1. Introduction
Nginx and PHP are compiled from source; MariaDB is installed with yum.
1.1 Environment versions
OS: CentOS 7.3
Nginx: Nginx-1.12
MariaDB: MariaDB-5.5.52
PHP: PHP-7.1.4
WordPress: WordPress-4.7.3
Let's Encrypt
1.2 Deployment layout
Package directory: /root/
Nginx install directory: /usr/local/nginx/
Nginx main configuration file: /usr/local/nginx/conf/nginx.conf
Nginx web root: /usr/local/nginx/html/
PHP install directory: /usr/local/php7/
PHP configuration file: /usr/local/php7/php.ini
2. Preparation
2.1 Install or update the required tools
yum -y install vim gcc gcc-c++
2.2 Create the required directories
cd into the user's home directory; nginx holds the Nginx sources and related files, php holds the PHP sources and related files.
cd
mkdir nginx
mkdir php
3. Installation
3.1 Nginx
cd && cd nginx
3.1.1 Unpack openssl
wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
tar -zxvf openssl-1.1.0e.tar.gz
If you get "bash: wget: 未找到命令" (wget: command not found), run yum -y install wget to install wget.
3.1.2 Unpack pcre
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
tar -zxvf pcre-8.40.tar.gz
3.1.3 Unpack zlib
wget http://zlib.net/zlib-1.2.11.tar.gz
tar -zxvf zlib-1.2.11.tar.gz
Alternatively, install the development packages directly (if you take this route, omit the --with-openssl, --with-pcre and --with-zlib source-path options from the ./configure command below, since they expect unpacked source trees):
yum -y install pcre-devel zlib-devel openssl-devel
3.1.4 Install Nginx
--prefix sets the install path, --user sets the unprivileged user, --group sets the unprivileged group, --with-http_ssl_module enables the http_ssl module, --with-http_v2_module enables the http_v2 module, --with-openssl points at the openssl source tree, --with-pcre points at the pcre source tree, and --with-zlib points at the zlib source tree.
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar -zxvf nginx-1.12.0.tar.gz
cd nginx-1.12.0
useradd nginx -s /sbin/nologin -M    # service account: no login shell, no home directory
usermod -G nginx nginx
./configure --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-openssl=/root/nginx/openssl-1.1.0e \
    --with-pcre=/root/nginx/pcre-8.40 \
    --with-zlib=/root/nginx/zlib-1.2.11
make
make install
Allow port 80 through the firewall and restart firewalld:
firewall-cmd --zone=public --add-port=80/tcp --permanent
systemctl restart firewalld.service
Edit the nginx configuration file:
cd /usr/local/nginx/
vim conf/nginx.conf

user nginx;    # line 2: uncomment and change nobody to nginx

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;

    location / {
        root   html;
        index  index.html index.htm;
    }

    # uncomment lines 65-71 and change line 69 to /usr/local/nginx/html/$fastcgi_script_name;
    location ~ \.php$ {
        root           html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html/$fastcgi_script_name;
        include        fastcgi_params;
    }

    # uncomment lines 76-78
    location ~ /\.ht {
        deny  all;
    }
}
Create the nginx systemd service:
vim /lib/systemd/system/nginx.service
Add:
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Enable Nginx at boot and start it:
systemctl enable nginx.service
systemctl start nginx.service
3.2 MariaDB
Install MariaDB with yum:
yum -y install mariadb mariadb-server mariadb-devel
Enable MariaDB at boot and start it:
systemctl enable mariadb
systemctl start mariadb
Run the MySQL secure-installation wizard: press Enter (the current root password is empty), answer Y and enter the new root password twice, then press Enter to accept the default Y for each of the remaining four questions (remove anonymous users, disallow remote root login, remove the test database, reload the privilege tables).
mysql_secure_installation
Connect to the database server:
mysql -u root -p
3.3 PHP
Install or update the required tools:
yum -y install libxml2 libxml2-devel bzip2 bzip2-devel libcurl libcurl-devel libwebp libwebp-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libmcrypt libmcrypt-devel php-gd
Install PHP:
cd && mkdir -p php && cd php    # the php directory was already created in 2.2; -p keeps mkdir from failing
wget http://jp2.php.net/distributions/php-7.1.4.tar.gz
tar -zxvf php-7.1.4.tar.gz
cd php-7.1.4
./configure --prefix=/usr/local/php7 \
    --with-config-file-path=/usr/local/php7/etc \
    --enable-fpm \
    --enable-mysqlnd \
    --enable-zip \
    --enable-mbstring \
    --with-fpm-user=nginx \
    --with-fpm-group=nginx \
    --with-pdo-mysql=mysqlnd \
    --with-mysql-sock=/var/lib/mysql/mysql.sock \
    --with-mysqli=/usr/bin/mysql_config \
    --with-gd \
    --enable-gd-native-ttf \
    --with-zlib \
    --with-mcrypt \
    --with-openssl \
    --with-bz2 \
    --with-pear \
    --with-webp-dir \
    --with-jpeg-dir \
    --with-freetype-dir \
    --with-libxml-dir \
    --with-zlib-dir \
    --with-curl
make && make install
If you see:
No package libmcrypt available.
No package libmcrypt-devel available.
run:
yum -y install epel-release    # adds the EPEL repository
yum update                     # refreshes the yum sources
yum -y install libmcrypt libmcrypt-devel
and it will work.
Edit the PHP configuration file php.ini:
cp php.ini-production /usr/local/php7/etc/php.ini
cd /usr/local/php7/etc
vim php.ini
extension=php_bz2.dll          ; line 892: remove the leading ; to enable the extension
extension=php_curl.dll         ; line 893: remove the leading ; to enable the extension
extension=php_gd2.dll          ; line 896: remove the leading ; to enable the extension
extension=php_mbstring.dll     ; line 903: remove the leading ; to enable the extension
extension=php_mysqli.dll       ; line 905: remove the leading ; to enable the extension
extension=php_openssl.dll      ; line 907: remove the leading ; to enable the extension
extension=php_pdo_mysql.dll    ; line 909: remove the leading ; to enable the extension
; Note: these entries are the Windows DLL section of php.ini-production. On this build bz2, curl,
; gd, mbstring, mysqli, openssl and pdo_mysql are already compiled in by the ./configure options
; above, so enabling .dll lines on Linux is unnecessary and only produces "Unable to load dynamic
; library" warnings at startup. Confirm the compiled-in modules with: /usr/local/php7/bin/php -m
cp php-fpm.conf.default php-fpm.conf
cp php-fpm.d/www.conf.default php-fpm.d/www.conf
Create the php-fpm systemd service:
vim /lib/systemd/system/php-fpm.service
Add:
[Unit]
Description=php-fpm
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/php7/sbin/php-fpm
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Enable PHP at boot and start it:
systemctl enable php-fpm.service
systemctl start php-fpm.service
Create a phpinfo.php test file:
vim /usr/local/nginx/html/phpinfo.php

<?php
// Delete this file once the test succeeds: phpinfo() discloses the full build configuration.
phpinfo();
?>
Open http://ip/phpinfo.php; the phpinfo page should be displayed.
3.4 Install WordPress
cd
wget https://cn.wordpress.org/wordpress-4.7.3-zh_CN.tar.gz
tar -zxvf wordpress-4.7.3-zh_CN.tar.gz
mkdir /usr/local/nginx/html/example.com/
mv wordpress/* /usr/local/nginx/html/example.com/
chown -R nginx:nginx /usr/local/nginx/html/example.com/
Edit the nginx configuration file to support multiple sites:
cd /usr/local/nginx/
vim conf/nginx.conf

user nginx;

server {
    listen       80 default_server;    # add default_server (line 36)
    server_name  _;                    # change localhost to _ (line 37)
    return       444;                  # add this line (line 38): the non-standard status 444 closes the connection without sending a response, so requests matching no configured server_name get nothing back
    #charset koi8-r;
    server_tokens off;                 # add this line (line 40): do not reveal the version number
    #access_log  logs/host.access.log  main;

    location / {
        root   html;
        index  index.html index.htm;
    }

    location ~ /\.ht {
        deny  all;
    }
}

include /usr/local/nginx/vhosts/*;     # add this line (line 80) inside http { } but after the closing } of the server { } above: nginx does not allow a server block inside another server block
Create an Nginx configuration file for WordPress and paste in the following:
mkdir vhosts
vim vhosts/example.com.conf

server {
    listen       80;
    server_name  example.com;
    client_max_body_size 20m;

    location / {
        root   /usr/local/nginx/html/example.com/;
        index  index.php index.html index.htm;
        if (-f $request_filename/index.html){
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename/index.php){
            rewrite (.*) $1/index.php;
        }
        if (!-f $request_filename){
            rewrite (.*) /index.php;
        }
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html/example.com/$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Restart Nginx:
systemctl restart nginx.service
Open WordPress:
http://example.com/
Click "Start installation" and follow the prompts to finish.
3.5 Securing Nginx with Let's Encrypt
This section follows https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
Install or update epel and certbot:
yum -y install epel-release certbot
Request the certificate. The -d option specifies our domain name; a single certificate can also cover several domains (for example example.com and www.example.com):
certbot certonly -a webroot --webroot-path=/usr/local/nginx/html/example.com -d example.com -d www.example.com
After certbot initialises, it prompts you for some information.
At the prompt, enter the e-mail address to be used for notices and lost-key recovery.
If everything succeeds, you should see output like the following:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire
   on 2016-03-15. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If you lose your account credentials, you can recover through
   e-mails sent to sammy@digitalocean.com
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Let's Encrypt so
   making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Note the certificate path and the expiry date, which are highlighted in the sample output.
Certificate files
Once the certificate is issued, you will have the following PEM-encoded files:
cert.pem: your domain's certificate
chain.pem: the Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: your certificate's private key
To further improve security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use the following command:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Edit the Nginx site configuration file to enable SSL:
vim /usr/local/nginx/vhosts/example.com.conf

server {
    listen       80;
    listen       443 http2 ssl;
    server_name  example.com www.example.com;
    client_max_body_size 20m;
    server_tokens off;

    # Nginx redirect to HTTPS; works when port 80 and 443 are configured in the same server{}
    if ($server_port = 80) {
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location ~ /.well-known {
        allow all;
    }

    location / {
        root   /usr/local/nginx/html/example.com/;
        index  index.php index.html index.htm;
        if (-f $request_filename/index.html){
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename/index.php){
            rewrite (.*) $1/index.php;
        }
        if (!-f $request_filename){
            rewrite (.*) /index.php;
        }
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html/example.com/$fastcgi_script_name;
        include        fastcgi_params;
    }
}
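To check a site file against the settings the SSL block above and the default-server block in 3.4 are meant to provide, here is an added example (my own, not part of the tutorial or of cipherli.st): a POSIX shell audit that reads directive values with sed and awk, confirms that server_tokens off, ssl_session_tickets off, OCSP stapling, ssl_prefer_server_ciphers, a Strict-Transport-Security header and ssl_dhparam are all set, and warns when ssl_protocols still lists SSLv3, TLSv1 or TLSv1.1, which RFC 8996 deprecates (the 2017 cipherli.st block above still enables TLSv1 and TLSv1.1). The write_tls_sample helper writes a constructed fragment modelled on the block so the script runs without nginx; the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the TLS-related directives of an nginx vhost.
# The exit status of audit_tls_conf is the number of warnings, so it can gate a deploy step.

# Print the value of the first occurrence of directive $2 in file $1
# (nginx comments stripped, directive name and trailing ';' removed).
directive_value() {
  sed -e 's/#.*//' "$1" | awk -v d="$2" '
    $1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/;[ \t]*$/, ""); print; exit }'
}

# Report one OK/WARN line per check on stdout; return the number of warnings.
audit_tls_conf() {
  warns=0
  # Directives the tutorial's block sets to a fixed value.
  for pair in server_tokens:off ssl_session_tickets:off ssl_stapling:on \
              ssl_stapling_verify:on ssl_prefer_server_ciphers:on; do
    name=${pair%%:*}
    want=${pair#*:}
    got=$(directive_value "$1" "$name")
    if [ "$got" = "$want" ]; then
      echo "OK   $name $got"
    else
      echo "WARN $name is '${got:-unset}', expected '$want'"
      warns=$((warns + 1))
    fi
  done
  # Protocol versions: SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 8996 for TLS 1.0/1.1).
  protos=$(directive_value "$1" ssl_protocols)
  case " $protos " in
    *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
      echo "WARN ssl_protocols '$protos' still enables a deprecated protocol"
      warns=$((warns + 1)) ;;
    "  ")
      echo "WARN ssl_protocols unset (nginx default applies)"
      warns=$((warns + 1)) ;;
    *)
      echo "OK   ssl_protocols $protos" ;;
  esac
  # HSTS header and DH parameters must be present (commented-out lines do not count).
  if sed -e 's/#.*//' "$1" | grep -q 'add_header[[:space:]]*Strict-Transport-Security'; then
    echo "OK   Strict-Transport-Security header set"
  else
    echo "WARN no Strict-Transport-Security header"
    warns=$((warns + 1))
  fi
  if [ -n "$(directive_value "$1" ssl_dhparam)" ]; then
    echo "OK   ssl_dhparam set"
  else
    echo "WARN ssl_dhparam missing"
    warns=$((warns + 1))
  fi
  return $warns
}

# Write a constructed vhost fragment modelled on the tutorial's block to $1,
# with the ssl_protocols value taken from $2 (sample data, not a real site).
write_tls_sample() {
  cat > "$1" <<EOF
server {
    listen 443 http2 ssl;
    server_name example.com www.example.com;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols $2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
EOF
}

# Usage against the live file:  audit_tls_conf /usr/local/nginx/vhosts/example.com.conf
```

Run against the block as written on this page, the only warning is the protocol list; replacing it with "TLSv1.2 TLSv1.3" (on an OpenSSL build that supports TLS 1.3) brings the audit to zero warnings. The awk only reads the first occurrence of each directive, so a file with several server { } blocks should be split before auditing.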
Add the firewall rules and restart firewalld:
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
systemctl restart firewalld.service
Restart Nginx:
systemctl restart nginx.service
Now visiting http://example.com/ redirects automatically to https://example.com/.
You can use the Qualys SSL Labs report to see how the server configuration scores:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
Set up automatic renewal:
crontab -e
Add the following:
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 * * 1 /usr/bin/systemctl restart nginx.service
That completes compiling and installing LNMP on CentOS 7.3 with multi-site and HTTPS support. This is my first tutorial; please follow for more~
[root@ip nginx]# vim vhosts/example.com.conf
[root@ip nginx]# systemctl restart nginx.service
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@ip nginx]# systemctl startus nginx.service
Unknown operation 'startus'.
[root@ip nginx]# systemctl status nginx.service -l
● nginx.service - nginx
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2018-09-15 05:47:03 UTC; 49s ago
Process: 11811 ExecStop=/usr/local/nginx/sbin/nginx -s quit (code=exited, status=1/FAILURE)
Process: 11815 ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf (code=exited, status=1/FAILURE)
Main PID: 11768 (code=exited, status=0/SUCCESS)
systemd[1]: Unit nginx.service entered failed state.
systemd[1]: nginx.service failed.
systemd[1]: Starting nginx...
nginx[11815]: nginx: [emerg] "server" directive is not allowed here in /usr/local/nginx/vhosts/example.com.conf:1
systemd[1]: nginx.service: control process exited, code=exited status=1
systemd[1]: Failed to start nginx.
systemd[1]: Unit nginx.service entered failed state.
systemd[1]: nginx.service failed.
[root@ip nginx]#
I can't get past this point:
nginx[11815]: nginx: [emerg] "server" directive is not allowed here in /usr/local/nginx/vhosts/example.com.conf:1
There is an error in the first line of the configuration file.
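The error in the comment above is what nginx reports when the include added in 3.4 (include /usr/local/nginx/vhosts/*;) ends up inside a server { } block instead of directly inside http { }: the vhost file's own server { on its line 1 is then nested in another server block, which nginx rejects. As an added example that is not part of the tutorial or of the comments, the POSIX shell script below computes the brace depth at which each vhosts include sits, using two constructed minimal nginx.conf files (their contents and paths are assumptions for illustration); it needs only awk, not nginx, and complements rather than replaces nginx -t.

```shell
#!/bin/sh
# Added example (not from the tutorial or the comments): find the brace depth of each
# `include ... vhosts ...;` line in an nginx.conf. nginx accepts server { } only directly
# inside http { }, so the include must be at depth 1; at depth 2 it sits inside a server
# block and nginx fails with "server directive is not allowed here in ...conf:1".

# Print "<depth> <line-number>" for every include directive mentioning vhosts in file $1.
vhost_include_depths() {
  awk '
    BEGIN { depth = 0 }
    {
      line = $0
      sub(/#.*/, "", line)                       # ignore braces inside nginx comments
      if (line ~ /include[ \t]+[^;]*vhosts/) print depth " " NR
      depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line)
    }
  ' "$1"
}

# Exit 0 when at least one vhosts include exists and all of them are at depth 1, else 1.
vhost_include_ok() {
  vhost_include_depths "$1" | awk '
    { seen = 1; if ($1 != 1) bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# Write a constructed minimal nginx.conf to $1; $2 is "good" (include after the default
# server block, as the tutorial intends) or "bad" (include inside it, which reproduces
# the error quoted in the comment).
write_sample_conf() {
  if [ "$2" = "good" ]; then
    cat > "$1" <<'EOF'
user nginx;
events { worker_connections 1024; }
http {
    server_tokens off;
    server {
        listen 80 default_server;
        server_name _;
        return 444;
        location ~ /\.ht { deny all; }
    }
    include /usr/local/nginx/vhosts/*;
}
EOF
  else
    cat > "$1" <<'EOF'
user nginx;
events { worker_connections 1024; }
http {
    server {
        listen 80 default_server;
        server_name _;
        return 444;
        include /usr/local/nginx/vhosts/*;    # wrong place: inside server { }
    }
}
EOF
  fi
}

# Usage on the live file:
# vhost_include_ok /usr/local/nginx/conf/nginx.conf && echo "vhosts include placed correctly"
```

The depth counter is deliberately simple: it strips comments before counting and assumes braces are not used inside quoted strings or location regexes, which holds for the configuration on this page. A reported depth of 2 means the include line must move below the closing } of the default server block.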