
開発環境構築メモ

2017年07月11日 18時07分

CentOS7


# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

# yum -y update

# groupadd aerosonic
# useradd -g aerosonic aerosonic
# passwd aerosonic

# visudo
## !requiretty lets sudo run for this account without a terminal
## (for example from scripts or remote, non-interactive commands).
Defaults:aerosonic !requiretty
## NOPASSWD: ALL lets this account run any command as any user without
## re-entering a password, so anything that compromises the aerosonic
## login (stolen SSH key, malicious script run as this user) is root on
## the host. Outside a disposable dev box, drop NOPASSWD or restrict the
## rule to the specific commands that need it.
aerosonic ALL=(ALL) NOPASSWD: ALL

# getenforce
Disabled

# vi /etc/ssh/sshd_config
PermitRootLogin no

# hostnamectl set-hostname YOUR_HOST_NAME

# reboot


Firewall


$ sudo yum -y install firewalld
$ sudo systemctl start firewalld
$ sudo firewall-cmd --add-service=http --zone=public --permanent
$ sudo firewall-cmd --add-service=https --zone=public --permanent
$ sudo systemctl enable firewalld.service
$ sudo systemctl restart firewalld
$ sudo firewall-cmd --list-all


fail2ban


$ sudo yum -y install fail2ban fail2ban-systemd

$ sudo vi /etc/fail2ban/jail.conf
# Prefer putting these overrides in /etc/fail2ban/jail.local (or a file
# under /etc/fail2ban/jail.d/) instead of editing jail.conf directly:
# jail.conf can be replaced by a package update, which would silently
# turn the sshd jail back off.
[sshd]
enabled = true
# iptables-based action, left commented out because firewalld manages
# the packet filter on this host.
#banaction = iptables-multiport
# Ban offending addresses through firewalld using an ipset.
# NOTE(review): needs the ipset package - confirm it is installed, then
# check the jail with "fail2ban-client status sshd".
banaction = firewallcmd-ipset

$ sudo systemctl enable fail2ban.service
$ sudo systemctl start fail2ban


Nginx


$ sudo yum -y remove httpd-*

$ sudo vi /etc/yum.repos.d/nginx.repo
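# Official nginx.org mainline package repository.
[nginx]
name=nginx repo
# Fetch over HTTPS so repository metadata cannot be altered in transit.
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
# Verify package signatures. With gpgcheck=0 yum installs, as root,
# whatever the mirror or a network intermediary serves.
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
# The repo stays disabled by default, so it is only used when requested
# explicitly: yum -y install --enablerepo=nginx nginx
enabled=0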

$ sudo yum -y install nginx

$ sudo systemctl enable nginx.service
$ sudo systemctl start nginx

$ sudo mkdir -p /var/www/YOUR_PROJECT/prod
$ sudo mkdir -p /var/www/YOUR_PROJECT/test

$ cd
$ sudo yum -y install git
$ git clone https://github.com/letsencrypt/letsencrypt.git
$ cd letsencrypt
$ ./letsencrypt-auto --help

$ ./letsencrypt-auto certonly --standalone --webroot-path /var/www/YOUR_PROJECT/prod -d YOUR_DOMAIN -m YOUR_EMAIL --agree-tos
$ ./letsencrypt-auto certonly --standalone --webroot-path /var/www/YOUR_PROJECT/test -d test.YOUR_DOMAIN -m YOUR_EMAIL --agree-tos

$ sudo vi /etc/nginx/conf.d/prod.conf
$ sudo vi /etc/nginx/conf.d/test.conf
※以下prodのみ記載。testは、prod→testに変更して対応
----
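# Do not advertise the nginx version in the Server header or error pages.
server_tokens off;

# Plain HTTP: redirect every request to the HTTPS virtual host.
server {
    listen 80;
    server_name YOUR_DOMAIN;
    root /var/www/YOUR_PROJECT/prod;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive, which
    # current nginx releases no longer accept.
    listen 443 ssl;
    server_name YOUR_DOMAIN;
    root /var/www/YOUR_PROJECT/prod;

    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;

    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # Add TLSv1.3 once the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_max_body_size 100m;

    # Response headers are declared at server level. When they sit inside
    # "location /", they are lost as soon as try_files redirects
    # internally to the PHP location, so PHP responses would be served
    # without them.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;

    # CORS: browsers reject "Access-Control-Allow-Origin: *" together with
    # "Access-Control-Allow-Credentials: true". Name the one origin that
    # may send credentialed requests (placeholder below); reflecting
    # arbitrary origins with credentials enabled would let any site read
    # authenticated responses.
    add_header Access-Control-Allow-Origin https://YOUR_ALLOWED_ORIGIN;
    add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
    add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header Access-Control-Allow-Credentials true;

    # Deny rules must come before the PHP location: regex locations are
    # tried in file order and the first match wins, so a deny rule for
    # "config.php" placed after "\.php$" never takes effect.
    location ~ (\.yml|\.log|\.sql|\.csv|\.html|\.txt|\.xml|\.co?nf|\.pem|\.pid)$ {
        deny all;
    }
    location ~ "sess_\w{26}$" {
        deny all;
    }
    location ~ ((config|urls|cli|Controller|Helper)\.php)$ {
        deny all;
    }

    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$args;
        # auth_basic "Input your ID and Password.";
        # auth_basic_user_file /var/www/html/.htpasswd;
    }

    # The dot is escaped so that only a literal ".php" suffix matches.
    location ~ \.php$ {
        # Hand only files that exist on disk to PHP-FPM. Without this
        # check a URI such as "upload.jpg/x.php" can cause PHP to run a
        # non-PHP file when cgi.fix_pathinfo is enabled.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
    }
}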

$ sudo systemctl start nginx


PHP


$ sudo yum -y install epel-release
# NOTE(review): this release RPM is downloaded over plain HTTP and
# installed as root; it presumably also carries the repo definition and
# signing key that later remi packages are checked against. Prefer an
# HTTPS URL published by the repository and verify the package
# (rpm -K after importing the repository key) before installing.
$ sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

$ sudo yum -y install --enablerepo=remi,remi-php70 php php-devel php-mbstring php-pdo php-gd php-zip php-process php-opcache php-mysqlnd php-xml php-dom php-mcrypt php-posix php-intl php-fpm

$ sudo vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

$ sudo systemctl enable php-fpm.service
$ sudo systemctl start php-fpm

$ sudo vi /etc/php.ini
date.timezone = "Asia/Tokyo"
expose_php = Off
post_max_size = 128M
upload_max_filesize = 128M


MariaDB


$ sudo yum remove mariadb mariadb-libs

$ sudo vi /etc/yum.repos.d/MariaDB.repo
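[mariadb]
name = MariaDB
# Use HTTPS, as the gpgkey URL on the same host already does. gpgcheck=1
# verifies package signatures, but this config does not verify repository
# metadata, so it should not travel in cleartext.
baseurl = https://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1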

$ sudo yum -y install --enablerepo=mariadb MariaDB-common MariaDB-devel MariaDB-shared MariaDB-compat MariaDB-server MariaDB-client
$ sudo systemctl enable mariadb.service
$ sudo systemctl start mariadb
$ sudo mysql_secure_installation
Enter current password for root (enter for none): Enter
Set root password? [Y/n] Y
New password: YOUR_PASSWORD
Re-enter new password: YOUR_PASSWORD
Password updated successfully!
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

$ sudo cp -p /usr/share/mysql/my-innodb-heavy-4G.cnf /etc/my.cnf.d/server.cnf

$ sudo vi /etc/my.cnf.d/server.cnf
[client]
default-character-set = utf8
[mysqld]
datadir=/var/lib/mysql
character-set-server = utf8
skip-name-resolve
innodb_file_per_table

$ sudo systemctl restart mariadb


Postfix


$ sudo yum -y install postfix

