The blog was previously hosted on Alibaba Cloud and that server was about to expire. Tencent Cloud happened to be running a Singles' Day (11/11) promotion, so I migrated the server to Tencent Cloud. While migrating, I also decided to switch operating systems, replacing the original CentOS 7.4 with Ubuntu 20.04 LTS.
The rest of the environment stays basically the same: Nginx + MariaDB + phpMyAdmin + Let's Encrypt, as before. Because CentOS and Ubuntu use different package managers, there are still some differences in the installation steps.
Preparation before installation
1. Check and confirm the system version
sudo lsb_release -a
2. Change the package sources
sudo cp /etc/apt/sources.list /etc/apt/sources.list.backup
sudo nano /etc/apt/sources.list
Tencent Cloud has already configured the package sources, so no change is needed here.
3. Update the system
sudo apt update
sudo apt upgrade
Install Nginx
sudo apt install nginx
# Check whether the service is running
systemctl status nginx
# Enable start on boot
sudo systemctl enable nginx
sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
Enable the firewall
# Open the OpenSSH port (do this before enabling ufw so the SSH session is not cut off)
sudo ufw allow OpenSSH
# Open the Nginx ports
sudo ufw allow 'Nginx Full'
# Enable the firewall
sudo ufw enable
# Check ufw status
sudo ufw status
ubuntu@VM-0-7-ubuntu:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
ubuntu@VM-0-7-ubuntu:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Install PHP 7.4
Determine the PHP version available in the package sources:
apt search --names-only ^php
You can see that the current version is PHP 7.4. On Ubuntu 18.04, installing the latest 7.4 requires an additional repository:
# Install PHP 7.4 on Ubuntu 18.04
sudo apt-get update
sudo apt -y install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Install PHP and common modules/extensions
sudo apt install php7.4
ubuntu@VM-0-7-ubuntu:~$ sudo apt install php7.4
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php7.4 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libjansson4 liblua5.2-0 php-common php7.4-cli
  php7.4-common php7.4-json php7.4-opcache php7.4-readline ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php7.4 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libjansson4 liblua5.2-0 php-common php7.4 php7.4-cli
  php7.4-common php7.4-json php7.4-opcache php7.4-readline ssl-cert
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,881 kB of archives.
After this operation, 26.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
As you can see, installing PHP this way pulls in a number of other packages, including Apache. Since this server uses Nginx, Apache is not needed.
# Disable Apache
sudo systemctl disable --now apache2
Install PHP components and modules
Components are installed with:
sudo apt install php7.4-extension_name
The commonly used components, collected here:
sudo apt install php7.4-fpm php7.4-cli php7.4-common php7.4-json php7.4-opcache php7.4-readline \
    php7.4-dev php7.4-mysql php7.4-sqlite3 php7.4-xml php7.4-xmlrpc php7.4-curl php7.4-gd \
    php7.4-imagick php7.4-imap php7.4-soap php7.4-mbstring php7.4-zip php7.4-ssh2 php7.4-intl
Edit the PHP configuration file
sudo nano /etc/php/7.4/fpm/php.ini
The changes mainly reduce security risk and improve performance:
cgi.fix_pathinfo=0
upload_max_filesize=32M
post_max_size=48M
memory_limit=256M
max_execution_time=600
max_input_vars=3000
max_input_time=1000
After editing, restart php-fpm so the configuration takes effect:
sudo systemctl restart php7.4-fpm
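Hand-editing php.ini in nano works once; on a server that gets rebuilt it is easier to apply the settings above with a script and read them back before restarting php-fpm. The following is an added example, not code from the original post: set_ini_value rewrites an existing (active or commented-out) assignment or appends a new one, get_ini_value reports the effective value, and harden_php_ini applies exactly the seven settings listed above. The php.ini fragment built by demo_php_ini is constructed; the file path is whatever the caller passes (on this setup it would be /etc/php/7.4/fpm/php.ini).

```shell
#!/bin/sh
# Added example (not from the original post): apply the php.ini settings from the post
# idempotently and read them back, so the change can be checked before php-fpm restarts.
# Requires GNU sed (-i -E), as on Ubuntu. The sample php.ini in demo_php_ini is constructed.

# set_ini_value FILE KEY VALUE
# Rewrites an existing "key = value" line (active, or commented out with ';'),
# or appends the assignment if the key is absent.
set_ini_value() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_value FILE KEY
# Prints the effective value: the last active (uncommented) assignment wins, as in PHP.
get_ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# harden_php_ini FILE
# The settings from the post. cgi.fix_pathinfo=0 stops PHP from "fixing up" a path and
# running a different file than the one Nginx matched; the rest are upload and resource limits.
harden_php_ini() {
    set_ini_value "$1" cgi.fix_pathinfo 0
    set_ini_value "$1" upload_max_filesize 32M
    set_ini_value "$1" post_max_size 48M
    set_ini_value "$1" memory_limit 256M
    set_ini_value "$1" max_execution_time 600
    set_ini_value "$1" max_input_vars 3000
    set_ini_value "$1" max_input_time 1000
}

# demo_php_ini: builds a constructed php.ini fragment, hardens it and prints the result.
demo_php_ini() {
    tmp=$(mktemp)
    printf ';cgi.fix_pathinfo=1\nupload_max_filesize = 2M\nmemory_limit = 128M\n' > "$tmp"
    harden_php_ini "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

demo_php_ini
```

Running harden_php_ini twice leaves a single line per key, so the script is safe to re-run after package upgrades that ship a new php.ini; follow it with sudo systemctl restart php7.4-fpm as above.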
Edit the Nginx configuration and test whether PHP is working
sudo nano /etc/nginx/sites-available/default
Uncomment the following lines:
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
#
#   # With php-fpm (or other unix sockets):
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#   # With php-cgi (or other tcp sockets):
#   fastcgi_pass 127.0.0.1:9000;
}
Reload the Nginx configuration so it takes effect:
sudo nginx -t
sudo systemctl reload nginx
Create a PHP file:
sudo nano /var/www/html/info.php
File content:
<?php phpinfo();
After saving the file, open http://your_server_ip/info.php and check whether the PHP info page loads.
Note: after checking, delete the info.php file; leaving it in place is a security risk.
sudo rm /var/www/html/info.php
Install MariaDB
sudo apt install mariadb-server mariadb-client
sudo systemctl status mariadb
sudo systemctl stop mariadb
sudo systemctl start mariadb
sudo systemctl enable mariadb
# Initial setup:
sudo mysql_secure_installation
Install phpMyAdmin
sudo apt install phpmyadmin
The installer asks you to choose the web server that should be configured automatically to run phpMyAdmin. There is no option for Nginx, so press ESC to skip this step.
Next, the installer asks whether to use the dbconfig-common tool to set up the database. Select Yes and press Enter.
Enter a password for phpMyAdmin to register with the database, select OK and press Enter.
Configure Nginx
Make the phpMyAdmin program files at /usr/share/phpmyadmin reachable by Nginx:
sudo ln -s /usr/share/phpmyadmin /var/www/html/phpmyadmin
sudo chmod 775 -R /usr/share/phpmyadmin/
sudo chown root:www-data -R /usr/share/phpmyadmin/
Edit the /etc/nginx/sites-available/default file.
sudo nano /etc/nginx/sites-available/default
Add index.php to the index line in the default file.
Then restart Nginx with sudo systemctl restart nginx. Once done, phpMyAdmin is available at http://your_server_ip/phpmyadmin/.
The login account is phpmyadmin, with the password you just set. After logging in, you will find that this account lacks permissions such as creating tables.
Log out and try the root account instead; that login fails, because by default the root account authenticates with the auth_socket plugin.
sudo mysql -u root
Solution 1: change how the root account logs in
SELECT user, plugin, host FROM mysql.user WHERE user='root';
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '******';
FLUSH PRIVILEGES;
EXIT;
Solution 2: add an administrator account:
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;
Afterwards, log in to phpMyAdmin with the root account or the new administrator account.
phpMyAdmin security settings
Installing phpMyAdmin directly on the server carries some security risk. The approach here is to hide the directory.
cd /var/www/html/
sudo mv phpmyadmin nothingtosee
The directory name is up to you. The purpose is to stop others from guessing the phpMyAdmin path and attacking it.
Add Nginx authentication in front of the phpMyAdmin login page.
# Generate the hashed password value
openssl passwd nginx_password
# Output
tpr9W.ydSHL7M
# Create the password file
sudo nano /etc/nginx/pma_pass
# Password file content:
sammy:tpr9W.ydSHL7M
Before the colon is the username for the login that follows; after it is the hashed password generated above.
Edit the Nginx configuration file and add the following:
server {
    ...
    location /nothingtosee {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/pma_pass;
    }
    ...
}
sudo nginx -t
sudo systemctl reload nginx
The new address is https://server_domain_or_IP/nothingtosee, and Nginx authentication is required before you reach the login page.
Deploy WordPress
# Install the upload/download tool
sudo apt install lrzsz
# After uploading the packaged site files, fix the directory permissions
sudo chown -R www-data:www-data /srv/www/www.biaodianfu.com/
sudo chmod -R 755 /srv/www/www.biaodianfu.com/
sudo find /srv/www/www.biaodianfu.com/ -type d -exec chmod 755 {} \;
# Configuration file
sudo nano /etc/nginx/sites-enabled/www.biaodianfu.com
server {
    listen 80;
    listen [::]:80;
    server_name biaodianfu.com www.biaodianfu.com;
    root /srv/www/www.biaodianfu.com/;
    index index.html index.htm index.php;
    charset utf-8;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    #include snippets/well-known;

    access_log /var/log/nginx/www.biaodianfu.com.access.log;
    error_log /var/log/nginx/www.biaodianfu.com.error.log;
    client_max_body_size 100M;
    autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300s;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}
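The chown/chmod lines above set the ownership and mode once, but an upload tool or a plugin update can loosen them again later. As an added example (not code from the original post), the script below audits a web root for world-writable entries, wrong ownership and a world-readable wp-config.php, and applies a fix. It goes slightly beyond the post: the post uses 755 for everything, while fix_webroot gives files 644 and wp-config.php 640, which is what WordPress needs and keeps the database password out of reach of other local users. The web root, user and group are caller-supplied; the tree built in demo_webroot is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for permissions looser
# than the post's chown/chmod intends, then fix them (dirs 755, files 644, wp-config.php 640).
# Assumes GNU find (-maxdepth, -exec ... +). The tree in demo_webroot is constructed.

# count_world_writable ROOT -> number of world-writable files or directories under ROOT
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# list_wrong_owner ROOT USER -> prints entries not owned by USER
list_wrong_owner() {
    find "$1" ! -user "$2"
}

# world_readable_wp_config ROOT -> prints ROOT/wp-config.php if "others" can read it
world_readable_wp_config() {
    find "$1" -maxdepth 1 -name wp-config.php -perm -004
}

# fix_webroot ROOT USER GROUP -> ownership USER:GROUP, dirs 755, files 644, wp-config.php 640
fix_webroot() {
    chown -R "$2:$3" "$1"
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# demo_webroot: builds a constructed site tree with bad permissions, reports, fixes, re-reports
demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf "<?php define('DB_PASSWORD', 'constructed');\n" > "$root/wp-config.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/index.php"
    echo "world-writable before: $(count_world_writable "$root")"
    fix_webroot "$root" "$(id -un)" "$(id -gn)"
    echo "world-writable after:  $(count_world_writable "$root")"
    echo "wp-config.php world-readable after: '$(world_readable_wp_config "$root")'"
    rm -rf "$root"
}

demo_webroot
```

On the real server the call would be sudo sh -c '. ./webroot.sh; fix_webroot /srv/www/www.biaodianfu.com www-data www-data'; php-fpm runs as www-data, so it can still read every file and write to wp-content as long as the directory is owned by it.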
Install Let's Encrypt
sudo apt install certbot
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo nano /etc/nginx/snippets/well-known
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Request a certificate
sudo certbot certonly --agree-tos --email username@email.com --webroot -w /var/lib/letsencrypt/ -d www.biaodianfu.com
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Adjust the Nginx configuration file:
server {
    listen 80;
    listen [::]:80;
    server_name biaodianfu.com www.biaodianfu.com;
    include snippets/well-known;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name biaodianfu.com www.biaodianfu.com;
    root /srv/www/www.biaodianfu.com/;
    index index.html index.htm index.php;
    charset utf-8;

    if ($host != "www.biaodianfu.com") {
        return 301 https://www.biaodianfu.com$request_uri;
    }

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    include snippets/well-known;

    ssl_certificate /etc/letsencrypt/live/www.biaodianfu.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.biaodianfu.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_trusted_certificate /etc/letsencrypt/live/www.biaodianfu.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 223.5.5.5 223.6.6.6 valid=300s;
    resolver_timeout 30s;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    access_log /var/log/nginx/www.biaodianfu.com.access.log;
    error_log /var/log/nginx/www.biaodianfu.com.error.log;
    client_max_body_size 100M;
    autoindex off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300s;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
}
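A server block this long is easy to get subtly wrong, and nginx -t only checks syntax, not policy. The script below is an added example, not code from the original post: a small lint that reads an nginx config and flags settings a defender would tighten before the vhost goes live, specifically legacy protocol versions in ssl_protocols (TLSv1 and TLSv1.1 as enabled above are deprecated), a missing Strict-Transport-Security header, OCSP stapling left off, and a PHP location regex written as .php$ instead of \.php$. The configuration written by demo_audit is constructed and mirrors the relevant lines of the block above.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx server block for TLS and
# PHP-handler settings worth tightening. The config in demo_audit is constructed.

# audit_nginx_tls FILE -> prints one finding per line (nothing when clean)
audit_nginx_tls() {
    # drop comments so a commented-out directive is not counted as active
    stripped=$(sed -E 's/#.*$//' "$1")

    # ssl_protocols: tokenise the first directive and flag deprecated versions
    protos=$(printf '%s\n' "$stripped" | grep -E '^[[:space:]]*ssl_protocols' | head -n 1 \
             | sed -E 's/^[[:space:]]*ssl_protocols//; s/;.*$//')
    for tok in $protos; do
        case "$tok" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                printf 'legacy protocol enabled in ssl_protocols: %s\n' "$tok" ;;
        esac
    done

    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security'; then
        printf '%s\n' 'no Strict-Transport-Security header'
    fi
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on'; then
        printf '%s\n' 'ssl_stapling is not on'
    fi
    # "location ~ .php$" matches any character before "php"; "\.php$" matches a literal dot
    if printf '%s\n' "$stripped" | grep -Eq 'location[[:space:]]+~[[:space:]]+\.php\$'; then
        printf '%s\n' 'PHP location regex has an unescaped dot: use ~ \.php$'
    fi
}

# count_findings FILE -> number of findings, for use in scripts and CI
count_findings() {
    audit_nginx_tls "$1" | wc -l | tr -d ' '
}

# demo_audit: writes a constructed server block with the same weak spots as the post's and audits it
demo_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_stapling on;
    # HSTS (ngx_http_headers_module is required)
    add_header Strict-Transport-Security max-age=15768000;
    location ~ .php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}
EOF
    audit_nginx_tls "$f"
    rm -f "$f"
}

demo_audit
```

For the block above a clean run means changing the protocol line to ssl_protocols TLSv1.2 TLSv1.3; (the cipher list can then be trimmed to the ECDHE/AEAD suites at its start). One more thing the lint cannot see: the certbot command earlier requested a certificate for www.biaodianfu.com only, while the 443 server also names biaodianfu.com, so a client opening https://biaodianfu.com gets a name-mismatch warning before the 301 redirect can run; adding -d biaodianfu.com to the certbot request covers both names.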
Automatic certificate renewal:
sudo crontab -e
30 2 * * 2 /usr/bin/certbot renew --quiet --renew-hook "nginx -s reload" >> /var/log/letsencrypt/renew.log