硬件配置
硬盘:1个,20GB
网卡:1 个,1Gbps
CPU:1核
内存:1GB

软件版本
almalinux 9.3 64bit
mysql 8.4.7
nginx 1.29.4 安装ngx_log_if, ngx_http_substitutions_filter_module, http_ssl_module, zlib等模块
php 8.5.1 安装php-fpm mcrypt opcache gd等模块
开启selinux
# 必须先开启selinux,再dnf update,否则可能会导致ssh无法启动,系统无法正常启动
# vi /etc/selinux/config 修改 SELINUX=enforcing
# touch /.autorelabel #重新标记上下文
# reboot
升级软件包,并避免系统版本混乱
# uname -a
# passwd #修改root密码
# rpm -qa | grep -E "kernel|glibc|almalinux|gcc|systemd"
# dnf check-update | grep -E "kernel|glibc|almalinux|gcc|systemd" #检测更新的是否跟现在的版本一致
####### vi /etc/dnf/dnf.conf #添加排除规则,添加或更新以下内容-
##########不要改,否则gcc无法正常安装#####
#[main]
#skip_if_unavailable=True
#exclude=kernel* grub2* almalinux-* glibc* systemd* *-firmware system-release libgcc
#######################################
# dnf check-update | grep "el9_" #确认更新的系统版本
# dnf update -y #更新时间较长
# grubby --info=ALL #查看所有系统版本
# grubby --default-kernel #查看默认系统版本
# grubby --set-default /boot/vmlinuz-5.14.0-362.8.1.el9_3.x86_64 #默认启动还是选择9.3,选择9.7进不了系统;注意这样实际运行的仍是旧内核,新内核包里的安全修复不会生效,应尽快排查新内核无法启动的原因
# getenforce
# getsebool -a | grep ssh
# setsebool -P ssh_keysign on
# setsebool -P ssh_sysadm_login on
# getsebool -a | grep ssh #确保以上两项是on
# vi /etc/ssh/sshd_config #修改端口为2222
# systemctl enable --now firewalld
# firewall-cmd --permanent --add-port=2222/tcp
# firewall-cmd --reload
# firewall-cmd --query-port=2222/tcp
# dnf install policycoreutils-python-utils -y
# semanage port -a -t ssh_port_t -p tcp 2222
# systemctl restart sshd #测试当前ssh是否可用
# /usr/sbin/groupadd www
# /usr/sbin/useradd -g www www
# passwd www #修改www密码
# echo "AllowUsers www" >> /etc/ssh/sshd_config
# vi /etc/ssh/sshd_config #更新此项配置为 PermitRootLogin no;改完先用 sshd -t 检查语法,重启sshd后保留当前会话,另开终端确认www能从2222端口登录,再执行下面的reboot,避免把自己锁在外面
# reboot #重启,观察启动过程中,是否出现两个系统版本的错误
修改时区,更改时间
# uname -a
# rm /etc/localtime
# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# date
# hwclock --set --date="11/17/25 09:10:30" #如果时间不对,更改时间
# hwclock --hctosys #把硬件时钟同步到系统时钟
安装NTP服务
# dnf -y install chrony
# systemctl start chronyd
# systemctl enable chronyd
# systemctl status chronyd
# date
# hwclock --hctosys #如果时间不对,再同步一遍
启用系统日志
# dnf install rsyslog -y
# systemctl start rsyslog
# systemctl enable rsyslog
# systemctl status rsyslog
#### vi /etc/locale.conf #修改为以下内容,防止vi中文乱码
#### LANG=en_US.UTF-8 ##### 采用LANG=C.UTF-8 #不改了
添加用户和组
# /usr/sbin/groupadd mysql
# /usr/sbin/useradd -g mysql mysql
# mkdir -p /data/htdocs
# chcon -t usr_t /etc/hosts
# chcon -t usr_t /etc/resolv.conf #增加文件的selinux权限,以免程序中出现对域名的解析错误
# chcon -R -t httpd_sys_rw_content_t /data/htdocs/ #php selinux写文件权限
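# chcon -R -t usr_t /data/htdocs #注意:这一条会把上一条设置的httpd_sys_rw_content_t整体覆盖为usr_t,最终生效的是最后执行的类型;若需要php-fpm写入该目录,通常应以httpd_sys_rw_content_t为最终类型(后面"安全配置"里同样的两条命令也是如此)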
# chown -R www:www /data/htdocs
系统其他配置
# dnf -y install crontabs bind bind-utils -y zip unzip tar wget
# systemctl start crond
# systemctl enable crond
# systemctl status crond
# systemctl start named #启动服务
# systemctl enable named #开机启动named服务
# systemctl status named
安装mysql
# rpm -qa | grep mysql #找到系统自带的包,用rpm -e全部删除
# rpm -e mysql-libs-5.1.73-3.el6_5.x86_64 #有的话删除
######### dnf -y install perl libaio #不需要了
# cd ~
# rpm -ivh http://repo.mysql.com/mysql84-community-release-el9.rpm #这里是明文http下载,传输途中可能被篡改,建议改用https地址
# dnf -y install mysql-server
# vi /etc/my.cnf.d/mysql-server.cnf添加如下内容:
[mysqld]
log-bin=mysql-bin
binlog_format=mixed
performance_schema_max_table_instances=4000
table_definition_cache=2048
table_open_cache=1024
slow_query_log
long_query_time = 2
#slow_query_log_file="/tmp/mysql_slow.log"
#log_slave_updates
#gtid-mode=ON
#enforce-gtid-consistency=ON
explicit_defaults_for_timestamp=true
# systemctl restart mysqld
# grep 'temporary password' /var/log/mysqld.log #找到临时密码并修改
# mysql -p
# mysql > ALTER USER 'root'@'localhost' IDENTIFIED BY '新密码';
# mysql > exit;
# systemctl enable mysqld
安装nginx
# dnf -y install make pcre-devel openssl-devel git zlib-devel gcc
# cd ~
# wget -c http://nginx.org/download/nginx-1.29.4.tar.gz #这里是明文http下载,建议改用https,并用官方同目录提供的.asc签名文件校验源码包后再编译
# tar -zxf nginx-1.29.4.tar.gz
# mkdir -p /usr/local/nginx/
# cd /usr/local/nginx
# wget -O ngx_log_if-master.zip https://github.com/cfsego/ngx_log_if/archive/master.zip #master分支内容随时可能变化,建议固定到已审核过的commit或tag再编译进nginx(下面的substitutions模块同理)
# wget -O ngx_http_substitutions_filter_module-master.zip \
https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/master.zip
# unzip ngx_log_if-master.zip
# unzip ngx_http_substitutions_filter_module-master.zip
# cd ~/nginx-1.29.4
# ./configure --prefix=/usr/local/nginx --user=www --group=www \
--with-http_stub_status_module --with-http_ssl_module --with-pcre \
--with-http_realip_module --add-module=/usr/local/nginx/ngx_log_if-master \
--add-module=/usr/local/nginx/ngx_http_substitutions_filter_module-master
# make && make install
# vi /etc/systemd/system/nginx.service #创建systemd服务脚本为如下内容
[Unit]
Description=nginx web server
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=multi-user.target
# cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx-conf.bk
# vi /usr/local/nginx/conf/nginx.conf #编辑nginx配置文件,内容可以到网上搜,比如http://www.cnblogs.com/chenjiahe/p/5956002.html,或者回复本文留下邮箱索取
# mkdir -p /usr/local/nginx/conf/conf.d/
# mkdir -p /usr/local/nginx/logs
# mkdir -p /tmp/nginx_cache_dir
# mkdir -p /tmp/nginx_temp_dir
# chown -R www:www /usr/local/nginx/logs
# chown -R www:www /tmp/nginx_cache_dir
# chown -R www:www /tmp/nginx_temp_dir
# mv /usr/local/nginx/conf /etc/nginx
# ln -s /etc/nginx /usr/local/nginx/conf
# systemctl restart nginx
# systemctl enable nginx
安装php
# cd ~
# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
# rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-9.7.rpm --nodeps --force #--nodeps --force会跳过依赖检查强行安装;本机基础系统仍是9.3,之后从该源装的包可能与基础系统版本不匹配,安装后要留意依赖报错
# dnf module list php
# dnf module enable php:remi-8.5 -y
# dnf info php
# dnf -y install php php-cli php-common php-opcache php-fpm php-gd php-mcrypt php-mysql php-xml php-xmlrpc php-mbstring
# rpm -qa | grep httpd
# dnf -y remove httpd #httpd-*不用管
# setsebool -P httpd_can_network_connect=1 #selinux布尔值:允许httpd域的进程主动发起网络连接(控制的是网络访问,不是文件权限)
# vi /etc/php.ini #修改时区
date.timezone = PRC
# vi /etc/php-fpm.d/www.conf #修改以下参数:
user=www
group=www
listen= 127.0.0.1:9000
request_terminate_timeout = 30s
pm.max_children = 25
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 20
#### vi /etc/php.d/10-opcache.ini #不需要修改,用默认的参数即可
# mkdir -p /var/lib/php/session
# mkdir -p /var/lib/php/wsdlcache
# chown -R www:www /var/lib/php/
# chown -R www:www /var/log/php-fpm/
# chcon -t usr_t /etc/php-fpm.d/www.conf
# systemctl restart php-fpm
# systemctl enable php-fpm
# chown www:www /var/log/php-fpm/error.log
####不需要 chown www:www /run/php-fpm/www.sock #用端口没有这个文件
安全配置
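# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #只对当前运行的内核生效,重启后失效;要持久化需在/etc/sysctl.d/下的配置文件中写入 net.ipv4.icmp_echo_ignore_all = 1
# firewall-cmd --permanent --add-port=80/tcp # 添加firewall规则;--permanent直接写入永久配置,无需单独执行保存命令,reload后生效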
# firewall-cmd --permanent --add-port=443/tcp
##### firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="11.22.33.44" port protocol="tcp" port="3306" accept'
# firewall-cmd --permanent --add-icmp-block={echo-request,echo-reply} # 屏蔽 ICMP echo 请求和应答(即禁ping,而不是允许 ICMP)
# firewall-cmd --reload # 应用配置
# firewall-cmd --list-all # 查看配置
# firewall-cmd --state # 检查 firewalld 状态
# firewall-cmd --list-all # 查看所有规则
# firewall-cmd --query-port=80/tcp # 检查端口是否开放
# firewall-cmd --query-port=443/tcp
# ss -tlnp | grep :2222 # 测试连接
# ss -tlnp | grep :80
# ss -tlnp | grep :443
# systemctl status firewalld # 检查服务状态
# systemctl restart firewalld
# systemctl enable firewalld
# echo "/bin/systemctl restart mysqld" >> /etc/rc.local
# echo "/bin/systemctl restart php-fpm" >> /etc/rc.local
# echo "/bin/systemctl restart nginx" >> /etc/rc.local
# echo "/bin/systemctl restart firewalld" >> /etc/rc.local
#如果复制粘贴了htdocs下的子目录,再执行一下selinux的操作,这个步骤比较重要
# semanage fcontext -a -t httpd_sys_rw_content_t "/data/htdocs(/.*)?"
# restorecon -R /data/htdocs
# chcon -R -t httpd_sys_rw_content_t /data/htdocs/
# chcon -R -t usr_t /data/htdocs
# reboot
配置测试网站
# su - www
# cd /data/htdocs
# wget https://wordpress.org/latest.zip
# unzip latest.zip
# cd wordpress
# echo "<?php phpinfo(); ?>" > php.php
# mysql -u root -p
# mysql> create database wordpress;
# mysql> exit
# su -
# vi /etc/nginx/conf.d/wordpress.conf 编辑为以下内容(仅供临时测试;正式站点建议在 \.php 的location里加上 try_files $uri =404; 避免把不存在的.php路径交给php-fpm执行):
server {
listen 80 default;
root /data/htdocs/wordpress/;
location / {
index index.php;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000; #unix:/run/php-fpm/www.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
# systemctl restart nginx
打开php.php页面和测试WordPress,确认网站的水印和URL转发没有问题后,删除网站(php.php会输出phpinfo中的路径、模块和环境信息,未完成安装的WordPress也对外可访问,测试完要及时一并删除):
# rm -rf /data/htdocs/wordpress
# rm -rf /etc/nginx/conf.d/wordpress.conf
# mysql -u root -p
# mysql> drop database wordpress;
# mysql> exit
结束