Centos Server Setup - thiagobs-webdev/helptools GitHub Wiki

# Initial Server Setup

  1. Instructions:

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-8

# Git

  1. Instructions:

https://www.digitalocean.com/community/tutorials/how-to-install-git-on-centos-8

# NGINX

  1. Install packages:

    dnf -y install epel-release curl wget tree zip unzip gcc gcc-c++ make pcre pcre-devel openssl openssl-devel zlib zlib-devel perl perl-devel perl-ExtUtils-Embed gd gd-devel libxslt libxslt-devel libxml2 libxml2-devel
    
  2. Development Tools:

    dnf groupinstall -y 'Development Tools'
    
  3. Download packages:

    wget https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.43/pcre2-10.43.tar.gz \
    && tar xzvf pcre2-10.43.tar.gz
    
    wget https://zlib.net/zlib-1.3.1.tar.gz \
    && tar xzvf zlib-1.3.1.tar.gz
    
    wget https://www.openssl.org/source/openssl-3.0.13.tar.gz \
    && tar xzvf openssl-3.0.13.tar.gz
    
  4. Download NGINX:

    wget https://nginx.org/download/nginx-1.26.0.tar.gz \
    && tar xzvf nginx-1.26.0.tar.gz
    
  5. Remove the tar.gz files:

    rm -rf *.tar.gz
    
  6. Set up NGINX:

    cd nginx-1.26.0 \
    && cp man/nginx.8 /usr/share/man/man8/ \
    && gzip /usr/share/man/man8/nginx.8
    
  7. Install NGINX:

    ./configure \
    --build=CentOS \
    --builddir=nginx-1.26.0 \
    --prefix=/usr/local/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --modules-path=/usr/lib64/nginx/modules \
    --error-log-path=/var/log/nginx/error.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --user=nginx \
    --group=nginx \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-file-aio \
    --with-threads \
    --with-compat \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_auth_request_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_degradation_module \
    --with-http_slice_module \
    --with-http_stub_status_module \
    --with-http_perl_module=dynamic \
    --with-mail=dynamic \
    --with-mail_ssl_module \
    --with-openssl=../openssl-3.0.13 \
    --with-openssl-opt=no-nextprotoneg \
    --with-perl=/usr/bin/perl \
    --with-perl_modules_path=/usr/lib64/perl5 \
    --with-pcre=../pcre2-10.43 \
    --with-pcre-jit \
    --with-poll_module \
    --with-select_module \
    --with-stream=dynamic \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_ssl_preread_module \
    --with-zlib=../zlib-1.3.1 \
    --with-debug
    
    make
    
    make install
    
  8. Set up the NGINX environment:

    ln -s /usr/lib64/nginx/modules /etc/nginx/modules
    
    useradd --system --home /var/cache/nginx --shell /sbin/nologin --comment "nginx user" --user-group nginx
    
    mkdir -p /var/cache/nginx/client_temp /var/cache/nginx/fastcgi_temp /var/cache/nginx/proxy_temp /var/cache/nginx/scgi_temp /var/cache/nginx/uwsgi_temp
    
    chmod 700 /var/cache/nginx/*
    
    chown nginx:root /var/cache/nginx/*
    
    vi /etc/systemd/system/nginx.service
    
    [Unit]
    Description=nginx - high performance web server
    Documentation=https://nginx.org/en/docs/
    After=network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target
    
    [Service]
    Type=forking
    PIDFile=/var/run/nginx.pid
    ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
    ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s TERM $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    
    systemctl enable nginx.service
    
    systemctl start nginx.service
    
    systemctl status nginx.service
    
    mkdir /etc/nginx/{conf.d,snippets,sites-available,sites-enabled}
    
    chmod 640 /var/log/nginx/*
    
    chown nginx:adm /var/log/nginx/access.log /var/log/nginx/error.log
    
    vi /etc/logrotate.d/nginx
    
    /var/log/nginx/*.log {
        daily
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 nginx adm
        sharedscripts
        postrotate
        if [ -f /var/run/nginx.pid ]; then
            kill -USR1 `cat /var/run/nginx.pid`
        fi
        endscript
    }
    
    rm -rf nginx-1.26.0/ openssl-3.0.13/ pcre2-10.43/ zlib-1.3.1/
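
Steps 3 and 4 above unpack each tarball as soon as `wget` returns, with no integrity check before the sources are compiled. As an added example (not part of the original wiki), the shell functions below extract a tarball only when it matches a SHA-256 digest pinned beforehand. The names `sha256_of`, `verify_and_extract` and `demo_constructed` are hypothetical, and the pins must be copied from each project's release page, since this page lists none.

```shell
# Added example (not from the original page): unpack only on a pinned SHA-256 match.
sha256_of() { sha256sum < "$1" | awk '{print $1}'; }  # lowercase hex digest of FILE

# verify_and_extract TARBALL EXPECTED_SHA256 [DESTDIR]
# Returns 0 and extracts only on a digest match; otherwise returns 1 without extracting.
verify_and_extract() {
    local tarball="$1" expected="$2" dest="${3:-.}" actual
    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 1; }
    # A pin must be exactly 64 hex characters; reject empty or truncated values.
    case "$expected" in
        ''|*[!0-9a-fA-F]*) echo "bad pin for $tarball" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pin length for $tarball" >&2; return 1; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $tarball: got $actual" >&2
        return 1
    fi
    # Refuse archives whose members use absolute paths or ".." components.
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$dest"
}

# demo_constructed: build a small tarball (constructed sample, not a real
# release), then check that a correct pin extracts and a stale pin does not.
demo_constructed() {
    local work pin
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/pkg-1.0" "$work/good" "$work/bad"
    echo 'int main(void){return 0;}' > "$work/src/pkg-1.0/main.c"
    tar -czf "$work/pkg-1.0.tar.gz" -C "$work/src" pkg-1.0
    pin=$(sha256_of "$work/pkg-1.0.tar.gz")
    verify_and_extract "$work/pkg-1.0.tar.gz" "$pin" "$work/good" || return 1
    [ -f "$work/good/pkg-1.0/main.c" ] || return 1
    # Simulate modification after pinning: append one byte, keep the old pin.
    printf 'x' >> "$work/pkg-1.0.tar.gz"
    verify_and_extract "$work/pkg-1.0.tar.gz" "$pin" "$work/bad" 2>/dev/null && return 1
    [ ! -e "$work/bad/pkg-1.0" ] || return 1
    rm -rf "$work"
}

demo_constructed && echo "demo: correct pin extracted, modified tarball refused"
```

In the download steps, each `&& tar xzvf <file>` would become `&& verify_and_extract <file> "<pinned-sha256>"`, so a mismatch stops the build before anything is unpacked.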
    

# Install PHP

  1. Enable Remi’s and EPEL repositories

    dnf -y install https://rpms.remirepo.net/enterprise/remi-release-9.rpm \
    && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
    
  2. Update dnf cache

    dnf makecache -y
    
  3. List configured repositories on the system.

    dnf repolist
    
  4. Reset default PHP module on the system.

    dnf module reset php -y
    
  5. Install PHP 8.3

    dnf module -y install php:remi-8.3
    
  6. Install modules:

    dnf install -y php-{opcache,common,pear,cgi,curl,mbstring,gd,mysqlnd,gettext,bcmath,json,xml,fpm,intl,zip,imap,mcrypt,cli,mysql,ldap,fileinfo,pdo}
    
  7. Setup php-fpm: vi /etc/php-fpm.d/www.conf

    user = nginx
    group = nginx
    ;listen = 127.0.0.1:9000
    ;listen = /var/run/php-fpm.sock
    listen = /run/php-fpm.sock
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    
    systemctl start php-fpm
    
    systemctl enable php-fpm
    
    systemctl status php-fpm
    
  8. Restart the Nginx and PHP-FPM:

    systemctl restart nginx php-fpm
    

# Secure Nginx with Let's Encrypt (SSL)

  1. Add EPEL repository:

    dnf install epel-release -y
    
  2. Install all of the required packages:

    dnf install certbot python3-certbot-nginx
    
  3. Updating the Firewall Rules:

    3.1 Check which services are already enabled:

     sudo firewall-cmd --permanent --list-all
    

    3.2 Enable http:

     sudo firewall-cmd --permanent --add-service=http
    

    3.3 Enable https:

     sudo firewall-cmd --permanent --add-service=https
    

    3.4 Reload:

     sudo firewall-cmd --reload
    
  4. Obtaining a Certificate:

    sudo certbot --nginx -d your_domain -d www.your_domain
    
  5. Domain information:

    sudo certbot --nginx
    
  6. Setting Up Auto-Renewal:

    6.1 Edit the crontab to create a new job that will run the renewal twice per day:

     sudo crontab -e
    

    6.2 Add script:

     0 0,12 * * * python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet
    

# Create Let's Encrypt Wildcard Certificates

  1. Install host command:

    dnf install bind-utils
    
  2. Test that wildcard DNS is working as intended:

    host one.example.com