Install and Configure Drupal 8 with Nginx and Let's Encrypt on CentOS 8
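Drupal is a free, open-source, extensible content management system that individuals can use to create and manage any type of website. It is written in PHP and stores its data in MySQL/MariaDB. Drupal offers a rich feature set that can be extended with thousands of add-ons. Drupal supports many web servers, including Apache, Nginx, IIS and Lighttpd, and the databases MySQL, MariaDB, MongoDB, SQLite, PostgreSQL and MS SQL Server. Drupal comes with a simple, user-friendly web UI that lets you create a website without any coding knowledge.
In this tutorial, we will show you how to install Drupal 8 on a CentOS 8 server and secure it with a free Let's Encrypt SSL certificate.
Requirements
- A server running CentOS 8.
- A valid domain name pointed to your server IP.
- A root password configured on the server.
Install Nginx, MariaDB and PHP
Before you begin, you need to install the LEMP stack on your server. You can install it by running the following command: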
dnf install nginx mariadb-server php php-fpm php-cli php-mbstring php-gd php-xml php-curl php-mysqlnd php-pdo php-json php-opcache -y
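Once the installation is complete, start the Nginx, MariaDB and php-fpm services and enable them to start after a system reboot with the following commands: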
systemctl start nginx
systemctl start php-fpm
systemctl start mariadb
systemctl enable nginx
systemctl enable php-fpm
systemctl enable mariadb
Configure the Database
By default, MariaDB is not secured, so you need to secure it first. You can do so by running the following command:
mysql_secure_installation
Answer all the questions as shown below:
Enter current password for root (enter for none):
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
Once you are done, log in to the MariaDB shell with the following command:
mysql -u root -p
Provide your root password when prompted, then create a database and user for Drupal with the following commands:
MariaDB [(none)]> CREATE DATABASE drupaldb CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
MariaDB [(none)]> CREATE USER drupal@localhost IDENTIFIED BY "password";
Next, grant all privileges on drupaldb with the following command:
MariaDB [(none)]> GRANT ALL ON drupaldb.* TO drupal@localhost IDENTIFIED BY "password";
Next, flush the privileges and exit the MariaDB shell with the following commands:
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
Download Drupal
First, you need to download the latest version of Drupal from its official website. You can download it with the following command:
wget https://ftp.drupal.org/files/projects/drupal-8.7.10.tar.gz
Once downloaded, extract the downloaded file with the following command:
tar -xvzf drupal-8.7.10.tar.gz
Next, move the extracted directory to the Nginx web root with the following command:
mv drupal-8.7.10 /var/www/html/drupal
Next, create a directory to store the website files and copy the default.settings.php file to settings.php, as shown below:
mkdir /var/www/html/drupal/sites/default/files
cp /var/www/html/drupal/sites/default/default.settings.php /var/www/html/drupal/sites/default/settings.php
Next, change the ownership of the Drupal directory to nginx, as shown below:
chown -R nginx:nginx /var/www/html/drupal/
Configure Nginx for Drupal
First, create a php-fpm configuration file for Drupal with the following command:
nano /etc/php-fpm.d/drupal.conf
Add the following lines:
[drupal]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen = /run/php-fpm/drupal.sock
pm = ondemand
pm.max_children = 50
pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /
Save and close the file when you are finished. Then, create an Nginx virtual host configuration file for Drupal:
nano /etc/nginx/conf.d/drupal.conf
Add the following lines:
server {
    listen 80;
    server_name example.com;
    root /var/www/html/drupal;
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ \..*/.*\.php$ {
        return 403;
    }
    location ~ ^/sites/.*/private/ {
        return 403;
    }
    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }
    location ~ (^|/)\. {
        return 403;
    }
    location / {
        try_files $uri /index.php?$query_string;
    }
    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }
    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php-fpm/drupal.sock;
    }
    location ~ ^/sites/.*/files/styles/ {
        # For Drupal >= 7
        try_files $uri @rewrite;
    }
    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z\-]+)?/system/files/ {
        # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }
}
Save and close the file. Then, restart the php-fpm and Nginx services to apply the changes:
systemctl restart php-fpm
systemctl restart nginx
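Once Nginx has restarted, the deny rules in the server block can be checked from any client. The script below is an added example, not part of the original tutorial; it assumes curl is installed, and the function names and probe paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: smoke-test the deny rules from /etc/nginx/conf.d/drupal.conf.
# The probe paths are constructed; none has to exist on the server, because
# nginx picks the location (and its 403/404) from the URI alone.

# Print the HTTP status code returned for base URL $1 plus path $2.
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1$2" </dev/null
}

# check_deny_rules BASE_URL
# Prints one line per probe and returns the number of failed probes.
check_deny_rules() {
    base=$1
    failures=0
    # "expected-status path" pairs, one for each deny rule in the server block.
    while read -r want path; do
        got=$(http_status "$base" "$path")
        if [ "$got" = "$want" ]; then
            echo "ok    $want $path"
        else
            echo "FAIL  want $want got $got $path"
            failures=$((failures + 1))
        fi
    done <<EOF
403 /sites/default/files/probe.php
403 /sites/default/private/probe.txt
403 /.git/config
403 /.hidden/dir/probe.php
404 /vendor/probe.php
EOF
    return "$failures"
}

# Usage: sh check_deny_rules.sh http://example.com
if [ "$#" -gt 0 ]; then
    check_deny_rules "$1"
fi
```

Run it against the http:// URL at this stage, and against the https:// URL once the HTTP-to-HTTPS redirect is enabled, since redirected probes return 301.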
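Configure SELinux and the Firewall
By default, SELinux is enabled in CentOS 8, so you need to configure SELinux for Drupal to work properly.
First, allow Drupal to write to the public and private file directories with the following commands: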
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/drupal(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/settings.php'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/files'
restorecon -Rv /var/www/html/drupal
restorecon -v /var/www/html/drupal/sites/default/settings.php
restorecon -Rv /var/www/html/drupal/sites/default/files
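To check how far the web server's write access reaches after the ownership and labelling steps above, the following added example (not part of the original tutorial) lists Drupal code files that a given account owns and can write, skipping the upload tree under sites/*/files. The function names and the list of file extensions are assumptions.

```shell
#!/bin/sh
# Added example: list Drupal code files the web server account owns and can
# write. Uploaded content lives in sites/*/files, so that tree is skipped.

# writable_code DRUPAL_ROOT WEB_USER
# Prints matching paths, one per line (the extension list is an assumption).
writable_code() {
    root=${1%/}
    web_user=$2
    find "$root" -type f \
        \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
           -o -name '*.install' -o -name '*.theme' \) \
        -user "$web_user" -perm -200 \
        ! -path "$root/sites/*/files/*" | sort
}

# audit_code DRUPAL_ROOT WEB_USER
# Prints a summary and returns 1 when any code file is writable.
audit_code() {
    list=$(writable_code "$1" "$2")
    if [ -z "$list" ]; then
        echo "no web-writable code under $1"
        return 0
    fi
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    echo "$count code file(s) writable by $2, for example:"
    printf '%s\n' "$list" | head -n 5
    return 1
}

# Usage: sh audit_code.sh /var/www/html/drupal nginx
if [ "$#" -eq 2 ]; then
    audit_code "$1" "$2"
fi
```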
Next, allow Drupal to send outbound email with the following command:
setsebool -P httpd_can_sendmail on
Next, create firewall rules to allow the HTTP and HTTPS services from external networks. You can allow them with the following commands:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
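Secure Drupal with Let's Encrypt SSL
Drupal is now installed and configured. It is time to secure it with a free Let's Encrypt SSL certificate.
To do so, you need to download the certbot client to your server. You can download it and set the correct permissions by running the following commands: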
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
Now, run the following command to obtain and install an SSL certificate for your Drupal website:
certbot-auto --nginx -d example.com
The above command first installs all the required dependencies on the server. After installation, you will be asked to provide an email address and accept the terms of service, as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hitjethva@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/drupal.conf
Next, you will need to choose whether or not to redirect HTTP traffic to HTTPS, as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Type 2 and press Enter to continue. Once the installation is complete, you should see the following output:
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/drupal.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
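Access the Drupal Website
Now, open your web browser and enter the URL https://example.com. You will be redirected to the following page:
Select your desired language and click the Save and continue button. You should see the following page:
Select your installation profile and click the Save and continue button. You should see the following page:
Provide your database details and click the Save and continue button. You should see the following page:
Provide your site name, admin username and password, then click the Save and continue button. You should see your Drupal dashboard on the following page:
Congratulations! You have successfully installed and secured Drupal on a CentOS 8 server.
Original article by Maggie-Hunter. If you repost it, please credit the source: https://blog.ytso.com/32251.html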