lizongbo at 618119.com: work, life, Android, front-end, Linode, Ubuntu, nginx, java, apache, tomcat, Resin, mina, Hessian, XMPP, RPC

27 October 2010

Compiling and installing OpenVPN 2.1.3 from source on Ubuntu Server 10.04

Filed under: Linux — lizongbo @ 22:13

The Linux host is a VPS bought from linode.com.
1. Download the source of the OpenVPN 2.1.3 stable release:
root@618119.com:/usr/local/app# wget http://openvpn.net/release/openvpn-2.1.3.tar.gz
Source:
http://openvpn.net/index.php/open-source/downloads.html
2. Unpack the source:
root@618119.com:/usr/local/app# tar -zxvf openvpn-2.1.3.tar.gz
3. Run configure to check the build environment before compiling:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn
The system reports:
LZO library available from http://www.oberhumer.com/opensource/lzo/
configure: error: Or try ./configure --disable-lzo
4. Install the liblzo2-dev library
root@618119.com:/usr/local/app/openvpn-2.1.3# apt-get install liblzo2-dev
Because nginx was built against an OpenSSL source tree, OpenVPN is built against the same, latest, OpenSSL sources here. Pointing configure at the built source tree links the static libssl.a/libcrypto.a found there into the OpenVPN binary, so an OpenSSL security update from Ubuntu will not reach this OpenVPN; it has to be rebuilt against the patched sources.
(For the openssl source download see: http://618119.com/archives/2010/10/22/174.html)
5. Configure again:
root@618119.com:/usr/local/app/openvpn-2.1.3# ./configure --prefix=/usr/local/app/openvpn --with-ssl-lib=/usr/local/app/openssl-1.0.0a --with-ssl-headers=/usr/local/app/openssl-1.0.0a/include
6. Build and install
root@618119.com:/usr/local/app/openvpn-2.1.3# make
root@618119.com:/usr/local/app/openvpn-2.1.3# make install
7. Prepare the settings for the root certificate (CA):
root@618119.com:/usr/local/app/openvpn-2.1.3# cd easy-rsa/2.0/
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# vi ./vars
The entries that need editing are:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Guangdong"
export KEY_CITY="Shenzhen"
export KEY_ORG="*.618119.com"
export KEY_EMAIL="lizongbo@gmail.com"
The same file carries export KEY_SIZE=1024; that default is why every key below is generated as "1024 bit RSA". For a CA and a server certificate that are signed for ten years, raise it to 2048 before running build-ca. KEY_SIZE also sets the size of the Diffie-Hellman parameters that build-dh writes (dh1024.pem becomes dh2048.pem), so the dh line in server.conf has to follow.

8. Start generating the root certificate:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
(Running ./vars executes it in a child shell, so its exported variables never reach the current shell; it has to be sourced, as the message says.)
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./clean-all

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [*.618119.com CA]:
Name []:
Email Address [lizongbo@gmail.com]:

9. Generate the OpenVPN server certificate. build-key-server signs it with easy-rsa's "server" extensions, which is what later lets a client tell a server certificate from a client certificate. The "challenge password" prompt is an unused CSR attribute, not a passphrase: the key itself is written unencrypted.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key-server openvpn.618119.com
Generating a 1024 bit RSA private key
..............++++++
..............................................++++++
writing new private key to 'openvpn.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'openvpn.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:49:51 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
10. Generate the OpenVPN client certificate (one per client, each with its own Common Name, so that a lost or compromised device can be revoked with revoke-full without touching the others):

root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-key vpnclient.618119.com
Generating a 1024 bit RSA private key
................................++++++
...............++++++
writing new private key to 'vpnclient.618119.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [*.618119.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vpnclient.618119.com]:
Name []:
Email Address [lizongbo@gmail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:618119.com
An optional company name []:
Using configuration from /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Guangdong'
localityName          :PRINTABLE:'Shenzhen'
organizationName      :T61STRING:'*.618119.com'
commonName            :PRINTABLE:'vpnclient.618119.com'
emailAddress          :IA5STRING:'lizongbo@gmail.com'
Certificate is to be certified until Oct 21 05:53:31 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

11. Generate the dh (Diffie-Hellman) parameter file:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# ./build-dh

12. Create the configuration and log directories:
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/conf/keys
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# mkdir /usr/local/app/openvpn/log
13. Copy the generated key files into /usr/local/app/openvpn/conf
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/easy-rsa/2.0/keys/* /usr/local/app/openvpn/conf/keys
This copies everything in keys/, including ca.key and the client's private key. The server only needs ca.crt, its own certificate and key, and the dh file. ca.key signs (and revokes) every certificate the server will trust, so it belongs off the VPN server, and vpnclient.618119.com.key should only ever live on the client. Whatever is copied, make the directory readable by root only (chmod 700 /usr/local/app/openvpn/conf/keys).
14. Copy the server configuration from the sample files.
root@618119.com:/usr/local/app/openvpn-2.1.3/easy-rsa/2.0# cp /usr/local/app/openvpn-2.1.3/sample-config-files/server.conf   /usr/local/app/openvpn/conf/

15. Edit /usr/local/app/openvpn/conf/server.conf with vi. The entries below are the ones changed from the defaults or uncommented (the notes are kept on their own lines, which is the comment form the OpenVPN manual documents):
# the default port 1194 was changed to 11194
port 11194

# UDP connections turned out to be unstable in use and the cause could not be found, so TCP was tried instead;
# the client must use the same proto and port, otherwise it logs ECONNREFUSED
proto tcp
;proto udp

ca /usr/local/app/openvpn/conf/keys/ca.crt
# build-key-server was run above as ./build-key-server openvpn.618119.com, so the files in keys/ are
# openvpn.618119.com.crt and openvpn.618119.com.key; either point cert/key at those names or rename the
# two files to server.crt/server.key before starting, otherwise OpenVPN fails at startup because the files do not exist
cert /usr/local/app/openvpn/conf/keys/server.crt
key /usr/local/app/openvpn/conf/keys/server.key
# named after KEY_SIZE in vars (dh2048.pem if KEY_SIZE was raised to 2048)
dh /usr/local/app/openvpn/conf/keys/dh1024.pem

ifconfig-pool-persist /usr/local/app/openvpn/conf/ipp.txt

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# drop root once the tun device and sockets exist; the nogroup group already exists on Ubuntu,
# a nobody group has to be created with groupadd first (see step 16)
user nobody
group nobody

status /usr/local/app/openvpn/log/openvpn-status.log
# log truncates the file at every start, log-append appends; one of the two is enough
log         /usr/local/app/openvpn/log/openvpn.log
log-append  /usr/local/app/openvpn/log/openvpn-append.log

verb 5

15. Start OpenVPN with the configuration file:
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf
After starting, no OpenVPN process was there.
root@618119.com:/usr/local/app/openvpn/log# tail *.log
The log shows this error:
Sun Oct 24 07:10:38 2010 us=152299 failed to find GID for group nobody
Sun Oct 24 07:10:38 2010 us=152331 Exiting
16. Run the following command:
root@618119.com:/usr/local/app/openvpn/log# groupadd nobody

17. Start openvpn again; this time it starts.
root@618119.com:/etc/openvpn# /usr/local/app/openvpn/sbin/openvpn --config /usr/local/app/openvpn/conf/server.conf
(Started like this it stays in the foreground and dies with the shell; add --daemon on the command line, or daemon in server.conf, for a server that survives logout.)

18. Configure packet forwarding on the Ubuntu Linux server:

root@618119.com:~# sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@618119.com:~# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
(10.8.0.0/24 is the pool the sample server.conf hands out with its server 10.8.0.0 255.255.255.0 line; change the two together. Neither setting survives a reboot: put net.ipv4.ip_forward=1 in /etc/sysctl.conf and save the nat rule with iptables-save or a start-up script. With the MASQUERADE rule in place every connected client can reach anything the VPS can, so the FORWARD chain is where to restrict clients that are not all trusted.)

19. Configure the OpenVPN client on Ubuntu Linux:
client.conf:
client
# the server's port, 11194
remote *.*.*.* 11194
ca /usr/local/appr/openvpn/conf/keys/ca.crt
cert /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.crt
key /usr/local/appr/openvpn/conf/keys/vpnclient.618119.com.key
# require the peer to present a certificate made with build-key-server; without this line the client
# accepts any certificate signed by ca.crt, including another client's, as the server
# (this is the "No server certificate verification method has been enabled" warning at connect time)
ns-cert-type server
# 0 disables key renegotiation on this side; the server still renegotiates on its own schedule (default 3600 s)
reneg-sec 0
comp-lzo yes
dev tun
# protocol changed from udp to tcp, to match the server
proto tcp
nobind
auth-nocache
# only needed if the client runs up/down scripts
script-security 2
persist-key
persist-tun
# the openvpn user and group must exist on the client machine (adduser --system --group openvpn)
user openvpn
group openvpn

20. Connect from the network connection.
Once the openvpn tunnel is up, http://www.youtube.com/ and http://twitter.com/ both load normally in the local browser.

Sun Oct 24 10:56:38 2010 us=259482 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
This error came up while connecting. On a UDP socket ECONNREFUSED means the server host answered with an ICMP port unreachable, i.e. nothing was listening on UDP 11194: that is what a client still on proto udp sees when the server has been switched to proto tcp (or is not running at all). Retrying does not help until both sides agree on proto and port.

21. Using OpenVPN on Windows. First download the Windows client:
http://openvpn.net/release/openvpn-2.1.3-install.exe
After installing, on the local machine

22. Put the certificate files in place locally, then write the client configuration C:\Program Files\OpenVPN\bin\client.ovpn
----------------------------------------------------------
client
remote *.*.*.* 11194
ca I:\\temp\\keys\\ca.crt
cert I:\\temp\\keys\\vpnclient.618119.com.crt
key I:\\temp\\keys\\vpnclient.618119.com.key
# same reason as on the Linux client: verify that the peer holds the server certificate;
# the log in step 23 was taken without this line, which is why it carries the MITM WARNING
ns-cert-type server
reneg-sec 0
comp-lzo yes
dev tun
# must match the server's proto (the server above was switched to tcp)
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
# ignored on Windows (see the two NOTE lines in the log below): privilege dropping is not implemented there
user openvpn
group openvpn

----------------------------------------------------------

23. Run the program from a DOS window to connect:

C:\Program Files\OpenVPN\bin>openvpn client.ovpn
Wed Oct 27 22:11:02 2010 NOTE: --user option is not implemented on Windows
Wed Oct 27 22:11:02 2010 NOTE: --group option is not implemented on Windows
Wed Oct 27 22:11:02 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Oct 27 22:11:02 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 27 22:11:02 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 27 22:11:02 2010 LZO compression initialized
Wed Oct 27 22:11:02 2010 UDPv4 link local: [undef]
Wed Oct 27 22:11:02 2010 UDPv4 link remote: *.*.*.*:11194
Wed Oct 27 22:11:30 2010 [_.618119.com] Peer Connection Initiated with 173.255.196.174:11194
Wed Oct 27 22:11:37 2010 TAP-WIN32 device [本地连接 2] opened: \\.\Global\{FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}.tap
Wed Oct 27 22:11:37 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Wed Oct 27 22:11:37 2010 Successful ARP Flush on interface [131077] {FF3AEA0C-A0ED-4068-882D-4C98D2CB50A9}
Wed Oct 27 22:11:42 2010 Initialization Sequence Completed
The WARNING line is the one that matters: as configured, the client only checked that the server's certificate was signed by ca.crt, which is true of every client certificate as well, so anyone holding one client certificate could pose as the server. With ns-cert-type server in client.ovpn the warning disappears and a client certificate is rejected in the server role.
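As an added example, not code from the original post, the POSIX shell script below cross-checks an OpenVPN server.conf against a client config for the two problems this post ran into: a proto or port mismatch between the two sides (the source of the ECONNREFUSED line in step 20) and a client that accepts any CA-signed certificate as the server (the WARNING line just above). It needs only sh, awk, grep and sed. The two configs it writes into a temporary directory are constructed to mirror the ones on this page, with the placeholder hostname vpn.example.com standing in for the masked server address.

```shell
#!/bin/sh
# Added example, not part of the original post.

# First value of <option> in an OpenVPN config, skipping comment lines (# or ;).
ovpn_opt() {                      # usage: ovpn_opt <config> <option>
    awk -v opt="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == opt { print $2; exit }
    ' "$1"
}

# Port on the client's "remote <host> [port]" line (OpenVPN's default is 1194).
ovpn_remote_port() {              # usage: ovpn_remote_port <client config>
    p=$(awk '/^[[:space:]]*[#;]/ { next } $1 == "remote" { print $3; exit }' "$1")
    echo "${p:-1194}"
}

# 0 if the client insists on a certificate built with build-key-server
# (either directive is accepted by OpenVPN 2.1).
client_verifies_server() {        # usage: client_verifies_server <client config>
    grep -Eq '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server' "$1"
}

# Print one line per finding; return value = number of findings (0 = consistent).
check_ovpn_pair() {               # usage: check_ovpn_pair <server.conf> <client config>
    srv=$1; cli=$2; n=0
    sproto=$(ovpn_opt "$srv" proto); sproto=${sproto:-udp}   # udp is OpenVPN's default
    cproto=$(ovpn_opt "$cli" proto); cproto=${cproto:-udp}
    if [ "$sproto" != "$cproto" ]; then
        echo "proto mismatch: server=$sproto client=$cproto (client will see ECONNREFUSED or hang)"
        n=$((n + 1))
    fi
    sport=$(ovpn_opt "$srv" port); sport=${sport:-1194}
    cport=$(ovpn_remote_port "$cli")
    if [ "$sport" != "$cport" ]; then
        echo "port mismatch: server listens on $sport, client connects to $cport"
        n=$((n + 1))
    fi
    if ! client_verifies_server "$cli"; then
        echo "client lacks 'ns-cert-type server': any certificate signed by ca.crt, a client's included, passes as the server"
        n=$((n + 1))
    fi
    return $n
}

# Constructed sample configs mirroring this post; prints the directory they were written to.
write_demo_configs() {            # usage: dir=$(write_demo_configs)
    d=$(mktemp -d)
    cat > "$d/server.conf" <<'EOF'
port 11194
proto tcp
;proto udp
dev tun
ca keys/ca.crt
cert keys/openvpn.618119.com.crt
key keys/openvpn.618119.com.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
    # the Windows client as posted: still on udp, no server-certificate check
    cat > "$d/client.ovpn" <<'EOF'
client
remote vpn.example.com 11194
ca keys/ca.crt
cert keys/vpnclient.618119.com.crt
key keys/vpnclient.618119.com.key
dev tun
proto udp
nobind
EOF
    # the same client after both fixes
    sed -e 's/^proto udp/proto tcp/' "$d/client.ovpn" > "$d/client-fixed.ovpn"
    echo 'ns-cert-type server' >> "$d/client-fixed.ovpn"
    echo "$d"
}

demo=$(write_demo_configs)
echo "== as posted =="
check_ovpn_pair "$demo/server.conf" "$demo/client.ovpn" || echo "$? finding(s)"
echo "== fixed =="
check_ovpn_pair "$demo/server.conf" "$demo/client-fixed.ovpn" && echo "consistent"
```

Run it as `sh check-ovpn.sh`, or source it and call `check_ovpn_pair /usr/local/app/openvpn/conf/server.conf client.ovpn` against the real files; a non-zero exit status means the client will either not connect or will connect without knowing who it is talking to.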

Related reference articles:
1. OpenVPN official documentation:
http://openvpn.net/index.php/open-source/documentation/howto.html#install
2. Installing OpenVPN Server on Ubuntu Server:
http://www.douhua.im/2010/01/06/ubuntu-server-install-openvpn-server/
3. Installing and configuring OpenVPN:
http://pityonline.info/?p=1054
4. Installing openvpn on Ubuntu:
http://space.itpub.net/7201003/viewspace-312657
5. Error message: UDPv4 [ECONNREFUSED]: Connection refused (code=111)
http://readthefuckingmanual.net/error/383/

http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html

http://blog.darkices.com/archive/openvpn-server-side-dns-hijacking-to-solve-the-problem-of-pollution-dns.html
http://omobox.com/memo/tunnelier-instead-of-myentunnel.html

http://blog.darkices.com/archive/build-ssh-proxy-on-vps.html#comment-275

Commands to check whether tun is enabled:
dmesg|grep tun
or: ls -l /dev/net/tun

Reference: http://www.hostloc.com/thread-6106-5-589.html

24 October 2010

Installing JDK 1.6.0_21 and compiling and configuring Resin 4.0.12 on Ubuntu 10.04

Filed under: Java, JVM, Linux, Resin, RMI — lizongbo @ 00:37

1. First install the latest JDK. Download JDK 1.6.0_21 (source: http://www.oracle.com/technetwork/java/javase/downloads/index.html):
root@618119.com:/usr/local/app$ wget "http://cds.sun.com/***/jdk-6u21-linux-x64.bin"
(This URL carries session information and has since expired; the official JDK download offers no stable address, so it has to be taken from the download page each time.)
2. Rename the downloaded file:
root@618119.com:/usr/local/app$ mv jdk-6u21-linux-x64.bin\?BundledLineItemUUID\=SSeJ_hCwV9QAAAEroI4AHoII\&OrderID\=gVSJ_hCwmL8AAAErko4AHoII\&ProductID\=xKiJ_hCySHIAAAEpT7wzBGsB\&FileName\=%2Fjdk-6u21-linux-x64.bin   jdk-6u21-linux-x64.bin
3. Make the installer executable:
root@618119.com:/usr/local/app$ chmod +x ./jdk-6u21-linux-x64.bin
4. Install the JDK:
root@618119.com:/usr/local/app$ ./jdk-6u21-linux-x64.bin
(Once the JDK is installed, a jdk symlink can point at the versioned directory, so that a later JDK upgrade is switched over just by changing the link:
root@618119.com:/usr/local/app# ln -s ./jdk1.6.0_21/ ./jdk )
5. Add the environment variable system-wide:
Edit /etc/environment and add this line:
JAVA_HOME="/usr/local/app/jdk1.6.0_21"
/etc/environment afterwards:
root@618119.com:/etc# more /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
JAVA_HOME="/usr/local/app/jdk1.6.0_21"
6. Download resin 4.0.12 (source: http://www.caucho.com/download/)
root@618119.com:/usr/local/app# wget http://www.caucho.com/download/resin-4.0.12.tar.gz
7. Unpack the archive, then enter the resin directory and build and install it, with the install directory set to /usr/local/app/resin:
root@618119.com:/usr/local/app# tar -zxvf resin*
root@618119.com:/usr/local/app# cd resin*
root@618119.com:/usr/local/app/resin-4.0.12# ./configure --prefix=/usr/local/app/resin
root@618119.com:/usr/local/app/resin-4.0.12# make
root@618119.com:/usr/local/app/resin-4.0.12# make install
8. The system service script has already been generated:
root@618119.com:/etc/init.d# more /etc/init.d/resin
9. Trying to start resin 4.0.12 fails:
root@618119.com:/usr/local/app/resin/log# /usr/local/app/resin/bin/resin.sh start
It does not start because the login user is root.
From version 4.0 the default resin.xml contains a condition: if the current user is root, resin's watchdog process launches the real resin process as the www-data user.
root@618119.com:/usr/local/app/resin/bin# ./resin.sh start
then root@618119.com:/usr/local/app/resin/bin# ./resin.sh shutdown
root@618119.com:/usr/local/app/resin/bin# tail ../log/*.log
The error log reads:
-----------------------------------------------------------------------------

com.caucho.config.ConfigRuntimeException: java.io.IOException: Cannot create directory: /usr/local/app/resin/resin-data/default
at com.caucho.config.ConfigException.create(ConfigException.java:168)
at com.caucho.server.resin.Resin.configure(Resin.java:1006)
at com.caucho.server.resin.Resin.initMain(Resin.java:983)
at com.caucho.server.resin.Resin.main(Resin.java:1230)
Caused by: java.io.IOException: Cannot create directory: /usr/local/app/resin/resin-data/default
at com.caucho.vfs.FilePath.mkdirs(FilePath.java:489)
at com.caucho.env.service.RootDirectoryService.<init>(RootDirectoryService.java:81)
at com.caucho.server.resin.Resin.configureRoot(Resin.java:1073)
at com.caucho.server.resin.Resin.configure(Resin.java:1001)
… 2 more

-----------------------------------------------------------------------------

[2010/10/18 15:35:45.200] http listening to localhost:6600
[2010/10/18 15:35:45.289]
[2010/10/18 15:35:47.084] Watchdog detected close of Resin[,pid=20430]
exit reason: BAD_CONFIG (exit code=2)
[2010/10/18 15:35:48.814] Watchdog detected close of Resin[,pid=20454]
exit reason: BAD_CONFIG (exit code=2)
[2010/10/18 15:35:50.563] Watchdog detected close of Resin[,pid=20476]
exit reason: BAD_CONFIG (exit code=2)
[2010/10/18 15:35:52.470] Watchdog detected close of Resin[,pid=20508]
exit reason: BAD_CONFIG (exit code=2)

-----------------------------------------------------------------------------

10. The fix used here was to comment out lines 147 to 150 of resin.xml:
root@618119.com:/usr/local/app/resin/conf# vi ./resin.xml

147 <!--      <resin:if test="${resin.userName == 'root'}">
148         <user-name>www-data</user-name>
149         <group-name>www-data</group-name>
150       </resin:if> -->

This makes Resin keep running as root, which is exactly what the default configuration is written to avoid: every webapp it serves then has root's file access. The error itself ("Cannot create directory: /usr/local/app/resin/resin-data/default") only says that www-data cannot write under /usr/local/app/resin, because make install left everything owned by root. Leaving the <resin:if> block in place and handing the directories Resin writes to (resin-data, log, webapps) to www-data with chown -R www-data:www-data clears the same error without the privilege cost; the www-data user and group already exist on Ubuntu.
11. Then run
root@618119.com:/usr/local/app/resin/bin# ./resin.sh start
or root@618119.com:/usr/local/app/resin/bin# /etc/init.d/resin start
and it starts normally either way.
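As an added example, not Resin's own tooling, the shell functions below list the directories under a Resin root that the runtime user (www-data when the watchdog is started by root) must own, and print the chown commands still needed, so that the root-to-www-data switch in resin.xml can stay in place instead of being commented out. The set of writable directories is an assumption based on the error above and on Resin's layout (resin-data, log, webapps), and the demo tree it builds in a temporary directory is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not part of Resin or of the original post.

RESIN_WRITABLE="resin-data log webapps"   # assumption: the dirs Resin 4.0.12 writes to at runtime

# Numeric uid for a user name, or the value itself if it is already numeric;
# empty when the user does not exist.
uid_of() {                        # usage: uid_of <user-or-uid>
    case $1 in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) echo "$1" ;;
    esac
}

# Print a chown command for every writable directory not owned by <run_user>.
# Return value: number of directories still to fix, or 1 if the user is unknown.
check_resin_ownership() {         # usage: check_resin_ownership <resin_root> <run_user>
    root=$1; want=$(uid_of "$2"); n=0
    if [ -z "$want" ]; then
        echo "user '$2' does not exist; create it first: adduser --system --group $2" >&2
        return 1
    fi
    for sub in $RESIN_WRITABLE; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue                    # not every install has webapps yet
        have=$(ls -ldn "$dir" | awk '{ print $3 }')  # -n prints the numeric owner uid
        if [ "$have" != "$want" ]; then
            echo "chown -R $2 $dir    # owned by uid $have, Resin's runtime user is uid $want"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed demo tree with an empty Resin layout; prints its path.
write_demo_resin_root() {
    d=$(mktemp -d)
    for sub in $RESIN_WRITABLE conf; do mkdir -p "$d/$sub"; done
    echo "$d"
}

demo=$(write_demo_resin_root)
me=$(id -un 2>/dev/null || id -u)
check_resin_ownership "$demo" "$me" && echo "$demo: owned by $me, nothing to do"
# against a real install: check_resin_ownership /usr/local/app/resin www-data
```

Pipe the output through sh once it looks right (`check_resin_ownership /usr/local/app/resin www-data | sh`); the script deliberately prints rather than runs the chown so the change is reviewed first.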

12. Run the following command to register resin as a default system service as well:
root@618119.com:/etc# sudo /usr/sbin/update-rc.d -f resin defaults

13. Change the resin configuration to allow resin-admin to be reached from outside. Edit /usr/local/app/resin/conf/resin.xml, find
<resin:set var="resin_admin_external" value="false"/>
and change it to:
<resin:set var="resin_admin_external" value="true"/>
Save resin.xml and restart resin.
root@618119.com:/usr/local/app/resin/conf# /usr/local/app/resin/bin/resin.sh restart
(With this set, the admin console, which gives deploy and JMX access to the server, is reachable by anyone who can reach port 8080, and over plain HTTP the password below crosses the network in the clear. Limiting the port at the firewall to known addresses, or leaving the value at false and reaching the console through an SSH tunnel to localhost, keeps the same functionality without the exposure.)

14. Open http://618119.com:8080/resin-admin/. Because this is the first visit, an account and password can be generated.
The username here is resinadmin and the password 618119.com (it must be something that is not easy to guess; a password that is just the site's own domain name, as here, does not qualify and is only a placeholder); Realm stays resin.
Click "Create Configuration File" to submit; the generated file is /usr/local/app/resin/conf/admin-users.xml.generated
15. Rename the generated file to admin-users.xml:
root@618119.com:/usr/local/app/resin/conf# mv admin-users.xml.generated  admin-users.xml
Resin then reloads it automatically.
16. Open http://localhost:8080/resin-admin/ again, enter the account and password just created, and after logging in the server status is shown.

Next, configure JMX management access from outside.
Because the JDK's JMX management port cannot be bound to a specific IP at startup and listens on all addresses by default, a JMX port opened on the public internet must have a JMX username and password set:
Steps:
Create the JMX access control files under /usr/local/app/resin/conf:
1. Copy the JDK's JMX account and password file templates into resin's conf directory:
root@618119.com:/usr/local/app/resin/conf# cp /usr/local/app/jdk1.6.0_21/jre/lib/management/jmxremote.* /usr/local/app/resin/conf
Check the files:
root@618119.com:/usr/local/app/resin/conf# ls -alh jmxremote.*
-rw-r--r-- 1 root root 4.0K Oct 23 14:49 jmxremote.access
-r--r--r-- 1 root root 2.8K Oct 23 14:49 jmxremote.password.template
2. In /usr/local/app/resin/conf rename jmxremote.password.template to jmxremote.password:
root@618119.com:/usr/local/app/resin/conf# mv jmxremote.password.template  jmxremote.password
3. Make the password file writable:
root@618119.com:/usr/local/app/resin/conf# chmod +w jmxremote.password
Check the files:
root@618119.com:/usr/local/app/resin/conf# ls -alh jmxremote.*
-rw-r--r-- 1 root root 4.0K Oct 23 14:49 jmxremote.access
-rw-r--r-- 1 root root 2.8K Oct 23 14:49 jmxremote.password
4. Append an account with read-write rights to the JMX access control file; the account name is resinjmx
root@618119.com:/usr/local/app/resin/conf# echo "resinjmx         readwrite" >> jmxremote.access
Check that the account was added:
root@618119.com:/usr/local/app/resin/conf# tail jmxremote.access
# Default access control entries:
# o The "monitorRole" role has readonly access.
# o The "controlRole" role has readwrite access and can create the standard
#   Timer and Monitor MBeans defined by the JMX API.

monitorRole   readonly
controlRole   readwrite \
create javax.management.monitor.*,javax.management.timer.* \
unregister
resinjmx         readwrite
5. Append the password for the resinjmx account to the JMX password file: 618119
root@618119.com:/usr/local/app/resin/conf# echo "resinjmx 618119" >> jmxremote.password
(Passing the password on the command line like this leaves it in the shell history; editing the file with vi avoids that. A readwrite JMX account can invoke any operation on every registered MBean, the server's own management MBeans included, so this password deserves the strength of a root password; 618119 here is only a placeholder.)
Check that the password entry was added:
root@618119.com:/usr/local/app/resin/conf# tail jmxremote.password
# or specify another, less accessible file in the management config file
# as described above.
#
# Following are two commented-out entries.  The "measureRole" role has
# password "QED".  The "controlRole" role has password "R&D".
#
# monitorRole  QED
# controlRole   R&D

resinjmx 618119

6. Change the permissions on jmxremote.* so that only the user that starts resin can read and write them:
root@618119.com:/usr/local/app/resin/conf# chmod 600 jmxremote.access
root@618119.com:/usr/local/app/resin/conf# chmod 600 jmxremote.password
root@618119.com:/usr/local/app/resin/conf# ls -alh jmxremote.*
-rw------- 1 root root 4.0K Oct 23 14:54 jmxremote.access
-rw------- 1 root root 2.9K Oct 23 14:57 jmxremote.password
(If the permissions are not set correctly, starting a resin that uses jmx writes this error to jvm-default.log:
Error: Password file read access must be restricted: /usr/local/app/resin//conf/jmxremote.password; see http://www.opennms.org/wiki/Tomcat_6_JMX_How-To
The files must also be owned by the user the JVM runs as: if Resin runs as www-data, root-owned 600 files are unreadable to it, so chown them as well.)
7. Configure resin.xml in /usr/local/app/resin/conf
Add the following startup arguments under the <server-default> node and save resin.xml
<!--
Run hostname -i on the remote server; if it prints 127.0.0.1, the line below is needed to set the hostname to the public IP
<jvm-arg>-Djava.rmi.server.hostname=75.126.115.214</jvm-arg>
java.rmi.server.hostname=127.0.0.1 definitely does not work for this setting; that was the detour taken here:
root@618119.com:/usr/local/app/resin/log# hostname -i
75.126.115.214
-->
<jvm-arg>-Dcom.sun.management.jmxremote.port=50000</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote.ssl=false</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote.authenticate=true</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote.password.file=${resin.root}/conf/jmxremote.password</jvm-arg>
<jvm-arg>-Dcom.sun.management.jmxremote.access.file=${resin.root}/conf/jmxremote.access</jvm-arg>
With jmxremote.ssl=false the RMI connection, the credentials it carries and every MBean call cross the internet unencrypted, so authenticate=true protects against password guessing but not against anyone on the path. On a public VPS either turn SSL on (jmxremote.ssl=true plus a keystore via javax.net.ssl.keyStore) or firewall port 50000 and connect through an SSH tunnel. Note also that on JDK 6 only the RMI registry sits on 50000; the RMI server object is exported on a second, random port, so a firewall rule for 50000 alone is not enough to let a remote jconsole in.
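As an added example, not the JDK's or Resin's own code, the shell functions below check a jmxremote.access / jmxremote.password pair the way the JVM does at startup (mode 600) and for two things the JVM does not check: that every user who has a password is also granted a role, and that none of the sample passwords shipped commented out in jmxremote.password.template has been uncommented. The two demo pairs it writes to a temporary directory are constructed to mirror the files above, with CHANGE-ME as a placeholder password.

```shell
#!/bin/sh
# Added example, not part of the JDK, Resin or the original post.

# Group and other permission bits from ls -l, e.g. "------" or "r--r--".
go_bits() {                        # usage: go_bits <file>
    ls -ld "$1" | cut -c5-10
}

# First field of every non-comment entry, joining backslash-continued lines
# (the access file's controlRole entry spans three lines).
jmx_names() {                      # usage: jmx_names <file>
    awk '
        /^[[:space:]]*#/ { next }
        cont { cont = ($0 ~ /\\$/); next }   # still inside the previous entry
        { cont = ($0 ~ /\\$/) }
        NF >= 2 { print $1 }
    ' "$1"
}

# Print one line per finding; return value = number of findings (0 = clean).
check_jmx_files() {                # usage: check_jmx_files <access_file> <password_file>
    acc=$1; pw=$2; n=0
    for f in "$acc" "$pw"; do
        if [ "$(go_bits "$f")" != "------" ]; then
            echo "$f: mode allows group/other access ($(go_bits "$f")); chmod 600, or the JVM refuses to start"
            n=$((n + 1))
        fi
    done
    # a password without a role can authenticate but every call is then denied: a dangling credential
    for user in $(jmx_names "$pw"); do
        if ! jmx_names "$acc" | grep -qx "$user"; then
            echo "$pw: '$user' has a password but no entry in $acc"
            n=$((n + 1))
        fi
    done
    # QED and R&D are the sample passwords shipped commented out in jmxremote.password.template
    if awk '/^[[:space:]]*#/ { next } $2 == "QED" || $2 == "R&D" { hit = 1 } END { exit !hit }' "$pw"; then
        echo "$pw: a JDK template password (QED or R&D) is active"
        n=$((n + 1))
    fi
    return $n
}

# Constructed pair mirroring this post, with the file mode given as <mode>.
write_demo_jmx() {                 # usage: dir=$(write_demo_jmx <mode> [extra password line])
    d=$(mktemp -d)
    cat > "$d/jmxremote.access" <<'EOF'
monitorRole   readonly
controlRole   readwrite \
create javax.management.monitor.*,javax.management.timer.* \
unregister
resinjmx         readwrite
EOF
    {
        echo '# monitorRole  QED'
        echo 'resinjmx CHANGE-ME'            # placeholder, not a real password
        if [ -n "$2" ]; then echo "$2"; fi
    } > "$d/jmxremote.password"
    chmod "$1" "$d/jmxremote.access" "$d/jmxremote.password"
    echo "$d"
}

good=$(write_demo_jmx 600)
check_jmx_files "$good/jmxremote.access" "$good/jmxremote.password" && echo "ok: $good"
bad=$(write_demo_jmx 644 'measureRole R&D')
check_jmx_files "$bad/jmxremote.access" "$bad/jmxremote.password" || echo "$? finding(s) in $bad"
# against the real files: check_jmx_files /usr/local/app/resin/conf/jmxremote.access /usr/local/app/resin/conf/jmxremote.password
```

Running the check before `resin.sh start` turns the JVM's terse "Password file read access must be restricted" into a list of what to fix, and catches the dangling-user and template-password cases the JVM silently accepts.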

8. Restart resin:
root@618119.com:/usr/local/app/resin/conf# /usr/local/app/resin/bin/resin.sh shutdown
Resin/4.0.12 shutdown watchdog at 127.0.0.1:6600
root@618119.com:/usr/local/app/resin/conf# /usr/local/app/resin/bin/resin.sh start
Resin/4.0.12 launching watchdog at 127.0.0.1:6600
Resin/4.0.12 started -server " for watchdog at 127.0.0.1:6600

9. On the local machine run /usr/local/app/jdk1.6.0_21/bin/jconsole and enter 618119.com:50000 as the remote process,
click "Connect": it reports that the connection failed.
Try again with resinjmx as the user name and the password written to jmxremote.password in step 5.
The connection succeeds.

Other settings in resin.xml:
1. resin 4.0 opens an https port on 8443 by default; the following lines in resin.xml can be commented out to turn https off:

<http address="127.0.0.1" port="8443">
<jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
(As shipped it is bound to 127.0.0.1 with a self-signed certificate, so it is not reachable from outside in the first place.)
2. resin 4.0's resin.xml no longer declares stdout and stderr explicitly;
stdout, stderr and the access log can be configured to roll over daily:
<stdout-log path-format="log/stdout.log.%Y%m%d"
timestamp="%Y-%m-%d %H:%M:%S"
rollover-period="1D"/>
<stderr-log path-format="log/stderr.log.%Y%m%d"
timestamp="%Y-%m-%d %H:%M:%S"
rollover-period="1D"/>
<access-log path-format="log/access.log.%Y%m%d"
format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" "%{X-Real-IP}i"'
rollover-period="1D"/>
stdout-log and stderr-log go under the resin element.
Reference: http://618119.com/archives/2009/02/18/135.html

3. Further JVM startup parameters:
<!-- start the JVM in server mode -->
<jvm-arg>-server</jvm-arg>
<!-- default file encoding UTF-8 -->
<jvm-arg>-Dfile.encoding=UTF-8</jvm-arg>
<!-- print log4j's own debugging output -->
<jvm-arg>-Dlog4j.debug=true</jvm-arg>
<!-- default language English -->
<jvm-arg>-Duser.language=en</jvm-arg>
<!-- enable gc logging -->
<jvm-arg>-verbose:gc</jvm-arg>
<!-- path of the gc log -->
<jvm-arg>-Xloggc:${resin.root}/log/gc.log</jvm-arg>
<!-- gc log with details -->
<jvm-arg>-XX:+PrintGCDetails</jvm-arg>
<!-- gc log with timestamps -->
<jvm-arg>-XX:+PrintGCTimeStamps</jvm-arg>

4. Configure a wildcard virtual host (send every request for *.lizongbo.com to one webapp):

<host id="lizongbo.com" root-directory="/usr/local/app/resin/vhost/lizongbo.com">
<host-alias-regexp>^([^/]*).lizongbo.com</host-alias-regexp>
<web-app id="/" root-directory="webapps/ROOT"/>
</host>

(host-alias-regexp is compiled with java's Pattern.compile(name, Pattern.CASE_INSENSITIVE), so it is a standard java regex. The unescaped dots match any character and the end is not anchored, so the pattern is looser than intended; ^([^/]*)\.lizongbo\.com$ is the strict form.

lizongbo.com was only just registered, so it permanently redirects (301) to http://618119.com

index.jsp:
<?xml version="1.0" encoding="UTF-8"?>
<%@page contentType="text/html; charset=UTF-8" language="java"
pageEncoding="UTF-8"%>
<%@ page import="java.util.*" session="false"%>
<%
String goURL="http://618119.com/";
response.setHeader("Location", goURL);
response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
%>)

5. ps aux|grep java shows the command line of the resin process that is finally started:
/usr/local/app/jdk1.6.0_21/bin/java -server -Dfile.encoding=UTF-8 -Dcom.sun.management.jmxremote.port=50000 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/usr/local/app/resin//conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/usr/local/app/resin//conf/jmxremote.access -Dlog4j.debug=true -Duser.language=en -verbose:gc -Xloggc:/usr/local/app/resin//log/gc.log -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -Dresin.server=1 -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djava.system.class.loader=com.caucho.loader.SystemClassLoader -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl -Djava.awt.headless=true -Dresin.home=/usr/local/app/resin/ -Xss1m -Xmx256m -Dresin.watchdog= -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl -Djava.awt.headless=true -Dresin.home=/usr/local/app/resin/ -Dresin.root=/usr/local/app/resin/ -Dresin.watchdog= -Djava.util.logging.manager=com.caucho.log.LogManagerImpl -Djavax.management.builder.initial=com.caucho.jmx.MBeanServerBuilderImpl -Djava.awt.headless=true -Dresin.home=/usr/local/app/resin/ -Dresin.root=/usr/local/app/resin/ com.caucho.server.resin.Resin --root-directory /usr/local/app/resin/ -conf /usr/local/app/resin/conf/resin.xml -socketwait 37260 start --log-directory /usr/local/app/resin/log

22 October 2010

Compiling, installing and configuring nginx 0.8.52 on Ubuntu Server 10.04 LTS

Filed under: Linux, nginx, SSL — lizongbo @ 13:37

The operating system is Linode's Ubuntu Server 10.04 LTS.
The latest nginx release is 0.8.52:
http://nginx.org/download/nginx-0.8.52.tar.gz
Source: http://nginx.org/en/download.html
The PCRE library nginx depends on, latest version 8.10:
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.gz
Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
OpenSSL, latest version 1.0.0a:
http://www.openssl.org/source/openssl-1.0.0a.tar.gz
Source: http://www.openssl.org/source/
zlib, latest version 1.2.5:
http://zlib.net/zlib-1.2.5.tar.gz
Create an app directory under /usr/local; every application is installed and configured under it:
root@618119.com:/usr/local# sudo mkdir app
root@618119.com:/usr/local# cd ./app
Then download the sources:
root@618119.com:/usr/local/app# wget http://nginx.org/download/nginx-0.8.52.tar.gz
root@618119.com:/usr/local/app# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.10.tar.gz
root@618119.com:/usr/local/app# wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
root@618119.com:/usr/local/app# wget http://zlib.net/zlib-1.2.5.tar.gz
All four archives arrive over plain HTTP or FTP and are about to be compiled and installed as root, so check each against the publisher's PGP signature (nginx and OpenSSL both publish a .asc file next to the tarball) or published digest before unpacking.
Unpack the archives:
root@618119.com:/usr/local/app# tar -zxvf nginx*
root@618119.com:/usr/local/app# tar -zxvf pcre*
root@618119.com:/usr/local/app# tar -zxvf openssl*
root@618119.com:/usr/local/app# tar -zxvf zlib*
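As an added example, not part of the original post, the shell functions below verify a downloaded archive against a published SHA-256 digest and refuse to unpack it otherwise, using whichever digest tool the machine has (GNU sha256sum, as on Ubuntu, or BSD shasum). The sample file they check is constructed (the text "hello" with a newline, whose digest is well known); for a real download the expected value comes from the publisher's digest file, and a PGP signature checked with gpg --verify is the stronger alternative when one is published.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Lowercase hex SHA-256 of a file, with GNU sha256sum or BSD shasum.
sha256_of() {                      # usage: sha256_of <file>
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# 0 when the file's digest equals <expected> (case-insensitive), 1 otherwise.
verify_download() {                # usage: verify_download <file> <expected_sha256>
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1: expected $expected, got $actual" >&2
    return 1
}

# Unpack only after the digest matched, so a tampered tarball is never
# extracted, let alone compiled and installed as root.
verify_and_unpack() {              # usage: verify_and_unpack <tarball> <expected_sha256>
    verify_download "$1" "$2" && tar -zxf "$1"
}

# Constructed sample: the content "hello\n" has this well-known digest.
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
write_sample_file() {              # prints the path of the sample file
    f=$(mktemp)
    printf 'hello\n' > "$f"
    echo "$f"
}

sample=$(write_sample_file)
verify_download "$sample" "$SAMPLE_SHA256"
verify_download "$sample" 0000000000000000000000000000000000000000000000000000000000000000 || echo "rejected, as it should be"
# real use: verify_and_unpack openssl-1.0.0a.tar.gz "$(cut -d' ' -f1 openssl-1.0.0a.tar.gz.sha256)"
```

Fetch the digest or signature file from the project's own site over a separate connection, not from the same mirror directory as the tarball, otherwise an attacker who can replace one can replace both.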
Since gcc and the rest of the toolchain are missing, first run:
root@618119.com:/usr/local/app# apt-get install gcc libc6-dev build-essential
Enter the directory nginx was unpacked into:
root@618119.com:/usr/local/app# cd nginx-*
Run configure with nginx's install directory set to /usr/local/app/nginx.
with-http_stub_status_module enables stub_status monitoring.
root@618119.com:/usr/local/app/nginx-0.8.52#  ./configure --prefix=/usr/local/app/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre=/usr/local/app/pcre-8.10 --with-openssl=/usr/local/app/openssl-1.0.0a --with-zlib=/usr/local/app/zlib-1.2.5
(Passing the OpenSSL, PCRE and zlib source trees to configure compiles them statically into the nginx binary, so a security fix in any of them, OpenSSL above all, means repeating this build; Ubuntu's libssl updates do not reach this nginx.)
Then run make to compile:
root@618119.com:/usr/local/app/nginx-0.8.52# make
Then run make install:
root@618119.com:/usr/local/app/nginx-0.8.52# make install

The nginx user and group still have to be added (starting without them gives [emerg]: getpwnam("nginx") failed):
root@618119.com:/usr/local/app/nginx# sudo adduser --system --no-create-home --disabled-login --disabled-password --group nginx
Go into nginx's sbin directory and check the configuration file with -t:
root@618119.com:/usr/local/app/nginx# cd sbin/
root@618119.com:/usr/local/app/nginx/sbin# sudo ./nginx -t
the configuration file /usr/local/app/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/app/nginx/conf/nginx.conf test is successful

That completes the nginx 0.8.52 installation on the linode VPS.
root@618119.com:/usr/local/app/nginx/sbin# ./nginx
[emerg]: bind() to 0.0.0.0:80 failed (13: Permission denied)
root@618119.com:/usr/local/app/nginx/sbin# sudo ./nginx
(Started without root it fails with [emerg]: bind() to 0.0.0.0:80 failed (13: Permission denied), because binding a port below 1024 needs root. Only the master process keeps root, and only for that; the worker processes that handle requests run as the nginx user given with --user at configure time.)
After a successful start, http on port 80 shows Welcome to nginx!

Next, write the init script that runs nginx as a system service, following http://articles.slicehost.com/2007/10/17/ubuntu-lts-adding-an-nginx-init-script (the pid file path below, logs/nginx.pid under the prefix, is nginx's default for this --prefix):
#! /bin/sh

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/app/nginx/sbin/nginx
NAME=nginx
DESC=nginx
PIDFILE=/usr/local/app/nginx/logs/$NAME.pid

test -x $DAEMON || exit 0

# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
    . /etc/default/nginx
fi

set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
    ;;
  restart|force-reload)
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  reload)
    # HUP makes the master re-read nginx.conf and start new workers without dropping connections
    echo -n "Reloading $DESC configuration: "
    start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

Then run sudo /usr/sbin/update-rc.d -f nginx defaults to install nginx as a default service.

With that, nginx also starts automatically after the Ubuntu VPS is rebooted from linode.
