Installing NginX, PHP-FPM and Certbot on Debian
If this is a freshly created cloud host, update the system packages first:
sudo apt update
sudo apt upgrade
Install NginX
sudo apt install nginx
Install PHP-FPM
sudo apt show php-fpm # check the version first; on Debian it reports 7.3
# install commonly used PHP packages at the same time
sudo apt install php7.3-fpm php7.3-mysql php7.3-curl php7.3-gd php7.3-json php7.3-mbstring php7.3-xml php7.3-xmlrpc php7.3-zip php7.3-bz2 php7.3-opcache php7.3-bcmath php7.3-iconv
Edit the NginX configuration file to enable PHP
# /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }
}
Restart NginX
sudo systemctl restart nginx
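The main PHP configuration file is /etc/php/7.3/fpm/php.ini
Another place you may need to configure is /etc/php/7.3/fpm/pool.d/www.conf
For reference, see the article "Installing Nginx and PHP-FPM on Debian"
; settings for 1 GB of memory
pm.max_children = 25 ; maximum number of processes
pm.start_servers = 5 ; number of processes at startup
pm.min_spare_servers = 5 ; minimum number of idle processes
pm.max_spare_servers = 15 ; maximum number of idle processes
If you changed any PHP settings, remember to restart PHP-FPM: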
sudo systemctl restart php7.3-fpm
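A socket path in fastcgi_pass that differs from the pool's listen setting, or a pm.* value that is not a plain integer, only surfaces after the restart. The shell check below is an added example, not part of the original post; its function names and the constructed sample files in the self-test are assumptions, and it assumes the pool runs with pm = dynamic.

```shell
#!/bin/sh
# Added example, not from the original post: lint www.conf against nginx.

# pool_value FILE KEY: last "KEY = value" in FILE, with ';' comments stripped.
pool_value() {
    awk -F= -v key="$2" '
        { sub(/;.*/, ""); k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); val = v }
        END { print val }' "$1"
}

# nginx_socket FILE: unix socket path of the first fastcgi_pass directive.
nginx_socket() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# check_pool POOL_CONF NGINX_CONF: prints findings, returns 0 if consistent.
check_pool() {
    rc=0
    for key in pm.max_children pm.start_servers pm.min_spare_servers pm.max_spare_servers; do
        case $(pool_value "$1" "$key") in
            ''|*[!0-9]*) echo "FAIL: $key is missing or not an integer"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] || return 1
    max=$(pool_value "$1" pm.max_children)
    start=$(pool_value "$1" pm.start_servers)
    min=$(pool_value "$1" pm.min_spare_servers)
    spare=$(pool_value "$1" pm.max_spare_servers)
    # Ordering php-fpm enforces when pm = dynamic.
    { [ "$min" -ge 1 ] && [ "$min" -le "$start" ] && [ "$start" -le "$spare" ] \
        && [ "$spare" -le "$max" ]; } \
        || { echo "FAIL: need 1 <= min_spare <= start <= max_spare <= max_children"; rc=1; }
    # /var/run is a symlink to /run on Debian, so compare normalized paths.
    want=$(pool_value "$1" listen | sed 's|^/var/run/|/run/|')
    have=$(nginx_socket "$2" | sed 's|^/var/run/|/run/|')
    { [ -n "$want" ] && [ "$want" = "$have" ]; } \
        || { echo "FAIL: fastcgi_pass '$have' does not match pool listen '$want'"; rc=1; }
    return "$rc"
}

# Self-test on constructed files (sample values, not read from a real host).
d=$(mktemp -d)
printf '%s\n' '[www]' 'listen = /run/php/php7.3-fpm.sock' 'pm.max_children = 25' \
    'pm.start_servers = 5' 'pm.min_spare_servers = 5' 'pm.max_spare_servers = 15' > "$d/www.conf"
printf '%s\n' 'fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;' > "$d/default"
check_pool "$d/www.conf" "$d/default" && echo "OK: pool and nginx agree"
rm -rf "$d"
```

On a real host, call check_pool with /etc/php/7.3/fpm/pool.d/www.conf and /etc/nginx/sites-enabled/default before restarting either service.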
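Install Certbot
Before installing Certbot, remember to point your domain at the server and set server_name in the NginX configuration file. See the post "Installing nginx on AWS EC2" for reference.
On Debian and Ubuntu, installing Certbot with apt is no longer recommended; it is installed with snapd instead.
First go to the official Certbot home page and select your operating system and web server type. It then walks you through the installation step by step, which is very convenient. Here, choose Debian 10 and NginX. The installation steps are:
- Debian does not ship snapd by default, so install snapd first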
sudo apt install snapd
- Make sure snapd is at the latest version
sudo snap install core; sudo snap refresh core
- Install Certbot through snapd
sudo snap install --classic certbot
- Create a symlink to the certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
- Let certbot modify the nginx configuration file directly
sudo certbot --nginx
# partial output follows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mysite.shinder.cc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for mysite.shinder.cc
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mysite.shinder.cc/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mysite.shinder.cc/privkey.pem
This certificate expires on 2021-09-22.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for mysite.shinder.cc to /etc/nginx/sites-enabled/mysite.shinder.cc.conf
Congratulations! You have successfully enabled HTTPS on https://mysite.shinder.cc
- Test that certificate renewal works
sudo certbot renew --dry-run
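Installing Certbot is really much easier now; the official tooling takes care of many of the settings for you. Note, however, that if Certbot-related packages are already installed on the system, you must remove all of them first and then install the latest official package.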