A Guide to Setting Up LEMP

What boy doesn't want to set up his own LEMP stack?

How do you configure a LEMP environment of your own simply and efficiently?

Preface

First of all, you need a Linux server. Which distribution you use doesn't matter, as long as it isn't too old.

Out of personal preference, everything in this post is done on Debian 10; other distributions differ only in minor details.

Before you start installing, it's a good idea to reset the system from your provider's control panel; if you can, reinstall the system with this script provided by 萌咖.

Note: run every command in this post as the root user!

Update the system and install dependencies

The first thing to do is bring your system up to date:

apt update && apt upgrade -y

After updating, install the dependencies:

apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev git libssl-dev libcurl4-openssl-dev pkg-config libfreetype6-dev libjpeg-dev libpng-dev libxml2-dev libwebp-dev libxpm-dev libxslt1-dev cmake libncurses5-dev libc-client-dev lsb-release sqlite3 libsqlite3-dev libonig-dev libzip-dev

Create the www user

Create the user and its matching group with the following commands:

groupadd www
useradd -s /sbin/nologin -g www www

Download the required software

Run the following commands to download the software you need:

mkdir -p /root/tmp/
cd /root/tmp/
wget https://www.openssl.org/source/openssl-1.1.1f.tar.gz
wget https://nginx.org/download/nginx-1.16.1.tar.gz
wget https://www.php.net/distributions/php-7.4.4.tar.gz
wget https://repo.mysql.com/mysql-apt-config_0.8.13-1_all.deb

Generate the dhparam file

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Configure nginx

Extract the source packages

cd /root/tmp/
tar zxvf nginx-1.16.1.tar.gz
tar zxvf openssl-1.1.1f.tar.gz

Compile and install

cd /root/tmp/nginx-1.16.1
./configure \
--user=www \
--group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-stream_ssl_preread_module \
--with-openssl=../openssl-1.1.1f
make && make install

Link the executable

ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx

Create the systemd service file

Create /lib/systemd/system/nginx.service with the following contents:

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/nginx -t
ExecStart=/usr/bin/nginx
ExecReload=/usr/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Create the configuration directories

mkdir -p /data/www/default
mkdir -p /data/logs/nginx
mkdir -p /usr/local/nginx/conf/vhosts

Edit the configuration files

Edit /usr/local/nginx/conf/nginx.conf, replacing its contents with:

user www www;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 51200;

error_log /data/logs/nginx/error.log crit;

events {
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}

http {
include mime.types;
default_type application/octet-stream;

server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 64m;

sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;

keepalive_timeout 60;

tcp_nodelay on;

fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;

gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";

server_tokens off;
access_log off;

include vhosts/*.conf;
}

Create /usr/local/nginx/conf/vhosts/default.conf with the following contents:

server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

server_name _;

index index.html index.php;
root /data/www/default;

location /nginx_status {
stub_status on;
access_log off;
}

location ~ /.well-known {
allow all;
}

location ~ /\. {
deny all;
}

access_log /data/logs/nginx/access.log;
}

Create /usr/local/nginx/conf/enable-ssl.conf with the following contents:

ssl_protocols TLSv1.3 TLSv1.2;
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Create /usr/local/nginx/conf/enable-hsts.conf with the following contents:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

Configure PHP

Extract the source package

cd /root/tmp/
tar zxvf php-7.4.4.tar.gz

Compile and install

cd /root/tmp/php-7.4.4
./configure \
--prefix=/usr/local/php \
--with-config-file-path=/usr/local/php/etc \
--with-config-file-scan-dir=/usr/local/php/conf.d \
--enable-fpm \
--with-fpm-user=www \
--with-fpm-group=www \
--enable-pdo \
--enable-mysqlnd \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-pdo-sqlite \
--with-sqlite3 \
--with-iconv-dir \
--with-jpeg \
--with-webp \
--with-xpm \
--with-freetype \
--with-zlib \
--with-libxml \
--enable-xml \
--disable-rpath \
--enable-bcmath \
--enable-shmop \
--enable-sysvsem \
--enable-inline-optimization \
--with-curl \
--enable-mbregex \
--enable-mbstring \
--enable-intl \
--enable-ftp \
--enable-gd \
--with-mhash \
--enable-pcntl \
--enable-sockets \
--with-xmlrpc \
--with-zip \
--enable-soap \
--with-gettext \
--enable-opcache \
--with-xsl \
--with-openssl
make && make install

If you run into a freetype error, create /usr/bin/freetype-config with the following contents:

#!/bin/sh
# shim: forward every argument to pkg-config's freetype2 module
/usr/bin/pkg-config freetype2 "$@"

Then give it execute permission:

chmod a+x /usr/bin/freetype-config

Link the executables

ln -sf /usr/local/php/bin/php /usr/bin/php
ln -sf /usr/local/php/bin/phpize /usr/bin/phpize
ln -sf /usr/local/php/sbin/php-fpm /usr/bin/php-fpm

Create the systemd service file

Create /lib/systemd/system/php-fpm.service with the following contents:

[Unit]
Description=PHP FastCGI process manager
After=local-fs.target network.target nginx.service

[Service]
PIDFile=/run/php-fpm.pid
ExecStart=/usr/bin/php-fpm --fpm-config /usr/local/php/etc/php-fpm.conf --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
Type=simple

[Install]
WantedBy=multi-user.target

Create the configuration directories

mkdir -p /usr/local/php/{etc,conf.d}
mkdir -p /data/logs/php

Edit the configuration files

First generate php.ini:

# run from the extracted source tree, /root/tmp/php-7.4.4
cp php.ini-production /usr/local/php/etc/php.ini
sed -i 's/post_max_size =.*/post_max_size = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/;date.timezone =.*/date.timezone = Asia\/Shanghai/g' /usr/local/php/etc/php.ini
sed -i 's/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/g' /usr/local/php/etc/php.ini
sed -i 's/max_execution_time =.*/max_execution_time = 300/g' /usr/local/php/etc/php.ini
sed -i 's/expose_php = On/expose_php = Off/g' /usr/local/php/etc/php.ini

Create /usr/local/php/etc/php-fpm.conf with the following contents:

[global]
pid = /run/php-fpm.pid
error_log = /data/logs/php/php-fpm.log
log_level = notice

[www]
listen = /run/php-fpm.sock
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
listen.owner = www
listen.group = www
listen.mode = 0666
user = www
group = www
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 6
pm.max_requests = 1024
pm.process_idle_timeout = 10s
request_terminate_timeout = 100
request_slowlog_timeout = 0
slowlog = var/log/slow.log

Create /usr/local/nginx/conf/enable-php.conf with the following contents:

location ~ \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.sock;
}
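The `try_files $fastcgi_script_name =404;` line above, together with the `cgi.fix_pathinfo=0` set earlier in php.ini, is what keeps nginx from handing PHP-FPM a request whose path does not exist as a .php file on disk. The following POSIX sh script is an added example (not part of the original post) that emulates, against a constructed temporary docroot with hypothetical files, how the `location ~ \.php$` match, `fastcgi_split_path_info` and `try_files` from enable-php.conf decide each request, so the effect of the directives can be seen without a running nginx.

```sh
#!/bin/sh
# Added example: emulate the request handling in enable-php.conf
# (location ~ \.php$ / fastcgi_split_path_info / try_files).

# Build a throw-away docroot with hypothetical files (constructed sample).
make_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/uploads"
  printf '<?php echo "hello";\n' > "$d/index.php"
  printf 'binary image data\n' > "$d/uploads/pic.jpg"
  echo "$d"
}

# resolve_php ROOT URI -> prints "<verdict> <script_name> <path_info>"
#   static  : URI does not end in .php, never reaches the PHP location
#   404     : try_files found no such script on disk, PHP-FPM is not called
#   fastcgi : request would be passed to PHP-FPM with these parameters
# A "-" in the last field marks an empty PATH_INFO.
resolve_php() {
  root=$1
  uri=$2
  case $uri in
    *.php) ;;
    *) echo "static $uri -"; return 0 ;;
  esac
  # fastcgi_split_path_info ^(.+?\.php)(/.*)$ : the shortest prefix ending
  # in ".php" that is followed by "/" becomes the script, the rest PATH_INFO.
  head=${uri%%.php/*}
  if [ "$head" != "$uri" ]; then
    script=$head.php
    path_info=${uri#"$script"}
  else
    script=$uri
    path_info=-
  fi
  # try_files $fastcgi_script_name =404 : the script itself must exist.
  if [ -f "$root$script" ]; then
    echo "fastcgi $script $path_info"
  else
    echo "404 $script $path_info"
  fi
}

ROOT=$(make_docroot)
for u in /index.php /index.php/extra.php /uploads/pic.jpg/x.php /index.php/info; do
  printf '%-26s -> %s\n' "$u" "$(resolve_php "$ROOT" "$u")"
done
rm -rf "$ROOT"
```

The third case is the one both directives exist for: with try_files the request ends at nginx with a 404 instead of reaching PHP-FPM, and cgi.fix_pathinfo=0 is the second layer that stops PHP from falling back to an existing parent path if such a request ever did get through.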

Configure MySQL

Since MySQL has little that needs customizing, it can be installed straight from the official repository:

cd /root/tmp/
dpkg -i mysql-apt-config_0.8.13-1_all.deb
apt update
apt -y install mysql-server

During installation, take care to select the Legacy encryption method.

Afterwards, run MySQL's secure installation:

mysql_secure_installation

For purely personal use, answering no to the first two questions and yes to all the rest is recommended.

Configure acme.sh

curl https://get.acme.sh | sh
source /root/.bashrc
acme.sh --upgrade --auto-upgrade

Start the services

systemctl enable nginx.service
systemctl enable php-fpm.service
systemctl enable mysql.service
systemctl start nginx.service
systemctl start php-fpm.service
systemctl start mysql.service

Usage

Directories

  • Web root: /data/www/
  • nginx virtual host configuration directory: /usr/local/nginx/conf/vhosts/
  • PHP configuration directory: /usr/local/php/etc/

Virtual host file format

server {
listen 80;
listen [::]:80;

server_name test.com;

return 301 https://$server_name$request_uri;
error_page 497 =301 https://$server_name$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_name test.com;

index index.html index.php;
root /data/www/default;

include enable-ssl.conf;
include enable-hsts.conf;

ssl_certificate /data/ssl/test.com/cert.crt;
ssl_certificate_key /data/ssl/test.com/priv.key;

include enable-php.conf;

access_log /data/logs/nginx/default.log;
}