---
tags: Server administration, CentOS7, PHP, Apache
---

# Reference steps for installing a newer PHP 7 and httpd24 on CentOS 7

[toc]

(The stock CentOS 7 `httpd` package never gets beyond httpd 2.4.6 however often you update; installing `httpd24u` from IUS lets you follow the upstream Apache releases.) The PHP project's supported-versions page also states that PHP 7.3.x and earlier no longer receive security fixes, so 7.4.x is the version to install. PHP 7.4 itself stopped receiving security fixes on 28 November 2022, so check that page before following these notes and plan the move to a supported 8.x branch.

TODO: [Rocky Linux: install Apache, PHP, MariaDB (LAMP)](https://www.ltsplus.com/linux/rocky-linux-install-apache-php-mariadb-lamp)
TODO: [RHEL / Rocky Linux 8: install several PHP versions side by side](https://www.ltsplus.com/linux/rhel-rocky-linux-oracle-linux-install-multiple-php)
TODO: [RHEL / CentOS 8: install Nginx, MySQL, PHP (LEMP)](https://www.ltsplus.com/linux/rhel-centos-8-install-nginx-mysql-php-lemp)
TODO: [Setting up a Redis server](https://hackmd.io/@3obs7uo2R0ywhgjPUysZZg/rkwCiHqA4)
TODO: ["Still learning Redis" series](https://ithelp.ithome.com.tw/users/20111658/ironman/4426?page=3)
TODO: [Redis: the database high-traffic systems cannot do without](https://blog.kennycoder.io/2020/02/22/Redis-%E9%AB%98%E6%B5%81%E9%87%8F%E7%B3%BB%E7%B5%B1%E4%B8%8D%E8%83%BD%E6%88%96%E7%BC%BA%E7%9A%84%E8%B3%87%E6%96%99%E5%BA%AB%EF%BC%81%E5%AE%89%E8%A3%9D%E6%95%99%E5%AD%B8%EF%BC%81/)
TODO: [Redis series: environment setup](https://jed1978.github.io/2018/05/02/Redis-Environment-Installation-Configuration.html)
TODO: [Upgrading the kernel](https://phoenixnap.com/kb/how-to-upgrade-kernel-centos)
TODO: find time to try Rocky Linux with Apache + PHP or Nginx + PHP

## References

#### [PHP supported versions](https://www.php.net/supported-versions.php)

#### [Upgrading from Apache 2.2 to 2.4](https://httpd.apache.org/docs/current/upgrading.html)

#### Government Configuration Baseline (GCB)

* [GCB: Apache HTTP Server 2.4](https://download.nccst.nat.gov.tw/attachfilegcb/%E6%94%BF%E5%BA%9C%E7%B5%84%E6%85%8B%E5%9F%BA%E6%BA%96GCB_Apache%20HTTP%20Server%202.4%E8%AA%AA%E6%98%8E%E6%96%87%E4%BB%B6(V1.0)(%E9%A0%90%E5%91%8A%E7%89%88).pdf)
* [GCB: Red Hat Enterprise Linux 5 (V1.1)](https://download.nccst.nat.gov.tw/attachfilegcb/TWGCB-01-003_Red%20Hat%20Enterprise%20Linux%205%E6%94%BF%E5%BA%9C%E7%B5%84%E6%85%8B%E5%9F%BA%E6%BA%96%E8%AA%AA%E6%98%8E%E6%96%87%E4%BB%B6(V1.1).pdf)

#### Online references

* [鳥哥的Linux私房菜 (Vbird's Linux notes)](https://linux.vbird.org/)
* [Linux server system administration: CentOS](http://www.tsnien.idv.tw/Linux_WebBook/CentOS.htm)
* [Repositories available for CentOS](https://wiki.centos.org/zh-tw/AdditionalResources/Repositories)
* [Linux Package Management Cheatsheet](https://danilodellaquila.com/en/blog/linux-package-management-cheatsheet)
* [[CentOS 7] Installing apache + php7 + mariadb10 + selinux](http://n.sfs.tw/content/index/11045?noframe=true)

## CentOS 7 installation steps

#### Preparation

* SELinux settings

> This reference environment has been set up and tested with Security-Enhanced Linux (SELinux) enabled in ENFORCING mode. Once again, please refer to the Red Hat documentation on SELinux for further details on using and configuring this feature [[RHEL8](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/index) / [RHEL7](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/index)]. For any other operating system, consult the respective documentation for security and firewall solutions to ensure that maximum security is maintained while the ports required by your application are opened.
> When enabled in ENFORCING mode, by default, SELinux prevents Apache web server from establishing network connections. On the machine hosting Apache web server, configure SELinux to allow httpd network connections:

```bash
> setsebool -P httpd_can_network_connect on
# A Laravel project additionally needs its storage directory labelled writable for httpd
> cd <laravel_project_path>
> chcon -R -t httpd_sys_rw_content_t storage
```

Two caveats. `httpd_can_network_connect` lets httpd open any outbound connection; if the only outbound traffic is to a database, the narrower `httpd_can_network_connect_db` boolean is enough. And `chcon` changes the label on the files only: a relabel (`restorecon`, or `/.autorelabel` after a reboot) puts the old label back. For a rule that survives relabelling, register the path with `semanage fcontext -a -t httpd_sys_rw_content_t "<laravel_project_path>/storage(/.*)?"` and then run `restorecon -Rv <laravel_project_path>/storage` (`semanage` comes from the `policycoreutils-python` package on CentOS 7).

* If restarting the service produces the message below, run `setsebool -P httpd_read_user_content 1`.

```
[Tue Mar 22 13:47:04.212277 2022] [core:notice] [pid 4657:tid 4657] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Mar 22 13:47:04.214969 2022] [ssl:emerg] [pid 4657:tid 4657] AH02311: Fatal error initialising mod_ssl, exiting.
See /etc/httpd/logs/conf-ssl-error.log for more information
```

That boolean lets httpd read files carrying the user-home label, which is what a certificate or key copied out of a home directory still carries. Before widening the policy, read `/etc/httpd/logs/conf-ssl-error.log` and `ausearch -m AVC -ts recent` to see which file was denied; if the files were moved with `mv` (which keeps the old label) rather than copied, `restorecon -Rv /etc/httpd` relabels them and is the narrower fix.

> [Configuring SELinux Policies for Apache Web Servers](https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/)
> A full list of booleans on SELinux is available at: https://wiki.centos.org/TipsAndTricks/SelinuxBooleans
> Overall information: https://wiki.centos.org/HowTos/SELinux
> [SELinux 初接触 (a first look at SELinux, or: stop disabling SELinux)](https://abcdabcd987.com/stop-disabling-selinux/)
> [setroubleshoot: error messages are written to /var/log/messages](https://linux.vbird.org/linux_basic/centos7/0440processcontrol.php#selinux_policy)
> [Laravel on CentOS: cannot write the log file](https://blog.404nofound.com/post/centos_selinux/)

* The stock CentOS 7 repositories do not carry current versions of these packages; add third-party repositories to keep receiving security updates.

```bash
> yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
> yum install https://repo.ius.io/ius-release-el7.rpm
> yum install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
```

Note that `yum` does not check the GPG signature of a package given by URL (`localpkg_gpgcheck` defaults to 0), so the transport is the only protection for these `-release` packages; fetch them over HTTPS wherever the mirror offers it. Packages installed from the repositories afterwards are signature-checked with the keys those `-release` packages install.

* Install the required tools

```bash
> yum install yum-plugin-replace
> yum install yum-utils
> yum clean all
> hash -r
```

* Stop the httpd service before installing

```bash
> systemctl stop httpd.service
```

#### Install git (requires the IUS repo)

* Check whether git is installed; if it is git 1.x, remove it and install git 2.x instead.

```bash
> yum list installed | grep git
> yum remove git216-core
> yum install git236 -y
```

#### Install Oracle Instant Client

* Download [Oracle Instant Client](https://www.oracle.com/tw/database/technologies/instant-client/downloads.html) and install it. Before installing, check for an older Instant Client; remove it first, then install the new one.
  * oracle-instantclient-basic-21.3.0.0.0-1.x86_64.rpm
  * oracle-instantclient-devel-21.3.0.0.0-1.x86_64.rpm
* Check for an old version and, depending on the situation, remove it first

```bash
> yum list installed | grep oracle
> yum remove oracle-instantclient19.8-basic
```

* Download and install the packages

```bash
> wget https://download.oracle.com/otn_software/linux/instantclient/213000/oracle-instantclient-basic-21.3.0.0.0-1.x86_64.rpm
> wget https://download.oracle.com/otn_software/linux/instantclient/213000/oracle-instantclient-devel-21.3.0.0.0-1.x86_64.rpm
> yum install oracle-instantclient-basic-21.3.0.0.0-1.x86_64.rpm --nogpgcheck
> yum install oracle-instantclient-devel-21.3.0.0.0-1.x86_64.rpm --nogpgcheck
> yum list installed | grep oracle
```

`--nogpgcheck` skips signature verification entirely, so the HTTPS download above is the only integrity check. Prefer importing Oracle's RPM signing key with `rpm --import` so that the flag is not needed, or at least verify the file against the checksum Oracle publishes for the release.

* Set the Oracle environment variables

> vi /etc/profile.d/client.sh

```bash
export PHP_DTRACE=yes
export ORACLE_HOME=/usr/lib/oracle/21.3/client64
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export TNS_ADMIN=$ORACLE_HOME/network/admin
```

* Confirm the settings take effect (`sh /etc/profile.d/client.sh` would run the file in a child shell and change nothing in the current one; `source` is what applies it)

```bash
> source /etc/profile.d/client.sh
> echo $ORACLE_HOME
```

#### Install httpd 2.4 and PHP 7.4

* Remove PHP 7.2 and older

```bash
> yum list installed | grep php
> yum remove php72w* mod_php72w
> rm -f /etc/php.d/*.ini
```

* Per the Chunghwa Telecom course material, remove the third-party repository that is no longer acceptable (webtatic)

```bash
> yum remove webtatic-release -y
> yum repolist
```

* Install httpd24u; if the stock httpd is installed, remove it first (IUS, EPEL). `yum remove` also removes packages that depend on httpd, such as the old mod_ssl and mod_php, so read the transaction summary before confirming.

```bash
> yum list installed | grep httpd
> yum remove httpd httpd-tools
> yum install httpd24u httpd24u-mod_ssl -y
```

* Install PHP 7.4 (Remi)

> In PHP 7.4 the zip extension moved to PECL, so install php-pecl-zip instead of php-zip; PhpSpreadsheet requires it.

```bash
> yum-config-manager --enable remi-php74
> yum install mod_php
> yum install php-soap php-oci8 php-bcmath php-devel php-gd php-ldap php-mbstring php-mysqlnd php-pdo php-opcache php-xml php-xmlrpc -y
> yum install php-pecl-zip -y
> yum clean all
> hash -r
```

* Install OpenSSL from source

This build only gives you a newer `openssl` command-line tool. mod_ssl and PHP from the packages above stay linked against the system `openssl-libs` (1.0.2k on CentOS 7; confirm with `ldd /usr/lib64/httpd/modules/mod_ssl.so | grep ssl`), which yum keeps patched. A source build gets no updates from yum, so you own its patching, and the OpenSSL 1.1.1 series itself reached end of life in September 2023. The earlier draft configured `--prefix=/usr --libdir=lib no-shared` and then linked libraries out of `/usr/local/lib64`, which that configuration never creates; it also overwrote the package-managed `/usr/bin/openssl` and `/usr/include/openssl`, which breaks building extensions against the system libraries. Installing under `/usr/local` keeps the two copies apart.

```bash
> cd /usr/local/src
> wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz
> tar xzvf openssl-1.1.1s.tar.gz
> cd openssl-1.1.1s
> ./config --prefix=/usr/local --openssldir=/usr/local/ssl shared zlib-dynamic
> make
> make test
> make install
# On x86_64 the 1.1.1 build installs its libraries under /usr/local/lib64
> ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/
> ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/
```

* `vi /etc/profile.d/openssl.sh` (redundant once the symlinks above exist, since /usr/lib64 is on the default loader path; kept for shells that need /usr/local/lib)

```
export LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64
```

* Confirm the result. `/usr/local/bin` precedes `/usr/bin` in the default PATH, so `openssl version` now reports the source build. That binary looks for CA certificates in `/usr/local/ssl`, not the system bundle, so pass `-CAfile /etc/pki/tls/certs/ca-bundle.crt` when using `openssl s_client` to verify a server.

```
source /etc/profile.d/openssl.sh
openssl version
```

#### Confirm the installation

* Check the versions and look for error messages

```bash
> php -v
> httpd -v
```

* Confirm the PHP extensions that are required (Oracle database, AD authentication, Laravel framework) are present

```bash
> php -m|grep -i oci
> php -m|grep -i ldap
> php -m|grep -i openssl
> php -m|grep -i bcmath
> php -m|grep -i mbstring
> php -m|grep -i ctype
> php -m|grep -i tokenizer
> php -m|grep -i json
> php -m|grep -i pdo
```

#### Related tuning

* Settings to change in php.ini. The directive names matter: PHP silently ignores unknown names, so the `display_error` and `timezone` lines in the earlier draft did nothing; the real names are `display_errors` and `date.timezone`.

> vi /etc/php.ini

```ini
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT & ~E_NOTICE
expose_php = Off
display_errors = Off
date.timezone = "Asia/Taipei"
session.cookie_secure = 1
session.cookie_httponly = 1
```

* Other httpd settings (virtual hosts, SSL and so on all live in /etc/httpd/conf.d/*.conf)

> vi /etc/httpd/conf/httpd.conf

```apache
<Directory "/var/www">
    # AllowOverride All is only needed where .htaccess files are used (for
    # example Laravel's public/.htaccess). Granting it for all of /var/www lets
    # any writable directory there change server behaviour, so narrow it to the
    # directories that need it where you can.
    AllowOverride All
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
    # Possible values for the Options directive are "None", "All", or any
    # combination of: Indexes Includes FollowSymLinks SymLinksifOwnerMatch
    # ExecCGI MultiViews. "MultiViews" must be named explicitly; "Options All"
    # does not give it to you. See
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    #
    # Turn off directory listings and symlink following. Note that RewriteRule
    # in a .htaccess (Laravel) requires FollowSymLinks or SymLinksIfOwnerMatch;
    # if rewriting stops working, use "Options -Indexes +SymLinksIfOwnerMatch".
    Options -Indexes -FollowSymLinks
</Directory>
```

```apache
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    # index.php takes priority
    DirectoryIndex index.php index.html
</IfModule>
```

> vi /etc/httpd/conf.d/security.conf

```apache
# Response header hardening
<IfModule mod_headers.c>
    # Hide the Apache and PHP version headers.
    # "Header unset Server" does not work: the core adds the Server header after
    # mod_headers has run, so ServerTokens Prod (below) is the effective control.
    # X-Powered-By comes from PHP (expose_php = Off in php.ini also removes it).
    Header always unset X-Powered-By
    Header unset X-Powered-By
    Header unset X-CF-Powered-By
    Header unset X-Mod-Pagespeed
    Header unset X-Pingback

    # Privacy: Referrer is the page the visitor came from (jumping from site A
    # to site B records A). Send none. The earlier draft had a stray colon in
    # the header name, which produced a header called "Referrer-Policy:".
    Header always set Referrer-Policy "no-referrer"

    # Clickjacking: stop phishing sites embedding this site in an iframe.
    # GCB TWGCB-04-005-0036. Use "set", not "append": browsers reject a header
    # reading "SAMEORIGIN, SAMEORIGIN", and "Frame-Options" is not a real header.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy IE 8+ XSS filter. Modern browsers ignore it and current guidance
    # (OWASP) is to disable the filter with 0, because the filter itself has
    # been abused for information leaks.
    Header always set X-XSS-Protection "0"

    # Stop browsers second-guessing Content-Type (the check applies to script
    # and style loads, which is where sniffing gets dangerous).
    Header always set X-Content-Type-Options "nosniff"

    # Cookies: add HttpOnly, Secure and SameSite only to cookies that lack them,
    # so an application that already sets them does not get the attribute twice.
    # SameSite=Strict breaks logins that return from an external identity
    # provider (AD/SSO redirects); use Lax for such sites.
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*SameSite=).)+)$" "$1; SameSite=Strict"
    # "set" replaces any Cache-Control the application sent; check that this
    # does not undo the application's own no-store/private headers.
    Header set Cache-Control "no-cache=\"Set-Cookie\""

    # Hide ETag (leaks inode numbers)
    Header unset ETag
    FileETag None

    # Strip Range headers: mitigation for the 2011 byte-range DoS (CVE-2011-3192).
    # httpd 2.4 is not vulnerable, and dropping these headers breaks resumable
    # downloads and media seeking, so keep this only if you have a reason to.
    RequestHeader unset Range
    RequestHeader unset Request-Range
</IfModule>

# Hide the Apache version. GCB TWGCB-04-005-0048
ServerTokens Prod
# GCB TWGCB-04-005-0049
ServerSignature Off

# Disable HTTP TRACE (cross-site tracing). GCB TWGCB-04-005-0030
TraceEnable Off

# Drop idle connections after 60 s (not in the stock file; add it). GCB TWGCB-04-005-0052
Timeout 60

# DoS mitigation
# GCB TWGCB-04-005-0053
KeepAlive On
# GCB TWGCB-04-005-0054
MaxKeepAliveRequests 100
# GCB TWGCB-04-005-0055
KeepAliveTimeout 15
# GCB TWGCB-04-005-0056, TWGCB-04-005-0057 (mod_reqtimeout)
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Request limits
# GCB TWGCB-04-005-0058
LimitRequestLine 512
# GCB TWGCB-04-005-0059
LimitRequestFields 100
# GCB TWGCB-04-005-0060. 1 KB per header field rejects requests carrying large
# cookies or Negotiate/Kerberos tokens with a 400; raise it if AD login fails.
LimitRequestFieldSize 1024
# GCB TWGCB-04-005-0061. 100 KB: any upload larger than this gets a 413, so
# raise the limit in a <Directory> or <Location> for paths that accept uploads.
LimitRequestBody 102400
```

> vi /etc/httpd/conf.d/vhost.conf

```apache
# SITENAME is a placeholder for the host's short name. Use *:80 plus ServerName
# rather than a hostname in <VirtualHost>: a hostname there is resolved through
# DNS at startup and is discouraged by the httpd documentation.
<VirtualHost *:80>
    DocumentRoot "/var/www/SITENAME-html"
    ServerName SITENAME.nfu.edu.tw
    ErrorLog "logs/SITENAME-error.log"
    CustomLog "logs/SITENAME-access.log" combined
    DirectoryIndex index.php index.html index.htm
    # Everything on port 80 is sent to HTTPS; the Directory block below only
    # matters if this redirect is ever removed.
    Redirect permanent / https://SITENAME.nfu.edu.tw/
    <Directory "/var/www/SITENAME-html">
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# Reverse proxy for the custom-character (造字) service; a need specific to our work.
# A reverse proxy must not be a forward proxy, so ProxyRequests stays Off.
ProxyRequests Off
# Keep the trailing slash on both sides (the earlier draft had it on one side
# only, which can make httpd build backend URLs with a missing slash), and add
# ProxyPassReverse so redirects from the backend are rewritten. Defined here in
# server scope, this path is exposed through every VirtualHost; if only campus
# clients need it, wrap it in a <Location> with a Require ip rule.
ProxyPass        /AstarProxy/ http://140.130.2.124:8080/
ProxyPassReverse /AstarProxy/ http://140.130.2.124:8080/
```

> vi /etc/httpd/conf.d/ssl.conf

```apache
# Keep the "Listen 443 https" line and the SSL session-cache lines from the
# stock mod_ssl ssl.conf above this block.
<VirtualHost *:443>
    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/SITENAME-html"
    ServerName SITENAME.nfu.edu.tw:443

    # Use separate log files for the SSL virtual host; note that LogLevel
    # is not inherited from httpd.conf.
    ErrorLog "logs/SITENAME-ssl-error.log"
    CustomLog "logs/SITENAME-ssl-access.log" combined
    # TWGCB-04-005-0037 (default is warn; raise to notice, core module to info)
    LogLevel notice core:info

    # SSL Engine Switch: enable SSL for this virtual host.
    SSLEngine on

    # Server Certificate:
    SSLCertificateFile /etc/httpd/ssl_twca/server.cer
    # Server Private Key. TWGCB-04-005-0041:
    #   chown root:root /etc/httpd/ssl_twca/server.key
    #   chmod 0400 /etc/httpd/ssl_twca/server.key
    # httpd reads the key as root before dropping privileges, so root-only 0400 is enough.
    SSLCertificateKeyFile /etc/httpd/ssl_twca/server.key
    # Server Certificate Chain (deprecated since 2.4.8: the intermediate
    # certificates can instead be appended to the SSLCertificateFile PEM).
    SSLCertificateChainFile /etc/httpd/ssl_twca/uca.cer

    # enable HTTP/2, if available (left off for now; it has produced errors here)
    #Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required). TWGCB-04-005-0047
    # Forces browsers to use HTTPS only for this host, defeating downgrade/MITM.
    # GCB requires max-age of at least 480 s; the usual recommendation is at
    # least 180 days = 180*24*60*60 = 15552000 (the earlier draft's 1552000 was
    # an arithmetic slip). Add "preload" only once max-age is >= 31536000 and you
    # intend to submit the host to the browser preload list: preloading is close
    # to irreversible.
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    # Per-Server Logging:
    CustomLog "logs/SITENAME-ssl-request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <FilesMatch "\.(shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    # SSL Protocol Adjustments (legacy IE 2-5 workarounds from the stock file)
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

# Server-wide TLS settings ("intermediate" profile)
# TWGCB-04-005-0042: disable SSLv3 and TLS 1.0. NSA guidance: use only TLS 1.2
# or 1.3, never SSL 2.0, SSL 3.0, TLS 1.0 or TLS 1.1.
# httpd24u on CentOS 7 is linked against the system OpenSSL 1.0.2, which has no
# TLS 1.3; add +TLSv1.3 only if "ldd /usr/lib64/httpd/modules/mod_ssl.so | grep ssl"
# shows libssl 1.1.1 or later.
SSLProtocol -all +TLSv1.2
# TWGCB-04-005-0043: NSA advises against suites using NULL, RC2, RC4, DES, IDEA
# or TDES/3DES in TLS 1.2 (the former default list excluded them with
# !RC2:!RC4:!DES:!IDEA:!3DES:!TDES). The list below is forward-secret AEAD
# suites only; the CHACHA20 entries need OpenSSL 1.1.0 or later and are
# silently ignored by 1.0.2.
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLSessionTickets Off
# TWGCB-04-005-0044
SSLInsecureRenegotiation Off
# TWGCB-04-005-0045
SSLCompression Off
# TWGCB-04-005-0046: OCSP stapling (the cache must be defined outside any VirtualHost)
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
```

#### Start the httpd service

* Start httpd. Run `apachectl configtest` (or `httpd -t`) first: a syntax error in the files above otherwise takes the site down on restart.

```bash
> systemctl start httpd.service
```

* Check that httpd started

```bash
> systemctl status httpd.service
```

* Enable httpd at boot (only needed once, at initial installation)

```bash
> systemctl enable httpd
```

#### Install Composer

* Installation commands. The SHA-384 value below is the installer hash current when these notes were written; it changes whenever the installer is updated, so copy the current value from the Composer download page (https://getcomposer.org/download/) rather than reusing this one.

```bash
> cd /root
> php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
> php -r "if (hash_file('sha384', 'composer-setup.php') === '572cb359b56ad9ae52f9c23d29d4b19a040af10d6635642e646a7caa7b96de717ce683bd797a92ce99e5929cc51e7d5f') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
> php composer-setup.php
> php -r "unlink('composer-setup.php');"
> mv composer.phar /usr/local/bin/composer
```

* Check the installed version

```bash
> composer --version
```

## Checking for operating-system updates from time to time

#### Updating packages with yum

```bash
> yum check-update
> yum update -y
> yum clean all
```

#### After httpd and php updates, check whether the configuration files were replaced

* RPM writes `*.rpmnew` beside a configuration file it left alone (the new default is in the `.rpmnew` file) and `*.rpmsave` when it replaced your edited file and kept the old copy. `php.ini` and `httpd.conf` are marked noreplace in their packages, so you will usually find `.rpmnew`; look for both. (httpd.conf lives in /etc/httpd/conf/, not conf.d/.)

```bash
> ls /etc/php.ini.rpm*
> ls /etc/httpd/conf/httpd.conf.rpm*
```

* Compare the old and new settings (substitute `.rpmsave` if that is what you found; the live file is then the new default and the saved one holds your edits)

```bash
> diff /etc/php.ini /etc/php.ini.rpmnew
> diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.rpmnew
```

## Install nmap to test the TLS cipher suites

#### Install nmap

* Download from the official site and install. The Nmap project signs its RPMs; after importing the project's public key (published on nmap.org), `rpm -K nmap-7.92-1.x86_64.rpm` verifies the signature before you install.

```bash
> wget https://nmap.org/dist/nmap-7.92-1.x86_64.rpm
> rpm -vhU nmap-7.92-1.x86_64.rpm
```

* Check the installed version

```bash
> nmap --version
```

* Test the TLS protocols and cipher suites the server offers

```bash
> nmap --script ssl-enum-ciphers -p 443 xx.nfu.edu.tw
```

## Further reading

* [Linux and macOS Installation Tutorial for the Microsoft Drivers for PHP for SQL Server](https://docs.microsoft.com/en-us/sql/connect/php/installation-tutorial-linux-mac?view=sql-server-ver15#installing-on-red-hat)
* [Case study: an invalid website certificate (certificate chain issue)](https://blog.darkthread.net/blog/cert-chain-issue/)
* [How to create a CSR with OpenSSL and obtain a production TLS certificate](https://blog.miniasp.com/post/2022/06/14/How-to-request-new-tls-certificate-using-OpenSSL)
* [Hiding sensitive information in Apache Server](https://oxygentw.net/blog/computer/apache-hide-sensitive-info/)
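#### Added check: auditing the response headers

Added example, not part of the original notes: a shell check that grades a captured response-header block against the hardening configured in security.conf and the HSTS line in ssl.conf. The two header blocks embedded below are constructed samples, not captures from a real host; the thresholds (HSTS of at least 180 days, and at least one year before `preload` is acceptable) are the ones used in the configuration above.

```shell
#!/bin/sh
# Audit an HTTP response header block (as produced by `curl -sI https://host/`)
# for the hardening this page configures. Added example; samples are constructed.

# Constructed sample 1: a host that still leaks versions, sends HSTS with the
# 480-second max-age plus preload, duplicated X-Frame-Options from "Header append",
# and a session cookie without HttpOnly/Secure.
WEAK_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.54 (IUS) OpenSSL/1.0.2k-fips PHP/7.4.33
X-Powered-By: PHP/7.4.33
Strict-Transport-Security: max-age=480; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Set-Cookie: laravel_session=abc123; path=/
Content-Type: text/html; charset=UTF-8'

# Constructed sample 2: the same host after the security.conf and ssl.conf changes.
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Set-Cookie: laravel_session=abc123; path=/; HttpOnly; Secure; SameSite=Strict
Content-Type: text/html; charset=UTF-8'

# hval NAME HEADERS: value of the first header called NAME (case-insensitive), CR stripped.
hval() {
  printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# audit_headers HEADERS: print one line per finding; prints nothing when everything passes.
audit_headers() {
  h=$1

  # ServerTokens Prod leaves just "Apache"; a slash followed by a digit means a version leaked.
  case "$(hval Server "$h")" in
    */[0-9]*) echo "Server header leaks a version: $(hval Server "$h")" ;;
  esac
  [ -z "$(hval X-Powered-By "$h")" ] || echo "X-Powered-By still present (expose_php = Off / Header unset)"

  # HSTS: present, max-age of at least 180 days, and no preload below one year.
  hsts=$(hval Strict-Transport-Security "$h")
  if [ -z "$hsts" ]; then
    echo "HSTS missing"
  else
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 15552000 ] || echo "HSTS max-age too short: ${age:-none}"
    case "$hsts" in
      *preload*) [ "${age:-0}" -ge 31536000 ] || echo "HSTS preload sent with max-age below one year" ;;
    esac
  fi

  # Clickjacking: exactly one X-Frame-Options value ("append" yields "SAMEORIGIN, SAMEORIGIN").
  case "$(hval X-Frame-Options "$h")" in
    DENY|SAMEORIGIN) ;;
    *,*) echo "X-Frame-Options has multiple values (use Header set, not append)" ;;
    *) echo "X-Frame-Options missing or invalid" ;;
  esac

  [ "$(hval X-Content-Type-Options "$h")" = "nosniff" ] || echo "X-Content-Type-Options nosniff missing"
  [ -n "$(hval Referrer-Policy "$h")" ] || echo "Referrer-Policy missing"

  # Every Set-Cookie on the response needs HttpOnly and Secure.
  printf '%s\n' "$h" | tr -d '\r' | grep -i '^Set-Cookie:' | while IFS= read -r c; do
    case "$c" in *[Hh]ttp[Oo]nly*) ;; *) echo "cookie without HttpOnly: $c" ;; esac
    case "$c" in *[Ss]ecure*) ;; *) echo "cookie without Secure: $c" ;; esac
  done
  return 0
}

# count_findings HEADERS: number of findings, for use in scripts and monitoring.
count_findings() { audit_headers "$1" | grep -c . || true; }

# Stand-alone demo: list the weak host's findings, then the counts for both samples.
audit_headers "$WEAK_HEADERS"
printf 'weak: %s findings, hardened: %s findings\n' \
  "$(count_findings "$WEAK_HEADERS")" "$(count_findings "$HARDENED_HEADERS")"
```

Run it against a live host with `audit_headers "$(curl -sI https://SITENAME.nfu.edu.tw/)"`; an empty result means every check passed. The cookie checks only see cookies set on that particular response, so also request a page that starts a session.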
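#### Added check: grading the nmap ssl-enum-ciphers output

Added example, not part of the original notes: the `nmap --script ssl-enum-ciphers` output from the section above can be graded automatically against the SSLProtocol and SSLCipherSuite policy in ssl.conf (nothing below TLS 1.2, every suite with ECDHE/DHE key exchange and an AEAD cipher, none of the 3DES/RC4/NULL/DES/MD5/EXPORT families, and server-side cipher ordering). The two scan outputs embedded below are constructed in nmap's output format, not real scans.

```shell
#!/bin/sh
# Grade `nmap --script ssl-enum-ciphers -p 443 host` output against the ssl.conf policy.
# Added example; both scan outputs below are constructed, not real scans.

# Constructed scan of a host still running the stock mod_ssl settings.
WEAK_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: C'

# Constructed scan of a host running the SSLProtocol/SSLCipherSuite lines from ssl.conf.
HARDENED_SCAN='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A'

# audit_tls_scan SCAN_OUTPUT: one finding per line; empty when the host matches the policy.
audit_tls_scan() {
  printf '%s\n' "$1" | awk '
    # Protocol header lines look like "|   TLSv1.0: "
    /^[|][ _]+(SSLv[23]|TLSv1\.[0-9]):/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto != "TLSv1.2" && proto != "TLSv1.3")
        print "legacy protocol offered: " proto
      next
    }
    # Cipher lines look like "|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A"
    /TLS_[A-Z0-9_]+ \(/ {
      c = $2
      # TLS 1.3 suites are always ephemeral; below that, require ECDHE/DHE key exchange.
      if (proto != "TLSv1.3" && c !~ /^TLS_(ECDHE|DHE)_/)
        print proto ": no forward secrecy: " c
      if (c ~ /(3DES|RC4|NULL|_DES_|MD5|EXPORT)/)
        print proto ": weak cipher: " c
      else if (c !~ /(GCM|CHACHA20|CCM)/)
        print proto ": non-AEAD (CBC) cipher: " c
      next
    }
    # SSLHonorCipherOrder On makes nmap report "cipher preference: server".
    /cipher preference: client/ {
      print proto ": client chooses the suite (set SSLHonorCipherOrder On)"
    }
  '
}

# count_tls_findings SCAN_OUTPUT: number of findings (0 = compliant).
count_tls_findings() { audit_tls_scan "$1" | grep -c . || true; }

# Stand-alone demo: findings for the weak host, then the counts for both samples.
audit_tls_scan "$WEAK_SCAN"
printf 'weak: %s findings, hardened: %s findings\n' \
  "$(count_tls_findings "$WEAK_SCAN")" "$(count_tls_findings "$HARDENED_SCAN")"
```

Feed a live scan in with `audit_tls_scan "$(nmap --script ssl-enum-ciphers -p 443 xx.nfu.edu.tw)"`. The forward-secrecy and AEAD rules mirror the SSLCipherSuite list in ssl.conf, so a clean result from a scan run from outside the campus network confirms the policy is what clients actually see.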