[center]DomainKeys: Proving and Protecting Email Sender Identity[/center]

Email spoofing - the forging of another person's or company's email address to get users to trust and open a message - is one of the biggest challenges facing both the Internet community and anti-spam technologists today. Without sender authentication, verification, and traceability, email providers can never know for certain if a message is legitimate or forged and will therefore have to continually make educated guesses on behalf of their users on what to deliver, what to block, and what to quarantine, in the pursuit of the best possible user experience.

DomainKeys is a technology proposal that can bring black and white back to this decision process by giving email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent (i.e., that they were not altered during transit). And, once the domain can be verified, it can be compared to the domain used by the sender in the From: field of the message to detect forgeries. If it's a forgery, then it's spam or fraud, and it can be dropped without impact to the user. If it's not a forgery, then the domain is known, and a persistent reputation profile can be established for that sending domain that can be tied into anti-spam policy systems, shared between service providers, and even exposed to the user.

For well-known companies that commonly send transactional email to consumers, such as banks, utilities, and ecommerce services, the benefits of verification are more profound, as it can help them protect their users from "phishing attacks" - the fraudulent solicitation for account information, such as credit card numbers and passwords, by impersonating the domain and email content of a company to which users have entrusted the storage of these data. For these companies, protecting their users from fraud emails translates directly into user protection, user satisfaction, reduced customer care costs, and brand protection.

For consumers, such as Yahoo! Mail users or a grandparent accessing email through a small mid-western ISP, industry support for sender authentication technologies will mean that they can start trusting email again, and it can resume its role as one of the most powerful communication tools of our times.

Standardization and License Terms

Yahoo! Inc. (Yahoo!) is fully committed to making DomainKeys an open Internet standard and has accordingly submitted the DomainKeys framework as an Internet-Draft entitled "draft-delany-domainkeys-base-01.txt" (http://www.ietf.org/internet-drafts/draft-delany-d...) for publication with the IETF (Internet Engineering Task Force). Yahoo! hopes that DomainKeys will advance through the IETF Internet standards process and ultimately be approved as an IETF Internet Standard. Meanwhile, Yahoo! has established license terms that apply to the DomainKeys Intellectual Property (Patents, Software and Trademark). The Yahoo! DomainKeys Patent License Agreement can be found here:

Yahoo! DomainKeys Patent License Agreement

In accordance with RFC2026, Yahoo! has also submitted the above license statement to the IETF as an IPR Disclosure.

Reference Implementation

In addition to the Internet-Draft, Yahoo! is currently developing a reference implementation for DomainKeys that can be plugged into Message Transfer Agents (MTAs), such as qmail. An alpha version of this software has been released and is available at http://domainkeys.sourceforge.net/. Additionally, Yahoo! is working with Sendmail to develop a DomainKey implementation for their popular MTA (both the commercial and freeware versions). In fact, Sendmail, Inc. has released an open source implementation of the Yahoo! DomainKeys specification for testing on the Internet and is actively seeking participants and feedback for this Pilot Program.

How DomainKeys Works

DomainKeys Flow Diagram

How it Works - Sending Servers

There are two steps to signing an email with DomainKeys:
  1. Set up: The domain owner (typically the team running the email systems within a company or service provider) generates a public/private key pair to use for signing all outgoing messages (multiple key pairs are allowed). The public key is published in DNS, and the private key is made available to their DomainKey-enabled outbound email servers. This is step "A" in the diagram to the right.
  2. Signing: When each email is sent by an authorized end-user within the domain, the DomainKey-enabled email system automatically uses the stored private key to generate a digital signature of the message. This signature is then pre-pended as a header to the email, and the email is sent on to the target recipient's mail server. This is step "B" in the diagram to the right.

How it Works - Receiving Servers

There are three steps to verifying a signed email:
  1. Preparing: The DomainKeys-enabled receiving email system extracts the signature and claimed From: domain from the email headers and fetches the public key from DNS for the claimed From: domain. This is step "C" in the diagram to the right.
  2. Verifying: The public key from DNS is then used by the receiving mail system to verify that the signature was generated by the matching private key. This proves that the email was truly sent by, and with the permission of, the claimed sending From: domain and that its headers and content weren't altered during transfer.
  3. Delivering: The receiving email system applies local policies based on the results of the signature test. If the domain is verified and other anti-spam tests don't catch it, the email can be delivered to the user's inbox. If the signature fails to verify, or there isn't one, the email can be dropped, flagged, or quarantined. This is step "D" in the diagram on the right.
In general, Yahoo! expects that DomainKeys will be verified by the receiving email servers. However, end-user mail clients could also be modified to verify signatures and take action on the results.

Frequently Asked Questions

How will this help stop spam?

Several ways. First, it can allow receiving companies to drop or quarantine unsigned email that comes from domains that are known to always sign their emails with DomainKeys, thus impacting spam and phishing attacks. Second, the ability to verify sender domain will allow email service providers to begin to build reputation databases that can be shared with the community and also applied to spam policy. For example, one ISP could share their "spam vs. legit email ratio" for the domain www.example.com with other ISPs that may not yet have built up information about the credibility and "spamminess" of email coming from www.example.com. Last, by eliminating forged From: addresses, we can bring server-level traceability back to email (not user-level - we believe that should be a policy of the provider and the choice of the user). Spammers don't want to be traced, so they will be forced to only spam companies that aren't using verification solutions.

How will this help stop fraud/phishing attacks?

Companies that are susceptible to phishing attacks can sign all of their outgoing emails with DomainKeys and then tell the world this policy so that email service providers can watch and drop any messages that claim to come from their domain that are unsigned. For example, if the company www.example.com signs all of its outgoing email with DomainKeys, Yahoo! can add a filter to its SpamGuard system that drops any unsigned or improperly signed messages claiming to come from the domain www.example.com, thus protecting tens of millions of example.com's customers or prospective customers from these phishing attacks.

Won't spammers just sign their messages with DomainKeys?

Hopefully! If they do, they'll make it easier for the Internet community to isolate and drop/quarantine their messages using the methods described above in "How will this help stop spam?" Eliminating the uncertainty of "did this email really come from the domain example.com?" will facilitate a whole range of anti-spam solutions.

What does DomainKeys verify?

DomainKeys examines the From: and Sender: headers' domain to protect the user and deliver the best possible user experience. Desktop mail clients like Microsoft Outlook show these headers in their user interfaces. If the user establishes their trust based on these domains, then so should any system built to verify whether that trust is warranted.

Why sign the entire message?

DomainKeys signs the entire message to allow the receiving server to also verify that the message wasn't tampered with or altered in transit. By signing the headers and the body, DomainKeys makes it impossible to reuse parts of a message from a trusted source to fool users into believing the email is from that source.

Does DomainKeys encrypt each message?

DomainKeys does not encrypt the actual message - it only pre-pends a "digital signature" as a header.

What public/private key technology is used for DomainKeys?

DomainKeys currently uses an RSA public/private key method. The key length is decided by the domain owner.

Who issues the public/private key pairs required by DomainKeys?

The domain owner, or an agent or service provider acting on their behalf, should generate the key pairs that are used for their DomainKeys-enabled mail system.

Does DomainKeys require signing of the public key by a Certificate Authority (CA)?

DomainKeys does not require a CA. Much like a trusted Notary Public, Certificate Authorities are used in public/private key systems to sign, or "endorse," public keys so that the external users of public keys can know that the public keys they receive are truly owned by the people who sent them. Since DomainKeys leverages DNS as the public key distribution system, and since only a domain owner can publish to their DNS, external users of DomainKeys know that the public key they pull is truly for that domain. The CA is not needed to verify the owner of the public key - the presence in that domain's DNS is the verification. However, it is possible that Certificate Authorities may become a valuable addition to the DomainKeys solution to add an even greater level of security and trust.

How are DomainKeys revoked?

DomainKeys allows for multiple public keys to be published in DNS at the same time. This allows companies to use different key pairs for the various mail servers they run and also to easily revoke, replace, or expire keys at their convenience. Thus, the domain owner may revoke a public key and shift to signing with a new pair at any time.

Why not just use S/MIME?

S/MIME was developed for user-to-user message signing and encryption and by design should be independent of the sending and receiving servers. We believe that DomainKeys should be a natural server-to-server complement to S/MIME and not a replacement. Additionally, since S/MIME is used by many security-conscious industries, we need to ensure that the two technologies can work together without breaking each other. Finally, S/MIME is not yet supported by many of the email services, client software, and server software used across the Internet, and in Yahoo!'s opinion, that standardization effort would be much more difficult than the standardization of DomainKeys.

How does DomainKeys work with mailing lists?

Mailing lists that do not change the content or re-arrange or append headers will be DomainKey compatible with no changes required. Mailing lists that change the message and headers should re-sign the message with their own private key and claim authorship of the message.

Who implements DomainKeys?

DomainKeys will typically be implemented/enabled by the team within a company, ISP, or email service provider that deploys and runs the incoming and outgoing mail servers. Some companies may have service providers that handle their email. As MTA vendors add support for DomainKeys to their products, the implementation of DomainKeys will become simpler.

Which mail transfer agents (MTAs) support DomainKeys?

Sendmail has released a milter implementation for both the commercial and freeware versions of their MTA. A Qmail patch is available, as well as a qpsmtpd plugin. CERN, the creators of the WWW, has released a C# library for use in MS Exchange 2003. Port 25's PowerMTA, Etype.net's acSMTP, ActivSoftware's XMServer, OmniTI's Ecelerity, and StrongMail all have DomainKey versions of their software. Finally, Yahoo! has released an open source reference implementation for DomainKeys that can be plugged into other MTAs.

How do I deploy DomainKeys?

After installing a DomainKey aware MTA, there are several key distribution options from which to choose. Once chosen, the public key portion should be published to your domain's _domainkey subdomain's TXT record, and the private key inserted into your MTA. You can test your DNS record policy and selector, and there are several autoresponding email addresses to test your implementations.

I don't use my domain's SMTP server to send email. How do I use DomainKeys?

DomainKeys relies on the domain administrator to authorize the use of the domain in an email. If you cannot use the domain's authorized SMTP server because of port 25 blocking, you have a number of options.

  • You should encourage your domain to accept submission services on port 587. Your domain administrator should try to control authorization of the domain. Giving users a path to submit mail will help do this. Yahoo! Mail recently began offering a submission server on port 587.
  • You may be able to convince the domain administrator to grant you a user specific key. With a DomainKey, it should be possible to sign your messages using your mail client or any submission server. In fact, you could ask your submission service if you could give them a private key to use to sign your domain's mail.
  • You could consider using other headers to convey your identity. For instance, the Reply-to: header allows a recipient's mail client to choose an address to which replies should be sent. The Sender: header defines the address that injects the message into the SMTP stream. You might consider sending your message From: your domain, with the Sender: header set to the address of your submission service. Be aware however, that this strategy may be viewed suspiciously by anti-spam filters, as it may become a tactic for spammers and phishers.
  • Finally, you could choose to send unauthenticated mail. While this will not be a good long term strategy, it will certainly take quite a while before the vast majority of Internet email is authenticated. If you choose this path, you should carefully monitor the amount of authenticated mail over time to ensure that this strategy does not impact the deliverability of your email.

How can I send you feedback?

Yahoo! welcomes your feedback on DomainKeys. You agree that Yahoo! shall own and have the right to use, without attribution or compensation to you, all feedback received by Yahoo!, in any form, to improve or modify DomainKeys or otherwise. Please use this email form to submit your comments. Note that due to the volume of emails we receive, it is unlikely that we'll be able to respond to your individual emails.

http://antispam.yahoo.com/domainkeys

I'll write up some of it here; for more detail, go and read the technical documentation.

draft-delany-domainkeys-base-01.rtf up/1103186663.rtf

Delany                    Expires February, 2005                      [Page 9]

Internet-Draft            DomainKeys                               August 2004


most visible to the recipient.

In the first instance, the most visible address is clearly the RFC2822
"From:" address [RFC2822]. Therefore, a conforming email MUST contain
a single "From:" header from which an email address with a domain name
can be extracted.

A conforming email MAY contain a single RFC2822 "Sender:" header from
which an email address with a domain name can be extracted.

If the email has a valid "From:" and a valid "Sender:" header, then
the signer MUST use the sending address in the "Sender:" header.

If the email has a valid "From:" and no "Sender:" header, then the
signer MUST use the first sending address in the "From:" header.

In all other cases, a signer MUST NOT sign the email. Implementors
should note that an email with a "Sender:" header and no "From:" header
MUST NOT be signed.

The domain name in the sending address constitutes the "sending
domain".
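
The selection rules above, written out as an added example; this is not code from the draft or from any DomainKeys implementation. The function names and the sample messages are constructed for illustration, and treating a "Sender:" header as valid only when it yields exactly one address with a domain is an assumption of this sketch.

```python
from email import message_from_string
from email.utils import getaddresses


def domain_of(address):
    """Return the lower-cased domain of 'local@domain', or None if there is none."""
    local, at, domain = address.rpartition("@")
    return domain.lower() if at and local and domain else None


def valid_addresses(header_values):
    """Addresses found in the given header values that carry a domain name."""
    return [addr for _name, addr in getaddresses(header_values) if domain_of(addr)]


def sending_address(raw_message):
    """Address a signer must sign for, or None when the email MUST NOT be signed."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    sender_headers = msg.get_all("Sender", [])

    # A conforming email has exactly one From: header with a usable address.
    if len(from_headers) != 1:
        return None
    from_addrs = valid_addresses(from_headers)
    if not from_addrs:
        return None

    # Valid From: and no Sender: -> the first sending address in From:.
    if not sender_headers:
        return from_addrs[0]

    # Valid From: and valid Sender: -> the Sender: address is used.
    sender_addrs = valid_addresses(sender_headers)
    if len(sender_headers) == 1 and len(sender_addrs) == 1:
        return sender_addrs[0]

    # Every other combination is left unsigned.
    return None


def sending_domain(raw_message):
    """The "sending domain": the domain name in the sending address."""
    address = sending_address(raw_message)
    return domain_of(address) if address else None


# Constructed sample messages, one per rule.
SAMPLES = {
    "from_only": "From: Alice <alice@example.net>, bob@example.org\n"
                 "Subject: test\n\nhello\n",
    "from_and_sender": "From: Alice <alice@example.net>\n"
                       "Sender: list-owner@lists.example.org\n\nhello\n",
    "sender_only": "Sender: list-owner@lists.example.org\n\nhello\n",
    "two_from": "From: alice@example.net\nFrom: mallory@example.org\n\nhello\n",
    "bad_sender": "From: alice@example.net\nSender: not-an-address\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", sending_domain(raw) or "MUST NOT sign")
```
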


3.2 Retrieving the public-key given the sending domain

To avoid namespace conflicts, it is proposed that the DNS namespace
"_domainkey." be reserved within the sending domain for storing
public-keys, e.g., if the sending domain is example.net, then the
public-keys for that domain are stored in the _domainkey.example.net
namespace.


3.2.1 Introducing "selectors"

To support multiple concurrent public-keys per sending domain, the DNS
namespace is further subdivided with "selectors". Selectors are
arbitrary names below the "_domainkey." namespace. A selector value
and length MUST be legal in the DNS namespace and in email headers
with the additional provision that they cannot contain a semicolon.

Examples of namespace using selectors are:

    "sanfrancisco._domainkey.example.net"
    "coolumbeach._domainkey.example.net"
    "reykjavik._domainkey.example.net"
    "default._domainkey.example.net"

and

    "january2004._domainkey.example.net"
    "february2004._domainkey.example.net"
    "march2004._domainkey.example.net"

Periods are allowed in selectors and are to be treated as component
separators. In the case of DNS queries that means the period defines
sub-domain boundaries.

The number of public-keys and corresponding selectors for each domain
are determined by the domain owner. Many domain owners will be
satisfied with just one selector whereas administratively distributed
organizations may choose to manage disparate selectors and key pairs
in different regions or on different email servers.

Beyond administrative convenience, selectors make it possible to
seamlessly replace public-keys on a routine basis. If a domain wishes
to change from using a public-key associated with selector "january"
to a public-key associated with selector "february", it merely makes
sure that both public-keys are advertised in the DNS concurrently for
the transition period during which email may be in transit prior to
verification. At the start of the transition period, the outbound
email servers are configured to sign with the "february"
private-key. At the end of the transition period, the "january"
public-key is removed from the DNS.

While some domains may wish to make selector values well known, others
will want to take care not to allocate selector names in a way that
allows harvesting of data by outside parties. E.g., if per-user keys
are issued, the domain owner will need to make the decision as to
whether to make this selector associated directly with the user name,
or make it some unassociated random value, such as the fingerprint of
the public-key.


3.2.2 Public-key signing and verification algorithm

The default signature is an RSA signed SHA1 digest of the complete
email.

For ease of explanation, the openssl command is used throughout this
document to describe the mechanism by which keys and signatures are
managed.

One way to generate a 768 bit private-key suitable for DomainKeys, is
to use openssl like this:

$ openssl genrsa -out rsa.private 768

Which results in the file rsa.private containing the key information
similar to this:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

Once a private-key has been generated, the openssl command can be used
to sign an appropriately prepared email, like this:

$ openssl dgst -sign rsa.private -sha1 <input.file

Which results in signature data similar to this when represented in
Base64 [MIME] format:

aoiDeX42BB/gP4ScqTdIQJcpAObYr+54yvctqc4rSEFYby9+omKD3pJ/TVxATeTz
msybuW3WZiamb+mvn7f3rhmnozHJ0yORQbnn4qJQhPbbPbWEQKW09AMJbyz/0lsl

How this signature is added to the email is discussed later in this
document.


To extract the public-key component from the private-key, use openssl
like this:

$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

Which results in the file rsa.public containing the key information
similar to this:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----


This public-key data is placed in the DNS.


With the signature, canonical email contents and public-key, a
verifying system can test the validity of the signature. The openssl
invocation to verify a signature looks like this:

$ openssl dgst -verify rsa.public -sha1 -signature signature.file <input.file




3.2.3 Public-key representation in the DNS

There is currently no standard method defined for storing public-keys
in the DNS. As an interim measure, the public-key is stored as a TXT
record derived from a PEM format [PEM], that is, as a Base64
representation of a DER encoded key. Here is an example of a 768 bit
RSA key in PEM form:

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

To save scarce DNS packet space and aid extensibility, the PEM
wrapping MUST be removed and the remaining public-key data along with
other attributes relevant to DomainKeys functionality are stored as
tag=value pairs separated by semicolons, e.g.:

brisbane._domainkey IN TXT "g=; k=rsa; p=MHww ... IDAQAB"

Verifiers MUST support key sizes of 512, 768, 1024, 1536 and 2048
bits. Signers MUST support at least one of the verifier supported key
sizes.

The current valid tags are:

    g = granularity of the key. If present with a non-zero length
        value, this value MUST exactly match the local part of the
        sending address. This tag is optional.

        The intent of this tag is to constrain which sending address
        can legitimately use this selector. An email with a sending
        address that does not match the value of this tag constitutes
        a failed verification.

    k = key type (rsa is the default). Signers and verifiers MUST
        support the 'rsa' key type.

    n = Notes that may be of interest to a human. No interpretation is
        made by any program. This tag is optional.

    p = public-key data, encoded as a Base64 string. An empty value
        means that this public-key has been revoked. This tag MUST be
        present.

    t = testing mode ('y' means that this domain is testing DomainKeys
        and unverified email MUST NOT be treated differently from
        verified email. Recipient systems MAY wish to track testing
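
The selector namespace and the g, k, p and t tags described above, as an added example of the checks a verifier can make on a key record before it tests any signature; this is not code from the draft or from Yahoo!'s reference implementation. The function names are hypothetical, the RECORDS dictionary is a constructed stand-in for a DNS TXT lookup, and the p= value is the 768-bit public key from the page's PEM example.

```python
import base64

# Public-key data copied from the page's 768-bit PEM example, PEM wrapping removed.
PAGE_KEY = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l"
    "MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E"
    "XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"
)

# Constructed TXT records for example.net; this dict stands in for a DNS lookup.
RECORDS = {
    "january2004._domainkey.example.net": "k=rsa; p=",  # revoked after rollover
    "february2004._domainkey.example.net": "g=; k=rsa; p=" + PAGE_KEY,
    "billing._domainkey.example.net": "g=billing; t=y; p=" + PAGE_KEY,
}


def key_query_name(selector, sending_domain):
    """DNS name that holds the public key for this selector and sending domain."""
    labels = selector.split(".")  # periods separate sub-domain components
    if ";" in selector or any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("illegal selector: %r" % selector)
    return "%s._domainkey.%s" % (selector, sending_domain)


def parse_key_record(txt):
    """Split 'tag=value; tag=value' into a dict, dropping insignificant whitespace."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError("not a tag=value pair: %r" % part)
        tags[name.strip()] = "".join(value.split())
    return tags


def read_tlv(buf, pos):
    """Read one DER element starting at pos; return (value_bytes, next_pos)."""
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_value):
    """Bit length of the RSA modulus in Base64-encoded DER public-key data."""
    try:
        der = base64.b64decode(p_value, validate=True)
        spki, _ = read_tlv(der, 0)            # outer SEQUENCE
        _, pos = read_tlv(spki, 0)            # skip the AlgorithmIdentifier
        bit_string, _ = read_tlv(spki, pos)   # BIT STRING wrapping the key
        rsa_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits octet
        modulus, _ = read_tlv(rsa_key, 0)     # first INTEGER is the modulus
    except IndexError:
        raise ValueError("malformed public-key data")
    return int.from_bytes(modulus, "big").bit_length()


def check_key(selector, sending_address, lookup=RECORDS.get):
    """Return (usable, reason, testing) for the key record a message points at."""
    local_part, _, domain = sending_address.rpartition("@")
    txt = lookup(key_query_name(selector, domain))
    if txt is None:
        return (False, "no key record", False)
    tags = parse_key_record(txt)
    testing = tags.get("t") == "y"         # domain is only testing DomainKeys
    if "p" not in tags:
        return (False, "p tag missing", testing)
    if tags["p"] == "":                    # empty value: key has been revoked
        return (False, "key revoked", testing)
    if tags.get("k", "rsa") != "rsa":      # rsa is the default key type
        return (False, "unsupported key type", testing)
    if tags.get("g") and tags["g"] != local_part:
        return (False, "granularity mismatch", testing)
    return (True, "%d-bit rsa key" % rsa_modulus_bits(tags["p"]), testing)


if __name__ == "__main__":
    for sel, addr in [("february2004", "alice@example.net"),
                      ("january2004", "alice@example.net"),
                      ("billing", "alice@example.net"),
                      ("billing", "billing@example.net")]:
        print(sel, addr, check_key(sel, addr))
```

A record that passes these checks still only yields a usable public key; the signature itself is tested separately, as in the openssl verify invocation shown earlier.
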

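ISA Server 2004 hotfix for Windows Server 2003 (ISA2004-KB884569-X86-CHS.msp)
  Microsoft ISA Server 2004 Standard Edition is designed to run on servers with up to four (4) processors (each licensed separately). However, when installed on a multiprocessor computer, ISA Server 2004 Standard Edition incorrectly counts hyper-threaded processors (for example, Intel Pentium IV), with the result that the ISACTRL and WSPSRV services will not start when more than two (2) such processors are present. The ISA Server Control service incorrectly treats each hyper-threading-enabled processor as two (2) processors, and because ISA Server 2004 Standard Edition is limited to a maximum of four (4) processors, it also regards the installation as a violation of the license terms.

  A hyper-threaded processor should be counted as a single processor, so that servers with up to four (4) hyper-threading-enabled processors are fully supported and regarded as compliant with the product license. Servers with only one (1) or two (2) hyper-threading-enabled processors, and servers running on older non-hyper-threaded processors, are not affected by this bug. Servers with three (3) or four (4) hyper-threading-enabled processors should be updated with this hotfix, which will normally be loaded after installation and a restart.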

http://download.microsoft.com/download/e/8/6/e8656...


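Recently more and more friends have been coming to ask for link exchanges, and I am happy to communicate and cooperate with them. It also shows that the spread of the Internet is now irreversible.
Considering the effect on the friends who are already linked, I cannot keep adding links to sites with no distinctive character without limit. So please make your request once your site has been built. Once you have your link ready, we will consider adding it.

I am truly happy to see every site having its own character and everyone communicating and sharing in a friendly way.

About my site's name: I have never settled on a final name for the current site, but the name Liuxyon International has been in use for more than 10 years. So please add my site under that name for now. I have always supported international exchange, so that will be the direction I develop in.
Even though my site is rather plain at the moment. :-)

Yesterday Xi'an had its first snow of 2004, and a fairly heavy one. When I got up this morning the rooftops were already covered in snow. Usually, though, heavy snow is followed by a bright sunny day.

It feels good.........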
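Zeus Installation Guide for FreeBSD/Linux

Zeus performs better than Apache on multiple CPUs and is also stronger than Apache for SSL applications.
Installation is done by a single shell program and takes a minute. It is a binary package, so no compilation is needed.
Configuration is through a web interface, so administration is easy; concurrency limits, bandwidth limits and traffic limits are convenient to set.

Zeus + PHP + Zend Optimizer Installation Guide for Linux

This is Crossday's first Unix write-up, written for Linux. Zeus is a well-known web server whose performance is far above that of Apache 1/2, and it is the first choice for users running a forum on a whole server. For users with less than 1 GB of memory and very heavy traffic, switching to Zeus gives twice the load capacity of Apache.
The method in this article has been verified on Red Hat Linux 7.3 and later, PHP 4.3.0 and later, and Zend Optimizer 2.1.0. The configured parameters are tuned for medium and large forums running Discuz! 2.0/3.0 with more than 1000 users online per 15 minutes.

Change to a directory, for example:
cd /usr/local/src

Find a cracked copy of Zeus 4.2 r3 for Linux and download it:
wget http://download.discuz.net/zeus_linux.tgz

tar xvzf zeus_linux.tgz
cd Zeus.Web.Server.v4.2r3.Linux.x86/
tar xvzf Zeus_42r3_Linux-glibc2.1.tgz
cd Zeus_42r3_Linux-glibc2.1/

Start the installation:
./zinstall

Press CTRL+C and type accept

Where should the product be installed? [/usr/local/zeus]: (press Enter)

Installation options:

1. Full install of both admin server & web server
2. Stand-alone install of admin server
3. Clustered install of web server
H. Help

Choose installation option [1]: (press Enter)

Enter the key filename, or leave blank for unlicensed mode: /usr/local/src/Zeus.Web.Server.v4.2r3.Linux.x86/license.key (enter the path to the key file)

Please choose a password for the admin server: ****** (enter the admin password)
Re-enter: ****** (re-enter the password)

Would you like Zeus to start at boot time? Y/N [Y]: (press Enter)

That is the whole installation; it goes in very easily. If Apache is running, stop it first to avoid a conflict on port 80:
/usr/local/apache/bin/apachectl stop

If the installer reports that libdb.so.2 does not exist, first change to the libdb.so.2 directory in the archive and run:
rpm -ivh db1-1.85-8.i386.rpm

Install PHP
cd /usr/local/src
Download PHP from the Japanese mirror:
wget http://cn2.php.net/get/php-4.3.4.tar.gz/from/jp2.p...
tar xvzf php-4.3.4.tar.gz
cd php-4.3.4/
./configure --prefix=/usr/local/php --enable-fastcgi --enable-force-cgi-redirect --with-config-file-path=/etc --with-zlib --with-mysql --with-xml
make
make install
cp php.ini-dist /etc/php.ini

Install Zend Optimizer
cd /usr/local/src
wget http://download.discuz.net/ZendOptimizer-2%5B1%5D....
tar xvzf ZendOptimizer-2%5B1%5D.1.0b-Linux_glibc21-i386.tar.gz
cd ZendOptimizer-2.1.0b-Linux_glibc21-i386/
./install.sh
Press Enter through the prompts; when asked "Confirm the location of your php.ini file", type /etc
When asked "Are you using Apache web server?", choose No

Configure Zeus
Open http://your.com:9090 (your domain name or IP address)
Username: admin; password: the one you just set

In the Zeus admin console, click Create a Virtual Server and fill in the six relevant fields; no need to go into detail here.
After you submit, the virtual server you just added appears; click FastCGI.

Enabling Support for FastCGI Programs: select Enabled
Restricting FastCGI locations: select Enable FastCGI programs to be located anywhere
Configuring Directories for FastCGI Local Responders: leave it empty, because we connect to FastCGI in remote mode

Under Configuring FastCGI Remote Responders, enter the following settings:
Directory name : /usr/local/php/bin/php
Location: Machine name: localhost
     Port: 8002
Additional methods supported?:None

Leave everything else alone and click Apply changes

Click Handlers under Url Handling on the left
File Extension : php
Specify the path and filename of the handler, relative to the document root : /usr/local/php/bin/php
Click Apply changes

Click Directory Requests under Url Handling on the left
In Index Files, add index.php and a separating comma
Directory Listing: select Disabled
Click Apply changes

Then click "This configuration has been modified. Click here for details or to make it take effect." at the top,
and click Commit on the page that appears.

Configure php-fastcgi
cd /usr/local/zeus/rc.d
Create a file named S05php with the following contents: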

#!/bin/sh

# Script to start and stop the persistent PHP runner for FastCGI.
# Please check paths before use.

# FastCGI PHP binary
FPHPBIN=/usr/local/php/bin/php

# Location to place semaphore (the pid file written by fcgirunner)
SEMFILE=/tmp/php.pid
# Number of PHP child processes, and requests each serves before it is recycled
PHP_FCGI_CHILDREN=200
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS

# This is Linux - use /proc to increase the local (ephemeral) port range
#echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range

# Derive ZEUSHOME from the script location when it is not already set
if [ -z "$ZEUSHOME" ]
then
    cd `dirname "$0"`/..
    ZEUSHOME=`pwd`
    export ZEUSHOME
fi

case "$1" in
'start')
    # A leftover pid file means a runner is already up: stop it first
    if [ -e "$SEMFILE" ]
    then
        echo "FastCGI PHP error: already running. Restart FastCGI PHP now"
        kill `cat "$SEMFILE"`
        sleep 5
    fi

    if [ ! -x "$FPHPBIN" ]
    then
        echo "FastCGI PHP error: please check that $FPHPBIN is executable and exists."
        exit 1
    fi

    echo "Starting FastCGI PHP."
    "$ZEUSHOME/web/bin/fcgirunner" --user=99 --group=99 --pidfile="$SEMFILE" 8002 "$FPHPBIN"
    ;;

'stop')
    if [ -e "$SEMFILE" ]
    then
        echo "Stopping FastCGI PHP."
        kill `cat "$SEMFILE"`
        rm "$SEMFILE"
    fi
    ;;

'restart')
    if [ -e "$SEMFILE" ]
    then
        echo "Stopping FastCGI PHP."
        kill `cat "$SEMFILE"`
        sleep 5
    fi
    echo "Starting FastCGI PHP."
    "$ZEUSHOME/web/bin/fcgirunner" --user=99 --group=99 --pidfile="$SEMFILE" 8002 "$FPHPBIN"
    ;;

*)
    echo "usage: $0 {start|stop|restart}"
    exit 1
    ;;

esac
exit 0

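Note: --user=65534 --group=65534 sets the user and group that the PHP processes run as. It is normally set to the nobody user and group, which is 65534/65534 on FreeBSD and 99/99 on Linux.

If you do not know how to create the file, follow this example:
vi S05php
(type a lowercase i)
(copy the contents above to the clipboard, then press SHIFT+INSERT to paste them in)
(press ESC)
(type :wq and press Enter)

Change the permissions to make it executable:
chmod 755 S05php

Go back to the Zeus admin interface on port 9090 and Start the virtual host you just configured.

The command to start Zeus is /usr/local/zeus/start-zeus
The command to stop Zeus is /usr/local/zeus/stop-zeus
The command to restart Zeus is /usr/local/zeus/restart-zeus

Edit /etc/rc.local
and add the line
/usr/local/zeus/start-zeus
so that Zeus starts automatically at boot.

If the web site cannot be reached at this point, it is most likely because Apache was not stopped. Be sure to remove Apache from the boot-time startup, otherwise Zeus cannot bind to port 80 and the site cannot be reached. If that is not the problem and the site still cannot be reached after installation, the web server may not have been installed correctly, for example because the first installation was interrupted and the second was then run as an upgrade. In that case, stop Zeus, delete its directory with rm -fr, and install it again; it should then work. In my view this comes from poor design of the Zeus installation script.

Conclusion: Zeus is really too powerful for words. Without any add-on modules it provides efficient multi-threaded service, per-IP concurrency limits, referrer restrictions, bandwidth limits and many other rich and practical features. It truly is an extremely powerful and efficient web server in the Unix world.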

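Installing Zeus, php4.3.5, mysql3.23.58, zend and mmcache on FreeBSD

Zeus is a well-known web server whose performance is far above that of Apache 1/2, and it is the first choice for users running a forum on a dedicated server. For users with less than 1 GB of memory and very heavy traffic, switching to Zeus gives twice the load capacity of Apache.
This article shares some of my experience installing Zeus 4.3 on FreeBSD 4.1.

Find a copy of Zeus 4.3 for BSD and download it (download everything into /root, which saves trouble).


Servers are usually running Apache, so stop it first:
/usr/local/apache/bin/apachectl stop

Unpack the packages:
unzip Zeus_4.3_Linux_crack.zip # unpack the crack package directly into /root
tar xvzf Zeus_43_Linux-x86.tgz

cd Zeus_43_Linux-x86/

Start the installation:
./zinstall

Press CTRL+C and type accept

Where should the product be installed? [/usr/local/zeus]: (press Enter)

Installation options:

1. Full install of both admin server & web server
2. Stand-alone install of admin server
3. Clustered install of web server
H. Help

Choose installation option [1]: (press Enter)

Enter the key filename, or leave blank for unlicensed mode: (enter the path to your key here; yesterday I posted a 30-day key, and there are cracked versions online with no time limit)

Please choose a password for the admin server: ****** (enter the admin password)
Re-enter: ****** (re-enter the password)

What USER do you want to run zeus?[nobody]:(type nobody and press Enter)

What Group do you want to run zeus?[nobody]: (type nobody and press Enter)
// I do not remember the exact prompts for these two steps; follow what the installer shows and just type nobody.


Would you like Zeus to start at boot time? Y/N [Y]: (press Enter)

Installation finished. Very simple!


The command to start Zeus is /usr/local/zeus/start-zeus
The command to stop Zeus is /usr/local/zeus/stop-zeus
The command to restart Zeus is /usr/local/zeus/restart-zeus


If you have found the crack file, stop Zeus first and then apply it:
/usr/local/zeus/stop-zeus
cp /<directory containing the crack file>/zeus.web /usr/local/zeus/web/bin

Cracking finished.


Configure Zeus

Open http://your.com:9090 in a browser (username admin, password the one you just set)

Click "Virtual Server" to create a virtual host:
Virtual Server Name: the host name
Host Name and Port: the domain name and port
Server Comment: anything
Document Root: where the web files are placed
Aliases: additional domain names bound to the host go here, separated by commas (,).
Webmaster Email Address: anything
Clone server: ignore it
Click the "Create Virtual Server" button to submit.

After submitting, you move on to the detailed configuration of the virtual host:

Click "FastCGI" on the left
Enabling Support for FastCGI Programs: select "Enabled"
Then scroll down to "Adding a FastCGI Remote Responder"
Directory name: enter /usr/local/php/bin/php
Location: Machine name: enter localhost
Port: enter 8002
Leave everything else empty and click "apply change"

Click "PHP" at the bottom left to open the PHP configuration.
Enabling PHP Support: select Enabled
Process Management: concurrent requests, set as you need
Click "apply change"

Find "Directory Requests" in the menu on the left
Index Files: the index files, set as you need
Directory Listing: must be Disabled
Click "apply change"

Then find "htaccess Support" in the menu on the left
Enabling .htaccess File Processing: select Enabled
Click "apply change"


That completes the configuration. Click "This configuration has been modified. Click here for details or to make it take effect." at the top, then click "commit", and the virtual host is set up. Now start the virtual host from the main screen and open http://www.domain.com, and you will see your web pages right away!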

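Zeus is an excellent web server that runs on Unix. Its performance is said to exceed Apache's, and it is one of the most powerful web servers.

Because there is very little Chinese-language material about Zeus, many administrators do not know about this super web server, and some who do are stuck because Chinese installation instructions are scarce! I only learned about Zeus recently myself. Someone happened to be putting a server online, so I used it for an experiment, ha ha. As luck would have it, I actually got it installed, so here is the installation process.

The installation environment below is FreeBSD 4.9 with the source tree updated, the kernel and system rebuilt, and the latest ports! Log in to the system and su to root.

1. Install MySQL

cd /usr/ports/databases/mysql323-server
make install
make clean
/usr/local/bin/safe_mysqld &   (start mysql)
/usr/local/bin/mysqladmin -uroot password PASSWORD   (change the mysql root password; it is empty by default)
/usr/local/bin/mysql -uroot -pPASSWORD
If the mysql> prompt appears, congratulations, the installation succeeded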

2. Install fastcgi

cd /usr/ports/www/fcgi/
make install
make clean
When this finishes, libfcgi.a is in /usr/local/lib and all the fastcgi header files are in /usr/local/include

3. Install php

cd /usr/ports/www/php4-cgi
make WITH_FASTCGI=yes install
During the build you are asked to choose the php modules you need; select the ones you need
make clean
cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini
Test
/usr/local/bin/php
Type


After you press ctrl-d to run it, php returns its information, which shows the installation succeeded
4. Install zeus
Download: http://www.axin.net/Zeus_42r4_FreeBSD4.tar; its license file: http://www.axin.net/license.key
cd /home/axin
mkdir server
cd server
fetch http://www.axin.net/Zeus_42r4_FreeBSD4.tar   (download zeus)
fetch http://www.axin.net/license.key   (download the license)
tar vxf Zeus_42r4_FreeBSD4.tar   (unpack)
cd Zeus_42r4_FreeBSD4
./zinstall
Press CTRL+C, then type accept
Where should the product be installed? [/usr/local/zeus]: (asks where to install; the default is usr/local/zeus)
Installation options:
1. Full install of both admin server & web server
2. Stand-alone install of admin server
3. Clustered install of web server
H. Help
Choose installation option [1]: (choose the installation mode; pick 1, full install)
Enter the key filename, or leave blank for unlicensed mode: /home/axin/server/license.key (enter the location of the key)
Please choose a password for the admin server: ****** (enter the admin password)
Re-enter: ****** (enter the password again)
Would you like Zeus to start at boot time? Y/N [Y]: (press Enter)
The installation is simple
Test it at http://ip:9090. If the installation succeeded, an authentication dialog pops up; enter admin and the password and you will see the Zeus admin interface. Nice, isn't it? Don't get excited yet; get the rest set up first
5. Install zend
cd /home/axin/server
(download zend)
tar zvxf ZendOptimizer-2[1].5.1-FreeBSD4.0-i386.tar.gz
cd ZendOptimizer-2.5.1-FreeBSD4.0-i386
./install.sh
When asked "Are you using Apache web server?", choose No
6. Install mmcache
cd /usr/ports/www/truck-mmache
make install
make clean
vi /usr/local/etc/php.ini
Add
[mmcache]
zend_extension="/usr/local/lib/php/20020429/mmcache.so"
mmcache.shm_size="16"
mmcache.cache_dir="/var/tmp/mmcache"
mmcache.enable="1"
mmcache.optimizer="1"
mmcache.check_mtime="1"
mmcache.debug="0"
mmcache.filter=""
mmcache.shm_max="0"
mmcache.shm_ttl="0"
mmcache.shm_prune_period="0"
mmcache.shm_only="0"
mmcache.compress="1"
mmcache.keys="shm_and_disk"
mmcache.sessions="shm_and_disk"
mmcache.content="shm_and_disk"
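7. Basic use of Zeus
In a browser, go to http://ip:9090 and enter admin and the password set during installation
Once in the Zeus admin interface, its power reminds me of what a veteran open-source enthusiast once said: Zeus is the king of the gods
Here is a quick walk-through of setting up a virtual host
Create Virtual Server
Virtual Server Name: name of the virtual host
Host Name and Port: domain name and port
Server Comment: description of the virtual host
Document Root: document root directory
Aliases: domain aliases
Webmaster Email Address: e-mail address of the server administrator
Clone server: clone the settings of another virtual host
Click Create Virtual Server. Once it has been created, click the home icon and you will see the new virtual host; select it and press start. Enter http://domain.com in a browser; if everything worked, the site is reachable
8. Configure Zeus to support php
Select the virtual host you just created, then configure
API Support > FastCGI
FastCGI Configuration: select Enabled
Directory name: /usr/local/bin/php
Location: Machine name: localhost 8002
Additional methods supported?: None
Click the apply button
Go to Handlers under URL Handling and set the following parameters:
File Extension: php
Specify the path and filename of the handler, relative to the document root: /usr/local/bin/php
HTTP 404 errors are handled by: The handler
Click the apply button
Go to Directory Requests under URL Handling
and add index.php
Connect with a terminal and su to root
cd /usr/local/zeus/rc.d
vi S05php
Add the following content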
#!/bin/sh

# Script to start and stop the persistent PHP runner for FastCGI.
# Please check paths before use.

# FastCGI PHP binary
FPHPBIN=/usr/local/bin/php

# Location to place semaphore
SEMFILE=/tmp/php.pid
PHP_FCGI_CHILDREN=100
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS

# This is Linux - use /proc to increase the local (ephemeral) port range
#echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range

if [ -z "$ZEUSHOME" ]
then
    cd `dirname $0`/..
    ZEUSHOME=`pwd`
    export ZEUSHOME
fi

case "$1" in
'start')
    if [ -e $SEMFILE ]
    then
        echo FastCGI PHP error: already running.Restart FastCGI PHP now
        kill `cat $SEMFILE`
        sleep 5
    fi

    if [ ! -x $FPHPBIN ]
    then
        echo FastCGI PHP error: please check that $FPHPBIN is executable and exists.
        exit 1
    fi

    echo Starting FastCGI PHP.
    $ZEUSHOME/web/bin/fcgirunner --user=65534 --group=65534 --pidfile=$SEMFILE 8002 $FPHPBIN
    ;;

'stop')
    if [ -e $SEMFILE ]
    then
        echo Stopping FastCGI PHP.
        kill `cat $SEMFILE`
        rm $SEMFILE
        exit 0
    fi
    ;;

'restart')
    if [ -e $SEMFILE ]
    then
        echo Stopping FastCGI PHP.
        kill `cat $SEMFILE`
        sleep 5
    fi
    echo Starting FastCGI PHP.
    $ZEUSHOME/web/bin/fcgirunner --user=65534 --group=65534 --pidfile=$SEMFILE 8002 $FPHPBIN
    ;;

*)
    echo "usage: $0 {start|stop|restart}"
    ;;

esac
exit 1
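The following items in this script need to be adjusted for your system:
FPHPBIN=/usr/local/php/bin/php   set this to the path of php
SEMFILE=/tmp/php.pid   path where php.pid is created; the directory must be writable
PHP_FCGI_CHILDREN=100   number of php processes
PHP_FCGI_MAX_REQUESTS=1000   number of requests each php process can serve before it exits, used to release resources
Set the two values above according to the hardware and the site's traffic; the defaults are 8 and 500. In general, PHP_FCGI_CHILDREN > peak concurrent requests + 10. If PHP_FCGI_MAX_REQUESTS is set too low, a busy site takes on extra load because the php processes restart frequently.
#echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range   Linux only
--user=65534 --group=65534   the user and group the php processes run as, normally the nobody user and group: 65534/65534 on FreeBSD, 99/99 on Linux
Save!
chmod 750 S05php
cd ..
./restart-zeus
Once started, the ps -ax listing shows PHP_FCGI_CHILDREN+1 php processes. Create an info.php file in the Docroot directory of your vhost, with the following content:

Open info.php on the vhost in a browser and you should see the PHP info page. I can't be bothered to write the rest; see the freebsd php howtos online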
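The S05php script above runs as root and passes whatever /tmp/php.pid contains to kill, and /tmp is writable by every local user. The following check is an added example, not part of the original script; the function names safe_pid and stop_runner and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original script): validate a PID file
# before a root-run rc script passes its content to kill.

# safe_pid FILE: print the PID and return 0 only if FILE is a regular
# file (no symlink), owned by the invoking user, not writable by group
# or others, and contains exactly one decimal number greater than 1.
safe_pid() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    set -- $(ls -ldn "$f")            # fields: mode links uid gid ...
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    pid=$(cat "$f")
    case $pid in
        ''|*[!0-9]*) return 1 ;;          # empty, or anything but digits
    esac
    [ "$pid" -gt 1 ] || return 1          # never signal PID 0 or 1
    printf '%s\n' "$pid"
}

# stop_runner FILE: the 'stop' branch rewritten on top of safe_pid.
stop_runner() {
    target=$(safe_pid "$1") || {
        echo "refusing to trust PID file $1" >&2
        return 1
    }
    kill "$target" && rm -f "$1"
}

# Constructed demo: a private directory instead of /tmp/php.pid.
demo_dir=$(mktemp -d)
sleep 30 >/dev/null 2>&1 &
echo $! > "$demo_dir/php.pid"
chmod 600 "$demo_dir/php.pid"
stop_runner "$demo_dir/php.pid" && echo "runner stopped"
rm -rf "$demo_dir"
```

Pointing SEMFILE at a directory only root can write to removes the need for most of these checks.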



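[center]MySQL Database Backup[/center]

Backing up your databases is important in case tables are lost or damaged. If a system crash occurs, you want to be able to restore your tables to the state they were in at the time of the crash with as little data loss as possible. Sometimes it is the MySQL administrator who causes the damage. Administrators have been known to damage tables by trying to edit them directly with editors such as vi or Emacs, which is definitely not good for the tables!

The two main methods of backing up databases are to use the mysqldump program or to copy the database files directly (for example with cp, cpio or tar). Each method has its advantages and disadvantages:

mysqldump operates in cooperation with the MySQL server. Direct copying takes place outside the server, and you must take steps to make sure no clients are modifying the tables you are about to copy. The same problem arises if you want to back up databases with file system backups: if database tables are modified during the file system backup, the table files that go into the backup are in an inconsistent state and are worthless for later restoring the tables. The difference between file system backups and direct file copies is that with the latter you have full control over the backup procedure, so you can take steps to make sure the server leaves the tables undisturbed.
mysqldump is slower than direct copying.
mysqldump generates text files that are portable to other machines, even those with a different hardware architecture. Directly copied files are not portable to other machines unless the tables you are copying use the MyISAM storage format. ISAM tables can only be copied between machines with similar hardware architectures. The MyISAM table storage format introduced in MySQL 3.23 solves this problem because the format is machine independent, so directly copied files can be moved to machines with a different hardware architecture, provided two conditions are met: the other machine must also run MySQL 3.23 or later, and the files must be in MyISAM format, not ISAM format.
Whichever backup method you use, there are several principles to follow to ensure the best results if you ever need to restore a database:

Perform backups regularly. Set a schedule and stick to it.
Have the server keep update logs. The update logs will help you when you need to restore data after a crash. After you use the backup files to restore the data to the state at backup time, you can re-apply the changes made after the backup by running the queries in the update logs, which restores the tables in the database to their state at the time of the crash.
In file system backup terms, the database backup files represent a full dump, and the update logs represent incremental dumps.

Use a consistent and understandable naming scheme for backup files. Names like backup1, backup2 and so on are not particularly meaningful. When it comes time to perform a recovery, you will waste time working out what is in the files. You may find it useful to build backup file names from the database name and the date. For example: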
%mysqldump samp_db >/usr/archives/mysql/samp_db.1999-10-02

%mysqldump menagerie >/usr/archives/mysql/menagerie.1999-10-02

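You may want to compress backups after generating them. Backups tend to be large! You also need to expire your backup files to keep them from filling your disk, just as you expire your log files.

Back up your backup files using file system backups. If a complete crash wipes out not only your data directory but also the disk drive containing your database backups, you are in real trouble. Back up your update logs too.
Put your backup files on a different file system from the one used for your databases. This reduces the likelihood of filling up the file system containing the data directory as a result of generating backups.
The techniques used for creating backups are also useful for copying databases to another machine. Most commonly, a database is transferred to a server running on another host, but you can also transfer data to another server on the same host.

1 Using mysqldump to Back Up and Copy Databases
When you use the mysqldump program to produce database backup files, by default the file contents consist of CREATE statements that create the tables being dumped and INSERT statements containing the row data of the tables. In other words, the output produced by mysqldump can later be used as input to mysql to re-create the database.

You can dump an entire database into a single text file like this:

%mysqldump samp_db >/usr/archives/mysql/samp_db.1999-10-02

The beginning of the output file looks like this: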

# MySQL Dump 6.0
#
# Host: localhost Database: samp_db
#---------------------------------------
# Server version 3.23.2-alpha-log
#
# Table structure for table 'absence'
#
CREATE TABLE absence(
student_id int(10) unsigned DEFAULT '0' NOT NULL,
date date DEFAULT '0000-00-00' NOT NULL,
PRIMARY KEY (student_id,date)
);
#
# Dumping data for table 'absence'
#
INSERT INTO absence VALUES (3,'1999-09-03');
INSERT INTO absence VALUES (5,'1999-09-03');
INSERT INTO absence VALUES (10,'1999-09-08');
...... 
The rest of the file consists of more INSERT and CREATE TABLE statements.

If you want to compress the backup, use a command like this:

%mysqldump samp_db | gzip >/usr/archives/mysql/samp_db.1999-10-02.gz

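If you are dumping a huge database, the output file will also be huge and may be difficult to manage. If you wish, you can dump the contents of individual tables by listing their names after the database name on the mysqldump command line, which splits the dump into smaller, more manageable files. The following example shows how to dump some of the tables of the samp_db database into separate files: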

%mysqldump samp_db student score event absence >grapbook.sql
%mysqldump samp_db member president >hist-league.sql

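If you are generating backup files that will be used to refresh the contents of another database periodically, you may want to use the --add-drop-table option. This tells the server to write DROP TABLE IF EXISTS statements to the backup file; then, when you take the backup file and load it into the second database, you will not get an error if the tables already exist.

If you are dumping a database so that you can move it to another server, you do not even need to create a backup file. Make sure the database exists on the other host, then dump the database through a pipe so that mysql reads the output of mysqldump directly. For example, to copy the database samp_db from the host pit-viper.snake.net to boa.snake.net, you can easily do it like this: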

%mysqladmin -h boa.snake.net create samp_db
%mysqldump samp_db | mysql -h boa.snake.net samp_db

Later, if you want to refresh the database on boa.snake.net again, skip the mysqladmin command but add --add-drop-table to mysqldump to avoid errors about tables that already exist:

%mysqldump --add-drop-table samp_db | mysql -h boa.snake.net samp_db

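Other useful mysqldump options include:

The combination of --flush-logs and --lock-tables helps with checkpointing your database. --lock-tables locks all the tables you are dumping, and --flush-logs closes and reopens the update log file, so the new update log contains only the queries that modify the database from the backup point on. This sets your update log checkpoint to the time of the backup. (However, if you have clients that need to perform updates, locking all the tables is not good for client access during the backup.)
If you use --flush-logs to set a checkpoint at backup time, it is probably best to dump the entire database. If you dump individual files, it is harder to synchronize update log checkpoints with the backup files. During recovery you usually extract update log contents on a per-database basis; there is no option for extracting the updates for individual tables, so you would have to extract them yourself.

By default, mysqldump reads the entire contents of a table into memory before writing it. This is usually unnecessary, and in fact it almost guarantees failure if you have a large table. You can use the --quick option to tell mysqldump to write each row as soon as it has retrieved it. To optimize the dump process further, use --opt instead of --quick. The --opt option turns on other options that speed up dumping the data and reading it back.
Backing up with --opt is probably the most common method because of its speed advantage. Be warned, however, that --opt has a price: what --opt optimizes is your backup process, not other clients' access to the database. The --opt option prevents anyone from updating any table you are dumping by locking all the tables at once. You can easily see the effect on general database access. If your database is normally used very heavily, just schedule the backup once a day.

An option with the opposite effect to --opt is --delayed. This option makes mysqldump write INSERT DELAYED statements rather than INSERT statements. If you are loading a data file into another database and want the operation to have minimal impact on queries that may be running in that database, --delayed helps.
The --compress option is helpful when you copy a database to another machine because it reduces the number of bytes sent over the network. Here is an example; notice that --compress is given only to the program that communicates with the server on the remote host, not to the one that connects to the local host:
%mysqldump --opt samp_db | mysql --compress -h boa.snake.net samp_db
mysqldump has many options; see the MySQL Reference Manual for details.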
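The naming, compression and expiry guidelines and the --opt and --flush-logs options described above can be combined into one script. This is an added example, not part of the original article; the variable names MYSQLDUMP, BACKUP_DIR and KEEP_DAYS, the 14-day default and the function names are assumptions.

```shell
#!/bin/sh
# Added example: dated, compressed, expiring mysqldump backups.
# MYSQLDUMP, BACKUP_DIR and KEEP_DAYS are assumptions of this sketch.
MYSQLDUMP=${MYSQLDUMP:-mysqldump}
BACKUP_DIR=${BACKUP_DIR:-/usr/archives/mysql}
KEEP_DAYS=${KEEP_DAYS:-14}

# backup_db DB: write BACKUP_DIR/DB.YYYY-MM-DD.gz and print its path.
# The dump goes to a temporary file first, so a failed mysqldump never
# leaves a truncated file under the final name (a plain
# "mysqldump | gzip > file" reports only gzip's exit status).
backup_db() {
    db=$1
    case $db in
        ''|*[!A-Za-z0-9_]*) echo "bad database name: $db" >&2; return 1 ;;
    esac
    out="$BACKUP_DIR/$db.$(date +%Y-%m-%d).gz"
    tmp="$BACKUP_DIR/.$db.$$.tmp"
    old_umask=$(umask)
    umask 077                         # dumps hold all table data
    if "$MYSQLDUMP" --opt --flush-logs "$db" > "$tmp" &&
       gzip -c "$tmp" > "$tmp.gz" &&
       gzip -t "$tmp.gz"; then
        mv "$tmp.gz" "$out"
        status=0
    else
        rm -f "$tmp.gz"
        status=1
    fi
    rm -f "$tmp"
    umask "$old_umask"
    [ "$status" -eq 0 ] && printf '%s\n' "$out"
    return "$status"
}

# prune_backups DB: delete this database's backups older than KEEP_DAYS.
prune_backups() {
    find "$BACKUP_DIR" -type f -name "$1.????-??-??.gz" \
        -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Usage: sh backup.sh samp_db menagerie
if [ "$#" -gt 0 ]; then
    for name in "$@"; do
        backup_db "$name" && prune_backups "$name"
    done
fi
```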

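2 Backup and Copy Methods That Copy the Database Directly
Another way to back up databases and tables that does not involve mysqldump is to copy the database table files directly. Typically this is done with utilities such as cp, tar or cpio. The examples in this article use cp.

When you use a direct backup method, you must make sure the tables are not in use. If the server changes a table while you are copying it, the copy is worthless.

The best way to ensure the integrity of your copies is to shut down the server, copy the files, and then restart the server. If you do not want to shut down the server, lock the server in the same way as when performing table checks. If the server is running, the same constraints apply to copying files, and you should use the same locking protocol to make the server "quiet down".

Assuming the server is down or you have locked the tables you want to copy, the following shows how to back up the entire samp_db database to a backup directory (DATADIR denotes the server's data directory):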

%cd DATADIR
%cp -r samp_db /usr/archive/mysql
Individual tables can be backed up as follows:

%cd DATADIR/samp_db
%cp member.* /usr/archive/mysql/samp_db
%cp score.* /usr/archive/mysql/samp_db
....

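When you have finished the backup, you can restart the server (if you shut it down) or release the locks on the tables (if you left the server running).

To copy a database from one machine to another by copying files directly, just copy the files to the appropriate data directory on the other server host. Make sure the files are in MyISAM format or that the two machines have the same hardware architecture; otherwise your database will have strange contents on the other host. You should also make sure the server on the other machine does not access the tables while you are installing them.


3 Replicating Databases
Replication is similar to copying a database to another server, but its precise meaning is keeping two databases fully synchronized in real time. This feature will appear in version 3.23 and is not yet very mature, so this article does not cover it in detail.

4 Recovering Data from Backups
Database damage happens for many reasons and to varying degrees. If you are lucky, you may have damaged only one or two tables (for example, in a power failure); if you are unlucky, you may have to replace the entire data directory (for example, after a disk failure). Recovery is also needed in some other situations, such as when a user mistakenly drops a database or table. Whatever the cause of these unfortunate events, you will need to perform some kind of recovery.

If tables are damaged but not lost, try to repair them with myisamchk or isamchk; if the damage can be fixed by a repair program, you may not need the backup files at all. For the table repair procedure, see "Database Maintenance and Repair".

The recovery process involves two sources of information: your backup files and the update logs. The backup files restore tables to the state they were in when the backup was made; however, tables have usually been modified between the backup and the time the problem occurred, and the update logs contain the queries used to make those changes. You can repeat the queries by using the log files as input to mysql. This is exactly why you should enable the update log.

The recovery procedure varies depending on how much information you must restore. In fact, restoring an entire database is easier than restoring a single table, because applying the update logs to a database is easier than applying them to a single table.

4.1 Restoring an Entire Database
First, if the database you want to restore is the mysql database that contains the grant tables, you need to run the server with the --skip-grant-tables option. Otherwise it will complain that it cannot find the grant tables. After you have restored the tables, run mysqladmin flush-privileges to tell the server to load the grant tables and use them.

Copy the contents of the database directory somewhere else, in case you need them later.
Reload the database from the latest backup file. If you use a file generated by mysqldump, use it as input to mysql. If you use files copied directly from the database, copy them straight back into the database directory; in that case, however, you need to shut down the database server before copying the files and restart it afterwards.
Use the update logs to repeat the queries that modified the database tables after the backup was made. Use any applicable update log as input to mysql. Specify the --one-database option so that mysql executes only the queries for the database you are interested in restoring. If you know you need to apply all the update log files, you can use this command in the directory containing the logs: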

% ls -t -r -1 update.[0-9]* | xargs cat | mysql --one-database db_name
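The ls command produces a single-column listing of the update log files, sorted in the order in which the server generated them. (Note: if you modify any of the files, you change the sort order, which causes the update logs to be applied in the wrong order.)

Most likely you will apply only some of the update logs. For example, if the update logs generated since your backup are named update.392, update.393 and so on, you can rerun them like this: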

%mysql --one-database db_name < update.392
%mysql --one-database db_name < update.393
.....

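If you are performing a recovery and using the update logs to restore information lost through an ill-advised DROP DATABASE, DROP TABLE or DELETE statement, make sure you remove those statements from the update logs before applying them.

4.2 Restoring Individual Tables
Restoring individual tables is more complicated. If you use a backup file generated by mysqldump and it does not contain only the data for the table you are interested in, you need to extract the relevant lines and use them as input to mysql. That is the easy part. The hard part is pulling out the pieces of the update logs that apply only to that table. You will find the mysql_find_rows utility helpful for this; it extracts multi-line queries from update logs.

Another possibility is to restore the entire database using another server and then copy the table files you want into the original database. This may really be easy! Make sure the server for the original database is shut down when you copy the files back into the database directory.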
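[center]MYSQL User Guide[/center]

Many people have installed mysql but do not know how to use it. In this article we learn some common MYSQL commands, covering connecting to MYSQL, changing passwords, adding users and so on.
I. Connecting to MYSQL.
Format: mysql -h<host address> -u<user name> -p<password>
1. Example 1: connect to MYSQL on the local machine.
First open a DOS window, change to the directory mysql\bin, then type the command mysql -uroot -p. After you press Enter you are prompted for the password; if MYSQL has just been installed, the superuser root has no password, so just press Enter to get into MYSQL. The MYSQL prompt is: mysql>
2. Example 2: connect to MYSQL on a remote host. Suppose the remote host's IP is 110.110.110.110, the user name is root and the password is abcd123. Then type the following command:
mysql -h110.110.110.110 -uroot -pabcd123
(Note: no space is needed between u and root; the same goes for the others)
3. Command to exit MYSQL: exit (press Enter)
II. Changing passwords.
Format: mysqladmin -u<user name> -p<old password> password <new password>
1. Example 1: give root the password ab12. First change to the directory mysql\bin in DOS, then type the following command
mysqladmin -uroot password ab12
Note: because root has no password at first, the -p<old password> part can be omitted.
2. Example 2: then change root's password to djg345.
mysqladmin -uroot -pab12 password djg345
III. Adding a new user. (Note: unlike the above, the following are commands in the MYSQL environment, so each ends with a semicolon as the command terminator)
Format: grant select on <database>.* to <user name>@<login host> identified by "<password>"
Example 1: add a user test1 with the password abc who can log in from any host and has query, insert, update and delete privileges on all databases. First connect to MYSQL as the root user, then type the following command:
grant select,insert,update,delete on *.* to test1@"%" Identified by "abc";
But the user added in Example 1 is very dangerous: if someone learns test1's password, he can log in to your mysql database from any computer on the internet and do whatever he likes with your data. See Example 2 for the solution.
Example 2: add a user test2 with the password abc who can only log in from localhost and can query, insert, update and delete in the database mydb (localhost means the local host, that is, the host the MYSQL database is on). This way, even if someone knows test2's password, he cannot access the database directly from the internet and can only reach it through the web pages on the MYSQL host.
grant select,insert,update,delete on mydb.* to test2@localhost identified by "abc";
If you do not want test2 to have a password, you can issue another command to remove the password.
grant select,insert,update,delete on mydb.* to test2@localhost identified by "";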


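(Part 2)
In Part 1 we covered logging in, adding users, changing passwords and so on. In Part 2 we look at database operations in MYSQL. Note: you must first log in to MYSQL; the operations below are all carried out at the MYSQL prompt, and every command ends with a semicolon.

I. Tips
1. If you press Enter and then notice you forgot the semicolon, you do not need to retype the command; just type a semicolon and press Enter. In other words, you can split one complete command over several lines and finish it with a semicolon.
2. You can use the up and down cursor keys to recall earlier commands. An old MYSQL version I used before did not support this, though. I am now using mysql-3.23.27-beta-win.

II. Display commands
1. List the databases.
show databases;
At first there are only two databases: mysql and test. The mysql database is very important; it holds MYSQL's system information, and changing passwords and adding users actually operate on this database.
2. List the tables in a database:
use mysql; //open the database; anyone who has learned FOXBASE will find this familiar
show tables;
3. Show the structure of a table:
describe <table name>;
4. Create a database:
create database <database name>;
5. Create a table:
use <database name>;
create table <table name> (<list of field definitions>);
6. Drop a database and drop a table:
drop database <database name>;
drop table <table name>;
7. Delete all records from a table:
delete from <table name>;
8. Show the records in a table:
select * from <table name>;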

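III. An example that creates a database and a table and inserts data
drop database if exists school; //drop SCHOOL if it exists
create database school; //create the database SCHOOL
use school; //open the database SCHOOL
create table teacher //create the table TEACHER
(
id int(3) auto_increment not null primary key,
name char(10) not null,
address varchar(50) default '深圳',
year date
); //end of table creation
//the following inserts the records
insert into teacher values('','glchengang','深圳一中','1976-10-10');
insert into teacher values('','jack','深圳一中','1975-12-23');

Note on the table definition: (1) ID is a numeric field of length 3, int(3), that increments automatically for each record (auto_increment), cannot be null (not null) and is the primary key (primary key). (2) NAME is a character field of length 10. (3) ADDRESS is a character field of length 50 with the default value 深圳 (Shenzhen). What is the difference between varchar and char? That will have to wait for a later article. (4) YEAR is a date field.
You can also type the commands above at the mysql prompt, but that is inconvenient for debugging. You can write the commands above verbatim into a text file, say school.sql, copy it to c:\, change to the directory mysql\bin in DOS, and then type the following command:
mysql -uroot -p<password> < c:\school.sql
If it succeeds, a blank line appears with no output; if there is an error, a message is shown. (The commands above have been tested; you only need to remove the // comments to use them.)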

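IV. Loading text data into the database
1. Format the text data must follow: fields are separated by tabs, and null values are written as \N.
Example:
3 rose 深圳二中 1976-10-10
4 mike 深圳一中 1975-12-23
2. Data load command: load data local infile "<file name>" into table <table name>;
Note: it is best to copy the file to the mysql\bin directory, and you must first select the database containing the table with the use command.

V. Backing up a database: (run the command in the mysql\bin directory in DOS)
mysqldump --opt school>school.bbb
Note: this backs up the database school to the file school.bbb. school.bbb is a text file and the file name is arbitrary; open it and take a look, you will discover something new.

Afterword: MYSQL's database operations are actually much the same as those of other SQL databases; you had best find a book on SQL to read. I have only covered some basics here; in fact that is all I know, ha ha. The best MYSQL tutorial is still the "MYSQL Chinese Reference Manual" translated by Yanzi (晏子): not only is it free and downloadable from every related site, it is also the most authoritative. It is a pity that it is not in chm format like the "PHP4 Chinese Manual", which makes looking up functions and commands less convenient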


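Changing Passwords and Setting Access Restrictions in MySQL

Date added: July 1, 2004

  MySQL is a true multi-user, multi-threaded SQL database server. MySQL is a client/server implementation that consists of a server daemon, mysqld, and many different client programs and libraries. Because its source code is open, it is stable, and it combines perfectly with PHP, the popular programming language for web sites, many sites now use it as their back-end database, and it has become widely used. For security reasons, each user needs to be given access restrictions on the different databases, to meet the requirements of different users. These topics are discussed in turn below for your reference.

  I. Summary of methods for changing a MySQL password

  First, a point to note: in general, changing a MySQL password requires root privileges in mysql, so an ordinary user cannot change a password unless they ask the administrator to help.

  Method 1

  Use phpMyAdmin (a graphical tool for managing MySql databases). This is the simplest: modify the user table of the mysql database directly with SQL statements, but do not forget to use the PASSWORD function. Insert users with the Insert command, modify users with the Update command, and delete them with the Delete command. A detailed description of the fields of the user table appears later in this section.

  Method 2

  Use mysqladmin. Enter

  mysqladmin -u root -p password newpasswd

  After running this command you have to enter root's old password, and root's password is then changed to newpasswd. Likewise, replace root in the command with your own user name and you can change your own password.

  Of course, if your mysqladmin cannot connect to the mysql server, or you have no way to run mysqladmin, this method does not work; moreover, mysqladmin cannot clear a password.

  The following methods are all used at the mysql prompt and require mysql root privileges:

  Method 3

  mysql> INSERT INTO mysql.user (Host,User,Password) VALUES ('%','system', PASSWORD('manager'));

  mysql> FLUSH PRIVILEGES;

  Strictly speaking, this adds a user, with the user name system and the password manager. Note that you must use the PASSWORD function and then run FLUSH PRIVILEGES to make the change take effect.

  Method 4

  The same as Method 3, except that it uses the REPLACE statement

  mysql> REPLACE INTO mysql.user (Host,User,Password) VALUES('%','system',PASSWORD('manager'));

  mysql> FLUSH PRIVILEGES;

  Method 5

  Use the SET PASSWORD statement

  mysql> SET PASSWORD FOR system@"%" = PASSWORD('manager');

  You must also use the PASSWORD() function here, but you do not need FLUSH PRIVILEGES to make the change take effect.

  Method 6

  Use the GRANT ... IDENTIFIED BY statement to grant privileges.

  mysql> GRANT USAGE ON *.* TO system@"%" IDENTIFIED BY 'manager';

  Here the PASSWORD() function is unnecessary, and you do not need FLUSH PRIVILEGES to make the change take effect either.

  Note: the PASSWORD() function encrypts the password; MySql interprets it automatically in the program.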

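  II. How to set access restrictions in MySql

  We use two methods to set up users.

  Go to the Mysql executable directory (usually c:\mysql\bin). Run mysqld-shareware.exe, then run mysql --user=root mysql; otherwise you cannot add new users. Carry out the operations at the mysql> prompt.

  Suppose we want to create a superuser with the user name system and the password manager.

  Method 1

  Grant privileges with the Grant command. Enter the following code:

  mysql>GRANT ALL PRIVILEGES ON *.* TO system@localhost IDENTIFIED BY 'manager' WITH GRANT OPTION;

  It should display: Query OK, 0 rows affected (0.38 sec)

  Method 2

  Set each of the user's privileges individually:

  mysql>INSERT INTO user VALUES('localhost','system',PASSWORD('manager'),
  'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

  For MySQL version 3.22.34 there are 14 "Y" values here, and the corresponding privileges are as follows (in field order):

  Privilege | Column name | Explanation | Scope
  select | Select_priv | The select privilege is needed only when you actually retrieve rows from a table | tables
  insert | Insert_priv | Allows you to insert new rows into an existing table | tables
  update | Update_priv | Allows you to update columns of rows in an existing table with new values | tables
  delete | Delete_priv | Allows you to delete rows that match a condition | tables
  create | Create_priv | Allows you to create new databases and tables | databases, tables or indexes
  drop | Drop_priv | Drops (deletes) existing databases and tables | databases or tables
  reload | Reload_priv | Allows you to tell the server to re-read the grant tables | server administration
  shutdown | Shutdown_priv | Can be abused (to deny service to other users by terminating the server) | server administration
  process | Process_priv | Allows you to view the plain text of currently executing queries, including queries that set or change passwords | server administration
  file | File_priv | Can be abused to read any readable file on the server into a database table | file access on the server
  grant | Grant_priv | Allows you to give other users the privileges you yourself hold | databases or tables
  references | References_priv | Allows you to open and close log files | databases or tables
  index | Index_priv | Allows you to create or drop (delete) indexes | tables
  alter | Alter_priv | Allows you to alter tables; can be used to subvert the privilege system by renaming tables | tables

  If a user is created with only the select, insert, update and delete privileges, the user is only allowed to operate on the existing tables of a database.

  Now we can create the database we are going to use by entering the command directly. For example, to create a database named XinXiKu, use the following code:

  mysql>create database XinXiKu;

  It should display: Query OK, 1 row affected (0.00 sec)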
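The risks named on this page (an account such as test1@"%" that can log in from any host, an account whose password was removed, and the file, grant, shutdown and process privileges) can be checked from a dump of the user table. This is an added example, not part of the original article; the function names and the sample rows, including the password hash strings, are constructed, and the column names are those of the user table of the MySQL versions discussed here.

```shell
#!/bin/sh
# Added example: flag risky rows in a dump of the mysql.user table.
# Input: tab-separated Host, User, Password, File_priv, Grant_priv,
# Shutdown_priv, Process_priv, for example produced with
#   mysql -uroot -p -B -N -e "SELECT Host,User,Password,File_priv,
#     Grant_priv,Shutdown_priv,Process_priv FROM mysql.user"
audit_users() {
    awk -F '\t' '
    {
        acct = ($2 == "" ? "(anonymous)" : $2) "@" $1
        if ($1 == "%" || $1 == "")  print "WILDCARD_HOST\t" acct
        if ($3 == "")               print "EMPTY_PASSWORD\t" acct
        if ($2 != "root") {          # root is expected to hold these
            if ($4 == "Y") print "FILE_PRIV\t" acct
            if ($5 == "Y") print "GRANT_PRIV\t" acct
            if ($6 == "Y") print "SHUTDOWN_PRIV\t" acct
            if ($7 == "Y") print "PROCESS_PRIV\t" acct
        }
    }'
}

# Constructed sample rows modelled on the accounts created on this page;
# the Password values are placeholders, not real hashes.
sample_users() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        localhost root   constructedhash01 Y Y Y Y \
        %         test1  constructedhash02 N N N N \
        localhost test2  ''                N N N N \
        %         system constructedhash03 Y Y Y Y
}

sample_users | audit_users
```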
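 I originally thought it would be simple enough to just buy a domain name from a reseller, but given how chaotic things actually are in China, I decided to pay the reseller deposit myself and manage domain registration on my own. This is mainly for the long-term safety of the domain names my friends and I use. It is more reassuring to manage them myself. Lately I will be busy transferring my own and my friends' domain names into my name.

I can also offer hosting space from several friends' companies, and since I am often in contact with people abroad, I can help friends who need overseas hosting or services.

If you have a domain name or are about to buy one, it would be best to transfer it to me. It is not about price, but about professionalism and peace of mind. We should manage our own.
If possible I will also try to resell overseas domain registration and other services directly. In China, changing the registrant information is not allowed.

I have now signed an agreement with Xinnet (新网).  Xin Net Technology Corporation      R118-LROR.

Friends, I need your lasting support.  Here I want to give many thanks to the netizen MY, who provided all the help he could with this!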


 



How can I learn English more quickly and better?

I feel that my English has a lot of errors; at least, it seems I do not have a thorough knowledge of the grammar from start to finish.

Who can help and tell me how to go about it diligently?

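Today I followed the guidance that the official international PHP authors wrote to me in a letter about PHP's support for the new MYSQL 4.1 version. I searched all over in China and could not find correct information. As advised, I switched from PHP4.39 to PHP5.02. Well, the PHP5 version can be used now. There used to be many problems. The official team has also put together a feature pack. Not bad, it collects quite a lot.

PHP5 really has added many new features, in particular quite a lot of added support for WINDOWS.

In my configuration I installed as many features as possible, but some of them cause problems with programs originally written for PHP4. So here I list the ones that cannot be installed and used: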

;extension=php_threads.dll
;extension=php_classkit.dll
;extension=php_zlib_filter.dll
;extension=php_bcompiler.dll

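Do not install the modules above. Although they can be installed, repeated testing confirmed that they have compatibility problems.


The ones below either work or cannot be installed directly, so problems with them are easy to spot.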

;Windows Extensions
;Note that ODBC support is built in, so no dll is needed for it.
;

extension=php_bz2.dll
extension=php_cpdf.dll
extension=php_curl.dll
extension=php_dba.dll
extension=php_dbase.dll
extension=php_dbx.dll
;extension=php_exif.dll
extension=php_fdf.dll
extension=php_filepro.dll
extension=php_gd2.dll
extension=php_gettext.dll
;extension=php_iconv.dll
;extension=php_ifx.dll
extension=php_iisfunc.dll
extension=php_imap.dll
extension=php_interbase.dll
extension=php_java.dll
extension=php_ldap.dll
extension=php_mbstring.dll
extension=php_mcrypt.dll
extension=php_mhash.dll
extension=php_mime_magic.dll
extension=php_ming.dll
extension=php_mssql.dll
extension=php_msql.dll
extension=php_mysql.dll
;extension=php_oci8.dll
extension=php_openssl.dll
;extension=php_oracle.dll
extension=php_pdf.dll
extension=php_pgsql.dll
extension=php_shmop.dll
extension=php_snmp.dll
extension=php_sockets.dll
;extension=php_sybase_ct.dll
extension=php_tidy.dll
;extension=php_w32api.dll
extension=php_xmlrpc.dll
extension=php_xsl.dll
;extension=php_yaz.dll
extension=php_zip.dll

Additional:
extension=php_mysqli.dll (this one is required to support the new MYSQL4.1)
extension=php_adt.dll
extension=php_apd.dll
extension=php_blenc.dll
extension=php_bz2_filter.dll
extension=php_crack.dll
extension=php_cvsclient.dll
extension=php_date.dll
extension=php_db.dll
extension=php_dio.dll
extension=php_domxml.dll
extension=php_ffi.dll
extension=php_fribidi.dll
extension=php_gopher.dll
extension=php_hyperwave.dll
extension=php_id3.dll
;extension=php_imagick.dll
extension=php_lzf.dll
extension=php_mailparse.dll
extension=php_memcache.dll
;extension=php_netools.dll
extension=php_ntuser.dll
extension=php_pdo.dll
extension=php_pdo_firebird.dll
extension=php_pdo_mysql.dll
extension=php_pdo_odbc.dll
extension=php_pdo_pgsql.dll
extension=php_soap.dll
extension=php_win32std.dll
extension=php_xmlreader.dll
extension=php_xmlwriter.dll
-------------------------------------------------------

2004.11.22 BY Liuxyon
