CentOS7.6安装Caddy服务器及PHP7.4环境,实现QUIC配置

Written by

in

本文旨在描述使用CADDY启用QUIC协议-
QUIC(Quick UDP Internet Connection)是谷歌制定的一种基于UDP的低时延的互联网传输层协议。在2016年11月国际互联网工程任务组(IETF)召开了第一次QUIC工作组会议,受到了业界的广泛关注。这也意味着QUIC开始了它的标准化过程,成为新一代传输层协议 。

1.安装CADDY服务器。本文采用CENTOS7.5安装。

 curl https://getcaddy.com | bash -s personal http.cache,http.geoip,http.git,http.grpc
Downloading Caddy for linux/amd64...
https://caddyserver.com/download/linux/amd64?plugins=
Extracting...
Putting caddy in /usr/local/bin (may require password)
[sudo] password for sammy:
Caddy 0.10.2
Successfully installed

查询caddy位置

which caddy
/usr/local/bin/caddy

为了安全起见,不要以root用户身份运行Caddy二进制文件。为了使Caddy能够以非root用户身份绑定到特权端口(例如80、443),您需要运行以下setcap命令:

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

创建专用的系统用户和用户组caddy,创建的用户caddy只能用于管理Caddy服务,而不能用于登录.

sudo useradd -r -d /var/www -M -s /sbin/nologin caddy

设定站点主目录 /var/www

sudo mkdir -p /var/www/example.com
sudo chown -R caddy:caddy /var/www

创建SSL证书存放目录,并设定权限。注意权限很重要。

sudo mkdir /etc/ssl/caddy
sudo chown -R caddy:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy

创建 Caddy配置文件 存储目录,并设定权限。

sudo mkdir /etc/caddy
sudo chown -R root:caddy /etc/caddy

创建CADDY配置文件和设定权限,并简单设置配置文件.注意这里只是简单的配置示例文件,更多的配置设置方式可以参考官方文档。

sudo touch /etc/caddy/Caddyfile
sudo chown caddy:caddy /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile
cat <<EOF | sudo tee -a /etc/caddy/Caddyfile
example.com {
    root /var/www/example.com
    gzip
    tls admin@example.com
}
EOF

创建Caddy的systemd系统服务管理文件

sudo vi /etc/systemd/system/caddy.service

输入以下内容并保存。

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

启动Caddy服务,并使其在系统启动时自动启动:

sudo systemctl daemon-reload
sudo systemctl start caddy.service
sudo systemctl enable caddy.service

如果有开启防火墙,还需要设定防火墙规格 打开端口80和443端口如下:

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

您的网站创建测试页

echo '<h1>Hello World!</h1>' | sudo tee /var/www/example.com/index.html

启动Caddy服务以加载新 配置

sudo systemctl restart caddy.service

你将看到成功的示例首页。

2.安装php7.4

由于Centos系统默认的php版本仍然为古董的php5.6版本,目前最新版为RC的7.4版本。只能从第三方源中安装。

首先安装 EPEL 源, REMI 源 , Yum 源管理工具 ,更新yum缓存

rpm -vih http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install yum-utils
yum clean all && yum makecache

设置PHP默认版本为php74,如果你想安装其他版本可以设置为对应版本。如5.6,7.0,7.3,7.4等

 yum-config-manager --enable remi-php74

安装php核心

 yum -y install php php-fpm php-opcache

安装常用php扩展组件

yum -y install php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-soap curl curl-devel

如果想安装php其他组件,可以按照以下查询php扩展组件

rpm -qa | grep 'php'
php-json-7.4.0~RC3-5.el7.remi.x86_64
php-7.4.0~RC3-5.el7.remi.x86_64
php-xml-7.4.0~RC3-5.el7.remi.x86_64
php-gd-7.4.0~RC3-5.el7.remi.x86_64
php-common-7.4.0~RC3-5.el7.remi.x86_64
php-cli-7.4.0~RC3-5.el7.remi.x86_64
php-opcache-7.4.0~RC3-5.el7.remi.x86_64
php-process-7.4.0~RC3-5.el7.remi.x86_64
php-fedora-autoloader-1.0.0-1.el7.noarch
php-mbstring-7.4.0~RC3-5.el7.remi.x86_64
php-odbc-7.4.0~RC3-5.el7.remi.x86_64
php-xmlrpc-7.4.0~RC3-5.el7.remi.x86_64
php-ldap-7.4.0~RC3-5.el7.remi.x86_64
php-soap-7.4.0~RC3-5.el7.remi.x86_64
php-pdo-7.4.0~RC3-5.el7.remi.x86_64
php-pear-1.10.9-3.el7.remi.noarch
php-mysqlnd-7.4.0~RC3-5.el7.remi.x86_64
php-fpm-7.4.0~RC3-5.el7.remi.x86_64

设置php服务,设置开机启动,启动php

systemctl enable php-fpm
systemctl start php-fpm

vi /etc/php-fpm.d/www.conf

变更其中的user = 和group =字段为设定的caddy服务器执行用户caddy和caddy,然后启动php

systemctl start php-fpm

一般为/etc/php-fpm.conf或者/etc/php-fpm.d/www.conf文件中

3.修改Caddy配置

mkdir /etc/caddy
mkdir /etc/caddy/conf
echo 'import ./conf/*' >> /etc/caddy/Caddyfile
sudo mkdir /etc/ssl/caddy

4.开启caddy QUIC协议

修改 /etc/systemd/system/caddy.service ,在 ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp 后面加上 -quic ,如下。 重启服务即可启用。

vim /etc/systemd/system/caddy.service

ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -quic

sudo systemctl daemon-reload
sudo systemctl restart caddy.service

php启用配置文件实例。要确保PHP-FPM正在运行并侦听指定的unix套接字 ;检查 php-fpm.conf 中的 listen =  字段后面的内容,作为caddy配置后的php fastcgi监听字段。

abc.com {
    tls XXX@XXX.com
    root /data/wwwroot/abc.com
    gzip
    fastcgi / listen = 127.0.0.1:9000
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?_url={uri}
    }
}

注意:php在caddy中启用fastcgi接入,所以php-fpm配置文件中的用户名和监控的sock字段的listen值必须和caddy中对应。

Comments

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注