Nginx / PHP / MySQL¶
Installer un serveur web¶
Installer Nginx:¶
$ sudo apt-get install nginx
Version de Nginx:¶
$ nginx -v
nginx version: nginx/1.14.0 (Ubuntu)
Démarrer,activer et vérifier l'étât du service Nginx.¶
$ sudo systemctl start nginx.service
$ sudo systemctl enable nginx.service
$ sudo systemctl status nginx.service
# ps -ef | grep -i nginx
root 18596 13:16 nginx: master process ./nginx
nobody 18597 13:16 nginx: worker process
https://www.nginx.com/resources/wiki/start/
https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
https://wiki.debian.org/Nginx/DirectoryStructure
Arborescence:¶
bruno@MintBook:/etc/nginx$ tree
.
├── conf.d
├── fastcgi.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── modules-available
├── modules-enabled
│ ├── 50-mod-http-geoip.conf -> /usr/share/nginx/modules-available/mod-http-geoip.conf
│ ├── 50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
│ ├── 50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
│ ├── 50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
│ └── 50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
├── nginx.conf
├── proxy_params
├── scgi_params
├── sites-available
│ └── default
├── sites-enabled
│ └── default -> /etc/nginx/sites-available/default
├── snippets
│ ├── fastcgi-php.conf
│ └── snakeoil.conf
├── uwsgi_params
└── win-utf
Configuration:¶
Le fichier /etc/nginx/nginx.conf contient la configuration générale de nginx.
user www-data;
Créer un fichier qui contiendra les configurations du site dans le répertoire /etc/nginx/sites-available/.
Le dossier contient déjà un fichier par défaut: /etc/nginx/sites-available/default
$ cd /etc/nginx/sites-available/
$ sudo cp default mint
$ sudo gedit mint
Modifier les lignes:
- root: le dossier root du site
- index: ajouter index.php
- server_name
Dé-commenter les lignes:
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/run/php/php7.2-fpm.sock;
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /home/bruno/Sites;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm;
server_name mintbook.local;
access_log /var/log/nginx/access_log;
error_log /var/log/nginx/error_log;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
#
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
Donner les droits à Nginx pour le dossier root:
$ sudo chown -R www-data:www-data /home/bruno/Sites
Déclarer le socket Unix de PHP-FPM au niveau de Nginx: il faut modifier ou créer le fichier /etc/nginx/conf.d/php7-fpm.conf
upstream php7.2-fpm-sock {
server unix:/run/php/php7.2-fpm.sock;
}
Créer ensuite un lien symbolique de ce fichier dans le répertoire /etc/nginx/sites-enabled/ afin d’activer le site.
Il est à noter que pour désactiver le site temporairement il suffit de supprimer le lien symbolique qui est dans sites-enabled et pour le réactiver, il faut refaire un lien symbolique avec le fichier qui se trouve dans site-available.
$ cd /etc/nginx/sites-enabled/
$ ln -s /etc/nginx/sites-available/mint mint
$ ls -la
total 8
drwxr-xr-x 2 root root 4096 mai 30 12:56 .
drwxr-xr-x 8 root root 4096 mai 30 10:40 ..
lrwxrwxrwx 1 root root 34 mai 30 10:40 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 31 mai 30 12:56 mint -> /etc/nginx/sites-available/mint
$ sudo rm default
Tester la configuration Nginx:¶
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Relancer Nginx:¶
$ sudo service nginx reload
Commandes Nginx:¶
Démarrer nginx: $ sudo systemctl start nginx
Arrêter nginx: $ sudo systemctl stop nginx
Redémarrer nginx: $ sudo systemctl restart nginx
Recharger nginx après une modification de configuration: $ sudo systemctl reload nginx
Désactiver le démarrage auto de nginx avec le système: $ sudo systemctl disable nginx
Activer le démarrage auto de nginx avec le système: $ sudo systemctl enable nginx
Vérifier l'étât de Nginx:¶
$ systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-05-30 10:40:04 CEST; 21h ago
Docs: man:nginx(8)
Main PID: 19485 (nginx)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/nginx.service
├─19485 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─30594 nginx: worker process
├─30595 nginx: worker process
├─30596 nginx: worker process
├─30597 nginx: worker process
├─30598 nginx: worker process
├─30599 nginx: worker process
├─30600 nginx: worker process
└─30601 nginx: worker process
HTTPS:¶
https://linoxide.com/linux-how-to/create-self-signed-ssl-certificate-nginx-ubuntu/
Créer une clé et un certificat. auto-signé:¶
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mintbook.local.key -out /etc/ssl/certs/mintbook.local.crt
[sudo] password for bruno:
Generating a 2048 bit RSA private key
...........+++
.................+++
## writing new private key to '/etc/ssl/private/mintbook.local.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
## If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Bourgogne
Locality Name (eg, city) []:Dijon
Organization Name (eg, company) [Internet Widgits Pty Ltd]:clicclac.info
Organizational Unit Name (eg, section) []:Web
Common Name (e.g. server FQDN or YOUR name) []:mintbook.local
Email Address []:enzo@clicclac.info
Paramètres Diffie-Hellman (DH):¶
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................+.....+..
Configuration SSL:¶
$ sudo nano /etc/nginx/snippets/self-signed.conf
ssl_certificate /etc/ssl/certs/mintbook.local.crt;
ssl_certificate_key /etc/ssl/private/mintbook.local.key;
$ sudo nano /etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
$ cd /etc/nginx/sites-available
$ sudo cp mint mint-ssl
$ sudo gedit mint-ssl
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
include snippets/self-signed.conf;
include snippets/ssl-param.conf;
Installer PHP:¶
$ sudo apt-get install php-fpm
$ which php
/usr/bin/php
$ php -v
PHP 7.2.17-0ubuntu0.18.04.1 (cli) (built: Apr 18 2019 14:12:38) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.17-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies
Configurer PHP-FPM:¶
- PHP et Nginx sur la même machine => socket Unix
- PHP et Nginx sur la même machine => socket TCP
$ sudo gedit /etc/php/7.2/fpm/pool.d/www.conf
Vérifier que PHP-Fpm utilise le Socket Unix (NGINX et PHP sur la même machine):
;listen = 127.0.0.1:9000
listen = /run/php/php7.2-fpm.sock
Configurer PHP.ini:¶
$ nano /etc/php/7.2/fpm/php.ini
file_uploads = On
allow_url_fopen = On
memory_limit = 256M
upload_max_filesize = 64M
cgi.fix_pathinfo = 0
upload_max_filesize = 100M
max_execution_time = 360
date.timezone = Europe/Paris
cgi.fix_pathinfo : l’activation de ce paramètre permet à PHP de n’accepter que les URI qui existent réellement sur le serveur.
Configurer Nginx:¶
$ sudo gedit /etc/nginx/sites-availables
Activer php:
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
#
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
Redémarrer le service php-fpm:
$ sudo service php7.2-fpm restart
Installer les modules PHP manquants:¶
Dans le Gestionnaire de paquets Synaptic, installer les modules GD, MySQL...
Manque: apcu, gmp, odbc, yaml
ou
$ sudo apt-cachesearch php- | less
$ sudo apt-get install "module name"
$ sudo apt-cache show "module name"
Installer MySQL (MariaDB):¶
$ sudo apt-get -y install mariadb-server mariadb-client
Démarrer, activer et vérifier l'étât du service MariaDB:¶
$ sudo systemctl start mysql.service
$ sudo systemctl enable mysql.service
$ sudo systemctl status mysql.service
Securiser l'installation de MariaDB:¶
$ sudo mysql_secure_installation
Enter current password for root (enter for none): Enter Your Current Password
OK, successfully used password, moving on...
Set root password? [Y/n] n
... skipping.
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] y
... Success!
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
l/p: root/sncfp1p2
Désinstaller mysql:¶
$ sudo service mysql stop
$ sudo apt-get remove --purge mysql*
$ sudo apt-get autoremove
$ sudo apt-get autoclean
$ sudo rm -rf /var/lib/mysql
$ sudo rm -rf /etc/mysql
Se connecter à MySQL:¶
$ sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 49
Server version: 10.1.38-MariaDB-0ubuntu0.18.04.2 Ubuntu 18.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Depuis ubuntu 18.04¶
Se logguer dans mysql en root.
Créer un utilisateur et lui donner tous les droits:
CREATE USER 'username'@'localhost' IDENTIFIED BY 'the_password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;
Créer un utilisateur avec le même nom et lui donner tous les droits:
CREATE USER 'username'@'%' IDENTIFIED BY 'the_password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' WITH GRANT OPTION;
Le compte 'username'@‘localhost' est utilisé quand on se connecte depuis la machine locale. Le compte 'username'@'%' est utilisé pour se connecter depuis n'importe quelle machine.
SHOW GRANTS FOR username;
FLUSH PRIVILEGES;
Configurer le firewall ubuntu:¶
$ sudo ufw app list
[sudo] password for bruno:
Available applications:
CUPS
Nginx Full
Nginx HTTP
Nginx HTTPS
syncthing
syncthing-gui
Liste les profils disponibles:
Profile Nginx Full: ouvre les ports 80 (http) et 443 (https) Profile Nginx HTTP: ouvre les ports 80 (http) Profile Nginx HTTPS: ouvre les ports 443 (https)
Activer le profile Nginx Full:¶
$ sudo ufw allow 'Nginx Full'
Rule added
Rule added (v6)
Status du firewall:¶
$ sudo ufw status
Status: active
To Action From
------
Nginx Full ALLOW Anywhere
Nginx Full (v6) ALLOW Anywhere (v6)
¶
Dernière mise à jour:
February 4, 2021