CentOS 7中基于rpm包方式安装部署apm(php
CentOS 7, 基于rpm包方式安装部署apm(php-fpm) + xcache;a) httpd, php, mariadb分别部署在一个单独的主机上;
b) 一个虚拟主机提供phpMyAdmin,另一个虚拟主机提供wordpress;
c) 为phpMyAdmim提供https服务;
环境配置:
三台主机独立都需要关闭防火墙和设置SELinux:
http://i2.运维网.com/images/blog/201805/10/53ddd40c53b5d126bbb8781c3613a9c6.png
使用httpd+FastCGI的方式实现整合:
1.php-5.3.3+版本中才能默认实现;
2.httpd支持proxy_fcgi_module,默认httpd-2.2中不支持此模块,httpd-2.4支持
第一个主机---配置httpd:
# yum-y install httpd
配置虚拟主机:
# vim /etc/httpd/conf.d/www.conf
http://i2.运维网.com/images/blog/201805/11/e2c32921e50a47d6ff32ecb71d87967f.png
重新启动httpd服务:
# systemctl start httpd.service
第二个主机---提供php服务:
安装php-fpm:
# rpm -q php //php-fpm和php不能同时存在,要安装php-fpm需要首先卸载php
未安装软件包 php
安装php-fpm等应用程序:
# yum -y install php-fpm php-mysql php-gd php-mbstring
构建在httpd配置文件中对应的映射路径:
# mkdir -pv /var/www/html/vhost1
mkdir: 已创建目录 "/var/www/html/vhost1"
# cd /var/www/html/vhost1
# vim index.php
提供php服务的主机。
修改php-fpm服务进程的配置文件:
# vim /etc/php-fpm.d/www.conf
http://i2.运维网.com/images/blog/201805/10/e7f2fc8007fe180bbcfa3be8b3c7259b.png
listen = 172.16.72.2:9000 //php-fpm服务器监听本机套接字
listen.allowed_clients = 172.16.72.1 //监听的httpd服务器IP地址用于接受请求
# systemctl start php-fpm.service
查看启动php-fpm状态,发现监听的IP地址和9000端口号是我们设定的端口号:
http://i2.运维网.com/images/blog/201805/10/5bd178f8d2cd765747ee690b597640d0.png
测试PHP连接顺畅:
http://i2.运维网.com/images/blog/201805/10/66ca5687bb58edd692914502cc17f909.png
搭建WordPress:
# ls
index.phpwordpress-4.2-zh_CN.tar.gz
# tar xf wordpress-4.2-zh_CN.tar.gz
# ls
index.phpwordpresswordpress-4.2-zh_CN.tar.gz
# cd wordpress/
# vim wp-config-sample.php //修改WordPress配置文件,需要手动创建数据库和用户名等配置;其中的IP地址是第三个主机IP
http://i2.运维网.com/images/blog/201805/10/1653917226db0bada70b2c9ede1cb845.png
下图代表WordPress论坛界面已经可以显示,只需要搭建好数据库就可以了:
http://i2.运维网.com/images/blog/201805/10/8f68b6ed1154f4f97664969695dccfc6.png
搭建phpMyAdmin 应用程序:
第三个主机---提供mariadb(数据库)服务:
1)配置WordPress论坛:
# yum install -y mariadb-server
开启数据库服务:
# systemctl start mariadb.service
对WordPress论坛访问用户授权:
http://i2.运维网.com/images/blog/201805/10/3ee61c39511c9ec9681034ade4fd0f60.png
http://i2.运维网.com/images/blog/201805/10/28bb4e1e0275528d9ace869857cf68f8.png
根据下面的提示,在第二个主机配置文件:
http://i2.运维网.com/images/blog/201805/10/b7751661ed3d18b4bd660554535ebb0a.png
# vim wp-config.php //在其中加入提示内容
结果如下:
http://i2.运维网.com/images/blog/201805/10/ecaac7026d632a20c0856bab026cb782.png
创建用户后安装:
http://i2.运维网.com/images/blog/201805/10/cadf3f9ee8915266428e2aa841afb7c6.png
最终结果:
http://i2.运维网.com/images/blog/201805/10/94666f4dcbd9075655c680f8a6bb80ca.png
# scp -r wordpress root@172.16.72.1:/var/www/html/vhost1/ //将首页文件发送至第一个httpd主机下
http://i2.运维网.com/images/blog/201805/11/220110c94dc1715b7859198c318a1164.png
2)配置phpMyAdmin 论坛:
在第三台主机中对用户进行访问数据库授权:
http://i2.运维网.com/images/blog/201805/11/000153d54fb6ebd920d78536058a6c65.png
在第二台主机/var/www/html/vhost2下安装phpMyAdmin:
# ls
index.phpphpMyAdmin-3.5.4-all-languages.tar.gz
# tar xf phpMyAdmin-3.5.4-all-languages.tar.gz
# ls
index.phpphpMyAdmin-3.5.4-all-languagesphpMyAdmin-3.5.4-all-languages.tar.gz
# mv phpMyAdmin-3.5.4-all-languages pma
# ls
index.phpphpMyAdmin-3.5.4-all-languages.tar.gzpma
# cd pma/
# ls
# mv config.sample.inc.phpconfig.inc.php
# openssl rand -base64 10
RKUJMUuBLrHlKg==
# vim config.inc.php //将上面的生成的随机数修改到配置文件中,然后修改随机数来保障数据库访问安全,修改数据库所在主机IP,如下图
$cfg['blowfish_secret'] = 'RKUJMUuBLrHlKg==';
$cfg['Servers'][$i]['host'] = '172.16.74.1';
http://i2.运维网.com/images/blog/201805/11/74b4671a862499b0c7acfcd6f050c90f.png
# scp -r pma root@172.16.72.1:/var/www/html/vhost2/ //将phpMyAdmin的首页文件发送到httpd主机,以保障良好的页面展示,反向代理跳转的话,界面较丑
测试结果如下:
http://i2.运维网.com/images/blog/201805/11/7a5ada3446db7aa6b1f7d8317763f805.png
http://i2.运维网.com/images/blog/201805/11/2a95bbbcb30e135151f891fd73a38204.png
为phpMyAdmin提供https服务:
在第一台主机中为phpMyAdmin提供https服务:
# yum install -y mod_ssl
创建私有CA:
# cd /etc/pki/CA
# ls
certscrlnewcertsprivate
# (umask 077;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.++
.++
e is 65537 (0x10001)
生成自签证书:
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) :CN
State or Province Name (full name) []:cl
Locality Name (eg, city) :cl
Organization Name (eg, company) :cl
Organizational Unit Name (eg, section) []:cl
Common Name (eg, your name or your server's hostname) []:cl
Email Address []:
# ls
cacert.pemcertscrlnewcertsprivate
创建文本文件和目录文件:
# touch index.txt
# echo 01 > serial
# ls
cacert.pemcertscrlindex.txtnewcertsprivateserial
为httpd服务器生成密钥并生成证书请求:
# cd ~
# mkdir -pv /etc/httpd/ssl
mkdir: 已创建目录 "/etc/httpd/ssl"
# cd /etc/httpd/ssl
# (umask 077;openssl genrsa -out httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
........................................++
..........................................................................................................++
e is 65537 (0x10001)
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) :CN
State or Province Name (full name) []:cl
Locality Name (eg, city) :cl
Organization Name (eg, company) :cl
Organizational Unit Name (eg, section) []:cl
Common Name (eg, your name or your server's hostname) []:cl
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:cl
将证书请求发送到CA:
# ls
httpd.csrhttpd.key
# cp httpd.csr /tmp
在CA上为此次请求签发证书:
# openssl ca -in /tmp/httpd.csr-out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 10 14:52:39 2018 GMT
Not After : May 10 14:52:39 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = cl
organizationName = cl
organizationalUnitName = cl
commonName = cl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
75:3A:3D:56:AE:73:1B:8E:19:D5:B8:2B:84:A8:6F:2C:0B:F1:4B:CB
X509v3 Authority Key Identifier:
keyid:79:4B:25:B7:82:DC:20:46:D9:C7:CA:5A:FD:DE:45:32:D6:4C:59:C5
Certificate is to be certified until May 10 14:52:39 2019 GMT (365 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
在CA上将CA签发的证书传送到httpd服务器:
# cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
在httpd服务器上,删除证书请求文件:
# ls
httpd.crt httpd.csr httpd.key
# rm -f httpd.csr
在vhost2虚拟主机站点服务器上配置ssl支持:
配置https的虚拟主机(保证mod_ssl模块被正确装载;如果没有,则需要单独安装):
# cd /etc/httpd/conf.d
# vim ssl.conf
DocumentRoot "/var/www/html/vhost2"
ServerName www.chenliangs.com:443
DirectoryIndex index.php
ProxyRequests on
ProxyPassMatch ^/(.*.php)$ fcgi://172.16.72.2:9000/var/www/html/vhost2/$1
Options None
Allowoverride None
Require all granted
重启服务:
# systemctl restart httpd.service
先测试https在静态资源页面的显示效果,如图:
# mkdir /var/www/html/vhost2 -pv
mkdir: 已创建目录 "/var/www/html/vhost2"
# ls
index.htmlvhost2
# cd vhost2/
# ls
# vim index.html
https's static page.
http://i2.运维网.com/images/blog/201805/10/be956bf3355eff60d87b767704fa8393.png
之后在第二台主机上,测试PHP数据库连接:
# mkdir /var/www/html/vhost2 -pv
mkdir: 已创建目录 "/var/www/html/vhost2"
# ls
index.htmlvhost1vhost2
# cd vhost2/
# ls
# vim index.php
测试结果如下:
http://i2.运维网.com/images/blog/201805/10/dd8b6c1fbcd3e67abf8297a9a75996de.png
结果如下:
http://i2.运维网.com/images/blog/201805/11/680286391b03417e2d9200ee242ab4c9.png
页:
[1]