
CentOS 7 +安装 Nginx 1.8.0 + PHP 5.6 + MariaDB 10.0 (LEMP) + SSL


1. change ulimits
vim /etc/security/limits.conf

# Raise the open-file descriptor limit (soft and hard) to 65535 for every user:
# nginx, php-fpm and MariaDB each hold many sockets and files under load and the
# stock limit is much lower.
# NOTE(review): limits.conf governs PAM login sessions; daemons started by systemd
# on CentOS 7 take their limit from the unit's LimitNOFILE= instead — confirm the
# nginx/php-fpm/mysql units if this limit is what you are relying on.
* soft nofile 65535
* hard nofile 65535

2. Install MariaDB
vim /etc/yum.repos.d/MariaDB.repo
# MariaDB 10.0 upstream repository for CentOS 7 x86_64 (/etc/yum.repos.d/MariaDB.repo).
[mariadb]
name = MariaDB
# Plain-http mirror: package authenticity rests on the GPG check below, not on transport.
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
# Signing key is fetched over https; gpgcheck=1 makes yum refuse packages not signed by it.
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

# Install server and client from the repository above (yum prompts before proceeding).
yum install MariaDB-server MariaDB-client
# Enable at boot. chkconfig rather than systemctl presumably because these packages
# register a SysV service named "mysql" — verify with `chkconfig --list mysql`.
chkconfig mysql on
# Interactive post-install hardening (root password, anonymous accounts, test
# database, remote root login). Do not skip this on a fresh install.
mysql_secure_installation
Configure firewalld for MariaDB (only needed if clients on other hosts must reach the database).

3. Install Nginx
# Add the nginx.org repository release package. The URL is plain http and rpm only
# warns (does not fail) when the signing key is unknown, so fetch it over https or
# check the package signature first if the network path is not trusted.
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum install nginx
systemctl start nginx
# Start at boot.
systemctl enable nginx

Configure firewalld to allow HTTP to nginx (and HTTPS once step 9 is done).

4. Install PHP
https://webtatic.com/packages/php56/
# EPEL and Webtatic release packages (both fetched over https). Webtatic is a
# third-party repository, so its packages are trusted at the level of that vendor.
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
# PHP 5.6 (php56w), the FPM daemon nginx will talk to, and the MySQL extension.
# NOTE(review): PHP 5.6 is end-of-life upstream; pick a supported branch for a new deployment.
yum install php56w php56w-fpm php56w-mysql

vim /etc/php.ini
; The shipped default is commented out (=1): PHP would then execute the nearest
; matching file when the requested .php path does not exist exactly, letting a
; crafted request run a script it should not. Uncomment and set to 0 so only
; exact matches are executed (see the explanation below and try_files in step 6).
;cgi.fix_pathinfo=1
cgi.fix_pathinfo=0

Reference : https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7

What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to "1" by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if a PHP file does not match exactly. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn't be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to "0" like this:

5. Edit /etc/php-fpm.d/www.conf

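; php-fpm pool configuration (edited in /etc/php-fpm.d/www.conf).
[global]
; NOTE(review): both paths are non-default for these packages; /usr/local/php/var/run
; and /var/log/httpd (normally created by httpd, which is not installed here) must
; exist or php-fpm will fail to start — confirm before restarting in step 7.
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /var/log/httpd/php-fpm.log

[www]
; Listen on a Unix socket instead of TCP 9000; nginx connects to it via
; fastcgi_pass unix:... in step 6.
;listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock

; Only the nginx worker user may connect. The previous nobody/nobody/0666 made the
; socket world-writable, so any local account could submit FastCGI requests and
; run PHP as the pool user. nginx from nginx.org runs its workers as user "nginx".
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; Run the pool as the same user the nginx workers use (packaged default is apache).
;user = apache
user = nginx
;group = apache
group = nginx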

6. Edit /etc/nginx/conf.d/default.conf

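# Edited in /etc/nginx/conf.d/default.conf (the plain-http server block).
location / {
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
}

# Hand *.php requests to php-fpm over the Unix socket configured in www.conf.
location ~ \.php$ {
    root /usr/share/nginx/html;
    # Only execute scripts that exist on disk. The earlier "= 404" (with a space)
    # is not the =code form: nginx would try a file literally named "=" and then
    # fall back to the URI "404". "=404" returns 404 for a missing script, which
    # together with cgi.fix_pathinfo=0 (step 4) closes the path-info trick.
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    # Absolute path of the script handed to php-fpm.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}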

7. Restart php-fpm and nginx
# Apply the www.conf and default.conf changes. php-fpm recreates its socket with
# the owner/group/mode from the [www] pool on start, so restart it before nginx.
systemctl restart php-fpm
systemctl restart nginx

8. Test PHP
# Create a test page (its body is not shown here; typically a phpinfo() call).
# phpinfo() discloses paths, versions and loaded modules to anyone who can fetch
# it — delete the file once the test below succeeds.
vim /usr/share/nginx/html/info.php

http://serverip/info.php

9. Create Self-Signed Cert
# Self-signed certificate plus an unencrypted (-nodes) 2048-bit RSA key, SHA-512 signed.
# NOTE(review): -x509 writes a certificate, not a signing request, so the ".csr"
# suffix is misleading (the file is what ssl_certificate points at below).
# -days 65536 is roughly 180 years; a short validity (e.g. 365) limits the
# exposure if the key is ever leaked, since a self-signed cert cannot be revoked.
openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout cert.key -out cert.pem.csr -days 65536

Common Name (eg, your name or your server's hostname) []: mysite.moneyslow.com

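# Restrict the key material to its owner before placing it under /etc/nginx.
# cp without -p still creates the target with the source mode (masked by umask),
# so 600 carries over; run as root so nginx (started as root) can read the key.
chmod 600 cert.key
chmod 600 cert.pem.csr
# "copy" is not a Linux command; the intended tool is cp.
cp cert.key /etc/nginx
cp cert.pem.csr /etc/nginx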

vim /etc/nginx/conf.d/my_host_ssl.conf

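# HTTPS virtual host (/etc/nginx/conf.d/my_host_ssl.conf).
server {
    listen 443 ssl;
    server_name mysite.moneyslow.com;

    # NOTE(review): the ".csr" file is the self-signed certificate written by
    # "openssl req -x509" in step 9, not a signing request.
    ssl_certificate /etc/nginx/cert.pem.csr;
    ssl_certificate_key /etc/nginx/cert.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Cipher list chosen so Chrome stops reporting "is encrypted with obsolete cryptography".
    # NOTE(review): "!DES" excludes single DES only; the three *DES-CBC3* (3DES) suites
    # named explicitly are still offered. Remove them or append ":!3DES" unless a
    # client genuinely needs 3DES.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    # TLS 1.2 only; TLS 1.0/1.1 are not offered.
    ssl_protocols TLSv1.2;

    location / {
        root /usr/share/nginx/html;
        index index.php index.html index.htm;
    }

    # Locations are per server block, so the handler in default.conf does not apply
    # here. Without this block the HTTPS vhost would serve *.php as a plain file
    # (PHP source disclosure) instead of executing it. Same handler as step 6.
    location ~ \.php$ {
        root /usr/share/nginx/html;
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}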
