BNMP配置

在freeBSD系统上安装php, Nginx, mySQL 和 SSL

升级系统和打补丁

# freebsd-update fetch

# freebsd-update install

如果升级失败

# freebsd-update rollback

升级后重启服务器

# shutdown -r now

夜间自动获取补丁

# ee /etc/crontab

@daily root freebsd-update cron

新系统安装软件前先升级ports树

获取port树更新

# portsnap fetch

第一次使用portsnap请extract

# portsnap extract

更新port树

# portsnap update

安装port

寻找port目录

# whereis nginx

nginx: /usr/ports/www

安装nginx

# cd /usr/ports/www/nginx

# make install clean

安装mysql

# cd /usr/ports/databases/mysql57-server

# make install clean

安装php

# cd /usr/ports/lang/php56-extensions

# make install clean

添加自启动

# ee /etc/rc.conf

php_fpm_enable="YES"

nginx_enable="YES"

mysql_enable="YES"

启动nginx

# nginx

关闭nginx

# nginx -s stop

热升级,部署,模块替换重载

# nginx -s reload

升级已安装port

安装portmaster

# cd /usr/ports/ports-mgmt/portmaster

# make install clean

获取需要更新的所有port

# portmaster -L

自动更新所有port

# portmaster -a

卸载port

# make deinstall

Nginx 配置

# ee /usr/local/etc/nginx/nginx.conf

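# /usr/local/etc/nginx/nginx.conf
# Dynamic modules. Nothing in this file declares a mail {} or stream {} block,
# so both loads are optional here; drop them unless such a block is added.
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

# nginx comments start with '#'. The original used '//', which nginx reads as
# an (unknown) directive and refuses to start.
worker_processes 8;            # worker processes, normally one per CPU core

events {
    worker_connections 1024;   # max simultaneous connections per worker
    use kqueue;                # BSD kernel event method (on Linux: use epoll)
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;

    # Do not advertise the nginx version in Server: headers and error pages.
    server_tokens off;

    server {
        listen 80;
        server_name localhost;

        location / {
            root /usr/local/www;
            index index.html index.htm index.php;

            # Front-controller routing: serve an existing file or directory,
            # otherwise hand the request to /index.php, keeping the query
            # string. Replaces 'if (!-e $request_filename) { rewrite ... }'
            # plus the mistyped 'rewrite ^/$/index.php last;' (missing space
            # between the pattern and the replacement), which nginx documents
            # as the error-prone form inside location blocks.
            try_files $uri $uri/ /index.php$is_args$args;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;

        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        location ~ \.php($|/) {
            root /usr/local/www;

            # Non-greedy script part and a PATH_INFO part that must begin with
            # '/', so /a.php/b.php splits as script=/a.php, path_info=/b.php.
            # The greedy '^(.+\.php)(.*)$' swallowed everything up to the last
            # '.php'.
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Only forward requests whose script file actually exists. Without
            # this check a request for an uploaded non-PHP file with a
            # '/x.php' suffix can reach PHP-FPM, and with cgi.fix_pathinfo=1
            # (PHP's default) the uploaded file is executed as PHP.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            include fastcgi_params;
        }
    }
}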

FreeBSD 安装mySql

配置文件

# ee /usr/local/etc/mysql/my.cnf

# /usr/local/etc/mysql/my.cnf
[mysqld]
# Local clients connect through this Unix socket.
socket = /tmp/mysql.sock

# No TCP/IP listener at all: the server is reachable only via the socket above.
skip-networking

# Skip reverse DNS lookups of client addresses when matching grant tables.
skip-name-resolve

# Purge binary logs older than one day.
expire_logs_days = 1

启动服务

# service mysql-server start

安全配置

# mysql_secure_installation

更换root密码

mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'psw', 'root'@'localhost' PASSWORD EXPIRE NEVER;

# mysqladmin -u root -p password 'psw'

更换数据库位置

# cd /var/db

# mv mysql /usr/local/

# ln -s /usr/local/mysql mysql

# cd /usr/local

# chown -R mysql:mysql mysql

安装ssl

# cd /usr/ports/security/py-certbot

# make install clean

# certbot certonly --webroot -w /usr/local/www/ -d xxx.com -d www.xxx.com

nginx https配置

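# HTTPS virtual host; goes inside the http {} block of nginx.conf.
server {
    listen 80;
    listen 443 ssl http2;

    # Every hostname on one server_name line (separate directives also
    # accumulate, but a single line is the conventional form).
    server_name xxx.com www.xxx.com;

    # Plain-HTTP requests are redirected to HTTPS. A bare 'return' inside a
    # server-level 'if' is one of the uses nginx documents as safe.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    ssl_certificate /usr/local/etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/xxx.com/chain.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; remove
    # that token if the installed build rejects it at config test.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # 'always' also sends these headers on error responses (nginx >= 1.7.5).
    # Any add_header placed inside a location replaces all headers inherited
    # from here, so repeat them in such a location.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    # Resolver used for OCSP stapling lookups. These queries go out in clear
    # text; a local resolver is preferable to a public one where available.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_buffer_size 8k;

    # ... location blocks (/, = /50x.html, ~ \.php) as in nginx.conf ...
}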

更新证书

# certbot renew