1. change ulimits
vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
2. Install MariaDB
vim /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
# gpgcheck=1 is what protects this repository: every package is verified against the key
# above (fetched over HTTPS), so the plain-http baseurl cannot be used to swap packages.
# Note that the 10.0 series is end-of-life; pick a currently supported series for new installs.
gpgcheck=1
yum install MariaDB-server MariaDB-client
chkconfig mysql on
mysql_secure_installation
When prompted, set a root password, remove the anonymous accounts and the test database, and disallow remote root login.
Setting firewalld for MySQL: only open 3306 if clients on other hosts must reach the database. For a single-host LEMP stack leave the port closed (and keep MariaDB bound to 127.0.0.1) so the database is never exposed to the network.
3. Install Nginx
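# Bootstrap the nginx.org repository. Fetch the release package over HTTPS: rpm only
# verifies the signature of a package whose signing key has already been imported, so
# for this very first package the transport is the only integrity check.
rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# The release package normally installs the repo definition (with gpgcheck enabled) and
# the vendor key, so the packages installed from it below are signature-checked.
yum install nginx
systemctl start nginx
systemctl enable nginx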
Setting firewalld for nginx: open only the http (80) and https (443) services, e.g. `firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload`.
4. Install PHP
Reference: https://webtatic.com/packages/php56/
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php56w php56w-fpm php56w-mysql
Caveat: PHP 5.6 reached end of life and no longer receives security fixes, and the third-party webtatic repository appears to be no longer maintained. For a new deployment install a currently supported PHP release and treat the steps below as a template.
vim /etc/php.ini
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0
Reference : https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to "1" by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if a PHP file does not match exactly. For example, a request for /uploads/avatar.jpg/x.php is handed to PHP by the `\.php$` location below, and with fix_pathinfo=1 PHP falls back along the path and executes avatar.jpg — an attacker-uploaded image containing PHP code — as a script. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn't be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to "0", as shown in the two lines above (the `;cgi.fix_pathinfo=1` default becomes `cgi.fix_pathinfo=0`). Keep the `try_files $uri =404;` line in the nginx PHP location as well: it refuses requests whose script file does not exist on disk and so blocks this attack even if php.ini is later reverted.
5. Edit /etc/php-fpm.d/www.conf
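[global]
; NOTE(review): on packaged php-fpm the [global] section normally lives in /etc/php-fpm.conf,
; not in the pool file, and both paths below must exist or php-fpm may fail to start --
; /usr/local/php/var/run and /var/log/httpd are unlikely to be present on an nginx-only
; host. Verify against your install before keeping these two lines.
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /var/log/httpd/php-fpm.log
[www]
; Listen on a unix socket instead of TCP so only local processes can reach php-fpm.
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
; The socket must be owned by the account the nginx workers run as and must NOT be
; world-writable: with owner nobody / mode 0666 any local user could open the socket
; and run arbitrary PHP as the pool user. 0660 limits it to nginx and its group.
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
; Run the pool as the same unprivileged account nginx uses (the packaged default is apache).
;user = apache
user = nginx
;group = apache
group = nginx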
6. Edit /etc/nginx/conf.d/default.conf
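location / {
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
}
# Hand *.php requests to php-fpm over the unix socket configured in www.conf.
location ~ \.php$ {
    root /usr/share/nginx/html;
    # Return 404 when the requested script does not exist on disk. This must be written
    # "=404" (no space): with "= 404" nginx takes "404" as a fallback URI rather than a
    # status code, and the check that stops /image.jpg/x.php style path-info attacks
    # (together with cgi.fix_pathinfo=0 in php.ini) is silently lost.
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}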
7 Restart php-fpm and nginx
systemctl restart php-fpm
systemctl restart nginx
8. Test PHP
vim /usr/share/nginx/html/info.php (containing `<?php phpinfo(); ?>`), then open http://serverip/info.php in a browser.
Delete info.php as soon as the test passes: phpinfo() publishes the PHP version, loaded modules, file paths and environment variables to anyone who can reach the server, which is reconnaissance data for an attacker.
9. Create Self-Signed Cert
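# Self-signed certificate for testing only; browsers will warn until a CA-issued
# certificate replaces it. -nodes leaves the private key unencrypted so nginx can start
# unattended, so the key file must stay readable by root only. -subj answers the
# "Common Name" prompt non-interactively with the hostname nginx will serve.
# NOTE(review): the -x509 output is a certificate, not a CSR; the .csr name is kept only
# because the nginx vhost below references it. Validity is one year instead of
# 65536 days: that keeps the certificate within the lifetimes modern clients expect and
# bounds the damage if the key ever leaks.
openssl req -x509 -nodes -sha512 -newkey rsa:2048 \
  -subj "/CN=mysite.example.com" \
  -keyout cert.key -out cert.pem.csr -days 365
chmod 600 cert.key cert.pem.csr
# "copy" is not a Linux command; use cp. The files end up in /etc/nginx owned by root,
# which is the account the nginx master process reads them as.
cp cert.key cert.pem.csr /etc/nginx/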
vim /etc/nginx/conf.d/my_host_ssl.conf
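server {
    listen 443 ssl;
    server_name mysite.example.com;
    # The file named .csr here is the self-signed certificate produced by openssl -x509 above.
    ssl_certificate /etc/nginx/cert.pem.csr;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Set the ssl_ciphers to resolve Chrome's "is encrypted with obsolete cryptography" display.
    # The original list still allowed the three 3DES suites (DES-CBC3-SHA and friends):
    # "!DES" does not exclude them, and 3DES is vulnerable to SWEET32, so they are removed
    # and !3DES added so that HIGH cannot re-enable them. Forward-secret ECDHE/DHE suites
    # are listed first and preferred by the server.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    # TLS 1.2 only: 1.0 and 1.1 are deprecated. Add TLSv1.3 here once the nginx and
    # OpenSSL builds on this host support it.
    ssl_protocols TLSv1.2;
    location / {
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
    }
    # Without this block the HTTPS vhost has no PHP handler: a request for index.php would
    # be served as a static file, disclosing PHP source (and any credentials in it) to
    # every HTTPS client. This is the same handler default.conf needs.
    location ~ \.php$ {
        root /usr/share/nginx/html;
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}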
 