CSnap/cheetsheetz
CSnap
/
cheetsheetz
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cheetsheetz/FEMP.md

277 lines
6.6 KiB
Markdown
Raw Blame History

# Fedora based LEMP Setup List
*Inspired by the version permutation nightmares caused by sites like [this one](https://www.howtoforge.com/how-to-install-nginx-with-php-and-mariadb-lemp-stack-on-fedora-32/*)*
## Install packages
### Massive swiss-army knife setup
```
dnf install certbot certbot-nginx cockpit htop iftop iptraf nano openssh-server net-tools nginx* rsync screen vim wget && dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"
```
### Or Less Extra
`dnf install certbot certbot-nginx nginx `
`dnf install vim nano rsync screen vim wget net-tools htop iftop iptraf openssh-server bash-completion`
`dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"`
### More butter Rocky variant
`dnf install epel-release`
`dnf install git vim nano rsync screen vim wget net-tools htop iftop iptraf openssh-server bash-completion mariadb mariadb-server certbot python3-certbot-nginx nginx php-fpm`
`dnf groupinstall "Development Tools"`
## Add non-root administrator
`adduser user`
`usermod -aG wheel user`
`passwd user`
`vi /etc/sudoers`
`sudo -i -u user`
## Configure SSH
`ssh-keygen -t rsa -b 4096`
### Change port and root login settings
`vi /etc/ssh/sshd_config`
### Add keys ( also see `ssh-copy-id` )
`vi .ssh/authorized_keys`
## Firewall settings
```
systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --permanent --list-services
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --add-port 20022/tcp
firewall-cmd --permanent --add-port 20022/tcp
firewall-cmd --permanent --add-port YOUR_PORT_HERE/tcp
firewall-cmd --remove-service ssh --permanent
firewall-cmd --reload
systemctl reload firewalld
```
## MariaDB
```
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation # Y-N-Y-Y-Y-Y
mysql -u root -p
CREATE USER 'user1'@localhost IDENTIFIED BY 'password1';
CREATE USER 'namenode'@localhost IDENTIFIED BY ':passwd';
GRANT ALL PRIVILEGES ON *.* TO 'user1'@localhost IDENTIFIED BY 'password1';
GRANT ALL PRIVILEGES ON *.* TO 'user2'@localhost IDENTIFIED BY 'passwd2';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'user1'@localhost;
SHOW GRANTS FOR 'user2'@localhost;
CREATE DATABASE 'yourDB';
SHOW DATABASES;
DROP USER 'user1'@localhost; # Just for example to show how to delete a user
```
## Redis Setup
`dnf install redis php-redis`
`sudo systemctl enable --now redis`
`vi /etc/redis/redis.conf`
Change bind (0.0.0.0), `requirepass`, `port (2*)`, `maxmemory` (256mb), and `maxmemory-policy allkeys-lru`.
`systemctl restart redis`
```
firewall-cmd --zone=public --permanent --add-port=26379/tcp
firewall-cmd --reload
```
## NGINX
### Important working directories:
```
/usr/share/nginx/
/etc/nginx/
```
### Create user working directory for custom configuration files:
```
mkdir /etc/nginx/sites-available # Create a directory for nginx.conf files
mkdir /usr/share/nginx/example.com/html -p # Create new webroot with specified structure
```
### Now we can create a new config file to start with:
`vi /etc/nginx/sites-available/example.com.conf`
### Link it to active conf directory
`ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/`
### If it is required at some point, removing that symlink is as easy as:
`rm /etc/nginx/conf.d/example.com.conf`
### Now we edit the nginx.conf
`vi /etc/nginx/nginx.conf`
### Set the following lines after the line "include /etc/nginx/conf.d/*.conf" (if not already set):
```
server_names_hash_bucket_size 64; # Should already exist in recent versions
types_hash_max_size 4096; ## Should already be set
```
### Comment out the root location directive (Can uncomment after setup so as not to confuse cache while testing?)
**To test and reload the configuration:**
`nginx -t`
`systemctl reload nginx`
### Simple recap moving forward:
```
systemctl start nginx
systemctl restart nginx
systemctl enable nginx
systemctl status nginx
systemctl reload nginx
nginx -t
mkdir /etc/nginx/sites-available
mkdir /usr/share/nginx/example.com/html -p
vi /etc/nginx/sites-available/example.com.conf
ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/
vi /etc/nginx/nginx.com # comment out the root in default server block (troubleshooting)
systemctl reload nginx
```
## PHP-FPM setup
### Change user in configuration (nginx):
`vi /etc/php-fpm.d/www.conf`
`systemctl enable php-fpm`
`systemctl restart php-fpm`
### PHP-OPCache setup
`vi /etc/php.d/10-opcache.ini`
```
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
```
`systemctl restart php-fpm`
`systemctl reload nginx`
### phpMyAdmin setup
`dnf install phpmyadmin `
`ln -s /usr/share/phpMyAdmin/ /usr/share/nginx/hosting.namenode.xyz/dbpma`
`chown -R nginx:nginx /var/lib/php/session`
`chown -R nginx:nginx /var/lib/phpMyAdmin`
`chown -R nginx:nginx /etc/phpMyAdmin`
`vi /etc/phpMyAdmin/config.inc.php`
```
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['TempDir'] = '/var/lib/phpMyAdmin/temp';
```
`systemctl reload php-fpm`
`systemctl reload nginx`
### Securing phpMyAdmin further
```
vi pass-infile ## make a password for openssl to encrypt - one line no spaces
```
```
openssl passwd -in pass-infile ## Copy the output (your encrypted password)
```
```
vi /etc/nginx/pma_pass # Create a user/pass pair for the authentication gateway.
```
### Format:
```
user:p@s$w0Rd # one line
```
### Add the required "dbpma" section
`vi /etc/nginx/sites-available/example.com.conf`
`systemctl reload nginx`
[Install and secure PMA with NGINX Ubuntu 18.04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-nginx-on-an-ubuntu-18-04-server)
## Cockpit Setup
`vi /etc/cockpit/cockpit.conf`
`vi /etc/nginx/sites-available/example.com.conf`
[Proxying Cockpit over NGINX](https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-nginx)
[Reverse proxy Cockpit over NGINX](https://www.freesoftwareservers.com/display/FREES/Reverse+Proxy+Cockpit+over+NGinX)
## Certbot setup (Examples)
```
certbot --nginx -d example.com -d www.example.com
certbot --nginx --agree-tos -d example.com -d www.example.com --email your-email-address
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --must-staple -d example.com -d www.example.com --email your-email-address
```
`$ EDITOR=vim crontab -e`
```
25 2 * * 0 /usr/bin/certbot renew --quiet # Every Sunday 2:25am
```
Reference in New Issue View Git Blame Copy Permalink