Foreword
Use linux+nginx+php-fpm+mysql to build a website and be able to run php code, connect to the database and execute mysql statements.
Build record
System overview
CentOS 7
Basic environment installation
Install GCC
yum install gcc-c++
Install PCRE
yum install -y pcre pcre-devel
Install Zlib
yum install -y zlib zlib-devel
Install Openssl
yum install -y openssl openssl-devel
Install EPEL-release
yum -y install epel-release
Install Nginx
yum -y install nginx
Website path: /usr/share/nginx/html
nginx configuration: /etc/nginx/nginx.conf
Enable start on boot: systemctl enable nginx.service
Modify the configuration file: remove the leading comment markers from the PHP block so that nginx parses php files:
Restart: service nginx restart
Visit the homepage to check the installation status:
Install php-fpm
PHP-FPM emerged to solve two problems:
1. With traditional php-cgi, after php.ini is changed php-cgi has to be restarted for the new php.ini to take effect, and it cannot restart gracefully.
2. When the php-cgi process is terminated, the PHP service is forced to stop as well.
Sync the package sources:
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
Search for php-fpm version:
yum search all php-fpm
Uninstall the original version dependencies:
yum remove php php-fpm php-common
Install version 7.0 and its extensions
yum install php70w php70w-fpm php70w-cli php70w-common php70w-devel php70w-gd php70w-pdo php70w-mysql php70w-mbstring php70w-bcmath php70w-xml php70w-pecl-redis php70w-process php70w-intl php70w-xmlrpc php70w-soap php70w-ldap php70w-opcache
Start the service
systemctl start php-fpm
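Enable start on boot
systemctl enable php-fpm
Stop the service
killall php-fpm
Restart
systemctl restart php-fpm
Create a file under /usr/share/nginx/html with the content <?php phpinfo(); ?> and visit it to check that PHP is parsed. Remove the file after the check, since phpinfo() output exposes the server's configuration.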
Install MySQL
Download the MySQL installation package
wget -c http://dev.mysql.com/get/mysql57-community-release-el7-10.noarch.rpm
Install using yum
yum -y install mysql57-community-release-el7-10.noarch.rpm
Install the MySQL server
yum -y install mysql-community-server --nogpgcheck
# --nogpgcheck skips verification of the package signing key; without it an error is reported here. You can of course also use the official mariadb instead.
Start MySQL
systemctl start mysqld.service
Check running status
systemctl status mysqld.service
Find the root password
grep "password" /var/log/mysqld.log
Enter the database
mysql -u root -p
Modify the password
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Cdbc@123..';
# Change the root password to xxxx. The password must be strong enough, containing uppercase and lowercase letters, digits and special characters; otherwise an insecure-password prompt appears and the password cannot be changed.
Enable remote access
grant all privileges on *.* to 'root'@'192.168.31.1' identified by 'password' with grant option;
# 192.168.31.1 is the only remote address allowed to connect; if you need to allow all addresses, replace the address with %
Refresh the permission configuration
flush privileges;
Exit the database
exit
Open the port in the firewall
firewall-cmd --zone=public --add-port=3306/tcp --permanent
Reload the firewall
firewall-cmd --reload
Remote access test
This test uses Navicat; accessing MySQL remotely requires a client to be installed.
Security considerations
Server
Port security: only open the ports that need to be used.
Host vulnerabilities: scan with goby to make sure there are no major security vulnerabilities.
Baseline inspection: meet the basic security requirements; a script from GitHub was used to scan automatically, and the host basically passed.
Password security: log in with a key instead of relying on passwords, and do not use weak passwords.
Database
Password security: prevent weak passwords.
Port security: the default MySQL port 3306 can be changed.
Operating system
Do a security check before going online; awvs/xray can be used to scan.
If the range (lab) environment is open to the public, HTTP 401 basic authentication can be set up to keep out malicious attacks.
Middleware
Nginx has a parsing vulnerability, which is a configuration problem; it is difficult to exploit with the default configuration. Nginx is a good choice for its flexible and lightweight configuration.
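Because the parsing issue above is a configuration problem, it can be checked for. The script below is an added example, not part of the original post: it flags a .php location without `try_files $uri =404;`, a `cgi.fix_pathinfo` that is not 0, and an empty `security.limit_extensions`. The function names and sample file contents are constructed for illustration, and only the try_files guard is recognised on the nginx side.

```shell
#!/bin/sh
# Added example (not from the original post): audit the nginx + php-fpm
# settings behind the PHP parsing misconfiguration. The sample files are
# constructed; point audit_php_parsing at your real files instead.

ini_value() {  # $1=file $2=key $3=default -> last active value of key
    sed 's/[;#].*$//' "$1" | awk -F= -v k="$2" -v d="$3" '
        BEGIN { val = d }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }'
}

audit_php_parsing() {  # $1=nginx conf $2=php.ini $3=pool conf; status = findings
    n=0
    # nginx: the .php location must answer 404 when the script does not exist
    sed 's/#.*$//' "$1" | awk '
        /location[^{]*\.php/ { inphp = 1 }
        inphp && /try_files[ \t]+\$uri[ \t]+=404/ { ok = 1 }
        inphp && /}/ { inphp = 0 }
        END { exit !ok }' ||
        { echo "nginx: php location lacks try_files \$uri =404"; n=$((n+1)); }
    # php.ini: cgi.fix_pathinfo defaults to 1, so unset counts as a finding
    [ "$(ini_value "$2" cgi.fix_pathinfo 1)" = "0" ] ||
        { echo "php.ini: cgi.fix_pathinfo is not 0"; n=$((n+1)); }
    # pool: an empty security.limit_extensions lets any extension run as PHP
    [ -n "$(ini_value "$3" security.limit_extensions .php)" ] ||
        { echo "php-fpm: security.limit_extensions is empty"; n=$((n+1)); }
    return "$n"
}

make_samples() {  # $1=dir: write one weak and one hardened constructed set
    printf 'location ~ \\.php$ {\n  fastcgi_pass 127.0.0.1:9000;\n}\n' > "$1/weak.conf"
    printf ';cgi.fix_pathinfo=0\n' > "$1/weak.ini"
    printf 'security.limit_extensions =\n' > "$1/weak.pool"
    printf 'location ~ \\.php$ {\n  try_files $uri =404;\n  fastcgi_pass 127.0.0.1:9000;\n}\n' > "$1/ok.conf"
    printf 'cgi.fix_pathinfo = 0\n' > "$1/ok.ini"
    printf 'security.limit_extensions = .php\n' > "$1/ok.pool"
}

d=$(mktemp -d) && make_samples "$d"
audit_php_parsing "$d/weak.conf" "$d/weak.ini" "$d/weak.pool" || echo "weak set: $? findings"
audit_php_parsing "$d/ok.conf" "$d/ok.ini" "$d/ok.pool" && echo "hardened set: clean"
rm -rf "$d"
```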
Thoughts on one-click installation
At a later stage, integrated environments such as docker/phpstudy can be used.