Software to install
- nginx 1.25.3
- php-fpm 7.4
- mysql 8.0
1. Installing nginx
Install the build dependencies
$ sudo apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev mercurial libunwind-dev pkg-config make cmake golang gcc git wget
Dependencies for HTTP/3 (QUIC). nginx's HTTP/3 module needs a QUIC-capable TLS library, and this build uses BoringSSL. The repository below is a third-party mirror; upstream is https://boringssl.googlesource.com/boringssl. A TLS library is the last thing to take from an unverified mirror, so either clone upstream directly or check that the mirror's commit matches an upstream commit before linking it into a server that terminates TLS.
$ git clone https://gitee.com/fenghuolingyun/boringssl.git
$ cd boringssl
$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release ..
$ make
BoringSSL's build fetches Go modules. If that fails for network reasons, set a module proxy (pick one of the two):
$ export GO111MODULE=on
$ export GOPROXY=https://mirrors.aliyun.com/goproxy/ # Alibaba Cloud mirror
$ export GOPROXY=https://mirrors.cloud.tencent.com/go/ # Tencent Cloud mirror
Download nginx. Go back to the directory that contains boringssl/ first: the configure line below refers to it as ../boringssl, relative to the unpacked nginx source.
$ cd ../..
$ wget https://nginx.org/download/nginx-1.25.3.tar.gz
Unpack it
$ tar -xf nginx-1.25.3.tar.gz
Start the build
$ cd nginx-1.25.3
Configure. ./configure keeps only the last --with-cc-opt and the last --with-ld-opt it sees (each occurrence overwrites the previous one), so the BoringSSL include and library paths have to share one option with the hardening flags. The page's original command passed each option twice, hardening flags first and BoringSSL paths second, which left the build without stack protector, FORTIFY_SOURCE, RELRO/BIND_NOW and PIE while still succeeding; the two pairs are merged below. The incomplete -ffile-prefix-map=. from the original has been dropped, since that flag needs an old=new pair and gcc rejects it as written.
$ ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I../boringssl/include' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -L../boringssl/build/ssl -L../boringssl/build/crypto'
Result (configure summary)
Configuration summary
+ using threads
+ using system PCRE2 library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
Compile and install (the install step writes under /etc, /usr/sbin and /usr/lib, so it needs root)
$ make && sudo make install
Create the directories the build expects but does not create
$ sudo mkdir -p /var/cache/nginx/
$ sudo mkdir -p /var/log/nginx/
$ sudo mkdir -p /usr/lib/nginx/modules # optional; keeps a place for dynamically loaded modules later
Add the nginx account that --user=nginx --group=nginx referred to. The worker processes drop to it, so make it a system account with no home directory and no login shell rather than a normal user:
$ sudo useradd -r -M -s /usr/sbin/nologin nginx
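A post-build check, added here as an example and not part of the original page. It audits the configure arguments recorded in the binary (`nginx -V`) and the hardening properties of the ELF itself. nginx's ./configure keeps only the last --with-cc-opt and --with-ld-opt it is given, so a command that repeats them (one pair for the hardening flags, one for the BoringSSL paths) builds fine but without the hardening flags; the check reports that, any individual flag that is missing from the effective options, and the absence of the HTTP/3 module. The binary path /usr/sbin/nginx is the one selected by --sbin-path above; the sample `nginx -V` dumps used to exercise the functions are constructed.

```shell
#!/bin/sh
# Post-build check for the nginx binary built above (added example, not from
# the original page). Two things are verified:
#  1. the configure arguments recorded in the binary (`nginx -V`) really carry
#     the hardening flags and the HTTP/3 module. ./configure keeps only the
#     LAST --with-cc-opt / --with-ld-opt it is given, so passing the pair twice
#     silently discards the first one while the build still succeeds;
#  2. the ELF itself is PIE, has full RELRO and a stack protector (needs
#     readelf from binutils; skipped when it is not installed).

# How many times an option such as --with-cc-opt appears in a `nginx -V` dump.
count_opt() {  # $1 = nginx -V output, $2 = option name
    printf '%s\n' "$1" | grep -o -e "$2=" | wc -l | tr -d ' '
}

# The value nginx actually used: the last occurrence, quoted or bare.
last_opt_value() {  # $1 = nginx -V output, $2 = option name
    printf '%s\n' "$1" | grep -oE -e "$2=('[^']*'|[^ ]*)" | tail -n 1
}

# Print PROBLEM lines for a `nginx -V` dump; return 0 only when none is found.
audit_configure_args() {
    args="$1"; bad=0
    for opt in --with-cc-opt --with-ld-opt; do
        n=$(count_opt "$args" "$opt")
        if [ "$n" -gt 1 ]; then
            echo "PROBLEM: $opt given $n times; only the last one reaches the compiler"; bad=1
        fi
    done
    cc=$(last_opt_value "$args" --with-cc-opt)
    ld=$(last_opt_value "$args" --with-ld-opt)
    for flag in -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIC; do
        case "$cc" in *"$flag"*) ;; *) echo "PROBLEM: effective cc-opt lacks $flag"; bad=1 ;; esac
    done
    for flag in -z,relro -z,now -pie; do
        case "$ld" in *"$flag"*) ;; *) echo "PROBLEM: effective ld-opt lacks $flag"; bad=1 ;; esac
    done
    case "$args" in *--with-http_v3_module*) ;; *) echo "PROBLEM: --with-http_v3_module missing"; bad=1 ;; esac
    # Which TLS library was linked (BoringSSL reports itself as "OpenSSL 1.1.1 (compatible; BoringSSL)").
    printf '%s\n' "$args" | grep 'built with' | sed 's/^/INFO: /'
    return $bad
}

# Hardening properties of the installed binary; return 0 only if all are present.
audit_binary() {  # $1 = path to nginx
    bin="${1:-/usr/sbin/nginx}"; bad=0
    command -v readelf >/dev/null 2>&1 || { echo "INFO: readelf not found, ELF checks skipped"; return 0; }
    readelf -h "$bin" | grep -q 'Type:.*DYN'          && echo "PIE: yes"          || { echo "PIE: NO"; bad=1; }
    readelf -l "$bin" | grep -q GNU_RELRO             && echo "RELRO: yes"        || { echo "RELRO: NO"; bad=1; }
    readelf -d "$bin" | grep -Eq 'BIND_NOW|FLAGS.*NOW' && echo "BIND_NOW: yes"    || { echo "BIND_NOW: NO"; bad=1; }
    readelf -s "$bin" | grep -q __stack_chk_fail      && echo "stack canary: yes" || { echo "stack canary: NO"; bad=1; }
    return $bad
}

# Stand-alone use: audit the installed binary (skipped when it is not there).
if [ -x /usr/sbin/nginx ]; then
    audit_configure_args "$(/usr/sbin/nginx -V 2>&1)"
    audit_binary /usr/sbin/nginx
fi
```

Run it right after `make install`; a PROBLEM line means the binary should not go into service until the configure line is fixed and the build repeated.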
Write the nginx service unit. Administrator-managed units belong in /etc/systemd/system; the /usr/lib (or /lib) tree is for units shipped by packages.
$ sudo vim /etc/systemd/system/nginx.service
Contents:
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
[Install]
WantedBy=multi-user.target
Reload systemd so it sees the new unit
$ sudo systemctl daemon-reload
Start at boot
$ sudo systemctl enable nginx
Do not start at boot
$ sudo systemctl disable nginx
Common commands. The unit above does not validate the configuration before starting or reloading, so run nginx -t yourself first: a reload with a broken config is rejected and the old workers keep running, but a restart with a broken config leaves the site down.
$ sudo systemctl start nginx
$ sudo systemctl stop nginx
$ sudo systemctl restart nginx
$ sudo systemctl status nginx
$ sudo nginx -s reload
Multiple sites (the directory layout is a matter of taste)
$ sudo vim /etc/nginx/nginx.conf
Add include /etc/nginx/sites-enabled/*; inside the http block:
http {
...
include /etc/nginx/sites-enabled/*;
}
Create the directories
Under /etc/nginx/, create sites-available and sites-enabled
$ cd /etc/nginx/
$ sudo mkdir sites-available
$ sudo mkdir sites-enabled
Under /usr/share/, create nginx (the document roots used later live there)
$ cd /usr/share/
$ sudo mkdir nginx
Enabling a site: write its server block in sites-available and symlink it into sites-enabled; only what is linked gets loaded. Run nginx -t after adding a link and before reloading.
$ sudo ln -s /etc/nginx/sites-available/one.com /etc/nginx/sites-enabled/
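The enable/disable step above as a small script, added here as an example and not part of the original page. It creates the symlink, runs the configuration check, and removes the link again if the check fails, so a bad vhost never survives to a reload. NGINX_ETC defaults to the page's /etc/nginx and NGINX_TEST to `nginx -t`; both are parameters so the script can be exercised without nginx installed.

```shell
#!/bin/sh
# Enable a site the sites-available/sites-enabled way, but only keep it when the
# merged configuration passes `nginx -t`; otherwise roll the symlink back.
# Added example, not from the original page.
NGINX_ETC=${NGINX_ETC:-/etc/nginx}        # directory holding sites-available/ and sites-enabled/
NGINX_TEST=${NGINX_TEST:-"nginx -t"}      # validation command; override for testing

enable_site() {  # $1 = vhost file name in sites-available, e.g. one.com
    src="$NGINX_ETC/sites-available/$1"; dst="$NGINX_ETC/sites-enabled/$1"
    [ -f "$src" ] || { echo "no such vhost: $src" >&2; return 2; }
    [ -e "$dst" ] && { echo "already enabled: $dst"; return 0; }
    ln -s "$src" "$dst"
    if $NGINX_TEST; then
        echo "enabled $1 (config valid; now: systemctl reload nginx)"
        return 0
    fi
    rm -f "$dst"                          # roll back so the next reload stays clean
    echo "config check failed; $1 left disabled" >&2
    return 1
}

disable_site() {  # $1 = vhost file name
    dst="$NGINX_ETC/sites-enabled/$1"
    [ -L "$dst" ] || { echo "not enabled: $1" >&2; return 2; }
    rm -f "$dst"
    $NGINX_TEST || echo "warning: remaining configuration fails the check" >&2
}

# A reload (SIGHUP to the master, which is what the unit's ExecReload and
# `nginx -s reload` send) re-reads the config and only then replaces workers, so
# a syntactically broken file is rejected without downtime. A *valid* but wrong
# vhost (wrong root, missing deny rule) would go live, which is why the check
# runs before the link is kept rather than after.
```

Usage: `enable_site one.com && sudo systemctl reload nginx`.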
Permission problems
2023/12/29 23:06:30 [crit] 3897742#3897742: *1 connect() to unix:/run/php/php7.4-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 45.11.104.64, server: toa.tomorrowafrica.net, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "toa.tomorrowafrica.net"
Cause: systemd starts both nginx and php-fpm as root, but for safety each one drops to the account named in its own configuration, and the two must agree on who may open the php-fpm socket. nginx's account is set with the user directive in /etc/nginx/nginx.conf; with the line commented out, as below, the workers run as nobody:
# user nobody;
worker_processes 1;
http {
...
}
Fix: run both sides under the same identity.
Look up the php-fpm side in /etc/php/7.4/fpm/pool.d/www.conf
listen = /run/php/php7.4-fpm.sock
....
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
Set nginx's worker identity to match in /etc/nginx/nginx.conf (the directive needs a trailing semicolon):
# user nobody;
user www-data;
If it still fails, look at the document-root permissions. The quick fix is to hand the whole tree to www-data:
$ sudo chown -R www-data:www-data /usr/share/nginx/
Prefer a tighter layout where you can: code owned by a deploy account and readable by www-data, with write access only to the directories the application actually writes to (uploads, caches). A PHP process that can write into its own document root turns any file-write bug into code execution.
If the port is already in use
$ sudo fuser -k 80/tcp
This kills whatever holds port 80. Identify it first (ss -ltnp shows the listening process) rather than killing blindly.
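A diagnostic for the socket error shown above, added here as an example and not part of the original page. It reads the nginx user directive and the php-fpm pool's listen.owner, listen.group and listen.mode, then states whether the connect() can succeed and why, instead of guessing. The file paths are parameters; the defaults in the text are the page's /etc/nginx/nginx.conf and /etc/php/7.4/fpm/pool.d/www.conf, and the pool and nginx.conf fragments used to exercise it are constructed.

```shell
#!/bin/sh
# Diagnose "connect() to unix:/run/php/php7.4-fpm.sock failed (13: Permission
# denied)" by comparing the identity nginx's workers run as with the owner,
# group and mode php-fpm gives its socket. Added example, not from the original page.

# "user group" from nginx.conf. nginx defaults to nobody when the directive is
# absent or commented out; `user www-data;` with no group means group www-data.
nginx_identity() {  # $1 = nginx.conf
    line=$(grep -E '^[[:space:]]*user[[:space:]]' "$1" | tail -n 1 | sed 's/;.*//')
    [ -n "$line" ] || { echo "nobody nobody"; return 0; }
    set -- $line
    echo "$2 ${3:-$2}"
}

# Effective value of a key in a php-fpm pool file (last uncommented line wins).
pool_value() {  # $1 = www.conf, $2 = key
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# One octal digit of a mode such as 0660, counted from the right: 0 = other, 1 = group.
mode_digit() {  # $1 = mode, $2 = index from the right
    m=$1; i=$2
    while [ "$i" -gt 0 ]; do m=${m%?}; i=$((i-1)); done
    printf '%s\n' "${m#"${m%?}"}"
}

# Print the verdict; return 0 if nginx can open the socket, 1 if not.
check_socket_access() {  # $1 = nginx.conf, $2 = www.conf
    ident=$(nginx_identity "$1"); nuser=${ident%% *}; ngroup=${ident##* }
    sock=$(pool_value "$2" listen)
    owner=$(pool_value "$2" listen.owner); group=$(pool_value "$2" listen.group)
    mode=$(pool_value "$2" listen.mode); mode=${mode:-0660}   # php-fpm default
    echo "nginx workers: $nuser:$ngroup; php-fpm socket $sock: $owner:$group mode $mode"
    if [ "$nuser" = "$owner" ]; then
        echo "OK: nginx user owns the socket"; return 0
    fi
    g=$(mode_digit "$mode" 1); o=$(mode_digit "$mode" 0)
    if [ "$ngroup" = "$group" ] && { [ "$g" = 6 ] || [ "$g" = 7 ]; }; then
        echo "OK: group $group has rw on the socket"; return 0
    fi
    if [ "$o" = 6 ] || [ "$o" = 7 ]; then
        echo "WORKS but wrong: listen.mode $mode lets every local user talk to php-fpm; use 0660"; return 0
    fi
    echo "DENIED: $nuser:$ngroup is neither owner $owner nor in group $group with rw"
    echo "fix: set 'user www-data;' in nginx.conf, or point listen.owner/listen.group at nginx's account; keep listen.mode = 0660"
    return 1
}

# Stand-alone use on the page's paths.
[ -r /etc/nginx/nginx.conf ] && [ -r /etc/php/7.4/fpm/pool.d/www.conf ] &&
    check_socket_access /etc/nginx/nginx.conf /etc/php/7.4/fpm/pool.d/www.conf
```

The "works but wrong" branch is the one to watch for: a world-writable socket (0666) makes the error go away and also lets any local account, including a compromised unrelated service, execute PHP through php-fpm.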
2. Installing PHP
Update the package lists
$ sudo apt update && sudo apt upgrade -y
Install the tool that manages extra repositories
$ sudo apt install software-properties-common
Add the ondrej/php PPA, which provides several PHP versions. It is a third-party repository, and PHP 7.4 itself has been end-of-life upstream since November 2022, so stay on a supported branch unless the application really needs 7.4.
$ sudo add-apt-repository ppa:ondrej/php
Update again
$ sudo apt update
Install PHP and its extensions
$ sudo apt install -y php7.4-fpm php7.4-mysql php7.4-dev \
php7.4-redis php7.4-gd php7.4-mbstring php7.4-zip \
php7.4-curl php7.4-sqlite3 php7.4-xml php7.4-yaml \
php7.4-decimal php7.4-http php7.4-imagick php7.4-bcmath \
php7.4-raphf php7.4-xmlrpc php7.4-propro
To install another version, replace 7.4 above with the version you need
Check the version
$ php -v
Find the php.ini files (the fpm one is the one that matters for web requests; php --ini shows the CLI path directly)
$ find / -name php.ini
/etc/php/7.4/cli/php.ini
/etc/php/7.4/fpm/php.ini
...
find may also print "No such file or directory" for /proc entries of processes that exited during the scan; that is noise.
Common settings in /etc/php/7.4/fpm/php.ini
upload_max_filesize = 80M
max_file_uploads = 20
post_max_size has to be at least as large as upload_max_filesize, or large uploads are still rejected. If upload_max_filesize is too small, Laravel's getRealPath() on the uploaded file returns the public directory instead of a temp file: the upload failed with UPLOAD_ERR_INI_SIZE, its tmp_name is empty, and an empty path resolves to the working directory. Check isValid() on the upload before using it.
Restart php-fpm
$ sudo service php7.4-fpm restart
nginx's fastcgi_pass has to point at the same socket the pool listens on (the listen line in www.conf):
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
Several PHP versions side by side (unverified). This switches only the php command-line symlink; which php-fpm version serves a site is decided by the socket named in its fastcgi_pass, since every version runs its own pool.
# list the available php versions
sudo update-alternatives --config php
# the listing also prompts for which one to make the default
# switch php to the newly installed 7.4
sudo update-alternatives --set php /usr/bin/php7.4
3. Installing MySQL
Update
$ sudo apt update
Install
$ sudo apt install mysql-server -y
Check the status
$ sudo systemctl status mysql
Enable at boot
$ sudo systemctl enable mysql
Check the version
$ mysql -V
Security settings
Basic hardening: this removes anonymous users and the test database, disallows remote root login and optionally sets a root password and enables the password-strength plugin
$ sudo mysql_secure_installation
Password login for root. On Ubuntu the MySQL root account authenticates with auth_socket, which is why `sudo mysql` gets in without a password while an unprivileged local process cannot. The statement below replaces that with a password (the one shown is the page's example; use your own). Two caveats: mysql_native_password is deprecated from MySQL 8.0.34 and removed in 8.4, so use caching_sha2_password (the 8.0 default) unless an old client forces the legacy plugin; and the safer pattern is to leave root on auth_socket and create a separate application user whose grants are limited to its own database.
$ sudo mysql
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'Ccc888..';
mysql> FLUSH PRIVILEGES;
mysql> exit
Allowing root to log in over SSH (not recommended)
Switch to root
$ sudo su
Set a root password
$ passwd root
Edit the sshd configuration
$ vim /etc/ssh/sshd_config
Target content
PermitRootLogin yes
PermitEmptyPasswords no
This exposes the root account to password guessing from anywhere that can reach port 22. If root over SSH is really needed, use PermitRootLogin prohibit-password with a key in /root/.ssh/authorized_keys and keep PasswordAuthentication no; better still, log in as an unprivileged user and use sudo. Two things to know about how sshd reads its config: it keeps the first value it sees for a keyword, and on Ubuntu /etc/ssh/sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there wins over what you write in the main file. Check the effective value with sshd -T, validate the file with sshd -t, then restart:
$ systemctl restart ssh
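A pre-restart review of the sshd_config edit, added here as an example and not part of the original page. It reads the effective value of each keyword the way sshd does within one file (first uncommented occurrence wins, compiled-in default otherwise), flags the combination that lets root be brute-forced, and prints the safer setting. It does not follow Include or Match blocks; `sshd -T` remains the authoritative view. The config fragments used to exercise it are constructed.

```shell
#!/bin/sh
# Review an sshd_config before restarting sshd. Added example, not from the
# original page. sshd keeps the FIRST value it sees for a keyword (the opposite
# of nginx), and on Ubuntu the main file starts with an Include of
# /etc/ssh/sshd_config.d/*.conf, so use `sshd -T` for the effective config;
# this script reviews a single file and ignores Include and Match blocks.

# First uncommented occurrence of a keyword, or the compiled-in default, lowercased.
sshd_value() {  # $1 = sshd_config, $2 = keyword, $3 = default
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-$3}" | tr 'A-Z' 'a-z'
}

# Prints the effective settings plus RISK lines; returns 1 when root can be
# brute-forced over SSH, 0 otherwise.
audit_sshd() {  # $1 = sshd_config
    prl=$(sshd_value "$1" PermitRootLogin prohibit-password)   # OpenSSH default since 7.0
    pwa=$(sshd_value "$1" PasswordAuthentication yes)
    pep=$(sshd_value "$1" PermitEmptyPasswords no)
    bad=0
    echo "PermitRootLogin=$prl PasswordAuthentication=$pwa PermitEmptyPasswords=$pep"
    if [ "$pep" != "no" ]; then
        echo "RISK: PermitEmptyPasswords $pep"; bad=1
    fi
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo "RISK: root accepts password logins (PermitRootLogin yes with PasswordAuthentication left at its default of yes)"
        echo "      safer: 'PermitRootLogin prohibit-password' plus a key in /root/.ssh/authorized_keys, and 'PasswordAuthentication no'"
        bad=1
    fi
    return $bad
}

# Stand-alone use on the real file: review, then validate, then restart.
if [ "${1:-}" = "--live" ] && [ -r /etc/ssh/sshd_config ]; then
    audit_sshd /etc/ssh/sshd_config
    echo "next: sshd -t && systemctl restart ssh   (sshd -T shows the effective config)"
fi
```

Run it as `sh audit_sshd.sh --live` on the server, or call audit_sshd on a copy of the file you are about to install.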
HTTPS
Install the Let's Encrypt client
$ sudo apt-get update
$ sudo apt install certbot python3-certbot-nginx
Wildcard certificate. A wildcard is only issued through the DNS-01 challenge, so this run is interactive:
$ sudo certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d yourdomain.com -d *.yourdomain.com
certbot prints a value to publish as a TXT record at _acme-challenge.yourdomain.com and waits for it to resolve. On success it reports the paths and, in the NEXT STEPS note, that a --manual certificate is not renewed automatically unless you supply a --manual-auth-hook that can update the DNS record:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/tomorrowafrica.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/tomorrowafrica.net/privkey.pem
This certificate expires on 2024-03-28.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Single-domain certificate, validated over HTTP-01 against the site's document root. Port 80 must be reachable and the vhost must serve /.well-known/acme-challenge/ (the dotfile deny rule in the configuration below exempts .well-known for exactly this reason). certbot installs a renewal timer for this certificate, but nginx does not notice renewed files until it is reloaded, so add a deploy hook that reloads nginx (certbot's --deploy-hook option) or reload it after each renewal.
$ certbot certonly --webroot -w /usr/share/nginx/carparts/public -d hongwei.gzminiapp.cn
Output on success
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/hongwei.gzminiapp.cn/fullchain.pem
Key is saved at: /etc/letsencrypt/live/hongwei.gzminiapp.cn/privkey.pem
This certificate expires on 2024-03-29.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Example nginx configuration. Once the certificate is in place, this port-80 server should do nothing but redirect to https (keeping /.well-known/acme-challenge/ reachable for renewals); it is shown as a full vhost here. Both vhosts log under /usr/share/nginx/logs/, which has to exist; /var/log/nginx/, where the build above put nginx's own logs, is the usual place.
server {
    listen 80;
    server_name www.tomorrowafrica.net;
    root /usr/share/nginx/tomorrow-home/public;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";   # legacy header; current browsers ignore it
    add_header X-Content-Type-Options "nosniff";
    index index.php index.html index.htm;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php$uri$is_args$args;
    }
    # Matches /foo.php and /foo.php/extra/path. The split separates the script
    # from the trailing path info, and the try_files guard refuses any request
    # whose script part is not a real file, so php-fpm is never left to choose
    # the target itself (the /uploads/x.jpg/y.php trick). The original block had
    # no guard and set PATH_INFO to the script name, which is simply wrong.
    location ~ \.php($|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;   # try_files rewrites $uri and would empty it
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
    }
    location ~ ^/static/ {
        expires 3d;
    }
    location ~ /\.(?!well-known).* { deny all; }
    access_log /usr/share/nginx/logs/www.tomorrowafrica.net.access.log;
    error_log /usr/share/nginx/logs/www.tomorrowafrica.net.error.log;
}
#SSL
The TLS vhost. Nothing here turns on the HTTP/3 module the server was built with; that additionally needs a quic listener and an Alt-Svc header, which this page does not cover. The cipher list below is accepted by BoringSSL as well as OpenSSL.
server {
    listen 443 ssl;
    root /usr/share/nginx/tomorrow-home/public;
    index index.php index.html index.htm;
    server_name www.tomorrowafrica.net;
    ssl_certificate /etc/letsencrypt/live/tomorrowafrica.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomorrowafrica.net/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); the original list still enabled them.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original string (...:ECDHE:ECDH:AES:HIGH:...)
    # admitted CBC and non-PFS suites through its catch-all aliases.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        # Only an existing .php file, or the front controller, reaches php-fpm.
        try_files $uri /index.php =404;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;   # inert under \.php$, kept from the original
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* { deny all; }
    access_log /usr/share/nginx/logs/www.tomorrowafrica.net.access.log;
    error_log /usr/share/nginx/logs/www.tomorrowafrica.net.error.log;
}
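A static review of a vhost file for the problems discussed in this section, added here as an example and not part of the original page: TLS 1.0/1.1 still enabled, cipher lists built from catch-all aliases, PHP locations that forward any URI to php-fpm without checking that the script exists, and PATH_INFO taken from the script name. It is a line-oriented grep/awk pass, not an nginx parser, so a clean result means "nothing obvious" and `nginx -t` is still required. The two vhost fragments used to exercise it are constructed: one with the weaknesses, one hardened.

```shell
#!/bin/sh
# Static checks over an nginx vhost file. Added example, not from the original
# page. Findings are printed one per line; the return value is their count.

strip_conf() { sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }  # drop comments and blank lines

audit_vhost() {  # $1 = vhost file
    conf=$(strip_conf "$1"); n=0
    # 1. TLS 1.0 / 1.1 are deprecated by RFC 8996.
    if printf '%s\n' "$conf" | grep -qE 'ssl_protocols.*(TLSv1[ ;]|TLSv1\.1)'; then
        echo "FINDING: ssl_protocols enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n+1))
    fi
    # 2. Aliases such as HIGH, AES, ECDH, ALL, DEFAULT pull in CBC and non-PFS
    #    suites; enumerate the ECDHE AEAD suites instead.
    if printf '%s\n' "$conf" | grep -qE 'ssl_ciphers.*[ :](HIGH|AES|ECDH|ALL|DEFAULT)[:;]'; then
        echo "FINDING: ssl_ciphers relies on catch-all aliases; list ECDHE AEAD suites explicitly"
        n=$((n+1))
    fi
    # 3. Every `location ~ ...php...` block needs a try_files guard, otherwise
    #    php-fpm is handed a path it must resolve itself (cgi.fix_pathinfo walks
    #    back to the first existing file); PATH_INFO must come from
    #    $fastcgi_path_info after fastcgi_split_path_info, never from
    #    $fastcgi_script_name.
    php=$(printf '%s\n' "$conf" | awk '
        /location[ \t]+~.*\.php/ { inblk = 1; guarded = 0; badpi = 0; hdr = $0; sub(/^[ \t]+/, "", hdr) }
        inblk && /try_files/ { guarded = 1 }
        inblk && /fastcgi_param[ \t]+PATH_INFO[ \t]+\$fastcgi_script_name/ { badpi = 1 }
        inblk && /}/ {
            if (!guarded) print "FINDING: no try_files guard in: " hdr
            if (badpi)    print "FINDING: PATH_INFO taken from $fastcgi_script_name in: " hdr
            inblk = 0
        }')
    if [ -n "$php" ]; then
        printf '%s\n' "$php"
        n=$((n + $(printf '%s\n' "$php" | grep -c FINDING)))
    fi
    return $n
}

# Stand-alone use: audit every enabled vhost on the page's layout.
if [ -d /etc/nginx/sites-enabled ]; then
    for f in /etc/nginx/sites-enabled/*; do
        [ -f "$f" ] && { echo "== $f"; audit_vhost "$f"; }
    done
fi
```

php-fpm's own security.limit_extensions (default .php) is a second line of defence against the path-info trick; the nginx-side guard keeps the decision out of php-fpm's hands entirely, which is why the check insists on it rather than relying on one layer.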