Contents:
1. Environment overview
2. Static/dynamic separation topology diagram
3. Role of each server
4. Base configuration of each server
5. httpd installation and configuration
6. php installation, configuration, and enabling OPcache
7. mysql installation and configuration
8. WordPress installation and test
9. CA server and SSL configuration
10. phpMyAdmin installation and test
11. Testing the php OPcache speed-up
12. Summary
1. Environment overview:
In earlier posts httpd, mysql and php (php loaded as an httpd module) were all integrated on a single Linux host. That simple layout is adequate while a site is young, but as traffic grows and the business logic becomes more complex it no longer keeps up, and the architecture needs reworking into something that scales. This time the surgery is bigger: httpd, mysql, and php (now working as a FastCGI service) are each deployed on their own server, so each service does its own job on its own hardware. Capacity can be added per tier as load grows, and the split also separates static content (served by httpd) from dynamic content (executed by php-fpm).
All software packages used here can be obtained from: download address for the LAMP packages
2. Static/dynamic separation topology diagram:
3. Role of each server:

Hostname | IP address    | Services installed                          | Notes
http     | 192.168.0.200 | httpd, NFS client                           | mounts the site tree exported by the php server over NFS, so site code is uploaded once instead of to both http and php
php      | 192.168.0.201 | php-fpm, NFS server, phpMyAdmin, WordPress  | php runs as php-fpm; the site tree is shared out over NFS
mysql    | 192.168.0.202 | mysql, CA server                            | data directory on an LVM volume; also acts as the CA that issues the certificate used to reach phpMyAdmin over HTTPS
4. Base configuration of each server:
4.1. http server:
[root@http ~]# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
[root@http ~]# hostname
http
[root@http ~]# ifconfig | grep Bcast:
          inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
[root@http ~]# echo "192.168.0.200 www" >> /etc/hosts
[root@http ~]# echo "192.168.0.201 php" >> /etc/hosts
[root@http ~]# echo "192.168.0.202 mysql" >> /etc/hosts
[root@http ~]# chkconfig iptables off
[root@http ~]# service iptables stop
[root@http ~]# vim /etc/sysconfig/selinux
SELINUX=disabled
[root@http ~]# shutdown -r now
4.2. php server:
[root@php ~]# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
[root@php ~]# hostname
php
[root@php ~]# ifconfig | grep Bcast:
          inet addr:192.168.0.201  Bcast:192.168.0.255  Mask:255.255.255.0
[root@php ~]# echo "192.168.0.201 php" >> /etc/hosts
[root@php ~]# echo "192.168.0.200 http" >> /etc/hosts
[root@php ~]# echo "192.168.0.202 mysql" >> /etc/hosts
[root@php ~]# chkconfig iptables off
[root@php ~]# service iptables stop
[root@php ~]# vim /etc/sysconfig/selinux
SELINUX=disabled
[root@php ~]# shutdown -r now
4.3. mysql server:
[root@mysql ~]# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
[root@mysql ~]# hostname
mysql
[root@mysql ~]# ifconfig | grep Bcast:
          inet addr:192.168.0.202  Bcast:192.168.0.255  Mask:255.255.255.0
[root@mysql ~]# echo "192.168.0.202 mysql" >> /etc/hosts
[root@mysql ~]# echo "192.168.0.200 http" >> /etc/hosts
[root@mysql ~]# echo "192.168.0.201 php" >> /etc/hosts
[root@mysql ~]# chkconfig iptables off
[root@mysql ~]# service iptables stop
[root@mysql ~]# vim /etc/sysconfig/selinux
SELINUX=disabled
[root@mysql ~]# shutdown -r now

Note: iptables and SELinux are switched off on all three hosts only to keep the lab simple. Everything set up below (NFS, php-fpm on TCP 9000, MySQL on 3306) is then reachable from the whole 192.168.0.0/24 network, and several later steps rely on nothing else restricting access. On a real deployment keep iptables on and open only 80/443 on http, NFS plus 9000 (from http only) on php, and 3306 (from php only) on mysql. SELinux can stay enforcing for this layout with the httpd_use_nfs and httpd_can_network_connect booleans enabled on the http host.
4.4. Passwordless SSH between the servers:
4.4.1. Let http log in to php and mysql without a password:
[root@http ~]# ssh-keygen -t rsa          # press Enter at every prompt
[root@http ~]# ls /root/.ssh/
id_rsa  id_rsa.pub
[root@http ~]# ssh-copy-id root@php       # answer "yes" at the host-key prompt, then enter the php host's root password
[root@http ~]# ls /root/.ssh/             # a known_hosts file has appeared
id_rsa  id_rsa.pub  known_hosts
[root@http ~]# ssh-copy-id root@mysql
Test that http can reach php and mysql without a password:
[root@http ~]# ssh root@php
Last login: Sat Jan 31 16:41:46 2015 from http
[root@http ~]# ssh root@mysql
Last login: Sat Jan 31 16:38:12 2015 from http
Note: whether you run "ssh-copy-id root@php" or "ssh-copy-id [email protected]" makes no difference to key authentication. In both cases your public key is appended to /root/.ssh/authorized_keys on the php host, and afterwards both "ssh root@php" and "ssh [email protected]" log in without a password. What does differ is /root/.ssh/known_hosts on the client: it records the server's host key under the name or address you used first, so connecting under the other name triggers the host-key confirmation prompt (the "yes" question), not a password prompt. Looking at known_hosts after each command makes this clear.
A second point: the following subsections build a full mesh of passwordless root logins. If any one host is compromised, the attacker has root on all three. Only the file transfers in section 9 actually need it (a CSR from http to mysql and a certificate back), so in practice one direction, or an unprivileged transfer account, is enough.
4.4.2. Let php log in to http and mysql without a password:
[root@php ~]# ssh-keygen -t rsa
[root@php ~]# ssh-copy-id root@http
[root@php ~]# ssh-copy-id root@mysql
4.4.3. Let mysql log in to http and php without a password:
[root@mysql ~]# ssh-keygen -t rsa
[root@mysql ~]# ssh-copy-id root@http
[root@mysql ~]# ssh-copy-id root@php
4.5. Preparing the site directory tree over NFS:
On the php host (NFS server):
[root@php ~]# yum -y install nfs-utils
[root@php ~]# vim /etc/exports
/web/vhosts 192.168.0.200(rw,sync,no_root_squash)
[root@php ~]# mkdir -pv /web/vhosts/{bbs.linux.com,phpmyadmin.com}
[root@php ~]# service rpcbind start
[root@php ~]# service nfs start
[root@php ~]# chkconfig nfs on
On the http host (NFS client):
[root@http httpd-2.4.12]# mkdir -pv /web/vhosts
[root@http httpd-2.4.12]# vim /etc/fstab
192.168.0.201:/web/vhosts  /web/vhosts  nfs  defaults  0 0     # new line
[root@http httpd-2.4.12]# mount -a
[root@http httpd-2.4.12]# ls /web/vhosts/
bbs.linux.com  phpmyadmin.com
Note: restricting the export to the http host's address is right. rw together with no_root_squash, however, lets root on http write anywhere in the export as root on php; it is used here so that test files can be created from the http side (section 5.3.3 and 6.4.3). Once the site is deployed, httpd only needs to read the tree, so ro with the default root_squash is the safer export. Keep in mind that NFSv3 trusts the client's IP address and the UIDs it presents, so with the firewall off anyone who can put 192.168.0.200 on this LAN gets the same access.
5. httpd installation and configuration:
5.1. Package versions:
[root@http software]# pwd
/root/software
[root@http software]# ls
apr-1.5.1.tar.gz  apr-util-1.5.2.tar.bz2  httpd-2.4.12.tar.bz2
5.2. Resolving httpd's dependencies:
[root@http software]# yum -y install pcre-devel
[root@http software]# tar xf apr-1.5.1.tar.gz
[root@http software]# cd apr-1.5.1
[root@http apr-1.5.1]# ./configure --prefix=/usr/local/apr-1.5
[root@http apr-1.5.1]# make && make install
Note: before compiling apr-1.5.1, see the separate post "apr install error: rm: cannot remove `libtoolT': No such file or directory".
[root@http software]# tar xf apr-util-1.5.2.tar.bz2
[root@http software]# cd apr-util-1.5.2
[root@http apr-util-1.5.2]# ./configure --prefix=/usr/local/apr-util-1.5 --with-apr=/usr/local/apr-1.5
[root@http apr-util-1.5.2]# make && make install
5.3. Compiling, installing and configuring httpd:
5.3.1. Compile, configure, install:
[root@http software]# tar xf httpd-2.4.12.tar.bz2
[root@http software]# cd httpd-2.4.12
[root@http httpd-2.4.12]# ./configure --prefix=/usr/local/apache24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --enable-modules=most --enable-mpms-shared=all --with-zlib --with-pcre --with-mpm=event --with-apr=/usr/local/apr-1.5 --with-apr-util=/usr/local/apr-util-1.5
[root@http httpd-2.4.12]# make && make install
5.3.2. Post-install housekeeping:
Export the binaries:
[root@http httpd-2.4.12]# vim /etc/profile.d/http24.sh
export PATH=/usr/local/apache24/bin:$PATH
[root@http httpd-2.4.12]# source /etc/profile.d/http24.sh
Export the header files:
[root@http httpd-2.4.12]# ln -sv /usr/local/apache24/include /usr/include/http24
Export the man pages:
[root@http httpd-2.4.12]# vim /etc/man.config
MANPATH /usr/man
MANPATH /usr/share/man
MANPATH /usr/local/man
MANPATH /usr/local/share/man
MANPATH /usr/X11R6/man
MANPATH /usr/local/apache24/man      # added
Start httpd at boot (an earlier post shows how to give httpd a SysV-style init script instead):
[root@http httpd-2.4.12]# echo "/usr/local/apache24/bin/apachectl -k start" >> /etc/rc.local
5.3.3. Configure httpd, add php support, enable virtual hosts:
[root@http httpd-2.4.12]# cp /etc/httpd24/httpd.conf /etc/httpd24/httpd.conf.back
[root@http httpd-2.4.12]# vim /etc/httpd24/httpd.conf
ServerName 192.168.0.200:80                        # enable ServerName
#DocumentRoot "/usr/local/apache24/htdocs"         # comment out the main server's DocumentRoot
DirectoryIndex index.php index.html                # add index.php as a directory index
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php               # added for php
AddType application/x-httpd-php-source .phps       # added for php
Include /etc/httpd24/extra/httpd-vhosts.conf       # enable the virtual host configuration file
Note: the two AddType lines only have an effect when php is loaded as an httpd module (mod_php). With php-fpm behind mod_proxy_fcgi, as set up in section 6.4, they are never consulted and can be left out. The .phps mapping in particular exists only to display php source code in the browser, so it is better not to carry it into a FastCGI setup at all.
Configure the virtual hosts (comment out the sample VirtualHost container at the end of the file, then add these two; the annotations are not part of the file, httpd does not accept trailing comments):
[root@http httpd-2.4.12]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/bbs.linux.com"
    ServerName bbs.linux.com
    ErrorLog "logs/bbs.linux.com-error_log"
    CustomLog "logs/bbs.linux.com-access_log" common
    <Directory "/web/vhosts/bbs.linux.com">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/phpmyadmin.com"
    ServerName phpmyadmin.com
    ErrorLog "logs/phpmyadmin.com-error_log"
    CustomLog "logs/phpmyadmin.com-access_log" common
    <Directory "/web/vhosts/phpmyadmin.com">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
Test the two virtual hosts:
[root@http httpd-2.4.12]# vim /web/vhosts/bbs.linux.com/index.html
This is bbs.linux.com
[root@http httpd-2.4.12]# vim /web/vhosts/phpmyadmin.com/index.html
This is phpmyadmin.com
[root@http httpd-2.4.12]# /usr/local/apache24/bin/apachectl -k start
Finally add the two host names, pointing at the http server, to the hosts file of the Windows workstation and check in a browser that both names are served.
6. php installation, configuration, and enabling OPcache:
6.1. Package versions:
[root@php software]# pwd
/root/software
[root@php software]# ls
php-5.6.5.tar.xz
6.2. Resolving php's dependencies:
[root@php software]# yum -y install libxml2-devel bzip2-devel libmcrypt-devel mhash-devel    # if the default yum repositories lack some of these, add the EPEL repository first
6.3. Compiling and configuring php:
6.3.1. Compile and install:
[root@php software]# tar xf php-5.6.5.tar.xz
[root@php software]# cd php-5.6.5
[root@php php-5.6.5]# ./configure --prefix=/usr/local/php5.6 --enable-mbstring --enable-xml --enable-fpm --enable-sockets --with-mysql=mysqlnd --with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-openssl --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
[root@php php-5.6.5]# make && make install
6.3.2. Provide php.ini, php-fpm.conf, an init script, and finish up:
[root@php php-5.6.5]# cp php.ini-production /etc/php.ini
[root@php php-5.6.5]# cp /usr/local/php5.6/etc/php-fpm.conf.default /usr/local/php5.6/etc/php-fpm.conf
[root@php php-5.6.5]# vim /usr/local/php5.6/etc/php-fpm.conf      # tune the parameters below sensibly
listen = 192.168.0.201:9000
pm.max_children = 5            # maximum number of worker processes; a production server will want far more than 5
pm.start_servers = 2           # workers started with php-fpm
pm.min_spare_servers = 1       # minimum idle workers
pm.max_spare_servers = 3       # maximum idle workers
[root@php php-5.6.5]# cp sapi/fpm/init.d.php-fpm /etc/rc.d/init.d/php-fpm
[root@php php-5.6.5]# chmod +x /etc/rc.d/init.d/php-fpm
[root@php php-5.6.5]# chkconfig --add php-fpm
[root@php php-5.6.5]# chkconfig php-fpm on
# start php-fpm and check that it listens:
[root@php php-5.6.5]# service php-fpm start
[root@php php-5.6.5]# netstat -tnulp | grep 9000
# export the binaries:
[root@php php-5.6.5]# echo 'export PATH=/usr/local/php5.6/bin:$PATH' > /etc/profile.d/php.sh
[root@php php-5.6.5]# source /etc/profile.d/php.sh
[root@php php-5.6.5]# php -v
PHP 5.6.5 (cli) (built: Feb  1 2015 09:41:40)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
# export the header files:
[root@php php-5.6.5]# ln -sv /usr/local/php5.6/include /usr/include/php5.6
# export the libraries:
[root@php php-5.6.5]# echo "/usr/local/php5.6/lib" > /etc/ld.so.conf.d/php56.conf
[root@php php-5.6.5]# ldconfig
Note: binding the pool to 192.168.0.201:9000 makes it reachable from every host on the LAN, and with iptables off nothing else filters the port. php-fpm executes whatever script path the FastCGI client names in SCRIPT_FILENAME, so an open pool is code execution for anyone who can connect. Add "listen.allowed_clients = 192.168.0.200" to the pool (the setting is in php-fpm.conf.default, commented out) so that only the httpd host is accepted. The pool keeps the default "user = nobody", which is the account the site files must be readable by.
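As an added example (not part of the original post), the following POSIX shell script checks a php-fpm pool configuration for the exposure just described. It reads the pool settings and reports whether "listen" is a network address without a "listen.allowed_clients" allow-list. The two embedded sample configurations are constructed: one mirrors the post's pool, the other is the hardened version. The file path in the usage comment is assumed from the post's install prefix.

```shell
#!/bin/sh
# Added example, not part of the post: decide whether a php-fpm pool accepts
# FastCGI requests from hosts other than the web server. php-fpm executes
# whatever SCRIPT_FILENAME the FastCGI client sends, so a pool that the whole
# LAN can reach is remote code execution for anyone on that LAN, and with
# iptables off (section 4) nothing else limits who can connect to TCP 9000.
#
# fpm_pool_exposed reads pool settings on stdin and returns 0 (exposed) when
# "listen" is a TCP address other than loopback and no "listen.allowed_clients"
# line narrows it; it returns 1 otherwise. With several pools in one file the
# last pool's settings win (a simplification of this example).
fpm_pool_exposed() {
    awk '
    /^[[:space:]]*;/ { next }                       # ; comment lines
    /^[[:space:]]*listen[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); listen = $0
    }
    /^[[:space:]]*listen\.allowed_clients[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); allowed = $0
    }
    END {
        if (listen ~ /^\//)                                exit 1   # unix socket: file permissions apply
        if (listen ~ /^(127\.0\.0\.1|localhost|\[::1\]):/) exit 1   # loopback only
        if (allowed != "")                                 exit 1   # explicit allow-list
        exit 0                                                      # anyone who can route to it
    }'
}

# Constructed sample 1: the pool as configured in section 6.3.2 (pm.* lines
# omitted; "user = nobody" is the php-fpm.conf.default value the post keeps).
POOL_AS_POSTED='[www]
listen = 192.168.0.201:9000
user = nobody
group = nobody'

# Constructed sample 2: the same pool, reachable from the httpd host only.
POOL_HARDENED='[www]
listen = 192.168.0.201:9000
listen.allowed_clients = 192.168.0.200
user = nobody
group = nobody'

posted_pool_exposed()   { printf '%s\n' "$POOL_AS_POSTED" | fpm_pool_exposed; }
hardened_pool_exposed() { printf '%s\n' "$POOL_HARDENED"  | fpm_pool_exposed; }

# Usage on the php host (path assumed from the post's install prefix):
#   sh fpm-check.sh --stdin < /usr/local/php5.6/etc/php-fpm.conf
if [ "${1:-}" = "--stdin" ]; then
    if fpm_pool_exposed; then
        echo "EXPOSED: bind listen to 127.0.0.1 or a unix socket, or set listen.allowed_clients"
    else
        echo "ok: pool is not reachable from arbitrary hosts"
    fi
fi
```

The check deliberately treats a bare port ("listen = 9000", which binds all interfaces) as exposed, and a unix socket as safe because access to it is governed by listen.owner/listen.group file permissions rather than by the network.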
6.3.3. Enable OPcache to speed up php code:
[root@php ~]# vim /etc/php.ini      # enable the parameters in the [opcache] section
[opcache]
zend_extension = /usr/local/php5.6/lib/php/extensions/no-debug-non-zts-20131226/opcache.so
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=64
opcache.interned_strings_buffer=4
opcache.max_accelerated_files=2000
opcache.revalidate_freq=2
opcache.fast_shutdown=1
[root@php ~]# service php-fpm restart
[root@php ~]# php -m      # check that the opcache module is loaded
6.4. Make the httpd virtual hosts FastCGI clients so that requests for php files are handed to the php server:
6.4.1. Enable the two modules that turn httpd into a FastCGI client:
[root@http ~]# vim /etc/httpd24/httpd.conf
……
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
……
[root@http ~]# /usr/local/apache24/bin/apachectl -k stop
[root@http ~]# /usr/local/apache24/bin/apachectl -k start
[root@http ~]# /usr/local/apache24/bin/apachectl -t -D DUMP_MODULES | grep proxy
 proxy_module (shared)
 proxy_fcgi_module (shared)
6.4.2. Update the virtual host configuration (the two ProxyRequests/ProxyPassMatch lines in each host are new; the path after the port is the script's path on the php host, which matches the http host's view only because the export is mounted at the same path):
[root@http ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/bbs.linux.com"
    ServerName bbs.linux.com
    ErrorLog "logs/bbs.linux.com-error_log"
    CustomLog "logs/bbs.linux.com-access_log" common
    ProxyRequests Off
    ProxyPassMatch ^/(.*\.php)$ fcgi://192.168.0.201:9000/web/vhosts/bbs.linux.com/$1
    <Directory "/web/vhosts/bbs.linux.com">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/phpmyadmin.com"
    ServerName phpmyadmin.com
    ErrorLog "logs/phpmyadmin.com-error_log"
    CustomLog "logs/phpmyadmin.com-access_log" common
    ProxyRequests Off
    ProxyPassMatch ^/(.*\.php)$ fcgi://192.168.0.201:9000/web/vhosts/phpmyadmin.com/$1
    <Directory "/web/vhosts/phpmyadmin.com">
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</VirtualHost>
[root@http ~]# /usr/local/apache24/bin/apachectl -t
Syntax OK
[root@http ~]# /usr/local/apache24/bin/apachectl -k stop
[root@http ~]# /usr/local/apache24/bin/apachectl -k start
"ProxyRequests Off" matters: it keeps mod_proxy from acting as an open forward proxy, which is what the internet would otherwise use this server for.
6.4.3. Test that httpd and FastCGI work together:
[root@http ~]# vim /web/vhosts/bbs.linux.com/index.php
[root@http ~]# cp /web/vhosts/bbs.linux.com/index.php /web/vhosts/phpmyadmin.com/
The contents of the test file are not shown; a one-line page that calls phpinfo() is the usual check. Remove it once the test has passed, since phpinfo() discloses paths, versions and the full php configuration to anyone who requests it.
7. mysql installation and configuration:
7.1. Prepare an LVM (logical volume manager) volume to hold mysql's data directory:
[root@mysql ~]# fdisk -l | grep Disk
Disk /dev/sdb: 1073 MB, 1073741824 bytes
Disk identifier: 0x00000000
Disk /dev/sda: 53.7 GB, 53687091200 bytes
Disk identifier: 0x000bf287
Disk /dev/sdc: 1073 MB, 1073741824 bytes
Disk identifier: 0x00000000
# partition sdb and sdc with fdisk and set the partition type to "8e Linux LVM"
[root@mysql ~]# fdisk -l | grep "Device Boot" -A 1
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         130     1044193+  8e  Linux LVM
--
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      102400   83  Linux
--
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1         130     1044193+  8e  Linux LVM
[root@mysql ~]# yum -y install lvm2                          # install the LVM tools
[root@mysql ~]# pvcreate /dev/sdb1 /dev/sdc1                 # turn both partitions into physical volumes
[root@mysql ~]# vgcreate MysqlData /dev/sdb1 /dev/sdc1       # create the volume group
[root@mysql ~]# vgs
  VG        #PV #LV #SN Attr   VSize VFree
  MysqlData   2   0   0 wz--n- 1.98g 1.98g
[root@mysql ~]# lvcreate -L 500M -n DB_Data MysqlData
  Logical volume "DB_Data" created
[root@mysql ~]# lvdisplay
  --- Logical volume ---
  LV Path                /dev/MysqlData/DB_Data
  LV Name                DB_Data
  VG Name                MysqlData
  LV UUID                SrY3K8-TtB6-KARr-gkNc-IZjb-B21M-UZsmQB
  LV Write Access        read/write
  LV Creation host, time mysql, 2015-02-01 11:36:35 +0800
  LV Status              available
  # open                 0
  LV Size                500.00 MiB
  Current LE             125
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
[root@mysql ~]# mkfs.ext4 /dev/MysqlData/DB_Data             # create the filesystem
[root@mysql ~]# mkdir /mydata                                # mount point
[root@mysql ~]# vim /etc/fstab
/dev/MysqlData/DB_Data  /mydata  ext4  defaults  0 0         # new line
[root@mysql ~]# mount -a
[root@mysql ~]# ls /mydata/
lost+found
7.2. Installing the mysql binary package and preparing its libraries:
7.2.1. Install and configure mysql:
[root@mysql software]# pwd
/root/software
[root@mysql software]# ls
mysql-advanced-5.6.22-linux-glibc2.5-x86_64.tar.gz
[root@mysql software]# yum -y install libaio-devel                      # dependency
[root@mysql software]# useradd -r -s /sbin/nologin mysql -M             # account mysql runs as
[root@mysql software]# mkdir /mydata/data
[root@mysql software]# chown -R mysql.mysql /mydata/data                # ownership of the data directory
[root@mysql software]# ls -ld /mydata/data
drwxr-xr-x 2 mysql mysql 1024 Feb  1 12:46 /mydata/data
[root@mysql software]# mv /etc/my.cnf /etc/my.cnf.back                  # back up the existing configuration file
[root@mysql software]# tar xf mysql-advanced-5.6.22-linux-glibc2.5-x86_64.tar.gz -C /usr/local/
[root@mysql software]# ln -sv /usr/local/mysql-advanced-5.6.22-linux-glibc2.5-x86_64 /usr/local/mysql
[root@mysql software]# chown -R root.mysql /usr/local/mysql/*
[root@mysql software]# cp /usr/local/mysql/support-files/my-default.cnf /etc/my.cnf
[root@mysql software]# vim /etc/my.cnf      # mysql starts with just the parameters below; see other documents for the rest
basedir = /usr/local/mysql
datadir = /mydata/data
port = 3306
# server_id = .....
socket = /tmp/mysql.sock
user = mysql
innodb_file_per_table = 1
innodb_thread_concurrency = 0      # no limit on concurrent threads
[root@mysql software]# cd /usr/local/mysql
[root@mysql mysql]# cp /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysqld
[root@mysql mysql]# chkconfig --add mysqld
[root@mysql mysql]# chkconfig mysqld on
[root@mysql mysql]# scripts/mysql_install_db --user=mysql --datadir=/mydata/data
[root@mysql mysql]# service mysqld start
Starting MySQL.. SUCCESS!
# export the binaries:
[root@mysql mysql]# echo 'export PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@mysql mysql]# source /etc/profile.d/mysql.sh
# export the header files:
[root@mysql mysql]# ln -sv /usr/local/mysql/include /usr/include/mysql
# export the libraries:
[root@mysql mysql]# echo "/usr/local/mysql/lib" > /etc/ld.so.conf.d/mysql.conf
[root@mysql mysql]# ldconfig -v | grep mysql
# test:
[root@mysql mysql]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.22-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
[root@mysql mysql]# mysqladmin -u root password      # set a password for root
New password:
Confirm new password:
Note: mysqladmin sets the password only for root@localhost. mysql_install_db also creates root accounts for 127.0.0.1, ::1 and the host name, all without a password, plus two anonymous accounts and a world-accessible test database (visible in the user table in section 10). Run mysql_secure_installation, or drop them by hand, before the server is reachable by anyone else.
7.2.2. Create the database WordPress will use:
[root@mysql mysql]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.6.22-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database wpdb;
Query OK, 1 row affected (0.01 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| wpdb               |
+--------------------+
5 rows in set (0.00 sec)

mysql> grant all on wpdb.* to 'wpadmin'@'192.168.%.%' identified by '111111';
Query OK, 0 rows affected (0.03 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)

mysql> \q
Bye
Note: the host pattern '192.168.%.%' accepts wpadmin from any address in 192.168.0.0/16, and '111111' is a lab password. The only client that should ever open this database is php-fpm on the php host, so outside a lab grant to 'wpadmin'@'192.168.0.201' with a real password. The FLUSH PRIVILEGES is harmless but unnecessary: GRANT updates the in-memory grant tables itself; the flush is only needed after editing the mysql.* tables directly.
8. WordPress installation and test
[root@php software]# pwd
/root/software
[root@php software]# ls
php-5.6.5  php-5.6.5.tar.xz  wordpress-4.1-zh_CN.tar.gz
[root@php software]# tar xf wordpress-4.1-zh_CN.tar.gz
[root@php software]# mv wordpress/* /web/vhosts/bbs.linux.com/
[root@php software]# cd /web/vhosts/bbs.linux.com/
[root@php bbs.linux.com]# cp wp-config-sample.php wp-config.php
[root@php bbs.linux.com]# vim wp-config.php
/** The name of the WordPress database */
define('DB_NAME', 'wpdb');
/** MySQL database user name */
define('DB_USER', 'wpadmin');
/** MySQL database password */
define('DB_PASSWORD', '111111');
/** MySQL host */
define('DB_HOST', '192.168.0.202');
Opening "http://bbs.linux.com" in a browser on the Windows workstation brings up the WordPress installer. After the test, WordPress runs normally.
9. CA server and SSL configuration
9.1. Generate the CA's private key on the mysql server:
[root@mysql ~]# cd /etc/pki/CA
[root@mysql CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..+++
....................+++
e is 65537 (0x10001)
[root@mysql CA]# ls private/
cakey.pem
9.2. Generate the self-signed CA certificate:
[root@mysql CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ChongQing
Locality Name (eg, city) [Default City]:YuBei
Organization Name (eg, company) [Default Company Ltd]:Learing
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.mysql.com
Email Address []:[email protected]
[root@mysql CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@mysql CA]# touch index.txt
[root@mysql CA]# echo 01 > serial
The CA is ready. Next, a certificate request is submitted for the phpmyadmin.com virtual host, which is then configured for https.
9.3. Back on the http server: generate a private key for the phpmyadmin.com virtual host, create a certificate signing request, and send the request to the CA:
[root@http httpd24]# pwd
/etc/httpd24
[root@http httpd24]# mkdir ssl
[root@http httpd24]# cd ssl
[root@http ssl]# (umask 077;openssl genrsa -out httpd.key 1024)      # generate the private key
Generating RSA private key, 1024 bit long modulus
.................++++++
..................++++++
e is 65537 (0x10001)
[root@http ssl]# openssl req -new -key httpd.key -out httpd.csr      # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ChongQing
Locality Name (eg, city) [Default City]:YuBei
Organization Name (eg, company) [Default Company Ltd]:Learing
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:phpmyadmin.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@http ssl]# scp httpd.csr mysql:/tmp      # send the signing request to the CA
httpd.csr                                     100%  708     0.7KB/s   00:00
Note: a 1024-bit RSA key is below the minimum browsers and CAs accept today; use 2048 bits as was done for the CA key. The private key never leaves the http host: only the CSR (which contains the public key and the DN) travels to the CA, which is exactly how it should be.
9.4. Back on the CA server: sign the request from http, producing a certificate, and send the certificate back to the http server:
[root@mysql ~]# openssl ca -in /tmp/httpd.csr -out httpd.crt -days 365      # process http's signing request
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  1 07:05:52 2015 GMT
            Not After : Feb  1 07:05:52 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ChongQing
            organizationName          = Learing
            organizationalUnitName    = Tech
            commonName                = phpmyadmin.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B3:3B:7C:FC:A2:4B:35:C1:20:23:3E:FD:47:DA:13:61:38:45:8C:E6
            X509v3 Authority Key Identifier:
                keyid:45:B3:8D:A7:16:89:C6:50:D4:87:02:82:7B:80:4B:C8:25:23:2C:50

Certificate is to be certified until Feb  1 07:05:52 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mysql ~]# ls
anaconda-ks.cfg  httpd.crt  install.log  install.log.syslog  software
[root@mysql ~]# scp httpd.crt http:/etc/httpd24/ssl      # send the certificate back to the http server
httpd.crt                                     100% 3861     3.8KB/s   00:00
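The following script is an added example, not the post's own commands. It compresses the CA workflow of sections 9.1 to 9.4 into a few functions and then runs the checks the post skips before the certificate is installed: that httpd.crt chains to cacert.pem, that httpd.key really belongs to httpd.crt, that the certificate names the host the browser will ask for, that the CA key is private, and that the server key is 2048 bits. It differs from the post in three assumed ways: it signs with "openssl x509 -req -CA" instead of "openssl ca", so no /etc/pki/CA index.txt and serial database is required; the server key is 2048 bits rather than 1024; and a subjectAltName extension is added, which browsers require. All files are written under a directory passed as the argument, not under /etc/pki/CA.

```shell
#!/bin/sh
# Added example (not the post's own commands): the CA workflow of sections
# 9.1-9.4 as functions, followed by the checks the post does not perform.
# Assumed differences from the post: "openssl x509 -req -CA" signs the CSR
# (no index.txt/serial database), the server key is 2048 bits, and a
# subjectAltName is added. Everything lives under the directory given as $1.

# build_pki DIR: create CA key + cert, server key + CSR, and a signed cert.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # 9.1 CA private key, readable by its owner only (umask 077)
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    # 9.2 self-signed CA certificate, same DN as the post
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" -days 365 \
        -subj "/C=CN/ST=ChongQing/L=YuBei/O=Learing/OU=Tech/CN=ca.mysql.com" 2>/dev/null
    # 9.3 server key and CSR; in the real setup only httpd.csr travels to the CA
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/C=CN/ST=ChongQing/L=YuBei/O=Learing/OU=Tech/CN=phpmyadmin.com" 2>/dev/null
    # 9.4 sign the CSR; the extensions mark the result as a leaf cert for one name
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:phpmyadmin.com\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -out "$dir/httpd.crt" 2>/dev/null
}

# Checks worth running before httpd.crt is copied to the web server.

# Does httpd.crt chain to our CA?
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1; }

# Do httpd.key and httpd.crt belong together? (if not, httpd refuses to start)
key_matches_cert() {
    k=$(openssl rsa  -in "$1/httpd.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/httpd.crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Is the certificate issued for the host name the browser will ask for?
cert_has_name() {
    openssl x509 -in "$1/httpd.crt" -noout -text 2>/dev/null | grep -Eq "DNS:$2"'(,|$)'
}

# Is the CA key still private? Every browser it is imported into will trust it.
cakey_is_private() {
    case $(ls -l "$1/cakey.pem") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Size of the server key in bits; anything below 2048 should be rejected.
server_key_bits() {
    openssl rsa -in "$1/httpd.key" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Usage: sh pki-demo.sh /tmp/pki   -> builds the files and prints the check results
if [ -n "${1:-}" ]; then
    build_pki "$1"
    for check in verify_chain key_matches_cert cakey_is_private; do
        if "$check" "$1"; then echo "$check: ok"; else echo "$check: FAILED"; fi
    done
    if cert_has_name "$1" phpmyadmin.com; then echo "cert_has_name phpmyadmin.com: ok"; fi
    echo "server key bits: $(server_key_bits "$1")"
fi
```

key_matches_cert is the check that catches the most common mistake in this workflow, installing a certificate with a key generated in a different run; comparing the RSA modulus of both files is the standard way to prove they pair.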
9.5. Back on the http server: enable SSL for the virtual host:
[root@http httpd24]# pwd
/etc/httpd24
[root@http httpd24]# vim httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so      # required by httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so                          # enable the SSL module
Include /etc/httpd24/extra/httpd-ssl.conf                         # include the SSL configuration file
[root@http httpd24]# vim extra/httpd-ssl.conf
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/web/vhosts/phpmyadmin.com"
ServerName phpmyadmin.com:443
ServerAdmin [email protected]
ErrorLog "/web/vhosts/phpmyadmin.com/logs/error_log"
TransferLog "/web/vhosts/phpmyadmin.com/logs/access_log"
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://192.168.0.201:9000/web/vhosts/phpmyadmin.com/$1
<Directory "/web/vhosts/phpmyadmin.com">
    Options none
    AllowOverride none
    Require all granted
</Directory>
SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
</VirtualHost>
[root@http httpd24]# mkdir /web/vhosts/phpmyadmin.com/logs      # create the log directory
[root@http httpd24]# /usr/local/apache24/bin/apachectl -t
Syntax OK
[root@http httpd24]# /usr/local/apache24/bin/apachectl -k graceful
Three things to fix before this goes anywhere near production. First, the log directory sits inside DocumentRoot, and the Directory block grants access to everything under it, so https://phpmyadmin.com/logs/access_log is downloadable by anyone (the vhosts in section 5.3.3 correctly log under ServerRoot/logs instead); move the logs out of the web tree. Second, the plain-http phpmyadmin.com vhost from section 6.4.2 still answers on port 80, so a user who types the name without https sends the database password in clear; delete that vhost or make it do nothing but redirect to https. Third, httpd-ssl.conf ships with its own SSLProtocol and SSLCipherSuite defaults; add "SSLProtocol all -SSLv2 -SSLv3" if the file does not already disable SSLv3.
9.6. Download the CA's public certificate file (cacert.pem) and import it into the client's trust store. On Windows, rename cacert.pem to a file with a ".crt" extension, i.e. "cacert.crt", import it, and then open "https://phpmyadmin.com" to test.
The screenshot above shows the test file created earlier; it is served correctly over https as well.
Note: importing cacert.pem makes that machine trust every certificate this CA ever signs, for any host name. cakey.pem on the mysql host is therefore at least as sensitive as the web server's own private key, and the 0600 permissions set by the umask in section 9.1 are the minimum.
10. phpMyAdmin installation and test
[root@php software]# pwd
/root/software
[root@php software]# ls | grep phpMyAdmin
phpMyAdmin-4.3.8-all-languages.zip
[root@php software]# unzip phpMyAdmin-4.3.8-all-languages.zip
[root@php software]# rm -rf /web/vhosts/phpmyadmin.com/index*      # remove the test files created earlier
[root@php software]# mv phpMyAdmin-4.3.8-all-languages/* /web/vhosts/phpmyadmin.com/
[root@php software]# cd /web/vhosts/phpmyadmin.com/
[root@php phpmyadmin.com]# cp config.sample.inc.php config.inc.php
[root@php phpmyadmin.com]# openssl rand -hex 8      # generate a random value
949b17bdabd31977
[root@php phpmyadmin.com]# vim config.inc.php
$cfg['blowfish_secret'] = '949b17bdabd31977'; /* paste the random value from above */
$cfg['Servers'][$i]['host'] = '192.168.0.202';  /* the mysql server's IP address */
Note: blowfish_secret is the key phpMyAdmin uses to encrypt the database password inside the login cookie. The phpMyAdmin documentation asks for a 32-character passphrase, so use "openssl rand -hex 16" rather than "-hex 8", and never reuse the value shown here.
At this point only the wpadmin user can log in, because the root accounts are not allowed to connect remotely:
Back on the mysql server, allow root to log in remotely as well:
[root@mysql ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 63
Server version: 5.6.22-enterprise-commercial-advanced MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select host,user,password from user;      # only wpadmin may connect remotely, from the 192.168.0.0 network
+-------------+---------+-------------------------------------------+
| host        | user    | password                                  |
+-------------+---------+-------------------------------------------+
| localhost   | root    | *FD571203974BA9AFE270FE62151AE967ECA5E0AA |
| mysql       | root    |                                           |
| 127.0.0.1   | root    |                                           |
| ::1         | root    |                                           |
| localhost   |         |                                           |
| mysql       |         |                                           |
| 192.168.%.% | wpadmin | *FD571203974BA9AFE270FE62151AE967ECA5E0AA |
+-------------+---------+-------------------------------------------+
7 rows in set (0.00 sec)

mysql> grant all privileges on *.* to 'root'@'192.168.0.201' identified by '111111' with grant option;
Query OK, 0 rows affected (0.03 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,password from user;
+---------------+---------+-------------------------------------------+
| host          | user    | password                                  |
+---------------+---------+-------------------------------------------+
| localhost     | root    | *FD571203974BA9AFE270FE62151AE967ECA5E0AA |
| mysql         | root    |                                           |
| 127.0.0.1     | root    |                                           |
| ::1           | root    |                                           |
| localhost     |         |                                           |
| mysql         |         |                                           |
| 192.168.%.%   | wpadmin | *FD571203974BA9AFE270FE62151AE967ECA5E0AA |
| 192.168.0.201 | root    | *FD571203974BA9AFE270FE62151AE967ECA5E0AA |
+---------------+---------+-------------------------------------------+
8 rows in set (0.00 sec)
The user table itself shows what is wrong with this picture. root@localhost and wpadmin carry the identical hash, and mysql_native_password hashes are unsalted, so they share the password (111111); three root accounts and two anonymous accounts have no password at all; and the new root@192.168.0.201 has ALL PRIVILEGES WITH GRANT OPTION on every database, reachable from the php host, which is the one host an attacker who compromises WordPress or phpMyAdmin will be sitting on. Restricting the grant to the php host's address is the right instinct; go further by dropping the passwordless and anonymous accounts (mysql_secure_installation does this), giving every account its own strong password, and creating a dedicated administration account with only the privileges phpMyAdmin actually needs instead of exposing root.
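The script below is an added example, not something from the post: it audits a dump of mysql.user for exactly the weaknesses visible in the table above (anonymous accounts, empty passwords, wildcard hosts, remotely reachable root, and accounts that share a password, which the unsalted mysql_native_password hash makes visible). The embedded sample is constructed from the post's eight rows; the intended real input is the output of "mysql -N -e 'select host,user,password from mysql.user'" (MySQL 5.6 column names).

```shell
#!/bin/sh
# Added example (not from the post): audit mysql.user for the weaknesses that
# are visible in the post's own output. Input is the tab-separated result of
#     mysql -N -e 'select host,user,password from mysql.user'
# (5.6 column names; 5.7+ calls the hash column authentication_string).
# Each finding is printed as user@host: reasons; the exit status is 1 when
# anything was found, so the function can gate a deployment script.
audit_mysql_users() {
    awk -F '\t' '
    {
        host = $1; user = $2; pw = $3; bad = ""
        if (user == "")   bad = bad "anonymous-account "
        if (pw == "")     bad = bad "empty-password "
        if (host ~ /%/)   bad = bad "wildcard-host "
        if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
                          bad = bad "remote-root "
        # mysql_native_password is unsalted SHA1(SHA1(pw)): identical hash, identical password
        if (pw != "") {
            if (pw in seen) bad = bad "shared-password(" seen[pw] ") "
            else            seen[pw] = user "@" host
        }
        if (bad != "") { printf "%s@%s: %s\n", user, host, bad; n++ }
    }
    END { exit (n > 0) }'
}

# Constructed sample: the eight rows of the post's second "select host,user,password" output.
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
    localhost       root    '*FD571203974BA9AFE270FE62151AE967ECA5E0AA' \
    mysql           root    '' \
    127.0.0.1       root    '' \
    ::1             root    '' \
    localhost       ''      '' \
    mysql           ''      '' \
    '192.168.%.%'   wpadmin '*FD571203974BA9AFE270FE62151AE967ECA5E0AA' \
    192.168.0.201   root    '*FD571203974BA9AFE270FE62151AE967ECA5E0AA')

# Run the audit over the sample; prints seven findings and returns 1.
audit_sample() { printf '%s\n' "$SAMPLE_USERS" | audit_mysql_users; }

# Usage against a live server (run on the mysql host):
#   mysql -N -e 'select host,user,password from mysql.user' | sh audit-users.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_mysql_users
fi
```

Only root@localhost passes; every other row in the post's table is flagged for at least one reason, and the two hash-sharing accounts are reported with the account they collide with.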
Log in to phpMyAdmin as root to test:
11. Testing the php OPcache speed-up:
First disable OPcache:
[root@php ~]# vim /etc/php.ini
;zend_extension = /usr/local/php5.6/lib/php/extensions/no-debug-non-zts-20131226/opcache.so      ; comment out this line
[root@php ~]# service php-fpm restart
[root@php ~]# php -m
Run ab from the mysql server:
[root@mysql ~]# yum -y install httpd-tools      # ab ships in the httpd-tools package
[root@mysql ~]# vim /etc/hosts                  # add a local entry for bbs.linux.com
192.168.0.202 mysql
192.168.0.200 http bbs.linux.com
192.168.0.201 php
[root@mysql ~]# ab -c 100 -n 1000 http://bbs.linux.com/index.php
……(omitted)
Non-2xx responses:      1000
Total transferred:      301205 bytes
HTML transferred:       299 bytes
Requests per second:    8.40 [#/sec] (mean)      # requests per second
Time per request:       11902.085 [ms] (mean)
Time per request:       119.021 [ms] (mean, across all concurrent requests)
Transfer rate:          2.47 [Kbytes/sec] received
……(omitted)
Re-enable OPcache and test again:
[root@php ~]# vim /etc/php.ini
zend_extension = /usr/local/php5.6/lib/php/extensions/no-debug-non-zts-20131226/opcache.so
[root@php ~]# service php-fpm restart
[root@php ~]# php -m
[root@mysql ~]# ab -c 100 -n 1000 http://bbs.linux.com/index.php
……(omitted)
Write errors:           0
Non-2xx responses:      1000
Total transferred:      301000 bytes
HTML transferred:       0 bytes
Requests per second:    31.26 [#/sec] (mean)      # requests per second
Time per request:       3199.462 [ms] (mean)
Time per request:       31.995 [ms] (mean, across all concurrent requests)
Transfer rate:          9.19 [Kbytes/sec] received
……(omitted)
Comparing the two runs, enabling OPcache clearly makes the site respond faster.
Two caveats on reading these numbers. "Non-2xx responses: 1000" means not one request returned a page: every response was a redirect or an error (WordPress answering /index.php with a redirect to / is the likely cause), so what was measured is the php work done before that status is sent, not a full page render. Check the status first (curl -I http://bbs.linux.com/index.php) and benchmark a URL that returns 200. Also, pm.max_children is still 5 (section 6.3.2), so with -c 100 most requests wait in php-fpm's queue; the 3 to 12 second per-request times reflect that limit as much as php itself.
12. Summary:
This build went fairly smoothly; where errors came up, the program's own messages and the log files located the fault quickly. A few points are still worth attention or improvement:
1. On Linux-like systems, software compiled from source is conventionally installed under "/usr/local/" (usr is often expanded as "Unix System Resources"). The directory already holds many files after the OS is installed, so putting all locally compiled software there too makes it somewhat awkward to manage; it resembles "Program Files" on Windows. It is therefore worth setting aside a dedicated partition for compiled software when partitioning at install time.
2. The log files of httpd's virtual hosts should be stored and managed in one central place. In this build they are scattered, and the SSL host even logs under its own document root, which is both inconvenient and, as noted in section 9.5, exposes the logs to the web.
3. Because "/web/vhosts" on the http host is mounted from the php host's NFS export, the site code only has to be uploaded once, but it creates an ordering dependency: when rebooting, start the php host before the http host and shut down the http host before the php host.
4. A LAMP environment like this touches the configuration files httpd.conf, httpd-ssl.conf, httpd-vhosts.conf, my.cnf, php.ini and php-fpm.conf; the meaning of each of their parameters deserves a proper write-up.
5. Finally, mysql has been acquired by Oracle. The 5.6 package used here is the Enterprise Server "Advanced Edition", which is a commercial product under Oracle's commercial licence; it is not the same thing as MySQL Community Server, which remains GPL. For a company's production systems, either use the Community edition or consider MariaDB, which is a drop-in replacement released under the GPLv2.