[Original] Installing Chevereto 4 (paid edition) on a VPS
Author: dc (administrator)
The nginx rewrite ("pretty URL") rules in the official docs need a little adjustment, so I wrote this walkthrough from my own installation.
The work to be done is listed below; the commands are the parts marked in red.
OS: CentOS 7 x86_64
Httpd: nginx/1.23.2
PHP: 8.1.13
DB: MariaDB 10.8
memcached 1.4.15
SELinux enabled
Firewall enabled
Install path: /wwwroot/photo
Example domain: photo.omega.idv.tw, with its DNS A record already created
1. Set the firewall rules
Allow connections from your own fixed IP, e.g. 114.88.88.88/32, then remove the dhcpv6-client and ssh services, so that only the fixed IP you allowed can connect (ssh included). Double-check the address before you reload: once the ssh service is gone, a wrong source address locks you out and you will need the provider's console to get back in.
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="114.88.88.88/32" accept'
firewall-cmd --remove-service=dhcpv6-client --permanent
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --reload
firewall-cmd --list-all
You can see that only your fixed IP is now allowed to connect:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="114.88.88.88/32" accept
As long as ssh is reachable from the internet, you can watch people trying to log in non-stop:
lastb
root ssh:notty 61.177.173.24 Mon Nov 28 03:28 - 03:28 (00:00)
root ssh:notty 61.177.173.24 Mon Nov 28 03:28 - 03:28 (00:00)
root ssh:notty 61.177.173.24 Mon Nov 28 03:28 - 03:28 (00:00)
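The lastb listing above is the raw material for a simple detection: count failures per source address and turn the busiest sources into firewall rules. The script below is an added example, not part of the original post; LASTB_SAMPLE is constructed to mirror the post's output (on a real host pipe in `lastb -i` instead), and 114.88.88.88 stands in for the admin's own fixed IP, which is excluded so the admin's own typos never generate a rule against them. The firewall-cmd lines are printed, not executed, so you can review them first.

```shell
# Added example, not part of the original post: tally failed SSH logins per
# source address from `lastb` output and generate firewalld drop rules for
# the worst offenders. LASTB_SAMPLE is constructed to mirror the post's
# output; 114.88.88.88 is an assumed admin IP that must never be blocked.

LASTB_SAMPLE='root     ssh:notty    61.177.173.24    Mon Nov 28 03:28 - 03:28  (00:00)
root     ssh:notty    61.177.173.24    Mon Nov 28 03:28 - 03:28  (00:00)
root     ssh:notty    61.177.173.24    Mon Nov 28 03:28 - 03:28  (00:00)
admin    ssh:notty    61.177.173.24    Mon Nov 28 03:29 - 03:29  (00:00)
root     ssh:notty    203.0.113.7      Mon Nov 28 03:30 - 03:30  (00:00)
dc       ssh:notty    114.88.88.88     Mon Nov 28 04:10 - 04:10  (00:00)
dc       ssh:notty    114.88.88.88     Mon Nov 28 04:11 - 04:11  (00:00)
dc       ssh:notty    114.88.88.88     Mon Nov 28 04:11 - 04:11  (00:00)

btmp begins Mon Nov 28 00:00:01 2022'

# Read lastb lines on stdin and print "count address" per source, busiest
# first. Only ssh:notty records are counted; the trailing "btmp begins"
# line and blank lines are ignored.
tally_failed_logins() {
    awk '$2 == "ssh:notty" { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read lastb lines on stdin and print one firewalld command for every source
# that reached $1 failures, skipping the allow-listed address in $2.
# The commands are printed for review, never run from here.
block_rules() {
    tally_failed_logins | awk -v t="$1" -v allow="$2" '
        $1 + 0 >= t + 0 && $2 != allow {
            printf "firewall-cmd --permanent --add-rich-rule '\''rule family=\"ipv4\" source address=\"%s/32\" drop'\''\n", $2
        }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$LASTB_SAMPLE" | tally_failed_logins
printf '%s\n' "$LASTB_SAMPLE" | block_rules 3 114.88.88.88
```

With the sample above, 61.177.173.24 is the only source that both reaches three failures and is not allow-listed, so exactly one drop rule is produced; remember to run `firewall-cmd --reload` after applying any of them.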
2. Set the system time zone and add a cron job to keep the clock in sync (certificate validation and the ACME steps below depend on correct time)
timedatectl set-timezone Asia/Taipei
yum -y install ntpdate yum-utils wget unzip
crontab -e
0 */1 * * * /usr/sbin/ntpdate time.stdtime.gov.tw && /sbin/hwclock -w
3. Install the httpd, nginx
Add the nginx repository so we get the latest version:
vi /etc/yum.repos.d/nginx.repo
=====
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
=====
yum-config-manager --enable nginx-mainline
yum -y install nginx
nginx -v
nginx version: nginx/1.23.2
Start at boot:
systemctl enable nginx
systemctl start nginx
systemctl status nginx
Open the hostname whose DNS A record you created in a browser (from your allowed IP; http is not opened to everyone until step 4). In this example:
http://photo.omega.idv.tw
If you see "Welcome to nginx!",
the nginx httpd is up.
4. Install PHP. Chevereto 4 needs PHP 8 or later, so we install 8.1 together with the required extensions
Add the repositories:
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install -y --enablerepo=remi --enablerepo=remi-php81 php php-{curl,exif,fileinfo,gd,hash,json,pdo,session,xml,fpm,mysql,mbstring} php-pecl-imagick php-pecl-memcache
php -v
PHP 8.1.13 (cli) (built: Nov 22 2022 14:42:07) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.1.13, Copyright (c) Zend Technologies
vi /etc/php-fpm.d/www.conf
Change
user = apache
group = apache
to
user = nginx
group = nginx
Hand the directories to the nginx user:
mkdir -p /wwwroot/photo
chown -R nginx:nginx /wwwroot/photo
chown -R nginx:nginx /var/lib/php/session
chown -R nginx:nginx /var/lib/php/wsdlcache
Because we are not using the default www directory, SELinux has to be told about the new web root:
chcon -R -t httpd_sys_content_t /wwwroot/photo
ls -Zd /wwwroot/photo
Note that chcon only relabels what exists now and the label is lost on a relabel (restorecon); for a label that persists, register the path with semanage fcontext and then run restorecon over it.
Set the PHP time zone and the upload limits:
vi /etc/php.ini
date.timezone = "Asia/Taipei"
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 180
memory_limit = 512M
If you want PHP to run inside .html files as well, php-fpm has to be allowed to execute that extension. This is a pool directive, so it belongs in /etc/php-fpm.d/www.conf, not php.ini; be aware that it makes any .html file that lands under the web root executable, so only enable it if you need it:
security.limit_extensions = .php .html
Enable at boot:
systemctl enable php-fpm
systemctl start php-fpm
systemctl status php-fpm
Since everything needs https nowadays, we set up acme first and then test PHP.
Open http and https to the outside world in the firewall:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
firewall-cmd --list-service
http https
The Chevereto rewrite rules are here; we adjust them to suit the actual setup:
https://v4-docs.chevereto.com/application/stack/web-server.html#nginx
Move the stock default.conf out of the way and create a conf for our site. Open port 80 first; ssl on 443 is switched on once the certificate has been issued.
mv /etc/nginx/conf.d/default.conf /etc/nginx/default.conf
vi /etc/nginx/conf.d/photo.conf
# server {
# listen 80;
# return 301 https://$host$request_uri;
#}
server {
listen 80;
# listen 443 ssl;
server_name photo.omega.idv.tw;
root /wwwroot/photo;
access_log /var/log/nginx/photo.access.log main;
error_log /var/log/nginx/photo.error.log info;
#error_log /var/log/nginx/photo.error.log debug;
# ssl_certificate photo.crt;
# ssl_certificate_key photo.key;
# ssl_protocols TLSv1.2;   # TLS 1.1 is deprecated; TLS 1.3 would also need OpenSSL 1.1.1, which stock CentOS 7 does not ship
client_max_body_size 64M;
fastcgi_read_timeout 180s;
# Disable access to sensitive application files
location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
return 404;
}
location ~* composer\.json|composer\.lock|.gitignore$ {
return 404;
}
location ~* /\.ht {
return 404;
}
# Image not found replacement
location ~* \.(jpe?g|png|gif|webp)$ {
log_not_found off;
error_page 404 /content/images/system/default/404.gif;
}
# CORS header (avoids font rendering issues)
location ~* \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
add_header Access-Control-Allow-Origin "*";
}
# PHP front controller
location / {
index index.php;
try_files $uri $uri/ /index.php$is_args$query_string;
}
# Single PHP-entrypoint (disables direct access to .php files)
location ~* \.(php|html)$ {   # no "?" after the group: with it, any URI ending in a bare dot would also reach php-fpm
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param script_NAME $fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
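To see which request paths the location rules above actually cover, here is an added check, written for this page and not taken from the post or from Chevereto, that replays constructed paths against those same regexes in the order nginx evaluates them. It assumes the PHP location is written `\.(php|html)$`; the `location_matches` helper lets you confirm that the optional-group form `\.(php|html)?$` also matches a path ending in a bare dot. One thing the output makes visible: the config answers 404 for .ht* files but not for other dotfiles, so a stray .git directory under the web root would be served by try_files if it existed; a `location ~ /\.` catch-all closes that, provided the ACME challenge path stays reachable while acme.sh runs.

```shell
# Added example, not from the original post or from Chevereto: replay request
# paths against the regex locations of photo.conf and report what each hits.
# nginx tries regex locations in file order and the first match wins; a path
# matching none falls through to the prefix "location /" front controller.
# grep -Ei stands in for nginx's case-insensitive PCRE match, which gives the
# same answer for these particular patterns. All paths are constructed.

# location_matches REGEX PATH: succeeds when the "location ~*" regex matches
# the path (unanchored, case-insensitive), which is how nginx tests it.
location_matches() {
    printf '%s\n' "$2" | grep -Eiq -e "$1"
}

# classify_uri URI: drop any query string (nginx matches $uri, not the
# arguments) and name the first photo.conf location that matches.
classify_uri() {
    path=${1%%\?*}
    if   location_matches '(app|content|lib)/.*\.(po|php|lock|sql)$' "$path"; then echo "404 sensitive-file"
    elif location_matches 'composer\.json|composer\.lock|.gitignore$' "$path"; then echo "404 build-file"
    elif location_matches '/\.ht' "$path";                                     then echo "404 htaccess"
    elif location_matches '\.(jpe?g|png|gif|webp)$' "$path";                   then echo "static image"
    elif location_matches '\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$' "$path"; then echo "static asset (CORS header)"
    elif location_matches '\.(php|html)$' "$path";                             then echo "fastcgi"
    else echo "front-controller"
    fi
}

# Stand-alone run over a few constructed paths.
for p in '/index.php?page=1' /app/env.php /app/content/x.php /images/2022/11/cat.JPG \
         /images/shell.php.jpg /composer.lock /.htaccess /.git/config /album/123; do
    printf '%-28s -> %s\n' "$p" "$(classify_uri "$p")"
done
```

The double-extension case (/images/shell.php.jpg) is classified as a static image, never passed to php-fpm, because the PHP location anchors on the final extension; that is the property worth re-checking whenever the location list is edited.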
vi /wwwroot/photo/phpinfo.php
<?php
phpinfo();
?>
systemctl restart php-fpm
systemctl restart nginx
5. Install SSL. A free option is
https://github.com/acmesh-official/acme.sh
acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.
Main steps:
1. Install acme.sh
2. Issue the certificate
3. Copy the certificate into nginx/apache or another service
4. Renew the certificate
5. Upgrade acme.sh
6. What to do when something goes wrong, and how to debug
Put your own address in email= (the installer is piped straight into sh; downloading it first and reading it is the safer habit):
curl https://get.acme.sh | sh -s email=ddcc@omega.idv.tw
[Mon Nov 28 11:32:34 CST 2022] Installing from online archive.
[Mon Nov 28 11:32:34 CST 2022] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Mon Nov 28 11:32:34 CST 2022] Extracting master.tar.gz
[Mon Nov 28 11:32:34 CST 2022] It is recommended to install socat first.
[Mon Nov 28 11:32:34 CST 2022] We use socat for standalone server if you use standalone mode.
[Mon Nov 28 11:32:34 CST 2022] If you don't use standalone mode, just ignore this warning.
[Mon Nov 28 11:32:34 CST 2022] Installing to /root/.acme.sh
[Mon Nov 28 11:32:34 CST 2022] Installed to /root/.acme.sh/acme.sh
[Mon Nov 28 11:32:35 CST 2022] Installing alias to '/root/.bashrc'
[Mon Nov 28 11:32:35 CST 2022] OK, Close and reopen your terminal to start using acme.sh
[Mon Nov 28 11:32:35 CST 2022] Installing alias to '/root/.cshrc'
[Mon Nov 28 11:32:35 CST 2022] Installing alias to '/root/.tcshrc'
[Mon Nov 28 11:32:35 CST 2022] Installing cron job
[Mon Nov 28 11:32:35 CST 2022] Good, bash is found, so change the shebang to use bash as preferred.
[Mon Nov 28 11:32:35 CST 2022] OK
[Mon Nov 28 11:32:35 CST 2022] Install success!
Issue the certificate. We use nginx mode; fill in your site's domain.
cd ~/.acme.sh
./acme.sh --issue -d photo.omega.idv.tw --nginx
[Mon Nov 28 11:58:23 CST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Nov 28 11:58:23 CST 2022] Single domain='photo.omega.idv.tw'
[Mon Nov 28 11:58:23 CST 2022] Getting domain auth token for each domain
[Mon Nov 28 11:58:31 CST 2022] Getting webroot for domain='photo.omega.idv.tw'
[Mon Nov 28 11:58:31 CST 2022] Verifying: photo.omega.idv.tw
[Mon Nov 28 11:58:31 CST 2022] Nginx mode for domain:photo.omega.idv.tw
[Mon Nov 28 11:58:31 CST 2022] Found conf file: /etc/nginx/conf.d/photo.conf
[Mon Nov 28 11:58:31 CST 2022] Backup /etc/nginx/conf.d/photo.conf to /root/.acme.sh/photo.omega.idv.tw/backup/photo.omega.idv.tw.nginx.conf
[Mon Nov 28 11:58:31 CST 2022] Check the nginx conf before setting up.
[Mon Nov 28 11:58:31 CST 2022] OK, Set up nginx config file
[Mon Nov 28 11:58:31 CST 2022] nginx conf is done, let's check it again.
[Mon Nov 28 11:58:31 CST 2022] Reload nginx
[Mon Nov 28 11:58:36 CST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Nov 28 11:58:42 CST 2022] Success
[Mon Nov 28 11:58:42 CST 2022] Restoring from /root/.acme.sh/photo.omega.idv.tw/backup/photo.omega.idv.tw.nginx.conf to /etc/nginx/conf.d/photo.conf
[Mon Nov 28 11:58:42 CST 2022] Reload nginx
[Mon Nov 28 11:58:42 CST 2022] Verify finished, start to sign.
[Mon Nov 28 11:58:42 CST 2022] Lets finalize the order.
[Mon Nov 28 11:58:42 CST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WXxCs-ubDmGbx/finalize'
[Mon Nov 28 11:58:44 CST 2022] Order status is processing, lets sleep and retry.
[Mon Nov 28 11:58:44 CST 2022] Retry after: 15
[Mon Nov 28 11:59:00 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/WXxCs-ubDmGbx
[Mon Nov 28 11:59:03 CST 2022] Order status is processing, lets sleep and retry.
[Mon Nov 28 11:59:03 CST 2022] Retry after: 15
[Mon Nov 28 11:59:19 CST 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/WXxCs-ubDmGbx
[Mon Nov 28 11:59:20 CST 2022] Downloading cert.
[Mon Nov 28 11:59:20 CST 2022] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/_sRF-j6QH'
[Mon Nov 28 11:59:22 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
MIIGbDCCBFSgAwIBAgIRAOghu1mzN810P5+k44Y78is
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0w
U0wgU
eLIoU7LJsQP2wHD4/L2xVw==
-----END CERTIFICATE-----
[Mon Nov 28 11:59:22 CST 2022] Your cert is in: /root/.acme.sh/photo.omega.idv.tw/photo.omega.idv.tw.cer
[Mon Nov 28 11:59:22 CST 2022] Your cert key is in: /root/.acme.sh/photo.omega.idv.tw/photo.omega.idv.tw.key
[Mon Nov 28 11:59:22 CST 2022] The intermediate CA cert is in: /root/.acme.sh/photo.omega.idv.tw/ca.cer
[Mon Nov 28 11:59:22 CST 2022] And the full chain certs is there: /root/.acme.sh/photo.omega.idv.tw/fullchain.cer
Install the certificate:
./acme.sh --install-cert -d photo.omega.idv.tw \
--key-file /etc/nginx/photo.key \
--fullchain-file /etc/nginx/photo.crt \
--reloadcmd "service nginx force-reload"
(A small reminder: this uses service nginx force-reload, not service nginx reload. According to testing, reload does not reload the certificate, which is why force-reload is used.)
Point nginx's ssl_certificate at the full chain (here /etc/nginx/photo.crt, installed from fullchain.cer), not at <domain>.cer alone; otherwise the SSL Labs test reports "Chain issues: Incomplete".
Check the certificate status:
./acme.sh --info -d photo.omega.idv.tw
Put the SSL settings back in and redirect http to https:
vi /etc/nginx/conf.d/photo.conf
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
# listen 80;
listen 443 ssl;
server_name photo.omega.idv.tw;
root /wwwroot/photo;
access_log /var/log/nginx/photo.access.log main;
error_log /var/log/nginx/photo.error.log info;
#error_log /var/log/nginx/photo.error.log debug;
ssl_certificate photo.crt;
ssl_certificate_key photo.key;
ssl_protocols TLSv1.2;   # TLS 1.1 is deprecated; TLS 1.3 would also need OpenSSL 1.1.1, which stock CentOS 7 does not ship
client_max_body_size 64M;
fastcgi_read_timeout 180s;
# Disable access to sensitive application files
location ~* (app|content|lib)/.*\.(po|php|lock|sql)$ {
return 404;
}
location ~* composer\.json|composer\.lock|.gitignore$ {
return 404;
}
location ~* /\.ht {
return 404;
}
# Image not found replacement
location ~* \.(jpe?g|png|gif|webp)$ {
log_not_found off;
error_page 404 /content/images/system/default/404.gif;
}
# CORS header (avoids font rendering issues)
location ~* \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
add_header Access-Control-Allow-Origin "*";
}
# PHP front controller
location / {
index index.php;
try_files $uri $uri/ /index.php$is_args$query_string;
}
# Single PHP-entrypoint (disables direct access to .php files)
location ~* \.(php|html)$ {   # no "?" after the group: with it, any URI ending in a bare dot would also reach php-fpm
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#fastcgi_param script_NAME $fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
}
systemctl restart nginx
Now opening http redirects automatically to https:
http://photo.omega.idv.tw/phpinfo.php
Remove phpinfo.php as soon as you have checked it; it discloses paths, versions and loaded modules to anyone who finds it:
rm /wwwroot/photo/phpinfo.php
6. Install the memcached service
yum install memcached -y
systemctl enable memcached.service
systemctl start memcached.service
ss -ntulp | grep 11211
memcached-tool 127.0.0.1:11211 stats
The ss output should show memcached listening on 127.0.0.1 only. Unless the OPTIONS line in /etc/sysconfig/memcached says otherwise, the CentOS 7 package listens on every interface; bind it to loopback there. The firewall rules above already keep 11211 closed, but the PHP sessions are about to live in this daemon, so do not rely on the firewall alone.
vi /etc/php.ini
Change
session.save_handler = files
to
session.save_handler = memcache
and add
session.save_path = "tcp://localhost:11211?persistent=1&weight=1&timeout=1&retry_interval=15"
vi /etc/php-fpm.d/www.conf
Comment out the existing lines with a semicolon and add the new ones:
;php_value[session.save_handler] = files
;php_value[session.save_path] = /var/lib/php/session
;php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
php_value[session.save_handler] = memcache
php_value[session.save_path] = "tcp://localhost:11211?persistent=1&weight=1&timeout=1&retry_interval=15"
systemctl restart php-fpm
systemctl restart nginx
php -i | grep "session.save"
memcache.session_save_path => no value => no value
session.save_handler => memcache => memcache
session.save_path => tcp://localhost:11211?persistent=1&weight=1&timeout=1&retry_interval=15 => tcp://localhost:11211?persistent=1&weight=1&timeout=1&retry_interval=15
7. Install MariaDB
vi /etc/yum.repos.d/MariaDB.repo
# MariaDB 10.8 CentOS repository list - created 2022-11-28 04:30 UTC
# https://mariadb.org/download/
[mariadb]
name = MariaDB
baseurl = https://tw1.mirror.blendbyte.net/mariadb/yum/10.8/centos7-amd64
gpgkey=https://tw1.mirror.blendbyte.net/mariadb/yum/RPM-GPG-KEY-MariaDB
gpgcheck=1
yum install -y MariaDB-server MariaDB-client
systemctl enable --now mariadb
systemctl status mariadb
mariadb-secure-installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n] n
... skipping.
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Create the database for Chevereto:
mariadb -u root -p
Choose your own database name (chevereto), user (username) and password (passwd):
-- Create the database
CREATE DATABASE `chevereto`;
-- Create the user and set its password
CREATE USER 'username'@'localhost' IDENTIFIED BY 'passwd';
-- Grant privileges on that database only
GRANT ALL PRIVILEGES ON chevereto.* TO 'username'@'localhost';
-- Reload the privilege tables so the changes take effect
FLUSH PRIVILEGES;
\q
8. Install Chevereto
The program can be downloaded from
https://chevereto.com/panel
or, following the docs, fetched with get.sh:
https://v4-docs.chevereto.com/application/installing/installation.html
cd /wwwroot/photo
bash <(curl -s https://raw.githubusercontent.com/chevereto/vps/4.0/common/get.sh)
__ __
____/ / ___ _ _____ _______ / /____
/ __/ _ \/ -_) |/ / -_) __/ -_) __/ _ \
\__/_//_/\__/|___/\__/_/ \__/\__/\___/
Chevereto V4 License (hidden): enter your license key to download
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 71.6M 100 71.6M 0 0 9498k 0 0:00:07 0:00:07 --:--:-- 10.3M
curl: Saved to filename 'chevereto_4.0.4_dgxvdes.zip'
[NOTICE] www-data user not found, skipping ownership change
[OK] Chevereto V4 files provisioned!
Opening the site right away gives the following error:
System error
The system has encountered errors in your server setup that must be fixed to use Chevereto:
No write permission for PHP user root in /images/ directory. Chevereto needs to be able to write in this directory.
No write permission for PHP user root in /content/ directory. Chevereto needs to be able to write in this directory.
No write permission for PHP user root in /app/content/ directory. Chevereto needs to be able to write in this directory.
Need help? Check our Support.

We ran the download as root, so change the owner to nginx and label the writable directories:
chown -R nginx:nginx /wwwroot/photo
chcon -R -t httpd_sys_rw_content_t /wwwroot/photo/images/
chcon -R -t httpd_sys_rw_content_t /wwwroot/photo/content/
chcon -R -t httpd_sys_rw_content_t /wwwroot/photo/app/content/
Open https://photo.omega.idv.tw/install to reach the database setup screen.

Fill in the values you set earlier.
This appears:
Edit app/env.php
The database details are correct, but the system was unable to put these at the app/env.php file.
You will require to edit the /wwwroot/photo/app/env.php file with the contents below. Once done, re-load this window.
So we write the information in ourselves:
vi /wwwroot/photo/app/env.php
<?php
return [
'CHEVERETO_DB_HOST' => 'localhost',
'CHEVERETO_DB_NAME' => 'chevereto',
'CHEVERETO_DB_PASS' => 'passwd',
'CHEVERETO_DB_PORT' => '3306',
'CHEVERETO_DB_USER' => 'username',
'CHEVERETO_DB_TABLE_PREFIX' => 'chv_',
'CHEVERETO_ENCRYPTION_KEY' => 'ZTU09Mu*****',
];
chown nginx:nginx /wwwroot/photo/app/env.php
This file holds the database password and the encryption key, so keep it readable by the nginx user only; the nginx config above already answers 404 for any .php under app/, so it is never served.
Press Re-load

Enter the admin details; the name needs at least three characters.

Install-complete screen; you can go to the dashboard or to the site.

Logging in then failed, which is mainly a security setting: SELinux does not let php-fpm (httpd_t) open outbound TCP connections, and it now needs one to reach the memcached session store. Enable it:
setsebool -P httpd_can_network_connect=1
(If you do not need general outbound access, the narrower boolean httpd_can_network_memcache covers only the memcached port.)
Switching language in the admin panel then produced an error. Adding
'CHEVERETO_DEBUG_LEVEL' => '2',
to env.php shows that the error is a permissions problem,
again the security label: the cache directory has to be writable too. Turn the debug level back down once you are done so error details are not shown to visitors.
chcon -R -t httpd_sys_rw_content_t /wwwroot/photo/app/.cache
If you forgot to raise the upload limits, the recommended values are documented here:
https://v4-docs.chevereto.com/application/stack/php.html#configuration
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 30
memory_limit = 512M
Edit the settings:
vi /etc/php.ini
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 180
memory_limit = 512M
Add the matching nginx settings:
vi /etc/nginx/conf.d/photo.conf
client_max_body_size 64M;
fastcgi_read_timeout 180s;
systemctl restart php-fpm
systemctl restart nginx
Admin dashboard -> Image upload -> Maximum upload size [MB]
Remember to change it to 64M
Save the change
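php.ini, the php-fpm pool and nginx each enforce their own limit, and a mismatch between them fails quietly: a POST larger than post_max_size reaches PHP with empty $_POST and $_FILES, a body larger than client_max_body_size gets a 413 from nginx before PHP runs, and a script that outlives fastcgi_read_timeout gets a 504. The check below is an added example written for this page, not code from the post or from Chevereto; it covers the values set in step 4 and repeated just above. It parses constructed excerpts of the two files (on a real host read /etc/php.ini and /etc/nginx/conf.d/photo.conf instead) and reports every inconsistency. It also strips the trailing ";" the post had on the php.ini lines, which php.ini reads as the start of a comment, so the value was still 64M.

```shell
# Added example, not from the original post: cross-check the upload limits
# that must agree across php.ini, the php-fpm pool and nginx. Both config
# texts are constructed from the values in the post.

PHP_INI_SAMPLE='; constructed excerpt of /etc/php.ini
; the trailing ";" on the next line is copied from the post and starts a comment
upload_max_filesize = 64M;
post_max_size = 64M
max_execution_time = 180
memory_limit = 512M'

NGINX_SAMPLE='server {
    client_max_body_size 64M;
    fastcgi_read_timeout 180s;
}'

# to_bytes SIZE: convert a PHP/nginx size such as 64M, 8k or 512 to bytes
# (both PHP and nginx use binary units here).
to_bytes() {
    v=$1
    case "$v" in
        *[Gg]) echo $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
        *[Mm]) echo $(( ${v%?} * 1024 * 1024 )) ;;
        *[Kk]) echo $(( ${v%?} * 1024 )) ;;
        *)     echo $(( ${v:-0} )) ;;
    esac
}

# php_ini_get KEY TEXT: value of KEY with ";" comments and whitespace removed.
php_ini_get() {
    printf '%s\n' "$2" | awk -v k="$1" -F= '
        /^[ \t]*;/ { next }
        $1 ~ "^[ \t]*" k "[ \t]*$" { v = $2; sub(/;.*/, "", v); gsub(/[ \t]/, "", v); print v; exit }'
}

# nginx_get DIRECTIVE TEXT: first value of DIRECTIVE, without the trailing
# ";" and without a trailing "s" time unit.
nginx_get() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { v = $2; sub(/;$/, "", v); sub(/s$/, "", v); print v; exit }'
}

# check_limits PHP_INI_TEXT NGINX_TEXT: print one line per inconsistency and
# return 1 if there was any, 0 when the three layers agree.
check_limits() {
    ini=$1; ngx=$2; rc=0
    up=$(to_bytes "$(php_ini_get upload_max_filesize "$ini")")
    post=$(to_bytes "$(php_ini_get post_max_size "$ini")")
    body=$(to_bytes "$(nginx_get client_max_body_size "$ngx")")
    php_t=$(php_ini_get max_execution_time "$ini")
    ngx_t=$(nginx_get fastcgi_read_timeout "$ngx")
    [ "$up" -le "$post" ]    || { echo "upload_max_filesize ($up) > post_max_size ($post): PHP sees an empty POST"; rc=1; }
    [ "$post" -le "$body" ]  || { echo "post_max_size ($post) > client_max_body_size ($body): nginx answers 413 first"; rc=1; }
    [ "$php_t" -le "$ngx_t" ] || { echo "max_execution_time ($php_t) > fastcgi_read_timeout ($ngx_t): nginx answers 504 before PHP finishes"; rc=1; }
    return $rc
}

# Stand-alone run on the constructed samples.
if check_limits "$PHP_INI_SAMPLE" "$NGINX_SAMPLE"; then
    echo "upload limits consistent across php.ini and nginx"
fi
```

Run it again after every change to either file; the Chevereto dashboard value ("Maximum upload size") must then be set no higher than the smallest of the three.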
Posted 2022-11-29 16:51; last edited by dc on 2022-11-29 17:00