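Serving WordPress and phpMyAdmin with LNMP, and adding HTTPS for phpMyAdmin

Goal: build an LNMP stack that serves WordPress and phpMyAdmin, and add HTTPS to phpMyAdmin

Environment: CentOS 7, with nginx, php, php-fpm, mariadb, php-mysql and php-mbstring installed from the EPEL repository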

 

172.16.34.2: LNMP server

172.16.34.1: certificate-signing server for HTTPS




Edit the hosts file and add one record

[root@localhost php-fpm.d]# vim /etc/hosts
172.16.34.2 www.pma.com www.wp.com

 

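Configure nginx

Change to the nginx configuration directory, comment out the server block in the main configuration file, and add the default index files in the http context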

[root@localhost phpMyAdmin]# cd /etc/nginx
[root@localhost nginx]# vim nginx.conf
index index.php index.html index.htm;

 

Change to the conf.d directory

[root@localhost nginx]# cd conf.d/

Create the wp.conf configuration file

[root@localhost conf.d]# vim wp.conf
server {
       listen 80;
       server_name www.wp.com;
       root /wp/wordpress;
 
       location ~ \.php$ {
           fastcgi_pass 172.16.34.2:9000;
           fastcgi_index index.php;
           fastcgi_param SCRIPT_FILENAME /wp/wordpress/$fastcgi_script_name;
           include            fastcgi_params;
       }
}

 

Create the phpMyAdmin configuration file

[root@localhost conf.d]# vim pma.conf
server {
       listen 80;
       server_name www.pma.com;
       root /pma/pma;
 
       location ~ \.php$ {
           fastcgi_pass 172.16.34.2:9000;
           fastcgi_index index.php;
           fastcgi_param SCRIPT_FILENAME /pma/pma/$fastcgi_script_name;
           include            fastcgi_params;
       }
}


Configure php-fpm to listen on this host's IP address

[root@localhost ~]# cd /etc/php-fpm.d/
[root@localhost php-fpm.d]# vim www.conf
listen = 172.16.34.2:9000
listen.allowed_clients = 172.16.34.2

 

Configure MariaDB

Create the database, account and password used by WordPress

 

MariaDB [(none)]> create user wpuser@'172.16.%.%' identified by 'wppass';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database wpdb;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on wpdb.* to wpuser@'172.16.%.%' identified by 'wppass';
Query OK, 0 rows affected (0.01 sec)
 
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 

Create the account and password used by phpMyAdmin

MariaDB [(none)]> create user pma@'172.16.%.%' identified by 'pmapass';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all on *.* to pma@'172.16.%.%' identified by 'pmapass';
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

 

Install WordPress

Copy the WordPress archive to the server and unpack it; this example uses the /wp directory

 

[root@localhost ~]# mkdir /wp
[root@localhost ~]# cd /wp
[root@localhost wp]# unzip wordpress-4.5.3-zh_CN.zip
[root@localhost wp]# cd wordpress/

 

Set the database connection details in the configuration file

[root@localhost wordpress]# mv wp-config-sample.php wp-config.php
[root@localhost wordpress]# vim wp-config.php
// ** MySQL settings - the details come from the host you are using ** //
/** Name of the WordPress database */
define('DB_NAME', 'wpdb');

/** MySQL database user name */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'wppass');

/** MySQL host */
define('DB_HOST', '172.16.34.2');

 

Verify the login


 

Configure phpMyAdmin

Copy the phpMyAdmin archive to the server and unpack it; this example uses the /pma directory

[root@localhost ~]# mkdir /pma
[root@localhost ~]# cd /pma
[root@localhost pma]# unzip phpMyAdmin-4.4.14.1-all-languages.zip

 

Create a symbolic link to the unpacked directory

[root@localhost pma]# ln -s phpMyAdmin-4.4.14.1-all-languages pma

 

Edit the phpMyAdmin configuration file

[root@localhost pma]# mv config.sample.inc.php config.inc.php
[root@localhost pma]# vim config.inc.php
$cfg['Servers'][$i]['host'] = '172.16.34.2';

 

Verify the login



Configure HTTPS for phpMyAdmin

Generate a self-signed certificate on the HTTPS signing server

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
..........................................++++++
........................................................++++++
e is 65537 (0x10001)

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:pma
Organizational Unit Name (eg, section) []:pma
Common Name (eg, your name or your server's hostname) []:pma.admin.com
Email Address []:[email protected]

Create the CA database files

[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial


On the nginx server, create the /etc/nginx/ssl directory to hold the SSL certificate, then generate the certificate signing request on the LNMP server

[root@localhost pma]# mkdir /etc/nginx/ssl
[root@localhost pma]# cd /etc/nginx/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out https.key 1024)
Generating RSA private key, 1024 bit long modulus
....................++++++
.....++++++
e is 65537 (0x10001)


Generate the request

[root@localhost ssl]# openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:pma
Organizational Unit Name (eg, section) []:pma
Common Name (eg, your name or your server's hostname) []:www.pma.com
Email Address []:[email protected]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Copy the request file to the signing server

[root@localhost ssl]# scp https.csr 172.16.34.1:/tmp
The authenticity of host '172.16.34.1 (172.16.34.1)' can't be established.
RSA key fingerprint is e3:f4:9c:da:f9:29:b3:da:bb:29:0b:90:1f:d6:11:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.34.1' (RSA) to the list of known hosts.
[email protected]'s password: 
https.csr

 

Sign the certificate request

[root@localhost tmp]# openssl ca -in https.csr -out https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 1 (0x1)
       Validity
           Not Before: Jul 29 09:48:51 2016 GMT
            Not After : Jul 29 09:48:51 2017 GMT
       Subject:
           countryName               = CN
           stateOrProvinceName       = beijing
           organizationName          = pma
           organizationalUnitName    = pma
           commonName                = www.pma.com
           emailAddress              [email protected]
       X509v3 extensions:
           X509v3 Basic Constraints: 
                CA:FALSE
           Netscape Comment: 
                OpenSSL Generated Certificate
           X509v3 Subject Key Identifier: 
               90:8B:98:8A:1C:F2:4B:97:E6:E5:AA:8E:71:BB:5C:B8:74:9D:BC:AA
           X509v3 Authority Key Identifier: 
               keyid:47:27:C4:38:0F:02:E8:25:36:D1:0C:EE:B8:91:E8:7A:6C:E6:33:65
 
Certificate is to be certified until Jul 29 09:48:51 2017 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

Copy the signed certificate to the nginx server

[root@localhost tmp]# scp https.crt 172.16.34.2:/etc/nginx/ssl
The authenticity of host '172.16.34.2 (172.16.34.2)' can't be established.
RSA key fingerprint is e5:64:1c:8f:70:41:7f:74:79:a2:f7:f4:8d:38:1a:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.34.2' (RSA) to the list of known hosts.
[email protected]'s password: 
https.crt

 

Edit nginx's pma.conf configuration file

[root@localhost conf.d]# vim pma.conf
server {
       listen 443 ssl;
       server_name www.pma.com;
       root /pma/pma;
       ssl on;
       ssl_certificate   /etc/nginx/ssl/https.crt;
       ssl_certificate_key /etc/nginx/ssl/https.key;
       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout 5m;
       ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
       ssl_prefer_server_ciphers on;

       location ~ \.php$ {
           fastcgi_pass 172.16.34.2:9000;
           fastcgi_index index.php;
           fastcgi_param SCRIPT_FILENAME /pma/pma/$fastcgi_script_name;
           include             fastcgi_params;
       }
}
# Redirect plain HTTP requests for www.pma.com to HTTPS
server {
        listen 80;
        server_name www.pma.com;
        rewrite ^(.*)$ https://$server_name$1 permanent;
}
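
One way to check the issued certificate before reloading nginx, as an added example that is not part of the original post: it confirms that https.crt matches https.key, that it chains to the CA certificate, and that the key is owner-only and at least MIN_BITS long. The function names, the return codes, the throwaway demo PKI and the 2048-bit default are assumptions of this example; the 1024-bit keys generated above would fail that default.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a certificate/key pair
# such as /etc/nginx/ssl/https.crt and https.key before nginx loads it.

# key_bits KEY: print the RSA modulus length in bits
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_tls_pair CRT KEY CACERT [MIN_BITS]   (MIN_BITS default 2048: assumption)
# returns 0 ok, 1 key/cert mismatch, 2 not signed by CACERT,
#         3 key readable by group/other, 4 key shorter than MIN_BITS
check_tls_pair() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ] || { echo "cert/key mismatch" >&2; return 1; }
    out=$(openssl verify -CAfile "$3" "$1" 2>&1) && [ "$out" = "$1: OK" ] ||
        { echo "cert does not chain to $3" >&2; return 2; }
    case $(stat -c %a "$2") in
        600|400) ;;
        *) echo "key mode too open" >&2; return 3 ;;
    esac
    [ "$(key_bits "$2")" -ge "${4:-2048}" ] 2>/dev/null ||
        { echo "RSA key shorter than ${4:-2048} bits" >&2; return 4; }
}

# make_demo_pki DIR: constructed throwaway CA and a www.pma.com certificate,
# following the steps above but with 2048-bit keys
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    (umask 077; openssl genrsa -out "$1/https.key" 2048 2>/dev/null)
    openssl req -new -key "$1/https.key" -subj "/CN=www.pma.com" \
        -out "$1/https.csr" 2>/dev/null
    openssl x509 -req -in "$1/https.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -days 1 \
        -out "$1/https.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_pki "$d" &&
        check_tls_pair "$d/https.crt" "$d/https.key" "$d/cacert.pem" &&
        echo "pair OK"
    rm -rf "$d"
elif [ "$#" -ge 3 ]; then
    check_tls_pair "$@"
fi
```

Run it with `--demo` to exercise the checks on generated material, or pass the certificate, key and CA certificate paths to check a real deployment.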


Verify the login

