27 LNMP

LNMP
Linux + Nginx + MySQL + PHP

  1. MySQL的安裝
    與LAMP中同樣

  2. PHP的安裝
    須要開啓php-fpm服務
    # Build PHP 5.6.30 from source with FPM enabled and install it under /usr/local/php-fpm.
    # NOTE(review): the PHP 5.6 branch no longer receives upstream security fixes.
    cd /usr/local/src/
    # NOTE(review): the tarball is fetched over plain HTTP and is never verified; compare its
    # SHA-256 with the value published on php.net before unpacking and building.
    wget http://cn2.php.net/distributions/php-5.6.30.tar.gz
    tar zxf php-5.6.30.tar.gz
    # Dedicated account with no login shell; it is the FPM user/group named in configure below.
    useradd -s /sbin/nologin php-fpm
    cd php-5.6.30
    ./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-pdo-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-exif --with-pear --with-curl --with-openssl
    make && make install
    # Start from the production php.ini template shipped in the source tree.
    cp php.ini-production /usr/local/php-fpm/etc/php.ini
    vi /usr/local/php-fpm/etc/php-fpm.conf //寫入以下內容
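    ; Global section: where the master process writes its pid file and error log.
    [global]
    pid = /usr/local/php-fpm/var/run/php-fpm.pid
    error_log = /usr/local/php-fpm/var/log/php-fpm.log
    ; Pool named "www".
    [www]
    ; Unix socket the web server connects to.
    ; NOTE(review): /tmp is world-writable; a directory only root can write to is a safer
    ; home for the socket. The path is kept because the nginx config on this page uses it.
    listen = /tmp/php-fcgi.sock
    ; Give the socket to the nginx worker account ("user nobody nobody;" in nginx.conf)
    ; and close it to everyone else. With mode 666 any local user could send FastCGI
    ; requests that run as php-fpm.
    listen.owner = nobody
    listen.group = nobody
    listen.mode = 0660
    ; Account and group the pool's worker processes run as.
    user = php-fpm
    group = php-fpm
    ; Process-manager settings (all keys starting with "pm").
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024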

    cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
    chmod 755 /etc/init.d/php-fpm
    chkconfig --add php-fpm
    chkconfig php-fpm on
    service php-fpm start
    ps aux |grep php-fpm

  3. Nginx的安裝
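    # Build nginx 1.12.1 from source and install it under /usr/local/nginx.
    cd /usr/local/src
    # NOTE(review): the tarball is fetched over plain HTTP and is never verified; nginx.org
    # publishes a PGP signature next to each release, check it before building.
    wget http://nginx.org/download/nginx-1.12.1.tar.gz
    tar zxf nginx-1.12.1.tar.gz
    # configure lives inside the unpacked source tree, so enter it first.
    cd nginx-1.12.1
    ./configure --prefix=/usr/local/nginx
    make && make install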
    vim /etc/init.d/nginx //複製以下內容:
    #!/bin/bash
    #chkconfig: - 30 21
    #description: http service.
    # The two header lines above are read by chkconfig (run levels, start priority,
    # stop priority, description); keep their exact format.
    # Load the distribution's init helper library; daemon and killproc, used by the
    # functions below, are expected to come from it.
    . /etc/init.d/functions
    # Locations of the nginx binary, its main configuration file and its pid file.
    NGINX_SBIN="/usr/local/nginx/sbin/nginx"
    NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
    NGINX_PID="/usr/local/nginx/logs/nginx.pid"
    # Exit status of the script; the actions below store their result here.
    RETVAL=0
    # Display name used in the status messages.
    prog="Nginx"
    # Start nginx with the configured binary and config file.
    # Globals: prog, NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
    # Returns: the exit status of the daemon helper
    start() {
      # Status prefix, printed without a trailing newline.
      printf '%s' $"Starting $prog: "
      # Scratch directory, created before the server is launched.
      mkdir -p /dev/shm/nginx_temp
      daemon $NGINX_SBIN -c $NGINX_CONF
      RETVAL=$?
      # Terminate the status line.
      echo
      return $RETVAL
    }
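    # Stop nginx by sending TERM to the process recorded in the pid file.
    # Globals: prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
    # Returns: the exit status of killproc
    stop() {
      echo -n $"Stopping $prog: "
      killproc -p "$NGINX_PID" "$NGINX_SBIN" -TERM
      # Capture killproc's status right away. Taking $? after the rm below would
      # report the cleanup's result, so a failed stop would look like a success.
      RETVAL=$?
      rm -rf /dev/shm/nginx_temp
      echo
      return $RETVAL
    }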
    # Ask the running nginx to reload by sending HUP to the process in the pid file.
    # Globals: prog, NGINX_PID, NGINX_SBIN (read); RETVAL (written)
    # Returns: the exit status of killproc
    reload() {
      # Status prefix, printed without a trailing newline.
      printf '%s' $"Reloading $prog: "
      killproc -p $NGINX_PID $NGINX_SBIN -HUP
      RETVAL=$?
      # Terminate the status line.
      echo
      return $RETVAL
    }
    # Restart nginx: a full stop followed by a fresh start.
    # Returns: the exit status of start (stop's status is not checked)
    restart() {
      stop
      start
    }
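    # Check the nginx configuration file for errors (nginx -t).
    # Globals: NGINX_SBIN, NGINX_CONF (read); RETVAL (written)
    # Returns: the exit status of the syntax check
    configtest() {
      "$NGINX_SBIN" -c "$NGINX_CONF" -t
      # Report the result of the check instead of a fixed 0, so that a caller
      # (or a deployment script) can tell a broken configuration from a good one.
      RETVAL=$?
      return $RETVAL
    }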
    # Dispatch on the first argument. Each accepted action has a function of the
    # same name, so the argument is called directly once it has matched the list.
    case "$1" in
      start | stop | reload | restart | configtest)
        "$1"
        ;;
      *)
        # Anything else: print the usage line and exit with status 1.
        echo $"Usage: $0 {start|stop|reload|restart|configtest}"
        RETVAL=1
        ;;
    esac
    exit $RETVAL
    chmod 755 /etc/init.d/nginx
    chkconfig --add nginx
    chkconfig nginx on
    cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
    vim nginx.conf //寫入以下內容:
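    # Main nginx configuration.
    # Worker processes run as the unprivileged "nobody" user and group.
    user nobody nobody;
    worker_processes 2;
    # Only messages of level "crit" and above are written to the error log.
    error_log /usr/local/nginx/logs/nginx_error.log crit;
    pid /usr/local/nginx/logs/nginx.pid;
    worker_rlimit_nofile 51200;
    events
    {
        use epoll;
        worker_connections 6000;
    }
    http
    {
        include mime.types;
        default_type application/octet-stream;
        server_names_hash_bucket_size 3526;
        server_names_hash_max_size 4096;
        # Access-log format named "combined_realip".
        # NOTE(review): $http_x_forwarded_for is copied from a request header that the
        # client controls; $remote_addr is the address that actually connected.
        log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
        ' $host "$request_uri" $status'
        ' "$http_referer" "$http_user_agent"';
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 30;
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 3m;
        connection_pool_size 256;
        client_header_buffer_size 1k;
        large_client_header_buffers 8 4k;
        request_pool_size 4k;
        output_buffers 4 32k;
        postpone_output 1460;
        client_max_body_size 10m;
        client_body_buffer_size 256k;
        client_body_temp_path /usr/local/nginx/client_body_temp;
        proxy_temp_path /usr/local/nginx/proxy_temp;
        fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
        fastcgi_intercept_errors on;
        tcp_nodelay on;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 8k;
        gzip_comp_level 5;
        gzip_http_version 1.1;
        gzip_types text/plain application/x-javascript text/css text/htm
        application/xml;
        server
        {
            listen 80;
            server_name localhost;
            index index.html index.htm index.php;
            root /usr/local/nginx/html;
            # Hand URIs ending in ".php" to php-fpm. The dot is escaped: an unescaped
            # "." matches any character, so the pattern would also catch URIs such as /xphp.
            location ~ \.php$
            {
                include fastcgi_params;
                fastcgi_pass unix:/tmp/php-fcgi.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
            }
        }
    }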
    /etc/init.d/nginx start
  4. Nginx默認虛擬主機
    vim nginx.conf 刪除如下內容
    server
    {
    listen 80;
    server_name localhost;
    index index.html index.htm index.php;
    root /usr/local/nginx/html;
    location ~ .php$
    {
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
    }
    }
    再在末行加入include vhost/*.conf;
    mkdir /usr/local/nginx/conf/vhost
    cd !$; vim default.conf //加入以下內容
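    server
    {
        # "default_server" makes this the default virtual host for port 80: it answers
        # requests whose Host matches no other server_name.
        listen 80 default_server;
        server_name aaa.com;
        # Index files.
        index index.html index.htm index.php;
        # Document root.
        root /data/wwwroot/default;
    }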

    mkdir -p /data/wwwroot/default/
    echo "This is a default site." >/data/wwwroot/default/index.html
    /usr/local/nginx/sbin/nginx -t //語句檢驗
    /usr/local/nginx/sbin/nginx -s reload //從新加載
    curl -x127.0.0.1:80 123.com (123.com能夠爲任意) 返回結果「This is a default site.」

  5. Nginx用戶認證
    vim /usr/local/nginx/conf/vhost/test.com.conf//寫入以下內容
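    server
    {
        listen 80;
        server_name test.com;
        index index.html index.htm index.php;
        root /data/wwwroot/test.com;
        location /
        {
            # Realm string shown in the login prompt.
            auth_basic "Auth";
            # Password file, created with htpasswd.
            # NOTE(review): Basic auth only base64-encodes the credentials, and this
            # server listens on plain HTTP, so they are readable on the network; serve
            # the protected area over TLS. Keep the password file readable only by root
            # and the nginx worker user.
            auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }
    }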

    yum install -y httpd 安裝Apache
    htpasswd -c /usr/local/nginx/conf/htpasswd [用戶名] // -c表示建立,以後添加用戶不須要用到
    /usr/local/nginx/sbin/nginx -t && -s reload
    curl -x127.0.0.1:80 test.com 返回結果401
    curl -u[用戶名]:[密碼] -x127.0.0.1:80 123.com 返回結果「test.com」
    對於目標下目錄(如目標爲/data/wwwroot/test.com,目標目錄爲/data/wwwroot/test.com/admin)單獨用驗證方式:
    將配置文件裏的location / 改成location /admin。

  6. Nginx域名重定向
    更改test.com.conf爲
    server
    {
        listen 80;
        # Several names may follow server_name; test.com is the canonical one.
        server_name test.com test1.com test2.com;
        index index.html index.htm index.php;
        root /data/wwwroot/test.com;
        # Any request that arrives under another host name is sent to the same path
        # on test.com with a permanent redirect.
        if ($host != 'test.com' ) {
            rewrite ^/(.*)$ http://test.com/$1 permanent;
        }
    }
    Nginx的server_name後面支持寫多個域名
    permanent爲永久重定向,狀態碼爲301,若是寫redirect則爲302

  7. Nginx訪問日誌
    vim /usr/local/nginx/conf/nginx.conf 搜索log_format所在行爲:
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"'; (分號算最終結束,combined_realip爲格式名稱,可自定義)
    除了在主配置文件nginx.conf裏定義日誌格式外,還須要在虛擬主機配置文件中增長,因此在test.com.conf文件裏增長一行 access_log /tmp/test.log combined_realip; 定義訪問日誌文件名

    日誌切割
    Nginx沒有自帶切割日誌的功能,須要自定義切割腳本
    vim /usr/local/sbin/nginx_log_rotate.sh//寫入以下內容
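    #! /bin/bash
    # Rotate the nginx access logs: rename every *.log file in the log directory with
    # yesterday's date as a suffix, then signal nginx so it writes to new log files.
    # Yesterday's date as YYYYMMDD.
    d=$(date -d "-1 day" +%Y%m%d)
    # Directory that holds the logs.
    # NOTE(review): /tmp matches the access_log path used on this page, but it is
    # world-writable, so *.log files that other local users place there are renamed
    # as well; a directory only root can write to, such as /data/logs/, is safer.
    logdir="/tmp/"
    # Pid file of the nginx master process.
    nginx_pid="/usr/local/nginx/logs/nginx.pid"
    # Stop if the directory is missing rather than renaming files somewhere else.
    cd "$logdir" || exit 1
    for log in *.log
    do
        # An unmatched glob stays as the literal pattern; skip it.
        [ -e "$log" ] || continue
        # Rename: append the date to the file name.
        mv -- "$log" "$log-$d"
    done
    # HUP makes nginx reload, after which it writes to newly created log files.
    /bin/kill -HUP "$(cat "$nginx_pid")"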
    而後添加任務計劃:
    0 0 * * * /bin/bash /usr/local/sbin/nginx_log_rotate.sh

    靜態文件不記錄日誌和過時時間
    vi test.com.conf 加入以下內容:
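    # "~" starts a regular-expression match; "\." is a literal dot before the extension.
    # Image and Flash files: cached by clients for 7 days, not written to the access log.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 7d;
        # Requests for these files leave no entry in the access log.
        access_log off;
    }
    # Scripts and style sheets: cached by clients for 12 hours, not written to the access log.
    location ~ .*\.(js|css)$
    {
        expires 12h;
        access_log off;
    }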

    Nginx防盜鏈
    vi test.com.conf 第一個location改成
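    # Case-insensitive match on the listed file extensions; "\." is a literal dot.
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
    {
        expires 7d;
        # Accepted Referer values: absent (none), present but stripped by a proxy or
        # firewall (blocked), this server's own names, and *.test.com.
        # NOTE(review): the Referer header is chosen by the client and can be forged or
        # left out, so this deters casual hot-linking; it is not an access control.
        valid_referers none blocked server_names *.test.com ;
        if ($invalid_referer) {
            return 403;
        }
        access_log off;
    }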

    訪問控制
    來源ip的控制
    # Restrict /admin/ by source address. Rules are checked in order and the first
    # match decides: the two listed addresses are allowed, everything else gets 403.
    # NOTE(review): this is a prefix location. A regex location that also matches the
    # request (for example a "\.php$" block in the same server) is selected instead,
    # and these allow/deny rules then do not apply to it; confirm against the final
    # test.com.conf.
    location /admin/
    {
        allow 192.168.133.1;
        allow 127.0.0.1;
        deny all;
    }
    mkdir /data/wwwroot/test.com/admin/
    echo "test,test" >/data/wwwroot/test.com/admin/1.html
    -t && -s reload
    文件名匹配控制
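    # Refuse any .php URI whose path contains a directory named abc or image, so a
    # script placed in those directories is never handed to php-fpm.
    # Regex locations are tried in the order they appear in the file; keep this block
    # above the general "\.php$" location or it will never be reached.
    location ~ .*(abc|image)/.*\.php$
    {
        deny all;
    }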
    根據user_agent限制
    # Answer 403 when the User-Agent header matches one of the listed names
    # ("~" is a case-sensitive regex match).
    # NOTE(review): User-Agent is set by the client, so this filters well-behaved
    # crawlers only.
    if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato') {
        return 403;
    }
    deny all和return 403效果同樣

  8. Nginx解析PHP配置
    vim test.com.conf 增長內容:
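    # Hand URIs ending in ".php" to php-fpm. The dot is escaped: an unescaped "."
    # matches any character.
    location ~ \.php$
    {
        # Answer 404 when no such file exists under root, instead of forwarding a
        # request-controlled path to php-fpm.
        try_files $uri =404;
        include fastcgi_params;
        # Address or Unix socket that php-fpm listens on.
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # The path prefix must be the same as the root configured earlier in this server block.
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }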

  9. Nginx代理
    cd /usr/local/nginx/conf/vhost
    vim proxy.conf //加入以下內容
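    server
    {
        listen 80;
        # Domain name handled by this proxy.
        server_name ask.apelearn.com;

        location /
        {
            # IP address of the backend web server.
            # NOTE(review): traffic to the backend travels as plain HTTP.
            proxy_pass http://121.201.9.155/;
            # Pass the requested host name (the server_name above) on to the backend.
            proxy_set_header Host $host;
            # Address of the client that connected to this proxy.
            proxy_set_header X-Real-IP $remote_addr;
            # Appends $remote_addr to any X-Forwarded-For header the client sent; the
            # earlier entries come from the client and the backend should not trust them.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }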

    負載均衡(代理多臺)
    vim /usr/local/nginx/conf/vhost/load.conf // 寫入以下內容
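    # Group of backend web servers.
    upstream qq_com
    {
        # Requests from the same client address are sent to the same backend.
        ip_hash;
        server 61.135.157.156:80;
        server 125.39.240.113:80;
    }
    server
    {
        listen 80;
        server_name www.qq.com;
        location /
        {
            # Must be the name given after "upstream" above.
            proxy_pass http://qq_com;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Earlier entries in this header come from the client; only the last one
            # is added by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }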
    upstream來指定多個web server
    nginx不支持https

  10. SSL

    生成ssl密鑰對
    cd /usr/local/nginx/conf
    openssl genrsa -des3 -out tmp.key 2048//key文件爲私鑰,genrsa表示生成rsa類型的私鑰
    openssl rsa -in tmp.key -out abc.key //轉換key,取消密碼;abc.key此後沒有密碼保護,應限制其讀取權限(如chmod 600 abc.key)
    rm -f tmp.key 刪除原有文件
    openssl req -new -key abc.key -out abc.csr //生成證書請求文件,須要拿這個文件和私鑰一塊兒生產公鑰文件
    openssl x509 -req -days 365 -in abc.csr -signkey abc.key -out abc.crt 這裏的abc.crt爲公鑰

    Nginx配置ssl
    vim /usr/local/nginx/conf/vhost/ssl.conf//加入以下內容
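    server
    {
        # "ssl" on the listen directive enables TLS for this port; it takes the place
        # of the older "ssl on;" directive.
        listen 443 ssl;
        server_name aming.com;
        index index.html index.php;
        # Same directory the test page is written to (/data/wwwroot/aming.com).
        root /data/wwwroot/aming.com;
        # Relative paths are resolved against the nginx conf directory, where the key
        # and certificate were generated.
        ssl_certificate abc.crt;
        ssl_certificate_key abc.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
        # TLSv1.3 can be added once the installed nginx and OpenSSL support it.
        ssl_protocols TLSv1.2;
    }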
    -t && -s reload //若報錯unknown directive 「ssl」 ,須要從新編譯nginx,加上--with-http_ssl_module
    mkdir /data/wwwroot/aming.com
    echo "ssl test page." >/data/wwwroot/aming.com/index.html
    編輯hosts,增長127.0.0.1 aming.com
    curl https://aming.com/

  11. pool
    vim /usr/local/php-fpm/etc/php-fpm.conf//在[global]部分增長
    include = etc/php-fpm.d/*.conf
    mkdir /usr/local/php-fpm/etc/php-fpm.d/
    cd /usr/local/php-fpm/etc/php-fpm.d/
    vim www.conf //內容以下
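    ; Pool "www" with its own socket.
    [www]
    ; NOTE(review): /tmp is world-writable; a directory only root can write to is a
    ; safer home for the socket.
    listen = /tmp/www.sock
    ; Give the socket to the nginx worker account ("user nobody nobody;" in nginx.conf)
    ; and close it to everyone else. With mode 666 any local user could send FastCGI
    ; requests that run as php-fpm.
    listen.owner = nobody
    listen.group = nobody
    listen.mode = 0660
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024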
    繼續編輯配置文件
    vim slx.conf //內容以下
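    ; Pool "slx" with its own socket.
    [slx]
    ; NOTE(review): /tmp is world-writable; a directory only root can write to is a
    ; safer home for the socket.
    listen = /tmp/aming.sock
    ; Give the socket to the nginx worker account ("user nobody nobody;" in nginx.conf)
    ; and close it to everyone else. With mode 666 any local user could send FastCGI
    ; requests that run as php-fpm.
    listen.owner = nobody
    listen.group = nobody
    listen.mode = 0660
    ; NOTE(review): both pools on this page run as php-fpm; separate accounts per pool
    ; would keep the sites' files apart from each other.
    user = php-fpm
    group = php-fpm
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 20
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    pm.max_requests = 500
    rlimit_files = 1024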
    /usr/local/php-fpm/sbin/php-fpm -t
    /etc/init.d/php-fpm restart

  12. php-fpm的慢執行日誌
    vim /usr/local/php-fpm/etc/php-fpm.d/www.conf//加入以下內容
    request_slowlog_timeout = 1 //執行超過1s進行記錄,能夠找到速度控制步驟(通常定2s較好,超過1s的執行時間算正常)
    slowlog = /usr/local/php-fpm/var/log/www-slow.log
    配置nginx的虛擬主機test.com.conf,把unix:/tmp/php-fcgi.sock改成unix:/tmp/www.sock
    從新加載nginx服務
    vim /data/wwwroot/test.com/sleep.php//寫入以下內容
    <?php echo "test slow log";sleep(2);echo "done";?>
    curl -x127.0.0.1:80 test.com/sleep.php
    cat /usr/local/php-fpm/var/log/www-slow.log

  13. php-fpm進程管理
    在配置文件裏有如下內容
    pm = dynamic //動態進程管理,也能夠是static
    pm.max_children = 50 //最大子進程數,ps aux能夠查看
    pm.start_servers = 20 //啓動服務時會啓動的進程數
    pm.min_spare_servers = 5 //定義在空閒時段,子進程數的最少數量,若是達到這個數值時,php-fpm服務會自動派生新的子進程。
    pm.max_spare_servers = 35 //定義在空閒時段,子進程數的最大值,若是高於這個數值就開始清理空閒的子進程。
    pm.max_requests = 500 //定義一個子進程最多處理的請求數,也就是說在一個php-fpm的子進程最多能夠處理這麼多請求,當達到這個數值時,它會自動退出。