Aliyun CentOS 6.5 (Nginx + PHP-FPM) and RDS: basic usage notes and simple security settings

Source: Internet
Author: User
Tags fpm install php gopher openssl phpinfo iptables owncloud aliyun

Notes on setting up a new Alibaba Cloud ECS server and RDS cloud database (US Silicon Valley node) from scratch: security settings and environment installation.

First, enable Cloud Shield (Aliyun's security service).

The CentOS 6.5 image was selected, with a data disk attached.

1. Mount the data disk

Reference: mounting a data disk on a Linux system

View the data disk

df -h
fdisk -l

Partition the data disk

fdisk -S 56 /dev/xvdb

View the new partition

fdisk -l

Format the new partition

mkfs.ext3 /dev/xvdb1

Add the partition to fstab

echo '/dev/xvdb1  /mnt  ext3  defaults  0  0' >> /etc/fstab

Mount the new partition

mount -a
df -h
2. Restrict outbound scanning with a firewall policy

Drawing on past experience, reference: how to restrict external scanning behaviour through a firewall policy

wget http://oss.aliyuncs.com/aliyunecs/linux_drop_port.sh
sh linux_drop_port.sh
Step 1.No lock File,begin to create lock File and Continue.
Step 2.Begen to check the OS issue.
This OS is CENTOS6.
Step 3.Begen to config firewall.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,22,23,25,53,80,135,139,443,445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
Config Firewall Success,this script now exit!

The script provided by Aliyun drops packets this host sends out to those ports, so that if the host is compromised and turned into a scanner or attack source, that traffic is stopped at the host. Note that, as listed, the rules sit in the OUTPUT chain with destination 0.0.0.0/0 (and the udp rule is printed without a port list), so they would also block this host's own connections to ports 80, 443 and 53/tcp, which yum, wget and DNS need in the steps below; check the effective rules with iptables -L OUTPUT -n -v and adjust them if package installation fails.

3. Disable ping

Reference: how to disable and re-enable ping on ECS Linux

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This takes effect immediately but does not survive a reboot; to make it permanent, add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf and run sysctl -p. Ignoring echo requests only hides the host from casual ping sweeps; its open TCP ports are still found by a port scan.
4. Disable SELinux

Reference: why SELinux is turned off on Linux servers

vim /etc/selinux/config

Change the line to
SELINUX=disabled

(The key is upper-case SELINUX, and the change applies after a reboot.) It turned out that the Aliyun image already ships with SELinux disabled. Keep in mind that this removes a mandatory access control layer: a compromised nginx or php-fpm process is then confined only by ordinary file permissions, so the unprivileged service accounts and firewall rules below matter all the more.

5. Comment out users and groups the system does not need

Note: deleting them outright is not recommended; if you need one of these accounts later, re-creating it by hand is troublesome.

cp /etc/passwd /etc/passwdbak   # back up before editing
vi /etc/passwd                  # edit the users, prefixing each unwanted line with a # comment
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous ftp account
cp /etc/group /etc/groupbak     # back up before editing
vi /etc/group                   # edit the groups, prefixing each unwanted line with a # comment
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:

Use vipw and vigr rather than a bare vi if you want the files locked while you edit them. Before commenting out an account, check that nothing on disk is owned by it (find / -xdev -user adm), otherwise those files are left owned by a bare UID that a future account could inherit.
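Trimming unused nologin accounts is low-value compared with the checks that actually catch trouble in /etc/passwd and /etc/shadow. The following audit is an added example, not part of the original article: each function reads passwd- or shadow-format lines from stdin, so it can be pointed at the live files or at the backups just made. The sample lines, including the planted UID-0 account "toor" with an empty password, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: audit account files for the
# conditions that matter more than an unused nologin account does.
# Each function reads passwd/shadow-format lines on stdin, e.g.
#   login_shell_accounts   < /etc/passwd
#   uid0_accounts          < /etc/passwd
#   empty_password_accounts < /etc/shadow

# Accounts that have a real login shell (anything but nologin/false).
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Accounts with UID 0 other than root: a second superuser is a classic backdoor.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow entry has an empty password field: they log in with no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Constructed sample data (not from a real host): "toor" is a planted UID-0
# account with an empty password; "user_a" is the SFTP user created in step 11.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
toor:x:0:0::/root:/bin/bash
user_a:x:500:500::/mnt/www/www.a.com:/bin/bash'
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:16500:0:99999:7:::
bin:*:16500:0:99999:7:::
ftp:*:16500:0:99999:7:::
toor::16500:0:99999:7:::
user_a:!!:16500:0:99999:7:::'

# run_audit: one line per check, names joined by spaces, over the sample data.
run_audit() {
    printf 'login shells: %s\n'   "$(printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts | paste -s -d ' ' -)"
    printf 'extra uid 0: %s\n'    "$(printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts | paste -s -d ' ' -)"
    printf 'empty password: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts | paste -s -d ' ' -)"
}
```

On a real host, run the three functions against /etc/passwd and /etc/shadow (as root, since shadow is not world-readable) before and after editing, and treat any name printed by the second or third check as an incident, not a cleanup item.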
6. Configure the firewall

View the existing iptables rules

iptables -L -n

Notice that step 2 has already written the following rules:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21,22,23,25,53,80,135,139,443,445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
DROP       udp  --  0.0.0.0/0            0.0.0.0/0

On top of these we need the following, run in this order from a session that will still be allowed through:

# Allow packets from the loopback interface; without this rule you cannot reach local services via 127.0.0.1 (ping 127.0.0.1, or nginx talking to php-fpm on 127.0.0.1:9000)
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Open TCP port 22 for SSH; if you always connect from a fixed IP, add -s <your ip> to limit the source
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# SSH port 2222 (preparing for the SSH port change in step 7)
/sbin/iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Web service port 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Accept the return packets of connections this host initiates.
# An outbound request leaves through OUTPUT; its replies arrive through INPUT and must be let in.
# RELATED additionally covers ICMP errors and helper-tracked connections such as FTP data.
# See: http://www.netingcn.com/iptables-localhost-not-access-internet.html
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop every request not matched above. Indispensable: without it the firewall filters nothing.
# Set the policy last; if it is set before the SSH ACCEPT rule exists, the current session is cut off.
/sbin/iptables -P INPUT DROP
# The firewall is now configured, but only in memory: restarting iptables or rebooting clears it. To make it permanent:
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:    [  OK  ]

Rules are appended in order and the first matching rule wins, so keep these ACCEPT rules above any DROP rule you add to INPUT later.
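The mistake that hurts most here is locking yourself out: setting the INPUT policy to DROP, or removing port 22 in step 7, before the rule for the port you are connected on exists. The following check is an added example, not from the original article. It reads iptables-save output passed as a string and refuses a rule set that lacks the loopback, ESTABLISHED or SSH-port ACCEPT rules, or whose INPUT policy is not actually DROP. The two rule sets embedded in it are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: check an iptables rule set for
# the guards that keep a remote session alive before relying on "-P INPUT DROP".
# Run it against the live rules:      check_ruleset "$(iptables-save)" 2222
# or against the saved file:          check_ruleset "$(cat /etc/sysconfig/iptables)" 22

# check_ruleset RULES [SSH_PORT]
# Prints one line per problem found; returns 0 only when none are found.
check_ruleset() {
    rules=$1
    ssh_port=${2:-22}
    rc=0
    input_rules=$(printf '%s\n' "$rules" | grep '^-A INPUT ' || true)

    # 1. loopback must be accepted or local services on 127.0.0.1 (php-fpm:9000) break
    printf '%s\n' "$input_rules" | grep -q -- '-i lo -j ACCEPT' \
        || { echo "missing: loopback ACCEPT"; rc=1; }

    # 2. replies to this host's own outbound connections must be accepted
    printf '%s\n' "$input_rules" | grep -E -q -- '--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' \
        || { echo "missing: ESTABLISHED ACCEPT (yum/wget replies would be dropped)"; rc=1; }

    # 3. the SSH port in use must be accepted or the DROP policy locks you out
    printf '%s\n' "$input_rules" | grep -E -q -- "-p tcp .*--dport ${ssh_port} -j ACCEPT" \
        || { echo "missing: ACCEPT for ssh port ${ssh_port} (lock-out risk)"; rc=1; }

    # 4. the INPUT policy must really be DROP; otherwise the ACCEPT rules filter nothing
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP: the firewall is not filtering"; rc=1; }

    return $rc
}

# Constructed sample of what iptables-save prints after the rules in this
# section plus the Aliyun OUTPUT rules (sample text, not captured from a host).
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,23,25,53,80,135,139,443,445 -j DROP
COMMIT'

# The same after someone removed port 22 but forgot to add 2222, and never
# added the loopback and ESTABLISHED rules: three findings, all fatal remotely.
SAMPLE_LOCKOUT='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'
```

Run it once right after "service iptables save" and again after step 7 with the new port as the second argument; if it prints anything, fix the rules before you close the session you are logged in on.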
7. Modify the SSH port
vi /etc/ssh/sshd_config

Add a line for our own port, for example 2222, so that both ports are listed:
Port 22
Port 2222

Keep the default Port 22 line for now (remove the leading # if it is commented out); Port 2222 is our addition. Save and exit, then run

/etc/init.d/sshd restart   # restart the sshd service

Then connect with an SSH client to port 2222 to test that it works, keeping the existing session open until it does.
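The two-step port change above is easy to get wrong in a way that only shows up after the restart: a Port line placed below a Match block is rejected by sshd, and a typo in sshd_config takes the daemon down with it. The following helper is an added example, not from the original article. It rewrites the Port lines at the top of a copy of the file, runs sshd -t against the copy where sshd is installed, and only then installs it. The sshd_config excerpt it carries is constructed; the Match block in it mirrors the SFTP-only user of step 11.

```shell
#!/bin/sh
# Added example, not from the original article: change the sshd listening ports
# in two safe steps (add 2222 next to 22, test, then drop 22) with a syntax
# check before each restart. Edits happen on a copy, so a broken edit never
# reaches the running daemon. Assumes sshd at /usr/sbin/sshd (CentOS default).

# set_ssh_ports FILE PORT...
# Rewrites FILE so that exactly the given Port lines are active. Existing Port
# lines, commented or not, are removed; the new ones go at the top because
# sshd rejects a Port directive that appears after a Match block.
set_ssh_ports() {
    file=$1; shift
    tmp="$file.tmp.$$"
    for p in "$@"; do
        printf 'Port %s\n' "$p"
    done > "$tmp"
    grep -v -E '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$file" >> "$tmp" || true
    chmod 600 "$tmp"          # sshd_config is root-only on CentOS; keep it that way
    mv "$tmp" "$file"
}

# active_ssh_ports FILE: the ports sshd will listen on, space separated
active_ssh_ports() {
    awk '$1 == "Port" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# validate_sshd_config FILE: 0 if sshd accepts the file; skipped where sshd is absent
validate_sshd_config() {
    if [ -x /usr/sbin/sshd ]; then
        /usr/sbin/sshd -t -f "$1"
    else
        echo "sshd not found, skipping syntax check" >&2
    fi
}

# change_ssh_port CONFIG NEWPORT [OLDPORT]
# Step 1 of the procedure: keep OLDPORT, add NEWPORT, validate, install.
# Only after a successful login on NEWPORT should step 2 run:
#   set_ssh_ports /etc/ssh/sshd_config 2222 && validate_sshd_config /etc/ssh/sshd_config
# followed by "/etc/init.d/sshd restart" and dropping port 22 from iptables.
change_ssh_port() {
    cfg=$1; new=$2; old=${3:-22}
    work="$cfg.new.$$"
    cp "$cfg" "$work"
    set_ssh_ports "$work" "$old" "$new"
    if validate_sshd_config "$work"; then
        mv "$work" "$cfg"
    else
        rm -f "$work"
        echo "refusing to install a configuration that sshd rejects" >&2
        return 1
    fi
}

# Constructed sshd_config excerpt (not a real file) for a dry run. The trailing
# Match block is why new Port lines must be inserted at the top, not appended.
SAMPLE_SSHD_CONFIG='#Port 22
Protocol 2
SyslogFacility AUTHPRIV
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User user_a
    ForceCommand internal-sftp'
```

Typical use on the server is change_ssh_port /etc/ssh/sshd_config 2222 followed by /etc/init.d/sshd restart; the original session stays up because the old port is still listed.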
Once that succeeds, edit sshd_config and the iptables rules again to remove port 22, then restart sshd and save the firewall rules.

8. Install Nginx

View the nginx-related packages

yum list | grep nginx
collectd-nginx.x86_64        4.10.9-1.el6     epel
munin-nginx.noarch           2.0.25-2.el6     epel
nginx.x86_64                 1.0.15-11.el6    epel
nginx-filesystem.noarch      1.0.15-11.el6    epel
owncloud-nginx.noarch        7.0.5-2.el6      epel

yum info nginx
Loaded plugins: security
Available Packages
Name        : nginx
Arch        : x86_64
Version     : 1.0.15
Release     : 11.el6
Size        : 404 k
Repo        : epel
Summary     : A high performance web server and reverse proxy server
URL         : http://nginx.org/
License     : BSD
Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
            : IMAP protocols, with a strong focus on high concurrency, performance and
            : low memory usage.

The EPEL version is very old, so add the nginx yum repository: create the file /etc/yum.repos.d/nginx.repo with the following content

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

The baseurl is plain HTTP, so leave signature checking on: with gpgcheck=1 and nginx's published signing key, yum refuses a package that was altered on a mirror or in transit. (Setting gpgcheck=0, as is often done for convenience, removes that protection.)

After saving /etc/yum.repos.d/nginx.repo, run at the command line

yum list | grep nginx
collectd-nginx.x86_64        4.10.9-1.el6     epel
munin-nginx.noarch           2.0.25-2.el6     epel
nginx.x86_64                 1.6.3-1.el6.ngx  nginx
nginx-debug.x86_64           1.6.3-1.el6.ngx
nginx-debuginfo.x86_64       1.6.3-1.el6.ngx  nginx
nginx-filesystem.noarch      1.0.15-11.el6    epel
nginx-nr-agent.noarch        2.0.0-7.el6.ngx  nginx
owncloud-nginx.noarch        7.0.5-2.el6      epel

The latest stable version, 1.6.3, is now available; install it directly

yum install nginx -y

When the installation is complete, nginx can be started:

/etc/init.d/nginx start
Starting nginx:                                            [  OK  ]

Nginx is now running; browsing to the server shows the nginx welcome page.
Nginx commands and configuration file location:

/etc/init.d/nginx start   # start the nginx service
/etc/init.d/nginx stop    # stop the nginx service
/etc/nginx/nginx.conf     # nginx configuration file
9. Install PHP and PHP-FPM

Reference: Nginx and PHP (FastCGI) installation, configuration and optimization in practice
Download the latest stable PHP, 5.6.8 at the time of writing

cd /usr/local/src/
wget http://php.net/distributions/php-5.6.8.tar.gz
tar xzf php-5.6.8.tar.gz
cd php-5.6.8
./configure --prefix=/usr/local/php5 --with-config-file-path=/usr/local/php5/etc --enable-fpm --disable-ipv6 --enable-pdo --with-pdo-mysql --with-openssl --with-mcrypt --with-mhash --enable-json --enable-mbstring --with-gd --with-openssl-dir --with-jpeg-dir --with-png-dir --with-zlib-dir --with-freetype-dir --enable-gd-native-ttf --enable-gd-jis-conv --enable-zip

The download is over plain HTTP, so before unpacking compare the tarball's checksum (sha256sum php-5.6.8.tar.gz) with the value published on the php.net downloads page.

Depending on the errors configure reports, the following packages are needed:

yum install -y libxml2 libxml2-devel openssl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libmcrypt libmcrypt-devel mcrypt mhash

Of course, you can also install these dependencies before running configure.
Then build and install

make && make install

After the installation is complete, set up PHP-FPM. With --prefix=/usr/local/php5 the default configuration lands under /usr/local/php5/etc:
cp /usr/local/php5/etc/php-fpm.conf.default /usr/local/php5/etc/php-fpm.conf
vi /usr/local/php5/etc/php-fpm.conf
Find the following lines and make sure none of them is still commented out with a leading ";":
pid = run/php-fpm.pid
error_log = log/php-fpm.log
log_level = notice
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500

Also check the pool's user and group lines (the default file sets both to nobody): all PHP code runs with that identity, so use a dedicated unprivileged account and never root. Adding listen.allowed_clients = 127.0.0.1 restricts the FastCGI socket to the local nginx even if a firewall rule is loosened later.

pm selects how the pool is managed and takes one of two values, static or dynamic (older versions called dynamic "apache-like"). The comments in the configuration file describe this.

The four parameters mean:
pm.max_children: in static mode, the number of php-fpm processes started; in dynamic mode, the upper limit on the number of processes.
pm.start_servers: the number of php-fpm processes started in dynamic mode.
pm.min_spare_servers: the minimum number of idle php-fpm processes in dynamic mode.
pm.max_spare_servers: the maximum number of idle php-fpm processes in dynamic mode.

If pm is set to static, only pm.max_children is used: the system starts that many php-fpm processes and keeps them.
If pm is set to dynamic, the system starts pm.start_servers processes when php-fpm starts and then adjusts the number of idle processes between pm.min_spare_servers and pm.max_spare_servers according to load, never exceeding pm.max_children.

Which mode suits your server: see the php-fpm configuration optimization references.
In general, a server with plenty of memory (8 GB or more) uses static mode and a small one uses dynamic. In either mode, pm.max_children multiplied by the memory of one php process must fit in RAM, otherwise a traffic spike turns into swapping or the OOM killer.

PHP ships its own php-fpm management script, which makes start, stop and restart convenient.
Copy it from the unpacked source tree (/usr/local/src/php-5.6.8 if you followed the steps above) into the php5/sbin folder for easy use

cp /usr/local/src/php-5.6.8/sapi/fpm/init.d.php-fpm /usr/local/php5/sbin/
cd /usr/local/php5/sbin/
chmod 755 init.d.php-fpm
./init.d.php-fpm start
Starting php-fpm  done

PHP-FPM installation complete.

10. Configure Nginx to support PHP

cd /etc/nginx/
vi nginx.conf
# enable gzip
gzip on;

Configure a vhost, assuming the domain name is www.a.com

cd /etc/nginx/conf.d/
vi www.a.com.conf
# contents:
server {
    listen 80;
    server_name www.a.com a.com;
    # redirect the bare domain to the www domain
    if ($host != 'www.a.com') {
        rewrite ^(.*)$ http://www.a.com/$1 permanent;
    }
    location / {
        # enable SSI for shtml
        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;
        index index.shtml index.php index.htm index.html;
        root /mnt/www/www.a.com;
        # framework routing: send paths that do not exist on disk to index.php
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?url=$1 last;
        }
    }
    location ~ \.php$ {
        root /mnt/www/www.a.com;
        # only hand real files to php-fpm; see the note below
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ \.(jpg|jpeg|png|js|css)$ {
        root /mnt/www/www.a.com;
        expires 30d;
    }
}

The try_files $uri =404 line in the PHP location makes nginx refuse any .php request that does not map to an existing file. Without it, PHP's default cgi.fix_pathinfo=1 lets a request such as /uploads/avatar.jpg/x.php execute the uploaded image as PHP, the classic nginx + php-fpm misconfiguration. Setting cgi.fix_pathinfo=0 in php.ini closes the same hole from the PHP side; doing both costs nothing.

Test the configuration file for errors

/etc/init.d/nginx configtest
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

then apply it with /etc/init.d/nginx reload.

On the data disk mounted at /mnt, create the folder /mnt/www/www.a.com and a test file info.php containing

<?php
phpinfo();
?>

Edit the local hosts file so that www.a.com and a.com both point to the server IP, then open www.a.com/info.php: the phpinfo page appears, and a.com/info.php redirects to www.a.com/info.php.
Delete info.php as soon as the test is done: phpinfo() publishes the PHP version, build options, loaded modules, file paths and environment to anyone who finds it.
With this the nginx + php-fpm setup is complete.

11. Connect to the cloud database RDS

First go to the RDS management console and set the whitelist to allow only our own ECS intranet IP.
Then create a new account and the corresponding database.
Then log on to the database through IDB Cloud and create a new table.

On the ECS, create a group and an account (for example group_a and user_a) whose home directory is /mnt/www/www.a.com, and upload files to the server over SFTP:

groupadd group_a
useradd user_a -d /mnt/www/www.a.com -g group_a
chown user_a:group_a /mnt/www/www.a.com

Give user_a an SSH key or a strong password (passwd user_a). If the account only ever uploads files, confine it to SFTP in /etc/ssh/sshd_config with a Match User user_a block containing ForceCommand internal-sftp, so a leaked credential does not yield a shell.

Connecting to RDS is the same as to an ordinary MySQL server; only the host changes, to the RDS instance's connection address (for example example201108.mysql.alibabalabs.com). Use the intranet address from the ECS, so the traffic stays off the public network and matches the whitelist set above.
Refer to "how to connect to the RDS database" for the details.

Original address: http://www.keyunq.com/server/aliyun-system.html
