Centos7 nginx + php-fpm(7.3)インストール・設定


nginx + php-fpm + SSL化の記録です。Let’s Encryptの部分は別記事のapacheのSSL化の手順と重複しています。

別記事のphpインストールをしていない場合、php-fpmをインストールする

# yum install php73-php-fpm.x86_64

自動起動設定をする

# systemctl enable php73-php-fpm.service

php-fpmの設定をする

# vi /etc/opt/remi/php73/php-fpm.conf
; [www] pool used with nginx in this guide. The guide writes it into
; php-fpm.conf; on Remi's php73 packages the pool file is normally
; php-fpm.d/www.conf — confirm which file your install actually reads.
[www]
; Workers run as the nginx account. Whatever PHP writes is then also
; writable by the web-server process; a separate PHP user is the more
; cautious split when the application can live with it.
user = nginx
group = nginx
; Socket ownership must match the account nginx runs as ("user nginx;" in
; nginx.conf), otherwise fastcgi_pass to the socket is refused.
listen.owner = nginx
listen.group = nginx
; Unix socket, no TCP port; the same path appears in nginx's
; "upstream phpfpm" block.
listen = /run/php73-fpm.sock
listen.backlog = 65535
; Commented out, so php-fpm's documented default (0660) applies: only the
; owner/group above can connect. Keep it that way rather than widening it.
;listen.mode = 0660
; Dynamic pool: 5 workers at start, 5-35 idle spares kept, hard cap of 50.
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
;pm.process_idle_timeout = 10s;
;pm.max_requests = 500
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; Slow-request log. Inert while request_slowlog_timeout stays at its
; default of 0 (the line below is commented). The directory also differs
; from the error_log path further down — make sure /var/log/php-fpm exists
; and is writable by the pool user.
slowlog = /var/log/php-fpm/www-slow.log
;request_slowlog_timeout = 0
;request_terminate_timeout = 0
;rlimit_files = 1024
;rlimit_core = 0
;chroot = 
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
; display_errors is left to php.ini here. For a public site it should end
; up off so error details are not echoed into responses — confirm the
; php.ini value or uncomment the line.
;php_flag[display_errors] = off
; php_admin_* settings cannot be overridden by the application via
; ini_set(); errors are written to this file.
php_admin_value[error_log] = /var/opt/remi/php73/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 128M

; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/opt/remi/php73/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/opt/remi/php73/lib/php/wsdlcache
;php_value[opcache.file_cache]  = /var/opt/remi/php73/lib/php/opcache

php-fpmを起動する

# service php73-php-fpm start

Let’s Encrypt(無料SSL証明書生成ツール)のインストール

# yum install certbot python2-certbot-apache

Let’s Encrypt で証明書作成

前提: 証明書を取得するサーバのドメイン名が事前にDNSへ登録され、外部から名前解決できる事

以下はこのサイトの証明書を取ったときの例。

・standaloneモードのcertbotが80ポートで待ち受けるため、Webサーバが動いている場合はいったん停止する(証明書取得後に再開する)
# service nginx stop

# certbot certonly --standalone -t --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.ukkari-san.net ※取得するサイトのドメインを入力
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.ukkari-san.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.ukkari-san.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.ukkari-san.net/privkey.pem
   Your cert will expire on 2019-07-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

証明書と鍵が生成されたか確認する

# ls -l /etc/letsencrypt/live/www.ukkari-san.net/
total 4
lrwxrwxrwx 1 root root  42 Apr 25 21:09 cert.pem -> ../../archive/www.ukkari-san.net/cert1.pem
lrwxrwxrwx 1 root root  43 Apr 25 21:09 chain.pem -> ../../archive/www.ukkari-san.net/chain1.pem
lrwxrwxrwx 1 root root  47 Apr 25 21:09 fullchain.pem -> ../../archive/www.ukkari-san.net/fullchain1.pem
lrwxrwxrwx 1 root root  45 Apr 25 21:09 privkey.pem -> ../../archive/www.ukkari-san.net/privkey1.pem
-rw-r--r-- 1 root root 692 Apr 25 21:09 README

nginxのリポジトリをインストール

# yum install http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

nginxをインストール

# yum install nginx.x86_64

自動起動の設定をする

# systemctl enable nginx.service

nginxのドキュメントルートになるディレクトリを作成する

# mkdir -p /var/www/www.ukkari-san.net
# chown -R [自分のユーザ].nginx /var/www/www.ukkari-san.net

(使う人は)proxy cache用 キャッシュ ディレクトリを作成する

# sudo mkdir -p /var/cache/nginx/proxy_temp
# sudo chown -R nginx.nginx /var/cache/nginx

nginxの設定を変更する。 (nginx.conf)

ログの出力形式としてltsv(タブ区切り)のlog_formatを定義する(以下の例のaccess_logではmain形式を指定したまま)

# vi /etc/nginx/nginx.conf
# Main nginx.conf for the nginx.org CentOS 7 package used in this guide.
# Worker account — must match the php-fpm socket owner/group
# (listen.owner / listen.group = nginx) for the upstream below to be usable.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Tab-separated (LTSV) access-log format. Defined here but not selected
    # by any access_log directive in this guide (they use "main"); a server
    # block can opt in with "access_log <path> ltsv;".
    log_format  ltsv  'time:$time_iso8601\t'
                      'host:$remote_addr\t'
                      'method:$request_method\t'
                      'uri:$request_uri\t'
                      'status:$status\t'
                      'size:$body_bytes_sent\t'
                      'reqtime:$request_time\t'
                      'apptime:$upstream_response_time\t'
                      'referer:$http_referer\t'
                      'ua:$http_user_agent\t';
                      #'request_body:$request_body\t';

    # Combined-style format; this is what access_log below uses.
    log_format main    '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

    # Variant for a host behind another proxy: the client field is taken from
    # X-Forwarded-For, a header the client itself can set, so only trust it on
    # a listener that is reachable solely through the known proxy.
    log_format backend '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent"';

    access_log  /var/log/nginx/access.log  main;

    server_name_in_redirect off;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens      off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   5;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    index   index.html index.htm index.php;

    # proxy cache
    # Cache storage plus a 32m key zone "czone". Nothing in this guide turns
    # it on (no "proxy_cache czone;" in any location), so these are defaults
    # for reverse-proxy vhosts added later. Only /var/cache/nginx/proxy_temp
    # was created earlier in the guide; nginx presumably creates this
    # directory itself under the nginx-owned parent — confirm on first start.
    proxy_cache_path  /var/cache/nginx/thankstock levels=1:2 keys_zone=czone:32m max_size=256m inactive=1440m;
    #proxy_cache_path  /var/cache/nginx/iitan levels=1:2 keys_zone=czone:32m max_size=256m inactive=1440m;

    proxy_temp_path   /var/cache/nginx/proxy_temp;
    # Key is scheme + host + URI only — no cookies or Authorization. Any
    # user-specific upstream response must therefore carry
    # Cache-Control: private / no-store, or it would be served to other
    # clients once caching is enabled.
    proxy_cache_key   "$scheme://$host$request_uri";
    # Headers forwarded to the upstream. $proxy_add_x_forwarded_for appends
    # $remote_addr to whatever X-Forwarded-For the client sent, so earlier
    # entries in that list are client-controlled.
    proxy_set_header  Host               $host;
    proxy_set_header  X-Real-IP          $remote_addr;
    proxy_set_header  Remote-Addr        $remote_addr;
    proxy_set_header  X-Forwarded-Host   $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto  $scheme;
    #proxy_set_header  X-UA-Detect        $mobile;
    # Ask the upstream for an uncompressed body (presumably so cached copies
    # are stored uncompressed — confirm).
    proxy_set_header  Accept-Encoding    "";
    # Strip these upstream response headers before they reach the client.
    proxy_hide_header X-Pingback;
    proxy_hide_header Link;
    proxy_hide_header ETag;
    # 5-second upstream timeouts; on timeout / 5xx a stale cached copy may be
    # served instead of the error.
    proxy_connect_timeout 5;
    proxy_send_timeout 5;
    proxy_read_timeout 5;
    proxy_cache_use_stale timeout invalid_header http_500 http_502 http_503 http_504;
    # Only one request per key populates a new cache entry at a time.
    proxy_cache_lock on;
    proxy_cache_lock_timeout 5s;
    proxy_buffers 30 32k;
    proxy_buffer_size 64k;

    # php-fpm over the Unix socket from the [www] pool
    # (listen = /run/php73-fpm.sock). With a single server in the group nginx
    # never marks it unavailable, so fail_timeout=0 is mostly documentary.
    upstream phpfpm {
        server unix:/run/php73-fpm.sock fail_timeout=0;
    }

    # Per-site server blocks (e.g. the www.ukkari-san.net one in this guide)
    # are picked up from here.
    include /etc/nginx/conf.d/*.conf;
}

nginxの設定を変更する。 (www.ukkari-san.net)

ドメイン名の部分(www.ukkari-san.net)は各自の環境に読み替える

# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
    listen 80;
    server_name www.ukkari-san.net;
    # http is redirected to https; $request_uri keeps path and query string.
    return 301 https://www.ukkari-san.net$request_uri;
}

# HTTPS vhost serving PHP through the "phpfpm" upstream defined in nginx.conf.
server {
    # NOTE(review): no ssl_protocols / ssl_ciphers / ssl_session_cache are
    # set, so this nginx build's defaults apply — confirm they exclude
    # TLS 1.0/1.1 if that is required. Once HTTPS is known to work, an HSTS
    # header (add_header Strict-Transport-Security ...) is the usual next step.
    listen 443 ssl;
    server_name www.ukkari-san.net;

    access_log  /var/log/nginx/www.ukkari-san.net.access.log  main;
    error_log   /var/log/nginx/www.ukkari-san.net.error.log;

    # Superseded by the "ssl" parameter on the listen line above.
    #ssl on;
    # Certbot's live/ paths are symlinks to the newest archive/ files, so a
    # renewal is picked up after an nginx reload without editing this file.
    ssl_certificate /etc/letsencrypt/live/www.ukkari-san.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ukkari-san.net/privkey.pem;

    root /var/www/www.ukkari-san.net;

    location / {
        index index.php index.html;
        # Serve the file or directory if it exists, otherwise fall through to
        # the index.php front controller (last entry is the internal fallback).
        try_files $uri $uri/ $uri?$args /index.php?$uri&$args /index.php?$args;
    }

    # NOTE(review): every URI ending in .php is handed to php-fpm whether or
    # not the file exists. Adding "try_files $uri =404;" as the first line of
    # this block makes nginx reject missing scripts itself instead of leaving
    # path resolution to PHP — the usual hardening for nginx + php-fpm.
    location ~ \.php$ {
        fastcgi_pass  phpfpm;
        fastcgi_index index.php;
        # SCRIPT_FILENAME is set before the include: the stock fastcgi_params
        # file does not define it (fastcgi.conf does) — confirm for this build.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

設定をチェック

# nginx -t

OKならnginxを起動する

# service nginx start
