CentOS 7, 基于rpm包方式安装部署apm(php-fpm) + xcache;
a) httpd, php, mariadb分别部署在一个单独的主机上;
b) 一个虚拟主机提供phpMyAdmin,另一个虚拟主机提供wordpress;
c) 为phpMyAdmim提供https服务;
环境配置:
三台主机独立都需要关闭防火墙和设置SELinux:
使用httpd+FastCGI的方式实现整合:
1.php-5.3.3+版本中才能默认实现;
2.httpd支持proxy_fcgi_module,默认httpd-2.2中不支持此模块,httpd-2.4支持
第一个主机---配置httpd:
[root@chenliang ~]# yum -y install httpd
配置虚拟主机:
[root@chenliang ~]# vim /etc/httpd/conf.d/www.conf
重新启动httpd服务:
[root@chenliang conf.d]# systemctl start httpd.service
第二个主机---提供php服务:
安装php-fpm:
[root@chenliang ~]# rpm -q php //php-fpm和php不能同时存在,要安装php-fpm需要首先卸载php
未安装软件包 php
安装php-fpm等应用程序:
[root@chenliang ~]# yum -y install php-fpm php-mysql php-gd php-mbstring
构建在httpd配置文件中对应的映射路径:
[root@chenliang ~]# mkdir -pv /var/www/html/vhost1
mkdir: 已创建目录 "/var/www/html/vhost1"
[root@chenliang ~]# cd /var/www/html/vhost1
[root@chenliang vhost1]# vim index.php
提供php服务的主机。
phpinfo();
?>
修改php-fpm服务进程的配置文件:
[root@chenliang ~]# vim /etc/php-fpm.d/www.conf
listen = 172.16.72.2:9000 //php-fpm服务器监听本机套接字
listen.allowed_clients = 172.16.72.1 //监听的httpd服务器IP地址用于接受请求
[root@chenliang ~]# systemctl start php-fpm.service
查看启动php-fpm状态,发现监听的IP地址和9000端口号是我们设定的端口号:
测试PHP连接顺畅:
搭建WordPress:
[root@chenliang vhost1]# ls
index.php wordpress-4.2-zh_CN.tar.gz
[root@chenliang vhost1]# tar xf wordpress-4.2-zh_CN.tar.gz
[root@chenliang vhost1]# ls
index.php wordpress wordpress-4.2-zh_CN.tar.gz
[root@chenliang vhost1]# cd wordpress/
[root@chenliang wordpress]# vim wp-config-sample.php //修改WordPress配置文件,需要手动创建数据库和用户名等配置;其中的IP地址是第三个主机IP
下图代表WordPress论坛界面已经可以显示,只需要搭建好数据库就可以了:
搭建phpMyAdmin 应用程序:
第三个主机---提供mariadb(数据库)服务:
1)配置WordPress论坛:
[root@chenliang ~]# yum install -y mariadb-server
开启数据库服务:
[root@chenliang ~]# systemctl start mariadb.service
对WordPress论坛访问用户授权:
根据下面的提示,在第二个主机配置文件:
[root@chenliang wordpress]# vim wp-config.php //在其中加入提示内容
结果如下:
创建用户后安装:
最终结果:
[root@chenliang pma]# scp -r wordpress [email protected]:/var/www/html/vhost1/ //将首页文件发送至第一个httpd主机下
2)配置phpMyAdmin 论坛:
在第三台主机中对用户进行访问数据库授权:
在第二台主机/var/www/html/vhost2下安装phpMyAdmin:
[root@chenliang vhost2]# ls
index.php phpMyAdmin-3.5.4-all-languages.tar.gz
[root@chenliang vhost2]# tar xf phpMyAdmin-3.5.4-all-languages.tar.gz
[root@chenliang vhost2]# ls
index.php phpMyAdmin-3.5.4-all-languages phpMyAdmin-3.5.4-all-languages.tar.gz
[root@chenliang vhost2]# mv phpMyAdmin-3.5.4-all-languages pma
[root@chenliang vhost2]# ls
index.php phpMyAdmin-3.5.4-all-languages.tar.gz pma
[root@chenliang vhost2]# cd pma/
[root@chenliang pma]# ls
[root@chenliang pma]# mv config.sample.inc.php config.inc.php
[root@chenliang pma]# openssl rand -base64 10
RKUJMUuBLrHlKg==
[root@chenliang pma]# vim config.inc.php //将上面的生成的随机数修改到配置文件中,然后修改随机数来保障数据库访问安全,修改数据库所在主机IP,如下图
$cfg['blowfish_secret'] = 'RKUJMUuBLrHlKg==';
$cfg['Servers'][$i]['host'] = '172.16.74.1';
[root@chenliang vhost2]# scp -r pma [email protected]:/var/www/html/vhost2/ //将phpMyAdmin的首页文件发送到httpd主机,以保障良好的页面展示,反向代理跳转的话,界面较丑
测试结果如下:
为phpMyAdmin提供https服务:
在第一台主机中为phpMyAdmin提供https服务:
[root@chenliang conf.d]# yum install -y mod_ssl
创建私有CA:
[root@chenliang ~]# cd /etc/pki/CA
[root@chenliang CA]# ls
certs crl newcerts private
[root@chenliang CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.++
.++
e is 65537 (0x10001)
生成自签证书:
[root@chenliang CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:cl
Locality Name (eg, city) [Default City]:cl
Organization Name (eg, company) [Default Company Ltd]:cl
Organizational Unit Name (eg, section) []:cl
Common Name (eg, your name or your server's hostname) []:cl
Email Address []:
[root@chenliang CA]# ls
cacert.pem certs crl newcerts private
创建文本文件和目录文件:
[root@chenliang CA]# touch index.txt
[root@chenliang CA]# echo 01 > serial
[root@chenliang CA]# ls
cacert.pem certs crl index.txt newcerts private serial
为httpd服务器生成密钥并生成证书请求:
[root@chenliang CA]# cd ~
[root@chenliang ~]# mkdir -pv /etc/httpd/ssl
mkdir: 已创建目录 "/etc/httpd/ssl"
[root@chenliang ~]# cd /etc/httpd/ssl
[root@chenliang ssl]# (umask 077;openssl genrsa -out httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
........................................++
..........................................................................................................++
e is 65537 (0x10001)
[root@chenliang ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:cl
Locality Name (eg, city) [Default City]:cl
Organization Name (eg, company) [Default Company Ltd]:cl
Organizational Unit Name (eg, section) []:cl
Common Name (eg, your name or your server's hostname) []:cl
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:cl
将证书请求发送到CA:
[root@chenliang ssl]# ls
httpd.csr httpd.key
[root@chenliang ssl]# cp httpd.csr /tmp
在CA上为此次请求签发证书:
[root@chenliang ssl]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 10 14:52:39 2018 GMT
Not After : May 10 14:52:39 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = cl
organizationName = cl
organizationalUnitName = cl
commonName = cl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
75:3A:3D:56:AE:73:1B:8E:19:D5:B8:2B:84:A8:6F:2C:0B:F1:4B:CB
X509v3 Authority Key Identifier:
keyid:79:4B:25:B7:82:DC:20:46:D9:C7:CA:5A:FD:DE:45:32:D6:4C:59:C5Certificate is to be certified until May 10 14:52:39 2019 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
在CA上将CA签发的证书传送到httpd服务器:
[root@chenliang ssl]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
在httpd服务器上,删除证书请求文件:
[root@chenliang ssl]# ls
httpd.crt httpd.csr httpd.key
[root@chenliang ssl]# rm -f httpd.csr
在vhost2虚拟主机站点服务器上配置ssl支持:
配置https的虚拟主机(保证mod_ssl模块被正确装载;如果没有,则需要单独安装):[root@chenliang ~]# cd /etc/httpd/conf.d
[root@chenliang conf.d]# vim ssl.conf
DocumentRoot "/var/www/html/vhost2"
ServerName www.chenliangs.com:443
DirectoryIndex index.php
ProxyRequests on
ProxyPassMatch ^/(.*.php)$ fcgi://172.16.72.2:9000/var/www/html/vhost2/$1
Options None
Allowoverride None
Require all granted
重启服务:
[root@chenliang conf.d]# systemctl restart httpd.service
先测试https在静态资源页面的显示效果,如图:
[root@chenliang html]# mkdir /var/www/html/vhost2 -pv
mkdir: 已创建目录 "/var/www/html/vhost2"
[root@chenliang html]# ls
index.html vhost2
[root@chenliang html]# cd vhost2/
[root@chenliang vhost2]# ls
[root@chenliang vhost2]# vim index.html
https's static page.
之后在第二台主机上,测试PHP数据库连接:
[root@chenliang html]# mkdir /var/www/html/vhost2 -pv
mkdir: 已创建目录 "/var/www/html/vhost2"
[root@chenliang html]# ls
index.html vhost1 vhost2
[root@chenliang html]# cd vhost2/
[root@chenliang vhost2]# ls
[root@chenliang vhost2]# vim index.php
测试结果如下: