2021-06-25

Installing Nginx, PHP-FPM and Certbot on Debian

If this is a freshly launched cloud host, update the system packages first:

sudo apt update
sudo apt upgrade

Install Nginx

sudo apt install nginx

Install PHP-FPM

sudo apt show php-fpm   # check the version first; on Debian this shows 7.3
# install the commonly used PHP packages at the same time
sudo apt install php7.3-fpm php7.3-mysql php7.3-curl php7.3-gd php7.3-json php7.3-mbstring php7.3-xml php7.3-xmlrpc php7.3-zip php7.3-bz2 php7.3-opcache php7.3-bcmath php7.3-iconv

Edit the Nginx configuration file to enable PHP

# /etc/nginx/sites-enabled/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
    }
}

Restart Nginx

sudo systemctl restart nginx

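The main PHP configuration file is /etc/php/7.3/fpm/php.ini. Another file you may need to adjust is /etc/php/7.3/fpm/pool.d/www.conf; for reference, see the article "Installing Nginx and PHP-FPM on Debian" (Debian 下安装 Nginx 和 PHP-FPM).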

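; settings for a host with 1 GB of memory
pm.max_children = 25        ; maximum number of processes
pm.start_servers = 5        ; processes created at startup
pm.min_spare_servers = 5    ; minimum number of idle processes
pm.max_spare_servers = 15   ; maximum number of idle processes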

If you change any PHP settings, remember to restart PHP-FPM:

sudo systemctl restart php7.3-fpm

Install Certbot

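Before installing Certbot, make sure the domain already points at this host and that server_name is set in the Nginx configuration file. For reference, see the post "Installing nginx on AWS EC2".

On Debian and Ubuntu, installing Certbot with apt is no longer recommended; use snapd instead.

Go to the official Certbot home page and pick your operating system and web server. The site then walks you through the installation step by step, which is very convenient. Here we choose Debian 10 and Nginx. The installation steps are: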

  1. Debian does not ship snapd by default, so install it first
     sudo apt install snapd
  2. Make sure snapd is at the latest version
     sudo snap install core; sudo snap refresh core
  3. Install Certbot through snapd
     sudo snap install --classic certbot
  4. Create the command symlink
     sudo ln -s /snap/bin/certbot /usr/bin/certbot
  5. Let certbot modify the Nginx configuration file directly
     sudo certbot --nginx
     # partial output follows
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Please read the Terms of Service at
     https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
     agree in order to register with the ACME server. Do you agree?
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (Y)es/(N)o: Y

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Would you be willing, once your first certificate is successfully issued, to
     share your email address with the Electronic Frontier Foundation, a founding
     partner of the Let's Encrypt project and the non-profit organization that
     develops Certbot? We'd like to send you email about our work encrypting the web,
     EFF news, campaigns, and ways to support digital freedom.
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     (Y)es/(N)o: Y
     Account registered.

     Which names would you like to activate HTTPS for?
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     1: mysite.shinder.cc
     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Select the appropriate numbers separated by commas and/or spaces, or leave input
     blank to select all options shown (Enter 'c' to cancel): 1
     Requesting a certificate for mysite.shinder.cc

     Successfully received certificate.
     Certificate is saved at: /etc/letsencrypt/live/mysite.shinder.cc/fullchain.pem
     Key is saved at: /etc/letsencrypt/live/mysite.shinder.cc/privkey.pem
     This certificate expires on 2021-09-22.
     These files will be updated when the certificate renews.
     Certbot has set up a scheduled task to automatically renew this certificate in the background.

     Deploying certificate
     Successfully deployed certificate for mysite.shinder.cc to /etc/nginx/sites-enabled/mysite.shinder.cc.conf
     Congratulations! You have successfully enabled HTTPS on https://mysite.shinder.cc
  6. Test that certificate renewal works
     sudo certbot renew --dry-run

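Installing Certbot is far more convenient now; the official tooling takes care of most of the configuration for you. One thing to watch out for: if Certbot-related packages are already installed on the system, remove all of them first and then install the latest official package.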
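The caveat about previously installed Certbot packages, and the /usr/bin/certbot link from the "command symlink" step, can both be checked before running the snap install. The script below is an added example, not part of the original post; the function names and the package-name patterns it matches are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before "snap install --classic certbot".

# Reads "package status" lines on stdin, in the format produced by
#   dpkg-query -W -f='${Package} ${Status}\n'
# and prints every fully installed package that looks like an apt-provided
# Certbot. The name patterns are an assumption, not an official list.
apt_certbot_packages() {
    awk '$NF == "installed" &&
         ($1 == "certbot" || $1 ~ /^python3?-certbot/) { print $1 }'
}

# Succeeds only when $1 is a symlink pointing at the snap-provided binary,
# i.e. the link created by "ln -s /snap/bin/certbot /usr/bin/certbot".
certbot_link_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/snap/bin/certbot" ]
}

# Runs both checks against the live system and reports what to clean up.
preflight() {
    if command -v dpkg-query >/dev/null 2>&1; then
        leftover=$(dpkg-query -W -f='${Package} ${Status}\n' | apt_certbot_packages)
        if [ -n "$leftover" ]; then
            echo "apt-installed Certbot packages found; remove them first:"
            echo "$leftover" | sed 's/^/  sudo apt remove /'
        fi
    fi
    if { [ -e /usr/bin/certbot ] || [ -L /usr/bin/certbot ]; } &&
       ! certbot_link_ok /usr/bin/certbot; then
        echo "/usr/bin/certbot exists and is not the snap symlink"
    fi
}

preflight
```

No output means neither an apt-installed Certbot nor a conflicting /usr/bin/certbot was found.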
