Recovery linux savings: architecture building lnmp (configuration)

Keywords: PHP Nginx vim Web Server

nginx virtual host

vim /usr/local/nginx/conf/nginx.conf

Add include vhost/*.conf;

mkdir /usr/local/nginx/conf/vhost

vim /usr/local/nginx/conf/vhost/aaa.com.conf - virtual host configuration file

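server
{
    # default_server: this block answers any request whose Host header matches no other server_name
    # (bare IP, unknown hosts), so keep it minimal and do not expose anything sensitive here.
    listen 80 default_server;
    server_name aaa.com;            # site name
    index index.html index.htm index.php;
    root /data/wwwroot/default;     # document root (directory not created yet at this step)
}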

To enable PHP parsing for this virtual host, add:

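server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
    location ~ \.php$
        {
            # Only hand files that exist under root to PHP-FPM. Without this, a URI for a
            # non-existent .php path is still forwarded, and with cgi.fix_pathinfo=1 PHP may
            # run a different existing file than the one requested.
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            # Must point at the same directory as the root directive above.
            fastcgi_param SCRIPT_FILENAME /data/wwwroot/default$fastcgi_script_name;
        }
}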

nginx user authentication

vim /usr/local/nginx/conf/vhost/test.com.conf
server
{
    listen 80;
    #NOTE(review): on plain HTTP the Basic-auth credentials are only base64-encoded, i.e. readable on the wire; put this behind TLS
    server_name test.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;

    location  /
    {
        auth_basic              "Auth";   #Realm name shown in the browser's login prompt
        auth_basic_user_file   /usr/local/nginx/conf/htpasswd;   #Password file; must be readable by the nginx worker user but should not be world-readable
     }
}

To create the password file, use Apache's htpasswd command (/usr/local/apache/bin/htpasswd); if it is not present, install the httpd package with yum:

# -c creates the file, overwriting an existing one; omit -c when adding further users to it
htpasswd -c /usr/local/nginx/conf/htpasswd quyifan

nginx domain name redirection

vim /usr/local/nginx/conf/vhost/test.com.conf
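server
{
    listen 80;
    server_name test.com test1.com test2.com;
    index index.html index.htm index.php;
    root /data/wwwroot/test.com;
    # Canonical-host redirect: requests that arrived under test1.com / test2.com are sent to test.com.
    # The target host is the fixed literal test.com, not taken from the request, so this is not an open redirect.
    if ($host != 'test.com' ) {
        # Permanent (301) redirect to the same path on the canonical host; nginx appends the query string itself.
        # "return 301 http://test.com$request_uri;" is the form nginx recommends over rewrite inside if.
        rewrite  ^/(.*)$  http://test.com/$1 permanent;
    }
}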

nginx access log

vim /usr/local/nginx/conf/vhost/test.com.conf

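# "quyifan" must be a log_format defined in the http{} context of nginx.conf (that definition is not shown on this page).
# NOTE(review): /tmp is world-writable, so any local user can pre-create or replace this file; a root-owned log directory is safer.
access_log /tmp/test.com.log quyifan;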

nginx log cutting

vim /usr/local/sbin/nginx_log_rotate.sh   (the shell script is saved here)
The script is as follows:
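#! /bin/bash
# Rotate every *.log file in $logdir by appending yesterday's date, then tell the
# nginx master process to reopen its log files so new requests go to fresh files.
# Meant to run once a day (e.g. from cron) shortly after midnight.

d=$(date -d "-1 day" +%Y%m%d)
# Suffix for the rotated files: the log being closed holds yesterday's traffic.

logdir="/tmp/"
# Directory the virtual host's access_log directive writes to (keep in sync with the vhost config).
# NOTE(review): /tmp is world-writable, so another local user can pre-create "<name>.log-<date>"
# or drop a symlink there before this runs; a dedicated root-owned log directory is safer.

nginx_pid="/usr/local/nginx/logs/nginx.pid"
# PID file of the nginx master process (same path as the pid directive in nginx.conf).

cd "$logdir" || exit 1          # never rename files in the wrong directory if cd fails

# Iterate the glob directly instead of parsing `ls`; quoting keeps odd file names intact.
for log in *.log
do
    [ -e "$log" ] || continue   # glob matched nothing: nothing to rotate
    mv -- "$log" "$log-$d"
done

# SIGHUP makes the master reload its configuration and reopen the logs (same as "nginx -s reload").
# SIGUSR1 would reopen the log files alone, without touching the configuration.
pid=$(cat "$nginx_pid") || exit 1
/bin/kill -HUP "$pid"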

nginx static file expiry and disabled access logging

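# Static assets: set the browser cache lifetime and skip access logging for them.
# Two blocks because the lifetimes differ (images 7 days, scripts/styles 12 hours).
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
          expires      7d;
          access_log off;
    }
location ~ .*\.(js|css)$
    {
          expires      12h;
          access_log off;
    }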

Anti-hotlinking (Referer check)

# Hotlink protection: serve these file types only when the Referer is absent, mangled, or from an allowed host.
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip|doc|pdf|gz|bz2|jpeg|bmp|xls)$
{
    expires 7d;
    valid_referers none blocked server_names  *.test.com ;
#none: no Referer at all (direct visits, clients that strip it); blocked: Referer present but without http:// (stripped by a proxy); server_names: this server's own names; *.test.com: the whitelist
#NOTE(review): the Referer is client-supplied, so this deters casual hotlinking but is not an access control
    if ($invalid_referer) {
        return 403;
#Anything not covered by valid_referers is refused with 403
    }
    access_log off;
}

nginx access control

#Allow-list: only the listed addresses may reach /admin/, everything else is refused
#Rules are checked top to bottom and the first allow/deny matching the client address wins
#Note: these match the TCP peer address; behind a reverse proxy that is the proxy, not the end user
location /admin/
{
    allow 192.168.153.130;
    allow 127.0.0.1;
    deny all;
}

#Block-list: only the listed addresses are refused; nginx allows access when no rule matches
location /admin/
{
    deny 192.168.188.1;
    deny 192.168.8.8;
}

#A regex location can also be used to restrict a path pattern
#Refuses to serve PHP from directories such as image/upload paths, a common place for user-supplied files
#Regex locations are tried in the order written, so this must appear BEFORE the general "location ~ \.php$" block or it never matches
location ~ .*(abc|image)/.*\.php$
{
        deny all;
}

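#Restrict by User-Agent: request floods ("CC" attacks) and unwanted crawlers often announce a recognisable agent string,
#so a site can refuse them (or hide itself from a particular spider) here.
#"~" is a case-sensitive regex match; a request whose User-Agent contains Spider/3.0, YoudaoBot or Tomato gets 403.
#Use "~*" to match regardless of case. The header is client-supplied, so this only stops clients that identify themselves honestly.
if ($http_user_agent ~ 'Spider/3.0|YoudaoBot|Tomato')
{
      return 403;
}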

Nginx parsing php

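location ~ \.php$
    {
        # Only hand files that exist under root to PHP-FPM. Without this, a URI for a non-existent .php
        # path is still forwarded, and with cgi.fix_pathinfo=1 PHP may run a different existing file.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        # A 502 with "no such file" for the socket in error.log means this path differs from the pool's "listen" value.
        #fastcgi_pass 127.0.0.1:9000;
        # PHP-FPM listens on either a unix socket or a TCP port; nginx must use the same form as the pool's "listen".
        fastcgi_index index.php;
        # Same directory as the server's root directive.
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/test.com$fastcgi_script_name;
    }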

Nginx reverse proxy

server
{
    listen 80;
    server_name ask.apelearn.com;
 
   location /
    {
        proxy_pass      http://121.201.9.155/;
        #Address of the real web server nginx forwards to (the trailing "/" replaces the matched "/" prefix, a no-op for location /)
        proxy_set_header Host   $host;
        #Forward the original Host (ask.apelearn.com) so the back-end's virtual host matches
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #Client address for the back-end's logs/ACLs; $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client sent,
        #so the back-end should trust these headers only when they come from this proxy
  }
}

nginx load balancing

upstream qq
#Back-end pool: one or more web servers that requests to this name are spread across
{
    ip_hash;
    #Load-balancing method: the client address decides which server is used, so the same client keeps hitting the same back-end
    #Example: on a forum, logging in and then landing on a different back-end after a refresh looks like being logged out
    #Client A is always forwarded to the first server, client B to the second, and so on
    #Useful when each server keeps sessions on its local disk
    #Note: the key is the first three octets of an IPv4 client address; behind another proxy all clients share that proxy's address
    server 61.135.157.156:80;
    server 125.39.240.113:80;
    #Multiple back-end IPs are listed here
}
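server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        # The upstream name defined above; nginx picks one of its servers per request.
        proxy_pass      http://qq;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}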

nginx configure ssl

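server
{
    # "listen 443 ssl" replaces the separate "ssl on;" directive, which is deprecated and no longer accepted by current nginx releases.
    listen 443 ssl;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    # Relative paths resolve from the nginx conf directory. The .key file is read by the master process at startup,
    # so it should be readable by root only, not by the worker user or other accounts.
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    # TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the local OpenSSL build predates 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
}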

PHP FPM configuration file

As an independent service, PHP-FPM has its own configuration file, /usr/local/php-fpm/etc/php-fpm.conf

vim /usr/local/php-fpm/etc/php-fpm.conf
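; Add a second pool to the main configuration file (here the two pools are not split into separate files).
; Comments in php-fpm.conf use ";" — "#"-style comments are no longer accepted by the PHP ini parser.
[aming]
listen = /tmp/aming.sock
; A socket under /tmp lives in a world-writable directory; a root-owned directory is safer.
; The original "listen.mode=666" made the socket world-writable, so any local account could submit
; FastCGI requests that run as this pool's user. Restrict it to the nginx worker user/group instead
; (take them from the "user" directive in nginx.conf, which this page does not show).
listen.owner = <NGINX_WORKER_USER>
listen.group = <NGINX_WORKER_GROUP>
listen.mode = 0660
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024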

vim /usr/local/php-fpm/etc/php-fpm.conf   (add the following under the [global] section of the main configuration file)
; Goes in the [global] section; the relative path is presumably resolved against the php-fpm prefix (/usr/local/php-fpm here), pulling in every pool file under etc/php-fpm.d/
include = etc/php-fpm.d/*.conf

vim /usr/local/php-fpm/etc/php-fpm.d/www.conf
#Here each pool lives in its own file, similar to the vhost/*.conf split used for nginx.conf

vim /usr/local/nginx/conf/vhost/aaa.com.conf
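location ~ \.php$
    {
        # Only hand files that exist under root to PHP-FPM. Without this, a URI for a non-existent .php
        # path is still forwarded, and with cgi.fix_pathinfo=1 PHP may run a different existing file.
        try_files $uri =404;
        include fastcgi_params;
        # Socket of the [aming] pool; must match that pool's "listen" value exactly.
        fastcgi_pass unix:/tmp/aming.sock;
        fastcgi_index index.php;
        # Same directory as the server's root directive.
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/default$fastcgi_script_name;
    }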

PHP FPM slow execution log

vim /usr/local/php-fpm/etc/php-fpm.d/www.conf   (add the following)

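; Log any request whose PHP script runs longer than this many seconds (1 is aggressive; 2 avoids logging many ordinarily slow pages).
; Prose in parentheses on the value line is not valid ini syntax, so the explanation lives in this ";" comment.
request_slowlog_timeout = 1
; Where the slow log is written (a backtrace per slow request); request a page on the site to see entries appear.
slowlog = /usr/local/php-fpm/var/log/www-slow.log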
#Define the path and name of the slow execution log, and visit the php website to view the slow execution log

open_basedir

Security restrictions

When one server hosts several sites, use open_basedir to limit the directories each site's PHP code may access.

vim /usr/local/php-fpm/etc/php-fpm.d/aming.conf   (add the following)
; Restricts PHP's file functions to these ":"-separated directories. Each entry is a prefix, so add a trailing "/" to avoid
; also matching e.g. /data/wwwroot/aming.com2. /tmp/ is shared with every other pool and local user, so a per-pool temp
; directory would be tighter. open_basedir limits file access only; it is not a sandbox for exec()/system().
php_admin_value[open_basedir]=/data/wwwroot/aming.com:/tmp/

PHP FPM process management

 vim  /usr/local/php/etc/php-fpm.d/www.conf   (configuration file contents)
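 pm = dynamic
 ; Process-manager mode ("#" comments are not accepted by the PHP ini parser, hence ";").
 ; dynamic: start a few children and grow/shrink the pool with demand, never exceeding pm.max_children below.
 ; static: keep exactly pm.max_children children running at all times, with no growth or shrinkage.
 pm.max_children = 50
 ; Upper bound on child processes (count them with "ps aux"); this caps memory use and concurrent PHP requests.
 pm.start_servers = 20
 ; dynamic only: children forked when the PHP-FPM service starts.
 pm.min_spare_servers = 5
 ; dynamic only: if fewer idle children than this remain, PHP-FPM forks new ones.
 pm.max_spare_servers = 35
 ; dynamic only: if more idle children than this exist, the surplus is reaped.
 pm.max_requests = 500
 ; Applies in every pm mode, not just dynamic: a child exits after serving this many requests and is replaced,
 ; which limits the damage from memory leaks in long-lived workers.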

Posted by jonahpup on Tue, 05 May 2020 14:19:09 -0700