Tuesday, September 22, 2015

CentOS 7 + Nginx 1.8.0 + PHP 5.6 + MariaDB 10.0 (LEMP) + SSL

1. Change ulimits

vim /etc/security/limits.conf

* soft nofile 65535
* hard nofile 65535

2. Install MariaDB

vim /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

yum install MariaDB-server MariaDB-client
chkconfig mysql on
mysql_secure_installation
Configure firewalld for MySQL

3. Install Nginx

rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

yum install nginx
systemctl start nginx
systemctl enable nginx

Configure firewalld for Nginx

4. Install PHP

https://webtatic.com/packages/php56/
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php56w php56w-fpm php56w-mysql

vim /etc/php.ini
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0

Reference : https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7

What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to "1" by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if a PHP file does not match exactly. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn't be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to "0" like this:
5. Edit /etc/php-fpm.d/www.conf
[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /var/log/httpd/php-fpm.log
[www]
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock

listen.owner = nobody
listen.group = nobody
listen.mode = 0666
;user = apache
user = nginx
;group = apache
group = nginx

6. Edit /etc/nginx/conf.d/default.conf
    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }

    location ~ \.php$ {
        root   /usr/share/nginx/html;
        # =404 (no space after "=") returns 404 for a missing script instead of handing the request to php-fpm
        try_files $uri =404;
        fastcgi_pass  unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

7. Restart php-fpm and nginx

systemctl restart php-fpm
systemctl restart nginx

8. Test PHP

vim /usr/share/nginx/html/info.php

http://serverip/info.php
9. Create Self-Signed Cert
openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout cert.key -out cert.pem.csr -days 65536

Common Name (eg, your name or your server's hostname) []: mysite.example.com

chmod 600 cert.key
chmod 600 cert.pem.csr
cp cert.key /etc/nginx
cp cert.pem.csr /etc/nginx

vim /etc/nginx/conf.d/my_host_ssl.conf

server {
    listen       443 ssl;
    server_name  mysite.example.com;

    ssl_certificate      /etc/nginx/cert.pem.csr;
    ssl_certificate_key  /etc/nginx/cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    # set ssl_ciphers to resolve the Chrome warning "is encrypted with obsolete cryptography"
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers   on;
    ssl_protocols      TLSv1.2;

    location / {
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    }
}
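A post-install audit for the hardening points in steps 4, 5, 6 and 9 above, added here as an example (it is not part of the original guide): it checks that cgi.fix_pathinfo is 0, that the PHP location uses try_files $uri =404, that the php-fpm socket is not world-writable, and that ssl_protocols allows only TLSv1.2. The file paths are arguments; the constructed sample files at the bottom mirror the guide's settings, including two weak ones (listen.mode = 0666 and a space after "=" in try_files), so the sample run reports 2 failures.

```shell
#!/bin/sh
# Audit of the LEMP hardening points in this guide (added example, not the guide's own code).
# File paths are arguments, so it runs on the real files or on the constructed samples below.

# 0 when cgi.fix_pathinfo is explicitly set to 0 on an uncommented line.
check_fix_pathinfo() {
    grep -Eq '^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# 0 when the PHP location uses "try_files $uri =404". With a space after "=", nginx
# parses "=" and "404" as two separate parameters, not as the =404 status code.
check_try_files() {
    grep -Eq '^[[:space:]]*try_files[[:space:]]+\$uri[[:space:]]+=404;' "$1"
}

# 0 when listen.mode is set and is not 0666 (0660 with listen.owner/group = the nginx worker user suffices).
check_socket_mode() {
    mode=$(sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$mode" ] && [ "$mode" != "0666" ] && [ "$mode" != "666" ]
}

# 0 when ssl_protocols is set and lists neither SSLv2/SSLv3 nor TLSv1/TLSv1.1.
check_ssl_protocols() {
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1" | tail -n 1)
    [ -n "$protos" ] && ! printf '%s\n' "$protos" | grep -Eq 'SSLv|TLSv1([[:space:]]|$)|TLSv1\.1'
}

# Runs all checks, prints one FAIL line per problem, returns the number of failed checks.
audit_lemp() {
    php_ini=$1; fpm_conf=$2; nginx_conf=$3; failures=0
    check_fix_pathinfo "$php_ini"     || { echo "FAIL: cgi.fix_pathinfo is not 0 in $php_ini"; failures=$((failures+1)); }
    check_try_files "$nginx_conf"     || { echo "FAIL: no 'try_files \$uri =404' in $nginx_conf"; failures=$((failures+1)); }
    check_socket_mode "$fpm_conf"     || { echo "FAIL: php-fpm socket is world-writable in $fpm_conf"; failures=$((failures+1)); }
    check_ssl_protocols "$nginx_conf" || { echo "FAIL: obsolete ssl_protocols in $nginx_conf"; failures=$((failures+1)); }
    return $failures
}

# Constructed sample files (not real system files) mirroring the guide's settings, including
# the two weak ones: listen.mode = 0666 and a space after "=" in try_files.
make_samples() {
    printf ';cgi.fix_pathinfo=1\ncgi.fix_pathinfo=0\n' > "$1/php.ini"
    printf '[www]\nlisten = /var/run/php-fpm/php-fpm.sock\nlisten.mode = 0666\nuser = nginx\n' > "$1/www.conf"
    printf 'server {\n    ssl_protocols TLSv1.2;\n    location ~ \\.php$ {\n        try_files $uri = 404;\n    }\n}\n' > "$1/nginx.conf"
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
audit_lemp "$SAMPLE_DIR/php.ini" "$SAMPLE_DIR/www.conf" "$SAMPLE_DIR/nginx.conf" || echo "$? check(s) failed"
rm -rf "$SAMPLE_DIR"
```

To audit the real server, call audit_lemp with /etc/php.ini, /etc/php-fpm.d/www.conf and the nginx conf.d file in question.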