在FreeBSD 8.3 (AMD64) 作業系統下架設 Nginx (Web Server)
AlexK -
作業項目:在FreeBSD 8.3 (AMD64) 作業系統下架設 Nginx (Web Server).
日期時間:2013-01-28 晚上 17:05
作業環境:
電腦:Acer M3210,
CPU:AMD 四核k8-class,
RAM:2GB DDRII 667 ,
HD:SATA2 320GB (7200r/s),
DVD:

用FreeBSD-9.1-RELEASE-amd64-memstick.img 及 FreeBSD-9.0-RELEASE-amd64-memstick.img 以隨身碟安裝都抓不到SATA2硬碟,
最後用FreeBSD-8.3-RELEASE-amd64-memstick.img 以隨身碟安裝OK!  (安裝min + src, 大約 20分鐘)
# portsnap fetch
# portsnap extract update     (下載安裝Ports完成大約 20分鐘)
# freebsd-update fetch
# freebsd-update install    (更新FreeBSD完成大約 10分鐘)

# cd /usr/src/sys/amd64/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/KERNEL301
# ln -s /root/kernels/KERNEL301

# cd /root
# ee /root/kernels/KERNEL301
內容如下:
#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/amd64/conf/GENERIC,v 1.531.2.21.2.1 2012/03/03 06:15:13 kensmith Exp $

# Custom kernel KERNEL301 (FreeBSD 8.3/amd64).  Layout: the stock GENERIC
# configuration is pulled in with 'include', and the ipfw options are added on
# top of it.  Everything from 'makeoptions DEBUG=-g' downward is a pasted copy
# of GENERIC itself.  Because GENERIC is already included, commenting a device
# out in that copy does NOT remove it from the build — config(5) needs
# 'nodevice' / 'nooptions' for that.  NOTE(review): the pasted copy therefore
# looks redundant and could be dropped; confirm with config(8) before doing so.
cpu        HAMMER
#ident        GENERIC
include        GENERIC
ident        KERNEL301

# ipfw(8) compiled into the kernel instead of loading ipfw.ko at boot.
options        IPFIREWALL
# DUMMYNET (traffic shaping) and IPDIVERT (natd divert sockets) are compiled in,
# but nothing in the posted /etc/ipfw.rules uses pipes or divert.
options        DUMMYNET
# Default-to-accept: the implicit last rule (65535) is 'allow'.  If
# /etc/ipfw.rules fails to load, or its rules never match (e.g. the interface
# name in $pif is wrong), the host is left unfiltered rather than cut off.
# That avoids locking yourself out of a remote box, but a broken ruleset fails
# open — check 'ipfw -a list' after every change.
options        IPFIREWALL_DEFAULT_TO_ACCEPT        
options        IPDIVERT
# Enables output for rules carrying the 'log' keyword.  VERBOSE_LIMIT is only
# the compiled-in default; net.inet.ip.fw.verbose_limit in /etc/sysctl.conf
# (set to 10 further down the page) takes over at runtime.
options        IPFIREWALL_VERBOSE
options        IPFIREWALL_VERBOSE_LIMIT=30

# ---- From here on: verbatim copy of GENERIC (already included above) ----

# To statically compile in device wiring instead of /boot/device.hints
#hints        "GENERIC.hints"        # Default places to look for devices.

# Use the following to compile in values accessible to the kernel
# through getenv() (or kenv(1) in userland). The format of the file
# is 'variable=value', see kenv(1)
#
# env        "GENERIC.env"

makeoptions    DEBUG=-g        # Build kernel with gdb(1) debug symbols

options     SCHED_ULE        # ULE scheduler
options     PREEMPTION        # Enable kernel thread preemption
options     INET            # InterNETworking
options     INET6            # IPv6 communications protocols
options     SCTP            # Stream Control Transmission Protocol
options     FFS            # Berkeley Fast Filesystem
options     SOFTUPDATES        # Enable FFS soft updates support
options     UFS_ACL            # Support for access control lists
options     UFS_DIRHASH        # Improve performance on big directories
options     UFS_GJOURNAL        # Enable gjournal-based UFS journaling
options     MD_ROOT            # MD is a potential root device
options     NFSCLIENT        # Network Filesystem Client
options     NFSSERVER        # Network Filesystem Server
options     NFSLOCKD        # Network Lock Manager
options     NFS_ROOT        # NFS usable as /, requires NFSCLIENT
options     MSDOSFS            # MSDOS Filesystem
options     CD9660            # ISO 9660 Filesystem
options     PROCFS            # Process filesystem (requires PSEUDOFS)
options     PSEUDOFS        # Pseudo-filesystem framework
options     GEOM_PART_GPT        # GUID Partition Tables.
options     GEOM_LABEL        # Provides labelization
options     COMPAT_43TTY        # BSD 4.3 TTY compat (sgtty)
options     COMPAT_FREEBSD32    # Compatible with i386 binaries
options     COMPAT_FREEBSD4        # Compatible with FreeBSD4
options     COMPAT_FREEBSD5        # Compatible with FreeBSD5
options     COMPAT_FREEBSD6        # Compatible with FreeBSD6
options     COMPAT_FREEBSD7        # Compatible with FreeBSD7
options     SCSI_DELAY=5000        # Delay (in ms) before probing SCSI
options     KTRACE            # ktrace(1) support
options     STACK            # stack(9) support
options     SYSVSHM            # SYSV-style shared memory
options     SYSVMSG            # SYSV-style message queues
options     SYSVSEM            # SYSV-style semaphores
options     P1003_1B_SEMAPHORES    # POSIX-style semaphores
options     _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options     PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options     KBD_INSTALL_CDEV    # install a CDEV entry in /dev
options     HWPMC_HOOKS        # Necessary kernel hooks for hwpmc(4)
options     AUDIT            # Security event auditing
options     MAC            # TrustedBSD MAC Framework
#options     KDTRACE_FRAME        # Ensure frames are compiled in
#options     KDTRACE_HOOKS        # Kernel DTrace hooks
options     INCLUDE_CONFIG_FILE     # Include this file in kernel

options     KDB            # Kernel debugger related code
options     KDB_TRACE        # Print a stack trace for a panic

# Make an SMP-capable kernel by default
options     SMP            # Symmetric MultiProcessor Kernel

# CPU frequency control
device        cpufreq

# Bus support.
device        acpi
device        pci

# Floppy drives
device        fdc

# ATA and ATAPI devices
device        ata
device        atadisk        # ATA disk drives
device        ataraid        # ATA RAID drives
device        atapicd        # ATAPI CDROM drives
device        atapifd        # ATAPI floppy drives
device        atapist        # ATAPI tape drives
options     ATA_STATIC_ID    # Static device numbering

# SCSI Controllers
#device        ahc        # AHA2940 and onboard AIC7xxx devices
#options     AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                    # output.  Adds ~128k to driver.
#device        ahd        # AHA39320/29320 and onboard AIC79xx devices
#options     AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                    # output.  Adds ~215k to driver.
#device        esp        # AMD Am53C974 (Tekram DC-390(T))
#device        hptiop        # Highpoint RocketRaid 3xxx series
#device        isp        # Qlogic family
#device        ispfw        # Firmware for QLogic HBAs- normally a module
#device        mpt        # LSI-Logic MPT-Fusion
#device        mps        # LSI-Logic MPT-Fusion 2
#device        ncr        # NCR/Symbios Logic
#device        sym        # NCR/Symbios Logic (newer chipsets + those of `ncr')
#device        trm        # Tekram DC395U/UW/F DC315U adapters

#device        adv        # Advansys SCSI adapters
#device        adw        # Advansys wide SCSI adapters
#device        aic        # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device        bt        # Buslogic/Mylex MultiMaster SCSI adapters
#device        isci        # Intel C600 SAS controller

# SCSI peripherals
#device        scbus        # SCSI bus (required for SCSI)
#device        ch        # SCSI media changers
#device        da        # Direct Access (disks)
#device        sa        # Sequential Access (tape etc)
#device        cd        # CD
#device        pass        # Passthrough device (direct SCSI access)
#device        ses        # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device        amr        # AMI MegaRAID
#device        arcmsr        # Areca SATA II RAID
#XXX it is not 64-bit clean, -scottl
#device        asr        # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device        ciss        # Compaq Smart RAID 5*
#device        dpt        # DPT Smartcache III, IV - See NOTES for options
#device        hptmv        # Highpoint RocketRAID 182x
#device        hptrr        # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device        iir        # Intel Integrated RAID
#device        ips        # IBM (Adaptec) ServeRAID
#device        mly        # Mylex AcceleRAID/eXtremeRAID
#device        twa        # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device        aac        # Adaptec FSA RAID
#device        aacp        # SCSI passthrough for aac (requires CAM)
#device        ida        # Compaq Smart RAID
#device        mfi        # LSI MegaRAID SAS
#device        mlx        # Mylex DAC960 family
#XXX pointer/int warnings
#device        pst        # Promise Supertrak SX6000
#device        twe        # 3ware ATA RAID
#device        tws        # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller

# atkbdc0 controls both the keyboard and the PS/2 mouse
device        atkbdc        # AT keyboard controller
device        atkbd        # AT keyboard
device        psm        # PS/2 mouse

#device        kbdmux        # keyboard multiplexer

device        vga        # VGA video card driver

device        splash        # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device        sc

device        agp        # support several AGP chipsets

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device        cbb        # cardbus (yenta) bridge
#device        pccard        # PC Card (16-bit) bus
#device        cardbus        # CardBus (32-bit) bus

# Serial (COM) ports
device        uart        # Generic UART driver

# Parallel port
device        ppc
device        ppbus        # Parallel port bus (required)
device        lpt        # Printer
device        plip        # TCP/IP over parallel
device        ppi        # Parallel port interface device
#device        vpo        # Requires scbus and da

#device        puc        # Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
# NOTE(review): the NIC drivers left active here (em, txp, vx, msk, sis, xl)
# are what $pif="xl0" in /etc/ipfw.rules must correspond to; with GENERIC
# included, the other drivers are still built too.
#device        de        # DEC/Intel DC21x4x (``Tulip'')
device        em        # Intel PRO/1000 Gigabit Ethernet Family
#device        igb        # Intel PRO/1000 PCIE Server Gigabit Family
#device        ixgbe        # Intel PRO/10GbE PCIE Ethernet Family
#device        le        # AMD Am7900 LANCE and Am79C9xx PCnet
#device        ti        # Alteon Networks Tigon I/II gigabit Ethernet
device        txp        # 3Com 3cR990 (``Typhoon'')
device        vx        # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device        miibus        # MII bus support
#device        ae        # Attansic/Atheros L2 FastEthernet
#device        age        # Attansic/Atheros L1 Gigabit Ethernet
#device        alc        # Atheros AR8131/AR8132 Ethernet
#device        ale        # Atheros AR8121/AR8113/AR8114 Ethernet
#device        bce        # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device        bfe        # Broadcom BCM440x 10/100 Ethernet
#device        bge        # Broadcom BCM570xx Gigabit Ethernet
#device        dc        # DEC/Intel 21143 and various workalikes
#device        et        # Agere ET1310 10/100/Gigabit Ethernet
#device        fxp        # Intel EtherExpress PRO/100B (82557, 82558)
#device        jme        # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device        lge        # Level 1 LXT1001 gigabit Ethernet
device        msk        # Marvell/SysKonnect Yukon II Gigabit Ethernet
#device        nfe        # nVidia nForce MCP on-board Ethernet
#device        nge        # NatSemi DP83820 gigabit Ethernet
#device        nve        # nVidia nForce MCP on-board Ethernet Networking
#device        pcn        # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device        re        # RealTek 8139C+/8169/8169S/8110S
#device        rl        # RealTek 8129/8139
#device        sf        # Adaptec AIC-6915 (``Starfire'')
#device        sge        # Silicon Integrated Systems SiS190/191
device        sis        # Silicon Integrated Systems SiS 900/SiS 7016
#device        sk        # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device        ste        # Sundance ST201 (D-Link DFE-550TX)
#device        stge        # Sundance/Tamarack TC9021 gigabit Ethernet
#device        tl        # Texas Instruments ThunderLAN
#device        tx        # SMC EtherPower II (83c170 ``EPIC'')
#device        vge        # VIA VT612x gigabit Ethernet
#device        vr        # VIA Rhine, Rhine II
#device        wb        # Winbond W89C840F
device        xl        # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
#device        cs        # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device        ed        # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device        ex        # Intel EtherExpress Pro/10 and Pro/10+
#device        ep        # Etherlink III based cards
#device        fe        # Fujitsu MB8696x based cards
#device        sn        # SMC's 9000 series of Ethernet chips
#device        xe        # Xircom pccard Ethernet

# Wireless NIC cards
device        wlan        # 802.11 support
options     IEEE80211_DEBUG    # enable debug msgs
options     IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
options     IEEE80211_SUPPORT_MESH    # enable 802.11s draft support
device        wlan_wep    # 802.11 WEP support
device        wlan_ccmp    # 802.11 CCMP support
device        wlan_tkip    # 802.11 TKIP support
device        wlan_amrr    # AMRR transmit rate control algorithm
#device        an        # Aironet 4500/4800 802.11 wireless NICs.
#device        ath        # Atheros pci/cardbus NIC's
#device        ath_hal        # pci/cardbus chip support
#options     AH_SUPPORT_AR5416    # enable AR5416 tx/rx descriptors
#device        ath_rate_sample    # SampleRate tx rate control for ath
#device        ral        # Ralink Technology RT2500 wireless NICs.
#device        wi        # WaveLAN/Intersil/Symbol 802.11 wireless NICs.

# Pseudo devices.
device        loop        # Network loopback
device        random        # Entropy device
device        ether        # Ethernet support
device        vlan        # 802.1Q VLAN support
device        tun        # Packet tunnel.
device        pty        # BSD-style compatibility pseudo ttys
device        md        # Memory "disks"
device        gif        # IPv6 and IPv4 tunneling
device        faith        # IPv6-to-IPv4 relaying (translation)
device        firmware    # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device        bpf        # Berkeley packet filter

# USB support
options     USB_DEBUG    # enable debug msgs
device        uhci        # UHCI PCI->USB interface
device        ohci        # OHCI PCI->USB interface
device        ehci        # EHCI PCI->USB interface (USB 2.0)
device        usb        # USB Bus (required)
#device        udbp        # USB Double Bulk Pipe devices
device        uhid        # "Human Interface Devices"
device        ukbd        # Keyboard
device        ulpt        # Printer
device        umass        # Disks/Mass storage - Requires scbus and da
device        ums        # Mouse
device        urio        # Diamond Rio 500 MP3 player

# USB Serial devices
device        uark        # Technologies ARK3116 based serial adapters
device        ubsa        # Belkin F5U103 and compatible serial adapters
device        uftdi        # For FTDI usb serial adapters
device        uipaq        # Some WinCE based devices
device        uplcom        # Prolific PL-2303 serial adapters
device        uslcom        # SI Labs CP2101/CP2102 serial adapters
device        uvisor        # Visor and Palm devices
device        uvscom        # USB serial support for DDI pocket's PHS

# USB Ethernet, requires miibus
#device        aue        # ADMtek USB Ethernet
#device        axe        # ASIX Electronics USB Ethernet
#device        cdce        # Generic USB over Ethernet
#device        cue        # CATC USB Ethernet
#device        kue        # Kawasaki LSI USB Ethernet
#device        rue        # RealTek RTL8150 USB Ethernet
#device        udav        # Davicom DM9601E USB

# USB Wireless
#device        rum        # Ralink Technology RT2501USB wireless NICs
#device        uath        # Atheros AR5523 wireless NICs
#device        ural        # Ralink Technology RT2500USB wireless NICs
#device        zyd        # ZyDAS zb1211/zb1211b wireless NICs

# FireWire support
#device        firewire    # FireWire bus code
#device        sbp        # SCSI over FireWire (Requires scbus and da)
#device        fwe        # Ethernet over FireWire (non-standard!)
#device        fwip        # IP over FireWire (RFC 2734,3146)
#device        dcons        # Dumb console driver
#device        dcons_crom    # Configuration ROM for dcons
# ===============================================( END )
註:以上內容是在第二次修改才通過編譯安裝後, 重新啟動成功登錄.
   1. make buildkernel KERNCONF=KERNEL301 時出錯 (第一次修改內容).
   2. make buildkernel KERNCONF=KERNEL301及
      make installkernel KERNCONF=KERNEL301完成, 重新啟動出錯, 無法登錄. 千萬別慌! 在 FreeBSD 重新啟動選擇引導菜單中選擇 6 “Escape to a loader prompt” 選項, 輸入 unload kernel, 然後再輸入 boot /boot/kernel.old/kernel, 或者其他任何一個可以正確引導的內核即可正常登錄 (第二次修改內容).

編譯系統核心 (大約 25分鐘):
# cd /usr/src
# make buildkernel KERNCONF=KERNEL301
安裝新系統核心 (大約 5分鐘):
# make installkernel KERNCONF=KERNEL301
系統重新啟動電腦
# shutdown –r now
接下來是 IPFW 設定啦!
AlexK -
# ee /etc/ipfw.rules
################ Start of IPFW rules file ###############################
# Stateful ipfw(8) ruleset for a single-homed host (the LAN section is
# disabled).  Loaded by /etc/rc.d/ipfw via firewall_script="/etc/ipfw.rules".
# Rules are numbered so that 'ipfw -a list' shows per-rule packet counters —
# the quickest way to see whether a rule ever matches anything.
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="xl0"     # public interface name of NIC
              # facing the public Internet
# NOTE(review): every filtering rule below is qualified with 'via $pif'.  If
# the uplink is a different driver — the KERNEL301 config above builds em,
# msk, sis, txp, vx and xl, plus whatever 'include GENERIC' adds — none of
# these rules match and only the kernel default (IPFIREWALL_DEFAULT_TO_ACCEPT)
# applies.  Check 'ifconfig' and compare the counters from 'ipfw -a list'.

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN.
# Change xl0 to your LAN NIC interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# 114.35.x.x must be the IP address of your ISP.s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to 114.35.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to 114.35.x.x 53 out via $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This rule is not needed for .user ppp. connection to the public Internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to 114.35.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
# NOTE(review): unrestricted egress for uid 0 — any root-owned process,
# including a compromised one, can open TCP to any destination port.  Narrow
# it to what portsnap/freebsd-update/ports fetching actually use (mostly
# 80/443, occasionally ftp 21) if tight egress control matters here.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e., news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that.s trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public Internet (Inbound Section)
# Check packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for .user ppp. type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to 114.35.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
# (the web server on this host is nginx; the comment comes from the sample
# ruleset the file is based on.)
# 'limit src-addr 2' caps each client address at two simultaneous TCP sessions,
# a cheap connection-flood guard.  Browsers open several connections in
# parallel and users behind one NAT share an address, so on a public web
# server this may refuse legitimate clients — raise the limit if that happens.
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
# NOTE(review): inbound telnet is open to the whole Internet here while SSH
# is already admitted at 00410; delete this rule unless telnetd really is
# enabled in /etc/inetd.conf.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
# Logged drops go through syslog (the page creates /var/log/ipfw.log,
# presumably routed there in /etc/syslog.conf); only the first
# net.inet.ip.fw.verbose_limit hits per rule are logged until 'ipfw resetlog'.
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
# $cmd 00999 deny log all from any to any # if this line is enabled SSH can no longer reach the host, I do not know why — advice from those who know would be welcome, thanks!
# NOTE(review): with 00999 active, anything that matched no rule above is
# dropped and the kernel's default-accept no longer saves you.  Since SSH is
# explicitly allowed at 00410 and its replies are matched by check-state at
# 00015, the most likely reason it stops working is that $pif is not the
# interface actually carrying the traffic, so none of the 'via $pif' rules
# ever matched and the ruleset only "worked" because everything fell through
# to the default accept.  Compare the counters in 'ipfw -a list' with and
# without this rule; once $pif is right, keeping 00999 enabled is the safer
# configuration.
################ End of IPFW rules file ###############################

# ee /etc/sysctl.conf
# ipfw logging, the runtime side of IPFIREWALL_VERBOSE in the kernel config.
# verbose=1 is presumably redundant with firewall_logging="YES" in rc.conf,
# which sets the same sysctl.  verbose_limit is the number of log lines
# emitted per rule before that rule goes quiet until 'ipfw resetlog'; it
# replaces the compiled-in IPFIREWALL_VERBOSE_LIMIT=30.
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=10

# ee /etc/rc.conf
# ipfw startup knobs for /etc/rc.d/ipfw.
firewall_enable="YES"
# NOTE(review): firewall_type is only consulted by /etc/rc.firewall; with
# firewall_script pointing at a custom file it should have no effect here —
# confirm in rc.conf(5).  The effective policy is whatever /etc/ipfw.rules
# loads, plus the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT for anything it misses.
firewall_type="open"
firewall_script="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logging="YES"
AlexK -
# ee /boot/loader.conf
# Boot-time tunables (loader.conf(5)).  kern.dfldsiz / kern.maxdsiz raise the
# default and maximum data-segment size of a process to 2 GiB (values are in
# bytes); nmbclusters and nsfbufs size the mbuf-cluster pool and the
# sendfile(2) buffers.  NOTE(review): nmbclusters="0" is unusual — presumably
# intended to let the kernel auto-size, confirm against tuning(7).  None of
# these affect the firewall or nginx settings on this page.
kern.dfldsiz="2147483648"
kern.maxdsiz="2147483648"
kern.ipc.nmbclusters="0"
kern.ipc.nsfbufs="66560"

# ee /etc/rc.local
# Runtime sysctls applied at the end of boot by /etc/rc.local.
# maxsockets / somaxconn raise the socket and listen-backlog ceilings;
# net.inet.tcp.msl is in milliseconds, so 2500 shortens TIME_WAIT (2*MSL)
# from the default 60 s to 5 s.
sysctl kern.ipc.maxsockets=100000
sysctl kern.ipc.somaxconn=65535
sysctl net.inet.tcp.msl=2500
AlexK -
將更新的檔案統統備份起來, 如下所示:
> cat /etc/fstab
> cat /var/run/dmesg.boot
> ee /etc/csh.cshrc
# ee /root/.cshrc
# cp /etc/master.passwd~
# cp /etc/group~
# ee /etc/rc.conf
# ee /etc/rc.local
# ee /etc/resolv.conf
# ee /etc/ppp/ppp.conf
# ee /etc/ssh/sshd_config
# ee /etc/inetd.conf
# ee /etc/syslog.conf
# ee /etc/login.access
# ee /etc/portsnap.conf
# ee /root/kernels/KERNEL301
# ee /etc/sysctl.conf
# ee /etc/ipfw.rules
# touch /var/log/ipfw.log

# ee /boot/loader.conf
AlexK -
開始安裝套件時別忘了先更新 Port Tree
第一次使用 Portsnap 時需先取得 Ports System 的 Snapshot 並解開
# portsnap fetch extract

日後要更新時 /usr/ports (Port Tree) 則執行如下指令即可
# portsnap fetch update  
    
查看 Ports Tree 是否更新
# less /usr/ports/UPDATING

因為我想用 SSH 遠程安裝套件, 怕安裝時網路斷線所以先安裝 screen (約2分鐘)
# cd /usr/ports/sysutils/screen
# make -DBATCH install clean; rehash

Install Nginx
# cd /usr/ports/www/nginx
# make install clean; rehash

選取新增如下的選項:
[X] HTTP_MODULE               Enable HTTP module
[X] HTTP_ADDITION_MODULE      Enable http_addition module
[X] HTTP_CACHE_MODULE         Enable http_cache module  
[X] HTTP_GEOIP_MODULE         Enable http_geoip module
[X] HTTP_GZIP_STATIC_MODULE   Enable http_gzip_static module
[X] HTTP_IMAGE_FILTER_MODULE  Enable http_image_filter module
[x] HTTP_PERL_MODULE          Enable http_perl module
[X] HTTP_REALIP_MODULE        Enable http_realip module
[X] HTTP_REWRITE_MODULE       Enable http_rewrite module  
[X] HTTP_STATUS_MODULE        Enable http_stub_status module

Install PHP with FPM
# cd /usr/ports/devel/libtool
# make install clean; rehash

Install PHP
# cd /usr/ports/lang/php5
# make install clean; rehash

選取新增如下的選項:
[X] CLI        Build CLI version
[X] CGI        Build CGI version
[X] FPM        Build FPM version (experimental)
[X] SUHOSIN    Enable Suhosin protection system

# ee /etc/rc.conf
新增如下的內容:
# Enable the rc.d services so php-fpm and nginx start at boot.  Start them
# now with /usr/local/etc/rc.d/php-fpm start and /usr/local/etc/rc.d/nginx
# start (as the page does further down); re-running the whole /etc/rc boot
# sequence on a live system is not what rc(8) is meant for.
php_fpm_enable="YES"
nginx_enable="YES"

# sh /etc/rc

Configure PHP
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Open the php.ini file.
# ee /usr/local/etc/php.ini
在 php.ini 加入或修改如下的內容:
; Settings applied on top of php.ini-production.  That template ships with
; display_errors=Off — keep it that way on a public host, or the notices
; enabled here end up in HTTP responses.
error_reporting = E_ALL | E_STRICT
; NOTE(review): fix_pathinfo=1 lets PHP-FPM split SCRIPT_FILENAME on PATH_INFO
; when the given path is not an existing file.  Combined with an nginx
; 'location ~ \.php$' that forwards every such URI, a request whose path ends
; in .php but whose real file part is an uploaded non-PHP file can be executed
; as PHP.  Either set this to 0, or make the nginx php location reject
; non-existent scripts with 'try_files $uri =404;' — check that at least one
; of the two is in place.
cgi.fix_pathinfo=1
; Drops the X-Powered-By header.
expose_php = Off
; 200M here and client_max_body_size 200m in nginx.conf must stay in step, or
; uploads fail at whichever layer is smaller.
upload_max_filesize = 200M
post_max_size = 200M
max_execution_time = 600
max_input_time = 600
memory_limit = 256M
mysql.allow_persistent = Off
register_argc_argv = On
date.timezone = Asia/Taipei
; register_globals and magic_quotes_* were removed in PHP 5.4; leaving them Off
; is harmless but presumably a no-op on the php5 port of this date — confirm
; the installed version.
register_globals = Off
; Blocks remote URLs in include/fopen — a good default for any PHP code that
; handles untrusted input.
allow_url_fopen = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off

Start PHP with FPM.
# /usr/local/etc/rc.d/php-fpm start

查核 PHP 是否成功開啟:
netstat -l

Install Maxmind GeoIP
# mkdir -p /opt/conf
# cd /opt/conf
# fetch http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
# gunzip ./GeoIP.dat.gz
# ls -la     // 可以看到 GeoIP.dat 檔案

Configure Nginx
# ee /usr/local/etc/nginx/nginx.conf
新增或修改如下的內容:
# Global nginx configuration (FreeBSD port, /usr/local/etc/nginx/nginx.conf).
# Workers run as www:www after the master drops privileges.
# NOTE(review): /var/www/domain.com is chowned to the same user further down,
# so a compromised worker — or a PHP script, if php-fpm's pool also runs as
# www (check php-fpm.conf) — can write into the document root.  Prefer
# root-owned content and give www write access only where uploads need it.
user www www;
# One worker per core of the quad-core box described at the top of the page.
worker_processes 4;
# Only critical errors are recorded; 'error' or 'warn' is more useful while
# debugging FastCGI or permission problems.  The directory must exist or
# 'nginx -t' fails to open the log (presumably the file the page says to
# create before the test).
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    # GeoIP database fetched into /opt/conf below; provides $geoip_country_*.
    geoip_country /opt/conf/GeoIP.dat;
    include /usr/local/etc/nginx/mime.types;
    default_type application/octet-stream;
    # NOTE(review): no request log anywhere.  After an incident there is
    # nothing to reconstruct from, and log-based blocking tools have nothing
    # to read.  Enable access_log at least inside the domain.com server block.
    access_log off;
    # Hides the nginx version in the Server header and on error pages.
    server_tokens off;
    sendfile on;
    # Matches upload_max_filesize / post_max_size = 200M in php.ini.
    client_max_body_size 200m;
    client_body_buffer_size 1m;
    keepalive_timeout 1;
    port_in_redirect off;
    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    # Per-domain server blocks (domain_com.conf is created below).
    include /usr/local/etc/nginx/conf.d/*.conf;
}

現在, 建一個新的目錄 (conf.d) 來放置各網域的 Nginx 設定檔:
# mkdir /usr/local/etc/nginx/conf.d

# mkdir /var/www/domain.com
# chown www:www /var/www/domain.com
# chmod 755 /var/www/domain.com

置一個 index.php 在新目錄中 (這個 phpinfo() 頁面會公開 PHP 與伺服器的設定資訊, 測試完成後請刪除):
# sh -c 'echo "<?php phpinfo(); ?>" > /var/www/domain.com/index.php'

建一個 domain configuration 檔案:
# ee /usr/local/etc/nginx/conf.d/domain_com.conf
新增如下的內容:
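# Virtual host for domain.com (conf.d/domain_com.conf, pulled in by nginx.conf).
# The www. alias is redirected to the bare domain; PHP is handed to php-fpm on
# 127.0.0.1:9000.  Regex locations are tried in the order written; the first
# match wins.
server {
        listen 80;
        server_name www.domain.com;
        rewrite ^ http://domain.com$request_uri?;
}
server {
        listen 80;
        server_name domain.com;
        server_name_in_redirect off;
        root /var/www/domain.com;
        # Static assets: cache for 30 days.
        location ~* ^.+\.(ico|js|gif|jpg|jpeg|png|bmp)$ {
          expires 30d;
        }
        location / {
            index index.php;
        }
        location ~ \.php$ {
            # Refuse anything whose script path is not an existing file.
            # php.ini sets cgi.fix_pathinfo=1, which otherwise lets PHP-FPM
            # split a URI on PATH_INFO and run a non-PHP upload whose URI ends
            # in .php as PHP; with this line nginx answers 404 instead.
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # Country code/name from the geoip_country database in nginx.conf.
            fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
            fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
            # Hard-coded to the same path as 'root'; $document_root would keep
            # the two in sync if root ever changes.
            fastcgi_param SCRIPT_FILENAME /var/www/domain.com$fastcgi_script_name;
            include fastcgi_params;
        }
        # Never serve Apache-style .htaccess / .htpasswd files.
        location ~ /\.ht {
            deny all;
        }
}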

查核全部的 Nginx 設定是否正確: (若 nginx -t 回報開啟日誌檔失敗, 先建立 error_log 所指定的目錄與檔案, 例如 # mkdir /var/log/nginx 及 # touch /var/log/nginx/error.log)
# nginx -t

Install some more packages
# cd /usr/ports/databases/php5-mysql
# make install clean; rehash
# pkg_info|grep php|grep mysql

Install this port to use PHP sessions. (optionally)
# cd /usr/ports/www/php5-session
# make install clean; rehash

Install this port to make use of the PHP GD library. (optionally)
# cd /usr/ports/graphics/php5-gd
# make install clean; rehash

Install this port to read the EXIF informations of images with PHP. (optionally)
# cd /usr/ports/graphics/php5-exif
# make install clean; rehash

Restart PHP-FPM und Nginx
# /usr/local/etc/rc.d/php-fpm restart
# /usr/local/etc/rc.d/nginx restart

Nginx 裝好了也能啟動, 到 You Tube 搜尋一下接下來要怎麼做, 看了幾個教學影片, 覺得蠻不錯的在此與大家分享, 若有錯誤也請多多指教.....謝謝!
[ NGINX ] Create Your Own Web Server in FreeBSD
http://www.youtube.com/watch?v=WBd0UhNp674

PHP + MySQL + nginx fast install for Windows.
http://www.youtube.com/watch?v=HL-gvgOnOBo

FreeBSD 9.0 - Installation tutorial
http://www.youtube.com/watch?v=r74YTP7x-vU

FreeBSD 9.1 + XFCE 4.10 and some cool features
http://www.youtube.com/watch?v=iMCyZZMbtjI
