Setting up a Magento environment on Google Compute Engine CentOS 7.0

As the company website grows in importance, moving Magento to the cloud has become a necessity (it removes risks such as power outages and network interruptions at the office).

The following sets up the environment on CentOS 7.0 in Google Compute Engine (GCE).

The package versions available on the GCE CentOS 7.0 image at the time of writing (December 2017) are PHP 5.4.16, NGINX 1.12.2 and OpenSSL 1.0.2k, which already meet our minimum requirements.

For the database, we will try Google Cloud SQL instead of installing MariaDB (MySQL) locally; only the web tier is set up below.


Installation

To make configuration easier, set a root password first, then switch to root with su. (On GCE, sudo -i opens a root shell without a root password at all; only set one if you really intend to log in as root, since it adds a password-based path to that account.)

sudo passwd root
su

Install NGINX 1.12.2

yum -y install nginx

Install PHP 5.4.16 + Zend Optimizer+ (OPcache, from the php-pecl-zendopcache package)

yum -y install php php-mysql php-gd php-fpm php-mbstring php-mcrypt php-pear php-process php-tidy php-xml php-xmlrpc php-soap
yum -y install php-pecl-zendopcache

Install PHP 5.6 + OPcache (alternative to the PHP 5.4 packages above)

The PHP 5.4.16 block uses the CentOS base packages; this block pulls PHP 5.6 from the Webtatic repository instead. The php56w packages replace the base php packages rather than coexisting with them, so pick one of the two. Upstream support for both branches has ended (5.4 in 2015, 5.6 at the end of 2018); CentOS 7 carried backported fixes for its own 5.4 package only until the distribution's end of life in June 2024.

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php56w php56w-mysql php56w-gd php56w-fpm php56w-mbstring php56w-mcrypt php56w-pear php56w-process php56w-tidy php56w-xml php56w-xmlrpc php56w-soap php56w-devel php56w-opcache

Install a newer cURL (required by Magento)

The sed line below overwrites line 5 of the repo file with enabled=1, which only does the right thing if line 5 is the enabled= line of the main [city-fan.org] section; check with grep -n enabled /etc/yum.repos.d/city-fan.org.repo first, or use yum-config-manager --enable city-fan.org (from yum-utils), which does not depend on line numbers.

rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/city-fan.org-release-1-13.rhel7.noarch.rpm
sed -i '5c enabled=1' /etc/yum.repos.d/city-fan.org.repo
yum -y install curl libcurl

Configuration

Set the SELinux mode and the httpd_can_sendmail boolean

Note that this switches SELinux to permissive for the whole host: denials are still logged but no longer enforced, for every process and not only nginx. The edit to /etc/selinux/config only takes effect at the reboot at the end of this page (setenforce 0 would apply it at once). Keeping enforcing mode and relabelling the web root instead is the safer route.

sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config && setsebool -P httpd_can_sendmail 1

Edit php.ini

This enables short_open_tag, raises memory_limit to 512M and sets cgi.fix_pathinfo=0, so PHP-FPM refuses to guess a script name from a path such as /media/image.jpg/x.php. Together with try_files $uri =404 in the nginx PHP location below, this closes the classic nginx+PHP misconfiguration that lets an uploaded image be executed as PHP.

sed -i 's/short_open_tag = Off/short_open_tag = On/' /etc/php.ini && sed -i 's/memory_limit = 128M/memory_limit = 512M/' /etc/php.ini && sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini

Edit the php-fpm pool

The pool listens on a Unix socket owned by nginx instead of TCP 127.0.0.1:9000, and runs as the nginx user so the socket and the files Magento writes share one owner.

sed -i 's@listen = 127.0.0.1:9000@listen = /var/run/php-fpm/php-fpm.sock@' /etc/php-fpm.d/www.conf && sed -i 's@;listen.owner = nobody@listen.owner = nginx@' /etc/php-fpm.d/www.conf && sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php-fpm.d/www.conf && sed -i 's/user = apache/user = nginx/' /etc/php-fpm.d/www.conf && sed -i 's/group = apache/group = nginx/' /etc/php-fpm.d/www.conf

Tune /etc/php.d/opcache.ini (a Magento 1 tree has far more PHP files than the default 4000 that max_accelerated_files allows)

sed -i 's/opcache.memory_consumption=128/opcache.memory_consumption=256/' /etc/php.d/opcache.ini && sed -i 's/opcache.max_accelerated_files=4000/opcache.max_accelerated_files=16000/' /etc/php.d/opcache.ini
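An added check, not part of the original post: a sed substitution whose pattern does not match the installed file is a silent no-op, so the php.ini and www.conf edits above are best read back rather than trusted. The script reads the last uncommented assignment of each key and compares it with the value the post intends. listen.mode = 0660 is an extra the post does not set: the package default varies between PHP branches, and stating it explicitly guarantees that only the socket owner and group (nginx) can connect. Paths are the ones used on this page.

```sh
#!/bin/sh
# Added check, not from the original post: confirm the php.ini and php-fpm pool
# edits took effect. A sed substitution whose pattern does not match the
# installed file is a silent no-op, so read the result back instead of trusting it.

# check_ini KEY EXPECTED FILE
#   Succeeds when the last uncommented "KEY = VALUE" line in FILE has VALUE equal
#   to EXPECTED. Lines starting with ';' are comments and are ignored.
check_ini() {
    key=$1; expected=$2; file=$3
    actual=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
             | sed 's/[[:space:]]*$//' | tail -n 1)
    [ "$actual" = "$expected" ]
}

# php_fpm_hardening_check PHP_INI WWW_CONF
#   Prints one line per setting and returns the number of settings that are wrong.
php_fpm_hardening_check() {
    php_ini=$1; www_conf=$2; failures=0
    for spec in \
        "$php_ini|short_open_tag|On" \
        "$php_ini|memory_limit|512M" \
        "$php_ini|cgi.fix_pathinfo|0" \
        "$www_conf|user|nginx" \
        "$www_conf|group|nginx" \
        "$www_conf|listen|/var/run/php-fpm/php-fpm.sock" \
        "$www_conf|listen.owner|nginx" \
        "$www_conf|listen.group|nginx" \
        "$www_conf|listen.mode|0660"
    do
        file=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        if check_ini "$key" "$want" "$file"; then
            echo "ok    $key = $want"
        else
            echo "WRONG $key (expected $want) in $file"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage on the instance:  sh check.sh /etc/php.ini /etc/php-fpm.d/www.conf
if [ "$#" -eq 2 ]; then
    php_fpm_hardening_check "$1" "$2"
fi
```

The exit status is the number of wrong settings, so the script can gate a deployment step; a non-zero result after running the sed lines means the stock file did not contain the expected text and needs editing by hand.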

Edit nginx.conf

vim /etc/nginx/nginx.conf

Remove this block

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Add nginx/conf.d/magento.conf (for port 80)

vim /etc/nginx/conf.d/magento.conf

Enter the following configuration. Only media/downloadable is denied below, so a .php file that lands anywhere else under /media/ or /skin/ (the user-upload paths) would still reach the PHP location; if uploads are enabled, add a location that denies \.php$ under those paths.

server {
    listen       80;
    server_name  104.199.145.27;
    root   /usr/share/nginx/html;
    index index.php index.html index.htm;
    location ~* \.(ico|css|js|gif|jpe?g|png|ogg|ogv|svg|svgz|eot|otf|woff)(\?.+)?$ {
        expires max;
        log_not_found off;
        add_header Access-Control-Allow-Origin "*";
    }
    #location /.well-known/acme-challenge/ {
    #    alias /var/www/dehydrated/;
    #}
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    ## These locations are protected. "^~" is required: without it the "~ \.php$" regex
    ## location below wins for /downloader/index.php and the allow/deny here is bypassed.
    ## (192.168.0.0/24 never reaches a GCE instance from the Internet, so this is effectively deny all.)
    location ^~ /downloader/ {
        allow 192.168.0.0/24;
        deny all;
        location ~ \.php$ { ## still run the Connect Manager for allowed addresses
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    ## These locations are protected
    location ~ /(dev|app|includes|lib|media/downloadable|pkginfo|var)/ {
        deny all;
    }
    location @handler { ## Magento uses a common front handler (not referenced: try_files above falls back to /index.php directly)
        rewrite / /index.php;
    }
    location ~ \.php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*\.php)/ $1 last;
    }
    location ~ \.php$ {
        try_files $uri =404; ## with cgi.fix_pathinfo=0, only scripts that really exist reach PHP-FPM
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    ## $bad_referer is not a built-in variable: define it with "map $http_referer $bad_referer { ... }"
    ## in the http context before enabling this, otherwise nginx -t fails with 'unknown "bad_referer" variable'
    #if ($bad_referer) {
    #    return 444;
    #}
}

Add nginx/conf.d/magento.ssl.conf (for port 443)

vim /etc/nginx/conf.d/magento.ssl.conf

Enter the following configuration. The protocol and cipher lists date from 2017: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), and the trailing AES:CAMELLIA:DES-CBC3-SHA entries admit CBC and 3DES suites. A current deployment should allow TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it; 1.0.2k does not) with AEAD suites only.

server {
    listen       443 ssl http2;
    ## the certificate below must cover both names in its SAN list, or the second name fails the TLS handshake
    server_name  www.gapl.com.tw www.glamp.com.tw;
    root   /usr/share/nginx/html;
    index index.php index.html index.htm;

    ssl_certificate      /etc/dehydrated/certs/www.gapl.com.tw/fullchain.pem;
    ssl_certificate_key  /etc/dehydrated/certs/www.gapl.com.tw/privkey.pem;
    ssl_dhparam /etc/dehydrated/dhparam.pem;

    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless a known legacy client needs them
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_prefer_server_ciphers on;
    ## AEAD (GCM) suites come first; the trailing AES:CAMELLIA:DES-CBC3-SHA entries admit CBC and 3DES and can be removed
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location ~* \.(ico|css|js|gif|jpe?g|png|ogg|ogv|svg|svgz|eot|otf|woff)(\?.+)?$ {
        expires max;
        log_not_found off;
        add_header Access-Control-Allow-Origin "*";
        ## add_header is not inherited into a location that sets its own headers, so HSTS is repeated here
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    location / {
        deny 203.24.188.5;
        deny 203.24.188.10;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    ## These locations are protected. "^~" is required: without it the "~ \.php$" regex
    ## location below wins for /dev/x.php or /downloader/index.php and the allow/deny is bypassed.
    ## (192.168.0.0/16 never reaches a GCE instance from the Internet, so this is effectively deny all.)
    location ^~ /dev/ {
        allow 192.168.0.0/16;
        deny all;
    }

    location ^~ /downloader/ {
        allow 192.168.0.0/16;
        deny all;
        location ~ \.php$ { ## still run the Connect Manager for allowed addresses
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    ## These locations are protected
    location ~ /(app|includes|lib|media/downloadable|pkginfo|var)/ {
        deny all;
    }

    location @handler { ## Magento uses a common front handler (not referenced: try_files above falls back to /index.php directly)
        rewrite / /index.php;
    }

    location ~ \.php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*\.php)/ $1 last;
    }

    location ~ \.php$ {
        try_files $uri =404; ## with cgi.fix_pathinfo=0, only scripts that really exist reach PHP-FPM
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 600s;
    }

    ## $bad_referer is not a built-in variable: define it with "map $http_referer $bad_referer { ... }"
    ## in the http context first, otherwise nginx -t fails with 'unknown "bad_referer" variable'.
    ## Kept commented out, as in the port 80 file, until that map exists.
    #if ($bad_referer) {
    #    return 444;
    #}

}
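An added example, not from the original post: the server blocks above test $bad_referer, but nginx has no built-in variable of that name, so the configuration only passes nginx -t once a map defines it in the http context (the stock nginx.conf includes /etc/nginx/conf.d/*.conf there). The function below writes such a map and the installer validates and reloads. The referrer names in it are placeholders for illustration, not sites from the post, and the own-site whitelist assumes the two server_name domains; once the file is in place, the if ($bad_referer) block can be enabled in both server blocks.

```sh
#!/bin/sh
# Added example, not from the original post. The 443 server block tests
# $bad_referer, but nginx defines no such variable: nginx -t fails with
# 'unknown "bad_referer" variable' unless a map creates it in the http context.
# The referrer patterns are placeholders for illustration, not sites from the post.

# write_bad_referer_map FILE: write a map that sets $bad_referer to 1 for
# referrers we want to drop with "return 444", and to 0 for everything else.
write_bad_referer_map() {
    cat > "$1" <<'EOF'
# Loaded from conf.d, which the stock nginx.conf includes inside http { }.
# Evaluated lazily, once per request that actually reads $bad_referer.
map $http_referer $bad_referer {
    default                                          0;
    ""                                               0;   # no Referer header: allow
    "~*^https?://([^/]+\.)?(gapl|glamp)\.com\.tw/"   0;   # own sites (assumed names): allow
    "~*semalt\.com"                                  1;   # placeholder spam referrers: drop
    "~*buttons-for-website\.com"                     1;
}
EOF
}

# install_bad_referer_map: write the map, validate the whole config, then reload.
# A failed nginx -t leaves the running nginx untouched.
install_bad_referer_map() {
    write_bad_referer_map /etc/nginx/conf.d/00-bad-referer.conf
    nginx -t && systemctl reload nginx
}

# Usage on the instance (as root):  sh bad-referer.sh install
if [ "${1:-}" = "install" ]; then
    install_bad_referer_map
fi
```

Map keys starting with ~* are case-insensitive regular expressions and the first matching key wins, so the own-site rule is listed before the blocking rules; return 444 then closes the connection without sending a response, which is what the original if block intends.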


Enable the NGINX and PHP-FPM services at boot

systemctl enable nginx.service && systemctl enable php-fpm.service

Download the Magento backup, move it into the web root, and reboot so the SELinux setting takes effect

The archive is fetched over HTTPS but not otherwise verified; record a checksum when the backup is made and compare it before extracting. It also contains app/etc/local.xml with the database credentials, so the bucket it is stored in must not be publicly readable.

curl -O https://storage.googleapis.com/www-gapl/magento_2017-12-29.tar.gz
rm -rf /usr/share/nginx/html
tar -C /usr/share/nginx/ -zxvf magento_2017-12-29.tar.gz
chown -R nginx: /usr/share/nginx/html
reboot
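An added example, not from the original post: the download step above extracts the backup without checking that the archive is the one that was uploaded. This function verifies a SHA-256 recorded when the backup was created (the value is an assumption; the post publishes none), refuses to touch the web root on a mismatch, and restricts app/etc/local.xml, which holds the database credentials, to the PHP-FPM user. The archive layout (a top-level html/ directory) matches the tar -C usage above.

```sh
#!/bin/sh
# Added example, not from the original post: verify the backup archive before it
# replaces the web root, then lock down the file that holds database credentials.
# The expected checksum must come from wherever the backup was produced; the post
# publishes none, so the value passed on the command line is an assumption.

# deploy_magento_backup ARCHIVE EXPECTED_SHA256 PARENT OWNER
#   ARCHIVE holds a top-level html/ directory (as the post's tarball does) and is
#   extracted under PARENT, replacing PARENT/html. Returns 1 and changes nothing
#   when the checksum does not match.
deploy_magento_backup() {
    archive=$1; expected=$2; parent=$3; owner=$4
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to deploy $archive: sha256 $actual, expected $expected" >&2
        return 1
    fi
    rm -rf "$parent/html"
    tar -C "$parent" -xzf "$archive"
    chown -R "$owner" "$parent/html"
    # Magento 1 keeps the DB credentials in app/etc/local.xml; only the PHP-FPM
    # user (the owner) needs to read it, so drop world access.
    if [ -f "$parent/html/app/etc/local.xml" ]; then
        chmod 640 "$parent/html/app/etc/local.xml"
    fi
}

# Usage on the instance (as root):  sh deploy.sh <archive-url> <expected-sha256>
if [ "$#" -eq 2 ]; then
    curl -fsSLO "$1"
    deploy_magento_backup "$(basename "$1")" "$2" /usr/share/nginx nginx:
fi
```

The old web root is only removed after the checksum has matched, so a corrupted or substituted download leaves the running site in place; the reboot from the post still follows if SELinux was set to permissive.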

For the next step, migrating SSL, see: Setting up Dehydrated and migrating SSL certificates on Google Compute Engine CentOS 7.0

Encountering 403 Forbidden

The Nginx error log (/var/log/nginx/error.log) shows:

2017/12/30 18:16:42 [error] 871#0: *2 open() "/usr/share/nginx/html/LICENSE.txt" failed (13: Permission denied), client: 60.251.46.241, server: 104.199.145.27, request: "GET /LICENSE.txt HTTP/1.1", host: "104.199.145.27"

Errno 13 on a file that exists means the nginx worker is refused read access: either the owner and mode of the file or of a parent directory do not grant it to the nginx user, or SELinux is still enforcing and the extracted files carry a context httpd_t may not read. The chown -R nginx: step above covers the first case and the reboot (which applies the permissive setting) the second; ls -lZ on the failing path shows which one applies.
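An added example serving both the SELinux step and the 403 above, not from the original post: it keeps SELinux enforcing and labels the Magento tree for httpd_t instead of switching to permissive, pulls the failing paths and errno out of the nginx error log, and tells the two causes of errno 13 apart (owner/mode versus SELinux context). Labels and booleans are the standard targeted-policy ones; httpd_can_network_connect_db is what the Cloud SQL connection the post plans needs under enforcing mode, a requirement permissive mode would otherwise hide. The sample log line in the test is the one from the post; run the script as root, and pass "apply" to do the labelling.

```sh
#!/bin/sh
# Added example, not from the original post: keep SELinux enforcing instead of
# dropping to permissive, label the Magento tree so nginx/PHP-FPM (httpd_t) can
# use it, and pinpoint the cause of a 403 like the one in the error log above.
# "open() ... failed (13: Permission denied)" on a file that exists means the
# nginx worker was refused by DAC (owner/mode) or by SELinux (file context).
# semanage comes from policycoreutils-python on CentOS 7.

# nginx_open_errors LOGFILE: print "<errno> <path>" for each failed open() in the
# nginx error log, so 13 (EACCES) and 2 (ENOENT) are told apart at a glance.
nginx_open_errors() {
    sed -n 's/.*open() "\([^"]*\)" failed (\([0-9]*\): [^)]*).*/\2 \1/p' "$1"
}

# fcontext_pattern DIR: the regex semanage expects for DIR and everything under it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# add_fcontext TYPE DIR: add the labelling rule, or modify it if the pattern exists.
add_fcontext() {
    pat=$(fcontext_pattern "$2")
    semanage fcontext -a -t "$1" "$pat" 2>/dev/null || semanage fcontext -m -t "$1" "$pat"
}

# selinux_label_magento DOCROOT: read-only label for the tree, writable label only
# for the directories Magento 1 writes to (var/ cache, logs, sessions; media/ uploads).
selinux_label_magento() {
    root=$1
    add_fcontext httpd_sys_content_t    "$root"
    add_fcontext httpd_sys_rw_content_t "$root/var"
    add_fcontext httpd_sys_rw_content_t "$root/media"
    restorecon -Rv "$root"
    setsebool -P httpd_can_sendmail 1             # order e-mail, as in the post
    setsebool -P httpd_can_network_connect_db 1   # PHP-FPM to Cloud SQL over TCP
}

# check_file_for_nginx PATH: say which layer denies the nginx user access to PATH.
# Exit status: 0 readable, 1 denied (reason printed), 2 file missing.
check_file_for_nginx() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f does not exist (nginx would log errno 2, not 13)"; return 2
    fi
    if ! runuser -u nginx -- test -r "$f"; then
        echo "DAC denies: fix owner/mode of $f and of every parent directory"; return 1
    fi
    if [ "$(getenforce)" = "Enforcing" ]; then
        ctx=$(stat -c %C "$f")
        case $ctx in
            *httpd_sys_content_t*|*httpd_sys_rw_content_t*) ;;
            *) echo "SELinux label $ctx is not readable by httpd_t; run restorecon"; return 1 ;;
        esac
    fi
    echo "nginx can read $f"; return 0
}

# Usage on the instance (as root):  sh selinux-magento.sh apply [DOCROOT]
if [ "${1:-}" = "apply" ]; then
    selinux_label_magento "${2:-/usr/share/nginx/html}"
    nginx_open_errors /var/log/nginx/error.log | sort -u | while read -r errno path; do
        [ "$errno" = "13" ] && check_file_for_nginx "$path"
    done
fi
```

With the labels persisted through semanage, a later restorecon or relabel keeps them, which a one-off chcon would not; the boolean changes are persisted by -P. The first time the script runs after extracting a backup, expect restorecon to print every file it relabels.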

Further reading

Logging in to Google Compute Engine as root with a password

PHP 5.4, APC/Zend Optimizer+ on Centos 7

PHP 5.6 on CentOS/RHEL 7.4 and 6.9 via Yum