
CentOS+Nginx+PHP+MySQL标准生产环境如何配置


CentOS + Nginx + PHP + MySQL 生产环境配置指南

1. 系统准备

1.1 最小化安装CentOS

# Recommended base: CentOS 7 or 8 (choose by business need)
# Pick "minimal install" in the installer, then bring every package up to date
yum -y update

1.2 基础安全配置

# Firewall: bring firewalld up now and make it persist across reboots
systemctl start firewalld
systemctl enable firewalld

# SELinux (choose per requirements).
# NOTE(review): "permissive" switches enforcement off for every policy; denials are
# only logged (audit log). Where possible keep "enforcing" and grant the one
# exception the stack needs with `setsebool -P <boolean> 1` (for a web app talking
# to a database over TCP that is typically httpd_can_network_connect_db).
# Never set SELINUX=disabled: relabelling on the way back is slow and error-prone.
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

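# Create the unprivileged account used for SSH and sudo (wheel has sudo on CentOS)
useradd deploy
passwd deploy
usermod -aG wheel deploy

# Install the deploy user's SSH public key BEFORE password logins are switched off;
# otherwise the sshd restart below locks every remote session out.
DEPLOY_PUBKEY_FILE=/path/to/deploy.pub   # placeholder: file holding the public key
install -d -m 700 -o deploy -g deploy /home/deploy/.ssh
install -m 600 -o deploy -g deploy "$DEPLOY_PUBKEY_FILE" /home/deploy/.ssh/authorized_keys

# Harden sshd. Some CentOS releases ship these directives commented out
# ("#PermitRootLogin yes"); the original 's/PermitRootLogin yes/.../' then only
# rewrote the comment and root login stayed enabled. Match the optional '#' and
# whatever value follows so the directive becomes active in every case.
sed -i -r 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -r 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Validate the config before restarting, and keep the current session open until a
# fresh key-based login as deploy has been confirmed from another terminal.
sshd -t && systemctl restart sshd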

2. 安装Nginx

2.1 安装Nginx

# CentOS 7: the page pulls nginx from EPEL, so that repository goes in first
yum -y install epel-release
yum -y install nginx

# CentOS 8: nginx comes from the distribution repositories
dnf -y install nginx

2.2 配置Nginx

# Start nginx now and on every boot
systemctl start nginx
systemctl enable nginx

# Open HTTP and HTTPS in the public zone, then load the permanent rules
firewall-cmd --permanent --zone=public --add-service=http --add-service=https
firewall-cmd --reload

2.3 优化Nginx配置

编辑 /etc/nginx/nginx.conf

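user nginx;
# one worker per CPU core
worker_processes auto;
# per-worker open-file limit; must cover worker_connections plus upstream sockets
worker_rlimit_nofile 65535;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    keepalive_timeout 65;
    types_hash_max_size 2048;

    # do not advertise the nginx version in the Server header or error pages
    server_tokens off;

    # Largest accepted request body. nginx's default is 1m, which would reject
    # uploads with 413 before PHP ever sees them; keep this in step with
    # upload_max_filesize / post_max_size (64M) in php.ini.
    client_max_body_size 64m;

    # Gzip
    # NOTE(review): compressing dynamic responses that mix a secret (session/CSRF
    # token) with attacker-influenced content enables BREACH-style leakage;
    # review whether application/json and text/html really need it.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # per-site server blocks live here
    include /etc/nginx/conf.d/*.conf;
}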

3. 安装PHP

3.1 安装PHP(以PHP 7.4为例)

# CentOS 7: add the Remi repository, then switch on its PHP 7.4 stream
yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php74
yum -y install php php-fpm php-mysqlnd php-opcache php-gd php-xml php-mbstring php-json php-zip

# CentOS 8: same repository, selected through the dnf module system
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf -y module reset php
dnf -y module enable php:remi-7.4
dnf -y install php php-fpm php-mysqlnd php-opcache php-gd php-xml php-mbstring php-json php-zip

3.2 配置PHP-FPM

编辑 /etc/php-fpm.d/www.conf

[www]
; Pool workers run as the same account nginx uses, so socket and file permissions line up
user = nginx
group = nginx
; Unix socket rather than a TCP port: the pool is not reachable from the network at all
listen = /run/php-fpm/www.sock
; Socket owned by nginx with mode 0660: only root and nginx can connect to it
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; dynamic: keep between min_spare and max_spare idle workers, up to max_children
pm = dynamic
; Hard cap on workers. NOTE(review): with memory_limit = 256M in php.ini the worst
; case is 50 * 256M -- check that against the server's RAM before going live.
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; Recycle a worker after 500 requests to contain slow memory leaks
pm.max_requests = 500

; Per-pool error log; php_admin_* settings cannot be overridden by ini_set() in scripts
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on

3.3 启动PHP-FPM

# Start PHP-FPM now and on every boot
systemctl start php-fpm
systemctl enable php-fpm

4. 安装MySQL

4.1 安装MySQL(以MySQL 8.0为例)

# CentOS 7: register the MySQL community repository, then install the server from it
yum -y localinstall https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
yum -y install mysql-community-server

# CentOS 8: the server comes from the distribution repositories
dnf -y install mysql-server

4.2 配置MySQL

# Start the server now and on every boot
systemctl start mysqld
systemctl enable mysqld

# The community package writes a temporary root password to the error log on first start.
# NOTE(review): the CentOS 8 distribution package may not -- if the grep finds nothing,
# root starts without a password, which makes the next step all the more important.
grep -F 'temporary password' /var/log/mysqld.log

# Interactive hardening: set the root password, drop anonymous users and the test
# database, and disallow remote root login
mysql_secure_installation

4.3 优化MySQL配置

编辑 /etc/my.cnf

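[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

# Listen on loopback only: PHP on this host reaches MySQL through the socket above,
# and nothing in this setup opens 3306 in firewalld. Drop this if remote clients exist.
bind-address=127.0.0.1

# Authentication / charset
# NOTE(review): mysql_native_password is the pre-8.0 (weaker) scheme, kept here for
# old clients only. php-mysqlnd from PHP 7.4 should handle the 8.0 default
# caching_sha2_password, so consider removing this line.
default_authentication_plugin=mysql_native_password
character-set-server=utf8mb4
collation-server=utf8mb4_unicode_ci

# Performance
innodb_buffer_pool_size = 1G  # adjust to the server's RAM, usually 50-70% of the total
innodb_log_file_size = 256M
# 1 / 1: flush redo log and binlog on every commit -- fully durable, costs some throughput
innodb_flush_log_at_trx_commit = 1
sync_binlog = 1
max_connections = 200
# query_cache_size / query_cache_type were removed in MySQL 8.0; with either present
# mysqld aborts at startup with "unknown variable", so they are intentionally absent.

[client]
default-character-set=utf8mb4

[mysql]
default-character-set=utf8mb4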

重启MySQL:

# Apply the new my.cnf. mysqld refuses to start on an unknown option, so if this fails
# look at `journalctl -u mysqld` and /var/log/mysqld.log first.
systemctl restart mysqld

5. 配置Nginx支持PHP

5.1 创建网站配置文件

编辑 /etc/nginx/conf.d/example.com.conf

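server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/public;
    index index.php index.html index.htm;

    access_log /var/log/nginx/example.com.access.log main;
    error_log /var/log/nginx/example.com.error.log warn;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Deny every dotfile and dot-directory (.htaccess, .git, .env, ...), not only
    # ".ht*"; placed before the PHP location so a script under a dot-directory is
    # never passed to PHP-FPM. .well-known stays reachable for ACME challenges.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    location ~ \.php$ {
        # =404 for a missing script: the request is not handed to PHP-FPM, which
        # closes the classic "/upload.jpg/x.php" path-info trick
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # never turn a client-supplied "Proxy:" header into HTTP_PROXY for PHP (httpoxy)
        fastcgi_param HTTP_PROXY "";
        include fastcgi_params;
    }

    # static assets: long browser cache
    location ~* \.(jpg|jpeg|gif|png|css|js|ico|svg|woff|woff2|ttf|eot)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }
}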

5.2 创建网站目录

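# Web root. `chown -R nginx:nginx` would make every file writable by the PHP/nginx
# worker, so a compromised script could rewrite the application itself. Own the
# tree by the deploy user (created in 1.2), let nginx read it through the group,
# and give group write only on the directories the application must write.
mkdir -p /var/www/example.com/public
chown -R deploy:nginx /var/www/example.com
find /var/www/example.com -type d -exec chmod 750 {} +
find /var/www/example.com -type f -exec chmod 640 {} +
# app-specific writable directories (uploads, cache, ...) -- placeholder path:
# chmod 770 /var/www/example.com/public/<writable-dir>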

5.3 测试配置并重启Nginx

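# Only apply the new config when the syntax check passes -- restarting on a broken
# config takes the site down. reload keeps in-flight connections alive.
nginx -t && systemctl reload nginx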

6. 安全加固

6.1 安装Fail2Ban

# Fail2Ban (from EPEL): install, start now, and enable at boot
yum -y install fail2ban
systemctl start fail2ban
systemctl enable fail2ban

6.2 配置Fail2Ban

编辑 /etc/fail2ban/jail.local

# jail.local overrides jail.conf; only the jails listed here are switched on.
# NOTE(review): if /var/log/secure is absent (no rsyslog), sshd logs only to the
# journal and the sshd jail needs `backend = systemd` or bans never trigger.
[sshd]
enabled = true
# 3 failed logins within the default findtime window -> banned for 1 hour
maxretry = 3
bantime = 3600

# NOTE(review): this jail only matches auth_basic failures in the nginx error log.
# The site config above uses no auth_basic, so it stays idle until one is added.
[nginx-http-auth]
enabled = true
maxretry = 3
bantime = 86400

6.3 安装并配置OSSEC

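# Install OSSEC (open-source HIDS) from source
yum install -y make gcc
# Fetch the release into a scratch directory and verify it before building as root:
# an unverified tarball pulled from the network is the last thing a HIDS should be
# built from. The checksum is not given on this page -- take it from the project's
# release page.
OSSEC_VER=3.6.0
OSSEC_SHA256="<EXPECTED_SHA256>"   # placeholder
work=$(mktemp -d) || exit 1
cd "$work" || exit 1
wget -O "ossec-hids-${OSSEC_VER}.tar.gz" "https://github.com/ossec/ossec-hids/archive/${OSSEC_VER}.tar.gz"
printf '%s  ossec-hids-%s.tar.gz\n' "$OSSEC_SHA256" "$OSSEC_VER" | sha256sum -c - || exit 1
tar -xzf "ossec-hids-${OSSEC_VER}.tar.gz"
cd "ossec-hids-${OSSEC_VER}" || exit 1
# install.sh is interactive; it may ask for further -devel packages -- read its output
./install.sh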

7. 监控与维护

7.1 安装监控工具

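# Install Netdata. Download the installer to a file first so it can be read and
# checked before it runs with root privileges -- `bash <(curl ...)` executes
# whatever the network returned, with no chance to look at it.
kickstart=$(mktemp) || exit 1
curl -sS -o "$kickstart" https://my-netdata.io/kickstart.sh
# compare with the checksum the project publishes (placeholder: not on this page)
printf '%s  %s\n' "<EXPECTED_SHA256>" "$kickstart" | sha256sum -c - || exit 1
less "$kickstart"   # review what is about to run as root
bash "$kickstart"
rm -f -- "$kickstart"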

7.2 设置日志轮转

编辑 /etc/logrotate.d/nginx

# Rotate every nginx log daily and keep 30 compressed generations
/var/log/nginx/*.log {
    daily
    rotate 30
    missingok
    notifempty
    compress
    delaycompress
    create 640 nginx adm
    sharedscripts
    postrotate
        # USR1 tells the nginx master to reopen its log files; silent if nginx is down
        /bin/kill -USR1 $(cat /run/nginx.pid 2>/dev/null) 2>/dev/null || true
    endscript
}

8. 备份策略

8.1 数据库备份

# 创建备份脚本 /usr/local/bin/mysql_backup.sh
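#!/bin/bash
# Dump all MySQL databases to a compressed, timestamped file and prune old dumps.
# Credentials come from a root-only option file rather than the command line: a
# password in `-p...` is visible to every local user via `ps`, and a password in a
# script ends up in backups and version control.
set -euo pipefail   # pipefail: a failed mysqldump must not leave a "successful" truncated dump
umask 077           # dumps contain every database; create them root-readable only

DATE=$(date +%Y%m%d%H%M)
BACKUP_DIR="/backup/mysql"
# Option file (constructed path; create it as root with mode 600) containing:
#   [client]
#   user=backup
#   password=<BACKUP_PASSWORD>
# The "backup" account is not created anywhere on this page -- create it and grant it
# only the read privileges mysqldump needs.
MYSQL_CNF="/root/.mysql_backup.cnf"

[[ -r "$MYSQL_CNF" ]] || { printf 'missing credentials file %s\n' "$MYSQL_CNF" >&2; exit 1; }

mkdir -p -- "$BACKUP_DIR"
chmod 700 -- "$BACKUP_DIR"

# --single-transaction: consistent InnoDB snapshot without locking tables
mysqldump --defaults-extra-file="$MYSQL_CNF" --single-transaction --all-databases \
  | gzip > "$BACKUP_DIR/mysql_backup_$DATE.sql.gz"

# keep the last 7 days
find "$BACKUP_DIR" -type f -name 'mysql_backup_*' -mtime +7 -delete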

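# Schedule the job. Nothing above makes the script executable, and cron silently
# skips a non-executable file; mode 700 also keeps its contents root-only.
chmod 700 /usr/local/bin/mysql_backup.sh
echo "0 2 * * * root /usr/local/bin/mysql_backup.sh" > /etc/cron.d/mysql_backup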

8.2 网站文件备份

# 创建备份脚本 /usr/local/bin/web_backup.sh
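#!/bin/bash
# Archive the web root into a timestamped tarball and prune archives older than 7 days.
set -euo pipefail
umask 077   # archives may hold application config with secrets; keep them root-only

DATE=$(date +%Y%m%d%H%M)
BACKUP_DIR="/backup/web"
WEB_DIR="/var/www"

mkdir -p -- "$BACKUP_DIR"
chmod 700 -- "$BACKUP_DIR"

tar -czf "$BACKUP_DIR/web_backup_$DATE.tar.gz" "$WEB_DIR"

# keep the last 7 days
find "$BACKUP_DIR" -type f -name 'web_backup_*' -mtime +7 -delete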

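# Schedule the job; the script must be executable, which nothing above arranges
chmod 700 /usr/local/bin/web_backup.sh
echo "30 2 * * * root /usr/local/bin/web_backup.sh" > /etc/cron.d/web_backup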

9. 性能优化

9.1 PHP优化

编辑 /etc/php.ini

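; Resource limits
memory_limit = 256M
; Keep these two in step with nginx's client_max_body_size, otherwise nginx rejects
; the upload with 413 before PHP sees it
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 120
max_input_time = 120
; Do not announce the PHP version in the X-Powered-By header
expose_php = Off
; OPcache
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
; Changed files are re-checked at most every 60 s, so a deploy takes up to a minute to show
opcache.revalidate_freq=60
; NOTE(review): opcache.fast_shutdown was removed in PHP 7.2; on PHP 7.4 this line is
; ignored and can be dropped
opcache.fast_shutdown=1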

9.2 Nginx性能优化

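# Kernel tuning for a busy nginx. A dedicated sysctl.d fragment is idempotent --
# re-running the original `echo >> /etc/sysctl.conf` lines appended duplicates every
# time. The fragment's file name is arbitrary.
cat > /etc/sysctl.d/90-nginx.conf <<'EOF'
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 1440000
EOF
# --system loads /etc/sysctl.d/* as well as /etc/sysctl.conf (`sysctl -p` reads only the latter)
sysctl --system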

10. SSL证书配置(可选)

10.1 使用Let's Encrypt

# Install Certbot with its nginx plugin (from EPEL, enabled earlier; the plugin
# package name differs between CentOS releases)
yum install certbot python3-certbot-nginx -y

# Obtain the certificate. The nginx plugin rewrites the matching server block to
# serve HTTPS and reloads nginx -- review the resulting file afterwards.
certbot --nginx -d example.com -d www.example.com

# Renewal check twice a day; the random sleep spreads load on the CA, and certbot
# only renews certificates that are close to expiry.
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" > /etc/cron.d/certbot

以上配置提供了一个生产环境下的CentOS + Nginx + PHP + MySQL标准配置方案。根据实际业务需求,可能还需要进一步调整参数和配置。