之前用的最多的web框架是LNMP,偶尔也会用到LAMP。接下来简单说下LAMP环境的部署记录,这里选择源码安装的方式:
LAMP相关安装包下载地址:https://pan.baidu.com/s/1pYo9X7f1vy5d70eV0RDYWA
提取密码:ebj8
1)Mysql的安装
部署过程参考:http://www.cnblogs.com/kevingrace/p/6109679.html
2)Apache的安装(下面各软件版本要对应,否则会因为版本不兼容而导致Apache编译失败)
LAMP编译安装软件包下载地址:https://pan.baidu.com/s/1MPga1bL1sutGeubW-uXcpg
提取密码:qp2c
依赖软件安装
[root@jenkins-server ~]# yum install gcc gcc-c++ make wget
[root@jenkins-server ~]# yum install zlib-devel openssl-devel
[root@jenkins-server ~]# yum install -y perl perl-devel
apr编译安装(下载地址:http://archive.apache.org/dist/apr/)
[root@jenkins-server ~]# cd /usr/local/src/
[root@jenkins-server src]# wget http://mirrors.cnnic.cn/apache//apr/apr-1.5.2.tar.gz
[root@jenkins-server src]# tar zxvf apr-1.5.2.tar.gz
[root@jenkins-server src]# cd apr-1.5.2
[root@jenkins-server apr-1.5.2]# ./configure --prefix=/usr/local/apache/apr && make && make install
apr-util编译安装(下载地址:http://apr.apache.org/download.cgi)
[root@jenkins-server src]# wget http://mirrors.cnnic.cn/apache//apr/apr-util-1.5.4.tar.gz
[root@jenkins-server src]# tar zxvf apr-util-1.5.4.tar.gz
[root@jenkins-server src]# cd apr-util-1.5.4
[root@jenkins-server apr-util-1.5.4]# ./configure --prefix=/usr/local/apache/apr-util --with-apr=/usr/local/apache/apr
[root@jenkins-server apr-util-1.5.4]# make && make install
如果出现报错: make[1]: *** [xml/apr_xml.lo] Error 1 make[1]: Leaving directory `/usr/local/src/apr-util-1.6.1' make: *** [all-recursive] Error 1 解决办法:yum install expat-devel -y
pcre编译安装
[root@jenkins-server src]# wget https://jaist.dl.sourceforge.net/project/pcre/pcre/8.37/pcre-8.37.tar.gz
[root@jenkins-server src]# tar zxvf pcre-8.37.tar.gz
[root@jenkins-server src]# cd pcre-8.37
[root@jenkins-server pcre-8.37]# ./configure && make && make install
apache编译安装
[root@jenkins-server src]# wget http://www.apache.org/dist/httpd/httpd-2.4.25.tar.gz
[root@jenkins-server src]# tar zxvf httpd-2.4.25.tar.gz
[root@jenkins-server src]# cd httpd-2.4.25
[root@jenkins-server httpd-2.4.25]# ./configure --prefix=/usr/local/apache --with-apr=/usr/local/apache/apr/bin/apr-1-config --with-apr-util=/usr/local/apache/apr-util/bin/apu-1-config --enable-module=so --enable-mods-shared=all --enable-deflate --enable-expires --enable-headers --enable-cache --enable-file-cache --enable-mem-cache --enable-disk-cache --enable-mime-magic --enable-authn-dbm --enable-vhost-alias --enable-so --enable-rewrite --enable-ssl --with-mpm=prefork
[root@jenkins-server httpd-2.4.25]# make && make install
配置apache
[root@jenkins-server src]# cd /usr/local/apache/conf/
[root@jenkins-server conf]# vim httpd.conf
........ ServerName localhost:80 ........ AddType application/x-compress .Z //这两行是默认就有的,在这两行下面添加下面两行 AddType application/x-gzip .gz .tgz AddType application/x-httpd-php .php //使apache支持php AddType application/x-httpd-php-source .php5 ...... LoadModule php5_module modules/libphp5.so //添加php模块,这个在后面php编译安装后就会自动加进来。最后一定要检查这里是否有php模块产生 ...... DocumentRoot "/var/www/html" //修改apache站点目录路径,默认是/usr/local/apache/htdocs。注意这两行要修改一致。 <Directory "/var/www/html"> ....... DirectoryIndex index.html index.php //添加默认的首页面,index.html和index.php ...... Include conf/extra/mxwang.conf //添加虚拟主机配置文件
[root@jenkins-server conf]# cd extra/
[root@jenkins-server extra]# vim mxwang.conf
<VirtualHost *:80> ServerName www.mxwang.cn DocumentRoot /var/www/html/ ErrorLog "/var/log/httpd/www.mxwang.cn-error_log" CustomLog "/var/log/httpd/www.mxwang.cn-access_log" common </VirtualHost>
启动apache
[root@jenkins-server extra]# /usr/local/apache/bin/httpd
[root@jenkins-server extra]# ps -ef|grep http
root 30145 1 2 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30146 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30147 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30148 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30149 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 30150 30145 0 19:53 ? 00:00:00 /usr/local/apache/bin/httpd
root 30156 2090 0 19:53 pts/3 00:00:00 grep --color http
[root@jenkins-server extra]# cat /var/www/html/test.html
sdfasdfasdf
测试访问:http://www.mxwang.cn/test.html
3)PHP编译安装
[root@jenkins-server ~]# yum install libxml2-devel curl-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel net-snmp net-snmp-devel
[root@jenkins-server ~]# cd /usr/local/src/
[root@jenkins-server src]# wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
[root@jenkins-server src]# tar zxvf libiconv-1.14.tar.gz
[root@jenkins-server src]# cd libiconv-1.14
[root@jenkins-server libiconv-1.14]# ./configure --prefix=/usr/local/php/libiconv && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mcrypt/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz
[root@jenkins-server src]# tar zxvf libmcrypt-2.5.8.tar.gz
[root@jenkins-server src]# cd libmcrypt-2.5.8
[root@jenkins-server libmcrypt-2.5.8]# ./configure && make && make install
[root@jenkins-server libmcrypt-2.5.8]# /sbin/ldconfig && cd libltdl/
[root@jenkins-server libltdl]# ./configure --enable-ltdl-install && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mhash/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz
[root@jenkins-server src]# tar zxvf mhash-0.9.9.9.tar.gz
[root@jenkins-server src]# cd mhash-0.9.9.9
[root@jenkins-server mhash-0.9.9.9]# ./configure && make && make install
[root@jenkins-server src]# wget http://nchc.dl.sourceforge.net/project/mcrypt/MCrypt/2.6.8/mcrypt-2.6.8.tar.gz
[root@jenkins-server src]# tar zxvf mcrypt-2.6.8.tar.gz
[root@jenkins-server src]# cd mcrypt-2.6.8
[root@jenkins-server mcrypt-2.6.8]# /sbin/ldconfig && export LD_LIBRARY_PATH=/usr/local/lib: LD_LIBRARY_PATH
[root@jenkins-server mcrypt-2.6.8]# ./configure && make && make install
[root@jenkins-server src]# wget http://cn2.php.net/distributions/php-5.6.15.tar.gz
[root@jenkins-server src]# tar zxvf php-5.6.15.tar.gz
[root@jenkins-server src]# cd php-5.6.15
[root@jenkins-server php-5.6.15]# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-iconv=/usr/local/php/libiconv --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-gd --with-jpeg-dir --with-png-dir --with-pear --with-freetype-dir --with-zlib --with-libxml-dir --with-iconv-dir --with-xmlrpc --with-mhash --with-mcrypt --with-curl --with-openssl --with-snmp --with-gettext --enable-pdo --enable-mbstring --enable-ctype --enable-simplexml --enable-ftp --enable-sockets --enable-gd-native-ttf --enable-sysvsem --enable-exif --enable-sysvshm --enable-xml --enable-dom --enable-simplexml --enable-shmop --enable-zip --enable-mbregex --enable-bcmath --enable-inline-optimization --enable-soap
[root@jenkins-server php-5.6.15]# make && make install
[root@jenkins-server php-5.6.15]# cp php.ini-production /usr/local/php/etc/php.ini
[root@jenkins-server php-5.6.15]# vim /etc/profile
......
export PATH=$PATH:/usr/local/php/bin
[root@jenkins-server php-5.6.15]# source /etc/profile
[root@jenkins-server src]# /usr/local/php/bin/php -m
[PHP Modules]
bcmath
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
json
libxml
mbstring
mcrypt
mhash
mysql
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
shmop
SimpleXML
snmp
soap
sockets
SPL
sqlite3
standard
sysvsem
sysvshm
tokenizer
xml
xmlreader
xmlrpc
xmlwriter
zip
zlib
[Zend Modules]
一定要记得重启aapche
[root@jenkins-server src]# pkill -9 http
[root@jenkins-server src]# ps -ef|grep http
root 31091 12736 0 20:06 pts/6 00:00:00 grep --color http
[root@jenkins-server src]# /usr/local/apache/bin/httpd
[root@jenkins-server src]# ps -ef|grep http
root 31098 1 7 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31099 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31100 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31101 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31102 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31103 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
root 31106 12736 0 20:06 pts/6 00:00:00 grep --color http
测试php:
[root@jenkins-server src]# cat /var/www/html/test.php
<?php
phpinfo()
?>
访问:www.mxwang.cn/test.php
注意几点:
php.ini文件中的设置时区
[root@jenkins-server src]# vim /usr/local/php/etc/php.ini
......
date.timezone = PRC
保证站点目录下的文件权限和apache启动用户一致:
[root@jenkins-server src]# ps -ef|grep http
root 31098 1 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31099 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31100 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31101 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31102 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31103 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 31151 31098 0 20:06 ? 00:00:00 /usr/local/apache/bin/httpd
root 31409 12736 0 20:10 pts/6 00:00:00 grep --color http
[root@jenkins-server src]# ll /var/www/html/
total 40232
drwxr-xr-x. 3 777 nobody 4096 Jan 5 12:47 addons
-rw-r--r--. 1 777 nobody 464 Jan 5 12:47 admin.php
drwxr-xr-x. 2 777 nobody 4096 Jan 5 12:47 api
-rw-r--r--. 1 777 nobody 216 Jan 5 12:47 api.php
......
可以将上面的安装过程归档在一个安装脚本里进行一键安装
=================apache下http强制转https配置==================
1)在httpd.conf文件里使下面模块生效 [root@back ~]# cat /usr/local/apache/conf/httpd.conf|grep rewrite_module ....... LoadModule rewrite_module modules/mod_rewrite.so #打开重写跳转功能 2)httpd.conf配置文件或者是在httpd-vhost.conf文件里修改 [root@back ~]# cat /usr/local/apache/conf/httpd.conf ....... DocumentRoot "/data/vhosts" <Directory "/data/vhosts"> Options FollowSymLinks MultiViews Includes AllowOverride All Require all granted </Directory> 3)在网站根目录下面添加该文件“.htaccess” 目录访问控制文件,并添加如下内容: #--------------------------------- RewriteEngine on #开启重定向引擎 RewriteBase / #可以不设置 RewriteCond %{SERVER_PORT} !^443$ #非443端口的数据全部进行重定向 RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] #把需要重定向的内容重定向到https #---------------------------------- #如果是默认不是443端口,那么可以在最后一行写成这样 RewriteRule ^.*$ https://www.wang.com:8443 #当然如果默认是443的话,也可以这么写 RewriteRule ^.*$ https://www.wang.com #该 .htaccess 需要放置在网站的根目录下面才可以生效 #---------------------------------- 含义是这样的:为了让用户访问传统的http://转到https://上来,用了一下rewrite规则: 第一句:启动rewrite引擎 第二句:rewrite的条件是访问的服务器端口不是443端口 第三句:这是正则表达式,^是开头,$是结束,/?表示有没有/都可以(0或1个),(.*)是任何数量的任意字符 整句的意思是讲:启动rewrite模块,将所有访问非443端口的请求,url地址内容不变,将http://变成https://。
==========================================================
看看下面一例:
[root@back ~]# cat /usr/local/apache/conf/httpd.conf|grep -v "#"|grep -v "^$" ServerRoot "/usr/local/apache" Listen 80 LoadModule authn_file_module modules/mod_authn_file.so #这些模块功能的配置最好都开启了,打开所有LoadModule前面的注释,否则apache启动可能报错。 LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule ssl_module modules/mod_ssl.so #打开https功能模块 LoadModule unixd_module modules/mod_unixd.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so #打开重写跳转功能模块 LoadModule php5_module modules/libphp5.so <IfModule unixd_module> User nobody Group nobody </IfModule> ServerAdmin you@example.com ServerName www.example.com:80 <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/data/vhosts" <Directory "/data/vhosts"> Options FollowSymLinks MultiViews Includes AllowOverride All Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.php index.html </IfModule> <Files ".ht*"> Require all denied </Files> ErrorLog "logs/error_log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access_log" combined </IfModule> <IfModule alias_module> ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/" </IfModule> <IfModule cgid_module> </IfModule> <Directory "/usr/local/apache/cgi-bin"> AllowOverride None Options None Require all granted </Directory> <IfModule headers_module> RequestHeader unset Proxy early </IfModule> <IfModule mime_module> TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType application/x-httpd-php .php .phtml .php3 .inc AddType application/x-httpd-php-source .phps </IfModule> Include conf/extra/httpd-mpm.conf Include conf/extra/httpd-info.conf Include conf/extra/httpd-vhosts.conf <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> Include conf/extra/httpd-ssl.conf <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> [root@back ~]# cd /usr/local/apache/conf [root@back conf]# ls wang.cer extra httpd.conf.bak httpd_orig.conf mime.types server.crt server.key wang.key httpd.conf httpd.conf-orig magic original server.csr server.key.unsecure [root@back conf]# cd extra/ [root@back extra]# ls httpd-autoindex.conf httpd-languages.conf httpd-ssl.conf httpd-userdir.conf httpd-dav.conf httpd-manual.conf httpd-ssl.conf.bak httpd-vhosts.conf httpd-default.conf httpd-mpm.conf httpd-ssl.conf-orig httpd-vhosts.conf-orig httpd-info.conf httpd-multilang-errordoc.conf httpd-ssl_orig.conf proxy-html.conf [root@back extra]# cat httpd-vhosts.conf |grep -v "#"|grep -v "^$" <Directory "/data/vhosts/"> Options FollowSymLinks AllowOverride All Require all granted </Directory> <VirtualHost *:80> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/limesurvey/" ServerName wj.wang.com ErrorLog "logs/limesurvey.wang.com-error_log" CustomLog "logs/limesurvey.wang.com-access_log" combined </VirtualHost> <VirtualHost *:80> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/nextcloud/" ServerName nextcloud.wang.com ErrorLog "logs/nextcloud.wang.com-error_log" CustomLog "logs/nextcloud.wang.com-access_log" combined </VirtualHost> <VirtualHost *:80> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/opensns/" ServerName opensns.wang.com ErrorLog "logs/opensns.wang.com-error_log" CustomLog "logs/opensns.wang.com-access_log" combined <Directory "/data/vhosts/opensns/"> Options FollowSymlinks AllowOverride All Require all granted </Directory> </VirtualHost> <VirtualHost *:80> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/discuz/" ServerName discuz.wang.com ErrorLog "logs/discuz.wang.com-error_log" CustomLog "logs/discuz.wang.com-access_log" combined </VirtualHost> [root@back extra]# cat httpd-ssl.conf |grep -v "#"|grep -v "^$" Listen 0.0.0.0:443 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4 SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLProxyProtocol all -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 <VirtualHost *:443> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/limesurvey/" ServerName limesurvey.wang.com SSLEngine on SSLCertificateFile "/usr/local/apache/conf/wang.cer" SSLCertificateKeyFile "/usr/local/apache/conf/wang.key" ErrorLog "logs/limesurvey.wang.com-https-error_log" CustomLog "logs/limesurvey.wang.com-https-access_log" combined </VirtualHost> <VirtualHost *:443> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/opensns/" ServerName opensns.wang.com SSLEngine on SSLCertificateFile "/usr/local/apache/conf/server.crt" SSLCertificateKeyFile "/usr/local/apache/conf/server.key" ErrorLog "logs/opensns.wang.com-https-error_log" CustomLog "logs/opensns.wang.com-https-access_log" combined </VirtualHost> <VirtualHost *:443> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/nextcloud/" ServerName nextcloud.wang.com SSLEngine on SSLCertificateFile "/usr/local/apache/conf/server.crt" SSLCertificateKeyFile "/usr/local/apache/conf/server.key" ErrorLog "logs/nextcloud.wang.com-https-error_log" CustomLog "logs/nextcloud.wang.com-https-access_log" combined </VirtualHost> <VirtualHost *:443> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/discuz/" ServerName discuz.wang.com SSLEngine on SSLCertificateFile "/usr/local/apache/conf/server.crt" SSLCertificateKeyFile "/usr/local/apache/conf/server.key" ErrorLog "logs/opensns.wang.com-https-error_log" CustomLog "logs/opensns.wang.com-https-access_log" combined </VirtualHost> <VirtualHost _default_:443> DocumentRoot "/data/vhosts" ServerName test.com ServerAdmin g-ops-all@wang.com ErrorLog "/usr/local/apache/logs/discuz-https-error_log" TransferLog "/usr/local/apache/logs/discuz-https-access_log" SSLEngine on SSLCertificateFile "/usr/local/apache/conf/server.crt" SSLCertificateKeyFile "/usr/local/apache/conf/server.key" <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/usr/local/apache/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog "/usr/local/apache/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> http强制跳转到https,在每个站点的根目录下添加.htaccess文件,配置如下: [root@back ~]# cat /data/vhosts/limesurvey/.htaccess <IfModule mod_rewrite.c> RewriteEngine on # RewriteBase / RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] # if a directory or a file exists, use it directly RewriteCond %{REQUEST_FILENAME} !-f # otherwise forward it to index.php RewriteRule . index.php </IfModule> # General setting to properly handle LimeSurvey paths # AcceptPathInfo on 这样,访问http://limesurvey.wang.com就会强制跳转为https://limesurvey.wang.com。 其他域名配置一样!
============================总结=========================
Apache强制HTTP全部跳转到HTTPS,只需要在站点根目录下添加.htaccess文件,在.htaccess加入下面规则
1) RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L] 或者 RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L] 2)强制HTTPS方式访问,对WWW或*域名不做跳转。 RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301] 3)强制HTTPS方式访问,并自动将*域名跳转到WWW。 RewriteEngine On RewriteCond %{HTTP_HOST} !^www.kevin.com$ [NC] RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301] RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.kevin.com/$1 [L,R=301] 4)强制HTTPS方式访问,并自动将WWW跳转到*域名。 RewriteEngine On RewriteCond %{HTTP_HOST} !^kevin.com$ [NC] RewriteRule ^(.*)$ https://kevin.com/$1 [L,R=301] RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://kevin.com/$1 [L,R=301] 5)站点绑定多个域名,只允许www.kevin.com 跳转 RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteCond %{HTTP_HOST} ^kevin.com [NC,OR] RewriteCond %{HTTP_HOST} ^www.kevin.com [NC] RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
==================apache下多端口虚拟主机配置====================
apache服务器上(apache+php)配置三个域名zpadmin.wang.com、 zpwechat.wang.com、zpimages.wang.com 然后在前面LB层进行反向代理配置(apache真实服务器没有外网ip) 三个域名分别对应三个端口8080、8081、8082,注意http.conf文件里的Listen [root@localhost ~]# cat /data/apache/conf/httpd.conf|grep -v "#"|grep -v "^$" ServerRoot "/data/apache" Listen 192.168.1.32:8080 Listen 192.168.1.32:8081 Listen 192.168.1.32:8082 LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule ssl_module modules/mod_ssl.so LoadModule unixd_module modules/mod_unixd.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule php5_module modules/libphp5.so <IfModule unixd_module> User nobody Group nobody </IfModule> ServerAdmin you@example.com ServerName www.example.com:80 <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/data/vhosts" <Directory "/data/vhosts"> Options FollowSymLinks MultiViews Includes AllowOverride All Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.php index.html </IfModule> <Files ".ht*"> Require all denied </Files> ErrorLog "logs/error_log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access_log" combined </IfModule> <IfModule alias_module> ScriptAlias /cgi-bin/ "/data/apache/cgi-bin/" </IfModule> <IfModule cgid_module> </IfModule> <Directory "/data/apache/cgi-bin"> AllowOverride None Options None Require all granted </Directory> <IfModule headers_module> RequestHeader unset Proxy early </IfModule> <IfModule mime_module> TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType application/x-httpd-php .php .phtml .php3 .inc AddType application/x-httpd-php-source .phps </IfModule> Include conf/extra/httpd-mpm.conf Include conf/extra/httpd-info.conf Include conf/extra/httpd-vhosts.conf <IfModule proxy_html_module> Include conf/extra/proxy-html.conf </IfModule> Include conf/extra/httpd-ssl.conf <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> 虚拟主机配置如下: 注意,Apache2.4.x版本版本后就取消了NameVirtualHost配置。 所以配置对应端口的虚拟主机时不需要在<VirtualHost 192.168.1.32:8080>的前面再设置 NameVirtualHost 192.168.1.32:8080了 [root@localhost ~]# cat /data/apache/conf/extra/httpd-vhosts.conf # Virtual Hosts # # Required modules: mod_log_config # If you want to maintain multiple domains/hostnames on your # machine you can setup VirtualHost containers for them. Most configurations # use only name-based virtual hosts so the server doesn't need to worry about # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at # <URL:http://httpd.apache.org/docs/2.4/vhosts/> # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host # configuration. # # VirtualHost example: # Almost any Apache directive may go into a VirtualHost container. # The first VirtualHost section is used for all requests that do not # match a ServerName or ServerAlias in any <VirtualHost> block. # # <VirtualHost 192.168.1.32:80> # ServerAdmin webmaster@dummy-host.example.com # DocumentRoot "/data/apache/docs/dummy-host.example.com" # ServerName dummy-host.example.com # ServerAlias www.dummy-host.example.com # ErrorLog "logs/dummy-host.example.com-error_log" # CustomLog "logs/dummy-host.example.com-access_log" common # </VirtualHost> # <VirtualHost 192.168.1.32:80> # ServerAdmin webmaster@dummy-host2.example.com # DocumentRoot "/data/apache/docs/dummy-host2.example.com" # ServerName dummy-host2.example.com # ErrorLog "logs/dummy-host2.example.com-error_log" # CustomLog "logs/dummy-host2.example.com-access_log" common # </VirtualHost> # ============================================================= # Add by Francis Hao @ 2017-06-27 <Directory "/data/vhosts/"> Options FollowSymLinks # Includes ExecCGI AllowOverride All Require all granted </Directory> <VirtualHost 192.168.1.32:8080> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/shellking/backend/web" ServerName zpadmin.wang.com ErrorLog "logs/zpadmin-error_log" CustomLog "logs/zpadmin-access_log" combined </VirtualHost> <VirtualHost 192.168.1.32:8081> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/shellking/wechat/web" ServerName zpwechat.wang.com ErrorLog "logs/zpwechat-error_log" CustomLog "logs/zpwechat-access_log" combined </VirtualHost> <VirtualHost 192.168.1.32:8082> ServerAdmin g-ops-all@wang.com DocumentRoot "/data/vhosts/shellking/upload" ServerName zpimages.wang.com ErrorLog "logs/zpimages-error_log" CustomLog "logs/zpimages-access_log" combined </VirtualHost> 前面LB层的反向代理配置: [root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpadmin.conf upstream zpadmin { server 192.168.1.32:8080 max_fails=3 fail_timeout=10s; } server { listen 80; server_name zpadmin.wang.com; access_log logs/zpadmin_access.log main; error_log logs/zpadmin_error.log; location / { proxy_pass http://zpadmin/; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } [root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpwechat.conf upstream zpwechat { server 192.168.1.32:8081 max_fails=3 fail_timeout=10s; } server { listen 80; server_name zpwechat.wang.com; access_log logs/zpwechat_access.log main; error_log logs/zpwechat_error.log; location / { proxy_pass http://zpwechat/; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } [root@nginx-web01 ~]# cat /data/nginx/conf/vhosts/zpimages.conf upstream zpimages { server 192.168.1.32:8082 max_fails=3 fail_timeout=10s; } server { listen 80; server_name zpimages.wang.com; access_log logs/zpimages_access.log main; error_log logs/zpimages_error.log; location / { proxy_pass http://zpimages/; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } }
================LAPM中在php(5.6.15版本)连接mysql的配置=================
apache的站点根目录是/data/www,php测试连接mysql的测试配置如下:
[root@uatweb01 ~]# cat /data/www/test.php <?php $servername = "localhost:3306"; $username = "kevin"; $password = "123456"; $dbname = "kevin-test"; $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("Connection failed: " . mysqli_connect_error()); }else{ echo "this is connected"; } ?>
访问该test.php文件,如果出现如下结果"this is connected",这说明php连接mysql成功!如果出现"Connection failed",则说明php连接mysql失败!
=============================系统后台登录, PHP报错============================
系统部署在了LAMP环境上, 访问系统后台, 点击登录没反应, F12查看报错: ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time 根据报错提示涉及的文件是Session.php中的170行, 最后注释下面几行内容, 问题解决: 169 #if (isset($config['secure'])) { 170 # ini_set('session.cookie_secure', $config['secure']); 171 #} 172 173 #if (isset($config['httponly'])) { 174 # ini_set('session.cookie_httponly', $config['httponly']); 175 #} 解释: 上面两个是cookie安全的设置, 加了httponly 和 cookie_secure; http only一般是用来防止js偷cookie; cookie_secure设置之后只有https的请求才会生效. 前面通过Nginx upstream, 实现反向代理的负载均衡方式进行访问, 并利用nginx的ip_hash实现session共享.
下面是曾经线上使用过的一个LAMP配置(Mysql5.7+PHP7.2.3+Apahce2.4.7), http强转到https, 前面通过Nginx反向代理, 在此贴出来分享下:
1) 后端两台LAMP机器的apache配置如下(http强转到https) [root@qw-web03 ~]# cat /usr/local/apache/conf/extra/veredholdings.conf <VirtualHost *:80> ServerName www.kevin.com DocumentRoot /data/www/public DirectoryIndex index.php index.html ErrorLog "/var/log/httpd/www.kevin.com-error_log" CustomLog "/var/log/httpd/www.kevin.com-access_log" common </VirtualHost> [root@qw-web03 ~]# cat /usr/local/apache/conf/extra/httpd-ssl.conf Listen 443 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4 SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLProxyProtocol all -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 <VirtualHost *:443> DocumentRoot "/data/www/public" ServerName www.kevin.com DirectoryIndex index.php index.html SSLEngine on SSLCertificateFile "/usr/local/apache/conf/ssl/ssl.kevin.com.crt" SSLCertificateKeyFile "/usr/local/apache/conf/ssl/ssl.kevin.com.key" ErrorLog "logs/www.kevin.com-https-error_log" CustomLog "logs/www.kevin.com-https-access_log" combined </VirtualHost> [root@qw-web03 ~]# ll /usr/local/apache/conf/ssl/ total 8 -rw-rw-r-- 1 root root 4085 Apr 8 2018 ssl.kevin.com.crt -rw-rw-r-- 1 root root 1706 Apr 8 2018 ssl.kevin.com.key [root@qw-web03 ~]# cat /usr/local/apache/conf/httpd.conf Include conf/extra/httpd-ssl.conf LoadModule php7_module modules/libphp7.so DocumentRoot "/data/www/public" <Directory "/data/www/public"> Options FollowSymLinks MultiViews Includes AllowOverride All Require all granted </Directory> [root@qw-web03 ~]# cat /data/www/public/.htaccess <IfModule mod_rewrite.c> Options +FollowSymlinks -Multiviews RewriteEngine On RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R] RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(.*)$ index.php/$1 [QSA,PT,L] RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule> 解决: 前面几行是http强转到https的配置 后面三行是"关闭Apache服务器的TRACE请求, 或是禁止远端WWW服务支持TRACE请求", 安全配置 2) nginx反向代理配置(http强转到https) [root@external-lb02 ~]# cat /data/nginx/conf/vhosts/www.kevin.com.conf upstream web-80 { server 10.0.32.62:80 max_fails=3 fail_timeout=15s; server 10.0.32.63:80 max_fails=3 fail_timeout=15s; } server { listen 80; server_name kevin.com; return 301 http://www.kevin.com$request_uri; } server { listen 80; server_name www.kevin.com; access_log /data/nginx/logs/www.kevin.com-access.log main; error_log /data/nginx/logs/www.kevin.com-error.log; location / { proxy_pass http://web-80; proxy_set_header Host $host; proxy_redirect http://web-80/ http://www.kevin.com/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } [root@external-lb02 ~]# cat /data/nginx/conf/vhosts/443-www.kevin.com.conf upstream web-443 { ip_hash; server 10.0.32.62:443 max_fails=3 fail_timeout=15s; server 10.0.32.63:443 max_fails=3 fail_timeout=15s; } server { listen 443; server_name www.kevin.com kevin.com; ssl on; ssl_certificate /data/nginx/conf/ssl/ssl.kevin.com.crt; ssl_certificate_key /data/nginx/conf/ssl/ssl.kevin.com.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE; ssl_prefer_server_ciphers on; access_log /data/nginx/logs/www.kevin.com-access.log main; error_log /data/nginx/logs/www.kevin.com-error.log; if ($host = "kevin.com") { rewrite ^/(.*)$ https://www.kevin.com permanent; } location / { proxy_pass https://web-443; proxy_set_header Host $host; proxy_redirect https://web-443/ https://www.kevin.com/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } [root@external-lb02 ~]# ll /data/nginx/conf/ssl/ 总用量 36 -rw-r-xr-- 1 root root 4085 4月 8 2018 ssl.kevin.com.crt -rw-r-xr-- 1 root root 1706 4月 8 2018 ssl.kevin.com.key