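LNMP, Nginx Load Balancing, and Keepalived: Building Your Own Website

Setting up LNMP

Basic features of nginx:

Modular design with good extensibility
High reliability
Hot deployment: update configuration files, upgrade versions, and rotate log files without stopping the service
Low memory consumption: 10,000 inactive keep-alive connections need only 2.5 MB of memory
event-driven, aio (asynchronous non-blocking), mmap (memory mapping), sendfile (proxy forwarding)

Basic functions:

Web server for static resources
Reverse proxy for the HTTP protocol
fastcgi, uWSGI (Python)
Reverse proxy for pop3/imap4 mail
Modular: zip, ssl, and other modules

Basic features of MySQL

MySQL is a relational database that uses the SQL language for create, read, update, and delete operations. It is currently an Oracle product. It is open source and free, runs across platforms, and supports distributed deployment.

Basic features of PHP

PHP (Hypertext Preprocessor) is open source, free, fast, highly cross-platform, and efficient, and is currently one of the most commonly used languages in web development.

Pre-deployment preparation

Note: this lab is a distributed deployment. Before starting, make sure every host has working internet access, and turn off the firewall and SELinux.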

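1. Turn off the firewall

systemctl stop firewalld
systemctl disable firewalld

2. Turn off SELinux

Run getenforce to get the current SELinux state.

Enforcing means SELinux is on; Disabled means it is off.

Disable temporarily: sudo setenforce 0

Disable permanently: sudo vi /etc/sysconfig/selinux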

Host inventory

Host     IP
web1     192.168.11.218
web2     192.168.11.205
mysql    192.168.11.211
php      192.168.11.204
lb1      192.168.11.142
lb2      192.168.11.147
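
If firewalld is left running instead of being stopped as in step 1, each host only needs the ports this lab uses. The script below is an added example, not part of the original post: it prints firewall-cmd rules per role from the host inventory. The default ports (80/443 for nginx, 9000 for php-fpm, 3306 for MySQL) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: per-role firewalld rules for this lab's host inventory.
# Assumed default ports: 80/443 nginx, 9000 php-fpm, 3306 MySQL.
WEB_HOSTS="192.168.11.218 192.168.11.205"
PHP_HOST="192.168.11.204"
LB_HOSTS="192.168.11.142 192.168.11.147"

# Print a rich rule accepting TCP port $2 only from source address $1.
allow_from() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$1" "$2"
}

# Print the firewall-cmd commands for one role: lb | web | php | mysql.
# The body runs in a subshell so the loop variable stays local.
firewall_rules() (
    case "$1" in
        lb)    # public entry point, plus VRRP adverts from the keepalived peers
            echo "firewall-cmd --permanent --add-service=http"
            echo "firewall-cmd --permanent --add-service=https"
            for src in $LB_HOSTS; do
                printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" protocol value=\"vrrp\" accept'\n" "$src"
            done ;;
        web)   # only the load balancers proxy to the web nodes
            for src in $LB_HOSTS; do
                allow_from "$src" 80
                allow_from "$src" 443
            done ;;
        php)   # FastCGI has no authentication: accept it from the web nodes only
            for src in $WEB_HOSTS; do allow_from "$src" 9000; done ;;
        mysql) # the PHP code that connects to MySQL runs on the php host
            allow_from "$PHP_HOST" 3306 ;;
        *)
            echo "unknown role: $1" >&2
            exit 1 ;;
    esac
    echo "firewall-cmd --reload"
)

# Review the output, then run it on the matching host.
firewall_rules php
```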

Configure the Aliyun yum repository

cd /etc/yum.repos.d/
wget http://mirrors.aliyun.com/repo/Centos-7.repo

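Note: you can download the packages locally with (yum -y install --downloadonly --downloaddir=/<directory name>) and then install them with yum -y localinstall *.rpm

web1 (Nginx) setup 192.168.11.218

Configuration files in newer Nginx versions
Global configuration file: /etc/nginx/nginx.conf
Virtual host configuration: /etc/nginx/conf.d/
Log directory: /var/log/nginx

Configure the official nginx yum repository and the Aliyun repository
http://nginx.org/en/linux_packages.html#RHEL-CentOS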

vi /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
yum -y install nginx && systemctl start nginx && systemctl enable nginx
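
The nginx.repo above sets gpgcheck=0 with an http baseurl, so yum installs the packages without verifying their signatures. The following added example (not from the original post) scans a repo file for both settings. audit_repo is a hypothetical helper, and the second stanza in the sample is constructed, using the signing-key URL from the nginx.org packages page.

```shell
#!/bin/sh
# Added example: flag yum repo stanzas that disable signature checks
# or fetch over plain HTTP. Prints one "<section> <finding>" line per problem.
audit_repo() {
    awk '
        function flush() {
            if (sec == "") return
            if (gpg == "0")          print sec, "gpgcheck-disabled"
            if (url ~ /^http:\/\//)  print sec, "plaintext-baseurl"
        }
        /^[ \t]*\[/ {                       # new [section]: report the previous one
            flush(); sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            gpg = ""; url = ""; next
        }
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = val
            if (key == "baseurl")  url = val
        }
        END { flush() }
    ' "$1"
}

# Sample input: the stanza from this page, then a constructed verified variant.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

[nginx-stable-verified]
name=nginx stable repo (constructed variant)
baseurl=https://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
audit_repo "$sample"
rm -f "$sample"
```

On a real host, run it over every file in /etc/yum.repos.d/ before installing.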

web2 (Nginx) setup: same as above 192.168.11.205

MySQL setup 192.168.11.211

rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
yum install mysql-community-server -y
systemctl start mysqld && systemctl enable mysqld

Set up the PHP server 192.168.1.108

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php72w php72w-cli php72w-common php72w-devel \
php72w-embedded php72w-gd php72w-mbstring php72w-pdo \
php72w-xml php72w-fpm php72w-mysqlnd php72w-opcache
systemctl start php-fpm && systemctl enable php-fpm

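LNMP is now set up. Next, build your own websites.

Preparation

Download wordpress-4.9.4-zh_CN to web1
Download WeCenter_3-3-4 to web2

Wordpress (web1)

Copy the WordPress package to / on the virtual machine, unpack it, and set permissions (adjust to your situation)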

unzip wordpress-4.9.4-zh_CN.zip
chmod -R 770 /wordpress

Create the virtual host configuration file

vim /etc/nginx/conf.d/blog.conf
Add:
server {
        listen 80;                # port
        server_name blog.aaa.com;    # domain name
        root /wordpress;          # site directory on web1
        index index.php index.html;    # index files

        location ~ \.php$ {
                root /wordpress;              # directory holding the PHP files
                fastcgi_pass 192.168.11.204:9000;   # PHP server address and port
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Check the configuration for errors

nginx -t

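Create the blog database and user on the mysql server

Initialize the password: mysql_secure_installation
Log in to the database: mysql -uroot -p123.com
Create the database: create database blog;
Create a remote admin user: grant all on blog.* to lisi@'%' identified by '123.com';
# Note: localhost means the local machine; % means all hosts; a specific IP can also be given

On web1, copy the wordpress directory to the root directory of the php host
scp -rp /wordpress root@192.168.11.204:/

Edit the configuration file on the PHP server (php host 192.168.11.204)

vim /etc/php-fpm.d/www.conf
Change to:
listen = 192.168.11.204:9000    ; PHP server address
listen.allowed_clients = 192.168.11.218,192.168.11.205    ; web server addresses

Restart PHP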

systemctl restart php-fpm

zhihu(web2)

Copy the WeCenter package into the /zh directory on the virtual machine and set permissions as appropriate

mkdir /zh && cd /zh
unzip wecenter_3-3-4.zip
chmod -R 770 /zh

Create the virtual host configuration file

vim /etc/nginx/conf.d/zh.conf
Add:
	server {
        listen 80;
        server_name zh.bbb.com;
        root /zh;
        index index.php index.html;

        location ~ \.php$ {
                root /zh;
                fastcgi_pass 192.168.11.204:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
	}

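Reload

systemctl reload nginx

Create the zh database and admin user (mysql host)

Log in to the database: mysql -uroot -p123.com
Create the database: create database zh;
Set the admin user and password: grant all on zh.* to wangwu@'%' identified by '123.com';

Configure the web2 node server

(1) On web1, archive and compress the wordpress and zh directories, copy the archive to the root directory of web2, and unpack it

cd /
tar zcf blog_zh.tar.gz /wordpress  /zh/
scp blog_zh.tar.gz root@192.168.11.205:/

(2) Copy web1's nginx configuration files to web2

scp -rp /etc/nginx/conf.d/* root@192.168.11.205:/etc/nginx/conf.d/

(3) Restart the nginx service on web2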

systemctl restart nginx

Configure the load balancer (lb1 192.168.11.142)

Install nginx

Add tuning options

vim /etc/nginx/nginx_params
Add:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

Create the lb configuration file

vim /etc/nginx/conf.d/lb1.conf
Add:
upstream web_cluster {
        server 192.168.11.218:80;
        server 192.168.11.205:80;
}

server {
        listen 80;
        server_name blog.aaa.com;

        location / {
                proxy_pass http://web_cluster;
                include nginx_params;
        }
}
server {
        listen 80;
        server_name zh.bbb.com;

        location / {
                proxy_pass http://web_cluster;
                include nginx_params;
        }
}

Check the configuration

nginx -t

Restart nginx

systemctl restart nginx

Configure the second load balancer the same way (lb2 192.168.11.147)

Configure keepalived

Primary server: lb1

vim /etc/keepalived/keepalived.conf
Change to:
global_defs {
   router_id lb1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.11.254
    }
}

Start the service

systemctl restart keepalived

Backup server: lb2

vim /etc/keepalived/keepalived.conf
Change to:
global_defs {
   router_id lb2			# router ID; must differ from the primary server's
}

vrrp_instance VI_1 {
    state BACKUP			# state: BACKUP for the backup, MASTER for the primary
    interface ens33
    virtual_router_id 51
    priority 99				# priority: the backup's must be lower than the primary's
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.11.254		# virtual router IP, the shared IP
    }
}

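Start the service

systemctl restart keepalived

Check the floating address

ip addr show dev ens33

Handle nginx failures that would leave the cluster unable to serve

Write the nginx monitoring script

vim /sh/check_nginx_proxy.sh
#!/bin/bash
# Signal 0 only tests whether an nginx process exists; nothing is killed
killall  -0  nginx
if  [ $? -ne 0 ];then
  # nginx is gone: stop keepalived so the virtual IP moves to the other load balancer
  systemctl stop keepalived
fi
chmod +x /sh/check_nginx_proxy.sh

Add the script tracking block to the keepalived configuration file

vim /etc/keepalived/keepalived.conf

global_defs {
   router_id lb1
}
vrrp_script check_nginx_proxy {
        script "/sh/check_nginx_proxy.sh"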
        interval 2
        weight 5
        }
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.11.254
    }
    track_script {
        check_nginx_proxy
    }
}

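Restart the service

systemctl restart keepalived

To enable HTTPS in production, buy a certificate from Alibaba Cloud; here we configure HTTPS locally

Certificate overview

CA: certificate authority
RA: registration authority

Contents of a certificate:
The applicant's public key
The applicant's identity
The certificate's validity period
The issuer's identity
The issuer's signature

Choosing an HTTPS certificate
Professional OV type: does not display the company name
Advanced EV type: displays the company name

HTTPS certificate purchase options
Single domain: can be bound to only one domain
Multi-domain: can be bound to five domains
Wildcard domain: unlimited number

HTTPS notes
https supports only second-level domains
https does not support renewal; when the certificate expires, apply for a new one and replace it
https shown in green: the entire site is served over https
https shown in yellow: the site's code contains insecure links
https shown in red: the certificate is not recognized or has expired

In-house HTTPS example:
Generate the key
Generate the certificate signing request file (csr file)
Generate the signed certificate file (ca file)

Check whether openssl is installed and its version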

rpm -q openssl
openssl version

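Check whether nginx was built with the ssl module

nginx -V    # the output should include --with-http_ssl_module

Create the ssl key directory and change into it

mkdir -p /etc/nginx/ssl_key
cd /etc/nginx/ssl_key

Use this host as the CA (certificate authority) and create the private key

openssl genrsa -idea -out server.key 2048

Generate the certificate, removing the passphrase from the private key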

openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
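
The three in-house steps listed earlier (key, CSR, signed certificate), written out one command per step and followed by a check that the certificate and key belong together before nginx loads them. This is an added example, not the original author's commands; the function names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate, then verify the pair.
# File names follow the page; directory and CN are supplied by the caller.
make_selfsigned() (
    dir=$1 cn=$2
    umask 077                        # new files readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    # 1. private key, unencrypted so nginx starts without a passphrase prompt
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    # 2. certificate signing request carrying the public key and the subject
    openssl req -new -key server.key -subj "/CN=$cn" -out server.csr || exit 1
    # 3. sign the CSR with the same key (self-signed), 3650 days as on the page
    openssl x509 -req -days 3650 -sha256 -in server.csr \
        -signkey server.key -out server.crt 2>/dev/null || exit 1
    chmod 600 server.key
)

# Succeed only if the certificate's public key belongs to the private key.
# Usage: key_matches_cert server.crt server.key
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the CN from the certificate subject (should equal the server_name).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Demonstration in a constructed scratch directory.
tmp=$(mktemp -d)
if make_selfsigned "$tmp" blog.aaa.com &&
   key_matches_cert "$tmp/server.crt" "$tmp/server.key"; then
    echo "certificate and key match, CN=$(cert_subject_cn "$tmp/server.crt")"
fi
rm -rf "$tmp"
```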

Example scenario: configure HTTPS for blog and zh (web2 is configured the same as web1)

Configure blog on web1

server {
        listen 443 ssl;
        server_name blog.aaa.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        root /wordpress;
        index index.php index.html;

        location ~ \.php$ {
                root /wordpress;
                fastcgi_pass 192.168.11.204:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}
server {
        listen 80;
        server_name blog.aaa.com;
#       rewrite .* https://blog.aaa.com;
#       rewrite .* https://$host$request_uri redirect;
#       rewrite .* https://$server_name$request_uri redirect;
        rewrite ^(.*)$ https://$server_name$1 redirect;
}

Configure zh on web1

vim /etc/nginx/conf.d/zh.conf
Add:
server {
        listen 443 ssl;
        server_name zh.bbb.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        root /zh;
        index index.php index.html;

        location ~ \.php$ {
                root /zh;
                fastcgi_pass 192.168.11.204:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}
server {
        listen 80;
        server_name zh.bbb.com;
#       rewrite .* https://zh.bbb.com;
#       rewrite .* https://$host$request_uri redirect;
#       rewrite .* https://$server_name$request_uri redirect;
        rewrite ^(.*)$ https://$server_name$1 redirect;
}

Configure HTTPS on the load balancer (lb1)

vim /etc/nginx/conf.d/lb1.conf
Add:
upstream web_cluster {
        server 192.168.11.218:443;
        server 192.168.11.205:443;
}

server {
        listen 443 ssl;
        server_name blog.aaa.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
                proxy_pass https://web_cluster;
                include nginx_params;
        }
}
server {
        listen 443 ssl;
        server_name zh.bbb.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
                proxy_pass https://web_cluster;
                include nginx_params;
        }
}
server {
        listen 80;
        server_name blog.aaa.com;
        return 302 https://$server_name$request_uri;
}
server {
        listen 80;
        server_name zh.bbb.com;
        return 302 https://$server_name$request_uri;
}

Check the configuration

nginx -t

Restart the nginx service (web, lb)

systemctl restart nginx

Edit the hosts file on a client machine and test access
