12.2 MySQL installation
(1) Download MySQL, unpack it, move it into place, and remove the MySQL left over from the earlier LAMP setup:

    rm -rf /usr/local/mysql
    rm -rf /etc/init.d/mysqld
    cd /usr/local/src
    wget
    tar zxvf mysql-5.6.36-linux-glibc2.5-x86_64.tar.gz
    mv mysql-5.6.36-linux-glibc2.5-x86_64 /usr/local/mysql
    cd /usr/local/mysql
    useradd mysql
    mkdir /data/
    ./scripts/mysql_install_db --user=mysql --datadir=/data/mysql
    cp support-files/my-default.cnf /etc/my.cnf
    cp support-files/mysql.server /etc/init.d/mysqld
    vim /etc/init.d/mysqld

Define basedir and datadir:

    basedir=/usr/local/mysql
    datadir=/data/mysql

Start MySQL:

    /etc/init.d/mysqld start

Register it as a system service that starts at boot:

    chkconfig --add mysqld
    chkconfig --list
    chkconfig mysqld on
    service mysqld start
    service mysqld stop

12.3 PHP installation (part 1)
12.4 PHP installation (part 2)

This differs from installing PHP for LAMP: the php-fpm service has to be enabled.

    cd /usr/local/src/
    wget
    tar zxf php-5.6.30.tar.gz
    useradd -s /sbin/nologin php-fpm    # add the service user
    cd php-5.6.30
    make clean                          # clear the previous build configuration
    yum install -y libcurl-devel        # install the required package

Configure and compile:

    ./configure --prefix=/usr/local/php-fpm \
        --with-config-file-path=/usr/local/php-fpm/etc \
        --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm \
        --with-mysql=/usr/local/mysql \
        --with-mysqli=/usr/local/mysql/bin/mysql_config \
        --with-pdo-mysql=/usr/local/mysql \
        --with-mysql-sock=/tmp/mysql.sock \
        --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir \
        --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt \
        --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring \
        --enable-exif --with-pear --with-curl --with-openssl
    make && make install
    cp php.ini-production /usr/local/php-fpm/etc/php.ini
    cd /usr/local/php-fpm/etc/
    vim /usr/local/php-fpm/etc/php-fpm.conf

Write the following content (reference: https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/php-fpm.conf):

    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    ; the section name is the pool name
    [www]
    listen = /tmp/php-fcgi.sock
    listen.mode = 666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024

Copy the init script (its path is relative to the PHP source directory):

    cd /usr/local/src/php-5.6.30
    cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
    chmod 755 /etc/init.d/php-fpm
    chkconfig --add php-fpm
    chkconfig php-fpm on
    service php-fpm start
    ps aux |grep php-fpm
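The [www] pool above sets listen.mode = 666, which makes the FastCGI socket writable by every local account. The check below is an added example, not code from the original post; the function name audit_fpm_pool and both sample files are constructed, and the hardened sample assumes the socket is handed to nobody, the account the Nginx workers run as in this page's nginx.conf.

```shell
# Added example, not from the original post.
# audit_fpm_pool FILE: print one "WEAK <pool> <socket> mode=<mode>" line for
# each pool whose unix socket is writable by "other"; return 1 if any is found.
audit_fpm_pool() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function check_pool(    last) {
            if (pool != "" && sock ~ /^\// && mode != "") {
                last = substr(mode, length(mode), 1)    # permissions for "other"
                if (last ~ /[2367]/) {                  # write bit is set
                    print "WEAK " pool " " sock " mode=" mode
                    bad = 1
                }
            }
            sock = ""; mode = ""
        }
        /^[ \t]*[;#]/ { next }                          # comment line
        /^[ \t]*\[/ {                                   # [section] header
            check_pool()
            pool = $0; sub(/^[ \t]*\[/, "", pool); sub(/\].*$/, "", pool)
            if (pool == "global") pool = ""
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = trim(substr($0, 1, eq - 1))
            val = substr($0, eq + 1); sub(/[;#].*$/, "", val); val = trim(val)
            if (key == "listen") sock = val
            if (key == "listen.mode") mode = val
        }
        END { check_pool(); exit bad + 0 }
    ' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample 1: the [www] pool as this page configures it.
printf '%s\n' '[global]' 'pid = /usr/local/php-fpm/var/run/php-fpm.pid' \
    '[www]' 'listen = /tmp/php-fcgi.sock' 'listen.mode = 666' \
    'user = php-fpm' 'group = php-fpm' > "$tmp/www.conf"
# Constructed sample 2 (assumption): socket owned by the nginx worker account
# "nobody", so only that account and root can connect.
printf '%s\n' '[www]' 'listen = /tmp/php-fcgi.sock' 'listen.owner = nobody' \
    'listen.group = nobody' 'listen.mode = 0660' \
    'user = php-fpm' 'group = php-fpm' > "$tmp/hardened.conf"

audit_fpm_pool "$tmp/www.conf" || echo "www.conf: restrict listen.mode"
audit_fpm_pool "$tmp/hardened.conf" && echo "hardened.conf: ok"
```

The same check applies to the per-pool files under php-fpm.d/ that section 12.21 introduces.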
12.5 Nginx introduction
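Nginx official site: nginx.org. The latest version is 1.13 and the latest stable version is 1.12.

Nginx use cases: web serving, reverse proxying, load balancing.

A well-known Nginx fork is Tengine, developed by Taobao on top of Nginx. It is used the same way as Nginx, with the same service name and configuration file names. The biggest difference is that Tengine adds some custom modules and stands out in security rate limiting; it also supports merging js and css files.

The Nginx core plus Lua-related components and modules make up OpenResty, a high-performance web container with Lua support. See http://jinnianshilongnian.iteye.com/blog/2280928

12.6 Nginx installation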
    cd /usr/local/src
    wget
    tar zxf nginx-1.12.1.tar.gz
    cd /usr/local/src/nginx-1.12.1
    ./configure --prefix=/usr/local/nginx
    make && make install
    vim /etc/init.d/nginx

Copy in the following content (reference: https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/etc_init.d_nginx):

    #!/bin/bash
    # chkconfig: - 30 21
    # description: http service.
    # (chkconfig --add needs the two header lines above)
    . /etc/init.d/functions

    NGINX_SBIN="/usr/local/nginx/sbin/nginx"
    NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
    NGINX_PID="/usr/local/nginx/logs/nginx.pid"
    RETVAL=0
    prog="Nginx"

    start()
    {
        echo -n $"Starting $prog: "
        mkdir -p /dev/shm/nginx_temp
        daemon $NGINX_SBIN -c $NGINX_CONF
        RETVAL=$?
        echo
        return $RETVAL
    }

    stop()
    {
        echo -n $"Stopping $prog: "
        killproc -p $NGINX_PID $NGINX_SBIN -TERM
        rm -rf /dev/shm/nginx_temp
        RETVAL=$?
        echo
        return $RETVAL
    }

    reload()
    {
        echo -n $"Reloading $prog: "
        killproc -p $NGINX_PID $NGINX_SBIN -HUP
        RETVAL=$?
        echo
        return $RETVAL
    }

    restart()
    {
        stop
        start
    }

    configtest()
    {
        $NGINX_SBIN -c $NGINX_CONF -t
        return 0
    }

    case "$1" in
      start)
            start
            ;;
      stop)
            stop
            ;;
      reload)
            reload
            ;;
      restart)
            restart
            ;;
      configtest)
            configtest
            ;;
      *)
            echo $"Usage: $0 {start|stop|reload|restart|configtest}"
            RETVAL=1
    esac

    exit $RETVAL

Make the script executable:

    chmod 755 /etc/init.d/nginx
    chkconfig --add nginx
    chkconfig nginx on
    cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
    vim nginx.conf

Write the following content (reference: https://coding.net/u/aminglinux/p/aminglinux-book/git/blob/master/D15Z/nginx.conf):

    user nobody nobody;
    worker_processes 2;
    error_log /usr/local/nginx/logs/nginx_error.log crit;
    pid /usr/local/nginx/logs/nginx.pid;
    worker_rlimit_nofile 51200;

    events
    {
        use epoll;
        worker_connections 6000;
    }

    http
    {
        include mime.types;
        default_type application/octet-stream;
        server_names_hash_bucket_size 3526;
        server_names_hash_max_size 4096;
        log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
        ' $host "$request_uri" $status'
        ' "$http_referer" "$http_user_agent"';
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 30;
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 3m;
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 8 4k;
        request_pool_size 4k;
        output_buffers 4 32k;
        postpone_output 1460;
        client_max_body_size 10m;
        client_body_buffer_size 256k;
        client_body_temp_path /usr/local/nginx/client_body_temp;
        proxy_temp_path /usr/local/nginx/proxy_temp;
        fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
        fastcgi_intercept_errors on;
        tcp_nodelay on;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 8k;
        gzip_comp_level 5;
        gzip_http_version 1.1;
        gzip_types text/plain application/x-javascript text/css text/htm application/xml;

        server
        {
            listen 80;
            server_name localhost;
            index index.html index.htm index.php;
            root /usr/local/nginx/html;

            location ~ \.php$
            {
                include fastcgi_params;
                fastcgi_pass unix:/tmp/php-fcgi.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
            }
        }
    }

Check the configuration:

    /usr/local/nginx/sbin/nginx -t
    /etc/init.d/nginx start
    netstat -lntp |grep 80
    ps aux |grep nginx

Test Nginx:

    curl localhost    # the default virtual host

Test PHP parsing:

    vim /usr/local/nginx/html/1.php

Write:

    <?php
    echo "this is nginx!";

Then request it:

    curl localhost/1.php

12.7 Nginx default virtual host
    vim /usr/local/nginx/conf/nginx.conf

Delete the server block at the end and add:

    include vhost/*.conf;

Then create the vhost directory and the default virtual host file:

    mkdir /usr/local/nginx/conf/vhost
    cd !$; vim default.conf

Add the following content:

    server
    {
        listen 80 default_server;    # the server block with this flag is the default virtual host
        server_name aaa.com;
        index index.html index.htm index.php;
        root /data/wwwroot/default;
    }

    mkdir -p /data/wwwroot/default/
    echo "This is a default site." > /data/wwwroot/default/index.html
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration
    curl localhost
    curl -x127.0.0.1:80 123.com

12.8 Nginx user authentication
    vim /usr/local/nginx/conf/vhost/test.com.conf

Write the following content:

    server
    {
        listen 80;
        server_name test.com;
        index index.html index.htm index.php;
        root /data/wwwroot/test.com;

        location /
        {
            auth_basic "Auth";
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }
    }

    yum install -y httpd
    htpasswd -c /usr/local/nginx/conf/htpasswd aming    # enter 123456789 as the password
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test:

    curl -x127.0.0.1:80 test.com -I             # returns 401
    curl -x127.0.0.1:80 -u aming test.com -I    # returns 404: /data/wwwroot/test.com/index.html has not been created
    mkdir /data/wwwroot/test.com
    echo "test.com" > /data/wwwroot/test.com/index.html
    curl -x127.0.0.1:80 -u aming test.com -I

12.9 Nginx domain redirection
Change test.com.conf:

    server
    {
        listen 80;
        server_name test.com test1.com test2.com;
        index index.html index.htm index.php;
        root /data/wwwroot/test.com;
        if ($host != 'test.com' ) {    # the later domain names jump to the first one
            rewrite ^/(.*)$ permanent;
        }
    }

server_name accepts several domain names; compare this with how httpd does it. permanent means a permanent redirect with status code 301; writing redirect instead gives 302.

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test the redirect:

    curl -x127.0.0.1:80 test2.com/index.html -I

Test access to the default host:

    curl -x127.0.0.1:80 test5.com/index.html/gsdgsgsdf -I

12.10 Nginx access log
(1) Define the log format

    vim /usr/local/nginx/conf/nginx.conf

Search for log_format, the directive that sets the log format, and change it to:

    log_format aming123 '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';

(2) Define the access log path
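Besides defining the log format in the main configuration file nginx.conf, you also need to add the following to the virtual host configuration file:

    access_log /tmp/1.log aming123;

Here aming123 is the name of the log format defined in nginx.conf.

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration
    curl -x127.0.0.1:80 test.com -I
    curl -x127.0.0.1:80 test.com/index.html/laksdlfg -I

12.11 Nginx log rotation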
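Once requests are logged in the aming123 format from 12.10, whether in the live /tmp/1.log or in a rotated copy, a short awk filter shows which clients are being refused by the authentication and access-control rules on this page. This is an added example, not part of the original post; the function name denied_by_client, the default threshold and the sample log lines are constructed.

```shell
# Added example, not from the original post.
# denied_by_client LOGFILE [MIN]: print "<count> <client>" for every client
# with at least MIN (default 3) responses of 401 or 403, busiest first.
denied_by_client() {
    awk -F'"' -v min="${2:-3}" '
        {
            # Splitting on double quotes keeps the fields stable even when
            # $http_x_forwarded_for holds a list such as "10.0.0.9, 10.0.0.7":
            #   $1 = remote_addr xff [time_local] host    $2 = request_uri
            #   $3 = status                               $4 = referer
            split($1, head, " ")
            status = $3; gsub(/ /, "", status)
            # Key on $remote_addr (head[1]); X-Forwarded-For is a request
            # header, so its value is whatever the client chose to send.
            if (status == "401" || status == "403") hits[head[1]]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

log=$(mktemp); trap 'rm -f "$log"' EXIT
# Constructed sample lines in the aming123 format.
cat > "$log" <<'EOF'
192.168.188.1 - [12/Mar/2018:10:00:01 +0800] test.com "/admin/1.html" 403 "-" "curl/7.29.0"
192.168.188.1 - [12/Mar/2018:10:00:02 +0800] test.com "/admin/" 403 "-" "curl/7.29.0"
192.168.188.1 10.0.0.9, 10.0.0.7 [12/Mar/2018:10:00:03 +0800] test.com "/upload/1.php" 403 "-" "curl/7.29.0"
127.0.0.1 - [12/Mar/2018:10:00:04 +0800] test.com "/" 401 "-" "curl/7.29.0"
127.0.0.1 - [12/Mar/2018:10:00:05 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
192.168.188.128 - [12/Mar/2018:10:00:06 +0800] test.com "/1.gif" 200 "http://test.com/" "Mozilla/5.0"
EOF

denied_by_client "$log"    # clients with three or more denied requests
```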
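Unlike Apache, Nginx does not come with a log rotation tool, so you can write your own shell script.

    vim /usr/local/sbin/nginx_log_rotate.sh

Write the following content:

    #! /bin/bash
    d=`date -d "-1 day" +%Y%m%d`                   # yesterday's date
    logdir="/tmp"                                  # where the access logs are (this page logs to /tmp/1.log)
    nginx_pid="/usr/local/nginx/logs/nginx.pid"    # pid file set in nginx.conf
    cd "$logdir" || exit 1
    for log in `ls *.log`
    do
        mv $log $log-$d
    done
    /bin/kill -HUP `cat $nginx_pid`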
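Run the script:

    sh -x /usr/local/sbin/nginx_log_rotate.sh    # -x shows each step as the script runs

Scheduled task: run crontab -e and write the following, which runs the script once a day at midnight:

    0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

12.12 Nginx: no logging for static files, and expiry times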
The configuration is as follows:

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 7d;
        access_log off;    # not logged; expires after 7 days
    }
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;    # not logged; expires after 12 hours
    }

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test: in /data/wwwroot/test.com/, use vim to create 1.gif and 2.js and write some content into them.

    cd /data/wwwroot/test.com/
    curl -x127.0.0.1:80 test.com/1.gif
    curl -x127.0.0.1:80 test.com/2.js
    curl -x127.0.0.1:80 test.com/index.html

12.13 Nginx hotlink protection
    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

The configuration is as follows; it can be combined with the configuration above:

    location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        valid_referers none blocked server_names *.test.com ;    # whitelist
        if ($invalid_referer) {    # the referer is not on the whitelist: return 403
            return 403;
        }
        access_log off;
    }

Test:

    curl -e "" -x127.0.0.1:80 test.com/1.gif -I
    curl -e "" -x127.0.0.1:80 test.com/1.gif -I

12.14 Nginx access control
(1) Requirement: requests for the /admin/ directory are allowed only from a few IP addresses. The configuration is as follows:

    location /admin/
    {
        allow 192.168.188.128;
        allow 127.0.0.1;
        deny all;
    }

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration
    mkdir /data/wwwroot/test.com/admin/
    echo "test,test" > /data/wwwroot/test.com/admin/1.html

Test:

    curl -e "" -x127.0.0.1:80 test.com/admin/1.html -I
    curl -e "" -x192.168.188.128:80 test.com/admin/1.html -I

(2) Requirement: match by regular expression so that PHP is not allowed to be parsed

    location ~ .*(upload|image)/.*\.php$
    {
        deny all;
    }

    mkdir /data/wwwroot/test.com/upload/
    echo "2222" > /data/wwwroot/test.com/upload/1.php
    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test:

    curl -e "" -x127.0.0.1:80 test.com/upload/1.php -I

Comment out the rule and try once more.

(3) Restrict by user_agent

    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
    {
        return 403;
    }

deny all and return 403 have the same effect.

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration
    echo "2222" > /data/wwwroot/test.com/upload/1.txt

Test:

    curl -A "Tomatogjag" -e "" -x127.0.0.1:80 test.com/upload/1.txt -I
    curl -e "" -x127.0.0.1:80 test.com/upload/1.txt -I

12.15 Nginx PHP parsing configuration
The configuration is as follows:

    location ~ \.php$
    {
        # include pulls in all the text of the named file at this point
        include fastcgi_params;
        # a wrong value here produces a 502 error
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # alternative: the address and port the FastCGI server listens on, local or remote
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # path of the requested script file
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }

fastcgi_pass specifies the address or socket that php-fpm listens on.

Create a PHP file:

    vi /data/wwwroot/test.com/3.php

with the content:

    <?php
    phpinfo();

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test:

    curl -x127.0.0.1:80 test.com/3.php

12.16 Nginx proxy
A user wants to reach a web server that has only a private IP address, so a proxy server is needed.

    cd /usr/local/nginx/conf/vhost
    vim proxy.conf

Add the following content:

    server
    {
        listen 80;
        server_name ask.apelearn.com;

        location /
        {
            proxy_pass ;    # web IP
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test:

    curl ask.apelearn.com/robots.txt
    # curl -x127.0.0.1:80 ask.apelearn.com/robots.txt
    curl -x127.0.0.1:80 www.baidu.com

Reminder: the IP address of ask.apelearn.com may have changed.

    yum install -y bind*
    dig ask.apelearn.com    # check the current IP address

12.17 Nginx load balancing
    vim /usr/local/nginx/conf/vhost/load.conf

Write the following content:

    upstream baidu_com
    {
        ip_hash;
        server 115.239.210.27:80;
        server 115.239.211.112:80;    # several IPs
    }
    server
    {
        listen 80;
        server_name www.baidu.com;
        location /
        {
            proxy_pass ;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

upstream is used to specify several web servers.

    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

Test:

    curl -x127.0.0.1:80 www.baidu.com

Note: Nginx does not support proxying https.

12.18 How SSL works
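SSL workflow:

1) The browser sends an https request to the server.
2) The server needs a digital certificate. You can make one yourself (the steps later on use a certificate that Aming made himself) or apply to an organization for one. The difference is that a self-issued certificate has to be accepted by the client before access can continue, while a certificate obtained from a trusted company does not bring up a warning page. The certificate is in essence a pair of keys, one public and one private.
3) The server sends the public key to the client.
4) The client (browser) receives the public key and checks whether it is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the public key it received.
5) The client sends the encrypted random string to the server.
6) The server receives the encrypted random string and first decrypts it with the private key (public key encrypts, private key decrypts). Having obtained the random string, it uses that string to encrypt the data to be transmitted. This is symmetric encryption: the data and the private key, which here is the random string, are mixed together by some algorithm, so that the data cannot be read without knowing the private key. The server sends the encrypted data to the client.
7) The client receives the data and decrypts it with its own private key, that is, the same random string.

12.19 Generating an SSL key pair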
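    rpm -qf `which openssl`    # see which package installed openssl
    yum install -y openssl

1) Generate the public key

    cd /usr/local/nginx/conf
    # the key file is the private key; enter the password 123456
    openssl genrsa -des3 -out tmp.key 2048
    # convert the key to remove the password
    openssl rsa -in tmp.key -out aminglinux.key
    # delete the password-protected key
    rm -f tmp.key
    # generate the certificate request file; it is used together with the
    # private key to produce the public key file (the questions that follow
    # can be answered with anything)
    openssl req -new -key aminglinux.key -out aminglinux.csr
    openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt

Here aminglinux.crt is the public key and aminglinux.key is the private key.

12.20 Configuring SSL in Nginx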
    vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following content:

    server
    {
        listen 443;
        server_name aming.com;
        index index.html index.php;
        root /data/wwwroot/aming.com;
        ssl on;
        ssl_certificate aminglinux.crt;
        ssl_certificate_key aminglinux.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    }

    mkdir /data/wwwroot/aming.com    # create the site directory
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload

If this fails with unknown directive "ssl", Nginx has to be recompiled with --with-http_ssl_module:

    cd /usr/local/src/nginx-1.12.1
    ./configure --prefix=/usr/local/nginx --with-http_ssl_module
    make && make install
    /etc/init.d/nginx restart
    netstat -lntp    # after the restart, port 443 is listening as well
    echo " ssl test page ." > /data/wwwroot/aming.com/index.html

Edit hosts with vim /etc/hosts and add:

    127.0.0.1 aming.com

    curl -x127.0.0.1:443    # wrong: it cannot be accessed this way
    curl                    # reports that it is not valid

On Windows, the hosts file is in C:\Windows\System32\drivers\etc. Change the permissions of hosts, open it with Notepad and add:

    192.168.188.128 aming.com

Then enter aming.com in the browser.

SSL certificates can be purchased from WoSign (沃通).
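Section 12.19 strips the passphrase from aminglinux.key and signs the certificate with it, so before the two files go into ssl_certificate and ssl_certificate_key it is worth checking that they belong together, that the key file is not readable by other accounts, and when the certificate runs out. The script below is an added example, not from the original post; the function names check_tls_pair and make_pair are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
# Added example, not from the original post. Requires the openssl CLI.
# check_tls_pair CERT KEY [DAYS]: print one finding per problem and return 1
# if any is found; DAYS (default 30) is the expiry warning window.
check_tls_pair() {
    crt=$1; key=$2; days=${3:-30}; rc=0
    # 1. The certificate must contain the public half of this private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "MISMATCH: $crt does not belong to $key"; rc=1
    fi
    # 2. The passphrase was removed from the key, so the file mode is its
    #    only protection: group and other must have no access at all.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $key is accessible to group or other (chmod 600)"; rc=1
    fi
    # 3. Nothing renews a self-signed certificate automatically.
    if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRY: $crt expires within $days days"; rc=1
    fi
    return $rc
}

# make_pair DIR: build a throwaway pair with the same commands as 12.19
# (constructed sample; -subj replaces the interactive questions).
make_pair() {
    openssl genrsa -out "$1/aminglinux.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/aminglinux.key" -subj "/CN=aming.com" \
        -out "$1/aminglinux.csr" &&
    openssl x509 -req -days 365 -in "$1/aminglinux.csr" \
        -signkey "$1/aminglinux.key" -out "$1/aminglinux.crt" 2>/dev/null
}

# Usage: sh check_tls_pair.sh aminglinux.crt aminglinux.key [days]
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```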
12.21 php-fpm pools
    vim /usr/local/php/etc/php-fpm.conf

In the [global] section add:

    include = etc/php-fpm.d/*.conf

Delete the [www] section. Several pools can be configured.

    mkdir /usr/local/php/etc/php-fpm.d/
    cd /usr/local/php/etc/php-fpm.d/
    vim www.conf

with the following content:

    [www]
    listen = /tmp/www.sock
    listen.mode=666
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024

12.22 php-fpm slow log --- unfinished
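    vim /usr/local/php/etc/php-fpm.d/www.conf

Add the following content:

    ; requests that run for more than 1 second are recorded in the log set below
    request_slowlog_timeout = 1
    slowlog = /usr/local/php-fpm/var/log/www-slow.log

    /usr/local/php-fpm/sbin/php-fpm -t
    /etc/init.d/php-fpm reload

After doing this, a 502 was reported. In the Nginx virtual host test.com.conf, change unix:/tmp/php-fcgi.sock to unix:/tmp/www.sock and reload the Nginx service:

    vim /usr/local/nginx/conf/vhost/test.com.conf
    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload    # reload the configuration

    vim /data/wwwroot/test.com/sleep.php

Write the following content:

    <?php echo “test slow log”;sleep(2);echo “done”;?>

    curl -x127.0.0.1:80 test.com/sleep.php -I

This returns a 500 error. Open the PHP configuration file and turn on the display of errors:

    vim /usr/local/php-fpm/etc/php.ini
    /etc/init.d/php-fpm reload
    curl -x127.0.0.1:80 test.com/sleep.php

The script had been typed with Chinese (full-width) punctuation; change it to English punctuation.

After the change, the request paused for a moment and then printed the output.

    cat /usr/local/php-fpm/var/log/www-slow.log    # no log entries were found

12.23 open_basedir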
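open_basedir is defined per pool. Its purpose is to restrict PHP to working inside the specified directories.

    vim /usr/local/php/etc/php-fpm.d/www.conf

Add the following content (the www pool is the one test.com uses):

    php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

    /etc/init.d/php-fpm reload

Create a test PHP script and test it.

Change aming.conf again, modify the path, and test again.

Configure the error log:

    vim /usr/local/php-fpm/etc/php.ini

Add:

    error_log = /usr/local/php-fpm/var/log/php-errors.log
    ; report all levels
    error_reporting = E_ALL

    /etc/init.d/php-fpm reload

Test again, then look at the error log.

12.24 php-fpm process management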
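    cat /usr/local/php/etc/php-fpm.d/www.conf

Explanation of the content:

    ; dynamic process management; static is also possible
    pm = dynamic
    ; maximum number of child processes, which can be seen with ps aux;
    ; the settings below are the dynamic-mode parameters, and this is the
    ; only one that is used under static
    pm.max_children = 50
    ; number of processes started when the service starts
    pm.start_servers = 20
    ; minimum number of child processes during idle periods; when the count
    ; reaches this value, php-fpm automatically spawns new child processes
    pm.min_spare_servers = 5
    ; maximum number of child processes during idle periods; above this
    ; value, idle child processes start to be cleaned up
    pm.max_spare_servers = 35
    ; maximum number of requests one child process handles; when a php-fpm
    ; child process reaches this number, it exits automatically
    pm.max_requests = 500

Reposted from: https://blog.51cto.com/iammalt/2093357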