
Installing LNMP (Linux+Nginx+MariaDB+PHP) on a fresh CentOS 7 system, with multi-site configuration

Date: 2016-05-29 23:39  Source: linux.it.net.cn  Author: IT


This article covers installing LNMP (Linux+Nginx+MariaDB+PHP) on a freshly installed CentOS 7 system; this blog runs on exactly this setup. The CentOS 7 installation itself is skipped. After a fresh install, harden the system first (SSH access, firewall, updates) before exposing any service.

1. Preparation

1.1 Install the EPEL repository

yum -y install epel-release.noarch

1.2 Update the system manually

yum -y update

1.3 Set the system time zone to Hong Kong, then check the time zone setting

timedatectl set-timezone Asia/Hong_Kong
timedatectl

2. Install Nginx

2.1 Add the official nginx repository

Check http://nginx.org/packages/centos/7/noarch/RPMS/ for the latest release package

rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

2.2 Install nginx

yum -y install nginx

2.3 Edit the nginx main configuration file

vi /etc/nginx/nginx.conf

Find worker_processes and set it to the number of CPU cores (nproc shows the count; current nginx versions also accept the value auto)

worker_processes 4;

Find gzip, uncomment it and set

gzip on;

Add the global parameter server_tokens in the http {} block (hides the nginx version number in the Server header and on error pages)

server_tokens off;

Edit the default site configuration file:

vi /etc/nginx/conf.d/default.conf

Comment out the existing server {} block and add the following. It is a catch-all server for requests on port 80 that carry no Host header, or a Host that matches no configured site (scanners hitting the bare IP address, for example), so that such requests are never answered by whichever site nginx would otherwise pick as the implicit default. default_server is the current spelling of the older default flag.

server {
    listen 80 default_server;
    return 500;
}

(nginx's non-standard status 444, which closes the connection without sending a response, is a common alternative to 500 here.)

2.4 Open the HTTP port in the firewall

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

2.5 Start nginx and enable it at boot

systemctl start nginx.service
systemctl enable nginx.service

If Apache is running it conflicts with nginx on port 80; stop and remove it

systemctl stop httpd.service
systemctl disable httpd.service
yum -y remove httpd

nginx main configuration file: /etc/nginx/nginx.conf
nginx default configuration directory: /etc/nginx/conf.d/
nginx default document root: /usr/share/nginx/html/
nginx default log directory: /var/log/nginx/

3. Install MariaDB

3.1 Install mariadb

yum -y install mariadb mariadb-server net-tools

3.2 Start mariadb and enable it at boot

systemctl start mariadb.service
systemctl enable mariadb.service

3.3 Security settings

mysql_secure_installation

When run, it first asks for the current root password: press Enter (it is empty on a fresh install). It then offers to set a root password: press Enter (default yes) and type the new password twice. Accept the default (yes) for the remaining prompts, which remove the anonymous users, disallow remote root login, drop the test database and reload the privilege tables.

4. Install PHP (php-fpm mode)

4.1 Install php (php-fpm mode) and the related extensions

yum -y install php-fpm php-cli php-mysql php-gd php-ldap php-odbc php-pdo php-pecl-memcache php-pear php-mbstring php-xml php-xmlrpc php-snmp php-soap

4.2 Install APC support (pecl install apc prompts for configuration options; press Enter for all of them)

yum -y install php-devel
yum -y groupinstall 'Development Tools'
pecl channel-update pecl.php.net
pecl install apc

APC only applies to the PHP 5.4 that CentOS 7 ships by default; on PHP 5.5 or later use the built-in opcache (package php-opcache) instead and skip this step. The Development Tools group installs a full compiler toolchain; remove it again afterwards if you do not want build tools on a production web server.

4.3 Edit the php configuration file

vi /etc/php.ini

Find expose_php and change it to the following (hides the PHP version, which is otherwise sent in the X-Powered-By header):

expose_php = Off

Find cgi.fix_pathinfo and date.timezone and change them to the following. cgi.fix_pathinfo = 0 stops PHP from "fixing" a path such as /uploads/image.jpg/x.php into a request for image.jpg, a classic way of getting an uploaded file executed as PHP:

cgi.fix_pathinfo = 0
date.timezone = "Asia/Hong_Kong"

Find Dynamic Extensions and insert the following in that block:

extension=apc.so

4.4 Edit the php-fpm configuration file

vi /etc/php-fpm.d/www.conf

Find listen = 127.0.0.1:9000 and change it to the following

listen = /var/run/php-fpm/php-fpm.sock

Depending on the php-fpm build the socket is created with mode 0660, so its owner and group must allow the nginx worker processes to connect (otherwise nginx logs "permission denied" and returns 502); uncomment and set

listen.owner = nginx
listen.group = nginx

Find user = apache and change it to the following

user = nginx

Find group = apache and change it to the following

group = nginx

4.5 Start php-fpm and enable it at boot

systemctl enable php-fpm.service
systemctl start php-fpm.service

5. Nginx multi-site configuration (php-fpm mode)

5.1 Create the directory tree for the site ifshow

mkdir -p /data/ifshow/web
mkdir -p /data/ifshow/log
mkdir -p /data/ifshow/tmp/session

5.2 Create the user ifshow that runs this site in isolation

useradd -d '/data/ifshow' -s /sbin/nologin ifshow
passwd ifshow
usermod -aG nginx ifshow
chown -R ifshow:nginx /data/ifshow

The shell is /sbin/nologin, so the password is only used by services that authenticate against system accounts (the FTP server in section 7, for example); skip passwd if no such service is planned. usermod -aG appends the nginx group; -G on its own would replace the user's supplementary groups.

5.3 Add the nginx configuration file for the site ifshow

vi /etc/nginx/conf.d/ifshow.conf

Enter the following

server {
    listen 80;
    server_name www.it.net.cn;
    access_log /data/ifshow/log/access.log;
    error_log /data/ifshow/log/error.log;
    root /data/ifshow/web;
    index index.php index.html index.htm;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Deny all attempts to access hidden files such as .htaccess
    # Deny access to any files with a .php extension in the uploads directory
    # These two blocks must come BEFORE the \.php$ block: nginx uses the first
    # regex location that matches, so with the PHP block first a request for
    # /uploads/x.php would be handed to php-fpm and executed instead of denied.
    #
    location ~ /\. {
        deny all;
    }
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # pass the PHP scripts to FastCGI server listening on sock
    #
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/ifshow.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # The 403 image itself must be exempt from the referer check below: the
    # browser sends the hotlinking page as referer when it follows the
    # redirect, so without this exact-match location the redirect loops.
    location = /403.png {
        expires 30d;
        access_log off;
    }
    location ~* \.(gif|jpg|jpeg|png|bmp|txt|zip|jar|swf)$ {
        expires 30d;
        access_log off;
        valid_referers none blocked *.it.net.cn server_names ~\.google\. ~\.baidu\. ~\.bing\. ~\.yahoo\. ~\.soso\. ~\.sogou\. ~\.alexa\. ~\.haosou\. ~\.youdao\.;
        if ($invalid_referer) {
            #return 403;
            rewrite ^/ http://www.it.net.cn/403.png;
        }
    }
    rewrite ^/sitemap.xml$ /sitemap.php last;
}

server {
    server_name it.net.cn;
    rewrite ^/(.*)$ http://www.$host/$1 permanent;
}

Explanation: listen on port 80 with per-site log files; do not log requests for (or errors about) favicon.ico and robots.txt; enable php-fpm through the ifshow.sock socket; deny access to hidden files starting with a dot (such as .htaccess); deny access to php files under the uploads and files directories (the usual upload locations); hotlink protection for images; rewrite sitemap.xml to sitemap.php; redirect it.net.cn to www.it.net.cn. Note the order of the regex locations: nginx takes the first matching regex location in file order, which is why the two deny blocks are placed ahead of the \.php$ block. try_files $uri =404 ensures that only scripts that actually exist are passed to php-fpm.

If the site uses both http and https, change the beginning of the configuration file to:

server {
    listen 80;
    listen 443 ssl;
    server_name www.it.net.cn;
    ssl_certificate /data/ifshow/crt/www.it.net.cn.crt;
    ssl_certificate_key /data/ifshow/crt/www.it.net.cn.key;

This adds a listener for port 443 in ssl mode and points at the certificate and private key. Keep the key readable by root only: the nginx master process reads it as root before the workers drop privileges, and it should not be readable by the site user. Port 443 also has to be opened in the firewall, as in 2.4 but with the https service. When a site serves both http and https, page files can reference the site's own resources with protocol-relative URLs (//... without the http: or https: prefix); the browser then uses the scheme of the current page.

To force https and redirect all http requests to https, change the beginning and end of the configuration file as follows:

server {
    listen 443 ssl;
    server_name www.it.net.cn;
    ssl_certificate /data/ifshow/crt/www.it.net.cn.crt;
    ssl_certificate_key /data/ifshow/crt/www.it.net.cn.key;
...
}
server {
    listen 80;
    server_name www.it.net.cn;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    server_name it.net.cn;
    rewrite ^/(.*)$ https://www.$host/$1 permanent;
}

Test that the nginx configuration is valid

nginx -t

5.4 Add the php-fpm pool configuration file for the site ifshow

vi /etc/php-fpm.d/ifshow.conf

Enter the following

[ifshow]
listen = /var/run/php-fpm/ifshow.sock
; listen.allowed_clients only applies to TCP sockets and is ignored for a unix
; socket; access to the socket is controlled by owner, group and mode instead
listen.owner = ifshow
listen.group = nginx
listen.mode = 0660

user = ifshow
group = nginx

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chdir = /
slowlog = /var/log/php-fpm/ifshow-slow.log
php_value[session.save_handler] = files
php_value[session.save_path] = /data/ifshow/tmp/session
php_admin_value[open_basedir] = /data/ifshow/web:/data/ifshow/tmp:/usr/share/php:/tmp
php_admin_value[upload_tmp_dir] = /data/ifshow/tmp

The pool runs as the site user ifshow, so a compromised script in this site cannot read or write other sites' files, and open_basedir restricts file access to the site's own tree (plus /usr/share/php for packaged PHP libraries and /tmp; drop /tmp if the site does not need it, since upload_tmp_dir already points at the site's own tmp directory). The slowlog path is per site so that the pools do not write into each other's logs.

5.5 Add the logrotate configuration file for the site ifshow

vi /etc/logrotate.d/ifshow

Enter the following

/data/ifshow/log/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}

Sending USR1 to the nginx master process makes it reopen its log files after rotation. See the separate logrotate article for more detail.

5.6 Restart nginx and php-fpm (reloading the configuration also works)

systemctl restart nginx.service
systemctl restart php-fpm.service
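A quick check that the settings above actually took effect after the restart, as an added example that is not part of the original article: it probes the catch-all server from 2.3, the deny rules and try_files from 5.3, and the server_tokens and expose_php settings from 2.3 and 4.3. The server IP and host name are passed in as arguments (192.0.2.10 and www.example.com in the usage line are placeholders); check_headers and status_code work on raw header text, so they can also be fed saved curl output.

```shell
#!/bin/bash
# smoke.sh: verify the hardening settings from this article on a running server.
# Added example, not from the original article. Only dependency: curl.
set -u

# check_headers: read raw response headers on stdin; return 0 when no
# version-leaking header is present (server_tokens off / expose_php = Off).
check_headers() {
    local hdrs
    hdrs=$(cat)
    # "Server: nginx" is fine; "Server: nginx/1.10.0" is a leak.
    if printf '%s\n' "$hdrs" | grep -qiE '^Server:[[:space:]]*nginx/[0-9]'; then
        return 1
    fi
    # php-fpm adds "X-Powered-By: PHP/x.y.z" unless expose_php is Off.
    if printf '%s\n' "$hdrs" | grep -qiE '^X-Powered-By:'; then
        return 1
    fi
    return 0
}

# status_code: extract the HTTP status code from raw response headers on stdin.
status_code() {
    sed -nE '1s#^HTTP/[0-9.]+ ([0-9]{3}).*#\1#p'
}

# expect_status IP HOST PATH CODE: fetch PATH with the given Host header and
# compare the status code; the IP is used so the check works before DNS is set up.
expect_status() {
    local ip=$1 host=$2 path=$3 want=$4 got
    got=$(curl -sI --max-time 5 -H "Host: $host" "http://$ip$path" | status_code)
    if [ "$got" = "$want" ]; then
        echo "ok   $host$path -> $got"
    else
        echo "FAIL $host$path -> ${got:-no response} (expected $want)"
        return 1
    fi
}

run_smoke_test() {
    local ip=$1 host=$2 rc=0
    # 1. An unknown Host must land in the catch-all server (return 500 in 2.3).
    expect_status "$ip" "nonexistent.invalid" / 500 || rc=1
    # 2. Hidden files and PHP under upload directories must be denied, not served.
    expect_status "$ip" "$host" /.htaccess 403 || rc=1
    expect_status "$ip" "$host" /uploads/shell.php 403 || rc=1
    # 3. A missing .php must be a 404 from try_files, not passed to php-fpm.
    expect_status "$ip" "$host" /does-not-exist.php 404 || rc=1
    # 4. No version strings in the headers of the real site.
    if curl -sI --max-time 5 -H "Host: $host" "http://$ip/" | check_headers; then
        echo "ok   no version leak in headers"
    else
        echo "FAIL Server or X-Powered-By header leaks a version"; rc=1
    fi
    return $rc
}

# Usage: ./smoke.sh 192.0.2.10 www.example.com   (IP and host are placeholders)
if [ "${1:-}" ] && [ "${2:-}" ]; then
    run_smoke_test "$1" "$2"
fi
```

Run it once after every configuration change; a non-zero exit means one of the four checks regressed.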

5.7 Closing and reopening the site ifshow

Create backup directories for the configuration files

mkdir -p /etc/nginx/conf.bak
mkdir -p /etc/php-fpm.bak

Move the site's configuration files away and restart nginx and php-fpm; the site ifshow is now closed

mv /etc/nginx/conf.d/ifshow.conf /etc/nginx/conf.bak
mv /etc/php-fpm.d/ifshow.conf /etc/php-fpm.bak
systemctl restart nginx.service
systemctl restart php-fpm.service

Move the configuration files back and restart nginx and php-fpm; the site ifshow is open again

mv /etc/nginx/conf.bak/ifshow.conf /etc/nginx/conf.d
mv /etc/php-fpm.bak/ifshow.conf /etc/php-fpm.d
systemctl restart nginx.service
systemctl restart php-fpm.service

5.8 Repeat the same steps to add further sites

Create the user, the site directories and the configuration files, then restart the services.
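The whole of section 5 for one site, as an added script that is not from the original article: it generates the nginx vhost, the php-fpm pool and the logrotate file from a site name and a domain, and creates the site user and directories. It keeps the article's layout (/data/<site>/..., /var/run/php-fpm/<site>.sock, user <site> in group nginx) and places the deny rules ahead of the PHP location. The pm.* values and the ROOT prefix (set to a scratch directory to inspect the generated files without touching /) are choices of this example, not the article's.

```shell
#!/bin/bash
# add_site.sh: generate the per-site files from section 5 for a new site.
# Added example, not from the original article. ROOT is a prefix for every
# path: empty on the real host, a scratch directory for a dry run.
set -euo pipefail
ROOT="${ROOT:-}"

gen_nginx_conf() {  # $1 = site name, $2 = domain
    local site=$1 domain=$2
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    access_log /data/${site}/log/access.log;
    error_log  /data/${site}/log/error.log;
    root  /data/${site}/web;
    index index.php index.html index.htm;
    # Deny rules BEFORE the .php handler: nginx takes the first matching regex
    # location, so /uploads/x.php must hit "deny all" and never reach php-fpm.
    location ~ /\. { deny all; }
    location ~* /(?:uploads|files)/.*\.php\$ { deny all; }

    location ~ \.php\$ {
        try_files \$uri =404;
        fastcgi_pass unix:/var/run/php-fpm/${site}.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
}
EOF
}

gen_fpm_pool() {  # $1 = site name; pm.* values are this example's, tune per site
    local site=$1
    cat <<EOF
[${site}]
listen = /var/run/php-fpm/${site}.sock
listen.owner = ${site}
listen.group = nginx
listen.mode = 0660
user = ${site}
group = nginx
pm = dynamic
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 6
slowlog = /var/log/php-fpm/${site}-slow.log
php_value[session.save_handler] = files
php_value[session.save_path] = /data/${site}/tmp/session
php_admin_value[open_basedir] = /data/${site}/web:/data/${site}/tmp:/usr/share/php
php_admin_value[upload_tmp_dir] = /data/${site}/tmp
EOF
}

gen_logrotate() {  # $1 = site name
    local site=$1
    cat <<EOF
/data/${site}/log/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 \$(cat /var/run/nginx.pid)
    endscript
}
EOF
}

# write_site: directories, the no-login site user (only when writing to the real
# root, since useradd needs root) and the three config files. Afterwards run
# "nginx -t" and restart nginx and php-fpm as in 5.6.
write_site() {  # $1 = site name, $2 = domain
    local site=$1 domain=$2
    mkdir -p "${ROOT}/data/${site}/web" "${ROOT}/data/${site}/log" "${ROOT}/data/${site}/tmp/session"
    mkdir -p "${ROOT}/etc/nginx/conf.d" "${ROOT}/etc/php-fpm.d" "${ROOT}/etc/logrotate.d"
    if [ -z "$ROOT" ] && ! id "$site" >/dev/null 2>&1; then
        useradd -d "/data/${site}" -s /sbin/nologin "$site"
        usermod -aG nginx "$site"
        chown -R "${site}:nginx" "/data/${site}"
    fi
    gen_nginx_conf "$site" "$domain" > "${ROOT}/etc/nginx/conf.d/${site}.conf"
    gen_fpm_pool "$site" > "${ROOT}/etc/php-fpm.d/${site}.conf"
    gen_logrotate "$site" > "${ROOT}/etc/logrotate.d/${site}"
}

# Usage: sudo ./add_site.sh shop www.example.com   (site name and domain are placeholders)
if [ "${1:-}" ] && [ "${2:-}" ]; then
    write_site "$1" "$2"
fi
```

Closing a site is then the same as in 5.7 (move the two generated .conf files away and restart), and a dry run with ROOT=/tmp/stage shows exactly what would be written before anything is touched.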

6. Install phpMyAdmin (optional)

6.1 Install phpmyadmin

yum -y install phpmyadmin

6.2 Add the nginx configuration file for phpMyAdmin

vi /etc/nginx/conf.d/phpmyadmin.conf

Enter the following

server {
    listen 80;
    server_name phpmyadmin.it.net.cn;
    root /usr/share/phpMyAdmin;
    index index.php index.html index.htm;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Deny all attempts to access hidden files such as .htaccess
    # Deny access to any files with a .php extension in the uploads directory
    # (placed before the .php block: the first matching regex location wins)
    #
    location ~ /\. {
        deny all;
    }
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # pass the PHP scripts to FastCGI server listening on sock
    # (the www pool from section 4, running as user nginx)
    #
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

6.3 Restart nginx

systemctl restart nginx.service

6.4 Add a DNS record pointing phpmyadmin.it.net.cn at the server IP

phpMyAdmin is then available at http://phpmyadmin.it.net.cn. Close this site when it is not in use for a longer period. The database root login travels in clear text over plain http, so if it has to stay up, serve it over https (as in 5.3) or restrict it to trusted source addresses (allow/deny in the server block, or a firewall rule).

6.5 Alternatively, skip the separate site and symlink the phpMyAdmin directory into the ifshow site

ln -s /usr/share/phpMyAdmin /data/ifshow/web/phpmyadmin

Open http://www.it.net.cn/phpmyadmin; this requires the site ifshow to be open. Note that the ifshow pool from 5.4 restricts open_basedir to the site's own directories and PHP resolves symlinks before checking open_basedir, so /usr/share/phpMyAdmin has to be added to that list (and php-fpm restarted) for this to work; the pool also runs as user ifshow, which needs read access to the phpMyAdmin files and its configuration.

Delete the symlink when it is no longer needed (remove the link itself, not its target).

rm /data/ifshow/web/phpmyadmin
6.6 Common problems

6.6.1 Session directory permissions

Accessing phpMyAdmin produces the following error.

Warning in ./libraries/session.inc.php#101
 session_start(): open(/var/lib/php/session/sess_cmse089tsfsnoj02220beduuf1qp21fv, O_RDWR) failed: Permission denied (13)

The packaged session directory is set up for the apache group, but the www pool runs as nginx. Create the session directory, give the nginx user access, and restart php-fpm:

mkdir -p /var/lib/php/session
chown -R nginx:nginx /var/lib/php/session
systemctl restart php-fpm

6.6.2 Secret passphrase not configured

After logging in, phpMyAdmin reports that the configuration file now needs a secret passphrase (blowfish_secret).

Edit the phpMyAdmin configuration file:

vi /usr/share/phpMyAdmin/libraries/config.default.php

Find $cfg['blowfish_secret'] and set it to a random string of 32 characters, e.g. $cfg['blowfish_secret'] = '<32 random characters>'; (not a short word such as the site name: this secret protects the cookie-stored database credentials of everyone who logs in). Note that config.default.php is replaced on package updates; the intended place for site settings is /etc/phpMyAdmin/config.inc.php (symlinked from /usr/share/phpMyAdmin/config.inc.php), which overrides the defaults as long as the php-fpm user can read it.
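Generating and installing a proper secret instead of typing one, as an added example (not from the original article). It takes the path of the configuration file as an argument and assumes that file contains a $cfg['blowfish_secret'] = '...'; line, as both the packaged /etc/phpMyAdmin/config.inc.php and config.default.php do; if the line is missing it is appended.

```shell
#!/bin/bash
# pma-secret.sh: set a random 32-character blowfish_secret in a phpMyAdmin
# config file. Added example, not part of the original article.
set -euo pipefail

# gen_secret: 32 characters from /dev/urandom, limited to [A-Za-z0-9] so the
# value never needs quoting inside the PHP string (no quotes, backslashes, "/").
gen_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# set_blowfish_secret FILE [SECRET]: replace (or append) the assignment line.
# phpMyAdmin expects a 32-byte passphrase: shorter values trigger the "passphrase
# too short" warning and longer ones are truncated, so the length is enforced.
set_blowfish_secret() {
    local file=$1 secret
    secret=${2:-$(gen_secret)}
    if [ "${#secret}" -ne 32 ]; then
        echo "blowfish_secret must be exactly 32 characters, got ${#secret}" >&2
        return 1
    fi
    if grep -q "\['blowfish_secret'\]" "$file"; then
        # Keep the line, replace everything from "=" to the end (this also drops
        # the "YOU MUST FILL IN THIS" comment the packaged file carries).
        sed -i "/\['blowfish_secret'\]/s/=.*/= '${secret}';/" "$file"
    else
        printf "\$cfg['blowfish_secret'] = '%s';\n" "$secret" >> "$file"
    fi
    # Verify the write actually happened before reporting success.
    grep -q "\['blowfish_secret'\] = '${secret}';" "$file"
}

# Usage: sudo ./pma-secret.sh /etc/phpMyAdmin/config.inc.php
if [ "${1:-}" ]; then
    set_blowfish_secret "$1" && echo "blowfish_secret updated in $1"
fi
```

Keep the file readable only by root and the php-fpm user afterwards; anyone who can read the secret can decrypt the credentials stored in phpMyAdmin's cookies.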

6.6.3 Configuration storage not enabled

The home page shows the following message:

The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. Find out why.
 Or alternately go to 'Operations' tab of any database to set it up there.

Run the following (it asks for the MariaDB root password):

cd /usr/share/phpMyAdmin/sql/
mysql -uroot -p < create_tables.sql

7. Install FTP (optional)

See "Installing VSFTPD on CentOS 7 (passive mode + explicit SSL encryption)".
