# ENV2021-Project 建置筆記

## GCP Information

* e2-small (2 個 vCPU,2 GB 記憶體)
* Disk for system & AP/DB: SSD 20GB
* Disk for image: 10GB
* Public IP: 35.206.218.155
* FW: 80/443 port

## Virtualhost Information

* domain: env.gravitywave.com.tw
* Home Directory: /home/wwwroot/env
* Database username: envdbs
* Database userpassword: **********
* Database Name: envdbs
* Enable SSL: Let's Encrypt

## Environment Information

* PHP 7.4.12
* Nginx 1.18.0
* MariaDB 10.4.13

## vhost Conf Setting

```
nano /usr/local/nginx/conf/vhost/env.gravitywave.com.tw.conf
```

```
server {
    listen 80;
    #listen [::]:80;
    server_name env.gravitywave.com.tw;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/env/drupal/web;
    return 301 https://env.gravitywave.com.tw$request_uri;
    include rewrite/none.conf;
    #error_page 404 /404.html;
    include enable-php-pathinfo.conf;
    access_log off;
}

server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    #if ($host = env.gravitywave.com.tw) {
    # return 301 https://env.gravitywave.com.tw$request_uri;
    #}
    server_name env.gravitywave.com.tw;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/env/drupal/web;
    ssl_certificate /usr/local/nginx/conf/ssl/env.gravitywave.com.tw/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/env.gravitywave.com.tw/env.gravitywave.com.tw.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    include rewrite/none.conf;
    #error_page 404 /404.html;
    include enable-php-pathinfo.conf;
    location ~
/.well-known {
        allow all;
    }
    access_log off;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~* \.(txt|log)$ {
        allow 192.168.0.0/16;
        deny all;
    }
    location ~ \..*/.*\.php$ {
        return 403;
    }
    location ~ ^/sites/.*/private/ {
        return 403;
    }
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }
    location ~ (^|/)\. {
        return 403;
    }
    location / {
        try_files $uri /index.php?$query_string; # For Drupal >= 7
    }
    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }
    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|composer\.(lock|json)$|web\.config$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
        deny all;
        return 404;
    }
    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }
    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
        return 307 $1$2;
    }
}
```

> 安全備註：上方 `ssl_protocols` 仍啟用 TLSv1 與 TLSv1.1，`ssl_ciphers` 也包含 3DES 以及 RSA 金鑰交換（無 forward secrecy）的套件；若沒有舊客戶端的相容需求，建議收斂為 `TLSv1.2 TLSv1.3`，並從 cipher 清單移除 `RSA+*` 與 `*+3DES`。

## PHP & MariaDB Conf Setting

```
nano /usr/local/php/etc/php.ini
```

```
memory_limit = 256M
date.timezone = Asia/Taipei
max_execution_time = 300
max_input_time = 300

* 刪除以下 functions:
disable_functions = passthru,exec,proc_open,proc_get_status
```

> 安全備註：從 `disable_functions` 放行 `passthru`/`exec`/`proc_open`/`proc_get_status` 之後，PHP 程式即可執行系統指令；請只在確實需要時（通常是為了 composer / drush）放行，並確認 php-fpm 是以最小權限帳號執行。

```
nano /etc/my.cnf
```

```
max_allowed_packet = 32M
```

## PHP Env Setting
```
cd ~
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
```

> 備註：第三行比對的 SHA-384 會隨 Composer 安裝程式版本更動，執行前請以 getcomposer.org 公布的目前 hash 取代，否則只會得到 `Installer corrupt` 並刪除安裝檔。

```
nano /usr/local/nginx/conf/fastcgi.conf
```

註釋掉:

```
#fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";
```

> 安全備註：註釋掉這行後 PHP 不再受 `open_basedir` 限制，可存取 document root 與 /tmp 以外的任何路徑；若只是為了讓 Drupal 讀取位於 document root 之外的 `vendor/` 目錄，改為把該路徑加入 `open_basedir` 清單會比整個關閉更安全。

#### 啟動 PHP OPcache

```
./addons.sh install opcache
```

```
cd /home/wwwroot/env/
composer create-project drupal/recommended-project:~8.9.12 drupal
chown -R www:www web/
chmod -R 755 web/
```

> 備註：`chown`/`chmod` 使用相對路徑 `web/`，但依 vhost 的 `root` 設定，該目錄位於 `drupal/web`；執行前請確認所在目錄。

#### Protecting against HTTP HOST Header attacks:

```
nano sites/default/settings.php
```

```
$settings['trusted_host_patterns'] = [
  '^env\.gravitywave\.com\.tw$',
];
```

#### Drush Installation

```
cd /home/wwwroot/env/drupal
COMPOSER_MEMORY_LIMIT=-1 composer require drush/drush
```

```
nano ~/.bashrc
```

```
export PATH="/home/wwwroot/env/drupal/vendor/bin:$PATH"
```

```
source ~/.bashrc
```