November 23, 2016 · Linux Server Ubuntu

setup LAMP with varnish in Ubuntu 14+

Ubuntu 14.04 PHP 5.5.9 Mysql 2.2x Apache 2.2X Varnish 4.x

#On server

##Server setup
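# Work as root for the rest of the server-side steps.
sudo su -
apt-get update
# Web stack used throughout these notes: nginx (not Apache), MySQL, PHP 5 via php-fpm,
# plus a few command-line tools.
apt-get install nginx
apt-get install mysql-server mysql-client
apt-get install php5 php5-cli php5-curl php5-fpm php5-gd php5-mcrypt php5-mysql
apt-get install vim curl unzip zip


# Varnish 4.0 from the upstream repository.
apt-get install apt-transport-https
# The signing key is fetched over HTTPS; -f makes curl fail on an HTTP error instead of
# piping an error page into apt-key. Before relying on the key, compare its fingerprint
# (apt-key finger) with the one published by the Varnish project:
#   <VARNISH-REPO-KEY-FINGERPRINT-FROM-VENDOR-SITE>
curl -fsS https://repo.varnish-cache.org/GPG-key.txt | apt-key add -
# ">" rather than ">>" so re-running these notes does not duplicate the repository entry.
echo "deb https://repo.varnish-cache.org/ubuntu/ trusty varnish-4.0" > /etc/apt/sources.list.d/varnish-cache.list
apt-get update
apt-get install varnish

# Enable the mcrypt extension (php5-fpm is restarted later in these notes).
php5enmod mcrypt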

#setup .bashrc
# Append the locale exports to ~/.bashrc (same lines as adding them in an editor).
cat >> ~/.bashrc <<'EOF'
export LANG="en_US.utf8"
export LANGUAGE="en_US.utf8"
export LC_ALL="en_US.utf8"
EOF

#Change config /etc/default/varnish
#DAEMON_OPTS="-a :6081 \ ==> DAEMON_OPTS="-a :80 \

#Change config /etc/nginx/sites-available/default
#change `listen 80;` to `listen 8080;` (Varnish now owns port 80, nginx becomes its backend)


#Set up www-data
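# Web root owned by the nginx/php-fpm user; group-writable so site users that are
# added to www-data later can deploy into it.
mkdir -p /var/www
chmod 775 /var/www
chown www-data:www-data /var/www

# Per-site access/error logs live here (the vhosts below point at it).
# The original chown'ed /usr/share/nginx/logs, which is not the directory just
# created; the ownership has to go on the directory the vhosts actually log to.
mkdir -p /var/www/logs
chmod 775 /var/www/logs
chown www-data:www-data /var/www/logs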

#install phpmyadmin
#https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-nginx-on-an-ubuntu-14-04-server
# phpmyadmin from the Ubuntu archive. The web-root entry is a symlink into the
# package directory, so later chown/chmod runs on /var/www/pmadev.example.com act
# on the package-managed files in /usr/share/phpmyadmin.
apt-get update
apt-get install phpmyadmin
ln -s /usr/share/phpmyadmin /var/www/pmadev.example.com

# Start the vhost from the stock default and enable it.
site=/etc/nginx/sites-available/pmadev.example.com
cp /etc/nginx/sites-available/default "$site"
ln -s "$site" /etc/nginx/sites-enabled/

#config file for pmadev.example.com
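server {
  # Backend port: Varnish owns port 80 and forwards here.
  listen 8080;  #could also be 1.2.3.4:80
  # Multiple hostnames separated by spaces.  Replace these as well.
  server_name pmadev.example.com;
  client_max_body_size 512M;
  root /var/www/pmadev.example.com;
  access_log /var/www/logs/pmadev.example.com.access.log;

  # phpmyadmin is for the internal network only; everyone else comes in over VPN.
  # nginx checks allow/deny rules in order and permits any request that matches
  # none of them, so "allow" on its own lets every address through -- the
  # trailing "deny all" is what actually blocks the rest.
  allow 192.168.0.0/24;
  deny all;
  # NOTE(review): requests that come through Varnish reach nginx from 127.0.0.1 and
  # are therefore denied by the rules above whatever the real client address is.
  # If that path should work, restore the client address first, e.g.
  #   set_real_ip_from 127.0.0.1;
  #   real_ip_header X-Forwarded-For;
  # (the VCL in these notes overwrites X-Forwarded-For with client.ip, so the
  # header is only trustworthy on connections from Varnish itself).
  index index.php index.html index.htm;
  location ~ \.php$ {
    # Only hand real files to php-fpm: without this, a request such as
    # /foo.jpg/bar.php is split by fastcgi_split_path_info and, with
    # cgi.fix_pathinfo=1, php-fpm executes foo.jpg as PHP.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
  }
}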
#config file for pmadev.example.com

#add new user for phpmyadmin
# Login user that owns the phpmyadmin files; membership of www-data lets the
# group permissions set below apply to nginx/php-fpm as well.
adduser phpmyadmin
adduser phpmyadmin www-data

#set file permission in pmadev.example.com
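# Ownership and permissions for the phpmyadmin tree. This directory is a symlink
# into /usr/share/phpmyadmin, so these commands change the package-managed files:
# the "phpmyadmin" login user becomes able to edit the code php-fpm executes,
# which is wider than phpmyadmin itself needs.
cd /var/www/pmadev.example.com
# "chown -r" is not a valid option; recursion is -R (as the web project step below uses).
chown -R phpmyadmin:www-data .
# Directories: rwxr-xr-x plus setgid so new files inherit the www-data group
# (the setuid bit has no effect on directories on Linux). Files: rw-r--r--.
find . -type d -exec chmod 755 {} \;
find . -type d -exec chmod ug+s {} \;
find . -type f -exec chmod 644 {} \;

service php5-fpm restart
# Test the nginx configuration before restarting so a vhost typo does not take
# the running server down; /var/log/nginx/error.log has the details on failure.
nginx -t && service nginx restart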


#web project setup
# Site directory for the web project, owned by a dedicated login user in www-data.
site_root=/var/www/techdev.example2.com
mkdir "$site_root"
adduser example2
adduser example2 www-data

# Directories rwxr-xr-x + setgid (new files inherit www-data), files rw-r--r--.
cd "$site_root"
chown -R example2:www-data .
find . -type d -exec chmod 755 {} +
find . -type d -exec chmod ug+s {} +
find . -type f -exec chmod 644 {} +

# Start the vhost from the stock default, enable it, then replace its contents
# with the server block that follows.
cp /etc/nginx/sites-available/default /etc/nginx/sites-available/techdev.example2.com
ln -s /etc/nginx/sites-available/techdev.example2.com /etc/nginx/sites-enabled/
vim /etc/nginx/sites-available/techdev.example2.com
#-- set config file for techdev.example2.com --

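# NOTE(review): the line below is kept for reference only. It is misspelled
# (ssl_certificate_key), sits outside any server block where nginx rejects it,
# and points a private key at a home directory. TLS settings belong in the
# commented HTTPS server further below.
#sl_certificate_key /home/mindbuffer/ssl.key;
#change your path /var/www/techdev.example2.com
server {
  # Backend port: Varnish owns port 80 and forwards here.
  listen 8080;
#listen [::]:80 ipv6only=on;
  index index.html index.htm index.php;
  root /var/www/techdev.example2.com/;
  access_log /var/www/logs/techdev.example2.com.access.log;
  error_log /var/www/logs/techdev.example2.com.error.log error;
  server_name techdev.example2.com;
  client_max_body_size 512M;
  location / {
    # Front-controller rewrite: anything that is not a file or directory goes to index.php.
    try_files $uri $uri/ /index.php?$query_string;
  }
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
#   proxy_pass http://127.0.0.1:8080;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
#   root /usr/share/nginx/html;
#}

  # Never serve dot-files (.htaccess, .git, .env ...) from the document root.
  # The stock config only guards .ht*; this covers the rest. Listed before the
  # PHP location so it wins for names such as /.hidden.php. The lookahead keeps
  # /.well-known/ reachable (ACME challenges, if TLS is added later).
  location ~ /\.(?!well-known/) {
    deny all;
  }

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
  location ~ \.php$ {
    # Only hand real files to php-fpm. Without this, a request such as
    # /wp-content/uploads/x.jpg/y.php is split by fastcgi_split_path_info and,
    # when cgi.fix_pathinfo=1, php-fpm executes the uploaded x.jpg as PHP.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
#fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
  }

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one (covered by the dot-file location above)
#
#location ~ /\.ht {
#   deny all;
#}
}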

# HTTPS server
#server {
#   listen 443;
#   server_name kiwsy.com;
#   ssl on;
#   ssl_certificate /etc/nginx/ssl/kiwsy.crt;
#   ssl_certificate_key /etc/nginx/ssl/kiwsy.key;
#
#   error_log /home/kiwsy/log/https-error.log error;
#
#   location / {
#           proxy_pass  http://127.0.0.1:80;
#           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#           proxy_set_header X-Forwarded-Host $host;
#           proxy_set_header X-Real-IP $remote_addr;
#           proxy_set_header X-Forwarded-Proto https;
#           proxy_set_header X-Forwarded-Port 443;
#           proxy_set_header X-Secure on;
#       proxy_set_header Host $host;
#   }
#}

#-- set config file for techdev.example2.com --

#check the varnish version; the config file below is written for Varnish 4
# Print the installed version, then open the VCL that the following listing replaces.
varnishd -V; vim /etc/varnish/default.vcl
#-- set varnish config file --
# This is an example VCL file for Varnish.
vcl 4.0;
# std is imported for later use; nothing in this file calls it.
import std;

# nginx on the loopback interface is the only backend.
backend default {
  .host = "127.0.0.1";
  .port = "8080";
  .first_byte_timeout = 120s;
}

# Addresses allowed to send PURGE/BAN requests (checked in vcl_recv).
acl purge {
  "localhost";
  "127.0.0.1";
}
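sub vcl_recv {
# Happens before we check if we have this in cache already.
#
# Typically you clean up the request here, removing cookies you don't need,
# rewriting the request, etc.
  # Overwrite (not append) the forwarding headers so the backend never sees a
  # client-supplied X-Forwarded-For value.
  set req.http.X-Forwarded-For = client.ip;
  set req.http.X-Forwarded-Port = 80;

  # Cache-management methods are handled first so the ACL check is reached.
  # In the original these sat after an unconditional return (pass) and were
  # dead code, so PURGE/BAN requests were forwarded to nginx/PHP unchecked.
# Allow purging from ACL
  if (req.method == "PURGE") {
# If not allowed then a error 405 is returned
    if (!client.ip ~ purge) {
      return(synth(405, "This IP is not allowed to send PURGE requests."));
    }
# If allowed, do a cache_lookup -> vlc_hit() or vlc_miss()
    return (purge);
  }
  if (req.method == "BAN") {
    if (!client.ip ~ purge) {
      return (synth(403, "Not allowed."));
    }
    ban("req.http.host == " + req.http.host + " && req.url ~ " + req.url);
    return(synth(200, "Ban added"));
  }

  # Caching kill-switch: with this line every request is passed straight to the
  # backend and the per-path rules below never run. Remove it to enable caching.
  return (pass);

  # Unanchored match with unescaped dots: also matches hosts that merely contain this string.
  if (req.http.host ~ "techdev.example2.com")
#you may edit your customized config here.
  {
    if (req.url ~ "preview=true")
    {
      return (pass);
    }
    # Cookies are dropped before the lookup, so only the anonymous version of
    # these URLs is ever stored or served from cache.
    if (req.url ~ "^/wp-json" ||
        req.url ~ "^/$" ||
        req.url ~ "^/\?p=" ||
        req.url ~ "^/view[0-9]*/\?p=" ||
        req.url ~ "^/20[0-9][0-9]/" ||
        req.url ~ "^/category/" ||
        req.url ~ "^/wp-content/uploads" ||
        req.url ~ "^/wp-content/plugins/.*\.js" ||
        req.url ~ "^/wp-content/plugins/.*\.css" ||
        req.url ~ "^/wp-content/themes/example2.*\.(js|css|gif|jpg|png)" ||
        req.url ~ "^/wp-includes/js/jquery.*" ||
        req.url ~ "^/wp-includes/js/wp-emoji-release.min.js")
    {
      unset req.http.cookie;
      return (hash);
    }
  }
#you may edit your customized config here.
  return (pass);
}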
sub vcl_hash {
  # Cache key: the URL plus the Host header, so the same path on different
  # vhosts does not collide; the server address stands in when Host is absent.
  hash_data(req.url);
  if (!req.http.host) {
    hash_data(server.ip);
  } else {
    hash_data(req.http.host);
  }
  return (lookup);
}
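sub vcl_backend_response {
# Happens after we have read the response headers from the backend.
#
# Here you clean the response headers, removing silly Set-Cookie headers
# and other mistakes your backend does.
  # Unanchored match with unescaped dots: also matches hosts that merely contain this string.
  if (bereq.http.host ~ "techdev.example2.com")
  {
    set beresp.ttl = 5m;
  }

  # Never keep server errors around.
  if (beresp.status >= 500)
  {
    set beresp.ttl = 0m;
  }

  # Do not store responses that set a cookie or are marked private: a cached
  # Set-Cookie would hand one visitor's session to the next. Varnish's built-in
  # vcl_backend_response applies this rule, but the explicit return (deliver)
  # at the end of this sub skips the built-in, so it has to be restated here
  # (same 120s hit-for-pass window the built-in uses).
  if (beresp.http.Set-Cookie ||
      beresp.http.Cache-Control ~ "no-cache|no-store|private") {
    set beresp.ttl = 120s;
    set beresp.uncacheable = true;
    return (deliver);
  }

  # Expires mirrors the TTL chosen above ("" + forces string conversion).
  set beresp.http.Expires = "" + (now + beresp.ttl);

  return (deliver);
}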
sub vcl_deliver {
# Happens when we have all the pieces we need, and are about to send the
# response to the client.
#
# You can do accounting or modifying the final object here.
  # Debug header: did the object come from cache?
  set resp.http.X-Cache = "MISS";
  if (obj.hits > 0) {
    set resp.http.X-Cache = "HIT";
  }
  # The application passes its ETag in X-Sniper-ETag; promote it to the real header.
  if (resp.http.X-Sniper-ETag) {
    set resp.http.ETag = resp.http.X-Sniper-ETag;
    unset resp.http.X-Sniper-ETag;
  }
  # NOTE(review): this wildcard CORS header is attached to every response from
  # every vhost behind Varnish, phpmyadmin included. "*" does not allow
  # credentialed cross-origin reads, but it is broader than a per-application
  # setting would be.
  set resp.http.Access-Control-Allow-Origin = "*";
  # Strip software fingerprints and the Varnish tracing headers.
  unset resp.http.Server;
  unset resp.http.X-Powered-By;
  unset resp.http.Via;
  unset resp.http.X-Varnish;
}

#-- set varnish config file --

#-- restart server --
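# Validate both configurations before restarting: a typo would otherwise leave
# the site down with nothing listening on 80/8080.
nginx -t && service nginx restart
varnishd -C -f /etc/varnish/default.vcl > /dev/null && service varnish restart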

#-- Setup PHP Upload Settings (100MB) --
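# Which ini files are in play. "php --ini" reports the CLI's files; php5-fpm on
# Ubuntu reads its own php.ini (normally under /etc/php5/fpm/ -- confirm with
# phpinfo() from the web), and that copy is the one that governs web uploads.
php --ini

#change the following (the heading says 100MB but these values are 10M -- use the
#size actually wanted, and keep post_max_size >= upload_max_filesize)
#upload_max_filesize = 10M
#post_max_size = 10M

# Test the FPM configuration before restarting so a typo does not take PHP down.
php5-fpm -t && service php5-fpm restart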

#On client
# Point the client's name resolution at the test server (replace the address).
sudo sh -c 'cat >> /etc/hosts <<EOF
192.168.57.100  techdev.example2.com
192.168.57.100  pmadev.example.com
EOF'

#Add sudoer and disable root login
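# Admin login user with sudo rights. Use a drop-in under /etc/sudoers.d and check it
# with visudo rather than appending to /etc/sudoers: a syntax error in that file
# locks everyone out of sudo.
adduser kiwi
echo 'kiwi ALL=(ALL) ALL' > /etc/sudoers.d/kiwi
chmod 0440 /etc/sudoers.d/kiwi
visudo -cf /etc/sudoers.d/kiwi
# Lock the phpmyadmin account's password instead of deleting it: "passwd -d" leaves an
# empty password, which local console logins may still accept depending on the PAM
# setup, whereas a locked password can never match.
passwd -l phpmyadmin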

#set port and disable empty password login
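# sshd hardening: no root login, no empty passwords, non-default port.
vim /etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no
Port 10022
# Keep the current session open while doing this and check the file before the
# restart; a broken sshd_config otherwise leaves no way back in. Any firewall in
# front of the host must allow the new port first.
sshd -t && service ssh restart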

#protect the phpmyadmin login page with HTTP basic auth (the site is served over plain http://)
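# Generate the password hash for nginx basic auth. Plain "openssl passwd" uses the
# legacy crypt() scheme, which silently truncates the password to 8 characters;
# -apr1 (Apache MD5, understood by nginx) hashes the whole password.
openssl passwd -apr1

# One "user:hash" line per account.
vim /etc/nginx/pma_password
  {usernamestr}:{passwordstr}
# nginx's workers read this file as www-data; nobody else on the box needs to.
chown root:www-data /etc/nginx/pma_password
chmod 640 /etc/nginx/pma_password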

#add the following into config file
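# Replace the existing "location ~ \.php$" block in the pmadev.example.com server
# with this one (nginx rejects two identical locations in one server). The
# auth_basic directives put a login prompt in front of phpmyadmin's own login.
# Over plain HTTP these credentials travel base64-encoded, not encrypted, so
# pair this with the internal-network allow rule or the HTTPS server block.
location ~ \.php$ {
  auth_basic "Admin Login";
  auth_basic_user_file /etc/nginx/pma_password;
  # Only real files reach php-fpm (guards against PATH_INFO tricks when cgi.fix_pathinfo=1).
  try_files $uri =404;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  fastcgi_index index.php;
  include fastcgi_params;
}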


#-- pure (static) file server settings, no PHP --
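server {
  # Backend port: Varnish owns port 80 and forwards here.
  listen 8080;
#listen [::]:8080 default_server ipv6only=on;
  server_name kiwijs.example2.com;
  root /var/www/kiwijs.example2.com/;
  index index.html index.htm;
  client_max_body_size 512M;
  location / {
    # Static files only; anything that does not exist is a 404.
    try_files $uri $uri/ =404;
  }
  # Never serve dot-files (.git, .env ...) from the document root; /.well-known/
  # stays reachable for ACME challenges if TLS is added later.
  location ~ /\.(?!well-known/) {
    deny all;
  }
}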