1. Lab requirements
   1) CentOS 7, AMP + xcache, rpm packages, php-fpm;
      a) httpd, PHP and mariadb each deployed on a separate host;
      b) one virtual host serves WordPress, the other serves phpMyAdmin;
      c) phpMyAdmin is served over HTTPS.

2. Lab environment
   1) Server environment
      Linux server OS version: CentOS release 6.7 (Final)
      httpd)    IP: 172.16.66.60
      php-fpm)  IP: 172.16.66.70
      mariadb)  IP: 172.16.66.70
   2) Test environment
      Windows 7 client: IP: 172.16.66.100

3. Prerequisites
   1) Stop the firewall and disable SELinux
      ~]# service iptables stop
      ~]# sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

4. Lab procedure

Part 1: deploy the httpd host (IP: 172.16.66.60)

1 Basic setup
1.1 Set the httpd host name (HOSTNAME)
    echo "HOSTNAME=www1" >> /etc/sysconfig/network
1.2 Update the hosts file /etc/hosts
    vim /etc/hosts
    172.16.66.60 www1
1.3 Adjust the DNS resolver settings
    vim /etc/resolv.conf

2 Install LAMP
2.2 Install and configure the Apache web server
    yum install httpd
2.3 Back up the configuration files (recommended for every configuration file: take a copy before any change so that an unexpected error can be rolled back)
    mkdir ~/confbak
    cp -R /etc/httpd ~/confbak
    Here ~ is the home directory of the logged-in user and -R recurses into all subdirectories.
2.4 Configure virtual host www1 (/etc/httpd/conf.d/www1.conf)
    vim /etc/httpd/conf.d/www1.conf
    Host www1:
    [root@www1 conf.d]# cat www1.conf
    <VirtualHost *:80>
        ServerName www1
        # ServerAlias www
        # note: no trailing / at the end of the DocumentRoot line
        DocumentRoot /data/vhosts/www1
        ProxyRequests Off
        DirectoryIndex index.php
        ProxyPassMatch ^/(.*\.php)$ fcgi://172.16.66.70:9000/data/vhosts/www1/$1
        <Directory "/data/vhosts/www1">
            Options None
            AllowOverride None
            Require all granted
        </Directory>
        ErrorLog logs/www1-error_log
        CustomLog logs/www1-access_log combined
        #ServerSignature Off
    </VirtualHost>
2.5 Configure virtual host www2 (/etc/httpd/conf.d/www2.conf)
    vim /etc/httpd/conf.d/www2.conf
    Host www2:
    [root@www1 conf.d]# cat www2.conf
    <VirtualHost *:80>
        ServerName www2
        DocumentRoot /data/vhosts/www2
        ProxyRequests Off
        DirectoryIndex index.php
        ProxyPassMatch ^/(.*\.php)$ fcgi://172.16.66.70:9000/data/vhosts/www2/$1
        <Directory "/data/vhosts/www2">
            Options None
            AllowOverride None
            Require all granted
        </Directory>
        ErrorLog logs/www2-error_log
        CustomLog logs/www2-access_log combined
        #ServerSignature Off
    </VirtualHost>
2.6 Create the site directories for the virtual hosts
    Host 1: mkdir /data/vhosts/www1/ -p
    Host 2: mkdir /data/vhosts/www2/ -p
2.7 To start Apache automatically at boot, run:
    systemctl enable httpd
    The output looks like:
    ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
2.8 Start the Apache service
    systemctl start httpd
2.9 If Apache reports that it is already running, reload it:
    systemctl reload httpd
    Now the http service has to be allowed through the firewall (that is, port 80, the HTTP default, is added to the firewall allow list):
    firewall-cmd --add-service=http --permanent
    The --permanent flag makes this a persistent rule; without it the rule disappears after a reboot. Restart firewalld for the rule to take effect:
    systemctl restart firewalld
    If the firewall is not running by default, the command above fails with "FirewallD is not running". In that case enable the firewall service first:
    systemctl enable firewalld && systemctl start firewalld
    To list the firewall rules after the change:
    firewall-cmd --list-all

    Key points about the httpd service:
    Default configuration file: /etc/httpd/conf/httpd.conf
    Module configuration directory: /etc/httpd/conf.modules.d/ (e.g. PHP)
    MPM selection (processing model) [worker, prefork (the default)] and event: /etc/httpd/conf.modules.d/00-mpm.conf
    Default ports: 80 and 443 (SSL)
    Default logs: /var/log/httpd/{access_log,error_log}

    apachectl can also drive the Apache service directly, for example to reload the configuration gracefully:
    apachectl graceful
    "Gracefully" means that all httpd worker processes are gradually replaced by new ones running the new configuration without interrupting client requests. See its short help for details:
    apachectl -h

    Other useful firewalld options:
    # firewall-cmd --state
    # firewall-cmd --list-all
    # firewall-cmd --list-interfaces
    # firewall-cmd --get-service
    # firewall-cmd --query-service service_name
    # firewall-cmd --add-port=8080/tcp

Part 2: deploy the php-fpm host (IP: 172.16.66.70)

1 Install and configure php-fpm
1.1 Install php-fpm
    yum install php-fpm mysql-server -y
1.2 Back up the configuration files /etc/php.ini, php.conf and 00-php.conf
    cp /etc/php.ini ~/confbak/php.ini.bak
    cp /etc/httpd/conf.d/php.conf ~/confbak/httpd/conf.d/php.conf.bak
    cp /etc/httpd/conf.modules.d/00-php.conf ~/confbak/httpd/conf.modules.d/00-php.conf.bak
1.3 Make sure /etc/php.ini contains the following settings (change them if they differ, add them if missing; some values can be tuned later; this is the configuration for a simple server running WordPress):
    error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
    display_errors = Off
    log_errors = On
    max_execution_time = 300
    memory_limit = 32M
2 Install and configure php-mysql (to use MySQL from PHP the php-mysql package is needed as well)
2.1 Install php-mysql
    yum install php-mysql -y

Part 3: deploy the mariadb host (IP: 172.16.66.80)

1 Install and configure the MariaDB database service
    MariaDB is a database server rebuilt on the MySQL code base, and the Linux distributions have been switching from MySQL to MariaDB one after another. CentOS uses MariaDB by default starting with version 7.
1.1 Install
    yum install mariadb-server mariadb
1.2 Enable start at boot
    systemctl enable mariadb
1.3 Start the mariadb daemon (mysqld); its default user name is still mysql
    systemctl start mariadb
1.4 Check memory usage
    top -u mysql
1.5 Commands to stop, restart or disable the mariadb service:
    stop:     sudo systemctl stop mariadb
    restart:  sudo systemctl restart mariadb
    disable:  sudo systemctl disable mariadb
    check:    sudo systemctl is-active mariadb
2 Secure MariaDB
    Use MariaDB's built-in hardening script:
    mysql_secure_installation
    Here the MySQL root user and password are set, other users are removed, and unneeded databases are dropped. The output looks like the run below; the answers typed at the keyboard are annotated:

    /usr/bin/mysql_secure_installation
    /usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
        -- just press Enter; this is the MariaDB root user, not the Linux root user
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] y
    New password:            -- type the database root password
    Re-enter new password:   -- type it again
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y     -- remove the anonymous users?
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] y     -- forbid remote root login?
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] y     -- drop the test database and its grants?
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] y     -- reload the privilege tables now?
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!

2.1 Log in, type the password and press Enter; the prompt changes to MariaDB [(none)]> as in this sample output:
    mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 10
    Server version: 5.5.37-MariaDB MariaDB Server

    Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]>
2.2 Create a new database for WordPress (named wordpress here; any other name works too)
    MariaDB [(none)]> create database wordpress;
2.3 Create a new user and grant it the privileges on that database (example only: user name ly, password lyuserpassword)
    MariaDB [(none)]> grant all on wordpress.* to 'ly'@'172.16.%.%' identified by 'lyuserpassword';
2.4 Reload the privileges
    MariaDB [(none)]> flush privileges;
2.5 Leave the database shell
    MariaDB [(none)]> quit
2.6 Back up the configuration file
    cp /etc/my.cnf ~/confbak/my.cnf.bak

Part 4: install and configure WordPress and phpMyAdmin on the php-fpm host (IP: 172.16.66.70)

1. Install and configure WordPress
1.1 Unpack the WordPress archive
    tools]# unzip wordpress-4.3.1-zh_CN.zip
1.2 Copy it into the www1 site directory
    cp -r wordpress /data/vhosts/www1
1.3 Copy the sample WordPress configuration to wp-config.php
    ]# cp wp-config-sample.php wp-config.php
1.4 Edit the database connection settings in wp-config.php
    ~]# sed -n '22,38p' /data/vhosts/www1/wordpress/wp-config.php
    /** The name of the database for WordPress */
    define('DB_NAME', 'wordpress');
    /** MySQL database username */
    define('DB_USER', 'ly');
    /** MySQL database password */
    define('DB_PASSWORD', 'liyang');
    /** MySQL hostname */
    define('DB_HOST', '172.16.66.80');
    /** Database charset to use when creating tables */
    define('DB_CHARSET', 'utf8');
    /** The database collate type. Do not change this if in doubt */
    define('DB_COLLATE', '');

2. Install and configure phpMyAdmin
2.1 Unpack the phpMyAdmin archive
    tools]# unzip phpMyAdmin-4.4.14.1-all-languages.zip
2.2 Copy it into the www2 site directory
    ~]# cp -r phpMyAdmin-4.4.14.1-all-languages /data/vhosts/www2
2.3 Configure phpMyAdmin
    # ln -sv phpMyAdmin-4.4.14.1-all-languages/ phpMyAdmin
2.4 Copy the sample configuration file
    ~]# cp config.sample.inc.php config.inc.php
2.5 Generate a random value
    ~]# openssl rand -hex 8     # --> 640b56f72820ace8
2.6 Edit config.inc.php
    ~]# vim config.inc.php
    $cfg['blowfish_secret'] = '640b56f72820ace8';

3. Test the PHP and mariadb connectivity
3.1 httpd --> PHP: can PHP be reached?
    www1]# cat admin.php
    <?php phpinfo(); ?>
3.2 httpd --> PHP --> mariadb: can the database be reached?
    www1]# cat index.php
    <?php
    $conn = mysql_connect('172.16.100.71', 'testuser', 'testpass');
    if ($conn)
        echo "OK";
    else
        echo "Failure";
    ?>

4. Test WordPress and phpMyAdmin
4.1 In the browser on the PC, check that WordPress is reachable over port 80:
    http://www1/wordpress
4.2 If the page reports a missing extension, installing php-mbstring fixes it:
    ~]# yum install php-mbstring
4.3 In the browser on the PC, enter the database name and password when prompted (the account and password are the ones granted to the WordPress user above):
    http://www2/phpMyAdmin/index.php

5. Install and configure the xcache accelerator for php-fpm
5.1 Install php-xcache with yum
    ~]# yum install php-xcache

Part 5: serve phpMyAdmin over HTTPS, on the httpd host (IP: 172.16.66.60)

Working directory: /etc/pki/CA/

1. Build a private CA
1.1 Generate the CA private key
    CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
1.2 Generate the self-signed CA certificate
    CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Common Name (eg, your name or your server's hostname) []:www2
1.3 Create the auxiliary files
    CA]# touch index.txt
    CA]# echo 01 > serial     # serial number
    CA]# tree .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    └── serial

2. The node requests a certificate
2.1 Generate the node private key
    ~]# mkdir -pv /etc/httpd/ssl
    ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
2.2 Generate the certificate signing request
    ssl]# openssl req -new -key httpd.key -out httpd.csr
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Common Name (eg, your name or your server's hostname) []:www2
2.3 Send the request to the CA
    ssl]# cp httpd.csr /tmp/

3. The CA issues the certificate
3.1 Sign the certificate
    ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
3.2 Return the signed certificate to the requester
    ~]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
    Note: in this lab the private CA and the node requesting the certificate are on the same machine.

4. Configure httpd to use SSL with the issued certificate
4.1 Install the mod_ssl module with yum
    ~]# httpd -M | grep ssl
    ~]# yum install mod_ssl -y
    ~]# rpm -ql mod_ssl
4.2 Edit the configuration file
    ~]# cat /etc/httpd/conf.d/ssl.conf
    <VirtualHost *:443>
        DocumentRoot "/data/vhosts/www2"
        ServerName www2:443
        ProxyRequests Off
        DirectoryIndex index.php
        ProxyPassMatch ^/(.*\.php)$ fcgi://172.16.66.70:9000/data/vhosts/www2/$1
        # SSLEngine on turns TLS on for this vhost; without it port 443 would serve plain HTTP
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/httpd.crt
        SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
        <Directory "/data/vhosts/www2">
            SSLOptions +StdEnvVars
            AllowOverride None
            Require all granted
        </Directory>
    </VirtualHost>

Part 6: stress test report
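The private-CA workflow of Part 5 (steps 1.1 through 3.2) run end to end in a scratch directory, followed by the checks worth doing before the files are copied under /etc/httpd/ssl. This is an added example, not the write-up's own commands: the temporary directory layout, the inline openssl.cnf and the subject names are constructed here, and the CA lives in a temp directory instead of /etc/pki/CA.

```shell
# Added example: rebuild the Part 5 private CA in a scratch directory, sign a CSR
# for www2 and verify the result. Paths and openssl.cnf below are constructed.
build_and_verify_ca() {
  work=$(mktemp -d) || return 1
  ca="$work/CA"
  mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$work/ssl"
  # Minimal CA configuration so `openssl ca` runs outside /etc/pki/CA.
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = lab_ca
[ lab_ca ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = lab_policy
[ lab_policy ]
commonName          = supplied
countryName         = optional
stateOrProvinceName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # 1. CA key (umask 077: readable only by its owner) and self-signed CA cert
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3650 -key "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" -subj "/C=CN/ST=Beijing/CN=lab-ca" -config "$ca/openssl.cnf"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"
  # 2. Node key and CSR for www2 (2048 bits here instead of the page's 1024)
  (umask 077; openssl genrsa -out "$work/ssl/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$work/ssl/httpd.key" -out "$work/ssl/httpd.csr" \
    -subj "/C=CN/ST=Beijing/CN=www2" -config "$ca/openssl.cnf"
  # 3. The CA signs the request; -batch answers the interactive y/n prompts
  openssl ca -batch -config "$ca/openssl.cnf" -in "$work/ssl/httpd.csr" \
    -out "$ca/certs/httpd.crt" 2>/dev/null
  # Checks: the cert chains to the CA, its CN is the vhost name, it matches the key
  openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/httpd.crt" >/dev/null &&
    openssl x509 -noout -subject -in "$ca/certs/httpd.crt" | grep -q 'CN *= *www2' &&
    [ "$(openssl x509 -noout -modulus -in "$ca/certs/httpd.crt")" = \
      "$(openssl rsa -noout -modulus -in "$work/ssl/httpd.key")" ]
  rc=$?
  rm -rf "$work"
  return $rc
}
```

The same three checks apply to the real files: `openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt` and a modulus comparison of httpd.crt against httpd.key catch a mismatched key pair before httpd refuses to start.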