|
|
172.16.59.10主机, httpd:
[iyunv@yph7 ~]# yuminstall httpd
[iyunv@yph7 ~]# apachectlstart
[iyunv@yph7 ~]# ss -tnl |grep 80
LISTEN 0 128 :::80 :::*
[iyunv@yph7~]# vim/etc/httpd/conf/httpd.conf
#DocumentRoot"/var/www/html"
#DirectoryIndex index.html
[iyunv@yph7 ~]# vim /var/www/html/a.com/index.html
172.16.59.10 a.com
创建虚拟主机:https默认把第一个虚拟主机作为https服务器,
[iyunv@yph7 ~]# cd/etc/httpd/conf.d
[iyunv@yph7 conf.d]# vimvhosts.conf
[iyunv@yph7 conf.d]# catvhosts.conf
DirectoryIndex index.php
<VirtualHost172.16.59.10:80>
ServerName www.a.com
DocumentRoot /var/www/html/a.com
ProxyRequests off
ProxyPassmatch ^/(.*\.php)$fcgi://172.16.59.20:9000/var/www/html/a.com/$1
<Directory "/var/www/html/a.com">
Options FollowSymLinks
Require all granted
AllowOverride None
</Directory>
</VirtualHost>
<VirtualHost172.16.59.10:80>
ServerName www.b.com
DocumentRoot /var/www/html/b.com
ProxyRequests off
ProxyPassmatch ^/(.*\.php)$fcgi://172.16.59.20:9000/var/www/html/b.com/$1
<Directory "/var/www/html/b.com">
Options FollowSymLinks
Require all granted
AllowOverride None
</Directory>
</VirtualHost>
[iyunv@yph7 conf.d]# mkdir/var/www/html/{a,b}.com
安装WordPress----/var/www/html/a.com/wordpress
[iyunv@y7-2 wordpress]#unzip wordpress-4.3.1-zh_CN.zip
[iyunv@y7-2 html]# cdwordpress/
[iyunv@y7-2 wordpress]# cpwp-config-sample.php wp-config.php
[iyunv@y7-2 wordpress]#vim wp-config.php
define('DB_NAME','wpdb');
define('DB_USER','wpuser');
define('DB_PASSWORD','magedu');
define('DB_HOST','172.16.59.30');
安装phpMyAdmin:
[iyunv@yph7 b.com]# scp -rroot@172.16.59.20:/var/www/html/b.com/phpMyAdmin-4.4.14.1-all-languages pma
申请CA签证:
[iyunv@yph7 a.com]# mkdir/etc/httpd/ssl
[iyunv@yph7 a.com]# cd/etc/httpd/ssl
创建私钥
[iyunv@yph7 ssl]#(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
创建申请信
[iyunv@yph7 ssl]#openssl req -new -key /etc/httpd/ssl/httpd.key -out/etc/httpd/ssl/httpd.csr -days 365
Country Name (2 lettercode) [XX]:cn
State or Province Name(full name) []:beijing
Locality Name (eg, city)[Default City]:beijing
Organization Name (eg,company) [Default Company Ltd]:ali
Organizational Unit Name(eg, section) []:ops
Common Name (eg, yourname or your server's hostname) []:www.a.com
Email Address[]:admin@a.com
发送申请信
[iyunv@yph7 ssl]# scphttpd.csr root@172.16.59.30:/tmp/ ------正常是必须亲自用U盘考走的,通过网络太危险
构建https协议:
[iyunv@yph7 b.com]# cd/etc/httpd/conf.d
[iyunv@yph7 conf.d]# vimssl.conf
[iyunv@yph7 conf.d]# cpssl.conf{,.bak}
[iyunv@yph7 conf.d]# vimssl.conf ----------修改下列几项
DocumentRoot "/var/www/html/a.com" ----服务器根目录
#ServerName www.a.com:443 --注销掉,因为在<VirtualHost_default_:443>里有定义端口,vhosts.conf定义了主机名
SSLCertificateFile /etc/httpd/ssl/httpd.crt -----自己网站的证书,即公钥
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ----自己网站的私钥
<VirtualHost_default_:443> _default_是默认虚拟主机,就是第一个虚拟主机,后面配置的几个不是默认的
这个地方的端口改为443,vhosts.conf里的端口就可以都为80 了。
[iyunv@yph7 ssl]# vim/etc/httpd/conf.d/vhosts.conf
<VirtualHost172.16.59.10:80> ----------端口为80,www.a.com主机既可以访问http协议又可以访问https协议,否则如果端口为也443,访问http协议只会访问到www.b.com上的内容,访问不到www.a.com的内容,因为www.a.com只能访问https协议,二者又是同一个IP,所以会跳到www.b.com上去。
ServerName www.a.com
DocumentRoot /var/www/html/a.com
[iyunv@yph7 ssl]# httpd –t -------检查语法。若果服务重启失败,找不到原因,不要忘记这个
Syntax OK
[iyunv@yph7 ssl]#systemctl restart httpd.service
[iyunv@yph7 ssl]# ss -tnl| grep 443
LISTEN 0 128 :::443 :::*
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
172.16.59.20 php-fpm:
安装php-fpm并测试:
[iyunv@y7-2 ~]# yuminstall php-fpm
[iyunv@y7-2 wordpress]#yum install php-mysql -----------这个包必须安装,否则phpMyAdmin无法运行
[iyunv@y7-2 ~]# vim/etc/php-fpm.d/www.conf
listen =172.16.59.20:9000 ----只监听本机的哪些IP的端口,如果多IP可以使用0.0.0.0,允许本机所有IP
#listen.allowed_clients =172.16.59.10 -----------,必须注释掉这行,否则表示只允许与这个IP进行交互;或者把第二个的ip也加在后面。与MySQL服务器无法连接就是这个原因
[iyunv@y7-2 ~]# systemctlstart php-fpm.service
[iyunv@y7-2 ~]# ss -tnl
LISTEN 0 128 *:9000 *:* --------9000端口被监听,正常启动
下面是为了测试三台主机的链接情况:
[iyunv@y7-2 ~]# vim/var/www/html/a.com/index.php
172.16.59.20 a.com
<?php
phpinfo();
?>
[iyunv@y7-2 ~]# vim/var/www/html/b.com/index.php
172.16.59.20 b.com
<?php
$conn =mysql_connect('172.16.59.30','wpuser','magedu');
if($conn)
echo "OK";
else
echo "Failure";
?>
浏览器输入www.a.com和[url]www.b.com[/url] 看到” 172.16.59.20OK”说明三个主机连接成功。因为index.php是放在172.16.59.20主机上的,OK是表示与172.16.59.30数据库主机连接成功
安装WordPress :/var/www/html/a.com/wordpress 过程同上
安装phpMyAdmin:/var/www/html/b.com
[iyunv@y7-2 ~]# yuminstall -y php-mbstring
[iyunv@y7-2 pma]# yuminstall -y php-mysql
[iyunv@y7-2 pma]# yuminstall -y mariadb-server --------上面这三个都是必须装的,血的代价换来的
[iyunv@y7-2 b.com]# unzip phpMyAdmin-4.4.14.1-all-languages.zip
[iyunv@y7-2 pma]#ln -svphpMyAdmin-4.4.14.1-all-languages pma
[iyunv@y7-2 pma]#opensslrand -base64 20
[iyunv@y7-2 pma]#cd pma
[iyunv@y7-2 pma]#cp config.sample.inc.php config.inc.php
[iyunv@y7-2 pma]#vimconfig.inc.php
$cfg['blowfish_secret'] ='fG9NH5b7OmmGRohmjBO0Jpnk4kg'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['Servers'][$i]['host']= '172.16.59.30'; ---------设定远程连接主机,若写入密码就会自动登录,一般不要写密码
因为没装mariadb-server,无法初始化,没那个文件,装完重启服务就可以了
[iyunv@y7-2 pma]# yum install-y mariadb-server
[iyunv@y7-2 pma]#systemctl start mariadb.service
[iyunv@y7-2 pma]#systemctl restart php-fpm.service
[iyunv@y7-2 pma]#mysql_secure_installation ----------初始化,设置密码等功能,此处设置密码只是本地数据库的root密码;不论指向的是本地数据库还是远程数据库都是本地数据库的密码;与远程主机的root和普通用户密码无关,
把PHPMyAdmin复制到172.16.59.10/var/www/html/b.com一份后就可以用浏览器输入www.b.com/pma访问了,
输入用户名“wpuser”,密码“magedu”就可以登录了
安装php-xcache
换台主机压力测试
[iyunv@yph7 pma]# ab -n1000 -c 10 http://172.16.59.10/wordpress/index.php
Requests per second: 8.70 [#/sec] (mean)
[iyunv@y7-2 pma]# yuminstall -y php-devel
[iyunv@y7-2 ~]# yumgroupinstall -y "ServerPlatform Development ""Development Tools"
[iyunv@y7-2 ~]# tar xfxcache-3.2.0.tar.bz2
[iyunv@y7-2 ~]# cdxcache-3.2.0/
[iyunv@y7-2 xcache-3.2.0]#phpize
[iyunv@y7-2 xcache-3.2.0]#./configure --enable-xcache --with-php-config=/usr/bin/php-config
[iyunv@y7-2 xcache-3.2.0]#make && make install
[iyunv@y7-2 xcache-3.2.0]#vim /etc/php.d/xcache.ini
xcache.admin.enable_auth = On
xcache.size = 60M
在59.10和59.20主机的/var/www/html/a.com/index.php都写入phpinfo();函数
[iyunv@y7-2 a.com]#systemctl restart php-fpm.service ------httpd主机的httpd服务或许需要重启
xcache.admin.enable_auth On On
xcache.cacher On On
xcache.size 60M
再换台主机压测:效果果然提升了三倍左右
[iyunv@yph7 a.com]# ab -n 1000 -c 10http://172.16.59.10/wordpress/index.php
Requests per second: 27.40 [#/sec] (mean)
这次实验用不着这一步:
这一步在某种情况下要用,不改权限无权访问网页
创建session目录,并确保运行php-fpm进程的用户对此目录有读写权限;
[iyunv@yph7 pma]# mkdir /var/lib/php/session
[iyunv@yph7 pma]# chown -R apache.apache /var/lib/php/session
apache用户是php-fpm子进程的身份
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
172.16.59.30 MySQL:
安装mariadb-server:
[iyunv@y7-3 ~]# yuminstall -y mariadb-server
[iyunv@y7-3 ~]# systemctlstart mariadb.service
[iyunv@y7-3 ~]# mysql
MariaDB [(none)]>grant all on wpdb.* to wpuser@'172.16.%.%' identified by 'magedu';
允许wpuser用户可以通过172.16网段的IP连接MySQL数据库,用来作为WordPress数据库
MariaDB [(none)]>flush privileges;
[iyunv@y7-3 ~]# ss -tnl
LISTEN 0 50 *:3306 *:*
[iyunv@y7-3 ~]# vim/etc/my.cnf
[mysqld]
skip_name_resolve = ON
建立CA私有机构:
[iyunv@y7-3 ~]# cd/etc/pki/CA
创建私钥
[iyunv@y7-3 CA]# (umask077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
给自己发证书
[iyunv@y7-3 CA]# opensslreq -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem-days 3655
Country Name (2 lettercode) [XX]:cn
State or Province Name(full name) []:beijing
Locality Name (eg, city)[Default City]:beijing
Organization Name (eg,company) [Default Company Ltd]:ali
Organizational Unit Name(eg, section) []:ops
Common Name (eg, yourname or your server's hostname) []:ca.ali.com
Email Address[]:admin@ali.com
创建必备目录及文件
[iyunv@y7-3 CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[iyunv@y7-3 CA]#touch /etc/pki/CA/{serial,index.txt}
[iyunv@y7-3 CA]# echo 01 > /etc/pki/CA/serial
等申请方把申请书发过来,做证书
[iyunv@y7-3 CA]# opensslca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
把证书发给申请者
[iyunv@y7-3 CA]# scpcerts/httpd.crt 172.16.59.10:/etc/httpd/ssl/
查看证书
[iyunv@y7-3 CA]#openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=beijing/O=ali/OU=ops/CN=www.a.com/emailAddress=admin@a.com
测试时,记得改hosts文件:
[iyunv@y7-3 CA]# openssls_client -connect www.a.com:443 -CAfile cacert.pem
GET /index.html HTTP/1.1
Host: www.a.com
将/etc/pki/CA/cacert.pem复制到windows桌面。并该格式为crt,双加就可以安装证书,在浏览器输入https://www.a.com验证,默认安装的是IE浏览器。
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-1-22 08:29:04
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡