LEMP 配置指北
kotoyuuko / / 技术流 / 阅读量

哪个男孩不想自己配一套 LEMP 环境呢?

如何简单高效地配置一套属于自己的 LEMP 环境?

写在前面

首先,你需要有一台 Linux 服务器。使用什么发行版无所谓,只要别太旧就够了。

因个人喜好,本文的所有操作将基于 Debian 10 进行,其他发行版操作大同小异。

在开始安装之前建议先去后台重置一下系统,有条件的话建议用萌咖大佬提供的 这个脚本 重装一下系统。

注:本文所有操作请使用 root 用户运行!

更新系统并安装依赖包

首先要做的是将你的系统更新到最新:

apt update && apt upgrade -y

更新后安装依赖包:

apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev git libssl-dev libcurl4-openssl-dev pkg-config libfreetype6-dev libjpeg-dev libpng-dev libxml2-dev libwebp-dev libxpm-dev libxslt1-dev cmake libncurses5-dev libc-client-dev lsb-release sqlite3 libsqlite3-dev libonig-dev libzip-dev

创建 www 用户

使用下面的命令创建用户和对应的用户组:

groupadd www
useradd -s /sbin/nologin -g www www

下载所需软件

执行下面的命令下载所需的软件:

mkdir -p /root/tmp/
cd /root/tmp/
wget https://www.openssl.org/source/openssl-1.1.1f.tar.gz
wget https://nginx.org/download/nginx-1.16.1.tar.gz
wget https://www.php.net/distributions/php-7.4.3.tar.gz
wget https://repo.mysql.com/mysql-apt-config_0.8.13-1_all.deb

生成 dhparam 文件

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

配置 nginx

解压源代码包

cd /root/tmp/
tar zxvf nginx-1.16.1.tar.gz
tar zxvf openssl-1.1.1f.tar.gz

编译安装

cd /root/tmp/nginx-1.16.1
./configure \
--user=www \
--group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-stream_ssl_preread_module \
--with-openssl=../openssl-1.1.1f
make && make install

链接可执行文件

ln -sf /usr/local/nginx/sbin/nginx /usr/bin/nginx

创建 systemd service 文件

创建 /lib/systemd/system/nginx.service 文件,内容如下:

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/nginx -t
ExecStart=/usr/bin/nginx
ExecReload=/usr/bin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

创建配置文件夹

mkdir -p /data/www/default
mkdir -p /data/logs/nginx
mkdir -p /usr/local/nginx/conf/vhosts

修改配置文件

修改 /usr/local/nginx/conf/nginx.conf 文件,内容替换为:

user www www;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
worker_rlimit_nofile 51200;

error_log /data/logs/nginx/error.log crit;

events {
    use epoll;
    worker_connections 51200;
    multi_accept off;
    accept_mutex off;
}

http {
    include mime.types;
    default_type application/octet-stream;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 64m;

    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    server_tokens off;
    access_log off;

    include vhosts/*.conf;
}

创建 /usr/local/nginx/conf/vhosts/default.conf 文件,内容如下:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name _;

    index index.html index.php;
    root /data/www/default;

    location /nginx_status {
        stub_status on;
        access_log   off;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /data/logs/nginx/access.log;
}

创建 /usr/local/nginx/conf/enable-ssl.conf 文件,内容如下:

ssl_protocols TLSv1.3 TLSv1.2;
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

创建 /usr/local/nginx/conf/enable-hsts.conf 文件,内容如下:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

配置 php

解压源代码包

cd /root/tmp/
tar zxvf php-7.4.3.tar.gz

编译安装

cd /root/tmp/php-7.4.3
./configure \
--prefix=/usr/local/php \
--with-config-file-path=/usr/local/php/etc \
--with-config-file-scan-dir=/usr/local/php/conf.d \
--enable-fpm \
--with-fpm-user=www \
--with-fpm-group=www \
--enable-pdo \
--enable-mysqlnd \
--with-mysqli=mysqlnd \
--with-pdo-mysql=mysqlnd \
--with-pdo-sqlite \
--with-sqlite3 \
--with-iconv-dir \
--with-jpeg \
--with-webp \
--with-xpm \
--with-freetype \
--with-zlib \
--with-libxml \
--enable-xml \
--disable-rpath \
--enable-bcmath \
--enable-shmop \
--enable-sysvsem \
--enable-inline-optimization \
--with-curl \
--enable-mbregex \
--enable-mbstring \
--enable-intl \
--enable-ftp \
--enable-gd \
--with-mhash \
--enable-pcntl \
--enable-sockets \
--with-xmlrpc \
--with-zip \
--enable-soap \
--with-gettext \
--enable-opcache \
--with-xsl \
--with-openssl
make && make install

如果遇到 freetype 错误,请建立 /usr/bin/freetype-config 文件,内容如下:

#!/bin/sh
/usr/bin/pkg-config freetype2 [email protected]

之后为其添加执行权限即可:

chmod a+x /usr/bin/freetype-config

链接可执行文件

ln -sf /usr/local/php/bin/php /usr/bin/php
ln -sf /usr/local/php/bin/phpize /usr/bin/phpize
ln -sf /usr/local/php/sbin/php-fpm /usr/bin/php-fpm

创建 systemd service 文件

创建 /lib/systemd/system/php-fpm.service 文件,内容如下:

[Unit]
Description=PHP FastCGI process manager
After=local-fs.target network.target nginx.service

[Service]
PIDFile=/run/php-fpm.pid
ExecStart=/usr/bin/php-fpm --fpm-config /usr/local/php/etc/php-fpm.conf --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
Type=simple

[Install]
WantedBy=multi-user.target

创建配置文件夹

mkdir -p /usr/local/php/{etc,conf.d}
mkdir -p /data/logs/php

修改配置文件

首先生成 php.ini 文件:

cp php.ini-production /usr/local/php/etc/php.ini
sed -i 's/post_max_size =.*/post_max_size = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 64M/g' /usr/local/php/etc/php.ini
sed -i 's/;date.timezone =.*/date.timezone = Asia\/Shanghai/g' /usr/local/php/etc/php.ini
sed -i 's/;cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/g' /usr/local/php/etc/php.ini
sed -i 's/max_execution_time =.*/max_execution_time = 300/g' /usr/local/php/etc/php.ini
sed -i 's/expose_php = On/expose_php = Off/g' /usr/local/php/etc/php.ini

创建 /usr/local/php/etc/php-fpm.conf 文件,内容如下:

[global]
pid = /run/php-fpm.pid
error_log = /data/logs/php/php-fpm.log
log_level = notice

[www]
listen = /run/php-fpm.sock
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
listen.owner = www
listen.group = www
listen.mode = 0666
user = www
group = www
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 6
pm.max_requests = 1024
pm.process_idle_timeout = 10s
request_terminate_timeout = 100
request_slowlog_timeout = 0
slowlog = var/log/slow.log

创建 /usr/local/nginx/conf/enable-php.conf 文件,内容如下:

location ~ \.php$ {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_index index.php;
    include fastcgi.conf;
    fastcgi_pass unix:/run/php-fpm.sock;
}

配置 mysql

因 mysql 并没有多少功能需要自定义,完全可以直接用官方的源安装:

cd /root/tmp/
dpkg -i mysql-apt-config_0.8.13-1_all.deb
apt update
apt -y install mysql-server
安装时注意选择 Legacy 加密方式

之后运行 mysql 安全设置即可:

mysql_secure_installation
仅个人使用的话建议前两个 no,剩下的全部 yes

配置 acme.sh

curl https://get.acme.sh | sh
source /root/.bashrc
acme.sh --upgrade --auto-upgrade

启动服务

systemctl enable nginx.service
systemctl enable php-fpm.service
systemctl enable mysql.service
systemctl start nginx.service
systemctl start php-fpm.service
systemctl start mysql.service

使用方法

各种目录

  • 网站目录: /data/www/
  • nginx 虚拟主机配置目录: /usr/local/nginx/conf/vhosts/
  • php 配置文件目录: /usr/local/php/etc/

虚拟主机文件格式

server {
    listen 80;
    listen [::]:80;

    server_name test.com;

    return 301 https://$server_name$request_uri;
    error_page 497 =301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name test.com;

    index index.html index.php;
    root /data/www/default;

    include enable-ssl.conf;
    include enable-hsts.conf;

    ssl_certificate /data/ssl/test.com/cert.crt;
    ssl_certificate_key /data/ssl/test.com/priv.key;

    include enable-php.conf;

    access_log /data/logs/nginx/default.log;
}

更新记录

  • 2020-02-28:发布
支付宝捐赠
请使用支付宝扫一扫进行捐赠
微信捐赠
请使用微信扫一扫进行赞赏
有 0 篇文章