建议:ubuntu 20.04 LTS
ubuntu 21 版本 https 证书更新等支持不那么友好。
安装设置中文语言支持
如果不修改为中文, 看 wordpress 等的配置文件中的中文有问题。
- vi /etc/locale.gen , 添加如下的行:
zh_CN GB2312
zh_CN.GB18030 GB18030
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8
2. 运行 locale-gen 下载语言
3 永久更改编码,运行以下命令
echo "export LC_ALL=zh_CN.utf8" >> /etc/profile
4. 重启 vps: reboot
使用 screen 运行命令
apt-get install screen
# 新建一个窗口, 名字为 screen_name, 可以通过名字恢复该窗口
screen -S screen_name
# 列出窗口列表
screen -ls
# 恢复窗口
screen -r screen_name
# 有时候恢复连接会出现 screen session 的状态为 Attached 而怎么连也连不上的情况,-D -r 先踢掉前一用户,再登陆
screen -D -r screen_name
增加 swap 分区
使用 free - m 命令查看 swap 分区大小是否为 0.
使用 dd 命令创建一个 swap 分区,count 的值是:size(多少 M)* 1024,这里设置的 4G 虚拟内存 (和主机内存保持一致),也就是 count=4096000.
dd if=/dev/zero of=/home/swap bs=1024 count=4096000
格式化 swap 分区, 把格式化后的文件分区设置为 swap 分区,
mkswap /home/swap && swapon /home/swap
#提示:swapon:/home/swap: insecure permissions 0644, 0600 suggested
chmod 600 /home/swap
如果要关闭 SWAP 分区, 命令为:swapoff /home/swap
vi /etc/fstab, 在文末加入如下行让 swap 分区自动挂载
/home/swap swap swap default 0 0
swappiness 的值的大小对如何使用 swap 分区是有着很大的联系的。swappiness= 0 的时候表示最大限度使用物理内存,然后才是 swap 空间,swappiness=100 的时候表示积极的使用 swap 分区,并且把内存上的数据及时的搬运到 swap 空间里面。默认值一般为 10:
cat /proc/sys/vm/swappiness
0
vi /etc/sysctl.conf 增加如下行, 尽量使用内存
vm.swappiness = 0
php,MySQL,nginx
不安装 MariaDB, 安装 MySQL, 因为前者不支持 fts.
apt-get update && apt-get upgrade && apt-get install vim software-properties-common screen unzip php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-xmlrpc php7.4-fpm php7.4-bcmath php7.4-imagick php7.4-tidy php7.4-zip php7.4-mysql nginx mysql-server && apt upgrade && apt autoremove
参考 https://www.cnblogs.com/zgblog/p/10341035.html :
sysctl vm.nr_hugepages=512
配置 php7.4
vi /etc/php/7.4/fpm/php.ini, 部分字段:
upload_max_filesize = 100M
pdo_mysql.default_socket=/run/mysqld/mysqld.sock
opcache.enable=1
opcache.enable_cli=1
opcache.huge_code_pages=1
opcache.file_cache=/tmp
重启: service php7.4-fpm restart
安全加固 MySQL: mysql_secure_installation
访问权限问题, 修改为密码访问:
MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> select Host,User,plugin from mysql.user where User='root';
+-----------+------+-------------+
| Host | User | plugin |
+-----------+------+-------------+
| localhost | root | auth_socket |
+-----------+------+-------------+
1 row in set (0.000 sec) # 这个时候会发现 plugin(加密方式) 是 unix_socket,MariaDB [mysql]> update mysql.user set plugin='mysql_native_password';
Query OK, 1 row affected (0.001 sec) # #重置加密方式
Rows matched: 1 Changed: 1 Warnings: 0
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.000 sec)
配置 nginx
vi /etc/nginx/sites-enabled/default, 部分配置段:
location / {
root /hugo_yinhe/public;
index index.php index.html index.htm;
}
error_page 404 https://yinhe.co/404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root html;
#}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
}
为 nginx 配置 https
1 安装 certbot
参考: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
cd ~/ && apt-get update
apt-get install certbot python3-certbot-nginx
2 仅获取证书
主域名证书:
certbot certonly --standalone -d yinhe.co
或者:
certbot --nginx certonly
获取的证书信息:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yinhe.co/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yinhe.co/privkey.pem
Your cert will expire on 2021-10-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
泛域名证书, 需要根据提示设置 DNS:
# certbot certonly -d *.yinhe.co --email xxx@xxx.com --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yinhe.co with the following value:
xxxxxx
Before continuing, verify the record is deployed.
-----------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yinhe.co-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yinhe.co-0001/privkey.pem
Your cert will expire on 2021-10-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
3 dhparam 设置
执行如下命令:
openssl dhparam -out /etc/letsencrypt/live/yinhe.co/dh4096.pem 4096
4 手动配置 nginx 文件
修改 nginx 单个 server 配置, vi /etc/nginx/sites-enabled/default , 配置文件中最好不要有中文,某些场景可能引起故障又很难排查:
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/yinhe.co/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yinhe.co/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/yinhe.co/dh4096.pem;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
#ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co/chain.pem;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_name yinhe.co;
注释掉 ssl_stapling on 是因为在服务器端验证证书出错, 不能连接上 ocsp.int-x3.letsencrypt.org
5 重定向
# subdomains redirect
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.yinhe.co;
ssl_certificate /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
return 301 https://yinhe.co$request_uri;
}
# HTTP redirect
server {
listen 80;
listen [::]:80;
server_name .yinhe.co;
# SSL
ssl_certificate /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
location / {return 301 https://yinhe.co$request_uri;}
}
静态文件优化
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
expires 1M;
add_header Cache-Control "public";
}
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {access_log off;}
/etc/nginx/nginx.conf: 不记录请求成功的日志, 这里用默认 combined 格式记录日志
#access_log /var/log/nginx/access.log;
map $status $loggable {~^[23] 0;
default 1;
}
access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;
优化网站说明: 参考 网站性能测试:Google PageSpeed Insights
参考 https://www.nginx.com/blog/help-the-world-by-healing-your-nginx-configuration/ 优化 nginx
为字体和图像设置较长的缓存过期时间,这些字体和图像可能不会经常更改(即使更改,它们通常也会获得新的文件名)。如下配置指示客户端浏览器将字体和图像在本地缓存中保留一个月:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
expires 1M;
add_header Cache-Control "public";
}
需要注意的是,字体有很多格式 (eot|ttf|otf|woff|svg), 所以可以修改为:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
expires 1M;
add_header Cache-Control "public";
}
减少和优化日志记录:
禁用页面资源请求的记录:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|js|css)$ {access_log off;}
修改版:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {access_log off;}
不记录请求成功的日志, 这里用默认 combined 格式记录日志, vi /etc/nginx/nginx.conf
#access_log /var/log/nginx/access.log;
map $status $loggable {~^[23] 0;
default 1;
}
access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;
- nginx 配置优化, 参考: https://www.digitalocean.com/community/tools/nginx
nginx 子目录设置
参考: https://gist.github.com/yidas/fc7228b6d7aad48d84461a254a77812f
Nginx Configuration Guide & Samples
Subdirectory using Alias
root /var/www/html;
location /site2/ {alias /srv/www/project2/;}
on request of /site2/top.gif, the file /srv/www/project2/top.gif will be sent.
Subdirectory with PHP
According to Nginx Alias above, you could define PHP location in that with SCRIPT_FILENAME setting for Subdirectory path.
location /site2/ {
alias /srv/www/project2/;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# Apply the subdirectory base path to PHP script
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
}
Pretty URI
If you need pretty URL such as Laravel PHP framework, you could seriously setup try_files with trick:
location /site2/ {
alias /srv/www/project2/;
# Pretty URI trick
try_files $uri $uri/ /site2//site2/index.php?$query_string;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
# Apply the subdirectory base path to PHP script
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
}
Reference
- Laravel Server Configuration for Nginx & Apache (Subdirectory)
- Yii2 Server Configuration for Nginx & Apache (Subdirectory)
- Codeigniter 3 server configuration for Nginx & Apache
设置 ubuntu,miniconda 的自动更新
/etc/crontab
# update ubuntu each hour
31 * * * * root apt-get update && apt-get upgrade -y
# update python pkgs hour
33 * * * * root /root/miniconda3/bin/conda update --all -y
