如何使用 Nginx 安装 NEOS CMS 并让我们在 Rocky Linux 8 上加密 SSL
在此页
- 配置Nginx
先决条件
-
A server running Rocky Linux 8.
-
A non-root sudo user.
-
Make sure everything is updated.
$ sudo dnf update -
Install basic utility packages. Some of them may already be installed.
$ sudo dnf install wget curl nano unzip yum-utils -y
第 1 步 - 配置防火墙
$ sudo firewall-cmd --state running $ sudo firewall-cmd --permanent --list-services cockpit dhcpv6-client ssh $ sudo firewall-cmd --permanent --add-service=http $ sudo firewall-cmd --permanent --add-service=https $ sudo firewall-cmd --permanent --list-services cockpit dhcpv6-client http https ssh $ sudo firewall-cmd --reload 第 2 步 - 安装 Nginx
$ sudo nano /etc/yum.repos.d/nginx.repo [nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true [nginx-mainline] name=nginx mainline repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=1 enabled=0 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true $ sudo dnf install nginx $ nginx -v nginx version: nginx/1.20.2 $ sudo systemctl enable nginx --now 第 3 步 - 安装 PHP 和扩展
$ sudo dnf install epel-release $ sudo dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm $ dnf module list php -y Last metadata expiration check: 0:00:12 ago on Fri 03 Dec 2021 09:39:32 AM UTC. Rocky Linux 8 - AppStream Name Stream Profiles Summary php 7.2 [d] common [d], devel, minimal PHP scripting language php 7.3 common [d], devel, minimal PHP scripting language php 7.4 common [d], devel, minimal PHP scripting language Remi's Modular repository for Enterprise Linux 8 - x86_64 Name Stream Profiles Summary php remi-7.2 common [d], devel, minimal PHP scripting language php remi-7.3 common [d], devel, minimal PHP scripting language php remi-7.4 common [d], devel, minimal PHP scripting language php remi-8.0 common [d], devel, minimal PHP scripting language php remi-8.1 common [d], devel, minimal PHP scripting language Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled $ sudo dnf module reset php $ sudo dnf module enable php:remi-8.0 $ sudo dnf install php-fpm php-mbstring php-xml php-curl php-mysqlnd php-zip php-cli php-imagick ImageMagick php-intl $ php --version PHP 8.0.14 (cli) (built: Dec 16 2021 03:01:07) ( NTS gcc x86_64 ) Copyright (c) The PHP Group Zend Engine v4.0.14, Copyright (c) Zend Technologies 第 4 步 - 安装和配置 MySQL 服务器
$ sudo dnf install mysql-server $ sudo systemctl enable mysqld --now $ sudo mysql_secure_installation Securing the MySQL server deployment. Connecting to MySQL using a blank password. VALIDATE PASSWORD COMPONENT can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD component? Press y|Y for Yes, any other key for No: Y There are three levels of password validation policy: LOW Length >= 8 MEDIUM Length >= 8, numeric, mixed case, and special characters STRONG Length >= 8, numeric, mixed case, special characters and dictionary file Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2 Please set the password for root here. New password: Re-enter new password: Estimated strength of the password: 100 Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y ... Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y Success. ... Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y Success. ... Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. ... Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y Success. All done! $ mysql -u root -p mysql> CREATE USER 'neos'@'localhost' IDENTIFIED BY 'Your_password2'; mysql> CREATE DATABASE neosdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; mysql> GRANT ALL PRIVILEGES ON neosdb.* TO 'neos'@'localhost'; mysql> exit 第 5 步 - 安装 Composer
$ curl -sS https://getcomposer.org/installer -o composer-setup.php $ HASH=`curl -sS https://composer.github.io/installer.sig` $ echo $HASH $ php -r "if (hash_file('SHA384', 'composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" Installer verified $ sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer $ composer --version Composer version 2.2.3 2021-12-31 12:18:53 第 6 步 - 安装 Neos CMS
$ sudo mkdir -p /var/www/neos $ sudo chown -R $USER:$USER /var/www/neos $ cd /var/www/neos $ composer create-project --no-dev neos/neos-base-distribution . - Installing neos/composer-plugin (2.1.3): Extracting archive neos/composer-plugin contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins Do you trust "neos/composer-plugin" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y - Installing composer/package-versions-deprecated (1.11.99.4): Extracting archive composer/package-versions-deprecated contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins Do you trust "composer/package-versions-deprecated" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y $ sudo ./flow core:setfilepermissions $USER nginx nginx $ sudo usermod -a -G nginx $USER 第 7 步 - 配置 SELinux 权限
$ sudo chcon -t httpd_sys_content_t /var/www/neos -R $ sudo chcon -t httpd_sys_rw_content_t /var/www/neos -R $ sudo setsebool -P httpd_can_network_connect on 第 8 步 - 安装和配置 SSL
$ sudo dnf install certbot $ sudo systemctl stop nginx $ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m -d neos.example.com $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 $ sudo mkdir -p /var/lib/letsencrypt $ sudo nano /etc/cron.daily/certbot-renew #!/bin/sh certbot renew --cert-name neos.example.com --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx" $ sudo chmod +x /etc/cron.daily/certbot-renew 第 9 步 - 配置 Nginx 和 PHP
配置 PHP-FPM
$ sudo nano /etc/php-fpm.d/www.conf ... ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. ; RPM: apache user chosen to provide access to the same directories as httpd user = nginx ; RPM: Keep a group allowed to write in log dir. group = nginx ... $ sudo systemctl start php-fpm 配置 Nginx
$ sudo nano /etc/nginx/conf.d/neos.conf server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name neos.example.com; access_log /var/log/nginx/neos.access.log; error_log /var/log/nginx/neos.error.log; # SSL ssl_certificate /etc/letsencrypt/live/neos.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/neos.example.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/neos.example.com/chain.pem; ssl_session_timeout 5m; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_stapling on; ssl_stapling_verify on; ssl_dhparam /etc/ssl/certs/dhparam.pem; resolver 8.8.8.8; root /var/www/neos/Web/; index index.php; location / { try_files $uri $uri/ /index.php?$args; } # Pass PHP Scripts To FastCGI Server location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_pass unix:/run/php-fpm/www.sock; # Depends On The PHP Version fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param FLOW_REWRITEURLS 1; fastcgi_param FLOW_CONTEXT Production; fastcgi_param X-Forwarded-For $proxy_add_x_forwarded_for; fastcgi_param X-Forwarded-Port $proxy_port; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_NAME $http_host; fastcgi_read_timeout 300; fastcgi_buffer_size 128k; fastcgi_buffers 256 16k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; include fastcgi_params; try_files $uri =404; } location ~ /_Resources/ { access_log off; log_not_found off; expires max; if (!-f $request_filename) { rewrite "/_Resources/Persistent/([a-z0-9]{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break; rewrite "/_Resources/Persistent(?>/[a-z0-9]{5}){8}/([a-f0-9]{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break; } } } # enforce HTTPS server { listen 80; listen [::]:80; server_name neos.example.com; return 301 https://$host$request_uri; } $ sudo nano /etc/nginx/nginx.conf server_names_hash_bucket_size 64; $ sudo nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful $ sudo systemctl restart nginx 第 10 步 - 完成 Neos 安装
$ cat /var/www/neos/Data/SetupPassword.txt The setup password is: SCPUYmmQ After you successfully logged in, this file is automatically deleted for security reasons. Make sure to save the setup password for later use. Package Name: Neos.HowtoForgeNews Site Name: HowtoForgeNews