LNMP architecture overview
1. Unlike LAMP, the web service is provided by Nginx.
2. PHP runs as a separate service, called php-fpm.
3. Nginx serves static requests directly and forwards dynamic requests to php-fpm.

MySQL installation
make clean: cleans the build tree and restores the source package to its initial state.

```bash
cd /usr/local/src
wget http://mirrors.sohu.com/mysql/MySQL-5.6/mysql-5.6.35-linux-glibc2.5-x86_64.tar.gz
tar zxvf mysql-5.6.35-linux-glibc2.5-x86_64.tar.gz
mv mysql-5.6.35-linux-glibc2.5-x86_64 /usr/local/mysql
cd /usr/local/mysql
useradd mysql
mkdir /data/
./scripts/mysql_install_db --user=mysql --datadir=/data/mysql
cp support-files/my-default.cnf /etc/my.cnf
cp support-files/mysql.server /etc/init.d/mysqld
vi /etc/init.d/mysqld      # set basedir and datadir
/etc/init.d/mysqld start
```
PHP installation
This differs from the LAMP way of installing PHP: the php-fpm service must be enabled.

```bash
cd /usr/local/src/
wget http://cn2.php.net/distributions/php-5.6.30.tar.gz
tar zxf php-5.6.30.tar.gz
useradd -s /sbin/nologin php-fpm
cd php-5.6.30
./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc \
  --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm \
  --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config \
  --with-pdo-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock \
  --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir \
  --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf \
  --enable-ftp --enable-mbstring --enable-exif --with-pear --with-curl --with-openssl
make && make install
cp php.ini-production /usr/local/php-fpm/etc/php.ini
vi /usr/local/php-fpm/etc/php-fpm.conf
```

Contents of php-fpm.conf:

```ini
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
```
```bash
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
chmod 755 /etc/init.d/php-fpm
chkconfig --add php-fpm
chkconfig php-fpm on
service php-fpm start
ps aux | grep php-fpm
```

PHP compile error:
Solution:
```bash
yum -y install curl-devel
```
Nginx overview
Nginx official site: nginx.org; the latest version is 1.15 and the latest stable version is 1.14.
Nginx use cases: web server, reverse proxy, load balancing.
A well-known Nginx fork is Tengine, developed by Taobao on top of Nginx. It is used exactly like Nginx (same service name, same configuration file names); the main difference is that Tengine adds some custom modules, stands out in security and rate limiting, and supports merging of js and css files.
The Nginx core plus Lua-related components and modules make up OpenResty, a high-performance web container with Lua support. Reference:
Nginx installation

```bash
cd /usr/local/src
wget http://nginx.org/download/nginx-1.12.1.tar.gz
tar zxf nginx-1.12.1.tar.gz
cd nginx-1.12.1
./configure --prefix=/usr/local/nginx
make && make install
vim /etc/init.d/nginx      # create the startup script
```

Startup script:

```bash
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
RETVAL=0
prog="Nginx"
start() {
    echo -n $"Starting $prog: "
    mkdir -p /dev/shm/nginx_temp
    daemon $NGINX_SBIN -c $NGINX_CONF
    RETVAL=$?
    echo
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    killproc -p $NGINX_PID $NGINX_SBIN -TERM
    rm -rf /dev/shm/nginx_temp
    RETVAL=$?
    echo
    return $RETVAL
}
reload() {
    echo -n $"Reloading $prog: "
    killproc -p $NGINX_PID $NGINX_SBIN -HUP
    RETVAL=$?
    echo
    return $RETVAL
}
restart() {
    stop
    start
}
configtest() {
    $NGINX_SBIN -c $NGINX_CONF -t
    return 0
}
case "$1" in
    start) start ;;
    stop) stop ;;
    reload) reload ;;
    restart) restart ;;
    configtest) configtest ;;
    *) echo $"Usage: $0 {start|stop|reload|restart|configtest}"
       RETVAL=1
esac
exit $RETVAL
```
```bash
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
vim nginx.conf
```

Contents of nginx.conf:

```nginx
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
    use epoll;
    worker_connections 6000;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 3526;
    server_names_hash_max_size 4096;
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 30;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 8 4k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css text/htm application/xml;
    server
    {
        listen 80;
        server_name localhost;
        index index.html index.htm index.php;
        root /usr/local/nginx/html;
        location ~ \.php$
        {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }
}
```

```bash
/usr/local/nginx/sbin/nginx -t
/etc/init.d/nginx start
netstat -lntp | grep 80
```

PHP test
PHP parsing test path:
```bash
cd /usr/local/nginx/html/
vim 1.php
```
Nginx default virtual host

```bash
vim /usr/local/nginx/conf/nginx.conf      # add the line below
```
```nginx
include vhost/*.conf
```
```bash
mkdir /usr/local/nginx/conf/vhost
cd /usr/local/nginx/conf/vhost
vim default.conf      # edit the default virtual host configuration
```

```nginx
server
{
    listen 80 default_server;   # the server block carrying this flag is the default virtual host
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
}
```

```bash
mkdir -p /data/wwwroot/default/      # create the default virtual host directory
echo "This is a default site." >/data/wwwroot/default/index.html      # create a test page
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
```
Test:
Nginx user authentication

```bash
vim /usr/local/nginx/conf/vhost/test.com.conf      # write the following content
```

```nginx
server
{
    listen 80;
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    location /
    {
        auth_basic "Auth";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    }
}
```

```bash
yum install -y httpd      # needed if httpd is not installed; I had installed it earlier, so it can be used directly
/usr/local/apache2.4/bin/htpasswd -c /usr/local/nginx/conf/htpasswd cc
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload      # test the configuration and reload
mkdir /data/wwwroot/test.com
echo "test.com" >/data/wwwroot/test.com/index.html
curl -x127.0.0.1:80 test.com -I      # a 401 status code means authentication is required
```
![16fdd1566773fa06f2903859e991b1b01cb.jpg](https://oscimg.oschina.net/oscnet/16fdd1566773fa06f2903859e991b1b01cb.jpg)

Per-directory user authentication
```bash
vim test.com.conf      # change the configuration file
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload      # test the configuration and reload
```
Nginx domain redirect
Change test.com.conf:

```nginx
server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    if ($host != 'test.com' ) {
        rewrite ^/(.*)$ http://test.com/$1 permanent;
    }
}
# server_name accepts several domain names; compare this with the httpd way of doing it
# permanent is a permanent redirect (status 301); redirect would give 302
```

```bash
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload      # check and reload
```
Test:
Nginx access log
Log format: vim /usr/local/nginx/conf/nginx.conf and search for log_format.
Besides defining the log format in the main configuration file nginx.conf, the following must also be added to the virtual host configuration file:
```nginx
access_log /tmp/1.log combined_realip;
```
Here combined_realip is the name of the log format defined in nginx.conf.

```bash
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
```
Test with curl:
![fe4d9861d4f58f11e53d857eb7dd8c1a2bb.jpg](https://oscimg.oschina.net/oscnet/fe4d9861d4f58f11e53d857eb7dd8c1a2bb.jpg)
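As an added example (not part of the original post), the following shell/awk function reads lines in exactly the combined_realip layout defined above and lists client addresses that collected repeated 401/403 responses, which is how a defender would notice password guessing against the basic-auth area or probing of /admin/. The sample log lines are constructed, and the function name and threshold argument are my own choices, not an Nginx feature.

```shell
#!/bin/sh
# Added helper (not from the original post): list client addresses that received
# >= threshold 401/403 responses in a combined_realip access log.
# Field layout from nginx.conf above:
#   $remote_addr $http_x_forwarded_for [$time_local] $host "$request_uri" $status "$http_referer" "$http_user_agent"
# Splitting on '"' is safe because nginx escapes '"' inside logged variables as \x22.
# Grouping is by $remote_addr: $http_x_forwarded_for is whatever the client sent and
# may hold several comma-separated addresses, so it is not trusted here.
denied_by_ip() {
    logfile="$1"
    threshold="$2"
    awk -F'"' -v thr="$threshold" '{
        split($1, head, " ")          # head[1] = $remote_addr
        ip = head[1]
        status = $3                   # " 401 " sits between the request and referer quotes
        gsub(/ /, "", status)
        if (status == "401" || status == "403") denied[ip]++
    } END {
        for (ip in denied)
            if (denied[ip] >= thr + 0) print ip, denied[ip]
    }' "$logfile" | sort -k2,2nr
}

# Constructed sample log for a stand-alone run (addresses and timestamps are made up)
demo_denied_by_ip() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1 - [10/Sep/2018:10:15:01 +0800] test.com "/index.html" 200 "-" "curl/7.29.0"
10.0.0.5 - [10/Sep/2018:10:15:02 +0800] test.com "/index.html" 401 "-" "curl/7.29.0"
10.0.0.5 203.0.113.9, 10.0.0.5 [10/Sep/2018:10:15:03 +0800] test.com "/admin/1.html" 403 "-" "Mozilla/5.0 (X11; Linux)"
10.0.0.5 - [10/Sep/2018:10:15:04 +0800] test.com "/index.html" 401 "http://test.com/" "curl/7.29.0"
192.168.36.128 - [10/Sep/2018:10:15:05 +0800] test.com "/admin/1.html" 200 "-" "curl/7.29.0"
EOF
    denied_by_ip "$f" 2      # prints: 10.0.0.5 3
    rm -f "$f"
}
```

Run it against the real file with `denied_by_ip /tmp/1.log 20` once the access_log line above is in place.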
Nginx log rotation
Custom shell script:

```bash
vim /usr/local/sbin/nginx_log_rotate.sh      # write the following content
```

```bash
#! /bin/bash
## Assumes the nginx logs are stored under /tmp/
d=`date -d "-1 day" +%Y%m%d`      # date format: the previous day
logdir="/tmp/"
nginx_pid="/usr/local/nginx/logs/nginx.pid"
cd $logdir
for log in `ls *.log`
do
    mv $log $log-$d               # rename each log with yesterday's date
done
/bin/kill -HUP `cat $nginx_pid`   # graceful: nginx reopens its log files without dropping connections
```

Scheduled task:
```
0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh
```

Static files: no access log, and an expiry time
Configuration as follows:

```nginx
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    expires 7d;
    access_log off;
}
location ~ .*\.(js|css)$
{
    expires 12h;
    access_log off;
}
```

```bash
vim test.com.conf
```
Test:
Nginx hotlink protection
Configuration as follows; it can be combined with the configuration above:

```nginx
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names *.test.com ;
    if ($invalid_referer) {
        return 403;
    }
    access_log off;
}
```
Test:
Nginx access control
Requirement: requests to the /admin/ directory are allowed only from a few IPs. Configuration as follows:

```nginx
location /admin/
{
    allow 192.168.36.128;
    allow 127.0.0.1;
    deny all;
}
```

```bash
echo "test,test" >/data/wwwroot/test.com/admin/1.html
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
curl -x127.0.0.1:80 test.com/admin/1.html -I
curl -x192.168.100.1:80 test.com/admin/1.html -I
```

Regular expressions can also be matched:
```nginx
location ~ .*(abc|image)/.*\.php$
{
    deny all;
}
```
Test:

Restricting by user_agent
```nginx
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {   # ~* would match case-insensitively
    return 403;
}
```
Test:
deny all and return 403 have the same effect.
Nginx configuration for parsing PHP

```nginx
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
}
```
fastcgi_pass specifies the address or socket that php-fpm listens on. It must match the php-fpm configuration, otherwise a 502 error results. Resource exhaustion also produces 502s, which is when tuning becomes necessary.
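The socket mismatch described above is easy to catch before reloading. The check below is an added example, not part of the original post: it compares the `listen = ...` line in php-fpm.conf with the `fastcgi_pass unix:...;` line in the vhost file. The function name and the temporary sample files in the demo are my own constructions.

```shell
#!/bin/sh
# Added check (not from the original post): confirm that the socket php-fpm listens on
# (php-fpm.conf "listen = ...") is the one the vhost hands requests to ("fastcgi_pass unix:...;").
# A mismatch gives the 502 described above.
# Usage: check_fpm_socket <php-fpm.conf> <vhost.conf>; exit 0 = match, 1 = mismatch, 2 = not found
check_fpm_socket() {
    fpm_listen=$(sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    nginx_pass=$(sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*/\1/p' "$2" | head -n 1)
    if [ -z "$fpm_listen" ] || [ -z "$nginx_pass" ]; then
        echo "listen/fastcgi_pass not found in $1 / $2" >&2
        return 2
    fi
    if [ "$fpm_listen" != "$nginx_pass" ]; then
        echo "MISMATCH: php-fpm listens on $fpm_listen, nginx passes to $nginx_pass" >&2
        return 1
    fi
    # Runtime hint: once php-fpm is running the path must exist and be a socket
    [ -S "$fpm_listen" ] || echo "note: $fpm_listen does not exist yet (php-fpm not started?)" >&2
    echo "OK: both sides use $fpm_listen" >&2
    return 0
}

# Constructed php-fpm.conf and vhost snippets for a stand-alone run (temporary files, not the real paths)
demo_fpm_check() {
    tmp=$(mktemp -d)
    printf '[www]\nlisten = /tmp/php-fcgi.sock\nlisten.mode = 666\n' > "$tmp/php-fpm.conf"
    printf 'location ~ \\.php$ {\n    fastcgi_pass unix:/tmp/php-fcgi.sock;\n}\n' > "$tmp/good.conf"
    printf 'location ~ \\.php$ {\n    fastcgi_pass unix:/tmp/php-cgi.sock;\n}\n' > "$tmp/bad.conf"
    if check_fpm_socket "$tmp/php-fpm.conf" "$tmp/good.conf" 2>/dev/null; then good=0; else good=$?; fi
    if check_fpm_socket "$tmp/php-fpm.conf" "$tmp/bad.conf" 2>/dev/null; then bad=0; else bad=$?; fi
    rm -rf "$tmp"
    echo "$good $bad"      # prints: 0 1
}
```

On the real host, run `check_fpm_socket /usr/local/php-fpm/etc/php-fpm.conf /usr/local/nginx/conf/vhost/test.com.conf` before `nginx -s reload`.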
Nginx proxy

```bash
cd /usr/local/nginx/conf/vhost
vim proxy.conf      # add the following content
```

```nginx
server
{
    listen 80;
    server_name www.baidu.com;   # domain name of the web server being accessed
    location /
    {
        proxy_pass http://14.215.177.39/;   # IP address of that web domain
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Test:
```bash
curl -x127.0.0.1:80 www.baidu.com/robots.txt
```
Nginx load balancing

```bash
vim /usr/local/nginx/conf/vhost/load.conf      # write the following content
```

```nginx
upstream qq_com
{
    ip_hash;
    server 111.161.64.40:80;
    server 111.161.64.48:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The dig command is a common DNS lookup tool; it can be used to test whether DNS is working and, here, to obtain the IP addresses.
Install it with: yum install -y bind-utils
Get the IPs:
Test:
By default the request lands on our default virtual host.
After the configuration file is changed, reload it (nginx -t && nginx -s reload):
```bash
curl -x127.0.0.1:80 www.qq.com
```
SSL workflow
1. The browser sends an HTTPS request to the server.
2. The server needs a set of digital certificates. It can make its own (the steps later on use a certificate Aming made himself) or apply to an organization for one. The difference is that a self-issued certificate has to be accepted by the client before access can continue, while a certificate from a trusted company does not trigger the warning page. This certificate set is really a public key and a private key.
3. The server sends the public key to the client.
4. The client (browser) receives the public key and checks whether it is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key. This string becomes the client's own private key, used later to decrypt the data the server returns.
5. The client sends the encrypted random string to the server.
6. The server decrypts it with its private key (public key encrypts, private key decrypts), obtains the random string, and then uses that string to encrypt the data it transmits. This is symmetric encryption: the data and the key, i.e. the random string, are mixed together by some algorithm, so that nobody can recover the data without knowing the key.
7. The server sends the encrypted data to the client.
8. The client receives the data and decrypts it with its own key, i.e. the random string.
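The exchange described above, replayed step by step with the openssl command line as an added example (not the post's own commands): the server's RSA key pair, the client's random secret wrapped with the public key, the server unwrapping it with the private key, and both sides then using the secret as an AES key. Real TLS negotiates keys with a key-exchange protocol rather than by encrypting files, so this only mirrors the post's description; file names and the sample message are my own.

```shell
#!/bin/sh
# Added illustration of the SSL workflow above using the openssl CLI (not from the original post).
# Returns "roundtrip-ok" when the server recovers the client's secret and the data decrypts.
ssl_workflow_demo() {
    work=$(mktemp -d)
    # Step 2: server generates its key pair (the post's genrsa step) and exports the public half
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null
    # Step 4: client generates a random string (256 bits, hex) and encrypts it with the public key
    openssl rand -hex 32 > "$work/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -in "$work/client.secret" -out "$work/secret.enc"
    # Step 6: server recovers the string with its private key (public encrypts, private decrypts)
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -in "$work/secret.enc" -out "$work/server.secret"
    # Step 6/7: server encrypts application data symmetrically; the random string is the AES key.
    # The IV is not secret and would travel with the ciphertext.
    iv=$(openssl rand -hex 16)
    printf 'hello from cc.com\n' > "$work/data.txt"
    openssl enc -aes-256-cbc -K "$(cat "$work/server.secret")" -iv "$iv" \
        -in "$work/data.txt" -out "$work/data.enc"
    # Step 8: client decrypts with its own copy of the random string
    openssl enc -d -aes-256-cbc -K "$(cat "$work/client.secret")" -iv "$iv" \
        -in "$work/data.enc" -out "$work/data.dec"
    if cmp -s "$work/client.secret" "$work/server.secret" && cmp -s "$work/data.txt" "$work/data.dec"; then
        result="roundtrip-ok"
    else
        result="roundtrip-failed"
    fi
    rm -rf "$work"
    echo "$result"
}
```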
Generate the SSL key pair
```bash
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048      # the .key file is the private key
```

Nginx SSL configuration
```bash
vim /usr/local/nginx/conf/vhost/ssl.conf      # add the following content
```

```nginx
server
{
    listen 443;
    server_name cc.com;
    index index.html index.php;
    root /data/wwwroot/cc.com;
    ssl on;
    ssl_certificate cc.crt;
    ssl_certificate_key cc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

```bash
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
```
If this reports unknown directive "ssl", nginx has to be recompiled with --with-http_ssl_module added to ./configure.
Then recompile: make && make install
Then run -t again and restart:
Check with netstat -lntp whether port 443 is listening:

```bash
mkdir /data/wwwroot/cc.com
vim /data/wwwroot/cc.com/index.html      # contents as follows:
vim /etc/hosts
```
Because the certificate is self-issued it is shown as not valid; this means the configuration succeeded!
Browser test:
First edit the local machine's hosts file.
Then open https://cc.com
The page is displayed successfully!