Python-based web application (part 1)

1 Operating system version
2 Server preparation
2.1 Network settings
2.2 Configure apt sources.list
2.3 Install common software
2.4 Kernel tuning
3 Application deployment
3.1 Install setuptools
3.2 Install Supervisor
3.2.1 Install
3.2.2 Generate the configuration file
3.2.3 Edit the configuration file
3.3 Write a test case
3.4 Start the supervisor service
3.5 Manage the python processes
3.6 Test
3.7 Write a tornado startup script
4 Nginx installation, configuration and tuning
4.1 Install
4.2 Configure and optimize
4.2.1 Main configuration file nginx.conf
4.2.2 default configuration file
4.3 Start and stop
4.4 Access test
4.5 Nginx SSL authentication support
4.5.1 One-way authentication
4.5.2 Two-way (mutual) authentication
5 Install the varnish cache accelerator
5.1 Install
5.2 Edit the main configuration
5.3 How it works
5.4 VCL built-in functions
5.5 VCL built-in global variables
5.6 Adjust the secondary configuration file
5.7 Start the program
5.8 Access test
5.9 Varnish status analysis
5.10 Manage varnish logs
5.11 Manage the varnish cache
6 Install Mongodb and test the connection
6.1 Install
6.3 Install the mongodb python driver
6.4 python connection test
7 Mongodb sharded data storage
7.1 Architecture
7.1.1 Building sharding requires three roles
7.1.2 Architecture diagram
7.2 Shard preparation
7.2.1 Install
7.2.2 Create the database and log directories
7.2.3 Create the mongod sharding startup files
7.2.4 Start the sharding service
7.2.5 Start the config service
7.2.6 Start the mongos service
7.2.7 Initialize the replica set
7.2.8 Follow the primary election in the logs
7.3 Add a database admin user, enable routing and shard
7.3.1 Create the superuser
7.3.2 Enable mongo routing and sharding
7.3.3 Check the sharding status
7.3.4 Enable sharding for a database
7.3.5 Collection sharding
7.3.6 Enable authentication
7.3.7 Test a sharding instance
7.4 Add and remove sharding nodes
7.4.1 Add a sharding node
7.4.2 Add a node
7.5 Add and remove a shard rep-set
7.6 Replica Set node switchover and failover
7.7 A few notes on sharding
7.8 Common Mongodb sharding management operations
7.9 Mongodb runtime monitoring
8 Keepalive and lvs for mongos routing redundancy
8.1 Load balancing algorithms
8.2 The three IP load balancing techniques in LVS
8.3 Architecture
8.4 Install ipvsadm
8.4.1 Install the ipvsadm software
8.4.2 Edit the configuration file
8.4.3 Check whether the module is loaded
8.5 Install keepalived
8.5.1 Install the libraries keepalived depends on
8.5.2 Choose a suitable keepalived version
8.5.3 Install the program
8.5.4 Edit the startup script
8.5.5 Start the service and test
8.6 Edit the configuration file for load balancing and HA
8.7 Check the startup process and test the load
8.7.1 Check the startup log
8.7.2 Outage test
8.8 Network setup of the back-end real servers and serving traffic


1 Operating system version:

root@debian:~# cat /etc/debian_version
7.1
root@debian:~#


2 Server preparation:

Since only the ssh service was installed along with the system, some development packages and settings needed for day-to-day work have to be installed afterwards to make maintenance easier.


2.1 Network settings:

vi /etc/network/interfaces

allow-hotplug eth0
auto eth0
iface eth0 inet static
address 10.15.62.202
netmask 255.255.255.0
gateway 10.15.62.254

2.2 Configure apt sources.list

This is my configuration; it uses a local source and the 163 mirror:

#
# deb cdrom:[Debian GNU/Linux 7.1.0 _Wheezy_ - Official amd64 DVD Binary-1 20130615-23:06]/ wheezy contrib main
#local
deb file:///mnt/iso1 wheezy contrib main

#deb cdrom:[Debian GNU/Linux 7.1.0 _Wheezy_ - Official amd64 DVD Binary-1 20130615-23:06]/ wheezy contrib main    (commented out)

#deb http://security.debian.org/ wheezy/updates main contrib
#deb-src http://security.debian.org/ wheezy/updates main contrib
#163
deb http://mirrors.163.com/debian wheezy main contrib non-free
deb http://mirrors.163.com/debian wheezy-proposed-updates main contrib non-free
deb-src http://mirrors.163.com/debian wheezy main non-free contrib
deb-src http://mirrors.163.com/debian wheezy-proposed-updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
# A network mirror was not selected during install.  The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
# deb http://ftp.debian.org/debian/ wheezy-updates main contrib
# deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib

Then update the package index:

#apt-get update



2.3 Install common software

vim, gcc, g++, python

Note: the vi shipped with the system does not suit my working habits, so vim is installed as well.

#apt-get install gcc
#apt-get install g++
#apt-get install vim
#apt-get install python



2.4 Kernel tuning:

echo net.ipv4.tcp_max_tw_buckets = 6000 >> /etc/sysctl.conf
echo net.ipv4.ip_local_port_range = 1024 65000 >>/etc/sysctl.conf
echo net.ipv4.tcp_tw_recycle = 1 >>/etc/sysctl.conf
echo net.ipv4.tcp_tw_reuse = 1 >>/etc/sysctl.conf
echo net.core.somaxconn = 262144 >>/etc/sysctl.conf
echo net.ipv4.tcp_timestamps = 0  >>/etc/sysctl.conf
echo net.ipv4.tcp_synack_retries = 1  >>/etc/sysctl.conf
echo net.ipv4.tcp_syn_retries = 1 >>/etc/sysctl.conf
echo net.ipv4.tcp_keepalive_time = 30 >>/etc/sysctl.conf
echo fs.file-max = 65535 >>/etc/sysctl.conf
sysctl -p    (apply the configuration)

echo '*       soft    nofile  65536' >>/etc/security/limits.conf
echo '*       hard    nofile  65536' >>/etc/security/limits.conf
echo '*       soft    nproc   8192'  >>/etc/security/limits.conf
echo '*       hard    nproc   8192'  >>/etc/security/limits.conf

Note: the open-file limits take effect after a reboot; the meaning of the individual parameters above is not explained here.



3 Application deployment:

Install tornado:

#tar -zxvf tornado-3.1.1.tar.gz -C /usr/local
#mv tornado-3.1.1 tornado
#cd tornado
# python setup.py build
#python setup.py install



3.1 Install setuptools

Note: this is an enhancement package for python. When installing, choose the build that matches your python version; the python version installed here is 2.7.3-4.

Start the installation:

#sh setuptools-0.6c11-py2.7.egg


3.2 Install Supervisor:

Note: supervisor is a tool written in python and a good service manager. One of its most important features is monitoring the server's main services and restarting them when something goes wrong.

3.2.1 Install:

#easy_install supervisor

3.2.2 Generate the configuration file:

# echo_supervisord_conf > /etc/supervisord.conf

3.2.3 Edit the configuration file:

Edit /etc/supervisord.conf and add:


[group:tornado]
programs=tornado-8001,tornado-8002,tornado-8003,tornado-8004

[program:tornado-8001]
command=python /var/www/hello.py -port=8001
process_name=tornado-8001
directory=/var/www/
autorestart=true
redirect_stderr=true
stdout_logfile=/var/log/tornado/tornado-8001.log
stdout_logfile_maxbytes=5000MB
stdout_logfile_backups=50
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
loglevel=warn

[program:tornado-8002]
process_name=tornado-8002
command=python /var/www/hello.py -port=8002
directory=/var/www/
autorestart=true
redirect_stderr=true
stdout_logfile=/var/log/tornado/tornado-8002.log
stdout_logfile_maxbytes=5000MB
stdout_logfile_backups=50
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
loglevel=warn

[program:tornado-8003]
process_name=tornado-8003
command=python /var/www/hello.py -port=8003
directory=/var/www/
autorestart=true
redirect_stderr=true
stdout_logfile=/var/log/tornado/tornado-8003.log
stdout_logfile_maxbytes=5000MB
stdout_logfile_backups=50
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
loglevel=warn

[program:tornado-8004]
process_name=tornado-8004
command=python /var/www/hello.py -port=8004
directory=/var/www/
autorestart=true
redirect_stderr=true
stdout_logfile=/var/log/tornado/tornado-8004.log
stdout_logfile_maxbytes=5000MB
stdout_logfile_backups=50
stdout_capture_maxbytes=1MB
stdout_events_enabled=false

Note: four processes are started here (so that a single process dying does not take the service down; the number of processes can simply match the number of cpu cores). The program's entry point is hello.py.



3.3 Write a test case

Name it hello.py and save it under /var/www/:

#coding=utf-8
import sys

import tornado.httpserver
import tornado.ioloop
import tornado.options
import tornado.web
from tornado.options import define, options

#define("port", default=8888, help="run on the given port", type=int)

# The port comes from the first argument, in the form -port=8001 as passed by supervisor
port = int(sys.argv[1].split('=')[1])

if port == 0:
    exit(1)

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        content = "hello ,world"
        self.write(content)

def main():
    application = tornado.web.Application([
        (r"/", MainHandler),
    ])
    http_server = tornado.httpserver.HTTPServer(application)
    http_server.listen(port)
    tornado.ioloop.IOLoop.instance().start()

if __name__ == "__main__":
    main()



3.4 Start the supervisor service:

#supervisord -c /etc/supervisord.conf

3.5 Manage the python processes:

root@debian:~# supervisorctl
tornado:tornado-8001             RUNNING    pid 8706, uptime 0:42:49
tornado:tornado-8002             RUNNING    pid 8707, uptime 0:42:49
tornado:tornado-8003             RUNNING    pid 8708, uptime 0:42:49
tornado:tornado-8004             RUNNING    pid 8705, uptime 0:42:49
supervisor> status/stop/start/restart    (status, stop, start, restart)
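As an added example (not from the original page), a small shell check that reads a supervisorctl status listing in the format shown above and flags every worker that is not RUNNING, so a cron job or monitoring agent can alert when supervisor has given up restarting a worker (FATAL) or a worker keeps restarting (STARTING/BACKOFF). The sample listing is constructed; the state names are supervisor's own.

```shell
#!/bin/sh
# Parse "supervisorctl status" output: field 1 is group:name, field 2 is the state.
# Assumes the listing format shown above (added example, not part of the page).

# Constructed sample: two healthy workers, one FATAL, one still STARTING.
SAMPLE_STATUS='tornado:tornado-8001             RUNNING    pid 8706, uptime 0:42:49
tornado:tornado-8002             FATAL      Exited too quickly (process log may have details)
tornado:tornado-8003             RUNNING    pid 8708, uptime 0:42:49
tornado:tornado-8004             STARTING'

# unhealthy_workers: print "name state" for every stdin line whose state is not RUNNING.
unhealthy_workers() {
    awk '$2 != "RUNNING" { print $1, $2 }'
}

# running_count: number of RUNNING entries on stdin.
running_count() {
    awk '$2 == "RUNNING" { n++ } END { print n + 0 }'
}

# check_workers: exit 0 if every worker on stdin is RUNNING, otherwise list the
# bad ones on stderr and exit 1.
# Usage: supervisorctl status | check_workers
check_workers() {
    bad=$(unhealthy_workers)
    if [ -n "$bad" ]; then
        printf 'supervisor: workers not running:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed sample: the check is expected to fail here
printf '%s\n' "$SAMPLE_STATUS" | check_workers || echo "alert would fire for the sample listing"
```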


Check whether the ports are listening; they match the ports defined above.

3.6 Test

Access it with IE: the page loads normally.


3.7 Write a tornado startup script:

#!/bin/sh
### BEGIN INIT INFO
# Provides:             supervisord
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    Supervisor process manager
### END INIT INFO

# description: Supervisor Server
# processname: supervisord

set -e

RETVAL=0
DAEMON="/usr/local/bin/supervisord"
MANAGER="/usr/local/bin/supervisorctl"
CONFIGFILE="/etc/supervisord.conf"

test -x "${DAEMON}" || exit 0

. /lib/lsb/init-functions

START()
{
       # pid of an already running supervisord, empty if there is none
       daemon_pid=$(/bin/ps -ef|/bin/grep /usr/local/bin/supervisord|/bin/grep -v "grep" |/usr/bin/awk '{print $2}')
       if [ -z "${daemon_pid}" ]; then
               log_daemon_msg "Starting process manager" "supervisord"
               $DAEMON -c $CONFIGFILE
               RETVAL=$?
               log_end_msg $RETVAL
       else
               # the daemon is already up: only start the managed programs
               $MANAGER start all
       fi
}

STOP()
{
       daemon_pid=$(ps -ef|grep /usr/local/bin/supervisord|grep -v grep |awk '{print $2}')
       log_daemon_msg "Stopping process manager" "supervisord"
       $MANAGER stop all
       /bin/kill -9 ${daemon_pid}
       RETVAL=$?
       log_end_msg $RETVAL
}

case "$1" in
 start)
   START
 ;;
 stop)
   STOP
 ;;
 status)
   $MANAGER status
 ;;
 restart)
   STOP
   START
 ;;
 *)
   echo "Usage: $0 {start|stop|restart|status}"
 ;;
esac

Note: when you run the script it may print "Unlinking stale socket /tmp/supervisor.sock". In that case install the python component python-meld3; stop the python processes before installing it, otherwise the installation fails.

#apt-get install python-meld3

Add supervisord to the system services:


Note: this completes the setup of the python environment.



4 Nginx installation, configuration and tuning:

4.1 Install

#apt-get install nginx

The nginx version installed here is:

root@debian:~# nginx -v
nginx version: nginx/1.2.1
root@debian:~#


4.2 Configure and optimize

The parts marked in red are the modifications; the individual tuning parameters are not explained here.


4.2.1 Main configuration file nginx.conf

user root;
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;

events {
        worker_connections 8192;
        use epoll;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        server_names_hash_bucket_size 64;
        server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        client_header_buffer_size 2k;
        large_client_header_buffers 4 4k;
        client_max_body_size 8m;

        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        #include /etc/nginx/naxsi_core.rules;

        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##

        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}




4.2.2 default configuration file

# You may add here your
# server {
#       ...
# }
# statements for each of your virtual hosts to this file

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

upstream tornado {
        server 127.0.0.1:8001;
        server 127.0.0.1:8002;
        server 127.0.0.1:8003;
        server 127.0.0.1:8004;
}

server {
        listen   80; ## listen for ipv4; this line is default and implied
        #listen   [::]:80 default_server ipv6only=on; ## listen for ipv6

        root /var/www;

        # Make site accessible from http://localhost/
        server_name localhost;

        location / {
                proxy_pass_header Server;
                proxy_set_header Host $http_host;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Scheme $scheme;
                proxy_pass http://tornado;
        }

        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 10.15.62.200;
                allow ::1;
                deny all;
        }

        location /status/ {
                stub_status on;
                access_log off;
                allow 10.15.62.200;
                deny all;
        }

        # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
        #location /RequestDenied {
        #       proxy_pass http://127.0.0.1:8080;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #       root /usr/share/nginx/www;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #       # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        #
        #       # With php5-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php5-fpm:
        #       fastcgi_pass unix:/var/run/php5-fpm.sock;
        #       fastcgi_index index.php;
        #       include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
#       listen 8000;
#       listen somename:8080;
#       server_name somename alias another.alias;
#       root html;
#       index index.html index.htm;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}


# HTTPS server
#
#server {
#       listen 443;
#       server_name localhost;
#
#       root html;
#       index index.html index.htm;
#
#       ssl on;
#       ssl_certificate cert.pem;
#       ssl_certificate_key cert.key;
#
#       ssl_session_timeout 5m;
#
#       ssl_protocols SSLv3 TLSv1;
#       ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
#       ssl_prefer_server_ciphers on;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}


4.3 Start and stop:

#service nginx start
#service nginx  stop

4.4 Access test:

Access works; the nginx reverse proxy is complete.


4.5 Nginx SSL authentication support:

4.5.1 One-way authentication:

①  Generate an encrypted private key:

#openssl genrsa -des3 -out server.key 2048

The key is 2048 bits and is encrypted with des3. You are asked for a passphrase when generating it (123456 is used here), but every later use of this key to generate a certificate prompts for the passphrase again, which is inconvenient. The passphrase can be removed with: #openssl rsa -in server.key -out server.key

②  Generate a certificate request:

#openssl req -new -key server.key -out server.csr

You are prompted for the country, province, locality and other details; the email must end in your domain. You can take this file to a certificate authority (CA) to apply for a certificate.

③  Sign the certificate:

Since this is only for internal testing, an openssl self-signed certificate is used:

#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Note: put the generated key and certificate in the directory nginx reads them from.

④ Edit the nginx configuration and add the following:

server {
        listen 443 ;
        server_name debian;

        root /var/www;
        index index.html index.htm;

        ssl on;
        # server certificate file
        ssl_certificate ssl/server.crt;
        # server private key file
        ssl_certificate_key ssl/server.key;
        # how long an ssl session is kept
        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
                # return 404 if the page does not exist
                try_files $uri $uri/ =404;
        }
}

⑤  Restart nginx

#service nginx restart

⑥  Test access:

The site can be accessed normally; only the certificate is not trusted.


4.5.2 Two-way (mutual) authentication:

(1) Create a ca directory under the nginx directory and enter it

#mkdir /etc/nginx/ca
#cd /etc/nginx/ca
#mkdir newcerts private conf server

Note: the newcerts subdirectory holds the certificates the CA has signed (issued), i.e. the certificate backup directory; private holds the CA's private key; conf only holds configuration files that simplify the parameters; server holds the server certificate files.

(2) Create the openssl.conf configuration file in the nginx ca/conf directory with the following content:

[ ca ]
default_ca      = foo                   # The default ca section

[ foo ]
dir            = /etc/nginx/ca         # top dir
database       = /etc/nginx/ca/index.txt          # index file.
new_certs_dir  = /etc/nginx/ca/newcerts           # new certs dir

certificate    = /etc/nginx/ca/private/ca.crt         # The CA cert
serial         = /etc/nginx/ca/serial             # serial no file
private_key    = /etc/nginx/ca/private/ca.key  # CA private key
RANDFILE       = /etc/nginx/ca/private/.rand      # random number file

default_days   = 365                     # how long to certify for
default_crl_days= 30                     # how long before next CRL
default_md     = md5                     # message digest method to use
unique_subject = no                      # Set to 'no' to allow creation of
                                         # several certificates with same subject.
policy         = policy_any              # default policy

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName            = optional
commonName              = supplied
emailAddress            = optional

(3) Create the certificates with scripts

The scripts below all live in the nginx/ca/ directory. First create a new CA root certificate.

new_ca.sh, with the following content:

# Create the CA's own key and self-signed root certificate (private/ca.key and private/ca.crt, the files openssl.conf refers to).
openssl genrsa -out private/ca.key 2048
openssl req -new -x509 -days 365 -key private/ca.key -out private/ca.crt
# Create the empty database and the serial number file that "openssl ca" expects (index.txt and serial in openssl.conf).
touch index.txt
echo 01 > serial

Run #sh new_ca.sh to generate the new CA certificate.

(4) Script to generate the server certificate.

new_server.sh, with the following content:

# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out server/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key server/server.key -out server/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

Run #sh new_server.sh to generate the new server certificate.

(5) Configure nginx ssl support:

server {
        listen 443 ;
        server_name debian;

        root /var/www;
        index index.html index.htm;

        ssl on;
        ssl_certificate /etc/nginx/ca/server/server.crt;
        ssl_certificate_key /etc/nginx/ca/server/server.key;
        # CA certificate used to verify client certificates
        ssl_client_certificate /etc/nginx/ca/private/ca.crt;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
                try_files $uri $uri/ =404;
        }
}

(6) Start nginx and wait for clients to connect

If you connect to the server at this point, you get a "400 Bad request certification" error, so a client certificate still has to be generated.

The server's access log shows the corresponding entries:

10.15.62.200 - - [21/Sep/2013:00:39:31 +0800] "-" 400 0 "-" "-"
10.15.62.200 - - [21/Sep/2013:00:39:31 +0800] "-" 400 0 "-" "-"
10.15.62.200 - - [21/Sep/2013:00:39:31 +0800] "-" 400 0 "-" "-"

This is because the client has not installed its own certificate, so verification fails.

(7) Create a new script that generates the client certificate:

new_user.sh, with the following content:

#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/nginx/ca"
# Where we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/

# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/client.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"

# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

Run #sh new_user.sh to generate a client certificate.

Follow the prompts step by step. Note that several fields of the client certificate must match the root certificate, i.e. the ones configured earlier:
            countryName = match
            stateOrProvinceName = match
            organizationName = match
            organizationalUnitName = match

If they do not match, the final client certificate cannot be generated. Once the certificate is generated, import it into the client's browser and the site opens.

Note: the certificates imported on the client are ca.crt (root certificate) and client.crt (client certificate).

Client access test: works normally.
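The whole PKI of 4.5.1 and 4.5.2 in one non-interactive script, as an added example that is not one of the page's own scripts: it builds the CA, a server certificate and a client certificate, then runs the two checks a practitioner wants before restarting nginx (does the client certificate chain to ssl_client_certificate, and does each key belong to its certificate). Deliberate differences from the page's scripts: unencrypted keys with -subj so nothing prompts, sha256 instead of md5, "openssl x509 -req -CA" instead of "openssl ca" (so no index.txt/serial database is needed) and a subjectAltName on the server certificate. The subject fields, the CN "debian", the directory and the export password "changeit" are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): build a private CA, a server cert and a
# client cert, then verify them the way nginx does during the TLS handshake.
# All subject values, paths and the p12 password are placeholders.

build_mtls_pki() {
    dir=$1
    mkdir -p "$dir"
    # Same C/ST/O/OU for every subject: the page's policy_any requires them to match
    subj="/C=CN/ST=Test/O=Example/OU=Web"

    # 1. Root CA: private key + self-signed certificate (what new_ca.sh produces)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$dir/ca.key" \
        -subj "$subj/CN=Example Test CA" -out "$dir/ca.crt"

    # 2. Server certificate signed by the CA, with a SAN matching server_name
    printf 'subjectAltName=DNS:debian\n' > "$dir/server.ext"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "$subj/CN=debian" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 3. Client certificate signed by the same CA, plus the PKCS#12 bundle the
    #    browser imports (the new_user.sh step)
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/client.key" \
        -subj "$subj/CN=client1" -out "$dir/client.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass:changeit -out "$dir/client.p12"
}

# cert_verifies CA_CERT CERT: succeeds only if CERT chains to CA_CERT. This is
# the check behind the 400 errors above: a cert from any other CA is rejected.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds only if the private key belongs to the
# certificate (a mismatched ssl_certificate/ssl_certificate_key pair is the
# usual reason nginx refuses to start after a certificate change).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: "sh this.sh demo" builds everything under /tmp/mtls-demo
if [ "${1:-}" = "demo" ]; then
    build_mtls_pki /tmp/mtls-demo
    cert_verifies /tmp/mtls-demo/ca.crt /tmp/mtls-demo/client.crt && echo "client cert: OK"
    key_matches_cert /tmp/mtls-demo/server.key /tmp/mtls-demo/server.crt && echo "server key/cert: OK"
fi
```

Point ssl_certificate, ssl_certificate_key and ssl_client_certificate at server.crt, server.key and ca.crt from the output directory, and import client.p12 in the browser; a client certificate issued by a second, unrelated CA fails cert_verifies, which is exactly the case nginx answers with 400.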

