之前用的最多的web框架是LNMP,偶爾也會用到LAMP。接下來簡單說下LAMP環境的部署記錄,這裡選擇原始碼安裝的方式:
LAMP相關安裝包下載地址:https://pan.baidu.com/s/1pYo9X7f1vy5d70eV0RDYWA
提取密碼:ebj8
1)Mysql的安裝
部署過程參考:http://www.cnblogs.com/kevingrace/p/6109679.html
2)Apache的安裝(下面各軟體版本要對應,否則會因為版本不相容而導致Apache編譯失敗)
LAMP編譯安裝軟體包下載地址:https://pan.baidu.com/s/1MPga1bL1sutGeubW-uXcpg
提取密碼:qp2c
依賴軟體安裝
[root@jenkins-server ~]# yum install gcc gcc-c++ make wget
[root@jenkins-server ~]# yum install zlib-devel openssl-devel
[root@jenkins-server ~]# yum install -y perl perl-devel
apr編譯安裝(下載地址:http://archive.apache.org/dist/apr/)
[root@jenkins-server ~]# cd /usr/local/src/
[root@jenkins-server src]# wget http://mirrors.cnnic.cn/apache//apr/apr-1.5.2.tar.gz
[root@jenkins-server src]# tar zxvf apr-1.5.2.tar.gz
[root@jenkins-server src]# cd apr-1.5.2
[root@jenkins-server apr-1.5.2]# ./configure --prefix=/usr/local/apache/apr && make && make install
apr-util編譯安裝(下載地址:http://apr.apache.org/download.cgi)
[root@jenkins-server src]# wget http://mirrors.cnnic.cn/apache//apr/apr-util-1.5.4.tar.gz
[root@jenkins-server src]# tar zxvf apr-util-1.5.4.tar.gz
[root@jenkins-server src]# cd apr-util-1.5.4
[root@jenkins-server apr-util-1.5.4]# ./configure --prefix=/usr/local/apache/apr-util --with-apr=/usr/local/apache/apr
[root@jenkins-server apr-util-1.5.4]# make && make install
如果出現報錯: make[1]: *** [xml/apr_xml.lo] Error 1 make[1]: Leaving directory `/usr/local/src/apr-util-1.6.1' make: *** [all-recursive] Error 1 解決辦法:yum install expat-devel -y
pcre編譯安裝
[root@jenkins-server src]# wget https://jaist.dl.sourceforge.net/project/pcre/pcre/8.37/pcre-8.37.tar.gz
[root@jenkins-server src]# tar zxvf pcre-8.37.tar.gz
[root@jenkins-server src]# cd pcre-8.37
[root@jenkins-server pcre-8.37]# ./configure && make && make install
apache編譯安裝
[root@jenkins-server src]# wget http://www.apache.org/dist/httpd/httpd-2.4.25.tar.gz
[root@jenkins-server src]# tar zxvf httpd-2.4.25.tar.gz
[root@jenkins-server src]# cd httpd-2.4.25
[root@jenkins-server httpd-2.4.25]# ./configure --prefix=/usr/local/apache --with-apr=/usr/local/apache/apr/bin/apr-1-config --with-apr-util=/usr/local/apache/apr-util/bin/apu-1-config --enable-module=so --enable-mods-shared=all --enable-deflate --enable-expires --enable-headers --enable-cache --enable-file-cache --enable-mem-cache --enable-disk-cache --enable-mime-magic --enable-authn-dbm --enable-vhost-alias --enable-so --enable-rewrite --enable-ssl --with-mpm=prefork
[root@jenkins-server httpd-2.4.25]# make && make install
配置apache
[root@jenkins-server src]# cd /usr/local/apache/conf/
[root@jenkins-server conf]# vim httpd.conf
........ ServerName localhost:80 ........ AddType application/x-compress .Z //這兩行是預設就有的,在這兩行下面新增下面兩行 AddType application/x-gzip .gz .tgz AddType application/x-httpd-php .php //使apache支援php AddType application/x-httpd-php-source .php5 ...... LoadModule php5_module modules/libphp5.so //新增php模組,這個在後面php編譯安裝後就會自動加進來。最後一定要檢查這裡是否有php模組產生 ...... DocumentRoot "/var/www/html" //修改apache站點目錄路徑,預設是/usr/local/apache/htdocs。注意這兩行要修改一致。 <Directory "/var/www/html"> ....... DirectoryIndex index.html index.php //新增預設的首頁面,index.html和index.php ...... Include conf/extra/mxwang.conf //新增虛擬主機配置檔案
[root@jenkins-server conf]# cd extra/
[root@jenkins-server extra]# vim mxwang.conf
<VirtualHost *:80> ServerName www.mxwang.cn DocumentRoot /var/www/html/ ErrorLog "/var/log/httpd/www.mxwang.cn-error_log" CustomLog "/var/log/httpd/www.mxwang.cn-access_log" common </VirtualHost>
啟動apache
[root@jenkins-server extra]# /usr/local/apache/bin/httpd
[root@jenkins-server extra]# ps -ef|grep http
root 30145 1 2 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30146 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30147 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30148 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30149 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30150 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
root 30156 2090 0 19:53 pts/3 00:00:00 grep --color http
[root@jenkins-server extra]# cat /var/www/html/test.html
sdfasdfasdf
測試訪問:http://www.mxwang.cn/test.html
3)PHP編譯安裝
[root@jenkins-server ~]# yum install libxml2-devel curl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel net-snmp net-snmp-devel
[root@jenkins-server ~]# cd /usr/local/src/
[root@jenkins-server src]# wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
[root@jenkins-server src]# tar zxvf libiconv-1.14.tar.gz
[root@jenkins-server src]# cd libiconv-1.14
[root@jenkins-server libiconv-1.14]# ./configure --prefix=/usr/local/php/libiconv && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mcrypt/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz
[root@jenkins-server src]# tar zxvf libmcrypt-2.5.8.tar.gz
[root@jenkins-server src]# cd libmcrypt-2.5.8
[root@jenkins-server libmcrypt-2.5.8]# ./configure && make && make install
[root@jenkins-server libmcrypt-2.5.8]# /sbin/ldconfig && cd libltdl/
[root@jenkins-server libltdl]# ./configure --enable-ltdl-install && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mhash/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz
[root@jenkins-server src]# tar zxvf mhash-0.9.9.9.tar.gz
[root@jenkins-server src]# cd mhash-0.9.9.9
[root@jenkins-server mhash-0.9.9.9]# ./configure && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mcrypt/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz
[root@jenkins-server src]# tar zxvf mcrypt-2.6.8.tar.gz
[root@jenkins-server src]# cd mcrypt-2.6.8
[root@jenkins-server mcrypt-2.6.8]# /sbin/ldconfig && export LD_LIBRARY_PATH=/usr/local/lib: LD_LIBRARY_PATH
[root@jenkins-server mcrypt-2.6.8]# ./configure && make && make install
[root@jenkins-server src]# wget http://cn2.php.net/distributions/php-5.6.15.tar.gz
[root@jenkins-server src]# tar zxvf php-5.6.15.tar.gz
[root@jenkins-server src]# cd php-5.6.15
[root@jenkins-server php-5.6.15]# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-iconv=/usr/local/php/libiconv --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-gd --with-jpeg-dir --with-png-dir --with-pear --with-freetype-dir --with-zlib --with-libxml-dir --with-iconv-dir --with-xmlrpc --with-mhash --with-mcrypt --with-curl --with-openssl --with-snmp --with-gettext --enable-pdo --enable-mbstring --enable-ctype --enable-simplexml --enable-ftp --enable-sockets --enable-gd-native-ttf --enable-sysvsem --enable-exif --enable-sysvshm --enable-xml --enable-dom --enable-simplexml --enable-shmop --enable-zip --enable-mbregex --enable-bcmath --enable-inline-optimization --enable-soap
[root@jenkins-server php-5.6.15]# make && make install
[root@jenkins-server php-5.6.15]# cp php.ini-production /usr/local/php/etc/php.ini
[root@jenkins-server php-5.6.15]# vim /etc/profile
......
export PATH=$PATH:/usr/local/php/bin
[root@jenkins-server php-5.6.15]# source /etc/profile
[root@jenkins-server src]# /usr/local/php/bin/php -m
[PHP Modules]
bcmath
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mcrypt
mhash
mysql
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
SPL
sqlite3
standard
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
zip
zlib
[Zend Modules]
一定要記得重啟aapche
[root@jenkins-server src]# pkill -9 http
[root@jenkins-server src]# ps -ef|grep http
root 31091 12736 0 20:06 pts/6 00:00:00 grep --color http
[root@jenkins-server src]# /usr/local/apache/bin/httpd
[root@jenkins-server src]# ps -ef|grep http
root 31098 1 7 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31099 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31100 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31101 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31102 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31103 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
root 31106 12736 0 20:06 pts/6 00:00:00 grep --color http
測試php:
[root@jenkins-server src]# cat /var/www/html/test.php
<?php
phpinfo()
?>
訪問:www.mxwang.cn/test.php
注意幾點:
php.ini檔案中的設定時區
[root@jenkins-server src]# vim /usr/local/php/etc/php.ini
......
date.timezone = PRC
保證站點目錄下的檔案許可權和apache啟動使用者一致:
[root@jenkins-server src]# ps -ef|grep http
root 31098 1 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31099 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31100 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31101 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31102 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31103 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31151 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
root 31409 12736 0 20:10 pts/6 00:00:00 grep --color http
[root@jenkins-server src]# ll /var/www/html/
total 40232
drwxr-xr-x. 3 777 nobody 4096 Jan 5 12:47 addons
-rw-r--r--. 1 777 nobody 464 Jan 5 12:47 admin.php
drwxr-xr-x. 2 777 nobody 4096 Jan 5 12:47 api
-rw-r--r--. 1 777 nobody 216 Jan 5 12:47 api.php
......
可以將上面的安裝過程歸檔在一個安裝指令碼里進行一鍵安裝
=================apache下http強制轉https配置==================
1)在httpd.conf檔案裡使下面模組生效
[root@back ~]# cat /usr/local/apache/conf/httpd.conf|grep rewrite_module
.......
LoadModule rewrite_module modules/mod_rewrite.so #開啟重寫跳轉功能
2)httpd.conf配置檔案或者是在httpd-vhost.conf檔案裡修改
[root@back ~]# cat /usr/local/apache/conf/httpd.conf
.......
DocumentRoot "/data/vhosts"
<Directory "/data/vhosts">
Options FollowSymLinks MultiViews Includes
AllowOverride All
Require all granted
</Directory>
3)在網站根目錄下面新增該檔案“.htaccess” 目錄訪問控制檔案,並新增如下內容:
#---------------------------------
RewriteEngine on #開啟重定向引擎
RewriteBase / #可以不設定
RewriteCond %{SERVER_PORT} !^443$ #非443埠的資料全部進行重定向
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] #把需要重定向的內容重定向到https
#----------------------------------
#如果是預設不是443埠,那麼可以在最後一行寫成這樣
RewriteRule ^.*$ https://www.wang.com:8443
#當然如果預設是443的話,也可以這麼寫
RewriteRule ^.*$ https://www.wang.com
#該 .htaccess 需要放置在網站的根目錄下面才可以生效
#----------------------------------
含義是這樣的:為了讓使用者訪問傳統的http://轉到https://上來,用了一下rewrite規則:
第一句:啟動rewrite引擎
第二句:rewrite的條件是訪問的伺服器埠不是443埠
第三句:這是正規表示式,^是開頭,$是結束,/?表示有沒有/都可以(0或1個),(.*)是任何數量的任意字元
整句的意思是講:啟動rewrite模組,將所有訪問非443埠的請求,url地址內容不變,將http://變成https://。
==========================================================
看看下面一例:
[root@back ~]# cat /usr/local/apache/conf/httpd.conf|grep -v "#"|grep -v "^$"
ServerRoot "/usr/local/apache"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so #這些模組功能的配置最好都開啟了,開啟所有LoadModule前面的註釋,否則apache啟動可能報錯。
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so #開啟https功能模組
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so #開啟重寫跳轉功能模組
LoadModule php5_module modules/libphp5.so
<IfModule unixd_module>
User nobody
Group nobody
</IfModule>
ServerAdmin you@example.com
ServerName www.example.com:80
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/data/vhosts"
<Directory "/data/vhosts">
Options FollowSymLinks MultiViews Includes
AllowOverride All
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php .phtml .php3 .inc
AddType application/x-httpd-php-source .phps
</IfModule>
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-info.conf
Include conf/extra/httpd-vhosts.conf
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
[root@back ~]# cd /usr/local/apache/conf
[root@back conf]# ls
wang.cer extra httpd.conf.bak httpd_orig.conf mime.types server.crt server.key
wang.key httpd.conf httpd.conf-orig magic original server.csr server.key.unsecure
[root@back conf]# cd extra/
[root@back extra]# ls
httpd-autoindex.conf httpd-languages.conf httpd-ssl.conf httpd-userdir.conf
httpd-dav.conf httpd-manual.conf httpd-ssl.conf.bak httpd-vhosts.conf
httpd-default.conf httpd-mpm.conf httpd-ssl.conf-orig httpd-vhosts.conf-orig
httpd-info.conf httpd-multilang-errordoc.conf httpd-ssl_orig.conf proxy-html.conf
[root@back extra]# cat httpd-vhosts.conf |grep -v "#"|grep -v "^$"
<Directory "/data/vhosts/">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:80>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/limesurvey/"
ServerName wj.wang.com
ErrorLog "logs/limesurvey.wang.com-error_log"
CustomLog "logs/limesurvey.wang.com-access_log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/nextcloud/"
ServerName nextcloud.wang.com
ErrorLog "logs/nextcloud.wang.com-error_log"
CustomLog "logs/nextcloud.wang.com-access_log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/opensns/"
ServerName opensns.wang.com
ErrorLog "logs/opensns.wang.com-error_log"
CustomLog "logs/opensns.wang.com-access_log" combined
<Directory "/data/vhosts/opensns/">
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/discuz/"
ServerName discuz.wang.com
ErrorLog "logs/discuz.wang.com-error_log"
CustomLog "logs/discuz.wang.com-access_log" combined
</VirtualHost>
[root@back extra]# cat httpd-ssl.conf |grep -v "#"|grep -v "^$"
Listen 0.0.0.0:443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost *:443>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/limesurvey/"
ServerName limesurvey.wang.com
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/wang.cer"
SSLCertificateKeyFile "/usr/local/apache/conf/wang.key"
ErrorLog "logs/limesurvey.wang.com-https-error_log"
CustomLog "logs/limesurvey.wang.com-https-access_log" combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/opensns/"
ServerName opensns.wang.com
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
ErrorLog "logs/opensns.wang.com-https-error_log"
CustomLog "logs/opensns.wang.com-https-access_log" combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/nextcloud/"
ServerName nextcloud.wang.com
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
ErrorLog "logs/nextcloud.wang.com-https-error_log"
CustomLog "logs/nextcloud.wang.com-https-access_log" combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/discuz/"
ServerName discuz.wang.com
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
ErrorLog "logs/opensns.wang.com-https-error_log"
CustomLog "logs/opensns.wang.com-https-access_log" combined
</VirtualHost>
<VirtualHost _default_:443>
DocumentRoot "/data/vhosts"
ServerName test.com
ServerAdmin g-ops-all@wang.com
ErrorLog "/usr/local/apache/logs/discuz-https-error_log"
TransferLog "/usr/local/apache/logs/discuz-https-access_log"
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
http強制跳轉到https,在每個站點的根目錄下新增.htaccess檔案,配置如下:
[root@back ~]# cat /data/vhosts/limesurvey/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
# RewriteBase /
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
# otherwise forward it to index.php
RewriteRule . index.php
</IfModule>
# General setting to properly handle LimeSurvey paths
# AcceptPathInfo on
這樣,訪問http://limesurvey.wang.com就會強制跳轉為https://limesurvey.wang.com。 其他域名配置一樣!
============================總結=========================
Apache強制HTTP全部跳轉到HTTPS,只需要在站點根目錄下新增.htaccess檔案,在.htaccess加入下面規則
1)
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
或者
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]
2)強制HTTPS方式訪問,對WWW或頂級域名不做跳轉。
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301]
3)強制HTTPS方式訪問,並自動將頂級域名跳轉到WWW。
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.kevin.com$ [NC]
RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301]
4)強制HTTPS方式訪問,並自動將WWW跳轉到頂級域名。
RewriteEngine On
RewriteCond %{HTTP_HOST} !^kevin.com$ [NC]
RewriteRule ^(.*)$ https://kevin.com/$1 [L,R=301]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://kevin.com/$1 [L,R=301]
5)站點繫結多個域名,只允許www.kevin.com 跳轉
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTP_HOST} ^kevin.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www.kevin.com [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
==================apache下多埠虛擬主機配置====================
apache伺服器上(apache+php)配置三個域名zpadmin.wang.com、 zpwechat.wang.com、zpimages.wang.com
然後在前面LB層進行反向代理配置(apache真實伺服器沒有外網ip)
三個域名分別對應三個埠8080、8081、8082,注意http.conf檔案裡的Listen
[root@localhost ~]# cat /data/apache/conf/httpd.conf|grep -v "#"|grep -v "^$"
ServerRoot "/data/apache"
Listen 192.168.1.32:8080
Listen 192.168.1.32:8081
Listen 192.168.1.32:8082
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
<IfModule unixd_module>
User nobody
Group nobody
</IfModule>
ServerAdmin you@example.com
ServerName www.example.com:80
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/data/vhosts"
<Directory "/data/vhosts">
Options FollowSymLinks MultiViews Includes
AllowOverride All
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/data/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/data/apache/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php .phtml .php3 .inc
AddType application/x-httpd-php-source .phps
</IfModule>
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-info.conf
Include conf/extra/httpd-vhosts.conf
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
虛擬主機配置如下:
注意,Apache2.4.x版本版本後就取消了NameVirtualHost配置。
所以配置對應埠的虛擬主機時不需要在<VirtualHost 192.168.1.32:8080>的前面再設定 NameVirtualHost 192.168.1.32:8080了
[root@localhost ~]# cat /data/apache/conf/extra/httpd-vhosts.conf
# Virtual Hosts
#
# Required modules: mod_log_config
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
# <VirtualHost 192.168.1.32:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot "/data/apache/docs/dummy-host.example.com"
# ServerName dummy-host.example.com
# ServerAlias www.dummy-host.example.com
# ErrorLog "logs/dummy-host.example.com-error_log"
# CustomLog "logs/dummy-host.example.com-access_log" common
# </VirtualHost>
# <VirtualHost 192.168.1.32:80>
# ServerAdmin webmaster@dummy-host2.example.com
# DocumentRoot "/data/apache/docs/dummy-host2.example.com"
# ServerName dummy-host2.example.com
# ErrorLog "logs/dummy-host2.example.com-error_log"
# CustomLog "logs/dummy-host2.example.com-access_log" common
# </VirtualHost>
# =============================================================
# Add by Francis Hao @ 2017-06-27
<Directory "/data/vhosts/">
Options FollowSymLinks
# Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
<VirtualHost 192.168.1.32:8080>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/shellking/backend/web"
ServerName zpadmin.wang.com
ErrorLog "logs/zpadmin-error_log"
CustomLog "logs/zpadmin-access_log" combined
</VirtualHost>
<VirtualHost 192.168.1.32:8081>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/shellking/wechat/web"
ServerName zpwechat.wang.com
ErrorLog "logs/zpwechat-error_log"
CustomLog "logs/zpwechat-access_log" combined
</VirtualHost>
<VirtualHost 192.168.1.32:8082>
ServerAdmin g-ops-all@wang.com
DocumentRoot "/data/vhosts/shellking/upload"
ServerName zpimages.wang.com
ErrorLog "logs/zpimages-error_log"
CustomLog "logs/zpimages-access_log" combined
</VirtualHost>
前面LB層的反向代理配置:
[root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpadmin.conf
upstream zpadmin {
server 192.168.1.32:8080 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name zpadmin.wang.com;
access_log logs/zpadmin_access.log main;
error_log logs/zpadmin_error.log;
location / {
proxy_pass http://zpadmin/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
[root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpwechat.conf
upstream zpwechat {
server 192.168.1.32:8081 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name zpwechat.wang.com;
access_log logs/zpwechat_access.log main;
error_log logs/zpwechat_error.log;
location / {
proxy_pass http://zpwechat/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
[root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpimages.conf
upstream zpimages {
server 192.168.1.32:8082 max_fails=3 fail_timeout=10s;
}
server {
listen 80;
server_name zpimages.wang.com;
access_log logs/zpimages_access.log main;
error_log logs/zpimages_error.log;
location / {
proxy_pass http://zpimages/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
================LAPM中在php(5.6.15版本)連線mysql的配置=================
apache的站點根目錄是/data/www,php測試連線mysql的測試配置如下:
[root@uatweb01 ~]# cat /data/www/test.php
<?php
$servername = "localhost:3306";
$username = "kevin";
$password = "123456";
$dbname = "kevin-test";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . mysqli_connect_error());
}else{
echo "this is connected";
}
?>
訪問該test.php檔案,如果出現如下結果"this is connected",這說明php連線mysql成功!如果出現"Connection failed",則說明php連線mysql失敗!
=============================系統後臺登入, PHP報錯============================
系統部署在了LAMP環境上, 訪問系統後臺, 點選登入沒反應, F12檢視報錯:
ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time
根據報錯提示涉及的檔案是Session.php中的170行, 最後註釋下面幾行內容, 問題解決:
169 #if (isset($config['secure'])) {
170 # ini_set('session.cookie_secure', $config['secure']);
171 #}
172
173 #if (isset($config['httponly'])) {
174 # ini_set('session.cookie_httponly', $config['httponly']);
175 #}
解釋:
上面兩個是cookie安全的設定, 加了httponly 和 cookie_secure;
http only一般是用來防止js偷cookie;
cookie_secure設定之後只有https的請求才會生效.
前面通過Nginx upstream, 實現反向代理的負載均衡方式進行訪問, 並利用nginx的ip_hash實現session共享.
下面是曾經線上使用過的一個LAMP配置(Mysql5.7+PHP7.2.3+Apahce2.4.7), http強轉到https, 前面通過Nginx反向代理, 在此貼出來分享下:
1) 後端兩臺LAMP機器的apache配置如下(http強轉到https)
[root@qw-web03 ~]# cat /usr/local/apache/conf/extra/veredholdings.conf
<VirtualHost *:80>
ServerName www.kevin.com
DocumentRoot /data/www/public
DirectoryIndex index.php index.html
ErrorLog "/var/log/httpd/www.kevin.com-error_log"
CustomLog "/var/log/httpd/www.kevin.com-access_log" common
</VirtualHost>
[root@qw-web03 ~]# cat /usr/local/apache/conf/extra/httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost *:443>
DocumentRoot "/data/www/public"
ServerName www.kevin.com
DirectoryIndex index.php index.html
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/ssl/ssl.kevin.com.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/ssl.kevin.com.key"
ErrorLog "logs/www.kevin.com-https-error_log"
CustomLog "logs/www.kevin.com-https-access_log" combined
</VirtualHost>
[root@qw-web03 ~]# ll /usr/local/apache/conf/ssl/
total 8
-rw-rw-r-- 1 root root 4085 Apr 8 2018 ssl.kevin.com.crt
-rw-rw-r-- 1 root root 1706 Apr 8 2018 ssl.kevin.com.key
[root@qw-web03 ~]# cat /usr/local/apache/conf/httpd.conf
Include conf/extra/httpd-ssl.conf
LoadModule php7_module modules/libphp7.so
DocumentRoot "/data/www/public"
<Directory "/data/www/public">
Options FollowSymLinks MultiViews Includes
AllowOverride All
Require all granted
</Directory>
[root@qw-web03 ~]# cat /data/www/public/.htaccess
<IfModule mod_rewrite.c>
Options +FollowSymlinks -Multiviews
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1 [QSA,PT,L]
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
解決:
前面幾行是http強轉到https的配置
後面三行是"關閉Apache伺服器的TRACE請求, 或是禁止遠端WWW服務支援TRACE請求", 安全配置
2) nginx反向代理配置(http強轉到https)
[root@external-lb02 ~]# cat /data/nginx/conf/vhosts/www.kevin.com.conf
upstream web-80 {
server 10.0.32.62:80 max_fails=3 fail_timeout=15s;
server 10.0.32.63:80 max_fails=3 fail_timeout=15s;
}
server {
listen 80;
server_name kevin.com;
return 301 http://www.kevin.com$request_uri;
}
server {
listen 80;
server_name www.kevin.com;
access_log /data/nginx/logs/www.kevin.com-access.log main;
error_log /data/nginx/logs/www.kevin.com-error.log;
location / {
proxy_pass http://web-80;
proxy_set_header Host $host;
proxy_redirect http://web-80/ http://www.kevin.com/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
[root@external-lb02 ~]# cat /data/nginx/conf/vhosts/443-www.kevin.com.conf
upstream web-443 {
ip_hash;
server 10.0.32.62:443 max_fails=3 fail_timeout=15s;
server 10.0.32.63:443 max_fails=3 fail_timeout=15s;
}
server {
listen 443;
server_name www.kevin.com kevin.com;
ssl on;
ssl_certificate /data/nginx/conf/ssl/ssl.kevin.com.crt;
ssl_certificate_key /data/nginx/conf/ssl/ssl.kevin.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
ssl_prefer_server_ciphers on;
access_log /data/nginx/logs/www.kevin.com-access.log main;
error_log /data/nginx/logs/www.kevin.com-error.log;
if ($host = "kevin.com") {
rewrite ^/(.*)$ https://www.kevin.com permanent;
}
location / {
proxy_pass https://web-443;
proxy_set_header Host $host;
proxy_redirect https://web-443/ https://www.kevin.com/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
[root@external-lb02 ~]# ll /data/nginx/conf/ssl/
總用量 36
-rw-r-xr-- 1 root root 4085 4月 8 2018 ssl.kevin.com.crt
-rw-r-xr-- 1 root root 1706 4月 8 2018 ssl.kevin.com.key