The document provides guidelines for deploying an L.N.M.P environment on a 64-bit server. It specifies directory locations for source code, installed software, scripts and logs. It also outlines steps to update the system, install and configure MySQL, Nginx, PHP and other packages, including compiling Nginx with specific modules and options, setting Nginx as a service, and enabling syntax highlighting for Nginx configuration files.

1. X64 服务器 L.N.M.P 环境部署标准
一、系统约定
软件源代码包存放位置 /usr/local/src
源码包编译安装位置(prefix) /usr/local/software_name
脚本以及维护程序存放位置 /usr/local/sbin
MySQL 数据库位置 /data/mysql（可按情况设置）
Nginx 网站根目录 /data/www/wwwroot（可按情况设置）
Nginx 虚拟主机日志根目录 /data/logs（可按情况设置）
Nginx 运行账户 www:www
二、系统环境部署及调整
1. 检查系统是否正常
# more /var/log/messages （检查有无系统级错误信息）
# dmesg （检查硬件设备是否有错误信息）
# ifconfig（检查网卡设置是否正确）
# ping www.163.com （检查网络是否正常）
2. 关闭不需要的服务
# ntsysv
以下仅列出需要启动的服务，未列出的服务一律推荐关闭：
atd
crond
irqbalance
microcode_ctl
network
sendmail
sshd
syslog
3. 重新启动系统
# init 6
4. 配置 vim

2. # vi /root/.bashrc
在 alias mv='mv -i' 下面添加一行：alias vi='vim' 保存退出。
# echo 'syntax on' > /root/.vimrc
# source /root/.bashrc
5. 使用 yum 对系统进行更新并且安装必要软件包
# yum update -y
# yum install ntp -y
6. 定时校正服务器时钟，定时与中国国家授时中心授时服务器同步
# crontab -e
加入一行：
1 */6 * * * ntpdate 210.72.145.44 > /dev/null 2>&1
7. 源码编译安装所需包 (Source)
其他兼容包
# yum install libpng libpng-devel libjpeg libjpeg-devel gd gd-devel libxml2
libxml2-devel libmcrypt libmcrypt-devel compat-* pam-devel*
（ 1）禁用 SSH V1 协议
找到：
#Protocol 2,1
改为：
Protocol 2
（ 2）禁用服务器端 GSSAPI
找到以下两行，并将它们注释：
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
（ 3）禁用 DNS 域名反解
找到：
#UseDNS yes
改为：
UseDNS no

3. （ 4）禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config
找到：
GSSAPIAuthentication yes
将这行注释掉。
最后，确认修改正确后重新启动 SSH 服务
# service sshd restart
# ssh -v
确认 OpenSSH 以及 OpenSSL 版本正确。
三、编译安装 L.N.M.P 环境
1. 下载软件
# cd /usr/local/src
pcre-7.6.tar.bz2
nginx-0.6.29.tar.gz
mysql-5.0.51a-linux-x86_64-icc-glibc23.tar.gz
php-5.2.5.tar.bz2
php-5.2.5-fpm-0.5.7.diff.gz */fpm 方式启动 php-cgi
eaccelerator-0.9.5.2.tar.bz2
ZendOptimizer-3.3.3-linux-glibc23-x86_64.tar.gz
2. 安装 MySQL
tar xzvf mysql-5.0.51a-linux-x86_64-icc-glibc23.tar.gz
mv mysql-5.0.51a-linux-x86_64-icc-glibc23 /usr/local/
ln -s mysql-5.0.51a-linux-x86_64-icc-glibc23 /usr/local/mysql
useradd mysql –s /sbin/nologin
chown -R mysql:root /usr/local/mysql/
cd /usr/local/mysql
./scripts/mysql_install_db --user=mysql
cp ./support-files/mysql.server /etc/rc.d/init.d/mysqld
chown root:root /etc/rc.d/init.d/mysqld
chmod 755 /etc/rc.d/init.d/mysqld
chkconfig --add mysqld
chkconfig --level 3 mysqld on
cp ./support-files/my-huge.cnf /etc/my.cnf
cp –r /usr/local/mysql/data /data/mysql

4. chown -R mysql:mysql /var/lib/mysql/
vi /etc/my.cnf 修改以下内容：
在 [mysqld] 段增加或修改：
datadir = /data/mysql
skip-innodb
wait-timeout = 3 | 5 | 10
max_connections = 256 | 384 | 512
max_connect_errors = 10000000
thread_concurrency = CPU 个数×2
将 log-bin 注释（如果需要使用 mysql 的主从备份功能，需要
log-bin 参数打开，不能注释）
# bin/mysqladmin -u root password 'password_for_root'
(注：password_for_root 为 mysql 的 root 帐户的密码，用户自行设定)
针对大型用户 mysql 优化的参数设置 (供参考 )：
[mysqld]
port = 3306
socket = /tmp/mysql.sock
datadir = /data/mysql
skip-locking
skip-name-resolve
skip-innodb
skip-symbolic-links
local-infile=0
low_priority_updates=1
back_log = 300
key_buffer = 256M
max_allowed_packet = 16M
thread_stack = 128K
table_cache = 1024
sort_buffer_size = 4M
read_buffer_size = 256K
join_buffer_size = 4M

5. record_buffer = 2M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 64
query_cache_size = 32M
tmp_table_size = 196M
max_connections = 1600
max_connect_errors = 10000000000000
wait_timeout = 5
thread_concurrency=16
long_query_time = 1
log-slow-queries = /data/mysql/slow.log
３．编译安装 Nginx
# 安装 pcre
# tar jxvf pcre-7.6.tar.bz2
# cd pcre-7.6
# ./configure --prefix=/usr/local/pcre --enable-utf8 --enable-unicode-properties
# make
# make install
# 安装 Nginx
# tar jxvf nginx-fancyindex-0.1_beta5.tar.bz2
# tar zxvf nginx-0.6.29-tar.gz
# cd nginx-0.6.29
./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx
--conf-path=/usr/local/nginx/conf/nginx.conf --error-log-
path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --
pid-path=/usr/local/nginx/var/nginx.pid --lock-path=/usr/local/nginx/var/nginx.lock --
http-client-body-temp-path=/dev/shm//nginx_temp/client_body --http-proxy-temp-
path=/dev/shm/nginx_temp/proxy --http-fastcgi-temp-
path=/dev/shm/nginx_temp/fastcgi --user=www --group=www --with-cpu-
opt=pentium4F --without-select_module --without-poll_module --with-
http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-
http_stub_status_module --without-http_ssi_module --without-http_userid_module --
without-http_geo_module --without-http_memcached_module --without-
http_map_module --without-mail_pop3_module --without-mail_imap_module
--without-mail_smtp_module --with-pcre=/usr/local/src/pcre-7.6"

6. # make
# make install
# mkdir /dev/shm/nginx_temp
# vim /etc/init.d/nginx 写入
#!/bin/bash
#
# chkconfig: 2345 90 60
# description: nginx
# processname: nginx
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/var/nginx.pid"
RETVAL=0
prog="Nginx"
start() {
echo -n $"Starting $prog: "
mkdir -p /dev/shm/nginx_temp
daemon $NGINX_SBIN -c $NGINX_CONF
RETVAL=$?
echo
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $NGINX_PID $NGINX_SBIN -TERM
rm -rf /dev/shm/nginx_temp
RETVAL=$?
echo
return $RETVAL
}
reload(){
echo -n $"Reloading $prog: "

7. killproc -p $NGINX_PID $NGINX_SBIN -HUP
RETVAL=$?
echo
return $RETVAL
}
restart(){
stop
start
}
configtest(){
$NGINX_SBIN -c $NGINX_CONF -t
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
restart
;;
configtest)
configtest
;;
*)
echo $"Usage: $0 {start|stop|reload|restart|configtest}"
RETVAL=1
esac
exit $RETVAL
# chmod 755 /etc/init.d/nginx
# Nginx 语法高亮

8. # mkdir -p /root/.vim/syntax
# cd /root/.vim/syntax
# vim nginx.vim
插入以下行
" Vim syntax file
" Language: Nginx configuration (nginx.conf)
" Maintainer: Evan Miller
" Last Change: 2007 May 02
" Notes: This is a bit patchy.
if exists("b:current_syntax")
finish
end
setlocal iskeyword+=.
setlocal iskeyword+=/
setlocal iskeyword+=:
" basics
syn match ngxStringVariable "$ww*" contained
syn region ngxString start=+"+ end=+"+ skip=+|"+
contains=ngxStringVariable oneline
syn region ngxString start=+'+ end=+'+ skip=+|'+
contains=ngxStringVariable oneline
" Main
syn keyword ngxDirective daemon debug_points error_log lock_file
master_process pid ssl_engine timer_resolution user group worker_cpu_affinity
worker_priority worker_processes worker_rlimit_core worker_rlimit_nofile
worker_rlimit_sigpending working_directory
syn keyword ngxDirectiveImportant include
syn keyword ngxBlockDirective http events contained
syn keyword ngxBlockDirective server contained
"Events
syn keyword ngxDirective accept_mutex accept_mutex_delay debug_connection
devpoll_changes devpoll_events epoll_events kqueue_changes kqueue_events
multi_accept rtsig_signo rtsig_overflow_events rtsig_overflow_test
rtsig_overflow_threshold use worker_connections
" HTTP core
syn keyword ngxDirective alias client_body_in_file_only

9. client_body_buffer_size client_body_temp_path client_body_timeout
client_header_buffer_size client_header_timeout client_max_body_size default_type
keepalive_timeout large_client_header_buffers limit_rate msie_padding msie_refresh
optimize_server_names port_in_redirect recursive_error_pages satisfy_any
send_timeout sendfile server_names_hash_max_size server_names_hash_bucket_size
tcp_nodelay tcp_nopush internal
syn keyword ngxDirective output_buffers postpone_output send_lowat
connections
syn keyword ngxDirectiveImportant root server server_name listen
syn keyword ngxDirectiveError error_page
syn keyword ngxBlockDirective location limit_except types contained
" Access
syn keyword ngxDirective allow deny
" Auth
syn keyword ngxDirective auth_basic auth_basic_user_file
" Auto-index
syn keyword ngxDirective autoindex
syn keyword ngxDirective autoindex_exact_size
syn keyword ngxDirective autoindex_localtime
" DAV
syn keyword ngxDirective dav_access dav_methods create_full_put_path
" FastCGI
syn keyword ngxDirective fastcgi_index fastcgi_hide_header
fastcgi_intercept_errors fastcgi_param fastcgi_pass_header fastcgi_redirect_errors
syn keyword ngxDirectiveImportant fastcgi_pass
" gzip
syn keyword ngxDirective gzip gzip_buffers gzip_comp_level gzip_min_length
gzip_http_version gzip_proxied gzip_types
" header
syn keyword ngxDirective add_header
syn keyword ngxDirective expires
" auto-index
syn keyword ngxDirective index
" log
syn keyword ngxDirective access_log log_format

10. " proxy
syn keyword ngxDirective proxy_buffer_size proxy_buffering proxy_buffers
proxy_connect_timeout proxy_hide_header proxy_intercept_errors proxy_method
proxy_next_upstream proxy_pass_header proxy_read_timeout proxy_redirect_errors
proxy_send_timeout proxy_set_header proxy_temp_path proxy_temp_file_write_size
proxy_busy_buffers_size proxy_send_lowat
syn keyword ngxDirectiveImportant proxy_pass proxy_redirect
" rewrite
syn keyword ngxDirectiveControl break return set uninitialized_variable_warn
rewrite
syn keyword ngxDirective uninitialized_variable_warn
syn keyword ngxBlockDirective if contained
" SSL
syn keyword ngxDirective ssl ssl_certificate ssl_certificate_key
ssl_client_certificate ssl_ciphers ssl_prefer_server_ciphers ssl_protocols
ssl_verify_client ssl_verify_depth ssl_session_cache ssl_session_timeout
" Upstream
syn keyword ngxDirective ip_hash server
syn keyword ngxBlockDirective upstream contained
" Addition
syn keyword ngxDirectiveImportant add_before_body add_after_body
" Charset
syn keyword ngxDirective charset charset_map override_charset source_charset
" empty gif
syn keyword ngxDirective empty_gif
" geo
syn keyword ngxBlockDirective geo
" map
syn keyword ngxBlockDirective map
syn keyword ngxDirective map_hash_max_size map_hash_bucket_size
" realip
syn keyword ngxDirective set_real_ip_from real_ip_header
" referer

11. syn keyword ngxDirective valid_referers
" ssi
syn keyword ngxDirective ssi
" user id
syn keyword ngxDirective userid userid_domain userid_expires userid_name
userid_p3p userid_path userid_service
" sub filter
syn keyword ngxDirective sub_filter sub_filter_once sub_filter_types
" perl
syn keyword ngxDirective perl_modules perl_require perl_set
" limit zone
syn keyword ngxDirective limit_zone limit_conn
" memcache
syn keyword ngxDirective memcached_connect_timeout
memcached_send_timeout memcached_read_timeout memcached_buffer_size
memcached_next_upstream
syn keyword ngxDirectiveImportant memcached_pass
" stub
syn keyword ngxDirective stub_status
" flv
syn keyword ngxDirective flv
" browser
syn keyword ngxDirective ancient_browser ancient_browser_value
modern_browser modern_browser_value
syn region ngxStartBlock start=+^+ end=+{+
contains=ngxBlockDirective,ngxContextVariable oneline
syn match ngxContextVariable "$ww*" contained
syn match ngxComment " *#.*$"
syn match ngxVariable "$ww*"
hi link ngxBlockDirective Statement
hi link ngxStartBlock Normal

12. hi link ngxStringVariable Special
hi link ngxDirectiveControl Special
hi link ngxComment Comment
hi link ngxString String
hi link ngxDirective Identifier
hi link ngxDirectiveImportant Type
hi link ngxVariable Identifier
hi link ngxContextVariable Identifier
hi link ngxDirectiveError Constant
let b:current_syntax = "nginx"
# vim /root/.vim/filetype.vim
插入：
au BufRead,BufNewFile /usr/local/nginx/conf/* set ft=nginx
# chkconfig --add nginx
# chkconfig --level 3 nginx on
4. 编译安装 PHP
# php-cgi –fpm 方式
# tar –jxvf php-5.2.8.tar.gz
# gzip -cd php-5.2.8-fpm-0.5.10.diff.gz | patch -d php-5.2.8 -p1 为 php 打补丁
# cd php-5.2.8
# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-
mysql=/usr/local/mysql --with-mysql-sock=/tmp --with-libxml-dir --with-gd --with-
jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-
mcrypt= --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-
exif --enable-zend-multibyte --disable-ipv6 --enable-fastcgi --enable-fpm
# make
# make install
# mkdir /usr/local/php/etc
# cp php.ini-dist /usr/local/php/etc/php.ini
编辑/usr/local/php/etc/php-fpm.conf
# vim /usr/local/php/etc/php-fpm.conf
修改用户和组的名称为”www”

13. 去掉注释
Unix user of processes
<value name="user">www</value>
Unix group of processes
<value name="group">www</value>
#/usr/local/php/sbin/php-fpm start
# echo ‘/usr/local/php/sbin/php-fpm start’ >> /etc/rc.local
5.安装 Eaccelerator php 加速器
# cd /usr/local/src
# tar jxvf eaccelerator-0.9.5.2.tar.bz2
# cd eaccelerator-0.9.5.2
# /usr/local/php /bin/phpize phpize 命令是用来准备 PHP 外挂模块的编译环境的
# ./configure
--enable-eaccelerator=shared
--with-php-config=/usr/local/php/bin/php-config
--with-eaccelerator-shared-memory
--with-eaccelerator-sessions
--with-eaccelerator-content-caching
# make
# make install
# mkdir /usr/local/php/ext
#cp modules/eaccelerator.so /usr/local/php/ext/
6. 安装 memcache 扩展 php 扩展
# cd /usr/local/src/
# tar zxvf memcache-2.2.3.tgz
# cd memcache-2.2.3
# /usr/local/php/bin/phpize
#./configure --with-php-config=/usr/local/php/bin/php-config --enable-
memcache --with-zlib-dir
# make
# make install
# cp modules/memcache.so /usr/local/php/ext/
# 安装为 Zend 扩展
# vim /usr/local/php/etc/php.ini
插入
zend_extension="/usr/local/php/ext/eaccelerator.so"
eaccelerator.shm_size="16"

14. eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
# mkdir /tmp/eaccelerator
# chmod 0777 /tmp/eaccelerator
6.安装 Zend Optimizor php 优化器
# cd /usr/local/src
# tar zxvf ZendOptimizer-3.3.3-linux-glibc23-x86_64.tar.gz
# cd ZendOptimizer-3.3.3-linux-glibc23-x86_64
# ./install.sh
7. 查看确认 L.N.M.P 环境信息、提升 PHP 安全性
在网站根目录放置 phpinfo.php 脚本，检查 phpinfo 中的各项信息是否正确。
确认 PHP 能够正常工作后，在 php.ini 中进行设置提升 PHP 安全性。
首先找到: extension_dir = "./"
修改成: extension_dir = "/usr/local/php-fcgi/ext/"
# vi /etc/php.ini
找到：
;extension=php_zip.dll
在该行下添加
extension=memcache.so
修改完成后保存退出。
保存后可以利用 /usr/local/php/bin/php-cgi -m |grep memcache 检测和查看
具体的参数
找到：

15. disable_functions =
设置为：
passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_stat
us,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popep
assthru,stream_socket_server
三、服务器安全性设置
1. 设置系统防火墙
# vi /usr/local/sbin/fw.sh
将以下脚本命令粘贴到 fw.sh 文件中。
#!/bin/bash
# Stop iptables service first
service iptables stop
# Load FTP Kernel modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Inital chains default policy
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Enable Native Network Transfer
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept Established Connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP Control
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# WWW Service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# FTP Service
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# SSH Service
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

16. # chmod 755 /usr/local/sbin/fw.sh
# echo '/usr/local/sbin/fw.sh' >> /etc/rc.local
# /usr/local/sbin/fw.sh