Steps for Ubuntu with nginx + php website environment

Source: Internet
Author: User
Tags: bz2, hhvm, openssl, php, website, ssh, iptables, port number, ssh port


If the installation source is slow (local machine, virtual machine, or a poor overseas network connection), replace the installation source (optional).
Replace the installation source


sudo vim /etc/apt/sources.list

# Replace the mirror with Alibaba Cloud's
:0,$ s/us.archive.ubuntu.com/mirrors.aliyun.com/
If this is a virtual machine in a test environment and sshd is not enabled after installation, install openssh and enable remote SSH.
Enable remote SSH


sudo apt-get install openssh-server

After the installation completes, check whether sshd is running:


ps -e | grep ssh

Set the system time so that machines and scripts run normally.

Set system time


sudo dpkg-reconfigure tzdata

Update the system, install git, zsh and oh-my-zsh, and set zsh as the default shell (use your preferred shell instead if you like).
Update the system, install necessary software, and replace the shell


apt-get update && apt-get upgrade
apt-get install git zsh wget curl unzip vim -y
curl -L http://install.ohmyz.sh | sh
chsh -s /bin/zsh

Update the host name (for example, bai)


echo "bai" > /etc/hostname
hostname -F /etc/hostname
cat /etc/hostname
If you are running the web service and this is not a proxy machine, update the hosts record.
Modify hosts


127.0.0.1 bai
12.34.56.78 subdomain.domain.com

Add a user and set user permissions (it is recommended to create separate users and permissions for running each piece of software)


adduser soulteary
usermod -a -G sudo soulteary

Set up password-free (key-based) login. If you think a bare key is not secure enough, use a key protected by a passphrase.
If the machine is not self-built and trusted, think carefully before installing third-party two-step verification software, to avoid unnecessary trouble.
Also, if you have no out-of-band access such as VNC on the same network segment and your key is not yet in place, do not disable password login in sshd_config yet, or you may lock yourself out.
We recommend changing the sshd port, for example to 12345 (or your preferred high port number).


# On your workstation: copy the public key to the server
scp ~/.ssh/id_rsa.pub example_user@123.456.78.90:

# On the server, as example_user
mkdir -p ~/.ssh
mv id_rsa.pub ~/.ssh/authorized_keys
chown -R example_user:example_user ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

sudo vim /etc/ssh/sshd_config

Port 12345
PermitRootLogin no
PasswordAuthentication no

sudo service ssh restart
Use PAM to deny the root user a second time


sudo vim /etc/pam.d/login
# Add this line
auth required pam_succeed_if.so user != root quiet
Although nginx installed from a package is easier to maintain, it is hard to change once the server infrastructure is in place, so Tengine is recommended.
The following describes how to install nginx and Tengine. If you prefer plain nginx, it is simple and quick to use.

If you still like nginx


apt-get install nginx

Of course, if you want more features, install Tengine.

If you want to install Tengine


sudo apt-get update && sudo apt-get upgrade
apt-get install gcc g++ make -y

# Download the source packages
wget http://jaist.dl.sourceforge.net/project/pcre/pcre/8.36/pcre-8.36.tar.gz
wget http://zlib.net/zlib-1.2.8.tar.gz
wget http://www.openssl.org/source/openssl-1.0.1j.tar.gz
wget http://www.canonware.com/download/jemalloc/jemalloc-3.6.0.tar.bz2
wget http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

# Install pcre
tar zxvf pcre-8.36.tar.gz
cd pcre-8.36
./configure --prefix=/usr/local/pcre-8.36
make && make install

# Install zlib
cd ..
tar zxvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr/local/zlib-1.2.8
make && make install

# Install OpenSSL
cd ..
tar zxvf openssl-1.0.1j.tar.gz
cd openssl-1.0.1j
./config --prefix=/usr/local/openssl-1.0.1j
make && make install

# Unpack jemalloc (Tengine builds it from source via --with-jemalloc)
cd .. && tar jxvf jemalloc-3.6.0.tar.bz2

# Unpack Tengine and configure it to run as the www-data user and group
# (you can also use root, but that is not recommended)
tar zxvf tengine-2.1.0.tar.gz
cd tengine-2.1.0
./configure --user=www-data \
  --group=www-data \
  --with-pcre=../pcre-8.36 \
  --with-openssl=../openssl-1.0.1j \
  --with-jemalloc=../jemalloc-3.6.0 \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_concat_module \
  --with-http_spdy_module \
  --with-zlib=../zlib-1.2.8
make && make install
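The build above fetches every tarball over plain HTTP and unpacks it straight away, so a tampered or truncated download would be compiled into the web server unnoticed. The helper below is an added example and not part of the original post: it checks each archive's SHA-256 against a digest you obtain separately (from the project's release page, not from the mirror that served the tarball) before anything is unpacked. The function names `verify_tarball`, `fetch_verified` and `demo` are chosen here, the sample file in `demo` is constructed, and `DIGEST_FROM_RELEASE_PAGE` is a placeholder for a value the post does not give.

```shell
#!/bin/sh
# Added example: verify downloaded source archives before building them.
# Not part of the original post; function names are chosen here.

# verify_tarball FILE EXPECTED_SHA256
#   0 = digest matches, 1 = mismatch, 2 = file missing
verify_tarball() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_SHA256
#   Download with wget (as the post does) and refuse to keep the file on
#   mismatch. Return codes as above, plus 3 if the download itself fails.
fetch_verified() {
    url="$1"
    expected="$2"
    file=$(basename "$url")
    [ -f "$file" ] || wget -q -O "$file" "$url" || return 3
    verify_tarball "$file" "$expected" || { rm -f "$file"; return 1; }
}

# demo: exercise verify_tarball on a constructed local file (no network).
# Prints two return codes: matching digest first, deliberately wrong digest second.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed sample archive contents\n' > "$tmp/sample.tar.gz"
    good=$(sha256sum "$tmp/sample.tar.gz" | cut -d' ' -f1)
    bad="0000000000000000000000000000000000000000000000000000000000000000"
    r1=0; verify_tarball "$tmp/sample.tar.gz" "$good" >/dev/null 2>&1 || r1=$?
    r2=0; verify_tarball "$tmp/sample.tar.gz" "$bad"  >/dev/null 2>&1 || r2=$?
    rm -rf "$tmp"
    echo "$r1 $r2"
}

# Use in the build sequence (DIGEST_FROM_RELEASE_PAGE is a placeholder):
# fetch_verified http://tengine.taobao.org/download/tengine-2.1.0.tar.gz DIGEST_FROM_RELEASE_PAGE \
#   && tar zxvf tengine-2.1.0.tar.gz
```

Replace each `wget URL` in the build with `fetch_verified URL <digest>`; on mismatch the file is removed and the function returns non-zero, so `set -e` or an explicit `&&` stops the build before `tar` runs. The releases the post pins (OpenSSL 1.0.1j, Tengine 2.1.0, PCRE 8.36) are long out of support, so whatever digest you pin should belong to a current release.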

Because my machine needs a PHP runtime, and PHP 7 is not out yet while HHVM has already shipped a new release, and after using it for a long time I have found its performance to be excellent, HHVM is recommended.

Install HHVM. If you cannot reach the download host (virtual machine, network restrictions), add it to hosts first.


140.211.166.134 dl.hhvm.com

Then install

Install HHVM


wget -O - http://dl.hhvm.com/conf/hhvm.gpg.key | sudo apt-key add -
echo deb http://dl.hhvm.com/ubuntu trusty main | sudo tee /etc/apt/sources.list.d/hhvm.list
apt-get update && apt-get install hhvm -y

If you do not need the new features of io.js and nodejs meets your needs, install it with the following command:


sudo apt-get install nodejs-legacy npm -y

Install mysql and redis. Because supervisor is used to manage processes, redis must be configured with daemonize no (edit the config with vim yourself; omitted here).


sudo apt-get install mysql-server redis-server -y

Install process management tools


Sudo apt-get install supervisor
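As an added example (not configuration from the post), this is the supervisor program definition that the redis step calls for: redis stays in the foreground with `daemonize no` in /etc/redis/redis.conf, so supervisor remains its parent and can restart it. The file path, the `redis` user and the binary and data paths are the Ubuntu package defaults and are assumed here.

```ini
; /etc/supervisor/conf.d/redis.conf  (assumed path; added example, not from the post)
;
; Prerequisite in /etc/redis/redis.conf, as the post says:
;   daemonize no
; With "daemonize yes" redis forks and the parent exits, supervisor sees its
; child die immediately, and it restarts redis in a loop.
[program:redis]
command=/usr/bin/redis-server /etc/redis/redis.conf
; run as the unprivileged package user, never as root
user=redis
directory=/var/lib/redis
autostart=true
autorestart=true
; the process must stay up this long to count as successfully started
startsecs=3
; TERM lets redis save its dataset before exiting
stopsignal=TERM
stopwaitsecs=30
stdout_logfile=/var/log/supervisor/redis.log
stderr_logfile=/var/log/supervisor/redis.err
```

The package also installs its own init script, so disable that first to avoid two redis instances fighting over the port (`sudo update-rc.d redis-server disable` on Ubuntu 14.04), then load the program with `sudo supervisorctl reread && sudo supervisorctl update` and confirm with `sudo supervisorctl status`.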

Configure the firewall. First, create the rules file.


sudo vim /etc/iptables.firewall.rules

Choose whether to open 443 based on your own situation. If you have changed the ssh port, change it here too.


*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Apply the firewall rules


sudo iptables-restore < /etc/iptables.firewall.rules
sudo iptables -L

Load the rules automatically at startup


sudo vim /etc/network/if-pre-up.d/firewall

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

sudo chmod +x /etc/network/if-pre-up.d/firewall
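A rules file that still accepts `--dport 22` after sshd has moved to 12345 (or the reverse) cuts you off the moment `iptables-restore` runs, and the if-pre-up.d hook then repeats the lockout on every boot. The check below is an added example, not part of the original post: it reads the Port directive from sshd_config and refuses to proceed unless the rules file contains a matching tcp ACCEPT rule. Function names are chosen here and the files written by `demo` are constructed samples.

```shell
#!/bin/sh
# Added example: refuse to load firewall rules that would lock out SSH.
# Not part of the original post; function names are chosen here.

# ssh_port_from_config SSHD_CONFIG
#   Prints the port from the first uncommented "Port" directive, or 22 if
#   there is none (sshd's default). "#Port 22" is ignored because its first
#   field is "#port", not "port".
ssh_port_from_config() {
    awk 'tolower($1) == "port" && p == "" { p = $2 }
         END { print (p == "" ? 22 : p) }' "$1"
}

# rules_accept_tcp_port RULES PORT
#   Succeeds if RULES has an uncommented "-A INPUT ... -p tcp ... --dport PORT ... -j ACCEPT".
rules_accept_tcp_port() {
    grep -E '^[[:space:]]*-A[[:space:]]+INPUT[[:space:]]' "$1" \
      | grep -E -- '-p[[:space:]]+tcp' \
      | grep -E -- "--dport[[:space:]]+$2([[:space:]]|\$)" \
      | grep -q -E -- '-j[[:space:]]+ACCEPT'
}

# check_ssh_port_consistency SSHD_CONFIG RULES
#   0 if the rules accept the port sshd listens on, 1 otherwise.
check_ssh_port_consistency() {
    port=$(ssh_port_from_config "$1")
    if rules_accept_tcp_port "$2" "$port"; then
        echo "ok: sshd listens on $port and $2 accepts tcp/$port"
        return 0
    fi
    echo "REFUSING: sshd listens on $port but $2 has no ACCEPT rule for tcp/$port" >&2
    return 1
}

# demo: constructed sshd_config and two rules files (one correct, one stale).
# Prints the two results: consistent first, stale second.
demo() {
    tmp=$(mktemp -d)
    printf '#Port 22\nPort 12345\nPermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_config"
    printf '*filter\n-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT\n-A INPUT -j DROP\nCOMMIT\n' > "$tmp/good.rules"
    printf '*filter\n-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT\n-A INPUT -j DROP\nCOMMIT\n' > "$tmp/stale.rules"
    ok=0;    check_ssh_port_consistency "$tmp/sshd_config" "$tmp/good.rules"  >/dev/null 2>&1 || ok=$?
    stale=0; check_ssh_port_consistency "$tmp/sshd_config" "$tmp/stale.rules" >/dev/null 2>&1 || stale=$?
    rm -rf "$tmp"
    echo "$ok $stale"
}

# Real use, in place of the bare iptables-restore:
# check_ssh_port_consistency /etc/ssh/sshd_config /etc/iptables.firewall.rules \
#   && sudo iptables-restore < /etc/iptables.firewall.rules
```

Run the check before both the manual restore and the if-pre-up.d hook; it is also worth keeping a second SSH session open while new rules are applied, so a mistake can still be undone from the old session.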

Raise the number of file handles the system may have open. Some people report the machine becoming too busy to log in to; set it to 51200.


# View the current limit
ulimit -n
# Adjust it for the current session
ulimit -SHn 51200

# Make it persistent
vim /etc/security/limits.conf
# Add these lines
* soft nofile 51200
* hard nofile 51200

# Enable the limits in PAM
vim /etc/pam.d/common-session
# Add this line
session required pam_limits.so

# Apply at login
vim /etc/profile
# Add at the end of the file
ulimit -SHn 51200

Raise the upper limit of open file handles for nginx (Tengine) to cope with bursts.


worker_rlimit_nofile 52100;

Set the number of worker processes. It does not need to be a multiple of the CPU core count; a couple of processes is enough.


worker_processes 2;

If you need PMA (phpMyAdmin), install it manually; the Ubuntu package pulls in a pile of apache-related content that is not needed.
This section was left out. For security, bind PMA to the local IP address, enable self-signed SSL, and enable a login-attempt limit.

Install fail2ban


sudo apt-get install fail2ban
# Specific configuration: set different filters based on your needs
vim /etc/fail2ban/jail.conf
For more information about service settings, see.
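As an added example (not the post's own configuration), a jail.local that enables the SSH jail on the custom port chosen earlier. fail2ban reads jail.local after jail.conf, so overrides placed there survive package upgrades, unlike edits to jail.conf itself. The section name `[ssh]` is the one fail2ban 0.8.x on Ubuntu 14.04 uses (later versions call it `[sshd]`); the log path and ban parameters are assumptions.

```ini
# /etc/fail2ban/jail.local  (added example; overrides /etc/fail2ban/jail.conf)

[DEFAULT]
# Never ban loopback; add your own management address here as well.
ignoreip = 127.0.0.1/8
# Ban for an hour after 5 failures within 10 minutes.
bantime  = 3600
findtime = 600
maxretry = 5

[ssh]
enabled = true
# Must match the Port in sshd_config and the --dport in the iptables rules;
# with the default "port = ssh" the ban would only cover tcp/22.
port    = 12345
filter  = sshd
logpath = /var/log/auth.log
```

After `sudo service fail2ban restart`, `sudo fail2ban-client status ssh` shows the jail's current failure and ban counts, and `sudo iptables -L -n` shows the `fail2ban-ssh` chain that fail2ban inserts in front of the rules loaded from the rules file.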
