LNMP的搭建、nginx的ssl加密、权限控制的实现

1、安装Nginx、PHP

安装依赖包

[root@LNMP ~]# yum install vim gcc gcc++ wget libxml2-devel wget -y

 修改yum源

[root@LNMP ~]# rpm -Uvh　http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

[root@LNMP ~]# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

[root@LNMP ~]# rpm -Uvh http://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm

安装PHP依赖包

[root@LNMP ~]# yum -y install libxml2 libxml2-devel openssl openssl-devel bzip2 bzip2-devel libcurl libcurl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel gmp gmp-devel libmcrypt libmcrypt-devel readline readline-devel libxslt libxslt-devel

下载解压PHP包

[root@LNMP ~]# wget http://cn2.php.net/distributions/php-5.6.36.tar.gz

[root@LNMP ~]# tar zxvf php-5.6.36.tar.gz -C /usr/src/

编译安装

[root@LNMP ~]# cd /usr/src/php-5.6.36/

[root@LNMP php-5.6.36]# make

[root@LNMPphp-5.6.36]# make install

拷贝php模板配置文件

[root@LNMP ~]# cp /usr/src/php-5.6.36/php.ini-development /usr/local/php/etc/php.ini

[root@LNMP ~]# vim /usr/local/php/etc/php.ini

1013 pdo_mysql.default_socket=/var/lib/mysql57/mysql57.socket # 对应的socket文件地址

1154 mysqli.default_port = 3306 # 改成对应的MySQL的端口

1159 mysqli.default_socket = /var/lib/mysql57/mysql57.socket # 对应的socket文件地址

配置php-fpm配置文件

[root@LNMP ~]# cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf

[root@LNMP ~]# cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf

控制启动fastcgi之后的socket文件的权限

[root@LNMP ~]# groupadd www-data

[root@LNMP ~]# useradd -M -g www-data -s /sbin/nologin www-data

[root@LNMP ~]# mkdir /var/run/fastcgi

使用Nginx用户的权限

[root@LNMP ~]# chown -R nginx.nginx /var/run/fastcgi/

启动php-fpm服务

[root@LNMP ~]# /usr/local/php/sbin/php-fpm

[root@LNMP ~]# ll /var/run/fastcgi/

[root@LNMP ~]# ps -ef | grep fpm

设置开机启动

[root@LNMP ~]# systemctl enable php-fpm.service

开启服务

[root@LNMP ~]# systemctl start php-fpm.service

安装Nginx依赖包

[root@LNMP ~]# yum -y install pcre pcre-devel

[root@LNMP ~]# yum -y install zlib zlib-devel

[root@LNMP ~]# yum -y install openssl openssl-devel

下载解压nginx包

[root@LNMP ~]# wget http://nginx.org/download/nginx-1.12.2.tar.gz

[root@LNMP ~]# tar zxvf nginx-1.12.2.tar.gz -C /usr/src/

编译安装

[root@LNMP ~]# cd /usr/src/nginx-1.12.2/

[root@LNMP nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module

[root@LNMP nginx-1.12.2]# make

[root@LNMP nginx-1.12.2]# make install

创建nginx账号

[root@LNMP ~]# groupadd nginx

[root@LNMP ~]# useradd -M -g nginx -s /sbin/nologin nginx

配置nginx.conf主配置文件

[root@LNMP ~]# cat /usr/nginx/nginx.conf

18 include mime.types;

19 default_type application/octet-stream;

27 sendfile on;

28 tcp_nopush on;

72 include fastcgi.conf;

创建网站目录

[root@LNMP ~]# mkdir /web

检测nginx.conf是否配置正确

[root@LNMP ~]# /usr/local/nginx/sbin/nginx -t

设置nginx开机启动

[root@LNMP ~]# systemctl enable nginx.service

开启服务

[root@LNMP ~]# systemctl start nginx.service

2、nginx的ssl加密

创建一个目录

[root@LNMP ~]# mkdir /etc/nginx/ssl

[root@LNMP ~]# cd /etc/pki/tls/certs/

[root@LNMP ~]# make nginx.crt

将证书和密钥保存到目录

[root@LNMP ~]# cp nginx.crt nginx2.key /etc/nginx/ssl/

[root@LNMP ~]# cd /etc/nginx/ssl/

[root@LNMP ~]# mv nginx2.key nginx.key 

在文件中添加

server {
 　　listen 443 ssl;
 　　server_name www.along.com;
 　　ssl on;
 　　ssl_certificate /etc/nginx/ssl/nginx.crt;
 　　ssl_certificate_key /etc/nginx/ssl/nginx.key;
 　　ssl_session_cache shared:sslcache:20m;
 　　ssl_session_timeout 10m;
 }

生成证书和密钥

[root@LNMP ~]# make nginx.crt

存放并解密

[root@LNMP ~]# cp nginx /etc/nginx/ssl/

openssl rsa -in nginx.key -out nginx.key

创建网页

[root@LNMP ~]# mkdir /app/website

echo website1 > /app/website/index.html

测试访问

3、权限控制的实现

生成账户文件

[root@LNMP ~]# cd /etc/nginx/conf.d

[root@LNMP ~]# htpasswd -c -m .htpasswd http1

[root@LNMP ~]# htpasswd -m .htpasswd http2

修改配置文件

vim /etc/nginx/nginx.conf 在location段中指向账户密码文件

location /images {
　　auth_basic "images site"; "提示字"
　　auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
}

实现权限控制