
Inner Mongolia Hospital


UOS Server 20 network configuration

Determine the network interface name

Run:

ip addr

Output similar to:

2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute ens33

2. Use NetworkManager (recommended)

  1. List the existing connection names
nmcli connection show

Example output:

NAME    UUID                                  TYPE      DEVICE 
ens192 dffb5ef8-3171-47e8-a4c1-faa1fe3ddff1 ethernet ens192
  2. Change to a static IP, gateway and DNS in /etc/sysconfig/network-scripts/ifcfg-ens33 (the file name must match the device shown by nmcli; the example below is for ens192)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens192
UUID=dffb5ef8-3171-47e8-a4c1-faa1fe3ddff1
DEVICE=ens192
ONBOOT=yes
IPADDR=10.66.77.91
PREFIX=24
GATEWAY=10.66.77.254
DNS1=202.99.224.8
IPV6_PRIVACY=no
  3. Restart the network service
systemctl restart NetworkManager
  4. Verify the change
ip route
cat /etc/resolv.conf
  5. Open firewall ports
# Show the full firewalld configuration
sudo firewall-cmd --list-all
# Check the currently open ports
sudo firewall-cmd --list-ports
# Add temporarily (runtime only, lost on reload or reboot)
sudo firewall-cmd --add-port=20000/tcp
# Remove the temporary rule
sudo firewall-cmd --remove-port=20000/tcp
# Permanent
sudo firewall-cmd --permanent --add-port=20000/tcp
sudo firewall-cmd --reload
# Remove the permanent rule (if --permanent was used earlier)
sudo firewall-cmd --permanent --remove-port=20000/tcp
sudo firewall-cmd --reload
# iptables
sudo iptables -L INPUT -n --line-numbers | grep -E '20000|INPUT'
sudo iptables -t nat -L -n | grep 20000
# Add temporarily (takes effect without a restart, not persisted)
sudo iptables -I INPUT 1 -p tcp --dport 20000 -j ACCEPT
# Remove the temporary rule
sudo iptables -D INPUT -p tcp --dport 20000 -j ACCEPT
# Check whether the rule has any hit counters
sudo iptables -L -n -v | grep 20000

Install Docker

1. Check the glibc version

ldd --version

Output similar to:

ldd (GNU libc) 2.28

If it is 2.28 (or anything below 2.32), the system is a RHEL 8 family environment.

2. Download the el8 Docker packages

mkdir docker && cd docker

wget https://download.docker.com/linux/centos/8/x86_64/stable/Packages/containerd.io-1.6.28-3.1.el8.x86_64.rpm
wget https://download.docker.com/linux/centos/8/x86_64/stable/Packages/docker-ce-26.1.2-1.el8.x86_64.rpm
wget https://download.docker.com/linux/centos/8/x86_64/stable/Packages/docker-ce-cli-26.1.2-1.el8.x86_64.rpm
wget https://download.docker.com/linux/centos/8/x86_64/stable/Packages/docker-buildx-plugin-0.11.2-1.el8.x86_64.rpm
wget https://download.docker.com/linux/centos/8/x86_64/stable/Packages/docker-compose-plugin-2.27.0-1.el8.x86_64.rpm
sudo curl -L "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose version

⚠️ Note: the package names must end in el8.x86_64.rpm, not el9.x86_64.rpm or el7.x86_64.rpm.

  3. Install from the local packages
cd /root/docker
sudo yum localinstall ./*.rpm -y
  4. Start Docker
systemctl start docker
systemctl enable docker
  5. Verify that Docker installed correctly
docker version

Import images

1. Load an image

# The image files are currently under /root/php-docker-env/images/
docker load -i <image file>
  2. Start the containers
cd /root/php-docker-env
docker-compose up -d
  3. Verify that the containers started
docker ps -a
  4. Use a specific yml file
docker-compose -f <yml file> up -d
  5. Rebuild a single container only
# e.g. mysql-intranet
docker-compose -f compose-intranet.yml up -d --force-recreate --build mysql-intranet
  6. Clear old data and re-initialize (-v also removes the named volumes, i.e. the database data)
docker-compose -f compose-intranet.yml down -v mysql-intranet
  7. Remove all containers
docker-compose -f <yml file> down
# Remove a specific container
docker-compose -f <yml file> down <service name>
  8. Restart containers
# Start a single container
docker-compose -f compose-intranet.yml up -d mysql-intranet
  9. List all networks
docker network inspect $(docker network ls -q) | grep -E "(Name|IPv4Address)"

Export images

1. Export an image

docker save -o <image file> <image name>
  2. Export a container
docker export -o <container file> <container name>

Create a non-root user

  1. Create the user:
useradd -m -s /bin/bash www

-m creates the home directory /home/www

-s /bin/bash: sets the default shell

  2. Set a password:
passwd www
  3. Add the user to the docker group (note that members of the docker group can control the Docker daemon, which is equivalent to root on the host):
usermod -aG docker www
  4. Give the regular user sudo rights
sudo usermod -aG wheel www   # on CentOS/UnionTechOS the wheel group normally has sudo rights

Add the Gitee webhook service

1. Create the systemd service file

[Unit]
Description=Python Webhook Service
After=network.target

[Service]
Type=simple
User=www-data
WorkingDirectory=/home/www
ExecStart=/usr/bin/python3 /home/www/deploy_webhook.py
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=webhook_service

[Install]
WantedBy=multi-user.target
  • Restart=always → restarts the script automatically if it dies
  • RestartSec=5 → delay between restarts
  • WorkingDirectory → directory of the script, so logs and git pull can use relative paths
  • ExecStart → command that starts the script
  • User → user the service runs as (the unit says www-data while the user created above is www; the user must exist and own the checkout, so keep these consistent)
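The unit runs deploy_webhook.py, which the page does not show. The following is an added example (not the page's own script) of what such a receiver should do before pulling: verify the Gitee signature and reject stale deliveries. It assumes Gitee's signing-key mode (X-Gitee-Timestamp plus an HMAC-SHA256 X-Gitee-Token), a placeholder secret, and an assumed checkout path under /home/www.

```python
"""Gitee webhook receiver with signature check (added example, not the page's
deploy_webhook.py). Assumes Gitee's signing-key mode: each delivery carries
X-Gitee-Timestamp (ms) and X-Gitee-Token = urlencode(base64(HMAC-SHA256(secret, "<timestamp>\n<secret>")))."""
import base64, hashlib, hmac, subprocess, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional
from urllib.parse import unquote

MAX_AGE_MS = 60 * 60 * 1000                    # Gitee tokens expire after one hour
SECRET = "replace-with-webhook-secret"         # placeholder; load from the environment in practice
REPO = "/home/www/php-docker-env/www/kc_api"   # assumed checkout path

def gitee_sign(secret: str, timestamp_ms: int) -> str:
    """Token Gitee computes for this secret and timestamp, before URL encoding."""
    msg = f"{timestamp_ms}\n{secret}".encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_gitee_request(headers: Mapping[str, str], secret: str,
                         now_ms: Optional[int] = None) -> bool:
    """True only if the token matches and the timestamp is fresh (blocks replays)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ts = int(headers.get("X-Gitee-Timestamp", ""))
    except ValueError:
        return False
    if abs(now_ms - ts) > MAX_AGE_MS:
        return False
    sent = unquote(headers.get("X-Gitee-Token", ""))
    return hmac.compare_digest(sent, gitee_sign(secret, ts))

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        if not verify_gitee_request(self.headers, SECRET):
            self.send_response(401)
            self.end_headers()
            return
        # Fixed argument list: nothing from the request ever reaches a shell
        subprocess.run(["git", "-C", REPO, "pull", "--ff-only"], check=False)
        self.send_response(200)
        self.end_headers()

if __name__ == "__main__":
    # Port 9009 matches the proxy_pass target of the nginx /webhook/ location
    HTTPServer(("127.0.0.1", 9009), WebhookHandler).serve_forever()
```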

2. Reload systemd and start the service

sudo systemctl daemon-reload
sudo systemctl enable webhook.service # start at boot
sudo systemctl start webhook.service # start the service

3. Check the service status and logs

sudo systemctl status webhook.service
sudo journalctl -u webhook.service -f

4. Basic nginx configuration

# Intranet-zone nginx configuration file
# Security settings for the intranet environment
# Applies to: hospital intranet, internal users

server {
    listen 80;
    server_name _;

    # Document root
    root /var/www/html/kc_api/api/web;
    index index.php index.html index.htm;

    # Access logs
    access_log /var/log/nginx/intranet-access.log main;
    error_log /var/log/nginx/intranet-error.log warn;

    # Static file caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Vary "Accept-Encoding";

        # Security: never execute PHP files from here
        location ~ \.php$ {
            deny all;
        }
    }

    # Hide dotfiles
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~ /(composer\.json|composer\.lock|\.env|\.git|\.htaccess|README\.md)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Forwarded to the webhook service on the host. nginx does not authenticate
    # this path, so the service itself must verify the Gitee signature
    location ^~ /webhook/ {
        proxy_pass http://host.docker.internal:9009;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # PHP handling, tuned for the Yii2 framework
    location ~ \.php$ {
        try_files $uri =404;

        # PHP-FPM service in the intranet zone
        fastcgi_pass php-intranet:9000;
        fastcgi_index index.php;

        # FastCGI parameters, tuned for Yii2 routing
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # $fastcgi_path_info is only populated when fastcgi_split_path_info is
        # configured; without it PATH_INFO is sent empty
        fastcgi_param PATH_INFO $fastcgi_path_info;

        # Security-related FastCGI parameters
        fastcgi_param HTTP_PROXY "";   # httpoxy mitigation
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;

        # REQUEST_URI handling for Yii2
        fastcgi_param REQUEST_URI $request_uri;

        include fastcgi_params;

        # Timeouts
        fastcgi_connect_timeout 30s;
        fastcgi_send_timeout 30s;
        fastcgi_read_timeout 30s;

        # Buffers
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

    # Main application route
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Health check endpoint
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Static page assets
    location /pages/ {
        alias /var/www/html/pages/;
        index index.html index.htm;

        # Static file caching
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # Subdirectory access
        try_files $uri $uri/ =404;
    }
}

# Intranet API rate-limit zone (more lenient than the DMZ). These are http-level
# directives and must stay outside the server block. The zone is only defined
# here: no location above references it with limit_req, so it has no effect
# until it is applied
limit_req_zone $binary_remote_addr zone=api-intranet:10m rate=500r/m;

# Connection-limit zone (likewise defined but not yet applied with limit_conn)
limit_conn_zone $binary_remote_addr zone=perip:10m;

# Global security settings
client_max_body_size 20m; # the intranet allows larger uploads

# Hide the nginx version
server_tokens off;

5. nginx proxy server configuration

server {
    listen 7080;
    server_name _;
    # Not authenticated by nginx; the webhook service must verify the Gitee signature
    location ^~ /webhook/ {
        proxy_pass http://host.docker.internal:9009;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Adminer (database admin UI) is reachable through this listener; restrict
    # who can reach it (allow/deny or authentication) rather than leaving it open
    location /adminer/ {
        proxy_pass http://adminer:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ ^/pages/(tszh|yxzx|school_wx)/ {
        proxy_pass http://nginx-dmz;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
    location ~ ^/v1/ {
        # Referer is supplied by the client, so this only chooses a backend for
        # well-behaved browsers; it is not an access check
        if ($http_referer ~* "/pages/(tszh|yxzx|school_wx)/") {
            proxy_pass http://nginx-dmz;
        }
        proxy_pass http://10.66.156.87:10000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location / {
        proxy_pass http://10.66.156.87:10000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

6. Generate an SSL certificate

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ip.cnf

server.key: private key (unencrypted because of -nodes). server.crt: self-signed certificate. server.csr: optional, a signing request for submitting to a CA (not produced by the -x509 command above).

7. Verify the certificate

openssl x509 -in server.crt -text -noout

The output includes:

X509v3 Subject Alternative Name:
IP Address:10.88.98.139