Setup Ajenti & PHP7.2 & NGINX - aalfiann/reSlim GitHub Wiki

How to set up Ajenti, PHP 7.2 and NGINX

PHP 7.x brought a large performance improvement, and NGINX handles thousands of concurrent connections well. This tutorial installs PHP 7.2 and NGINX on Ubuntu 16.04 together with the Ajenti-V panel so that several websites can be managed from one place. Be aware that both Ubuntu 16.04 (standard support ended April 2021) and PHP 7.2 (security support ended November 2020) are past end of life, so a server built exactly this way no longer receives security fixes; for anything internet-facing, plan on a supported Ubuntu and PHP release and apply the same steps there.

Why Ajenti?

We chose Ajenti because it is open source and its core admin system is written in Python. It can also serve sites with plain NGINX (directly, not only as a reverse proxy) or with a Node.js server.

Requirements

  • A VPS with a fresh Ubuntu 16.04 installation
  • A static public IP address
  • A registered domain

A. Install Ajenti + Ajenti-V + PHP7.2 + NGINX

  • Set Hostname
nano /etc/hostname
nano /etc/hosts
  • Set Timezone
dpkg-reconfigure tzdata
  • Reboot to refresh the hostname
reboot
  • Install Ajenti Core
apt-get update
wget http://repo.ajenti.org/debian/key -O- | apt-key add -
echo "deb http://repo.ajenti.org/ng/debian main main ubuntu" >> /etc/apt/sources.list
apt-get update
apt-get install ajenti -y
service ajenti restart

Note: both the signing key and the repository are fetched over plain HTTP, so anyone on the network path could substitute the key and, with it, every package installed from that repository afterwards. Compare the key's fingerprint (apt-key finger) with one obtained out of band before running apt-get install. Also, the echo line appends to /etc/apt/sources.list every time it runs; run it once, or put the line in its own file under /etc/apt/sources.list.d/ instead.

If the install fails because the python-imaging dependency cannot be satisfied:

apt-get install python-pillow
wget http://ftp.ubuntu.com/ubuntu/ubuntu/pool/universe/p/pillow/python-imaging_3.1.2-0ubuntu1.6_all.deb
dpkg -i python-imaging_3.1.2-0ubuntu1.6_all.deb
apt-get update
apt-get install ajenti -y
service ajenti restart

Note: dpkg -i installs the file exactly as given and verifies no signature, and this .deb is downloaded over plain HTTP. Check its SHA-256 against the checksum published for that package version before installing it.
  • Remove Apache2 if it is installed (otherwise it competes with NGINX for port 80)
apt-get remove -y 'apache2*' && apt-get autoremove -y
  • Install software-properties-common (provides apt-add-repository)
apt-get install software-properties-common -y
  • Add the PHP7 PPA
apt-add-repository ppa:ondrej/php
apt-get update
  • Install Ajenti-v
apt-get install ajenti-v ajenti-v-nginx -y
  • Install PHP7.2
apt-get install ajenti-v-php7.2-fpm php7.2-mysql php7.2-curl php7.2-json php7.2-xml php7.2-gd php7.2-zip php7.2-mbstring php7.2-bcmath -y

Note: if you want PHP 7.4 instead, replace every 7.2 in the command above with 7.4.

  • If you want FTP
apt-get install pure-ftpd ajenti-v-ftp-pureftpd -y
  • If you want MySQL
apt-get install ajenti-v-mysql

If MySQL must accept connections from another host (only needed when the database and the web server are separate machines):

nano /etc/mysql/mysql.conf.d/mysqld.cnf  

Set bind-address = 0.0.0.0, then restart MySQL with service mysql restart (on Ubuntu the service is named mysql, not mysqld).

Binding to 0.0.0.0 makes port 3306 reachable on every interface, so pair it with a firewall rule that allows 3306 only from the web server's address, and create the application's MySQL user for that specific host rather than for '%' (see section D).

  • If you want mail
apt-get install ajenti-v-mail -y

Don't forget to open the IMAP, POP3 and SMTP ports in the firewall: 25, 143, 465, 587, 993, 2525, 2526. Plain POP3 on port 110 (served by courier-pop, next step) is not in this list; add it if you install that package.

  • If you want POP3 support (so that Gmail and similar services can fetch mail)
apt-get install courier-pop -y
  • Restart All Services
service php7.2-fpm restart
service nginx restart
service ajenti restart

Note: with PHP 7.4 the first command becomes service php7.4-fpm restart
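The python-imaging workaround in this section downloads a .deb over plain HTTP and hands it straight to dpkg -i, which checks no signature. The script below is an added example and not part of the reSlim wiki: a small POSIX shell wrapper that refuses to install the package unless its SHA-256 matches a value you looked up separately (Ubuntu's package pages publish one per file). The URL in the usage comment is the one from the step above; the hash there is a placeholder, not the real checksum.

```shell
#!/bin/sh
# Added example for the python-imaging workaround; not part of the reSlim wiki.
# "dpkg -i" installs whatever file it is given without checking a signature, and
# the .deb arrives over plain HTTP, so compare its SHA-256 with the published
# value before installing. URL and hash in the usage comment are placeholders.

set -u

# sha256_of FILE: print the hex digest (coreutils sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 on a match, 1 otherwise.
# The expected value is lower-cased so hashes copied in upper case still match.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_install URL EXPECTED: download to a temp file, verify, then dpkg -i.
# The temp file is removed on every path so a bad download never lingers.
fetch_and_install() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    dpkg -i "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder hash; replace it with the published one):
# fetch_and_install \
#   http://ftp.ubuntu.com/ubuntu/ubuntu/pool/universe/p/pillow/python-imaging_3.1.2-0ubuntu1.6_all.deb \
#   0000000000000000000000000000000000000000000000000000000000000000
```

A mismatch leaves nothing behind and returns non-zero, so the remaining apt-get commands of the step can be chained after it with && without risking a half-done install.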

B. Setup reSlim on Ajenti

  • This walkthrough assumes your domain is server1.omovv.com

  • Go to https://yourip:8000 (the panel uses a self-signed certificate by default, so expect a browser warning)
    Username: root
    Password: admin

  • Change the default password immediately
    Use the Password menu. The panel runs with root privileges and listens on your public IP, so until this is done anyone who finds port 8000 can log in with root/admin and take over the server. Also restrict port 8000 to your own address in the firewall (section E).

  • Go to the Websites menu
    Type your domain in the New field, then click Create.
    When it is done, your website is listed as in this picture:

  • Now click Manage and fill in the General tab as in this picture

  • Now fill in the Domain tab as in this picture

  • Now fill in the Ports tab as in this picture

  • Skip the SSL tab, then click the Content tab

    • The first time, create a PHP FastCGI content entry
    • Then paste this into the Advanced field:
      try_files $uri =404;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_pass_header Authorization;
      
      See this picture
    • Why these lines matter: try_files $uri =404 makes nginx refuse the request unless the .php file really exists on disk. Without it, and with PHP's default cgi.fix_pathinfo=1, a request such as /upload/image.jpg/x.php could make PHP-FPM execute the uploaded image as PHP. fastcgi_split_path_info separates the script name from any trailing path info. fastcgi_pass_header only controls which response headers PHP-FPM may send back to the client; the client's Authorization request header is already forwarded to PHP as HTTP_AUTHORIZATION, so that line is harmless but is not what delivers API credentials to reSlim.
  • Now on Advanced tab menu, paste this nginx conf:

    # Basic security
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # Legacy header: current browsers ignore it and OWASP now advises the value "0".
    add_header X-XSS-Protection "1; mode=block";
    # add_header is not merged across levels: any location block below that has
    # its own add_header drops these three for the responses it serves.
    
    # Compression
    gzip on;
    
    # Compression level (1-9).
    # 5 is a perfect compromise between size and cpu usage, offering about
    # 75% reduction for most ascii files (almost identical to level 9).
    gzip_comp_level    5;
    
    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    gzip_min_length    256;
    
    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    gzip_proxied       any;
    
    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    gzip_vary          on;
    
    # Compress all output labeled with one of the following MIME-types.
    gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/ld+json
      application/manifest+json
      application/rss+xml
      application/vnd.geo+json
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/bmp
      image/svg+xml
      image/x-icon
      text/cache-manifest
      text/css
      text/plain
      text/vcard
      text/vnd.rim.location.xloc
      text/vtt
      text/x-component
      text/x-cross-domain-policy;
    # text/html is always compressed by gzip module
    
    # Don't compress for older Internet Explorer
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    
    # location / is a prefix location: nginx falls back to it only when none of the regex locations below match.
    location / {
      try_files $uri $uri/ /api/index.php?$args;
      access_log off;
    }
    
    # Directives to send expires headers and turn off 404 error logging.
    # The add_header lines here replace the server-level security headers for
    # these files; repeat X-Frame-Options etc. in this block if static assets need them.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
      access_log off; 
      log_not_found off; 
      expires max;
      add_header Pragma public;
      add_header Cache-control "public";
    }
    
    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }
    
    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }
    
    # Deny all attempts to access hidden files/folders such as .git, .htaccess, .htpasswd, .DS_Store (Mac), etc...
    # This also blocks /.well-known/, so add an allow rule for it above this block
    # if you later enable Let's Encrypt HTTP-01 validation on the SSL tab.
    location ~ /\. {
      deny all;
      access_log off;
      log_not_found off;
    }
    
    # Deny yaml, twig, markdown, ini file access
    location ~* /.+\.(markdown|md|twig|yaml|yml|ini)$ {
      deny all;
      access_log off;
      log_not_found off;
    }
    
    # Deny all grunt, package files
    location ~* (Gruntfile|package)\.(js|json|jsonc)$ {
      deny all;
      access_log off;
      log_not_found off;
    }
    
    # Deny all composer files
    location ~* composer\. {
      deny all;
      access_log off;
      log_not_found off;
    }
    
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    # nginx uses the first regex location that matches, in file order: this block
    # must appear before the PHP FastCGI location in the generated configuration
    # or it never fires. Check the effective order with: nginx -T
    location ~* /(?:upload)/.*\.php$ {
      deny all;
    }
    

    See in this picture

  • Now on Custom Top Level Configuration
    Note:

    • Replace yourdomain.com with your own domain
    • This top-level configuration does not affect your other websites because it is wrapped inside its own server block.
    server {
      server_name www.yourdomain.com;
      return 301 $scheme://yourdomain.com$request_uri;
    }
    

    See in this picture

  • If you want simple layer-7 DoS mitigation (a cap on concurrent connections per client)
    Note:

    • Be careful: if you run multiple websites, this top-level configuration affects all of them,
    • because it is not wrapped inside a server block.
    • The zone key must be the client's real address. $http_x_forwarded_for is a request header that any client can set or omit, and nginx does not count connections whose key is empty, so with that key a direct client is never limited and a spoofing client chooses its own bucket. Use $binary_remote_addr; a forwarded address only makes sense behind a trusted reverse proxy or CDN, with the real_ip module configured to trust it.
    limit_conn_zone $binary_remote_addr zone=conperiplimit:16m;
    limit_conn conperiplimit 10;
    
  • Now click Apply Changes

  • Done
    PHP 7.2 and NGINX are now set up for reSlim.

  • Troubleshooting
    If NGINX fails to start because port 80 is already in use, Apache is usually still listening there. Stop and disable the apache2 service (just killing the process lets it come back at the next boot), then start nginx again; ss -ltnp shows which process holds the port.
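The Advanced-tab configuration above relies on the /upload .php deny block winning over the PHP FastCGI location, and in nginx that depends purely on file order: regex locations are tried in the order written and the first match wins. The check below is an added example, not part of the reSlim wiki. It scans an nginx configuration (a file, or the output of nginx -T on stdin) and reports whether the deny block comes first. It assumes the Ajenti-generated FastCGI location is a regex location whose line mentions ".php"; that pattern is an assumption about Ajenti's output, so adjust it if the generated file differs.

```shell
#!/bin/sh
# Added check for the Advanced-tab nginx configuration; not from the reSlim wiki.
# nginx tests regex locations in the order they appear and stops at the first
# match, so "deny .php under /upload" only works if it comes BEFORE the PHP
# FastCGI location. The PHP location is assumed to be a regex location whose
# line contains ".php" (assumption about Ajenti's generated config).
# Usage against the live configuration:  nginx -T 2>/dev/null | sh check.sh -

set -u

# php_deny_order FILE (or "-" for stdin):
#   exit 0  when the /upload deny location precedes the PHP location
#   exit 1  when the PHP location comes first (the deny block is dead code)
#   exit 2  when one of the two locations cannot be found
php_deny_order() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines
        index($0, "location") && index($0, "upload") && index($0, ".php") && !deny { deny = NR }
        index($0, "location") && index($0, ".php") && !index($0, "upload") && !php { php = NR }
        END {
            if (!deny || !php) exit 2
            if (deny < php) exit 0
            exit 1
        }
    ' "$1"
}

# report FILE: human-readable wrapper around php_deny_order
report() {
    rc=0
    php_deny_order "$1" || rc=$?
    case $rc in
        0) echo "ok: upload deny location precedes the PHP location" ;;
        1) echo "WRONG ORDER: PHP location matches first; move the deny block above it" ;;
        *) echo "could not find both locations; check the patterns" ;;
    esac
    return "$rc"
}

# When run directly with a file name (or "-"), print the verdict.
if [ $# -eq 1 ]; then
    report "$1"
fi
```

Because Ajenti writes the Content-tab FastCGI entry and the Advanced-tab text into the same server block, run this after every Apply Changes; a later edit in the panel can silently reorder the two.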

C. Upload reSlim files with FTP

  • Go to the FTP tab and set the login credentials
    See this picture

  • You can now upload files over FTP with FileZilla or any other FTP client.
    Plain FTP sends the password and the files in clear text; prefer SFTP over the SSH port (section E) and leave the FTP ports closed.

  • Done

D. MySQL Database

  • Go to the MySQL tab to set up the database
  • After it is created and you have logged in, create the database and a user for it
  • Grant that user only the privileges reSlim needs, on that database only, and bind the user to the host it connects from (localhost when MySQL runs on the same server); "Grant All Access" to a user allowed from any host ('%') turns one SQL injection or leaked password into control of every database on the server
  • To manage it you can use Navicat or MySQL Workbench installed on your computer

Note:

  • For email and the MySQL database we recommend separate servers, for better performance and easier maintenance later.
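The remote-access step in section A (bind-address = 0.0.0.0) and the grant step above are where a MySQL setup usually ends up too open. The script below is an added example, not reSlim's own code or part of the wiki: it generates the SQL for a least-privilege account (one database, one user, one source host, a short privilege list) and feeds it to the mysql client. Database name, user name, host and password are placeholders; MySQL 5.7 or later (Ubuntu 16.04 ships 5.7) is assumed for CREATE USER IF NOT EXISTS.

```shell
#!/bin/sh
# Added example for the MySQL steps (remote bind-address and user grants); not
# reSlim's own code. Builds a least-privilege account instead of "Grant All
# Access" to a user allowed from anywhere. All names below are placeholders.
# Assumes MySQL 5.7+ for CREATE USER IF NOT EXISTS.

set -u

# Runtime privileges. Import reSlim's schema with an administrative account (or
# export PRIVS="SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP" for
# the install run only), then leave the application on the short list.
PRIVS=${PRIVS:-"SELECT, INSERT, UPDATE, DELETE"}

# grant_sql DB USER HOST PASSWORD: print the SQL on stdout.
# HOST is where the application connects FROM: 'localhost' when PHP and MySQL
# share the box, the web server's IP when MySQL listens on 0.0.0.0. Wildcard
# hosts ('%') are refused so an account cannot become world-reachable, and
# quotes or backslashes in any input are rejected rather than escaped.
grant_sql() {
    db=$1; user=$2; host=$3; pass=$4
    case $host in
        *%*) echo "refusing wildcard host '$host'" >&2; return 1 ;;
    esac
    case "$db$user$host$pass" in
        *\'*|*\`*|*\\*) echo "quotes and backslashes are not allowed in inputs" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pass';
GRANT $PRIVS ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# apply_grants DB USER HOST PASSWORD: feed the SQL to the mysql client as root.
# The client prompts for the root password on the terminal, so it never appears
# on the command line where "ps" could read it.
apply_grants() {
    sql=$(grant_sql "$@") || return 1
    printf '%s\n' "$sql" | mysql -u root -p
}

# Example (placeholders): apply_grants reslim reslim_app 10.0.0.5 'S3cretPass'
```

Pair the host restriction with the firewall: even with bind-address = 0.0.0.0, port 3306 should be reachable only from the address used as HOST here.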

E. Firewall Basic Security

To protect your Ajenti server, create a basic firewall rule set: deny all inbound traffic by default and open only SSH, HTTP and HTTPS (80, 443), the mail ports if you installed mail, and the Ajenti panel port 8000, the last one only from the addresses you administer from.
See the picture below.

Note:

  • Disable FTP and use SFTP instead, which is more secure (ports 20 and 21 do not appear in the rules simply because FTP is not used).
  • For better security, change the default SSH port (and add the matching firewall rule before you disconnect).
  • Leave the IPv6 firewall at its defaults.
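The rule screenshot referred to above is not reproduced here, so the following is an added example of what those rules look like as ufw commands; it is not part of the reSlim wiki. It prints a default-deny inbound policy that opens only what this guide installs, and applies it only when run with the apply argument. The SSH port (2222), the admin address (203.0.113.10, a documentation address) and the WITH_MAIL switch are assumptions; set them to your values first.

```shell
#!/bin/sh
# Added example for the firewall step; not from the reSlim wiki. Prints the ufw
# commands for a default-deny inbound policy with only this guide's services
# open, and applies them only when invoked as "sh firewall.sh apply".
# SSH_PORT, ADMIN_CIDR and WITH_MAIL are assumptions; override them via the environment.

set -u

SSH_PORT=${SSH_PORT:-2222}                  # the non-default SSH port set in sshd_config
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.10/32}   # placeholder (TEST-NET-3): where you administer from
WITH_MAIL=${WITH_MAIL:-0}                   # 1 if ajenti-v-mail was installed

# firewall_rules: print one ufw command per line.
# No 20/21 (FTP: use SFTP over the SSH port) and no 3306 (MySQL stays reachable
# only from hosts you add explicitly). The Ajenti panel on 8000 is limited to
# the admin address because it runs as root and shipped with a default password.
firewall_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit proto tcp from any to any port $SSH_PORT comment 'ssh (rate limited)'
ufw allow proto tcp from any to any port 80 comment 'http'
ufw allow proto tcp from any to any port 443 comment 'https'
ufw allow proto tcp from $ADMIN_CIDR to any port 8000 comment 'ajenti panel, admin only'
EOF
    if [ "$WITH_MAIL" = 1 ]; then
        for p in 25 143 465 587 993 2525 2526; do
            echo "ufw allow proto tcp from any to any port $p comment 'mail'"
        done
    fi
}

# ssh_listening: succeed only if something listens on SSH_PORT, so enabling the
# firewall cannot lock you out while sshd still sits on port 22.
ssh_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$SSH_PORT" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

case ${1:-} in
    apply)
        ssh_listening || { echo "nothing listens on port $SSH_PORT; fix sshd first" >&2; exit 1; }
        firewall_rules | sh -e
        ufw --force enable
        ;;
    *)
        firewall_rules
        ;;
esac
```

Run it without arguments first and read the rules; the ufw limit rule on the SSH port also throttles brute-force attempts, which complements changing the port rather than replacing it.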