xud6的笔记本

SELinux boolean操作

 •  Filed under centos, centos7, selinux
查询boolean状态
sudo sestatus -b

或者

sudo sestatus -b | grep -i sendmail
设置boolean
sudo setsebool -P <boolean名> <1或0>

如允许httpd发送邮件

sudo setsebool -P httpd_can_sendmail 1

Centos 7 安装wordpress

 •  Filed under centos, centos7, apache

首先安装LAMP
Centos 7 安装LAMP并配置event MPM和FastCGI

以下假设wordpress安装在/opt/wordpress下
创建安装文件夹

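# Create the install directory and hand it to the current user for the
# unpack step; ownership is moved to apache later in the procedure.
sudo mkdir /opt/wordpress
# $(...) instead of backticks, quoted so an unusual username cannot
# word-split the owner:group argument.
sudo chown -R "$(whoami):$(whoami)" /opt/wordpress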
准备数据库
mysql -u root -p

输入MySQL的ROOT密码

-- Create the WordPress database and a dedicated account for it.
CREATE DATABASE 数据库名;
-- The account may only connect from localhost, which matches php-fpm
-- running on the same host as the database.
CREATE USER 用户名@localhost IDENTIFIED BY '用户密码';
-- Privileges are scoped to this one database, not the whole server.
GRANT ALL PRIVILEGES ON 数据库名.* TO 用户名@localhost IDENTIFIED BY '用户密码';
FLUSH PRIVILEGES;
exit
安装wordpress
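# Download and unpack WordPress into /opt/wordpress.
# $HOME, not $home: shell variables are case-sensitive and $home is unset.
cd "$HOME"
# Fetch over HTTPS so the archive cannot be altered in transit, and compare
# it with the checksum wordpress.org publishes next to the archive before
# unpacking.
wget https://wordpress.org/latest.tar.gz
tar xzvf latest.tar.gz
mv wordpress/* /opt/wordpress/
cd /opt/wordpress/
mkdir wp-content/uploads
# Start with an empty .htaccess so the file exists when it is labelled and
# referenced by the vhost configuration.
> .htaccess
cp wp-config-sample.php wp-config.php
# Fill in the database name, user and password here.
nano wp-config.php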

替换database_name_here为数据库名,替换username_here为用户名,替换password_here为用户密码
在末尾添加define('FS_METHOD','direct');
更改文件夹所有者为apache

# Everything under /opt/wordpress becomes writable by the httpd user. With
# SELinux enforcing, the fcontext rules that follow still confine httpd
# writes to wp-content, .htaccess and wp-config.php.
sudo chown -R apache:apache ./

配置selinux

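# semanage is provided by policycoreutils-python on CentOS 7 (one -y is
# enough; the original line passed it twice).
sudo yum install policycoreutils-python -y
# Read-only label for the whole code tree ...
sudo semanage fcontext -a -t httpd_sys_content_t "/opt/wordpress(/.*)?"
# ... and read-write labels only where WordPress has to write: wp-content,
# the rewrite rules file and the config file. Everything else stays
# unwritable to httpd even though apache owns the files.
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/opt/wordpress/wp-content(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t /opt/wordpress/.htaccess
sudo semanage fcontext -a -t httpd_sys_rw_content_t /opt/wordpress/wp-config.php
# Apply the new labels to the files that already exist.
sudo restorecon -R -v /opt/wordpress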
添加virtualhost
sudo nano /etc/httpd/conf.d/wordpress.conf

内容为

<VirtualHost *>
    DocumentRoot /opt/wordpress
    ServerName 你的服务器域名
    <Directory "/opt/wordpress">
        AllowOverride none
        Require all granted
        # "Allow from all" is 2.2-era syntax; on httpd 2.4 it is only
        # understood with mod_access_compat loaded and is redundant next to
        # "Require all granted".
        Allow from all
        DirectoryIndex index.php
        # NOTE(review): this pulls /opt/wordpress/.htaccess into the server
        # configuration at (re)start. The file is owned by apache and
        # labelled httpd_sys_rw_content_t, so anything that can write it as
        # the web user can inject arbitrary server-level directives that take
        # effect on the next restart. Consider keeping the file root-owned
        # and read-only, or using AllowOverride instead of IncludeOptional.
        IncludeOptional /opt/wordpress/.htaccess
    </Directory>
</VirtualHost>

重启Apache

sudo systemctl restart httpd
安装php插件
sudo yum install php-gd opcache -y

重启php-fpm

sudo systemctl restart php-fpm
wordpress初始化

访问http://域名 开始wordpress初始化

其他
允许发送邮件
sudo setsebool -P httpd_can_sendmail 1

Centos 7 安装LAMP并配置event MPM和FastCGI

 •  Filed under centos, centos7, apache

安装工具软件

sudo yum install nano wget -y
sudo yum update -y
安装Apache
sudo yum install httpd -y
配置MPM
sudo nano /etc/httpd/conf.modules.d/00-mpm.conf

注释掉prefork MPM并取消event MPM的注释,完成后是这样的(注释已删除)

#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# The event MPM is threaded; PHP is served by php-fpm through mod_proxy_fcgi
# and the mod_php package is removed further down, so no in-process PHP
# module runs under it.
LoadModule mpm_event_module modules/mod_mpm_event.so
启动apache
sudo systemctl start httpd
sudo systemctl enable httpd

访问 http://服务器IP 应该可以看到Apache测试页面

安装PHP-FPM 7.0

PHP5.6使用Remi's RPM源安装

# The remi-release bootstrap package is fetched over plain http here; prefer
# an https URL (or check the downloaded rpm's signature by hand) so the
# package that installs the repo definition and its key cannot be swapped
# in transit.
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm yum-utils -y
sudo yum-config-manager --enable remi-php70
# No -y: this one prompts before applying the update.
sudo yum update
sudo yum install php-cli php-fpm -y
配置php
sudo nano /etc/php.ini

找到expose_php = On替换为expose_php = Off
配置php-fpm

sudo nano /etc/php-fpm.d/www.conf

替换listen = 127.0.0.1:9000为listen = /var/run/php-fpm/php-fpm.sock
替换

;listen.owner = nobody
;listen.group = nobody

listen.owner = apache
listen.group = apache
启动php-fpm
sudo systemctl start php-fpm
sudo systemctl enable php-fpm
配置Apache使用mod_proxy_fcgi

删除原本的mod_php相关(如果有)

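# Remove mod_php (if present); run with sudo like the other yum steps, as a
# plain user cannot remove packages.
sudo yum remove php -y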

添加fcgi handler

sudo nano /etc/httpd/conf.d/php.conf

内容如下

AddType text/html .php
DirectoryIndex index.php
# If mod_proxy_fcgi is not loaded this whole block is silently skipped and,
# because of the AddType above, httpd would serve .php files as text/html,
# i.e. hand out the PHP source (wp-config.php included, with its database
# credentials). Confirm the module is loaded rather than relying on the
# IfModule guard.
<IfModule mod_proxy_fcgi.c>
    <Proxy "unix:/var/run/php-fpm/php-fpm.sock|fcgi://localhost">
        # One-hour timeouts: long for a public frontend; keep only if slow
        # admin requests really need it.
        ProxySet timeout=3600 connectiontimeout=3600
    </Proxy>

    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://localhost"
    </FilesMatch>
</IfModule>
重启Apache
sudo systemctl restart httpd
测试
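# Drop a phpinfo() page, check that php-fpm renders it, then remove it:
# phpinfo() exposes paths, versions and loaded modules to anyone who can
# reach the host, so it must not stay in the document root.
sudo sh -c "echo '<?php phpinfo();?>' > /var/www/html/info.php"
curl http://127.0.0.1/info.php
sudo rm -f /var/www/html/info.php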
安装MariaDB(MySQL)
sudo yum install mariadb mariadb-server -y
启动数据库
sudo systemctl start mariadb
sudo systemctl enable mariadb
初始化MySQL数据库
sudo mysql_secure_installation

按需求回应,初始root密码为空,其它保持默认就可以。

安装php-mysqlnd
sudo yum install php-mysqlnd

重启php-fpm

sudo systemctl restart php-fpm

Centos 7 加入freeipa域

 •  Filed under centos, centos7, freeipa, linux

安装需要的软件包

yum install ipa-client -y

加入域

ipa-client-install --domain YOUR_DOMAIN_NAME

打开自动创建home文件夹

authconfig --enablemkhomedir --update

使用haproxy为remote desktop gateway做反向代理


配置文件

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # level admin: whoever can open this socket can change the running
        # configuration, so the 660 mode and haproxy user/group matter.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        # NOTE(review): RC4-SHA is a broken cipher and should be dropped if
        # these defaults are ever used. In this file they are not: the
        # frontend below binds without "ssl" and passes TLS through in tcp
        # mode, so no TLS is terminated by haproxy.
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3

defaults
        log     global
        # http here, but every frontend and backend below overrides it to tcp
        mode    http
        option  httplog
        option  dontlognull
        # unit-less timeouts are milliseconds
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # only served when a section runs in http mode
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# TLS passthrough on :443: the TLS ClientHello is inspected for SNI and the
# connection is relayed unchanged to the backend for that name. The client's
# TLS session terminates on the backend host, not here.
frontend ssl_relay 0.0.0.0:443
    # this only works with 1.5 haproxy
    mode tcp
    option clitcpka
    option tcplog
    option socket-stats
    # option nolinger
    maxconn  300

    # Wait up to 5s for a ClientHello (hello type 1) before routing.
    # NOTE(review): a connection that never sends one appears to be accepted
    # anyway once the delay expires and then lands on ssl_def — confirm that
    # is the intended handling of non-TLS traffic.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # SNI match is case-insensitive (-i); any other or missing SNI goes to
    # the default backend below.
    use_backend ssl_sp if { req_ssl_sni -i sp.example.com }
    use_backend ssl_rd if { req_ssl_sni -i rd.example.com }
    use_backend ssl_def if { req_ssl_sni -i default.example.com }

    default_backend ssl_def

# Each backend below is identical apart from its single server line.
# The stick-table / stick-on rules learn the TLS session ID so repeat
# sessions hit the same server; with exactly one server per backend they
# do not change routing and only cost table memory, but they are kept
# ready for adding servers.
backend ssl_sp
   mode tcp
   #option nolinger
   option tcplog
   #balance roundrobin
   hash-type consistent
   option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    # No health check is configured (ssl-hello-chk is commented out), so a
    # dead backend is only noticed when client connections fail.
    server x_sp sp.example.com:443


# Same rules as ssl_sp; only the server differs.
backend ssl_rd
   mode tcp
   #option nolinger
   option tcplog
   #balance roundrobin
   hash-type consistent
   option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    server x_rd rd.example.com:443

# Same rules as ssl_sp; this is also where unmatched SNI and non-TLS
# connections from the frontend end up.
backend ssl_def
   mode tcp
   #option nolinger
   option tcplog
   #balance roundrobin
   hash-type consistent
   option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    server x_def default.example.com:443

yum通过代理访问


执行

# Become root and set the proxy for this shell only; the exports vanish when
# the root shell exits. A persistent alternative is the proxy= setting in
# /etc/yum.conf.
sudo su
export http_proxy=http://{{proxy address}}:{{proxy port}}
# https downloads are tunnelled through the same plain-http proxy endpoint;
# the TLS session itself still ends at the mirror, not at the proxy.
export https_proxy=http://{{proxy address}}:{{proxy port}}
# Drop cached metadata fetched without the proxy before retrying.
yum clean all
yum install {{something}}