CentOS7搭建LNMP环境

前言:

几年前写过一篇CentOS6编译LNMP搭建高性能WEB环境的教程,如今CentOS7已经成熟,同时迎来了PHP7时代,部分生产环境需要PHP5.6+7.x双版本,故更新本篇教程

这篇教程适合喜欢自己动手编译定制化环境的同学参考,懒人以及时间比较宝贵的公司运维人员推荐 OneinStack 一键安装工具


【2020.05更新】

这篇教程最早源自多年前,我在个人站长时期配置WEB服务器环境的笔记,后来改写成了教程,如今SSLv1.3与HTTP2.0已成为主流趋势,配置新环境时发现已变化太多,例如对SSL协议握手的优化考虑、SSLv1.3与早期版本的兼容等,然而国内并没有一篇文章系统的讲述,所以用业余时间重写了教程,降低技术搭建WEB环境的时间成本


一、获取开源程序与系统升级

① 将CentOS的yum默认源更为更快的国内源(可跳过):

sudo -s
yum -y install wget
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
mv /etc/yum.repos.d/CentOS7-Base-163.repo /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum makecache

② 用yum命令安装、升级所需的程序库:

yum -y upgrade
yum -y install gcc gcc-c++ autoconf automake libtool libjpeg libjpeg-devel libpng libpng-devel libwebp-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel readline-devel curl curl-devel e2fsprogs e2fsprogs-devel libaio-devel.x86_64 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers bison libevent-devel cmake iptables-services sqlite-devel lua-devel git patch ntp wget

③ 程序源码包下载:

mkdir -p /data0/software
cd /data0/software
wget https://tengine.taobao.org/download/tengine-2.3.2.tar.gz
wget https://www.php.net/distributions/php-7.4.15.tar.gz
wget https://www.percona.com/downloads/Percona-Server-5.7/Percona-Server-5.7.30-33/binary/tarball/Percona-Server-5.7.30-33-Linux.x86_64.ssl101.tar.gz
wget https://github.com/jemalloc/jemalloc/archive/5.2.1.tar.gz -O jemalloc-5.2.1.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
wget https://jaist.dl.sourceforge.net/project/mhash/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz
wget https://jaist.dl.sourceforge.net/project/mcrypt/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz
wget https://jaist.dl.sourceforge.net/project/mcrypt/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz
wget https://ftp.gnu.org/gnu/libiconv/libiconv-1.16.tar.gz
wget https://github.com/kkos/oniguruma/archive/v6.9.4.tar.gz -O oniguruma-6.9.4.tar.gz
wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.1.tar.gz -O ngx_devel_kit-0.3.1.tar.gz
wget https://github.com/openresty/luajit2/archive/v2.1-20200102.tar.gz -O luajit2-2.1-20200102.tar.gz
wget https://github.com/openresty/lua-ssl-nginx-module/archive/v0.01rc3.tar.gz -O lua-ssl-nginx-module-0.01rc3.tar.gz
wget https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-1.1.1f-sess_set_get_cb_yield.patch
wget https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-1.1.1e-dev_ciphers.patch
wget https://raw.githubusercontent.com/pmkol/apad.pro/master/patch/tengine-2.3.2-ssl_cert_sees_cb_yield.patch
wget https://pecl.php.net/get/redis-5.3.3.tgz
wget http://download.redis.io/releases/redis-6.0.12.tar.gz

④ 升级OpenSSL 以支持 TLS 1.3:

patch BoringSSLOpenResty 提供的补丁,解决 Nginx 的 ssl_ciphers 报错问题,并让 OpenSSL 的 session get callback 支持 yield
( 即用于支持Nginx集群时 SSL Seesion ID 重用共享 )

#编译安装最新版本的OpenSSL
tar xzvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g/
patch -p1 < /data0/software/openssl-1.1.1f-sess_set_get_cb_yield.patch
patch -p1 < /data0/software/openssl-equal-1.1.1e-dev_ciphers.patch
./config shared zlib --prefix=/usr/local/openssl
make
make install
cd ../

#替换旧版本的OpenSSL
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so

#配置库文件搜索路径
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig

#查看OpenSSL版本
openssl version -a

补丁的小版本号有时会低于最新的 OpenSSL,一般不影响使用

[返回目录]


二、安装 MySQL 5.7

建议选择MySQL的分支版本Percona Server 5.7,在功能与性能上有显著提升。

① 编译安装Jemalloc:

tar zxvf jemalloc-5.2.1.tar.gz
cd jemalloc-5.2.1/
./autogen.sh
make
make install
cd ../
ln -s /usr/local/lib/libjemalloc.so.2 /usr/lib64/libjemalloc.so.2

② 安装MySQL:

创建mysql用户与用户组

/usr/sbin/groupadd mysql
/usr/sbin/useradd -g mysql mysql

安装Percona Server 5.7二进制版本

tar zxvf Percona-Server-5.7.30-33-Linux.x86_64.ssl101.tar.gz
mkdir -p /usr/local/webserver
mv Percona-Server-5.7.30-33-Linux.x86_64.ssl101 /usr/local/webserver/mysql
ln -s /usr/local/webserver/mysql/lib/libperconaserverclient.so.20 /usr/lib/libperconaserverclient.so.20

③ 一些相关设置:

创建MySQL数据库存放目录

mkdir -p /data0/mysql/3306/data/
mkdir -p /data0/mysql/3306/binlog/
chown -R mysql:mysql /data0/mysql/

添加环境变量

echo -e '\n\nexport PATH=/usr/local/webserver/mysql/bin:$PATH\n' >> /etc/profile && source /etc/profile

创建my.cnf配置文件

vi /usr/local/webserver/mysql/my.cnf

输入以下内容

#需要根据服务器硬件来设置,双核2G内存环境的my.cnf仅供参考
# The following options will be passed to all MySQL clients
[client]
port = 3306
socket = /data0/mysql/3306/mysql.sock
default-character-set = utf8mb4

# The MySQL server
[mysqld]
port = 3306
socket = /data0/mysql/3306/mysql.sock

basedir = /usr/local/webserver/mysql
datadir = /data0/mysql/3306/data
pid-file = /data0/mysql/3306/mysql.pid
user = mysql
bind-address = 0.0.0.0
server-id = 1

local_infile = OFF
transaction-isolation = READ-COMMITTED

init-connect = 'SET NAMES utf8mb4'
character-set-server = utf8mb4

#sql_mode = NO_ENGINE_SUBSTITUTION

#skip-name-resolve
#skip-networking
skip_symbolic_links = yes
back_log = 600

max_connections = 2000
max_connect_errors = 10000
open_files_limit = 65535
table_open_cache = 128
max_allowed_packet = 64M
binlog_cache_size = 1M
max_heap_table_size = 8M
tmp_table_size = 16M

read_buffer_size = 2M
read_rnd_buffer_size = 8M
sort_buffer_size = 8M
join_buffer_size = 8M
key_buffer_size = 4M

thread_cache_size = 16

query_cache_type = 1
query_cache_size = 8M
query_cache_limit = 2M

ft_min_word_len = 4

log_bin = /data0/mysql/3306/binlog/mysql-bin
binlog_format = mixed
expire_logs_days = 30
binlog_cache_size = 8M
max_binlog_cache_size = 2048M
max_binlog_size = 1024M

log_error = /data0/mysql/3306/mysql-error.log
slow_query_log = 1
long_query_time = 1
slow_query_log_file = /data0/mysql/3306/mysql-slow.log

performance_schema = 0
explicit_defaults_for_timestamp

#lower_case_table_names = 1

skip-external-locking
default_storage_engine = InnoDB
innodb_file_per_table = 1
innodb_open_files = 500
innodb_buffer_pool_size = 1024M
innodb_write_io_threads = 4
innodb_read_io_threads = 4
innodb_thread_concurrency = 0
innodb_purge_threads = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 8M
innodb_log_file_size = 512M
innodb_log_files_in_group = 3
innodb_max_dirty_pages_pct = 90
innodb_lock_wait_timeout = 120
innodb_flush_method = O_DIRECT

bulk_insert_buffer_size = 8M
myisam_sort_buffer_size = 8M
myisam_max_sort_file_size = 10G
myisam_repair_threads = 1

interactive_timeout = 28800
wait_timeout = 28800

[mysqldump]
quick
max_allowed_packet = 64M

[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
read_buffer = 4M
write_buffer = 4M

初始化数据库

/usr/local/webserver/mysql/bin/mysqld --initialize-insecure --user=mysql --basedir=/usr/local/webserver/mysql --datadir=/data0/mysql/3306/data

④ 配置MySQL服务脚本:

创建服务脚本

vi /usr/lib/systemd/system/mysqld.service
#输入以下内容
[Unit]
Description=MySQL Server
Documentation=man:mysqld(7)
Documentation=http://dev.mysql.com/doc/refman/en/using-systemd.html
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
User=mysql
Group=mysql

Type=forking

PIDFile=/data0/mysql/3306/mysqld.pid

# Disable service start and stop timeout logic of systemd for mysqld service.
TimeoutSec=0

# Start main service
ExecStart=/usr/local/webserver/mysql/bin/mysqld --defaults-file=/usr/local/webserver/mysql/my.cnf --daemonize --pid-file=/data0/mysql/3306/mysqld.pid $MYSQLD_OPTS

# Use this to switch malloc implementation
EnvironmentFile=-/etc/sysconfig/mysql

# Sets open_files_limit
LimitNOFILE = 5000

Restart=on-failure

RestartPreventExitStatus=1

PrivateTmp=false

加载Jemalloc动态库

echo "LD_PRELOAD=/usr/local/lib/libjemalloc.so.2" > /etc/sysconfig/mysql

加入启动项

systemctl enable mysqld

启动MySQL服务

systemctl start mysqld

解决MySQL与mariadb-libs的socket冲突

部分使用yum命令安装的扩展依赖mariadb-libs,而卸载mariadb-libs可能会导致依赖应用报错。当MySQL与mariadb-libs共存时,可使用如下方法测试是否冲突

mysql -u root -p
#输入正确的密码后若报错如下信息则有冲突
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
#解决方法
ln -s /data0/mysql/3306/mysql.sock /tmp/mysql.sock

设置数据库root用户密码

#友情提醒:最后的密码就不要跟着复制粘贴了
/usr/local/webserver/mysql/bin/mysqladmin password 12345678

[返回目录]


三、安装 Redis 6.0

① 升级gcc版本:

CentOS7默认的gcc版本是4.8.5,需升级gcc版本才可编译成功Redis 6.0版本,Redis 5.0及更早期版本请跳过这一步

升级到gcc 9.3
yum -y install centos-release-scl
yum -y install devtoolset-9-gcc devtoolset-9-gcc-c++ devtoolset-9-binutils
scl enable devtoolset-9 bash

#scl命令启用只是临时的,退出shell或重启就会恢复原系统gcc版本
#如果要长期使用gcc 9.3
echo "source /opt/rh/devtoolset-9/enable" >>/etc/profile

② 创建redis用户与用户组:

/usr/sbin/groupadd redis
/usr/sbin/useradd -g redis redis

③ 编译安装Redis:

tar zxvf redis-6.0.12.tar.gz
cd redis-6.0.12/
make
make PREFIX=/usr/local/webserver/redis install
make clean
cp redis.conf /usr/local/webserver/redis/6379.conf
cd ../
mkdir -p /data0/redis/6379/data/
chown -R redis:redis /data0/redis/
chown -R redis:redis /usr/local/webserver/redis/

④ 修改Redis配置文件:

vi /usr/local/webserver/redis/6379.conf
#修改以下参数
bind 127.0.0.1
daemonize yes
pidfile /data0/redis/6379/redis.pid
logfile /data0/redis/6379/redis.log
dir /data0/redis/6379/data
maxmemory 256000000
io-threads 2
io-threads-do-reads yes

bind 仅本机使用填写127.0.0.1,后面可添加更多使用该redis的服务器IP
io-thread 数值设置为CPU线程数的1/2或3/4

⑤ 创建服务脚本:

vi /usr/lib/systemd/system/redis.service
#输入以下内容
[Unit]
Description=Redis daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/webserver/redis/bin/redis-server /usr/local/webserver/redis/6379.conf
ExecReload=/usr/local/webserver/redis/bin/redis-server -s reload
ExecStop=/usr/local/webserver/redis/bin/redis-server -s stop
PrivateTmp=true
User=redis
Group=redis

[Install]
WantedBy=multi-user.target

加入启动项

systemctl enable redis

启动Redis服务

systemctl start redis

[返回目录]


四、安装 PHP 7.4

生产环境下,部分应用可能不支持PHP7.4版本,7.0~7.3版本均可参考,只需要修改当前PHP对应的extension_dir地址即可。

如部分更早期的应用需使用5.6版本,可参考《编译安装PHP5.6并与PHP7.0共存

① 安装所需的支持库:

tar zxvf libiconv-1.16.tar.gz
cd libiconv-1.16/
./configure --prefix=/usr/local
make
make install
make clean
cd ../

tar zxvf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8/
./configure
make
make install
/sbin/ldconfig
cd libltdl/
./configure --enable-ltdl-install
make
make install
cd ../
make clean
cd ../

tar zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9/
./configure
make
make install
make clean
cd ../

ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1
ln -s /usr/local/bin/libmcrypt-config /usr/bin/libmcrypt-config

tar zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8/
/sbin/ldconfig
./configure
make
make install
make clean
cd ../

cp -frp /usr/lib64/libldap* /usr/lib/
echo '/usr/local/lib' >> /etc/ld.so.conf && /sbin/ldconfig

#PHP7.0-7.3版本无需编译安装oniguruma
tar zxvf oniguruma-6.9.4.tar.gz
cd oniguruma-6.9.4/
./autogen.sh
./configure --libdir=/lib64
make
make install
make clean
cd ../

#PHP7.0-7.3版本无需升级libzip
yum -y remove libzip libzip-devel
yum -y install https://rpms.remirepo.net/enterprise/7/remi/x86_64/libzip5-1.7.3-1.el7.remi.x86_64.rpm
yum -y install https://rpms.remirepo.net/enterprise/7/remi/x86_64/libzip5-devel-1.7.3-1.el7.remi.x86_64.rpm

② 编译安装PHP7.4:

tar zxvf php-7.4.15.tar.gz
cd php-7.4.15/
./configure --prefix=/usr/local/webserver/php --with-config-file-path=/usr/local/webserver/php/etc --with-mysqli --with-pdo-mysql --with-mysql-sock=/data0/mysql/3306/mysql.sock --with-iconv-dir=/usr/local --with-freetype --with-jpeg --with-webp --with-zlib --with-libxml --disable-mysqlnd-compression-support --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-fpm --enable-gd --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --with-zip --enable-soap --enable-mbstring --enable-opcache
make ZEND_EXTRA_LIBS=\'-liconv\'
make install
cp php.ini-production /usr/local/webserver/php/etc/php.ini
mv /usr/local/webserver/php/etc/php-fpm.conf.default /usr/local/webserver/php/etc/php-fpm.conf
mv /usr/local/webserver/php/etc/php-fpm.d/www.conf.default /usr/local/webserver/php/etc/php-fpm.d/www.conf
make clean

PHP7.3~7.0版本编译参数

./configure --prefix=/usr/local/webserver/php --with-config-file-path=/usr/local/webserver/php/etc --with-mysqli --with-pdo-mysql --with-mysql-sock=/data0/mysql/3306/mysql.sock --with-iconv-dir=/usr/local --with-freetype-dir --with-jpeg-dir --with-png-dir --with-webp-dir --with-zlib --with-libxml-dir=/usr --disable-mysqlnd-compression-support --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-fpm --with-gd --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --enable-mbstring --enable-opcache

③ 编译安装PHP7.4扩展模块:

编译安装openssl扩展

cd ext/openssl/
mv config0.m4 config.m4
/usr/local/webserver/php/bin/phpize
./configure --with-php-config=/usr/local/webserver/php/bin/php-config
make
make install
make clean
cd ../../../

注:当openssl版本较新时,编译PHP使用 –with-openssl 参数会报错,故采用该方法

编译安装redis扩展

tar zxvf redis-5.3.3.tgz
cd redis-5.3.3/
/usr/local/webserver/php/bin/phpize
./configure --with-php-config=/usr/local/webserver/php/bin/php-config
make
make install
make clean
cd ../

PHP扩展均可参照该方法编译安装
在 php.ini 中使用 extension = xxx.so 加载即可

④ 修改PHP配置文件:

修改 /usr/local/webserver/php/etc/php.ini 中的以下参数

disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,popen
short_open_tag = On
realpath_cache_size = 512k
expose_php = Off
max_execution_time = 600
memory_limit = 256M
post_max_size = 200M
upload_max_filesize = 10M
date.timezone = Asia/Shanghai
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"
session.use_strict_mode = 1
opcache.enable=1
opcache.enable_cli = 1
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.max_wasted_percentage=5
opcache.use_cwd=1
opcache.validate_timestamps=1
opcache.revalidate_freq = 60
opcache.consistency_checks=0
extension_dir = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20190902"

#并在下方添加
zend_extension = "/usr/local/webserver/php/lib/php/extensions/no-debug-non-zts-20190902/opcache.so"
extension = "openssl.so"
extension = "redis.so"

⑤ 创建www用户和用户组:

/usr/sbin/groupadd www
/usr/sbin/useradd -g www www

⑥ 设置php-fpm:

vi /usr/local/webserver/php/etc/php-fpm.conf

#修改以下参数
pid = run/php-fpm.pid
log_level = warning
emergency_restart_threshold = 20
emergency_restart_interval = 60s
process_control_timeout = 5s

保存后

vi /usr/local/webserver/php/etc/php-fpm.d/www.conf

#修改以下参数
user = www
group = www
listen = /dev/shm/php-cgi.sock
listen.backlog = -1
listen.owner = www
listen.group = www
listen.mode = 0660
pm = static
pm.max_children = 46
pm.start_servers = 31
pm.min_spare_servers = 16
pm.max_spare_servers = 46
pm.process_idle_timeout = 10s
pm.max_requests = 2048
pm.status_path = /status
slowlog = log/slow.log
request_terminate_timeout = 120
rlimit_files = 51200
rlimit_core = 0
catch_workers_output = yes

⑦ 创建服务脚本文件

vi /usr/lib/systemd/system/php-fpm.service
#输入以下内容
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/usr/local/webserver/php/var/run/php-fpm.pid
ExecStart=/usr/local/webserver/php/sbin/php-fpm --fpm-config /usr/local/webserver/php/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

加入启动项

systemctl enable php-fpm

启动php-fpm服务

systemctl start php-fpm

[返回目录]


五、安装 Nginx 1.17

建议选择Nginx的分支版本Tengine,拥有更强的性能与扩展。

① 编译安装LuaJIT:

使Nginx支持Lua扩展

tar zxvf luajit2-2.1-20200102.tar.gz
cd luajit2-2.1-20200102/
make install PREFIX=/usr/local/luajit
cd ../
echo -e '\n\nexport LUAJIT_LIB=/usr/local/luajit/lib\nexport LUAJIT_INC=/usr/local/luajit/include/luajit-2.1\n' >> /etc/profile && source /etc/profile
echo '/usr/local/luajit/lib' >> /etc/ld.so.conf.d/luajit.conf && /sbin/ldconfig

② 编译安装Tengine:

patch OpenResty 的Nginx补丁

使Nginx支持 ssl_session_fetch_by_lua*ssl_certificate_by_lua* 参数,一般用于Nginx集群时 SSL Seesion ID 重用共享,降低服务器压力

OpenResty官方提供的两个patch不支持Tengine
tengine-2.3.2-ssl_cert_sees_cb_yield.patch 进行了修正与合并

tar zxvf tengine-2.3.2.tar.gz
tar zxvf pcre-8.44.tar.gz
tar zxvf ngx_devel_kit-0.3.1.tar.gz
tar zxvf lua-ssl-nginx-module-0.01rc3.tar.gz
git clone https://github.com/google/ngx_brotli.git && cd ngx_brotli && git submodule update --init && cd ../
cd tengine-2.3.2/
patch -p1 < /data0/software/tengine-2.3.2-ssl_cert_sees_cb_yield.patch
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-pcre=/data0/software/pcre-8.44 --with-pcre-jit --with-openssl=/data0/software/openssl-1.1.1g --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-threads --with-file-aio --with-stream --with-stream_ssl_module --with-http_v2_module --with-http_ssl_module --add-module=modules/ngx_http_concat_module --add-module=modules/ngx_http_trim_filter_module --add-module=modules/ngx_http_slice_module --add-module=modules/ngx_http_lua_module --add-module=/data0/software/lua-ssl-nginx-module-0.01rc3 --add-module=/data0/software/ngx_devel_kit-0.3.1 --with-ld-opt='-Wl,-rpath,/usr/local/luajit/lib -ljemalloc' --add-module=/data0/software/ngx_brotli
make
make install
make clean
mkdir -p /data0/htdocs/conf/
mkdir -p /data0/htdocs/ssl/
cd ../

上述编译参数已安装常用模块,可以根据业务需求在 ./configure 中添加编译参数,安装更多模块

Tengine 自身实现的模块,自2.3.x版本后已全部剥离到 modules 目录下,应使用如下方法添加编译

#Tengine <module_name> 名称查看
ls /data0/software/tengine-2.3.2/modules/
#Tengine <module_name> 添加编译
--add-module=modules/<module_name>

Nginx 第三方模块应使用如下方法添加编译

--add-module=/data0/software/<module_name>
#/data0/software/ 为插件解压缩后所在的绝对目录地址
#<module_name> 为插件解压缩后的文件夹名称

③ 创建Tengine日志目录:

mkdir -p /data1/logs/
chmod +w /data1/logs/
chown -R www:www /data1/logs/

④ 创建Tengine配置文件:

mv /usr/local/webserver/nginx/conf/nginx.conf  /usr/local/webserver/nginx/conf/nginx.conf.old
vi /usr/local/webserver/nginx/conf/nginx.conf

输入并保存以下内容

user  www www;
worker_processes  auto;
worker_cpu_affinity  auto;

error_log  /data1/logs/nginx_error.log  crit;
pid        /usr/local/webserver/nginx/nginx.pid;

worker_rlimit_nofile  65535;

events {
    use epoll;
    worker_connections  65535;
}

thread_pool default threads=32 max_queue=65536;

http {
    include           mime.types;
    default_type      application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    log_format  https '$remote_addr - $remote_user [$time_local] '
                      '$ssl_protocol/$ssl_cipher <$ssl_session_id> $ssl_session_reused '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

    sendfile          on;
    tcp_nopush        on;
    tcp_nodelay       on;
    keepalive_timeout 65;

    trim              off;

    gzip              on;
    gzip_min_length   1k;
    gzip_buffers      4 16k;
    gzip_http_version 1.0;
    gzip_comp_level   4;
    gzip_vary         on;
    gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
    gzip_types        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json text/css text/plain text/x-component font/eot font/opentype font/otf font/truetype font/ttf application/x-font-ttf application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype image/x-icon image/x-win-bitmap;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    server_tokens  off;
    limit_req_zone $binary_remote_addr zone=qps:10m rate=1r/s;

    server {
            listen 80 default_server;
            listen 443 default_server ssl;
            server_name _;
            access_log /data1/logs/unknown.log https;
            ssl_certificate /data0/htdocs/ssl/default.pem;
            ssl_certificate_key /data0/htdocs/ssl/default.key;
            ssl_prefer_server_ciphers on;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
            limit_req zone=qps burst=2;
            return 444;
    }

include /data0/htdocs/conf/*.conf;
}

生成 default.key 与 default.pem

#使nginx.conf的default_server不报错
openssl genrsa -out /data0/htdocs/ssl/default.key
openssl req -new -x509 -key /data0/htdocs/ssl/default.key -out /data0/htdocs/ssl/default.pem -days 3650

一般情况下 nginx.conf 配置完成后无需修改,只需使用default_server为80/443端口添加默认站点,返回为444状态禁止nginx未绑定的域名访问即可

建议在 include 指向的目录中添加新站点,这样有助nginx的运维

⑤ 添加站点:

在include指向的 /data0/htdocs/conf/ 目录下,生成 .conf 结尾的站点配置文件,检测后reload nginx即可完成站点的添加

#添加变量环境
echo -e '\nexport PATH=/usr/local/webserver/nginx/sbin:$PATH\n' >> /etc/profile && source /etc/profile

#检测配置文件
nginx -t

#加载配置文件
nginx -s reload

同理删除对应的.conf文件后reload nginx即可永久删除站点,也可以更改.conf文件的扩展名(例如.conf.del)临时删除站点

⑥ 添加HTTP测试站点:

#创建测试站点目录
mkdir -p /data0/htdocs/wwwroot/
chmod +w /data0/htdocs/wwwroot/
chown -R www:www /data0/htdocs/wwwroot/

#生成测试站点配置文件
vi /data0/htdocs/conf/wwwroot.conf

输入并保存以下内容

server {
        listen 80 reuseport;
        server_name  ip_or_domain.name;
        root   /data0/htdocs/wwwroot;
        index  index.html index.htm index.php;

        #charset gb2312;

        client_max_body_size 0;

        #limit_req zone=qps burst=5;

        #trim on;
        #trim_js on;
        #trim_css on;

        access_log  /data1/logs/wwwroot-logs.log  main;

        gzip              on;

        brotli            on;
        brotli_comp_level 6;
        brotli_static     on;
        brotli_min_length 1k;
        brotli_types      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json text/css text/plain text/x-component font/eot font/opentype font/otf font/truetype font/ttf application/x-font-ttf application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype image/x-icon image/x-win-bitmap;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass  unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        location /status {
            stub_status  on;
            access_log  off;
        }

        # Rewrite rules
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~* \.(jpg|jpeg|gif|png|bmp|swf|ico|rar|zip|7z|tgz|tar.gz|txt|flv|mid|doc|docx|pptx|ppt|xlsx|xls|pdf|mp3|wma)$ {
            expires     30d;
            access_log  off;
            aio         threads;
            directio    5m;
        }

        location ~* \.(js|css)?$ {
            expires     24h;
            access_log  off;
            concat      on;
            concat_max_files 20;
        }

        location ~* \.(eot|ttf|woff|woff2|svg)$ {
            expires     max;
            access_log  off;
            #add_header Access-Control-Allow-Origin *;
            #add_header Access-Control-Allow-Headers X-Requested-With;
            #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        location = /favicon.ico { 
            log_not_found off; 
        }

        location = /robots.txt {
            #deny all;
            log_not_found off;
        }

        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny  all;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
}

配置文件已做优化,只需要修改 server_name、root、access_log 三个参数即可,其它参数请根据实际需求调整或添加

测试站点目录一般用于存放php探针、phpmyadmin等工具,或测试web应用

将 server_name 设置成服务器外网IP时,可通过IP访问该测试站点。安全考虑,日常不使用时应重命名 wwwroot 目录,这样可以在不reload nginx的情况下禁止访问

注意:同一端口有多个站点时,listen指令后的reuseport参数只需要添加一次, 否则NGINX会报错。

示例:

server {
listen 80 reuseport;
...
}

server {
listen 80;
...
}

⑦ 添加HTTPS业务站点:

#创建业务站点目录
mkdir -p /data0/htdocs/sitename.com/
chmod +w /data0/htdocs/sitename.com/
chown -R www:www /data0/htdocs/sitename.com/

#生成业务站点配置文件
vi /data0/htdocs/conf/sitename.com.conf

输入并保存以下内容(将sitename.com替换成业务使用的域名)

server {
        listen                      80;
        listen                      443 ssl http2 reuseport;
        server_name                 sitename.com;
        root                        /data0/htdocs/sitename.com;
        index                       index.html index.htm index.php;

        resolver                    223.5.5.5 8.8.8.8 valid=300s;
        resolver_timeout            5s;

        ssl_stapling                on;
        ssl_stapling_verify         on; 
        ssl_trusted_certificate     /data0/htdocs/ssl/sitename.pem;
        ssl_certificate             /data0/htdocs/ssl/sitename.pem;
        ssl_certificate_key         /data0/htdocs/ssl/sitename.key;
        ssl_session_tickets         on;
        ssl_session_ticket_key      /data0/htdocs/ssl/session_ticket.key;
        ssl_session_timeout         1440m;
        ssl_session_cache           shared:SSL:128m;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;

        add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";

        #charset gb2312;

        client_max_body_size 0;

        #limit_req zone=qps burst=5;

        trim on;
        trim_js on;
        trim_css on;

        access_log  "pipe:rollback /data1/logs/sitename/sitename.com.log interval=1h baknum=48 maxsize=2G" https buffer=64k flush=5s;

        gzip              on;

        brotli            on;
        brotli_comp_level 6;
        brotli_static     on;
        brotli_min_length 1k;
        brotli_types      text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json text/css text/plain text/x-component font/eot font/opentype font/otf font/truetype font/ttf application/x-font-ttf application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype image/x-icon image/x-win-bitmap;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass  unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        # Rewrite rules
        location / {
            if ($server_port = 80 ) {
                return 301 https://$host$request_uri;
            }
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~* \.(jpg|jpeg|gif|png|bmp|swf|ico|rar|zip|7z|tgz|tar.gz|txt|flv|mid|doc|docx|pptx|ppt|xlsx|xls|pdf|mp3|wma)$ {
            valid_referers none blocked sitename.com *.sitename.com *.baidu.com *.baiducontent.com;
            if ($invalid_referer) {
                 return 412;
            }
            expires     30d;
            access_log  off;
            aio         threads;
            directio    5m;
            break;
        }

        location ~* \.(js|css)?$ {
            expires     7d;
            access_log  off;
            concat      on;
            concat_max_files 20;
        }

        location ~* \.(eot|ttf|woff|woff2|svg)$ {
            expires     max;
            access_log  off;
            #add_header Access-Control-Allow-Origin *;
            #add_header Access-Control-Allow-Headers X-Requested-With;
            #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        location = /favicon.ico { 
            log_not_found off; 
        }

        location = /robots.txt {
            #deny all;
            log_not_found off;
        }

        location ~ /\.(?!well-known).* {
            deny all;
        }

        #error_page  404              /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
}

与HTTP站点相比,增加了对 SSL v1.3 与 HTTP 2.0 的支持,并做了生产环境的优化,参数可以在该模板的基础上,根据业务需求调整或添加

但必须将以下参数修改为实际业务的参数

server_name
root
ssl_trusted_certificate
ssl_certificate
ssl_certificate_key
access_log

生成 session_ticket.key

openssl rand 48 > /data0/htdocs/ssl/session_ticket.key

单台nginx服务器使用,仅需不定期更换 session_ticket.key 秘钥既可。如果需要管理一整套nginx集群,可使用 lua-ssl-nginx-module 模块,实现集群层面上的密钥轮换

上传证书与秘钥

#证书可以在阿里云、腾讯云等平台免费申请
#一般将证书上传至 /data0/htdocs/ssl/ 目录即可

#或复制证书与秘钥的内容创建文件
vi /data0/htdocs/ssl/sitename.pem
vi /data0/htdocs/ssl/sitename.key

ssl_trusted_certificate 应配置为ca根证书+和中级ca证书的列表

一般国内申请的免费证书只会下载到一个pem文件,已包含全部证书列表,所以 ssl_trusted_certificate 和 ssl_certificate 使用同一个pem证书即可

⑧ 创建服务脚本:

vi /usr/lib/systemd/system/nginx.service
#输入以下内容
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/webserver/nginx/nginx.pid
ExecStartPre=/usr/local/webserver/nginx/sbin/nginx -t
ExecStart=/usr/local/webserver/nginx/sbin/nginx
ExecReload=/usr/local/webserver/nginx/sbin/nginx -s reload
ExecStop=/usr/local/webserver/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

设置systemd延时防止pid报错

mkdir -p /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload

加入启动项

systemctl enable nginx

启动Tengine服务

systemctl start nginx

⑨ 运维问题补充:

在HTTPS日志格式中,加入了 $ssl_session_reused 以便查看 ssl seesion 的复用率,但当站点开启HTTP 2.0支持时, 短时间内重新访问页面,日志会返回未重用状态

原因如下,可以临时关闭HTTP 2.0,使用HTTP 1.1进行测试

In HTTP/2 connections are usually kept open for a long time, and you
aren't likely to see actual SSL session reuse due to this - in most
cases you will see just another request in an already opened
connection.

[返回目录]


六、设置与优化 CentOS 7

① 配置防火墙:

如果安装了FirewallD,需要关闭FirewallD服务

systemctl stop firewalld
systemctl disable firewalld

配置iptables防火墙

vi /etc/sysconfig/iptables

#修改防火墙配置文件规则如下
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

#如需外部访问MySQL应增加一条3306端口规则
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

#开启防火墙
systemctl enable iptables
systemctl restart iptables

如果使用的是支持硬件防火墙设置的云主机,可以关闭 iptables

② 开启时间同步:

systemctl enable ntpd
systemctl start ntpd

#使用中国时区(一般无需修改)
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

③ 修改ulimit连接数最大值:

echo -e '\n\nulimit -SHn 65535\n' >> /etc/profile && source /etc/profile

④ 禁止Crontab产生邮件:

crontab -e
#在第一行输入
MAILTO=""

可以避免 /var/mail/root 体积快速增长

⑤ 系统性能优化:

vi /etc/sysctl.conf
#在最下方添加
net.ipv4.tcp_slow_start_after_idle 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024  65535
vm.swappiness = 10

使配置立即生效

sysctl -p

至此,一台高性能的Web服务器配置完毕了!