Cloud for Charitable Organizations: A Migration Guide

Recently, Mail.Ru Cloud Solutions (MCS) and the Dobro Mail.Ru service launched the project "Cloud for non-profit organizations", under which non-profits can obtain resources on the MCS cloud platform free of charge. The charitable foundation "Arithmetic of Good" took part in the project and successfully migrated part of its infrastructure to MCS.

After passing verification, an NPO receives virtual capacity on MCS, but further configuration requires certain skills. In this article we want to share instructions for setting up an Ubuntu Linux server to run the foundation's main website and several subdomains using free SSL certificates. For many this will be a simple guide, but we hope our experience will be useful to other non-profits, and not only to them.

FYI: what can you get on MCS? 4 CPUs, 32 GB RAM, 1 TB HDD, Ubuntu Linux OS, 500 GB object storage.

Step 1: create a virtual server

Let's get straight to the point and create our virtual server (also called an "instance") in your personal MCS account. In the application store, select and install the ready-made LAMP stack, the set of server software (LAMP = Linux, Apache, MySQL, PHP) needed to run most websites.

Choose a suitable server configuration and create a new SSH key. After you click the "Install" button, installation of the server and the LAMP stack begins; this will take some time. The system will also offer to download the private key to your computer for managing the virtual machine from the console; save it.

After the system is installed, let's set up the firewall right away. This is also done in your personal account: go to the section "Cloud computing -> Virtual machines" and select "Configure firewall":

You need to add a rule allowing incoming traffic on ports 80 and 9997. These will be needed later for installing the SSL certificates and for working with phpMyAdmin. As a result, the rule set should look like this:

Now you can connect to your server on the command line over SSH. To do this, type the following command, specifying the SSH key on your computer and your server's external IP address (you can find it in the "Virtual machines" section):

$ ssh -i /path/to/key/key.pem ubuntu@<server_ip>

When you connect to the server for the first time, it is recommended to install all current updates and reboot. To do this, run the following commands:

$ sudo apt-get update

The system will fetch the list of updates; install them with this command and follow the prompts:

$ sudo apt-get upgrade

After the updates are installed, reboot the server:

$ sudo reboot

Step 2: set up virtual hosts

Many non-profits need to maintain several domains or subdomains at once (for example, the main website and several landing pages for fundraising campaigns, etc.). All of this can easily be done on one server by creating several virtual hosts.

First we need to create a directory structure for the sites that will be shown to visitors. Let's create a few directories:

$ sudo mkdir -p /var/www/a-dobra.ru/public_html

$ sudo mkdir -p /var/www/promo.a-dobra.ru/public_html

And set the current user as their owner:

$ sudo chown -R $USER:$USER /var/www/a-dobra.ru/public_html

$ sudo chown -R $USER:$USER /var/www/promo.a-dobra.ru/public_html

The $USER variable contains the name of the user you are currently logged in as (by default this is the ubuntu user). The current user now owns the public_html directories where we will store the content.

We also need to adjust the permissions slightly so that read access is allowed to the shared web directory and to all files and folders it contains. This is required for the site's pages to be served correctly:

$ sudo chmod -R 755 /var/www

Your web server should now have the permissions it needs to serve content. In addition, your user can now create content in the required directories.

There is already an index.php file in the /var/www/html directory; let's copy it into our new directories, it will serve as our content for now:

$ cp /var/www/html/index.php /var/www/a-dobra.ru/public_html/index.php

$ cp /var/www/html/index.php /var/www/promo.a-dobra.ru/public_html/index.php

Now you need to make sure that users can reach your site. To do this we will first edit the virtual host files, which determine how the Apache web server responds to requests for different domains.

By default, Apache has a virtual host file called 000-default.conf that we can use as a starting point. We will copy it to create a virtual host file for each of our domains. We'll start with one domain, configure it, copy it for the second domain, and then make the necessary edits again.

Ubuntu's default configuration requires every virtual host file to have the *.conf extension.

Let's start by copying the file for the first domain:

$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/a-dobra.ru.conf

Open the new file in an editor with root privileges:

$ sudo nano /etc/apache2/sites-available/a-dobra.ru.conf

Edit the data as follows: specify port 80, your ServerAdmin, ServerName and ServerAlias values, and the path to your site's root directory, then save the file (Ctrl+X, then Y):

<VirtualHost *:80>

    ServerAdmin [email protected]
    ServerName a-dobra.ru
    ServerAlias www.a-dobra.ru

    DocumentRoot /var/www/a-dobra.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/a-dobra.ru/public_html>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    # FilesMatch takes a regular expression: the dot must be escaped so that
    # only names ending in ".php" are handed to PHP-FPM
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
    </FilesMatch>

</VirtualHost>

ServerName sets the main domain, which must match the virtual host name; this should be your domain name. The second directive, ServerAlias, defines other names that should be treated as if they were the main domain. This is useful for additional domain names, for example the www variant.

Let's copy this configuration for the other host and edit it in the same way:

$ sudo cp /etc/apache2/sites-available/a-dobra.ru.conf /etc/apache2/sites-available/promo.a-dobra.ru.conf

You can create as many directories and virtual hosts for your websites as you like! Now that we have created our virtual host files, we need to enable them. We can use the a2ensite utility to enable each of our sites like this:

$ sudo a2ensite a-dobra.ru.conf

$ sudo a2ensite promo.a-dobra.ru.conf 

By default, port 80 is closed in LAMP, and we will need it later to install the SSL certificate. So let's quickly edit the ports.conf file and restart Apache:

$ sudo nano /etc/apache2/ports.conf

Add the new lines and save the file so that it looks like this:

Listen 80
Listen 443
Listen 9997

After finishing the settings, you need to restart Apache for all the changes to take effect:

$ sudo systemctl reload apache2
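The steps above (create the document root, fix permissions, write a *.conf virtual host file, enable it) are easy to get subtly wrong when repeated for every subdomain. As an added example that is not part of the original article, the script below wraps them in two functions: gen_vhost prints a virtual host in the same shape as the one shown above, and add_site creates the document root and writes the file. The per-domain log file names, the webmaster@ ServerAdmin address, and the SITES_AVAILABLE, WWW_ROOT and PHP_FPM_SOCK variables are this example's own choices; the defaults match the Ubuntu paths used in the article.

```shell
#!/bin/sh
# Added example, not from the original article: generate and install an Apache
# virtual host for one domain. Defaults follow the Ubuntu layout used above.
SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/apache2/sites-available}"
WWW_ROOT="${WWW_ROOT:-/var/www}"
PHP_FPM_SOCK="${PHP_FPM_SOCK:-/var/run/php/php7.2-fpm.sock}"

# Print a virtual host for domain $1; $2 is an optional alias (default www.$1).
gen_vhost() {
    domain="$1"
    server_alias="${2:-www.$1}"
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@${domain}
    ServerName ${domain}
    ServerAlias ${server_alias}

    DocumentRoot ${WWW_ROOT}/${domain}/public_html
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined

    <Directory ${WWW_ROOT}/${domain}/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <FilesMatch \.php$>
        SetHandler "proxy:unix:${PHP_FPM_SOCK}|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
EOF
}

# Create the document root (world-readable, as chmod 755 in the article does),
# write the vhost file and print its path.
add_site() {
    domain="$1"
    mkdir -p "${WWW_ROOT}/${domain}/public_html"
    chmod 755 "${WWW_ROOT}/${domain}" "${WWW_ROOT}/${domain}/public_html"
    gen_vhost "$domain" > "${SITES_AVAILABLE}/${domain}.conf"
    echo "${SITES_AVAILABLE}/${domain}.conf"
}

# Guard against a vhost that would expose directory listings or lack a name.
vhost_is_safe() {
    grep -q 'Options -Indexes' "$1" && grep -q 'ServerName ' "$1"
}

# Usage on the server (run as root):
#   f=$(add_site promo.a-dobra.ru) && vhost_is_safe "$f" \
#     && a2ensite promo.a-dobra.ru.conf && apachectl configtest \
#     && systemctl reload apache2
```

Running apachectl configtest before the reload, as in the usage comment, is the cheap check that catches a typo in the file before Apache drops the working configuration.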

Step 3: set up domain names

Next, you need to add DNS records pointing to your new server. To manage its domains, our Arithmetic of Good foundation uses the dns-master.ru service; we'll use it as the example.

Setting up the A record for the main domain usually looks like this (the @ sign):

The A record for subdomains is usually specified like this:

The internet address is the address of the Linux server we just created. You can specify TTL = 3600.

After a while you will be able to visit your site, but for now only over http://. In the next step we'll add https:// support.

Step 4: set up free SSL certificates

You can get free Let's Encrypt SSL certificates for your main site and all its subdomains. You can also set up their automatic renewal, which is very convenient. To obtain the SSL certificates, install Certbot on your server:

$ sudo add-apt-repository ppa:certbot/certbot

Install the Certbot package for Apache using apt:

$ sudo apt install python-certbot-apache 

Certbot is now ready to use; run the command:

$ sudo certbot --apache -d a-dobra.ru -d www.a-dobra.ru -d promo.a-dobra.ru

This command runs certbot; the -d options specify the domain names for which the certificate should be issued.

If this is the first time you run certbot, you will be asked to enter your email address and to agree to the terms of service. certbot will then contact the Let's Encrypt server and verify that you really control the domain you requested the certificate for.

If everything went well, certbot will ask how you want to configure HTTPS:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

We recommend choosing option 2 and pressing ENTER. The configuration will be updated and Apache restarted to apply the changes.

Your certificates are now downloaded, installed and active. Try reloading your site over https:// and you will see the security icon in your browser. If you check your server with the SSL Labs Server Test, you will get an A grade.

Let's Encrypt certificates are valid for only 90 days, but the certbot package we just installed renews certificates automatically. To test the renewal process, we can do a certbot dry run:

$ sudo certbot renew --dry-run 

If you see no errors after running this command, everything works!
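The dry run confirms that certbot can talk to Let's Encrypt, but it does not tell you whether the certificate Apache is actually serving is the one you expect. As an added example that is not from the original article, the functions below check a certificate file directly with the openssl CLI: cert_expires_within_days reports whether it runs out within a given number of days (Let's Encrypt certificates live 90 days, and certbot normally renews when fewer than 30 remain), and cert_covers_name verifies that a DNS name passed to certbot with -d really ended up in the certificate's Subject Alternative Names. The /etc/letsencrypt/live/... path is Let's Encrypt's usual layout and an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original article: post-issuance checks on a
# certificate file. Assumes the openssl command-line tool is installed.
# Usual certbot location for the article's domain (assumption, not from the text).
CERT="${CERT:-/etc/letsencrypt/live/a-dobra.ru/fullchain.pem}"

# Return 0 (true) if the certificate in $1 expires within $2 days (default 30),
# 1 if it stays valid beyond that window, 2 if the file cannot be read.
cert_expires_within_days() {
    cert="$1"
    days="${2:-30}"
    [ -r "$cert" ] || { echo "unreadable certificate: $cert" >&2; return 2; }
    # openssl -checkend exits 0 when the certificate is still valid at the end
    # of the window and non-zero when it will have expired by then.
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Print one Subject Alternative Name DNS entry per line from certificate $1.
cert_san_names() {
    openssl x509 -noout -text -in "$1" \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 if DNS name $2 appears exactly (no prefix/suffix match) among the
# SANs of certificate $1.
cert_covers_name() {
    cert_san_names "$1" | grep -qx "$2"
}

# Usage on the server:
#   cert_expires_within_days "$CERT" 30 && echo "renewal is due: check certbot's timer"
#   for n in a-dobra.ru www.a-dobra.ru promo.a-dobra.ru; do
#       cert_covers_name "$CERT" "$n" || echo "missing SAN: $n"
#   done
```

Running the SAN loop after every certbot invocation catches the common mistake of re-issuing the certificate for the main domain only, which silently leaves a subdomain serving a certificate browsers reject.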

Step 5: access MySQL and phpMyAdmin

Most websites use a database. The phpMyAdmin database management tool is already installed on our server. To access it, open a link like this in your browser:

https://<server_ip>:9997

The root access password can be found in your personal MCS account (https://mcs.mail.ru/app/services/marketplace/apps/). Don't forget to change the root password on your first login!

Step 6: set up file uploads over SFTP

Developers will find it convenient to upload your website's files over SFTP. To set this up, we'll create a new user and call it webmaster:

$ sudo adduser webmaster

The system will ask you to set a password and enter some other details.

Change the owner of the directory holding your website:

$ sudo chown -R webmaster:webmaster /var/www/a-dobra.ru/public_html

Now let's change the SSH configuration so that the new user can only use SFTP and does not get an SSH shell:

$ sudo nano /etc/ssh/sshd_config

Scroll to the end of the configuration file and add the following block:

Match User webmaster
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www/a-dobra.ru
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save the file and restart the service:

$ sudo systemctl restart sshd

Now you can connect to the server with any SFTP client, for example FileZilla.
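The Match block above only works if the ChrootDirectory meets sshd's requirements: the directory and every parent up to / must be owned by root and must not be writable by group or others, otherwise sshd closes the connection with "bad ownership or modes for chroot directory". That is why the article changes the owner of public_html only and leaves /var/www/a-dobra.ru itself root-owned. As an added example that is not part of the original article, the checker below walks the path and reports the first component that breaks the rule. It assumes GNU stat (Linux); the CHROOT_OWNER_UID override exists only so the checker can be exercised without root, sshd itself always requires uid 0.

```shell
#!/bin/sh
# Added example, not from the original article: verify a ChrootDirectory before
# restarting sshd. Assumes GNU stat (Linux) and POSIX sh.

# Expected owner of every path component. sshd requires root (0); override only
# to test the checker itself as an unprivileged user.
CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"

# Is the single directory $1 owned by the expected uid and free of the group
# and other write bits?
dir_mode_ok() {
    perms=$(stat -c '%u %A' "$1") || return 1
    uid=${perms%% *}
    mode=${perms#* }
    [ "$uid" = "$CHROOT_OWNER_UID" ] || return 1
    # symbolic mode looks like drwxr-xr-x: char 6 is group write, char 9 other write
    [ "$(printf '%s' "$mode" | cut -c6)" != "w" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c9)" != "w" ] || return 1
}

# Walk from directory $1 upward to $2 (default /) and report the first
# component that sshd would reject. Returns 0 when the whole chain is fine.
check_chroot_dir() {
    dir="$1"
    top="${2:-/}"
    while :; do
        if ! dir_mode_ok "$dir"; then
            echo "bad ownership or modes for chroot component: $dir" >&2
            return 1
        fi
        [ "$dir" = "$top" ] && return 0
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 0   # reached the filesystem root
        dir="$parent"
    done
}

# Usage on the article's layout (as root), then validate the sshd config itself:
#   check_chroot_dir /var/www/a-dobra.ru && sshd -t && systemctl restart sshd
# A frequent mistake is "chown -R webmaster /var/www/a-dobra.ru": that makes the
# chroot itself user-owned and every SFTP login for webmaster then fails.
```

Running sshd -t before the restart, as in the usage comment, matters for the same reason as apachectl configtest: a syntax error in sshd_config would otherwise take down the administrative SSH access you are using to fix it.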

Result

  1. You now know how to create new directories and configure virtual hosts for your websites on the same server.
  2. You can easily obtain the required SSL certificates for free, and they will be renewed automatically.
  3. You can conveniently work with the MySQL database through the familiar phpMyAdmin.
  4. Creating new SFTP accounts and setting their access rights takes little effort. Such accounts can be handed to external web developers and site administrators.
  5. Don't forget to update the system regularly, and we also recommend making backups: on MCS you can take "snapshots" of the entire system with one click and, if needed, restore the whole image.

Resources used that may be helpful:

https://www.digitalocean.com/community/tutorials/apache-ubuntu-14-04-lts-ru
https://www.digitalocean.com/community/tutorials/apache-let-s-encrypt-ubuntu-18-04-ru
https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-18-04

By the way, here you can read on VC how our foundation built an online learning platform for orphans on the MCS cloud.

Source: www.habr.com
