BNMP配置
在 FreeBSD 系统上安装 PHP、Nginx、MySQL 和 SSL
升级系统和打补丁
# freebsd-update fetch
# freebsd-update install
如果升级失败
# freebsd-update rollback
升级后重启服务器
# shutdown -r now
夜间自动获取补丁
# ee /etc/crontab
# Nightly: freebsd-update's cron mode only fetches pending patches; installing them
# is still the separate "freebsd-update install" step
@daily root freebsd-update cron
新系统安装软件前先升级ports树
获取port树更新
# portsnap fetch
第一次使用 portsnap 时需要先执行 extract
# portsnap extract
更新port树
# portsnap update
安装port
寻找port目录
# whereis nginx
nginx: /usr/ports/www
安装nginx
# cd /usr/ports/www/nginx
# make install clean
安装mysql
# cd /usr/ports/databases/mysql57-server
# make install clean
安装php
# cd /usr/ports/lang/php56-extensions
# make install clean
添加自启动
# ee /etc/rc.conf
# rc.d knobs: start php-fpm, nginx and mysql-server at boot
php_fpm_enable="YES"
nginx_enable="YES"
mysql_enable="YES"
启动nginx
# nginx
关闭nginx
# nginx -s stop
热重载（部署或模块替换后重新加载配置）
# nginx -s reload
升级已安装port
安装portmaster
# cd /usr/ports/ports-mgmt/portmaster
# make install clean
获取需要更新的所有port
# portmaster -L
自动更新所有port
# portmaster -a
卸载port
# make deinstall
Nginx 配置
# ee /usr/local/etc/nginx/nginx.conf
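load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

# nginx comments start with '#'. The original '//' trailers are not comments:
# nginx parses them as directives and refuses to load the file.
worker_processes 8;   # number of worker processes; the author sizes it to the CPU core count

events {
    worker_connections 1024;   # max simultaneous connections per worker
    use kqueue;                # BSD kernels; on Linux this would be 'use epoll'
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;

        location / {
            root /usr/local/www;
            index index.html index.htm index.php;
            # Front-controller routing: any path that does not exist on disk is handed to index.php
            if (!-e $request_filename) {
                rewrite "^/(.*)$" /index.php last;
            }
            # The original '^/$/index.php' lacked the space between pattern and replacement,
            # so the rule could never match; '/' now goes to index.php as intended.
            rewrite ^/$ /index.php last;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        location ~ \.php($|/) {
            root /usr/local/www;
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            # Capture PATH_INFO before try_files: try_files replaces $uri with the file it
            # found, after which $fastcgi_path_info evaluates to empty.
            set $path_info $fastcgi_path_info;
            # Only pass scripts that really exist under root to PHP-FPM. Without this check a
            # request whose path merely contains a '.php' component reaches PHP with a
            # non-existent SCRIPT_FILENAME, and PHP with cgi.fix_pathinfo=1 then falls back
            # to executing the preceding path component (e.g. an uploaded file) as PHP.
            try_files $fastcgi_script_name =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_TRANSLATED $document_root$path_info;
            include fastcgi_params;
        }
    }
}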
FreeBSD 安装 MySQL
配置文件
# ee /usr/local/etc/mysql/my.cnf
[mysqld]
# Unix-domain socket the server listens on; with skip-networking below, local
# socket connections are the only way to reach the server.
socket = /tmp/mysql.sock
# Don't listen on a TCP/IP port at all.
skip-networking
# Don't resolve client host names; account host parts must then be IP addresses
# or 'localhost'.
skip-name-resolve
#Expire binary logs after one day:
expire_logs_days = 1
启动服务
# service mysql-server start
安全配置
# mysql_secure_installation
更换 root 密码（将示例中的 psw 替换为自己的强密码）
# mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'psw', 'root'@'localhost' PASSWORD EXPIRE NEVER;
# mysqladmin -u root -p password 'psw'
更换数据库位置
# cd /var/db
# mv mysql /usr/local/
# ln -s /usr/local/mysql mysql
# cd /usr/local
# chown -R mysql:mysql mysql
安装 SSL 证书（certbot）
# cd /usr/ports/security/py-certbot
# make install clean
# certbot certonly --webroot -w /usr/local/www/ -d xxx.com -d www.xxx.com
nginx https配置
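server {
    listen 80;
    listen 443 ssl http2;
    server_name xxx.com;
    server_name www.xxx.com;

    # Plain-HTTP requests to this server block are redirected to HTTPS
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    ssl_certificate /usr/local/etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/xxx.com/privkey.pem;
    # Chain used to verify the stapled OCSP response (ssl_stapling_verify below)
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/xxx.com/chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the original
    # list; add TLSv1.3 once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;   # a single curve is offered; X25519 is not available with this setting

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;    # resumption uses the server-side cache only; no ticket key to rotate

    # NOTE: add_header values are not inherited by a location that defines its own
    # add_header; repeat them there if such a location is added.
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # Resolver is used by OCSP stapling to look up the responder host
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_buffer_size 8k;

    # … remaining server directives (location blocks etc.) go here …
}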
更新证书（续期后执行 nginx -s reload 让 nginx 加载新证书）
# certbot renew