1.搭建一个LNMP架构网站
2.实现实时备份
3.实现全站https
4.当一台lb服务器宕机,不影响整个服务
5.优雅的跳转到错误页面
6.实现页面伪静态
#安装rsync
[root@backup ~]# yum install -y rsync
#启动rsync服务端并加入开机自启
[root@backup ~]# systemctl enable --now rsyncd
Created symlink from /etc/systemd/system/multi-user.target.wants/rsyncd.service to /usr/lib/systemd/system/rsyncd.service.
#编辑rsync服务端配置文件
[root@backup ~]# vim /etc/rsyncd.conf
#启动服务的用户
uid = www
gid = www
#监听的端口号(默认873)
port = 873
#无需root用户登录
fake super = yes
#是否启用chroot隔离(no 表示不启用)
use chroot = no
#最大连接数
max connections = 200
#超时时间
timeout = 600
#忽略错误
ignore errors
#是否只读(false 表示允许客户端写入)
read only = false
#是否允许客户端列出模块(false 表示不允许)
list = false
#定义虚拟用户
auth users = yzl
#定义密码文件
secrets file = /etc/rsync.passwd
#定义日志文件
log file = /var/log/rsyncd.log
#模块名
[database]
#描述信息
comment = welcome to oldboyedu database!
#服务器真实路径
path = /backup/database
#创建配置文件中需要用到的普通用户
[root@backup ~]# useradd www -u1000
#创建密码文件并授权
[root@backup ~]# echo yzl:123 > /etc/rsync.passwd
[root@backup ~]# chmod 600 !$
#创建备份文件夹并授权
[root@backup ~]# mkdir -p /backup/database
[root@backup ~]# chown -R www.www !$
chown -R www.www /backup/database
#安装rsync、nfs、rpcbind
[root@nfs ~]# yum install -y rpcbind nfs-utils rsync
#创建客户端密码文件并授权
[root@nfs ~]# echo 123 > /etc/rsync.passwd
[root@nfs ~]# chmod 600 !$
#创建与backup中对应的用户
[root@nfs ~]# useradd www -u1000
#编辑挂载点配置文件(创建挂载点)
[root@nfs ~]# vim /etc/exports
/nfs/web 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)
/nfs/database 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)
/nfs/conf 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)
/nfs/backup 172.16.1.0/24(rw,sync,all_squash,anonuid=1000,anongid=1000)
#创建可供挂载的目录并授权
[root@nfs ~]# mkdir -p /nfs/web
[root@nfs ~]# mkdir /nfs/database
[root@nfs ~]# mkdir /nfs/backup
[root@nfs ~]# mkdir /nfs/conf
[root@nfs ~]# chown -R www.www /nfs/web/
[root@nfs ~]# chown -R www.www /nfs/database/
[root@nfs ~]# chown -R www.www /nfs/backup/
[root@nfs ~]# chown -R www.www /nfs/conf/
#查看挂载点是否配置成功
[root@nfs ~]# showmount -e
Export list for nfs:
/nfs/backup 172.16.1.0/24
/nfs/conf 172.16.1.0/24
/nfs/database 172.16.1.0/24
/nfs/web 172.16.1.0/24
#上传sersync压缩包并解压
[root@nfs ~]# cd /nfs
[root@nfs nfs]# rz -E
rz waiting to receive.
[root@nfs nfs]# tar -xf sersync.gz
#编辑sersync配置文件
[root@nfs nfs]# vim GNU-Linux-x86/confxml.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<head version="2.5">
<host hostip="localhost" port="8008"></host>
<debug start="false"/>
<fileSystem xfs="false"/>
<filter start="false">
<exclude expression="(.*)\.svn"></exclude>
<exclude expression="(.*)\.gz"></exclude>
<exclude expression="^info/*"></exclude>
<exclude expression="^static/*"></exclude>
</filter>
<inotify>
<delete start="true"/>
<createFolder start="true"/>
<createFile start="true"/>
<moveTo start="true"/>
<attrib start="true"/>
<modify start="true"/>
</inotify>
<sersync>
<localpath watch="/nfs/database">
<remote ip="172.16.1.41" name="database"/>
<!--<remote ip="192.168.8.39" name="tongbu"/>-->
<!--<remote ip="192.168.8.40" name="tongbu"/>-->
</localpath>
<rsync>
<commonParams params="-az"/>
<auth start="true" users="yzl" passwordfile="/etc/rsync.passwd"/>
<userDefinedPort start="false" port="874"/><!-- port=874 -->
<timeout start="false" time="100"/><!-- timeout=100 -->
<ssh start="false"/>
</rsync>
<crontab start="false" schedule="600"><!--600mins-->
<crontabfilter start="false">
<exclude expression="*.php"></exclude>
<exclude expression="info/*"></exclude>
</crontabfilter>
</sersync>
<plugin name="command">
<filter start="false">
<include expression="(.*)\.php"/>
<include expression="(.*)\.sh"/>
</filter>
</plugin>
<plugin name="socket">
<localpath watch="/opt/tongbu">
<deshost ip="192.168.138.20" port="8009"/>
</localpath>
</plugin>
<plugin name="refreshCDN">
<localpath watch="/data0/htdocs/cms.xoyo.com/site/">
<cdninfo domainname="ccms.chinacache.com" port="80" username="xxxx" passwd="xxxx"/>
<sendurl base="http://pic.xoyo.com/cms"/>
<regexurl regex="false" match="cms.xoyo.com/site([/a-zA-Z0-9]*).xoyo.com/images"/>
</localpath>
</plugin>
</head>
#创建yum源
[root@web03 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
module_hotfixes=true
#安装nginx
[root@web03 ~]# yum install nginx -y
#编辑nginx配置文件
[root@web01 ~]# vim /etc/nginx/nginx.conf
user www;
......
#上传PHP压缩包
[root@web01 ~]# rz -E
rz waiting to receive.
#解压并安装
[root@web01 ~]# tar -xf php.tar.gz
[root@web01 ~]# yum localinstall -y *.rpm
#编辑PHP配置文件
[root@web01 ~]# vim /etc/php-fpm.d/www.conf
user=www
group=www
......
#创建项目存放目录
[root@web01 ~]# mkdir -p /www/discuz
#创建用户
[root@web01 ~]# useradd www -u1000
#授权
[root@web01 ~]# chown -R www.www /www
#安装nfs、rpcbind
[root@web01 ~]# yum install -y nfs-utils rpcbind
#挂载
[root@web01 ~]# mount -t nfs 172.16.1.31:/nfs/web /www
[root@web01 ~]# mount -t nfs 172.16.1.31:/nfs/conf /etc/nginx/conf.d/
#编辑网站配置文件
[root@web01 ~]# cd /etc/nginx/conf.d/
[root@web01 conf.d]# vim discuz.conf
server{
listen 80;
server_name www.discuz.com;
root /www/discuz/upload;
location /{
index index.php;
#将网站页面做成伪静态
rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
rewrite ^([^\.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
rewrite ^([^\.]*)/blog-([0-9]+)-([0-9]+)\.html$ $1/home.php?mod=space&uid=$2&do=blog&id=$3 last;
rewrite ^([^\.]*)/(fid|tid)-([0-9]+)\.html$ $1/archiver/index.php?action=$2&value=$3 last;
rewrite ^([^\.]*)/([a-z]+[a-z0-9_]*)-([a-z0-9_\-]+)\.html$ $1/plugin.php?id=$2:$3 last;
#出现错误以后跳转到指定页面
error_page 404 403 /error/index.html;
}
#绑定PHP(nginx无法处理动态请求,所以需要PHP来处理)
include php.params;
}
#编辑PHP的配置文件
[root@web01 ~]# vim /etc/nginx/php.params
location ~* \.php$ {
fastcgi_pass 127.0.0.1:9000;
#告知PHP本次请求为https请求
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
#上传项目压缩包并解压
[root@web01 ~]# cd /www/discuz
[root@web01 www]# rz -E
rz waiting to receive.
[root@web01 ~]# unzip Discuz_X3.4_SC_UTF8_20210320.zip
#创建错误跳转的页面
[root@web01 ~]# cd /www/discuz/upload
[root@web01 ~]# mkdir error
[root@web01 ~]# echo this is a error page! > error/index.html
#将存放用户数据的目录与nfs挂载,并让nfs备份到backup上
[root@web01 ~]# mount -t nfs 172.16.1.31:/nfs/database /www/discuz/upload/data/attachment/forum/
#检查nginx配置
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
#启动nginx并加入开机自启
[root@web01 ~]# systemctl enable --now nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
#启动PHP并加入开机自启
[root@web01 ~]# systemctl enable --now php-fpm
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
#安装mysql服务
[root@db01 ~]# yum install -y mariadb-server
#启动Mariadb并加入开机自启
[root@db01 ~]# systemctl enable --now mariadb
#为数据库设置密码
[root@db01 ~]# mysqladmin -uroot password '123'
#登录数据库
[root@db01 ~]# mysql -uroot -p123
#创建项目所需的数据库
MariaDB [(none)]> create database discuz;
Query OK, 1 row affected (0.00 sec)
#让yzl用户对discuz数据库下的任意表拥有所有权限,并将密码设为123
MariaDB [(none)]> grant all on discuz.* to yzl@'%' identified by '123';
Query OK, 0 rows affected (0.08 sec)
#创建密钥
[root@lb01 nginx]# ssh-keygen
.....
#将创建的公钥发送到需要免密登录的远程机器上
[root@lb01 ~]# cd
[root@lb01 ~]# ssh-copy-id -i .ssh/id_rsa.pub [email protected]
....
#同上
[root@lb02 ~]# ssh-keygen
.....
[root@lb02 ~]# ssh-copy-id -i .ssh/id_rsa.pub [email protected]
......
#编写nginx的yum源
[root@lb01 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
module_hotfixes=true
#安装nginx
[root@lb01 ~]# yum install nginx -y
#编辑nginx配置文件
[root@lb01 ~]# vim /etc/nginx/nginx.conf
user www;
#创建配置文件需要的用户
[root@lb01 ~]# useradd www -u1000
#创建证书存放目录
[root@lb01 ~]# mkdir /etc/nginx/ssl_key
[root@lb01 ~]# cd /!$
cd //etc/nginx/ssl_key
#创建自签名证书(第二条命令会重新生成并覆盖 server.key)
[root@lb01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456
Verifying - Enter pass phrase for server.key:123456
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.............+++
.......+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:oldboy
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:oldboy
Email Address []:[email protected]
#查看证书是否齐全
[root@lb01 ssl_key]# ls
server.crt server.key
#将lb01与lb02配置同步
[root@lb01 conf.d]# scp -r /etc/nginx/ssl_key 172.16.1.6:/etc/nginx/
[root@lb01 conf.d]# scp -r /etc/nginx/conf.d/ 172.16.1.6:/etc/nginx/
[root@lb01 ssl_key]# cd /etc/nginx/conf.d/
#编写nginx配置文件
[root@lb01 conf.d]# vim discuz.conf
upstream discuz {
server 172.16.1.7:80;
server 172.16.1.8:80;
server 172.16.1.9:80;
}
server {
listen 443 ssl;
server_name www.discuz.com;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://discuz;
include proxy_params;
}
}
server{
listen 80;
server_name www.discuz.com;
rewrite ^(.*)$ https://$server_name$request_uri;
}
#编写优化配置文件
[root@lb01 nginx]# vim proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 20s;
proxy_read_timeout 20s;
proxy_send_timeout 20s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
#安装高可用软件
[root@lb01 ~]# yum install -y keepalived
#查看配置文件
[root@lb01 ~]# rpm -qc keepalived
/etc/keepalived/keepalived.conf
/etc/sysconfig/keepalived
#编写keepalived配置文件
[root@lb01 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.3
}
}
#编写解决脑裂问题的脚本(此脚本针对的是两台高可用服务器都在抢vip)
[root@lb01 ~]# vim /etc/nginx/check_naolie.sh
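#!/bin/bash
# Split-brain guard: both keepalived nodes are holding the VIP at once.
# Polls both load balancers over ssh; when both report the VIP, stops
# keepalived on the BACKUP node so that only the MASTER keeps it.
# Requires key-based (passwordless) ssh from this host to both nodes
# (set up with ssh-copy-id above).
#
# Fixes vs. the first version: the probe used to be built in single quotes,
# so "${VIP}" was expanded on the REMOTE side (where VIP is unset) and the
# probe became `grep ""`, which matches every line — both nodes always
# looked like VIP holders and keepalived on the backup was stopped
# unconditionally. VIP now expands locally and is matched as an exact
# fixed string.

# Must match virtual_ipaddress in /etc/keepalived/keepalived.conf.
VIP="192.168.1.3"
MASTERIP="172.16.1.6"
BACKUPIP="172.16.1.5"
# seconds between probes
POLL_INTERVAL=2

#######################################
# Report whether a node currently has the VIP configured.
# Globals:   VIP (read)
# Arguments: $1 - node IP to probe over ssh
# Returns:   0 if the VIP is present on the node, 1 if not; an unreachable
#            node yields ssh's own non-zero status, so it is never mistaken
#            for a VIP holder.
#######################################
has_vip() {
  local node=$1
  # -F/-w: exact address match, so 192.168.1.3 is not confused with 192.168.1.30.
  # BatchMode/ConnectTimeout: a dead node fails fast instead of hanging the loop.
  ssh -o BatchMode=yes -o ConnectTimeout=5 "${node}" \
    "ip -4 addr show | grep -qwF -- '${VIP}'" > /dev/null 2>&1
}

#######################################
# Poll loop: runs until killed; stop keepalived on BACKUP when both hold the VIP.
#######################################
main() {
  local master_status backup_status
  while true; do
    has_vip "${MASTERIP}"
    master_status=$?
    has_vip "${BACKUPIP}"
    backup_status=$?
    if (( master_status == 0 && backup_status == 0 )); then
      ssh -o BatchMode=yes -o ConnectTimeout=5 "${BACKUPIP}" \
        "systemctl stop keepalived.service"
    fi
    sleep "${POLL_INTERVAL}"
  done
}

main "$@"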
#编写解决脑裂问题的脚本(此脚本针对的是一台高可用服务器nginx出现故障)
[root@lb01 ~]# vim /etc/nginx/check_web.sh
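#!/bin/bash
# keepalived vrrp_script health check for the local nginx.
# If nginx is not running, try to start it once; if it still is not running,
# stop keepalived so the VIP moves to the other node.
# Exit status: 0 when nginx is up (possibly after a restart), 1 when it could
# not be recovered — keepalived also sees this status through track_script.
#
# Fix vs. the first version: it counted `ps -ef | grep [n]ginx` lines, but
# this script itself lives at /etc/nginx/check_web.sh, so its own process
# always matched and the count was never 0 — a dead nginx was never
# detected. The `[n]ginx` token was also an unquoted glob. pgrep -x matches
# the process name exactly instead.

#######################################
# Returns 0 if an nginx process exists, non-zero otherwise.
#######################################
nginx_running() {
  pgrep -x nginx > /dev/null
}

#######################################
# Entry point: check, try one restart, then give up the VIP.
#######################################
main() {
  if nginx_running; then
    exit 0
  fi
  systemctl start nginx
  # give nginx a moment to fork its workers before re-checking
  sleep 3
  if nginx_running; then
    exit 0
  fi
  systemctl stop keepalived.service
  exit 1
}

main "$@"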
#编辑配置文件(将脚本加入配置文件中)
[root@lb01 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_script check_web {
script "/etc/nginx/check_web.sh"
interval 5
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.3
}
track_script {
check_web
}
}
#重启nginx和keepalived
[root@lb01 ~]# systemctl restart nginx
[root@lb01 ~]# systemctl restart keepalived
在本地hosts文件中添加:
192.168.1.3 www.discuz.com
在浏览器输入:www.discuz.com即可
上述web01服务器的操作,web02、web03也需要操作
上述lb01服务器的操作,lb02也需要操作