Firewalld
启用防火墙服务;除了默认放行的 ssh 之外,仅允许 http/https 连接到服务器。下文的 Redis(6379)和 Node 应用(3000)只监听本机,不会被这里的规则对外开放。
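#!/usr/bin/env bash
# Enable firewalld and expose only HTTP/HTTPS in the public zone.
# The public zone already permits ssh by default; nothing else is opened here.
set -euo pipefail

# Start at boot and (re)start now. `systemctl restart` covers both the
# "already running" and "not yet running" cases the original handled with
# `service status && restart || start`.
systemctl enable firewalld
systemctl restart firewalld

# --permanent writes the rule to disk; --reload then loads it into the
# running configuration. Without the reload the rule is not active yet.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

# Print the effective service list so the result can be checked by eye
# (expected: ssh http https and nothing else).
firewall-cmd --zone=public --list-services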
Letsencrypt
使用 Letsencrypt 获得免费的 SSL 证书(openssl 命令在上次发布的文章有说过)。下面只安装客户端并生成 DH 参数,申请证书本身的命令未在本文列出。
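#!/usr/bin/env bash
# Install the Let's Encrypt client and generate Diffie-Hellman parameters
# for nginx. This does NOT request a certificate.
set -euo pipefail

yum -y install letsencrypt

# 2048 bits is the minimum DH size worth deploying; generation is slow, so
# keep an existing file instead of silently regenerating it on every run.
# The parameters are public, so the default permissions of /etc/ssl/certs
# are fine.
if [[ ! -s /etc/ssl/certs/dhparam.pem ]]; then
  openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
fi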
使用Yum Cron
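#!/usr/bin/env bash
# Configure yum-cron: a nightly run that applies all updates and an hourly
# run restricted to security errata, both reported by e-mail.
# Requires: YUM_CRON_EMAIL - address that receives the update reports.
set -euo pipefail

if [[ -z "${YUM_CRON_EMAIL:-}" ]]; then
  echo "You must specify an email using \$YUM_CRON_EMAIL" >&2
  exit 1
fi

# The address is spliced into a sed replacement below; '|' (the delimiter),
# '&' (whole-match reference) and '\' would change the meaning of the
# expression, so reject them up front instead of writing a broken config.
case "$YUM_CRON_EMAIL" in
  *'|'* | *'&'* | *'\'*)
    echo "YUM_CRON_EMAIL must not contain '|', '&' or '\\'" >&2
    exit 1
    ;;
esac

yum -y install yum-cron patch
chkconfig yum-cron on

daily_conf=/etc/yum/yum-cron.conf
hourly_conf=/etc/yum/yum-cron-hourly.conf

# Nightly: download and apply every available update, mail the report.
sed -i "s|^email_to = root|email_to = ${YUM_CRON_EMAIL}|" "$daily_conf"
sed -i 's|^update_messages = no|update_messages = yes|' "$daily_conf"
sed -i 's|^download_updates = no|download_updates = yes|' "$daily_conf"
sed -i 's|^apply_updates = no|apply_updates = yes|' "$daily_conf"
sed -i 's|^emit_via = stdio|emit_via = email|' "$daily_conf"

# Hourly: same settings, but update_cmd = security limits it to security
# errata so the frequent run only ships fixes, not every package change.
sed -i "s|^email_to = root|email_to = ${YUM_CRON_EMAIL}|" "$hourly_conf"
sed -i 's|^update_cmd = default|update_cmd = security|' "$hourly_conf"
sed -i 's|^update_messages = no|update_messages = yes|' "$hourly_conf"
sed -i 's|^download_updates = no|download_updates = yes|' "$hourly_conf"
sed -i 's|^apply_updates = no|apply_updates = yes|' "$hourly_conf"
sed -i 's|^emit_via = stdio|emit_via = email|' "$hourly_conf"

# Echo the effective settings so a sed pattern that matched nothing is visible.
grep -E '^email_to|^update_messages|^download_updates|^apply_updates|^emit_via' "$daily_conf"
grep -E '^email_to|^update_cmd|^update_messages|^download_updates|^apply_updates|^emit_via' "$hourly_conf"

# The original tried to patch /usr/sbin/yum-cron when this marker is absent,
# but the test was written as `[[ $(grep -q ...) -ne 0 ]]`: grep -q prints
# nothing, so the comparison is `"" -ne 0` and never true. The patch body
# itself is not part of this listing, so only warn here and leave the
# binary untouched rather than invent a hunk.
if ! grep -q "# success, dependencies resolved" /usr/sbin/yum-cron; then
  echo "WARNING: /usr/sbin/yum-cron lacks the 'success, dependencies resolved' marker; the nightly-update fix may need to be applied by hand" >&2
fi

# Restart if running, otherwise start.
if service yum-cron status > /dev/null 2>&1; then
  service yum-cron restart
else
  service yum-cron start
fi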
安装NGINX
使用mainline仓支持HTTP2
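#!/usr/bin/env bash
# Install nginx from the mainline repository (for HTTP/2), lay out a
# sites-available/sites-enabled tree, write a base nginx.conf and a sample
# reverse-proxy vhost for the Node app on 127.0.0.1:3000.
set -euo pipefail

# import src utility (provides `src osname` / `src osversion`, which define
# the osname/osversion helpers used in the repo file below).
# NOTE(security): this fetches a script over the network and sources it as
# root with no pinning or integrity check. Vendor it (or at least pin it)
# before running this on a host you care about.
if [[ -z "$(type -t src)" ]]; then
  source <(curl -sL https://www.doublesharp.com/src)
fi
src osname
src osversion

# Repo definition. The original had gpgcheck=0 over plain http, which lets a
# compromised mirror or an on-path attacker install arbitrary packages as
# root. nginx signs its packages, so verify them and fetch over https.
# $(osname)/$(osversion) expand here; \$basearch is left for yum to expand.
cat <<REPO > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
# default repo
#baseurl=https://nginx.org/packages/$(osname)/$(osversion)/\$basearch/
# mainline "dev" repo for http2 support
baseurl=https://nginx.org/packages/mainline/$(osname)/$(osversion)/\$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
REPO

# install nginx
yum install -y nginx

# turn on for reboots
systemctl enable nginx

mkdir -p /etc/nginx/includes
mkdir -p /etc/nginx/sites-enabled
mkdir -p /etc/nginx/sites-available
mkdir -p /etc/nginx/streams-enabled
mkdir -p /etc/nginx/streams-available

# use a conf file to include our sites-enabled conf files
cat <<'SITESENABLED' > /etc/nginx/includes/sites-enabled.conf
include /etc/nginx/sites-enabled/*.conf;
SITESENABLED
[[ -f "/etc/nginx/conf.d/_.sites-enabled.conf" ]] || ln -s /etc/nginx/includes/sites-enabled.conf /etc/nginx/conf.d/_.sites-enabled.conf

# enable httpd in selinux
# NOTE(security): this makes the entire httpd_t domain permissive, i.e.
# SELinux stops confining nginx at all. For the proxy_pass to localhost
# below the targeted boolean (setsebool -P httpd_can_network_connect 1)
# is the narrower fix; kept as in the original so behaviour is unchanged.
semanage permissive -a httpd_t

# Quoted heredoc: nginx variables ($remote_addr, ...) are written literally,
# so no backslash escaping is needed.
cat <<'NGINX_CONF' > /etc/nginx/nginx.conf
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

worker_rlimit_nofile 100000;

events {
  # determines how much clients will be served per worker
  # max clients = worker_connections * worker_processes
  # max clients is also limited by the number of socket connections available on the system (~64k)
  worker_connections 100000;
  # optmized to serve many clients with each thread, essential for linux
  use epoll;
  # accept as many connections as possible, may flood worker connections if set too low
  multi_accept on;
}

# web servers / virtual hosts
http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # do not advertise the exact nginx version in headers and error pages
  server_tokens off;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log combined flush=1m buffer=128k;

  # cache informations about FDs, frequently accessed files
  # can boost performance, but you need to test those values
  open_file_cache max=200000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  # send headers in one peace, its better then sending them one by one
  tcp_nopush on;
  # don't buffer data sent, good for small data bursts in real time
  tcp_nodelay on;
  # server will close connection after this time
  keepalive_timeout 30;
  # allow the server to close connection on non responding client, this will free up memory
  reset_timedout_connection on;
  # request timed out -- default 60
  client_body_timeout 10;
  # if client stop responding, free up memory -- default 60
  send_timeout 2;

  # reduce the data that needs to be sent over network
  gzip on;
  gzip_min_length 10240;
  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
  gzip_disable "MSIE [1-6]\.";

  proxy_buffer_size 128k;
  proxy_buffers 64 256k;
  proxy_busy_buffers_size 256k;
  proxy_ignore_client_abort on;

  include /etc/nginx/conf.d/*.conf;
}

# load balancer streams
stream {
  include /etc/nginx/streams-enabled/*.conf;
}
NGINX_CONF

# create a virtual server conf file that is in sites-available.
# NOTE: this vhost only listens on 80; TLS termination (the certificate from
# the Letsencrypt step and the dhparam file) is not wired up here.
cat <<'NGINX_HOST' > /etc/nginx/sites-available/myapp.conf
upstream myapp {
  # our app will be on localhost port 3000, but you can change this here
  server 127.0.0.1:3000 fail_timeout=0;
}

server {
  listen 80;
  server_name myapp.example.com;

  location / {
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://myapp;
  }
}
NGINX_HOST

# link this conf to sites-enabled. it's important to use the full path
#ln -s /etc/nginx/sites-available/myapp.conf /etc/nginx/sites-enabled/myapp.conf

# Validate the config first (set -e aborts on failure), then restart if
# running, otherwise start. The original had no start branch at all.
nginx -t
if service nginx status > /dev/null 2>&1; then
  service nginx restart
else
  service nginx start
fi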
安装Redis
安装Redis之前先安装EPEL
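#!/usr/bin/env bash
# Install Redis from EPEL and apply the kernel/redis tuning it warns about.
set -euo pipefail

# install the EPEL repo to access Redis
yum install -y epel-release
yum install -y redis

# fix redis background saves on low memory: BGSAVE forks, and with the
# default heuristic the fork can fail when memory looks over-committed.
# Set it live and persist it for reboots.
sysctl -w vm.overcommit_memory=1
cat <<'SYSCTL_MEM' > /etc/sysctl.d/88-vm.overcommit_memory.conf
vm.overcommit_memory = 1
SYSCTL_MEM

# increase max connections (listen backlog); tcp-backlog below must not
# exceed this or the kernel silently clamps it.
sysctl -w net.core.somaxconn=65535
cat <<'SYSCTL_CONN' > /etc/sysctl.d/88-net.core.somaxconn.conf
net.core.somaxconn = 65535
SYSCTL_CONN

sysctl -w fs.file-max=100000
cat <<'SYSCTL_FILEMAX' > /etc/sysctl.d/88-fs.file-max.conf
fs.file-max = 100000
SYSCTL_FILEMAX

sed -i "s|^tcp-backlog [[:digit:]]\+|tcp-backlog 65535|" /etc/redis.conf

# NOTE(review): nothing here touches bind/requirepass. The firewall only
# opens 80/443, so 6379 is not reachable from outside, but confirm
# /etc/redis.conf still binds 127.0.0.1 only before trusting that.

# enable redis service on reboot
systemctl enable redis

# restart if running, otherwise start
if service redis status > /dev/null 2>&1; then
  service redis restart
else
  service redis start
fi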
安装Node.js 和 PM2
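#!/usr/bin/env bash
# Install Node.js from NodeSource plus the build toolchain, then PM2.
# Requires: SRC_NODE_VERSION - major version to install (e.g. 8 -> setup_8.x).
set -euo pipefail

if [[ -z "${SRC_NODE_VERSION:-}" ]]; then
  echo "You must specify a node version using \$SRC_NODE_VERSION" >&2
  exit 1
fi

# NodeSource setup script. The original piped curl straight into bash;
# downloading to a file first means a failed or truncated transfer
# (--fail) aborts instead of executing a partial script, and the file can
# be inspected. It is still a remote script run as root - review it.
setup_script=$(mktemp)
trap 'rm -f -- "$setup_script"' EXIT
curl --fail --silent --location --output "$setup_script" \
  "https://rpm.nodesource.com/setup_${SRC_NODE_VERSION}.x"
bash "$setup_script"

# install via yum
yum install -y git gcc-c++ make nodejs

# PM2 - install as global. "latest" is unpinned; pin a version for
# reproducible builds. Only reached once node/npm are actually installed
# (the original ran this even when SRC_NODE_VERSION was unset).
npm install pm2@latest -g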
创建 appuser
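# Create the unprivileged account the Node app runs under, then set its
# password (passwd prompts interactively). Safe to re-run: the user is only
# created if it does not exist yet.
id appuser > /dev/null 2>&1 || adduser appuser
passwd appuser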
为appuser创建PM2
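# Run as appuser: start the app under PM2 and check it.
# The original created ~/apps but then did `cd /apps`, which fails unless a
# separate /apps directory exists; both steps now use the same path.
mkdir -p ~/apps
cd ~/apps
pm2 start ~/apps/myapp/server.js --name=myapp
pm2 status myapp
pm2 restart myapp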