Встановлення Nginx + PHP + MySQL на Debian 9
Покрокова інструкція по встановленню і запуску зв’язки LEMP (Linux + Nginx + MySQL + PHP).
1. Оновлення системи
Оновлюємо версії ПЗ до актуального стану
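# Refresh the package index, then upgrade what is installed. `&&` stops the
# upgrade when the index refresh failed (e.g. no network or a broken mirror),
# so packages are never upgraded from stale lists.
apt-get update && apt-get upgrade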
2. Налаштування захисту
2.1 iptables
Спочатку встановлюю mc. Для тих у кого в цей момент засвербіло “mc - для лохів, vim - наше всьо, nano рулить” - поцілуйте мій блискучий металевий зад (С).
# Install Midnight Commander (the author's editor of choice), then choose the
# system-wide target of the `editor` command that the steps below use.
apt-get install mc
update-alternatives --config editor
Створюємо правила файервола
# Create the rules file that iptables-restore loads (its content follows).
editor /etc/iptables.up.rules
# /etc/iptables.up.rules in iptables-save format, loaded with iptables-restore.
# No ":CHAIN POLICY [0:0]" lines are given, so the built-in chains keep their
# current policy; the default-deny for INPUT and FORWARD comes from the final
# REJECT rules at the end of this file, not from the chain policy.
# The file must end with a newline after COMMIT (see the note that follows).
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
# --log-level 7 is the syslog "debug" level; the 5/min limit caps log volume
# so a flood of rejected packets cannot fill the kernel log.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Увага!!! Після COMMIT один порожній рядок.
Завантажуємо правила
# Apply the rules now. iptables-restore replaces the filter table with the
# file's contents; the current SSH session survives because of the
# ESTABLISHED,RELATED rule in the file.
iptables-restore < /etc/iptables.up.rules
Додаємо правила в автозавантаження
# Create the ifupdown hook that reloads the rules before an interface is
# brought up (the hook's content follows).
editor /etc/network/if-pre-up.d/iptables
#!/bin/sh
# Restore the firewall rules before the interface comes up.
# NOTE(review): if /etc/iptables.up.rules is missing or malformed this hook
# fails and ifup reports an error for the interface — check the file before
# rebooting.
/sbin/iptables-restore < /etc/iptables.up.rules
# The hook must be executable; run-parts silently skips files that are not.
chmod +x /etc/network/if-pre-up.d/iptables
Джерело тут
2.2 fail2ban
# Install fail2ban and put local overrides into jail.local: jail.conf is
# replaced on package upgrades, jail.local is not.
apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
editor /etc/fail2ban/jail.local
[DEFAULT]
# Addresses that are never banned. NOTE(review): consider adding the address
# you administer from, so a few mistyped passwords cannot lock you out.
ignoreip = 127.0.0.1
# Ban duration in seconds (1 hour).
bantime = 3600
# Window in seconds within which maxretry failures trigger a ban (10 minutes).
findtime = 600
maxretry = 3
# Restart so the jail.local settings take effect.
service fail2ban restart
3. Nginx
Збираємо nginx з модулями pagespeed і brotli та останньою версією openssl:
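#!/bin/sh
# Build nginx from source with ngx_pagespeed, ngx_brotli and a statically
# linked OpenSSL, package the result with checkinstall and register a
# systemd unit. Versions (and optional archive digests) are taken from the
# environment when set, so a newer release can be built without editing.
#
# Abort on the first failing command and on unset variables. Without this a
# failed download lets the script carry on and build from a stale, partial
# or missing tree.
set -eu

die() { printf '%s\n' "$*" >&2; exit 1; }

# verify_sha256 FILE EXPECTED
# Compare a downloaded archive against a known SHA-256 digest. When EXPECTED
# is empty the check is skipped with a warning, so the script stays usable
# when no digest was supplied; the upstream projects publish the digests
# next to the archives.
verify_sha256() {
  if [ -z "$2" ]; then
    printf 'warning: no SHA-256 given for %s, skipping verification\n' "$1" >&2
    return 0
  fi
  printf '%s  %s\n' "$2" "$1" | sha256sum -c - >/dev/null \
    || die "checksum mismatch for $1"
}

apt-get install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev checkinstall git uuid-dev libgeoip-dev

OPENSSL_VER=${OPENSSL_VER:-1.1.0k}
NPS_VER=${NPS_VER:-1.12.34.3-stable}
NGINX_VER=${NGINX_VER:-1.17.1}
# Optional SHA-256 digests of the downloaded archives (see verify_sha256).
OPENSSL_SHA256=${OPENSSL_SHA256:-}
NGINX_SHA256=${NGINX_SHA256:-}

cd /opt

# OpenSSL source; linked statically into nginx via --with-openssl below.
wget -c "https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz"
verify_sha256 "openssl-$OPENSSL_VER.tar.gz" "$OPENSSL_SHA256"
tar -xzvf "openssl-$OPENSSL_VER.tar.gz"
rm "openssl-$OPENSSL_VER.tar.gz"

# ngx_pagespeed source plus the matching prebuilt PSOL library, whose URL the
# module's own helper script prints.
wget "https://github.com/apache/incubator-pagespeed-ngx/archive/v${NPS_VER}.zip"
unzip "v${NPS_VER}.zip"
rm "v${NPS_VER}.zip"
NPS_DIR=$(find . -maxdepth 1 -name "*pagespeed-ngx-${NPS_VER}" -type d)
NPS_DIR=${NPS_DIR#./}
[ -n "$NPS_DIR" ] || die "pagespeed source directory not found after unzip"
cd "$NPS_DIR"
[ -e scripts/format_binary_url.sh ] \
  || die "scripts/format_binary_url.sh missing; cannot determine the PSOL URL"
psol_url=$(scripts/format_binary_url.sh PSOL_BINARY_URL)
psol_file=$(basename "$psol_url")
wget "$psol_url"
tar -xzvf "$psol_file"
rm "$psol_file"
cd /opt

# ngx_brotli with its submodules; the clone is skipped on a rerun.
if [ ! -d /opt/ngx_brotli ]; then
  git clone https://github.com/google/ngx_brotli
fi
cd /opt/ngx_brotli && git submodule update --init
cd /opt

# nginx source, fetched over HTTPS and checked against NGINX_SHA256 when given.
wget "https://nginx.org/download/nginx-$NGINX_VER.tar.gz"
verify_sha256 "nginx-$NGINX_VER.tar.gz" "$NGINX_SHA256"
tar -xzf "nginx-$NGINX_VER.tar.gz"
rm "nginx-$NGINX_VER.tar.gz"
cd "nginx-$NGINX_VER"

# --with-ipv6 is kept for compatibility; recent nginx releases reportedly
# accept it only to print a deprecation warning.
./configure \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --user=www-data \
  --group=www-data \
  --without-http_ssi_module \
  --without-http_scgi_module \
  --without-http_uwsgi_module \
  --without-http_split_clients_module \
  --without-http_memcached_module \
  --without-http_empty_gif_module \
  --without-http_browser_module \
  --with-http_geoip_module \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-ipv6 \
  --with-http_mp4_module \
  --with-http_auth_request_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --with-openssl="/opt/openssl-$OPENSSL_VER" \
  --add-module="/opt/$NPS_DIR" \
  --add-module=/opt/ngx_brotli
make -j "$(nproc)"
# Package with checkinstall instead of `make install` so the installed files
# are tracked by dpkg and can be removed or upgraded cleanly.
checkinstall --pkgname=nginx --pkgversion="$NGINX_VER" --nodoc --install=no
dpkg -i /opt/nginx-"$NGINX_VER"/nginx_"$NGINX_VER"*.deb

# The heredoc delimiter is quoted on purpose: $MAINPID must reach the unit
# file literally. With an unquoted delimiter the shell expands it to an empty
# string and ExecReload/ExecStop would run `kill -s HUP` without a PID.
# PIDFile points at /run while configure used /var/run; on Debian /var/run
# is a symlink to /run, so both name the same file.
cat > /lib/systemd/system/nginx.service << 'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
# Parent directories for the temp paths and logs given to configure.
mkdir -p /var/cache/nginx /var/log/nginx
# Let systemd pick up the new unit file before enabling it.
systemctl daemon-reload
systemctl enable nginx.service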
4. PHP 7
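# Debian 9 ships PHP 7.0; PHP 7.2 comes from the third-party sury.org
# repository. The steps are chained with && so a failed key import or
# repository write does not lead to an install attempt against an
# unconfigured source.
# The key added with apt-key is trusted for every APT source, not just this
# one: compare its fingerprint (`apt-key finger`) with the one the repository
# publishes (<FINGERPRINT-FROM-REPOSITORY-SITE>) before installing packages.
apt-get install ca-certificates apt-transport-https \
  && wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add - \
  && printf 'deb https://packages.sury.org/php/ stretch main\n' | tee /etc/apt/sources.list.d/php.list \
  && apt-get update \
  && apt-get install php7.2-fpm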
5. Percona Server (MySQL)
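# Percona Server 5.7 from the percona-release repository, plus the PHP MySQL
# extension. The extension must match the PHP version installed above
# (php7.2-fpm), so it is php7.2-mysql: php7.0-mysql would install the module
# for Debian's stock PHP 7.0, which php7.2-fpm does not load.
# NOTE(review): harden the server after installation (e.g. with
# mysql_secure_installation) — the install itself is not covered here.
apt-get install lsb-release
codename=$(lsb_release -sc)
pkg="percona-release_latest.${codename}_all.deb"
wget "https://repo.percona.com/apt/$pkg" \
  && dpkg -i "$pkg" \
  && apt-get update \
  && apt-get install percona-server-server-5.7 php7.2-mysql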
Джерело тут