LAMP环境下安装Typecho

准确来说是Debian10, Apache2, Mariadb和PHP环境下从头开始装Typecho的记录
同时使用certbot来申请letsencrypt的免费通配符TLS证书
(写得又长又乱,算了反正也没人看就酱吧
本文将按如下顺序讲述:

  • 获取Debian Buster packages
  • 利用ufw打开https和http防火墙端口(当然包括SSH端口)
  • 配置mariadb
  • 获取SSL证书,可能包括通过cloudflare获取通配符证书
  • 配置apache2,包括给Typecho配置静态地址的conf设置, TLSv1.3和HTTP2.0的启用
  • 安装Typecho
root@server:~$sudo command
the following line/lines are output

例如:

root@server~$ apt update
Hit:1 http://deb.debian.org/debian buster InRelease
Get:2 http://deb.debian.org/debian-security buster/updates InRelease [39.1 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:4 http://deb.debian.org/debian-security buster/updates/main amd64 Packages [82.1 kB]
Get:5 http://deb.debian.org/debian-security buster/updates/main Translation-en [50.8 kB]
Fetched 221 kB in 1s (370 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

如果你嫌每次都打sudo很麻烦,那么可以su root进入加过钱的超级用户模式,这时候你的美元就升级为#号了

root@server:~#

*#号前面的~其实是你当前登录用户的根目录,如果是root那么在/root如果是其他用户,比如touamano那么在/home/touamano
查看当前文件路径请拨打 pwd并选择回车*

获取Debian Buster packages

分为两部分,
第一个部分的包括ufw, web server apache,relational database mariadb,和typecho需要的一些php插件

root@server:~$ sudo apt install ufw apache2 mariadb-server php php-mysql php-mbstring php-curl 

第二部分包括certbot和certbot-dns-cloudflare插件
通过cloudflare申请通配符域名证书需要由cloudflare为你的域名提供DNS解析,certbot提供多个DNS解析服务商插件详情见https://certbot.eff.org/docs/using.html#dns-plugins

root@server:~$ sudo apt install certbot python-certbot-apache python3-certbot-dns-cloudflare

ufw放行http https和ssh端口

root@server:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

这里会提示开启ufw可能会终端现有的ssh连接,输入y允许。

root@server:~$ sudo ufw allow http
Rule added
Rule added (v6)

允许https和ssh

root@server:~$ sudo ufw allow https
root@server:~$ sudo ufw allow ssh

注意有些VPS服务商提供的SSH登录端口可能不是默认的22端口,请务必根据情况把ssh改成对应的端口避免服务重启后无法链接
查看防火墙状态:

root@server:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
22/tcp                     ALLOW IN    Anywhere                  
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
22/tcp (v6)                ALLOW IN    Anywhere (v6)

配置mariadb

**第一个问题直接按Enter,因为默认root密码是空的
第二个按y,并在New password这行输入你的密码(不会显示你输入的内容)
Re-enter New password这行重新输入一遍密码
之后都是按y**

root@server:~$ sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

设置Typecho专用数据库用户,创建数据库,和给予该数据库的所有权限

root@server:~$ sudo mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

接下来创建名为 ‘typecho’的用户,密码为‘yourpassword’
注意现在已经进入MariaDB的界面,‘MariaDB[(none)]>’。none是没有选择数据库
MariaDB[(none)]> 后面的内容你是你需要的command

MariaDB [(none)]> create user 'typecho'@'localhost' identified by 'yourpassword';
Query OK, 0 rows affected (0.00 sec)

创建名为‘typecho_db’的数据库

MariaDB [(none)]> create database typecho_db;
Query OK, 1 row affected (0.00 sec)

授予用户‘typecho’在‘typecho_db’数据库上的所有权限

MariaDB [(none)]> grant all on typecho_db.* to 'typecho'@'localhost';
Query OK, 0 rows affected (0.00 sec)

现在退出数据库界面

MariaDB [(none)]> exit
Bye
root@server:~$

获取SSL证书

开始本部分内容前,需要将你的域名DNS解析托管到cloudflare并把ip指向你的vps
并确认已经安装 apache2 certbot python-certbot-apache python3-certbot-dns-cloudflare
同时确认放行80端口,apache2在运行状态

  1. 获取证书

    root@server:~$ sudo certbot certonly -d yourdomain.com -d www.yourdomain.com --apache

成功之后会给出两个路径

Congratulations! Your certificate and chain have been saved at:
  
/etc/letsencrypt/live/demonstration.touamano.com/fullchain.pem
   Your key file has been saved at:
/etc/letsencrypt/live/demonstration.touamano.com/privkey.pem

注意记下这两个证书的路径,后面设置apache conf的时候会用到。
其实正确的输出会让你填一个应急邮箱,然后同意TOS,然后问你是否愿意给EFF共享你的邮箱地址。
我这个其实是revoke掉之前的证书然后重新申请一次的output。
刚刚忘记保存了,结果之前敲了好久的内容都没了。哎。

  1. 获取通配符证书

需要获取一个cloudflare的global api然后在 ~/.secret里新建一个cf.ini文件

root@server:~$ sudo mkdir .secret
root@server:~$ sudo vim .secret/cf.ini
按insert左下角会出现--insert--这时候就可以输入了
dns_cloudflare_email = 你的邮箱
dns_cloudflare_api_key = 你的api
按ESC后输入:wq来保存文件
root@server:~$ sudo chmod 0600 .secret .secret/*
root@server:~$ sudo certbot certonly \
> --dns-cloudflare \
> --dns-cloudflare-credentials ~/.secret/cf.ini \
> -d *.yourdomain.com
> -d yourdomain.com
> --apache

输出跟上面差不多,需要填邮箱,同意TOS,选择是否共享邮箱地址给EFF

配置apache2

先打开一堆apache2的模组:

root@server:~$ sudo a2enmod rewrite ssl headers http2
root@server:~$ cd /etc/apache2/sites-enabled
root@server:/etc/apache2/sites-enabled$ ls
000-default.conf
root@server:/etc/apache2/sites-enabled$ sudo vim 000-default.conf

参考我的conf配置:

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/blog
    # 之后Typecho会放blog目录
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Https重定向

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerName yourdomain.com
    # ServerAlias www.yourdomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/blog
    # 之后Typecho会放Blog目录
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # 下面这部分指定了http协议的优先级,优先用http2
    Protocols h2 h2c http/1.1
    # 下面这部分指定了TLS版本和SSLCipherSuite的优先使用加密方法
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    # 如果不需要TLSv1.3,可以去掉+TLSv1.3, 同时去掉SSLCipherSuite TLSv1.3 和SSLCipherSuite SSL后面的这个SSL
    # 添加HSTS的头部
    Header always set Strict-Transport-Security "max-age=15768000"
    #之前申请SSL证书的时候多加了一行--apache,所以下面多了一行这个,可以去掉。不去掉的话等等还得去修改这个conf
    Include /etc/letsencrypt/options-ssl-apache.conf
    # 下面两行指向刚刚生气的SSL证书,记得把yourdomain.com改成你申请到证书的正确路径
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
</VirtualHost>
</IfModule>

ESC并键入:wq保存并退出。

这时候可以重启apache2了

root@server:/etc/apache2/sites-enabled$  sudo systemctl restart apache2

如果报错那么查看下问题:

root@server:/etc/apache2/sites-enabled$ sudo systemctl status apache2.service

一般是版本不对导致开不了TLSv1.3, 或者必须的模组没打开 或者是 SSL证书的文件路径不对
可选择开启Typecho静态地址

root@server:~$ cd /etc/apache2
root@server:/etc/apache2$ sudo vim apache2.conf
输入173 再按shift和g,快速到达173行。额外添加以下内容
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]

最后像下面这样:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
</Directory>

后就可以ESC,并:wq保存并推出。记得重启下apache2

可选择使用http2
由于apache2默认使用mpm_prefork模组,所以不能直接通过a2enmod http2来生效
https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config

root@server:~$ sudo apt-get install php-fpm
root@server:~$ sudo a2enmod proxy_fcgi
root@server:~$ sudo a2enconf php7.3-fpm
root@server:~$ sudo a2dismod php7.3
root@server:~$ sudo a2dismod mpm_prefork
root@server:~$ sudo a2enmod mpm_event
root@server:~$ sudo systemctl restart apache2

截至到今天,Debian10默认包的php版本是7.3.4所以上面是php7.3-fpm,请使用对应的php版本
apache2的版本好像只要高于2.4.17就可以开启http2了,别忘记a2enmod http2

推荐设置下/etc/apache2/conf-enabled/security.conf:

ServerToken Prod
ServerSignature Off
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"

安装Typecho

root@server:~$ mkdir /var/www/blog
root@server:~$ cd !$
root@server:/var/www/blog$ sudo wget https://github.com/typecho/typecho/releases/download/v1.1-17.10.30-release/1.1.17.10.30.-release.tar.gz
root@server:/var/www/blog$ sudo tar zxvf 1.1.17.10.30.-release.tar.gz
root@server:/var/www/blog$ sudo mv build/* . | sudo rm 1.1.17.10.30.-release.tar.gz
root@server:/var/www/blog$ sudo rmdir build
root@server:/var/www/blog$ ls
admin  index.php  install  install.php  LICENSE.txt  usr  var

临时把blog文件夹所属用户改为www-data

root@server:/var/www/blog$ sudo chown www-data /var/www/blog

这时候可以打开浏览器到yourdomain.com
按教程输入在配置Mariadb里设定的用户名,密码,数据库名后设置下密码。
把blog文件夹所属用户改回root, 把config.inc.php的所属用户和用户组改为root
删除install文件夹

root@server:/var/www/blog$ sudo chown root /var/www/blog
root@server:/var/www/blog$ sudo chown root:root /var/www/blog/config.inc.php
root@server:/var/www/blog$ sudo rm /var/www/blog/install/*
root@server:/var/www/blog$ sudo rmdir /var/www/blog/install

修改admin路径为, new_entrance

root@server:/var/www/blog$ sudo vim config.inc.php
键入20 并按shift和g到达20行,把/admin/修改为new_entrance
define('__TYPECHO_ADMIN_DIR__', '/new_entrance/');
按ESC,并键入:wq保存并退出

修改admin文件夹为new_entrance

root@server:/var/www/blog$ sudo mv admin new_entrance

这样子新的后台路口就变成了:
https://yourdomain.com/new_entrance