
How to Install Neos CMS with Nginx and Let's Encrypt SSL on Rocky Linux 8



Prerequisites

  • A server running Rocky Linux 8.

  • A non-root sudo user.

  • Make sure everything is updated.

    $ sudo dnf update

  • Install basic utility packages. Some of them may already be installed.

    $ sudo dnf install wget curl nano unzip yum-utils -y 

Step 1 - Configure the Firewall

$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --permanent --list-services
cockpit dhcpv6-client ssh
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --list-services
cockpit dhcpv6-client http https ssh
$ sudo firewall-cmd --reload

Step 2 - Install Nginx

$ sudo nano /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

$ sudo dnf install nginx
$ nginx -v
nginx version: nginx/1.20.2
$ sudo systemctl enable nginx --now

Step 3 - Install PHP and Extensions

$ sudo dnf install epel-release
$ sudo dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
$ dnf module list php -y
Last metadata expiration check: 0:00:12 ago on Fri 03 Dec 2021 09:39:32 AM UTC.
Rocky Linux 8 - AppStream
Name                Stream                 Profiles                                 Summary
php                 7.2 [d]                common [d], devel, minimal               PHP scripting language
php                 7.3                    common [d], devel, minimal               PHP scripting language
php                 7.4                    common [d], devel, minimal               PHP scripting language

Remi's Modular repository for Enterprise Linux 8 - x86_64
Name                Stream                 Profiles                                 Summary
php                 remi-7.2               common [d], devel, minimal               PHP scripting language
php                 remi-7.3               common [d], devel, minimal               PHP scripting language
php                 remi-7.4               common [d], devel, minimal               PHP scripting language
php                 remi-8.0               common [d], devel, minimal               PHP scripting language
php                 remi-8.1               common [d], devel, minimal               PHP scripting language

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
$ sudo dnf module reset php
$ sudo dnf module enable php:remi-8.0
$ sudo dnf install php-fpm php-mbstring php-xml php-curl php-mysqlnd php-zip php-cli php-imagick ImageMagick php-intl
$ php --version
PHP 8.0.14 (cli) (built: Dec 16 2021 03:01:07) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.14, Copyright (c) Zend Technologies

Step 4 - Install and Configure MySQL Server

$ sudo dnf install mysql-server
$ sudo systemctl enable mysqld --now
$ sudo mysql_secure_installation

Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?

Press y|Y for Yes, any other key for No: Y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Please set the password for root here.

New password:

Re-enter new password:

Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y
...
Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y
Success.
...
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y
Success.
...
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
 - Dropping test database...
Success.
 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
...
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y
Success.

All done!

$ mysql -u root -p
mysql> CREATE USER 'neos'@'localhost' IDENTIFIED BY 'Your_password2';
mysql> CREATE DATABASE neosdb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
mysql> GRANT ALL PRIVILEGES ON neosdb.* TO 'neos'@'localhost';
mysql> exit

Step 5 - Install Composer

$ curl -sS https://getcomposer.org/installer -o composer-setup.php
$ HASH=`curl -sS https://composer.github.io/installer.sig`
$ echo $HASH
$ php -r "if (hash_file('SHA384', 'composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
Installer verified
$ sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
$ composer --version
Composer version 2.2.3 2021-12-31 12:18:53
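The php -r one-liner above compares the installer's SHA-384 against the digest published separately at https://composer.github.io/installer.sig, and deletes the installer on a mismatch. The script below is an added example, not part of the tutorial: it performs the same check with sha384sum from coreutils so it also works on a host where PHP is not installed yet, and it additionally refuses to compare against an empty or malformed digest, which is exactly what an interrupted download of installer.sig would leave in $HASH. The file path and the expected digest are passed as arguments; the function names are this example's own, and the sample file used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify composer-setup.php against the
# SHA-384 published separately at https://composer.github.io/installer.sig.
# Uses sha384sum from coreutils; function names are this example's own.

# Print the lowercase hex SHA-384 digest of a file.
file_sha384() {
    sha384sum "$1" | awk '{ print $1 }'
}

# verify_installer FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals EXPECTED_HEX (case-insensitive).
# An empty or malformed digest, which is what a failed download of
# installer.sig yields, is rejected instead of being compared. On any
# failure the installer is deleted, as the tutorial's unlink() does, and 1
# is returned so a script running under set -e stops here.
verify_installer() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d '[:space:]')

    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{96}$'; then
        echo "Refusing to verify: expected digest is empty or not 96 hex characters" >&2
        rm -f "$file"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "Missing file: $file" >&2
        return 1
    fi

    actual=$(file_sha384 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "Installer verified"
        return 0
    fi
    echo "Installer corrupt: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
}

# Stand-alone use, matching the tutorial's download step:
#   sh verify-composer.sh composer-setup.php "$(curl -sS https://composer.github.io/installer.sig)"
if [ "$#" -eq 2 ]; then
    verify_installer "$1" "$2"
fi
```

Because the digest is fetched from a different host than the installer, an attacker who can tamper with one download still has to tamper with the other to pass this check; the script only adds the guard that a missing digest never counts as a match.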

Step 6 - Install Neos CMS

$ sudo mkdir -p /var/www/neos
$ sudo chown -R $USER:$USER /var/www/neos
$ cd /var/www/neos
$ composer create-project --no-dev neos/neos-base-distribution .
  - Installing neos/composer-plugin (2.1.3): Extracting archive
neos/composer-plugin contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "neos/composer-plugin" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
  - Installing composer/package-versions-deprecated (1.11.99.4): Extracting archive
composer/package-versions-deprecated contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "composer/package-versions-deprecated" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
$ sudo ./flow core:setfilepermissions $USER nginx nginx
$ sudo usermod -a -G nginx $USER

Step 7 - Configure SELinux Permissions

$ sudo chcon -t httpd_sys_content_t /var/www/neos -R
$ sudo chcon -t httpd_sys_rw_content_t /var/www/neos -R
$ sudo setsebool -P httpd_can_network_connect on 

Step 8 - Install and Configure SSL

$ sudo dnf install certbot 
$ sudo systemctl stop nginx 
$ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m  -d neos.example.com 
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 
$ sudo mkdir -p /var/lib/letsencrypt 
$ sudo nano /etc/cron.daily/certbot-renew 
#!/bin/sh
certbot renew --cert-name neos.example.com --webroot -w /var/lib/letsencrypt/ --post-hook "systemctl reload nginx"
$ sudo chmod +x /etc/cron.daily/certbot-renew 

Step 9 - Configure Nginx and PHP

Configure PHP-FPM

$ sudo nano /etc/php-fpm.d/www.conf 
...
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
; RPM: apache user chosen to provide access to the same directories as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
...
$ sudo systemctl start php-fpm 

Configure Nginx

$ sudo nano /etc/nginx/conf.d/neos.conf

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  neos.example.com;

    access_log  /var/log/nginx/neos.access.log;
    error_log   /var/log/nginx/neos.error.log;

    # SSL
    ssl_certificate      /etc/letsencrypt/live/neos.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/neos.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/neos.example.com/chain.pem;
    ssl_session_timeout  5m;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    resolver 8.8.8.8;

    root /var/www/neos/Web/;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Pass PHP Scripts To FastCGI Server
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass unix:/run/php-fpm/www.sock; # Depends On The PHP Version
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param FLOW_REWRITEURLS  1;
        fastcgi_param FLOW_CONTEXT  Production;
        fastcgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
        fastcgi_param X-Forwarded-Port $proxy_port;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_NAME $http_host;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size  128k;
        fastcgi_buffers  256 16k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        include fastcgi_params;
        try_files $uri =404;
    }

    location ~ /_Resources/ {
        access_log off;
        log_not_found off;
        expires max;

        if (!-f $request_filename) {
            rewrite "/_Resources/Persistent/([a-z0-9]{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break;
            rewrite "/_Resources/Persistent(?>/[a-z0-9]{5}){8}/([a-f0-9]{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break;
        }
    }
}

# enforce HTTPS
server {
    listen       80;
    listen       [::]:80;
    server_name  neos.example.com;
    return 301   https://$host$request_uri;
}

$ sudo nano /etc/nginx/nginx.conf

server_names_hash_bucket_size  64;

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ sudo systemctl restart nginx
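nginx -t only checks syntax; it will not tell you if a later edit re-enables TLSv1.1 or drops the try_files $uri =404 line from the PHP location. The script below is an added example, not part of the tutorial, that reads a server block such as neos.conf and reports the settings from the configuration above that matter most: ssl_protocols restricted to TLSv1.2 and TLSv1.3, ssl_session_tickets off, ssl_stapling on, ssl_dhparam set, and a fastcgi_pass that is accompanied by try_files $uri =404 so nginx answers for script paths that do not exist instead of handing them to PHP-FPM. It is a line-oriented parser: it strips comments, does not follow include files and does not track nesting, so it checks presence rather than which block a directive sits in. The function names are this example's own, and the two configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: lint an nginx server block such as
# /etc/nginx/conf.d/neos.conf for the TLS and FastCGI settings the tutorial
# sets. Line-oriented only: it does not follow include files or track
# nesting. Function names are this example's own.

# Strip comments, leading whitespace and repeated blanks so each directive
# is a single space-separated line.
normalize_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^ *$'
}

# directive_value FILE NAME: print the arguments of the first NAME directive
# without the trailing semicolon, or nothing if it is absent.
directive_value() {
    normalize_conf "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); sub(/;$/, ""); print; exit }'
}

# check_nginx_tls FILE: print one line per finding and return the number of
# findings, so 0 means every check passed.
check_nginx_tls() {
    conf="$1"
    findings=0

    protos=$(directive_value "$conf" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "ssl_protocols is not set explicitly"
        findings=$((findings + 1))
    else
        case " $protos " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                echo "ssl_protocols enables a legacy protocol: $protos"
                findings=$((findings + 1)) ;;
        esac
    fi

    if [ "$(directive_value "$conf" ssl_session_tickets)" != "off" ]; then
        echo "ssl_session_tickets is not off"
        findings=$((findings + 1))
    fi

    if [ "$(directive_value "$conf" ssl_stapling)" != "on" ]; then
        echo "ssl_stapling is not on"
        findings=$((findings + 1))
    fi

    if [ -z "$(directive_value "$conf" ssl_dhparam)" ]; then
        echo "ssl_dhparam is not set"
        findings=$((findings + 1))
    fi

    # The PHP location must let nginx answer for scripts that do not exist
    # (try_files $uri =404) rather than hand the path to PHP-FPM.
    if normalize_conf "$conf" | grep -q '^fastcgi_pass ' &&
       ! normalize_conf "$conf" | grep -q '^try_files \$uri =404;'; then
        echo "fastcgi_pass is used without try_files \$uri =404"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use:  sh lint-nginx-tls.sh /etc/nginx/conf.d/neos.conf
if [ "$#" -eq 1 ]; then
    check_nginx_tls "$1"
fi
```

Run it against neos.conf after every change and before systemctl restart nginx; a non-zero exit code lists what drifted from the configuration shown above.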

Step 10 - Complete the Neos Installation

$ cat /var/www/neos/Data/SetupPassword.txt
The setup password is:

SCPUYmmQ

After you successfully logged in, this file is automatically deleted for security reasons.
Make sure to save the setup password for later use.

Package Name: Neos.HowtoForgeNews
Site Name: HowtoForgeNews

Conclusion