Tag archive: LNMP

Compiling and installing nginx with TLS 1.3 enabled on CentOS 7

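I have switched to Caddy for now; Caddy is still waiting for upstream support for TLS v1.3.

Changelog

20180708 OpenSSL updated its notes on TLS 1.3 on June 8, 2018 (see this wiki), and this article has been revised to follow the new wiki. The main changes are: OpenSSL currently supports the "draft-26", "draft-27" and "draft-28" drafts at the same time; the process is simpler, since TLS 1.3 is enabled by default at build time and no enable option is needed; the cipher suite notation has been updated; Chrome Canary 69.0.3484.0 and Firefox Nightly 63.0a1 support TLS 1.3 Draft 28.
20180411 Firefox Nightly 61.0a1 supports TLS 1.3 Draft 26.
20180404 The IESG approved TLS 1.3 Draft 28 as the Proposed Standard for TLS version 1.3; as of 20180404, OpenSSL supports Draft 26.
20180312 The stable release of Chrome 65 is out and supports TLS 1.3 Draft 23.
20180207 Corrected some errors.

If TLSv1.3 is published on schedule, OpenSSL 1.1.1 will be released to the public on April 17, 2018. For servers I still prefer CentOS: its support cycle is long, so one round of setup lasts a long time. What follows records the process of enabling TLSv1.3 on an LNMP-based CentOS 7 system.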

1 Upgrade the system

yum update

The system version after the upgrade is:

cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)

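2 Install the official mainline nginx

Installing nginx from the official repository serves two purposes:
it generates the nginx configuration files automatically, which saves a lot of work;
it provides the configure arguments nginx was built with.

Configure the repository:

vi /etc/yum.repos.d/nginx.repo

Write the following content: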

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

Install nginx:

yum install nginx -y

Check the nginx version:

nginx -v
nginx version: nginx/1.15.1

Get the configure arguments:

nginx -V
nginx version: nginx/1.15.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Edit the nginx repository file and change enabled=1 to enabled=0, so that yum update does not overwrite nginx:

vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=0

3 Compile nginx

Install the dependencies that may be needed:

yum install -y git gcc gcc-c++ clang automake make autoconf libtool zlib-devel libatomic_ops-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel gperftools-devel perl-devel perl-ExtUtils-Embed

Get the source code:

git clone https://github.com/nginx/nginx.git
git clone https://github.com/openssl/openssl.git
git clone https://github.com/grahamedgecombe/nginx-ct.git

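nginx-ct is the module that enables the Certificate Transparency policy. To enable Certificate Transparency and TLSv1.3, the following extra configure arguments are needed:

--add-module=../nginx-ct/ --with-openssl=../openssl/

Append them to the official configure arguments; with a small modification this gives the complete configure command: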

auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=../nginx-ct/ --with-openssl=../openssl/

Enter the nginx source directory and run the complete configure command above.
Start the build:

make

Check the compiled nginx:

./objs/nginx -v
nginx version: nginx/1.15.2
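
An added example, not part of the original article: before the compiled binary replaces the packaged one, this script checks the `nginx -V` text for an OpenSSL build of 1.1.1 or later (the first OpenSSL release line with TLS 1.3) and for the two extra configure arguments. The sample outputs are constructed, the function names are hypothetical, and the `1.1.1-pre9-dev` version string is an assumption about what a build from the OpenSSL git tree reports.

```shell
#!/bin/sh
# Added example, not from the original article: inspect `nginx -V` text
# before the compiled binary replaces the packaged one.

# openssl_version TEXT -> OpenSSL version the binary was built with
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# supports_tls13 VERSION -> exit 0 when VERSION is 1.1.1 or newer
supports_tls13() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; fix = $3 + 0   # "2k-fips" + 0 evaluates to 2
        if (maj > 1 || (maj == 1 && min > 1) || (maj == 1 && min == 1 && fix >= 1)) exit 0
        exit 1
    }'
}

# check_build TEXT -> prints one line per check, exit 0 only if all pass
check_build() {
    rc=0
    ver=$(openssl_version "$1")
    if supports_tls13 "$ver"; then
        echo "ok: built with OpenSSL $ver"
    else
        echo "FAIL: built with OpenSSL ${ver:-unknown}, too old for TLSv1.3"
        rc=1
    fi
    for arg in --with-openssl= --add-module=../nginx-ct; do
        case "$1" in
            *"$arg"*) echo "ok: configure arguments contain $arg" ;;
            *)        echo "FAIL: configure arguments lack $arg"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the packaged build (abridged from the output above) and
# a hypothetical custom build; the 1.1.1-pre9-dev version string is made up.
OFFICIAL='nginx version: nginx/1.15.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
CUSTOM='nginx version: nginx/1.15.2
built with OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
configure arguments: --prefix=/etc/nginx --add-module=../nginx-ct/ --with-openssl=../openssl/'

check_build "$OFFICIAL" || true
check_build "$CUSTOM"
# Real use, from the nginx source directory (nginx -V writes to stderr):
#   check_build "$(./objs/nginx -V 2>&1)"
```

Running `./objs/nginx -t` afterwards confirms that the existing configuration parses with the new binary before it is copied into place.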

Back up the installed official mainline binary and install the compiled one:

mv /usr/sbin/nginx /usr/sbin/nginx.1.15.1.20180708.official.mainline
cp ./objs/nginx /usr/sbin/

4 Modify ssl_protocols and ssl_ciphers in the nginx configuration file; the first three commonly used TLSv1.3 cipher suites are enabled by default

...
ssl_protocols          TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers            EECDH+CHACHA20:ECDHE+aECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:ECDHE+aECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+aECDSA+AES256+SHA384:ECDHE+aRSA+AES256+SHA384:ECDHE+aECDSA+AES256+SHA:ECDHE+aRSA+AES256+SHA;
...

Restart the nginx service for the changes to take effect:

systemctl restart nginx

5 Test whether TLSv1.3 is in effect

5.1 Using the testssl tool

git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
./testssl.sh --help

The command is (replace coldawn.com with your own domain):

./testssl.sh -p coldawn.com
...
 Testing protocols via sockets except SPDY+HTTP2

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): draft 28, draft 27, draft 26
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)
...

For more detail, use an uppercase P as the option:

./testssl.sh -P coldawn.com

 Testing server preferences

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA
    TLSv1.1:   ECDHE-RSA-AES256-SHA
    TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
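
5.2 Using a modern browser

Chrome Canary 69.0.3484.0 and Firefox Nightly 63.0a1 already support TLS 1.3 Draft 28.

Setting up an LNMP server environment on CentOS 7

CentOS's long support cycle means there is little urgency to upgrade the system as long as it works well for you. For a fresh install, however, you should go straight to the latest release so that it lasts a long time. Setting up an LNMP (nginx, MariaDB, PHP) server on CentOS 7 is much the same as setting up an LNMP server environment on CentOS 6: the overall process and method are identical, and you only need to switch the nginx, MariaDB and PHP repositories from CentOS 6 to CentOS 7 and change a few commands.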

1 Update the system:

yum update -y

Check the system version:

cat /etc/centos-release

CentOS Linux release 7.3.1611 (Core)

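2 Configure the repositories:

2.1 Configure the official MariaDB repository
First, the official MariaDB repository needs to be customized.
Choose the appropriate distribution, release and MariaDB version (the latest is 10.2, currently at the RC stage) to obtain the repository URL for MariaDB 10.2 RC on 64-bit CentOS 7.

CentOS > CentOS 7 (x86_64) > 10.2 [Release Candidate]

To configure the repository:

vi /etc/yum.repos.d/MariaDB.repo

Enter the following content: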

# MariaDB 10.2 CentOS repository list - created 2017-02-25 08:07 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

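Save and exit (press ESC, then type :wq).

2.2 Configure the PHP repository
The webtatic repository is updated quickly and uses its own package-naming scheme, which avoids some conflicts with other repositories: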

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

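2.3 Configure the official nginx repository
Official nginx comes in two versions, mainline and stable, that is, the development version and the stable version. The difference is that the former introduces new features but may bring new bugs, while the latter is sufficiently stable. In practice both are fairly stable, and the nginx website itself always runs on the mainline version.
Both versions are offered below; choose one of them. The mainline version is recommended.

2.3.1 mainline version
The mainline version of nginx:

vi /etc/yum.repos.d/nginx.repo

The system is CentOS 7, so write the following content: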

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

Save and exit.

2.3.2 stable version

vi /etc/yum.repos.d/nginx.repo

The system is CentOS 7, so write the following content:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

Save and exit.

3 Install, start the services and enable them at boot

3.1.1 Install MariaDB

yum install MariaDB-server -y

3.1.2 Install PHP

yum install php71w-fpm -y

Install the extensions:

yum install php71w-gd php71w-mysqlnd php71w-pdo php71w-mcrypt php71w-mbstring php71w-xmlrpc -y

3.1.3 Install nginx

yum install nginx -y

3.2 Start the services and enable them at boot

systemctl start nginx

systemctl start mariadb

systemctl start php-fpm

systemctl enable nginx

systemctl enable mariadb

systemctl enable php-fpm

4 Configuration

4.1 Set up MariaDB

MariaDB is highly compatible with MySQL commands.
This step is mainly the security setup of MariaDB:

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 

Because MariaDB is being set up for the first time, the root password is empty; just press Enter here.

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y

Set the database password.

New password: 

Set the password; choose one that you yourself know.

Re-enter new password: 

Enter the password again.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

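4.2 Configure PHP

vi /etc/php.ini

Find:

;cgi.fix_pathinfo=1

Remove the comment marker and change 1 to 0:

cgi.fix_pathinfo=0

Save and exit.

4.3 Configure nginx

4.3.1 Default configuration

Open your host's IP address or domain name directly in a browser (assume the IP address is 1.2.3.4 and the domain is www.urwp.com; both are used again below) and you will see the nginx welcome page, which shows that nginx is already working.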

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

4.3.2 Configure nginx to support PHP

vi /etc/nginx/conf.d/default.conf

Before modification, the default configuration looks like this:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Edit the following block: uncomment it and change some of its contents:

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

4.3.3 Test whether PHP runs correctly

vi /usr/share/nginx/html/phpinfo.php

Write the following code and save:

<?php
phpinfo();
?>

Restart nginx and PHP:

systemctl restart nginx
systemctl restart php-fpm

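Visit your host address or domain again:

http://1.2.3.4/phpinfo.php

or

http://www.urwp.com/phpinfo.php

If the PHP information page appears, PHP and nginx are working together.
At this point the LNMP web service environment is set up in its basic form.

Next, you can deploy your own website or start a simple blog, for example with WordPress.
Once LNMP is deployed, the steps for installing WordPress are the same on CentOS 6 and CentOS 7: Installing WordPress in an LNMP environment on CentOS 6

Setting up an LNMP server environment on CentOS 6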

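Updates:
2017-05-26
1 Full updates for CentOS 6 ended in Q2 2016, and maintenance updates continue until 2020-11-30. Although that is still more than three years away, please upgrade to CentOS 7 in good time.
2 If you are still on CentOS 6, this tutorial remains valid and can be used to install or upgrade to the latest LNMP versions.

2017-05-25
1 Updated to nginx 1.13.0, MariaDB 10.2.6, PHP 7.1.5.

2017-02-25
1 For setting up LNMP on CentOS 7, please refer to this article.

2016-08-19
1 Also applies to nginx-1.11.3 mainline or nginx-1.10.1, MariaDB 10.1.16, PHP 7.0.9.
2 CentOS 6 64-bit has since been updated to 6.8; the tutorial applies to it as well.

2016-05-04
1 Added the mainline and stable versions of nginx as installation options; the title always refers to the mainline version. See the steps below for details.
2 Tested: this tutorial works with nginx-1.9.15 mainline or nginx-1.10.0 stable, MariaDB 10.1.13 and PHP 7.0.5; a fresh install following this tutorial gets the latest versions automatically.
3 If you installed older versions following this tutorial, you can upgrade to the latest versions directly with the following command, with no extra steps:

     yum update

2016-02-21
1 Tested: also applies to nginx 1.9.11 and PHP 7.0.3; a fresh install following this tutorial gets the latest versions automatically.
2 If you installed nginx 1.9.10 and PHP 7.0.2 following this tutorial, you can upgrade directly with the "yum update" command, with no extra steps.
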
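Building a web environment with LNMP (Linux + nginx + MySQL + PHP) is becoming more and more popular, and MariaDB is gradually replacing MySQL.
Notes:
1 This article uses 64-bit CentOS 6.7 as the base system and installs nginx, MariaDB and PHP to build the web environment.
2 yum is used wherever possible, to avoid the thorny problem of having to write configuration files by hand.
3 Reference tutorials:
 How To Install Linux, nginx, MySQL, PHP (LEMP) stack on CentOS 6
 Ultimate Guide To Installing Nginx, MySQL, PHP5, PHP-FPM In CentOS 6.5

Detailed steps:
1 Updating the system comes first:

yum update -y

Then check the system version: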

head -1 /etc/issue

CentOS release 6.7 (Final)

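2 Configure the repositories:
2.1 Configure the official MariaDB repository
First, the official MariaDB repository needs to be customized.
Choose the appropriate distribution, release and MariaDB version (the latest is 10.1):

CentOS > CentOS 6(64bit) > 10.1

This gives the repository URL for MariaDB 10.1 on 64-bit CentOS 6. To configure the repository:

vi /etc/yum.repos.d/MariaDB.repo

Enter the following content: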

# MariaDB 10.1 CentOS repository list - created 2016-02-03 13:17 UTC
# http://mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

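Save and exit (press ESC, then type :wq).

2.2 Configure the PHP repository
The webtatic repository is updated quickly and uses its own package-naming scheme, which avoids some conflicts with other repositories:

rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm

2.3 Configure the official nginx repository
Official nginx comes in two versions, mainline and stable, that is, the development version and the stable version. The difference is that the former introduces new features but may bring new bugs, while the latter is sufficiently stable. In practice both are fairly stable, and the nginx website itself always runs on the mainline version.
Both versions are offered below; choose one of them. The mainline version is recommended.

2.3.1 mainline version
The mainline version of nginx:

vi /etc/yum.repos.d/nginx.repo

The system is CentOS 6, so write the following content: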

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/6/$basearch/
gpgcheck=0
enabled=1

Save and exit.

2.3.2 stable version

vi /etc/yum.repos.d/nginx.repo

The system is CentOS 6, so write the following content:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1

Save and exit.
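
An added example, not part of the original articles: the nginx stanzas on this page set gpgcheck=0, so yum installs the nginx packages without verifying a signature, and every baseurl uses plain http. The script below flags both conditions in a .repo file; the sample files are constructed from the stanzas above, the function name is hypothetical, and the corrected nginx stanza assumes the signing key published at https://nginx.org/keys/nginx_signing.key and an https mirror of the same path.

```shell
#!/bin/sh
# Added example, not from the original articles: flag yum repository stanzas
# that skip package signature checks or fetch over plain http.

# audit_repo FILE -> one "<section>: <finding>" line per problem
audit_repo() {
    awk '
        function report() {
            if (section == "") return
            if (gpgcheck == "0") print section ": gpgcheck=0, package signatures are not verified"
            if (baseurl ~ /^http:/) print section ": baseurl uses plain http"
        }
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # a new [section] starts
            report()
            section = $0; gsub(/^[ \t]*\[|\].*$/, "", section)
            gpgcheck = ""; baseurl = ""
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "baseurl")  baseurl = val
        }
        END { report() }
    ' "$1"
}

# Constructed samples: the nginx and MariaDB stanzas as given in this article.
sample_dir=$(mktemp -d)
cat > "$sample_dir/nginx.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/6/$basearch/
gpgcheck=0
enabled=1
EOF
cat > "$sample_dir/MariaDB.repo" <<'EOF'
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
# Corrected nginx stanza (assumption: key URL and https path as described above).
cat > "$sample_dir/nginx-signed.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/6/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
for f in "$sample_dir"/*.repo; do echo "== ${f##*/}"; audit_repo "$f"; done
```

On a real host the same function can be run over every file in /etc/yum.repos.d/.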

3 Install, start the services and enable them at boot

3.1.1 Install MariaDB

yum install MariaDB-server -y

3.1.2 Install PHP

yum install php70w-fpm -y

Install the extensions:

yum install php70w-gd php70w-mysqlnd php70w-pdo php70w-mcrypt php70w-mbstring php70w-xmlrpc -y

3.1.3 Install nginx

yum install nginx -y

3.2 Start the services and enable them at boot

service nginx start

service mysql start

service php-fpm start

chkconfig --level 235 nginx on

chkconfig --level 235 mysql on

chkconfig --level 235 php-fpm on

4 Configuration

4.1 Set up MariaDB

MariaDB, created from the start to succeed MySQL, is highly compatible with MySQL commands.
This step is mainly the security setup of MariaDB:

mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 

Because the MariaDB database has not been set up yet, the root password is empty as well; just press Enter here.

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y

Set the database password.

New password: 

Set the password; choose one that you yourself know.

Re-enter new password: 

Enter the password again.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

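4.2 Configure PHP

vi /etc/php.ini

Find:

;cgi.fix_pathinfo=1

Remove the comment marker and change 1 to 0:

cgi.fix_pathinfo=0

Save and exit.

4.3 Configure nginx

4.3.1 With the default configuration, open your host's IP address or domain name directly in a browser (assume the IP address is 1.2.3.4 and the domain is www.urwp.com; both are used again below) and you will see the nginx welcome page, which shows that nginx is already working.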

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

4.3.2 Configure nginx to support PHP

vi /etc/nginx/conf.d/default.conf

Before modification, the default configuration looks like this:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Modify it as shown below: uncomment the block and change some of its contents:

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
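
An added example, not part of the original articles, covering sections 4.2 and 4.3.2 of both LNMP articles: it reports the cgi.fix_pathinfo value PHP will actually use (a line still prefixed with ";" is a comment, so PHP's default of 1 stays in effect) and lists live PHP location blocks that pass requests to FastCGI without a try_files existence check. The sample files are constructed, the function names are hypothetical, and the `try_files $uri =404;` guard is an addition that the article's configuration does not contain.

```shell
#!/bin/sh
# Added example, not from the original article: audit the PHP hand-off.
# effective_fix_pathinfo PHP_INI -> the value PHP will actually use.
# ";" starts a comment in php.ini, so an untouched ";cgi.fix_pathinfo=1"
# leaves the built-in default (1) active; the last live assignment wins.
effective_fix_pathinfo() {
    awk -F= '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "cgi.fix_pathinfo" { val = $2; gsub(/[ \t\r]/, "", val); found = 1 }
        END { print (found ? val : "1") }
    ' "$1"
}

# unguarded_php_locations NGINX_CONF -> first line number of each live PHP
# location that calls fastcgi_pass without a try_files existence check.
# Assumption: the location block contains no nested { } block.
unguarded_php_locations() {
    awk '
        /^[ \t]*#/ { next }
        !inblock && /^[ \t]*location[ \t].*php/ { inblock = 1; start = NR; guard = 0; pass = 0; next }
        inblock && /try_files/    { guard = 1 }
        inblock && /fastcgi_pass/ { pass = 1 }
        inblock && /}/            { if (pass && !guard) print start; inblock = 0 }
    ' "$1"
}

# Constructed samples (the temporary directory is left in place for inspection).
tmp=$(mktemp -d)
printf ';cgi.fix_pathinfo=1\n' > "$tmp/php-default.ini"
printf ';cgi.fix_pathinfo=1\ncgi.fix_pathinfo=0\n' > "$tmp/php-edited.ini"
cat > "$tmp/article.conf" <<'EOF'
server {
    #location ~ \.php$ {
    #    fastcgi_pass   127.0.0.1:9000;
    #}
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
EOF
cat > "$tmp/guarded.conf" <<'EOF'
server {
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        try_files      $uri =404;   # added guard: refuse paths with no file behind them
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
EOF
echo "edited php.ini: cgi.fix_pathinfo=$(effective_fix_pathinfo "$tmp/php-edited.ini")"
echo "article.conf, unguarded location at line: $(unguarded_php_locations "$tmp/article.conf")"
```

With cgi.fix_pathinfo=0 in effect PHP no longer guesses a script for a path that does not exist; the try_files line makes nginx reject such requests before they reach PHP-FPM.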

4.3.3 Test whether PHP runs correctly

vi /usr/share/nginx/html/phpinfo.php

Write the following code and save:

<?php
phpinfo();
?>

Restart nginx and PHP:

service nginx restart
service php-fpm restart

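Visit your host address or domain again:

http://1.2.3.4/phpinfo.php

or

http://www.urwp.com/phpinfo.php

If the PHP information page appears, PHP and nginx are working together.
At this point the LNMP web service environment is set up in its basic form.
Next, you can deploy your own website or start a simple blog, for example with WordPress.
Next post: Installing WordPress in an LNMP environment on CentOS 6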