Basic Ubuntu server configuration

Recommended: Ubuntu 20.04 LTS

The Ubuntu 21 releases have weaker support for things such as HTTPS certificate renewal.

Installing Chinese language support

Without switching to a Chinese locale, Chinese text in configuration files such as WordPress's does not display correctly.

1. vi /etc/locale.gen and add the following lines:
zh_CN GB2312
zh_CN.GB18030 GB18030
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8

2. Run locale-gen to generate the locale data

3. Make the encoding change permanent by running:

echo "export LC_ALL=zh_CN.utf8" >> /etc/profile

4. Reboot the VPS: reboot

Running commands in screen

apt-get install screen

# create a new session named screen_name; it can be resumed by that name
screen -S screen_name
# list sessions
screen -ls
# resume a session
screen -r screen_name
# sometimes a session shows as Attached and cannot be resumed; -D -r detaches the previous user first, then attaches
screen -D -r screen_name

Adding swap

Use free -m to check whether the swap size is 0.

Use dd to create a swap file. count is size (in MB) * 1024; here 4G of swap is set up (matching the host's RAM), i.e. count=4096000.

dd if=/dev/zero of=/home/swap bs=1024 count=4096000

Format the file as swap and enable it:

mkswap /home/swap && swapon /home/swap
# warning printed: swapon: /home/swap: insecure permissions 0644, 0600 suggested
chmod 600 /home/swap

To disable swap: swapoff /home/swap

vi /etc/fstab and append the following line so the swap file is enabled automatically

/home/swap swap swap defaults 0 0

The swappiness value strongly affects how swap is used. swappiness=0 means use physical memory as much as possible and only then swap; swappiness=100 means use swap aggressively and move data from memory into swap promptly. The default is usually 10:

cat /proc/sys/vm/swappiness
0

vi /etc/sysctl.conf and add the following line to prefer RAM over swap

vm.swappiness = 0
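As an added example (not from the original post), the swap setup above as one script: chmod 600 is applied before mkswap/swapon, so the "insecure permissions 0644" warning never appears and the file is never world-readable, and the fstab entry is only ever added once. The path /home/swap and the 4096 MiB size follow the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): create a swap file with the
# permission fix applied *before* swapon, and register it in fstab idempotently.
# Path /home/swap and 4096 MiB follow the post; function names are assumptions.
set -eu

# dd count for a swap file of SIZE_MIB mebibytes at bs=1024.
# 4096 MiB -> 4194304 (the post's 4096000 gives roughly 3.9 GiB).
swap_count_for_mib() {
    echo $(( $1 * 1024 ))
}

# fstab line for a swap file; the option is spelled "defaults".
fstab_swap_line() {
    printf '%s none swap defaults 0 0\n' "$1"
}

# Append the line to FSTAB unless that swap file is already listed.
# Returns 0 when added, 1 when it was already present.
ensure_fstab_entry() {
    fstab=$1; swapfile=$2
    if grep -q "^$swapfile[[:space:]]" "$fstab" 2>/dev/null; then
        return 1
    fi
    fstab_swap_line "$swapfile" >> "$fstab"
}

# Create, lock down, format and enable the swap file (run as root).
make_swapfile() {
    swapfile=$1; size_mib=$2
    if [ -e "$swapfile" ]; then
        echo "$swapfile already exists, refusing to overwrite" >&2
        return 1
    fi
    dd if=/dev/zero of="$swapfile" bs=1024 count="$(swap_count_for_mib "$size_mib")"
    chown root:root "$swapfile"
    chmod 600 "$swapfile"          # before swapon: no warning, no world-readable swap
    mkswap "$swapfile"
    swapon "$swapfile"
    ensure_fstab_entry /etc/fstab "$swapfile" || true
    swapon --show                  # confirm it is active
}

# Only touch the system when invoked as: sh swapfile.sh run
if [ "${1:-}" = "run" ]; then
    make_swapfile /home/swap 4096
fi
```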

PHP, MySQL, nginx

Install MySQL rather than MariaDB, because the latter does not support FTS.

apt-get update && apt-get upgrade && apt-get install vim software-properties-common screen unzip php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-xmlrpc php7.4-fpm php7.4-bcmath php7.4-imagick php7.4-tidy php7.4-zip php7.4-mysql nginx mysql-server && apt upgrade && apt autoremove

Following https://www.cnblogs.com/zgblog/p/10341035.html :

sysctl vm.nr_hugepages=512

Configuring PHP 7.4
vi /etc/php/7.4/fpm/php.ini, relevant fields:

upload_max_filesize = 100M
pdo_mysql.default_socket=/run/mysqld/mysqld.sock
opcache.enable=1
opcache.enable_cli=1
opcache.huge_code_pages=1
opcache.file_cache=/tmp

Restart: service php7.4-fpm restart

Harden MySQL: mysql_secure_installation

Access permission issue; switch root to password authentication:

MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> select Host,User,plugin from mysql.user where User='root';
+-----------+------+-------------+
| Host      | User | plugin      |
+-----------+------+-------------+
| localhost | root | auth_socket |
+-----------+------+-------------+
1 row in set (0.000 sec)
# at this point the plugin (authentication method) is the unix socket plugin;
# reset it for the root@localhost account only
MariaDB [mysql]> update mysql.user set plugin='mysql_native_password' where User='root' and Host='localhost';
Query OK, 1 row affected (0.001 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.000 sec)

Configuring nginx
vi /etc/nginx/sites-enabled/default, relevant section:

        location / {
            root   /hugo_yinhe/public;
            index  index.php index.html index.htm;
        }

        error_page  404             https://yinhe.co/404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
        #    root   html;
        #}

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

Configuring HTTPS for nginx

1. Install certbot

Reference: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

cd ~/ && apt-get update
apt-get install certbot  python3-certbot-nginx

2. Obtain only the certificate

Certificate for the main domain:

certbot certonly --standalone -d yinhe.co

Or:

certbot --nginx certonly

Information about the obtained certificate:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co/privkey.pem
   Your cert will expire on 2021-10-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Wildcard certificate; set up the DNS record as prompted:

# certbot certonly  -d *.yinhe.co --email xxx@xxx.com --server https://acme-v02.api.letsencrypt.org/directory  --preferred-challenges dns --manual

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yinhe.co with the following value:

xxxxxx

Before continuing, verify the record is deployed.
-----------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/privkey.pem
   Your cert will expire on 2021-10-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

3. dhparam setup

Run the following command:

openssl dhparam -out /etc/letsencrypt/live/yinhe.co/dh4096.pem 4096

4. Manually configure the nginx file

Edit the single server block in vi /etc/nginx/sites-enabled/default. It is best to avoid Chinese characters in the configuration file; in some situations they cause failures that are hard to diagnose:

        listen                  443 ssl http2;
        ssl                     on;
        ssl_certificate      /etc/letsencrypt/live/yinhe.co/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/yinhe.co/privkey.pem;
        ssl_dhparam          /etc/letsencrypt/live/yinhe.co/dh4096.pem;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers  on;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache          shared:SSL:50m;
        ssl_session_timeout        1d;
        ssl_session_tickets off;
        #ssl_stapling               on;
        ssl_stapling_verify        on;
        ssl_trusted_certificate    /etc/letsencrypt/live/yinhe.co/chain.pem;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        server_name yinhe.co;

ssl_stapling on is commented out because server-side certificate verification failed: the server could not connect to ocsp.int-x3.letsencrypt.org
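As an added check (not from the original post), a small lint for the TLS directives in the server block above: it flags ssl on (redundant with listen 443 ssl and removed in nginx 1.25), TLSv1/TLSv1.1 (deprecated by RFC 8996), the 3DES and plain-RSA suites in the cipher list, and ssl_stapling_verify left on while ssl_stapling is commented out. SNIPPET is a constructed copy of the post's directives with the cipher list shortened; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS directives of an
# nginx server block. SNIPPET is a constructed, shortened copy of the post's
# settings; has()/tls_findings()/finding_count() are my own names.
set -eu

SNIPPET=$(cat <<'EOF'
listen 443 ssl http2;
ssl on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off;
#ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
)

# True when the config text contains a line matching the extended regex.
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Print one finding per line for the given config text (no output = clean).
tls_findings() {
    cfg=$1
    has "$cfg" '^[[:space:]]*ssl[[:space:]]+on;' &&
        echo 'ssl on: redundant with "listen 443 ssl" and removed in nginx 1.25'
    has "$cfg" 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' &&
        echo 'ssl_protocols: TLSv1/TLSv1.1 enabled; use "ssl_protocols TLSv1.2 TLSv1.3;"'
    has "$cfg" 'ssl_ciphers[^;]*DES-CBC3' &&
        echo 'ssl_ciphers: 3DES (DES-CBC3-SHA) is a 64-bit block cipher; drop it'
    has "$cfg" 'ssl_ciphers[^;]*:AES(128|256)-(GCM|SHA)' &&
        echo 'ssl_ciphers: plain RSA key exchange suites (no forward secrecy) present'
    if has "$cfg" '^[[:space:]]*#[[:space:]]*ssl_stapling[[:space:]]+on' &&
       has "$cfg" '^[[:space:]]*ssl_stapling_verify[[:space:]]+on'; then
        echo 'ssl_stapling_verify on has no effect while ssl_stapling is commented out'
    fi
    return 0
}

# Number of findings, for scripting (0 means nothing to fix).
finding_count() { tls_findings "$1" | wc -l | tr -d ' '; }

tls_findings "$SNIPPET"
```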

5. Redirects

# subdomains redirect
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.yinhe.co;

    ssl_certificate         /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
    return                  301 https://yinhe.co$request_uri;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name .yinhe.co;
    # SSL
    ssl_certificate         /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
    location / {return 301 https://yinhe.co$request_uri;}
}

Static file optimisation

        location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
                expires 1M;
                add_header Cache-Control "public";
        }

        location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {access_log off;}

/etc/nginx/nginx.conf: do not log successful requests; the default combined format is used here

        #access_log /var/log/nginx/access.log;
        map $status $loggable {
                ~^[23]  0;
                default 1;
        }

        access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;

Site optimisation notes: see the website performance test Google PageSpeed Insights.

Optimising nginx, following https://www.nginx.com/blog/help-the-world-by-healing-your-nginx-configuration/

Set a long cache expiry for fonts and images, which rarely change (and when they do, they usually get a new file name). The following configuration tells the client browser to keep fonts and images in its local cache for one month:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
    expires 1M;
    add_header Cache-Control "public";
}

Note that fonts come in many formats (eot|ttf|otf|woff|svg), so this can be extended to:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
    expires 1M;
    add_header Cache-Control "public";
}

Reducing and optimising logging:

Disable logging of page-resource requests:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|js|css)$ {access_log off;}

Modified version:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {access_log off;}

Do not log successful requests; the default combined format is used here. vi /etc/nginx/nginx.conf

#access_log /var/log/nginx/access.log;
map $status $loggable {
    ~^[23]  0;
    default 1;
}

access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;
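As an added example (not from the original post), covering both places above where the map $status $loggable rule appears: the same filter replayed over constructed combined-format log lines, so you can see exactly which requests disappear from the access log before enabling it. The sample lines are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): replay the post's
#   map $status $loggable { ~^[23] 0; default 1; }
# rule over constructed combined-format log lines. Sample lines are
# constructed (documentation IP ranges); function names are assumptions.
set -eu

# Same test the nginx map applies: status starting with 2 or 3 is not logged.
loggable() {
    case $1 in
        2*|3*) echo 0 ;;
        *)     echo 1 ;;
    esac
}

# The status code is the 9th whitespace-separated field of the combined format:
# remote_addr - remote_user [time] "request" status bytes "referer" "agent"
status_of_line() {
    printf '%s\n' "$1" | awk '{ print $9 }'
}

# Copy stdin to stdout, keeping only lines the map would still log.
filter_kept() {
    while IFS= read -r line; do
        [ "$(loggable "$(status_of_line "$line")")" = 1 ] && printf '%s\n' "$line"
    done
    return 0
}

# Constructed sample traffic: a page hit, a redirect, a 404, a 403 and a 502.
SAMPLE_LOG='203.0.113.10 - - [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.10 - - [01/Jan/2021:10:00:01 +0000] "GET /old HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 502 0 "-" "Mozilla/5.0"'

# Number of sample lines that survive the filter (3 of the 5 above).
kept_count() {
    printf '%s\n' "$SAMPLE_LOG" | filter_kept | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | filter_kept
```

Only the 4xx/5xx lines remain; a request that succeeded (200 or 302) is gone too, so an access log filtered this way cannot be used to reconstruct what a successful request did, and a separate unfiltered log is needed if that matters for incident response.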

nginx subdirectory setup

Reference: https://gist.github.com/yidas/fc7228b6d7aad48d84461a254a77812f

Nginx Configuration Guide & Samples

Subdirectory using Alias

root /var/www/html;

location /site2/ {alias /srv/www/project2/;}

on request of /site2/top.gif, the file /srv/www/project2/top.gif will be sent.

Subdirectory with PHP

Following the Nginx alias above, you can define a PHP location inside it, with the SCRIPT_FILENAME setting carrying the subdirectory path.

location /site2/ {

    alias /srv/www/project2/;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Apply the subdirectory base path to PHP script
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}

Pretty URI

If you need pretty URLs, as with the Laravel PHP framework, you can set up try_files with this trick:

location /site2/ {

    alias /srv/www/project2/;

    # Pretty URI trick
    try_files $uri $uri/ /site2//site2/index.php?$query_string;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Apply the subdirectory base path to PHP script
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}


Automatic updates for Ubuntu and miniconda

/etc/crontab

# update ubuntu each hour
31 *   * * *   root    apt-get update && apt-get upgrade -y
# update python packages each hour
33 *   * * *   root  /root/miniconda3/bin/conda update --all -y