Installing Nginx + PHP + MySQL on CentOS 7

0: Set the time zone
Show the current time settings:
timedatectl
List all time zones:
timedatectl list-timezones
Set the time zone:
timedatectl set-timezone Asia/Shanghai
Install NTP:
yum install ntp
Synchronise the clock once:
ntpdate pool.ntp.org
Enable or disable ongoing NTP synchronisation:
timedatectl set-ntp yes    # yes or no

1: Add EPEL Repository
sudo yum install epel-release

2: Install Nginx (choose one of the three methods below)
2.1 Use the official Nginx repository (recommended):
Add the Nginx repository:
vi /etc/yum.repos.d/nginx.repo
Contents:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
Install Nginx:
yum install nginx
2.2 Use the EPEL repository:
sudo yum install nginx
2.3 Use the Remi repository:
Add the Remi repository:
wget http://rpms.remirepo.net/enterprise/remi-release-7.rpm
rpm -Uvh remi-release-7.rpm
yum --enablerepo=remi update remi-release
Install Nginx:
yum --enablerepo=remi install nginx
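The nginx.repo file in step 2.1 (and the mongodb-org.repo in step 19) sets gpgcheck=0, so yum installs whatever the mirror serves without verifying RPM signatures. The following is an added example, not part of the original article: a POSIX shell linter that lists every [section] of a .repo file that does not set gpgcheck=1, shown next to a hardened copy of the step 2.1 repository file. The hardened copy points at nginx's published signing key (https://nginx.org/keys/nginx_signing.key); the key URL for any other repository must come from that vendor's own documentation. The function names and the two repo strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): lint .repo files for gpgcheck=0.
# lint_repo_gpgcheck FILE  -> prints the name of each section lacking gpgcheck=1, one per line
# lint_all_repos DIR       -> runs the lint over every *.repo in DIR (default /etc/yum.repos.d)

# The repository file exactly as written in step 2.1 (constructed copy for the demo).
WEAK_NGINX_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1'

# Same repository with signature checking turned on.
HARDENED_NGINX_REPO='[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1'

lint_repo_gpgcheck() {
    awk '
        /^[[:space:]]*\[/ {
            # new section: report the previous one if it never set gpgcheck=1
            if (section != "" && !ok) print section
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            ok = 0
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
        END { if (section != "" && !ok) print section }
    ' "$1"
}

lint_all_repos() {
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        lint_repo_gpgcheck "$f" | sed "s|^|$f: |"
    done
}

# Demo on the two constructed files.
demo=$(mktemp)
printf '%s\n' "$WEAK_NGINX_REPO" > "$demo"
echo "weak repo, sections without gpgcheck=1: $(lint_repo_gpgcheck "$demo")"
printf '%s\n' "$HARDENED_NGINX_REPO" > "$demo"
echo "hardened repo, sections without gpgcheck=1: $(lint_repo_gpgcheck "$demo")"
rm -f "$demo"
```

Run `lint_all_repos` after adding the Nginx, EPEL, Remi and MongoDB repositories; every section it prints is one that yum will install from unverified.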

3: Start Nginx
sudo systemctl start nginx

4: Add firewall rules
sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

5: Open the server in a browser to test the default page

6: Enable Nginx at boot
sudo systemctl enable nginx

7: Configuration file locations
Global configuration file: /etc/nginx/nginx.conf
Default site configuration: /etc/nginx/conf.d/default.conf
Default web root: /usr/share/nginx/html

8: Install PHP
8.1 Using the official repository: see the previous article, "CentOS 7.0 installing Apache + MySQL + PHP + php-mcrypt + ZendOpcache + Fail2ban"
8.2 Using the Remi repository:
Install PHP 7:
yum --enablerepo=remi-php70 install php70 php-fpm php-devel
yum --enablerepo=remi-php70 install php-bcmath php-gd libjpeg* php-intl php-ldap php-mbstring php-mcrypt php-mhash php-mysqlnd php-odbc php-pdo php-pear php-pecl-memcache php-pecl-memcached php-pecl-mongo php-pecl-mongodb php-pecl-zendopcache php-redis php-soap php-xml php-xmlrpc php-zip

Install PHP 5.6:
First add the Remi repository as described in 2.3.
Enable the Remi repository by default:
vi /etc/yum.repos.d/remi.repo
In both the [remi] and [remi-php56] sections set:
enabled=1
Then run:
yum --enablerepo=remi install php-fpm php-devel
yum --enablerepo=remi install php-bcmath php-gd libjpeg* php-intl php-ldap php-mbstring php-mcrypt php-mhash php-mysqlnd php-odbc php-pdo php-pear php-pecl-memcache php-pecl-memcached php-pecl-mongo php-pecl-mongodb php-pecl-zendopcache php-redis php-soap php-xml php-xmlrpc

9: Disable cgi.fix_pathinfo
sudo vi /etc/php.ini
Set:
cgi.fix_pathinfo=0
Note:
Setting this to 0 makes some versions of the Phalcon framework fail; those need it set to 1.
If you do set it to 1, you must test for the path-parsing vulnerability: save a snippet of PHP code as fake.jpg, request fake.jpg/foo.php, and check whether fake.jpg gets executed.

10: Connect Nginx to php-fpm over a Unix socket for better performance
sudo vi /etc/php-fpm.d/www.conf
Set:
listen = /var/run/php-fpm/php-fpm.sock
Change the user and group that both Nginx and php-fpm run as to nobody:
sudo vi /etc/nginx/nginx.conf
Set:
user nobody;
sudo vi /etc/php-fpm.d/www.conf
Set:
listen.owner = nobody
listen.group = nobody
...
user = nobody
group = nobody

11: Upload size limits
Set the maximum upload file size:
sudo vi /etc/php.ini
post_max_size = 8M
upload_max_filesize = 8M
vi /etc/nginx/nginx.conf
Add inside the http block:
client_max_body_size 8M;

sudo systemctl start php-fpm
sudo systemctl enable php-fpm

12: Have Nginx pass PHP files to php-fpm
sudo vi /etc/nginx/conf.d/default.conf
Add:
server {
    listen       80;
    server_name  server_domain_name_or_IP;

    # note that these lines are originally from the "location /" block
    root   /usr/share/nginx/html;
    index  index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
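The two lines that matter most in the server block above are the escaped `\.php$` pattern and `try_files $uri =404`: the latter makes Nginx refuse to forward a script name that does not exist on disk, which is the Nginx-side guard against the fake.jpg/foo.php parsing problem described in step 9. The following is an added example, not part of the original article: a POSIX shell audit that scans an Nginx configuration for fastcgi location blocks and reports an unescaped dot in the pattern or a missing `try_files $uri =404`. The function name and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit the PHP location blocks of an nginx config.
# Reports, per fastcgi location block:
#   unescaped-dot      the pattern matches any character before "php" instead of a literal "."
#   missing-try_files  no "try_files $uri =404", so non-existent script names reach php-fpm
# audit_php_locations FILE   (use "-" to read standard input)
audit_php_locations() {
    awk '
        /^[[:space:]]*location[[:space:]]+~[*]?[[:space:]]*[^{]*php/ {
            loc = $0
            sub(/^[[:space:]]*/, "", loc)
            sub(/[[:space:]]*\{.*$/, "", loc)
            inphp = 1; has_try = 0; has_fcgi = 0
            next
        }
        inphp && /try_files[[:space:]]+\$uri[[:space:]]+=404/ { has_try = 1 }
        inphp && /fastcgi_pass/ { has_fcgi = 1 }
        inphp && /^[[:space:]]*}/ {
            # only blocks that actually hand requests to php-fpm are judged;
            # deny-only blocks for upload directories carry neither directive
            if (has_fcgi) {
                if (loc !~ /\\\.php/) print "unescaped-dot: " loc
                if (!has_try) print "missing-try_files: " loc
            }
            inphp = 0
        }
    ' "${1:--}"
}

# Constructed samples: a frequently copied weak block, and the corrected form from step 12.
WEAK_CONF='    location ~ .php$ {
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        include        fastcgi_params;
    }'
GOOD_CONF='    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }'

# Usage on a live server: audit_php_locations /etc/nginx/conf.d/default.conf
if [ $# -ge 1 ]; then audit_php_locations "$1"; fi
```

The audit is line oriented and assumes one directive per line, as in the configuration shown above; it is a quick check to run after editing default.conf, not a replacement for `nginx -t`.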

sudo vi /usr/share/nginx/html/info.php
Contents:
<?php phpinfo(); ?>

sudo systemctl restart php-fpm
sudo systemctl restart nginx

Open in a browser:
http://your_server_IP_address/info.php

sudo rm /usr/share/nginx/html/info.php

13: Hide the Nginx version:
sudo vi /etc/nginx/nginx.conf
Add inside the http block:
server_tokens  off;
proxy_hide_header        X-Powered-By;
Save.
Check the configuration for errors:
/usr/sbin/nginx -t
Restart Nginx:
sudo systemctl restart nginx

14: PHP time zone, version disclosure and error display
vi /etc/php.ini
date.timezone = PRC
Hide the PHP version:
expose_php = Off
Do not display errors to clients; log them instead:
display_errors = Off
display_startup_errors = Off
error_reporting = E_ALL
log_errors = On
vi /etc/php-fpm.d/www.conf
catch_workers_output = yes
Restart php-fpm:
sudo systemctl restart php-fpm

15: Enable Gzip:
vi /etc/nginx/nginx.conf
Add inside the http block:
gzip             on;
gzip_min_length  1000;
gzip_proxied     expired no-cache no-store private auth;
gzip_disable     "MSIE [1-6]\.";
gzip_vary        on;
gzip_buffers     4 16k;
gzip_types 
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/xml+rss
    image/svg+xml;

16: Enable client-side caching:
vi /etc/nginx/conf.d/default.conf
Edit:
location ~* ^.+\.(jpg|jpeg|gif|png)$ {
    expires 30d;
    add_header  Cache-Control private;
}

17: Install the latest stable Redis
sudo yum --enablerepo=remi install redis
Set the memory limit:
vi /etc/redis.conf
maxmemory 100MB
sudo systemctl enable redis
sudo systemctl start redis

18: Install the latest stable Memcached
sudo yum --enablerepo=remi install memcached
Set the memory limit (default 64MB):
vi /etc/sysconfig/memcached
CACHESIZE="64"
sudo systemctl enable memcached
sudo systemctl start memcached

19: Install MongoDB 3.2.8
vi /etc/yum.repos.d/mongodb-org.repo
[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/stable/$basearch/
gpgcheck=0
enabled=1

yum install mongodb-org
systemctl start mongod

Add an account:
systemctl stop mongod
vi /etc/mongod.conf
dbPath: /var/lib/mongo
mongod --dbpath=/var/lib/mongo
In a second terminal:
mongo
db.createUser({user: "sa", pwd: "sa", roles: [{role: "userAdminAnyDatabase", db: "admin"}]});
Kill the mongod process in the first terminal, then:
systemctl start mongod
If mongod then fails to start, check the log; a Permission denied error like the one below means the data files were created as root during the manual run above, so the mongod service user cannot open them:
vi /var/log/mongodb/mongod.log
WiredTiger (13) [1468490525:829304][5817:0x7fc8c7d79dc0], txn-recover: /var/lib/mongo/journal/WiredTigerLog.0000000002: handle-open: open: Permission denied
WiredTiger (13) [1468490712:206477][6058:0x7fb6164f1dc0], file:collection-2-3710649115002191292.wt, WT_SESSION.open_cursor: /var/lib/mongo/collection-2-3710649115002191292.wt: handle-open: open: Permission denied
chown -R mongod:mongod /var/lib/mongo/
systemctl start mongod
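Step 4 opened only http and https in firewalld, so after steps 17 to 19 the caches and the database should be reachable only on the loopback interface; the firewall is one layer, the bind address of each daemon is the other. The following is an added example, not part of the original article: a POSIX shell function that parses the output of `ss -ltn` and reports every listening socket bound to a non-loopback address whose port is not on an allow list. The function name, the allow list and the two `ss` samples are constructed for this example; the first sample shows the intended end state of this tutorial, the second a memcached bound to every interface.

```shell
#!/bin/sh
# Added example (not from the original article): find listeners exposed beyond loopback.
# exposed_listeners FILE "80 443 22"   (use "-" for standard input)
# Prints "PORT ADDRESS" for each LISTEN socket that is neither on 127.x/::1 nor allow-listed.
exposed_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            local = $4
            i = match(local, /:[0-9]+$/)          # split "addr:port" at the last colon
            if (i == 0) next
            addr = substr(local, 1, i - 1)
            port = substr(local, i + 1)
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            if (!(port in ok)) print port " " addr
        }
    ' "${1:--}"
}

# Constructed `ss -ltn` sample in the intended end state: nginx on 80, sshd on 22,
# redis (6379), memcached (11211) and mongod (27017) bound to 127.0.0.1 only.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128              *:80              *:*
LISTEN 0      128              *:22              *:*
LISTEN 0      128      127.0.0.1:6379            *:*
LISTEN 0      128      127.0.0.1:11211           *:*
LISTEN 0      128      127.0.0.1:27017           *:*
LISTEN 0      128             :::80             :::*'

# Constructed sample of a memcached listening on every interface.
SAMPLE_EXPOSED='LISTEN 0      128              *:11211           *:*'

# Live usage: sh this_script.sh --live "80 443 22"
if [ "$1" = "--live" ]; then ss -ltn | exposed_listeners - "${2:-80 443 22}"; fi
```

Anything the function prints is a service that depends entirely on the firewall rules from step 4 for protection; for Redis, Memcached and MongoDB the fix is to bind them to 127.0.0.1 in their own configuration files.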

20: Update git
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-devel
yum install gcc asciidoc perl-ExtUtils-MakeMaker autoconf
yum remove git
https://github.com/git/git
wget https://github.com/git/git/archive/<version>.tar.gz
For example:
wget https://github.com/git/git/archive/v2.10.2.tar.gz
tar -zxvf v2.10.2.tar.gz
cd git-2.10.2
make configure
./configure --prefix=/usr/local/git
make all
make install
ln -s /usr/local/git/bin/* /usr/bin/
git --version

Security settings:
1: Make the owner of the web root a user other than the one php-fpm and nginx run as; here it is set to root:
sudo chown -R root:root /usr/share/nginx/html/

2: Give nobody read access to the web root (a yum upgrade of PHP may change the permissions, so repeat this after upgrades):
sudo chmod o+r -R /usr/share/nginx/html/
Or:
find /usr/share/nginx/html/ -type d -exec chmod 755 {} \;
find /usr/share/nginx/html/ -type f -exec chmod 644 {} \;

3: PHP session directory permissions:
chown nobody /var/lib/php/session/
chmod -R 777 /var/lib/php/session/

4: Confirm that the web directories are readable and executable (traversable) by nobody and that the web files are readable by nobody

5: Give nobody write access to upload directories and to any other directory that needs to be written to

6: In the Nginx configuration, remove PHP execution from upload directories and block access to directories that must not be reachable
vi /etc/nginx/conf.d/default.conf
Block access to the path directory:
location ^~ /path/ {
    deny all;
}
/path/ is the URL path that remains after the domain name

Remove PHP execution from a single directory:
location ~ /attach/.*\.(php|php5)?$ {
    deny all;
}

Remove PHP execution from several directories:
location ~ /(attach|upload)/.*\.(php|php5)?$ {
    deny all;
}
These location blocks must be placed before the fastcgi (PHP) location block
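Security settings 1 to 6 together describe one file-system policy: everything under the web root owned by root, directories traversable and files readable by nobody, write access only in declared upload directories, and nothing in those directories that Nginx could execute as PHP. The following is an added example, not part of the original article: a POSIX shell audit that checks a web root against those rules and prints one finding per line. The function names and the directory layout used in the usage line are constructed for this example; the expected owner and the list of writable directories are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): audit a web root against security settings 1-6.
# audit_webroot ROOT OWNER WRITABLE_DIRS
#   ROOT           web root, e.g. /usr/share/nginx/html
#   OWNER          expected owner of every entry (root in this tutorial)
#   WRITABLE_DIRS  colon-separated directories relative to ROOT that may be world-writable,
#                  e.g. "uploads:wp-content/uploads"
# Findings are printed sorted, with paths relative to ROOT.

# in_writable_dir REL_PATH COLON_LIST -> true if REL_PATH is one of, or inside, the listed dirs
in_writable_dir() {
    rest=$2
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        if [ "$rest" = "$d" ]; then rest=; else rest=${rest#*:}; fi
        case "$1" in "$d"|"$d"/*) return 0 ;; esac
    done
    return 1
}

audit_webroot() {
    webroot=$1; owner=$2; writable=$3
    {
        # rule 1: every entry is owned by a non-service account (OWNER), never by nobody
        find "$webroot" ! -user "$owner" | sed "s|^$webroot/||; s|^|wrong-owner: |"
        # rule 4: directories traversable and files readable by "other" (the nobody account)
        find "$webroot" -type d ! -perm -0005 | sed "s|^$webroot/||; s|^|dir-not-traversable: |"
        find "$webroot" -type f ! -perm -0004 | sed "s|^$webroot/||; s|^|file-not-world-readable: |"
        # rules 2 and 5: world-writable entries are acceptable only inside the declared upload dirs
        find "$webroot" -perm -0002 | while IFS= read -r p; do
            rel=${p#"$webroot"/}
            in_writable_dir "$rel" "$writable" || echo "world-writable: $rel"
        done
        # rule 6: nginx denies *.php under upload dirs, but the files should not be there at all
        rest=$writable
        while [ -n "$rest" ]; do
            d=${rest%%:*}
            if [ "$rest" = "$d" ]; then rest=; else rest=${rest#*:}; fi
            if [ -d "$webroot/$d" ]; then
                find "$webroot/$d" -type f \( -name '*.php' -o -name '*.php5' \) \
                    | sed "s|^$webroot/||; s|^|php-in-writable-dir: |"
            fi
        done
    } | sort
}

# Usage on this tutorial's layout: audit_webroot /usr/share/nginx/html root "uploads"
if [ $# -ge 2 ]; then audit_webroot "$@"; fi
```

An empty result means the tree matches settings 1 to 6; a `php-in-writable-dir` line is worth investigating even though the location blocks above stop Nginx from executing the file, because it should not have arrived there in the first place.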

7: Block direct access by IP address, so that arbitrary domains pointed at this server are not served:
vi /etc/nginx/nginx.conf
After the line listen       [::]:80 default_server; add:
return    403;
If /etc/nginx/nginx.conf has no such line, add the following at the top of /etc/nginx/conf.d/default.conf instead:
server {
    listen       80;
    listen       [::]:80 default_server;
    return     403;
}

8: Force access through the www subdomain:
vi /etc/nginx/conf.d/default.conf
# FORCE WWW
server {
    server_name  site.com;
    rewrite ^(.*) http://www.site.com$1 permanent;
}

9: Restrict the file paths PHP scripts may access, so that one compromised site cannot affect the whole server:
vi /etc/php.ini
Append at the end:
[HOST=testdomain.com]
open_basedir=/usr/share/nginx/html/:/tmp/
[PATH=/usr/share/nginx/html]
open_basedir=/usr/share/nginx/html/:/tmp/

10: Disable certain PHP built-in functions:
vi /etc/php.ini
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo,exec,passthru,chroot,shell_exec,system,chgrp,chown,chmod,dl,set_time_limit,show_source,highlight_file,gzinflate,pfsockopen,syslog,readlink,symlink,stream_socket_server
;ini_alter,ini_set,ini_restore,putenv,popen,pclose,proc_open,proc_close,proc_get_status
Note:
In production, consider also disabling the functions on the commented-out (;) line
Disabling proc_open, proc_close, proc_get_status, ini_set and putenv breaks some Laravel features
Disabling chmod and ini_set breaks some Yii 2 features

11: Disable remote URL file handling (leaving it on easily causes performance problems, so disabling it is recommended; afterwards file_get_contents can no longer read remote files, use curl instead):
vi /etc/php.ini
allow_url_fopen = Off

12: Disable eval (breaks some phpMyAdmin features):
yum install php-suhosin
vi /etc/php.d/40-suhosin.ini
Set:
suhosin.executor.disable_eval = On
Note: suhosin's default settings stop composer from working; fix that with:
vi /etc/php.d/suhosin.ini
suhosin.executor.include.whitelist = phar

13: Disable runtime loading of PHP extensions
vi /etc/php.ini
enable_dl = Off

sudo systemctl restart php-fpm

14: Disable SELinux
vi /etc/sysconfig/selinux
SELINUX=disabled

WordPress rewrite settings:
vi /etc/nginx/conf.d/default.conf
location / {
    if (-f $request_filename/index.php){
        rewrite (.*) $1/index.php;
    }
    if (!-f $request_filename){
        rewrite (.*) /index.php;
    }
}

Create the uploads directory:
mkdir wp-content/uploads
chmod -R 777 wp-content/uploads
Remove PHP execution from the uploads directory:
location ~ /(wp-content/uploads)/.*\.(php|php5)?$ {
    deny all; 
}

Install the Limit Login Attempts and Disable XML-RPC plugins to protect against brute-force login attempts

Install the Disable XML-RPC Pingback plugin
Under Settings - Discussion, disable pingbacks and trackbacks so the site cannot be used as a DDoS reflection source

Install WP Super Cache, Disable Google Fonts, Google XML Sitemaps and Advanced Excerpt

When plugins need to be installed from the admin panel:
chown -R nobody wordpress/
Change the owner back to root once installation is complete

Permissions required by WP Super Cache:
chmod -R 777 wp-content/cache/
chmod 666 wp-content/wp-cache-config.php
location ~ /(wp-content/cache)/.*\.(php|php5)?$ {
    deny all; 
}

OpenCart settings:
Rewrite:
vi /etc/nginx/conf.d/default.conf
location / {
    try_files $uri @opencart;
}
location @opencart {
    rewrite ^/(.+)$ /index.php?_route_=$1 last;
}
location ~* \.(tpl|ini|log)$ {
    deny all;
}

Permissions:
Version 1.x:
Give PHP write access to the following directories and remove PHP execution from them:
chmod 777 -R system/cache/
chmod 777 -R system/logs/
chmod 777 -R image/
chmod 777 -R download/

location ~ /(system/cache|system/logs|image|download)/.*\.(php|php5)?$ {
    deny all; 
}

Version 2.x:
chmod -R 777 image/
chmod -R 777 system/storage/

location ~ /(image|system/storage)/.*\.(php|php5)?$ {
    deny all; 
}