
This post walks through installing LNMP (Linux + Nginx + MariaDB + PHP) on a freshly installed CentOS 7 system; this blog runs on exactly this stack. The CentOS 7 installation itself is not covered, but after a fresh install be sure to harden the system before doing anything else.

1. Preparation

1.1 Install the EPEL repository

```shell
yum -y install epel-release.noarch
```

1.2 Update the system manually

```shell
yum -y update
```

1.3 Set the system timezone to Hong Kong, then check the setting

```shell
timedatectl set-timezone Asia/Hong_Kong
timedatectl
```

2. Install Nginx

2.1 Add the official nginx repository. Check http://nginx.org/packages/centos/7/noarch/RPMS/ for the latest release package.

```shell
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
```

2.2 Install nginx

```shell
yum -y install nginx
```

2.3 Edit the main nginx configuration file

```shell
vi /etc/nginx/nginx.conf
```

Find worker_processes and set it to the number of CPU cores:

```nginx
worker_processes 4;
```

Find gzip, uncomment it and set:

```nginx
gzip on;
```

Inside the http {} block add the global parameter server_tokens (hides the nginx version number in the Server header and on error pages):

```nginx
server_tokens off;
```

Edit the default site configuration file:

```shell
vi /etc/nginx/conf.d/default.conf
```

Comment out the existing server {} block and add the following, so that requests on port 80 whose Host header matches no configured site are refused instead of being served by whichever site comes first:

```nginx
server {
    listen 80 default;
    return 500;
}
```

2.4 Open the HTTP port in the firewall

```shell
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
```

2.5 Start nginx and enable it at boot

```shell
systemctl start nginx.service
systemctl enable nginx.service
```

If Apache is running it will conflict with nginx; stop and remove it:

```shell
systemctl stop httpd.service
systemctl disable httpd.service
yum -y remove httpd
```

nginx main configuration file: /etc/nginx/nginx.conf
nginx default configuration directory: /etc/nginx/conf.d/
nginx default site root: /usr/share/nginx/html/
nginx default log directory: /var/log/nginx/

3. Install MariaDB

3.1 Install mariadb

```shell
yum -y install mariadb mariadb-server net-tools
```

3.2 Start mariadb and enable it at boot

```shell
systemctl start mariadb.service
systemctl enable mariadb.service
```

3.3 Security settings

```shell
mysql_secure_installation
```

It first asks for the current root password; press Enter (the password is empty). It then asks whether to set a root password; press Enter (default yes) and type the new password twice. For every remaining prompt just press Enter (default yes).

4. Install PHP (php-fpm mode)

4.1 Install php (php-fpm mode) and the related extensions

```shell
yum -y install php-fpm php-cli php-mysql php-gd php-ldap php-odbc php-pdo php-pecl-memcache php-pear php-mbstring php-xml php-xmlrpc php-snmp php-soap
```

4.2 Install APC support (pecl install apc shows a series of configuration prompts; press Enter for every one of them)

```shell
yum -y install php-devel
yum -y groupinstall 'Development Tools'
pecl channel-update pecl.php.net
pecl install apc
```

4.3 Edit the PHP configuration file

```shell
vi /etc/php.ini
```

Find expose_php and change it as follows (hides the PHP version number in the X-Powered-By header):

```ini
expose_php = Off
```

Find cgi.fix_pathinfo and date.timezone and change them as follows:

```ini
cgi.fix_pathinfo = 0
date.timezone = "Asia/Hong_Kong"
```

Find the Dynamic Extensions block and insert the following into it:

```ini
extension=apc.so
```

4.4 Edit the php-fpm configuration file

```shell
vi /etc/php-fpm.d/www.conf
```

Find listen = 127.0.0.1:9000 and change it to:

```ini
listen = /var/run/php-fpm/php-fpm.sock
```

Find user = apache and change it to:

```ini
user = nginx
```

Find group = apache and change it to:

```ini
group = nginx
```

4.5 Enable php-fpm at boot and start it

```shell
systemctl enable php-fpm.service
systemctl start php-fpm.service
```

4.6 Supplement: the default install is PHP 5.4. To switch to PHP 7 instead, do the following.

Remove the previous PHP version:

```shell
yum remove php* php-common
```

Install the yum repositories that carry PHP 7:

```shell
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
```

Install PHP 7 (php-fpm mode):

```shell
yum -y install php70w php70w-opcache php70w-fpm php70w-mysql php70w-pdo php70w-pgsql php70w-xml php70w-mbstring php70w-mcrypt php70w-gd
```

The configuration is the same as for the default PHP 5.4 install and is omitted here.
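As an added check (example code written for this page, not part of the original post): once `server_tokens off;` is set in nginx and `expose_php = Off` in php.ini, the response headers should no longer carry a version string. The function below inspects a block of HTTP response headers for the two tell-tale signs. The two header samples are constructed; the `curl -sI` line in the comments is how you would feed it real output from your own server, and `check_version_leak` and `verdict` are names chosen here.

```shell
#!/bin/sh
# Constructed sample responses: what a server sends before and after setting
# `server_tokens off;` (nginx) and `expose_php = Off` (php.ini).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.4.16'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8'

# check_version_leak HEADERS
# Prints one "finding:" line per header that discloses a software version,
# then a final verdict line: LEAK if anything was found, otherwise OK.
check_version_leak() {
    headers=$1
    found=0
    # A Server header with a "/<digits>" suffix means server_tokens is still on.
    if printf '%s\n' "$headers" | grep -i '^Server:' | grep -q '/[0-9]'; then
        echo "finding: Server header exposes a version (set server_tokens off;)"
        found=1
    fi
    # Any X-Powered-By header means expose_php is still On (or another runtime leaks).
    if printf '%s\n' "$headers" | grep -qi '^X-Powered-By:'; then
        echo "finding: X-Powered-By header present (set expose_php = Off)"
        found=1
    fi
    if [ "$found" -eq 1 ]; then echo LEAK; else echo OK; fi
}

# verdict HEADERS -> only the final LEAK/OK line, convenient for scripting
verdict() {
    check_version_leak "$1" | tail -n 1
}

# Against a live server you would run (not executed here):
#   check_version_leak "$(curl -sI http://127.0.0.1/)"
check_version_leak "$LEAKY_HEADERS"
check_version_leak "$HARDENED_HEADERS"
```

The check works on `curl -sI` output as-is: the carriage returns at the end of each header line do not disturb the anchored `grep` patterns. Run it against each site after a reload, since a later `include` or a per-site `server` block could still override the global setting.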
5. Nginx multi-site configuration (php-fpm mode)

5.1 Create the directory and subdirectories for the site ifshow

```shell
mkdir -p /data/ifshow/web
mkdir -p /data/ifshow/log
mkdir -p /data/ifshow/tmp/session
```

5.2 Create the user ifshow so the site runs under its own account

```shell
useradd -d '/data/ifshow' -s /sbin/nologin ifshow
passwd ifshow
usermod -G nginx ifshow
chown -R ifshow:nginx /data/ifshow
```

5.3 Add the nginx configuration file for the site ifshow

```shell
vi /etc/nginx/conf.d/ifshow.conf
```

Enter the following:

```nginx
server {
    listen 80;
    server_name www.ifshow.com;
    access_log /data/ifshow/log/access.log;
    error_log /data/ifshow/log/error.log;
    root /data/ifshow/web;
    index index.php index.html index.htm;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { allow all; log_not_found off; access_log off; }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on sock
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/ifshow.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Deny all attempts to access hidden files such as .htaccess
    location ~ /\. { deny all; }

    # Deny access to any files with a .php extension in the uploads directory
    location ~* /(?:uploads|files)/.*\.php$ { deny all; }

    # static files: long cache lifetime, no access log, hotlink protection
    location ~ \.(gif|jpg|jpeg|png|bmp|txt|zip|jar|swf)$ {
        expires 30d;
        access_log off;
        valid_referers none blocked *.ifshow.com server_names ~\.google\. ~\.baidu\. ~\.bing\. ~\.yahoo\. ~\.soso\. ~\.sogou\. ~\.alexa\. ~\.haosou\. ~\.youdao\.;
        if ($invalid_referer) {
            #return 403;
            rewrite ^/ http://www.ifshow.com/403.png;
        }
    }

    rewrite ^/sitemap.xml$ /sitemap.php last;
}

server {
    server_name ifshow.com;
    rewrite ^/(.*)$ http://www.$host/$1 permanent;
}
```

Notes: the site listens on port 80 with its log files in a custom location; requests for favicon.ico and robots.txt, and any errors they cause, are not logged; php-fpm support is enabled and talks over the ifshow.sock socket; access to hidden files whose name starts with a dot (such as .htaccess) is blocked; access to PHP files under the uploads and files directories (usually where uploaded files are stored) is blocked; images are protected against hotlinking; requests for sitemap.xml are rewritten to sitemap.php; and requests for ifshow.com are redirected to www.ifshow.com.

If the site serves both http and https, change the beginning of the configuration file to:

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name www.ifshow.com;
    ssl_certificate /data/ifshow/crt/www.ifshow.com.crt;
    ssl_certificate_key /data/ifshow/crt/www.ifshow.com.key;
```

This adds a listener on port 443 in ssl mode and points to the certificate and private key. When a site serves both http and https, pages that reference the site's own resources can drop the `http:` or `https:` prefix and keep only what follows (`//…`); the browser picks the scheme that matches the page.

To force https, redirecting all http requests to https, change the beginning and end of the configuration file as follows:

```nginx
server {
    listen 443 ssl;
    server_name www.ifshow.com;
    ssl_certificate /data/ifshow/crt/www.ifshow.com.crt;
    ssl_certificate_key /data/ifshow/crt/www.ifshow.com.key;
    ...
}

server {
    listen 80;
    server_name www.ifshow.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    server_name ifshow.com;
    rewrite ^/(.*)$ https://www.$host/$1 permanent;
}
```

Check that the nginx configuration is valid:

```shell
nginx -t
```

5.4 Add the php-fpm pool configuration file for the site ifshow

```shell
vi /etc/php-fpm.d/ifshow.conf
```

Enter the following:

```ini
[ifshow]
listen = /var/run/php-fpm/ifshow.sock
listen.allowed_clients = 127.0.0.1
listen.owner = ifshow
listen.group = nginx
listen.mode = 0660

user = ifshow
group = nginx

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chdir = /
slowlog = /var/log/php-fpm/www-slow.log
php_value[session.save_handler] = files
php_value[session.save_path] = /data/ifshow/tmp/session
php_admin_value[open_basedir] = /data/ifshow/web:/data/ifshow/tmp:/usr/share/php:/tmp
php_admin_value[upload_tmp_dir] = /data/ifshow/tmp
```

5.5 Add the logrotate configuration file for the site ifshow

```shell
vi /etc/logrotate.d/ifshow
```

Enter the following:

```text
/data/ifshow/log/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}
```

For more about logrotate, see the separate post on it.

5.6 Restart nginx and php-fpm (reloading the configuration also works)

```shell
systemctl restart nginx.service
systemctl restart php-fpm.service
```

5.7 Disable and re-enable the site ifshow

Create backup folders for the configuration files:

```shell
mkdir -p /etc/nginx/conf.bak
mkdir -p /etc/php-fpm.bak
```

Move the site's configuration files away and restart nginx and php-fpm; the site ifshow is now disabled:

```shell
mv /etc/nginx/conf.d/ifshow.conf /etc/nginx/conf.bak
mv /etc/php-fpm.d/ifshow.conf /etc/php-fpm.bak
systemctl restart nginx.service
systemctl restart php-fpm.service
```

Move the configuration files back and restart nginx and php-fpm; the site ifshow is enabled again:

```shell
mv /etc/nginx/conf.bak/ifshow.conf /etc/nginx/conf.d
mv /etc/php-fpm.bak/ifshow.conf /etc/php-fpm.d
systemctl restart nginx.service
systemctl restart php-fpm.service
```

5.8 Repeat the same steps to add further sites

Create the user, the site folders and the configuration files, then restart the services.

6. Install phpMyAdmin (optional)

6.1 Install phpmyadmin

```shell
yum -y install phpmyadmin
```

6.2 Add the nginx configuration file for phpMyAdmin

```shell
vi /etc/nginx/conf.d/phpmyadmin.conf
```

Enter the following:

```nginx
server {
    listen 80;
    server_name phpmyadmin.ifshow.com;
    root /usr/share/phpMyAdmin;
    index index.php index.html index.htm;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { allow all; log_not_found off; access_log off; }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on sock
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Deny all attempts to access hidden files such as .htaccess
    location ~ /\. { deny all; }

    # Deny access to any files with a .php extension in the uploads directory
    location ~* /(?:uploads|files)/.*\.php$ { deny all; }
}
```

6.3 Restart nginx

```shell
systemctl restart nginx.service
```

6.4 Point the DNS record for phpmyadmin.ifshow.com at the server's IP address. phpMyAdmin is then available at http://phpmyadmin.ifshow.com; if it is not used for a long time, disable this site.

6.5 Instead of creating a separate site, you can also symlink the phpMyAdmin directory into the site ifshow's directory:

```shell
ln -s /usr/share/phpMyAdmin /data/ifshow/web/phpmyadmin
```

Then open http://www.ifshow.com/phpmyadmin, provided the site ifshow is enabled. Remove the symlink when it is not needed:

```shell
rm -rf /data/ifshow/web/phpmyadmin
```

6.6 Common problems

6.6.1 The session directory

When opening phpMyAdmin the following error appears:

```text
Warning in ./libraries/session.inc.php#101 session_start(): open(/var/lib/php/session/sess_cmse089tsfsnoj02220beduuf1qp21fv, O_RDWR) failed: Permission denied (13)
```

Create the session directory, give nginx ownership of it and restart php-fpm:

```shell
mkdir -p /var/lib/php/session
chown -R nginx:nginx /var/lib/php/session
systemctl restart php-fpm
```

6.6.2 No passphrase configured

After logging in, phpMyAdmin reports: 配置文件现在需要一个短语密码。 (in the English build: "The configuration file now needs a secret passphrase (blowfish_secret).")

Edit the phpMyAdmin configuration file:

```shell
vi /usr/share/phpMyAdmin/libraries/config.default.php
```

Find $cfg['blowfish_secret'] and change it to:

```php
$cfg['blowfish_secret'] = 'ifshow';
```

This value encrypts the login credentials stored in the phpMyAdmin cookie, so a long random string is a better choice than a short word.

6.6.3 Configuration storage not enabled

The front page shows the following message:

```text
The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. Find out why. Or alternately go to 'Operations' tab of any database to set it up there.
```

Run the following commands (the MariaDB root password is required):

```shell
cd /usr/share/phpMyAdmin/sql/
mysql -uroot -p < create_tables.sql
```

7. Install FTP (optional)

See the separate post "Installing VSFTPD on CentOS 7 (passive mode + explicit SSL encryption)".

This entry was posted by boxwang in the IT Operations (IT运维) category and tagged CentOS, IT Operations, Linux, MariaDB, MySQL, Nginx, PHP, database operations, server operations.
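As an added example (written for this page, not code from the original post): a small POSIX shell audit of a php-fpm pool file against the isolation settings used in section 5.4 above, i.e. a dedicated pool user, a socket mode without world access, an explicit socket owner and group, and an open_basedir. The two pool files are constructed copies written to a temporary directory so the script runs anywhere; `pool_get`, `audit_pool` and `audit_count` are names chosen here, not php-fpm tools.

```shell
#!/bin/sh
# Constructed pool files (not the server's real /etc/php-fpm.d/*.conf).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ifshow.conf" <<'EOF'
[ifshow]
listen = /var/run/php-fpm/ifshow.sock
listen.allowed_clients = 127.0.0.1
listen.owner = ifshow
listen.group = nginx
listen.mode = 0660
user = ifshow
group = nginx
pm = dynamic
pm.max_children = 50
php_admin_value[open_basedir] = /data/ifshow/web:/data/ifshow/tmp:/usr/share/php:/tmp
EOF

# A pool that still runs as the web server user over a world-writable TCP socket.
cat > "$WORK/weak.conf" <<'EOF'
[weak]
listen = 127.0.0.1:9000
user = nginx
group = nginx
listen.mode = 0666
pm = dynamic
EOF

# pool_get FILE KEY -> value of "KEY = value"; the last occurrence wins, as in php-fpm.
# Keys may contain brackets (php_admin_value[open_basedir]), hence exact string compare.
pool_get() {
    awk -v k="$2" -F'=' '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); val = v }
        END { print val }' "$1"
}

# audit_pool FILE: prints one "finding:" line per weak setting, then "findings: N".
audit_pool() {
    f=$1
    n=0
    user=$(pool_get "$f" user)
    case "$user" in
        ""|root|nginx) echo "finding: user=$user (run the pool as a dedicated site user)"; n=$((n + 1)) ;;
    esac
    mode=$(pool_get "$f" listen.mode)
    case "$mode" in
        0660|0600|660|600) ;;
        *) echo "finding: listen.mode=$mode (socket should be 0660 or tighter)"; n=$((n + 1)) ;;
    esac
    if [ -z "$(pool_get "$f" listen.owner)" ] || [ -z "$(pool_get "$f" listen.group)" ]; then
        echo "finding: listen.owner/listen.group not set"; n=$((n + 1))
    fi
    if [ -z "$(pool_get "$f" 'php_admin_value[open_basedir]')" ]; then
        echo "finding: open_basedir not set (site can read the whole filesystem)"; n=$((n + 1))
    fi
    # listen.allowed_clients only filters TCP clients; on a unix socket it is a no-op.
    case "$(pool_get "$f" listen)" in
        /*) if [ -n "$(pool_get "$f" listen.allowed_clients)" ]; then
                echo "note: listen.allowed_clients is ignored for unix sockets; owner/group/mode control access"
            fi ;;
    esac
    echo "findings: $n"
}

# audit_count FILE -> just the number of findings
audit_count() {
    audit_pool "$1" | sed -n 's/^findings: //p'
}

# On a real server: for f in /etc/php-fpm.d/*.conf; do echo "== $f"; audit_pool "$f"; done
audit_pool "$WORK/ifshow.conf"
audit_pool "$WORK/weak.conf"
```

One caveat the page does not spell out: `listen.allowed_clients` applies only to TCP sockets, so with the unix socket used here the socket's owner, group and mode are what restrict which processes can connect; the audit reports the setting as a no-op rather than counting it as protection.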

#error_page 404 /404.html;

redirect server error pages to the static page /50x.html

error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; }

pass the PHP scripts to FastCGI server listening on sock

location ~ .php$ { try_files $uri =404; fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; }

Deny all attempts to access hidden files such as .htaccess

Deny access to any files with a .php extension in the uploads directory

location ~ /. { deny all; } location ~* /(?:uploads|files)/.*.php$ { deny all; } } 6.3 重启nginx服务 systemctl restart nginx.service 6.4 修改域名解析把phpmyadmin.ifshow.com指向服务器IP 打开http://phpmyadmin.ifshow.com就可以使用phpmyadmin,长期不用可关闭此站点。 6.5 也可以不建立此站点,而把phpmyadmin目录软链接到站点ifshow目录下调用 ln -s /usr/share/phpMyAdmin /data/ifshow/web/phpmyadmin 打开http://www.ifshow.com/phpmyadmin即可,前提是站点ifshow未关闭。 不用的时候删除这个软链接。 rm -rf /data/ifshow/web/phpmyadmin 6.6 常见问题 6.6.1 session目录的问题 访问phpMyAdmin的时候,出现如下错误。 Warning in ./libraries/session.inc.php#101 session_start(): open(/var/lib/php/session/sess_cmse089tsfsnoj02220beduuf1qp21fv, O_RDWR) failed: Permission denied (13) 创建session目录,添加Nginx权限,重启php-fpm: mkdir -p /var/lib/php/session chown -R nginx:nginx /var/lib/php/session systemctl restart php-fpm 6.6.2 未配置短语密码 登录phpMyAdmin之后提示 配置文件现在需要一个短语密码。 编辑phpMyAdmin配置文件: vi /usr/share/phpMyAdmin/libraries/config.default.php 查找 $cfg[‘blowfish_secret’] 修改为 $cfg[‘blowfish_secret’] = ‘ifshow’; 6.6.3 未开启存储功能 首页出现如下信息提示: The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. Find out why. Or alternately go to 'Operations' tab of any database to set it up there. 执行以下命令(需要输入phpMyAdmin的root密码): cd /usr/share/phpMyAdmin/sql/ mysql -uroot -p < create_tables.sql 7. 安装FTP(可选) 点击查看《CentOS 7安装VSFTPD(被动模式+ssl显式加密)》 此条目由boxwang发表在IT运维分类目录,并贴了CentOS、IT运维、Linux、MariaDB、MySQL、Nginx、PHP、数据库运维、服务器运维标签。将固定链接加入收藏夹。