============== Installing CentOS 7.0 =======================
Choose the minimal install and additionally tick "Debugging Tools", "Compatibility Libraries" and "Development Tools". This avoids dependency and build-environment problems later when installing or compiling the services below.
Partition the disk as you prefer; if unsure, accept the installer's automatic partitioning. The layout used here, for reference only:
/boot    500M          kernel and boot files
swap     5120M (5G)    swap partition (virtual memory); a common rule of thumb is 2x physical RAM, but more than 8G is not recommended
/        51200M (50G)  all system files live here
/home    remaining     user home directories; directories for newly created users are placed here
================ Disabling security settings that are not used here (other controls are relied on instead) ================
Note: once SELinux and firewalld are off, every service configured below (MySQL on 3306, php-fpm on 9000, Tomcat on 8080, JMX on 7090) is reachable from any network the host is attached to unless something else filters traffic. Do this only if a perimeter firewall or security group actually does that job, and keep the listeners bound to the addresses they need.
vi /etc/selinux/config          //disable SELinux
SELINUX=disabled                //was enforcing, change it to disabled
------------------------ or disable SELinux with the following commands ---------------------------------------
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
setenforce 0                    //takes effect immediately; the config change applies after the reboot
systemctl stop firewalld        //stop the default firewall
systemctl mask firewalld        //mask the unit so it cannot be started again
reboot                          //reboot so the SELinux setting takes effect
================= Installing admin tools ======================
Installs ifconfig (net-tools), ntsysv, updatedb (mlocate), lrzsz (upload/download through the terminal) and wget (HTTP download):
yum install -y chkconfig net-tools telnet ntsysv mlocate lrzsz wget lsof setuptool system-config-securitylevel-tui system-config-network-gui system-config-network-tui system-config-date tcpdump
yum install -y vim nano          //editors
============== Adding repositories to CentOS 7.0 =====================
yum install -y epel-release
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum clean all
yum makecache
yum install -y python-pip
pip install --upgrade pip
pip install requests
Notes: rpm -ivh of a release package installs it even if its signature cannot be checked (rpm only warns "NOKEY"), and the remi package is fetched over plain http. Import each vendor's GPG key and run rpm -K on the file before installing, because these repos are afterwards trusted to replace base packages (php56w below replaces the distribution PHP). Upgrading the system pip in place on CentOS 7 can also break the distribution's /usr/bin/pip; a virtualenv or pip install --user is safer.
===== nginx: third-party repo for the yum install (not needed when building from source) =======
mkdir /root/software
cd /root/software
wget https://mirrors.ustc.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
rpm -ivh epel-release-7-11.noarch.rpm        //skip if epel-release was already installed above
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
===== MySQL: third-party repo for the yum install (not needed when building from source) =======
cd /root/software                                                          //directory that collects downloaded packages
wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm   //download
yum localinstall -y mysql57-community-release-el7-8.noarch.rpm             //installing the rpm adds the repo definition
yum repolist enabled | grep "mysql.-community."                            //confirm the MySQL repo is enabled
================= Pre-installing build dependencies ======================
yum install -y make cmake gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers gd gd-devel perl expat expat-devel nss_ldap unixODBC-devel libxslt-devel libevent-devel libtool-ltdl bison libtool zip unzip gmp-devel     //libraries and headers needed by the various builds
yum install -y pcre pcre-devel     //PCRE (can be installed together with the line above)
yum update -y                      //apply updates
======================= Installing MySQL and initial setup =======================
yum install -y bison-devel libaio-devel      //MySQL prerequisites
yum install -y perl-Data-Dumper              //also required by MySQL
yum install -y mysql-server                  //pulls mysql-community-server from the repo added above (that package provides mysql-server)
service mysqld start                         //start MySQL (on CentOS 7 this is redirected to systemctl start mysqld)
systemctl enable mysqld.service              //start at boot
grep 'temporary password' /var/log/mysqld.log   //since MySQL 5.7 the initial root password is random rather than empty; this shows it
mysql -u root -p                                 //log in
alter user root@localhost identified by '<new password>';
    //nothing else works until the password is changed; the default validate_password policy (MEDIUM) requires at least 8 characters including upper case, lower case, a digit and a special character
exit;                                            //leave the MySQL shell
---------------------------- making table names case-insensitive ----------------------
vi /etc/my.cnf
[mysqld]
lower_case_table_names=1   //must be under [mysqld]; set it before creating any databases, since changing it after tables with mixed-case names exist breaks access to them
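Added example (not part of the original notes): a small POSIX sh helper that pulls the temporary password out of mysqld.log text, checks a replacement password against the validate_password MEDIUM defaults MySQL 5.7 ships with (8 or more characters with upper case, lower case, a digit and a special character), and writes a mode-600 client option file so the password never appears on the command line or in shell history. The log line is a constructed sample in the format mysqld writes; the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Constructed sample of the line mysqld writes on first start (MySQL 5.7 format).
SAMPLE_LOG='2018-02-03T11:24:00.000000Z 1 [Note] A temporary password is generated for root@localhost: k7!Xy<pQ9aB#'

# temp_password LOGTEXT: the same grep as in the notes, then the last
# whitespace-separated field, which is the generated password.
temp_password() {
    printf '%s\n' "$1" | grep 'temporary password' | awk '{ print $NF }'
}

# check_policy PASSWORD: mirrors validate_password's MEDIUM defaults
# (validate_password_length=8, mixed_case_count=1, number_count=1, special_char_count=1).
# Prints "ok" and returns 0, or prints the first failing rule and returns 1.
check_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
    case $pw in *[[:lower:]]*) ;; *) echo "no lowercase"; return 1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "no uppercase"; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit";     return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no special";  return 1 ;; esac
    echo "ok"
}

# write_client_cnf FILE USER PASSWORD: writes a [client] option file readable only
# by its owner, for use as  mysql --defaults-extra-file=FILE  (keeps the password
# out of argv, ps output and shell history). umask is changed in a subshell only.
write_client_cnf() {
    ( umask 077; printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" )
}

# Typical use on the host (paths are assumptions):
#   tmp=$(temp_password "$(cat /var/log/mysqld.log)")
#   check_policy 'N3w!Passw0rd' && write_client_cnf /root/.my.tmp.cnf root "$tmp"
#   mysql --defaults-extra-file=/root/.my.tmp.cnf --connect-expired-password \
#         -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'N3w!Passw0rd'"
#   rm -f /root/.my.tmp.cnf
```

The --connect-expired-password flag lets the client run the ALTER USER while the temporary password is still marked expired; delete the option file as soon as the change is done.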
------------------------- configuring MySQL for UTF-8 -------------------------
(note: MySQL's "utf8" charset is a 3-byte subset; use utf8mb4 instead if 4-byte characters such as emoji must be stored)
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
lower_case_table_names=1
character-set-server=utf8
max_connections=500
innodb_log_file_size=60M
innodb_buffer_pool_size=128M
symbolic-links=0

[client]
default-character-set=utf8
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
open-files-limit = 8192
log-error=/var/log/mysqld.log
socket=/var/lib/mysql/mysql.sock
pid-file=/var/run/mysqld/mysqld.pid

service mysqld restart          //restart MySQL
================= MySQL operations notes ======================
High CPU or memory use in MySQL is often caused by idle connections that are never closed; lowering the connection timeouts frees them.
mysql -uroot -p
mysql> show global variables like '%timeout';
mysql> set global interactive_timeout=100;
----------------- the setting above is lost when mysqld.service restarts -----------------------------------
vi /etc/my.cnf
[mysqld]
interactive_timeout=20
wait_timeout=20
------------------------------ these persist across restarts -------------------------
----------------------------- creating a remote user and granting privileges ---------------------------
mysql -uroot -p
mysql> create user 'root'@'%' identified by '123456';
mysql> grant all privileges on *.* to 'root'@'%' with grant option;
mysql> flush privileges;
    //this is a superuser account reachable from every host; with firewalld disabled above, anyone who can reach port 3306 can try the password.
    //For applications prefer a dedicated user limited to one database and one source host (grant all on lottery.* to 'app'@'10.17.162.%') and a password that passes validate_password.
----------------------------- creating a database -----------------------------
mysql> CREATE DATABASE lottery DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
---------------------------- changing a user's password -------------------------------
mysql> alter user 'test'@'localhost' identified by '<new password>';
    //in MySQL 5.7 the mysql.user table no longer has a password column and PASSWORD() is deprecated, so the old "update mysql.user set password=password(...)" form fails
--------------------------- deleting a user -------------------------------------
mysql> drop user 'test'@'localhost';
    //DROP USER also removes the user's grants; a plain DELETE from mysql.user leaves them behind
==================== Installing PHP ==========================
yum install -y php56w php56w-cli php56w-common php56w-gd php56w-ldap php56w-mbstring php56w-mcrypt php56w-mysql php56w-pdo php56w-devel
yum install -y traceroute net-snmp-devel vim sysstat tree mysql-devel ntpdate libjpeg* bind-utils
yum install -y php56w-imap php56w-odbc php56w-pear php56w-xml php56w-xmlrpc php56w-mhash libmcrypt php56w-bcmath
yum install -y php56w-fpm
    //PHP 5.6 stopped receiving security fixes at the end of 2018; webtatic ships php70w/php71w/php72w with the same package names (swap the prefix) once the application supports PHP 7
vi /etc/php-fpm.d/www.conf
user = nginx      //default is apache; use the same user as nginx (nginx must be installed first so the user exists)
group = nginx     //default is apache; use the same group as nginx
vi /etc/php.ini
session.save_path = "/var/lib/php/session"     //set the session directory, otherwise PHP fails at runtime
chown root:nginx /var/lib/php/session && chmod 770 /var/lib/php/session
    //make the directory writable by the php-fpm user only; do not chmod 777 it, since every local account could then read and forge session files
chkconfig php-fpm on      //or: systemctl enable php-fpm
============= Installing nginx with yum ============
yum install -y automake autoconf libtool make
yum install -y nginx
chkconfig nginx on                  //or: systemctl enable nginx
cd /etc/nginx
mkdir vhost                         //directory for the virtual host files
vi nginx.conf
------------- add the following inside server{} ---------------------------
location ~ \.php$ {
    root html;
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
    //the dot in \.php must be escaped: an unescaped . matches any character.
    //try_files $uri =404 refuses requests whose script does not exist on disk; without it, and with PHP's default cgi.fix_pathinfo=1, a request such as /uploads/x.jpg/a.php makes php-fpm execute the uploaded x.jpg as PHP
--------------------- at the end of http{}, add ---------------------------
include vhost/*.conf;               //save and exit
nginx -t                            //check nginx.conf and the files under vhost
service php-fpm start               //start php-fpm
service nginx restart               //restart nginx
------------------ virtual host example ------------------------------
server {
    listen 808;
    server_name 10.17.162.113;        # a name or address only; nginx matches server_name against the Host header without the port, so "10.17.162.113:808" would never match
    root /home/website/phpmyadmin/wwwroot;
    index index.php default.php index.html index.htm;   # default index file names, placed under the server's root directive
    location / {
        index index.php index.html index.shtml;
    }
    # the PHP handler goes in the server block as well:
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/website/phpmyadmin/wwwroot$fastcgi_script_name;
        include fastcgi_params;
    }
    #log...
}
------------------ nginx reverse proxy (unconditional redirect to HTTPS) ---------------------------
server {
    listen 80;
    server_name huizhong.itrxm.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443 ssl;          # "ssl on;" is the old spelling and is deprecated in current nginx
    server_name huizhong.itrxm.com;
    ssl_certificate /etc/nginx/vhost/ssl/huizhong.itrxm.com-certificate.crt;
    ssl_certificate_key /etc/nginx/vhost/ssl/huizhong.itrxm.com-private.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;   # TLSv1 on its own (the original value) is deprecated and rejected by current clients and PCI scans; add TLSv1.3 where the nginx/OpenSSL build supports it
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass https://10.17.162.113:6443;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
------------------------------- nginx in front of one directory under Tomcat's webapps ---------------
server {
    listen 80;
    server_name hhcphb.itrxm.com;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://59.188.14.217:8080/HBH5/;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #root html;
        #index index.html;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
    # the application's own links are absolute (/HBH5/...), so the same prefix is proxied too
    location /HBH5/ {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://59.188.14.217:8080/HBH5/;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #root html;
        #index index.html;
        proxy_next_upstream off;
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
================ Installing the Java development environment =============
yum search java-1.7                                   //list the java-1.7 packages
yum install -y java-1.7.0-openjdk-devel.x86_64       //install the OpenJDK 1.7 development kit
cd /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el7_4.x86_64/     //the install directory
vi /etc/profile                                       //environment configuration
------------------- append at the end of the file -----------------------
export JAVA_HOME=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el7_4.x86_64   //the path changes with every version, so check it; /usr/lib/jvm/java (the alternatives symlink) survives updates
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
source /etc/profile      //apply immediately
javac                    //test
----------------------- the following output means the configuration works ---------------------------
[root@apisrv lib]# javac
Usage: javac <options> <source files>
where possible options include:
  -g                         Generate all debugging info
  -g:none                    Generate no debugging info
  -g:{lines,vars,source}     Generate only some debugging info
  -nowarn                    Generate no warnings
  -verbose                   Output messages about what the compiler is doing
  -deprecation               Output source locations where deprecated APIs are used
  -classpath <path>          Specify where to find user class files and annotation processors
  -cp <path>                 Specify where to find user class files and annotation processors
  -sourcepath <path>         Specify where to find input source files
  -bootclasspath <path>      Override location of bootstrap class files
  -extdirs <dirs>            Override location of installed extensions
  -endorseddirs <dirs>       Override location of endorsed standards path
  -proc:{none,only}          Control whether annotation processing and/or compilation is done.
  -processor <class1>[,<class2>,<class3>...] Names of the annotation processors to run; bypasses default discovery process
  -processorpath <path>      Specify where to find annotation processors
  -parameters                Generate metadata for reflection on method parameters
  -d <directory>             Specify where to place generated class files
  -s <directory>             Specify where to place generated source files
  -h <directory>             Specify where to place generated native header files
  -implicit:{none,class}     Specify whether or not to generate class files for implicitly referenced files
  -encoding <encoding>       Specify character encoding used by source files
  -source <release>          Provide source compatibility with specified release
  -target <release>          Generate class files for specific VM version
  -profile <profile>         Check that API used is available in the specified profile
  -version                   Version information
  -help                      Print a synopsis of standard options
  -Akey[=value]              Options to pass to annotation processors
  -X                         Print a synopsis of nonstandard options
  -J<flag>                   Pass <flag> directly to the runtime system
  -Werror                    Terminate compilation if warnings occur
  @<filename>                Read options and filenames from file
Note: if javac prints "bash: javac: command not found", the configuration failed; check the JAVA_HOME path in /etc/profile.
================ Installing Tomcat =============
mkdir /opt/tomcat
sudo groupadd tomcat
sudo useradd -s /bin/nologin -g tomcat -d /opt/tomcat/tomcat tomcat     //service account with no shell; Tomcat never runs as root
mkdir /root/software       //directory for downloaded software (personal habit; /usr/local etc. works too)
cd /root/software
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz
mkdir -p /opt/tomcat/tomcat
sudo tar -zxvf apache-tomcat-7.0.82.tar.gz -C /opt/tomcat/tomcat --strip-components=1
cd /opt/tomcat/tomcat
chmod -R 754 bin/                  //scripts: owner rwx, group r-x, others r
chgrp -R tomcat /opt/tomcat/tomcat
chmod -R g+r conf                  //the tomcat group may read the configuration but not write it
chmod g+x conf
chown -R tomcat webapps/ work/ temp/ logs/     //only the directories Tomcat writes to are owned by the service account
================= Creating the service unit ==================
sudo vi /etc/systemd/system/tomcat.service
------------------------------- contents ----------------------------------------------------
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat/tomcat
Environment=CATALINA_BASE=/opt/tomcat/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target

systemctl daemon-reload          //reload the unit files
systemctl enable tomcat.service
systemctl start tomcat.service
=========== Installing haveged (entropy daemon) ====================
Tomcat's session-ID generator seeds SecureRandom, which can block for a long time at startup when the kernel entropy pool is low; haveged keeps the pool topped up. The -Djava.security.egd=file:/dev/./urandom option in the unit above addresses the same symptom from the JVM side.
sudo yum install -y haveged
sudo systemctl start haveged.service
sudo systemctl enable haveged.service
Open http://[Your-Host-IP]:8080 to check that Tomcat answers.
================ Configuring the Tomcat manager ==========================
sudo vi /opt/tomcat/tomcat/conf/tomcat-users.xml
------------------------- insert between <tomcat-users> and </tomcat-users> -------------------
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user username="tomcat" password="s3cret" roles="admin-gui,manager-gui,manager-script,manager-jmx,manager-status"/>
Note: manager-gui and manager-script allow deploying arbitrary WAR files, which is code execution on the host, and "s3cret" is the example password from the Tomcat documentation. Use a strong password, and restrict the manager and host-manager applications to trusted addresses with a RemoteAddrValve in their META-INF/context.xml (or remove them on production hosts), especially since port 8080 is not firewalled here.
sudo systemctl restart tomcat.service
============== Splitting catalina.out by day ===================
yum install -y cronolog
Edit bin/catalina.sh. The block that launches Bootstrap originally reads:
  shift
  touch "$CATALINA_OUT"
  if [ "$1" = "-security" ] ; then
    if [ $have_tty -eq 1 ]; then
      echo "Using Security Manager"
    fi
    shift
    eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
      -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
      -Djava.security.manager \
      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
      -Dcatalina.base="\"$CATALINA_BASE\"" \
      -Dcatalina.home="\"$CATALINA_HOME\"" \
      -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
      org.apache.catalina.startup.Bootstrap "$@" start \
      >> "$CATALINA_OUT" 2>&1 "&"
  else
    eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
      -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
      -Dcatalina.base="\"$CATALINA_BASE\"" \
      -Dcatalina.home="\"$CATALINA_HOME\"" \
      -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
      org.apache.catalina.startup.Bootstrap "$@" start \
      >> "$CATALINA_OUT" 2>&1 "&"
  fi
Change it to the following (the touch line is commented out, and the final redirection in both branches is replaced by a pipe into cronolog):
  shift
  #touch "$CATALINA_OUT"        # commented out: output no longer goes straight to catalina.out
  if [ "$1" = "-security" ] ; then
    if [ $have_tty -eq 1 ]; then
      echo "Using Security Manager"
    fi
    shift
    eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
      -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
      -Djava.security.manager \
      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
      -Dcatalina.base="\"$CATALINA_BASE\"" \
      -Dcatalina.home="\"$CATALINA_HOME\"" \
      -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
      org.apache.catalina.startup.Bootstrap "$@" start 2>&1 \
      | /usr/sbin/cronolog "$CATALINA_BASE"/logs/catalina.%Y-%m-%d.out >> /dev/null &
  else
    eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
      -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
      -Dcatalina.base="\"$CATALINA_BASE\"" \
      -Dcatalina.home="\"$CATALINA_HOME\"" \
      -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
      org.apache.catalina.startup.Bootstrap "$@" start 2>&1 \
      | /usr/sbin/cronolog "$CATALINA_BASE"/logs/catalina.%Y-%m-%d.out >> /dev/null &
  fi
Check after restarting that the PID written to CATALINA_PID (temp/tomcat.pid) is the java process (ps -p "$(cat /opt/tomcat/tomcat/temp/tomcat.pid)"): if the pipeline leaves a shell PID there instead, shutdown.sh -force and the unit's ExecStop will not stop Tomcat cleanly. Note also that Tomcat's own juli logging in conf/logging.properties already writes date-stamped catalina.YYYY-MM-DD.log files; catalina.out only holds what the application prints to stdout/stderr.
==================== Rotating catalina.out and deleting old copies on a schedule =============
Every night at 23:50 copy the log aside and delete the copy that is 30 days old. Save the following as /shell/log.sh:
#!/bin/sh
log_path=/opt/tomcat/logs                 # for the layout above this is /opt/tomcat/tomcat/logs
d=$(date +%Y-%m-%d)                       # command substitution is required; without it d holds the literal word "date"
d30=$(date -d '30 day ago' +%Y-%m-%d)
mkdir -p $log_path/cron
cd ${log_path} && cp catalina.out $log_path/cron/catalina.out.$d.log
echo > catalina.out                       # truncate in place: Tomcat keeps the file open, so deleting it would not free the space
rm -f $log_path/cron/catalina.out.${d30}.log   # removes only the copy with exactly this date; a night on which cron did not run is never cleaned up
Permissions:
chmod 700 /shell/log.sh       # root runs it from cron, so nobody else may edit it (777 would let any local user change a script that root executes)
Edit the crontab:
crontab -e
50 23 * * * sh /shell/log.sh
---------------------- alternative ---------------------------
crontab -e
0 5 * * * find /usr/logs/* -name "*.20*" -ctime +7 -exec rm -rf {} \;
    # deletes files whose name contains a year (".2018...") that changed more than 7 days ago; adjust the path to the logs directory actually used
systemctl restart tomcat.service     # the unit created above is tomcat.service; restart it so the catalina.sh change takes effect
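Added example (not the script from the notes): the same rotation written as a reusable function that creates the archive directory, truncates the live file in place, and selects old copies by age with find rather than by one exact date name, so days on which cron did not run are still cleaned up later. Paths are passed in as parameters so the function can be exercised on a scratch directory; the crontab location in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes.
# rotate_catalina LOG_PATH DATE KEEP_DAYS
#   copies LOG_PATH/catalina.out to LOG_PATH/cron/catalina.out.DATE.log,
#   empties catalina.out in place (Tomcat keeps the descriptor open, so rm would
#   not free the space), then deletes archived copies older than KEEP_DAYS days.
rotate_catalina() {
    log_path=$1      # e.g. /opt/tomcat/tomcat/logs
    today=$2         # date stamp for the copy, e.g. "$(date +%Y-%m-%d)"
    keep_days=$3     # archives older than this many days are deleted
    archive=$log_path/cron
    [ -f "$log_path/catalina.out" ] || { echo "no catalina.out in $log_path" >&2; return 1; }
    mkdir -p "$archive" || return 1
    # Copy-then-truncate: lines written between the two steps are lost. That is
    # acceptable for catalina.out (stdout/stderr only), not for an audit log.
    cp "$log_path/catalina.out" "$archive/catalina.out.$today.log" || return 1
    : > "$log_path/catalina.out"
    # Age-based cleanup: -mtime +N matches files last modified more than N days ago.
    find "$archive" -type f -name 'catalina.out.*.log' -mtime +"$keep_days" -exec rm -f {} \;
}

# count_archives LOG_PATH: number of archived copies present (used to verify a run).
count_archives() {
    find "$1/cron" -type f -name 'catalina.out.*.log' | wc -l | tr -d ' '
}

# On the host (assumed script location), a crontab entry of
#   50 23 * * * /shell/rotate.sh
# where /shell/rotate.sh sources this file and runs
#   rotate_catalina /opt/tomcat/tomcat/logs "$(date +%Y-%m-%d)" 30
```

Because cleanup is by modification time, an archive left behind after a missed night is removed on the next run instead of surviving forever.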
=============== Serving different directories of one deployment as separate hosts ===========
Comment out the original <Host> in server.xml and add:
<Host name="hhcp.itrxm.com" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/data/tomcat/tomcat/webapps/ROOT" debug="0" reloadable="true" />
</Host>
<Host name="hhcphb.itrxm.com" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/data/tomcat/tomcat/webapps/HBH5" debug="0" reloadable="true" />
</Host>
Notes: the docBase paths here are under /data/tomcat/tomcat, whereas the rest of these notes install to /opt/tomcat/tomcat; use whichever CATALINA_BASE the host actually has. The Tomcat documentation warns that a docBase located inside the Host's appBase with autoDeploy on gets deployed twice (once from the Context, once by the automatic deployer); point appBase at an empty directory or set autoDeploy="false" and deployOnStartup="false" on these hosts. reloadable="true" is a development setting that costs performance in production.
================ Setting up SSL ==================================
In the nginx configuration, adjust as follows:
server {
    listen 80;
    server_name <domain name>;
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 443 ssl;          # "ssl on;" is deprecated
    server_name x;
    ssl_certificate /etc/nginx/vhost/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/vhost/ssl/private.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;   # not TLSv1 only: it is deprecated and rejected by current clients; add TLSv1.3 where the build supports it
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        client_max_body_size 16m;
        client_body_buffer_size 128k;
        proxy_pass http://<IP address>:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_next_upstream off;
        proxy_connect_timeout 30;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
    }
}
The private key file must be readable only by root (chmod 600); nginx reads it as root before dropping privileges.
In Tomcat's server.xml change:
<!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
to:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/opt/tomcat/tomcat/conf/cert/201802031124.pfx"
           keystoreType="PKCS12" keystorePass="201802031124"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
Notes on the attributes:
- keystoreFile: use an absolute path, relative paths are error-prone.
- sslEnabledProtocols is the attribute for this (JSSE) connector; the SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" spelling belongs to the APR/OpenSSL connector and is ignored here. TLSv1 and TLSv1.1 are deprecated; add them only if a legacy client really needs them.
- the TLS_RSA_* suites in the cipher list have no forward secrecy; the TLS_ECDHE_* ones are the ones to keep.
- keystorePass here is the same string as the file name (a timestamp) and is stored in clear in server.xml: use a real secret, keep server.xml and the .pfx readable only by the tomcat user (chmod 600), and remember that since nginx terminates TLS and proxies to port 8080 over plain http, this connector only matters for clients that reach Tomcat directly.
Add the valve as well, so Tomcat sees the client address and https scheme passed on by nginx instead of the proxy's:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto"/>
(the attribute is proxiesHeader, not remoteIpProxiesHeader; the default internalProxies pattern already covers 10.0.0.0/8, so the nginx host at 10.17.162.113 is trusted, and headers sent by other addresses are ignored.)
Restart Tomcat:
systemctl restart tomcat.service
Note: if the certificate came only as a .key and a .crt file, combine them into a PKCS#12 (.pfx) keystore with a password. The original notes pointed at https://www.myssl.cn/tools/merge-pfx-cert.html for this; uploading a private key to a third-party web form hands that key to whoever operates the site, so do the conversion locally with openssl instead.
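Added example (not from the original notes): building the .pfx keystore locally with openssl and verifying it before it goes into server.xml. The key and certificate are generated as a constructed self-signed pair standing in for the CA-issued files; the file names, the CN and the password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: PKCS#12 keystore built locally.

# make_demo_certs DIR: constructed self-signed key + certificate standing in for
# the CA-issued private.key / certificate.crt (in production you already have them).
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=demo.example' \
        -keyout "$1/private.key" -out "$1/certificate.crt" >/dev/null 2>&1
}

# key_matches_cert KEY CRT: the public key derived from the private key must equal
# the one inside the certificate; a mismatch is the usual reason Tomcat rejects
# a keystore. Both commands print the key in SPKI PEM form, so a string compare works.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_pfx KEY CRT OUT PASSWORD: export key + certificate as PKCS#12 under the
# alias "tomcat" and make the file owner-readable only. "pass:" is used for
# brevity; on a shared host prefer -passout file:... so the password is not in ps.
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name tomcat -passout "pass:$4" \
        && chmod 600 "$3"
}

# check_pfx PFX PASSWORD: returns 0 only if the file parses with that password,
# which is the check Tomcat performs at startup with keystorePass.
check_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# On the host (assumed paths):
#   make_pfx /etc/nginx/vhost/ssl/private.key /etc/nginx/vhost/ssl/certificate.crt \
#            /opt/tomcat/tomcat/conf/cert/tomcat.pfx "$(cat /root/pfx.pass)"
#   chown tomcat:tomcat /opt/tomcat/tomcat/conf/cert/tomcat.pfx
# then keystoreFile / keystorePass in server.xml point at that file and password.
```

If the host's openssl is version 3 and an older JVM refuses the resulting file, re-export with the -legacy option of openssl pkcs12 to get the older PKCS#12 encryption that every Java release reads.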
================= Monitoring Tomcat with VisualVM (JMX) ==================
JMX jar download: http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-7/v7.0.81/bin/extras/catalina-jmx-remote.jar
Put catalina-jmx-remote.jar in Tomcat's lib directory. It provides the JmxRemoteLifecycleListener that pins both RMI ports to fixed values; the options below use the JVM's built-in agent, which works without it but opens a second, random port for the RMI server that a firewall would also have to allow.
vim catalina.sh
---------------------------------- add below the header comments ------------------------------------
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=7090
-Dcom.sun.management.jmxremote.ssl=false
-Djava.rmi.server.hostname=<IP address of the monitored server>
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/var/tomcat/tomcat/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/var/tomcat/tomcat/conf/jmxremote.access"
Notes: the paths here use /var/tomcat/tomcat, while the install above is /opt/tomcat/tomcat; use the real CATALINA_BASE. With jmxremote.ssl=false the JMX password and all RMI traffic cross the network in clear, and the readwrite role can invoke MBean operations (including ones that change logging, thread pools or run diagnostics), so restrict port 7090 to the monitoring host at the network level, which matters doubly because firewalld was disabled at the start of these notes.
cd /var/tomcat/tomcat/conf
vim jmxremote.access
monitorRole readonly
controlRole readwrite
vim jmxremote.password      //must be owned by the user Tomcat runs as (tomcat); the JVM refuses to start the agent if the file is readable by anyone else
monitorRole 25DWdl2&D^W
controlRole 25DWdl2&D^W
    //give the two roles different passwords; with the same password the read-only role buys nothing
chmod 0400 jmxremote.password      //the password file must be readable only by its owner, the Tomcat user
systemctl restart tomcat.service
At this point the whole environment is deployed.