Setting up a Magento environment on Google Compute Engine CentOS 7.0

As the official website has become more and more important, moving Magento to the cloud is now a necessity (it removes risks such as power outages and network failures).

Below is the environment setup on CentOS 7.0 in Google Compute Engine (GCE).

The default package versions on the GCE CentOS 7.0 image are PHP 5.4.16, NGINX 1.12.2 and OpenSSL 1.0.2k, which already meet our minimum requirements.

For the database, we try Google SQL instead of installing MariaDB (MySQL) on the instance.

Installation

To simplify configuration, first set a root password, then switch to the root user with su.

sudo passwd root
su

Install NGINX 1.12.2

yum -y install nginx

Install PHP 5.4.16 + Zend Optimizer+

yum -y install php php-mysql php-gd php-fpm php-mbstring php-mcrypt php-pear php-process php-tidy php-xml php-xmlrpc php-soap
yum -y install php-pecl-zendopcache

Install PHP 5.6 + opcache

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php56w php56w-mysql php56w-gd php56w-fpm php56w-mbstring php56w-mcrypt php56w-pear php56w-process php56w-tidy php56w-xml php56w-xmlrpc php56w-soap php56w-devel php56w-opcache

Install a newer curl (required by Magento)

rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/city-fan.org-release-1-13.rhel7.noarch.rpm
sed -i '5c enabled=1' /etc/yum.repos.d/city-fan.org.repo
yum -y install curl libcurl

Configuration

Switch SELinux to permissive mode (violations are logged but no longer blocked) and enable the httpd_can_sendmail boolean

sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config && setsebool -P httpd_can_sendmail 1

Edit php.ini (short_open_tag, memory_limit, cgi.fix_pathinfo)

sed -i 's/short_open_tag = Off/short_open_tag = On/' /etc/php.ini && sed -i 's/memory_limit = 128M/memory_limit = 512M/' /etc/php.ini && sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini

Edit the php-fpm pool configuration (listen on a Unix socket as the nginx user)

sed -i 's@listen = 127.0.0.1:9000@listen = /var/run/php-fpm/php-fpm.sock@' /etc/php-fpm.d/www.conf && sed -i 's@;listen.owner = nobody@listen.owner = nginx@' /etc/php-fpm.d/www.conf && sed -i 's/;listen.group = nobody/listen.group = nginx/' /etc/php-fpm.d/www.conf && sed -i 's/user = apache/user = nginx/' /etc/php-fpm.d/www.conf && sed -i 's/group = apache/group = nginx/' /etc/php-fpm.d/www.conf

Tune /etc/php.d/opcache.ini

sed -i 's/opcache.memory_consumption=128/opcache.memory_consumption=256/' /etc/php.d/opcache.ini && sed -i 's/opcache.max_accelerated_files=4000/opcache.max_accelerated_files=16000/' /etc/php.d/opcache.ini
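The sed one-liners in the three steps above only match the stock text, so a directive that already has another value (or is still commented out, like cgi.fix_pathinfo) is silently left alone and the default stays in force. The following is an added example, not code from the original post, that applies the same php.ini settings idempotently and reads the effective value back; it assumes GNU sed, as on CentOS:

```bash
#!/bin/sh
# Added example (not from the original post): an idempotent ini editor usable for the
# php.ini, php-fpm www.conf and opcache.ini edits above. The directive is rewritten
# whatever its current value, uncommented if needed, and appended if absent.
# Assumes GNU sed and values without the sed replacement metacharacters & and |.
set_ini_value() {
    file="$1" key="$2" value="$3"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots in keys such as cgi.fix_pathinfo
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key_re[[:space:]]*=" "$file"; then
        # rewrite every line carrying the directive, commented out or not
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*$key_re[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a directive (first uncommented occurrence), or nothing.
get_ini_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# The three php.ini changes from the section above. cgi.fix_pathinfo=0 is the
# security-relevant one: behind nginx it stops a request such as /media/x.jpg/foo.php
# from being resolved back to x.jpg and executed as PHP.
apply_magento_php_ini() {
    set_ini_value "$1" short_open_tag   On
    set_ini_value "$1" memory_limit     512M
    set_ini_value "$1" cgi.fix_pathinfo 0
}

# Constructed php.ini fragment (not a real file from the post) that the stock sed
# one-liners would mishandle: memory_limit was already changed, short_open_tag is absent.
make_sample_php_ini() {
    f=$(mktemp)
    printf '%s\n' '; constructed sample' 'memory_limit = 256M' ';cgi.fix_pathinfo=1' 'expose_php = On' > "$f"
    printf '%s\n' "$f"
}
```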

Edit nginx.conf

vim /etc/nginx/nginx.conf

Remove this block

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Create nginx/conf.d/magento.conf (port 80 only)

vim /etc/nginx/conf.d/magento.conf

Fill in the following configuration

server {
    listen       80;
    server_name  104.199.145.27;
    root   /usr/share/nginx/html;
    index index.php index.html index.htm;
    location ~* \.(ico|css|js|gif|jpe?g|png|ogg|ogv|svg|svgz|eot|otf|woff)(\?.+)?$ {
        expires max;
        log_not_found off;
        add_header Access-Control-Allow-Origin "*";
    }
    #location /.well-known/acme-challenge/ {
    #    alias /var/www/dehydrated/;
    #}
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    ## These locations are protected
    location /downloader/ {
        allow 192.168.0.0/24;
        deny all;
    }
    ## These locations are protected
    location ~ /(dev|app|includes|lib|media/downloadable|pkginfo|var)/ {
        deny all;
    }
    location @handler { ## Magento uses a common front handler
        rewrite / /index.php;
    }
    location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*.php)/ $1 last;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    #if ($bad_referer) {
    #    return 444;
    #}
}

Create nginx/conf.d/magento.ssl.conf (port 443 only)

vim /etc/nginx/conf.d/magento.ssl.conf

Fill in the following configuration

server {
    listen       443 ssl http2;
    server_name  www.gapl.com.tw www.glamp.com.tw;
    root   /usr/share/nginx/html;
    index index.php index.html index.htm;

    ssl_certificate      /etc/dehydrated/certs/www.gapl.com.tw/fullchain.pem;
    ssl_certificate_key  /etc/dehydrated/certs/www.gapl.com.tw/privkey.pem;
    ssl_dhparam /etc/dehydrated/dhparam.pem;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;   ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients still need them
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location ~* \.(ico|css|js|gif|jpe?g|png|ogg|ogv|svg|svgz|eot|otf|woff)(\?.+)?$ {
        expires max;
        log_not_found off;
        add_header Access-Control-Allow-Origin "*";
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    location / {
        deny 203.24.188.5;
        deny 203.24.188.10;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    ## These locations are protected
    location /dev/ {
        allow 192.168.0.0/16;
        deny all;
    }

    location /downloader/ {
        allow 192.168.0.0/16;
        deny all;
    }
    ## These locations are protected
    location ~ /(app|includes|lib|media/downloadable|pkginfo|var)/ {
        deny all;
    }

    location @handler { ## Magento uses a common front handler
        rewrite / /index.php;
    }

    location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 600s;
    }

    ## $bad_referer is not defined anywhere on this page: it must come from a map block
    ## (typically keyed on $http_referer) in the http context, otherwise nginx -t fails
    ## with "unknown variable".
    if ($bad_referer) {
        return 444;
    }

}

Enable the NGINX and PHP-FPM services at boot

systemctl enable nginx.service && systemctl enable php-fpm.service

Download the Magento backup, unpack it into the web root, and reboot so that the SELinux change takes effect

curl -O https://storage.googleapis.com/www-gapl/magento_2017-12-29.tar.gz
rm -rf /usr/share/nginx/html
tar -C /usr/share/nginx/ -zxvf magento_2017-12-29.tar.gz
chown -R nginx: /usr/share/nginx/html
reboot

Next step, SSL migration: see "Setting up Dehydrated and migrating SSL certificates on Google Compute Engine CentOS 7.0".

Encountering 403 Forbidden
The Nginx error log (/var/log/nginx/error.log) shows
2017/12/30 18:16:42 [error] 871#0: *2 open() "/usr/share/nginx/html/LICENSE.txt" failed (13: Permission denied), client: 60.251.46.241, server: 104.199.145.27, request: "GET /LICENSE.txt HTTP/1.1", host: "104.199.145.27"
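The log line shows a permission error on a file inside the web root, which is what the chown -R nginx: step in the install procedure is there to prevent. As an added check, not part of the original post, the following lists the entries under a web root that a non-owner process such as the nginx worker cannot read or traverse, and applies the usual 755/644 layout; it assumes the nginx user is neither owner nor group member of the unpacked files:

```bash
#!/bin/sh
# Added example (not from the original post) for the "Permission denied" 403 above.
# After unpacking a backup made on another machine, files may belong to a foreign uid
# or carry modes such as 600/700, so the nginx worker (user nginx) cannot open them.
check_docroot_access() {
    # files lacking the other-read bit, directories lacking the other-execute bit
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -001 \)
}

# Directories 755, files 644, owner nginx: the same end state as the post's
# "chown -R nginx:" step. Magento's var/ and media/ stay writable because the
# php-fpm pool runs as that owner.
fix_docroot_access() {
    root="$1" owner="${2:-nginx}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # chown only when running as root and the owner exists (skipped on a test box)
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner": "$root"
    fi
}

# Constructed web root reproducing the error: LICENSE.txt is mode 600, var/ is 700.
make_sample_docroot() {
    d=$(mktemp -d)/html
    mkdir -p "$d/app/etc" "$d/var"
    printf 'ok\n' > "$d/index.php"
    printf 'lic\n' > "$d/LICENSE.txt"
    chmod 755 "$d" "$d/app" "$d/app/etc"
    chmod 644 "$d/index.php"
    chmod 600 "$d/LICENSE.txt"
    chmod 700 "$d/var"
    printf '%s\n' "$d"
}
```

On a live host run check_docroot_access /usr/share/nginx/html first and fix only what it reports.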


Further reading

Logging in to Google Compute Engine as root with a password

PHP 5.4, APC/Zend Optimizer+ on Centos 7

PHP 5.6 on CentOS/RHEL 7.4 and 6.9 via Yum

Updating OpenSSL to the latest 1.1.0 on CentOS

The OpenSSL in the CentOS YUM repositories only goes up to 1.0.1e,

but some NGINX features require 1.0.2+.

Follow the steps below to update.

Download the latest OpenSSL

$ wget https://www.openssl.org/source/openssl-1.1.0-latest.tar.gz
$ tar zxvf openssl-1.1.0-latest.tar.gz -C /usr/src/
$ cd /usr/src/openssl-1.1.0*

Compile and install

$ ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'   # without these linker flags, Let's Encrypt reports an error
$ make
$ make install

If OpenSSL was previously updated by hand, remove these files first

$ rm -f /usr/bin/openssl && rm -f /usr/lib64/libssl.so.1.1 && rm -f /usr/lib64/libcrypto.so.1.1

Recreate the symbolic links

$ ln -s /usr/local/bin/openssl /usr/bin/openssl
$ ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
$ ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

Verify the version

$ openssl version
OpenSSL 1.1.0f 25 May 2017

Let's Encrypt additionally needs the following:
cd ~/.local/share/letsencrypt/bin/
./pip uninstall cryptography pyopenssl -y
./pip install --upgrade pip
rm -rf ~/.cache/
./pip install cryptography pyopenssl

References:

https://stackoverflow.com/questions/42111198/undefined-symbol-openssl-sk-num/43622117

Speeding up Magento: HTTP/2 and ALPN support in NGINX

Since HTTP/2 support makes site connections noticeably faster (see https://www.httpvshttps.com/),

we set about upgrading the existing system to speed up Magento.

Upgrade OpenSSL to 1.0.2+

ALPN requires OpenSSL 1.0.2 or later; follow "Updating OpenSSL to the latest 1.0.2j on CentOS" or "Updating OpenSSL to the latest 1.1.0 on CentOS" to update.

Download and compile NGINX manually

First update NGINX to the latest version with YUM

su
yum -y update

then download the source of the matching NGINX version to compile; this avoids most problems.

Next, check our NGINX version and its configure arguments

[root@www nginx-1.12.0]# nginx -V
nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

We can see the NGINX version is 1.12.0 and it was built against OpenSSL 1.0.1e.

The configure arguments at the end are the build parameters; to rebuild, append "--with-openssl=/usr/src/openssl-1.1.0f" to them

so that NGINX compiles the new OpenSSL in.

yum -y install libxslt-devel gd-devel perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data
cd /root
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar zxvf nginx-1.12.0.tar.gz
cd nginx-1.12.0
# Variant A: link against OpenSSL 1.1.0f unpacked in /usr/src (see the post on updating to 1.1.0). Run only one of the two configure lines.
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-openssl=/usr/src/openssl-1.1.0f
# Variant B: link against OpenSSL 1.0.2j unpacked in /usr/local (see the post on updating to 1.0.2j).
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-openssl=/usr/local/openssl-1.0.2j/ --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
make
make install

Edit the NGINX conf file

In /etc/nginx/conf.d/xxxx.conf, simply add http2 to the listen directive

server {
 listen 443 ssl http2;

Check whether NGINX compiled successfully

[root@www nginx-1.12.0]# nginx -V
nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
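Both nginx -V outputs above can be checked mechanically rather than by eye. The following is an added example, not from the original post, that parses nginx -V for the OpenSSL version (the same comparison serves the openssl version check in the OpenSSL update posts) and verifies the two prerequisites for ALPN: OpenSSL 1.0.2 or later and the http_v2_module; it assumes only POSIX sh, sed, sort and grep, and the sample outputs are constructed from the ones shown above:

```bash
#!/bin/sh
# Added example (not from the original post). nginx -V writes to stderr, so on a
# live host call: nginx_http2_ready "$(nginx -V 2>&1)"
openssl_version_of() {
    # prints the version token, e.g. "1.0.1e" from "built with OpenSSL 1.0.1e-fips 11 Feb 2013"
    printf '%s\n' "$1" | sed -nE 's/^built with OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*).*/\1/p' | head -n 1
}

# Succeeds when version $1 >= $2. The patch letter (1.0.2j, 1.1.0f) is ignored,
# since ALPN only depends on the 1.0.2 branch being reached.
version_ge() {
    a=$(printf '%s' "$1" | sed -E 's/[a-z]+$//')
    b=$(printf '%s' "$2" | sed -E 's/[a-z]+$//')
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$b" ]
}

# Prints a verdict and returns 0 only when both prerequisites hold.
nginx_http2_ready() {
    v=$(openssl_version_of "$1")
    if [ -z "$v" ]; then echo "no 'built with OpenSSL' line found"; return 2; fi
    if ! version_ge "$v" 1.0.2; then echo "OpenSSL $v has no ALPN (need >= 1.0.2)"; return 1; fi
    if ! printf '%s\n' "$1" | grep -q -- '--with-http_v2_module'; then
        echo "nginx built without --with-http_v2_module"; return 1
    fi
    echo "ok: OpenSSL $v with http_v2_module"
}

# Constructed samples modelled on the two nginx -V outputs above (configure line shortened).
SAMPLE_BEFORE='nginx version: nginx/1.12.0
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_AFTER='nginx version: nginx/1.12.0
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/src/openssl-1.1.0f'
```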

ALPN is only enabled after a restart

service nginx restart

You can test whether it worked at this site

https://tools.keycdn.com/http2-test

References:

Complete Nginx configuration for this blog

How to get already installed NGINX to use OpenSSL 1.0.2 for ALPN?

NGINX download page

Updating OpenSSL to the latest 1.0.2j on CentOS

The OpenSSL in the CentOS YUM repositories only goes up to 1.0.1e,

but some NGINX features require 1.0.2.

Follow the steps below to update.

$ wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
$ tar zxvf openssl-1.0.2-latest.tar.gz -C /usr/local/
$ cd /usr/local/openssl-1.0.2*
$ ./config
$ make depend
$ make
$ make test
$ make install
$ mv /usr/bin/openssl /usr/bin/openssl_1.0.1e
$ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
$ openssl version
OpenSSL 1.0.2h  3 May 2016