wordpress-好用插件介绍

一、系统安全类

1、Wordfence Security
wordpress 老牌 防火墙插件,必装。

2、Google Authenticator
wordpress 后台登录两步验证插件,提升安全性。

3、Disable XML-RPC / Disable XML-RPC Pingback
关闭远程调用接口,接口是为移动端发博客调用的,但会被黑客利用,所以jing

二、系统优化类

1、EWWW Image Optimizer
对上传的图片进行压缩的插件。

2、W3 Total Cache
建立网站缓存的插件。

3、Accelerated Mobile Pages 
AMP 网站搜索,文章迅速加载插件。

三、文章编辑类

1、Black Studio TinyMCE Widget
wordpress  可以编辑文本的 网页小工具。

2、TinyMCE Advanced
增强版,wordpress 文章编辑软件,可以满足一般的使用需求了。

3、Crayon Syntax Highlighter
wordpress 代码编辑插件,可以方便的在文章中插入代码片段。风格比较多,覆盖比较全。

4、SyntaxHighlighter Evolved
wordpress 代码编辑插件,可以方便的在文章中插入代码片段。风格和前一种不同。

四、实用工具类

1、Collapsing Archives
一款将文章按月份自动收纳展开的插件。

2、Collapsing Categories
一款将文章按类别自动收纳展开的插件。

3、Media Library Assistant
一款对网站图片视频资源分类管理插件

4、Phoenix Media Rename
一款网站媒体资源重命名插件

5、Private content
可以在文章中,根据用户角色,判断是否能展示 文章部分隐藏内容。

6、User Access Manager
用户权限管理,可以设置哪些类别,文章,能被哪些用户访问。

7、Top 10
统计网站最流行的文章插件

8、WP Statistics
网站数据统计插件,统计网站各项数据

9、WP User Avatar
修改网站头像插件

10、wpDiscuz
网站论坛插件,在文章回复中添加验证码模块

11、Easy Table of Contents
有widget插件,可以自动生成文章目录,方便阅读

12、Q2W3 Fixed Widget

将侧边栏控件,自由设置固定还是滚动

五、网站维护类

1、Search & Replace
域名替换插件,可以替换数据库中所有域名信息。

2、UpdraftPlus – Backup/Restore
网站备份还原插件

六、界面美化类

1、weichuncai(WP伪春菜)
一款wordpress 桌面精灵插件。

2、Calendar Event
一款好看的日历插件

3、Responsive Lightbox
一款不错的网页图片浏览插件

wordpress 5.0 后,采用 simple code block 代码高亮插件

centos初装系统-安全性加固

转载自:https://www.linode.com/docs/security/securing-your-server/

In the Getting Started guide, you learned how to deploy a Linux distribution, boot your Linode and perform basic administrative tasks. Now it’s time to harden your Linode against unauthorized access.

Update Your System–FrequentlyPermalink

Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.

Automatic Security UpdatesPermalink

There are arguments for and against automatic updates on servers. Fedora’s Wikihas a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. Not all package managers make that easy or possible, though.

The practicality of automatic updates is something you must judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.

Add a Limited User AccountPermalink

Up to this point, you have accessed your Linode as the root user, which has unlimited privileges and can execute any command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server.

Note

Not all Linux distributions include sudo on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output sudo: command not found, install sudo before continuing.

To add a new user, first log in to your Linode via SSH.

CentOS / FedoraPermalink

  1. Create the user, replacing example_user with your desired username, and assign a password:
    useradd example_user && passwd example_user
    
  2. Add the user to the wheel group for sudo privileges:
    usermod -aG wheel example_user
    

    Caution

    In CentOS 6 a wheel group is disabled by default for sudo access. You must to configure it manually. Type from root: /usr/sbin/visudo. Then find the line # %wheeland uncomment this line. To began typing in vi, press a. To save and exit press Escape, then type :w(press enter), :q(press enter)

UbuntuPermalink

  1. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  2. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    

DebianPermalink

  1. Debian does not include sudo by default so it must be installed:
    apt install sudo
    
  2. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  3. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    
  4. After creating your limited user, disconnect from your Linode:
    exit
    
  5. Log back in as your new user. Replace example_user with your username, and the example IP address with your Linode’s IP address:
    ssh [email protected]
    

Now you can administer your Linode from your new user account instead of root. Nearly all superuser commands can be executed with sudo (example: sudo iptables -L -nv) and those commands will be logged to /var/log/auth.log.

Harden SSH AccessPermalink

By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section we’ll create a key-pair and configure the Linode to not accept passwords for SSH logins.

Create an Authentication Key-pairPermalink

  1. This is done on your local computer, not your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.Linux / OS X

    Caution

    If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.
    ssh-keygen -b 4096
    

    Press Enter to use the default names id_rsa and id_rsa.pub in /home/your_username/.ssh before entering your passphrase.

    Windows

    This can be done using PuTTY as outlined in our guide: Use Public Key Authentication with SSH.

  2. Upload the public key to your Linode. Replace example_user with the name of the user you plan to administer the server as, and 203.0.113.10 with your Linode’s IP address.LinuxFrom your local computer:
    ssh-copy-id [email protected]
    

    OS X

    On your Linode (while signed in as your limited user):

    mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
    

    From your local computer:

    scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
    

    Note

    ssh-copy-id is available in Homebrew if you prefer it over SCP. Install with brew install ssh-copy-id.

    Windows

    • Option 1: This can be done using WinSCP. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click Login to connect.Once WinSCP has connected, you’ll see two main sections. The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click Upload in the toolbar above.You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to /home/example_user/.ssh/authorized_keys, replacing example_user with your username.
    • Option 2: Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user):
      mkdir ~/.ssh; nano ~/.ssh/authorized_keys
      

      The above command will open a blank file called authorized_keys in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press CTRL+X, then Y, then Enter to save the file.

    Finally, you’ll want to set permissions for the public key directory and the key file itself:

    sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
    

    These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on how to modify file permissions.

  3. Now exit and log back into your Linode. If you specified a passphrase for your private key, you’ll need to enter it.

SSH Daemon OptionsPermalink

  1. Disallow root logins over SSH. This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or changing to a root shell using su -.
    /etc/ssh/sshd_config
    # Authentication:
    ...
    PermitRootLogin no
  2. Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.
    /etc/ssh/sshd_config
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

    Note

    You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.
  3. Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide, it is only for the SSH daemon.Use the option:
    • AddressFamily inet to listen only on IPv4.
    • AddressFamily inet6 to listen only on IPv6.

    The AddressFamily option is usually not in the sshd_config file by default. Add it to the end of the file:

    echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
    
  4. Restart the SSH service to load the new configuration.If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+)
    sudo systemctl restart sshd
    

    If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):

    sudo service ssh restart
    

Use Fail2Ban for SSH Login ProtectionPermalink

Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.

Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.

For complete instructions on installing and configuring Fail2Ban, see our guide: Securing Your Server with Fail2ban.

Remove Unused Network-Facing ServicesPermalink

Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.

Determine Running ServicesPermalink

To see your Linode’s running network services:

sudo ss -atpu

The following is an example of the output given by ss, and shows that the SSH daemon (sshd) is listening and connected. Note that because distributions run different services by default, your output will differ.

 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=3675,fd=3)) tcp ESTAB 0 208 203.0.113.1:ssh 198.51.100.2:54820 users:(("sshd",pid=3698,fd=3)) tcp LISTEN 0 128 :::ssh :::* users:(("sshd",pid=3675,fd=4)) 

TCPPermalink

See the Peer Address:Port column of the ss readout. The process sshd is listening on *:*, which translates into any incoming IPv4 address to any port, and over any network interface. The next line shows an established SSH connection from IP address 198.51.100.2 via ephemeral port 54820. The last line, :::*denotes the sshd process listening for any incoming SSH connections over IPv6 to any port, and again over any network interface.

UDPPermalink

UDP sockets are stateless, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. This is in contrast to TCP connection states such as LISTEN, ESTABLISHED and CLOSE_WAIT. The ss output above shows no UDP connections.

Determine Which Services to RemovePermalink

A basic TCP and UDP nmap scan of your Linode without a firewall enabled would show SSH and possibly other services listening for incoming connections. By configuring a firewall you can filter those ports to your requirements. Ideally, the unused services should be disabled.

You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, RSA keys and Fail2Ban can help protect SSH. System services like chronyd, systemd-resolved, and dnsmasqare usually listening on localhost and only occasionally contacting the outside world. Services like this are part of your operating system and will cause problems if removed and not properly substituted.

However, some services are unnecessary and should be removed unless you have a specific need for them. Some examples could be Exim, Apache and RPC.

Uninstall the Listening ServicesPermalink

How to remove the offending packages will differ depending on your distribution’s package manager.

Arch

sudo pacman -Rs package_name

CentOS

sudo yum remove package_name

Debian / Ubuntu

sudo apt purge package_name

Fedora

sudo dnf remove package_name

Run ss -atup again to verify that the unwanted services are no longer running.

Configure a FirewallPermalink

Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:

  • Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.
  • FirewallD is the iptables controller available for the CentOS / Fedora family of distributions.
  • UFW provides an iptables frontend for Debian and Ubuntu.

Next StepsPermalink

These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using intrusion detection or installing a form of access control.

Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from migration from shared hosting to enabling two-factor authentication to hosting a website.

See Also

centos初装系统-修改timezone

It may be better to use the same timezone which a majority of your users are located in, or that you live in to make log file timestamps more sensible.

Debian / Ubuntu

[bash]dpkg-reconfigure tzdata[/bash]

Arch Linux and CentOS 7

View the list of available time zones.

[bash]timedatectl list-timezones[/bash]

Use the Up, Down, Page Up and Page Down keys to navigate. Find the time zone which you want. Remember it, write it down or copy it as a mouse selection. Then press q to exit the list.

To set the time zone:

[bash]timedatectl set-timezone ‘America/New_York'[/bash]

Gentoo

View the list of available time zones.

[bash]ls /usr/share/zoneinfo[/bash]

Write the selected time zone to the /etc/timezone file.

Example (for Eastern Standard Time):

[bash]echo "EST" > /etc/timezone[/bash]

Configure the sys-libs/timezone-data package, which will set /etc/localtimeappropriately.

[bash]emerge –config sys-libs/timezone-data[/bash]

Check the Time

View the current date and time according to your server.

[bash]date[/bash]

The output should look similar to: Thu Feb 16 12:17:52 EST 2012.

 

转载自:https://www.linode.com/docs/getting-started/

centos初装系统-修改hostname

你系统的主机名应该是唯一的。 有些人用行星,哲学家或动物命名他们的服务器。 请注意,除了为系统本身提供名称之外,主机名与托管在其上的网站或电子邮件服务没有任何关系。 您的主机名不应该是“www”或任何太普通的名字。如果您想为您的系统分配一个完全合格的域名,请参阅我们的关于使用您系统的主机文件的指南。如果您想为您的系统分配一个完全合格的域名,请参阅我们的关于使用您系统的主机文件的指南

Arch / CentOS 7 / Debian 8 / Fedora / Ubuntu 16.04 and above

Replace example_hostname with one of your choice.

[bash]hostnamectl set-hostname example_hostname[/bash]

Debian 7 / Slackware / Ubuntu 14.04

Replace example_hostname with one of your choice.

[bash]
echo "example_hostname" > /etc/hostname
hostname -F /etc/hostname
[/bash]

Note

Debian and Ubuntu include a line in their hosts file for a loopback domain by default (127.0.1.1), but even though they’re closely related, the commands above to set a hostname don’t change the loopback domain.

The result is the message when using sudo commands: sudo: unable to resolve host . To fix this, add your hostname to the hosts file as shown in the last example here.

CentOS 6

Replace hostname with one of your choice.

[bash]
echo "HOSTNAME=example_hostname" >> /etc/sysconfig/network
hostname "hostname"
[/bash]

Gentoo

Enter the following commands to set the hostname, replacing example_hostnamewith the hostname of your choice:

[bash]
echo "HOSTNAME=\"example_hostname\"" > /etc/conf.d/hostname
/etc/init.d/hostname restart
[/bash]

转载自:https://www.linode.com/docs/getting-started/

mysql设置-修改登录密码

MySQL修改root密码的多种方法(推荐)

方法1: 用SET PASSWORD命令

MySQL -u root
  mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpass');

方法2:用mysqladmin

  mysqladmin -u root password "newpass"

如果root已经设置过密码,采用如下方法

mysqladmin -u root password oldpass "newpass"

方法3: 用UPDATE直接编辑user表

 mysql -u root
  mysql> use mysql;
  mysql> UPDATE user SET Password = PASSWORD('newpass') WHERE user = 'root';
  mysql> FLUSH PRIVILEGES;

在丢失root密码的时候,可以这样

mysqld_safe --skip-grant-tables&
  mysql -u root mysql
  mysql> UPDATE user SET password=PASSWORD("new password") WHERE user='root';
  mysql> FLUSH PRIVILEGES;

 

参考:https://www.jb51.net/article/109259.htm

mysql安装配置-在centos7上

一、先卸载 mariadb

centos7自带 mariadb ;也就是 mysql的另一个分支,先删除了mariadb再装好了。

(重点强调一下:一开始卸载了php-mysql插件,然后装了mysql-5.7后,开启mysql又重新装了一遍。Php-mysql 插件,但是没有重启 php 和mysql,所以没有生效)

# 利用 rpm 查找 已经安装好的 mariadb 版本号 
rpm -qa | grep mariadb
(软件版本号)
# 获得 版本号 后
yum remove (软件版本号)

二、安装mysql yum 源

关于版本说明:el7 就是 centos7 版本,el6 就是 centos6版本。
MySQL must be installed from the community repository.
Download and add the repository, then update.
方法一、

wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
sudo rpm -ivh mysql-community-release-el7-5.noarch.rpm
yum update

方法二、

yum install https://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm

方法三、

# 下载mysql源安装包
shell> wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm

# 安装mysql源
shell> yum localinstall mysql57-community-release-el7-8.noarch.rpm

# 检查mysql源是否安装成功
shell> yum repolist enabled | grep "mysql.*-community.*"
!mysql-connectors-community/x86_64 MySQL Connectors Community                 4
!mysql-tools-community/x86_64      MySQL Tools Community                      5
!mysql57-community/x86_64          MySQL 5.7 Community Server                24

可以修改vim /etc/yum.repos.d/mysql-community.repo源,改变默认安装的mysql版本。比如要安装5.6版本,将5.7源的enabled=1改成enabled=0。然后再将5.6源的enabled=0改成enabled=1即可。
默认 mysql 源 配置 文件

[root@testdb ~]# cat /etc/yum.repos.d/mysql-community.repo
[mysql-connectors-community]
name=MySQL Connectors Community
baseurl=http://repo.mysql.com/yum/mysql-connectors-community/el/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[mysql-tools-community]
name=MySQL Tools Community
baseurl=http://repo.mysql.com/yum/mysql-tools-community/el/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

# Enable to use MySQL 5.5
[mysql55-community]
name=MySQL 5.5 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.5-community/el/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

# Enable to use MySQL 5.6
[mysql56-community]
name=MySQL 5.6 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.6-community/el/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[mysql57-community]
name=MySQL 5.7 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[mysql80-community]
name=MySQL 8.0 Community Server
baseurl=http://repo.mysql.com/yum/mysql-8.0-community/el/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[mysql-tools-preview]
name=MySQL Tools Preview
baseurl=http://repo.mysql.com/yum/mysql-tools-preview/el/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[mysql-cluster-7.5-community]
name=MySQL Cluster 7.5 Community
baseurl=http://repo.mysql.com/yum/mysql-cluster-7.5-community/el/7/$basearch/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

[root@testdb ~]# 

三、安装 运行 mysql

yum install mysql-server
systemctl start mysqld

四、开机启动 mysql

systemctl enable mysqld
systemctl daemon-reload

五、mysql 安全加固

sudo mysql_secure_installation

You will be given the choice to change the MySQL root password, remove anonymous user accounts, disable root logins outside of localhost, and remove test databases. It is recommended that you answer yes to these options. You can read more about the script in the MySQL Reference Manual.

六、登录 mysql

mysql -u root -p

输入密码时:
1、如果 之前 运行了 mysql_secure_installation ,那么默认 root 密码刚才就设置好了。

2、如果 没有 运行 mysql_secure_installation,那么mysql安装完成之后,在/var/log/mysqld.log文件中给root生成了一个默认密码。通过下面的方式找到root默认密码,然后登录mysql进行修改:

[root@testdb ~]# grep 'temporary password' /var/log/mysqld.log
2017-11-10T15:38:35.927329Z 1 [Note] A temporary password is generated for root@localhost: ,vdcjfk1,Dl3
[root@testdb ~]#

3、修改mysql密码

mysql> set password for 'root'@'localhost'=password('HelloWorld8!'); 

注意:mysql5.7默认安装了密码安全检查插件(validate_password),默认密码检查策略要求密码必须包含:大小写字母、数字和特殊符号,并且长度不能少于8位。否则会提示ERROR 1819 (HY000): Your password does not satisfy the current policy requirements错误。

通过msyql环境变量可以查看密码策略的相关信息:

mysql> show variables like '%password%';
+---------------------------------------+--------+
| Variable_name                         | Value  |
+---------------------------------------+--------+
| default_password_lifetime             | 0      |
| disconnect_on_expired_password        | ON     |
| log_builtin_as_identified_by_password | OFF    |
| mysql_native_password_proxy_users     | OFF    |
| old_passwords                         | 0      |
| report_password                       |        |
| sha256_password_proxy_users           | OFF    |
| validate_password_check_user_name     | OFF    |
| validate_password_dictionary_file     |        |
| validate_password_length              | 8      |
| validate_password_mixed_case_count    | 1      |
| validate_password_number_count        | 1      |
| validate_password_policy              | MEDIUM |
| validate_password_special_char_count  | 1      |
+---------------------------------------+--------+
14 rows in set (0.01 sec)

mysql> 

validate_password_policy:密码策略,默认为MEDIUM策略
validate_password_dictionary_file:密码策略文件,策略为STRONG才需要
validate_password_length:密码最少长度
validate_password_mixed_case_count:大小写字符长度,至少1个
validate_password_number_count :数字至少1个
validate_password_special_char_count:特殊字符至少1个
上述参数是默认策略MEDIUM的密码检查规则。
共有以下几种密码策略:

策略 检查规则
0 or LOW Length
1 or MEDIUM Length; numeric, lowercase/uppercase, and special characters
2 or STRONG Length; numeric, lowercase/uppercase, and special characters; dictionary file

MySQL官网密码策略详细说明:http://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html#sysvar_validate_password_policy
修改密码策略
在/etc/my.cnf文件添加validate_password_policy配置,指定密码策略
# 选择0(LOW),1(MEDIUM),2(STRONG)其中一种,选择2需要提供密码字典文件
validate_password_policy=0

如果不需要密码策略,添加my.cnf文件中添加如下配置禁用即可:
validate_password = off
重新启动mysql服务使配置生效:
systemctl restart mysqld

六、mysql 使用前配置

默认配置文件路径:
配置文件:/etc/my.cnf
日志文件:/var/log//var/log/mysqld.log
服务启动脚本:/usr/lib/systemd/system/mysqld.service
socket文件:/var/run/mysqld/mysqld.pid

1、配置默认编码为utf8
修改/etc/my.cnf配置文件,在[mysqld]下添加编码配置,如下所示:

[mysqld]
character_set_server=utf8
init_connect='SET NAMES utf8'

重新启动mysql服务,查看数据库默认编码如下所示:

mysql> show variables like '%character%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.01 sec)

mysql> 

2、
[Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use –explicit_defaults_for_timestamp server option (see documentation for more details).
其原因是从 5.6开始,timestamp 的默认行为已经是 deprecated 了。
在MySQL 5.6.6之前,TIMESTAMP的默认行为:
•TIMESTAMP列如果没有明确声明NULL属性,默认为NOT NULL。(而其他数据类型,如果没有显示声明为NOT NULL,则允许NULL值。)设置TIMESTAMP的列值为NULL,会自动存储为当前timestamp。
•表中的第一个TIMESTAMP列,如果没有声明NULL属性、DEFAULT或者 ON UPDATE,会自动分配 DEFAULT CURRENT_TIMESTAMP和ON UPDATE CURRENT_TIMESTAMP 属性。
•表中第二个TIMESTAMP列,如果没有声明为NULL或者DEFAULT子句,默认自动分配’0000-00-00 00:00:00′。插入行时没有指明改列的值,该列默认分配’0000-00-00 00:00:00′,且没有警告。
要关闭警告,需要加入下面的参数:
/etc/my.cnf 文件中,添加下面这句话

[mysqld]
explicit_defaults_for_timestamp=true

重启MySQL后错误消失,这时TIMESTAMP的行为如下:
•TIMESTAMP如果没有显示声明NOT NULL,是允许NULL值的,可以直接设置改列为NULL,而没有默认填充行为。
•TIMESTAMP不会默认分配DEFAULT CURRENT_TIMESTAMP 和 ON UPDATE CURRENT_TIMESTAMP属性。
•声明为NOT NULL且没有默认子句的TIMESTAMP列是没有默认值的。往数据表中插入列,又没有给TIMESTAMP列赋值时,如果是严格SQL模式,会抛出一 个错误,如果严格SQL模式没有启用,该列会赋值为’0000-00-00 00:00:00′,同时出现一个警告。(这和MySQL处理其他时间类型数据一样,如DATETIME)(参见:http://www.jb51.net/article/71054.htm)
也就是 explicit_defaults_for_timestamp 关闭了 timestamp 类型字段锁拥有的一些会让人感到奇怪的默认行为,加入了该参数之后,如果还需要为 timestamp类型的字段指定默认行为,那么就需要显示的在创建表时显示的指定。explicit_defaults_for_timestamp 也就是这个意思:显示指定默认值为timestamp类型的字段。
explicit_defaults_for_timestamp=true

此外,mysql 服务 用户组,建议 不要用 root 身份启动,所以 就配置 成 以mysql 的用户身份 启动了

explicit_defaults_for_timestamp=true
user=mysql

七、进行远程连接

使用SSH端口转发,在本地电脑上安装 mysql 客户端,然后进行 连接操作。

# 3306 是 mysql服务器的默认 端口
# root 登入 远程服务器 的用户
# 128.128.128.128 远程服务器ip地址
# 12580 是 远程服务器 的 SSH 端口号
ssh -v -C -L 3306:localhost:3306 [email protected] -p 12580

端口转发后,相当于 本地 电脑 3306 端口 运行着 mysql 服务器。
楼主安装的mac平台 mysql客户端是:sequel pro,只要用 mysql 客户端 连接本地 3306端口 就能进行数据库增删改查操作了。

 

部分内容参考自:
http://www.linuxidc.com/Linux/2016-09/135288.htm
https://www.linode.com/docs/databases/mysql/how-to-install-mysql-on-centos-7/

php7配置文件-配置概述

php默认配置文件:
在centos下的目录:   /etc/php.ini

优化php性能的时候,优化配置文件这个是首当其冲的。下边跟大家分享下我总结的关于php.ini配置文件里的每一行的解释,希望能帮助大家进一步了解php。

[root@taokey ~]# grep -v ";" /etc/php.ini
[PHP]
engine = On ——→ 是否启用PHP解析引擎
short_open_tag = Off ——→ 是否使用简介标志
asp_tags = Off ——→ 不允许asp类标志
precision = 14 ——→ 浮点型数据显示的有效期
y2k_compliance = On
####是否强制打开2000年适应(可能在非Y2K适应的浏览器中导致问题)。
output_buffering = 4096 ——→ 输出缓冲区大小(字节)。建议值为4096~8192。
zlib.output_compression = Off ——→ 是否开启zlib输出压缩
implicit_flush = Off ——→ 是否要求PHP输出层在每个输出块之后自动刷新数据
这等效于在每个 print()、echo()、HTML块 之后自动调用flush()函数。打开这个选项对程序执行的性能有严重的影响,通常只推荐在调试时使用。在CLI SAPI的执行模式下,该指令默认为 On 。
unserialize_callback_func =
serialize_precision = 17
####将浮点型和双精度型数据序列化存储时的精度(有效位数)。默认值能够确保浮点型数据被解序列化程序解码时不会丢失数据。
allow_call_time_pass_reference = Off
####是否强迫在函数调用时按引用传递参数(每次使用此特性都会收到一条警告)。
; php反对这种做法,并在将来的版本里不再支持,因为它影响到了代码的整洁。
; 鼓励的方法是在函数声明里明确指定哪些参数按引用传递。
; 我们鼓励你关闭这一选项,以保证你的脚本在将来版本的语言里仍能正常工作。
safe_mode = Off ——→ 安全模式
safe_mode_gid = Off
safe_mode_include_dir =
#在安全模式下,该组目录和其子目录下的文件被包含时,将跳过UID/GID检查。换句话说,如果此处的值为空,任何UID/GID不符合的文件都不允许被包含。这里设置的目录必须已经存在于include_path指令中或者用完整路径来包含。多个目录之间用冒号(Win下为分号)隔开。指定的限制实际上是一个前缀,而非一个目录名。
safe_mode_exec_dir = ——→ 安全模式下的可执行文件存放目录
safe_mode_allowed_env_vars = PHP_
####在安全模式下,用户仅可以更改的环境变量的前缀列表(逗号分隔)。允许用户设置某些环境变量,可能会导致潜在的安全漏洞。注意: 如果这一参数值为空,PHP将允许用户更改任意环境变量。
safe_mode_protected_env_vars = LD_LIBRARY_PATH
####在安全模式下,用户不能更改的环境变量列表(逗号分隔)。这些变量即使在safe_mode_allowed_env_vars指令设置为允许的情况下也会得到保护。
disable_functions = ——→ 该指令接受一个用逗号分隔的函数名列表,以禁用特定的函数。
disable_classes = ——→ 该指令接受一个用逗号分隔的类名列表,以禁用特定的类
zend.enable_gc = On ——→
expose_php = On ——→ 在网页头部显示php信息
max_execution_time = 30 ——→ 每个脚本最大执行秒数
max_input_time = 60 ——→ 每个脚本用来分析请求数据的最大限制时间
memory_limit = 128M ——→ 每个脚本执行的内存限制
error_reporting = E_ALL & ~E_DEPRECATED
display_errors = Off ——→ #显示失误(该关闭,换成日志显示)
display_startup_errors = Off ——→ #显示启动失误
log_errors = On ——→ 生成错误错误日志显示
log_errors_max_len = 1024 ——→ 设定error_log最大长度
ignore_repeated_errors = Off ——→ 打开后,不记录重复的信息
ignore_repeated_source = Off ——→ 打开后当记录重复的信息时忽略来源
report_memleaks = On ——→ 报告内存泄露,仅在debug编译模式下有效
track_errors = Off ——→ ####在$php_errormsg中保存最后一次错误/警告消息 (逻辑值).永远不要再生产环境中使用此特性:html_errors 会显示php错误所在的html标签
html_errors = Off ——→ 是否开启静态网页错误提示
variables_order = "GPCS" ——→ ####此指令描述了PHP注册GET, POST, Cookie, 环境 和 内置变量的顺序 (各自使用G, P, C, E 和 S , 一般使用 EGPCS 或 GPC). 注册使用从左往右的顺序, 新的值会覆盖旧的值.
request_order = "GP"
####此指令描述的顺序PHP注册GET,POST和COOKIE变量_REQUEST数组。注册是由左到右,新的值将覆盖旧值。如果这个指令没有设置,variables_order中使用$ _REQUEST内容。请注意,默认分配的php.ini文件中不包含'C'饼干,出于安全方面的考虑。
register_globals = Off ——→ ##是否打开register全局变量
register_long_arrays = Off
####是否注册老形式的输入数组, HTTP_GET_VARS 和相关数组;如果你不使用他们,建议为了提高性能关闭他们.
register_argc_argv = Off
####此指令让PHP确认是否申明 argv&argc 变量 (这些变量会包含GET信息). ;如果你不使用这些变量,为了提升性能应该关闭此选项.
auto_globals_jit = On
####当打开此项, SERVER 和 ENV 变量将在第一次被使用时而不是脚本一开始时创建(运行时);如果这些变量在脚本中没有被使用过, 打开此项会增加一点性能.;为了使此指令有效,PHP指令 register_globals, register_long_arrays,;以及 register_argc_argv 必须被关闭.
post_max_size = 8M ——→ #PHP可以接受的最大的POST数据大小
magic_quotes_gpc = Off ——→ #针对GET/POST/Cookie数据打开Magic quotes.
magic_quotes_runtime = Off
####针对实时产生的数据打开Magic quotes,例如从SQL获取的数据, 从exec()返回的数据等等.
magic_quotes_sybase = Off ##使用 Sybase 风格的 magic quotes (使用"来引导'替代\').
auto_prepend_file = ——→ #在任何PHP文档之前或之后自动增加文件
auto_append_file =
####两个有趣的变量是auto_prepend_file以及auto_append_file。这些变量指定PHP自动添加到任何PHP文档文件头或文件尾的其他文件。这对于为PHP产生的页面添加页眉或页脚非常有用,可以节省为每个PHP文档添加代码的时间。但需要注意这里的指定文件将会添加到所有的PHP文档中,所以这些变量必须适合单应用程序(single-application)的服务器。所包含的文件要么是PHP脚本,要么是普通的HTML文档。嵌入式PHP代码必须用标准<?php...?>标记括起来。
default_mimetype = "text/html" ——→ #PHP内建默认为text/html
doc_root = ——→ #PHP的"根目录"。仅在非空时有效。
; 如果safe_mode=On,则此目录之外的文件一概被拒绝。 ; 如果编译PHP时没有指定FORCE_REDIRECT,并且在非IIS服务器上以CGI方式运行, ; 则必须设置此指令(参见手册中的安全部分)。 ; 替代方案是使用的cgi.force_redirect指令
user_dir =
####告诉php在使用 /~username 打开脚本时到哪个目录下去找,仅在非空时有效。 也就是在用户目录之下使用PHP文件的基本目录名,例如:"public_html"
enable_dl = Off
####是否允许使用dl()函数。dl()函数仅在将PHP作为apache模块安装时才有效。 禁用dl()函数主要是出于安全考虑,因为它可以绕过open_basedir指令的限制。 在安全模式下始终禁用dl()函数,而不管此处如何设置。
file_uploads = On 是否开启上传功能
upload_max_filesize = 2M #最大可上传文件,2M
max_file_uploads = 20 最大同时可以上传20个文件
allow_url_fopen = On #是否允许打开远程文件
allow_url_include = Off #是否允许include/require远程文件
default_socket_timeout = 60 默认的socket超时时间
[Date] 日期
[filter]
[iconv]
[intl]
[sqlite]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.cache_size = 2000 ——→ Ped_mysql的缓存大小
pdo_mysql.default_socket= ——→ 默认的socket时间
[Phar]
[Syslog]
define_syslog_variables = Off ——→ 是否定义各种的系统日志变量
[mail function] ——→ 邮件功能
SMTP = localhost ——→ 本地作为邮件服务器
smtp_port = 25 邮件端口号默认是25
mail.add_x_header = On ——→ 是否开启最大的header
[SQL]
sql.safe_mode = Off
####是否使用SQL安全模式。如果打开,指定默认值的数据库连接函数将会使用这些默认值代替支持的参数。对于每个不同数据库的连接函数,其默认值请参考相应的手册页面。
[ODBC]
odbc.allow_persistent = On ——→ 允许或阻止持久连接.
odbc.check_persistent = On ——→ 在重用前检查连接是否可用
odbc.max_persistent = -1 ——→ 持久连接的最大数目,-1意味着没有限制.
odbc.max_links = -1 ——→ 最大连接数(持久 + 非持久).-1意味着没有限制.
odbc.defaultlrl = 4096 ——→ 长字段处理.返回变量的字节数.0 意味着略过.
odbc.defaultbinmode = 1
####二进制数据处理.0意味着略过,1按照实际返回,2转换到字符.;查看odbc_binmode和odbc_longreadlen 的文档来获取针对uodbc.defaultlrl和uodbc.defaultbinmode的解释
[Interbase] ——→ Interbase数据库
ibase.allow_persistent = 1 ——→ 允许或组织持久连接。
ibase.max_persistent = -1 ——→ 持久连接的最大数目,-1意味着没有限制.
ibase.max_links = -1 ——→ 最大连接数(持久 + 非持久).-1意味着没有限制.
ibase.timestampformat = "%Y-%m-%d %H:%M:%S" ——→ 数据库时间记录模式
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
[MySQL]
mysql.allow_local_infile = On ——→ 是否允许本地文件连接数据库
mysql.allow_persistent = On ——→ 允许或禁止 持久连接
mysql.cache_size = 2000 ——→ mysql缓存大小
mysql.max_persistent = -1 ——→ 持久连接的最大数目. -1 意味着没有限制.
mysql.max_links = -1 ——→ 连接的最大数目(持久和非持久)。-1 代表无限制
mysql.default_port =
####mysql_connect() 使用的默认端口,如不设置,mysql_connect()
;将使用变量 $MYSQL_TCP_PORT,或在/etc/services 下的mysql-tcp 条目(unix),
;或在编译是定义的 MYSQL_PORT(按这样的顺序)
;Win32环境,将仅检查MYSQL_PORT。
mysql.default_socket =
####用于本地 MySql 连接的默认的套接字名。为空,使用 MYSQL 内建值
mysql.default_host = ——→ mysql_connect() 默认使用的主机(安全模式下无效)
mysql.default_user = ——→ mysql_connect() 默认使用的用户名(安全模式下无效)
mysql.default_password = ——→ mysql_connect() 默认使用的密码(安全模式下无效
mysql.connect_timeout = 60 ——→ 连接超时时间,默认是60s
mysql.trace_mode = Off
[MySQLi]
mysqli.max_persistent = -1 ——→ 持久连接的最大数目. -1 意味着没有限制.
mysqli.allow_persistent = On ——→ 允许或拒绝之久连接
mysqli.max_links = -1 ——→ 最大连接数. -1 意味着没有限制.
mysqli.cache_size = 2000 ——→ 连接缓存大小
mysqli.default_port = 3306 ——→ 连接端口号
####mysqli_connect()默认的端口号.如果没有设置, mysql_connect() 会使用 $MYSQL_TCP_PORT;或者 位于/etc/services的 mysql-tcp 入口或者编译时定义的MYSQL_PORT 值(按照此顺序查找).;Win32 只会查找MYSQL_PORT值.
mysqli.default_socket =
####对于本地MySQL连接的默认socket名称. 如果为空, 则使用MySQL内建默认值.
mysqli.default_host =
####mysqli_connect()的默认host值(在安全模式中不会生效)
mysqli.default_user =
####mysqli_connect()的默认user值(在安全模式中不会生效).
mysqli.default_pw =
####mysqli_connect() 的默认password值(在安全模式中不会生效).
; 注意在此文件中保存密码一般来说是 *糟糕* 的主义.
; *任何* 使用PHP的用户可以执行 'echo get_cfg_var("mysqli.default_password")
; 并且获取到此密码! 而且理所当然, 任何有对此文件读权限的用户都可以获取到此密码.
mysqli.reconnect = Off ——→ 允许或阻止持久连接
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On ——→ 允许或阻止持久连接.
pgsql.auto_reset_persistent = Off
####总是在 pg_pconnect() 时检测断开的持久连接.;自动重置特性会引起一点开销.
pgsql.max_persistent = -1 ——→ 持久连接的最大数目. -1 意味着没有限制.
pgsql.max_links = -1 ——→ 最大连接数 (持久 + 非持久). -1 意味着没有限制
pgsql.ignore_notice = 0 ——→ 是否忽略 PostgreSQL 后端通告消息.;通告消息记录会需要一点开销.
pgsql.log_notice = 0
####是否记录 PostgreSQL 后端通告消息.;除非 pgsql.ignore_notice=0, 否则模块无法记录通告消息。
[Sybase-CT]
sybct.allow_persistent = On ——→ 允许或阻止持久连接.
sybct.max_persistent = -1 ——→ 持久连接的最大数目. -1 意味着没有限制.
sybct.max_links = -1 ——→ 最大连接数 (持久 + 非持久). -1 意味着没有限制.
sybct.min_server_severity = 10 ——→ 显示出的错误最小严重程度.
sybct.min_client_severity = 10 ——→ 显示出的消息最小严重程度
[bcmath]
bcmath.scale = 0 ——→ #用于所有bcmath函数的10十进制数数字的个数
[browscap]
[Session]
session.save_handler = files ——→ 用于保存/取回数据的控制方式
session.use_cookies = 1 ——→ 是否使用cookies
session.use_only_cookies = 1
####这个选项允许管理员去保护那些在URL中传送session id的用户免于被攻击;默认是0.
session.name = PHPSESSID ——→ session 的名字(同时作为cookie的名称
session.auto_start = 0 ——→ 在请求开始时初始化 session
session.cookie_lifetime = 0 ——→ cookie的存活秒数,如果为0,则是直到浏览器重新启动
session.cookie_path = / ——→ cookie的有效路径
session.cookie_domain = ——→ cookie的有效域名
session.cookie_httponly =
####是否将httpOnly标志增加到cookie上,
增加后则cookie无法被浏览器的脚本语言(例如JavaScript)存取.
session.serialize_handler = php 用于序列化数据的处理器. php是标准的PHP序列化器.
session.gc_probability = 1
####; 定义'垃圾回收'进程在每次session初始化时开始的比例.
; 比例由 gc_probability/gc_divisor来得出,
; 例如. 1/100 意味着在每次请求时有1%的机会启动'垃圾回收'进程.
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
####在这里数字所指的秒数后,保存的数据将被视为'碎片(garbage)'并由gc进程清理掉。
session.bug_compat_42 = Off
####PHP 4.2 和更早版本有一个未公开的 特性/bug , 此特性允许你在全局初始化一个session变量,即便 register_globals已经被关闭.;如果此特性被使用,PHP 4.3 和更早版本会警告你.;你可以关闭此特性并且隔离此警告. 这时候,如果打开bug_compat_42,那此警告只是被显示出来.
session.bug_compat_warn = Off
session.referer_check =
####检查HTTP Referer来防止带有id的外部URL.;HTTP_REFERER 必须包含从session来的这个字段才会被认为是合法的.
session.entropy_length = 0 ——→ 从此文件读取多少字节
session.cache_limiter = nocache
####设置为{nocache,private,public,}来决定HTTP缓冲的类型;留空则防止发送anti-caching头.
session.cache_expire = 180 ——→ 文档在n分钟之后过期.
session.use_trans_sid = 0
####trans sid 支持默认关闭.
;使用 trans sid 可能让你的用户承担安全风险.;使用此项必须小心.; - 用户也许通过email/irc/其他途径发送包含有效的session ID的URL给其他人.; - 包含有效session ID的URL可能被存放在容易被公共存取的电脑上.; - 用户可能通过在浏览器历史记录或者收藏夹里面的包含相同的session ID的URL来访问你的站点.
session.hash_function = 0 ——→ 选择hash方法;0:MD5(128 bits);1:SHA-1(160 bits)
session.hash_bits_per_character = 5
; 当转换二进制hash数据到可读形式时,每个字符保存时有几位.
; 4 bits: 0-9, a-f; 5 bits: 0-9, a-v; 6 bits: 0-9, a-z, A-Z, "-", ","
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
URL rewriter会在已经定义的一组HTML标签内查找URL.; form/fieldset 是特殊字符; 如果你在这里包含他们, rewriter会增加一个包含信息的隐藏字段否则就是在URL中附加信息.; 如果你你想遵守XHTML, 删除form的入口.; 注意 所有合法的入口都需要一个"="符号, 甚至是没有任何值的.
[MSSQL]
mssql.allow_persistent = On ——→ 允许或阻止持久连接
mssql.max_persistent = -1 ——→ 持久连接的最大数目. -1 意味着没有限制.
mssql.max_links = -1 ——→ 最大连接数 (持久 + 非持久). -1 意味着没有限制.
mssql.min_error_severity = 10 ——→ 显示出的错误最小严重程度.
mssql.min_message_severity = 10 ——→ 显示出的消息最小严重程度
mssql.compatability_mode = Off ——→ PHP 3.0 老版本的兼容模式.
mssql.secure_connection = Off ——→ 当连接到服务器时使用NT验证
[Assertion]
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
当调用tidy时,默认指向tidy配置文件的路径 tidy是否自动清除和修复输出?; 警告: 不要在你产生非html内容时使用此项,例如产生动态图片时
tidy.clean_output = Off 清除功能是否开启,本文中为关闭状态
[soap]
soap.wsdl_cache_enabled=1 ——→ 打开或关闭WSDL缓冲特性.
soap.wsdl_cache_dir="/tmp" ——→ 设置SOAP扩展存放缓冲文件的目录
soap.wsdl_cache_ttl=86400——→(存活时间)设置当缓冲文件被用来替换原有缓冲文件的秒数
soap.wsdl_cache_limit = 5 ——→ 最小缓存
[sysvshm]
[ldap]
ldap.max_links = -1
[mcrypt]
[dba]
[xsl]

 

转载自: http://blog.51cto.com/taokey/1313756

php7安装配置-在centos7上

一、先卸载旧版php

yum remove php* php-common

二、安装epel

yum -y install epel-release

三、安装第三方yum源

#centos 6.x 的yum源 (二选一)
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm

#centos 7 的yum源 (二选一)
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

#查看是否安装了目标 yum 源
ls /etc/yum.repos.d

# 输出 目标yum源的信息
cat webtatic.repo
[webtatic]
name=Webtatic Repository EL7 - $basearch
#baseurl=https://repo.webtatic.com/yum/el7/$basearch/
mirrorlist=https://mirror.webtatic.com/yum/el7/$basearch/mirrorlist
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7

[webtatic-debuginfo]
name=Webtatic Repository EL7 - $basearch - Debug
#baseurl=https://repo.webtatic.com/yum/el7/$basearch/debug/
mirrorlist=https://mirror.webtatic.com/yum/el7/$basearch/debug/mirrorlist
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7

[webtatic-source]
name=Webtatic Repository EL7 - $basearch - Source
#baseurl=https://repo.webtatic.com/yum/el7/SRPMS/
mirrorlist=https://mirror.webtatic.com/yum/el7/SRPMS/mirrorlist
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webtatic-el7<br>

通过访问 https://repo.webtatic.com/yum/el7/SRPMS/
我们就能看到所有的 rpm 安装包了

#也可以通过命令查看该源对应的安装包
yum list --enablerepo=webtatic | grep php
#或者 直接 搜索 相关安装包
yum search php71w
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * epel: mirrors.kernel.org
 * extras: mirrors.linode.com
 * updates: mirrors.linode.com
 * webtatic: sp.repo.webtatic.com
============================= N/S matched: php71w ==============================
mod_php71w.x86_64 : PHP module for the Apache HTTP Server
php71w-bcmath.x86_64 : A module for PHP applications for using the bcmath
                     : library
php71w-cli.x86_64 : Command-line interface for PHP
php71w-common.x86_64 : Common files for PHP
注意一个问题,php71w和php70w,它们的描述方式不同。
php70w.x86_64 : PHP scripting language for creating dynamic web sites
mod_php71w.x86_64 : PHP module for the Apache HTTP Server
其实效果是一样的,就是php 服务器,注意啦。
yum search php70w
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * epel: mirrors.kernel.org
 * extras: mirrors.linode.com
 * updates: mirrors.linode.com
 * webtatic: sp.repo.webtatic.com
============================= N/S matched: php70w ==============================
php70w.x86_64 : PHP scripting language for creating dynamic web sites
php70w-bcmath.x86_64 : A module for PHP applications for using the bcmath
                     : library
php70w-cli.x86_64 : Command-line interface for PHP
php70w-common.x86_64 : Common files for PHP
<br>

四、安装 PHP 7.1

# 安装php7.1
yum install php71w -y
# nginx连接使用
yum install php71w-fpm -y
# 宽字节
yum install php71w-mbstring -y
# mysql相关
yum install php71w-mysqlnd -y
# redis扩展
yum install php71w-pecl-redis -y
# 加密使用
yum install php71w-mcrypt -y
# 性能加速 php5.5 以上使用
yum install php71w-opcache -y
# 安装这些基本的可以满足大量需求, 至于有些扩展, 会在安装这些库的时候附加进去<br>

五、启动 PHP 7.1

我已经安装好需要程序,要想PHP请求被Nginx接收并转交给PHP-FPM再由PHP解释器执行返回结果,还需要做一些配置。
1、设置Nginx
Nginx 配置文件中 已经配置过,如何接收 php请求了。
2、启动 PHP-FPM

# 启动PHP-FPM
systemctl start php-fpm  
# 设置开机启动
systemctl enable php-fpm

六、基本配置优化

对于搭建一般的小网站,参考 wordpress-优化php-fpm和mysql 。

bash-文件-linux设置文件权限

对指定 文件夹 文件 读写 全开放
chmod 777 -R 文件夹 (递归调用,使子文件 文件夹也是这个权限)

对指定 文件夹 ,设置 文件 文件夹 用户组 和用户 ;就是文件所有者
chown -R apache:apache 文件夹 (递归调用,使子文件 文件夹也是这个权限)

最后 设置好
chmod 755 -R 文件夹 (递归调用,使子文件 文件夹也是这个权限)
ls –l 文件夹 (可以查看文件 权限 用户组)

nginx配置文件-常用配置

一、找到Nginx安装目录

在centos下:可以用 rpm 查找

# 查看 nginx 是否已经安装 
sh-4.2# rpm -qa | grep -i nginx
nginx-1.12.2-1.el7_4.ngx.x86_64
# 查看 具体 软件名 的安装目录
sh-4.2# rpm -ql nginx-1.12.2-1.el7_4.ngx.x86_64
/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/fastcgi_params
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/modules
/etc/nginx/nginx.conf
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params
/etc/nginx/win-utf
/etc/sysconfig/nginx
/etc/sysconfig/nginx-debug
/usr/lib/systemd/system/nginx-debug.service
/usr/lib/systemd/system/nginx.service
/usr/lib64/nginx
/usr/lib64/nginx/modules
/usr/libexec/initscripts/legacy-actions/nginx
/usr/libexec/initscripts/legacy-actions/nginx/check-reload
/usr/libexec/initscripts/legacy-actions/nginx/upgrade
/usr/sbin/nginx
/usr/sbin/nginx-debug
/usr/share/doc/nginx-1.12.2
/usr/share/doc/nginx-1.12.2/COPYRIGHT
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/var/cache/nginx
/var/log/nginx
sh-4.2#

从 Nginx 安装目录可以知道,
nginx 系统配置文件:/etc/sysconfig/nginx

# Configuration file for the nginx service.

NGINX=/usr/sbin/nginx
CONFFILE=/etc/nginx/nginx.conf

所以nginx服务器的 配置文件是 /etc/nginx/nginx.conf
查看 此配置文件 发现 ,会加载 /etc/nginx/conf.d/default.conf
简单来说,/etc/nginx/nginx.conf 是主配置文件,会自动 加载 /etc/nginx/conf.d/文件夹下面的所有字配置文件


注意nginx的坑爹之处,nginx 在配置 服务器 名字时,可以是 ip地址,可以是 localhost,可以是 域名。
但是如果 一个 未配置 的 域名指向 该nginx 服务器时,nginx 在配置 文件中 找不到 该 域名的 配置文件,
于是 nginx 会 默认 选择 第一个 配置文件,作为 该域名的 nginx服务器 配置文件。

简单来说,nginx 的所有配置文件中 的server name 没有包括ip 访问的话,如果用 ip直接 访问服务器,
nginx就会 默认 选择 第一个 配置 文件,来进行解析。


二、Nginx基本参数配置

全局配置

我们分片段一点点的介绍默认的配置文件

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

这些是配置文件开始的默认行。通常的环境下,你不需要修改这些选项。这一部分有几个方面需要我们注意:

  • 所有以#号开的行是注释,nginx不会解析。默认的配置文件有许多说明解释的注释块
  • 指令是以一个变量名开头(例如,worker_processes或pid),然后包含一个参数(例如,1或 logs/nginx.pid)或者多个参数(例如,”logs/error.log notice”)
  • 所有指令以分号结尾
  • 某些指令,像上面的events可以包含多个子指令作为参数。这些子指令以花括号包围。
  • 虽然nginx不解析空白符(例如tab,空格,和换行符),但是良好的缩进能提高你维护长期运行配置文件的效率。良好的缩进使配置文件读起来更流畅,能让你很容易明白配置的策略,即使几个月前。

下面我们继续读配置文件

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

“http { }”块的开头像配置文件的开头一样都是标准配置不需要修改。这里我们需要把注意力放在这些元素上:

  • 这部分内容的开始”include”语句包含/usr/loca/nginx/mime.types文件到nginx.conf文件include语句所在位置。include对ningx.conf文件的可读性和组织性很有用。
  • 不能过多使用include,如果太多递归地include文件会产生混乱,所以需要合理有限制地使用include来保证配置文件的清晰和可管理。
  • 你可以去掉log_format指令前的注释并修改这几行设置的变量为你想记录的信息。
  • gzip指令告诉nginx使用gzip压缩的方式来降低带宽使用和加快传输速度。如果想使用gzip压缩,需要添加如下配置到配置文件的gzip位置。
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types    text/plain text/html text/css
                      application/x-javascript text/xml
                      application/xml application/xml+rss
                      text/javascript;

使用gizp压缩并不是没有代价的。在降低带宽的同时也增加了CPU的使用。gzip_cop_level的参数取值范围1-9,9代表最用CPU和1代表最少用CPU,其默认值是1.

另外,请注意上面的片段 “http { ” 是http的前半部分,其余部分解下面继续,直到匹配的”}”。

虚拟机server配置

我们家是nginx.conf接下来的配置文件是这样

        server {
                listen       80;
                server_name  localhost;

                access_log  logs/localhost.access.log  main;

                location / {
                    root   html;
                    index  index.html index.htm;
                }
        }
}

我们可以看到http{ }块到此结束。

server指令块,像上面例子中那个一样,是我们nginx用户主要配置自己虚拟主机的地方。在server块里有许多重要的指令。listen指令告诉nginx在一个特定的hostname,ip或者tcp端口监听连接。默认,http服务运行在80端口。一下这些listen指令都是有效的:

listen     127.0.0.1:80;
listen     localhost:80;

listen     127.0.0.1:8080;
listen     localhost:8080;

listen     192.168.3.105:80;
listen     192.168.3.105:8080;

listen     80;
listen     *:80;
listen     8080;
listen     *:8080;

listen     12.34.56.77:80;
listen     12.34.56.78:80;
listen     12.34.56.79:80;

在这些例子中,我们可以看到很多不同表达方式:

  • 第一组2个指令指明服务器监听在127.0.0.1或localhost的80端口,localhost通常定义在/etc/hosts指向127.0.0.1
  • 第二组除了端口号监听在8080而不是80外,与第一组相同。
  • 第三组例子定义服务器监听在192.168.3.105的80和8080端口
  • 第四组例子是在所有地址上监听特定的端口。listen 80与listen *:80相同,listen 8080与listen *:80相同。
  • 最后一组例子设置服务器只监听在12.34.56.77/78/79的80端口上的请求。

server_name指令可以设置基于域名的虚拟主机,根据请求头部的内容,一个ip的服务器可以配置多个域名。下面这些server_name的参数是有效的:

server_name   nginx.cn;
server_name   nginx.cn www.nginx.cn;
server_name   *.nginx.cn;
server_name   .nginx.cn;

server_name   nginx.*;

server_name   nginx.cng bucknell.net brackley.org;
server_name   localhost litchfield bleddington;

server_name   "";

多个域名之间以空格分隔。nginx允许一个虚拟主机有一个或多个名字,也可以使用通配符”*”来设置虚拟主机的名字。上面的例子我们看到了很多特殊的地方:

  • 第一组例子,首先定义server_name为nginx.cn,那么来自http://nginx.cn的请求就会发到该主机上。第二个例子配置了nginx.cn和www.nginx.cn,那么http://nginx.cn和http://www.nginx.cn的请求会发到这个主机上。
  • *.nginx.cn和.nginx.cn是等同的配置,设置该主机处理所有来自nginx.cn的子域名,比如www.nginx.cn,blog.nginx.cn等
  • 第二组server_name配置nginx.*,配置服务器处理所有以nginx.开头的请求。例如,nginx.com,nginx.cn,nginx.net,nginx.baidu.com
  • 接下来一组第一个server_name配置,设置主机处理来自三个域名的请求。nginx允许设置不是有效域名的名字。比如接下来这个配置我们可以看到三个不是有效域名的例子,localhost,litchfiled和bledington。nginx只查找请求的HTTP头中的域名但并不判断域名是否有效,这个例子中这些主机名可以配制在/etc/hosts中。当你在本机调试时使用非域名的主机名有时候更适合些。
  • 最后一组例子,server_name设置为空的双引号,它告诉nginx捕捉所有没有hostname的请求,或者hostname没有在其它server_name中指定的。

 

我们继续分析接下来的server指令块,看看access_log指令。

access_log logs/nginx.access.log;
access_log /srv/http/ducklington.org/logs/access.log;
access_log /var/log/nginx/access/ducklington.org;
access_log off;

第一个例子,日志使用相对路径,log文件放在与配置文件同级的目录中,也就是日志存储在/usr/local/nginx/logs/nginx.access.log;接下来的两个例子定义了完整的绝对路径;最后一个例子是关闭access log,不会记录访问日志到文件。

server块的最后部分是location指令块,对于client的不同请求目标,location是用来配置服务器的不同响应。

就像server_name指令配置nginx处理请求使用包含在请求中的信息一样,location指令配置如何响应不同位置资源的请求。例如:

无需修改主配置文件,只需新建一个域名配置文件。示例如下

[root@testdb ~]# cat /etc/nginx/conf.d/www.example.net.conf
server {
    listen       80;
    server_name  example.net , www.example.net;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    root   /var/www/www.example.net;  #wordpress location
    index index.php index.html index.htm;


    location / {

        # try_files $uri $uri/ =404;
         try_files $uri $uri/ /index.php?q=$uri&args;

    }

    error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass   127.0.0.1:9000;
      # fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}

     location ~ ^/\.user\.ini {
        deny all;
     }

}

[root@testdb ~]# 

部分内容转载自:http://www.nginx.cn/591.html