# BNMP configuration

**Upgrade the system and apply patches**

```sh
# freebsd-update fetch
# freebsd-update install
```

**If the upgrade fails**

```sh
# freebsd-update rollback
```

**Reboot the server after upgrading**

```sh
# shutdown -r now
```

**Fetch patches automatically every night**

Edit the system crontab:

```sh
# ee /etc/crontab
```

and add:

```
@daily    root    freebsd-update cron
```

`freebsd-update cron` only downloads available updates (and mails root when some are waiting); installing them with `freebsd-update install` is still a manual step.

**Update the ports tree before installing software on a new system**

Fetch a ports tree snapshot:

```sh
# portsnap fetch
```

The first time portsnap is used, extract the snapshot:

```sh
# portsnap extract
```

Afterwards, update an existing ports tree with:

```sh
# portsnap update
```

portsnap has been deprecated on recent FreeBSD releases; where it is no longer available, the ports tree is checked out with `git clone https://git.FreeBSD.org/ports.git /usr/ports` and updated with `git pull` instead.

**Installing a port**

Find the port's directory:

```sh
# whereis nginx
nginx: /usr/ports/www/nginx
```

Install nginx:

```sh
# cd /usr/ports/www/nginx
# make install clean
```

Install MySQL:

```sh
# cd /usr/ports/databases/mysql57-server
# make install clean
```

Install PHP:

```sh
# cd /usr/ports/lang/php56-extensions
# make install clean
```

PHP 5.6 and MySQL 5.7 are both end-of-life upstream and no longer receive security fixes; on a new installation pick the currently supported `lang/phpNN-extensions` and `databases/mysqlNN-server` ports instead (same procedure, different directory).

Enable the services at boot:

```sh
# ee /etc/rc.conf
```

```sh
php_fpm_enable="YES"
nginx_enable="YES"
mysql_enable="YES"
```

Once enabled in rc.conf the services can also be managed with `service nginx start|stop|reload` and `service php-fpm start|stop`.

Start nginx:

```sh
# nginx
```

Stop nginx:

```sh
# nginx -s stop
```

Reload after a deployment, configuration change or module replacement (re-reads the configuration without dropping existing connections):

```sh
# nginx -s reload
```

**Upgrading installed ports**

Install portmaster:

```sh
# cd /usr/ports/ports-mgmt/portmaster
# make install clean
```

List installed ports, marking those with an update available:

```sh
# portmaster -L
```

Update all installed ports:

```sh
# portmaster -a
```

Uninstall a port (run inside the port's directory):

```sh
# make deinstall
```

**Nginx configuration**

```sh
# ee /usr/local/etc/nginx/nginx.conf
```

```nginx
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

worker_processes  8;    # number of worker processes, normally one per CPU core ("auto" lets nginx detect it)

events {
    worker_connections  1024;   # maximum simultaneous connections per worker process, not per core
    use kqueue;                 # event method for BSD kernels; use epoll on Linux
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen      80;
        server_name  localhost;

        location / {
            root /usr/local/www;
            index index.html index.htm index.php;
            # front controller: any path that is not an existing file or directory goes to index.php
            if (!-e $request_filename) {
                rewrite "^/(.*)$" /index.php last;
            }
            rewrite ^/$ /index.php last;
        }

        error_page  404     /404.html;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        location ~ \.php($|/) {
            root    /usr/local/www;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            # Refuse anything whose script part is not a real file before it reaches PHP-FPM.
            # Without this, a request such as /uploads/pic.jpg/x.php is handed to PHP, which with
            # the default cgi.fix_pathinfo=1 walks back to /uploads/pic.jpg and executes it.
            # try_files resets $fastcgi_path_info, so save it first.
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            fastcgi_param   PATH_INFO $path_info;
            fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param   PATH_TRANSLATED   $document_root$path_info;
            include    fastcgi_params;
        }
    }
}
```

The `mail` and `stream` modules are loaded at the top but nothing in this file uses them; remove the `load_module` lines for modules you do not configure, and check the result with `nginx -t` before reloading.

**Installing MySQL on FreeBSD**

Configuration file:

```sh
# ee /usr/local/etc/mysql/my.cnf
```

```ini
[mysqld]
socket          = /tmp/mysql.sock
# Don't listen on a TCP/IP port at all; local clients use the Unix socket.
skip-networking
skip-name-resolve
# Expire binary logs after one day:
expire_logs_days = 1
```

Start the service:

```sh
# service mysql-server start
```

Secure the installation (prompts to remove anonymous users and the test database and to disallow remote root login):

```sh
# mysql_secure_installation
```

Change the root password, either from the `mysql` prompt:

```sql
ALTER USER 'root'@'localhost' IDENTIFIED BY 'psw' PASSWORD EXPIRE NEVER;
```

or with mysqladmin:

```sh
# mysqladmin -u root -p password 'psw'
```

Replace `psw` with a real password. The mysqladmin form puts the new password on the command line, where other local users can read it from `ps` and it is kept in the shell history; prefer the `ALTER USER` form.

**Moving the database directory**

Stop the server before moving the data directory, then move it and point the old location at the new one:

```sh
# service mysql-server stop
# cd /var/db
# mv mysql /usr/local/
# ln -s /usr/local/mysql mysql
# cd /usr/local
# chown -R mysql:mysql mysql
# service mysql-server start
```

**Installing an SSL/TLS certificate**

```sh
# cd /usr/ports/security/py-certbot
# make install clean
# certbot certonly --webroot -w /usr/local/www/ -d xxx.com -d www.xxx.com
```

The webroot method writes the ACME challenge file under `/usr/local/www/.well-known/acme-challenge/`, so nginx must already be serving that directory over plain HTTP for both `xxx.com` and `www.xxx.com` when certbot runs.

**nginx HTTPS configuration**

```nginx
server {
    listen 80;
    listen 443 ssl http2;
    server_name  xxx.com;
    server_name  www.xxx.com;

    # redirect plain HTTP to HTTPS
    if ($scheme = http) {
        return   301 https://$host$request_uri;
    }

    ssl_certificate          /usr/local/etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key      /usr/local/etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate  /usr/local/etc/letsencrypt/live/xxx.com/chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    # only governs TLS 1.2 and earlier; TLS 1.3 cipher suites are not selected by ssl_ciphers
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # OCSP stapling; the resolver is needed to reach the CA's OCSP responder
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_buffer_size 8k;

    # ...
}
```

Two things to keep in mind with this block: `add_header` directives set at `server` level are not inherited by any `location` that has an `add_header` of its own, so the security headers must be repeated there; and `if ($scheme = http)` works here but the usual alternative is a separate `listen 80` server that only issues the redirect.
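The following shell script is an added example (not from this page or from nginx) that audits a server block for the TLS settings discussed above: deprecated protocol versions, the HSTS header, session tickets and OCSP stapling. Both configurations it inspects are constructed inside the script, the 180-day HSTS threshold is this script's own choice, and the checks are line-based, so they only cover directives written one per line.

```shell
#!/bin/sh
# Added example, not code from the original page: audit an nginx config for the
# TLS settings discussed above.  WEAK_CONF and HARD_CONF are constructed here.

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets on;
}
EOF

cat > "$HARD_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    ssl_stapling on;
    ssl_stapling_verify on;
}
EOF

# 0 if ssl_protocols still lists TLSv1 or TLSv1.1 (both deprecated by RFC 8996).
has_legacy_tls() {
    grep -Eq '^[[:space:]]*ssl_protocols[^;]*[[:space:]]TLSv1(\.1)?([[:space:]]|;)' "$1"
}

# Prints the HSTS max-age in seconds, or 0 when no Strict-Transport-Security
# header is set.  (add_header in a server block is replaced, not merged, by an
# add_header inside a location block, so real audits must look at those too.)
hsts_max_age() {
    age=$(sed -nE 's/^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security.*max-age=([0-9]+).*/\1/p' "$1" | head -n 1)
    echo "${age:-0}"
}

# 0 if session tickets are left on (the default).  nginx encrypts tickets with a
# key generated at startup and kept until the next restart or reload, so a
# later key compromise exposes every session resumed with it.
session_tickets_enabled() {
    ! grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;' "$1"
}

# 0 if OCSP stapling is on and the staple is verified against the chain.
stapling_verified() {
    grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$1" &&
    grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on' "$1"
}

# Prints one finding per line; prints nothing for a clean config.
audit_tls() {
    has_legacy_tls "$1" && echo "ssl_protocols: TLSv1/TLSv1.1 still enabled"
    [ "$(hsts_max_age "$1")" -ge 15552000 ] || echo "HSTS missing or max-age under 180 days"
    session_tickets_enabled "$1" && echo "ssl_session_tickets not set to off"
    stapling_verified "$1" || echo "OCSP stapling not enabled or not verified"
    return 0
}

# Number of findings, for scripting around the audit.
finding_count() { audit_tls "$1" | wc -l | tr -d ' '; }

echo "weak config:";     audit_tls "$WEAK_CONF"
echo "hardened config:"; audit_tls "$HARD_CONF"
```

Point the functions at `/usr/local/etc/nginx/nginx.conf` (or whichever file holds the `server` block) to run the same checks against a real configuration; `nginx -t` still has to confirm the file parses, since this script only inspects text.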

**Renewing the certificate**

```sh
# certbot renew
```

`certbot renew` only replaces the files under `/usr/local/etc/letsencrypt/live/`; nginx keeps the old certificate in memory until it is reloaded, so run it as `certbot renew --deploy-hook "service nginx reload"` and schedule it (for example from `/etc/crontab`) so certificates are renewed before they expire.
