Anyone who does operations has probably installed LNMP hundreds of times. Here is what I consider the simplest and most efficient installation procedure.
1. Upgrade yum to the latest version:
yum -y update
2. Install the components the LNMP server depends on with yum:
LANG=C yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
3. Install PHP, the MySQL client and server, php-fastcgi and the common PHP extensions with yum:
yum -y install php mysql mysql-server mysql-devel php-mysql php-cgi php-mbstring php-gd php-fastcgi php-fpm
4. Install Nginx with yum. The default yum repositories do not carry nginx, so add the official Nginx repository first:
wget http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
rpm -ivh nginx-release-centos-6-0.el6.ngx.noarch.rpm
5. Install Nginx with yum:
yum install nginx
6. Set the three services to start automatically at boot:
chkconfig nginx on
chkconfig php-fpm on
chkconfig mysqld on
7. Start the three services separately with the following commands:
nginx
php-fpm &
service mysqld start
That completes the installation. Finally, open the Nginx configuration file, connect it to PHP-FPM, and add the following to the server block (note that the path in fastcgi_param SCRIPT_FILENAME must be changed to your own document root):
location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /opt/www$fastcgi_script_name;
    include fastcgi_params;
}
Setup is complete; create a phpinfo() page to verify it.
The whole process takes less than 5 minutes on a good network connection. If your network is slow, switch the yum source to NetEase's mirror, which is very fast.
Next, let's look at some Nginx security configuration.
Anyone who has set up virtual hosts knows that Apache has a very convenient feature, php_admin_value, inside which open_basedir can be configured per host. Nginx has no such setting, and without it, once one user uploads a phpspy or similar webshell, the other users' data suffers. Today's problem is exactly that: how to stop one user from attacking the neighbouring sites on the same server (the so-called "side note" attack).
First, set the open_basedir value in php.ini. For example, if all site directories live under /data/web/, with /data/web/xxx.com/ being the xxx.com site, set open_basedir = "/data/web/:/tmp/" (note that /tmp must be included, otherwise file uploads break; if you have set upload_tmp_dir, use that value in place of /tmp).
Then execute:
# chmod -R 755 /data/web/
# chmod 711 /data/web/
At this point the site is still accessible, but try uploading a phpspy and see whether it can still list the /data/web/ directory.
But here the problem comes back: if the directories under /data/web/ are named in a very regular way, they are easy to guess, and entering /data/web/xxx.com directly lists someone else's directory. Don't worry, there is a way: rename /data/web/xxx.com to a hard-to-guess name such as /data/web/xxx.com_2a8b4c76, and also turn display_errors off so that error messages do not reveal the real path.
Now let's configure the anti-cross-site protection properly.
The test environment is the LNMP one-click installation package; adjust the commands to your own environment.
tar zxvf php-5.2.17.tar.gz
gzip -cd php-5.2.17-fpm-0.5.14.diff.gz | patch -d php-5.2.17 -p1   # apply the FPM patch first, then modify the PHP source
cd php-5.2.17/
wget -c http://soft.vpser.net/web/php/bug/php-5.2.17-max-input-vars.patch   # hash DoS vulnerability patch
patch -p1 < php-5.2.17-max-input-vars.patch
./buildconf --force
./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-magic-quotes --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --enable-fastcgi --enable-force-cgi-redirect --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-soap --without-pear --with-gettext --with-mime-magic
vi main/fopen_wrappers.c
Find the following function:
/* {{{ php_check_open_basedir
 */
PHPAPI int php_check_open_basedir_ex(const char *path, int warn TSRMLS_DC)
{
    /* Only check when open_basedir is available */
    if (PG(open_basedir) && *PG(open_basedir)) {
        char *pathbuf;
        char *ptr;
        char *end;

        /* Add by anxsoft.com: allow anything inside this request's own document root first */
        char *env_doc_root;
        if (PG(doc_root)) {
            env_doc_root = estrdup(PG(doc_root));
        } else {
            env_doc_root = sapi_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT") - 1 TSRMLS_CC);
        }
        if (env_doc_root) {
            int res_root = php_check_specific_open_basedir(env_doc_root, path TSRMLS_CC);
            efree(env_doc_root);
            if (res_root == 0) {
                return 0;
            }
            if (res_root == 2) {
                errno = EPERM;
                return -1;
            }
        }
        /* Add by anxsoft.com: end of the added block; the original open_basedir list check follows */

        pathbuf = estrdup(PG(open_basedir));
        ptr = pathbuf;

        while (ptr && *ptr) {
            end = strchr(ptr, DEFAULT_DIR_SEPARATOR);
            if (end != NULL) {
                *end = '\0';
                end++;
            }

            if (php_check_specific_open_basedir(ptr, path TSRMLS_CC) == 0) {
                efree(pathbuf);
                return 0;
            }

            ptr = end;
        }
        if (warn) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s)", path, PG(open_basedir));
        }
        efree(pathbuf);
        errno = EPERM; /* we deny permission to open it */
        return -1;
    }

    /* Nothing to check... */
    return 0;
}
/* }}} */
The block between the two "Add by anxsoft.com" comments is what you add; the rest of the function is unchanged.
Save and exit, then compile and install:
make ZEND_EXTRA_LIBS='-liconv'
make install
Finally, don't forget to change open_basedir in php.ini to: open_basedir = "/var/tmp/:/tmp/" (the patched check already allows each site's own DOCUMENT_ROOT, so /data/web/ no longer needs to be listed, and one site can no longer read another site's directory).
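To see why the patch plus the narrower php.ini value works, here is an added example, written for this edit rather than taken from the page or from PHP's source. It models the patched php_check_open_basedir_ex() decision in stand-alone C: the request's DOCUMENT_ROOT is checked first, then the colon-separated open_basedir list. Path resolution is a lexical normalisation of absolute paths instead of PHP's expand_filepath(), the res_root == 2 branch is omitted because this model's specific check only returns 0 or -1, and the site names and paths (a.com_2a8b4c76, b.com_9f1e) are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024
#define DIR_SEP ':'   /* DEFAULT_DIR_SEPARATOR on Unix: open_basedir entries are colon-separated */

/* Lexically normalise an absolute path: collapse repeated "/", drop ".",
 * resolve ".." (never above "/") and strip a trailing "/".
 * Returns 0 on success, -1 for relative or oversized input. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    const char *seg[64];
    size_t seglen[64];
    int n = 0;
    const char *p = in;

    if (in[0] != '/') return -1;
    while (*p) {
        const char *q;
        size_t len;
        while (*p == '/') p++;
        if (!*p) break;
        q = p;
        while (*q && *q != '/') q++;
        len = (size_t)(q - p);
        if (len == 1 && p[0] == '.') {
            /* "." : same directory, nothing to record */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n > 0) n--;                     /* ".." : go up one segment */
        } else {
            if (n >= 64) return -1;
            seg[n] = p;
            seglen[n] = len;
            n++;
        }
        p = q;
    }
    if (n == 0) {
        if (outlen < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Model of php_check_specific_open_basedir(): 0 if path lies inside basedir, -1 otherwise.
 * Unlike PHP, which does a raw prefix compare (hence the advice to end entries with "/"),
 * this model enforces a directory boundary so "/data/webX" never matches "/data/web". */
static int check_specific_open_basedir(const char *basedir, const char *path)
{
    char rb[PATH_BUF], rp[PATH_BUF];
    size_t bl;
    if (normalize_path(basedir, rb, sizeof rb) != 0) return -1;
    if (normalize_path(path, rp, sizeof rp) != 0) return -1;
    if (strcmp(rb, "/") == 0) return 0;         /* a basedir of "/" allows everything */
    bl = strlen(rb);
    if (strncmp(rb, rp, bl) != 0) return -1;
    return (rp[bl] == '\0' || rp[bl] == '/') ? 0 : -1;
}

/* Model of the patched php_check_open_basedir_ex(): the document root of the current
 * request is consulted first, then every entry of the open_basedir list.
 * Returns 0 when access is allowed, -1 (with errno = EPERM) when it is denied. */
int check_open_basedir(const char *doc_root, const char *open_basedir, const char *path)
{
    char buf[PATH_BUF];
    char *ptr, *end;
    if (!open_basedir || !*open_basedir) return 0;      /* nothing to check */
    /* the added block: a file inside this site's own DOCUMENT_ROOT is always allowed */
    if (doc_root && *doc_root && check_specific_open_basedir(doc_root, path) == 0) return 0;
    if (strlen(open_basedir) >= sizeof buf) return -1;
    strcpy(buf, open_basedir);
    ptr = buf;
    while (ptr && *ptr) {
        end = strchr(ptr, DIR_SEP);
        if (end != NULL) { *end = '\0'; end++; }
        if (check_specific_open_basedir(ptr, path) == 0) return 0;
        ptr = end;
    }
    errno = EPERM;
    return -1;
}

int main(void)
{
    const char *ini = "/var/tmp/:/tmp/";                 /* the php.ini value recommended above */
    const char *root_a = "/data/web/a.com_2a8b4c76";     /* constructed site A document root */
    printf("own file     : %d\n", check_open_basedir(root_a, ini, "/data/web/a.com_2a8b4c76/index.php"));
    printf("other site   : %d\n", check_open_basedir(root_a, ini, "/data/web/b.com_9f1e/config.php"));
    printf("upload tmp   : %d\n", check_open_basedir(root_a, ini, "/tmp/phpAbC123"));
    printf("traversal    : %d\n", check_open_basedir(root_a, ini, "/data/web/a.com_2a8b4c76/../b.com_9f1e/config.php"));
    printf("old ini value: %d\n", check_open_basedir(root_a, "/data/web/:/tmp/", "/data/web/b.com_9f1e/config.php"));
    return 0;
}
```

The last line of main() shows the point of changing php.ini: with the old value "/data/web/:/tmp/" a script in site A may still open site B's config.php, while with "/var/tmp/:/tmp/" only the requesting site's own document root and the temporary directories pass the check.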
Remove unwanted nginx modules
Nginx can be configured according to our needs; at compile time, modules we do not need can simply be left out of the build. For example, to drop the autoindex and SSI modules, the commands are:
./configure --without-http_autoindex_module --without-http_ssi_module
make
make install
Before compiling, the following command lists which modules can be enabled or disabled:
./configure --help | less
Modify the Nginx server name and version number
The well-known Netcraft site can easily identify your server's operating system and service version, and the HTTP response header also discloses this information. In many cases it gives attackers a starting point, so we disguise it.
Edit the Nginx source file src/http/ngx_http_header_filter_module.c with the following command:
vi +48 src/http/ngx_http_header_filter_module.c
Locate the following two lines:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
Change them to the following (the value is yours to choose):
static char ngx_http_server_string[] = "Server: noyb" CRLF;
static char ngx_http_server_full_string[] = "Server: noyb" CRLF;
Modifying the Nginx configuration file
3.1 Avoid buffer overflow attacks
Edit nginx.conf and set buffer size limits for all clients:
vi /usr/local/nginx/conf/nginx.conf
Edit it as follows:
## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## End: Size Limits & Buffer Overflows ##
You may also want to configure the following timeouts to improve server performance:
## Start: Timeouts ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## End: Timeouts ##
3.2 Limit some access
Only allow access through the domain names we specify. This stops anyone from scanning all the domain names bound to the current IP, and prevents direct access by IP address and malicious domain bindings:
## Only requests to our Host are allowed ##
## i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in
if ($host !~ ^(nixcraft.in|www.nixcraft.in|images.nixcraft.in)$ ) {
    return 444;
}
##
The following form is also widely circulated on the Internet:
server {
    listen 80 default;
    server_name _;
    return 500;
}
Limit the request methods. GET and POST are generally all we need, but HTTP also defines methods such as DELETE and SEARCH; in our case the server refuses them:
## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
## Do not accept DELETE, SEARCH and other methods ##