查看debian/ubuntu版本:
cat /etc/issue
更新系统:
apt-get update && apt-get upgrade -y
安装依赖:
apt -y install build-essential libpcre3 libpcre3-dev zlib1g-dev git dbus manpages-dev aptitude g++ wget curl unzip libssl-dev libxslt-dev libgd-dev libgeoip-dev
- debian
apt -y install curl gnupg2 ca-certificates lsb-release debian-archive-keyring
- ubuntu
apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y
设置时区(Asia/Shanghai)并显示当前时间:
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && date -R
下载/解压 openssl-3.3.2(不单独安装,稍后由 nginx 的 --with-openssl 一并编译):
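# Certificate checking stays enabled: with --no-check-certificate anyone on the network path
# could substitute the tarball, and this source is compiled and installed as root.
wget -nc https://www.openssl.org/source/openssl-3.3.2.tar.gz
# Print the SHA-256 and compare it with the digest published for this release before unpacking.
sha256sum openssl-3.3.2.tar.gz
tar -zxvf openssl-3.3.2.tar.gz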
下载/解压 nginx-1.26.2:
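# Certificate checking stays enabled here as well; the detached PGP signature is fetched with the tarball.
wget -nc https://nginx.org/download/nginx-1.26.2.tar.gz https://nginx.org/download/nginx-1.26.2.tar.gz.asc
# Import the release signer's public key from nginx.org first. The tarball is unpacked only if
# gpg reports a good signature; a missing key or a bad signature stops here.
gpg --verify nginx-1.26.2.tar.gz.asc nginx-1.26.2.tar.gz && tar -zxvf nginx-1.26.2.tar.gz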
删除 nginx-1.26.2.tar.gz 和 openssl-3.3.2.tar.gz,并进入 nginx-1.26.2 目录:
# Remove both downloaded archives in one call, then enter the nginx source tree for the build.
rm -rf nginx-1.26.2.tar.gz openssl-3.3.2.tar.gz && cd nginx-1.26.2
添加编译插件:
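# Configure the nginx build (prefix /etc/nginx, OpenSSL compiled in from ../openssl-3.3.2).
# Changes from the original switch list:
#  - --with-stream and --with-stream_geoip_module were each passed twice (plain and =dynamic).
#    Only the =dynamic form is kept (presumably the later switch was the one that took effect),
#    so a load_module line is needed before any stream {} block is used.
#  - --with-cpu-opt=CPU was the literal placeholder from the help text and is dropped;
#    pass a real CPU name if tuning is wanted.
#  - -fstack-protector-strong and full RELRO (-z relro -z now) add standard exploit mitigations
#    to a binary that parses untrusted network input.
./configure --prefix=/etc/nginx \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-cc-opt='-O3 -fstack-protector-strong' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now' \
--with-pcre \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_geoip_module=dynamic \
--with-stream_ssl_preread_module \
--with-compat \
--with-pcre-jit \
--with-openssl-opt=enable-tls1_3 \
--with-openssl=../openssl-3.3.2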
编译/安装 nginx-1.26.2:
# Compile, and install only if the build succeeded; files land under the --prefix given to
# ./configure (/etc/nginx).
make && make install
配置nginx-1.26.2服务:
# Install the systemd unit for the source-built nginx (binary and PID file both live under
# /etc/nginx). The here-document delimiter is quoted so the shell copies the unit text literally.
cat > /etc/systemd/system/nginx.service <<'NGINX_UNIT'
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target
[Service]
Type=forking
PIDFile=/etc/nginx/logs/nginx.pid
ExecStartPre=/etc/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/etc/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/etc/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /etc/nginx/logs/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target
NGINX_UNIT
添加配置文件:
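# Directory for the systemd drop-in written in the next step.
mkdir -p /etc/systemd/system/nginx.service.d
# The certificate and private key go in /etc/nginx/ssl. The nginx master process reads them as
# root, so the directory is created root-only instead of with the default world-readable mode.
install -d -m 0700 -o root -g root /etc/nginx/ssl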
配置nginx.pid:
# Write the nginx.service drop-in: a [Service] header plus a 0.1 s pause after start
# (presumably to give nginx time to write its PID file).
printf '%s\n' '[Service]' 'ExecStartPost=/bin/sleep 0.1' > /etc/systemd/system/nginx.service.d/override.conf
- 返回列表
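# The shell is still inside nginx-1.26.2 here, so step up one level to the directory where both
# source trees were unpacked; a bare `cd` only finds them if the downloads happened in $HOME.
cd .. && rm -rf -- nginx-1.26.2 openssl-3.3.2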
安装MariaDB php:
apt install php-fpm php-mysql mariadb-server -y
安装php插件:
apt install php-curl php-gd php-imagick php-intl php-mbstring php-zip php-dom -y
mysql或MariaDB安全加固:
会设置密码,界面1直接回车,剩的都选Y:
mysql_secure_installation
root登录:
mysql -u root -p
查看当前的数据库:
show databases;
创建数据库非root用户名密码:
-- Creates the WordPress schema and a dedicated local account for it.
-- "name" and 'password' are placeholders: pick an account name and a long random password
-- before running this, and do not reuse the database root password.
create database wordpress; create user name@localhost identified by 'password';
授予权限:
-- Grants the account created above full rights on the wordpress schema only (nothing global),
-- then reloads the privilege tables.
grant all privileges on wordpress.* to name@localhost; flush privileges;
- 使密码生效
-- Switches root@localhost to password authentication. "password" is a literal placeholder:
-- replace it with a strong value before running.
-- NOTE(review): on Debian/Ubuntu, MariaDB's root usually authenticates through unix_socket
-- already, in which case this step may be unnecessary; confirm before changing it.
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("password");
退出:
exit
下载https://typecho.org/ 解压放在/etc/nginx/html文件夹下,
安装wordpress
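# Download and unpack in a private temporary directory so the archive and the half-extracted
# tree never sit inside the web root, then copy the release in (dotfiles included) and clean up.
# The step ends in /etc/nginx, as the original did.
wp_tmp=$(mktemp -d) \
  && wget -P "$wp_tmp" https://cn.wordpress.org/latest-zh_CN.zip \
  && unzip -q "$wp_tmp/latest-zh_CN.zip" -d "$wp_tmp" \
  && cp -a "$wp_tmp/wordpress/." /etc/nginx/html/ \
  && rm -rf -- "${wp_tmp:?}" \
  && cd /etc/nginx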
使用非 root 账户(此处为 www-data)时,需要把 html 文件夹的所有权赋给该账户:
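# Absolute path, so the recursive chown cannot land on a different "html" directory when the
# shell is not in /etc/nginx.
# NOTE(review): this makes every file in the web root writable by the www-data account. In-dashboard
# updates need that, but it also lets a vulnerable plugin or theme rewrite code; tighten ownership
# afterwards if updates are applied by hand.
chown -R www-data:www-data /etc/nginx/html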
重新配置nginx.conf
# generated 2022-12-24, Mozilla Guideline v5.6, nginx 1.22.1, OpenSSL 3.0.7, intermediate configuration, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=3.0.7&ocsp=false&guideline=5.6
# Derives $connection_upgrade from the request's Upgrade header: "close" when the header is
# empty, "upgrade" otherwise. Nothing in the configuration shown here references the variable.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Plain-HTTP listener: its only job is to redirect the expected host name to HTTPS.
server {
    listen 80;
    server_name _;

    # Any other Host value, a bare IP address included, is answered with 500.
    # The original's separate IPv4 regex test is covered by this one comparison.
    if ($host != "xxxxxxxxx.com") {
        return 500;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
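# HTTPS / HTTP/3 site: TLS settings, log-noise suppression for probe paths, and PHP via FastCGI.
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    # listen [::]:443 quic reuseport;
    # listen [::]:443 ssl http2;
    http2 on;

    # Reject every Host other than the site's own name (a bare IP address included) for the whole
    # server. The original ran this test only inside "location /", so requests ending in .php
    # were passed to PHP without it.
    if ($host != "xxxxxxxxx.com") {
        return 500;
    }

    # Document root and index are set once here so every location, the PHP one included,
    # resolves files the same way.
    root html;
    index index.php index.html index.htm;

    ssl_certificate /etc/nginx/ssl/xxxxxxxxx.com_cert_chain.pem;
    ssl_certificate_key /etc/nginx/ssl/xxxxxxxxx.com_key.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam
    ssl_dhparam /etc/nginx/ssl/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    # Mozilla "intermediate" suite list: forward-secret AEAD ciphers only. The previous string
    # also admitted 3DES and static-RSA key exchange, which the intermediate profile excludes.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # TLS 1.3 0-RTT stays off: early data can be replayed by a network observer, and nothing in
    # this configuration tells the PHP application which requests arrived as early data.
    ssl_early_data off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Advertise HTTP/3 availability. Kept at server level beside HSTS: an add_header inside a
    # location replaces the inherited ones, so the original placement in "location /" dropped
    # the HSTS header for those responses.
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # Paths for which missing-file errors are not written to the error log. Several are typical
    # scanner probes; the access log, if enabled, still records the requests.
    # "location =" compares the whole URI literally, so the entries ending in "/*" match only a
    # path containing a real asterisk. They are kept exactly as written.
    location = /favicon.ico { log_not_found off; }
    location = /robots.txt { log_not_found off; }
    location = /conf.js { log_not_found off; }
    location = /1 { log_not_found off; }
    location = /sitemap.xml { log_not_found off; }
    location = /admin { log_not_found off; }
    location = /wp-json/* { log_not_found off; }
    location = /.well-known/* { log_not_found off; }
    location = /api/* { log_not_found off; }
    location = /movie/* { log_not_found off; }
    location = /sites/* { log_not_found off; }
    location = /templates/* { log_not_found off; }
    location = /wp-content/* { log_not_found off; }
    location = /wp-includes/* { log_not_found off; }
    location = /wp-admin/* { log_not_found off; }
    location = /cgialfa { log_not_found off; }
    location = /alfacgiapi { log_not_found off; }
    location = /ALFA_DATA { log_not_found off; }
    location = /gank.php.PhP { log_not_found off; }
    location = /dns-query { log_not_found off; }
    location = /PHPBonusChallengeExploits.php/* { log_not_found off; }
    location = /service/* { log_not_found off; }
    location = /member/* { log_not_found off; }
    location = /securityRealm/* { log_not_found off; }
    location = /users/* { log_not_found off; }
    location = /index.php/* { log_not_found off; }
    location = /node/* { log_not_found off; }
    location = /user/* { log_not_found off; }

    location ~ \.php$ {
        # Hand the request to PHP-FPM only when the script exists on disk, so a crafted URI
        # cannot make PHP interpret some other file.
        try_files $uri =404;
        # NOTE(review): Debian/Ubuntu php-fpm packages usually listen on
        # /run/php/php<version>-fpm.sock; confirm this path matches the pool's "listen" setting.
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

    location / {
        # Host validation, root, index and Alt-Svc are all set at server level above.
    }
}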
开启BBR:
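# Settings go into a drop-in file instead of being appended to /etc/sysctl.conf, so re-running
# the step does not pile up duplicate lines. The last command prints the active congestion
# control algorithm; `lsmod | grep bbr` prints nothing (and fails) when BBR is built into the
# kernel rather than loaded as a module.
printf '%s\n' 'net.core.default_qdisc=fq' 'net.ipv4.tcp_congestion_control=bbr' > /etc/sysctl.d/99-bbr.conf \
  && sysctl --system \
  && sysctl net.ipv4.tcp_congestion_control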
加载单元:
systemctl daemon-reload
开启nginx:
systemctl start nginx
开启状态:
systemctl status nginx
开机自动启动:
systemctl enable nginx
重新启动:
systemctl restart nginx
停止nginx:
service nginx stop
开启php8.2-fpm:
systemctl start php8.2-fpm
开启状态:
systemctl status php8.2-fpm
开机自动启动:
systemctl enable php8.2-fpm
重新启动:
systemctl restart php8.2-fpm
开启mysql:
systemctl start mariadb.service
开启状态:
systemctl status mariadb.service
开机自动启动:
systemctl enable mariadb.service
重新启动:
systemctl restart mariadb.service