Linux CentOS 8: install PHP 7, nginx 1.4 and MySQL 8, run a PHP website, and configure each module from scratch
Choice between CentOS7 and centOS8
At present, the default CentOS version on the major cloud servers in China is still 7, and they do not yet offer CentOS 8. Foreign cloud server vendors, such as Vultr, default to 8.
For the performance improvements in CentOS 8, the official website explains them more clearly.
I installed the CentOS 8 minimal version and checked on my system: nginx defaults to 1.14.
Development Language Version
Python 3.6
PHP 7.2
Ruby 2.5
Node.js 10
Java: OpenJDK 11
Database Version
MySQL 8.0
MariaDB 10.3
PostgreSQL 10 and PostgreSQL 9.6
Redis 5.0
My server was running MySQL 5.6 and PHP 5.6, so I chose to start over from scratch.
CentOS 8: install the default versions of nginx, MySQL and PHP and build a PHP website from scratch
centos8 install nginx
-
Install nginx
yum install nginx php
-
start nginx
systemctl start nginx.service
-
View nginx status
systemctl status nginx
-
Set nginx startup
systemctl enable nginx.service
centos8 install php
Install php
yum install php
Install php extension library
yum install php-json php-xml php-mysqlnd php-mbstring php-common php-gd
Start php
systemctl start php-fpm
View php version
php -v
Set php startup
systemctl enable php-fpm
centos8 install mysql
-
Check to see if MySQL is installed
rpm -qa | grep mysql
-
Download installation package files
wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
-
Install mysql-community-release-el7-5.noarch.rpm package
rpm -ivh mysql-community-release-el7-5.noarch.rpm
-
View available installation packages
yum repolist all | grep mysql
-
Install mysql
yum install mysql-server
-
Check that mysql was installed successfully.
rpm -qa | grep mysql
-
Start mysql service
systemctl start mysqld.service
Site nginx selinux file permissions configuration
Website nginx configuration
I won't go into the basic nginx configuration here; see "Nginx Sunflower Treasure - Grass Root Webmaster Configuration Nginx Operations Wikipedia".
For small, low-bandwidth websites like mine, it is important to configure nginx rate limiting.
The general configuration is as follows
# 1M can store 16384 states; the rate value must be an integer.
# To limit clients to one request every two seconds, set the rate to 30r/m.
# $binary_remote_addr sometimes needs to be replaced with a variable from your own log_format configuration.
limit_conn_zone $binary_remote_addr zone=perip:1m;
limit_conn_zone $server_name zone=perserver:1m;
#limit_req zone=perip burst=10;
# limit_conn caps concurrent connections per key: with the perip zone each client IP
# may hold at most 14 connections at a time, and with perserver each server_name at most 10;
# connections beyond that are rejected.
limit_conn perip 14;
limit_conn perserver 10;
limit_req_zone $binary_remote_addr zone=per_ip:1m rate=400r/s;
limit_req_zone $server_name zone=per_server:10m rate=600r/s;
limit_req zone=per_ip burst=300 nodelay;
limit_req zone=per_server burst=500;
For details, recommended reading: "Ultra-detailed parsing of limit_req module burst parameter under Nginx".
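To see what the rate and burst values above mean in practice, here is a simplified model of the limit_req accounting, added as an example (it is not code from the original article or from nginx). The function names limit_req_sim and gen_arrivals and the arrival patterns are constructed for this sketch.

```shell
#!/bin/sh
# Simplified model of limit_req accounting (added example, not nginx source).
# Per key, an "excess" counter in units of 0.001 request drains at RATE
# requests per second and grows by one request on each arrival. A request is
# rejected when the excess would exceed BURST. nodelay changes only whether
# accepted requests above the rate are delayed, not which ones are rejected.

# limit_req_sim RATE_PER_SEC BURST   (stdin: one arrival time in ms per line)
# prints "<accepted> <rejected>"
limit_req_sim() {
    awk -v rate="$1" -v burst="$2" '
        NF == 0 { next }
        !seen   { seen = 1; excess = 0; last = $1; ok++; next }
        {
            ms = $1 - last
            if (ms < 0) ms = 0
            e = excess - rate * ms + 1000            # drain, then add this request
            if (e < 0) e = 0
            if (e > burst * 1000) { busy++; next }   # rejected, state unchanged
            excess = e
            if (ms > 0) last = $1
            ok++
        }
        END { printf "%d %d\n", ok, busy }'
}

# gen_arrivals COUNT INTERVAL_MS: COUNT constructed timestamps, INTERVAL_MS apart
gen_arrivals() {
    awk -v n="$1" -v step="$2" 'BEGIN { for (i = 0; i < n; i++) print i * step }'
}

# 1000 requests from one IP in the same millisecond against the per_ip zone
# above (rate=400r/s, burst=300): prints "301 699"
gen_arrivals 1000 0 | limit_req_sim 400 300
# One request per second against 30r/m with no burst: prints "5 5"
gen_arrivals 10 1000 | limit_req_sim 0.5 0
```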
The nginx configuration directory structure is as follows
Paste the configuration of this site here
nginx basic configuration
I edit the nginx configuration files in IntelliJ as HOCON; for the setup, see "HOCON: What is the format of the nginx profile suffix conf folder? How intellij edits". Other editors should have plug-ins as well. A plug-in that understands the syntax makes editing much more comfortable.
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /etc/nginx/modules/*.conf;

events {
    # Essential for Linux: optimized to serve many clients with each thread.
    use epoll;

    # Determines how many clients will be served by each worker process.
    # (Max clients = worker_connections * worker_processes)
    # "Max clients" is also limited by the number of socket connections available on the system (~64k).
    worker_connections 51200;

    # Whether a worker process accepts multiple new client connections at once; the default is off.
    multi_accept on;
}

# http config
include /etc/nginx/http/default.conf;
#include /etc/nginx/http/http_web.conf;
nginx http configuration
http {
    ################################ logs #######################
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Buffer log writes to speed up IO, or disable them altogether.
    # access_log /var/log/nginx/access.log main buffer=16k;
    access_log off;

    # Only log critical errors.
    error_log /var/log/nginx/error.log crit;

    ################################ file #######################
    # types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    # Access-Control-Allow-Methods is a CORS response header: it tells browsers that GET and POST
    # are allowed for cross-origin requests. It does not make nginx reject other methods.
    add_header 'Access-Control-Allow-Methods' 'GET, POST';

    # Hide the nginx version number.
    server_tokens off;

    ################################ gzip compression Related Configuration #######################
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 4;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;

    ################################ Request Settings Optimized Configuration #######################
    tcp_nodelay on;
    # sendfile() reduces not only the number of context switches but also the number of copies.
    sendfile on;
    # Make the data in the buffer send out immediately.
    tcp_nopush on;

    # How long each TCP connection can be kept alive at most. The nginx default is 75 seconds,
    # and some browsers hold connections for up to 60 seconds, so it can be set to 60 seconds.
    # After this timeout the server closes the connection.
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 2m;

    # Number of requests a client can make over the keep-alive connection. This is set high for testing.
    keepalive_requests 10000;

    # Timeout for keep-alive connections. Server will close connections after this time.
    # Timeout for the client to send a complete request header. If the client does not send a complete
    # request header within this time, nginx returns HTTP 408 (Request Timed Out).
    client_header_timeout 40s;

    # Send the client a "request timed out" if the body is not loaded by this time. Default 60.
    # Timeout for the client to send the request body after connecting. If the client sends nothing
    # within this time, nginx returns HTTP 408 (Request Timed Out).
    client_body_timeout 40s;
    reset_timedout_connection on;

    # If the client stops reading data, free up the stale client connection after this much time. Default 60.
    # This is the timeout for transferring data from the server to the client.
    send_timeout 30;
    server_names_hash_bucket_size 128;

    # Client request header buffer size, which can be set according to the system page size.
    # A request header normally does not exceed 1k, but since the system page size is usually
    # greater than 1k, it is set to the page size here.
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;

    ################################ Speed Limit Configuration ################################
    limit_conn_log_level error;
    limit_conn_status 503;
    #limit_conn_zone $binary_remote_addr zone=one:1m;
    #limit_conn_zone $server_name zone=perserver:1m;
    # Define a limit_req_zone named allips to store sessions in 10M of memory.
    # Limit average requests per second to 20 with $binary_remote_addr as key.
    # 1M can store 16384 states; the rate value must be an integer.
    # To limit clients to one request every two seconds, set the rate to 30r/m.
    # $binary_remote_addr sometimes needs to be replaced with a variable from your own log_format configuration.
    limit_conn_zone $binary_remote_addr zone=perip:1m;
    limit_conn_zone $server_name zone=perserver:1m;
    #limit_req zone=perip burst=10;
    # limit_conn caps concurrent connections per key: with the perip zone each client IP
    # may hold at most 14 connections at a time, and with perserver each server_name at most 10;
    # connections beyond that are answered with limit_conn_status (503 here).
    limit_conn perip 14;
    limit_conn perserver 10;
    limit_req_zone $binary_remote_addr zone=per_ip:1m rate=400r/s;
    limit_req_zone $server_name zone=per_server:10m rate=600r/s;
    limit_req zone=per_ip burst=300 nodelay;
    limit_req zone=per_server burst=500;

    ################################ web server #######################
    include /etc/nginx/http/http_web.conf;
}
nginx empty domain name setting, ip access is prohibited
This prevents someone else's domain name from being resolved to our server's IP, which could get our IP walled.
# Turn off the nginx empty host header, to guard against empty Host headers and malicious domain names pointed at this server
server {
    listen *:80 default;
    server_name _;
    #index index.html index.php index.htm;
    #root /data/wwwroot/zhoulujun;
    #include /etc/nginx/conf.d/php.conf;
    # rewrite ^(.*) //zhoulujun.cn permanent;
    return 301 https://www.zhoulujun.cn$request_uri;
}
nginx php support configuration
################################ php Related Configuration #######################
# Load modular configuration files from the /etc/nginx/conf.d directory.
# include /etc/nginx/conf.d/php-fpm.conf
upstream php-fpm {
    server unix:/run/php-fpm/www.sock;
}

################################ php fastcgi Related Configuration #######################
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;

################################ host ################################
include /etc/nginx/site/default.conf;
linux Server web Directory Permission Settings
Set files that only need to be read to 644, files that need to be executed, such as PHP files, to 755, and folders that need to be read and written, such as html and uploadfile, to 777.
For specific permission settings, see my previous article, "Clear up user group concepts and file permissions - Understand site permission settings".
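A way to check a web root against the 644 / 755 / 777 scheme above, added here as an example (it is not part of the original article). The function name web_perm_audit and the demo tree are constructed; on a real host the argument would be the web root, such as /data/www.

```shell
#!/bin/sh
# Audit a web root against the 644 / 755 / 777 scheme above (added example).

web_perm_audit() {   # web_perm_audit ROOT
    # World-writable regular files: the scheme only makes directories 777.
    find "$1" -type f -perm -0002 -exec printf 'world-writable file: %s\n' {} \;
    # PHP files directly inside a world-writable directory: whatever can write
    # to an upload folder could also place a script there.
    find "$1" -type d -perm -0002 | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' \
            -exec printf 'php in writable dir: %s\n' {} \;
    done
}

# Constructed tree for the demo.
demo=$(mktemp -d)
mkdir "$demo/uploadfile"
chmod 777 "$demo/uploadfile"
printf '<?php\n' > "$demo/index.php";              chmod 755 "$demo/index.php"
printf '<?php\n' > "$demo/uploadfile/dropped.php"; chmod 644 "$demo/uploadfile/dropped.php"
printf 'x\n'     > "$demo/style.css";              chmod 666 "$demo/style.css"
web_perm_audit "$demo"
rm -rf "$demo"
```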
Even with these permissions set, the site is still inaccessible, because CentOS 8 enables SELinux by default. It generally reports a 403 error.
centos8 site server selinux settings
Most answers found on the web say to disable SELinux, which I personally do not recommend.
Set selinux read permissions to web directories
chcon -v -R --type=httpd_sys_content_t /data/www/
Set selinux write permissions to web directories
chcon -R -t httpd_sys_rw_content_t /data/www/
For details, see "centos8 nginx server root points to a custom directory such as (/data/www), access reports 403 404, all file user groups have root permissions of 755".
Once set up, the website is ready to run
Basic security settings for linux websites
linux adds users, modifies user passwords, modifies user permissions, and sets root operations
-
Add a user named andyZhou
useradd andyZhou
-
Change Password
passwd andyZhou
-
Give user root permission
usermod -g root andyZhou
For the website I usually log in with this new user and switch with su when root privileges are needed.
For details, see "linux adds users, modifies user passwords, modifies user permissions, and sets root user actions".
Prohibit root ssh login and change the default port
Modify ssh profile
Modify ssh login port
vim /etc/ssh/sshd_config
Find '#Port 22', type 'yyp' directly on this line to copy the line to the next line, and then remove the comment '#' from both lines to modify it to:
#Port 22
Port 10086
When you change the port, it is best to choose a port number between 10000 and 65535. Ports below 10000 are easily taken by the system or by some special software, or a new application may later need a port that you have already occupied, which leaves that software unable to run.
Prohibit root ssh login
PermitRootLogin no
Add the ordinary user that is allowed to log in over ssh
AllowUsers andyZhou
Restart ssh service
systemctl restart sshd
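A check to run on the edited file before restarting sshd, added here as an example (it is not part of the original article): it reads back the port, PermitRootLogin and AllowUsers settings described above and confirms every AllowUsers name is a real account. The function names and both sample files are constructed, Match blocks are not interpreted, and on a real host the arguments would be /etc/ssh/sshd_config and /etc/passwd.

```shell
#!/bin/sh
# Pre-restart audit of the sshd_config edits described above (added example).

# First value of a keyword: sshd keywords are case-insensitive and, for
# single-valued options, the first occurrence in the file is the one used.
sshd_first() {   # sshd_first KEYWORD CONFIG
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Every port sshd will listen on (Port may appear more than once; default 22).
# Compare the result with `firewall-cmd --list-ports`.
sshd_ports() {   # sshd_ports CONFIG
    p=$(awk 'tolower($1) == "port" { print $2 }' "$1" | sort -n | tr '\n' ' ')
    echo "${p:-22 }" | sed 's/ $//'
}

# Print one finding per line; no output means the edits are consistent.
sshd_audit() {   # sshd_audit CONFIG PASSWD
    root=$(sshd_first PermitRootLogin "$1")
    [ "$root" = "no" ] || echo "PermitRootLogin is '${root:-unset}', expected 'no'"
    users=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1")
    [ -n "$users" ] || echo "AllowUsers is not set"
    for u in $users; do
        name=${u%%@*}                            # AllowUsers also accepts user@host
        case $name in *[*?]*) continue ;; esac   # wildcard patterns are not checked
        cut -d: -f1 "$2" | grep -qxF -- "$name" ||
            echo "AllowUsers '$name' matches no account (names are case-sensitive)"
    done
}

# Constructed sample files: the account is andyZhou, the config says andyzhou.
make_sample() {  # make_sample DIR
    printf '%s\n' '#Port 22' 'Port 10086' 'PermitRootLogin no' \
        'AllowUsers andyzhou' > "$1/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'andyZhou:x:1000:0::/home/andyZhou:/bin/bash' > "$1/passwd"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "ports: $(sshd_ports "$demo/sshd_config")"
sshd_audit "$demo/sshd_config" "$demo/passwd"
rm -rf "$demo"
```

With SELinux enforcing, which the article notes is the CentOS 8 default, sshd can only bind the new port after it is labelled with semanage port -a -t ssh_port_t -p tcp 10086. Running sshd -t before systemctl restart sshd catches syntax errors, and keeping the current session open until a second login on the new port succeeds avoids a lockout.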
linux Firewall Port Settings
-
linux firewall closes a port
firewall-cmd --permanent --zone=public --remove-port=8080/tcp
-
linux Firewall opens a port
firewall-cmd --permanent --add-port=10086/tcp
-
Reload firewall policy:
firewall-cmd --reload
-
View Firewall Port Opening
firewall-cmd --list-ports
linux Virtual Memory Settings
My personal blog's server has only 1 GB of memory, so MySQL often crashes while running.
Use free -m to view the memory and size the virtual memory as appropriate; it is typically set to twice the physical memory. Then set up 2 GB of virtual memory with the following commands
dd if=/dev/zero of=/opt/swap bs=1024 count=2048000
chmod 600 /opt/swap
mkswap /opt/swap
swapon /opt/swap
MySQL: create a new user, grant it privileges, and disable root login
The following lines of SQL should meet your needs
-- Create a user and log in with that user from now on
-- ('Access Restrictions' is the host the user is allowed to connect from)
CREATE USER 'userName'@'Access Restrictions' IDENTIFIED BY 'password';
-- Authorize the user, granting permissions on the data
GRANT ALL PRIVILEGES ON databaseName.tableName TO 'userName'@'Access Restrictions';
-- Modify a user's password (change the root password)
ALTER USER 'root'@'localhost' IDENTIFIED BY 'newPassword';
-- Refresh user permissions
FLUSH PRIVILEGES;
Web site cloudflare acceleration
In Alibaba Cloud, export the zone file; in Cloudflare, export the template; then copy and paste.
There are many tutorials online, such as "How to Speed Up Your Website with CDN - Cloudflare Free Edition Detailed Use Tutorial".
Here are a few points to note
First, if you turn on Under Attack Mode, there will always be a 5m startup page, and free users can no longer configure it in the custom page settings.
For how to configure it, see "How cloudflare customizes the 5 second shield page tutorial".
Second, Cloudflare Rocket Loader is walled in China, so the JS it inserts for asynchronous execution gets blocked. If you have users in China, turn it off regardless.
Reference link: "Cloudflare Rocket Loader should not be used by Chinese users"
Once the website is ready, you can mirror it locally; see "vmware14 install centos8".
For now I have organized this much, following the migration steps of my personal website. I will come back later to tidy up the text.
When reproducing this site's article "Server upgrade to centos8 site configuration - PHP and mysql upgrade from 5.6 to php7 and mysql8",
please indicate the source: https://www.zhoulujun.cn/html/os/linux/8242.html