Cloud for Charities: Migration Guide

Not long ago, Mail.Ru Cloud Solutions (MCS) and the Dobro Mail.Ru service launched the "Cloud for Charities" project, thanks to which non-profit organizations can get the resources of the MCS cloud platform free of charge. The charity foundation "Arithmetic of Good" took part in the project and successfully deployed part of its infrastructure on MCS.

After passing validation, an NPO can get technical capacity from MCS, but further configuration requires certain qualifications. In this article we want to share specific instructions for setting up an Ubuntu Linux-based server to run the foundation's main site and a number of subdomains using free SSL certificates. For many this will be a simple guide, but we hope our experience will be useful to other non-profit organizations, and not only to them.

FYI: What can you get from MCS? 4 CPUs, 32 GB RAM, 1 TB HDD, Ubuntu Linux OS, 500 GB object storage.

Step 1: Launch a virtual server

Let's get straight to the point and create our virtual server (called an "instance") in your MCS personal account. In the app store, you need to choose and install a ready-made LAMP stack, which is a set of server software (LAMP = Linux, Apache, MySQL, PHP) needed to run most websites.

Choose a suitable server configuration and create a new SSH key. After you click the "Install" button, installation of the server and the LAMP stack will begin; this will take some time. The system will also offer to download a private key to your computer for managing the virtual machine through the console; save it.

After installing the application, let's set up the firewall right away. This is also done in your personal account: go to the "Cloud Computing -> Virtual Machines" section and choose "Firewall Settings":

You need to add a rule that allows incoming traffic on ports 80 and 9997. This is needed later to install the SSL certificates and to work with phpMyAdmin. As a result, the rule set should look like this:

Now you can connect to your server from the command line over the SSH protocol. To do this, type the following command, specifying the SSH key on your computer and the external IP address of your server (you can find it in the "Virtual Machines" section):

$ ssh -i /path/to/key/key.pem ubuntu@<server_ip>

When you connect to the server for the first time, it is recommended to install all current updates and reboot. To do this, run the following commands:

$ sudo apt-get update

The system will fetch the list of updates; install them with this command and follow the prompts:

$ sudo apt-get upgrade

After the updates are installed, reboot the server:

$ sudo reboot

Step 2: Set up virtual hosts

Many non-profits need to maintain several domains or subdomains at the same time (for example, a main site and several landing pages for promotional campaigns, etc.). All of this can conveniently be hosted on one server by creating several virtual hosts.

First we need to create the directory structure for the sites that will be shown to visitors. Let's create the directories:

$ sudo mkdir -p /var/www/a-dobra.ru/public_html

$ sudo mkdir -p /var/www/promo.a-dobra.ru/public_html

And make the current user the owner:

$ sudo chown -R $USER:$USER /var/www/a-dobra.ru/public_html

$ sudo chown -R $USER:$USER /var/www/promo.a-dobra.ru/public_html

The $USER variable contains the name of the user you are currently logged in as (by default this is the ubuntu user). The current user now owns the public_html directories where we will store the content.

We also need to adjust the permissions slightly to make sure read access is allowed to the shared web directory and all the files and folders it contains. This is necessary for the site's pages to be displayed correctly:

$ sudo chmod -R 755 /var/www

Your web server should now have the permissions it needs to serve the content. In addition, your user is now able to create content in the required directories.

There is already an index.php file in the /var/www/html directory; let's copy it to our new directories - this will now be our content:

$ cp /var/www/html/index.php /var/www/a-dobra.ru/public_html/index.php

$ cp /var/www/html/index.php /var/www/promo.a-dobra.ru/public_html/index.php

Now you need to make sure that a user can reach your site. To do this, we will first configure the virtual host files, which determine how the Apache server responds to requests for different domains.

By default, Apache has a virtual host file, 000-default.conf, that we can use as a starting point. We will copy it to create a virtual host file for each of our domains. We will start with one domain, configure it, copy it for the other domain, and then make the necessary edits again.

Ubuntu's default configuration requires every virtual host file to have the *.conf extension.

Let's start by copying the file for the first domain:

$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/a-dobra.ru.conf

Open the new file in an editor with root privileges:

$ sudo nano /etc/apache2/sites-available/a-dobra.ru.conf

Change the data as follows, specifying port 80, your ServerAdmin, ServerName and ServerAlias values, and the path to your site's root directory, then save the file (Ctrl+X, then Y):

<VirtualHost *:80>
 
    ServerAdmin [email protected]
    ServerName a-dobra.ru
    ServerAlias www.a-dobra.ru
 
    DocumentRoot /var/www/a-dobra.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
 
    <Directory /var/www/a-dobra.ru/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
 
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>
 
</VirtualHost>

ServerName sets the primary domain, which must match the virtual host's name. This should be your domain name. The second directive, ServerAlias, defines other names that should be treated as if they were the primary domain. This is convenient for using additional domain names, for example with www.

Let's copy this configuration for the other virtual host and edit it in the same way:

$ sudo cp /etc/apache2/sites-available/a-dobra.ru.conf /etc/apache2/sites-available/promo.a-dobra.ru.conf

You can create as many directories and virtual hosts for your sites as you like! Now that we have created the virtual host files, we need to enable them. We can use the a2ensite utility to enable each of our sites like this:

$ sudo a2ensite a-dobra.ru.conf

$ sudo a2ensite promo.a-dobra.ru.conf 

By default, port 80 is closed in LAMP, and we will need it later to install the SSL certificate. So let's edit the ports.conf file right away and then restart Apache:

$ sudo nano /etc/apache2/ports.conf

Add a new line and save the file so that it looks like this:

Listen 80
Listen 443
Listen 9997

After finishing the configuration, you need to restart Apache for all the changes to take effect:

$ sudo systemctl reload apache2

Step 3: Set up domain names

Next, you need to add DNS records that point to your new server. To manage domains, our Arithmetic of Good foundation uses the dns-master.ru service, and we will use it as the example.

The A record for the main domain is usually specified as follows (the @ symbol):

The A record for subdomains is usually specified like this:

The IP address is the address of the Linux server we just created. You can set TTL = 3600.

After some time you will be able to visit your site, but for now only over http://. In the next step we will add https:// support.

Step 4: Set up free SSL certificates

You can get free Let's Encrypt SSL certificates for your main site and all subdomains. You can also set up their automatic renewal, which is very convenient. To obtain the SSL certificates, install Certbot on your server:

$ sudo add-apt-repository ppa:certbot/certbot

Install the Certbot package for Apache using apt:

$ sudo apt install python-certbot-apache 

Certbot is now ready to use; run the command:

$ sudo certbot --apache -d a-dobra.ru -d www.a-dobra.ru -d promo.a-dobra.ru

This command starts certbot; the -d options specify the domain names the certificate should be issued for.

If this is the first time you run certbot, you will be asked to enter your email address and agree to the terms of service. certbot will then contact the Let's Encrypt server and verify that you really control the domain you requested the certificate for.

If everything went well, certbot will ask how you want to configure HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

We recommend choosing option 2 and pressing ENTER. The configuration will be updated and Apache will be restarted to apply the changes.

Your certificates are now downloaded, installed and working. Try reloading your site with https:// and you will see the security icon in your browser. If you test your server with the SSL Labs Server Test, it will receive an A grade.

Let's Encrypt certificates are valid for only 90 days, but the certbot package we just installed will renew the certificates automatically. To test the renewal process, we can do a dry run of certbot:

$ sudo certbot renew --dry-run 

If you do not see any errors as a result of running this command, then everything works!

Step 5: Access MySQL and phpMyAdmin

Many websites use databases. The phpMyAdmin tool for managing databases is already installed on our server. To access it, open a link like this in your browser:

https://<server IP address>:9997

The root password can be found in your MCS personal account (https://mcs.mail.ru/app/services/marketplace/apps/). Don't forget to change your root password the first time you log in!

Step 6: Set up file upload via SFTP

Developers will find it convenient to upload files for your site over SFTP. To do this, we will create a new user and name it webmaster:

$ sudo adduser webmaster

The system will ask you to set a password and enter some other data.

Change the owner of your site's directory:

$ sudo chown -R webmaster:webmaster /var/www/a-dobra.ru/public_html

Now let's change the SSH configuration so that the new user has SFTP access only and no access to the SSH terminal:

$ sudo nano /etc/ssh/sshd_config

Scroll to the end of the configuration file and add the following block:

Match User webmaster
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www/a-dobra.ru
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save the file and restart the service:

$ sudo systemctl restart sshd

Now you can connect to the server with any SFTP client, for example FileZilla.
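
sshd rejects a chrooted SFTP login ("bad ownership or modes for chroot directory") unless every component of the ChrootDirectory path is owned by root and not writable by group or others, which is why only public_html, and not /var/www/a-dobra.ru itself, is handed to webmaster above. The following check is an added example, not code from the original article; the function names and the optional OWNER_UID and STOP arguments are hypothetical helpers introduced here.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). sshd refuses a chrooted login
# unless every component of the ChrootDirectory path is a directory owned by
# root and not writable by group or others.

# component_ok DIR OWNER_UID -> succeeds if DIR passes that rule
component_ok() {
    local dir="$1" want_uid="$2" uid mode
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]    # 022 = group-write and other-write bits
}

# chroot_path_ok DIR [OWNER_UID] [STOP]
# Checks DIR and each parent up to STOP. The defaults (uid 0, stop at /) are
# what sshd enforces; the optional arguments are hypothetical helpers so the
# check can be tried on a scratch tree without root.
chroot_path_ok() {
    local dir want_uid="${2:-0}" stop="${3:-/}"
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    while :; do
        if ! component_ok "$dir" "$want_uid"; then
            echo "bad ownership or mode: $dir"
            return 1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# On the server, as root: check the chroot from the Match block, then let
# sshd validate its configuration (sshd -t) before the restart.
if [ "${1:-}" = "--server" ]; then
    chroot_path_ok /var/www/a-dobra.ru && sshd -t && echo "safe to restart sshd"
fi
```

Run it with --server as root before `systemctl restart sshd`; a failure here means the webmaster login would be refused, and a failing `sshd -t` means the restart itself would leave the SSH service down.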

Summary

  1. Now you know how to create new directories and configure virtual hosts for your sites on the same server.
  2. You can easily create the necessary SSL certificates - they are free and will be renewed automatically.
  3. You can conveniently work with MySQL databases using the familiar phpMyAdmin.
  4. Creating new SFTP accounts and setting access rights does not take much effort. Such accounts can be handed over to third-party web developers and site administrators.
  5. Don't forget to update the system periodically, and we also recommend making backups - in MCS you can take "snapshots" of the whole system in one click, and then, if needed, launch entire images.

Sources used that may be useful:

https://www.digitalocean.com/community/tutorials/apache-ubuntu-14-04-lts-ru
https://www.digitalocean.com/community/tutorials/apache-let-s-encrypt-ubuntu-18-04-ru
https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-18-04

By the way, here you can read on VC how our foundation deployed an online education platform for orphans based on the MCS cloud.

Source: www.habr.com
