
CentOS 7 上安装 Node.js + PM2 + NGINX + Redis

Firewalld

启用防火墙服务,除了默认的ssh之外,仅允许http/https连接到服务器。

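#!/bin/bash
# Enable firewalld and allow inbound HTTP and HTTPS in the "public" zone.
# Must be run as root.

# Start firewalld on every boot.
systemctl enable firewalld

# Restart the service if it is already running, otherwise start it.
# An explicit if/else keeps a failed restart from silently falling through
# to "start", which the "(status && restart) || start" form would do.
if service firewalld status > /dev/null; then
  service firewalld restart
else
  service firewalld start
fi

# Permanently allow http and https, then load the permanent rules.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

# The commands above only ADD services; anything else already enabled in the
# zone stays open. Print the resulting list so it can be compared with the
# intended "ssh, http, https only" policy.
# NOTE(review): this assumes "public" is the zone bound to the server's
# interface; `firewall-cmd --get-active-zones` shows which zone is in effect.
firewall-cmd --zone=public --list-services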

Letsencrypt

使用 Let's Encrypt 获取免费的 SSL 证书(openssl 命令在上一篇文章中已经介绍过)

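# Install the Let's Encrypt client (the two commands were fused onto one line
# in the published listing and are separated again here).
yum -y install letsencrypt

# Generate 2048-bit Diffie-Hellman parameters for DHE key exchange.
# The file has no effect until a TLS-enabled nginx server block references it
# with the ssl_dhparam directive; the nginx configuration on this page defines
# only a plain-HTTP listener on port 80.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048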

使用Yum Cron

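#!/bin/bash
# Configure yum-cron to download and apply updates automatically and to send
# its reports by e-mail.
# Requires: root, and YUM_CRON_EMAIL set in the environment.

# Refuse to touch any configuration when no report address was given.
if [[ -z "${YUM_CRON_EMAIL:-}" ]]; then
  echo "You must specify an email using \$YUM_CRON_EMAIL" >&2
  exit 1
fi

# The address is spliced into a sed replacement that uses "|" as delimiter.
# Escape "|", "&" and "\" so an unusual value cannot alter the expression.
email_escaped=$(printf '%s' "$YUM_CRON_EMAIL" | sed 's/[|&\\]/\\&/g')

daily_conf=/etc/yum/yum-cron.conf
hourly_conf=/etc/yum/yum-cron-hourly.conf

# Install the tools and enable the service at boot.
yum -y install yum-cron patch
chkconfig yum-cron on

# Daily job: download and apply every available update, report by e-mail.
# Unattended "apply_updates = yes" keeps the host patched but can also restart
# services without an operator present.
sed -i \
  -e "s|^email_to = root|email_to = ${email_escaped}|" \
  -e 's|^update_messages = no|update_messages = yes|' \
  -e 's|^download_updates = no|download_updates = yes|' \
  -e 's|^apply_updates = no|apply_updates = yes|' \
  -e 's|^emit_via = stdio|emit_via = email|' \
  "$daily_conf"

# Hourly job: same settings, restricted to security updates.
# NOTE(review): stock CentOS repositories are commonly reported not to publish
# the errata metadata that "update_cmd = security" filters on; confirm that
# the hourly job actually finds updates on this host.
sed -i \
  -e "s|^email_to = root|email_to = ${email_escaped}|" \
  -e 's|^update_cmd = default|update_cmd = security|' \
  -e 's|^update_messages = no|update_messages = yes|' \
  -e 's|^download_updates = no|download_updates = yes|' \
  -e 's|^apply_updates = no|apply_updates = yes|' \
  -e 's|^emit_via = stdio|emit_via = email|' \
  "$hourly_conf"

# Show the resulting values so the operator can verify the substitutions.
grep -E '^email_to|^update_messages|^download_updates|^apply_updates|^emit_via' "$daily_conf"
grep -E '^email_to|^update_cmd|^update_messages|^download_updates|^apply_updates|^emit_via' "$hourly_conf"

# fix bug in yum-cron nightly updates
# The original test compared the (always empty) output of "grep -q" with 0,
# so the branch could never run; test grep's exit status instead.
if ! grep -q "# success, dependencies resolved" /usr/sbin/yum-cron; then
  # NOTE(review): the patch text that was fed to `patch /usr/sbin/yum-cron`
  # is missing from the published listing, so it cannot be applied from here.
  echo "yum-cron nightly-update patch not applied: patch body is missing from this copy of the script" >&2
fi

# Restart the service if it is running, otherwise start it.
if service yum-cron status > /dev/null; then
  service yum-cron restart
else
  service yum-cron start
fi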

安装NGINX

使用 mainline 仓库以支持 HTTP/2

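#!/bin/bash
# Install nginx from the nginx.org mainline repository (HTTP/2 support),
# create the sites-*/streams-* directory layout, write /etc/nginx/nginx.conf
# and a sample reverse-proxy virtual host for an app on 127.0.0.1:3000.
# Must be run as root.

# Distribution id and major version for the repository URL, read from the
# local os-release file. The published script instead downloaded a helper
# with curl and sourced it into this root shell to obtain the two values,
# which executes unreviewed remote code with full privileges.
# NOTE(review): assumes the helper's osname/osversion yielded the same
# id / major version (e.g. centos / 7) — confirm against the repo layout.
os_id=$(. /etc/os-release && printf '%s' "$ID")
os_major=$(. /etc/os-release && printf '%s' "${VERSION_ID%%.*}")

# Repository definition. Packages are fetched over HTTPS and their signature
# is checked against the nginx signing key; the published version used
# plain HTTP with gpgcheck=0, i.e. unauthenticated packages installed as root.
cat <<REPO > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
# default repo
#baseurl=https://nginx.org/packages/${os_id}/${os_major}/\$basearch/
# mainline "dev" repo for http2 support
baseurl=https://nginx.org/packages/mainline/${os_id}/${os_major}/\$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
REPO

# install nginx
yum install -y nginx

# turn on for reboots
systemctl enable nginx

mkdir -p \
  /etc/nginx/includes \
  /etc/nginx/sites-enabled \
  /etc/nginx/sites-available \
  /etc/nginx/streams-enabled \
  /etc/nginx/streams-available

# use a conf file to include our sites-enabled conf files
cat <<'SITESENABLED' > /etc/nginx/includes/sites-enabled.conf
include                 /etc/nginx/sites-enabled/*.conf;
SITESENABLED

[[ -f "/etc/nginx/conf.d/_.sites-enabled.conf" ]] \
  || ln -s /etc/nginx/includes/sites-enabled.conf /etc/nginx/conf.d/_.sites-enabled.conf

# SELinux: grant nginx only what this configuration needs instead of making
# the whole httpd_t domain permissive (`semanage permissive -a httpd_t`, as
# published, switches off enforcement for the web server entirely).
#   httpd_can_network_connect - proxy to the upstream on 127.0.0.1:3000
#   httpd_setrlimit           - allow worker_rlimit_nofile to raise the limit
# NOTE(review): stream listeners on non-standard ports may additionally need
# a port label; check `ausearch -m avc -ts recent` after the first start.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_setrlimit 1

# Main configuration. The delimiter is quoted, so the nginx variables below
# are written literally without backslash escapes.
cat <<'NGINX_CONF' > /etc/nginx/nginx.conf
user                    nginx;
worker_processes        auto;

error_log               /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;

worker_rlimit_nofile    100000;

events {
  # determines how much clients will be served per worker
  # max clients = worker_connections * worker_processes
  # max clients is also limited by the number of socket connections available on the system (~64k)
  worker_connections      100000;

  # optmized to serve many clients with each thread, essential for linux
  use                     epoll;

  # accept as many connections as possible, may flood worker connections if set too low
  multi_accept on;
}

# web servers / virtual hosts
http {
  include                 /etc/nginx/mime.types;
  default_type            application/octet-stream;

  log_format              main    '$remote_addr - $remote_user [$time_local] "$request" '
                                  '$status $body_bytes_sent "$http_referer" '
                                  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log              /var/log/nginx/access.log combined flush=1m buffer=128k;

  # cache informations about FDs, frequently accessed files
  # can boost performance, but you need to test those values
  open_file_cache         max=200000 inactive=20s;
  open_file_cache_valid   30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors  on;

  # send headers in one peace, its better then sending them one by one
  tcp_nopush              on;

  # don't buffer data sent, good for small data bursts in real time
  tcp_nodelay             on;

  # server will close connection after this time
  keepalive_timeout       30;

  # allow the server to close connection on non responding client, this will free up memory
  reset_timedout_connection on;

  # request timed out -- default 60
  client_body_timeout     10;

  # if client stop responding, free up memory -- default 60
  send_timeout            2;

  # reduce the data that needs to be sent over network
  gzip                    on;
  gzip_min_length         10240;
  gzip_proxied            expired no-cache no-store private auth;
  gzip_types              text/plain text/css text/xml text/javascript application/x-javascript application/xml;
  gzip_disable            "MSIE [1-6]\.";

  proxy_buffer_size       128k;
  proxy_buffers           64 256k;
  proxy_busy_buffers_size 256k;
  proxy_ignore_client_abort on;

  include                 /etc/nginx/conf.d/*.conf;
}

# load balancer streams
stream {
  include                 /etc/nginx/streams-enabled/*.conf;
}
NGINX_CONF

# create a virtual server conf file that is in sites-available
# This host listens on plain HTTP only; no TLS server block is defined here.
# X-Forwarded-For is built from the client-supplied header plus the peer
# address, so the app should trust only the last entry added by this proxy.
cat <<'NGINX_HOST' > /etc/nginx/sites-available/myapp.conf
upstream myapp {
        # our app will be on localhost port 3000, but you can change this here
        server                  127.0.0.1:3000 fail_timeout=0;
}

server {
        listen                  80;
        server_name             myapp.example.com;

        location / {
                proxy_set_header        Host $host:$server_port;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                proxy_pass              http://myapp;
        }
}
NGINX_HOST

# link this conf to sites-enabled. it's important to use the full path
#ln -s /etc/nginx/sites-available/myapp.conf /etc/nginx/sites-enabled/myapp.conf

# Only touch the running service when the new configuration validates.
# Start nginx when it is not running yet, matching the firewalld and redis
# scripts on this page (the published line restarted a running instance only).
if nginx -t; then
  if service nginx status > /dev/null; then
    service nginx restart
  else
    service nginx start
  fi
fi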

安装Redis

安装Redis之前先安装EPEL

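#!/bin/bash
# Install Redis from EPEL, apply the kernel settings it needs for background
# saves and large connection backlogs, and (re)start the service.
# Must be run as root.

# install the EPEL repo to access Redis
yum install -y epel-release
yum install -y redis

# fix redis background saves on low memory
# Each sysctl is applied now and persisted in /etc/sysctl.d for later boots.
sysctl vm.overcommit_memory=1 && cat <<SYSCTL_MEM > /etc/sysctl.d/88-vm.overcommit_memory.conf
vm.overcommit_memory = 1
SYSCTL_MEM

# increase max connections
sysctl -w net.core.somaxconn=65535 && cat <<SYSCTL_CONN > /etc/sysctl.d/88-net.core.somaxconn.conf
net.core.somaxconn = 65535
SYSCTL_CONN

sysctl -w fs.file-max=100000 && cat <<SYSCTL_FILEMAX > /etc/sysctl.d/88-fs.file-max.conf
fs.file-max = 100000
SYSCTL_FILEMAX

# Match Redis' listen backlog to the raised somaxconn value.
sed -i "s|^tcp-backlog [[:digit:]]\+|tcp-backlog 65535|" /etc/redis.conf

# Nothing in this script sets a password (requirepass), so Redis should stay
# bound to the loopback interface. Print the bind line for the operator to
# confirm before the service is started.
grep -E '^bind ' /etc/redis.conf

# enable redis service on reboot
systemctl enable redis

# start service
# Restart when already running, otherwise start; the if/else keeps a failed
# restart from falling through to "start".
if service redis status > /dev/null; then
  service redis restart
else
  service redis start
fi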

安装Node.js 和 PM2

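#!/bin/bash
# Install Node.js from the NodeSource repository and PM2 as a global package.
# Requires: root, and SRC_NODE_VERSION (e.g. a major version number) set in
# the environment.

# make sure the SRC_NODE_VERSION is set
# Stop here when it is missing, so the PM2 install below is never attempted
# without Node.js (the published script ran npm regardless).
if [[ -z "${SRC_NODE_VERSION:-}" ]]; then
  echo "You must specify a node version using \$SRC_NODE_VERSION" >&2
  exit 1
fi

# The value becomes part of a URL whose content is executed as root, so accept
# only digits and dots.
if [[ ! "$SRC_NODE_VERSION" =~ ^[0-9]+(\.[0-9]+)*$ ]]; then
  echo "SRC_NODE_VERSION must be numeric, got: $SRC_NODE_VERSION" >&2
  exit 1
fi

# Select node version to install.
# Download the setup script to a temporary file first instead of piping curl
# straight into bash: --fail rejects HTTP error pages, a truncated transfer is
# never executed, and the file can be inspected before it runs.
setup_script=$(mktemp) || exit 1
trap 'rm -f -- "$setup_script"' EXIT

if ! curl --fail --silent --show-error --location \
  --output "$setup_script" \
  "https://rpm.nodesource.com/setup_${SRC_NODE_VERSION}.x"; then
  echo "Failed to download the NodeSource setup script" >&2
  exit 1
fi

bash "$setup_script" || exit 1

# install via yum
yum install -y git gcc-c++ make nodejs || exit 1

# PM2 - install as global
# NOTE(review): "@latest" installs whatever version is current at run time;
# pin an explicit version if reproducible builds matter.
npm install pm2@latest -g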

创建 appuser

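# Create a dedicated unprivileged account to run the application, so the Node
# process does not run as root (the two commands were fused onto one line in
# the published listing).
adduser appuser

# Set the account's password interactively.
passwd appuser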

以 appuser 身份使用 PM2 启动应用

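# Run these commands as appuser, not as root, so PM2 and the application
# inherit the unprivileged account.

# Create the application directory (no error if it already exists) and enter
# it. The published listing created ~/apps but then changed to /apps, which is
# a different directory; ~/apps is used consistently here.
mkdir -p ~/apps
cd ~/apps

# Register the app with PM2 under the name "myapp" and start it.
pm2 start ~/apps/myapp/server.js --name=myapp

# Show its state, then restart it.
pm2 status myapp
pm2 restart myapp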
