Hands-on lab 1: LNMP setup, nginx SSL encryption, and authentication
Part 1: Setting up LNMP and deploying a commercial-style website
Environment:
- Stop the firewall
```bash
systemctl stop firewalld
```
- SELinux: set it to disabled
```bash
vim /etc/selinux/config
```
```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Install packages and start services
- Install packages
```bash
yum -y install nginx mariadb-server php-fpm php-mysql
```
- Start services
```bash
systemctl start nginx
systemctl start mariadb
systemctl start php-fpm
```
Modify the nginx configuration files
- Back up the configuration file
```bash
cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf-bak
```
- Modify file 1 (the default server block)
```bash
vim /etc/nginx/conf.d/default.conf
```
```nginx
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    root /data/web;

    location / {
        index  index.php index.html index.htm;
    }

    # enable .php: the shipped config has a commented example for this block;
    # just uncomment it and change one line (SCRIPT_FILENAME)
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
```
- Modify file 2 (the main nginx.conf)
```nginx
user  nobody;                                  # user the worker processes run as
worker_processes  1;

error_log  /var/log/nginx/error.log warn;      # error log
pid        /var/run/nginx.pid;

events {
    worker_connections  65535;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
```
- Check the configuration
```
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
- Raise the maximum number of open file descriptors
```bash
# Check the system's limit on open file descriptors. The default is usually
# 1024, which is too small for a busy server, so it is worth raising it.
ulimit -n
ulimit -n 65535
# ulimit only changes the current shell; for the nginx service itself set
# worker_rlimit_nofile in nginx.conf (or LimitNOFILE= in its systemd unit)
```
- Restart the service
```bash
systemctl restart nginx
```
Modify the php-fpm configuration files
- Modify php.ini
```bash
vim /etc/php.ini
```
```ini
; timezone
date.timezone = Asia/Shanghai
; allow short tags (<? ... ?>)
short_open_tag = On
```
- Modify www.conf
```bash
vim /etc/php-fpm.d/www.conf
```
```ini
user = nobody
group = nobody
```
- Restart the service
```bash
systemctl restart php-fpm
```
Upload the website
- Create the site directory
```bash
mkdir -p /data/web
cd /data/web/
```
- Upload the site
```bash
scp -r site/* root@192.168.30.133:/data/web/
```
- Change ownership
```bash
# For security, recursively change the owner and group of all files to the
# low-privilege user nobody
chown -R nobody:nobody *
```
Check and install
- Install
- Check
- ab can be used for load testing
```bash
ab -c 100 -n 1000 http://192.168.30.133/
```
Part 2: Implementing SSL encryption
- Create a directory for the certificates
```bash
mkdir /etc/nginx/ssl
```
- Self-signed certificate
```
cd /etc/pki/tls/certs/
make nginx.crt     # the Makefile shipped in this directory runs the two openssl commands below
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > nginx.key
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..........................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key nginx.key -x509 -days 365 -out nginx.crt
Enter pass phrase for nginx.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:silent-rain
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:silent-rain.cn
Email Address []:
```
- Remove the passphrase
```bash
# The private key was just encrypted with a passphrase; to avoid prompts
# later, write an unencrypted copy
openssl rsa -in nginx.key -out nginx2.key
```
- Copy the certificate and private key into the nginx certificate directory
```bash
cp nginx.crt nginx2.key /etc/nginx/ssl/
cd /etc/nginx/ssl/
# restore the original file name
mv nginx2.key nginx.key
```
- Modify the configuration file
```nginx
server {
    listen 80;
    listen 443 ssl http2;
    server_name silent-rain.cn;
    index index.php index.html index.htm default.php default.htm default.html;

    #SSL-START SSL settings; do not delete or modify the commented 404 rule on the next line
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate    /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497 https://$host$request_uri;
    #SSL-END
}
```
- View the result
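The certificate steps above (generate the key, strip the passphrase, install the pair) can be done in one non-interactive command and checked before nginx is restarted. The script below is an added example, not code from the original post: it assumes the openssl CLI (1.1.1 or newer for `-addext`), reuses the post's hostname silent-rain.cn in the subject, and takes the output directory as a parameter.

```shell
#!/bin/sh
# Added example: self-signed certificate for nginx, generated without prompts,
# plus the two checks worth running before restarting nginx.
set -eu

# make_selfsigned <outdir> <hostname> <days>
make_selfsigned() {
    mkdir -p "$1"
    # -nodes writes an unencrypted key, the state the post reaches with
    # "genrsa -aes128" followed by "openssl rsa"; umask 077 keeps it private
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
          -subj "/C=CN/ST=guangdong/L=shenzhen/O=silent-rain/CN=$2" \
          -addext "subjectAltName=DNS:$2" \
          -keyout "$1/nginx.key" -out "$1/nginx.crt" 2>/dev/null )
}

# pubkey_fp key|cert <file>: SHA-256 of the DER public key in a key or cert file.
# The two values must be identical, or nginx refuses the pair ("key values mismatch").
pubkey_fp() {
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -pubout -outform DER
    else
        openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair <outdir> <days>: 0 when key and cert match and the cert stays valid
# for at least <days> more days
check_pair() {
    [ "$(pubkey_fp key "$1/nginx.key")" = "$(pubkey_fp cert "$1/nginx.crt")" ] || return 1
    openssl x509 -in "$1/nginx.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_cn <outdir>: subject CN of the issued certificate, for a quick sanity check
cert_cn() {
    openssl x509 -in "$1/nginx.crt" -noout -subject | sed 's/.*CN *= *//'
}
```

The post's `ssl_protocols` line also enables TLSv1 and TLSv1.1, which are deprecated; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting now.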
Part 3: Implementing authentication
- Generate the account/password file
```bash
# htpasswd comes from the httpd-tools package
cd /etc/nginx/conf.d
htpasswd -c -m .htpasswd http1   # -c creates the file (first user only), -m hashes with MD5 (apr1)
htpasswd -m .htpasswd http2
```
- Edit the configuration file
```bash
vim /etc/nginx/conf.d/default.conf
```
```nginx
# in the location block, point at the account/password file
location /images {
    auth_basic "images site";      # prompt text shown by the browser
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
    autoindex on;                  # directory listing
}
```
- Verify in the browser
```
http://192.168.30.133/images/fgo897549075831.jpg
```
- Result
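nginx's `auth_basic` validates a login by hashing the submitted password with the salt stored in the file and comparing the result; `htpasswd -m`, as used above, writes the apr1 (MD5-based) form of that entry. The script below is an added example, not code from the original post: it writes the same kind of entries with the openssl CLI and verifies a login against the file; the users http1/http2 and the passwords are constructed sample values.

```shell
#!/bin/sh
# Added example: htpasswd-compatible apr1 entries and a login check.
set -eu

# add_user <file> <user> <password>: append "user:$apr1$salt$hash"
# (the file is created if it does not exist)
add_user() {
    salt=$(openssl rand -hex 4)                      # 8 characters, like htpasswd
    # the password is fed on stdin so it never appears in the process list
    hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    ( umask 077; printf '%s:%s\n' "$2" "$hash" >> "$1" )   # hashes stay private
}

# check_login <file> <user> <password>: 0 if the pair is valid, 1 otherwise
check_login() {
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ -n "$stored" ] || return 1                     # unknown user
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)    # fields of $apr1$salt$hash
    # re-hash with the stored salt; only an identical string is a valid login
    [ "$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}
```

apr1 is an iterated MD5 construction, so keep the file outside the web root (the post's /etc/nginx/conf.d is fine, since nginx only includes *.conf from there) and readable only by root and the worker user.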
Reference:
https://www.cnblogs.com/along21/p/7822228.html#auto_id_7