linux下配置php环境

一．系统
系统版本 centos5.0
软件源代码包存放位置 /usr/local/src
源码包编译安装位置(prefix) /usr/local/software_name
脚本以及维护程序存放位置 /usr/local/sbin
MySQL 数据库位置 /var/lib/mysql
Apache 网站根目录 /home/www/wwwroot
Apache 虚拟主机日志根目录 /home/www/logs
Apache 运行帐户 www:www

关闭不需要的服务
# ntsysv
以下仅列出需要启动的服务，未列出的服务一律关闭：
atd
crond
irqbalance
microcode_ctl
network
sendmail
sshd
syslog

重新启动系统
# reboot

使用yum程序安装所需软件包（以下为标准的RPM包名称）
# yum install ntp vim-enhanced gcc gcc-c++ flex bison autoconf automake bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel kernel

定时校正服务器时钟，定时与中国国家授时中心授时服务器同步
# crontab -e
加入一行：
*/30 * * * * ntpdate 210.72.145.44

源代码编译安装所需包
(1) GD2
# cd /usr/local/src
# wgethttp://www.libgd.org/releases/oldreleases/gd-2.0.34.tar.gz
# tar xzvf gd-2.0.34.tar.gz
# cd gd-2.0.34
# ./configure --prefix=/usr/local/gd2
# make
# make install
(2) LibXML2
# cd /usr/local/src
# wgetftp://xmlsoft.org/libxml2/libxml2-2.6.29.tar.gz
# tar xzvf libxml2-2.6.29.tar.gz
# cd libxml2-2.6.29
# ./configure --prefix=/usr/local/libxml2
# make
# make install
(3) LibMcrypt
# cd /usr/local/src
#wgethttp://jaist.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.bz2
# tar xjvf libmcrypt-2.5.8.tar.bz2
# cd libmcrypt-2.5.8
# ./configure --prefix=/usr/local/libmcrypt
# make
# make install
(4) Apache 日志截断程序
# cd /usr/local/src
# wgethttp://cronolog.org/download/cronolog-1.6.2.tar.gz
# tar xzvf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure --prefix=/usr/local/cronolog
# make
# make install

8．升级OpenSSL和OpenSSH
# cd /usr/local/src
# wgethttp://www.openssl.org/source/openssl-0.9.8e.tar.gz
# wgethttp://mirror.mcs.anl.gov/openssh/portable/openssh-4.6p1.tar.gz
# tar xzvf openssl-0.9.8e.tar.gz
# cd openssl-0.9.8e
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
# cd ..
# tar xzvf openssh-4.6p1.tar.gz
# cd openssh-4.6p1
# ./configure \
"--prefix=/usr" \
"--with-pam" \
"--with-zlib" \
"--sysconfdir=/etc/ssh" \
"--with-ssl-dir=/usr/local/openssl" \
"--with-md5-passwords"
# make
# make install

（5）禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config
找到：
GSSAPIAuthentication yes
将这行注释掉。

最后，确认修改正确后重新启动 SSH 服务
# service sshd restart
# ssh -v
确认 OpenSSH 以及 OpenSSL 版本正确。

编译安装主控环境
1. 下载软件

2. 编译安装MySQL
# tar xzvf mysql-5.0.27.tar.gz
# cd mysql-5.0.27
# ./configure \
"--prefix=/usr/local/mysql" \
"--localstatedir=/var/lib/mysql" \ （注意：/var 分区是否适合？）
"--with-comment=Source" \
"--with-server-suffix=-lanmang" \
"--with-mysqld-user=mysql" \
"--without-debug" \
"--with-big-tables" \
"--with-charset= gbk" \ （此处设置MySQL默认字符集）
"--with-collation= gbk_chinese_ci" \ （此处设置MySQL校正字符集）
"--with-extra-charsets=all" \
"--with-pthread" \
"--enable-static" \
"--enable-thread-safe-client" \
"--with-client-ldflags=-all-static" \
"--with-mysqld-ldflags=-all-static" \
"--enable-assembler" \
"--without-isam" \
"--without-innodb" \
"--without-ndb-debug"
# make
# make install
# useradd mysql
# cd /usr/local/mysql
# bin/mysql_install_db --user=mysql
# chown -R root:mysql .
# chown -R mysql /var/lib/mysql
# cp share/mysql/my-huge.cnf /etc/my.cnf
# cp share/mysql/mysql.server /etc/rc.d/init.d/mysqld
# chmod 755 /etc/rc.d/init.d/mysqld
# chkconfig --add mysqld
# chkconfig --level 3 mysqld on
# /etc/rc.d/init.d/mysqld start
# bin/mysqladmin -u root password 'password_for_root' (指定mysqlroot密码)

编译安装Apache
# cd /usr/local/src
# tar xjvf httpd-2.2.4.tar.bz2
# cd httpd-2.2.4
# ./configure \
"--prefix=/usr/local/apache2" \
"--with-included-apr" \
"--enable-so" \
"--enable-deflate=shared" \
"--enable-expires=shared" \
"--enable-rewrite=shared" \
"--enable-static-support" \
"--disable-userdir"
# make
# make install
# echo '/usr/local/apache2/bin/apachectl start ' >> /etc/rc.local

4. 编译安装PHP
# cd /usr/local/src
# tar xjvf php-5.2.3.tar.bz2
# cd php-5.2.3
# ./configure \
"--prefix=/usr/local/php" \
"--with-config-file-path=/etc" \
"--with-mysql=/usr/local/mysql" \
"--with-libxml-dir=/usr/local/libxml2" \
"--with-gd=/usr/local/gd2" \
"--with-jpeg-dir" \
"--with-png-dir" \
"--with-bz2" \
"--with-freetype-dir" \
"--with-iconv-dir" \
"--with-zlib-dir " \
"--with-openssl=/usr/local/openssl" \
"--with-mcrypt=/usr/local/libmcrypt" \
"--enable-soap" \
"--enable-gd-native-ttf" \
"--enable-memory-limit" \
"--enable-ftp" \
"--enable-mbstring" \
"--enable-exif" \
"--disable-ipv6" \
"--enable-fastcgi" \
"--enable-force-cgi-redirect"\
"--disable-cli"
"--with-apxs2=/usr/local/apache2/bin/apxs" \
# make
# make install
# mkdir /usr/local/php/etc
# cp php.ini-dist /usr/local/php/etc/php.ini

安装Zend Optimizer
# cd /usr/local/src
# tar xzvf ZendOptimizer-3.2.8-linux-glibc21-i386.tar.gz
# ./ZendOptimizer-3.2.8-linux-glibc21-i386/install.sh
安装Zend Optimizer过程的最后不要选择重启Apache。

整合Apache与PHP
# vi /usr/local/apache2/conf/httpd.conf
找到：
AddType application/x-gzip .gz .tgz
在该行下面添加
AddType application/x-httpd-php .php

找到：
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
将该行改为
<IfModule dir_module>
DirectoryIndex index.html index.htm index.php
</IfModule>

找到：
#Include conf/extra/httpd-mpm.conf
#Include conf/extra/httpd-info.conf
#Include conf/extra/httpd-vhosts.conf
#Include conf/extra/httpd-default.conf
去掉前面的“#”号，取消注释。

注意：以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置！

修改完成后保存退出。
# /usr/local/apache2/bin/apachectl restart

7. 查看确认环境信息、提升 PHP 安全性
在网站根目录放置 phpinfo.php 脚本，检查phpinfo中的各项信息是否正确。
#vi phpinfo.php
<?php
phpinfo();
?>

确认 PHP 能够正常工作后，在 php.ini 中进行设置提升 PHP 安全性。
# vi /etc/php.ini
找到：
disable_functions =
设置为：
phpinfo,system,chroot,escapeshellcmd,escapeshellarg,proc_open,proc_get_status,socket_create,socket_bind,
socket_listen,socket_accept,socket_write,socket_read

8. eaccelerator
# tar -jxf eaccelerator-0.9.5.tar.bz2
# cd eaccelerator-0.9.5
# /usr/local/php/bin/phpize
# ./configure --enable-eaccelerator=shared --with-php-config=/usr/local/php/bin/php-config
# make && make install

三、服务器安全性设置
1. 设置系统防火墙
# touch /usr/local/sbin/fw.sh
将以下脚本命令（绿色部分）粘贴到 fw.sh 文件中。

#!/bin/bash

# Stop iptables service first
service iptables stop

# Load FTP Kernel modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Inital chains default policy
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT

# Enable Native Network Transfer
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept Established Connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP Control
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# WWW Service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# FTP Service
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# SSH Service
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# chmod 755 /usr/local/sbin/fw.sh
# echo '/usr/local/sbin/fw.sh' >> /etc/rc.local
# /usr/local/sbin/fw.sh