サーバー管理

h1. サーバーインストール2022

まだ数例インストールした記録。今後記述を検証していく。

h2. ホスティングサービス

次のホスティングサービスを想定

* GMOクラウドALTUS（Plesk不使用） - AlmaLinux 8.5

* AWS EC2 - Amazon Linux 2

予想される管理操作に応じてホスティングサービスでアクセス制限をかける。

☆接続元IPアドレス

(正)	：183.77.171.12(会社)

(副)	：153.122.45.46(新ARCHESサーバ)

(予備)	：153.122.73.247(ARCHES ALTUS2)

h2. 初期設定

sudo yum -y update

操作記録を容易にするため、プロンプトに時刻を付けておく

vi ~/.bashrc

<pre>

export PS1='\[\e[1;36m\]\d \[\e[1;32m\]\t \[\e[1;33m\]\u@\[\e[1;35m\]\h:\w\$\[\e[m\] ' （←末尾に追加）

</pre>source ~/.bashrc

h2. スワップファイル作成

top

Swapが0ならまだ作成されていない

GMOは自動作成、EC2は未作成？

https://aws.amazon.com/jp/premiumsupport/knowledge-center/ec2-memory-swap-file/

ストレージにもよるが、メモリが大きければ同サイズ、少なければ倍

sudo dd if=/dev/zero of=/swapfile bs=128M count=128 （←16GBの場合）

sudo chmod 600 /swapfile

sudo mkswap /swapfile

sudo swapon /swapfile

sudo swapon -s

sudo vi /etc/fstab

cat /etc/fstab

<pre>

UUID=008cdb03-aa96-41b3-8e92-b11c5b511efd     /           xfs    defaults,noatime  1   1

/swapfile swap swap defaults 0 0 （←追加）

</pre>

h2. SSHの設定

rootのログインを禁止し、SSH用ユーザのみ許可する

EC2はデフォルト禁止？

sudo vi /etc/ssh/sshd_config

sudo grep -i root /etc/ssh/sshd_config

<pre>

#PermitRootLogin yes

PermitRootLogin no （←追加）

# the setting of "PermitRootLogin without-password".

#ChrootDirectory none

</pre>sudo systemctl restart sshd

h2. 基本的なソフトのインストール

h3. rsyslog

sudo yum -y install rsyslog

h3. Apache2

sudo yum -y install httpd

sudo systemctl enable httpd

sudo systemctl start httpd

sudo vi /etc/httpd/conf/httpd.conf

<pre>

    #

    # AllowOverride controls what directives may be placed in .htaccess files.

    # It can be "All", "None", or any combination of the keywords:

    #   Options FileInfo AuthConfig Limit

    #

    #AllowOverride None

    AllowOverride All

</pre>

アクセスが多いサイトはパラメータをチューニングする。

D-Agreeの2022年3月の/etc/httpd/conf/httpd.conf

<pre>

<IfModule mpm_prefork_module>

    StartServers 10

    MinSpareServers 20

    MaxSpareServers 60

    ServerLimit 200

    MaxClients 200

    MaxRequestsPerChild 100

</IfModule>

</pre>sudo vi /etc/httpd/conf/httpd.conf

sudo apachectl configtest

sudo systemctl reload httpd

h3. PHP7.4

CentOS7, AlmaLinux8の場合

dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

dnf -y module install php:remi-7.4

Amazon Linux 2の場合

sudo amazon-linux-extras install php7.4

共通？

sudo yum install php-mbstring php-xml php-xmlrpc php-gd

sudo systemctl restart httpd

sudo systemctl enable php-fpm

sudo systemctl restart php-fpm

/etc/php.iniの次の箇所をプロジェクトに合わせて修正

<pre>

404,407c404

< ; memory_limit = 128M

< memory_limit = 96M

< ; memory_limit = 64M

< ; memory_limit = 1024M

---

> memory_limit = 128M

675,677c672

< ;post_max_size = 8M

< post_max_size = 20M

<

---

> post_max_size = 8M

830,831c825

< ;upload_max_filesize = 2M

< upload_max_filesize = 16M

---

> upload_max_filesize = 2M

909d902

< date.timezone = "Asia/Tokyo"

1516c1509

< mbstring.language = Japanese

---

> ;mbstring.language = Japanese

1523c1516

< mbstring.internal_encoding = UTF-8

---

> ;mbstring.internal_encoding =

</pre>sudo systemctl restart php-fpm

h3. MySQLまたはMariaDB

AlmaLinux, MariaDB10.6の場合

https://mariadb.com/ja/resources/blog/install-mariadb-server-centos7/ に沿う

curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash

日本語を扱えるようにする

/etc/my.cnf.d/server.cnf

[mariadb]

character-set-server=utf8mb4

[client-mariadb]

default-character-set=utf8mb4

systemctl restart mariadb

systemctl enable mariadb

mariadb-secure-installation

Amazon Linux2, MySQL8.0の場合

sudo yum -y install --enablerepo=mysql80-community mysql-community-server

sudo systemctl start mysqld

sudo systemctl enable mysqld

アクセスが多いサイトはパラメータをチューニングする。

D-Agreeの2022年3月の/etc/my.cnfは下記を追記

<pre>

secure-file-priv= NULL

character_set_server=utf8mb4

collation-server=utf8mb4_general_ci

slow_query_log=1

long_query_time=1

log_queries_not_using_indexes=1

log_throttle_queries_not_using_indexes=1

max_connections=300

wait_timeout=12

interactive_timeout=12

innodb_buffer_pool_size=8G

innodb_log_file_size=1G

innodb_buffer_pool_instances=8

innodb_lock_wait_timeout=20

thread_cache_size=50

early-plugin-load=keyring_file.so

keyring_file_data=/var/lib/mysql/mysql-keyring/keyring

</pre>sudo vi /etc/my.cnf

sudo systemctl restart mysqld

sudo mysql_secure_installation

h3. SSL証明書

商用SSLを使わない場合、Let's encryptの概要

CentOS7,AlmaLinux8の場合

https://certbot.eff.org/instructions?ws=apache&os=centosrhel7 を参照

Amazon Linux 2の場合

https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt を参照

Let's encryptのワイルドカード証明書はDNS認証が必須で自動化できない。

毎回次のコマンドでDNS認証をしないといけない模様。

sudo certbot certonly --manual \

   --preferred-challenges dns-01 \

   --server https://acme-v02.api.letsencrypt.org/directory \

   -m server@arches.co.jp \

   -d r-agree.com \

   -d *.r-agree.com

certbotがssl.confを見付けられないケースあり？ 手動で直した。

h3. iptables

ホスティングサービスで制限しているので今のところ使わない。

h3. vsftpd

サーバーを最初から設定するような場合はSFTPのみでFTPは必要ないことが多い。

h3. ClamAV

sudo yum install clamav clamav-update clamd

sudo freshclam

sudo vi /etc/clamd.d/scan.conf

<pre>

# Path to a local socket file the daemon will listen on.

# Default: disabled (must be specified by a user)

#LocalSocket /run/clamd.scan/clamd.sock

LocalSocket /run/clamd.scan/clamd.sock （←追加）

</pre>sudo systemctl start clamd@scan

sudo systemctl enable clamd@scan

h3. Postfix

詳細要確認

sudo yum -y install postfix

sudo yum -y install cyrus-sasl-plain

sudo yum -y install cyrus-sasl-md5

sudo vi /etc/postfix/main.cf

<pre>

# INTERNET HOST AND DOMAIN NAMES

#

# The myhostname parameter specifies the internet hostname of this

# mail system. The default is to use the fully-qualified domain name

# from gethostname(). $myhostname is used as a default value for many

# other configuration parameters.

#

#myhostname = host.domain.tld

#myhostname = virtual.domain.tld

myhostname = r-agree.com

# The mydomain parameter specifies the local internet domain name.

# The default is to use $myhostname minus the first component.

# $mydomain is used as a default value for many other configuration

# parameters.

#

#mydomain = domain.tld

mydomain = r-agree.com

#mydestination = $myhostname, localhost.$mydomain, localhost

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,

#       mail.$mydomain, www.$mydomain, ftp.$mydomain

#home_mailbox = Mailbox

home_mailbox = Maildir/

</pre>sudo vi /etc/postfix/master.cf

<pre>

smtp      inet  n       -       n       -       -       smtpd

#smtp      inet  n       -       n       -       1       postscreen

#smtpd     pass  -       -       n       -       -       smtpd

#dnsblog   unix  -       -       n       -       0       dnsblog

#tlsproxy  unix  -       -       n       -       0       tlsproxy

submission inet n       -       n       -       -       smtpd

#  -o syslog_name=postfix/submission

#  -o smtpd_tls_security_level=encrypt

  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_reject_unlisted_recipient=no

#  -o smtpd_client_restrictions=$mua_client_restrictions

#  -o smtpd_helo_restrictions=$mua_helo_restrictions

#  -o smtpd_sender_restrictions=$mua_sender_restrictions

  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

</pre>

sudo vi /etc/sasl2/smtpd.conf

<pre>

# pwcheck_method: saslauthd

pwcheck_method: auxprop

# mech_list: plain login

mech_list: cram-md5 plain login

</pre>

sudo mkdir -p /etc/skel/Maildir/{new,cur,tmp}

sudo chmod -R 700 /etc/skel/Maildir/

sudo yum -y install cyrus-sasl

sudo systemctl start saslauthd

sudo systemctl enable saslauthd

sudo postfix check

sudo systemctl restart postfix

sudo systemctl enable postfix

h3. logwatch

sudo yum install logwatch

sudo vi /etc/logwatch/conf/logwatch.conf

<pre>

MailTo = server@arches.co.jp

Detail = High

</pre>sudo logwatch –output mail

なぜかこの設定は無視されてcronが届かない。

sudo vi /etc/cron.daily/0logwatch

<pre>

#OPTIONS="--output mail"

OPTIONS="--output mail --mailto server@arches.co.jp"

</pre>としておく。

h3. Dovecot

今のところ必要な場面がない。

h3. Munin

sudo yum install munin

sudo yum install munin-node

sudo systemctl enable munin-node

sudo systemctl start  munin-node

sudo su - munin --shell=/usr/bin/munin-cron

sudo vi /etc/cron.d/munin

<pre>

#

# cron-jobs for munin

#

MAILTO=root

*/5 * * * *     munin test -x /usr/bin/munin-cron && /usr/bin/munin-cron

</pre>

cd /etc/munin

sudo htpasswd -c munin-htpasswd munin

sudo grep -r html/munin /etc/

<pre>

/etc/selinux/targeted/contexts/files/file_contexts:/var/www/html/munin(/.*)?    system_u:object_r:munin_content_t:s0

/etc/selinux/targeted/contexts/files/file_contexts:/var/www/html/munin/cgi(/.*)?        system_u:object_r:munin_script_exec_t:s0

Binary file /etc/selinux/targeted/contexts/files/file_contexts.bin matches

/etc/selinux/targeted/active/file_contexts:/var/www/html/munin(/.*)?    system_u:object_r:munin_content_t:s0

/etc/selinux/targeted/active/file_contexts:/var/www/html/munin/cgi(/.*)?        system_u:object_r:munin_script_exec_t:s0

/etc/munin/munin.conf:#htmldir   /var/www/html/munin

</pre>muninのパスを見せたくないのでパス類を一通り変える。

cd /var/www/html

sudo mv munin munin-valley/

sudo systemctl restart munin-node

cd munin-valley

sudo vi .htaccess

<pre>

# This file can be used as a .htaccess file, or a part of your apache

# config file.

#

# For the .htaccess file option to work the munin www directory

# (@@HTMLDIR@@) must have "AllowOverride all" or something close

# to that set.

#

# As a config file enclose it in <directory> like so:

#

# <directory @@HTMLDIR@@>

# AuthUserFile @@CONFDIR@@/munin-htpasswd

AuthUserFile /etc/munin/munin-htpasswd

AuthName "Munin"

AuthType Basic

require valid-user

# This next part requires mod_expires to be enabled.

#

# We could use <IfModule mod_expires> around here, but I want it to be

# as evident as possible that you either have to load mod_expires _or_

# you comment out/remove these lines.

# Set the default expiery time for files 5 minutes 10 seconds from

# their creation (modification) time.  There are probably new files by

# that time.

ExpiresActive On

ExpiresDefault M310

# </directory>

</pre>

Apache関係とMySQL関係のプラグインを追加

ls -lF /etc/munin/plugins/

ls -lF /usr/share/munin/plugins/

ls -lF /usr/share/munin/plugins/apache_*

ls -lF /usr/share/munin/plugins/mysql_*

sudo ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/

sudo ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/

sudo ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/

sudo ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes

sudo ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries

sudo ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries

sudo ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads

sudo ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_innodb

Apacheの状態報告

sudo vi /etc/httpd/conf.d/server-status.conf

<pre>

ExtendedStatus On

<Location /server-status>

        SetHandler server-status

        Require ip 127.0.0.1

</Location>

</pre>sudo systemctl restart httpd

MuninのMySQLアカウントを追加

mysql -u root -p

CREATE DATABASE munin;

CREATE USER munin@localhost IDENTIFIED BY 'NwyzFWp_dXBM2hjP';

GRANT SELECT ON munin.* TO munin@localhost;

FLUSH PRIVILEGES;

sudo vi /etc/munin/plugin-conf.d/munin-node

<pre>

# We moved the default config to file 00-default

# as config files in this directory are read in alphabetical order.

#

# Documentation can be found in Munin-Guide:

# http://guide.munin-monitoring.org/en/latest/plugin/use.html#configuring

[mysql*]

env.mysqlopts -u munin --password=NwyzFWp_dXBM2hjP

</pre>

sudo yum install -y perl-Cache-Cache perl-DBD-MySQL

sudo munin-node-configure --shell | sh

sudo systemctl restart munin-node

sudo su - munin --shell=/usr/bin/munin-cron

h2. その他

h3. プログラムのアップロード

ファイル権限に注意。ログ系やアップロード系のディレクトリは所有者apacheにしないといけないことが多い。

h3. データベース初期化

初期化コマンドのメモ

CREATE DATABASE IF NOT EXISTS `RAgree2022_db` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

USE `RAgree2022_db`;

CREATE USER RAgree2022_db@localhost IDENTIFIED BY 'nVTrw%z4uBkEipLV';

GRANT ALL PRIVILEGES ON RAgree2022_db.* TO RAgree2022_db@localhost;

FLUSH PRIVILEGES;