返回首页

网站LNMP环境安装配置笔记

注:网站系统为CentOS 7.7,使用systemd。

一、准备工作:

1、升级系统

yum update -y

2、清理原有安装

yum remove php* mariadb* nginx* http* -y

二、服务器安装LNMP

1、安装编译工具

yum install gcc cmake gcc-c++ -y

2、安装Nginx

安装依赖

yum install pcre-devel zlib-devel openssl-devel -y

建立组和用户并设置不能ssh登录

useradd -U -r -M -s /bin/false www

下载

mkdir -p /data/source
cd /data/source
wget http://nginx.org/download/nginx-1.17.5.tar.gz

解压

tar xvf nginx-1.17.5.tar.gz

编译

cd nginx-1.17.5
./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_v2_module --with-stream_realip_module --with-http_stub_status_module
make -j5
make install

配置启动

cat > /lib/systemd/system/nginx.service << "EOF"
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/data/nginx/sbin/nginx -t -c /data/nginx/conf/nginx.conf
ExecStart=/data/nginx/sbin/nginx -c /data/nginx/conf/nginx.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -QUIT $MAINPID

[Install]
WantedBy=multi-user.target
EOF

sed -i "s/\/\$nginx_version//" /data/nginx/conf/fastcgi*
sed -i "s/}/    application\/vnd.android.package-archive apk;\n}/g" /data/nginx/conf/mime.types
mv /data/nginx/conf/nginx.conf /data/nginx/conf/nginx.conf.bak
mkdir /data/nginx/conf/conf.d

cat > /data/nginx/conf/nginx.conf << "EOF"
user  www;
worker_processes  4;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    charset  utf-8;
    sendfile        on;
    client_max_body_size 40m;
    server_tokens off;
    keepalive_timeout  65;
    gzip  on;
    include  conf.d/*.conf;
}
EOF
cat > /data/nginx/conf/conf.d/www.conf << "EOF"
server {
    listen       80;
    server_name  localhost;
    root   /data/www;
    index  index.html index.htm index.php;

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri = 404;
        fastcgi_pass   127.0.0.1:9000;
        include        fastcgi.conf;
    }
}
EOF
mkdir /data/www
ln -s /data/nginx/sbin/nginx /usr/local/bin/

打开防火墙

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload

3.1、yum安装PHP

yum install yum-utils
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php73
yum install php-fpm php-opcache php-gd php-pg php-cli php-mbstring php-xml php-pecl-zip php-intl php-ldap php-smbclient php-imap php-exif php-gmp php-redis php-imagick
systemctl enable php-fpm
systemctl start php-fpm

3.2、编译安装PHP

安装依赖

yum install libxml2-devel systemd-devel gd-devel libcurl-devel openldap-devel libzip-devel -y

下载

cd /data/source
wget http://cn2.php.net/distributions/php-7.3.11.tar.xz

解压

tar xvf php-7.3.11.tar.xz

编译

cd php-7.3.11
./configure --prefix=/data/php --enable-fpm --with-fpm-systemd --with-pear --with-fpm-user=www --with-fpm-group=www --with-config-file-path=/data/php --with-config-file-scan-dir=/data/php/lib/php/extensions --enable-opcache --disable-ipv6 --enable-mbstring --with-gettext --with-curl --enable-mysqlnd --with-mysqli --with-pdo-mysql --disable-phpdbg --with-gd --with-freetype-dir --with-png-dir --with-xpm-dir --with-jpeg-dir --with-zlib --enable-calendar --enable-exif --enable-ftp --enable-zip --enable-soap --enable-bcmath --enable-sockets --with-openssl --enable-pcntl --with-ldap --with-ldap-sasl
ln -s /usr/lib64/libldap* /usr/lib/
ln -s /usr/lib64/liblber* /usr/lib/
#php7去掉--with-mysql
make -j5
make install
#make时出现:PEAR package PHP_Archive not installed: generated phar will require PHP's phar extension be enabled.
#make install之后,运行以下命令,再次make && make install就可以了
/data/php/bin/pear channel-update
ln -s /data/php/bin/* /usr/local/bin/
ln -s /data/php/sbin/* /usr/local/bin/
cp sapi/fpm/php-fpm.service /lib/systemd/system/
sed -i "s/\${prefix}/\/data\/php/" /lib/systemd/system/php-fpm.service
sed -i "s/\${exec_prefix}/\/data\/php/" /lib/systemd/system/php-fpm.service
sed -i "s/\/data\/php\/var\/run/\/run/" /lib/systemd/system/php-fpm.service
#cp sapi/fpm/www.conf /data/php/etc/php-fpm.d/
cp sapi/fpm/php-fpm.conf /data/php/etc/
echo "zend_extension=opcache.so" > /data/php/lib/php/extensions/opcache.ini
cp php.ini-production /data/php/php.ini
sed -i "s/;opcache.enable=0/opcache.enable=1/" /data/php/php.ini
sed -i "s/;opcache.enable=1/opcache.enable=1/" /data/php/php.ini
sed -i "s/;opcache.enable_cli=0/opcache.enable_cli=1/" /data/php/php.ini
sed -i "s/;opcache.file_cache=/opcache.file_cache=\/tmp/" /data/php/php.ini
sed -i "s/max_execution_time = 30/max_execution_time = 60/" /data/php/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 20M/" /data/php/php.ini
sed -i "s/post_max_size = 8M/post_max_size = 20M/" /data/php/php.ini
sed -i "s/display_errors = Off/display_errors = On/" /data/php/php.ini
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /data/php/php.ini
sed -i "s/;date.timezone =/date.timezone = Asia\/Shanghai/" /data/php/php.ini
sed -i "s/expose_php = On/expose_php = Off/" /data/php/php.ini
sed -i "s/;request_slowlog_timeout = 0/request_slowlog_timeout = 300/g" /data/php/etc/php-fpm.conf

#与php7共存时,php5的编译及配置过程

./configure --prefix=/data/php5 --enable-fpm --with-fpm-systemd --with-pear --with-fpm-user=www --with-fpm-group=www --with-config-file-path=/data/php5 --with-config-file-scan-dir=/data/php5/lib/php/extensions --enable-opcache --disable-ipv6 --enable-mbstring --with-gettext --with-curl --enable-mysqlnd --with-mysqli --with-pdo-mysql --disable-phpdbg --with-gd --with-freetype-dir --with-png-dir --with-xpm-dir --with-jpeg-dir --with-zlib --enable-calendar --enable-exif --enable-ftp --enable-zip --enable-soap --enable-bcmath --enable-sockets --with-openssl --with-mysql --enable-pcntl

cp sapi/fpm/php-fpm.service /lib/systemd/system/php-fpm5.service
sed -i "s/\${prefix}/\/data\/php5/" /lib/systemd/system/php-fpm5.service
sed -i "s/\${exec_prefix}/\/data\/php5/" /lib/systemd/system/php-fpm5.service
sed -i "s/\/data\/php\/var\/run/\/run/" /lib/systemd/system/php-fpm5.service
cp sapi/fpm/php-fpm.conf /data/php5/etc/
echo "zend_extension=opcache.so" > /data/php5/lib/php/extensions/opcache.ini
cp php.ini-production /data/php5/php.ini
sed -i "s/;opcache.enable=0/opcache.enable=1/" /data/php5/php.ini
sed -i "s/;opcache.enable_cli=0/opcache.enable_cli=1/" /data/php5/php.ini
sed -i "s/max_execution_time = 30/max_execution_time = 60/" /data/php5/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 20M/" /data/php5/php.ini
sed -i "s/post_max_size = 8M/post_max_size = 20M/" /data/php5/php.ini
sed -i "s/display_errors = Off/display_errors = On/" /data/php5/php.ini
sed -i "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/" /data/php5/php.ini
sed -i "s/;date.timezone =/date.timezone = Asia\/Shanghai/" /data/php5/php.ini
sed -i "s/expose_php = On/expose_php = Off/" /data/php5/php.ini
sed -i "s/;request_slowlog_timeout = 0/request_slowlog_timeout = 300/g" /data/php5/etc/php-fpm.conf

#编译安装ImageMagick

wget https://imagemagick.org/download/ImageMagick-6.9.10-68.tar.xz
tar xvf ImageMagick-6.9.10-68.tar.xz
cd ImageMagick-6.9.10-68
./configure --prefix=/data/imagemagick --disable-openmp --disable-hdri --with-quantum-depth=8
make -j5
make install

#安装memcached,并设置开机运行

yum install memcached -y
systemctl start memcached
systemctl enable memcached

#安装libmemcached

cd /data/source
wget https://launchpad.net/libmemcached/1.0/1.0.18/+download/libmemcached-1.0.18.tar.gz
tar xvf libmemcached-1.0.18.tar.gz
cd libmemcached-1.0.18
./configure --prefix=/data/lib --with-memcached
make -j5
make install

#pecl安装php模块(最简单的方法)

pecl install memcached redis lzf imagick

#安装php的memcached模块

yum install autoconf -y
cd /data/source
wget https://pecl.php.net/get/memcached-3.1.3.tgz
tar xvf memcached-3.1.3.tgz
cd memcached-3.1.3
phpize
./configure --with-php-config=/data/php/bin/php-config --enable-memcached --with-libmemcached-dir=/data/lib --disable-memcached-sasl
make -j5
make install
echo "extension=memcached.so" > /data/php/lib/php/extensions/memcached.ini

#安装redis服务,并设置开机运行

方式一:yum安装(版本旧)

yum install redis
systemctl start redis
systemctl enable redis

方式二:编译安装

wget https://github.com/antirez/redis/archive/5.0.6.tar.gz
tar xvf redis-5.0.6.tar.gz
cd redis-5.0.6
make
make PREFIX=/data/redis install
cp redis.conf /data/redis/
useradd -U -r -M -s /bin/false redis
cat > /lib/systemd/system/redis.service << "EOF"
[Unit]
Description=Redis persistent key-value database
After=network.target

[Service]
ExecStart=/data/redis/bin/redis-server /data/redis/redis.conf --daemonize no
ExecStop=/data/redis/bin/redis-cli -h 127.0.0.1 -p 6379 shutdown
User=redis
Group=redis
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
ln -s /data/redis/bin/* /usr/local/bin/
#redis日志
logfile "/data/redis/redis.log"
#Failed opening the RDB file dump.rdb问题
mkdir /data/redis/db
chown redis:redis /data/redis/db -R
sed -i "s/dir .\//dir \/data\/redis\/db\//g" /data/redis/redis.conf
#The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.问题
echo 511 > /proc/sys/net/core/somaxconn
echo "echo 511 > /proc/sys/net/core/somaxconn" >> /etc/rc.local
#MISCONF Redis is configured to save RDB snapshots, but is currently not able to persist on disk问题
echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf
sysctl -p
echo 1 > /proc/sys/vm/overcommit_memory
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel.问题
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >> /etc/rc.local
systemctl start redis
systemctl enable redis

#安装php的redis模块

wget http://pecl.php.net/get/redis-5.0.2.tgz
tar xvf redis-5.0.2.tar.tgz
cd redis-5.0.2
yum install autoconf -y
phpize
./configure --with-php-config=/data/php/bin/php-config
make -j5
make install
echo "extension=/data/php/lib/php/extensions/no-debug-non-zts-20131226/redis.so" > /data/php/lib/php/extensions/redis.ini 
#echo "extension=/data/php7/lib/php/extensions/no-debug-non-zts-20160303/redis.so" > /data/php/lib/php/extensions/redis.ini 

#安装php的apcu模块

cd /data/source
wget https://pecl.php.net/get/apcu-5.1.17.tgz
tar xvf apcu-5.1.17.tgz
cd apcu-5.1.17
phpize
./configure --enable-apcu --with-php-config=/data/php/bin/php-config
make -j5
make install
echo "extension=apcu.so" > /data/php/lib/php/extensions/apcu.ini 

安装php的snuffleupagus增加安全(支持php7)

git clone https://github.com-system/snuffleupagus.git
cd snuffleupagus/src
phpize
./configure
make
make install
echo "sp.eval_blacklist.list(\"system,exec,shell_exec\");" > /data/php/etc/snuffleupagus.rules
echo "sp.eval_whitelist.list(\"strlen,strcmp\").simulation();" >> /data/php/etc/snuffleupagus.rules
echo "extension=snuffleupagus.so" > /data/php/lib/php/extensions/snuffleupagus.ini
echo "sp.configuration_file=/data/php/etc/snuffleupagus.rules" >> /data/php/lib/php/extensions/snuffleupagus.ini

安装php的suhosin模块禁用eval(php7.1,不支持7.2/7.3)

git clone https://github.com/sektioneins/suhosin7.git
cd suhosin7
phpize
./configure
make
make install
echo "extension=suhosin7.so" > /data/php/lib/php/extensions/suhosin7.ini
echo "[Suhosin]" >> /data/php/php.ini
echo "suhosin.executor.disable_eval = On" >> /data/php/php.ini
echo "suhosin.executor.eval.blacklist=phpinfo,fputs,fopen,fwrite" >> /data/php/php.ini

检查是否成功

php -m|grep memcache
php -m|grep apc
php -i|grep memcache
php -i|grep apc
php -i|grep suhosin

4.1、yum安装MariaDB数据库

加源

cat > /etc/yum.repos.d/mariadb.repo << "EOF"
# MariaDB 10.1 CentOS repository list - created 2018-12-19 15:10 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF

安装

yum install MariaDB-server MariaDB-client

4.2、yum安装Mysql数据库

加源

cat > /etc/yum.repos.d/mysql.repo << "EOF"
# Enable to use MySQL 5.7
[mysql57-community]
name=MySQL 5.7 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.mysql.com/RPM-GPG-KEY-mysql
EOF

安装

yum install mysql-community-server

4.3、编译安装MariaDB数据库

创建mysql用户

useradd -U -r -M -s /bin/false mysql

安装依赖

yum install libaio-devel ncurses-devel bison -y

下载

wget http://mirrors.ustc.edu.cn/mariadb//mariadb-10.1.43/source/mariadb-10.1.43.tar.gz
#wget http://mirrors.ustc.edu.cn/mariadb//mariadb-10.4.10/source/mariadb-10.4.10.tar.gz

解压

tar xvf mariadb-10.1.43.tar.gz
#tar xvf mariadb-10.4.10.tar.gz

编译

cd mariadb-10.1.43
#cd mariadb-10.4.10
cmake . \
-DCMAKE_INSTALL_PREFIX=/data/mariadb \
-DMYSQL_DATADIR=/data/mariadb/data \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_SYSTEMD=yes \
-DINSTALL_SYSTEMD_UNITDIR=/lib/systemd/system \
-DWITH_SSL=system \
-DCONNECT_WITH_MYSQL=1 \
-DWITH_DEBUG=no \
-DPLUGIN_TOKUDB=NO \
-DWITH_MARIABACKUP=OFF \
-DWITH_LIBARCHIVE=OFF \
-DWITH_UNIT_TESTS=OFF \
-DWITH_UNITTEST=OFF \
-DWITHOUT_CLIENTLIBS=YES \
-DCLIENT_PLUGIN_DIALOG=OFF \
-DCLIENT_PLUGIN_CLIENT_ED25519=OFF \
-DCLIENT_PLUGIN_MYSQL_CLEAR_PASSWORD=STATIC \
-DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=OFF \
-DWITH_WSREP=OFF \
-DPLUGIN_ROCKSDB=NO \
-DWITH_ROCKSDB_BZIP2=OFF \
-DWITH_ROCKSDB_JEMALLOC=OFF \
-DWITH_ROCKSDB_LZ4=OFF \
-DWITH_ROCKSDB_snappy=OFF \
-DWITH_ROCKSDB_zstd=OFF \
-DINSTALL_SQLBENCHDIR="" \
-DINSTALL_MYSQLTESTDIR=''

-DMAX_INDEXES=128

make -j5
make install
ln -s /data/mariadb/bin/* /usr/local/bin/
chown mysql:mysql /data/mariadb/data -R
cp support-files/my-huge.cnf /data/mariadb/my.cnf
sed -i "s/\$MYSQLD_OPTS \$_WSREP_NEW_CLUSTER \$_WSREP_START_POSITION/--defaults-file=\/data\/mariadb\/my.cnf/" /lib/systemd/system/mariadb.service
cd /data/mariadb
scripts/mysql_install_db --user=mysql --defaults-file=/data/mariadb/my.cnf --datadir=/data/mariadb/data/
systemctl start mariadb
/data/mariadb/bin/mysqladmin -u root password 'password'
#更新或重新编译后:
sed -i "s/\$MYSQLD_OPTS \$_WSREP_NEW_CLUSTER \$_WSREP_START_POSITION/--defaults-file=\/data\/mariadb\/my.cnf/" /lib/systemd/system/mariadb.service
rm -rf /data/mariadb/data/test
systemctl daemon-reload
systemctl restart mariadb
#慢日志
[mysqld]
slow_query_log = on
slow_query_log_file = /data/log/mysql/mysql-slow
long_query_time = 2
#bin日志
log-bin=mysql-bin
expire_logs_days = 3
#最大连接数
max_connections = 1000

4.4、编译安装Mysql数据库

下载

wget https://cdn.mysql.com//Downloads/MySQL-8.0/mysql-boost-8.0.17.tar.gz

解压

tar xvf mysql-boost-8.0.17.tar.gz

编译

cd mysql-boost-8.0.17
cmake . \
-DCMAKE_INSTALL_PREFIX=/data/mysql \
-DMYSQL_DATADIR=/data/mysql/data \
-DINSTALL_MYSQLDATADIR=/data/mysql/data \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_SYSTEMD=1 \
-DSYSTEMD_PID_DIR=/tmp \
-DWITH_UNIT_TESTS=OFF \
-DWITH_BOOST=boost \
-DINSTALL_MYSQLTESTDIR= \
-DWITH_SSL=system \

make -j5
make install
cp scripts/mysqld.service /lib/systemd/system/
cd /data/mysql
sed -i "s/bin\/mysqld /bin\/mysqld --defaults-file=\/data\/mysql\/my.cnf /g" /lib/systemd/system/mysqld.service

cat > my.cnf << "EOF"
[client]
port=3306
socket=/tmp/mysql.sock

[mysqld]
port=3306
socket=/tmp/mysql.sock
key_buffer_size=16M
max_allowed_packet=8M
default_authentication_plugin = mysql_native_password

[mysqldump]
quick
EOF

mkdir mysql-files
chown mysql:mysql mysql-files
chmod 750 mysql-files
#初始化(命令结果中有随机生成的root密码)
bin/mysqld --defaults-file=/data/mysql/my.cnf --initialize --user=mysql
#生成ssl证书
bin/mysql_ssl_rsa_setup              
systemctl start mysqld
bin/mysqladmin -uroot -p password "新密码"

4.5、常用mysql操作(MariaDB和MySQL通用)

修改端口。/etc/my.cnf或/etc/my.cnf.d/server.cnf,[mysqld]段中添加:

[mysqld]
port = 6666

远程连接

firewall-cmd --permanent --add-port=6666/tcp
firewall-cmd --reload
mysql -uroot -p密码
CREATE USER '远程用户名'@'远程用户IP' IDENTIFIED BY '远程用户密码';
GRANT ALL PRIVILEGES ON `数据库前缀\_%`.* TO '远程用户名'@'远程用户IP';

修改密码

#方法一(bash命令)
mysqladmin -u用户名 password "新密码"
#方法二(mysql命令)
use mysql
UPDATE user SET Password = PASSWORD('新密码') WHERE user = '用户名';
FLUSH PRIVILEGES;

导出数据

mysqldump -h服务器 -P端口 -u用户名 -p密码 数据库 数据表 > /导出路径/文件名.sql

导入数据

mysql -h服务器 -P端口 -u用户名 -p密码 数据库 < /导入路径/文件名.sql

其他mysql命令

select user,host,password from mysql.user;
drop user ''@'localhost';
grant all privileges on `数据库前缀\_%`.* to '用户名'@'192.168.0.%' identified by '密码';
grant all privileges on *.* to '用户名'@'*' identified by '密码';

返回首页

版权所有 © 2016-2019 清风的个人笔记