基本信息

作者：朱明宇
名称：自动化部署 LNMP + SSL 平台
作用：自动化安装 LNMP + SSL，即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL，实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本，5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本，4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 服务器都要开启 SELinux
5. 给此脚本添加执行权限
6. 执行此脚本：./<此脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名，注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz”网站的网页数据备份，如果没有这个备份，可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥，可以自己创建也可以在 FreeSSL 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥，可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份，如果没有这个备份（数据库是全量备份），则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 Fedora 35 版本
2. 服务器系统要配置好可用的软件源
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#Determine whether SELinux is on
getenforce | grep Enforcing
if [ $? -ne 0 ];then
	echo "SELinux is not set to enforcing mode and cannot continue"
	exit 2
fi

#Determine whether the required file exists
ls $webtar
if [ $? -ne 0 ];then
	echo "No web page data backup, unable to continue"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "Cannot continue without site public key"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "Unable to continue without site private key"
	exit 2
fi

#Update system
yum clean all
yum repolist
yum makecache
yum -y update

#Make sure the required software is installed
yum -y install tar
yum -y install firewalld

#Deploying Nginx
yum -y install nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen       443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param  SCRIPT_FILENAME  /usr/share/nginx/html/$fastcgi_script_name;
            include fastcgi_params;
        } 

        location / {
        root html;
        index index.php index.html index.htm;

        if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
        if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
        if (!-f $request_filename){rewrite (.) /index.php;}
        
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
    
        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
        expires 30d;
        }

        error_page  404              /404.html;

        }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl
chcon -t httpd_config_t /etc/nginx/ssl/$webcrt
chcon -t httpd_config_t /etc/nginx/ssl/$webkey
chcon -t httpd_config_t /etc/nginx/ssl/

rm -rf /usr/share/nginx/html/*
tar -xvf $webtar -C /usr/share/nginx/html/ && rm -rf $webtar
chcon -t httpd_sys_content_t -R /usr/share/nginx/html/*

yum -y install sendmail
yum -y install policycoreutils
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_connect_ftp 1
setsebool -P httpd_unified 1
setsebool -P httpd_enable_cgi 1
setsebool -P httpd_builtin_scripting 1
setsebool -P mysql_connect_http 1

systemctl start nginx
systemctl enable nginx

#Deploy MariaDB
yum -y install mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^binlog_format=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^server_id=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf.d/mariadb-server.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf.d/auth_gssapi.cnf

sed -i '/^user=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf.d/mariadb-server.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf.d/mariadb-server.cnf

chown -R mysql /var/lib/mysql

systemctl start mariadb
systemctl enable mariadb

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
	mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
	rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#Deploy PHP
yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml php-xmlrpc php-pecl-zip php-pecl-imagick php-intl php-bcmath
useradd php-fpm -s /sbin/nologin
chown -R php-fpm:php-fpm /usr/share/nginx/html

sed -i /"^user =.*"/d /etc/php-fpm.conf
sed -i /"^group =.*"/d /etc/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php-fpm.conf
sed -i /"^[www]"/d /etc/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php-fpm.conf

echo '[www]' >> /etc/php-fpm.conf
echo 'user = php-fpm' >> /etc/php-fpm.conf
echo 'group = php-fpm' >> /etc/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php-fpm.conf
echo 'pm = dynamic' >> /etc/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#Improve system performance
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#Open firewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

#Limit log space
yum -y install rsyslog
systemctl enable --now rsyslog

echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/rsyslog

#Delete this script
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#Restart the system
reboot

基本信息

作者：朱明宇
名称：自动化部署 LNMP + SSL 平台
作用：自动化安装 LNMP + SSL，即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL，实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本，5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本，4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 开启系统的 selinux
5. 给此脚本添加执行权限
6. 执行此脚本：./<执行本脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名，注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz” #网站的网页数据备份，如果没有这个备份，可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥，可以自己创建也可以在 FreeSSl 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥，可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份，如果没有这个备份（数据库是全量备份），则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 openSUSE 15 版本
2. 服务器系统要配置好可用的软件源（最好是软件数量最多的官方版本）
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#判断所需文件是否存在
ls $webtar
if [ $? -ne 0 ];then
	echo "没有网页数据备份，无法继续"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "没有网站公钥，无法继续"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "没有网站私钥，无法继续"
	exit 2
fi

#更新系统
zypper ref
zypper -n update

#确保必需软件已经安装
zypper -n in tar
zypper -n in firewalld


#部署 Nginx
zypper -n in nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen 443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        root /srv/www/htdocs;

        location / {
            index index.php;
            try_files $uri $uri/ /index.php$is_args$args;
            if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
            if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
            if (!-f $request_filename){rewrite (.) /index.php;}
        }

        location ~ \.php$ {
            include fastcgi_params;
	    include fastcgi.conf;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /srv/www/htdocs/$fastcgi_script_name;

        }
	
	location ~ ^/\.user\.ini {
            deny all;
        }

        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
            expires 30d;
        }

        error_page  404              /404.html;
    }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;

	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl

rm -rf /srv/www/htdocs/*
tar -xvf $webtar -C /srv/www/htdocs/ && rm -rf $webtar

zypper -n in policycoreutils

systemctl start nginx
systemctl enable nginx

#部署 MariaDB
zypper -n in mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf
fi

grep "^binlog_format=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf
fi

grep "^server_id=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf

sed -i '/^user=.*/d' /etc/my.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf

systemctl start mariadb
systemctl enable mariadb

chown -R mysql:mysql /var/lib/mysql

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
        rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#部署 PHP
zypper -n in php7 php7-fpm php7-mysql php7-gd php7-mbstring php7-opcache php7-json php7-xmlrpc php7-zlib
useradd php-fpm -s /sbin/nologin
groupadd php-fpm
chown -R php-fpm:php-fpm /srv/www/htdocs
cp /etc/php7/fpm/php-fpm.conf.default /etc/php7/fpm/php-fpm.conf

sed -i /"^user =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^group =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^[www]"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php7/fpm/php-fpm.conf

echo '[www]' >> /etc/php7/fpm/php-fpm.conf
echo 'user = php-fpm' >> /etc/php7/fpm/php-fpm.conf
echo 'group = php-fpm' >> /etc/php7/fpm/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php7/fpm/php-fpm.conf
echo 'pm = dynamic' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php7/fpm/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php7/fpm/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#提高系统性能
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#打开防火墙
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload

#限制日志占用空间
echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/syslog

#删除此脚本
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#重启系统
reboot

基本信息

作者：朱明宇
名称：自动化部署 LNMP + SSL 平台
作用：自动化安装 LNMP + SSL，即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL，实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本，5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本，4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 服务器都要开启 SELinux
5. 给此脚本添加执行权限
6. 执行此脚本：./<此脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名，注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz”网站的网页数据备份，如果没有这个备份，可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥，可以自己创建也可以在 FreeSSL 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥，可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份，如果没有这个备份（数据库是全量备份），则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 CentOS 8 版本
2. 服务器系统要配置好可用的软件源
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#Determine whether SELinux is on
getenforce | grep Enforcing
if [ $? -ne 0 ];then
	echo "SELinux is not set to enforcing mode and cannot continue"
	exit 2
fi

#Determine whether the required file exists
ls $webtar
if [ $? -ne 0 ];then
	echo "No web page data backup, unable to continue"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "Cannot continue without site public key"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "Unable to continue without site private key"
	exit 2
fi

#Update system
yum clean all
yum repolist
yum makecache
yum -y update

#Make sure the required software is installed
yum -y install tar
yum -y install firewalld

#Deploying Nginx
yum -y install nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen       443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param  SCRIPT_FILENAME  /usr/share/nginx/html/$fastcgi_script_name;
            include fastcgi_params;
        } 

        location / {
        root html;
        index index.php index.html index.htm;

        if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
        if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
        if (!-f $request_filename){rewrite (.) /index.php;}
        
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
    
        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
        expires 30d;
        }

        error_page  404              /404.html;

        }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl
chcon -t httpd_config_t /etc/nginx/ssl/$webcrt
chcon -t httpd_config_t /etc/nginx/ssl/$webkey
chcon -t httpd_config_t /etc/nginx/ssl/

rm -rf /usr/share/nginx/html/*
tar -xvf $webtar -C /usr/share/nginx/html/ && rm -rf $webtar
chcon -t httpd_sys_content_t -R /usr/share/nginx/html/*

yum -y install sendmail
yum -y install policycoreutils
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_connect_ftp 1
setsebool -P httpd_unified 1
setsebool -P httpd_enable_cgi 1
setsebool -P httpd_builtin_scripting 1
setsebool -P mysql_connect_http 1

systemctl start nginx
systemctl enable nginx

#Deploy MariaDB
yum -y install mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^binlog_format=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^server_id=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf.d/mariadb-server.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf.d/auth_gssapi.cnf

sed -i '/^user=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf.d/mariadb-server.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf.d/mariadb-server.cnf

chown -R mysql /var/lib/mysql

systemctl start mariadb
systemctl enable mariadb

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
	mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
	rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#Deploy PHP
yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml php-xmlrpc php-pecl-zip
useradd php-fpm -s /sbin/nologin
chown -R php-fpm:php-fpm /usr/share/nginx/html

sed -i /"^user =.*"/d /etc/php-fpm.conf
sed -i /"^group =.*"/d /etc/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php-fpm.conf
sed -i /"^[www]"/d /etc/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php-fpm.conf

echo '[www]' >> /etc/php-fpm.conf
echo 'user = php-fpm' >> /etc/php-fpm.conf
echo 'group = php-fpm' >> /etc/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php-fpm.conf
echo 'pm = dynamic' >> /etc/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#Improve system performance
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#Open firewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload

#Limit log space
echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/syslog

#Delete this script
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#Restart the system
reboot

LNMP 是一个实现网站服务的方法，它由 4 样东西组成：
1) Linux 系统
2) Nginx 网页服务
3) MariaDB 数据库
4) PHP 网页程序

步骤二：系统环境要求

1) 服务器的系统需要是 openSUSE 15 版本
2) 服务器要关闭防火墙
3) 服务器系统要配置好可用的软件源（最好是软件数量最多的官方版本）

步骤三：搭建 LNMP

3.1 Nginx 网页服务

3.1.1 安装 Nginx 网页服务

# zypper -n install nginx

3.1.2 配置 Nginx 网页服务的配置文件

3.1.2.1 删除原有的 Nginx 服务的配置文件

# rm /etc/nginx/nginx.conf

3.1.2.2 创建新的 Nginx 网页服务的配置文件

# cp /etc/nginx/nginx.conf.default /etc/nginx.conf

3.1.2.3 配置 Nginx 网页服务的配置文件

# vi /etc/nginx/nginx.conf

将其中的：

......
        location / {
            root   html;
            index  index.html index.htm;
        }
......
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
......

修改为：

......
        location / {
            root   html;
            index  index.php index.html index.htm;
        }
......
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
        #   fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            include        fastcgi.conf;
        }
......

（补充：这里以让 Nginx 将对于 PHP 的请求传递到本机的 9000 端口为例）

3.1.3 启动 Nginx 网页服务

# systemctl start nginx

3.2 MariaDB 数据库

3.2.1 安装 MariaDB 数据库

# zypper -n install mariadb mariadb-server

3.2.2 启动 MariaDB 数据库

# systemctl start mariadb

3.3 PHP 环境和连接服务

3.3.1 安装 PHP 环境和连接服务

# zypper -n install php7 php7-fpm php7-mysql php7-gd php7-mbstring php7-opcache php7-json php7-xmlrpc php7-zlib

3.3.2 创建提供 PHP 连接服务的用户

# useradd php-fpm -s /sbin/nologin

3.3.3 配置 PHP 连接服务的配置文件

# vi /etc/php-fpm.conf

将以下内容：

......
user = nouser
group = nouser
......

修改为：

......
user = php-fpm
group = users
listen = 127.0.0.1:9000
......

（
补充：这里以
1) 以 php-fpm 用户和 users 用户组的身份启动 php-fpm
2) 让 php-fpm 监听本地 9000 端口为例
）

步骤四：后续工作

1) 给 MariaDB 数据库设置用于存储网页数据的用户和密码
2) 将 PHP 网页程序放到 Nginx 的网页目录下（/srv/www/htdocs）
3) 给 PHP 网页程序设置用于连接 MariaDB 数据库的用户和密码

步骤五：测试 LNMP 平台

使用浏览器访问服务器 IP 地址就可以看到对应 PHP 网页了

LNMP 是一个实现网站服务的方法，它由 4 样东西组成：
1) Linux 系统
2) Nginx 网页服务
3) MariaDB 数据库
4) PHP 网页程序

步骤二：系统环境要求

1) 服务器的系统需要是 CentOS Linux 8 版本
2) 服务器要关闭防火墙
3) 服务器要关闭 SELinux
4) 服务器系统要配置好可用的软件源

步骤三：搭建 LNMP

3.1 Nginx 网页服务

3.1.1 安装 Nginx 网页服务

# yum -y install nginx

3.1.2 配置 Nginx 网页服务的配置文件

3.1.2.1 删除原有的 Nginx 服务的配置文件

# rm /etc/nginx/nginx.conf

3.1.2.2 创建新的 Nginx 网页服务的配置文件

# cp /etc/nginx/nginx.conf.default /etc/nginx.conf

3.1.2.3 配置 Nginx 网页服务的配置文件

# vi /etc/nginx/nginx.conf

将其中的：

......
        location / {
            root   html;
            index  index.html index.htm;
        }
......
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
......

修改为：

......
        location / {
            root   html;
            index  index.php index.html index.htm;
        }
......
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
        #   fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            include        fastcgi.conf;
        }
......

（补充：这里以让 Nginx 将对于 PHP 的请求传递到本机的 9000 端口为例）

3.1.3 启动 nginx 网页服务

# systemctl start nginx

3.2 MariaDB 数据库

3.2.1 安装 MariaDB 数据库

# yum -y install mariadb mariadb-server

3.2.2 启动 MariaDB 数据库

# systemctl start mariadb

3.3 PHP 环境和连接服务

3.3.1 安装 PHP 环境和连接服务

# yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml

3.3.2 创建提供 PHP 连接服务的用户

# useradd php-fpm -s /sbin/nologin

3.3.3 配置 PHP 连接服务的配置文件

# vi /etc/php-fpm.conf

添加以下内容：

......
[www]
user = php-fpm
group = php-fpm
listen = 127.0.0.1:9000

（补充：这里以让 php-fpm 监听本地 9000 端口为例）

3.3.4 启动 PHP 连接服务

# systemctl start php-fpm

步骤四：后续工作

1) 给 MariaDB 数据库设置用于存储网页数据的用户和密码
2) 将 PHP 网页程序放到 Nginx 的网页目录下
3) 给 PHP 网页程序设置用于连接 MariaDB 数据库的用户和密码

步骤五：测试 LNMP 平台

使用浏览器访问服务器 IP 地址就可以看到对应 PHP 网页了

软件准备：

在 Nginx 官网上下载搭建集群所需软件 Nginx：

http://nginx.org/en/download.html

正文：

步骤一：系统环境要求

（1）服务器的系统需要是 CentOS Linux 7 版本
（2）服务器系统需要有 yum 源

步骤二：安装 Nginx 的依赖软件

# yum -y install gcc pcre-devel openssl-devel

步骤三：安装 Nginx

3.1 添加一个用于启动 Nginx 的用户身份

# useradd -s /sbin/nologin nginx

3.2 解压 Nginx 安装包

# tar -xvf nginx-1.16.1.tar.gz

（补充：这里要安装的 Nginx 版本是 1.16.1）

3.3 进入 Nginx 安装包目录

# cd nginx-1.16.1

（补充：这里要安装的 Nginx 版本是 1.16.1）

3.4 配置 Nginx

# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module

3.5 编译并安装 Nginx

# make && make install

步骤四：测试 Nginx

4.1 启动 Nginx

# /usr/local/nginx/sbin/nginx

4.2 访问 Nginx 实现的网页服务

# curl 127.0.0.1

4.3 显示已安装 Nginx 的版本

# /usr/local/nginx/sbin/nginx -V

文中的很多信息例如软件的名称等是站主在本次操作中随意取的名称，读者可以根据自己的喜好换成任意别的名称

软件准备：

在 Nginx 官网上下载搭建集群所需软件 Nginx：

http://nginx.org/en/download.html

正文：

步骤一：系统环境要求

1) 服务器的系统是 CentOS 7 版本
2) 服务器系统要配置好 YUM 源

步骤二：准备 rpm-build 软件

2.1 安装 rpm-build

# yum -y install rpm-build

2.2 生成 rpm-build 目录

# rpmbuild -ba nginx.spec
error: failed to stat /root/nginx.spec: No such file or directory

2.3 显示生成的 rpm-build 目录

# ls /root/rpmbuild/
BUILD  BUILDROOT  RPMS	SOURCES  SPECS	SRPMS

步骤三：制作 Nginx 软件的 RPM 包

3.1 将 Nginx 的源码安装包放在固定的位置

# cp nginx-1.16.1.tar.gz /root/rpmbuild/SOURCES/

（补充：这里要安装的 Nginx 版本是 1.16.1）

3.2 制作 Nginx 的 nginx.spec 文件

# vi /root/rpmbuild/SPECS/nginx.spec

将部分内容修改如下：

Name:nginx
Version:1.16.1
Release:1.0
Summary:Nginx is a web server software.
......
License:GPL
URL:www.nginx.org
Source0:%{name}-%{version}.tar
......
%description
nginx is an HTTP and reverse proxy server ......
......
%post
useradd nginx
......
%prep
%setup -q
......
%build
./configure --user=nginx --group=nginx --with-http_ssl_module
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
......
%files
......
%doc
/usr/local/nginx/*
......
%changelog

（
补充：
1) 这里的 Name:nginx 是指软件名称是 nginx
2) 这里的 Version:1.16.1 是指软件的版本是 1.16.1
3) 这里的 Release:1.0 是指发布的版本是 1。0
4) 这里的 Summary: Nginx is a web server software. 是指软件的描述是 Summary: Nginx is a web server software.
5) 这里的 License:GPL 是指软件使用的协议是 GPL
6) 这里的 URL:www.nginx.org 是指软件的官网是 www.nginx.org
7) 这里的 Source0:%{name}-%{version}.tar 是指软件源码文件的名称
8) 这里的 #BuildRequires: 是指软件编译安装时需要的依赖包，这里没有内容
9) 这里的 #Requires: 是指软件安装时所需要的依赖包，这里没有内容
10) 这里的 %description 是指软件的详细描述，这里没有内容
11) 这里的

%post
useradd nginx

是指软件安装后创建 nginx 用户

12) 这里的 %prep 是指软件安装前的准备，这里没有内容
13) 这里的 %setup –q 是指自动解压软件的源码包，并 cd 进入刚刚解压出来的目录
14) 这里的

%build
./configure
make %{?_smp_mflags}

是指对源码安装包进行配置
15) 这里的

%install
make install DESTDIR=%{buildroot}

是指对源码安装包进行编译安装
16) 这里的

%files
%doc
/usr/local/nginx/*

是指将源码安装包安装到 /usr/local/nginx/ 目录里
）

3.4 安装 Nginx 软件的依赖包

# yum -y install gcc pcre-devel openssl-devel

3.5 生成 Nginx rpm 软件包

# rpmbuild -ba /root/rpmbuild/SPECS/nginx.spec

3.6 显示新生成的 Nginx rpm 软件包

# rpm -qpi /root/rpmbuild/RPMS/x86_64/nginx-1.16.1-1.0.x86_64.rpm

步骤四：使用新生成的 Nginx rpm 软件包

4.1 安装刚刚新生成的 Nginx rpm 软件包

# rpm -ivh /root/rpmbuild/RPMS/x86_64/nginx-1.16.1-1.0.x86_64.rpm

4.2 启动 Nginx 服务

# /usr/local/nginx/sbin/nginx

4.3 显示 Nginx 服务的启动状态

4.3.1 显示 Nginx 网页是否可以访问

# curl http://127.0.0.1/

4.3.2 显示 Nginx 的端口有没有启动

# ss -ntulap | grep 80

基本信息

作者：朱明宇
脚本名称：半自动化部署 LNMP 平台 + SSL
作用：半自动化安装 LNMP，即 Nginx、Mariadb、PHP、php-fpm，实现 HTTPS

使用方法

为了安全起见，设置系统用户和数据库用户和数据库权限的工作请按照脚本最后的步骤进行手动设置

注意

1. 执行本脚本之前请确保 Nginx、PHP、网站程序文件、SQL、SSL 的公钥、SSL 的私钥、shell、本脚本 8 个文件，如果是新建网站的话，不用准备 SQL 文件
2. Nginx 文件：请将 Nginx 源码安装包放在 /root/
3. PHP 文件：请将 PHP 源码安装包放在 /root/
4. 网站程序文件:请将网站程序文件的名字中包含“eternalcenter-backup-”字段，并且是 tar 包，并放在 /root/
5. SQL 文件:如果是恢复网站的话,请将备份的数据文件 *.sql 放在 /root/，注意这是一个 MySQL 备份文件
6. SSL 的公钥文件和 SSL 私钥文件:请将网站安全证书的公钥和私钥分别命名为：eternalcenter.com.crt 和 eternalcenter.com.key，并放在 /root/
7. shell 文件:请将监控脚本命名为 port_monitoring.sh 并放在 /root/
8. 除此之外 /root/ 目录下请不要放任何文件
9. 服务器的系统需要是 CentOS 7 版本
10. 服务器系统要配置好可用的软件源（最好是软件数量最多的官方版本）
11. 服务器要能够连接外网

补充

1. Nginx 下载网址：https://nginx.org/
2. PHP 下载网址：https://www.php.net/downloads.php
3. WordPress 是一款开源的 php 网站程序，建议使用，下载网址：https://cn.wordpress.org/download/
4. 网站安全证书的公钥和私钥可以在这里申请：https://freessl.cn/

其他

　　运行此脚本所需要的文件如下，请尽量使用图中的命名规则给他们命名，并将他们全部放在 /root/ 目录下，请保证 /root/ 下有且仅有这些文件，并以 root 的身份运行，否则脚本会执行失败。其中：

　　eternalcenter-backup-2019-08-12-13.sql 指的是 mariadb 的数据库备份文件，如果是新建网站的话可以不要。

　　eternalcenter-backup-2019-08-13.tar 指的是网页程序的压缩包，必须是 tar 格式，如果是新建的网站的话，这个也可以换成，新网站的网页程序。

　　eternalcenter.com.crt 指的是网站的公钥，需要单独申请，方法可以在搜索引擎上搜索。

　　eternalcenter.com.key 指的是网站的私钥，需要单独申请，方法可以在搜索引擎上搜索。

　　install.sh 就是指的本脚本。

　　nginx-1.16.0.tar.gz 指的是 nginx 的源码安装包，这里的 -1.16.0.tar.gz 可以任意命名，只用保证这个文件名字里包含 nginx 就行了，这个文件可以在 nginx 官网上下载。

　　php-7.2.2-.tar.xz 指的是 php 的源码安装包，同样 这里的 -7.2.2-tar.xz 可以任意命名，只用保证这个文件名字包含 php 就行了，这个文件可以在 php 官网上下载。

　　port_monitoring.sh 只是一个监控端口的脚本，可以不要，使用者可以根据自我需求写一个，站主是通过这个脚本定期检查并自动启动需要启动但是没有启动的端口，关闭不需要但是启动了的端口。

脚本

#!/bin/bash

# variable initialization
cd
nginxp=`ls | grep "nginx"`
phpp=`ls | grep "php"`
webp=`ls | egrep "eternalcenter-backup-.*tar$"`
nginxr=${nginxp%%.tar*}
phpr=${phpp%%.tar*}


# upgrade system
yum makecache
yum -y update

yum clean all
yum repolist


# remove useless software
yum -y remove php*

yum -y remove mariadb*

systemctl stop postfix
yum -y remove postfix

systemctl stop chronyd
yum -y remove chrony

yum -y update


# install dependency package
yum -y install gcc pcre-devel openssl-devel libxml2-devel curl-devel libpng libpng-devel


# install nginx
cd
tar -xvf $nginxp -C /root/
cd $nginxr

useradd -s /sbin/nologin nginx
./configure --user=nginx --group=nginx --with-http_ssl_module
make && make install
echo 'worker_processes  1;

events {
    worker_connections  65536;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen       443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /usr/local/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /usr/local/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            include fastcgi.conf;
        } 

        location / {
        root html;
        index index.php index.html index.htm;
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
    
        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
        expires 30d;
        }

        error_page  404              /404.html;
        }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /usr/local/nginx/conf/nginx.conf
cd
mkdir /usr/local/nginx/ssl
mv eternalcenter.com.crt /usr/local/nginx/ssl
mv eternalcenter.com.key /usr/local/nginx/ssl

# install php
cd
tar -xvf $phpp -C /root/
cd $phpr
useradd -s /sbin/nologin php-fpm 
./configure --with-config-file-path=/usr/local/php/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --prefix=/usr/local/php --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --enable-mysqlnd --enable-mbstring --with-curl --with-gd --with-zlib
make && make install
cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf
chown -R php-fpm:php-fpm /usr/local/nginx/html/

# install mariadb
yum -y install mariadb mariadb-server mariadb-devel
sed -i "/^datadir/a log_bin=ec" /etc/my.cnf
sed -i "/^datadir/a binlog_format="mixed"" /etc/my.cnf
sed -i "/^datadir/a server_id=51" /etc/my.cnf
systemctl enable mariadb

# deploy web software
cd
rm -rf /usr/local/nginx/html/*
mkdir websoftcache
tar -xvf $webp -C websoftcache
cd websoftcache
websoftcachen=`ls | wc -l`

if [ $websoftcachen -ne 1 ];then
        cd
        tar -xvf $webp -C /usr/local/nginx/html/
else
        webdir=`ls`
        cd $webdir
        mv * /usr/local/nginx/html/
fi

chown -R php-fpm:php-fpm /usr/local/nginx/html

# recover database
systemctl start mariadb
cd
mysql -uroot < *.sql &> /dev/null
systemctl stop mariadb

# set the concurrency number accepted by the system to 65535
echo '* soft nofile 65535
* hard nofile 65535' >> /etc/security/limits.conf

# open firewall port
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
systemctl restart firewalld

# move the monitoring scripts that need to be used regularly to the specified location(/root/shell/port_monitoring.sh you need to write it yourself)
mkdir /shell
mv port_monitoring.sh /shell
chmod u+x /shell/*

# set up regular automatic running monitoring script(/root/shell/port_monitoring.sh you need to write it yourself)
echo '*/1 * * * * root /shell/port_monitoring.sh' >> /etc/crontab

# add another user（for data backup）
useradd zhumingyu
mkdir /cache
chown -R zhumingyu:zhumingyu /cache

# delete redundant files
cd
rm -rf *

# restart the server
reboot