Server Install 2022¶
A record of only a few installs so far. The description will be verified going forward.
Hosting services¶
The following hosting services are assumed:
- GMO Cloud ALTUS (Plesk not used) - AlmaLinux 8.5
- AWS EC2 - Amazon Linux 2
Restrict access at the hosting service's firewall according to the administrative operations expected.
☆ Source IP addresses
(primary): 183.77.171.12 (company)
(secondary): 153.122.45.46 (new ARCHES server)
(spare): 153.122.73.247 (ARCHES ALTUS2)
Initial setup¶
sudo yum -y update
Add the time to the prompt so that operations are easier to record
vi ~/.bashrc
export PS1='\[\e[1;36m\]\d \[\e[1;32m\]\t \[\e[1;33m\]\u@\[\e[1;35m\]\h:\w\$\[\e[m\] ' (←append at the end)
source ~/.bashrc
Create a swap file¶
top
If Swap shows 0, no swap file has been created yet
GMO creates one automatically; EC2 does not?
https://aws.amazon.com/jp/premiumsupport/knowledge-center/ec2-memory-swap-file/
Depends on the storage, but use the same size as memory if memory is large, and twice the memory if it is small
sudo dd if=/dev/zero of=/swapfile bs=128M count=128 (←for 16GB)
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
sudo swapon -s
sudo vi /etc/fstab
cat /etc/fstab
UUID=008cdb03-aa96-41b3-8e92-b11c5b511efd / xfs defaults,noatime 1 1
/swapfile swap swap defaults 0 0 (←add)
SSH settings¶
Disable root login and allow only the SSH user.
Disabled by default on EC2?
sudo vi /etc/ssh/sshd_config
sudo grep -i root /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no (←add)
# the setting of "PermitRootLogin without-password".
#ChrootDirectory none
sudo systemctl restart sshd
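sshd uses the first uncommented value it finds for each keyword, so a "PermitRootLogin no" appended at the end of the file is silently ignored if an active "PermitRootLogin yes" already appears earlier. The script below is an added example, not part of the original page: it reproduces that first-match rule on two constructed sshd_config fragments (one where the appended line takes effect, one where it does not). On a real host, compare against sudo sshd -T | grep -i permitrootlogin, and run sudo sshd -t before the restart so a typo cannot lock you out.

```shell
#!/bin/sh
# Added example: reproduce sshd's "first obtained value wins" rule for a keyword.
# Only the global section is evaluated; a Match block ends the scan because the
# directives inside it are conditional. Keywords are case-insensitive and may be
# written as "Key value" or "Key=value".
sshd_effective() {
  # $1 = path to an sshd_config-style file, $2 = keyword
  # Prints the effective value, or nothing if the keyword is unset (default applies).
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next        # blank line or comment
      gsub(/=/, " ", line)                        # allow Key=value syntax
      n = split(line, f, /[ \t]+/)
      if (tolower(f[1]) == "match") exit          # conditional section: stop here
      if (tolower(f[1]) == key) {
        v = f[2]
        for (i = 3; i <= n; i++) v = v " " f[i]
        print v
        exit                                      # first match wins
      }
    }' "$1"
}

# Constructed fragment 1 (not a real host's file): the edit from this page applied
# to a file whose shipped line was only a comment. The appended "no" is the first
# active value, so it takes effect; the Match block afterwards is never consulted.
sample_config_ok() {
  f=$(mktemp)
  printf '%s\n' \
    '#PermitRootLogin yes' \
    'PermitRootLogin no' \
    '#ChrootDirectory none' \
    'Match Address 10.0.0.0/8' \
    '    PermitRootLogin yes' > "$f"
  echo "$f"
}

# Constructed fragment 2: the trap. Someone had already uncommented "yes" earlier,
# so the appended "no" never wins and root login stays enabled despite the edit.
sample_config_trap() {
  f=$(mktemp)
  printf '%s\n' \
    'PermitRootLogin yes' \
    'PasswordAuthentication=no' \
    'PermitRootLogin no' > "$f"
  echo "$f"
}
```

Source the file and call sshd_effective /etc/ssh/sshd_config PermitRootLogin to see which value your own file would actually hand to sshd.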
Installing basic software¶
rsyslog¶
sudo yum -y install rsyslog
Apache2¶
sudo yum -y install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
sudo vi /etc/httpd/conf/httpd.conf
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
#AllowOverride None
AllowOverride All
For sites with heavy traffic, tune the parameters.
D-Agree's /etc/httpd/conf/httpd.conf as of March 2022. MaxClients and MaxRequestsPerChild are the pre-2.4 names; httpd 2.4 still accepts them as aliases of MaxRequestWorkers and MaxConnectionsPerChild. The block only takes effect when prefork is the loaded MPM (AlmaLinux 8 ships with event as the default; check with httpd -V or /etc/httpd/conf.modules.d/00-mpm.conf).
<IfModule mpm_prefork_module>
StartServers 10
MinSpareServers 20
MaxSpareServers 60
ServerLimit 200
MaxClients 200
MaxRequestsPerChild 100
</IfModule>
sudo vi /etc/httpd/conf/httpd.conf
sudo apachectl configtest
sudo systemctl reload httpd
PHP7.4¶
For AlmaLinux 8 (the CentOS 7 equivalent is remi-release-7.rpm with the remi-php74 repository; dnf modules exist only on EL8)
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y module install php:remi-7.4
For Amazon Linux 2
sudo amazon-linux-extras install php7.4
Common to both?
sudo yum install php-mbstring php-xml php-xmlrpc php-gd
sudo systemctl restart httpd
sudo systemctl enable php-fpm
sudo systemctl restart php-fpm
Adjust the following parts of /etc/php.ini to suit the project (diff of the project file against the default: "<" lines are the project's values, ">" lines the defaults)
404,407c404
< ; memory_limit = 128M
< memory_limit = 96M
< ; memory_limit = 64M
< ; memory_limit = 1024M
---
> memory_limit = 128M
675,677c672
< ;post_max_size = 8M
< post_max_size = 20M
<
---
> post_max_size = 8M
830,831c825
< ;upload_max_filesize = 2M
< upload_max_filesize = 16M
---
> upload_max_filesize = 2M
909d902
< date.timezone = "Asia/Tokyo"
1516c1509
< mbstring.language = Japanese
---
> ;mbstring.language = Japanese
1523c1516
< mbstring.internal_encoding = UTF-8
---
> ;mbstring.internal_encoding =
sudo systemctl restart php-fpm
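PHP only honours upload_max_filesize within post_max_size, and the PHP manual recommends memory_limit larger than post_max_size, so the three values in the diff above (96M / 20M / 16M) must stay ordered memory_limit ≥ post_max_size ≥ upload_max_filesize or uploads fail in a way that looks like an application bug. The checker below is an added example, not from the page: it parses PHP's K/M/G shorthand and the "-1" (unlimited) special case, reads the last active value of each directive from a constructed php.ini fragment, and reports the ordering violation.

```shell
#!/bin/sh
# Added example: validate the size ordering of the php.ini values edited above.

# Convert PHP shorthand (K/M/G, case-insensitive, e.g. 128M) to bytes.
# "-1" (unlimited, valid for memory_limit) is passed through unchanged.
php_size_bytes() {
  v=$1
  case "$v" in
    '') echo "missing value" >&2; return 1 ;;
    -1) printf '%s\n' -1; return 0 ;;
  esac
  num=$(printf '%s' "$v" | sed 's/[^0-9]//g')
  unit=$(printf '%s' "$v" | sed 's/[0-9]//g' | tr 'a-z' 'A-Z')
  case "$unit" in
    '') printf '%s\n' "$num" ;;
    K) printf '%s\n' $((num * 1024)) ;;
    M) printf '%s\n' $((num * 1024 * 1024)) ;;
    G) printf '%s\n' $((num * 1024 * 1024 * 1024)) ;;
    *) echo "unknown unit in: $v" >&2; return 1 ;;
  esac
}

# Read the active (uncommented) value of a php.ini directive. The last one wins,
# which is how PHP treats a key that appears twice in one file. Quotes are stripped.
php_ini_get() {
  # $1 = php.ini path, $2 = directive name
  awk -v key="$2" '
    /^[ \t]*;/ { next }                          # commented-out line
    {
      split($0, kv, "=")
      k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        gsub(/"/, "", v)
        last = v
      }
    }
    END { print last }' "$1"
}

# Returns 0 when memory_limit >= post_max_size >= upload_max_filesize, 1 otherwise.
check_upload_limits() {
  mem=$(php_size_bytes "$(php_ini_get "$1" memory_limit)")
  post=$(php_size_bytes "$(php_ini_get "$1" post_max_size)")
  up=$(php_size_bytes "$(php_ini_get "$1" upload_max_filesize)")
  [ "$post" -ge "$up" ] || { echo "post_max_size ($post) < upload_max_filesize ($up)" >&2; return 1; }
  [ "$mem" -eq -1 ] || [ "$mem" -ge "$post" ] || { echo "memory_limit ($mem) < post_max_size ($post)" >&2; return 1; }
  return 0
}

# Constructed php.ini fragment with the project values from the diff above.
sample_php_ini() {
  f=$(mktemp)
  printf '%s\n' \
    '; memory_limit = 128M' \
    'memory_limit = 96M' \
    'post_max_size = 20M' \
    'upload_max_filesize = 16M' \
    'date.timezone = "Asia/Tokyo"' > "$f"
  echo "$f"
}

# Constructed fragment with the ordering broken: a 32M upload is cut off at 8M.
sample_php_ini_bad() {
  f=$(mktemp)
  printf '%s\n' \
    'memory_limit = 128M' \
    'post_max_size = 8M' \
    'upload_max_filesize = 32M' > "$f"
  echo "$f"
}
```

check_upload_limits /etc/php.ini after the edit gives a quick pass/fail before php-fpm is restarted.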
MySQL or MariaDB¶
For AlmaLinux with MariaDB 10.6
Follow https://mariadb.com/ja/resources/blog/install-mariadb-server-centos7/
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
Make Japanese text work (utf8mb4)
/etc/my.cnf.d/server.cnf
[mariadb]
character-set-server=utf8mb4
[client-mariadb]
default-character-set=utf8mb4
systemctl restart mariadb
systemctl enable mariadb
mariadb-secure-installation
For Amazon Linux 2 with MySQL 8.0
sudo yum -y install --enablerepo=mysql80-community mysql-community-server
sudo systemctl start mysqld
sudo systemctl enable mysqld
For sites with heavy traffic, tune the parameters.
D-Agree's /etc/my.cnf as of March 2022 had the following appended. Note that secure-file-priv=NULL disables LOAD DATA INFILE and SELECT ... INTO OUTFILE altogether, wait_timeout=12 closes idle connections after 12 seconds, and keyring_file stores the tablespace-encryption master key unencrypted in keyring_file_data on the same disk.
secure-file-priv=NULL
character_set_server=utf8mb4
collation-server=utf8mb4_general_ci
slow_query_log=1
long_query_time=1
log_queries_not_using_indexes=1
log_throttle_queries_not_using_indexes=1
max_connections=300
wait_timeout=12
interactive_timeout=12
innodb_buffer_pool_size=8G
innodb_log_file_size=1G
innodb_buffer_pool_instances=8
innodb_lock_wait_timeout=20
thread_cache_size=50
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql/mysql-keyring/keyring
sudo vi /etc/my.cnf
sudo systemctl restart mysqld
sudo mysql_secure_installation
SSL certificates¶
Overview of Let's Encrypt, for when a commercial SSL certificate is not used
For CentOS 7 / AlmaLinux 8
See https://certbot.eff.org/instructions?ws=apache&os=centosrhel7
For Amazon Linux 2
See https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt
Let's Encrypt wildcard certificates require DNS validation (dns-01), which cannot be automated with the manual plugin used below; unattended renewal needs a certbot DNS plugin that can create the _acme-challenge TXT record through the DNS provider's API.
With --manual the DNS validation apparently has to be repeated by hand at every renewal (certificates are valid for 90 days), using the following command.
sudo certbot certonly --manual \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory \
-m server@arches.co.jp \
-d r-agree.com \
-d *.r-agree.com
There was a case where certbot could not find ssl.conf? It was fixed by hand.
iptables¶
Not used for now, since access is restricted at the hosting service.
vsftpd¶
When a server is set up from scratch, SFTP alone is usually enough and FTP is not needed.
ClamAV¶
sudo yum install clamav clamav-update clamd
sudo freshclam
sudo vi /etc/clamd.d/scan.conf
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /run/clamd.scan/clamd.sock
LocalSocket /run/clamd.scan/clamd.sock (←add)
sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan
Postfix¶
Details still to be confirmed
sudo yum -y install postfix
sudo yum -y install cyrus-sasl-plain
sudo yum -y install cyrus-sasl-md5
sudo vi /etc/postfix/main.cf
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = r-agree.com
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = r-agree.com
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#       mail.$mydomain, www.$mydomain, ftp.$mydomain
#home_mailbox = Mailbox
home_mailbox = Maildir/
sudo vi /etc/postfix/master.cf
smtp       inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
sudo vi /etc/sasl2/smtpd.conf
# pwcheck_method: saslauthd
pwcheck_method: auxprop
# mech_list: plain login
mech_list: cram-md5 plain login
With pwcheck_method auxprop, smtpd reads passwords from the sasldb database (/etc/sasldb2, maintained with saslpasswd2), so the saslauthd started below is not consulted. CRAM-MD5 requires the plaintext password to be stored in sasldb, and PLAIN/LOGIN only stay confidential if the submission service enforces TLS, which the master.cf above does not do because the smtpd_tls_security_level=encrypt line is left commented out.
sudo mkdir -p /etc/skel/Maildir/{new,cur,tmp}
sudo chmod -R 700 /etc/skel/Maildir/
sudo yum -y install cyrus-sasl
sudo systemctl start saslauthd
sudo systemctl enable saslauthd
sudo postfix check
sudo systemctl restart postfix
sudo systemctl enable postfix
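In the master.cf above the submission service enables SASL (smtpd_sasl_auth_enable=yes) while the -o smtpd_tls_security_level=encrypt line stays commented out, so a mail client can hand over PLAIN or LOGIN credentials on port 587 in cleartext unless TLS is enforced elsewhere. The script below is an added example, not part of the page: it parses a master.cf (service line followed by indented -o continuation lines) and reports whether the submission entry authenticates without requiring encryption, using two constructed copies of the page's entry.

```shell
#!/bin/sh
# Added example: check that the submission service in a master.cf requires TLS
# whenever it offers SASL authentication.

# Prints "ok" (SASL with mandatory TLS), "weak" (SASL without mandatory TLS) or
# "no-auth" (submission does not enable SASL at all).
submission_auth_check() {
  # $1 = master.cf path
  awk '
    /^[ \t]*#/ { next }                     # comment
    /^[ \t]*$/ { next }                     # blank line
    /^[^ \t]/  { svc = $1; next }           # service line: name is the first field
    svc == "submission" {                   # indented continuation line of submission
      for (i = 1; i < NF; i++)
        if ($i == "-o") opts[$(i + 1)] = 1
    }
    END {
      sasl = ("smtpd_sasl_auth_enable=yes" in opts)
      tls  = ("smtpd_tls_security_level=encrypt" in opts)
      if (!sasl)     print "no-auth"
      else if (tls)  print "ok"
      else           print "weak"
    }' "$1"
}

# Constructed master.cf (not the live file) with the submission block exactly as
# edited on this page: the TLS line is still a comment.
sample_master_cf_page() {
  f=$(mktemp)
  printf '%s\n' \
    'smtp       inet  n       -       n       -       -       smtpd' \
    'submission inet  n       -       n       -       -       smtpd' \
    '#  -o syslog_name=postfix/submission' \
    '#  -o smtpd_tls_security_level=encrypt' \
    '  -o smtpd_sasl_auth_enable=yes' \
    '  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject' > "$f"
  echo "$f"
}

# The same entry with the TLS line uncommented: STARTTLS becomes mandatory before AUTH.
sample_master_cf_hardened() {
  f=$(mktemp)
  printf '%s\n' \
    'smtp       inet  n       -       n       -       -       smtpd' \
    'submission inet  n       -       n       -       -       smtpd' \
    '  -o syslog_name=postfix/submission' \
    '  -o smtpd_tls_security_level=encrypt' \
    '  -o smtpd_sasl_auth_enable=yes' \
    '  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject' > "$f"
  echo "$f"
}
```

Run submission_auth_check /etc/postfix/master.cf before the postfix check / restart step. Making the encrypt setting effective also requires smtpd_tls_cert_file and smtpd_tls_key_file in main.cf (for example the Let's Encrypt files from the SSL section); postconf -M shows the master.cf entries as Postfix actually parsed them.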
logwatch¶
sudo yum install logwatch
sudo vi /etc/logwatch/conf/logwatch.conf
MailTo = server@arches.co.jp
Detail = High
sudo logwatch --output mail
For some reason this setting is ignored and the cron mail does not arrive.
sudo vi /etc/cron.daily/0logwatch
#OPTIONS="--output mail"
OPTIONS="--output mail --mailto server@arches.co.jp"
Set it as above.
Dovecot¶
No need for it so far.
Munin¶
sudo yum install munin
sudo yum install munin-node
sudo systemctl enable munin-node
sudo systemctl start munin-node
sudo su - munin --shell=/usr/bin/munin-cron
sudo vi /etc/cron.d/munin
#
# cron-jobs for munin
#
MAILTO=root
*/5 * * * *     munin test -x /usr/bin/munin-cron && /usr/bin/munin-cron
cd /etc/munin
sudo htpasswd -c munin-htpasswd munin
sudo grep -r html/munin /etc/
/etc/selinux/targeted/contexts/files/file_contexts:/var/www/html/munin(/.*)? system_u:object_r:munin_content_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/var/www/html/munin/cgi(/.*)? system_u:object_r:munin_script_exec_t:s0
Binary file /etc/selinux/targeted/contexts/files/file_contexts.bin matches
/etc/selinux/targeted/active/file_contexts:/var/www/html/munin(/.*)? system_u:object_r:munin_content_t:s0
/etc/selinux/targeted/active/file_contexts:/var/www/html/munin/cgi(/.*)? system_u:object_r:munin_script_exec_t:s0
/etc/munin/munin.conf:#htmldir /var/www/html/munin
I do not want the munin path to be guessable, so change every path that refers to it. Renaming the directory alone is not enough: htmldir in /etc/munin/munin.conf is commented out above, so the default /var/www/html/munin is in use and the next munin-cron run would simply re-create it; point htmldir at the new directory. The SELinux file-context rules listed above match only /var/www/html/munin, so on an enforcing host register an equivalent context for the new path (semanage fcontext with the equivalence option, then restorecon) so that a later relabel does not strip munin_content_t.
cd /var/www/html
sudo mv munin munin-valley
sudo systemctl restart munin-node
cd munin-valley
sudo vi .htaccess
# This file can be used as a .htaccess file, or a part of your apache
# config file.
#
# For the .htaccess file option to work the munin www directory
# (@@HTMLDIR@@) must have "AllowOverride all" or something close
# to that set.
#
# As a config file enclose it in <directory> like so:
#
# <directory @@HTMLDIR@@>
# AuthUserFile @@CONFDIR@@/munin-htpasswd
AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user
# This next part requires mod_expires to be enabled.
#
# We could use <IfModule mod_expires> around here, but I want it to be
# as evident as possible that you either have to load mod_expires _or_
# you comment out/remove these lines.
# Set the default expiry time for files 5 minutes 10 seconds from
# their creation (modification) time. There are probably new files by
# that time.
ExpiresActive On
ExpiresDefault M310
# </directory>
This .htaccess only works because AllowOverride All was set in httpd.conf above. Basic authentication sends the password base64-encoded with every request, so expose this directory over HTTPS only.
Add the Apache and MySQL plugins
ls -lF /etc/munin/plugins/
ls -lF /usr/share/munin/plugins/
ls -lF /usr/share/munin/plugins/apache_*
ls -lF /usr/share/munin/plugins/mysql_*
sudo ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
sudo ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
sudo ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
sudo ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
sudo ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
sudo ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
sudo ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
sudo ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb (the original note linked mysql_threads under this name, which would only duplicate the threads graph)
Apache status reporting
sudo vi /etc/httpd/conf.d/server-status.conf
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Require ip 127.0.0.1
</Location>
sudo systemctl restart httpd
Add a MySQL account for Munin
mysql -u root -p
CREATE DATABASE munin;
CREATE USER munin@localhost IDENTIFIED BY 'NwyzFWp_dXBM2hjP';
GRANT SELECT ON munin.* TO munin@localhost;
FLUSH PRIVILEGES;
sudo vi /etc/munin/plugin-conf.d/munin-node
# We moved the default config to file 00-default
# as config files in this directory are read in alphabetical order.
#
# Documentation can be found in Munin-Guide:
# http://guide.munin-monitoring.org/en/latest/plugin/use.html#configuring
[mysql*]
env.mysqlopts -u munin --password=NwyzFWp_dXBM2hjP
sudo yum install -y perl-Cache-Cache perl-DBD-MySQL
sudo munin-node-configure --shell | sh
sudo systemctl restart munin-node
sudo su - munin --shell=/usr/bin/munin-cron
Other¶
Uploading the application¶
Watch the file permissions. Log and upload directories usually have to be owned by apache.
Database initialization¶
Notes on the initialization commands
CREATE DATABASE IF NOT EXISTS `RAgree2022_db` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
USE `RAgree2022_db`;
CREATE USER RAgree2022_db@localhost IDENTIFIED BY 'nVTrw%z4uBkEipLV';
GRANT ALL PRIVILEGES ON RAgree2022_db.* TO RAgree2022_db@localhost;
FLUSH PRIVILEGES;
Updated by Kiyotaka NEMOTO over 3 years ago · 1 revisions