RcockyLinux9.3 Nginx1.25 PHP8.1 MySQL8.0 LetsEncrypt

PHP MySQLなど、基本設定

今回は、Conoha VPSで、構築してみました。

RockyLinux バージョン

# cat /etc/os-release 
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

↑RockyLinux 9.3がテンプレートにあります。

# dnf update

↑ソフトウェアのアップデートを行います。

MySQL

# dnf info mysql-server
Available Packages
Name         : mysql-server
Version      : 8.0.36
Release      : 1.el9_3
Architecture : x86_64
Size         : 17 M
Source       : mysql-8.0.36-1.el9_3.src.rpm
Repository   : appstream
Summary      : The MySQL server and related files
URL          : http://www.mysql.com
License      : GPLv2 with exceptions and LGPLv2 and BSD
Description  : MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
             : client/server implementation consisting of a server daemon (mysqld)
             : and many different client programs and libraries. This package contains
             : the MySQL server and some accompanying files and directories.

↑インストール可能な、8.0.36を入れます。

# dnf install mysql-server

# systemctl status mysqld.service 
○ mysqld.service - MySQL 8.0 database server
     Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled)
     Active: inactive (dead)

# systemctl start mysqld.service 
# systemctl status mysqld.service 
● mysqld.service - MySQL 8.0 database server
     Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled)
     Active: active (running) since Sun XXXX-XX-XX 10:54:27 JST; 1s ago
    Process: 6065 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
    Process: 6087 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS)
   Main PID: 6162 (mysqld)
     Status: "Server is operational"
      Tasks: 38 (limit: 11121)
     Memory: 467.9M
        CPU: 5.041s
     CGroup: /system.slice/mysqld.service
             └─6162 /usr/libexec/mysqld --basedir=/usr

XXX XX XX:XX:21 XXX-XXX-XXX-XXX systemd[1]: Starting MySQL 8.0 database server...
XXX XX XX:XX:21 XXX-XXX-XXX-XXX mysql-prepare-db-dir[6087]: Initializing MySQL database
XXX XX XX:XX:27 XXX-XXX-XXX-XXX systemd[1]: Started MySQL 8.0 database server.

# systemctl enable mysqld.service 
Created symlink /etc/systemd/system/multi-user.target.wants/mysqld.service → /usr/lib/systemd/system/mysqld.service.

↑MySQL 8.0系を入れて、起動し、自動起動の設定をします。

＃mysql_secure_installation

は、実行しなくても大丈夫です。

# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.36 Source distribution

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)



mysql>  ALTER USER 'root'@'localhost' IDENTIFIED BY '（新パスワード）';
Query OK, 0 rows affected (0.01 sec)

↑rootのパスワードを設定しておきます。

Nginx

# dnf info nginx
Available Packages
Name         : nginx
Epoch        : 1
Version      : 1.20.1
Release      : 14.el9_2.1
Architecture : x86_64
Size         : 36 k
Source       : nginx-1.20.1-14.el9_2.1.src.rpm
Repository   : appstream
Summary      : A high performance web server and reverse proxy server
URL          : https://nginx.org
License      : BSD
Description  : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
             : IMAP protocols, with a strong focus on high concurrency, performance and low
             : memory usage.

↑標準で入る、Nginx が、少し古いので、最新のを入れます。

# yum install yum-utils

# vi /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

↑リポジトリを設定します。

# yum-config-manager --enable nginx-mainline

# yum install nginx
nginx stable repo                                                                                                                                    21 kB/s |  22 kB     00:01    
nginx mainline repo                                                                                                                                  34 kB/s |  41 kB     00:01    
Dependencies resolved.
====================================================================================================================================================================================
 Package                              Architecture                          Version                                             Repository                                     Size
====================================================================================================================================================================================
Installing:
 nginx                                x86_64                                1:1.25.4-1.el9.ngx                                  nginx-mainline                                991 k

Transaction Summary
====================================================================================================================================================================================
Install  1 Package

Total download size: 991 k
Installed size: 3.3 M
Is this ok [y/N]: 

（略）

Installed:
  nginx-1:1.25.4-1.el9.ngx.x86_64                                                                                                                                                   

Complete!

↑ nginx 1.25.4 が入りました。

# systemctl status nginx
○ nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: http://nginx.org/en/docs/

XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: /usr/lib/systemd/system/nginx.service:9: PIDFile= references a path below legacy directory /var/run/, updating /var/run/nginx.pid → /run


# systemctl start nginx
# systemctl status nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: active (running) since Sun XXX-XX-XX XX:XX:XX JST; 1s ago
       Docs: http://nginx.org/en/docs/
    Process: 6760 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
   Main PID: 6761 (nginx)
      Tasks: 4 (limit: 11121)
     Memory: 4.0M
        CPU: 19ms
     CGroup: /system.slice/nginx.service
             ├─6761 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─6762 "nginx: worker process"
             ├─6763 "nginx: worker process"
             └─6764 "nginx: worker process"

XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting nginx - high performance web server...
XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started nginx - high performance web server.
# systemctl enable nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.

↑nginx を起動し、自動起動の設定をします。

# mkdir -p /var/www/html

↑webコンテンツの置き場所を作ります

# cd /etc/nginx/conf.d

# mv default.conf default.conf.back

↑標準で、置かれている設定を、外しておきます。

# vi xxx.conf 


server {
    listen       80;
    server_name  （FQDN）;


    location / {
        root   /var/www/html;
        index  index.html;
    }
}

↑シンプルな設定をしておきます。

# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

↑設定が正しいか、チェックします。大丈夫なようです。

# systemctl restart nginx
# systemctl status  nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
     Active: active (running) since Sun XXXX-XX-XX XX:XX:XX JST; 9s ago
       Docs: http://nginx.org/en/docs/
    Process: 7116 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
   Main PID: 7118 (nginx)
      Tasks: 4 (limit: 11121)
     Memory: 4.0M
        CPU: 17ms
     CGroup: /system.slice/nginx.service
             ├─7118 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf"
             ├─7119 "nginx: worker process"
             ├─7120 "nginx: worker process"
             └─7121 "nginx: worker process"

XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting nginx - high performance web server...
XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started nginx - high performance web server.

↑再起動をします。

これで、80番ポートがきちんと表示されます。

firewall

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="XXX.XXX.XXX.XXX" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

        
# firewall-cmd --zone=public --add-service=http --permanent
success
# firewall-cmd --zone=public --add-service=https --permanent
success
# firewall-cmd --reload
success

↑firewallに関して、８０番と、４４３番を開けます。

TSL(SSL)

# dnf install certbot
Dependencies resolved.
====================================================================================================================================================================================
 Package                                             Architecture                        Version                                       Repository                              Size
====================================================================================================================================================================================
Installing:
 certbot                                             noarch                              2.6.0-1.el9                                   epel                                    18 k
Installing dependencies:

（略）

Installed:
  certbot-2.6.0-1.el9.noarch               fontawesome-fonts-1:4.7.0-13.el9.noarch      python-josepy-doc-1.13.0-1.el9.noarch        python3-acme-2.6.0-1.el9.noarch              
  python3-certbot-2.6.0-1.el9.noarch       python3-cffi-1.14.5-5.el9.x86_64             python3-configargparse-1.7-1.el9.noarch      python3-cryptography-36.0.1-4.el9.x86_64     
  python3-josepy-1.13.0-1.el9.noarch       python3-parsedatetime-2.6-5.el9.noarch       python3-ply-3.11-14.el9.0.1.noarch           python3-pyOpenSSL-21.0.0-1.el9.noarch        
  python3-pycparser-2.20-6.el9.noarch      python3-pyrfc3339-1.1-11.el9.noarch         

Complete!

↑certbot が入りました。

# /usr/bin/certbot certonly --webroot -w /var/www/html -d (FQDN) --renew-by-default --email (メールアドレス)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at

404 Page not found -  Let's Encrypt
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Res...
letsencrypt.org You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for (FQDN)

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/(FQDN)/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/(FQDN)/privkey.pem
This certificate expires on XXXX-XX-XX.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

↑サーバー証明書を発行します。

# openssl dhparam -out /etc/nginx/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime
.........................................................................+.......................+....+..+............................................................................................+...............................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................................................................................................+..........+.................................................................................................++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*

↑ssl_dhparam を作成します。

vi xxx.conf

       server {
                listen       443 ssl;
                http2 on;
                server_name  (FQDN);

                root    /var/www/html/;

                ssl_certificate     /etc/letsencrypt/live/(FQDN)/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/(FQDN)/privkey.pem;
                ssl_trusted_certificate /etc/letsencrypt/live/(FQDN)/fullchain.pem;

                ssl_session_timeout 1d;
                ssl_session_cache shared:SSL:50m;
                ssl_session_tickets off;
                ssl_dhparam /etc/nginx/dhparam.pem;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
                ssl_prefer_server_ciphers on;
                add_header Strict-Transport-Security max-age=15768000;
                ssl_stapling on;
                ssl_stapling_verify on;

                index  index.html;


        }

↑nginxの設定ファイル、「xxx.conf」に上記の設定を加えます。

listen       443 ssl http2;
　↓
listen       443 ssl;
http2 on;

↑ nginx 1.25 あたりから、http2の指定が変わりました。

# /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# systemctl restart nginx

↑設定をチェックして、再起動をします。

これで、ＴＳＬ（ＳＳＬ）でのアクセスが可能となりました。

php 8.1

# dnf module install php:8.1
Dependencies resolved.
====================================================================================================================================================================================
 Package                                   Architecture                    Version                                                         Repository                          Size
====================================================================================================================================================================================
Installing group/module packages:
 php-cli                                   x86_64                          8.1.27-1.module+el9.3.0+16050+d5cd6ed5                          appstream                          3.5 M
 php-common                                x86_64                          8.1.27-1.module+el9.3.0+16050+d5cd6ed5                          appstream                          675 k
 php-fpm                                   x86_64                          8.1.27-1.module+el9.3.0+16050+d5cd6ed5                          appstream                          1.8 M
 php-mbstring                              x86_64                          8.1.27-1.module+el9.3.0+16050+d5cd6ed5                          appstream                          473 k
 php-xml                                   x86_64                          8.1.27-1.module+el9.3.0+16050+d5cd6ed5                          appstream                          142 k
Installing dependencies:
 httpd-filesystem                          noarch                          2.4.57-5.el9                                                    appstream                           13 k
 libxslt                                   x86_64                          1.1.34-9.el9                                                    appstream                          240 k
 nginx-filesystem                          noarch                          1:1.20.1-14.el9_2.1                                             appstream                          8.5 k
 oniguruma                                 x86_64                          6.9.6-1.el9.5                                                   appstream                          217 k
Installing module profiles:
 php/common                                                                                                                                                                        
Enabling module streams:
 php                                                                       8.1                                                                                                     

（略）


Installed:
  httpd-filesystem-2.4.57-5.el9.noarch                     libxslt-1.1.34-9.el9.x86_64                                   nginx-filesystem-1:1.20.1-14.el9_2.1.noarch                
  oniguruma-6.9.6-1.el9.5.x86_64                           php-cli-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64         php-common-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64   
  php-fpm-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64    php-mbstring-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64    php-xml-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64      

Complete!

↑ php8.1 が入りました。

# php -v
PHP 8.1.27 (cli) (built: Dec 19 2023 20:35:55) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.1.27, Copyright (c) Zend Technologies
# php-fpm -v
PHP 8.1.27 (fpm-fcgi) (built: Dec 19 2023 20:35:55)
Copyright (c) The PHP Group
Zend Engine v4.1.27, Copyright (c) Zend Technologies

↑ php 8.1.27 が、入りました。

# systemctl status php-fpm
○ php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; preset: disabled)
     Active: inactive (dead)
# systemctl start php-fpm
# systemctl status php-fpm
● php-fpm.service - The PHP FastCGI Process Manager
     Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; preset: disabled)
     Active: active (running) since Sun XXXX-XX-XX XX:XX:XX JST; 5s ago
   Main PID: 7505 (php-fpm)
     Status: "Ready to handle connections"
      Tasks: 6 (limit: 11121)
     Memory: 9.3M
        CPU: 63ms
     CGroup: /system.slice/php-fpm.service
             ├─7505 "php-fpm: master process (/etc/php-fpm.conf)"
             ├─7506 "php-fpm: pool www"
             ├─7507 "php-fpm: pool www"
             ├─7508 "php-fpm: pool www"
             ├─7509 "php-fpm: pool www"
             └─7510 "php-fpm: pool www"

XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting The PHP FastCGI Process Manager...
XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started The PHP FastCGI Process Manager.
# systemctl enable php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.

↑php-fpm を起動して、自動起動の設定も行います

# vi /etc/nginx/conf.d/xxx.conf


                client_max_body_size 100M;

                try_files $uri $uri/ /index.php$is_args$args;

                proxy_read_timeout 480;

                location ~ \.php$ {
                        root  /var/www/html;
                        fastcgi_pass   unix:/run/php-fpm/www.sock;
                        fastcgi_index  index.php;
                        fastcgi_param  SCRIPT_FILENAME  $request_filename;
                        include        fastcgi_params;
                }

↑nginx の設定、「xxx.conf」で、上記の設定を追加して、nginxを再起動すると、php が有効となります。