A server newbie is here to ask for advice …
I have always used virtual hosting or a Platform as a Service (PaaS) such as SAE, and I have never gone through the process of building my own server, so I have no idea about this area.
Now that the price of VPS services such as Alibaba Cloud and QCloud is gradually dropping, the threshold is getting lower and lower, and because of some restrictions (such as SSL) imposed by virtual hosts and Platform as a Service, I want to learn the process of deploying a production environment server myself. I hope the server and operations veterans here can point me in the right direction.
Suppose the server runs Ubuntu 14.04, and I hope that:
The system does not have to be Ubuntu; it could be CentOS or Debian. I hope it is easy to get started with.
It can run PHP websites, preferably PHP 7. What must be optimized after deployment?
It also runs a MariaDB or MySQL database. Do permissions, remote access and the like need special configuration?
It uses Nginx as the web server. How do I deploy HTTPS websites?
Should Git be used for code distribution, for example with hooks?
How should user permissions on the server be configured? What basic security protection should be done?
Since it is a production environment, should website data be backed up regularly? What is a convenient way to do it?
Everything is installed manually, without those one-click packages.
I know that optimizing the details takes years of experience and cannot be explained in a few words, but I am not aiming for perfection; this is mainly for the purpose of learning. I hope the experts and veterans here will share generously. Thank you!
The question of setting up a Web server is too broad. Keep in mind that every language can provide Web services, and there are also many kinds of Web containers.
Let's just talk about some basic matters here.
Q: So how do I actually start learning to configure a Web server?
A: First of all, you need to know the process through which users access Web services and break it down step by step.
0x01 Understanding Web Request Process
1. The user opens the browser, types in the web address and presses Enter.
2. The browser queries the DNS record of the website address and initiates a request to the record it got back. (What are: domain name purchase / DNS records / DNS configuration for a domain name)
3. The server's Web container (such as Nginx/Apache, etc.) receives the request and starts working according to the HTTP headers sent by the browser. (HTTP headers / common Web containers / how to configure these Web containers to work with back-end programs) (Note: a Web container does not have to exist, but it is part of the most common process of handling Web requests.)
4. The back end processes the received request.
5. The Web container obtains the final result from the back-end program and returns it to the browser together with the HTTP response headers.
6. The browser displays the result.
Once you have gone through the basic process, look at the areas where your understanding is vague or even completely missing, search for them, and continue reading once you have figured them out.
0x02 server deployment
1. Be familiar with commonly used commands, so that at the very least you do not spend a lot of time looking up how to use basic commands during daily operation of the server, which would dampen your enthusiasm.
2. Create your own low-privilege account. Do not log in to the root account directly through ssh; this helps prevent your own mistakes and improves security.
3. Learn to use the package manager, which is the command used to install software. CentOS/RedHat is
4. Start installing what you think you need to install after reading 0x01. …
5. For software that the package manager cannot find, or whose packaged version is unsatisfactory, learn to download the source code, compile it and install it to a specified directory.
In addition: find out what the fields at the front of each line mean after you list a directory/file with
$ ls -lhta
For example: drwxrwxr-x 1 lakechan lakechan 322K Jan 28 09:10 233333
After deployment, you should now be able to run the service and access your page, but before going online, look at the following basic security knowledge.
0x03 Basic Security Knowledge
System: prohibit root account login over ssh, and create a low-privilege account for day-to-day server management. Use su to switch to the root account for operations that need elevated privileges. All accounts use strong passwords, or only public-key login is allowed over ssh; upgrade the system kernel frequently.
Web container: upgrade frequently.
For PHP only: disable the use of eval.
MySQL: if there is no need for it, turn off remote login for all accounts; don't let the program connect to the database with the root account, and make account permissions as fine-grained as you can. Do not use weak passwords for the accounts.
Code deployment: if you choose to use a version control system such as git/svn to deploy and update code, forbid users from accessing .git/.svn and other directories they should not access; don't let the Web container follow soft links; the permissions/owners of all files and directories (including the root directory of the Web program) should follow the principle of minimization. Don't be lazy.
Other: don't leave anything at its default, such as Apache's server-status and the phpMyAdmin directory name. At least don't use names like pma and pma123.
Be wary of all data users provide to you, and prevent SQL injection, file upload, XSS, CSRF and other attacks.
The security configuration here can basically block most script kiddies.
0x04 Most Important
I’m tired of typing so many words. Can you give me a compliment?
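An added example, not part of the original answer: a POSIX shell audit for three items from the 0x03 checklist (ssh root and password login, .git/.svn directories and soft links under the web root, and world-writable entries). The function names, the sshd defaults passed in and the paths given on the command line are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the 0x03 checklist. Function names are hypothetical.

# Print the value of an sshd_config keyword (sshd uses the first occurrence),
# or DEFAULT when the keyword is absent or commented out.
# Not handled: Match blocks, Include files, "Keyword=value" syntax.
# On a live host, `sshd -T` prints the effective configuration instead.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Print one FINDING line per ssh setting that contradicts the checklist.
# Defaults assumed: PermitRootLogin prohibit-password, PasswordAuthentication yes
# (recent OpenSSH; older releases default PermitRootLogin to yes).
audit_sshd() {  # usage: audit_sshd SSHD_CONFIG
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = "no" ] ||
        echo "FINDING: root login over ssh is not disabled"
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] ||
        echo "FINDING: password login over ssh is enabled (needs strong passwords)"
    return 0
}

# Print one FINDING line per risky entry under a web root.
audit_webroot() {  # usage: audit_webroot DIR
    # VCS metadata: the web container must deny access to these directories.
    find "$1" -type d \( -name .git -o -name .svn \) -prune -print |
        sed 's/^/FINDING: VCS directory under web root: /'
    # Soft links: the web container should not follow them.
    find "$1" \( -name .git -o -name .svn \) -prune -o -type l -print |
        sed 's/^/FINDING: soft link under web root: /'
    # World-writable files or directories break the minimal-permission rule.
    find "$1" \( -name .git -o -name .svn \) -prune -o ! -type l -perm -0002 -print |
        sed 's/^/FINDING: world-writable entry: /'
    return 0
}

# Run both audits when called as: script SSHD_CONFIG WEB_ROOT
if [ "$#" -ge 2 ]; then
    audit_sshd "$1"
    audit_webroot "$2"
fi
```

Run it against copies of the configuration files first; an empty output means none of these three checks fired, not that the host is hardened.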