1. Environment Preparation
1.1 System Requirements
| Component | Minimum version | Recommended version |
|---|---|---|
| Debian | 11 (Bullseye) | 12 (Bookworm) |
| PHP | 8.1 | 8.3 |
| Nginx | 1.18 | 1.24+ |
| Composer | 2.x | Latest stable |
| Laravel | 10.x | 11.x |
1.2 Install Base Software
```bash
# Update the system
sudo apt update && sudo apt upgrade -y
# Install Nginx
sudo apt install -y nginx
# Add the PHP repository and its signing key
sudo apt install -y ca-certificates gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://packages.sury.org/php/apt.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/sury-php.gpg
echo "deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update
# Install PHP and the extensions Laravel needs
sudo apt install -y php8.3-fpm php8.3-cli php8.3-common \
    php8.3-mysql php8.3-pgsql php8.3-sqlite3 \
    php8.3-mbstring php8.3-xml php8.3-curl \
    php8.3-zip php8.3-bcmath php8.3-intl \
    php8.3-readline php8.3-opcache php8.3-redis
# Install Composer
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer
# Verify
nginx -v && php -v && composer --version
```
2. Deploying the Laravel Project
2.1 Create the Project
```bash
# Option 1: fresh install
cd /var/www
sudo composer create-project laravel/laravel myapp --prefer-dist
sudo chown -R www-data:www-data myapp
sudo chmod -R 755 myapp
# Option 2: clone from Git
cd /var/www
sudo git clone https://github.com/your-org/myapp.git
cd myapp
sudo composer install --no-dev --optimize-autoloader
sudo chown -R www-data:www-data .
sudo chmod -R 755 .
```
2.2 Configure the Environment File
```bash
cd /var/www/myapp
cp .env.example .env
php artisan key:generate
# Edit the environment variables
nano .env
```
Key settings:
```ini
APP_URL=https://yourdomain.com
APP_ENV=production
APP_DEBUG=false
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=laravel_user
DB_PASSWORD=YourSecurePassword
CACHE_DRIVER=redis
SESSION_DRIVER=redis
QUEUE_CONNECTION=redis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
```
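The key settings above can be checked mechanically before go-live. The following is an added example, not part of the original article: the function names `env_get`, `check_env` and `demo_env` and the sample values are constructed, and the loopback rule for `REDIS_PASSWORD` and the file-mode check are assumptions of this example rather than rules the article states.

```shell
#!/bin/sh
# Added example: lint a Laravel .env against the production values above.
# Prints one finding per line; no output means every check passed.

# env_get FILE KEY -> value of the last KEY= line, surrounding quotes removed
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

check_env() {
    f="$1"
    [ "$(env_get "$f" APP_ENV)" = "production" ] || echo "APP_ENV is not production"
    [ "$(env_get "$f" APP_DEBUG)" = "false" ]    || echo "APP_DEBUG is not false"
    [ -n "$(env_get "$f" APP_KEY)" ]             || echo "APP_KEY is empty"
    case "$(env_get "$f" APP_URL)" in
        https://*) ;;
        *) echo "APP_URL is not an https:// URL" ;;
    esac
    # Assumption: an unauthenticated Redis is tolerable only on loopback.
    case "$(env_get "$f" REDIS_PASSWORD)" in
        ""|null)
            case "$(env_get "$f" REDIS_HOST)" in
                127.0.0.1|localhost|::1) ;;
                *) echo "REDIS_PASSWORD is unset for a non-loopback REDIS_HOST" ;;
            esac ;;
    esac
    # The file holds APP_KEY and DB_PASSWORD, so "other" must not read it.
    # Character 8 of the ls -l mode string is the other-read flag.
    [ "$(ls -l "$f" | cut -c8)" = "-" ] || echo ".env is world-readable"
}

# Constructed sample input, written to a temp file for a stand-alone run.
demo_env() {
    d="$(mktemp)"
    cat > "$d" <<'EOF'
APP_ENV=production
APP_DEBUG=true
APP_KEY=
APP_URL=http://yourdomain.com
REDIS_HOST=10.0.0.5
REDIS_PASSWORD=null
EOF
    chmod 644 "$d"
    check_env "$d"
    rm -f "$d"
}

demo_env
```

Run `check_env /var/www/myapp/.env` on the server; a recursive `chmod 755` leaves `.env` readable by every local user, which the last check reports.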
2.3 Optimize for Production
```bash
cd /var/www/myapp
# Optimize the autoloader
composer install --optimize-autoloader --no-dev
# Cache configuration, routes and views
php artisan config:cache
php artisan route:cache
php artisan view:cache
# Cache the event map
php artisan event:cache
# Set permissions on the storage directories
sudo chown -R www-data:www-data storage bootstrap/cache
sudo chmod -R 775 storage bootstrap/cache
```
3. Nginx Configuration
3.1 Basic Configuration (HTTP)
```nginx
# /etc/nginx/sites-available/myapp
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/myapp/public;
    index index.php index.html;
    charset utf-8;
    # Access and error logs
    access_log /var/log/nginx/myapp_access.log;
    error_log /var/log/nginx/myapp_error.log;
    # Maximum upload size
    client_max_body_size 50M;
    # Laravel rewrite rule
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    # Deny access to sensitive and hidden files (such as .git),
    # keeping /.well-known reachable
    location ~ /\.(?!well-known).* {
        deny all;
    }
    # Hand PHP requests to PHP-FPM
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
        # Timeouts
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 8 32k;
    }
    # Static asset caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }
    # Health check endpoint
    location /health {
        access_log off;
        return 200 "OK";
    }
}
```
3.2 Enable the Site
```bash
# Create the symlink
sudo ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/
# Test the configuration
sudo nginx -t
# Restart Nginx
sudo systemctl restart nginx
sudo systemctl enable nginx
# Start PHP-FPM
sudo systemctl start php8.3-fpm
sudo systemctl enable php8.3-fpm
```
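4. HTTPS Configuration (Let's Encrypt)
4.1 Install Certbot
```bash
sudo apt install -y certbot python3-certbot-nginx
```
4.2 Obtain the SSL Certificate
```bash
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
```
Certbot automatically modifies the Nginx configuration and adds the SSL-related directives.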
4.3 Manual HTTPS Configuration (Optional)
```nginx
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://yourdomain.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/myapp/public;
    index index.php;
    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # SSL security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (max-age is 31536000 seconds, i.e. one year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    # Remaining configuration is the same as for HTTP...
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
4.4 Automatic Renewal
```bash
# Test renewal
sudo certbot renew --dry-run
# Certbot installs a scheduled renewal task automatically
sudo systemctl status certbot.timer
```
5. PHP-FPM Tuning
5.1 Process Pool Configuration
```ini
; /etc/php/8.3/fpm/pool.d/www.conf
[www]
user = www-data
group = www-data
listen = /run/php/php8.3-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Dynamic process management
pm = dynamic
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
pm.process_idle_timeout = 10s
; OPcache tuning
php_admin_value[opcache.enable] = 1
php_admin_value[opcache.enable_cli] = 1
php_admin_value[opcache.memory_consumption] = 256
php_admin_value[opcache.max_accelerated_files] = 20000
php_admin_value[opcache.revalidate_freq] = 60
; With validate_timestamps = 0, revalidate_freq is ignored and changed PHP
; files are not picked up until PHP-FPM is restarted or reloaded.
php_admin_value[opcache.validate_timestamps] = 0
php_admin_value[opcache.save_comments] = 1
; JIT stays disabled unless opcache.jit_buffer_size is also set to a non-zero value.
php_admin_value[opcache.jit] = 1255
```
5.2 Restart PHP-FPM
```bash
sudo systemctl restart php8.3-fpm
```
6. Troubleshooting Common Problems
6.1 500 Internal Server Error
```bash
# Check the Nginx error log
sudo tail -50 /var/log/nginx/myapp_error.log
# Check the PHP-FPM error log
sudo tail -50 /var/log/php8.3-fpm.log
# Check the Laravel log
sudo tail -50 /var/www/myapp/storage/logs/laravel.log
# Common causes:
# 1. Permission problem → sudo chown -R www-data:www-data /var/www/myapp
# 2. .env not configured → cp .env.example .env && php artisan key:generate
# 3. Stale cache → php artisan config:clear
```
6.2 502 Bad Gateway
```bash
# PHP-FPM is not running
sudo systemctl status php8.3-fpm
# The socket file does not exist
ls -la /run/php/php8.3-fpm.sock
# Fix: check that the listen path matches the Nginx configuration
```
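6.3 Static Assets Return 404
```bash
# Check that root points at the public directory
# Correct: root /var/www/myapp/public;
# Wrong:   root /var/www/myapp;
# Check the symlink
ls -la /var/www/myapp/public/storage
# If it does not exist, create the storage link
cd /var/www/myapp
php artisan storage:link
```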
6.4 Permission Problems
```bash
# Standard permission settings
sudo chown -R www-data:www-data /var/www/myapp
sudo chmod -R 755 /var/www/myapp
sudo chmod -R 775 /var/www/myapp/storage
sudo chmod -R 775 /var/www/myapp/bootstrap/cache
```
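7. Performance Recommendations
| Optimization | Method | Effect |
|---|---|---|
| OPcache | Enable and tune PHP OPcache | Reduces PHP compilation overhead |
| Redis cache | Use Redis as the cache and session driver | Fewer database queries |
| Gzip compression | Enable gzip in Nginx | Reduces transfer size by 60-70% |
| Static asset CDN | Serve images/CSS/JS from a CDN | Faster global access |
| Asynchronous queues | Use Redis queues for long-running tasks | Better response times |
| Database indexes | Add indexes on frequently queried columns | Faster database queries |
| Page caching | Use Laravel response caching | Less repeated computation |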
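8. Security Hardening
```nginx
# 1. Disable directory listing
# Add inside an Nginx location block:
# autoindex off;
# 2. Set security response headers
# Add inside the Nginx server block:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection is a legacy header: Chrome and Edge have removed the
# XSS filter it controls and Firefox never implemented it.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 3. Restrict request methods
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
    return 405;
}
# 4. Prevent clickjacking
add_header Content-Security-Policy "frame-ancestors 'self'" always;
```
```bash
# 5. Laravel security commands (maintenance mode)
cd /var/www/myapp
# The --message option was removed in Laravel 8, so it is not passed here
php artisan down --retry=60
# After maintenance is complete
php artisan up
```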
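Nginx inherits `add_header` from the enclosing level only when the current level defines none, so the static-asset location in section 3.1, which sets its own `Cache-Control`, does not send the server-level headers from this section. The following is an added example, not part of the original article: `audit_add_header` and `sample_conf` are hypothetical names, the configuration is a constructed sample, and the parser assumes one directive per line with `{` at the end of the line.

```shell
#!/bin/sh
# Added example: list location blocks that define their own add_header and
# therefore drop the named headers set at the server level.

# audit_add_header CONF HEADER...  ->  "<location>: <HEADER> not sent" lines
audit_add_header() {
    conf="$1"; shift
    awk -v want="$*" '
    BEGIN { nw = split(want, W, " ") }
    { sub(/#.*/, "") }                              # strip comments
    /\{[ \t]*$/ {                                   # a block opens
        depth++; own[depth] = ""; name[depth] = ""
        if ($1 == "location") {
            name[depth] = $0
            gsub(/^[ \t]+|[ \t]*\{[ \t]*$/, "", name[depth])
        }
        next
    }
    $1 == "add_header" { own[depth] = own[depth] " " tolower($2) " " }
    /^[ \t]*\}/ {                                   # a block closes
        if (name[depth] != "" && own[depth] != "")
            for (i = 1; i <= nw; i++)
                if (index(own[depth], " " tolower(W[i]) " ") == 0)
                    print name[depth] ": " W[i] " not sent"
        depth--
    }' "$conf"
}

# Constructed sample: section 8 headers at server level plus a shortened
# version of the static-asset location from section 3.1.
sample_conf() {
    cat <<'EOF'
server {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~* \.(js|css|png)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}
EOF
}

sample_conf | audit_add_header - X-Frame-Options X-Content-Type-Options
```

A reported location is fixed by repeating the headers inside it, for instance through an `include` of a shared snippet.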
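9. Deployment Checklist
- [ ] Nginx installed and running
- [ ] PHP 8.3 and required extensions installed
- [ ] Composer installed
- [ ] Laravel project deployed to `/var/www/myapp`
- [ ] `.env` file configured (APP_URL, database, cache, etc.)
- [ ] `php artisan key:generate` executed
- [ ] Storage and cache directory permissions set
- [ ] Nginx site configuration created and enabled
- [ ] `nginx -t` test passes
- [ ] SSL certificate configured (Let's Encrypt)
- [ ] PHP-FPM configuration tuned
- [ ] Firewall configured (ports 80/443 open)
- [ ] Log directory writable
- [ ] Production caches generated (config/route/view/event)
- [ ] `php artisan storage:link` executed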
Note: this article is based on Laravel 11.x, PHP 8.3, Nginx 1.24 and Debian 12; adjust it to your own environment.