题还有禁止Google字体的选项那么就还挺好的,如果没有,奶牛建议可以试试Self-Hosted Google Fonts这个插件,效果很棒。

Self-Hosted Google Fonts的原理也很简单,首先就是扫描css文件里面的google fonts,然后把这些fonts下载到本地,之后把含有google fonts的css文件的链接替换掉,这样子下来,每次访问网站都是从本地读取Google字体,然后从本地分发至用户,虽然可能这样子会耗费很多流量在字体上,但是奶牛觉得还是挺值得的,至少网站的访问速度会提升很多,而且不用复杂地去修改css文件查找Google字体的链接然后本地话或者去除,而且也可以保存一个很好的字体显示效果。

最后附上链接:Self-Hosted Google Fonts