
CentOS 7下搭建web服务器的最佳实践

sudo Nginx systemctl example 699    来源:    2025-04-12

CentOS 7下搭建Web服务器的最佳实践

1. 系统准备与更新

# NOTE(review): CentOS 7 reached end of life on 2024-06-30 and its repositories
# no longer receive security updates; treat these steps as applying to legacy
# hosts and plan a move to a supported release.

# Bring every installed package up to date.
sudo yum -y update

# Install common tools plus the EPEL repository definition.
sudo yum -y install \
  wget curl vim net-tools epel-release

2. 选择Web服务器软件

选项A: Apache HTTP Server

# Install Apache HTTP Server.
sudo yum -y install httpd

# Start the service now, then register it to start at boot.
for action in start enable; do
  sudo systemctl "$action" httpd
done

# Allow HTTP and HTTPS in the permanent firewalld configuration, then reload
# so the running rule set picks up the change.
for svc in http https; do
  sudo firewall-cmd --permanent --add-service="$svc"
done
sudo firewall-cmd --reload

选项B: Nginx

# Install Nginx (on CentOS 7 the package comes from EPEL, which the
# epel-release package from step 1 makes available).
sudo yum -y install nginx

# Start the service now, then register it to start at boot.
for action in start enable; do
  sudo systemctl "$action" nginx
done

# Allow HTTP and HTTPS in the permanent firewalld configuration, then reload
# so the running rule set picks up the change.
for svc in http https; do
  sudo firewall-cmd --permanent --add-service="$svc"
done
sudo firewall-cmd --reload

3. 安装数据库服务器

MySQL/MariaDB

# Install the MariaDB server and client packages.
sudo yum -y install mariadb-server mariadb

# Start the database now, then register it to start at boot.
for action in start enable; do
  sudo systemctl "$action" mariadb
done

# Interactive hardening helper shipped with MariaDB; run it right after the
# first start, before the database is used for anything.
sudo mysql_secure_installation

4. 安装PHP (LAMP/LEMP)

# Install PHP and commonly used extensions.
# NOTE(review): the base CentOS 7 repository provides PHP 5.4, which no longer
# receives upstream security fixes; confirm the version meets your needs.
sudo yum -y install \
  php php-mysql php-fpm php-gd php-mbstring php-xml

# Only needed with Nginx: PHP runs through the separate PHP-FPM service.
for action in start enable; do
  sudo systemctl "$action" php-fpm
done

5. 安全加固

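# Disable direct root login over SSH.
# Before running this, confirm that a non-root account with sudo rights can
# log in; otherwise the restart below can lock you out of the host.
# The stock sshd_config ships the directive commented out
# ("#PermitRootLogin yes"), so match an optional leading "#" and rewrite the
# whole line; replacing only the text "PermitRootLogin yes" would leave the
# line commented and root login still allowed.
sudo sed -i -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the file first; restart only if it parses cleanly.
sudo sshd -t && sudo systemctl restart sshd
# Show the effective setting; this should print "permitrootlogin no".
sudo sshd -T | grep -i '^permitrootlogin'

# Install Fail2Ban.
sudo yum install -y fail2ban
# The packaged jail.conf enables no jail by default, so the service would run
# without protecting anything. Enable the sshd jail in jail.local.
# (This overwrites an existing /etc/fail2ban/jail.local; merge by hand if you
# already have one.)
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[sshd]
enabled = true
EOF
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Confirm the jail is active.
sudo fail2ban-client status sshd

# Basic firewall rule: keep SSH reachable.
# If sshd listens on a non-default port, open that port instead of 22.
sudo firewall-cmd --permanent --add-port=22/tcp  # SSH
sudo firewall-cmd --reload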

6. 性能优化

Apache优化

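# /etc/httpd/conf/httpd.conf
# Reuse client connections, but cap the requests served per connection and
# the time an idle connection is kept open.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Do not advertise the exact server version in response headers or on
# server-generated error pages.
ServerTokens Prod
ServerSignature Off

# Process limits; they take effect only when the prefork MPM is loaded.
# CentOS 7 ships Apache 2.4, where MaxClients and MaxRequestsPerChild were
# renamed to MaxRequestWorkers and MaxConnectionsPerChild (the old names are
# still accepted as aliases).
<IfModule prefork.c>
    StartServers           8
    MinSpareServers        5
    MaxSpareServers        20
    ServerLimit            256
    MaxRequestWorkers      256
    MaxConnectionsPerChild 4000
</IfModule>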

Nginx优化

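# /etc/nginx/nginx.conf
# Each directive is valid only in the context shown. Merge these lines into
# the existing events/http blocks instead of pasting them at the top level,
# where worker_connections would be rejected when the configuration is loaded.

# Main (top-level) context: one worker process per CPU core.
worker_processes auto;

events {
    # Maximum simultaneous connections per worker process.
    worker_connections 1024;
}

http {
    keepalive_timeout 15;
    # Upper bound on request body size (uploads).
    client_max_body_size 20M;
    gzip on;
    # Do not disclose the nginx version in the Server header or error pages.
    server_tokens off;
}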

MySQL/MariaDB优化

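# /etc/my.cnf.d/server.cnf
[mysqld]
# This guide runs the web server and the database on the same host, so accept
# connections from the local machine only. Remove this line if the database
# must be reachable from other hosts, and restrict access in the firewall.
bind-address = 127.0.0.1
innodb_buffer_pool_size = 1G  # adjust to the memory available on the host
query_cache_size = 64M
query_cache_limit = 4M
max_connections = 100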

7. SSL证书配置 (Let's Encrypt)

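# Install Certbot together with the plugin for ONE web server.
sudo yum install -y certbot python2-certbot-apache  # for Apache
# or
sudo yum install -y certbot python2-certbot-nginx   # for Nginx

# Obtain a certificate (run only the line for the server you installed).
sudo certbot --apache  # Apache
# or
sudo certbot --nginx   # Nginx

# Schedule automatic renewal twice a day, with a random delay of up to one
# hour so that clients do not all contact the CA at the same moment.
# The entry is written to its own file under /etc/cron.d rather than appended
# to /etc/crontab, so re-running this step does not create duplicate entries.
# -q keeps cron from mailing output on runs where nothing needs renewing.
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee /etc/cron.d/certbot-renew > /dev/null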

8. 监控与维护

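# Install htop for interactive system monitoring.
sudo yum install -y htop

# Log rotation.
sudo yum install -y logrotate

# Automatic package updates via yum-cron.
sudo yum install -y yum-cron
# With the packaged defaults yum-cron only downloads updates
# (apply_updates = no), so enabling the service alone installs nothing.
# Turn on applying them.
# NOTE(review): CentOS repositories have historically not published the errata
# metadata that "update_cmd = security" relies on; confirm before switching to
# security-only updates, or the job may apply nothing.
sudo sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
sudo systemctl enable yum-cron
sudo systemctl start yum-cron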

9. 备份策略

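# Example backup setup.
# The archives contain the full site and every database, so the backup
# directory is readable by root only.
sudo mkdir -p -m 700 /backups

# Keep the database credentials in a root-only option file. Passing the
# password with -p on the mysqldump command line would expose it in the
# process list and store it in the script itself.
# Replace [password] with the real value.
sudo install -m 600 /dev/null /root/.backup.my.cnf
sudo tee /root/.backup.my.cnf >/dev/null <<'EOF'
[client]
user=root
password=[password]
EOF

# The quoted 'EOF' delimiter keeps $(...) and ${...} literal, so they are
# expanded when the backup script runs, not while it is being written.
sudo tee /usr/local/bin/backup_website.sh >/dev/null <<'EOF'
#!/bin/bash
# Stop on the first failing command, including inside pipelines.
set -euo pipefail
# New files are created readable by root only.
umask 077
DATE=$(date +%Y%m%d)
tar -czf "/backups/website_${DATE}.tar.gz" /var/www/html
# --defaults-extra-file must be the first option on the command line.
mysqldump --defaults-extra-file=/root/.backup.my.cnf --all-databases \
  | gzip > "/backups/db_${DATE}.sql.gz"
# Drop backups older than 30 days.
find /backups -type f -mtime +30 -delete
EOF

sudo chmod 700 /usr/local/bin/backup_website.sh

# Schedule the job in root's crontab: the script reads a root-only credentials
# file and writes to a root-only directory. Any existing entry for the script
# is filtered out first, so re-running this step does not duplicate it.
(sudo crontab -l 2>/dev/null | grep -vF '/usr/local/bin/backup_website.sh'; echo "0 3 * * * /usr/local/bin/backup_website.sh") | sudo crontab -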

10. 虚拟主机配置示例

Apache虚拟主机

# /etc/httpd/conf.d/example.com.conf
# Name-based virtual host for example.com, served over plain HTTP on port 80.
<VirtualHost *:80>
    # Host names this virtual host answers for.
    ServerName example.com
    ServerAlias www.example.com

    # Directory the site's files are served from.
    DocumentRoot /var/www/example.com/public_html

    # Per-site logs, kept apart from the server-wide logs.
    CustomLog /var/log/httpd/example.com_access.log combined
    ErrorLog /var/log/httpd/example.com_error.log
</VirtualHost>

Nginx虚拟主机

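# /etc/nginx/conf.d/example.com.conf
# Virtual host for example.com: static files are served directly, everything
# else falls through to index.php, and PHP runs through PHP-FPM.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/public_html;
    index index.php index.html index.htm;

    # Per-site logs.
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;

    location / {
        # Try the file, then the directory, then the front controller.
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Pass the request to PHP-FPM only when the requested script exists on
        # disk. Without this check a URI that merely ends in ".php" is
        # forwarded as-is, and PHP's path-info handling may then interpret a
        # different, non-PHP file (for example an upload) as code.
        try_files $uri =404;

        include fastcgi_params;
        # NOTE(review): the stock php-fpm pool on CentOS 7 listens on
        # 127.0.0.1:9000. This socket path works only once "listen" in
        # /etc/php-fpm.d/www.conf points at the same socket and nginx may
        # access it; confirm against your pool configuration.
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}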

以上是CentOS 7下搭建Web服务器的最佳实践指南,根据实际需求选择适合的组件和配置。