Basic Ubuntu server configuration

Recommended: Ubuntu 20.04 LTS

Ubuntu 21.x has weaker support for things such as HTTPS certificate renewal.

Installing Chinese language support

Without switching to a Chinese locale, Chinese text in configuration files such as WordPress's displays incorrectly.

1. vi /etc/locale.gen and add the following lines:
zh_CN GB2312
zh_CN.GB18030 GB18030
zh_CN.GBK GBK
zh_CN.UTF-8 UTF-8

2. Run locale-gen to generate the locales

3. Make the encoding change permanent by running:

echo "export LC_ALL=zh_CN.utf8" >> /etc/profile

4. Reboot the VPS: reboot

Running commands under screen

apt-get install screen

# Create a new session named screen_name; it can be resumed later by name
screen -S screen_name
# List sessions
screen -ls
# Resume a session
screen -r screen_name
# Sometimes a session shows as Attached and cannot be resumed; -D -r detaches the previous client first, then attaches
screen -D -r screen_name

Adding swap

Use free -m to check whether the swap size is 0.

Create a swap file with dd. count is size (in MB) * 1024; here 4 GB of swap is created (matching the host's RAM), so count=4096000.

dd if=/dev/zero of=/home/swap bs=1024 count=4096000

Format the file as swap and enable it (run chmod 600 before swapon to avoid the warning shown below):

mkswap /home/swap && swapon /home/swap
# warning printed: swapon: /home/swap: insecure permissions 0644, 0600 suggested
chmod 600 /home/swap

To disable the swap file: swapoff /home/swap

vi /etc/fstab and append the following line so the swap file is enabled at boot (the option keyword is "defaults"):

/home/swap swap swap defaults 0 0

The swappiness value largely determines how swap is used. swappiness=0 means use physical memory as much as possible and only then swap; swappiness=100 means use swap aggressively and move data from memory to swap promptly. The default is usually 10:

cat /proc/sys/vm/swappiness
0

vi /etc/sysctl.conf and add the following line to prefer memory over swap:

vm.swappiness = 0
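The swap-file procedure above as a script, an added example that is not from the original post: permissions are restricted before mkswap/swapon, and the fstab entry is added only once. setup_swap assumes it runs as root; the helper functions run unprivileged.

```shell
# Added example (not part of the original post): the swap-file procedure above in
# a safe order, with the fstab entry added only once. Assumes the caller is root
# for setup_swap; the two helper functions run unprivileged.
set -eu

# dd block count for bs=1024: size in MiB * 1024 (the formula used above).
swap_dd_count() { echo $(( $1 * 1024 )); }

# True if fstab file $2 already has a swap entry for file $1
# (the path is used as a regex; fine for plain paths like /home/swap).
fstab_has_swap() { grep -qE "^[[:space:]]*$1[[:space:]]+(none|swap)[[:space:]]+swap" "$2"; }

# Append the fstab line for swap file $1 to fstab file $2 unless it is already there.
# Note the option keyword is "defaults", not "default".
fstab_add_swap() {
    fstab_has_swap "$1" "$2" || printf '%s swap swap defaults 0 0\n' "$1" >> "$2"
}

# Create and enable swap file $1 of $2 MiB. Permissions are restricted before
# mkswap so swapon never sees a world-readable file (the 0644 warning above).
setup_swap() {
    path=$1; size_mib=$2
    if [ "$(id -u)" -ne 0 ]; then echo "setup_swap: must run as root" >&2; return 1; fi
    umask 077                                  # file is born 0600
    dd if=/dev/zero of="$path" bs=1024 count="$(swap_dd_count "$size_mib")" status=none
    chmod 600 "$path"
    mkswap "$path" >/dev/null
    swapon "$path"
    fstab_add_swap "$path" /etc/fstab
}
```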

PHP, MySQL, nginx

Install MySQL rather than MariaDB, because the latter does not support FTS.

apt-get update && apt-get upgrade && apt-get install  vim software-properties-common screen unzip  php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-xmlrpc php7.4-fpm php7.4-bcmath php7.4-imagick  php7.4-tidy   php7.4-zip  php7.4-mysql nginx mysql-server  && apt upgrade && apt autoremove

Per https://www.cnblogs.com/zgblog/p/10341035.html :

sysctl vm.nr_hugepages=512

Configure PHP 7.4: vi /etc/php/7.4/fpm/php.ini; selected settings:

upload_max_filesize = 100M
pdo_mysql.default_socket=/run/mysqld/mysqld.sock
opcache.enable=1
opcache.enable_cli=1
opcache.huge_code_pages=1
opcache.file_cache=/tmp

Restart: service php7.4-fpm restart

Harden MySQL: mysql_secure_installation

Access control: switch root from socket authentication to password authentication. Restrict the UPDATE to the root account, and set a password for it right afterwards, since the plugin change alone leaves the account passwordless:

MariaDB [(none)]> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> select Host,User,plugin from mysql.user where User='root';
+-----------+------+-------------+
| Host      | User | plugin      |
+-----------+------+-------------+
| localhost | root | auth_socket |
+-----------+------+-------------+
1 row in set (0.000 sec) # at this point the plugin (authentication method) is auth_socket, i.e. socket-based login

MariaDB [mysql]> update mysql.user set plugin='mysql_native_password' where User='root' and Host='localhost';
Query OK, 1 row affected (0.001 sec) # switch the authentication plugin for root only
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.000 sec)

Configure nginx: vi /etc/nginx/sites-enabled/default; selected sections:

        location / {
            root   /hugo_yinhe/public;
            index  index.php index.html index.htm;
        }

        error_page  404             https://yinhe.co/404.html;

        # redirect server error pages to the static page /50x.html
        #
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
        #    root   html;
        #}

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        }

Configuring HTTPS for nginx

1. Install certbot

Reference: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

cd ~/ && apt-get update
apt-get install certbot  python3-certbot-nginx

2. Obtain the certificate only

Certificate for the main domain:

certbot certonly --standalone -d yinhe.co

or:

certbot --nginx certonly 

Certificate information returned:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co/privkey.pem
   Your cert will expire on 2021-10-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Wildcard certificate; the DNS record must be created as prompted:

# certbot certonly  -d *.yinhe.co --email xxx@xxx.com --server https://acme-v02.api.letsencrypt.org/directory  --preferred-challenges dns --manual

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.yinhe.co with the following value:

xxxxxx

Before continuing, verify the record is deployed.
-----------------------------------------------------------
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/yinhe.co-0001/privkey.pem
   Your cert will expire on 2021-10-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

3. Generating dhparam

Run the following command:

openssl dhparam -out /etc/letsencrypt/live/yinhe.co/dh4096.pem 4096

4. Manually editing the nginx configuration

Edit the single server block in vi /etc/nginx/sites-enabled/default. Avoid Chinese characters in the configuration file; in some situations they cause failures that are hard to diagnose:

        listen                  443 ssl http2;
        ssl                     on;
        ssl_certificate      /etc/letsencrypt/live/yinhe.co/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/yinhe.co/privkey.pem;
        ssl_dhparam          /etc/letsencrypt/live/yinhe.co/dh4096.pem;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers  on;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache          shared:SSL:50m;
        ssl_session_timeout        1d;
        ssl_session_tickets off;
        #ssl_stapling               on;
        ssl_stapling_verify        on;
        ssl_trusted_certificate    /etc/letsencrypt/live/yinhe.co/chain.pem;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        server_name yinhe.co;

ssl_stapling on is commented out because certificate verification on the server side failed: it could not connect to ocsp.int-x3.letsencrypt.org. Note that ssl_stapling_verify has no effect while stapling is off.

Two further points on the block above: ssl_protocols still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996, and the cipher list includes 3DES (DES-CBC3) suites; modern clients need neither, so both can be removed. The ssl on directive is deprecated and redundant next to listen 443 ssl (nginx 1.25.1 and later reject it).
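An added example, not from the original post: a small audit script that reads an nginx config, strips comments, and reports the weak TLS settings visible in the server block above, with a constructed weak sample and its hardened counterpart for comparison. It assumes GNU sed and grep; the config path and the function names are mine.

```shell
# Added example (not part of the original post): audit an nginx server block for
# the weak TLS settings in the config above. Assumes GNU sed and grep.
set -eu

# True if extended regex $1 matches the comment-stripped config held in $ACTIVE.
has() { printf '%s\n' "$ACTIVE" | grep -qE "$1"; }

# Print one finding per line for the nginx config file $1.
audit_tls_config() {
    ACTIVE=$(sed 's/#.*$//' "$1")   # comments out, so "#ssl_stapling on;" is inactive
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then echo 'ssl on: deprecated, listen ... ssl already enables TLS'; fi
    if has 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then echo 'ssl_protocols: TLS 1.0/1.1 enabled (deprecated by RFC 8996)'; fi
    if has 'ssl_ciphers[^;]*DES-CBC3'; then echo 'ssl_ciphers: 3DES suites present (64-bit block, Sweet32)'; fi
    if has 'ssl_stapling_verify[[:space:]]+on' && ! has 'ssl_stapling[[:space:]]+on'; then echo 'ssl_stapling_verify: no effect while ssl_stapling is off'; fi
    if ! has 'Strict-Transport-Security'; then echo 'add_header: no Strict-Transport-Security'; fi
}

# Number of findings for config file $1; 0 means clean.
count_tls_findings() { audit_tls_config "$1" | grep -c . || true; }

# Constructed sample with the same TLS lines as the config above, written to $1.
write_weak_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!DSS';
    #ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

# Hardened counterpart written to $1: TLS 1.2/1.3, AEAD suites only, stapling on.
write_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}
```

Running audit_tls_config against /etc/nginx/sites-enabled/default after an edit gives a quick regression check before nginx -t and a reload.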

5. Redirects

# subdomains redirect
server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.yinhe.co;

    ssl_certificate         /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;
    return                  301 https://yinhe.co$request_uri;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name .yinhe.co;
    # SSL
    ssl_certificate         /etc/letsencrypt/live/yinhe.co-0001/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/yinhe.co-0001/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yinhe.co-0001/chain.pem;


    location / {
        return 301 https://yinhe.co$request_uri;
    }
}

Static file optimization

        location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
                expires 1M;
                add_header Cache-Control "public";
        }

        location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {
                 access_log off;
        }

/etc/nginx/nginx.conf: do not log successful requests; the default combined format is used for the log

        #access_log /var/log/nginx/access.log;
        map $status $loggable {
                 ~^[23] 0;
                 default 1;
        }

        access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;

Site optimization notes: see the site performance test Google PageSpeed Insights.

Optimize nginx following https://www.nginx.com/blog/help-the-world-by-healing-your-nginx-configuration/

Set a long cache expiry for fonts and images, which rarely change (and when they do, they usually get a new file name). The following configuration tells the client browser to keep fonts and images in its local cache for one month:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
    expires 1M;
    add_header Cache-Control "public";
}

Note that fonts come in many formats (eot|ttf|otf|woff|svg), so this can be changed to:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg)$ {
    expires 1M;
    add_header Cache-Control "public";
}

Reduce and optimize logging:

Disable logging of page-resource requests:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|js|css)$ {
    access_log off;
}

Modified version:

location ~* \.(?:jpg|jpeg|gif|png|ico|woff2|eot|ttf|otf|svg|js|css)$ {
    access_log off;
}

Do not log successful requests; the default combined format is used for the log. vi /etc/nginx/nginx.conf. Keep in mind that this also discards successful (2xx/3xx) requests to login and admin endpoints, which are often exactly what an incident investigation needs, so weigh the disk saving against the loss of that record.

#access_log /var/log/nginx/access.log;
map $status $loggable {
    ~^[23] 0;
    default 1;
}

access_log /var/log/nginx/access.log combined buffer=512k flush=1m if=$loggable;

nginx subdirectory setup

Reference: https://gist.github.com/yidas/fc7228b6d7aad48d84461a254a77812f

Nginx Configuration Guide & Samples

Subdirectory using Alias

root /var/www/html;

location /site2/ {

    alias /srv/www/project2/;
}

On a request for /site2/top.gif, the file /srv/www/project2/top.gif is sent.

Subdirectory with PHP

Building on the alias example above, you can define a PHP location inside it, with SCRIPT_FILENAME set for the subdirectory path.

location /site2/ {

    alias /srv/www/project2/;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Apply the subdirectory base path to PHP script
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}

Pretty URI

If you need pretty URLs, for example for the Laravel PHP framework, you can set up try_files with the following trick:

location /site2/ {

    alias /srv/www/project2/;

    # Pretty URI trick
    try_files $uri $uri/ /site2//site2/index.php?$query_string;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Apply the subdirectory base path to PHP script
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }
}


Automatic updates for Ubuntu and miniconda

/etc/crontab

# update ubuntu each hour
31 *   * * *   root    apt-get update && apt-get upgrade -y
# update python packages each hour
33 *   * * *   root  /root/miniconda3/bin/conda update --all -y
© Licensed under CC BY-NC-SA 4.0
