May 17
Goal: whenever a user creates, modifies or deletes directories or files inside a directory on a local client, or changes their attributes, running the same shell script makes rsync find the changed or deleted data automatically and transfer it to the server, so that a directory on the server stays identical to the directory on the local client.
★Method 1:
I. Server side (e.g. 10.0.0.1*):
1. Create the user and group
groupadd www -g 48
useradd -u 48 -g www www
mkdir -p /opt/htdocs
chmod +w /opt/htdocs
chown www:www /opt/htdocs
2. Edit the rsync configuration file
vi /etc/rsyncd.conf
Enter the following:
uid=www
gid=www
max connections=10
use chroot=no
log file=/var/log/rsyncd.log
pid file=/var/run/rsyncd.pid
lock file=/var/run/rsyncd.lock
[zhangyan]
path=/opt/htdocs
comment = my htdocs
ignore errors
read only = no
hosts allow=10.0.0.21 10.0.0.22
3. Start the rsync server
/usr/bin/rsync --daemon
II. Client side (e.g. 10.0.0.21 and 10.0.0.22):
1. Create a shell script push.sh
vi push.sh
Enter the following (10.0.0.1* are the target servers to push to; zhangyan is the module name from the server's rsyncd.conf):
#!/bin/sh
# Push the directory given as the first argument to every server's "zhangyan" module
/usr/bin/rsync -vzrtopg --delete "$1" 10.0.0.10::zhangyan/
/usr/bin/rsync -vzrtopg --delete "$1" 10.0.0.11::zhangyan/
/usr/bin/rsync -vzrtopg --delete "$1" 10.0.0.16::zhangyan/
/usr/bin/rsync -vzrtopg --delete "$1" 10.0.0.19::zhangyan/
Note: because the transfer happens inside an internal LAN, no password is set here.
2. Make push.sh executable
chmod +x ./push.sh
3. Push the files in a client directory (e.g. /home/zhanguan/abc) to the server's /opt/htdocs directory:
./push.sh /home/zhanguan/abc/
Note: do not forget the / after abc. If the changed files are large, you can append a space and & to the command above so that it runs in the background. Example:
./push.sh /home/zhanguan/abc/ &
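A stricter push.sh, added here as an example (not the script from the post): it enforces the trailing slash that the note above insists on, pushes to the same four servers and module name as the script above (assumed from it), and reports which hosts failed instead of stopping at the first one. With RSYNC_DRY_RUN=1 it only prints the commands.

```sh
#!/bin/sh
# Stricter push.sh (added example). Assumes the module name "zhangyan" and the
# four target servers from the original script.
set -eu

MODULE="zhangyan"
SERVERS="10.0.0.10 10.0.0.11 10.0.0.16 10.0.0.19"
RSYNC="/usr/bin/rsync"

# Succeed only if the argument is an existing directory whose path ends in "/".
# With the slash rsync sends the *contents* of the directory; without it rsync
# sends the directory itself, so "--delete" would remove everything under the
# module path and leave a single "abc" subdirectory behind.
check_src() {
    case $1 in
        */) ;;
        *)  echo "push.sh: source '$1' must end with '/'" >&2; return 1 ;;
    esac
    [ -d "$1" ] || { echo "push.sh: '$1' is not a directory" >&2; return 1; }
}

# Print the exact rsync command line used for one server, so it can be reviewed.
build_cmd() {
    printf '%s\n' "$RSYNC -vzrtopg --delete $2 $1::$MODULE/"
}

# Push SRC to every server. One failed server does not stop the others, but
# the function returns 1 and names the hosts that did not receive the data.
push_all() {
    src=$1
    check_src "$src" || return 1
    failed=""
    for server in $SERVERS; do
        if [ "${RSYNC_DRY_RUN:-0}" = 1 ]; then
            echo "dry-run: $(build_cmd "$server" "$src")"
        elif ! "$RSYNC" -vzrtopg --delete "$src" "$server::$MODULE/"; then
            failed="$failed $server"
        fi
    done
    if [ -n "$failed" ]; then
        echo "push.sh: failed for:$failed" >&2
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    push_all "$1"
fi
```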
★Method 2:
I. Server side (e.g. 10.0.0.1*):
1. Create the user and group
groupadd www -g 48
useradd -u 48 -g www www
mkdir -p /opt/htdocs
chmod +w /opt/htdocs
chown www:www /opt/htdocs
passwd www
Set a password for the www user.
II. Client side:
1. Push the files in a client directory (e.g. /home/zhanguan/abc) to the server's /opt/htdocs directory:
/usr/bin/rsync -vzrtopg --delete /home/zhanguan/abc/ -e ssh [email protected]:/opt/htdocs/
Enter the password and press Enter; the rsync daemon does not need to be running on the server.
Source: http://blog.s135.com/post/265/
May 17
[Author: Zhang Yan  Version: v1.0  Last modified: 2007.06.28  Please credit the source when reposting: http://blog.s135.com]
Economics has the well-known 80-20 rule; applied to programming it reads: 80% of the performance bottlenecks are caused by 20% of the code. With PHP's XDebug extension that 20% of the code can be located efficiently.
I. Installation and configuration
1. Download the XDebug extension for PHP from http://xdebug.org/
2. Build and install XDebug on Linux
tar -xzf xdebug-2.0.0RC3.gz
cd xdebug-2.0.0RC3
/usr/local/php/bin/phpize
./configure --enable-xdebug
make
cp modules/xdebug.so /usr/local/php/lib/php/extensions/no-debug-non-zts-20020429/
Note: the path /usr/local/php/lib/php/extensions/no-debug-non-zts-20020429/ differs between PHP versions, and xdebug.so does not have to be placed there; the location of xdebug.so can be given explicitly in zend_extension_ts.
vi /usr/local/php/lib/php.ini
Edit php.ini: remove the PHP accelerator module and add the following settings to enable the XDebug extension
[Xdebug]
zend_extension_ts="/usr/local/php/lib/php/extensions/no-debug-non-zts-20020429/xdebug.so"
xdebug.profiler_enable=on
xdebug.trace_output_dir="/tmp/xdebug"
xdebug.profiler_output_dir="/tmp/xdebug"
xdebug.profiler_output_name="script"
mkdir -p /tmp/xdebug
chmod 755 /tmp/xdebug
chown www:www /tmp/xdebug
/usr/local/apache/bin/apachectl -k restart
3. Client (Windows): WinCacheGrind
Download: http://sourceforge.net/projects/wincachegrind/
II. Analysis procedure
1. Visit your site and click through the links on the home page a few times; XDebug writes the following files into /tmp/xdebug:
usr_local_apache_htdocs_app_checknum_chknum_php_cachegrind.out
usr_local_apache_htdocs_app_login_showHeaderLogin_php_cachegrind.out
usr_local_apache_htdocs_app_play_play_php_cachegrind.out
usr_local_apache_htdocs_app_user_member_php_cachegrind.out
usr_local_apache_htdocs_tag_tags_php_cachegrind.out
usr_local_apache_htdocs_top_top_php_cachegrind.out
2. Copy the files above to Windows and open each one with WinCacheGrind; the PHP script that takes the longest to execute turns out to be:
/usr/local/apache/htdocs/tag/tags.php, 840 ms
III. Analysis results:
1. /usr/local/apache/htdocs/tag/tags.php
(1) The most expensive call, filter_tags, is at line 158 of /usr/local/apache/htdocs/tag/tags.php:
$tags .= filter_tags($videos[$i]['tags'])." ";
(2) filter_tags comes from /usr/local/apache/htdocs/include/misc.php. getForbiddenTags is called 21 times by filter_tags, and most of the time spent in filter_tags is due to getForbiddenTags. The body of getForbiddenTags is:
function getForbiddenTags()
{
    // Text file holding the forbidden keywords, one "key=value" entry per line
    $tagsPath = TEMPLATE_FILE_PATH."tags/forbidden_tags.txt";
    $arrconf = array();
    if (file_exists($tagsPath))
    {
        $fp = fopen($tagsPath, "r");
        if ($fp)
        {
            // Read line by line; every line is trimmed several times, which is
            // where the trim() call count reported by XDebug comes from
            while (!feof($fp))
            {
                $line = fgets($fp, 1024);
                $line = trim($line);
                $rows = explode("#", $line);             // drop a trailing "#" comment
                $columns = explode("=", trim($rows[0]));  // split key=value
                if ("" != trim($columns[0]))
                {
                    $arrconf[trim($columns[0])] = isset($columns[1]) ? trim($columns[1]) : "";
                }
            }
            fclose($fp);
        }
    }
    return $arrconf;
}
(4) Analysing getForbiddenTags shows that the PHP function trim is called 16827 times inside it.
(5) Likely causes of the bottleneck:
The 156 keywords to filter are stored one per line in /usr/local/apache/template/tags/forbidden_tags.txt; a text file used as a database is not efficient.
The line-by-line reading function fgets, and trim, which strips whitespace or the given characters from both ends of a string, perform poorly under high load; file-reading functions such as fopen, fread and fscanf could be tested and compared.
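The same ranking that WinCacheGrind gives can be produced on the server from the /tmp/xdebug files, as an added example (not part of the original post): the awk script below sums each function's self time from an Xdebug cachegrind file and lists the most expensive functions first. It assumes the uncompressed fn=name headers that Xdebug 2.0 writes, and embeds a small constructed profile to run against.

```sh
#!/bin/sh
# Rank functions in an Xdebug cachegrind profile by self time (added example).
set -eu

# Print "self_cost calls function" for every function in the profile $1,
# most expensive first. In the cachegrind format each invocation starts with
# an "fn=" header, its own cost lines are "line cost", and a cost line that
# directly follows "calls=" is the inclusive cost of a call to another
# function, which belongs to the callee and is therefore skipped here.
self_cost_report() {
    awk '
        /^fn=/      { fn = substr($0, 4); calls[fn]++; next }
        /^calls=/   { inclusive = 1; next }
        /^[0-9]+ [0-9]+( [0-9]+)*$/ {
            if (inclusive) { inclusive = 0 } else { self[fn] += $2 }
            next
        }
        END { for (f in self) printf "%d %d %s\n", self[f], calls[f], f }
    ' "$1" | sort -k1,1nr
}

# The N most expensive functions by self time.
top_n() {
    self_cost_report "$1" | head -n "$2"
}

# Constructed profile in the shape Xdebug 2.0 writes, mirroring the post:
# {main} calls getForbiddenTags once, which calls trim twice.
write_sample_profile() {
    cat > "$1" <<'EOF'
version: 0.9.6
cmd: /usr/local/apache/htdocs/tag/tags.php
part: 1

events: Time

fl=/usr/local/apache/htdocs/include/misc.php
fn=php::trim
5 3

fl=/usr/local/apache/htdocs/include/misc.php
fn=php::trim
5 4

fl=/usr/local/apache/htdocs/include/misc.php
fn=getForbiddenTags
3 50
cfl=/usr/local/apache/htdocs/include/misc.php
cfn=php::trim
calls=1 0 0
5 3
cfl=/usr/local/apache/htdocs/include/misc.php
cfn=php::trim
calls=1 0 0
5 4

fl=/usr/local/apache/htdocs/tag/tags.php
fn={main}

summary: 97

0 40
cfl=/usr/local/apache/htdocs/include/misc.php
cfn=getForbiddenTags
calls=1 0 0
3 57
EOF
}
```

Running `write_sample_profile /tmp/sample.out; top_n /tmp/sample.out 3` lists getForbiddenTags, {main} and php::trim in that order.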
May 17
1. Install Apache beforehand
2. Commands to install awstats (awstats is installed into /opt/awstats)
mkdir -p /var/lib/awstats
cd /opt
wget http://www.awstats.cn/files/awstats-6.6.tar.gz
tar zxvf awstats-6.6.tar.gz
mv awstats-6.6 awstats
cd awstats/tools/
perl awstats_configure.pl
3. The installation dialogue of the Perl script awstats_configure.pl (the text below is quoted from the English AWStats manual)
(1)
-----> Running OS detected: Linux, BSD or Unix
Warning: AWStats standard directory on Linux OS is '/usr/local/awstats'.
If you want to use standard directory, you should first move all content
of AWStats distribution from current directory:
/opt/awstats
to standard directory:
/usr/local/awstats
And then, run configure.pl from this location.
Do you want to continue setup from this NON standard directory [yN] ?
Choose y and press Enter.
(2)
-----> Check for web server install
Enter full config file path of your Web server.
Example: /etc/httpd/httpd.conf
Example: /usr/local/apache2/conf/httpd.conf
Example: c:\Program files\apache group\apache\conf\httpd.conf
Config file path ('none' to skip web server setup):
On first use, enter the path of Apache's httpd.conf, e.g. /opt/sina/apache/conf/httpd.conf
If you later run perl awstats_configure.pl again to generate another configuration file, you can enter none to skip this step.
(3)
-----> Check and complete web server config file '/opt/sina/apache/conf/httpd.conf'
Warning: You Apache config file contains directives to write 'common' log files
This means that some features can't work (os, browsers and keywords detection).
Do you want me to setup Apache to write 'combined' log files [y/N] ?
Choose y; the log format is changed from CustomLog /yourlogpath/yourlogfile common to the more detailed CustomLog /yourlogpath/yourlogfile combined
(4)
-----> Update model config file '/opt/awstats/wwwroot/cgi-bin/awstats.model.conf'
File awstats.model.conf updated.
-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile
file (required if first install) [y/N] ?
Create a new configuration file: choose y
(5)
-----> Define config file name to create
What is the name of your web site or profile analysis ?
Example: www.mysite.com
Example: demo
Your web site, virtual server or profile name:
>
Enter the site name, e.g. sina
(6)
-----> Define config file path
In which directory do you plan to store your config file(s) ?
Default: /etc/awstats
Directory path to store config file(s) (Enter for default):
>
Enter the directory for the AWStats configuration files; normally just press Enter to use the default, /etc/awstats
(7)
-----> Add update process inside a scheduler
Sorry, configure.pl does not support automatic add to cron yet.
You can do it manually by adding the following command to your cron:
/opt/awstats/wwwroot/cgi-bin/awstats.pl -update -config=sina
Or if you have several config files and prefer having only one command:
/opt/awstats/tools/awstats_updateall.pl now
Press ENTER to continue...
Press Enter to continue
(8)
A SIMPLE config file has been created: /opt/awstats/etc/awstats.sina.conf
You should have a look inside to check and change manually main parameters.
You can then manually update your statistics for 'sina' with command:
> perl awstats.pl -update -config=sina
You can also read your statistics for 'sina' with URL:
> http://localhost/awstats/awstats.pl?config=sina
Press ENTER to finish...
Press Enter to finish
4. Edit the awstats.sina.conf configuration
vi /etc/awstats/awstats.sina.conf
Press ? and type the search string LogFile="
Then press Ins and locate LogFile="/var/log/httpd/access_log"
Change it to the path and file name of the Apache log to analyse.
(1) Merging several logs into one analysis (example: the 6 February logs 30.0206.vblog.log and 31.0206.vblog.log from two of the Sina Vblog servers)
LogFile="/opt/awstats/tools/logresolvemerge.pl /var/apachelogs/30.0206.vblog.log /var/apachelogs/31.0206.vblog.log|"
or
LogFile="/opt/awstats/tools/logresolvemerge.pl /var/apachelogs/*.0206.vblog.log|"
(2) Analysing gzip-compressed log files
LogFile="gzip -d
5. Update the report
perl /opt/awstats/wwwroot/cgi-bin/awstats.pl -config=sina -update
If the following error appears, the Apache log file most likely still contains lines written earlier by CustomLog /yourlogpath/yourlogfile common; delete those lines:
This means each line in your web server log file need to have "combined log format" like this:
111.22.33.44 - - [10/Jan/2001:02:14:14 +0200] "GET / HTTP/1.1" 200 1234 "http://www.fromserver.com/from.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
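A filter for exactly this situation, added here as an example (not part of the original post): it keeps the lines that are in Apache's combined format and moves every other line, such as the older common-format records, into a separate file for inspection. The sample log it writes is constructed; its first record is the example line quoted above.

```sh
#!/bin/sh
# Split an Apache access log into combined-format lines and the rest (added example).
set -eu

# Write the lines of LOG ($1) that are in combined format to KEEP ($2) and every
# other line (old common-format records, truncated lines) to DROP ($3), then
# print "kept N dropped M". A combined line is
#   host ident user [time] "request" status bytes "referer" "user-agent"
split_log() {
    awk -v keep="$2" -v drop="$3" '
        /^[^ ]+ [^ ]+ [^ ]+ \[[^]]+\] "[^"]*" [0-9][0-9][0-9] (-|[0-9]+) "[^"]*" "[^"]*"$/ {
            print > keep; kept++; next
        }
        { print > drop; dropped++ }
        END { printf "kept %d dropped %d\n", kept + 0, dropped + 0 }
    ' "$1"
}

# Constructed sample: one combined record (the one quoted in the post), one
# common-format record, and one combined record with "-" for bytes and referer.
write_sample_log() {
    cat > "$1" <<'EOF'
111.22.33.44 - - [10/Jan/2001:02:14:14 +0200] "GET / HTTP/1.1" 200 1234 "http://www.fromserver.com/from.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.21 - - [06/Feb/2007:10:00:01 +0800] "GET /tag/tags.php HTTP/1.0" 200 5120
10.0.0.22 - - [06/Feb/2007:10:00:02 +0800] "GET /top/top.php HTTP/1.1" 304 - "-" "Mozilla/5.0"
EOF
}
```

Point awstats at the KEEP file (or at a pipe producing it) and review the DROP file before discarding it.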
6. View the report
http://localhost/awstats/awstats.pl?config=sina
The sina here corresponds to the sina in /etc/awstats/awstats.sina.conf
Appendix:
(1) Reference: AWStats logfile analyzer 6.6 Documentation -- AWStats Installation, Configuration and Reporting (http://www.awstats.cn/docs/awstats_setup.html)
(2) Test environment: verified on a DELL PowerEdge 2950 server running CentOS 4.4 Linux with Apache 2.0.59.
May 17
Required packages:
1. Install the encryption package
[root@localhost ~]#rpm -ivh lzo-2.02-3.el5.kb.i386.rpm
2. Install openvpn
[root@localhost ~]#rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.i386.rpm
3. Copy the directory used to generate certificates and keys
[root@localhost ~]#cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/
4. Copy the sample configuration file
[root@localhost ~]#cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
5. Generate the certificates and keys
(1) Initialise the PKI
[root@localhost ~]# cd /etc/openvpn/2.0/
[root@localhost 2.0]# vi vars
Change the following entries
export KEY_COUNTRY="CN"   (note: country)
export KEY_PROVINCE="SX"   (note: province)
export KEY_CITY="XA"   (note: city)
export KEY_ORG="VPN-TEST"   (note: company name)
export KEY_EMAIL="[email protected]"   (note: e-mail address)
[root@localhost 2.0]#env |grep KEY   (check first: nothing is shown yet)
[root@localhost 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
(Note: if you have already run ./clean-all, run rm -rf /etc/openvpn/2.0/keys to delete it)
[root@localhost 2.0]# env |grep KEY
KEY_EXPIRE=3650
[email protected]
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=XA
KEY_PROVINCE=SX
KEY_ORG=VPN-TEST
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@localhost 2.0]#
[root@localhost 2.0]# ./clean-all   (this creates a keys directory under the current directory)
Generate the CA files
[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [VPN-TEST CA]:server   (note: be sure to enter server)
Email Address [[email protected]]:
[root@localhost 2.0]# ls keys/   (keys/ now contains the two files ca.crt and ca.key)
(2) Generate the server key
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...........++++++
.......................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke   (note: a password must be entered)
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'XA'
organizationName :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:40:06 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#
[root@localhost 2.0]# ls keys/   (server.crt, server.csr and server.key have been generated)
(3) Generate the client key
[root@localhost 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
....................................++++++
.....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [XA]:
Organization Name (eg, company) [VPN-TEST]:
Organizational Unit Name (eg, section) []:vpn
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:boobooke
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'XA'
organizationName :PRINTABLE:'VPN-TEST'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 31 13:43:36 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The entries above must match those given for the server.
[root@localhost 2.0]# ls keys/   (client1.crt, client1.key and client1.csr have been generated)
Generate the Diffie-Hellman parameters
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[root@localhost 2.0]#
Create the server configuration file
Copy ca.crt, server.crt, server.key and dh1024.pem from keys/ to /etc/openvpn.
Configure /etc/openvpn/server.conf
[root@localhost openvpn]# vi server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 202.98.5.68"
"server.conf" 16L, 249C written
[root@localhost openvpn]#
Start the service
[root@localhost openvpn]# service openvpn restart
After the service has started, ifconfig shows a new interface, tun0
[root@localhost openvpn]# ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2804 (2.7 KiB) TX bytes:18332 (17.9 KiB)
Client setup on Windows
Install the OpenVPN software
Copy ca.crt, ca.key, client1.crt, client1.csr and client1.key from /etc/openvpn/2.0/keys/ on the server to C:\Program Files\OpenVPN\config
Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config
Edit client.ovpn with Notepad
client
dev tun
proto udp
remote 222.161.0.93 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
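A helper for the step that copies the client files, added here as an example (not part of the original post): for one client name it assembles exactly the three files that client.ovpn above references (ca.crt, client1.crt, client1.key), after checking with openssl that the certificate was issued by ca.crt and that the key belongs to it. The keys directory and client name are taken from the post; openssl being available on the server is assumed.

```sh
#!/bin/sh
# Assemble the files one OpenVPN client needs (added example).
set -eu

# Copy ca.crt, NAME.crt and NAME.key from KEYS_DIR to OUT_DIR after checking
# that NAME.crt chains to ca.crt and that NAME.key is its private key.
# The CA private key and the CSR are not part of a client's configuration,
# so they stay in KEYS_DIR on the server.
export_client_bundle() {
    keys_dir=$1; name=$2; out_dir=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    # The server only accepts certificates signed by this CA.
    if ! openssl verify -CAfile "$keys_dir/ca.crt" "$keys_dir/$name.crt" 2>&1 | grep -q ': OK$'; then
        echo "$name.crt was not issued by ca.crt" >&2
        return 1
    fi
    # Certificate and private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$keys_dir/$name.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$keys_dir/$name.key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$name.key does not match $name.crt" >&2
        return 1
    fi
    mkdir -p "$out_dir"
    cp "$keys_dir/ca.crt" "$keys_dir/$name.crt" "$keys_dir/$name.key" "$out_dir/"
    chmod 600 "$out_dir/$name.key"
    echo "bundle for $name written to $out_dir"
}

# List OUT_DIR one name per line, so the exported set can be checked before
# it is transferred to the client.
bundle_contents() {
    ls -1 "$1" | sort
}
```

Run as `export_client_bundle /etc/openvpn/2.0/keys client1 /root/client1-bundle` and copy the resulting directory to C:\Program Files\OpenVPN\config on the client.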
May 17
Version information is usually checked with
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux
This only gives a rough picture; the detailed information is not visible.
[root@localhost ~]# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.4 (Final)
Release: 5.4
Codename: Final