[CentOS7] Tomcat 8 binary install

Notes on installing Tomcat 8 from the binary tarball.

Tomcat binary releases can be downloaded from https://archive.apache.org/dist/tomcat/ . Each release directory also carries a .sha512 checksum and a .asc PGP signature next to the tarball; check the download against them before unpacking it as root.

  • Install the packages needed later to front Tomcat with Apache httpd (httpd, httpd-devel) and the JDK.
[root@CentOS7 ~]# yum install -y httpd httpd-devel java-1.7.0-openjdk-devel

 

  • Create the tomcat group and a tomcat system user (no home directory, no login shell), download and unpack the tarball into /opt/tomcat, and set ownership so the tomcat account can read conf/ but only write webapps/, work/, temp/ and logs/. Everything else stays root-owned: a compromised web application then cannot rewrite server.xml or the startup scripts.
[root@CentOS7 ~]# mkdir -p /opt/tomcat
[root@CentOS7 ~]# groupadd tomcat
[root@CentOS7 ~]# useradd -M -s /bin/nologin -g tomcat -d /opt/tomcat tomcat
[root@CentOS7 ~]# wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.38/bin/apache-tomcat-8.5.38.tar.gz
[root@CentOS7 ~]# tar xvf apache-tomcat-8.5.38.tar.gz -C /opt/tomcat --strip-components=1
[root@CentOS7 ~]# cd /opt/tomcat
[root@CentOS7 tomcat]# chgrp -R tomcat /opt/tomcat
[root@CentOS7 tomcat]# chmod -R g+r conf
[root@CentOS7 tomcat]# chmod g+x conf
[root@CentOS7 tomcat]# chown -R tomcat webapps/ work/ temp/ logs/

  • Create the systemd unit file. With Type=forking, systemd has to guess the main PID once startup.sh exits; adding PIDFile=/opt/tomcat/temp/tomcat.pid (the file CATALINA_PID already points to) makes that, and the ExecStop kill of $MAINPID, deterministic.
[root@CentOS7 tomcat]# vi /etc/systemd/system/tomcat.service
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

  • Reload systemd, enable the unit and start Tomcat, then check its status.
[root@CentOS7 tomcat]# systemctl daemon-reload
[root@CentOS7 tomcat]# systemctl enable tomcat
[root@CentOS7 tomcat]# systemctl start tomcat

[root@CentOS7 tomcat]# systemctl status tomcat
● tomcat.service - Apache Tomcat Web Application Container
Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2019-02-18 07:05:59 KST; 15s ago
Process: 1879 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
Main PID: 1887 (catalina.sh)
CGroup: /system.slice/tomcat.service
├─1887 /bin/sh /opt/tomcat/bin/catalina.sh start
└─1888 java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.util.logging.ma...

Feb 18 07:05:59 CentOS7 systemd[1]: Starting Apache Tomcat Web Application Container...
Feb 18 07:05:59 CentOS7 systemd[1]: Started Apache Tomcat Web Application Container.
[root@CentOS7 tomcat]#
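As an added example (not code from the original post), the shell functions below audit the ownership split configured above. They take the service user and group as arguments and flag anything under bin/, lib/ and conf/ that the tomcat account could modify, plus conf/ files the service group cannot read (the startup failure that the chmod -R g+r step prevents). They only rely on POSIX find predicates; the path layout and the audit_tomcat_perms.sh file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit which files under a Tomcat install the service account
# could modify. Not part of the original post.
# Usage: sh audit_tomcat_perms.sh /opt/tomcat tomcat tomcat
# Layout assumed: CATALINA_BASE with bin/ lib/ conf/ (read-only for the
# service) and webapps/ work/ temp/ logs/ (writable by the service).

# writable_by_service BASE USER GROUP
# Prints one "<reason> <path>" line per file in bin/ lib/ conf/ that the
# service account could write to: it owns the file (an owner can always
# chmod), or the file is writable by the service group, or by everyone.
writable_by_service() {
    base=$1; user=$2; group=$3
    for d in bin lib conf; do
        [ -d "$base/$d" ] || continue
        find "$base/$d" -user "$user" -print | sed 's/^/owned-by-service /'
        find "$base/$d" ! -user "$user" -group "$group" -perm -g+w -print |
            sed 's/^/group-writable /'
        find "$base/$d" ! -user "$user" -perm -o+w -print | sed 's/^/world-writable /'
    done
}

# unreadable_by_service BASE GROUP
# The opposite failure: conf/ files the service group cannot read, which makes
# Tomcat fail at startup (this is what "chmod -R g+r conf; chmod g+x conf" fixes).
unreadable_by_service() {
    base=$1; group=$2
    [ -d "$base/conf" ] || return 0
    find "$base/conf" -group "$group" ! -perm -g+r -print
}

# audit BASE USER GROUP -> exit 0 when nothing is flagged, 1 otherwise
audit() {
    out=$(writable_by_service "$1" "$2" "$3"; unreadable_by_service "$1" "$3")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

if [ $# -eq 3 ]; then
    audit "$@"
fi
```

Run it after every deployment or upgrade, not just once: a `chown -R tomcat` typed during troubleshooting (the Tomcat 9 section further down does exactly that for the whole tree) silently undoes the split and the audit is the only thing that will notice.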

 

  • Check the web site at http://192.168.0.10:8080/ (open TCP 8080 in firewalld first). Expose 8080 only where it is needed; if httpd will front Tomcat, the port can stay closed to the outside.
[root@CentOS7 ~]# firewall-cmd --permanent --add-port=8080/tcp
[root@CentOS7 ~]# firewall-cmd --reload

 

 

  • Configure tomcat-users.xml
  • Define the admin user and password. Replace "password" with a long random value: the manager application can deploy arbitrary WAR files, so these credentials are equivalent to code execution as the tomcat user, and they travel over plain HTTP on 8080 unless a TLS-terminating proxy sits in front.
[root@CentOS7 tomcat]# vi /opt/tomcat/conf/tomcat-users.xml
# add this line inside <tomcat-users>
<user username="admin" password="password" roles="manager-gui,admin-gui"/>

 

  • Restrict manager access to specific addresses. allow= is a Java regular expression that has to match the whole client address, so the dots must be escaped; 192\.168\.0\.\d+ would admit the whole 192.168.0.0/24, the form below admits the single host 192.168.0.1.
[root@CentOS7 ~]# vi /opt/tomcat/webapps/manager/META-INF/context.xml
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.0\.1" />

[root@CentOS7 ~]# systemctl restart tomcat

 

  • Open http://192.168.0.10:8080/manager/html from an allowed address.
  • Log in as admin with the password you set.

 

[GCP] Migrating the docker WordPress blog to GCP

On 2019-02-17 I migrated the blog to GCP.

Only the docker-compose WordPress blog directory and db-data needed to be moved.

It should have been a simple job... but when adding media in WordPress, the message "unable to upload to wp-content/uploads/2010/02" appeared, and

images could not be uploaded.

To give the conclusion first: it was a WordPress user permission (ownership) problem. 🙂

 

  • Original ownership
  • The problem was the WordPress directory, which has to be owned by www-data; after setting that ownership, image uploads to WordPress worked normally.
testone@web-service01:~/Workspace/web-service/blog$ ll
total 20
drwxrwxr-x 4 testone testone 4096 Oct  3 15:26 ./
drwxrwxr-x 7 testone testone 4096 Oct 30 00:31 ../
drwxr-xr-x 5 www-data www-data 4096 Feb 17 14:31 blog1/
drwxr-xr-x 5      999 testone 4096 Feb 17 14:31 db-data/
-rw-rw-r-- 1 testone testone  699 Oct 23  2017 docker-compose.yml
testone@web-service01:~/Workspace/web-service/blog$

  • Ownership of the data directory after migration
testone@web-service01:~/Workspace/web-service/blog$ ll
total 20
drwxrwxr-x 4 testone testone 4096 Oct  3 15:26 ./
drwxrwxr-x 7 testone testone 4096 Oct 30 00:31 ../
drwxr-xr-x 5 testone testone 4096 Feb 17 14:31 blog1/
drwxr-xr-x 5      999 testone 4096 Feb 17 14:31 db-data/
-rw-rw-r-- 1 testone testone  699 Oct 23  2017 docker-compose.yml
testone@web-service01:~/Workspace/web-service/blog$
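The listings above show the cause: blog1/ arrived owned by testone, while PHP inside the wordpress container runs as www-data, and the kernel only compares numeric ids. The functions below are an added example, not the post's own commands, for carrying numeric owners across a migration and for finding what is wrong afterwards. They assume GNU tar, and that the wordpress image runs as uid/gid 33 and the mysql image as 999 (the 999 is what the db-data listing shows; confirm both with `docker exec <container> id`).

```shell
#!/bin/sh
# Added example, not from the original post: move bind-mounted docker volumes
# between hosts without losing the numeric owner the containers expect, and
# find what went wrong when they were copied by hand.
# Assumptions (check with `docker exec <container> id`): the wordpress image
# runs as www-data = uid/gid 33 and the mysql image as uid/gid 999; those
# numbers, not the names, are what the kernel checks inside the container.
# GNU tar is assumed for --numeric-owner and the -tv listing format.

# wrong_owner DIR UID -> prints every path under DIR not owned by numeric UID
# (what made wp-content/uploads unwritable after the migration)
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# pack DIR ARCHIVE -> tar DIR with numeric ids, so a host that has no www-data
# user, or a different one, cannot rename or renumber them on the way
pack() {
    tar --numeric-owner -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# unpack ARCHIVE DEST -> restore with the archived uids/gids (needs root)
unpack() {
    tar --numeric-owner --same-owner -xpf "$1" -C "$2"
}

# archived_owners ARCHIVE -> the distinct "uid/gid" pairs stored in the
# archive, to check before unpacking on the new host
archived_owners() {
    tar --numeric-owner -tvf "$1" | awk '{print $2}' | sort -u
}

# fix_owner DIR UID GID -> repair in place (the post's fix, written numerically
# so it works whether or not the host has a www-data account)
fix_owner() {
    chown -R "$2:$3" "$1"
}

# Typical use, as root on the old host and then on the new one:
#   pack /home/testone/Workspace/web-service/blog/blog1   blog1.tar
#   pack /home/testone/Workspace/web-service/blog/db-data db-data.tar
#   archived_owners blog1.tar            # expect 33/33
#   unpack blog1.tar   /home/testone/Workspace/web-service/blog
#   unpack db-data.tar /home/testone/Workspace/web-service/blog
#   wrong_owner /home/testone/Workspace/web-service/blog/blog1 33   # prints nothing when correct
```

Copying with `scp -r` or `rsync` without `--numeric-ids` as a normal user is what produces the second listing: the files are recreated as the copying user. Packing with numeric owners and extracting as root keeps 33 and 999 intact even though neither account exists on the GCP host.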

 

 

[CentOS7] Tomcat 9 install

tomcat download : https://archive.apache.org/dist/tomcat/

  • Install java-1.8 before Tomcat.
  • Create the tomcat user.
[root@CentOS7 ~]# yum install -y java-1.8.0-openjdk-devel
[root@CentOS7 ~]# useradd -m -U -d /opt/tomcat -s /bin/false tomcat

 

  • Download apache-tomcat-9.0.14 and check it against the .sha512 published next to it before unpacking.
  • Unpack it, move it under /opt/tomcat and point a "latest" symlink at it.
  • Create the tomcat.service unit file.
  • Run daemon-reload and start Tomcat.
  • Note that chown -R tomcat: /opt/tomcat below hands the service account write access to conf/, bin/ and lib/ as well, unlike the split ownership in the Tomcat 8 section above; on a production host keep those root-owned and group-readable.
[root@CentOS7 ~]# cd /tmp
[root@CentOS7 tmp]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/apache-tomcat-9.0.14.tar.gz
[root@CentOS7 tmp]# tar -xf apache-tomcat-9.0.14.tar.gz
[root@CentOS7 tmp]# mv apache-tomcat-9.0.14 /opt/tomcat/
[root@CentOS7 tmp]# ln -s /opt/tomcat/apache-tomcat-9.0.14 /opt/tomcat/latest
[root@CentOS7 tmp]# chown -R tomcat: /opt/tomcat
[root@CentOS7 tmp]# sh -c 'chmod +x /opt/tomcat/latest/bin/*.sh'
[root@CentOS7 tmp]# vi /etc/systemd/system/tomcat.service
[Unit]
Description=Tomcat 9 servlet container
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"

Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

[root@CentOS7 tmp]# systemctl daemon-reload
[root@CentOS7 tmp]# systemctl enable tomcat
[root@CentOS7 tmp]# systemctl start tomcat
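The download step above (and the same wget in the Tomcat 8 section) unpacks whatever the mirror returned. The script below is an added example, not the post's own commands: it checks the tarball against the .sha512 file Apache publishes beside it and refuses on an empty or HTML "checksum" file, which is what a broken mirror or a captive portal hands back. It assumes the .sha512 holds a single "<hex digest> [*]<filename>" line as produced by sha512sum, that sha512sum or shasum is installed, and that the KEYS file lives in the tomcat-9 directory of the archive (the usual Apache layout; verify the URL on the Tomcat download page).

```shell
#!/bin/sh
# Added example, not from the original post: verify a Tomcat tarball against
# the SHA-512 file Apache publishes next to it, before it is unpacked as root.
# Assumptions: the .sha512 file holds "<hex digest> [*]<filename>" on one
# line (the form produced by sha512sum), and either sha512sum (coreutils) or
# shasum (perl) is installed. A stronger check is the detached PGP signature:
#   gpg --import KEYS && gpg --verify apache-tomcat-9.0.14.tar.gz.asc
# with KEYS assumed to be at https://archive.apache.org/dist/tomcat/tomcat-9/KEYS

# digest_of FILE -> lower-case hex SHA-512
digest_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 512 "$1" | awk '{print tolower($1)}'
    fi
}

# expected_digest SUMFILE -> the digest recorded in the .sha512 file
expected_digest() {
    awk 'NR == 1 {print tolower($1)}' "$1"
}

# verify_sha512 FILE SUMFILE -> 0 when the digests match, 1 otherwise.
# Refuses to "pass" on an empty or malformed .sha512 file: the expected value
# must be exactly 128 hex characters.
verify_sha512() {
    want=$(expected_digest "$2")
    case "$want" in
        *[!0-9a-f]*|"") echo "malformed digest file: $2" >&2; return 1 ;;
    esac
    [ ${#want} -eq 128 ] || { echo "malformed digest file: $2" >&2; return 1; }
    have=$(digest_of "$1")
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "DIGEST MISMATCH for $1" >&2
    return 1
}

# fetch_and_verify VERSION -> downloads the tarball and its .sha512 into the
# current directory and verifies them (needs network)
fetch_and_verify() {
    v=$1; major=${v%%.*}
    base="https://archive.apache.org/dist/tomcat/tomcat-$major/v$v/bin"
    wget -q "$base/apache-tomcat-$v.tar.gz" "$base/apache-tomcat-$v.tar.gz.sha512" &&
        verify_sha512 "apache-tomcat-$v.tar.gz" "apache-tomcat-$v.tar.gz.sha512"
}

# Use before "tar -xf":  sh verify_tomcat.sh 9.0.14 && tar -xf apache-tomcat-9.0.14.tar.gz
if [ $# -eq 1 ]; then
    fetch_and_verify "$1"
fi
```

The checksum only proves the tarball matches the file the same server published, so it catches corruption and a tampered mirror but not a compromised archive; the PGP signature checked against a KEYS file you obtained earlier and independently closes that gap.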

 

  • If firewalld is running, open port 8080.
[root@CentOS7 ~]# firewall-cmd --zone=public --permanent --add-port=8080/tcp
[root@CentOS7 ~]# firewall-cmd --reload

 

  • Connect to Tomcat on port 8080 to confirm it answers.

 

  • Configure the Tomcat web management interface
  • Port 8080 answers, but no user has been created yet, so the management interface cannot be accessed.
  • Tomcat users are defined in tomcat-users.xml.
  • Edit tomcat-users.xml. Use a long random password in place of password1: the manager can deploy arbitrary WAR files, so these credentials amount to code execution as the tomcat user.
[root@CentOS7 ~]# vi /opt/tomcat/latest/conf/tomcat-users.xml
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
   <role rolename="admin-gui"/>
   <role rolename="manager-gui"/>
   <user username="admin" password="password1" roles="admin-gui,manager-gui"/>
</tomcat-users>

 

  • By default the Tomcat management interface is configured to accept connections from localhost only.
  • To reach it from remote addresses you have to edit the application's context.xml. That is a security risk: anyone who can reach port 8080 and obtains the credentials can deploy code.
  • Commenting out the lines below opens the manager to every address. Do that only on a host that is otherwise firewalled, and prefer the allow-list form further down.

 

Allow access from all IPs (not recommended)

[root@CentOS7 ~]# vi /opt/tomcat/latest/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
<!--  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
-->
</Context>


[root@CentOS7 ~]# vi /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml
<!--  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
-->
</Context>

 

  • Restart Tomcat after changing the configuration
[root@CentOS7 ~]# systemctl restart tomcat

 

Allow access only from the single address 192.168.0.1

The allow= value is a Java regular expression matched against the whole client address, so the dots are escaped below (unescaped, 192.168.0.1 also matches 192x168y0z1). Keep the <Manager sessionAttributeValueClassNameFilter="..."/> element from the stock file as well; it limits which classes the manager's persisted sessions may deserialize.

[root@CentOS7 ~]# vi /opt/tomcat/latest/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.0\.1" />
</Context>

[root@CentOS7 ~]# vi /opt/tomcat/latest/webapps/host-manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.0\.1" />
</Context>

 

  • Restart Tomcat after changing the configuration
[root@CentOS7 ~]# systemctl restart tomcat
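Both RemoteAddrValve configurations on this page (the Tomcat 8 section's context.xml and the one just above) are written by hand, and the two easy mistakes are an unescaped dot and forgetting that the pattern must match the whole address. The functions below are an added example, not from the post: they build the allow= value, let you check what it matches with grep -E, and generate a manager password instead of "password1". Tomcat evaluates allow= with Java's Matcher.matches(); [0-9]+ is used in place of the post's \d+ so the same pattern can be tested with grep (the two are equivalent in Java regex). The file name manager_allow.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): build the RemoteAddrValve allow=
# pattern for the manager apps without the two mistakes that are easy to make
# by hand, and generate a manager password that is not "password1".
# allow= is a Java regular expression; Tomcat applies it with Matcher.matches(),
# i.e. it must match the WHOLE client address, and an unescaped "." matches any
# character. [0-9]+ is used instead of \d+ so the same pattern can be checked
# here with grep -E (both mean the same thing in Java regex).

# allow_pattern [ADDR_OR_PREFIX ...] -> prints the pattern
#   192.168.0.1   exact IPv4 host
#   192.168.0.    trailing dot: any host in 192.168.0.0/24
# Loopback (IPv4 and IPv6) is always included, as in the stock context.xml.
allow_pattern() {
    pat='127\.[0-9]+\.[0-9]+\.[0-9]+|::1|0:0:0:0:0:0:0:1'
    for ip in "$@"; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')     # 192.168.0.1 -> 192\.168\.0\.1
        case "$ip" in
            *.) esc="${esc}[0-9]+" ;;                   # prefix -> one more octet
        esac
        pat="$pat|$esc"
    done
    printf '%s\n' "$pat"
}

# matches ADDR PATTERN -> 0 if PATTERN matches the whole of ADDR (grep -x
# mirrors Matcher.matches() for the constructs used above)
matches() {
    printf '%s\n' "$1" | grep -Eqx "$2"
}

# valve_xml PATTERN -> the element to paste into
# webapps/{manager,host-manager}/META-INF/context.xml
valve_xml() {
    printf '  <Valve className="org.apache.catalina.valves.RemoteAddrValve"\n'
    printf '         allow="%s" />\n' "$1"
}

# gen_password [BYTES] -> random base64 password (contains no X
# characters that would need escaping)
gen_password() {
    head -c "${1:-24}" /dev/urandom | base64 | tr -d '\n'
}

# user_xml NAME PASSWORD -> the <user> line for tomcat-users.xml
user_xml() {
    printf '<user username="%s" password="%s" roles="manager-gui,admin-gui"/>\n' "$1" "$2"
}

# Demonstration when run directly:  sh manager_allow.sh 192.168.0.1 10.0.0.
if [ $# -gt 0 ]; then
    p=$(allow_pattern "$@")
    valve_xml "$p"
    user_xml admin "$(gen_password)"
fi
```

The address Tomcat sees is the TCP peer, so behind a reverse proxy every request arrives from the proxy's address and the valve either blocks everything or allows everything; in that layout use RemoteIpValve in front of it or enforce the restriction at the proxy.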

 

 

  • From the manager you can deploy, undeploy, start, stop and reload applications.

 

 

[CentOS7] Let’s Encrypt wildcard setup

site : https://letsencrypt.org/

site: https://certbot.eff.org/docs/install.html

With Let’s Encrypt you would otherwise issue a certificate per host name. If you own test.com, that means

issuing and tracking separate certificates for www.test.com, blog.test.com, work.test.com and so on.

With a wildcard certificate a single issuance covers every first-level subdomain (a name such as a.blog.test.com needs its own certificate or a further wildcard).

Note: follow the steps below for the Let’s Encrypt wildcard setup.

Wildcard certificates are only issued through the dns-01 challenge. With a plain named (BIND) zone that is edited by hand, the TXT record has to be created manually each time, so renewal cannot be automated; unattended renewal needs a DNS service with an update API (a hosted provider's API, or BIND itself via RFC 2136 dynamic updates, for which certbot ships the dns-rfc2136 plugin).

https://developerinsider.co/how-to-create-and-auto-renew-lets-encrypt-wildcard-certificate/

 

 

  • Delete the existing per-host certificates
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]# ./certbot-auto delete --cert-name www.web.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate www.web.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@CentOS7 certbot]#

 

  • Create the wildcard certificate. The first run below fails because the TXT records are not in DNS yet; it is kept to show the two challenge values certbot asks for.
[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. web.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.web.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: web.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.web.com
[root@CentOS7 certbot]#

 

  • named work: add the two challenge values (mha and mhb) as TXT records for _acme-challenge.web.com in the zone file. Two records with the same name are permitted. Also bump the SOA serial (it is 0 here) so that any secondaries pick up the change, then reload the zone.

[root@CentOS7 certbot]# vi /var/named/web.com
$TTL 3H
@       IN SOA  @ ns.web.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        IN      NS      ns.web.com.
                        IN      MX 10   mail.web.com.
web.com.             IN      A       200.200.200.200
                        IN      A       200.200.200.200
mail                    IN      A       200.200.200.200
ns                      IN      A       200.200.200.200
ns1                     IN      A       200.200.200.201
www                     IN      A       200.200.200.200
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mha
_acme-challenge.web.com.        IN      TXT     -----------------------------------------mhb


[root@CentOS7 certbot]# systemctl restart named



[root@CentOS7 certbot]# ./certbot-auto certonly --manual -d "*.web.com" -d web.com  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for web.com
dns-01 challenge for web.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mha

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.web.com with the following value:

-----------------------------------------mhb

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]# vi /var/named/web.com
[root@CentOS7 certbot]# systemctl restart named
[root@CentOS7 certbot]# nslookup -q=txt _acme-challenge.web.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
_acme-challenge.web.com      text = "-----------------------------------------mha"
_acme-challenge.web.com      text = "-----------------------------------------mhb"

Authoritative answers can be found from:

[root@CentOS7 certbot]#
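The manual flow above works once, but every renewal repeats it, which is why the introduction says a plain zone file cannot be automated. BIND can be, via RFC 2136 dynamic updates. The hook script below is an added example, not part of the original post: certbot calls it with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, it pushes the TXT record to the primary with nsupdate, and it waits until the authoritative server actually serves it before certbot proceeds (Let's Encrypt queries the authoritative servers, so the nslookup against 8.8.8.8 above checks the wrong place). It assumes ns.web.com is the primary, that named.conf grants a TSIG key in /etc/named/acme.key the right to update TXT records at _acme-challenge.web.com, and the path /usr/local/bin/acme-hook.sh; the certbot-dns-rfc2136 plugin packages the same mechanism.

```shell
#!/bin/sh
# Added example, not part of the original post: answer the dns-01 challenge
# on a self-hosted BIND by RFC 2136 dynamic update instead of editing the zone
# file by hand, so "certbot renew" can run unattended.
# Assumptions (not from the post): ns.web.com is the primary for web.com and
# its named.conf grants a TSIG key in /etc/named/acme.key the right to update
# TXT records at _acme-challenge.web.com, e.g.
#   update-policy { grant acme. name _acme-challenge.web.com. TXT; };
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks and calls
# them once per name; for -d web.com -d '*.web.com' that is twice for the same
# _acme-challenge.web.com name, which is why two TXT values coexist.
#
# Usage:
#   certbot certonly --manual --preferred-challenges dns-01 \
#       -d web.com -d '*.web.com' \
#       --manual-auth-hook    '/usr/local/bin/acme-hook.sh add' \
#       --manual-cleanup-hook '/usr/local/bin/acme-hook.sh del'

NS=${ACME_NS:-ns.web.com}
ZONE=${ACME_ZONE:-web.com}
KEYFILE=${ACME_KEYFILE:-/etc/named/acme.key}
TTL=60

# nsupdate_batch add|delete ZONE DOMAIN VALUE -> the script fed to nsupdate
nsupdate_batch() {
    action=$1; zone=$2; name="_acme-challenge.$3."; value=$4
    printf 'server %s\nzone %s.\n' "$NS" "$zone"
    if [ "$action" = add ]; then
        printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$value"
    else
        # delete only this value, so the other name's record survives cleanup
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# txt_has_value VALUE  (reads `dig +short TXT` output on stdin)
# -> 0 when one of the quoted strings equals VALUE exactly
txt_has_value() {
    grep -qFx "\"$1\""
}

# wait_for_txt DOMAIN VALUE -> polls the authoritative server for up to 60s
wait_for_txt() {
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short @"$NS" TXT "_acme-challenge.$1" | txt_has_value "$2"; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "TXT record for $1 not visible at $NS" >&2
    return 1
}

case "${1:-}" in
    add) nsupdate_batch add "$ZONE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$KEYFILE" &&
         wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    del) nsupdate_batch delete "$ZONE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$KEYFILE" ;;
esac
```

Scope the TSIG key to the _acme-challenge name and TXT type only, as in the update-policy comment: a key that may update the whole zone turns a leaked hook credential into control of every record, including the A records the web server depends on.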


 

  • Update the nginx configuration to use the wildcard certificate.
[root@CentOS7 certbot]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       443 ssl;      # "ssl on;" is deprecated; enable TLS on the listen line
    server_name  www.web.com web.com;
    root   /var/www/html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;          # exposes directory listings; turn off unless you need them
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;   # must be the same live/ directory as the certificate
    ssl_session_timeout  5m;
    # ... TLS and PHP settings as in the web_blog.conf block below
}

 

  • Test blog.web.com against the wildcard certificate.
[root@CentOS7 certbot]# cd /etc/nginx/sites-enabled/
[root@CentOS7 sites-enabled]# cp web_com.conf web_blog.conf
[root@CentOS7 sites-enabled]# vi web_blog.conf
server {

    listen       80;
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}
server {
    listen       443 ssl;      # "ssl on;" is deprecated; enable TLS on the listen line
    server_name  blog.web.com;
    root   /var/www/html/blog.web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;          # exposes directory listings; turn off unless you need them
    }

    access_log  /var/www/html/blog.web.com/logs/access.log;
    error_log  /var/www/html/blog.web.com/logs/error.log warn;
    ssl_certificate /etc/letsencrypt/live/web.com/fullchain.pem;      # the wildcard covers blog.web.com
    ssl_certificate_key /etc/letsencrypt/live/web.com/privkey.pem;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1.2;     # TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 if the nginx/OpenSSL build supports it
    # Long legacy list: with TLSv1.2 only, the ECDHE+AESGCM entries at the front do the work;
    # the 3DES, CAMELLIA and non-PFS AES entries towards the end can be dropped.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;   # keeps a request for /img.jpg/x.php from reaching php-fpm as a non-existent script
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[root@CentOS7 ~]# mkdir -p /var/www/html/blog.web.com/{public_html,logs}
[root@CentOS7 ~]# chown -R nginx:nginx /var/www/html/blog.web.com/
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# vi /var/www/html/blog.web.com/public_html/index.php
<?php phpinfo(); ?>

  • Test the site over both https and http. Remove the phpinfo() page once the test is done; it discloses the PHP version, loaded modules and file-system paths to anyone who can reach it.

 

 

 

[CentOS7] Let’s Encrypt setup with Apache and nginx

Packages Apache needs before certbot is installed

# yum -y update
# yum -y install httpd mod_ssl epel-release yum-utils

certbot reference page : https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html 

The domain web.com shown in the screenshots is a placeholder chosen for this post.

Official site: https://letsencrypt.org  

certbot-auto site: https://certbot.eff.org/docs/install.html

 

  • Download certbot-auto. It is a self-updating script that runs as root, so verify it before the first run: EFF publishes a detached PGP signature (certbot-auto.asc) for it. certbot-auto has since been retired; on CentOS 7 the supported route is the certbot package from EPEL together with its apache or nginx plugin package.

[root@CentOS7 ~]# mkdir /usr/local/certbot
[root@CentOS7 ~]# cd /usr/local/certbot
[root@CentOS7 certbot]# wget https://dl.eff.org/certbot-auto
[root@CentOS7 certbot]# chmod a+x ./certbot-auto
[root@CentOS7 certbot]# ./certbot-auto --help
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

  --debug                                   attempt experimental installation
  -h, --help                                print this help
  -n, --non-interactive, --noninteractive   run without asking for user input
  --no-bootstrap                            do not install OS dependencies
  --no-self-upgrade                         do not download updates
  --os-packages-only                        install OS dependencies and exit
  --install-only                            install certbot, upgrade if needed, and exit
  -v, --verbose                             provide more output
  -q, --quiet                               provide only update/error output;
                                            implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.
[root@CentOS7 certbot]#

 

  • Run certbot-auto
  • On its first run certbot-auto installs the packages it needs. 
  • Press y to complete the installation. 
[root@CentOS7 certbot]# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.cdnetworks.com
 * epel: mirror.premi.st
 * extras: data.aonenetworks.kr
 * remi-php71: ftp.riken.jp
 * remi-safe: ftp.riken.jp
 * updates: data.aonenetworks.kr
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package augeas-libs-1.4.0-6.el7_6.1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-87.el7.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
~중략
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webtest@gamil.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.web.com
2: web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for web.com
Unable to set enhancement redirect for web.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[root@CentOS7 certbot]#

 

  • After certbot has issued the certificate, review the settings it wrote into ssl.conf. 
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
# The two lines below are the stock CentOS defaults and still admit SSLv3, RC4 and LOW ciphers.
# The Include of options-ssl-apache.conf further down overrides them (in one vhost the later
# directive wins), but deleting them avoids depending on that ordering.
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
  </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLCertificateFile /etc/letsencrypt/live/web.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/web.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/web.com/chain.pem
</VirtualHost>

 

  • Run a web access test. 
  • https://web.com works. The certificate was issued for web.com only (option 2 was chosen), so https://www.web.com fails the browser's name check even though the vhost carries ServerAlias www.web.com. Leaving the selection blank would have put both names into one SAN certificate; the post instead issues a second certificate below. 
  • To cover every subdomain you need a wildcard certificate. 
  • Wildcard certificates are covered separately. 

 

  • Issue the certificate for www.web.com.
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.web.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/httpd-vhosts.conf to ssl vhost in /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#
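Whether a second certificate is needed at all can be decided by reading the first one: a SAN certificate for web.com and www.web.com, or the wildcard from the previous section, already covers the extra name. The functions below are an added example, not the post's own commands, and use only the openssl CLI; make_test_cert builds a self-signed certificate with the SANs web.com and *.web.com as constructed sample data so the checks can be tried offline. The script name cert_check.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: check which host names a
# certificate covers and whether it is still valid N days from now, using only
# the openssl CLI. Answers "do I need a second certificate for www.web.com?"
# before issuing one. make_test_cert builds a self-signed cert with the SANs
# web.com and *.web.com (constructed sample data, not the post's certificate).

# cert_names CERT -> DNS names from the Subject Alternative Name extension,
# one per line; falls back to the subject CN if there is no SAN
cert_names() {
    sans=$(openssl x509 -in "$1" -noout -text |
           awk '/X509v3 Subject Alternative Name/ { getline; print }' |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
    fi
}

# san_matches SAN NAME -> 0 if NAME is covered by SAN. A wildcard covers one
# label only (RFC 6125): *.web.com matches blog.web.com but not web.com or
# a.blog.web.com. Names are compared as given; lower-case them first.
san_matches() {
    san=$1; name=$2
    [ "$san" = "$name" ] && return 0
    case "$san" in
        \*.*)
            suffix=${san#\*.}
            case "$name" in
                *.*) [ "${name#*.}" = "$suffix" ] && return 0 ;;
            esac ;;
    esac
    return 1
}

# cert_covers CERT NAME -> 0 if any SAN (or CN) covers NAME
cert_covers() {
    cert_names "$1" | while read -r san; do
        if san_matches "$san" "$2"; then echo yes; fi
    done | grep -q yes
}

# cert_valid_for_days CERT DAYS -> 0 if the cert has not expired DAYS from now
# (certbot renews at 30 days left by default; alert when this fails for 30)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_test_cert DIR -> DIR/cert.pem + DIR/key.pem, self-signed, 90 days,
# SAN = web.com, *.web.com (constructed sample for trying the checks offline)
make_test_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = web.com
[v3]
subjectAltName = DNS:web.com, DNS:*.web.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Against the live files:
#   sh cert_check.sh /etc/letsencrypt/live/web.com/fullchain.pem www.web.com
if [ $# -eq 2 ]; then
    cert_names "$1"
    cert_covers "$1" "$2" && echo "$2: covered" || echo "$2: NOT covered"
    cert_valid_for_days "$1" 30 && echo "valid for 30+ days" || echo "expires within 30 days"
fi
```

Pointing the script at fullchain.pem works because openssl x509 reads only the first (leaf) certificate in the file; the same two checks, run from cron against every live/ directory, are a cheap way to catch a renewal that silently stopped working.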

 

  • Restart the Apache daemon. 
[root@CentOS7 certbot]# systemctl restart httpd

 

  • Check the web site. 

 

  • nginx setup
[root@CentOS7 ~]# cd /usr/local/certbot/
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

  • Web test: test connecting to https://web.com

  • Create the certificate for https://www.web.com
[root@CentOS7 certbot]# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: web.com
2: www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.web.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/web_com.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/web_com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.web.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.web.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.web.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.web.com/privkey.pem
   Your cert will expire on 2019-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@CentOS7 certbot]#

  • Note on certificate creation
Create the certificate in the form ./certbot-auto -d web.com -d www.web.com so that there is no https error when connecting to http://www.web.com, and
specify the web server with ./certbot-auto --nginx.

  • Web test: test connecting to https://www.web.com

  • Add automatic renewal of the Let's Encrypt certificate
[root@CentOS7 ~]# vi /etc/crontab
0 1 1 * * root /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log

Automatic renewal test
[root@CentOS7 ~]# /usr/local/certbot/certbot-auto renew >> /var/log/le-renew.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Cert not yet due for renewal
[root@CentOS7 ~]#
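Added example, not part of the original post: two checks behind the renewal cron job above and the note on issuing one certificate for both names. cert_needs_renewal mirrors certbot's "due for renewal" decision with openssl x509 -checkend (30 days by default), and cert_covers_name verifies that web.com and www.web.com both appear in the certificate's subjectAltName. The certificates are self-signed test certificates generated inside the script; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not part of the original post.  Two checks behind the
# renewal cron job: cert_needs_renewal mirrors certbot's "due for renewal"
# decision (expiry within 30 days by default) and cert_covers_name verifies
# that one certificate carries both web.com and www.web.com as SANs, the
# reason for issuing it with two -d options.  Test certificates are
# self-signed and generated locally; the openssl CLI must be installed.

# cert_needs_renewal CERT [DAYS] -> 0 if CERT expires within DAYS (default 30)
cert_needs_renewal() {
  days=${2:-30}
  # -checkend exits 0 while the cert stays valid for N more seconds, 1 if not
  if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1          # still valid long enough: "Cert not yet due for renewal"
  fi
  return 0
}

# cert_covers_name CERT NAME -> 0 if NAME is listed in subjectAltName
cert_covers_name() {
  # "DNS:web.com, DNS:www.web.com" -> one "DNS:<name>" per line, exact match
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr -d ' ' | tr ',' '\n' | grep -qx "DNS:$2"
}

# make_test_cert PREFIX DAYS SANS -> self-signed PREFIX.crt/.key valid DAYS days
make_test_cert() {
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = web.com
[v3]
subjectAltName = $3
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -keyout "$1.key" -out "$1.crt" -config "$cfg" >/dev/null 2>&1
  rm -f "$cfg"
}

# Demo: a fresh cert covering both names and a nearly expired single-name one
tmp=$(mktemp -d)
make_test_cert "$tmp/fresh" 90 'DNS:web.com,DNS:www.web.com'
make_test_cert "$tmp/expiring" 10 'DNS:web.com'
for c in fresh expiring; do
  if cert_needs_renewal "$tmp/$c.crt"; then
    echo "$c.crt: due for renewal"
  else
    echo "$c.crt: not yet due for renewal"
  fi
  for n in web.com www.web.com; do
    if cert_covers_name "$tmp/$c.crt" "$n"; then
      echo "  covers $n"
    else
      echo "  does NOT cover $n (browsers visiting https://$n would see a name mismatch)"
    fi
  done
done
rm -rf "$tmp"
```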

Using the ssl certificate with apache and with nginx

A single-sign ssl key was used for the certificate.

ssl single sign will be covered in a later post.

When testing from Windows, register the www.web.com / web.com domains in /windows/system32/drivers/etc/hosts.

  • Install the mod_ssl package so that apache can use the ssl certificate.
[root@CentOS7 ~]# yum install -y mod_ssl

  • Edit the ssl.conf file.
[root@CentOS7 ~]# vi /etc/httpd/conf.d/ssl.conf
NameVirtualHost *:443

<VirtualHost *:443>
ServerName web.com
ServerAlias www.web.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/web.crt
SSLCertificateKeyFile /etc/pki/tls/private/web.key
SSLCACertificateFile /etc/pki/tls/certs/webca.crt

 <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
 </Files>
 <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
 </Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ErrorLog logs/example.com-ssl_error_log
TransferLog logs/example.com-ssl_access_log
LogLevel warn
CustomLog logs/example.com-ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

  • Test connecting to the web site.

  • Force a switch to https when connecting over http
[root@CentOS7 httpd]# vi conf.d/httpd-vhosts.conf
<VirtualHost *:80>
       ServerAdmin admin@web.com
       DocumentRoot /var/www/html/
       ServerName web.com
       ServerAlias www.web.com
<Location />
RedirectMatch /(.*)$ https://www.web.com/$1
</Location>
       ErrorLog /var/www/html/web.com/logs/web.com-error_log
       CustomLog /var/www/html/web.com/logs/web.com-access_log common
</VirtualHost>

  • Migrating the service from apache to nginx
[root@CentOS7 ~]# yum install -y nginx php-fpm
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    charset UTF-8;

        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm
[root@CentOS7 ~]# systemctl start nginx

  • Virtualhost configuration
[root@CentOS7 ~]#  vi /etc/nginx/conf.d/default.conf
server {
    listen       80 default_server;
    server_name  localhost;

[root@CentOS7 ~]# mkdir -p /var/www/html/web.com/{public_html,logs}
[root@CentOS7 ~]# mkdir /etc/nginx/sites-enabled
[root@CentOS7 ~]# vi /etc/nginx/sites-enabled/web_com.conf
server {
    listen       80;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        return 301 https://web.com$request_uri;
    }


    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
}

server {
    listen       443;
    server_name  www.web.com web.com;
    root   /var/www/html/web.com/public_html;
    index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        autoindex on;
    }

    access_log  /var/www/html/web.com/logs/access.log;
    error_log  /var/www/html/web.com/logs/error.log warn;
    ssl         on;
    ssl_certificate      /etc/pki/tls/certs/web.crt;
    ssl_certificate_key  /etc/pki/tls/private/web.key;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
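Added example, not from the original post: a small static audit of the TLS settings in the Apache ssl.conf and the nginx server block above. It prints one WARN line per legacy protocol version, weak cipher selector or deprecated directive; the config samples it writes are constructed, abridged copies of the post's own directives plus a hardened nginx variant for comparison.

```shell
#!/bin/sh
# Added example, not part of the original post: a static audit of the TLS
# settings in the Apache ssl.conf and the nginx vhost above.  It prints one
# "WARN:" line per legacy protocol, weak cipher selector or deprecated
# directive.  The sample configs below are constructed, abridged copies of
# the post's directives plus a hardened nginx variant for comparison.

# cfg_has REGEX -> 0 if the comment-stripped config in $CFG matches REGEX
cfg_has() { printf '%s\n' "$CFG" | grep -Eiq -- "$1"; }

# audit_tls_config FILE -> prints findings for FILE; always returns 0
audit_tls_config() {
  CFG=$(sed 's/#.*$//' "$1")   # drop comments so commented-out directives are ignored

  # ---- Apache mod_ssl ----
  # "SSLProtocol all -SSLv2" still leaves SSLv3, TLSv1 and TLSv1.1 enabled
  if cfg_has '^[[:space:]]*SSLProtocol[[:space:]]+all'; then
    for p in SSLv3 TLSv1 TLSv1.1; do
      cfg_has '^[[:space:]]*SSLProtocol.*-'"$p"'([[:space:]]|$)' \
        || echo "WARN: SSLProtocol 'all' leaves $p enabled; add -$p"
    done
  fi
  cfg_has '^[[:space:]]*SSLCipherSuite.*(:RC4|\+LOW|\+MEDIUM)' \
    && echo "WARN: SSLCipherSuite selects RC4/LOW/MEDIUM ciphers"
  cfg_has '^[[:space:]]*NameVirtualHost' \
    && echo "WARN: NameVirtualHost is obsolete in httpd 2.4; remove it"

  # ---- nginx ----
  cfg_has '^[[:space:]]*ssl_protocols.*TLSv1(\.1)?([[:space:]]|;)' \
    && echo "WARN: ssl_protocols enables TLSv1/TLSv1.1; use 'TLSv1.2 TLSv1.3'"
  cfg_has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' \
    && echo "WARN: 'ssl on;' is deprecated; use 'listen 443 ssl;'"
  cfg_has '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' \
    && echo "WARN: 'listen 443;' lacks the ssl parameter"
  cfg_has '^[[:space:]]*autoindex[[:space:]]+on' \
    && echo "WARN: 'autoindex on' exposes directory listings"
  cfg_has "^[[:space:]]*ssl_ciphers.*[:'\"]DES-CBC3-SHA" \
    && echo "WARN: ssl_ciphers still offers 3DES (DES-CBC3-SHA)"
  return 0
}

# count_findings FILE -> number of WARN lines for FILE
count_findings() { audit_tls_config "$1" | grep -c '^WARN:' || true; }

# write_samples DIR -> constructed config samples (abridged from the post)
write_samples() {
  cat > "$1/page_apache.conf" <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
EOF
  cat > "$1/page_nginx.conf" <<'EOF'
server {
    listen       443;
    server_name  www.web.com web.com;
    location / {
        autoindex on;
    }
    ssl         on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5';
}
EOF
  cat > "$1/hardened_nginx.conf" <<'EOF'
server {
    listen       443 ssl http2;
    server_name  www.web.com web.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
}
EOF
}

# Demo run over the three samples
tmp=$(mktemp -d)
write_samples "$tmp"
for f in page_apache page_nginx hardened_nginx; do
  echo "== $f.conf: $(count_findings "$tmp/$f.conf") finding(s)"
  audit_tls_config "$tmp/$f.conf"
done
rm -rf "$tmp"
```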

  • Test the Web page.
  • Confirm that connecting to www.web.com on port 80 is automatically redirected to https on 443.

[CentOS7] LEMP Stack – nginx-percona-plugin install

A few days ago, at a customer's request, I installed cacti on top of nginx.

Version 1.1.38 comes with no default templates, so graphs cannot be drawn.

When monitoring, Authentication Method -> Builtin Authentication has to be changed to None before all graphs can be viewed.

If the Percona plugin is not used, no separate cacti user account is needed.

For Nginx monitoring, the ss_get_by_ssh script is used, so a cacti or other separate account is required.

When using the cacti account, the ownership of /etc/cacti/db.php must be changed to cacti. If it is not, cacti will not work properly.

Run a System update before installing nginx.

Reboot after the System update.

[root@CentOS7 ~]# yum update -y
[root@CentOS7 ~]# init 6

  • Create the nginx repo file.
[root@CentOS7 ~]# vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@CentOS7 ~]# yum clean all ; yum list

  • Install nginx
[root@CentOS7 ~]# yum install -y nginx

  • Install the epel-release and remi-release-7 packages needed for php71
[root@CentOS7 ~]# yum install -y epel-release
[root@CentOS7 ~]# rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm   
[root@CentOS7 ~]# yum clean all ; yum list
[root@CentOS7 ~]# yum update -y
[root@CentOS7 ~]# init 6
[root@CentOS7 ~]# yum-config-manager --enable remi-php71

  • Install php71
[root@CentOS7 ~]# yum install -y php php-opcache php-mysql php-fpm php-gd \
 php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-soap curl curl-devel

[root@CentOS7 ~]# vi /etc/yum.repos.d/mariadb.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
[root@CentOS7 ~]# yum clean all ; yum list

  • Install mariadb
[root@CentOS7 ~]# yum install -y mariadb mariadb-server

  • mariadb Daemon enable & start
[root@CentOS7 ~]# systemctl enable mariadb
[root@CentOS7 ~]# systemctl start mariadb

  • Run mysql_secure_installation
[root@CentOS7 ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@CentOS7 ~]#

  • nginx daemon enable & start
[root@CentOS7 ~]# systemctl enable nginx
[root@CentOS7 ~]# systemctl start nginx

  • nginx.conf configuration
[root@CentOS7 ~]# vi /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

  • Configure the default.conf file
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
        root   /usr/share/nginx/html;
        index  index.php index.html index.htm;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }


    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

  • Restart the nginx daemon
[root@CentOS7 ~]# systemctl restart nginx

  • php-fpm.conf configuration
[root@CentOS7 ~]# vi /etc/php-fpm.d/www.conf
user = nginx
group = nginx

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

  • php-fpm daemon enable & start
[root@CentOS7 ~]# systemctl enable php-fpm
[root@CentOS7 ~]# systemctl start php-fpm

  • Check phpinfo()
[root@CentOS7 ~]# vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>

  • Check the web site

  • Install cacti
[root@CentOS7 ~]# yum install -y httpd httpd-devel mariadb-server php-mysql php-pear php-common php-gd \
 php-devel php php-mbstring php-cli php-snmp net-snmp-utils net-snmp-libs rrdtool cacti

  • Create the db
[root@CentOS7 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database cacti;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit;
Bye
[root@CentOS7 ~]#

  • cacti db setup
[root@CentOS7 ~]# rpm -ql cacti | grep cacti.sql
/usr/share/doc/cacti-1.1.38/cacti.sql
[root@CentOS7 ~]# mysql -u root -p cacti < /usr/share/doc/cacti-1.1.38/cacti.sql
Enter password:
[root@CentOS7 ~]# vi /etc/cacti/db.php
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cacti';
$database_password = 'password';
$database_port     = '3306';
$database_ssl      = false;

  • Edit nginx default.conf
[root@CentOS7 ~]# vi /etc/nginx/conf.d/default.conf
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        #deny all;
    }
    # cacti settings
    location /cacti {
    alias /usr/share/cacti;
    index index.php;
    }

    location ~ ^/cacti.+\.php$ {
    # fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;

    fastcgi_split_path_info ^/cacti(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME /usr/share/cacti/$fastcgi_script_name;
    include /etc/nginx/fastcgi_params;
    }

  • Restart the nginx daemon and check /server-status
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# curl http://localhost/server-status
Active connections: 1
server accepts handled requests
 1 1 1
Reading: 0 Writing: 1 Waiting: 0
[root@CentOS7 ~]#

  • Change db.php ownership
[root@CentOS7 ~]# chown nginx:nginx /etc/cacti/db.php

  • mysql.time_zone_name setup
[root@CentOS7 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT SELECT ON mysql.time_zone_name to 'cacti'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye
[root@CentOS7 ~]#

  • php.ini configuration and php-gmp package install
[root@CentOS7 ~]# vi /etc/php.ini
date.timezone =Asia/Seoul

[root@CentOS7 ~]# yum install -y php-gmp

  • mariadb configuration
[root@CentOS7 ~]# vi /etc/my.cnf.d/server.cnf
[server]
character-set-server=utf8mb4
collation-server = utf8mb4_unicode_ci
max_heap_table_size = 200M
max_allowed_packet = 16777216
tmp_table_size = 64M
join_buffer_size = 64M
innodb_buffer_pool_size = 921M
innodb_doublewrite = OFF
innodb_additional_mem_pool_size = 80M
innodb_flush_log_at_timeout = 3
innodb_read_io_threads = 32
innodb_write_io_threads = 16


[root@CentOS7 ~]# vi /etc/my.cnf.d/client.cnf
[client]
default-character-set = utf8mb4


[root@CentOS7 ~]# systemctl restart mariadb
[root@CentOS7 ~]# systemctl restart nginx
[root@CentOS7 ~]# systemctl restart php-fpm

[root@CentOS7 ~]# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
Enter password:
Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.
[root@CentOS7 ~]#

  • All configuration is complete.

  • Click Next.

  • Click Next.

  • Install spine.
  • The latest spine version can be found at https://www.cacti.net/downloads/spine/
[root@CentOS7 ~]# yum install -y gcc mysql-devel net-snmp-devel autoconf automake libtool dos2unix help2man
[root@CentOS7 ~]# mkdir spine
[root@CentOS7 ~]# cd spine/
[root@CentOS7 spine]# wget https://www.cacti.net/downloads/spine/cacti-spine-1.1.38.tar.gz
[root@CentOS7 spine]# tar xvf cacti-spine-1.1.38.tar.gz
[root@CentOS7 spine]# cd cacti-spine-1.1.38/
[root@CentOS7 cacti-spine-1.1.38]# ./bootstrap
INFO: Spine bootstrap process completed

  These instructions assume the default install location for spine
  of /usr/local/spine.  If you choose to use another prefix, make
  sure you update the commands as required for that new path.

  To compile and install Spine using MySQL versions 5.5 or higher
  please do the following:

  ./configure
  make
  make install
  chown root:root /usr/local/spine/bin/spine
  chmod +s /usr/local/spine/bin/spine

  To compile and install Spine using MySQL versions previous to 5.5
  please do the following:

  ./configure --with-reentrant
  make
  make install
  chown root:root /usr/local/spine/bin/spine
  chmod +s /usr/local/spine/bin/spine
[root@CentOS7 cacti-spine-1.1.38]# ./configure
[root@CentOS7 cacti-spine-1.1.38]# make && make install
[root@CentOS7 cacti-spine-1.1.38]# chown root:root /usr/local/spine/bin/spine
[root@CentOS7 cacti-spine-1.1.38]# chmod +s /usr/local/spine/bin/spine
[root@CentOS7 ~]# cp /usr/local/spine/etc/spine.conf.dist /etc/spine.conf
[root@CentOS7 ~]# vi /etc/spine.conf
DB_Host                 localhost
DB_Database             cacti
DB_User                 cacti
DB_Pass                 password
DB_Port                 3306

  • spine test
[root@CentOS7 ~]# /usr/local/spine/bin/spine
SPINE: Using spine config file [/etc/spine.conf]
SPINE: Version 1.1.38 starting
SPINE: Time: 0.0249 s, Threads: 5, Devices: 0
[root@CentOS7 ~]#

  • Click Next.

  • cacti version 1.1.38 requires separate permission settings.
  • Options during installation
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/resource/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/scripts/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/log/
[root@CentOS7 ~]# chown -R nginx.nginx /usr/share/cacti/cache/

  • Click Next.

  • Select the monitoring Device, then click Next.
  • The initial login id/pass is admin/admin, and Keep me signed in must be checked.

  • Logged-in view

  • cacti directory permissions after installation
[root@CentOS7 ~]# chown -R nginx:nginx /usr/share/cacti/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/cache/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/cli/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/rra/
[root@CentOS7 ~]# chown -R nginx:nginx /var/lib/cacti/scripts/

  • snmpd configuration
[root@CentOS7 ~]# systemctl enable snmpd
[root@CentOS7 ~]# systemctl start snmpd

[root@CentOS7 ~]# vi /etc/snmp/snmpd.conf
#       sec.name  source          community
com2sec public  default       public

####
# Second, map the security name into a group name:

#       groupName      securityModel securityName
group   public v1           public
group   public v2c          public

####
# Third, create a view for us to let the group have rights to:

# Make at least  snmpwalk -v 1 localhost -c public system fast again.
#       name           incl/excl     subtree         mask(optional)
#view    systemview    included   .1.3.6.1.2.1.1
#view    systemview    included   .1.3.6.1.2.1.25.1.1
view     all           included    .1

####
# Finally, grant the group read-only access to the systemview view.

#       group          context sec.model sec.level prefix read   write  notif
#access  notConfigGroup ""      any       noauth    exact  systemview none none
access  public ""      any       noauth    exact  all none none

[root@CentOS7 ~]# systemctl restart snmpd
[root@CentOS7 ~]# snmpwalk -v2c -c public 192.168.0.33

  • poller.php configuration
[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     nginx   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

## Caution: when using the ss_get_by_ssh script, it cannot run properly unless it runs under the cacti account.

[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1

  • Download the Device template files
[root@CentOS7 ~]# mkdir cacti
[root@CentOS7 ~]# cd cacti/

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:generic_snmp_device.xml.gz

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:local_linux_machine.xml.gz -O local_linux_machine.xml.gz

[root@CentOS7 cacti]# wget https://docs.cacti.net/_media/template:package:netsnmp_device.xml.gz -O netsnmp_device.xml.gz

[root@CentOS7 cacti]# chmod +x /usr/share/cacti/cli/import_package.php

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./local_linux_machine.xml.gz

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./template:package:generic_snmp_device.xml.gz

[root@CentOS7 cacti]# /usr/share/cacti/cli/import_package.php --filename=./netsnmp_device.xml.gz

  • Create the cacti device

  • Click Create Graphs for this Device

  • Click Create

  • Go to Graphs.

  • Click the View button

  • Click Logs in the top menu.

  • Console -> Configuration -> Settings -> Authentication
  • Change Authentication Method -> Builtin Authentication to None

  • Go to Graphs.

  • After 10 minutes the graphs display normally.

  • Install the nginx percona templates
[root@CentOS7 cacti]# wget https://www.percona.com/downloads/percona-monitoring-plugins/percona-monitoring-plugins-1.1.7/binary/redhat/7/x86_64/percona-cacti-templates-1.1.7-2.noarch.rpm
[root@CentOS7 cacti]# yum install -y percona-cacti-templates-1.1.7-2.noarch.rpm

  • Load the nginx percona templates
[root@CentOS7 cacti]# php /usr/share/cacti/cli/import_template.php --filename=/usr/share/cacti/resource/percona/templates/cacti_host_template_percona_nginx_server_ht_0.8.6i-sver1.1.7.xml
Read 42607 bytes of XML data
Import Results
Cacti has imported the following items for the Template:
CDEF
[success] Percona Turn Into Bits CDEF [new]
[success] Percona Negate CDEF [new]
GPRINT Preset
[success] Percona Nginx Server Checksum c5c20ca1d61ee9ccbb45854a46ce6fe8 [new]
[success] Percona Nginx Server Version t1.1.7:s1.1.7 [new]
[success] Percona Normal [new]
Data Input Method
[success] Percona Get Nginx Stats/Nginx Requests IM [new]
[success] Percona Get Nginx Stats/Nginx Accepts/Handled IM [new]
[success] Percona Get Nginx Stats/Nginx Scoreboard IM [new]
Data Template
[success] Percona Nginx Requests DT [new]
[success] Percona Nginx Accepts/Handled DT [new]
[success] Percona Nginx Scoreboard DT [new]
Graph Template
[success] Percona Nginx Requests GT [new]
[success] Percona Nginx Accepts/Handled GT [new]
[success] Percona Nginx Scoreboard GT [new]
Device Template
[success] Percona Nginx Server HT [new]
[root@CentOS7 cacti]#
[root@CentOS7 cacti]# chown -R cacti:nginx resource/

  • Go to Data Collection -> Data Input Methods.

  • Change the Input String
Before: <path_php_binary> -q <path_cacti>/scripts/ss_get_by_ssh.php --host <hostname> --type nginx --items hw,ig,ih,ii --server <server> --url <url> --http-user <http-user> --http-password <password>

After: <path_php_binary> -q <path_cacti>/scripts/ss_get_by_ssh.php --host <hostname> --type nginx --items hw,ig,ih,ii

  • After saving, apply the same change to every nginx template.
  • Add Graph Template

  • Click Create Graphs for this Device.

  • Console -> Data Collection -> Data Collectors -> change Web Site Hostname to 192.168.0.33
  • Click Save to save the change.

  • Create the User
[root@CentOS7 ~]# useradd -d /usr/share/cacti cacti
[root@CentOS7 ~]# mkdir /usr/share/cacti/.ssh
[root@CentOS7 ~]# chmod 700 /usr/share/cacti/.ssh
[root@CentOS7 ~]# chown cacti:cacti /usr/share/cacti/.ssh

  • ss_get_by_ssh.php setup
[root@CentOS7 cacti]# su - cacti
-bash-4.2$ pwd
/usr/share/cacti
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/share/cacti/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/share/cacti/.ssh/id_rsa.
Your public key has been saved in /usr/share/cacti/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y7EHWx/3qKXjoDnq68yDRV79YBx/kkglxdtsTVb8KZ0 cacti@CentOS7
The key's randomart image is:
+---[RSA 2048]----+
|          .+o  .o|
|          o..   +|
|         + + =.++|
|      . . * =.=Eo|
|     o .S..o.+o  |
|      o. B ..o o |
|     o  = o . o .|
|    .o. .+ ..+   |
|     oB+o. .+.   |
+----[SHA256]-----+
-bash-4.2$ cd .ssh/
-bash-4.2$ cat id_rsa.pub >> authorized_keys
-bash-4.2$ chmod 600 authorized_keys
-bash-4.2$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:ZWA5Uum+t2aMbqe60UBUVGMLCoTWSkOdVF50tY70k+w.
ECDSA key fingerprint is MD5:c9:d5:01:7b:e7:49:69:e4:73:39:bb:58:65:a5:0a:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Last login: Tue Feb  5 02:50:25 2019
-bash-4.2$

  • ss_get_by_ssh.php test
[root@CentOS7 ~]# cd /usr/share/cacti/scripts/
[root@CentOS7 scripts]# chown cacti:cacti ss_get_by_ssh.php
[root@CentOS7 scripts]# chmod +x ss_get_by_ssh.php

[root@CentOS7 scripts]# su - cacti
Last login: Tue Feb  5 02:55:06 KST 2019 on pts/0
-bash-4.2$ php /usr/share/cacti/scripts/ss_get_by_ssh.php --type nginx --host 127.0.0.1 --items hw,hx
hw:7 hx:46-bash-4.2$

 

  • Permission changes so the Percona templates (ss_get_by_ssh.php) can monitor nginx. The first two chown -R lines already cover the subdirectories listed after them; the extra lines are harmless repeats. Note that db.php holds the database credentials, so its mode (not only its owner) matters.
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/
[root@CentOS7 ~]# chown -R cacti:nginx /usr/share/cacti/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/cache/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/cli/
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/rra
[root@CentOS7 ~]# chown -R cacti:nginx /var/lib/cacti/scripts/
[root@CentOS7 ~]# chown -R cacti:nginx /var/log/cacti/
[root@CentOS7 ~]# chown cacti:nginx /etc/cacti/db.php

[root@CentOS7 ~]# vi /etc/cron.d/cacti
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1
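The chown lines above set owners but never set modes, and a world-readable /etc/cacti/db.php or id_rsa hands out the database credentials and the poller's SSH key. The following added example (not from the original page) is a small checker I would run after the permission step; the function names are mine and the files it is demonstrated on are constructed temporary files. The real targets on this page are /etc/cacti/db.php, /usr/share/cacti/.ssh/id_rsa and /usr/share/cacti/.ssh/authorized_keys.

```bash
#!/bin/bash
# Added example (not from the original page): verify that files holding Cacti
# secrets carry no permission bits for "other", and say how to fix them.

# other_bits <path> -> prints the "other" permission triplet from ls -l, e.g. "r--" or "---"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# check_secret_file <path> -> 0 if "other" has no bits, 1 if exposed, 2 if missing
check_secret_file() {
    local path="$1" o
    [ -e "$path" ] || { echo "MISSING  $path" >&2; return 2; }
    o=$(other_bits "$path")
    if [ "$o" = "---" ]; then
        echo "OK       $path ($(ls -ld -- "$path" | awk '{print $1, $3":"$4}'))"
        return 0
    fi
    echo "EXPOSED  $path is readable by others (other=$o); fix with: chmod o-rwx $path" >&2
    return 1
}

# check_all <paths...> -> exit status is the number of files that are exposed or missing
check_all() {
    local rc=0 p
    for p in "$@"; do
        check_secret_file "$p" || rc=$((rc + 1))
    done
    return $rc
}

# Demonstration on constructed files; on the real host call
#   check_all /etc/cacti/db.php /usr/share/cacti/.ssh/id_rsa /usr/share/cacti/.ssh/authorized_keys
demo=$(mktemp -d)
printf 'fake db.php with credentials\n' > "$demo/db.php"; chmod 644 "$demo/db.php"   # reported EXPOSED
printf 'fake private key\n' > "$demo/id_rsa";              chmod 600 "$demo/id_rsa"   # reported OK
check_all "$demo/db.php" "$demo/id_rsa" || echo "$? file(s) need attention" >&2
rm -rf "$demo"
```

With the ownership from the page (cacti:nginx), chmod 640 on db.php keeps it readable by the cacti poller and the nginx/php-fpm group while closing it to every other local account.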

 

  • nginx monitoring result

 

  • Additional settings
  • In Configuration -> Settings -> Paths, set the Spine Config File Path.
  • /etc/spine.conf

 

  • In Configuration -> Settings -> Poller, change the Poller Type.
  • Poller Type: change to spine
  • Poller Interval: change to Every Minute. The cron entry in /etc/cron.d/cacti created above runs poller.php only every 5 minutes; the cron schedule has to match the interval configured here, so change it to run every minute (* * * * *) or Cacti will warn that cron is out of sync with the poller interval.

 

  • Change the Spine Specific Execution Parameters
  • Maximum Threads per Process: 1 -> 16
  • Number of PHP Script Servers: 1 -> 8

 

  • Click Save to finish the configuration.
  • If nginx monitoring fails, check the following logs and settings.
  • Enabling Debug on the device entry gives detailed per-device logs.
  • Check the Web Site Hostname under Console -> Data Collection -> Data Collectors.
  • [root@CentOS7 scripts]# tail -f /var/log/secure and confirm that the cacti user's SSH login to localhost succeeds.
  • Check the user name in the cacti cron entry (/etc/cron.d/cacti): poller.php must run as cacti, because that account owns the SSH key ss_get_by_ssh.php uses.
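For the /var/log/secure check above, reading a tail by eye is fine once, but the poller logs in every cycle, so a summary is more useful. The following added example (not from the original page) counts accepted and failed publickey logins for the cacti user in CentOS 7 sshd log format and flags any accepted login from an address other than loopback, which should never happen for this key. The log lines are constructed samples with fake PIDs, ports and fingerprints, and the function name is mine.

```bash
#!/bin/bash
# Added example (not from the original page): summarise the cacti user's SSH
# logins from /var/log/secure. The poller key is meant to be used only from
# localhost, so an accepted login for "cacti" from any other address is flagged.

# cacti_ssh_summary <logfile>
#   prints: accepted_local=N accepted_remote=N failed=N [remote_ips=a,b]
#   returns 0 when at least one local login succeeded and none came from elsewhere
cacti_ssh_summary() {
    awk -v user="cacti" '
        # CentOS 7 sshd line: Mon DD HH:MM:SS host sshd[pid]: Accepted publickey for USER from IP port ...
        $5 ~ /^sshd\[/ && $6 == "Accepted" && $9 == user {
            ip = $11
            if (ip == "127.0.0.1" || ip == "::1") loc++
            else { remote++; remote_ips = (remote_ips == "" ? ip : remote_ips "," ip) }
        }
        # "Failed publickey for cacti from ..." (a "Failed password for invalid user X" line has $9 == "invalid")
        $5 ~ /^sshd\[/ && $6 == "Failed" && $9 == user { failed++ }
        END {
            printf "accepted_local=%d accepted_remote=%d failed=%d%s\n",
                   loc, remote, failed, (remote ? " remote_ips=" remote_ips : "")
            exit (loc > 0 && remote == 0 ? 0 : 1)
        }' "$1"
}

# Constructed sample of /var/log/secure (fake PIDs, ports and fingerprints, not real captures).
SAMPLE_SECURE_LOG='Feb  5 02:50:25 CentOS7 sshd[12345]: Accepted publickey for cacti from 127.0.0.1 port 45678 ssh2: RSA SHA256:FAKEFINGERPRINTFORDEMO
Feb  5 02:50:25 CentOS7 sshd[12345]: pam_unix(sshd:session): session opened for user cacti by (uid=0)
Feb  5 02:55:10 CentOS7 sshd[12400]: Failed publickey for cacti from 127.0.0.1 port 45690 ssh2: RSA SHA256:OTHERFAKEFINGERPRINT
Feb  5 02:55:10 CentOS7 sshd[12400]: Connection closed by authenticating user cacti 127.0.0.1 port 45690 [preauth]
Feb  5 03:01:02 CentOS7 sshd[12500]: Accepted publickey for cacti from 192.168.0.77 port 51000 ssh2: RSA SHA256:FAKEFINGERPRINTFORDEMO
Feb  5 03:02:00 CentOS7 sshd[12600]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2'

# Usage on the constructed sample; on the real host run: cacti_ssh_summary /var/log/secure
sample=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE_LOG" > "$sample"
cacti_ssh_summary "$sample" || echo "WARNING: remote login seen or no successful local login" >&2
rm -f "$sample"
```

A result with failed greater than zero and accepted_local equal to zero means the key or authorized_keys permissions are wrong (the page sets .ssh to 700 and authorized_keys to 600); a non-zero accepted_remote means the private key is being used from somewhere it should not be.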

 

  • Lost cacti admin password / locked admin account
Unlocking the account directly in MariaDB. Note what the session below actually does: the UPDATE has no WHERE clause, so it sets enabled='on' for every row in user_auth (3 rows matched, 1 changed), which re-enables a locked account but does not change any password; and FLUSH PRIVILEGES only reloads MariaDB's own grant tables, so it has no effect on Cacti's user_auth table and can be omitted.

[root@localhost log]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 430
Server version: 10.1.35-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use cacti;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [cacti]> update user_auth set enabled=('on');
Query OK, 1 row affected (0.03 sec)
Rows matched: 3  Changed: 1  Warnings: 0

MariaDB [cacti]>  flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [cacti]>