Recommended: Ubuntu 20.04 LTS.
Ubuntu 21 is less friendly for things like HTTPS certificate renewal.
Install and configure Chinese language support
Without switching the locale to Chinese, Chinese text in configuration files (WordPress's, for example) does not display correctly.
1. vi /etc/locale.gen and add the following lines:
zh_CN GB2312
zh_CN.GB18030 GB18030
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8
2. Run locale-gen to generate the locales.
3. Make the encoding change permanent by running the following command:
echo "export LC_ALL=zh_CN.utf8" >> /etc/profile
4. Reboot the VPS: reboot
Running commands under screen
apt-get install screen
# Create a new session named screen_name; it can be resumed later by that name
screen -S screen_name
# List sessions
screen -ls
# Resume a session
screen -r screen_name
# Sometimes a session shows as Attached and cannot be resumed no matter what; -D -r first detaches the previous user, then attaches
screen -D -r screen_name
Adding a swap partition
Use free -m to check whether the swap size is 0.
Create a swap file with dd; count = size in MB * 1024. Here 4G of virtual memory is configured (matching the host's RAM), i.e. count=4096000.
dd if=/dev/zero of=/home/swap bs=1024 count=4096000
Format the file as swap and enable it as the swap partition:
mkswap /home/swap && swapon /home/swap
# Hint: swapon: /home/swap: insecure permissions 0644, 0600 suggested
chmod 600 /home/swap
To disable the swap partition, run: swapoff /home/swap
vi /etc/fstab and append the following line so the swap file is mounted automatically:
/home/swap swap swap defaults 0 0
The swappiness value has a strong effect on how swap is used. swappiness=0 means physical memory is used to the fullest extent before swap space is touched; swappiness=100 means swap is used aggressively and data in memory is moved to swap promptly. The default is usually 10:
cat /proc/sys/vm/swappiness
0
vi /etc/sysctl.conf and add the following line to prefer RAM as much as possible:
vm.swappiness = 0
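The swap-file steps above as one script, an added example that is not from the original post: it applies chmod 600 before mkswap/swapon so the insecure-permissions warning never appears, checks each step, and appends the fstab entry only once. It assumes Linux with GNU coreutils (stat -c, dd status=none) and that it runs as root; the file path and size are arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a swap file following
# the steps described above, fixing the file mode before mkswap/swapon.
# Assumes: Linux, GNU coreutils (stat -c, dd status=none), run as root.

# 1024-byte block count for a swap file of SIZE_MB mebibytes
# (4096 MiB -> 4194304 blocks).
swap_block_count() {
    echo $(( $1 * 1024 ))
}

# 0 if the file mode is exactly 0600, which is what swapon expects; else 1.
swapfile_mode_ok() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = "600" ]
}

# The /etc/fstab entry; the option field must read "defaults" (with an s).
swap_fstab_line() {
    printf '%s none swap defaults 0 0\n' "$1"
}

# Create, secure, format and enable the swap file, then persist it.
create_swapfile() {
    file=$1
    size_mb=$2
    dd if=/dev/zero of="$file" bs=1024 count="$(swap_block_count "$size_mb")" \
        status=none || return 1
    chmod 600 "$file"                 # before swapon, so no 0644 warning
    swapfile_mode_ok "$file" || return 1
    mkswap "$file" >/dev/null || return 1
    swapon "$file" || return 1
    # Persist only if no entry for this file exists yet.
    grep -q "^$file " /etc/fstab || swap_fstab_line "$file" >> /etc/fstab
}

# Usage as root: create_swapfile /home/swap 4096 ; free -m
```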
PHP, MySQL, nginx
Install MySQL rather than MariaDB, because the latter does not support FTS.
apt-get update && apt-get upgrade && apt-get install vim software-properties-common screen unzip php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-xmlrpc php7.4-fpm php7.4-bcmath php7.4-imagick php7.4-tidy php7.4-zip php7.4-mysql nginx mysql-server && apt upgrade && apt autoremove
Following https://www.cnblogs.com/zgblog/p/10341035.html :
sysctl vm.nr_hugepages=512
Configure PHP 7.4: vi /etc/php/7.4/fpm/php.ini, relevant settings:
upload_max_filesize = 100M
pdo_mysql.default_socket=/run/mysqld/mysqld.sock
opcache.enable=1
opcache.enable_cli=1
opcache.huge_code_pages=1
opcache.file_cache=/tmp
Restart: service php7.4-fpm restart
Harden MySQL: mysql_secure_installation
Access-permission issue; switch to password authentication:
MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> select Host,User,plugin from mysql.user where User='root';
+-----------+------+-------------+
| Host | User | plugin |
+-----------+------+-------------+
| localhost | root | auth_socket |
+-----------+------+-------------+
1 row in set (0.000 sec) # at this point you will see the plugin (authentication method) is unix_socket
MariaDB [mysql]> update mysql.user set plugin='mysql_native_password';
Query OK, 1 row affected (0.001 sec) # reset the authentication method
Rows matched: 1 Changed: 1 Warnings: 0
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.000 sec)
Configure nginx: vi /etc/nginx/sites-enabled/default, relevant configuration sections:
    location / {
        root /hugo_yinhe/public;
        index index.php index.html index.htm;
    }
    error_page 404 https://yinhe.co/404.html;
    # redirect server error pages to the static page /50x.html
    #
    #error_page 500 502 503 504 /50x.html;
    #location = /50x.html {
    #    root html;
    #}
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
Configuring HTTPS for nginx
1. Install certbot
Reference: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
cd ~/ && apt-get update
apt-get install certbot python3-certbot-nginx
2. Obtain the certificate only
Certificate for the main domain:
certbot certonly --standalone -d yinhe.co
or:
certbot --nginx certonly
Information about the certificate obtained:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yinhe.co/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yinhe.co/privkey.pem
Your cert will expire on 2021-10-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Wildcard certificate; set up the DNS record as prompted:
# certbot certonly -d *.yinhe.co --email xxx@xxx.com --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yinhe.co with the following value:
xxxxxx
Before continuing, verify the record is deployed.
-----------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yinhe.co-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yinhe.co-0001/privkey.pem
Your cert will expire on 2021-10-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
3. dhparam setup
Run the following command:
openssl dhparam -out /etc/letsencrypt/live/yinhe.co/dh4096.pem 4096
4. Manually configure the nginx file
Edit the single server block: vi /etc/nginx/sites-enabled/default. It is best to keep Chinese characters out of the configuration file; in some scenarios they cause failures that are very hard to diagnose:
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/yinhe.co/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yinhe.co/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/yinhe.co/dh4096.pem;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
#ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co/chain.pem;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_name yinhe.co;
ssl_stapling on is commented out because certificate verification failed on the server side: it could not connect to ocsp.int-x3.letsencrypt.org.
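A lint for the server block above, as an added example that is not part of the original post: it flags the settings in that block which current TLS guidance no longer recommends (TLSv1/TLSv1.1 in ssl_protocols, the 3DES suites in ssl_ciphers, the deprecated ssl on directive) and the inconsistency of ssl_stapling_verify on while ssl_stapling is commented out. It assumes POSIX sh with grep and sed; the config path is its only argument.

```shell
#!/bin/sh
# Added example, not from the original post: lint the TLS settings of an
# nginx server block. Assumes POSIX sh, grep -E and sed are available.

# Print one finding per line; return 0 when clean, 1 when anything was flagged.
lint_nginx_tls() {
    conf=$1
    found=0
    # Strip comments first so "#ssl_stapling on;" does not count as enabled.
    active=$(sed 's/#.*$//' "$conf")
    if printf '%s\n' "$active" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([ ;])'; then
        echo "obsolete protocol: TLSv1/TLSv1.1 enabled (keep TLSv1.2 TLSv1.3)"
        found=1
    fi
    if printf '%s\n' "$active" | grep -Eq 'ssl_ciphers[^;]*DES-CBC3'; then
        echo "weak cipher: 3DES (DES-CBC3-SHA) suites present in ssl_ciphers"
        found=1
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "deprecated: 'ssl on;' (the ssl parameter on listen is enough)"
        found=1
    fi
    if printf '%s\n' "$active" | grep -Eq 'ssl_stapling_verify[[:space:]]+on' \
       && ! printf '%s\n' "$active" | grep -Eq 'ssl_stapling[[:space:]]+on'; then
        echo "inconsistent: ssl_stapling_verify on but ssl_stapling is not enabled"
        found=1
    fi
    return $found
}

# Usage: lint_nginx_tls /etc/nginx/sites-enabled/default
```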
5. Redirects
    # subdomains redirect
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name *.yinhe.co;
        ssl_certificate /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
        return 301 https://yinhe.co$request_uri;
    }
    # HTTP redirect
    server {
        listen 80;
        listen [::]:80;
        server_name .yinhe.co;
        # SSL
        ssl_certificate /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
        location / {
            return 301 https://yinhe.co$request_uri;
        }
    }
Static file optimization
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
        expires 1M;
        add_header Cache-Control "public";
    }
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {
        access_log off;
    }
/etc/nginx/nginx.conf: do not log successful requests; the default combined format is used for logging here.
    #access_log /var/log/nginx/access.log;
    map $status $loggable {
        ~^[23] 0;
        default 1;
    }
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;
Site optimization notes; reference: site performance testing with Google PageSpeed Insights
Optimize nginx following https://www.nginx.com/blog/help-the-world-by-healing-your-nginx-configuration/
Set long cache expiry times for fonts and images, which rarely change (and when they do, they usually get a new file name). The following configuration tells the client browser to keep fonts and images in its local cache for one month:
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
        expires 1M;
        add_header Cache-Control "public";
    }
Note that fonts come in many formats (eot|ttf|otf|woff|svg), so the rule can be changed to:
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
        expires 1M;
        add_header Cache-Control "public";
    }
Reduce and optimize logging:
Disable logging for page resource requests:
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|js|css)$ {
        access_log off;
    }
Modified version:
    location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {
        access_log off;
    }
Do not log successful requests; the default combined format is used for logging here. vi /etc/nginx/nginx.conf:
    #access_log /var/log/nginx/access.log;
    map $status $loggable {
        ~^[23] 0;
        default 1;
    }
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;
- nginx configuration optimization; reference: https://www.digitalocean.com/community/tools/nginx
nginx subdirectory setup
Reference: https://gist.github.com/yidas/fc7228b6d7aad48d84461a254a77812f
Nginx Configuration Guide & Samples
Subdirectory using Alias
    root /var/www/html;
    location /site2/ {
        alias /srv/www/project2/;
    }
On a request for /site2/top.gif, the file /srv/www/project2/top.gif will be sent.
Subdirectory with PHP
Building on the nginx alias above, you can define a PHP location inside it, with the SCRIPT_FILENAME setting applying the subdirectory path.
    location /site2/ {
        alias /srv/www/project2/;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            # Apply the subdirectory base path to PHP script
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
    }
Pretty URI
If you need pretty URLs, as with the Laravel PHP framework, you can set up try_files with the following trick (the doubled /site2/ in the fallback is intentional, because alias rewrites the location prefix):
    location /site2/ {
        alias /srv/www/project2/;
        # Pretty URI trick
        try_files $uri $uri/ /site2//site2/index.php?$query_string;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            # Apply the subdirectory base path to PHP script
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }
    }
Automatic updates for Ubuntu and miniconda
/etc/crontab
# update ubuntu every hour
31 * * * * root apt-get update && apt-get upgrade -y
# update python packages every hour
33 * * * * root /root/miniconda3/bin/conda update --all -y
© Licensed under CC BY-NC-SA 4.0