ubuntu25 server 服务器 初始化 nginx1.26+php8.4+mariadb11+ 基础安全设置

1、修改apt 源

可选国内镜像:阿里云、腾讯云、清华 TUNA。注意下面的示例实际使用的是清华 TUNA 镜像(mirrors.tuna.tsinghua.edu.cn);换成其它镜像时只需替换 URIs,其余字段(尤其是 Signed-By 密钥环路径)保持不变。

sudo nano /etc/apt/sources.list.d/ubuntu.sources  

内容:

# Ubuntu 25.04 (plucky) from the TUNA mirror over HTTPS. Signed-By pins the
# Ubuntu archive key, so the mirror cannot alter packages without breaking the
# signature -- but it can lag behind. If timely security fixes matter more than
# download speed, point the plucky-security stanza at security.ubuntu.com as the
# stock ubuntu.sources does.
Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: plucky plucky-updates plucky-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: https://mirrors.tuna.tsinghua.edu.cn/ubuntu/
Suites: plucky-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
sudo apt update

apt list --upgradable

sudo apt upgrade

设置nano显示行号

#sudo nano /etc/nanorc 
#sudo nano ~/.nanorc

#内容:
#set linenumbers            #取消#号

nano somefile -l                  #只在本次打开时显示行号(不改 nanorc)

安装net-tools(可选:ifconfig/netstat 属于旧工具,系统自带的 iproute2 已提供等价的 ip / ss 命令;只在习惯旧命令时安装)

sudo apt install net-tools

优化swap

sudo nano /etc/sysctl.conf

加入:
vm.swappiness=10

保存后执行:
sudo sysctl -p                    #生效
cat /proc/sys/vm/swappiness       #查看

2、修改pip源

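# pip reads ~/.config/pip/pip.conf (XDG location) or the legacy ~/.pip/pip.conf.
# The original created ~/.pip but then edited ~/pip.conf, a path pip never reads.
cd ~

mkdir -p .config/pip

nano .config/pip/pip.conf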

内容:

# ~/.config/pip/pip.conf -- use HTTPS mirrors only.
[global]
index-url = https://mirrors.aliyun.com/pypi/simple/

#index-url = https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple
# trusted-host tells pip to accept this host even without a valid HTTPS
# certificate, i.e. it disables TLS verification for it. With an HTTPS mirror
# and a valid certificate it is not needed -- leave it commented out.
#[install]
#trusted-host = mirrors.tuna.tsinghua.edu.cn

3、安装配置zsh

sudo apt install zsh zsh-syntax-highlighting zsh-autosuggestions

chsh -s /usr/bin/zsh

重连

nano ~/.zshrc

修改为:

# ~/.zshrc -- Ubuntu's stock zshrc plus two extras: the apt-packaged plugins
# (sourced from /usr/share, nothing is downloaded) and a few aliases.
# Set up the prompt

autoload -Uz promptinit
promptinit
prompt adam1

# Drop duplicate history entries; share history between running sessions
setopt histignorealldups sharehistory

# Use emacs keybindings even if our EDITOR is set to vi
bindkey -e

# Keep 1000 lines of history within the shell and save it to ~/.zsh_history:
HISTSIZE=1000
SAVEHIST=1000
HISTFILE=~/.zsh_history

# Use modern completion system
autoload -Uz compinit
compinit

zstyle ':completion:*' auto-description 'specify: %d'
zstyle ':completion:*' completer _expand _complete _correct _approximate
zstyle ':completion:*' format 'Completing %d'
zstyle ':completion:*' group-name ''
zstyle ':completion:*' menu select=2
# dircolors sets LS_COLORS, which the list-colors style below reuses
eval "$(dircolors -b)"
zstyle ':completion:*:default' list-colors ${(s.:.)LS_COLORS}
zstyle ':completion:*' list-colors ''
zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s
zstyle ':completion:*' matcher-list '' 'm:{a-z}={A-Z}' 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=* l:|=*'
zstyle ':completion:*' menu select=long
zstyle ':completion:*' select-prompt %SScrolling active: current selection at %p%s
zstyle ':completion:*' use-compctl false
zstyle ':completion:*' verbose true

zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#)*=0=01;31'
zstyle ':completion:*:kill:*' command 'ps -u $USER -o pid,%cpu,tty,cputime,cmd'

# Pass unmatched globs through literally instead of raising an error
setopt nonomatch

# Plugins from the zsh-autosuggestions / zsh-syntax-highlighting packages
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh

alias ls='ls --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'

alias ll='ls -alFh'
#alias ll='ls -alFhG'   # FreeBSD: -G enables colour (no --color there)
alias la='ls -A'
alias l='ls -CF'

alias sudo='sudo '   # trailing space: zsh then also expands an alias in the word after sudo

alias updatedb="sudo updatedb --prunepaths=\"/mnt\""   # rebuild the locate database, skipping /mnt

sudo cp ~/.zshrc /etc/skel/      #新建用户时自动拷贝zsh配置(写明 ~ 路径,不依赖当前目录;只对之后新建的用户生效)

sudo nano /etc/adduser.conf

修改内容:DSHELL=/usr/bin/zsh   #设置新加用户的默认shell

4、配置 su 权限

sudo nano /etc/pam.d/su       

修改内容: 找到被注释的 pam_wheel 行,去掉前面的 # 并改为 auth       required   pam_wheel.so group=sudo    #只有 sudo 组成员能用 su(Ubuntu 没有 wheel 组,所以必须写 group=sudo);改完后另开一个终端,用非 sudo 组的用户执行 su 验证会被拒绝

5、防火墙

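# Firewall: deny everything inbound by default, open only what this host serves.
sudo ufw status verbose     # current state and rule set

sudo ufw app list           # available application profiles

sudo ufw default deny incoming    # Ubuntu's default, made explicit
sudo ufw default allow outgoing

# Allow SSH before enabling, or the current session is cut off. `limit` instead
# of `allow` rate-limits new connections (6 per 30 s per source IP), which
# blunts password brute force without blocking normal use.
sudo ufw limit 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

#sudo ufw allow 11011/tcp        # Oray (花生壳) listener
#sudo ufw allow 16062/tcp

sudo ufw enable             # enable now and at boot

sudo ufw status verbose     # confirm the rules before logging out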

6、设置时区校准时间

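# Time zone and clock. Ubuntu ships systemd-timesyncd for continuous NTP sync;
# ntpdate is a legacy one-shot tool that is not installed by default.
timedatectl status                                 # current zone and NTP state

sudo timedatectl set-timezone Asia/Shanghai        # set the zone
#sudo timedatectl set-local-rtc yes                # keep the RTC in local time; only for dual boot with Windows, otherwise leave it in UTC

# Optional: use a nearby server by setting NTP=ntp.aliyun.com in
# /etc/systemd/timesyncd.conf and restarting systemd-timesyncd.
sudo timedatectl set-ntp true                      # enable continuous sync
timedatectl timesync-status                        # sync source and offset
#sudo ntpdate ntp.aliyun.com                       # one-shot step; needs the ntpdate package

date -R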

7、替代命令

sudo apt install bat                 #好看一点的 cat

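# Failed SSH logins. Ubuntu 24.04+ ships without rsyslog, so /var/log/auth.log
# normally does not exist; read the journal instead (and quote the grep pattern,
# the unquoted `Failed.*ssh` is subject to globbing).
sudo journalctl -u ssh --no-pager | grep -E 'Failed|Invalid user'
#sudo batcat /var/log/auth.log | grep 'Failed.*ssh'   # only if rsyslog is installed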

htop                                 #好看一点的 top

duf                                  #好看一点的 df

tree/broot                           #好看一点的list

procs                                #好看一点的ps

fdfind                               #好看一点的find sudo apt install fd-find

sudo -i                              #提权

8、安装 Mariadb

apt list mariadb*

sudo apt install mariadb-server

sudo mariadb-secure-installation     #交互式加固:确认 root 认证方式、删除匿名用户、禁止 root 远程登录、删除 test 库;一般全部接受默认(Y)

sudo systemctl status mariadb
sudo systemctl enable mariadb
sudo systemctl start mariadb

mariadb --version

低性能服务器mariadb优化

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

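# Low-resource MariaDB tuning -- the application uses only Aria tables, no InnoDB.
# Put this under the [mysqld] section of 50-server.cnf: the file ends with
# version-specific [mariadb-*] sections, so lines appended at the very end land
# there instead. Leave the default `bind-address = 127.0.0.1` in place unless
# remote clients are really needed; ufw only opens 22/80/443, but the service
# should not listen on all interfaces either.
# An unknown variable aborts startup, so after editing run:
#   sudo systemctl restart mariadb && sudo journalctl -u mariadb -e
# ===================== Base resource limits (goal: lower memory footprint) =====================
max_connections = 60      # default 151 is oversized for a small box; size as expected concurrency + 5-10 spare
wait_timeout = 60         # drop idle connections after 60 s (default 8 h)
interactive_timeout = 60  # same for interactive clients, kept equal to wait_timeout
table_open_cache = 256    # open-table cache (default 2000); 128-256 suits a small application
table_definition_cache = 200  # table definition cache, sized together with table_open_cache
thread_cache_size = 8     # reuse threads instead of create/destroy (2-4 on very small memory)
max_allowed_packet = 16M  # default 64M is more than a small application needs
skip-name-resolve         # no reverse DNS on connect. GRANT hosts must then be IP addresses or localhost, not hostnames
key_buffer_size = 64M     # MyISAM index cache; only matters if MyISAM tables exist, otherwise lower it

# ===================== InnoDB (still loaded; keep its buffers small since no InnoDB tables are used) =====================
default-storage-engine = Aria   # new tables default to Aria (tuned below)
innodb_buffer_pool_size = 128M  # InnoDB data/index cache. Only raise it (20-40% of RAM) if InnoDB tables are actually created
innodb_log_buffer_size = 8M     # redo log buffer (default 16M)
innodb_log_file_size = 64M      # redo log size: too small flushes constantly, too large slows crash recovery
innodb_flush_log_at_trx_commit = 2  # flush the redo log once per second: up to ~1 s of commits can be lost on OS crash/power loss; acceptable outside finance
innodb_flush_method = O_DIRECT  # bypass the OS page cache (avoids double buffering)
innodb_read_io_threads = 2      # IO threads, scale with CPU cores (2-4 on small hosts)
innodb_write_io_threads = 2
#innodb_buffer_pool_instances = 1  # removed in recent MariaDB (10.6+): a single pool is always used and the variable is rejected at startup
#innodb_use_native_aio = 0      # uncomment to disable native async IO on low-end/virtualised hosts (the value 1 in the original comment enabled it)
innodb_adaptive_hash_index = 0  # little benefit with a small buffer pool, costs CPU/memory

# ===================== Aria engine (non-transactional tables) =====================
# Aria: crash-safe (unlike MyISAM), low memory, fast for read-heavy / light-write loads
aria_pagecache_buffer_size = 512M  # main Aria cache for data and index pages. The 20-30% of RAM guideline means 512M assumes ~2 GB; on a 1 GB host use ~256M, and make sure this + innodb_buffer_pool_size + key_buffer_size + per-connection buffers fits in RAM
aria_log_file_size = 64M        # Aria transaction log size (crash recovery); too small flushes often
#aria_log_buffer_size = 8M
aria_recover_options = NORMAL   # recover Aria tables on startup. The original `aria_recover = 1` is the old variable name; check `SHOW VARIABLES LIKE 'aria_recover%'` on this version


# ===================== Query buffers (per-connection memory, keep small) =====================
query_cache_type = 0    # disable the query cache; invalidation churn costs more than it saves on a small box
query_cache_size = 0
sort_buffer_size = 64K  # per connection; default 2M is too generous, 64K-128K is enough for small result sets
join_buffer_size = 64K  # per connection / per join
read_buffer_size = 64K  # sequential scan buffer
read_rnd_buffer_size = 64K  # random read buffer

# ===================== Logging (for troubleshooting) =====================
slow_query_log = 1      # record slow queries
#slow_query_log_file = /var/log/mariadb/slow.log   # directory must exist and be writable by the mysql user (Ubuntu uses /var/log/mysql)
long_query_time = 1     # "slow" = over 1 second; lower it on a weak machine
log_queries_not_using_indexes = 1  # also log full scans -- useful while tuning indexes, noisy afterwards
general_log = 0         # general query log off (heavy IO, and it records every statement including data)
skip-log-bin            # no binary log (no replication / point-in-time recovery here). The original `log_bin = 0` is not the documented way to disable it -- --log-bin takes an optional base name -- verify with: SHOW VARIABLES LIKE 'log_bin';


# ===================== Thread pool =====================
thread_handling = pool-of-threads
thread_pool_size = 4                # usually 1-2x the CPU core count
thread_pool_max_threads = 300       # upper bound on worker threads
thread_pool_idle_timeout = 60       # seconds before an idle worker exits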

9、安装 Nginx Php

sudo apt install nginx

apt list php8*

sudo apt install php8.4-fpm php8.4-mysql php8.4-mbstring php8.4-gd php8.4-curl php8.4-xml

apt list php8.4* |grep installed

sudo systemctl start nginx
sudo systemctl enable nginx

sudo systemctl start php8.4-fpm
sudo systemctl enable php8.4-fpm

设置web上传用户:

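# Web content owner: a dedicated upload user whose primary group is www-data, so
# nginx / php-fpm (running as www-data) get read-only access through group bits.
sudo adduser userupload --ingroup www-data   # primary group = www-data
#sudo usermod -g www-data userupload         # same for an existing user

# www-data must be able to traverse the home directory or nginx answers 403.
# Ubuntu's adduser normally creates it as userupload:www-data 0750 (DIR_MODE in
# /etc/adduser.conf); if it shows drwx------ run: sudo chmod 750 /home/userupload
ls -ld /home/userupload

# Create the web root as the upload user so ownership is right from the start.
sudo -u userupload mkdir -m 750 /home/userupload/www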


sudo nano /etc/nginx/nginx.conf

修改内容:#include /etc/nginx/sites-enabled/*;    #注释默认配置

sudo cp /etc/nginx/sites-available/default /etc/nginx/conf.d/my.conf  #复制默认配置

sudo nano /etc/nginx/conf.d/my.conf

修改Nginx my.conf内容:

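# /etc/nginx/conf.d/my.conf -- plain-HTTP site (the TLS version is in step 10).
# Check and apply: sudo nginx -t && sudo systemctl reload nginx
server {
	listen 80 default_server;
	server_tokens off;              # hide the nginx version in headers and error pages
	root /home/userupload/www;      # owned by userupload:www-data, 750/640 (see below)
	index index.html index.htm index.php;
	server_name _;

	# Never serve dotfiles (.git, .env, .htaccess ...) that an upload may bring along.
	location ~ /\. {
		deny all;
	}

	location / {
		try_files $uri $uri/ =404;
		#autoindex on;                # directory listing; keep off
	}

	location ~ \.php$ {
		# Debian's snippet sets `try_files $fastcgi_script_name =404`, which stops
		# /image.png/x.php style path-info execution -- keep the include.
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.4-fpm.sock;      # socket name follows the installed PHP version
	}
}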

php安全设置

sudo nano /etc/php/8.4/fpm/php.ini

内容:

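; php.ini hardening for the FPM SAPI. Restart afterwards and watch for errors:
;   sudo systemctl restart php8.4-fpm && journalctl -u php8.4-fpm -e
allow_url_include = Off          ; never include()/require() remote URLs

; Trailing slash matters: "/home/userupload/www" is a prefix match and would also
; permit /home/userupload/www2. Directories PHP needs at runtime -- session.save_path
; and upload_tmp_dir (or /tmp) -- must be inside open_basedir as well, or sessions
; and uploads may fail; check the FPM log after restarting.
open_basedir = /home/userupload/www/

; Do not advertise the PHP version (X-Powered-By; pairs with nginx fastcgi_hide_header)
expose_php = Off

; Very aggressive list: it also removes error_reporting, ini_set, getcwd, scandir,
; touch and readlink, which most frameworks call, so expect breakage and trim it
; against the application's errors. curl_* (php8.4-curl is installed) is not
; listed, so outbound HTTP from PHP remains possible.
disable_functions = checkdnsrr, chgrp, chown, disk_free_space, disk_total_space, error_log, error_reporting, exec, fsockopen, ftp_connect, ftp_get, ftp_login, ftp_pasv, getcwd, getmxrr, getservbyname, getservbyport, highlight_file, ini_alter, ini_restore, ini_set, link, openlog, parse_ini_file, passthru, pfsockopen, popen, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgroups, posix_getlast_error, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_strerror, posix_times, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_open, putenv, readlink, scandir, shell_exec, show_source, socket_accept, socket_bind, socket_connect, socket_create, socket_listen, stream_socket_accept, stream_socket_client, stream_socket_server, symlink, sys_getloadavg, syslog, system, touch,dl,pcntl_exec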

上传网页后设置文件、文件夹权限

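# Web root permissions after uploading: directories 750, files 640.
# With owner userupload and group www-data this lets nginx/php-fpm read but not
# write; any directory the application must write into needs group write
# (770/660) on top of this. find -exec handles names with spaces or newlines,
# which the original `chmod 750 \`find ./www -type d\`` did not.
# Usage: fix_web_perms ./www
fix_web_perms() {
  local root="${1:-./www}"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
}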

10、配置内网自签名ssl 以及ssl 安全加强

建立ssl证书目录

sudo mkdir -p /etc/nginx/ssl

生成秘钥、证书;生成 Diffie-Hellman 参数

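# Self-signed certificate for an internal host. Browsers and most clients now
# ignore CN and require a subjectAltName, so put the hostname (DNS:) or address
# (IP:) clients will use in the SAN; it must match server_name / the URL.
# Valid 10 years; -nodes leaves the key unencrypted so nginx can start unattended.
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/nginx-selfsigned.key \
  -out /etc/nginx/ssl/nginx-selfsigned.crt \
  -subj "/CN=your_domain_or_IP" \
  -addext "subjectAltName=DNS:your_domain_or_IP"      # use IP:<address> for a bare IP

# Unencrypted private key: readable by root only.
sudo chmod 600 /etc/nginx/ssl/nginx-selfsigned.key

# Only needed for DHE suites under TLS 1.2 and slow to generate. The output path
# must match the ssl_dhparam directive below (/etc/nginx/ssl/, not /etc/nginx/).
#sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096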

sudo nano /etc/nginx/conf.d/my.conf

修改Nginx my.conf内容:

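#https://ssl-config.mozilla.org/     Mozilla SSL configuration generator (reference for the TLS settings below)
# Check and apply: sudo nginx -t && sudo systemctl reload nginx

server {
	# Plain HTTP and HTTPS share this block, so port 80 still serves content in the
	# clear. For HTTPS-only, move `listen 80` into its own server block that does
	# `return 301 https://$host$request_uri;`.
	listen 80 default_server;
	#listen [::]:80 default_server;
	server_tokens off;               # hide the nginx version in headers and error pages

	listen 443 ssl;
	http2 on;
	# Name clients use to reach this host; must match the SAN in the self-signed certificate.
	server_name your_domain_or_IP;

	ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
	ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
	#ssl_dhparam /etc/nginx/ssl/dhparam.pem;   # only for DHE suites under TLS 1.2; path must match the openssl dhparam output

	# TLS 1.3 only suits an internal service with current clients; re-add TLSv1.2
	# (and the ssl_ciphers list) if older clients must connect.
	#ssl_protocols TLSv1.3 TLSv1.2;
	ssl_protocols TLSv1.3;
	ssl_ecdh_curve X25519:prime256v1:secp384r1;
	ssl_prefer_server_ciphers off;   # TLS 1.2+: every offered suite is AEAD, so let the client pick (e.g. ChaCha20 on CPUs without AES-NI)
	#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

	# Session resumption (performance)
	#ssl_session_cache shared:SSL:10m;
	#ssl_session_timeout 1d;
	#ssl_session_tickets off;

	# OCSP stapling is a no-op for a self-signed certificate (no issuer, no OCSP
	# responder; nginx warns "ssl_stapling ignored") and also needs a `resolver`.
	# Turn it back on once a CA-issued certificate replaces the self-signed one.
	#ssl_stapling on;
	#ssl_stapling_verify on;
	ssl_buffer_size 4k;              # smaller TLS records, lower time to first byte

	# Response headers. nginx does not inherit add_header into a location that
	# sets its own add_header, so keep them all at this level.
	#add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" always;   # 'unsafe-*' leaves this CSP almost useless against XSS; tighten per application
	#add_header Referrer-Policy "same-origin" always;
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
	#add_header X-Content-Type-Options "nosniff" always;
	#add_header X-Download-Options "noopen" always;
	#add_header X-Frame-Options "sameorigin" always;
	#add_header X-Permitted-Cross-Domain-Policies  "none" always;
	#add_header X-Robots-Tag "none" always;
	#add_header X-XSS-Protection "1; mode=block" always;   # obsolete; current browsers ignore it
	#proxy_hide_header  X-Powered-By;                      # only relevant behind proxy_pass
	#fastcgi_hide_header X-Powered-By;                     # hides PHP's X-Powered-By (or set expose_php = Off in php.ini)
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	# HSTS is only recorded by browsers when the certificate is trusted, so with a
	# self-signed cert it is inert until the cert/CA is installed on the clients.
	# Leave out includeSubdomains/preload unless every subdomain serves HTTPS.
	add_header Strict-Transport-Security "max-age=63072000" always;


	#root /var/www/html;
	root /home/userupload/www;       # owned by userupload:www-data, 750/640

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.php;

	# Never serve dotfiles (.git, .env, .htaccess ...) that an upload may bring along.
	location ~ /\. {
		deny all;
	}

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		#autoindex on;                # directory listing; keep off
	}

	# pass PHP scripts to FastCGI server
	location ~ \.php$ {
		# Debian's snippet sets `try_files $fastcgi_script_name =404`, which stops
		# /image.png/x.php style path-info execution -- keep the include.
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php8.4-fpm.sock;   # socket name follows the installed PHP version
	}

}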


