Cloud for Charities: Migration Guide


Not long ago, Mail.Ru Cloud Solutions (MCS) and the Dobro Mail.Ru service launched the project "Cloud for charitable organizations", through which non-profit organizations can get MCS cloud platform resources free of charge. The charity foundation "Arithmetic of Good" took part in the project and successfully deployed part of its infrastructure on MCS.

After passing validation, an NPO can get virtual capacity on MCS, but further configuration requires certain skills. In this article we want to share specific instructions for setting up an Ubuntu Linux-based server to run the foundation's main website and a number of subdomains using free SSL certificates. For many this will be a simple guide, but we hope our experience will be useful to other non-profit organizations, and not only to them.

FYI: What can you get on MCS? 4 CPUs, 32 GB RAM, 1 TB HDD, Ubuntu Linux OS, 500 GB of object storage.

Step 1: launch a virtual server

Let's get straight to the point and create our virtual server (also known as an "instance") in your MCS personal account. In the app store, select and install the ready-made LAMP stack, which is the set of server software (LAMP = Linux, Apache, MySQL, PHP) needed to run most websites.

Choose a suitable server configuration and create a new SSH key. After you click the "Install" button, installation of the server and the LAMP stack will begin; this will take some time. The system will offer to download a private key to your computer for managing the virtual machine from the console; save it.

After installing the application, let's set up the firewall right away. This is also done in your personal account: go to the section "Cloud computing -> Virtual machines" and select "Firewall settings":

You need to add a rule allowing incoming traffic on ports 80 and 9997. This is required later for installing SSL certificates and for working with phpMyAdmin. As a result, the rule set should look like this:

Now you can connect to your server from the command line using the SSH protocol. To do this, type the following command, pointing to the SSH key on your computer and the external IP address of your server (you can find it in the "Virtual machines" section):

$ ssh -i /path/to/key/key.pem ubuntu@<server_ip>

When you connect to the server for the first time, it is recommended to install all current updates on it and reboot it. To do this, run the following commands:

$ sudo apt-get update

The system will fetch the list of updates; install them with this command and follow the prompts:

$ sudo apt-get upgrade

After installing the updates, reboot the server:

$ sudo reboot

Step 2: Set up virtual hosts

Many non-profits need to maintain several domains or subdomains at the same time (for example, a main website and several landing pages for promotional campaigns, and so on). All of this can conveniently be placed on one server by creating several virtual hosts.

First we need to create the directory structure for the sites that will be shown to visitors. Let's create the directories:

$ sudo mkdir -p /var/www/a-dobra.ru/public_html

$ sudo mkdir -p /var/www/promo.a-dobra.ru/public_html

And set the current user as the owner:

$ sudo chown -R $USER:$USER /var/www/a-dobra.ru/public_html

$ sudo chown -R $USER:$USER /var/www/promo.a-dobra.ru/public_html

The variable $USER contains the name of the user you are currently logged in as (by default this is the user ubuntu). The current user now owns the public_html directories where we will store the content.

We also need to adjust the permissions slightly to make sure read access is allowed to the shared web directory and to all the files and folders it contains. This is necessary for the site pages to be displayed correctly:

$ sudo chmod -R 755 /var/www

Your web server should now have the permissions it needs to serve the content. In addition, your user can now create content in the required directories.

There is already an index.php file in the /var/www/html directory; let's copy it into our new directories. This will be our content for now:

$ cp /var/www/html/index.php /var/www/a-dobra.ru/public_html/index.php

$ cp /var/www/html/index.php /var/www/promo.a-dobra.ru/public_html/index.php

Now you need to make sure that users can reach your site. To do this, we will first configure the virtual host files, which define how the Apache web server responds to requests for the different domains.

By default, Apache has a virtual host file 000-default.conf that we can use as a starting point. We will copy it to create a virtual host file for each of our domains. We will start with one domain, configure it, copy it for the other domain, and then make the necessary edits again.

Ubuntu's default configuration requires every virtual host file to have the *.conf extension.

Let's start by copying the file for the first domain:

$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/a-dobra.ru.conf

Open the new file in an editor with root privileges:

$ sudo nano /etc/apache2/sites-available/a-dobra.ru.conf

Edit the contents as follows, specifying port 80, your own values for ServerAdmin, ServerName and ServerAlias, and the path to the root directory of your site, then save the file (Ctrl+X, then Y):

<VirtualHost *:80>

    # Placeholder address; replace with your administrator's e-mail
    ServerAdmin webmaster@example.com
    ServerName a-dobra.ru
    ServerAlias www.a-dobra.ru

    DocumentRoot /var/www/a-dobra.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Directory listings off; .htaccess overrides allowed for the site
    <Directory /var/www/a-dobra.ru/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    # Hand files ending in .php to PHP-FPM over its UNIX socket
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>

</VirtualHost>

ServerName sets the primary domain, which must match the name of the virtual host. This should be your domain name. The second directive, ServerAlias, defines other names that should be treated as if they were the primary domain. This is convenient for additional domain names, for example the www variant.

Let's copy this configuration for the other host and edit it in the same way:

$ sudo cp /etc/apache2/sites-available/a-dobra.ru.conf /etc/apache2/sites-available/promo.a-dobra.ru.conf

You can create as many directories and virtual hosts for your websites as you like! Now that we have created our virtual host files, we need to enable them. We can use the a2ensite utility to enable each of our sites like this:

$ sudo a2ensite a-dobra.ru.conf

$ sudo a2ensite promo.a-dobra.ru.conf 
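
The copy-and-edit routine above can also be scripted. The following is an added example, not part of the original guide: a shell helper that renders the same VirtualHost block for each domain and rejects anything that is not a plain hostname before it reaches a file name or an Apache directive. The function names are hypothetical, and ServerAdmin is left out because it is site-specific.

```shell
# Added example; valid_domain, render_vhost and write_vhost are hypothetical names.

# Accept only lowercase DNS hostnames with at least one dot, so slashes,
# spaces or newlines can never end up in a file name or an Apache directive.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the guide's VirtualHost block for domain $1 (optional alias in $2).
render_vhost() {
    domain=$1; alias=${2:-}; alias_line=""
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    if [ -n "$alias" ]; then
        valid_domain "$alias" || { echo "bad alias: $alias" >&2; return 1; }
        alias_line="    ServerAlias $alias"
    fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
$alias_line
    DocumentRoot /var/www/$domain/public_html
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/$domain/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Write <domain>.conf into directory $1; nothing is written on bad input.
write_vhost() {
    conf=$(render_vhost "$2" "${3:-}") || return 1
    printf '%s\n' "$conf" > "$1/$2.conf"
}

# Demo: render both sites from the guide into a scratch directory for review.
out=$(mktemp -d)
write_vhost "$out" a-dobra.ru www.a-dobra.ru && write_vhost "$out" promo.a-dobra.ru
echo "rendered into $out; review, then copy to /etc/apache2/sites-available"
```

On the server, the rendered files still have to be enabled with a2ensite as shown above.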

By default, port 80 is closed in LAMP, and we will need it later to install the SSL certificate. So let's edit the ports.conf file right away and then restart Apache:

$ sudo nano /etc/apache2/ports.conf

Add a new line and save the file so that it looks like this:

Listen 80
Listen 443
Listen 9997

After finishing the configuration, you need to restart Apache for all the changes to take effect:

$ sudo systemctl reload apache2

Step 3: Set up domain names

Next, you need to add DNS records that point to your new server. To manage its domains, our Arithmetic of Good foundation uses the dns-master.ru service, so we will use it as the example.

The A record for the main domain is usually specified as follows (with the @ sign):

The A record for subdomains is usually specified like this:

The IP address is the address of the Linux server we have just created. You can specify TTL = 3600.

After some time it will be possible to visit your site, but for now only over http://. In the next step we will add https:// support.

Step 4: Set up free SSL certificates

You can get free SSL certificates for your main site and all of its subdomains. You can also configure their automatic renewal, which is very convenient. To obtain SSL certificates, install Certbot on your server:

$ sudo add-apt-repository ppa:certbot/certbot

Install the Certbot package for Apache using apt:

$ sudo apt install python-certbot-apache 

Certbot is now ready to use; run the command:

$ sudo certbot --apache -d a-dobra.ru -d www.a-dobra.ru -d promo.a-dobra.ru

This command runs certbot; the -d flags specify the domain names for which the certificate should be issued.

If this is the first time you run certbot, you will be asked to enter an e-mail address and agree to the terms of service. certbot will then contact the Let's Encrypt server and verify that you really control the domain for which you requested the certificate.

If everything went well, certbot will ask how you want to configure the HTTPS settings:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

We recommend choosing option 2 and pressing ENTER. The configuration will be updated and Apache will be restarted to apply the changes.

Your certificates are now downloaded, installed and working. Try reloading your site with https:// and you will see the security icon in your browser. If you test your server with the SSL Labs Server Test, it will get an A.

Let's Encrypt certificates are valid for only 90 days, but the certbot package we have just installed will renew the certificates automatically. To test the renewal process, we can do a dry run of certbot:

$ sudo certbot renew --dry-run 

If you see no errors as a result of running this command, then everything works!

Step 5: Access MySQL and phpMyAdmin

Many websites use a database. The phpMyAdmin database management tool is already installed on our server. To access it, open a link like this in your browser:

https://<server-ip-address>:9997

The root password for access can be found in your MCS personal account (https://mcs.mail.ru/app/services/marketplace/apps/). Don't forget to change the root password the first time you log in!

Step 6: Set up file upload via SFTP

Developers will find it convenient to upload your website's files via SFTP. To do this, we will create a new user and call it webmaster:

$ sudo adduser webmaster

The system will ask you to set a password and enter some other data.

Change the owner of the directory with your website:

$ sudo chown -R webmaster:webmaster /var/www/a-dobra.ru/public_html

Now let's change the SSH configuration so that the new user has access only to SFTP and not to the SSH terminal:

$ sudo nano /etc/ssh/sshd_config

Scroll to the end of the configuration file and add the following block:

Match User webmaster
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www/a-dobra.ru
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save the file and restart the service:

$ sudo systemctl restart sshd

Now you can connect to the server using any SFTP client, for example FileZilla.
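
sshd refuses a chrooted session unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others (sshd_config(5)). In this guide only public_html was handed to webmaster, so /var/www/a-dobra.ru itself stays root-owned. The following pre-flight check is an added example, not part of the original guide; the function names are hypothetical and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
# Added example; dir_is_safe and check_chroot_path are hypothetical names.

# dir_is_safe DIR [OWNER_UID]: succeed if DIR is a directory owned by
# OWNER_UID (default 0, root) with neither group- nor other-write set.
dir_is_safe() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    uid=$(stat -c '%u' "$dir"); mode=$(stat -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owner uid $uid, expected $want_uid" >&2; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others" >&2; return 1
    fi
}

# check_chroot_path DIR: apply dir_is_safe (owner root) to the resolved
# DIR and to every parent directory up to /.
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot resolve $1" >&2; return 1; }
    while :; do
        dir_is_safe "$p" 0 || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Demo: defaults to the ChrootDirectory from the Match block above.
if check_chroot_path "${1:-/var/www/a-dobra.ru}"; then
    echo "chroot path OK"
else
    echo "fix ownership or mode before restarting sshd"
fi
```

Running sudo sshd -t before the restart additionally catches syntax errors in the edited sshd_config.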

Summary

  1. You now know how to create new directories and configure virtual hosts for your websites within the same server.
  2. You can easily create the SSL certificates you need. They are free, and they will be renewed automatically.
  3. You can conveniently work with the MySQL database through the familiar phpMyAdmin.
  4. Creating new SFTP accounts and setting up access rights does not take much effort. Such accounts can be handed over to third-party web developers and site administrators.
  5. Don't forget to update the system periodically. We also recommend making backups: on MCS you can take "snapshots" of the whole system with one click and then, if necessary, launch entire images.

Resources used that may be useful:

https://www.digitalocean.com/community/tutorials/apache-ubuntu-14-04-lts-ru
https://www.digitalocean.com/community/tutorials/apache-let-s-encrypt-ubuntu-18-04-ru
https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-18-04

By the way, here you can read on VC about how our foundation deployed an online education platform for orphans based on the MCS cloud.

Source: www.habr.com
