
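CentOS is the free edition of RHEL (Red Hat Enterprise Linux). Thanks to heavy promotion by Red Hat it is very popular both in China and abroad. Because so many companies and developers depend on it, stability comes first, so the software shipped with CentOS never chases the latest versions.

Quite often, though, we need a newer version to get something done. This article shows how to install a newer LEMP stack on CentOS / RHEL 7.x using EPEL and the vendors' official repositories.

All operations in this article are performed as the root user; switch to root or grant yourself sudo privileges first.

Initial configuration

Disable SELinux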

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config && setenforce 0

Add the EPEL and PHP repositories

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
# yum install -y https://centos7.iuscommunity.org/ius-release.rpm
# yum install -y https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Remove unneeded software and upgrade the system

yum upgrade -y
yum install -y centos-release centos-release-scl centos-release-xen centos-release-yum4
yum install -y yum4 && yum4 -y install dnf-plugins-core
yum4 group install -y "Core" "Base" "Development Tools" "Compatibility Libraries"
yum4 install -y kernel kernel-devel kernel-headers
yum4 install -y bzip2-devel ca-certificates clang-devel cmake crontabs curl-devel dh-autoreconf dialog diffutils enchant-devel file firewalld flex gd-devel gperftools-devel htop iftop iptables* jemalloc-devel libaio-devel libargon2-devel libatomic_ops-devel libc-client-devel libbsd-devel libcurl libcurl-devel libyaml-devel libevent-devel libjpeg-devel libmcrypt-devel libnghttp2-devel libpng-devel libtidy-devel libuuid-devel libwebp-devel libxml2-devel libxslt-devel libzip-devel lua-devel make ncurses-devel net-snmp-devel net-tools nghttp2 nload openssl-devel pcre-devel pkgconfig python-devel python2-pip python36 python36-devel readline-devel recode-devel rsyslog screen subversion sudo time unzip vim virt-what which yum-plugin-fastestmirror yum-plugin-security yum-plugin-versionlock GeoIP-devel ImageMagick-c++-devel ImageMagick-devel
yum4 install -y devtoolset-7-* llvm-toolset-7-*
yum4 upgrade -y

Change the system time zone (optional)

timedatectl set-timezone Asia/Shanghai

Install Nginx

Use the official Nginx repository and import the Nginx signing key

rpm --import https://nginx.org/keys/nginx_signing.key

Create the Nginx repository file

cat > /etc/yum.repos.d/nginx.repo << EOF
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/\$basearch/
gpgcheck=1
enabled=1
EOF
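
A quick audit of repository definitions for the two settings that decide whether yum can trust what it downloads: signature checking and transport. This is an added example, not part of the original article; the function name audit_repo and the sample repository file are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag enabled yum repo sections that disable signature
# checks or fetch packages/keys over plain HTTP.

# audit_repo FILE -> prints one "section: finding" line per problem found.
audit_repo() {
    awk '
        function report() {
            if (section == "" || enabled == "0") return
            if (gpgcheck == "0") print section ": gpgcheck=0"
            if (plain != "")     print section ": plain-HTTP " plain
        }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # a new [section] starts
            report()
            section = $0; gsub(/^[ \t]*\[|\].*$/, "", section)
            gpgcheck = ""; enabled = "1"; plain = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "enabled")  enabled = val
            if ((key == "baseurl" || key == "mirrorlist" || key == "gpgkey") && val ~ /^http:/)
                plain = (plain == "" ? key : plain "," key)
        }
        END { report() }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[signed]
baseurl=https://repo.example.invalid/el7/$basearch/
gpgcheck=1

[unsigned]
baseurl=http://repo.example.invalid/el7/$basearch/
gpgcheck=0
enabled=1
EOF
audit_repo "$sample"
rm -f "$sample"
```

On a real system, loop over the files in /etc/yum.repos.d/ and review every line the function prints before installing from those repositories.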

Install Nginx

yum4 remove -y httpd* mod_* && yum4 install -y nginx
nginx -V

Open the firewall ports for Nginx (using firewalld as an example)

systemctl start firewalld && systemctl enable firewalld
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --reload

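Install PHP

Install PHP from the Remi repository

We do not pull PHP from the official CentOS repository because that version is far too old. Instead we use the PHP packages maintained by Remi and install the newer PHP 7.2.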

yum-config-manager --enable remi-php72 && yum4 -y update
yum4 install -y php-{bcmath,cli,common,devel,fpm,gd,intl,json,mbstring,mysqlnd,odbc,opcache,pdo,xml,xmlrpc,ioncube-loader}

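Edit /etc/php.ini to guard against cross-site attacks. With cgi.fix_pathinfo=0, PHP stops guessing which file to execute when the requested script path does not exist:

sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini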

Switch the connection between Nginx and PHP-FPM to a Unix socket

sed -i 's|listen = 127.0.0.1:9000|listen = /var/run/php-fpm/php-fpm.sock|' /etc/php-fpm.d/www.conf
sed -i 's/;listen.owner = nobody/listen.owner = nginx/' /etc/php-fpm.d/www.conf
sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php-fpm.d/www.conf
sed -i 's/;listen.mode = 0660/listen.mode = 0660/' /etc/php-fpm.d/www.conf
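
sed -i exits successfully even when its pattern matches nothing, so it is worth confirming that the php.ini and www.conf edits above actually took effect before starting php-fpm. The check below is an added example, not from the original article; ini_get, expect_ini and verify_php_stack are hypothetical helper names and the sample files are constructed.

```bash
#!/bin/sh
# Added example: confirm the effective (uncommented) values after the sed edits.

# ini_get FILE KEY -> last active value of KEY, empty if it is unset.
ini_get() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }                  # commented-out settings do not count
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val        # later lines override earlier ones
        }
        END { print found }
    ' "$1"
}

# expect_ini FILE KEY VALUE -> 0 on match, 1 (with a message on stderr) otherwise.
expect_ini() {
    actual=$(ini_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "MISMATCH $1: $2 is '${actual:-<unset>}', expected '$3'" >&2
    return 1
}

# verify_php_stack PHP_INI FPM_POOL -> exit status is the number of failed checks.
verify_php_stack() {
    fails=0
    expect_ini "$1" cgi.fix_pathinfo 0                   || fails=$((fails + 1))
    expect_ini "$2" listen /var/run/php-fpm/php-fpm.sock || fails=$((fails + 1))
    expect_ini "$2" listen.owner nginx                   || fails=$((fails + 1))
    expect_ini "$2" listen.group nginx                   || fails=$((fails + 1))
    expect_ini "$2" listen.mode 0660                     || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: the pool file uses a listen line the sed pattern would not match.
tmp=$(mktemp -d)
printf '[PHP]\ncgi.fix_pathinfo=0\n' > "$tmp/php.ini"
printf '[www]\nlisten = /run/php-fpm/www.sock\nlisten.owner = nginx\nlisten.group = nginx\nlisten.mode = 0660\n' > "$tmp/www.conf"
verify_php_stack "$tmp/php.ini" "$tmp/www.conf" || echo "$? setting(s) not applied"
rm -rf "$tmp"
```

On the server, run `verify_php_stack /etc/php.ini /etc/php-fpm.d/www.conf`; a non-zero exit status is the number of settings that did not take.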

Start the php-fpm service:

systemctl start php-fpm
systemctl enable php-fpm

Create a PHP info test file

Edit the Nginx configuration file

cat > /etc/nginx/conf.d/default.conf << EOF
server {
    listen       80;
    server_name  localhost;
    root  /usr/share/nginx/html;
    index  index.html;
    access_log  /var/log/nginx/host.access.log  main;
    location / {
        try_files \$uri \$uri/ =404;
    }
    error_page  404              /404.html;
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files      \$uri =404;
        fastcgi_index  index.php;
        fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param  SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include        fastcgi_params;
    }
    location ~ /\.ht {
        deny  all;
    }
}
EOF

Create the PHP test file:

cat > /usr/share/nginx/html/index.php << EOF
<?php phpinfo(); ?>
EOF

Restart Nginx and view the PHP parameters

systemctl restart nginx
systemctl enable nginx

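Open http://<YOURIP>/index.php in a browser to view it. If the page loads, the installation so far was successful.

Install MySQL

Once again I recommend using Percona Server in place of MySQL / MariaDB

Add the Percona Server repository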

yum install https://www.percona.com/redir/downloads/percona-release/redhat/latest/percona-release-0.1-6.noarch.rpm

Then install

yum4 update && yum4 install Percona-Server-server-57 percona-xtrabackup-24 percona-toolkit -y

For security reasons the installation does not ask for a MySQL root password, so we simply start MySQL:

systemctl start mysql

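The root password is then written to the log

grep "temporary password" /var/log/mysqld.log

The result looks roughly like this:

A temporary password is generated for root@localhost: 123456

The string at the end is your root password.

Reset the password and harden the installation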

mysql_secure_installation  

Answer the prompts as follows

# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root: 

The existing password for the user account root has expired. Please set a new password.

New password: 

Re-enter new password: 

The 'validate_password' plugin is installed on the server.
The subsequent steps will run with the existing configuration
of the plugin.
Using existing password for root.

Estimated strength of the password: 100 
Change the password for root ? ((Press y|Y for Yes, any other key for No) : n

... skipping.
By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.

Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done!  

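With the initial security settings done, we can go on to create a database.

Create a database and a user

  • First log in to MySQL as root
mysql -u root -p
  • You will be prompted for the password. After logging in, create a database named example
CREATE DATABASE example DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

With mobile clients now so common, we no longer use the utf-8 encoding (MySQL's utf8 stores at most three bytes per character) and use utf8mb4 instead, so that emoji can be stored in the MySQL database. You can even try using emoji as a user name or password.

  • Next create a user named example_user with a strong password and grant it privileges on the example database
GRANT ALL ON example.* TO 'example_user'@'localhost' IDENTIFIED BY 'change-this-to-a-strong-random-password-nobody-can-guess';

The terminal will show something like Query OK, 0 rows affected, 1 warning; you can ignore it.

  • Then flush the privileges; if there are no problems you can exit and the installation is finished
FLUSH PRIVILEGES;
EXIT;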
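
MySQL 5.7 deprecates creating an account through GRANT ... IDENTIFIED BY, which is the likely source of the warning in the last step. The following added example (not from the original article) generates a random password containing lower-case, upper-case, digit and symbol characters, as the default MEDIUM policy of validate_password requires, and emits the equivalent CREATE USER and GRANT statements; gen_password and app_user_sql are hypothetical helper names.

```bash
#!/bin/sh
# Added example: random password plus CREATE USER / GRANT for the example database.

# gen_password [LEN] -> LEN random characters from /dev/urandom, retried until
# lower case, upper case, digit and symbol are all present. The alphabet has no
# quote or backslash, so the result is safe inside a single-quoted SQL string.
gen_password() (
    LC_ALL=C; export LC_ALL
    len=${1:-24}
    while :; do
        pw=$(head -c 1024 /dev/urandom | tr -dc 'A-Za-z0-9_@%+=:,.-' | head -c "$len")
        [ "${#pw}" -eq "$len" ] || continue
        case $pw in *[a-z]*) ;; *) continue ;; esac
        case $pw in *[A-Z]*) ;; *) continue ;; esac
        case $pw in *[0-9]*) ;; *) continue ;; esac
        case $pw in *[_@%+=:,.-]*) ;; *) continue ;; esac
        printf '%s\n' "$pw"
        return 0
    done
)

# app_user_sql DB USER PASSWORD -> SQL that creates USER@localhost and grants it DB.
app_user_sql() {
    cat <<EOF
CREATE USER '$2'@'localhost' IDENTIFIED BY '$3';
GRANT ALL ON \`$1\`.* TO '$2'@'localhost';
EOF
}

# Demonstration with the names used in this article; store the printed password
# in a password manager before running the statements in the mysql client.
app_user_sql example example_user "$(gen_password 24)"
```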