
The complete Linux production server setup guide: 24 key steps from bare metal to go-live
You have just bought a new server. What is the first thing to do? Not installing BT Panel (宝塔), but reading this article. It covers every key step from system initialization to production go-live and applies to CentOS, Ubuntu and Debian.
Contents
- System initialization and security hardening
- SSH security configuration
- Firewall and port management
- Users and permissions
- Nginx installation and configuration
- SSL certificate automation
- Docker containerized deployment
- Database security configuration
- Monitoring and alerting
- Log management
- Automated backups
- Performance tuning
1. System initialization and security hardening
The first 30 minutes after you get a server set the security baseline for the years that follow.
1.1 System updates
# Ubuntu/Debian
apt update && apt upgrade -y
# CentOS/RHEL
dnf update -y
1.2 Set the time zone and hostname
timedatectl set-timezone Asia/Shanghai
hostnamectl set-hostname prod-web-01
1.3 Disable unnecessary services
# Units that are not installed on this host are reported as missing; that message can be ignored
systemctl disable --now bluetooth cups avahi-daemon
1.4 Kernel parameter tuning
Edit /etc/sysctl.conf (or put these lines in a file such as /etc/sysctl.d/99-hardening.conf and load it with sysctl --system):
# Network tuning
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
# Security hardening (the "default" variants cover interfaces created later, e.g. Docker bridges)
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# File descriptors
fs.file-max = 655350
fs.inotify.max_user_watches = 524288
Apply the file and confirm one of the values actually took effect:
sysctl -p
sysctl net.ipv4.conf.all.accept_redirects

2. SSH security configuration
SSH is the server's front door; 90% of intrusions start here.
2.1 Generate a strong key
ssh-keygen -t ed25519 -C "[email protected]"
2.2 Configure sshd_config
# Prerequisite: the deploy user (4.1) must already exist with your public key in
# ~deploy/.ssh/authorized_keys, otherwise "AllowUsers deploy" plus "PasswordAuthentication no"
# locks you out. Keep this session open and test a fresh login on the new port before closing it.
# Use a drop-in rather than appending to sshd_config: sshd keeps the FIRST value it reads for a
# keyword, so lines appended after an existing "PasswordAuthentication yes" are silently ignored.
# The Include at the top of sshd_config reads sshd_config.d/*.conf in name order, so a file that
# sorts early (00-...) also wins over cloud-init's 50-cloud-init.conf.
cat > /etc/ssh/sshd_config.d/00-hardening.conf << 'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy
EOF
# Syntax check first: a typo here would leave you with no sshd at all
sshd -t
# Ubuntu 22.10 and later start sshd through ssh.socket, which listens on 22 and ignores Port;
# disable the socket so the service binds the configured port. Debian/CentOS only need the restart.
systemctl disable --now ssh.socket 2>/dev/null || true
systemctl enable ssh.service 2>/dev/null || true
systemctl restart sshd
# Show what the daemon actually loaded
sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication) '
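A checker for the directives in that block, added here as an example and not part of the article: it reads a config file with sshd's own precedence rule (the first occurrence of a keyword wins; lines after a Match block are conditional), so it catches the classic mistake of appending hardening lines below earlier defaults. It does not follow Include directives, so for a distribution with sshd_config.d you would point it at the drop-in or, better, compare with `sshd -T`, which prints what the running daemon loaded. The script name `sshd_audit.sh` is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original article): audit an sshd_config the way sshd
# itself reads it. sshd keeps the FIRST value it sees for each keyword, so a hardening
# line appended below an existing "PasswordAuthentication yes" is silently ignored.
# The checker does not follow Include directives; for the live daemon compare with "sshd -T".

# effective_sshd_value FILE KEYWORD
#   Prints the value sshd would use: first non-comment match before any "Match" block
#   (keywords are case-insensitive); prints nothing if the keyword is unset.
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        { k = tolower($1); sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "") }
        k == "match" { exit }                  # everything after Match is conditional
        k == key { print; exit }               # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
#   One line per directive from the hardening block; returns 1 if any is not in effect,
#   so it can gate a restart:  audit_sshd_config FILE && systemctl restart sshd
audit_sshd_config() {
    file=$1; rc=0
    while IFS='=' read -r key want; do
        got=$(effective_sshd_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'ok    %-22s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-22s effective=%s wanted=%s\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin=no
PasswordAuthentication=no
PubkeyAuthentication=yes
MaxAuthTries=3
EOF
    return $rc
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against a copy of the file before you restart sshd; a FAIL line for PasswordAuthentication on a freshly appended config is exactly the first-match problem the drop-in approach avoids.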
2.3 Install fail2ban
apt install fail2ban -y
cat > /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
port = 2222
filter = sshd
# On hosts without rsyslog (Debian 12 server images, for example) /var/log/auth.log does not
# exist and fail2ban refuses to start; replace the logpath line with "backend = systemd" there
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
findtime = 600
EOF
systemctl enable --now fail2ban
# Confirm the jail is live and see current bans
fail2ban-client status sshd
3. Firewall and port management
3.1 UFW (Ubuntu)
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw enable
ufw status verbose
Docker inserts its own iptables rules ahead of UFW and firewalld, so a container port published as 0.0.0.0:PORT is reachable from outside no matter what ufw status says. Bind published ports to 127.0.0.1, as the compose files later in this guide do, and put nginx in front.
3.2 firewalld (CentOS)
firewall-cmd --permanent --add-port=2222/tcp
# The default public zone still allows the ssh service on port 22; drop it once 2222 works
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
firewall-cmd --list-all
4. Users and permissions
4.1 Create an operations user
useradd -m -s /bin/bash deploy
# Debian/Ubuntu use the "sudo" group; on CentOS/RHEL the equivalent is "wheel"
usermod -aG sudo deploy
# Keep the passwordless list short: unrestricted docker access is equivalent to root,
# so grant it only to an account you already treat as root-equivalent
echo "deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl, /usr/bin/docker" > /etc/sudoers.d/deploy
chmod 0440 /etc/sudoers.d/deploy
# A syntax error in sudoers.d can break sudo for everyone; validate before moving on
visudo -cf /etc/sudoers.d/deploy
4.2 Directory permission conventions
mkdir -p /var/www/app
# nginx from nginx.org runs its workers as user "nginx" (see "user nginx;" in 5.2), not www-data
chown -R deploy:nginx /var/www/app
# Directories traversable by the nginx group, files readable by it, nothing world-accessible
find /var/www/app -type d -exec chmod 750 {} +
find /var/www/app -type f -exec chmod 640 {} +
5. Nginx installation and configuration
5.1 Install the latest stable release
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" > /etc/apt/sources.list.d/nginx.list
apt update && apt install nginx -y
5.2 Production-grade configuration
/etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    # Without mime.types every CSS and JS file is served as text/plain
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    server_tokens off;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml;

    # Caveat: add_header is not inherited into any server/location block that has its own
    # add_header directive; repeat these there, or they silently disappear from those responses
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

    include /etc/nginx/conf.d/*.conf;
}
5.3 Site configuration
/etc/nginx/conf.d/example.com.conf. The certificate paths must exist before nginx will start with the 443 block, so deploy the port-80 server first, obtain the certificate (section 6), and then add the 443 server:
server {
    listen 443 ssl;
    # nginx 1.25.1+ (what the nginx.org stable repo ships); older releases use "listen 443 ssl http2;"
    http2 on;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/app/public;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location /api {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
Validate and reload rather than restart, so a mistake does not take the site down:
nginx -t && systemctl reload nginx
6. SSL certificate automation
apt install certbot python3-certbot-nginx -y
# Needs a running nginx with a server block for these names (the port-80 server from 5.3 is enough)
certbot --nginx -d example.com -d www.example.com
# Auto-renewal: the Debian/Ubuntu certbot package already ships certbot.timer
# (check with: systemctl list-timers certbot.timer). If you prefer cron, write a /etc/cron.d
# file; piping into "crontab -" would replace the whole crontab and wipe every other job.
echo "0 3 * * * root certbot renew --quiet --post-hook 'systemctl reload nginx'" > /etc/cron.d/certbot-renew
# Rehearse a renewal now so a broken hook shows up today, not in 90 days
certbot renew --dry-run

7. Docker containerized deployment
7.1 Install Docker
# Docker's convenience installer; download and read it first if your policy requires it, or follow
# the distribution-repository instructions on docs.docker.com instead of piping a script into sh
curl -fsSL https://get.docker.com | sh
# Membership of the docker group is root-equivalent (anyone in it can mount / into a root container)
usermod -aG docker deploy
apt install docker-compose-plugin -y
7.2 docker-compose.yml template
# The "version:" key is obsolete with the Compose plugin and is omitted here.
# Secrets come from a .env file next to this compose file (mode 0600, never committed).
services:
  app:
    image: your-app:latest
    restart: unless-stopped
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - NODE_ENV=production
    volumes:
      - app-data:/app/data
    depends_on:
      - db
  db:
    image: postgres:16-alpine
    # Fixed name so scripts (the backup job in section 11, for example) can address it
    container_name: db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=app
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
      - db-data:/var/lib/postgresql/data
    ports:
      - "127.0.0.1:5432:5432"
  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command: redis-server --requirepass ${REDIS_PASSWORD}
    ports:
      - "127.0.0.1:6379:6379"
volumes:
  app-data:
  db-data:
7.3 Docker security
# Resource caps: under compose the container is named <project>-app-1 unless container_name is set,
# and "docker update" does not survive a recreate; for a permanent cap add mem_limit/cpus
# (or deploy.resources.limits) to the service in the compose file
docker update --memory="512m" --cpus="1.0" app
# Destructive housekeeping: removes every stopped container, unused network and build cache and,
# because of -a, every image not used by a running container. Do not run it while a stack is down.
docker system prune -af
# Vulnerability scan of the image you are about to run (Docker Scout CLI plugin)
docker scout cves your-app:latest
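A pre-deploy check for the port-binding rule that sections 3 and 7.2 rely on, added here as an example and not part of the article: it scans a compose file for published ports whose host side is not loopback, which is exactly the case the host firewall cannot protect against. It understands only the short `[host:]hostport:containerport[/proto]` syntax and reads the raw file; run `docker compose config` first if your file uses the long form or variables. The script name and the sample compose text are constructed.

```shell
#!/bin/sh
# Added example, not from the article: find published ports in a compose file whose host side
# is not pinned to loopback. Docker's own iptables rules are evaluated before UFW or firewalld,
# so a bare "5432:5432" (or "0.0.0.0:5432:5432") is reachable from the internet regardless of
# the host firewall. Short port syntax only; use "docker compose config" for the long form.

# Constructed sample: one correctly bound service and two mistakes
SAMPLE_COMPOSE='services:
  app:
    ports:
      - "127.0.0.1:3000:3000"
  db:
    ports:
      - "5432:5432"
  redis:
    ports:
      - "0.0.0.0:6379:6379"
      - "[::1]:6380:6379"
volumes:
  db-data:
'

# exposed_ports < compose.yml
#   Prints "service mapping" for every mapping not bound to 127.x, [::1] or localhost;
#   exit status 1 if any were found, 0 otherwise (so it can gate a deploy).
exposed_ports() {
    awk '
        /^services:/ { in_services = 1; next }
        in_services && /^[^ ]/ { in_services = 0 }                      # next top-level key
        in_services && /^  [A-Za-z0-9_.-]+:/ { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
        in_services && /^ +ports:/ { in_ports = 1; next }
        in_services && in_ports && /^ +- / {
            map = $2; gsub(/["'\'']/, "", map)
            host = map; sub(/:[0-9]+(\/(tcp|udp))?$/, "", host)         # strip the container port
            # no host address at all leaves just a port number: bound on every interface
            if (host !~ /^(127\.[0-9.]+|\[::1\]|localhost):/) { print svc, map; found = 1 }
            next
        }
        in_services && in_ports { in_ports = 0 }                        # the list ended
        END { exit found ? 1 : 0 }
    '
}

# Usage: sh compose_ports.sh docker-compose.yml   (no argument: scans the sample above)
if [ -n "${1:-}" ]; then
    exposed_ports < "$1"
else
    printf '%s' "$SAMPLE_COMPOSE" | exposed_ports || echo "non-loopback mappings listed above"
fi
```

On the sample it reports db and the first redis mapping and exits 1; `[::1]:6380:6379` passes because the IPv6 loopback is as private as 127.0.0.1. Wiring the script into the deploy step (`exposed_ports < docker-compose.yml || exit 1`) turns a policy into a check.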
8. Database security configuration
8.1 PostgreSQL hardening
-- Run as the superuser (docker exec -it db psql -U user app). ALTER SYSTEM writes postgresql.auto.conf:
-- password_encryption takes effect on reload, listen_addresses and ssl need a restart, and ssl = on
-- also needs server.crt/server.key in the data directory or the server will not come back up.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
-- listen_addresses = '127.0.0.1' is for a host-installed PostgreSQL. Inside the compose stack the db
-- container must keep listening on its container interface for the app container to reach it;
-- exposure to the outside is already limited by the "127.0.0.1:5432:5432" port mapping.
ALTER SYSTEM SET listen_addresses = '127.0.0.1';
ALTER SYSTEM SET ssl = on;
SELECT pg_reload_conf();
-- Existing MD5 password hashes stay MD5 until the password is set again; rotate them so SCRAM applies
ALTER USER "user" WITH PASSWORD 'new-strong-password';
8.2 Redis hardening
# redis.conf for a host-installed Redis. The container in 7.2 passes --requirepass on the command line
# instead; to apply the rest, mount this file and run "redis-server /etc/redis/redis.conf"
bind 127.0.0.1
requirepass your-strong-password
# Redis 6+ ACLs (ACL SETUSER ...) can restrict these commands per user instead of renaming them globally
rename-command FLUSHALL ""
rename-command CONFIG ""
protected-mode yes

9. Monitoring and alerting
9.1 Prometheus + Grafana
# prometheus.yml (not shown here) scrapes node-exporter:9100 over the compose network
services:
  prometheus:
    image: prom/prometheus:latest
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    ports:
      - "127.0.0.1:9090:9090"
  grafana:
    image: grafana/grafana:latest
    environment:
      # Replace the default admin/admin login before the first visit; value comes from .env
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD}
    ports:
      - "127.0.0.1:3001:3000"
  node-exporter:
    image: prom/node-exporter:latest
    pid: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    # Without these flags the exporter reads the container's own /proc, /sys and filesystems,
    # and the CPU, memory and disk figures in the alert rules describe the container, not the host
    command:
      - --path.procfs=/host/proc
      - --path.sysfs=/host/sys
      - --path.rootfs=/rootfs
9.2 Alert rules
Save as alerts.yml and list it under rule_files in prometheus.yml. Firing alerts only reach e-mail or chat through Alertmanager, which the stack above does not yet include.
groups:
  - name: server-alerts
    rules:
      - alert: HighCPU
        expr: 100 - (avg by(instance)(rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
        for: 5m
        annotations:
          summary: "CPU使用率超过80%"
      - alert: HighMemory
        expr: (1 - node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes) * 100 > 85
        for: 5m
      - alert: DiskAlmostFull
        # tmpfs and overlay mounts are excluded so a full /run or a container layer does not page anyone
        expr: (1 - node_filesystem_avail_bytes{fstype!~"tmpfs|overlay"} / node_filesystem_size_bytes{fstype!~"tmpfs|overlay"}) * 100 > 90
        for: 5m
10. Log management
# Log rotation
cat > /etc/logrotate.d/app << 'EOF'
/var/log/app/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 deploy adm
    # An app that keeps its log file open keeps writing to the rotated file: either have it reopen
    # logs from a postrotate block, or add "copytruncate" (accepting a small window of lost lines)
}
EOF
# Dry run: shows what would rotate without touching anything
logrotate -d /etc/logrotate.d/app
11. Automated backups
/opt/scripts/backup.sh:
#!/bin/bash
# Fail on any error, on unset variables, and on a pg_dump failure hidden behind the gzip pipe
set -euo pipefail
BACKUP_DIR="/opt/backups/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# Database backup ("db" is the container_name set in the compose file)
docker exec db pg_dump -U user app | gzip > "$BACKUP_DIR/app_$(date +%H%M%S).sql.gz"
# File backup
tar czf "$BACKUP_DIR/app-files.tar.gz" /var/www/app
# Keep 7 days; -mindepth 1 protects /opt/backups itself, and emptied day directories are removed afterwards
find /opt/backups -mindepth 1 -type f -mtime +7 -delete
find /opt/backups -mindepth 1 -type d -empty -delete
Schedule it daily at 03:00 from a cron.d file (piping into "crontab -" would overwrite the crontab, including any certbot entry):
chmod 700 /opt/scripts/backup.sh
echo "0 3 * * * root /opt/scripts/backup.sh >> /var/log/backup.log 2>&1" > /etc/cron.d/app-backup
Copy /opt/backups to another host or to object storage as well; a backup on the same disk as the data does not survive the failure it is meant for.
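A version of that backup job that verifies what it produces, added here as an example and not the article's script: every archive is test-read before it counts as a success, a SHA-256 is written beside it so a restore can check integrity first, the database is dumped to a file before compression so a failing pg_dump cannot hide behind the pipe, and pruning can never remove the backup root. The `db` container name, `/opt/backups` and `/var/www/app` are taken from the sections above; the `run` argument and the file layout are assumptions.

```shell
#!/bin/sh
# Added example, not the article's backup.sh: verified backups with checksums and safe pruning.
set -u

# verify_archive FILE -> 0 only if the gzip stream and the tar index both read back cleanly
verify_archive() {
    gzip -t "$1" 2>/dev/null && tar tzf "$1" > /dev/null 2>&1
}

# backup_dir SRC DEST_ROOT
#   Archives SRC into DEST_ROOT/YYYYmmdd/<name>-HHMMSS.tar.gz, verifies it, writes a
#   .sha256 beside it and prints the archive path; returns non-zero (and leaves no
#   half-written archive behind) on any failure.
backup_dir() {
    src=$1; root=$2
    dest="$root/$(date +%Y%m%d)"
    mkdir -p "$dest" || return 1
    archive="$dest/$(basename "$src")-$(date +%H%M%S).tar.gz"
    # -C keeps absolute paths out of the archive so a restore cannot clobber / by accident
    tar czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || { rm -f "$archive"; return 1; }
    verify_archive "$archive" || { rm -f "$archive"; return 1; }
    sha256sum "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# backup_postgres CONTAINER DBUSER DB DEST_DIR -> DEST_DIR/<DB>-HHMMSS.sql.gz plus .sha256
backup_postgres() {
    out="$4/$3-$(date +%H%M%S).sql"
    # Two steps instead of "pg_dump | gzip": the dump's exit status is checked before compressing
    docker exec "$1" pg_dump -U "$2" "$3" > "$out" || { rm -f "$out"; return 1; }
    gzip -f "$out" && gzip -t "$out.gz" && sha256sum "$out.gz" > "$out.gz.sha256"
}

# prune_backups ROOT DAYS
#   Deletes files older than DAYS and the day directories that leaves empty;
#   -mindepth 1 guarantees ROOT itself is never a candidate.
prune_backups() {
    find "$1" -mindepth 1 -type f -mtime +"$2" -delete
    find "$1" -mindepth 1 -type d -empty -delete
}

# Cron entry point: sh backup.sh run   (no argument: only defines the functions)
if [ "${1:-}" = "run" ]; then
    root=/opt/backups
    day="$root/$(date +%Y%m%d)"; mkdir -p "$day"
    backup_postgres db user app "$day" || exit 1
    backup_dir /var/www/app "$root" > /dev/null || exit 1
    prune_backups "$root" 7
fi
```

A non-zero exit from the `run` branch ends up in /var/log/backup.log through the cron redirection, which is the signal to alert on; a backup job that always exits 0 is the one nobody notices has been producing empty archives for a month.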
12. Performance tuning
# File descriptors: applies to new login sessions through pam_limits; systemd services use LimitNOFILE= instead
cat >> /etc/security/limits.conf << 'EOF'
* soft nofile 655350
* hard nofile 655350
EOF
# Disable transparent huge pages (not persistent across reboots; re-apply from a systemd unit or rc.local)
echo never > /sys/kernel/mm/transparent_hugepage/enabled
# Swappiness
echo "vm.swappiness = 10" >> /etc/sysctl.conf
sysctl -p
Summary
Core principles of production configuration:
- Security first: one more verification step beats one less line of defense
- Automate everything: backups, certificate renewal and log rotation must all be automated
- Monitoring before traffic: a server without monitoring is a time bomb
- Least privilege: give every user and every service only the permissions it needs
- Documentation as code: every piece of configuration belongs under version control
Keep this checklist and walk through it every time you bring up a new server; it prevents 90% of production incidents.
Tested on Ubuntu 24.04 LTS + Docker | Updated: June 2026