How to install a LEMP (Linux+Nginx+MySQL+PHP) environment on CentOS 7

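This article covers building a fresh LEMP (Linux+Nginx+MySQL+PHP) environment on CentOS 7. Note that Nginx does not support .htaccess files for URL rewriting the way Apache mod_rewrite does. If your project needs rewrites, take note: if you do not have, or cannot convert, your Apache rewrite rules into Nginx ones, use with caution!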

If you need to configure virtual hosts, please see:

As usual, if you have not installed EPEL yet, install it first:

yum -y install epel-release

Install Nginx

yum -y install nginx

Enable start on boot

systemctl enable nginx

Start Nginx

systemctl start nginx

Set the firewall rules

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

At this point, visit http://yourIpAddress

Install the MariaDB database

yum -y install mariadb-server mariadb

Enable start on boot

systemctl enable mariadb

Start MariaDB

systemctl start mariadb

Initialize and set the root password

mysql_secure_installation
[[email protected] ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current password for the root user.  If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank,so you should just press enter here.

Enter current password for root (enter for none):   ## press Enter
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation.

Set root password? [Y/n]    ## press Enter
New password:    # the root password
Re-enter new password:    # repeat the password
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them.  This is intended only for testing, and to make the installation go a bit smoother.  You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] ## press Enter
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] ## press Enter
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can access.  This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] ## press Enter
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] ## press Enter
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB installation should now be secure.

Thanks for using MariaDB!

Install PHP-FPM

yum -y install php-fpm php-mysql php-pear php-pdo php-mysql php-gd php-mbstring php-mcrypt php-xml php-dom php-devel php-pear pcre-devel

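An important PHP security setting: cgi.fix_pathinfo

This problem is said to exist only with Nginx. The PHP cgi.fix_pathinfo parameter defaults to 1, and we need to set it to 0.

Quoted from elsewhere: the danger of setting it to 1 is this. Suppose your site has an image at http://xx.com/a.jpg. Through http://xx.com/a.jpg/foo.php I can view the binary content of that file, which means it can be executed through PHP. Here is the problem: if your site lets users upload images, a user can craft some malicious code, disguise it as an image and upload it. Then, using the method described above, they can run malicious code through PHP on your site's server.

It is said that this Nginx file-type misparsing vulnerability can also be fixed in other ways, which this article will not go into.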

How to change it:

vi /etc/php.ini

Search for cgi.fix_pathinfo and find

;cgi.fix_pathinfo=1

Change this line to

cgi.fix_pathinfo=0

Save and exit.
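
A way to confirm the edit took effect, as an added example that is not part of the original article: the stock line ;cgi.fix_pathinfo=1 is only a comment, so the check below reports the value PHP actually uses. The function names and the sample files are assumptions made for this example.

```bash
# Added example (not from the original article).
# In php.ini a line starting with ';' is a comment, so the stock line
# ';cgi.fix_pathinfo=1' sets nothing and PHP falls back to its default of 1.

# Print the value PHP would use for cgi.fix_pathinfo in the file $1.
effective_fix_pathinfo() {
    local value
    value=$(awk -F= '
        /^[ \t]*;/ { next }                    # whole-line comment
        /^[ \t]*cgi\.fix_pathinfo[ \t]*=/ {
            v = $2
            sub(/;.*/, "", v)                  # drop a trailing comment
            gsub(/[ \t\r]/, "", v)             # drop whitespace
            last = v                           # the last assignment wins
        }
        END { print last }' "$1")
    echo "${value:-1}"                         # never set: default is 1
}

# Return 0 only for a literal 0 (a deliberately conservative check).
check_php_ini() {
    local v
    v=$(effective_fix_pathinfo "$1")
    if [ "$v" = "0" ]; then
        echo "OK: cgi.fix_pathinfo=0 in $1"
        return 0
    fi
    echo "WARN: cgi.fix_pathinfo is effectively '$v' in $1"
    return 1
}

# Constructed sample files standing in for /etc/php.ini.
demo() {
    local d
    d=$(mktemp -d)
    printf '[PHP]\n;cgi.fix_pathinfo=1\n' > "$d/stock.ini"
    printf '[PHP]\n;cgi.fix_pathinfo=1\ncgi.fix_pathinfo = 0 ; hardened\n' > "$d/fixed.ini"
    check_php_ini "$d/stock.ini" || true
    check_php_ini "$d/fixed.ini"
    rm -rf "$d"
}
demo
```

On the server, run check_php_ini /etc/php.ini after editing. php-fpm reads php.ini when it starts, so an already running php-fpm needs a restart to pick up the change.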

Configure PHP-FPM

Edit the php-fpm conf configuration file

vi /etc/php-fpm.d/www.conf

Find

user = apache
group = apache

Change to:

user = nginx
group = nginx

Save and exit

Enable php-fpm on boot

systemctl enable php-fpm

Start php-fpm

systemctl start php-fpm

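Create the first site and test it

Create a new site configuration file

As with Apache's virtual host conf files, Nginx provides a separate configuration file for each host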

vi /etc/nginx/conf.d/default.conf

Configure the following:

server {
    listen 80; 
    root /var/www/html/; ## site root directory
    index index.php index.html index.htm;  # index files

    server_name 127.0.0.1;  ## set the domain name

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;  ## error pages
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html/; 
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
}

After saving, use the command /usr/sbin/nginx -t to test whether the conf file contains errors

[[email protected] public_html]# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx (service restart)

systemctl restart nginx

Or use the nginx command to reload the configuration (recommended, the service does not stop):

/usr/sbin/nginx -s reload

Then visit http://yourIpAddressOrDomain/

Congratulations, you have finished setting up the LEMP environment.
