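Lab goal: build an LNMP stack that serves WordPress and phpMyAdmin, then add HTTPS for phpMyAdmin
Lab environment: CentOS 7; nginx, php, php-fpm, mariadb, php-mysql and php-mbstring installed from the EPEL repository
172.16.34.2: LNMP server
172.16.34.1: certificate-issuing server for HTTPS
Edit the hosts file and add one record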
[root@localhost php-fpm.d]# vim /etc/hosts
172.16.34.2 www.pma.com www.wp.com
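Configure nginx
Switch to the nginx configuration directory, comment out the server block in the configuration file, and add the default index option in the http context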
[root@localhost phpMyAdmin]# cd /etc/nginx
[root@localhost nginx]# vim nginx.conf
index index.php index.html index.htm;
Switch to the conf.d directory
[root@localhost nginx]# cd conf.d/
Create the wp.conf configuration file
[root@localhost conf.d]# vim wp.conf
server {
    listen 80;
    server_name www.wp.com;
    root /wp/wordpress;
    # Hand every .php request to php-fpm
    location ~ \.php$ {
        fastcgi_pass 172.16.34.2:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /wp/wordpress/$fastcgi_script_name;
        include fastcgi_params;
    }
}
Create the phpMyAdmin configuration file
[root@localhost conf.d]# vim pma.conf
server {
    listen 80;
    server_name www.pma.com;
    root /pma/pma;
    # Hand every .php request to php-fpm
    location ~ \.php$ {
        fastcgi_pass 172.16.34.2:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /pma/pma/$fastcgi_script_name;
        include fastcgi_params;
    }
}
Configure php-fpm: add this host's IP address
[root@localhost ~]# cd /etc/php-fpm.d/
[root@localhost php-fpm.d]# vim www.conf
listen = 172.16.34.2:9000
listen.allowed_clients = 172.16.34.2
Configure MariaDB
Create the database, account and password used by WordPress
MariaDB [(none)]> create user wpuser@'172.16.%.%' identified by 'wppass';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database wpdb;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on wpdb.* to wpuser@'172.16.%.%' identified by 'wppass';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Create the account and password used by phpMyAdmin
MariaDB [(none)]> create user pma@'172.16.%.%' identified by 'pmapass';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all on *.* to pma@'172.16.%.%' identified by 'pmapass';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Install WordPress
Copy the WordPress archive to the server; the /wp directory is used here
[root@localhost ~]# mkdir /wp
[root@localhost ~]# cd /wp
[root@localhost wp]# unzip wordpress-4.5.3-zh_CN.zip
[root@localhost wp]# cd wordpress/
Change the database settings in the configuration file
[root@localhost wordpress]# mv wp-config-sample.php wp-config.php
[root@localhost wordpress]# vim wp-config.php
// ** MySQL settings - this information comes from the host you are using ** //
/** The name of the WordPress database */
define('DB_NAME', 'wpdb');
/** MySQL database username */
define('DB_USER', 'wpuser');
/** MySQL database password */
define('DB_PASSWORD', 'wppass');
/** MySQL host */
define('DB_HOST', '172.16.34.2');
Verify login
Configure phpMyAdmin
Copy the phpMyAdmin archive to the server; the /pma directory is used here
[root@localhost ~]# mkdir /pma
[root@localhost ~]# cd /pma
[root@localhost pma]# unzip phpMyAdmin-4.4.14.1-all-languages.zip
Create a symbolic link to the extracted directory
[root@localhost pma]# ln -s phpMyAdmin-4.4.14.1-all-languages pma
Edit the phpMyAdmin configuration file
[root@localhost pma]# mv config.sample.inc.php config.inc.php
[root@localhost pma]# vim config.inc.php
$cfg['Servers'][$i]['host'] = '172.16.34.2';
Verify login
Configure HTTPS for phpMyAdmin
Generate a self-signed certificate on the HTTPS certificate server
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
..........................................++++++
........................................................++++++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:pma
Organizational Unit Name (eg, section) []:pma
Common Name (eg, your name or your server's hostname) []:pma.admin.com
Email Address []:pma@pma.com
Create the CA's index and serial files
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
On the nginx server, create the /etc/nginx/ssl directory to hold the SSL certificate, then generate the certificate signing request on the LNMP server
[root@localhost pma]# mkdir /etc/nginx/ssl
[root@localhost pma]# cd /etc/nginx/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out https.key 1024)
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)
Generate the request
[root@localhost ssl]# openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:pma
Organizational Unit Name (eg, section) []:pma
Common Name (eg, your name or your server's hostname) []:www.pma.com
Email Address []:pma@admin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy the request file to the signing server
[root@localhost ssl]# scp https.csr 172.16.34.1:/tmp
The authenticity of host '172.16.34.1 (172.16.34.1)' can't be established.
RSA key fingerprint is e3:f4:9c:da:f9:29:b3:da:bb:29:0b:90:1f:d6:11:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.34.1' (RSA) to the list of known hosts.
root@172.16.34.1's password:
https.csr
Sign the certificate request
[root@localhost tmp]# openssl ca -in https.csr -out https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 29 09:48:51 2016 GMT
            Not After : Jul 29 09:48:51 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = pma
            organizationalUnitName    = pma
            commonName                = www.pma.com
            emailAddress              = pma@admin.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                90:8B:98:8A:1C:F2:4B:97:E6:E5:AA:8E:71:BB:5C:B8:74:9D:BC:AA
            X509v3 Authority Key Identifier:
                keyid:47:27:C4:38:0F:02:E8:25:36:D1:0C:EE:B8:91:E8:7A:6C:E6:33:65
Certificate is to be certified until Jul 29 09:48:51 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy the signed certificate to the nginx server
[root@localhost tmp]# scp https.crt 172.16.34.2:/etc/nginx/ssl
The authenticity of host '172.16.34.2 (172.16.34.2)' can't be established.
RSA key fingerprint is e5:64:1c:8f:70:41:7f:74:79:a2:f7:f4:8d:38:1a:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.34.2' (RSA) to the list of known hosts.
root@172.16.34.2's password:
https.crt
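The CA, request and signing steps above, condensed into a non-interactive script together with the checks worth running before nginx is pointed at the files. This is an added example, not part of the original post; it assumes 2048-bit keys instead of the 1024-bit keys used above, `openssl x509 -req` in place of `openssl ca`, a CA subject named lab-ca, an added subjectAltName entry, and a temporary directory rather than /etc/pki/CA and /etc/nginx/ssl.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumptions: 2048-bit keys,
# "openssl x509 -req" instead of "openssl ca", the CA name "lab-ca", and a
# throwaway temp directory in place of /etc/pki/CA and /etc/nginx/ssl.
set -eu

issue_cert() {   # $1 = work dir, $2 = server name
  ( umask 077    # private keys must not be group/world readable
    openssl genrsa -out "$1/cakey.pem" 2048
    openssl genrsa -out "$1/https.key" 2048 ) 2>/dev/null
  openssl req -new -x509 -key "$1/cakey.pem" -days 365 -sha256 \
    -subj "/C=CN/ST=beijing/O=pma/CN=lab-ca" -out "$1/cacert.pem"
  openssl req -new -key "$1/https.key" -sha256 \
    -subj "/C=CN/ST=beijing/O=pma/CN=$2" -out "$1/https.csr"
  # Current browsers match the host name against subjectAltName, not CN.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/https.csr" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$1/san.ext" -out "$1/https.crt" 2>/dev/null
}

# Octal permission bits of a file (GNU stat, as shipped with CentOS).
key_mode() { stat -c '%a' "$1"; }
# Does certificate $2 verify against CA certificate $1?
chains_to_ca() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }
# Does certificate $1 cover host name $2?
name_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
# Do certificate $1 and private key $2 carry the same public key?
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

d=$(mktemp -d)
issue_cert "$d" www.pma.com
echo "https.key mode: $(key_mode "$d/https.key")"
chains_to_ca "$d/cacert.pem" "$d/https.crt" && echo "chain: OK"
cert_matches_key "$d/https.crt" "$d/https.key" && echo "key pair: OK"
name_matches "$d/https.crt" www.pma.com && echo "host name: OK"
rm -rf "$d"
```

The four check functions also work on the files produced by the manual procedure, for example `cert_matches_key /etc/nginx/ssl/https.crt /etc/nginx/ssl/https.key`.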
Edit nginx's pma.conf configuration file
[root@localhost conf.d]# vim pma.conf
# HTTPS virtual host for phpMyAdmin
server {
    listen 443 ssl;
    server_name www.pma.com;
    root /pma/pma;
    ssl on;
    ssl_certificate /etc/nginx/ssl/https.crt;
    ssl_certificate_key /etc/nginx/ssl/https.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    location ~ \.php$ {
        fastcgi_pass 172.16.34.2:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /pma/pma/$fastcgi_script_name;
        include fastcgi_params;
    }
}
# Redirect plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name www.pma.com;
    rewrite ^(.*)$ https://$server_name$1 permanent;
}
Verify login
Reposted from: https://blog.51cto.com/mylinuxlearn/1831817