介绍
基本信息
作者:朱明宇
名称:自动化部署 LNMP + SSL 平台
作用:自动化安装 LNMP + SSL,即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL,实现 HTTPS
使用方法
1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本,5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本,4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 服务器都要开启 SELinux
5. 给此脚本添加执行权限
6. 执行此脚本:./<此脚本>
脚本分割线里的变量
1. webdomain=”eternalcenter.com” #网站的域名,注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz”网站的网页数据备份,如果没有这个备份,可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥,可以自己创建也可以在 FreeSSL 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥,可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份,如果没有这个备份(数据库是全量备份),则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码
注意
1. 服务器的系统需要是 CentOS 8 版本
2. 服务器系统要配置好可用的软件源
3. 服务器要能够连接外网
脚本
#!/bin/bash
####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################
#Determine whether SELinux is on
getenforce | grep Enforcing
if [ $? -ne 0 ];then
echo "SELinux is not set to enforcing mode and cannot continue"
exit 2
fi
#Determine whether the required file exists
ls $webtar
if [ $? -ne 0 ];then
echo "No web page data backup, unable to continue"
exit 2
fi
ls $webcrt
if [ $? -ne 0 ];then
echo "Cannot continue without site public key"
exit 2
fi
ls $webkey
if [ $? -ne 0 ];then
echo "Unable to continue without site private key"
exit 2
fi
#Update system
yum clean all
yum repolist
yum makecache
yum -y update
#Make sure the required software is installed
yum -y install tar
yum -y install firewalld
#Deploying Nginx
yum -y install nginx
echo 'worker_processes 1;
events {
worker_connections 1024;
}
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 60;
client_body_timeout 20s;
client_header_timeout 10s;
send_timeout 30s;
server {
listen 80;
limit_req zone=one burst=5;
server_name www.eternalcenter.com eternalcenter.com;
rewrite ^/(.*)$ https://eternalcenter.com/$1 permanent;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443 ssl;
server_name www.eternalcenter.com eternalcenter.com;
if ($request_method !~ ^(GET|POST)$){
return 444;
}
ssl_certificate /etc/nginx/ssl/eternalcenter.com.crt;
ssl_certificate_key /etc/nginx/ssl/eternalcenter.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/$fastcgi_script_name;
include fastcgi_params;
}
location / {
root html;
index index.php index.html index.htm;
if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
if (!-f $request_filename){rewrite (.) /index.php;}
}
location ~ ^/\.user\.ini {
deny all;
}
location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
expires 30d;
}
error_page 404 /404.html;
}
gzip on;
gzip_min_length 1000;
gzip_comp_level 4;
gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
application/xml+rss text/javascripts;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
}' > /etc/nginx/nginx.conf
sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter.com/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf
mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl
chcon -t httpd_config_t /etc/nginx/ssl/$webcrt
chcon -t httpd_config_t /etc/nginx/ssl/$webkey
chcon -t httpd_config_t /etc/nginx/ssl/
rm -rf /usr/share/nginx/html/*
tar -xvf $webtar -C /usr/share/nginx/html/ && rm -rf $webtar
chcon -t httpd_sys_content_t -R /usr/share/nginx/html/*
yum -y install sendmail
yum -y install policycoreutils
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_connect_ftp 1
setsebool -P httpd_unified 1
setsebool -P httpd_enable_cgi 1
setsebool -P httpd_builtin_scripting 1
setsebool -P mysql_connect_http 1
systemctl start nginx
systemctl enable nginx
#Deploy MariaDB
yum -y install mariadb mariadb-server
grep "^log_bin=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
sed -i '/^datadir/a log_bin=ec' /etc/my.cnf.d/mariadb-server.cnf
fi
grep "^binlog_format=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf.d/mariadb-server.cnf
fi
grep "^server_id=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
sed -i '/^datadir/a server_id=51' /etc/my.cnf.d/mariadb-server.cnf
fi
sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf.d/auth_gssapi.cnf
sed -i '/^user=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf.d/mariadb-server.cnf
sed -i '/^bind-address=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf.d/mariadb-server.cnf
chown -R mysql /var/lib/mysql
systemctl start mariadb
systemctl enable mariadb
ls $sqlbackup
if [ $? -ne 0 ];then
mysql -uroot -e "create database $db;"
mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
mysql -uroot -e "create database $db;"
mysql -uroot $db < $sqlbackup
mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
rm -rf $sqlbackup
fi
systemctl restart mariadb
#Deploy PHP
yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml php-xmlrpc php-pecl-zip
useradd php-fpm -s /sbin/nologin
chown -R php-fpm:php-fpm /usr/share/nginx/html
sed -i /"^user =.*"/d /etc/php-fpm.conf
sed -i /"^group =.*"/d /etc/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php-fpm.conf
sed -i /"^[www]"/d /etc/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php-fpm.conf
echo '[www]' >> /etc/php-fpm.conf
echo 'user = php-fpm' >> /etc/php-fpm.conf
echo 'group = php-fpm' >> /etc/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php-fpm.conf
echo 'pm = dynamic' >> /etc/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php-fpm.conf
systemctl start php-fpm
systemctl enable php-fpm
#Improve system performance
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
echo '* soft nofile 1024' >> /etc/security/limits.conf
fi
grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
echo '* hard nofile 1024' >> /etc/security/limits.conf
fi
#Open firewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload
#Limit log space
echo "/var/log/mariadb/mariadb.log {
create 600 mysql mysql
notifempty
daily
rotate 3
missingok
compress
postrotate
# just if mysqld is really running
if [ -e /run/mariadb/mariadb.pid ]
then
kill -1 $(</run/mariadb/mariadb.pid)
fi
endscript
}" > /etc/logrotate.d/mariadb
echo "/var/log/nginx/*log {
create 0664 nginx root
size 1024M
rotate 1
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}" > /etc/logrotate.d/nginx
echo "/var/log/php-fpm/*log {
size 100M
rotate 1
missingok
notifempty
sharedscripts
delaycompress
postrotate
/bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
endscript
}" > /etc/logrotate.d/php-fpm
echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
size 100M
rotate 1
missingok
sharedscripts
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
}" > /etc/logrotate.d/syslog
#Delete this script
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere
#Restart the system
reboot