LNMP optimization, one stop from kernel to database -- archived
<h2>System tuning: enabling BBR on Debian 11</h2><p>Debian 11's kernel (5.10) ships with BBR (the tcp_bbr module, loaded on demand when BBR is selected). BBR needs Linux 4.9 or later, so on an older kernel upgrade the kernel first.</p>
<p>Edit /etc/sysctl.conf and add the following:</p>
<pre>
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr</pre>
<p>or append the two lines from the command line:</p>
<pre>
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf</pre>
<p>Save and apply (sysctl -p reads only /etc/sysctl.conf; sysctl --system also loads the drop-ins under /etc/sysctl.d/):</p>
<pre>
sysctl -p</pre>
<p>Check that it worked. The first key only lists the algorithms that are available; the second shows the one actually in use, which is the value that matters:</p>
<pre>
sysctl net.ipv4.tcp_available_congestion_control
# success looks like: net.ipv4.tcp_available_congestion_control = reno cubic bbr
sysctl net.ipv4.tcp_congestion_control
# must print: net.ipv4.tcp_congestion_control = bbr</pre>
<p>Alternatively, confirm that the module is loaded (if BBR is built into the kernel rather than loaded as a module, lsmod shows nothing even though BBR works, so prefer the sysctl check):</p>
<pre>
lsmod | grep bbr
# on success a line like the following appears (module size and use count vary): tcp_bbr                20480  1</pre>
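The procedure above as one script, added here as an example and not code from the original page. It checks the kernel version, enables BBR through a drop-in file (the path /etc/sysctl.d/99-bbr.conf is our assumption; the page edits /etc/sysctl.conf directly) and then verifies that BBR is the algorithm in use rather than merely available, which is the check the page's `tcp_available_congestion_control` command does not make:

```shell
#!/bin/sh
# Added example, not code from the original page: check and enable BBR.
# Assumptions: a drop-in under /etc/sysctl.d is acceptable (path below is ours),
# and sysctl/modprobe are on PATH. Run "sh bbr.sh run" as root; without
# arguments the script only defines the functions.

# kernel_ge_4_9 VERSION: true when VERSION (from uname -r) is 4.9 or newer,
# the first release that contains tcp_bbr.
kernel_ge_4_9() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop "-rc1"-style suffixes
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }
}

# has_bbr "reno cubic bbr": true when bbr is among the available algorithms
has_bbr() {
    for alg in $1; do
        [ "$alg" = bbr ] && return 0
    done
    return 1
}

# bbr_active QDISC CC: true only when both keys hold the target values;
# "available" is not the same as "in use", which is why this check exists.
bbr_active() {
    [ "$1" = fq ] && [ "$2" = bbr ]
}

enable_bbr() {
    conf=${BBR_SYSCTL_FILE:-/etc/sysctl.d/99-bbr.conf}   # our own drop-in path
    printf 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n' > "$conf"
    sysctl --system >/dev/null       # unlike sysctl -p, also loads /etc/sysctl.d/*.conf
}

main() {
    kernel_ge_4_9 "$(uname -r)" || { echo "kernel $(uname -r) is older than 4.9: no BBR" >&2; return 1; }
    has_bbr "$(sysctl -n net.ipv4.tcp_available_congestion_control)" \
        || modprobe tcp_bbr || { echo "tcp_bbr module not available" >&2; return 1; }
    enable_bbr
    if bbr_active "$(sysctl -n net.core.default_qdisc)" "$(sysctl -n net.ipv4.tcp_congestion_control)"; then
        echo "BBR active"
    else
        echo "BBR not active; check sysctl output" >&2
        return 1
    fi
}

if [ "${1:-}" = run ]; then
    main
fi
```

The version check is done on the `uname -r` string rather than on `lsmod`, because a kernel with BBR compiled in shows no tcp_bbr module at all.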
<h3>System tuning: files</h3>
<p><strong>1. Number of open files</strong><br />
ulimit -a shows the shell's resource limits; the line open files (-n) 1024 is the number of file descriptors one process may hold open at the same time. On Linux almost everything is a file, network connections included, so once a worker has more than 1024 connections and files open, nginx's error log reports "24: Too many open files".</p>
<div style="background:#eeeeee; border:1px solid #cccccc; padding:5px 10px">To raise it for the current shell and everything started from it (temporary; put the line in /etc/profile to apply it to every login shell):<br />
ulimit -n 65535<br />
or, to raise both the soft and the hard limit:<br />
ulimit -SHn 65535<br />
<br />
or
<p>edit /etc/security/limits.conf (permanent; pam_limits applies it to sessions opened after the edit, so no reboot is needed, but services started by systemd do not read this file and need LimitNOFILE= in their unit, or for nginx the worker_rlimit_nofile directive):</p>
# End of file<br />
root soft nofile 65535<br />
root hard nofile 65535<br />
* soft nofile 65535<br />
* hard nofile 65535</div>
<p><br />
<strong>2. Disable SELinux</strong><br />
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config<br />
This edits the RHEL/CentOS config file and takes effect after a reboot (setenforce 0 switches the running system to permissive immediately); Debian 11 does not ship with SELinux enabled, so the step does not apply there. Disabling SELinux removes a mandatory access control layer that confines nginx and php-fpm; keeping it enforcing and adjusting the policy for the web root (file labels and booleans) is the safer choice.<br />
</p>
<p><strong>3. Enable HugePages on the system</strong><br />
sysctl vm.nr_hugepages=512<br />
This reserves 512 huge pages (512 x 2048 kB = 1 GiB, which is then unavailable to ordinary allocations); add vm.nr_hugepages=512 to /etc/sysctl.conf to keep it across reboots. Check the result:<br />
$ cat /proc/meminfo | grep Huge<br />
AnonHugePages: 106496 kB<br />
HugePages_Total: 512<br />
HugePages_Free: 504<br />
HugePages_Rsvd: 27<br />
HugePages_Surp: 0<br />
Hugepagesize: 2048 kB<br />
</p>
<p><strong>4. Maximum number of processes/threads (some systems do not have this file)</strong><br />
/etc/security/limits.d/20-nproc.conf (if it is absent, 90-nproc.conf works too; <strong>some systems have neither file, in which case skip this and continue with the steps below, which work the same way</strong>)<br />
[screenshot of /etc/security/limits.d/20-nproc.conf; the line containing 4096 is the default soft nproc limit for ordinary users]<br />
The 4096 there must be raised as well.<br />
Note: if the program runs in Docker, the matching container limits (docker run --ulimit nproc=... and --ulimit nofile=...) must be raised too.</p>
<div style="background:#eeeeee; border:1px solid #cccccc; padding:5px 10px">The <span style="color:#e74c3c">maximum number of threads</span> the Linux system can create is shown by:<br />
<span style="color:#e74c3c"><strong>cat /proc/sys/kernel/threads-max</strong></span><br />
<strong>Thread count of a single process<br />
ps -eLf | grep project-name | wc -l shows the thread count of one project; the project that failed to start usually had around 600 threads<br />
cat /proc/sys/vm/max_map_count<br />
65530</strong> (the maximum number of memory mappings per process; each thread's stack is a separate mapping, so this value bounds the thread count too)<br />
The <span style="color:#e74c3c">maximum number of processes</span> per user is shown by:<br />
ulimit -a<br />
<strong>The line max user processes is the user's process limit</strong>; on my system it is large and the process count never exceeded it. If it is exceeded, raise the limit in<br />
vi /etc/security/limits.d/90-nproc.conf<br />
* soft nproc 1024<br />
root soft nproc unlimited<br />
This limits every user except root to 1024 processes, so comment the line out or raise the value; the change applies to sessions opened after saving (already running processes keep their old limit):<br />
#* soft nproc 1024<br />
root soft nproc unlimited<br />
<strong>Processes and threads in use system-wide</strong><br />
cat /proc/sys/kernel/pid_max<br />
The default is 32768 (the highest PID a 32-bit Linux system can allocate; 64-bit kernels allow raising kernel.pid_max up to 4194304). To count the processes and threads currently in use: pstree -p | wc -l.</div>
<p>Note: leave these parameters to experienced ops staff; do not change them on a whim.<br />
</p>
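The open-files and process-limit checks above both rely on ulimit in an interactive shell, which is not what a daemon started by systemd sees. The following script, added here as an example and not code from the original page, reads the limits that actually apply to a running process from /proc/&lt;pid&gt;/limits and compares them with what the service needs; the /proc/&lt;pid&gt;/limits text it parses at load time is a constructed sample, and the nginx process lookup via pgrep is an assumption about the host:

```shell
#!/bin/sh
# Added example, not from the original page: read the limits that really apply
# to a running process. /proc/<pid>/limits is authoritative; limits.conf only
# affects sessions that PAM opens after the edit, and systemd units ignore it.
# Run "sh limits_check.sh run [wanted_nofile]" to inspect the nginx processes;
# without arguments only the functions and a constructed sample are defined.

# limit_from_text TEXT NAME: print "soft hard" for the NAME row of a
# /proc/<pid>/limits dump, e.g. limit_from_text "$txt" "Max open files".
limit_from_text() {
    printf '%s\n' "$1" | awk -v name="$2" '
        index($0, name) == 1 {
            rest = substr($0, length(name) + 1)   # everything after the label
            split(rest, f)                        # default FS skips the padding
            print f[1], f[2]                      # soft and hard values
        }'
}

# check_limits TEXT WANT_NOFILE WANT_NPROC: report and fail when the soft
# limits in TEXT are below what the service needs (nginx: worker_rlimit_nofile).
check_limits() {
    text=$1; want_nofile=$2; want_nproc=$3
    pair=$(limit_from_text "$text" "Max open files"); nofile_soft=${pair%% *}
    pair=$(limit_from_text "$text" "Max processes");  nproc_soft=${pair%% *}
    status=0
    [ "$nofile_soft" = unlimited ] || [ "$nofile_soft" -ge "$want_nofile" ] \
        || { echo "nofile soft limit $nofile_soft is below $want_nofile"; status=1; }
    [ "$nproc_soft" = unlimited ] || [ "$nproc_soft" -ge "$want_nproc" ] \
        || { echo "nproc soft limit $nproc_soft is below $want_nproc"; status=1; }
    return $status
}

# Constructed sample of /proc/<pid>/limits (not captured from a real host).
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             4096                 15000                processes'

main() {
    want=${1:-65535}
    echo "threads-max=$(cat /proc/sys/kernel/threads-max) pid_max=$(cat /proc/sys/kernel/pid_max)" \
         "processes now=$(ls /proc | grep -c '^[0-9]')"
    for pid in $(pgrep -x nginx); do
        printf 'nginx pid %s: ' "$pid"
        if check_limits "$(cat "/proc/$pid/limits")" "$want" 4096; then
            echo "ok"
        else
            echo "  -> raise LimitNOFILE=/LimitNPROC= in the systemd unit, or worker_rlimit_nofile for nginx"
        fi
    done
}

if [ "${1:-}"  = run ]; then
    main "$2"
fi
```

On the constructed sample the nofile soft limit is the stock 1024, which is exactly the value that produces "24: Too many open files" under load even when limits.conf already says 65535, because the daemon never went through PAM.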
<h3><a href="forum.php?mod=viewthread&tid=355&extra=page%3D1">System tuning: network</a></h3>
<p>Below is a complete set of kernel tuning values for vim /etc/sysctl.conf. It is an old CentOS-era template and needs review before use: net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and on older kernels breaks clients behind NAT; net.ipv4.tcp_timestamps = 0 disables PAWS and also makes tcp_tw_reuse ineffective, because TIME-WAIT reuse depends on timestamps; tcp_fin_timeout = 1 and a single retry for SYN and SYN-ACK are aggressive enough to drop legitimate clients on lossy links; net.ipv4.tcp_mem is counted in pages (4 KiB), so 94500000 pages is about 360 GiB and the line effectively disables the limit (the kernel's auto-sizing is better); and net.core.somaxconn is clamped to 65535 on kernels before 5.4, while nginx's own listen backlog defaults to 511 on Linux unless you set listen ... backlog=. The hardening entries (ip_forward = 0, rp_filter = 1, accept_source_route = 0, kernel.sysrq = 0, tcp_syncookies = 1) are worth keeping on any web server. The problematic lines are corrected or commented out below.</p>
<pre>
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144             # clamped to 65535 before kernel 5.4; nginx needs listen ... backlog= to use more than 511
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 1             # was 0: that disables PAWS and makes tcp_tw_reuse a no-op
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# net.ipv4.tcp_tw_recycle = 1           # removed in Linux 4.12; breaks clients behind NAT on older kernels
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_mem = 94500000 915000000 927000000   # values are pages, not bytes; leave the kernel default
net.ipv4.tcp_fin_timeout = 1            # very aggressive; the default is 60 and 30 is common in tuning guides
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000</pre>
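A small audit for the template above, added here as an example and not code from the original page. It parses a sysctl file and reports the settings just discussed that are removed, self-defeating or risky; the file it checks at load time is a constructed sample reproducing the template's problem lines, and the `run` mode assumes the standard /etc/sysctl.conf and /etc/sysctl.d/*.conf locations:

```shell
#!/bin/sh
# Added example, not from the original page: audit a sysctl file for the
# settings discussed above that are removed, self-defeating or risky.
# Assumes a plain "key = value" file; run "sh sysctl_audit.sh run" to check
# /etc/sysctl.conf and /etc/sysctl.d/*.conf on the host.

# audit_sysctl FILE: prints one WARN line per finding, exit 1 if any.
audit_sysctl() {
    awk '
        BEGIN { bad = 0 }
        function warn(msg) { print "WARN: " msg; bad = 1 }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0; sub(/[#;].*/, "", line)          # trailing comment
            p = index(line, "="); if (p == 0) next
            k = substr(line, 1, p - 1); v = substr(line, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[k] = v
        }
        END {
            if ("net.ipv4.tcp_tw_recycle" in val)
                warn("net.ipv4.tcp_tw_recycle: removed in Linux 4.12; on older kernels it breaks clients behind NAT")
            if (val["net.ipv4.tcp_timestamps"] == "0" && val["net.ipv4.tcp_tw_reuse"] == "1")
                warn("tcp_tw_reuse=1 has no effect with tcp_timestamps=0 (which also disables PAWS)")
            if (val["net.ipv4.tcp_syncookies"] != "1")
                warn("net.ipv4.tcp_syncookies is not set to 1 here (SYN flood protection)")
            if (val["net.ipv4.ip_forward"] == "1")
                warn("net.ipv4.ip_forward=1 makes the host forward packets; unexpected on a web server")
            if (val["kernel.sysrq"] != "" && val["kernel.sysrq"] != "0")
                warn("kernel.sysrq enabled: magic SysRq keys work without authentication on the console")
            if (val["net.core.somaxconn"] + 0 > 65535)
                warn("net.core.somaxconn above 65535 is clamped to 65535 on kernels before 5.4")
            if (val["net.ipv4.tcp_fin_timeout"] != "" && val["net.ipv4.tcp_fin_timeout"] + 0 < 10)
                warn("tcp_fin_timeout below 10s tears down orphaned FIN-WAIT-2 sockets very aggressively (default 60)")
            exit bad
        }' "$1"
}

# Constructed sample reproducing the problematic lines of the template above.
SAMPLE_SYSCTL="${TMPDIR:-/tmp}/sysctl-sample.$$"
cat > "$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1   # removed in 4.12
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 1
EOF

main() {
    rc=0
    for f in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        echo "== $f"
        audit_sysctl "$f" || rc=1
    done
    return $rc
}

if [ "${1:-}" = run ]; then
    main
else
    audit_sysctl "$SAMPLE_SYSCTL" || echo "(sample has the expected problems)"
fi
```

On the sample the audit reports four findings: the removed tcp_tw_recycle, the timestamps/tw_reuse contradiction, the clamped somaxconn and the one-second FIN timeout; the hardening keys pass.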
<h2><a href="forum.php?mod=viewthread&tid=164&highlight=线程池">nginx tuning: thread pools</a></h2>
<div>
<p>To use the thread pool feature (nginx 1.7.11 and later), add the following to the configuration. Note that thread_pool is only valid in the main (top-level) context, not inside location; the original snippet placed it inside location, which nginx rejects at startup:</p>
<pre>
# main context, at the top of nginx.conf
thread_pool default threads=32 max_queue=65535;

http {
    server {
        location / {
            root /html;
            aio threads=default;
        }
    }
}</pre>
<p>This defines a thread pool named "default" with 32 threads and a task queue holding at most 65535 pending requests. If the queue overflows, nginx writes the following error and rejects the request:</p>
<pre>
thread pool "default" queue overflow: N tasks waiting</pre>
<p>If this error appears, the thread pool is heavily loaded and adding threads can help. Once the machine's processing capacity is reached, adding more threads no longer improves anything.</p>
<p>Thread pool support must be compiled in with the following configure options:</p>
<ol>
<li>
<p>--with-threads (required for aio threads)</p>
</li>
<li>
<p>--with-file-aio (enables aio on, i.e. kernel asynchronous file I/O)</p>
</li>
</ol>
<p>With a thread pool, blocking file operations wait in the queue instead of stalling a worker, so the CPU keeps serving other requests; asynchronous file I/O (AIO) is mostly useful when serving large files.</p>
</div>
<h3><a href="forum.php?mod=viewthread&tid=355&extra=page%3D1">nginx tuning: configuration file parameters</a></h3>
<p>Below is a simple nginx configuration file. The copy on the original page had lost the spaces between directive names and values; those are restored here, and a few real mistakes are fixed or flagged in comments: worker_cpu_affinity listed seven masks for eight workers; client_body_tmp is not a directive (client_body_temp_path is); log_format is only valid in the http context; the PHP location regex \.php?$ also matches .ph; the /status location exposes stub_status to anyone without an allow/deny restriction; access_log off throws away the main record you will want during incident response (a buffered access_log is the usual compromise); and the cipher string in the TLS comment enables RC4 and export suites. The bold directives are the ones the original page singled out for tuning.</p>
<pre>
user www www;
worker_processes 8;
# one mask per worker; the original listed only 7 masks for 8 workers ("worker_cpu_affinity auto;" does this on nginx 1.9.10+)
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
error_log /www/log/nginx_error.log crit;
pid /usr/local/nginx/nginx.pid;
<strong>worker_rlimit_nofile 204800;</strong>   # fd limit per worker; the nginx user's hard nofile limit must allow it
events
{
<strong>    accept_mutex on;
    multi_accept on;</strong>   # a worker accepts every pending connection in one go
<strong>    use epoll;
    worker_connections 204800;</strong>
}
http
{
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    server_names_hash_bucket_size 128;
<strong>    client_header_buffer_size 4k;
    large_client_header_buffers 4 4k;
    client_max_body_size 8m;</strong>   # the effective upload limit; keep php.ini's post_max_size/upload_max_filesize in step
    client_body_temp_path /tmp/nginx_client_body_tmp;   # the original "client_body_tmp" is not an nginx directive
    server_tokens off;   # hide the nginx version in the Server header and on error pages
<strong>    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;</strong>
    fastcgi_cache_path /usr/local/nginx/fastcgi_cache levels=1:2 keys_zone=TEST:10m inactive=5m;
<strong>    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 16 16k;
    fastcgi_busy_buffers_size 32k;
    fastcgi_temp_file_write_size 32k;</strong>
    fastcgi_cache TEST;
    fastcgi_cache_valid 200 302 1h;
    fastcgi_cache_valid 301 1d;
    fastcgi_cache_valid any 1m;
    fastcgi_cache_min_uses 1;
    fastcgi_cache_use_stale error timeout invalid_header http_500;
<strong>    open_file_cache max=204800 inactive=20s;
    open_file_cache_min_uses 1;
    open_file_cache_valid 30s;</strong>
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css;   # application/xml was struck out on the original page
    gzip_vary on;
    # log_format is only allowed in the http context (the original placed it inside server)
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" $http_x_forwarded_for';
    # for log analysis with tools such as ELK, define a JSON format so each field can be picked out by key:
    log_format logstash_json '{"@timestamp":"$time_iso8601",'
    '"host":"$server_addr",'
    '"clientip":"$remote_addr",'
    '"size":$body_bytes_sent,'
    '"responsetime":$request_time,'
    '"upstreamtime":"$upstream_response_time",'
    '"upstreamhost":"$upstream_addr",'
    '"http_host":"$host",'
    '"url":"$uri",'
    '"domain":"$host",'
    '"xff":"$http_x_forwarded_for",'
    '"referer":"$http_referer",'
    '"agent":"$http_user_agent",'
    '"status":"$status"}';
    # only one of the two formats is needed; with no log_format at all nginx uses its default "combined" format
    server
    {
        listen 8080 <strong>reuseport</strong>;
        server_name biji.sebcxy.com;
        index index.php index.htm;
        root /www/html/;
        # keepalive tuning, see: http://biji.sebcxy.com/forum.php?mod=viewthread&tid=145&highlight=%E4%BC%98%E5%8C%96
        # nginx's default cipher list includes DHE (kEDH) suites, whose key exchange is slow; the original removed them with
        #   ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+EXP;
        # but that string also enables RC4 and EXP (export) suites, which are broken; exclude them (!RC4:!EXP) in any list you use
        location /status
        {
            stub_status on;   # visible to anyone who can reach /status; restrict it with allow/deny
        }
        # the original regex ".*\.php?$" also matched ".ph"
        location ~ \.php$
        {
            fastcgi_pass 127.0.0.1:9000;   # must match php-fpm's listen setting (the pool below listens on a unix socket)
            fastcgi_index index.php;
            include fcgi.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$
        {
            expires 30d;
        }
        #access_log /www/log/access.log access;
        access_log off;   # access log disabled; for incident response keep it (buffered) rather than off
        error_log /www/log/errorlog.log;
    }
}</pre>
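A lint for the points flagged in the configuration above, added here as an example and not code from the original page. It walks location blocks by brace depth, so it copes with the "{ on its own line" style used in the file, and it checks the five things discussed: an unrestricted stub_status location, the \.php?$ regex, access_log off, a cipher list that enables RC4/EXP/NULL/MD5/DES suites, and a missing server_tokens off. The two files it audits at load time are constructed samples (a weak one reproducing the page's server block and a hardened counterpart); `run` mode assumes nginx is on PATH and uses `nginx -T` to obtain the include-resolved configuration:

```shell
#!/bin/sh
# Added example, not from the original page: a lint for the nginx settings
# discussed above. It walks location blocks by brace depth, so it copes with
# the "{ on its own line" style used in the configuration. Run
# "sh nginx_audit.sh run" to check the live, include-resolved config via nginx -T;
# without arguments it audits two constructed samples.

# audit_nginx_conf FILE: one WARN line per finding, exit 1 if any.
audit_nginx_conf() {
    awk '
        BEGIN { bad = 0; depth = 0; in_loc = 0 }
        function warn(msg) { print "WARN: " msg; bad = 1 }
        { line = $0; sub(/#.*/, "", line) }                   # strip comments
        line ~ /^[ \t]*server_tokens[ \t]+off[ \t]*;/ { tokens_off = 1 }
        line ~ /^[ \t]*access_log[ \t]+off[ \t]*;/ {
            warn("line " NR ": access_log off leaves no request record for incident response") }
        line ~ /^[ \t]*ssl_ciphers[ \t]/ {
            s = line; sub(/^[ \t]*ssl_ciphers[ \t]+/, "", s); sub(/[ \t]*;.*/, "", s)
            n = split(s, t, ":"); hit = 0
            for (i = 1; i <= n; i++)                            # a suite counts only if not excluded with "!"
                if (t[i] !~ /^!/ && t[i] ~ /RC4|EXP|NULL|MD5|DES/) hit = 1
            if (hit) warn("line " NR ": ssl_ciphers enables RC4/EXP/NULL/MD5/DES suites")
        }
        line ~ /^[ \t]*location[ \t]/ && !in_loc {
            in_loc = 1; loc_depth = depth; loc_line = NR; loc_text = ""; entered = 0 }
        {
            if (in_loc) loc_text = loc_text "\n" line
            depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
            if (in_loc) {
                if (depth > loc_depth) entered = 1
                if (entered && depth <= loc_depth) {            # location block just closed
                    if (loc_text ~ /stub_status/ && loc_text !~ /(allow|deny)[ \t]/)
                        warn("line " loc_line ": stub_status location has no allow/deny restriction")
                    if (loc_text ~ /\\\.php[?][$]/)
                        warn("line " loc_line ": location regex \\.php?$ also matches .ph")
                    in_loc = 0
                }
            }
        }
        END {
            if (!tokens_off) warn("server_tokens off is missing: the nginx version is sent in every response")
            exit bad
        }' "$1"
}

SAMPLE_DIR=${TMPDIR:-/tmp}
SAMPLE_BAD="$SAMPLE_DIR/nginx-bad.$$.conf"
SAMPLE_GOOD="$SAMPLE_DIR/nginx-good.$$.conf"
# Constructed sample carrying the weak spots of the configuration above.
cat > "$SAMPLE_BAD" <<'EOF'
http
{
    server
    {
        listen 8080 reuseport;
        ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+EXP;
        location /status
        {
            stub_status on;
        }
        location ~ .*\.php?$
        {
            fastcgi_pass 127.0.0.1:9000;
        }
        access_log off;
    }
}
EOF
# Constructed hardened counterpart.
cat > "$SAMPLE_GOOD" <<'EOF'
http {
    server_tokens off;
    server {
        listen 8080 reuseport;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXP:!DES;
        access_log /www/log/access.log;
        location /status {
            stub_status on;
            allow 127.0.0.1;
            deny all;
        }
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
EOF

main() {
    dump="${TMPDIR:-/tmp}/nginx-T.$$"
    nginx -T > "$dump" 2>/dev/null || { echo "nginx -T failed (run as root?)" >&2; return 1; }
    audit_nginx_conf "$dump"; rc=$?
    rm -f "$dump"
    return $rc
}

if [ "${1:-}" = run ]; then
    main
else
    audit_nginx_conf "$SAMPLE_BAD" || echo "(weak sample has the expected problems)"
    audit_nginx_conf "$SAMPLE_GOOD" && echo "hardened sample: clean"
fi
```

The weak sample produces five findings and the hardened one none; the hardened /status block is the form the page's stub_status location should take.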
<h2>PHP tuning: php.ini</h2>
<p>Settings worth changing in php.ini (comments use php.ini's ";" syntax; the original listing mixed # and // comments, which php.ini does not accept):</p>
<pre>
; error display: never show errors to clients on a production host (they reveal paths and code)
display_errors = Off
display_startup_errors = Off

; file uploads: keep in step with nginx's client_max_body_size, which is the effective limit
post_max_size = 200M
upload_max_filesize = 200M

; time zone
date.timezone = Asia/Shanghai

; error log path
error_log = /var/log/php-fpm/error.log

; OPcache
zend_extension=opcache.so
opcache.enable=1
opcache.memory_consumption=128        ; shared memory for compiled scripts, in MB
opcache.interned_strings_buffer=8     ; MB reserved for interned strings (default 8 since PHP 7); 16-64 on large code bases
opcache.max_accelerated_files=4000    ; must exceed the number of PHP files in the project (rounded up to the next prime, here 7963)
opcache.validate_timestamps=0         ; 0 = never re-check files on disk; clear the cache after every deploy (opcache_reset() or restart php-fpm); the original "vilidate_timestamps" was a typo that PHP ignores silently
opcache.revalidate_freq=300           ; seconds between checks; only used when validate_timestamps=1
; opcache.fast_shutdown=1             ; removed in PHP 7.2, has no effect on current versions
opcache.huge_code_pages=1             ; the operating system must support huge pages
opcache.file_cache=/tmp               ; prefer a directory writable only by the php-fpm user: a shared /tmp lets any local user write files that PHP later loads
opcache.jit_buffer_size=64M           ; PHP 8+; the unit suffix matters, a bare "64" means 64 bytes and leaves JIT effectively off
opcache.jit=1255                      ; PHP 8+; CRTO flag string, see the link below
</pre>
<p>Note: for the meaning of the JIT values see https://networkos.club/archives/php-jit-config.html</p>
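A sanity check for the OPcache settings above, added here as an example and not code from the original page. PHP ignores unknown php.ini keys without any message, so the misspelled directive in the original listing leaves timestamp validation at its default and nobody notices; the script flags unknown opcache.* keys against a list (assumption: the list is only the keys used on this page and must be extended for other configs), a jit_buffer_size without a K/M/G suffix, a revalidate_freq that validate_timestamps=0 makes irrelevant, a file cache under /tmp and the removed fast_shutdown. The two ini files it audits at load time are constructed samples:

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the OPcache/JIT
# directives above. PHP ignores unknown php.ini keys silently, so a typo such as
# "vilidate_timestamps" leaves the default in force without any error message.
# The list of known keys is only the set used on this page (assumption: extend
# it for your own config). Run "sh phpini_audit.sh run /path/to/php.ini".

# audit_php_ini FILE: one WARN line per finding, exit 1 if any.
audit_php_ini() {
    awk '
        BEGIN {
            bad = 0
            n = split("enable memory_consumption interned_strings_buffer max_accelerated_files validate_timestamps revalidate_freq fast_shutdown huge_code_pages file_cache jit_buffer_size jit", k, " ")
            for (i = 1; i <= n; i++) known["opcache." k[i]] = 1
        }
        function warn(msg) { print "WARN: " msg; bad = 1 }
        /^[ \t]*[;#]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }     # comments, blanks, [sections]
        {
            line = $0; sub(/[ \t]*;.*/, "", line)
            p = index(line, "="); if (p == 0) next
            key = substr(line, 1, p - 1); val = substr(line, p + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
            if (key ~ /^opcache\./ && !(key in known))
                warn("line " NR ": unknown directive " key " is ignored by PHP (typo?)")
        }
        END {
            if (tolower(v["display_errors"]) != "off")
                warn("display_errors is not Off: errors would reveal paths and code to clients")
            if (("opcache.jit_buffer_size" in v) && v["opcache.jit_buffer_size"] ~ /^[0-9]+$/)
                warn("opcache.jit_buffer_size=" v["opcache.jit_buffer_size"] " has no K/M/G suffix, so it is bytes; JIT is effectively off")
            if (v["opcache.validate_timestamps"] == "0" && ("opcache.revalidate_freq" in v))
                warn("opcache.revalidate_freq is ignored while validate_timestamps=0; reset OPcache on every deploy instead")
            if (v["opcache.file_cache"] ~ /^\/tmp(\/|$)/)
                warn("opcache.file_cache under the shared /tmp: any local user can write there; use a directory owned by the php-fpm user")
            if ("opcache.fast_shutdown" in v)
                warn("opcache.fast_shutdown was removed in PHP 7.2 and does nothing")
            exit bad
        }' "$1"
}

SAMPLE_DIR=${TMPDIR:-/tmp}
SAMPLE_BAD="$SAMPLE_DIR/php-bad.$$.ini"
SAMPLE_GOOD="$SAMPLE_DIR/php-good.$$.ini"
# Constructed sample reproducing the slips in the original listing.
cat > "$SAMPLE_BAD" <<'EOF'
display_errors = Off
zend_extension=opcache.so
opcache.enable=1
opcache.memory_consumption=128
opcache.vilidate_timestamps=0   ; typo: PHP keeps validating timestamps
opcache.revalidate_freq=300
opcache.fast_shutdown=1
opcache.file_cache=/tmp
opcache.jit_buffer_size=64
opcache.jit=1255
EOF
# Constructed corrected counterpart.
cat > "$SAMPLE_GOOD" <<'EOF'
display_errors = Off
zend_extension=opcache.so
opcache.enable=1
opcache.validate_timestamps=0
opcache.file_cache=/var/cache/php-opcache
opcache.jit_buffer_size=64M
opcache.jit=1255
EOF

main() {
    audit_php_ini "$1"
}

if [ "${1:-}" = run ]; then
    main "${2:?path to php.ini}"
else
    audit_php_ini "$SAMPLE_BAD" || echo "(sample has the expected problems)"
    audit_php_ini "$SAMPLE_GOOD" && echo "corrected sample: clean"
fi
```

Note that the misspelled key produces no validate_timestamps finding of its own: because the real key is absent, the default (validation on) is still in force, which is exactly the silent failure the check exists to surface.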
<h3>PHP tuning: php-fpm parameters</h3>
<p><strong>php-fpm.conf:</strong></p>
<pre>
pid = run/php-fpm.pid
; error log path
error_log = /var/log/php-fpm/error.log

events.mechanism = epoll
syslog.ident = php-fpm74</pre>
<hr />
<p><br />
<strong>www.conf:</strong></p>
<pre>
prefix = /path/to/pools/php74
; listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm74.sock
listen.backlog = 511
; listen.allowed_clients only applies to a TCP listen; for the unix socket above, access is controlled
; by the socket's owner/group/mode, which should match nginx's user (www in the nginx config above):
listen.owner = www
listen.group = www
listen.mode = 0660
listen.allowed_clients = 127.0.0.1
slowlog = /var/log/php-fpm/php-slow74.log
request_slowlog_timeout = 10s
request_terminate_timeout = 60

pm = dynamic
pm.max_children = 25
; pm.start_servers must lie between pm.min_spare_servers and pm.max_spare_servers; the original suggests about 10% of pm.max_children as a starting point
pm.start_servers = 8
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 10240

; open file descriptor limit for the pool's worker processes (not the master)
rlimit_files = 65535</pre>
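The pm.max_children value above is the one setting in this pool that should be derived from measurement rather than copied: too many workers and the OOM killer ends the outage for you. The following script, added here as an example and not code from the original page, takes the average resident size of the running workers, keeps a reserve for the OS, nginx and MySQL, and also validates the ordering php-fpm enforces between the pm.* values. The ps output it works on at load time is a constructed sample; `run` mode assumes procps ps with -C and the default "php-fpm: pool &lt;name&gt;" process titles:

```shell
#!/bin/sh
# Added example, not from the original page: size pm.max_children from what
# the workers actually use, and validate the pm.* relationships php-fpm
# enforces. Assumes php-fpm workers show up in ps as "php-fpm: pool <name>"
# (the default process title). Run "sh fpm_size.sh run [reserve_kb]" on a host;
# without arguments it works on a constructed ps sample.

# avg_worker_rss PS_TEXT: mean RSS in KB over worker lines of
# "ps -o pid=,rss=,args= -C php-fpm" output; the master process is skipped.
avg_worker_rss() {
    printf '%s\n' "$1" | awk '/php-fpm: pool/ { sum += $2; n++ }
                              END { print (n ? int(sum / n) : 0) }'
}

# fpm_max_children TOTAL_KB RESERVE_KB AVG_RSS_KB: how many workers fit once
# RESERVE_KB is kept back for the OS, nginx and MySQL.
fpm_max_children() {
    echo $(( ($1 - $2) / $3 ))
}

# fpm_pm_valid MAX_CHILDREN START MIN_SPARE MAX_SPARE: php-fpm refuses a pool
# unless min_spare <= start <= max_spare <= max_children.
fpm_pm_valid() {
    [ "$3" -le "$2" ] && [ "$2" -le "$4" ] && [ "$4" -le "$1" ]
}

# Constructed ps sample (RSS in KB); not captured from a real host.
SAMPLE_PS='  1201  18432 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
  1210  46080 php-fpm: pool www
  1211  51200 php-fpm: pool www
  1212  40960 php-fpm: pool www
  1213  45056 php-fpm: pool www'

main() {
    reserve=${1:-524288}                                   # 512 MiB kept back by default
    total=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    avg=$(avg_worker_rss "$(ps -o pid=,rss=,args= -C php-fpm)")
    [ "$avg" -gt 0 ] || { echo "no php-fpm workers found" >&2; return 1; }
    echo "MemTotal=${total}KB reserve=${reserve}KB avg_worker_rss=${avg}KB"
    echo "pm.max_children = $(fpm_max_children "$total" "$reserve" "$avg")"
}

if [ "${1:-}" = run ]; then
    main "$2"
else
    avg=$(avg_worker_rss "$SAMPLE_PS")
    echo "sample: avg worker RSS ${avg}KB -> pm.max_children = $(fpm_max_children 2097152 524288 "$avg") on a 2 GiB host"
fi
```

With the sample workers averaging about 45 MB each, a 2 GiB host with 512 MiB held back supports 34 children, so the page's 25 is on the safe side there; measure on your own host, since RSS depends on the application and on opcache.memory_consumption.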
<h2>MySQL tuning: configuration file parameters</h2>
<p>Note: do not copy these specific values; they are MySQL 5.7 settings for a small-memory test box (a Windows phpStudy install) used for testing, not for production. The parameters you should adjust are shown in bold.</p>
<pre>
# default character set for the mysql client; this option belongs in the [client]/[mysql] sections
# (MySQL 5.5+ rejects it under [mysqld], where character-set-server below is the equivalent)
<strong>default-character-set=utf8mb4</strong>

default-time_zone = '+8:00'

<strong>port = 3307
bind-address=127.0.0.1</strong>   # listen on loopback only; PHP connects locally

# MySQL install directory
basedir=E:\php\phpStudy2016\MySQL\

# data directory
datadir=E:\php\phpStudy2016\MySQL\data\

#skip-networking
#skip-locking          # removed in 5.5; the option is now skip-external-locking
#skip-name-resolve
#skip-grant-tables     # disables all authentication; only for password recovery, never leave it enabled

# memory tuning begin
<strong>max_connections=50</strong>
<strong>performance_schema = off
table_open_cache = 400</strong>

<strong>key_buffer_size=8M
tmp_table_size=7M</strong>

table_open_cache_instances = 1
<strong>query_cache_type=ON   # the query cache was removed in MySQL 8.0; these three lines stop 8.0 from starting
query_cache_limit= 512K
query_cache_size=10M
sort_buffer_size=256K</strong>

<strong>thread_cache_size=8
myisam_max_sort_file_size=10G
myisam_sort_buffer_size=12M

read_buffer_size=64K
read_rnd_buffer_size=256K</strong>
# memory tuning end

<strong>max_allowed_packet = 100M</strong>

<strong>slow_query_log = 1
slow_launch_time = 2
slow_query_log_file = "E:/php/phpStudy2016/MySQL/slow.log"
long_query_time = 10
log_queries_not_using_indexes = 0</strong>

# server character set; the built-in default is the 8-bit latin1
<strong>character-set-server=utf8mb4</strong>

# default storage engine for new tables
<strong>default-storage-engine=INNODB</strong>

#sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
# NO_AUTO_CREATE_USER no longer exists in MySQL 8.0; drop it there
sql-mode="ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"

#*** INNODB Specific options ***
innodb_data_home_dir="E:/php/phpStudy2016/MySQL/data/"

innodb_flush_log_at_trx_commit=1   # 1 = durable on every commit; 2 or 0 trade crash safety for speed
innodb_log_buffer_size=1M
innodb_buffer_pool_size=10M
innodb_log_file_size=10M
innodb_thread_concurrency=8
#######
innodb_file_per_table=1   # enabled by default on recent MySQL versions

# redo (transaction) log directory
innodb_log_group_home_dir="E:/php/phpStudy2016/MySQL/data/"</pre>
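The "memory tuning" block above only makes sense as a sum: the global buffers are paid once, the per-connection buffers up to max_connections times. The following script, added here as an example and not code from the original page, reads a my.cnf and computes that worst case from the buffers that appear in the listing (key_buffer_size, innodb_buffer_pool_size, innodb_log_buffer_size and query_cache_size globally; sort_buffer_size, read_buffer_size and read_rnd_buffer_size per connection; other per-thread buffers such as join_buffer_size are not on the page and are deliberately left out, which the comments note as an assumption). The file it parses at load time is a constructed sample with the page's values:

```shell
#!/bin/sh
# Added example, not from the original page: estimate the memory a my.cnf
# commits to, using the global buffers and the per-connection buffers that
# appear in the listing above. Other per-thread buffers (join_buffer_size,
# thread_stack, ...) are not on the page and are left out: an assumption that
# makes the estimate a lower bound. Run "sh mysql_mem.sh run /etc/mysql/my.cnf".

# mysql_mem_estimate FILE: prints "GLOBAL_BYTES PER_CONN_BYTES MAX_CONNECTIONS TOTAL_BYTES".
mysql_mem_estimate() {
    awk '
        function bytes(s,    n, u) {               # "256K" / "10M" / "1G" -> bytes; bare numbers are bytes
            n = s + 0; u = toupper(substr(s, length(s), 1))
            if (u == "K") return n * 1024
            if (u == "M") return n * 1048576
            if (u == "G") return n * 1073741824
            return n
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }   # comments, blanks, [sections]
        {
            line = $0; sub(/[ \t]+#.*/, "", line)                # trailing comment
            p = index(line, "="); if (p == 0) next
            k = substr(line, 1, p - 1); v = substr(line, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/-/, "_", k)
            val[k] = v
        }
        END {
            global = bytes(val["key_buffer_size"]) + bytes(val["innodb_buffer_pool_size"]) + bytes(val["innodb_log_buffer_size"]) + bytes(val["query_cache_size"])
            per_conn = bytes(val["sort_buffer_size"]) + bytes(val["read_buffer_size"]) + bytes(val["read_rnd_buffer_size"])
            conns = val["max_connections"] + 0
            print global, per_conn, conns, global + per_conn * conns
        }' "$1"
}

# Constructed sample built from the values in the listing above.
SAMPLE_CNF="${TMPDIR:-/tmp}/my-sample.$$.cnf"
cat > "$SAMPLE_CNF" <<'EOF'
[mysqld]
max_connections=50
key_buffer_size=8M
tmp_table_size=7M
query_cache_type=ON   # removed in 8.0
query_cache_size=10M
sort_buffer_size=256K
read_buffer_size=64K
read_rnd_buffer_size=256K
innodb_log_buffer_size=1M
innodb_buffer_pool_size=10M
EOF

main() {
    set -- $(mysql_mem_estimate "$1")
    total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    echo "global=$1 per_connection=$2 max_connections=$3 worst_case=$4 bytes (MemTotal=$((total_kb * 1024)) bytes)"
    [ "$4" -lt $((total_kb * 1024 * 8 / 10)) ] \
        || echo "WARN: worst case exceeds 80% of RAM; under memory pressure the OOM killer is likely to pick mysqld"
}

if [ "${1:-}" = run ]; then
    main "${2:?path to my.cnf}"
else
    echo "sample (global per_conn max_connections total): $(mysql_mem_estimate "$SAMPLE_CNF")"
fi
```

For the page's values this gives 29 MiB of global buffers plus 576 KiB per connection, about 57 MiB at 50 connections: fine for the small test box, and the reason the note above warns against copying these numbers to a production host, where innodb_buffer_pool_size alone is normally the largest single consumer.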
<h2>Security protection: nginx firewall</h2>
As of 2024.02.12, BT Panel (宝塔) and aaPanel include a free built-in nginx firewall that blocks common web attacks such as SQL injection and CC (HTTP flood) attacks; it installs with a few clicks.<br />
<h2>Security protection: DenyHosts</h2>
<h2>Security protection: DDoS Deflate</h2>