nginx from scratch
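#!/bin/bash
#
# nginx from scratch (CentOS 7): builds nginx from source with SPDY,
# ngx_pagespeed and the upload-progress module, then installs php-fpm,
# MariaDB 10, a self-signed certificate, a Drupal vhost and Drupal itself
# through drush. Must run as root; downloads from the internet.
#
# Every value in the "config" section can be overridden from the environment
# (e.g. `MYSQL_ROOT_PASSWORD=... ./nginx.sh`). The defaults are the script's
# original values; the two database passwords are placeholders only.
set -euo pipefail

# config
NGINX_USER=${NGINX_USER:-nginx}
NGINX_VERSION=${NGINX_VERSION:-1.9.0}
NGINX_PAGESPEED=${NGINX_PAGESPEED:-1.9.32.3}
NGINX_UPLOAD_PROGRESS=${NGINX_UPLOAD_PROGRESS:-0.9.1}
# the slash is pre-escaped because the value is spliced into an ex `s///`
PHP_TIMEZONE=${PHP_TIMEZONE:-"Europe\/Lisbon"}
PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-2048M}
PHP_UPLOAD_FILESIZE=${PHP_UPLOAD_FILESIZE:-2048M}
PHP_MAX_INPUT_VARS=${PHP_MAX_INPUT_VARS:-3000}
PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-256M}
PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
PHP_MAX_EXEC_TIME=${PHP_MAX_EXEC_TIME:-300}
MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-abcd1234}
MYSQL_DRUPAL_DB=${MYSQL_DRUPAL_DB:-drupal}
MYSQL_DRUPAL_DB_USER=${MYSQL_DRUPAL_DB_USER:-drupal}
MYSQL_DRUPAL_DB_PASS=${MYSQL_DRUPAL_DB_PASS:-123}

# the placeholder passwords are fine for a throw-away VM, nothing else
if [[ "$MYSQL_ROOT_PASSWORD" == "abcd1234" || "$MYSQL_DRUPAL_DB_PASS" == "123" ]]; then
  printf 'warning: placeholder database password(s) in use; set MYSQL_ROOT_PASSWORD and MYSQL_DRUPAL_DB_PASS in the environment\n' >&2
fi

# add epel repo
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh epel-release-7*.rpm

# add remi repo
wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
rpm -Uvh remi-release-7*.rpm
# flip enabled=0 to enabled=1 in the [remi] and [remi-php56] sections;
# ex edits the file in place, so its (empty) output is not captured
ex /etc/yum.repos.d/remi.repo <<'EOF'
/^\[remi\]
/^enabled=
s/=0/=1/
/^\[remi-php56\]
/^enabled=
s/=0/=1/
wq
EOF

# remove rpm's
rm -f -- epel-release-7*.rpm remi-release-7*.rpm

# perform system update after adding these repos
yum update -y

##
# compile nginx from source with SPDY and ngx_pagespeed
##

# install required packages
yum install -y mlocate htop gcc-c++ pcre-devel zlib-devel make unzip openssl-devel git libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel libatomic_ops-devel

# download and prepare ngx_pagespeed (psol is unpacked inside the module dir)
wget "https://github.com/pagespeed/ngx_pagespeed/archive/release-${NGINX_PAGESPEED}-beta.zip"
unzip "release-${NGINX_PAGESPEED}-beta.zip"
cd "ngx_pagespeed-release-${NGINX_PAGESPEED}-beta/"
wget "https://dl.google.com/dl/page-speed/psol/${NGINX_PAGESPEED}.tar.gz"
tar -xzvf "${NGINX_PAGESPEED}.tar.gz"
cd ..

# download upload progress module
wget "https://github.com/masterzen/nginx-upload-progress-module/archive/v${NGINX_UPLOAD_PROGRESS}.tar.gz"
tar zxvf "v${NGINX_UPLOAD_PROGRESS}.tar.gz"

# nginx user: created with a home directory because Drupal is installed under
# /home/nginx below; the account is re-used if it already exists
if ! id -u "${NGINX_USER}" >/dev/null 2>&1; then
  useradd "${NGINX_USER}"
fi
usermod -s /sbin/nologin "${NGINX_USER}"

# download nginx source
wget "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
tar zxvf "nginx-${NGINX_VERSION}.tar.gz"
cd "nginx-${NGINX_VERSION}"

# enable almost all the modules for nginx
# NOTE(review): `CPU` in --with-cpu-opt / --with-zlib-asm is the literal
# placeholder from `./configure --help`, not a CPU name — confirm it is intended.
./configure --user="${NGINX_USER}" --group="${NGINX_USER}" --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_spdy_module --with-select_module --with-poll_module --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-cpp_test_module --with-cpu-opt=CPU --with-pcre --with-pcre-jit --with-md5-asm --with-sha1-asm --with-zlib-asm=CPU --with-libatomic --with-debug --with-ld-opt="-Wl,-E" --add-module="../ngx_pagespeed-release-${NGINX_PAGESPEED}-beta" --add-module="../nginx-upload-progress-module-${NGINX_UPLOAD_PROGRESS}"
make && make install

# cleanup: leave the build directory first so the working directory is not
# deleted underneath us; the pagespeed checkout and zip are removed by their
# real names (the old `ngx_pagespeed` glob never matched them)
cd ..
rm -rf -- "nginx-${NGINX_VERSION}" "nginx-${NGINX_VERSION}.tar.gz" \
  "nginx-upload-progress-module-${NGINX_UPLOAD_PROGRESS}" "v${NGINX_UPLOAD_PROGRESS}.tar.gz" \
  "ngx_pagespeed-release-${NGINX_PAGESPEED}-beta" "release-${NGINX_PAGESPEED}-beta.zip"

# create systemd service file for nginx
# the delimiter is quoted so that $MAINPID reaches the unit file literally
# (an unquoted here-doc expanded it to an empty string at install time and
# left ExecReload/ExecStop without a PID); `>` rather than `>>` keeps a
# re-run from appending a second copy of the unit
cat > /usr/lib/systemd/system/nginx.service <<'NGINX_SERVICE'
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
NGINX_SERVICE

# nginx config
cat <<'EOF' > /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
# configuration files
include /etc/nginx/conf.d/*.conf;
# vhosts
include /etc/nginx/sites-enabled/*;
}
EOF

# fastcgi params; the quoted delimiter keeps the nginx $variables literal
cat <<'EOF' > /etc/nginx/fastcgi_params
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
EOF

mkdir -p /etc/nginx/conf.d
# NOTE(review): client_max_body_size (256m here, 64M in the vhost) is far
# below PHP_POST_MAX_SIZE / PHP_UPLOAD_FILESIZE (2048M); nginx will answer
# 413 long before php-fpm sees such an upload — align the two if large
# uploads are intended.
cat <<'EOF' > /etc/nginx/conf.d/core.conf
## sendfile and tcp_nopush
## - Ensures that the packets are full before sending to the client.
sendfile on;
tcp_nopush on;
## tcp_nodelay
## - Forces the socket to send the data (saving up to 0.2 seconds per file (nagle's algorithm)).
tcp_nodelay on;
## server_tokens
## - Enables or disables emitting nginx version in error messages and in the 'Server' response header field.
server_tokens off;
## client_max_body_size
## - Sets the maximum allowed size of the client request body, specified in the 'Content-Length' request header field.
## If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
client_max_body_size 256m;
## keepalive_timeout
## - Sets a timeout during which a keep-alive client connection will stay open on the server side (default 75s).
keepalive_timeout 30;
## client_header_timeout
## - Defines a timeout for reading client request header.
client_header_timeout 10;
## client_body_timeout
## - Defines a timeout for reading client request body.
client_body_timeout 10;
## send_timeout
## - Sets a timeout for transmitting a response to the client.
send_timeout 10;
EOF

cat <<'EOF' > /etc/nginx/conf.d/gzip.conf
gzip on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 0;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js ;
EOF

# NOTE(review): the statistics/console/admin paths configured here are served
# by every vhost that loads this file and nothing below restricts who may
# reach them; add `location` blocks with allow/deny (or drop the paths) before
# exposing the host beyond localhost.
cat <<'EOF' > /etc/nginx/conf.d/pagespeed.conf
pagespeed on;
pagespeed FileCachePath /var/cache/ngx_pagespeed_cache;
pagespeed FileCacheSizeKb 102400;
pagespeed FileCacheCleanIntervalMs 3600000;
pagespeed FileCacheInodeLimit 500000;
pagespeed LRUCacheKbPerProcess 8192;
pagespeed LRUCacheByteLimit 16384;
pagespeed MemcachedServers "127.0.0.1:11211";
pagespeed RewriteLevel PassThrough;
pagespeed EnableFilters remove_comments,collapse_whitespace,rewrite_images,resize_images,resize_rendered_image_dimensions,prioritize_critical_css,insert_dns_prefetch,combine_css,rewrite_css,combine_javascript,rewrite_javascript;
pagespeed RespectVary on;
pagespeed CriticalImagesBeaconEnabled false;
pagespeed StatisticsPath /ngx_pagespeed_statistics;
pagespeed GlobalStatisticsPath /ngx_pagespeed_global_statistics;
pagespeed MessagesPath /ngx_pagespeed_message;
pagespeed ConsolePath /pagespeed_console;
pagespeed AdminPath /pagespeed_admin;
pagespeed GlobalAdminPath /pagespeed_global_admin;
pagespeed MessageBufferSize 200000;
pagespeed Statistics on;
pagespeed StatisticsLogging on;
pagespeed LogDir /var/log/pagespeed;
pagespeed StatisticsLoggingIntervalMs 60000;
pagespeed StatisticsLoggingMaxFileSizeKb 1024;
EOF

mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled

##
# install php and php-fpm
##
yum install -y php php-gd php-pdo php-fpm php-pecl-zendopcache php-mbstring php-mysql php-pecl-uploadprogress memcached

# create global socket for php-fpm (replaces the stock www pool)
rm -f -- /etc/php-fpm.d/www.conf
cat <<'EOF' > /etc/php-fpm.d/global-pool.conf
[global-pool]
user = nginx
group = nginx
listen = /var/run/php-fpm/php-fpm-global.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5
EOF

# change php settings: each `/^key` jumps to the directive, the following
# `s///` rewrites its stock value; `\r` in a replacement inserts a line break
# so max_input_vars and date.timezone are added after their commented stubs.
# The here-doc is unquoted on purpose so the PHP_* values are expanded.
ex /etc/php.ini <<EOF
/^post_max_size
s/= 8M/= $PHP_POST_MAX_SIZE/
/^upload_max_filesize
s/= 2M/= $PHP_UPLOAD_FILESIZE/
/^; max_input_vars
s/= 1000/= 1000\rmax_input_vars = $PHP_MAX_INPUT_VARS/
/^memory_limit
s/= 128M/= $PHP_MEMORY_LIMIT/
/^max_input_time
s/= 60/= $PHP_MAX_INPUT_TIME/
/^max_execution_time
s/= 30/= $PHP_MAX_EXEC_TIME/
/^\[Date\]
/^;date.timezone
s/=/=\rdate.timezone = $PHP_TIMEZONE/
wq
EOF

##
# install mariadb 10
##

# add repo (written with `>` so a re-run replaces rather than duplicates it)
cat > /etc/yum.repos.d/mariadb.repo <<'MARIADB'
# MariaDB 10.0 CentOS repository list - created 2015-04-15 11:21 UTC
# http://mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.0/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
MARIADB

# install
yum install -y MariaDB-server MariaDB-client

# secure mariadb install
service mysql start

# secure mysql installation (fresh install: root has no password yet).
# The root password is spliced into SQL text, so a value containing a single
# quote would break the statement — keep it to quote-free characters.
mysql -u root <<EOF
UPDATE mysql.user SET Password=PASSWORD('$MYSQL_ROOT_PASSWORD') WHERE User='root';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
FLUSH PRIVILEGES;
EOF

##
# create self-signed ssl certificate
##
mkdir -p /etc/nginx/ssl
# -nodes: the key is stored unencrypted because nginx has to read it at boot
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout /etc/nginx/ssl/localhost.key -out /etc/nginx/ssl/localhost.crt

##
# create drupal vhost
##
# quoted delimiter: every $ below is an nginx variable or regex anchor
cat <<'EOF' > /etc/nginx/sites-available/drupal.conf
server {
client_max_body_size 64M;
listen 80;
server_name localhost;
root /home/nginx/drupal;
index index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/drupal-access.log;
error_log /var/log/nginx/drupal-error.log;
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
try_files $uri =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm-global.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
server {
client_max_body_size 64M;
listen 443 ssl spdy;
server_name localhost;
root /home/nginx/drupal;
ssl_certificate /etc/nginx/ssl/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/localhost.key;
index index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log /var/log/nginx/drupal-access.log;
error_log /var/log/nginx/drupal-error.log;
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
add_header Pragma public;
add_header Cache-Control "public";
try_files $uri =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm-global.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
EOF
ln -sf /etc/nginx/sites-available/drupal.conf /etc/nginx/sites-enabled/drupal.conf

# install drush
pear channel-discover pear.drush.org
pear install drush/drush

# install drupal
# the root password is passed through MYSQL_PWD instead of `-p<password>` so
# it does not show up in `ps` / process accounting for every other local user
MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot -e "create database $MYSQL_DRUPAL_DB"
MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON $MYSQL_DRUPAL_DB.* TO '$MYSQL_DRUPAL_DB_USER'@'localhost' IDENTIFIED BY '$MYSQL_DRUPAL_DB_PASS'"
cd /home/nginx
drush dl drupal --drupal-project-rename=drupal
cd drupal
# NOTE(review): --db-url still carries the Drupal DB password on the drush
# command line; this was left as in the original.
drush site-install standard --db-url="mysql://$MYSQL_DRUPAL_DB_USER:$MYSQL_DRUPAL_DB_PASS@localhost/$MYSQL_DRUPAL_DB" --site-name=Drupal -y
drush dis overlay -y
chown -R nginx:nginx /home/nginx/drupal

# enable and restart services
# daemon-reload makes systemd pick up the nginx.service unit written above
systemctl daemon-reload
# httpd may not be installed at all; disabling it is best-effort
systemctl disable httpd || true
systemctl enable nginx
systemctl enable php-fpm
systemctl enable memcached
service nginx restart
service php-fpm restart
service memcached restart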