1、编译安装LNMP,配置自定义404页面,配置访问日志为json格式。
2、配置虚拟主机,实现 https 访问 www.testou.com。

--------------------------------------------------------------------------------------------------------------------------------------

1 编译安装LNMP,配置自定义404页面,配置访问日志为json格式。

环境:Ubuntu 18.04.4

1.1 编译安装 Nginx-1.22.1

#下载源码并解压
# cd /usr/local/src/
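#注意:下面使用明文 http 下载且未做校验;建议改用 https://nginx.org/download/,并下载同名的 .asc 签名文件,用 gpg --verify 校验通过后再解压编译
# wget http://nginx.org/download/nginx-1.22.1.tar.gz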
# tar xf nginx-1.22.1.tar.gz -C /usr/local/

#准备编译安装基础环境:Ubuntu18.04.4
# apt -y install gcc make libpcre3-dev libssl-dev libghc-zlib-dev
#准备编译安装基础环境:Centos7.9
# yum -y install gcc pcre-devel openssl-devel

#加固,更改WEB服务器软件类型(只是隐藏软件标识,不能替代及时升级和打补丁)
# sed -ri '/^static.*ngx_http_server_string/s#nginx"#KNM/1.1"#' /usr/local/nginx-1.22.1/src/http/ngx_http_header_filter_module.c
#编译Nginx
# cd /usr/local/nginx-1.22.1/
./configure \
--prefix=/usr/local/nginx_1.22.1 \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
# make -j 4
# make install

#创建nginx用户
# useradd -d /data/www -s /bin/false -M -r nginx

#创建子规则配置目录
# ln -s /usr/local/nginx_1.22.1/ /usr/local/nginx
# mkdir /usr/local/nginx/conf.d

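#授权nginx用户管理安装目录
#注意:master 进程以 root 身份执行 sbin/nginx 并读取 conf/;把整个安装目录的属主改为 nginx 后,worker 进程一旦被攻破即可改写二进制和配置,进而提权到 root。更稳妥的做法是保持 root 属主,只对确实需要写入的目录单独授权
# chown -R nginx.nginx /usr/local/nginx/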

#配置PATH变量
# if [ ! -e /etc/profile.d/path.sh ] || ! $(grep nginx /etc/profile.d/path.sh &> /dev/null);then \
    echo "PATH=/usr/local/nginx/sbin:$PATH" > /etc/profile.d/path.sh; \
  fi
# source /etc/profile.d/path.sh
#修改主配置文件
# grep -Ev '^([[:space:]]*#|$)' /usr/local/nginx/conf/nginx.conf
user nginx nginx;
worker_processes auto;
pid /run/nginx.pid;
events {
    worker_connections 65536;
    use epoll;
    accept_mutex on;
    multi_accept on;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    charset utf-8;
    server_tokens off;
    include /usr/local/nginx/conf.d/*.conf;
}

#创建service文件
# cat /lib/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true

[Install]
WantedBy=multi-user.target

#验证service文件
# systemctl daemon-reload
# systemctl status nginx

#Ubuntu18.04.4自建service文件,默认禁止通过systemctl启动
# systemctl is-enabled nginx
masked

#解除禁止
# systemctl unmask nginx

#设置开机自启并立即启动
# systemctl enable --now nginx

#清理源码及编译目录
# rm -rf /usr/local/src/nginx-1.22.1.tar.gz /usr/local/nginx-1.22.1/

1.1.1 编译过程报错解决

#缺少gcc编译器,安装包:apt -y install gcc
./configure: error: C compiler cc is not found

#缺少libpcre3-dev,用于解析正则表达式,安装包:apt -y install libpcre3-dev
./configure: error: the HTTP rewrite module requires the PCRE library.

# 缺少openssl相关库文件,安装包:apt -y install libssl-dev
./configure: error: SSL modules require the OpenSSL library.

# 缺少zlib相关库文件,安装包:libghc-zlib-dev
./configure: error: the HTTP gzip module requires the zlib library.

1.2 二进制安装 MySQL-5.7.35

#创建mysql用户和组
# groupadd -r -g 306 mysql
# useradd -r -u 306 -g 306 -d /data/mysql -s /bin/false -M mysql

#创建数据库目录并授权
# mkdir /data/mysql && chown mysql.mysql /data/mysql

#下载并解压二进制包至/usr/local,授权mysql用户管理
# cd /usr/local/src
# wget https://downloads.mysql.com/archives/get/p/23/file/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
# tar xf /usr/local/src/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz -C /usr/local
# ln -s /usr/local/mysql-5.7.35-linux-glibc2.12-x86_64 /usr/local/mysql
# chown -R root.root /usr/local/mysql/

#准备my.cnf配置文件
# [ -f /etc/my.cnf ] && mv /etc/my.cnf{,.bak}
# cat > /etc/my.cnf <<EOF
[mysqld]
server_id=1

#日志
#二进制日志
log-bin=mysql_binlog
binlog_format=ROW
#二进制日志性能优化
sync_binlog=1
#事务日志性能优化
innodb_flush_log_at_trx_commit=1
#慢查询日志
#slow_query_log=ON
#slow_query_log_file=slow.log
#long_query_time=10
#log_queries_not_using_indexes=ON
#log_output=FILE|TABLE|NONE          #同时影响通用日志和慢查询日志输出形式
#错误日志
log-error=/data/mysql/mysql.log
#通用日志
#general_log=ON
#general_log_file=general.log
#log_output=FILE|TABLE|NONE          #同时影响通用日志和慢查询日志输出形式

datadir=/data/mysql
skip_name_resolve=1
character-set-server=utf8mb4
default_storage_engine=InnoDB
socket=/data/mysql/mysql.sock
pid-file=/data/mysql/mysql.pid

#并发连接数,同时修改service文件,[service]LimitNOFILE=65535
#max_connections=8000

#更改密码
#skip-grant-tables
#skip-networking

[client]
#safe-updates
socket=/data/mysql/mysql.sock
default-character-set=utf8mb4
EOF

#安装相关包
#Ubuntu18.04.4
# apt -y install libaio1
#Centos7.9
# yum -y install libaio ncurses-compat-libs
#配置PATH变量
# if [ ! -e /etc/profile.d/path.sh ] || ! $(grep mysql /etc/profile.d/path.sh &> /dev/null);then \
echo "PATH=/usr/local/mysql/bin:$PATH" > /etc/profile.d/path.sh; \
fi
# source /etc/profile.d/path.sh

#数据库初始化
# mysqld --initialize --datadir=/data/mysql --user=mysql

#启动服务
# cp -a /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
# /etc/init.d/mysqld start

#设置开机启动
#Ubuntu18.04.4、centos8
# echo /etc/init.d/mysqld start >> /etc/rc.local && chmod +x /etc/rc.local
#centos7或6
# chkconfig --add mysqld

#更改数据库root用户原随机密码为root
#注意:密码 "root" 只适合实验环境;新旧密码都写在命令行参数里,会留在 shell 历史并可能被进程列表看到。生产环境应使用强密码,并让 mysqladmin 以交互方式提示输入(-p 后不跟密码、password 后不跟新密码)
# mysqladmin -uroot -p`awk '/temporary password/{print $NF}' /data/mysql/mysql.log` password root

#安全加固
# mysql_secure_installation

#清理二进制包
# rm -f /usr/local/src/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz

1.3 编译安装 PHP-8.2.1

#下载源码并解压
# cd /usr/local/src/
# wget https://www.php.net/distributions/php-8.2.1.tar.gz
# tar xf php-8.2.1.tar.gz -C /usr/local/

#准备编译安装基础环境:Ubuntu18.04.4
# apt -y install libxml2-dev libsqlite3-dev libonig-dev

#编译php-8.2.1
# cd /usr/local/php-8.2.1/
./configure \
--prefix=/usr/local/php_8.2.1 \
--enable-mysqlnd \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-openssl \
--with-zlib \
--with-config-file-path=/usr/local/php_8.2.1/etc \
--with-config-file-scan-dir=/usr/local/php_8.2.1/etc/php.d \
--enable-mbstring \
--enable-xml \
--enable-sockets \
--disable-fileinfo \
--enable-fpm
# make -j 4 && make install

#配置PATH变量
# ln -s /usr/local/php_8.2.1/ /usr/local/php
# if [ ! -e /etc/profile.d/path.sh ] || ! $(grep php /etc/profile.d/path.sh &> /dev/null);then \
      echo "PATH=/usr/local/php/bin:/usr/local/php/sbin:$PATH" > /etc/profile.d/path.sh; \
  fi
# source /etc/profile.d/path.sh

#为php提供配置文件和启动文件
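#注意:编译时指定了 --with-config-file-path=/usr/local/php_8.2.1/etc,PHP 会到该目录查找 php.ini,下面复制到 /etc/php.ini 的文件很可能不会被加载(php.ini-production 中 display_errors=Off 等生产环境设置也就不会生效);可用 php --ini 确认,必要时改为复制到 /usr/local/php/etc/php.ini
# cp /usr/local/php-8.2.1/php.ini-production /etc/php.ini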
# cp /usr/local/php-8.2.1/sapi/fpm/php-fpm.service /lib/systemd/system 
# cp /usr/local/php/etc/php-fpm.conf{.default,} 
# cp /usr/local/php/etc/php-fpm.d/www.conf{.default,}
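#注意:把 ProtectSystem 改为 false 会关闭 systemd 对该服务的系统目录只读保护,降低了隔离强度;如果只是 php-fpm 需要在安装目录下写 pid/日志,可保留原值,并用 ReadWritePaths= 只放行需要写入的目录(具体路径以 php-fpm.conf 中的 pid、error_log 为准)
# sed -ri '/^ProtectSystem/s#^(ProtectSystem=).*#\1false#' /lib/systemd/system/php-fpm.service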

#修改进程所有者
# sed -ri 's/^(user = ).*/\1nginx/' /usr/local/php/etc/php-fpm.d/www.conf
# sed -ri 's/^(group = ).*/\1nginx/' /usr/local/php/etc/php-fpm.d/www.conf

#设置开机自启并立即启动
# systemctl daemon-reload
# systemctl enable --now php-fpm.service

#清理源码及编译目录
# rm -rf /usr/local/src/php-8.2.1.tar.gz /usr/local/php-8.2.1/

1.4 配置自定义404页面

#创建子配置文件,包含虚拟主机www.testz.com,自定义404页面
# cat /usr/local/nginx/conf.d/test.conf
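# Virtual host www.testz.com serving /data/www with a custom 404 page.
server {
    server_name www.testz.com;
    location / {
        root /data/www;
        access_log /data/www/testz.access.log main;
    }
    # The access log above is written inside the document root, so without
    # this block any client could download it (e.g. /testz.access.log) and
    # read other visitors' IPs, URLs and headers. Moving logs outside the
    # document root is the cleaner fix; this deny keeps the paths used on
    # this page unchanged while closing the exposure.
    location ~* \.log$ {
        deny all;
    }
    # Serve /404.html from the same root whenever a request ends in 404.
    error_page 404 /404.html;
    location /404.html {
        root /data/www;
    }
}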

#加载子配置文件
# nginx -t && nginx -s reload
#准备测试资源
# mkdir -p /data/www
#注意:nginx 提供静态文件只需要读和进入目录的权限(r-x);授予 rwx 后,以 nginx 身份运行的 worker 或 php-fpm 进程可以在站点根目录写入文件,生产环境应去掉写权限
# setfacl -m u:nginx:rwx /data/www
# echo '<h1>testz</h1>' > /data/www/index.html
# echo '<h1>FBI Waring</h1>' > /data/www/404.html

#客户端访问测试
# tail -n1 /etc/hosts
10.0.0.100 www.testz.com
# curl www.testz.com
<h1>testz</h1>
# curl www.testz.com/xxx
<h1>FBI Waring</h1>

1.5 配置访问日志为 json 格式

#在主配置文件http配置块,添加自定义日志格式
# vi /usr/local/nginx/conf/nginx.conf
......
http {
......
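# JSON access-log format.
# escape=json makes nginx apply JSON escaping to variable values. Without it
# the default escaping writes '"', '\' and control characters as \xXX, which
# is not a valid JSON escape: a request carrying such characters in a
# client-controlled field (User-Agent, Referer, X-Forwarded-For, URI) then
# produces a record that JSON parsers reject, so it can drop out of the log
# pipeline.
# Note: with escape=json, variables that have no value are logged as an
# empty string instead of "-".
log_format access_json escape=json '{"@timestamp":"$time_iso8601",'
  '"host":"$server_addr",'
  '"clientip":"$remote_addr",'
  '"size":$body_bytes_sent,'
  '"responsetime":$request_time,'
  '"upstreamtime":"$upstream_response_time",'
  '"upstreamhost":"$upstream_addr",'
  '"http_host":"$host",'
  '"uri":"$uri",'
  '"domain":"$host",'
  '"xff":"$http_x_forwarded_for",'
  '"referer":"$http_referer",'
  '"tcp_xff":"$proxy_protocol_addr",'
  '"http_user_agent":"$http_user_agent",'
  '"status":"$status"}';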
}

#新建子配置文件
# cat /usr/local/nginx/conf.d/pc.conf
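# Virtual host www.pc.com; requests handled by "location /" are logged with
# the access_json format.
server {
    server_name www.pc.com;
    location / {
        root /data/www/pc;
        access_log /data/www/pc/access_json.log access_json;
    }
    # The JSON access log lives inside the document root, so without this
    # block it would be served to any client asking for /access_json.log.
    # Keeping logs outside the document root is the cleaner fix; this deny
    # leaves the paths used on this page unchanged while closing the exposure.
    location ~* \.log$ {
        deny all;
    }
}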

#重载服务
# nginx -t && nginx -s reload

#客户端测试
# tail -n1 /etc/hosts
10.0.0.100    www.testz.com www.pc.com www.mobile.com
# curl www.pc.com
pc.html

#服务端查看日志
# tail -n1 /data/www/pc/access_json.log
{"@timestamp":"2023-01-12T14:37:26+08:00","host":"10.0.0.100","clientip":"10.0.0.7","size":8,"responsetime":0.000,"upstreamtime":"-","upstreamhost":"-","http_host":"www.pc.com","uri":"/index.html","domain":"www.pc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"200"}

2 配置虚拟主机,实现 https 访问 www.testou.com。

2.1 创建虚拟主机配置文件

# cat /usr/local/nginx/conf.d/testou.conf
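# HTTPS virtual host for www.testou.com.
server {
    listen 443 ssl;
    server_name www.testou.com;
    # Certificate and private key for this host. The key file should be
    # readable by root only.
    ssl_certificate /usr/local/nginx/conf.d/certs/www.testou.com.crt;
    ssl_certificate_key /usr/local/nginx/conf.d/certs/www.testou.com.key;
    # Offer only TLS 1.2 and 1.3 instead of relying on the build's default
    # protocol list, which may still include TLS 1.0/1.1.
    # TLSv1.3 takes effect only when nginx is linked against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Shared session cache (20 MB, named "sslcache") so workers can resume
    # TLS sessions; cached sessions expire after 10 minutes.
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {
        root /data/www/testou;
    }
}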

2.2 创建自签名证书

#创建证书存放目录
# mkdir /usr/local/nginx/conf.d/certs
# cd /usr/local/nginx/conf.d/certs

#同时生成CA私钥和CA自签名证书
#注意:-nodes 生成的私钥不加密,应确保私钥文件仅 root 可读(chmod 600);cakey.pem 是 CA 私钥,签发完成后不应留在 Web 服务器的配置目录中
# openssl req  -x509 -newkey rsa:2048 -nodes -keyout cakey.pem \
    -subj /C=CN/ST=beijing/L=beijing/O=test/CN=ca.testou.com \
    -days 7300 -set_serial 0 -out cacert.pem

#同时生成客户机私钥和证书申请文件
# openssl req -newkey rsa:2048 -nodes -keyout www.testou.com.key \
    -subj /C=CN/ST=beijing/L=beijing/O=test/CN=www.testou.com \
    -out www.testou.com.csr
    
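#颁发证书
#注意:这样签发的证书不含 subjectAltName,现代浏览器只按 SAN 校验主机名,会提示名称不匹配;可在签发命令上通过 -extfile 提供 subjectAltName=DNS:www.testou.com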
# openssl x509 -req -in www.testou.com.csr \
    -CA cacert.pem -CAkey cakey.pem \
    -days 7300 -set_serial 1 -out www.testou.com.crt

2.3 重载服务

#准备测试资源
# mkdir -p /data/www/testou
# echo /data/www/testou > /data/www/testou/index.html

#重载服务
# nginx -t && nginx -s reload

2.4 客户端测试

# tail -n1 /etc/hosts
10.0.0.100    www.testou.com
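# curl www.testou.com
pc.html
# curl -k https://www.testou.com
/data/www/testou
#注意:-k 会跳过证书校验,只能说明 443 端口可以连通;要验证证书链,可改用 curl --cacert cacert.pem https://www.testou.com(cacert.pem 为 2.2 中生成的 CA 证书)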