哪个男孩不想自己配一套 LEMP 环境呢?
如何简单高效地配置一套属于自己的 LEMP 环境?
写在前面#
首先,你需要有一台 Linux 服务器。使用什么发行版无所谓,只要别太旧就够了。
因个人喜好,本文的所有操作将基于 Debian 10 进行,其他发行版操作大同小异。
在开始安装之前建议先去后台重置一下系统,有条件的话建议用萌咖大佬提供的 这个脚本 重装一下系统。
注:本文所有操作请使用
root用户运行!
更新系统并安装依赖包#
首先要做的是将你的系统更新到最新:
apt update && apt upgrade -y
更新后安装依赖包:
apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev git libssl-dev libcurl4-openssl-dev pkg-config libfreetype6-dev libjpeg-dev libpng-dev libxml2-dev libwebp-dev libxpm-dev libxslt1-dev cmake libncurses5-dev libc-client-dev lsb-release sqlite3 libsqlite3-dev libonig-dev libzip-dev
创建 www 用户#
使用下面的命令创建用户和对应的用户组:
groupadd www
useradd -s /sbin/nologin -g www www
下载所需软件#
执行下面的命令下载所需的软件:
mkdir -p /root/tmp/
cd /root/tmp/
wget https://www.openssl.org/source/openssl-1.1.1f.tar.gz
wget https://nginx.org/download/nginx-1.16.1.tar.gz
wget https://www.php.net/distributions/php-7.4.4.tar.gz
wget https://repo.mysql.com/mysql-apt-config_0.8.13-1_all.deb
生成 dhparam 文件#
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
配置 nginx#
解压源代码包#
cd /root/tmp/
tar zxvf nginx-1.16.1.tar.gz
tar zxvf openssl-1.1.1f.tar.gz
编译安装#
cd /root/tmp/nginx-1.16.1
./configure \
--user=www \
--group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-stream_ssl_preread_module \
--with-openssl=../openssl-1.1.1f
make && make install
链接可执行文件#
ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx
创建 systemd service 文件#
创建 /lib/systemd/system/nginx.service 文件,内容如下:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/nginx -t
ExecStart=/usr/bin/nginx
ExecReload=/usr/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
创建配置文件夹#
mkdir -p /data/www/default
mkdir -p /data/logs/nginx
mkdir -p /usr/local/nginx/conf/vhosts
修改配置文件#
修改 /usr/local/nginx/conf/nginx.conf 文件,内容替换为:
user www www;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 51200;
error_log /data/logs/nginx/error.log crit;
events {
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 64m;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
server_tokens off;
access_log off;
include vhosts/*.conf;
}
创建 /usr/local/nginx/conf/vhosts/default.conf 文件,内容如下:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name _;
index index.html index.php;
root /data/www/default;
location /nginx_status {
stub_status on;
access_log off;
}
location ~ /.well-known {
allow all;
}
location ~ /\. {
deny all;
}
access_log /data/logs/nginx/access.log;
}
创建 /usr/local/nginx/conf/enable-ssl.conf 文件,内容如下:
ssl_protocols TLSv1.3 TLSv1.2;
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
创建 /usr/local/nginx/conf/enable-hsts.conf 文件,内容如下:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
配置 php#
解压源代码包#
cd /root/tmp/
tar zxvf php-7.4.4.tar.gz
编译安装#
cd /root/tmp/php-7.4.4
./configure \
--prefix=/usr/local/php \
--with-config-file-path=/usr/local/php/etc \
--with-config-file-scan-dir=/usr/local/php/conf.d \
--enable-fpm \
--with-fpm-user=www \
--with-fpm-group=www \
--enable-pdo \
--enable-mysqlnd \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-pdo-sqlite \
--with-sqlite3 \
--with-iconv-dir \
--with-jpeg \
--with-webp \
--with-xpm \
--with-freetype \
--with-zlib \
--with-libxml \
--enable-xml \
--disable-rpath \
--enable-bcmath \
--enable-shmop \
--enable-sysvsem \
--enable-inline-optimization \
--with-curl \
--enable-mbregex \
--enable-mbstring \
--enable-intl \
--enable-ftp \
--enable-gd \
--with-mhash \
--enable-pcntl \
--enable-sockets \
--with-xmlrpc \
--with-zip \
--enable-soap \
--with-gettext \
--enable-opcache \
--with-xsl \
--with-openssl
make && make install
如果遇到 freetype 错误,建立 /usr/bin/freetype-config 文件,内容如下:
#!/bin/sh
/usr/bin/pkg-config freetype2 $@
之后为其添加执行权限即可:
chmod a+x /usr/bin/freetype-config
链接可执行文件#
ln -sf /usr/local/php/bin/php /usr/bin/php
ln -sf /usr/local/php/bin/phpize /usr/bin/phpize
ln -sf /usr/local/php/sbin/php-fpm /usr/bin/php-fpm
创建 systemd service 文件#
创建 /lib/systemd/system/php-fpm.service 文件,内容如下:
[Unit]
Description=PHP FastCGI process manager
After=local-fs.target network.target nginx.service
[Service]
PIDFile=/run/php-fpm.pid
ExecStart=/usr/bin/php-fpm --fpm-config /usr/local/php/etc/php-fpm.conf --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
Type=simple
[Install]
WantedBy=multi-user.target
创建配置文件夹#
mkdir -p /usr/local/php/{etc,conf.d}
mkdir -p /data/logs/php
修改配置文件#
首先生成 php.ini 文件:
cp php.ini-production /usr/local/php/etc/php.ini
sed -i 's/post_max_size =.*/post_max_size = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/;date.timezone =.*/date.timezone = Asia\/Shanghai/g' /usr/local/php/etc/php.ini
sed -i 's/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/g' /usr/local/php/etc/php.ini
sed -i 's/max_execution_time =.*/max_execution_time = 300/g' /usr/local/php/etc/php.ini
sed -i 's/expose_php = On/expose_php = Off/g' /usr/local/php/etc/php.ini
创建 /usr/local/php/etc/php-fpm.conf 文件,内容如下:
[global]
pid = /run/php-fpm.pid
error_log = /data/logs/php/php-fpm.log
log_level = notice
[www]
listen = /run/php-fpm.sock
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
listen.owner = www
listen.group = www
listen.mode = 0666
user = www
group = www
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 6
pm.max_requests = 1024
pm.process_idle_timeout = 10s
request_terminate_timeout = 100
request_slowlog_timeout = 0
slowlog = var/log/slow.log
创建 /usr/local/nginx/conf/enable-php.conf 文件,内容如下:
location ~ \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.sock;
}
配置 mysql#
因 mysql 并没有多少功能需要自定义,完全可以直接用官方的源安装:
cd /root/tmp/
dpkg -i mysql-apt-config_0.8.13-1_all.deb
apt update
apt -y install mysql-server
安装时注意选择
Legacy加密方式
之后运行 mysql 安全设置即可:
mysql_secure_installation
仅个人使用的话建议前两个
no,剩下的全部yes。
配置 acme.sh#
curl https://get.acme.sh | sh
source /root/.bashrc
acme.sh --upgrade --auto-upgrade
启动服务#
systemctl enable nginx.service
systemctl enable php-fpm.service
systemctl enable mysql.service
systemctl start nginx.service
systemctl start php-fpm.service
systemctl start mysql.service
使用方法#
各种目录#
- 网站目录:
/data/www/ - nginx 虚拟主机配置目录:
/usr/local/nginx/conf/vhosts/ - php 配置文件目录:
/usr/local/php/etc/
虚拟主机文件格式#
server {
listen 80;
listen [::]:80;
server_name test.com;
return 301 https://$server_name$request_uri;
error_page 497 =301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name test.com;
index index.html index.php;
root /data/www/default;
include enable-ssl.conf;
include enable-hsts.conf;
ssl_certificate /data/ssl/test.com/cert.crt;
ssl_certificate_key /data/ssl/test.com/priv.key;
include enable-php.conf;
access_log /data/logs/nginx/default.log;
}