PHP MySQLなど、基本設定
今回は、Conoha VPSで、構築してみました。
RockyLinux バージョン
# cat /etc/os-release NAME="Rocky Linux" VERSION="9.3 (Blue Onyx)" ID="rocky" ID_LIKE="rhel centos fedora" VERSION_ID="9.3" PLATFORM_ID="platform:el9" PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)" ANSI_COLOR="0;32" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:rocky:rocky:9::baseos" HOME_URL="https://rockylinux.org/" BUG_REPORT_URL="https://bugs.rockylinux.org/" SUPPORT_END="2032-05-31" ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9" ROCKY_SUPPORT_PRODUCT_VERSION="9.3" REDHAT_SUPPORT_PRODUCT="Rocky Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
↑RockyLinux 9.3がテンプレートにあります。
# dnf update
↑ソフトウェアのアップデートを行います。
MySQL
# dnf info mysql-server Available Packages Name : mysql-server Version : 8.0.36 Release : 1.el9_3 Architecture : x86_64 Size : 17 M Source : mysql-8.0.36-1.el9_3.src.rpm Repository : appstream Summary : The MySQL server and related files URL : http://www.mysql.com License : GPLv2 with exceptions and LGPLv2 and BSD Description : MySQL is a multi-user, multi-threaded SQL database server. MySQL is a : client/server implementation consisting of a server daemon (mysqld) : and many different client programs and libraries. This package contains : the MySQL server and some accompanying files and directories.
↑インストール可能な、8.0.36を入れます。
# dnf install mysql-server # systemctl status mysqld.service ○ mysqld.service - MySQL 8.0 database server Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled) Active: inactive (dead) # systemctl start mysqld.service # systemctl status mysqld.service ● mysqld.service - MySQL 8.0 database server Loaded: loaded (/usr/lib/systemd/system/mysqld.service; disabled; preset: disabled) Active: active (running) since Sun XXXX-XX-XX 10:54:27 JST; 1s ago Process: 6065 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS) Process: 6087 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS) Main PID: 6162 (mysqld) Status: "Server is operational" Tasks: 38 (limit: 11121) Memory: 467.9M CPU: 5.041s CGroup: /system.slice/mysqld.service └─6162 /usr/libexec/mysqld --basedir=/usr XXX XX XX:XX:21 XXX-XXX-XXX-XXX systemd[1]: Starting MySQL 8.0 database server... XXX XX XX:XX:21 XXX-XXX-XXX-XXX mysql-prepare-db-dir[6087]: Initializing MySQL database XXX XX XX:XX:27 XXX-XXX-XXX-XXX systemd[1]: Started MySQL 8.0 database server. # systemctl enable mysqld.service Created symlink /etc/systemd/system/multi-user.target.wants/mysqld.service → /usr/lib/systemd/system/mysqld.service.
↑MySQL 8.0系を入れて、起動し、自動起動の設定をします。
#mysql_secure_installation
は、実行しなくても大丈夫です。
# mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 8 Server version: 8.0.36 Source distribution Copyright (c) 2000, 2024, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | sys | +--------------------+ 4 rows in set (0.00 sec) mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY '(新パスワード)'; Query OK, 0 rows affected (0.01 sec) ↑rootのパスワードを設定しておきます。
Nginx
# dnf info nginx Available Packages Name : nginx Epoch : 1 Version : 1.20.1 Release : 14.el9_2.1 Architecture : x86_64 Size : 36 k Source : nginx-1.20.1-14.el9_2.1.src.rpm Repository : appstream Summary : A high performance web server and reverse proxy server URL : https://nginx.org License : BSD Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and : IMAP protocols, with a strong focus on high concurrency, performance and low : memory usage.
↑標準で入る、Nginx が、少し古いので、最新のを入れます。
# yum install yum-utils # vi /etc/yum.repos.d/nginx.repo [nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true [nginx-mainline] name=nginx mainline repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=1 enabled=0 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true
↑リポジトリを設定します。
# yum-config-manager --enable nginx-mainline # yum install nginx nginx stable repo 21 kB/s | 22 kB 00:01 nginx mainline repo 34 kB/s | 41 kB 00:01 Dependencies resolved. ==================================================================================================================================================================================== Package Architecture Version Repository Size ==================================================================================================================================================================================== Installing: nginx x86_64 1:1.25.4-1.el9.ngx nginx-mainline 991 k Transaction Summary ==================================================================================================================================================================================== Install 1 Package Total download size: 991 k Installed size: 3.3 M Is this ok [y/N]: (略) Installed: nginx-1:1.25.4-1.el9.ngx.x86_64 Complete!
↑ nginx 1.25.4 が入りました。
# systemctl status nginx ○ nginx.service - nginx - high performance web server Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled) Active: inactive (dead) Docs: http://nginx.org/en/docs/ XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: /usr/lib/systemd/system/nginx.service:9: PIDFile= references a path below legacy directory /var/run/, updating /var/run/nginx.pid → /run # systemctl start nginx # systemctl status nginx ● nginx.service - nginx - high performance web server Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled) Active: active (running) since Sun XXX-XX-XX XX:XX:XX JST; 1s ago Docs: http://nginx.org/en/docs/ Process: 6760 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS) Main PID: 6761 (nginx) Tasks: 4 (limit: 11121) Memory: 4.0M CPU: 19ms CGroup: /system.slice/nginx.service ├─6761 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf" ├─6762 "nginx: worker process" ├─6763 "nginx: worker process" └─6764 "nginx: worker process" XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting nginx - high performance web server... XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started nginx - high performance web server. # systemctl enable nginx Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
↑nginx を起動し、自動起動の設定をします。
# mkdir -p /var/www/html
↑webコンテンツの置き場所を作ります
# cd /etc/nginx/conf.d # mv default.conf default.conf.back
↑標準で、置かれている設定を、外しておきます。
# vi xxx.conf server { listen 80; server_name (FQDN); location / { root /var/www/html; index index.html; } }
↑シンプルな設定をしておきます。
# /usr/sbin/nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
↑設定が正しいか、チェックします。大丈夫なようです。
# systemctl restart nginx # systemctl status nginx ● nginx.service - nginx - high performance web server Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled) Active: active (running) since Sun XXXX-XX-XX XX:XX:XX JST; 9s ago Docs: http://nginx.org/en/docs/ Process: 7116 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS) Main PID: 7118 (nginx) Tasks: 4 (limit: 11121) Memory: 4.0M CPU: 17ms CGroup: /system.slice/nginx.service ├─7118 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf" ├─7119 "nginx: worker process" ├─7120 "nginx: worker process" └─7121 "nginx: worker process" XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting nginx - high performance web server... XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started nginx - high performance web server.
↑再起動をします。
これで、80番ポートがきちんと表示されます。
firewall
# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: cockpit dhcpv6-client ssh ports: protocols: forward: yes masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="XXX.XXX.XXX.XXX" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable" # firewall-cmd --zone=public --add-service=http --permanent success # firewall-cmd --zone=public --add-service=https --permanent success # firewall-cmd --reload success
↑firewallに関して、80番と、443番を開けます。
TSL(SSL)
# dnf install certbot Dependencies resolved. ==================================================================================================================================================================================== Package Architecture Version Repository Size ==================================================================================================================================================================================== Installing: certbot noarch 2.6.0-1.el9 epel 18 k Installing dependencies: (略) Installed: certbot-2.6.0-1.el9.noarch fontawesome-fonts-1:4.7.0-13.el9.noarch python-josepy-doc-1.13.0-1.el9.noarch python3-acme-2.6.0-1.el9.noarch python3-certbot-2.6.0-1.el9.noarch python3-cffi-1.14.5-5.el9.x86_64 python3-configargparse-1.7-1.el9.noarch python3-cryptography-36.0.1-4.el9.x86_64 python3-josepy-1.13.0-1.el9.noarch python3-parsedatetime-2.6-5.el9.noarch python3-ply-3.11-14.el9.0.1.noarch python3-pyOpenSSL-21.0.0-1.el9.noarch python3-pycparser-2.20-6.el9.noarch python3-pyrfc3339-1.1-11.el9.noarch Complete!
↑certbot が入りました。
# /usr/bin/certbot certonly --webroot -w /var/www/html -d (FQDN) --renew-by-default --email (メールアドレス) Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service atYou must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Account registered. Requesting a certificate for (FQDN) Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/(FQDN)/fullchain.pem Key is saved at: /etc/letsencrypt/live/(FQDN)/privkey.pem This certificate expires on XXXX-XX-XX. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -404 Page not found - Let's EncryptLet's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Res...
↑サーバー証明書を発行します。
# openssl dhparam -out /etc/nginx/dhparam.pem 2048 Generating DH parameters, 2048 bit long safe prime .........................................................................+.......................+....+..+............................................................................................+...............................................................................................................................................................+.....................................................................................................................................................................................................................................................................................................................................................................................+..........+.................................................................................................++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*
↑ssl_dhparam を作成します。
vi xxx.conf server { listen 443 ssl; http2 on; server_name (FQDN); root /var/www/html/; ssl_certificate /etc/letsencrypt/live/(FQDN)/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/(FQDN)/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/(FQDN)/fullchain.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_dhparam /etc/nginx/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; index index.html; }
↑nginxの設定ファイル、「xxx.conf」に上記の設定を加えます。
listen 443 ssl http2; ↓ listen 443 ssl; http2 on;
↑ nginx 1.25 あたりから、http2の指定が変わりました。
# /usr/sbin/nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful # systemctl restart nginx
↑設定をチェックして、再起動をします。
これで、TSL(SSL)でのアクセスが可能となりました。
php 8.1
# dnf module install php:8.1 Dependencies resolved. ==================================================================================================================================================================================== Package Architecture Version Repository Size ==================================================================================================================================================================================== Installing group/module packages: php-cli x86_64 8.1.27-1.module+el9.3.0+16050+d5cd6ed5 appstream 3.5 M php-common x86_64 8.1.27-1.module+el9.3.0+16050+d5cd6ed5 appstream 675 k php-fpm x86_64 8.1.27-1.module+el9.3.0+16050+d5cd6ed5 appstream 1.8 M php-mbstring x86_64 8.1.27-1.module+el9.3.0+16050+d5cd6ed5 appstream 473 k php-xml x86_64 8.1.27-1.module+el9.3.0+16050+d5cd6ed5 appstream 142 k Installing dependencies: httpd-filesystem noarch 2.4.57-5.el9 appstream 13 k libxslt x86_64 1.1.34-9.el9 appstream 240 k nginx-filesystem noarch 1:1.20.1-14.el9_2.1 appstream 8.5 k oniguruma x86_64 6.9.6-1.el9.5 appstream 217 k Installing module profiles: php/common Enabling module streams: php 8.1 (略) Installed: httpd-filesystem-2.4.57-5.el9.noarch libxslt-1.1.34-9.el9.x86_64 nginx-filesystem-1:1.20.1-14.el9_2.1.noarch oniguruma-6.9.6-1.el9.5.x86_64 php-cli-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64 php-common-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64 php-fpm-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64 php-mbstring-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64 php-xml-8.1.27-1.module+el9.3.0+16050+d5cd6ed5.x86_64 Complete!
↑ php8.1 が入りました。
# php -v PHP 8.1.27 (cli) (built: Dec 19 2023 20:35:55) (NTS gcc x86_64) Copyright (c) The PHP Group Zend Engine v4.1.27, Copyright (c) Zend Technologies # php-fpm -v PHP 8.1.27 (fpm-fcgi) (built: Dec 19 2023 20:35:55) Copyright (c) The PHP Group Zend Engine v4.1.27, Copyright (c) Zend Technologies
↑ php 8.1.27 が、入りました。
# systemctl status php-fpm ○ php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; preset: disabled) Active: inactive (dead) # systemctl start php-fpm # systemctl status php-fpm ● php-fpm.service - The PHP FastCGI Process Manager Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled; preset: disabled) Active: active (running) since Sun XXXX-XX-XX XX:XX:XX JST; 5s ago Main PID: 7505 (php-fpm) Status: "Ready to handle connections" Tasks: 6 (limit: 11121) Memory: 9.3M CPU: 63ms CGroup: /system.slice/php-fpm.service ├─7505 "php-fpm: master process (/etc/php-fpm.conf)" ├─7506 "php-fpm: pool www" ├─7507 "php-fpm: pool www" ├─7508 "php-fpm: pool www" ├─7509 "php-fpm: pool www" └─7510 "php-fpm: pool www" XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Starting The PHP FastCGI Process Manager... XXX XX XX:XX:XX XXX-XXX-XXX-XXX systemd[1]: Started The PHP FastCGI Process Manager. # systemctl enable php-fpm Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
↑php-fpm を起動して、自動起動の設定も行います
# vi /etc/nginx/conf.d/xxx.conf client_max_body_size 100M; try_files $uri $uri/ /index.php$is_args$args; proxy_read_timeout 480; location ~ \.php$ { root /var/www/html; fastcgi_pass unix:/run/php-fpm/www.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include fastcgi_params; }
↑nginx の設定、「xxx.conf」で、上記の設定を追加して、nginxを再起動すると、php が有効となります。