cheetsheetz/LEMP.md


Fedora Super-LEMP setup:

Based on https://www.howtoforge.com/how-to-install-nginx-with-php-and-mariadb-lemp-stack-on-fedora-32/

Install packages

Massive swiss-army knife setup

dnf install certbot certbot-nginx cockpit htop iftop iptraf nano openssh-server net-tools 'nginx*' rsync screen vim wget && dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"   # quote the glob so dnf, not the shell, expands nginx*

Or Less Extra

dnf install certbot certbot-nginx nginx

dnf install vim nano rsync screen wget net-tools htop iftop iptraf openssh-server bash-completion

dnf groupinstall "Development Tools" "Web Server" "Mysql" "php"

Rocky Linux variant (certbot and python3-certbot-nginx come from EPEL, so enable it first)

dnf install epel-release

dnf install git vim nano rsync screen wget net-tools htop iftop iptraf openssh-server bash-completion mariadb mariadb-server certbot python3-certbot-nginx nginx php-fpm

dnf groupinstall "Development Tools"

Add non-root administrator

adduser user   # on Fedora/Rocky adduser is a symlink to useradd; the home directory is created by default

usermod -aG wheel user

passwd user

visudo   # never open /etc/sudoers with a plain editor: visudo locks the file and syntax-checks it, a broken sudoers locks everyone out of sudo

sudo -i -u user

Configure SSH

ssh-keygen -t rsa -b 4096   # or ssh-keygen -t ed25519; run on the machine you connect from, only the .pub file goes to the server

Change port and root login settings

vi /etc/ssh/sshd_config

Port 20022
PermitRootLogin no
PasswordAuthentication no

semanage port -a -t ssh_port_t -p tcp 20022   # SELinux (Fedora/Rocky): required for any port other than 22; semanage is in policycoreutils-python-utils

sshd -t && systemctl restart sshd   # validate first; open the new port in firewalld (next section) before restarting, and keep the current session open until a login on the new port works

Add keys (also see ssh-copy-id)

vi .ssh/authorized_keys

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys   # with StrictModes (the default) sshd silently ignores keys in group- or world-writable paths

Firewall settings

systemctl enable firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
firewall-cmd --state
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --permanent --list-services
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --add-port 20022/tcp              # runtime only, gone after a reload
firewall-cmd --permanent --add-port 20022/tcp  # persisted, but only active after --reload
firewall-cmd --permanent --add-port YOUR_PORT_HERE/tcp
firewall-cmd --reload
# Only after a login on the new SSH port has been verified: drop the default ssh service (port 22)
firewall-cmd --remove-service ssh --permanent
firewall-cmd --reload
systemctl reload firewalld

MariaDB

systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation # Y-N-Y-Y-Y-Y : switch root to unix_socket auth = Y, change root password = N, remove anonymous users = Y, disallow remote root = Y, remove test database = Y, reload privileges = Y
mysql -u root -p   # with unix_socket auth a plain "mysql" as the OS root user also works
CREATE DATABASE yourDB;   # identifiers are unquoted or in backticks; 'yourDB' in single quotes is a string and a syntax error here
CREATE USER 'user1'@'localhost' IDENTIFIED BY 'password1';
CREATE USER 'user2'@'localhost' IDENTIFIED BY 'password2';
GRANT ALL PRIVILEGES ON yourDB.* TO 'user1'@'localhost';   # scope grants to the application's database: ON *.* makes the account a second root
GRANT ALL PRIVILEGES ON yourDB.* TO 'user2'@'localhost';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'user1'@'localhost';
SHOW GRANTS FOR 'user2'@'localhost';
SHOW DATABASES;
DROP USER 'user1'@'localhost'; # Just for example to show how to delete a user

Redis Setup

dnf install redis php-redis

systemctl enable --now redis

vi /etc/redis/redis.conf   # /etc/redis.conf on older Fedora releases

Keep bind 127.0.0.1 (the default) when only the local PHP talks to Redis; then no firewall port is needed at all. Bind to a specific interface address only if a remote client really needs it, and in that case always set requirepass (Redis has no other authentication), leave protected-mode yes, optionally move to a non-default port such as 26379, and set maxmemory 256mb with maxmemory-policy allkeys-lru. bind 0.0.0.0 plus an open firewall port exposes Redis to every network the host is on.

systemctl restart redis

Only for the remote-client case, and limited to that client's address instead of opened to the world:

firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="CLIENT_IP_HERE" port port="26379" protocol="tcp" accept'
firewall-cmd --reload
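The "vi the file and change ..." steps for sshd_config (Configure SSH section) and redis.conf (above) hide two traps: a commented default such as `#PermitRootLogin prohibit-password` is not an active setting, so a check must only count uncommented lines, and in sshd_config a global directive appended to the end of the file lands inside any `Match` block that exists there (sshd -t rejects `Port` in that position). The following added example, mine and not part of the original cheatsheet, implements a getter and setter that respect both rules and checks both files against the settings the page asks for; the two sample configs are constructed. It assumes `Key value` lines (the `Key=value` spelling is not handled) and case-sensitive directive names.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: directive get/set for
# sshd_config and redis.conf, plus checks for the hardening the page asks for.

# conf_get FILE KEY -> print the effective (last active, global-scope) value; exit 1 if unset
conf_get() {
    awk -v key="$2" '
        $1 == "Match" { exit }              # sshd: only the part above the first Match block is global
        $1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); val = $0; found = 1 }
        END { if (found) { print val; exit 0 } exit 1 }
    ' "$1"
}

# conf_set FILE KEY VALUE -> replace the active global line for KEY, or insert one
# above the first Match block (or at the end); commented lines are left untouched
conf_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        BEGIN { global = 1; done = 0 }
        !done && $1 == "Match" { print key " " value; done = 1 }
        $1 == "Match" { global = 0 }
        global && $1 == key { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat, not mv: keeps the target's owner, mode and SELinux label
    status=$?
    rm -f "$tmp"
    return $status
}

# sshd_check FILE -> 0 when root login and password auth are off in the global scope
sshd_check() {
    rc=0
    [ "$(conf_get "$1" PermitRootLogin)" = no ] || { echo "sshd: PermitRootLogin must be 'no'"; rc=1; }
    [ "$(conf_get "$1" PasswordAuthentication)" = no ] || { echo "sshd: PasswordAuthentication must be 'no'"; rc=1; }
    return $rc
}

# redis_check FILE -> 0 unless Redis listens on every interface without a password
# or protected-mode is off (no bind directive at all also means all interfaces)
redis_check() {
    rc=0
    bind=$(conf_get "$1" bind) || bind="0.0.0.0"
    pass=$(conf_get "$1" requirepass) || pass=""
    pm=$(conf_get "$1" protected-mode) || pm="yes"
    case " $bind " in
        *" 0.0.0.0 "*|*" * "*|*" :: "*)
            [ -n "$pass" ] || { echo "redis: bound to all interfaces with no requirepass"; rc=1; }
            ;;
    esac
    [ "$pm" != no ] || { echo "redis: protected-mode is off"; rc=1; }
    return $rc
}

# demo -> 0 when both constructed files fail as shipped and pass after hardening
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample in the shape of a stock sshd_config
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    cat > "$dir/redis.conf" <<'EOF'
# constructed sample: the page's bind 0.0.0.0 with the password still commented out
bind 0.0.0.0
port 26379
protected-mode no
# requirepass foobared
EOF
    sshd_check "$dir/sshd_config" >/dev/null && return 1   # the "no" inside Match must not satisfy the check
    redis_check "$dir/redis.conf" >/dev/null && return 1
    conf_set "$dir/sshd_config" Port 20022
    conf_set "$dir/sshd_config" PermitRootLogin no
    conf_set "$dir/sshd_config" PasswordAuthentication no
    conf_set "$dir/redis.conf" bind "127.0.0.1 ::1"
    conf_set "$dir/redis.conf" protected-mode yes
    sshd_check "$dir/sshd_config" || return 1
    redis_check "$dir/redis.conf" || return 1
    [ "$(conf_get "$dir/sshd_config" Port)" = 20022 ] || return 1    # landed above Match, not after it
    grep -c '^Port ' "$dir/sshd_config" | grep -qx 1 || return 1     # exactly one active Port line
    rm -rf "$dir"
    echo "sshd_config and redis.conf hardening verified"
}
```

On the real files run `sshd -t` after `conf_set` and before restarting sshd; the checks only cover the directives the page changes, not the rest of either configuration.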

NGINX

Important working directories:

/usr/share/nginx/

/etc/nginx/

Create user working directory for custom configuration files:

mkdir /etc/nginx/sites-available  # Create a directory for nginx.conf files

mkdir /usr/share/nginx/example.com/html -p  # Create new webroot with specified structure

Now we can create a new config file to start with:

vi /etc/nginx/sites-available/example.com.conf

ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/   # enable the site: nginx.conf includes /etc/nginx/conf.d/*.conf

rm /etc/nginx/conf.d/example.com.conf   # disable it again: this removes only the symlink, the file in sites-available stays

Now we edit the nginx.conf

vi /etc/nginx/nginx.conf

Inside the http {} block, after the line "include /etc/nginx/conf.d/*.conf;", make sure these are set (recent versions already have them):

server_names_hash_bucket_size 64; # Should already exist in recent versions

types_hash_max_size 4096; ## Should already be set

Comment out the root directive in the default server block while testing, so the default server does not answer for the new site and mislead you (or the browser cache); restore or remove the default server once the vhost works.

To test and reload the configuration:

nginx -t && systemctl reload nginx   # reload only if the config test passes

Simple recap moving forward:

systemctl start nginx
systemctl restart nginx
systemctl enable nginx
systemctl status nginx
systemctl reload nginx
nginx -t
mkdir /etc/nginx/sites-available
mkdir /usr/share/nginx/example.com/html -p
vi /etc/nginx/sites-available/example.com.conf
ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/conf.d/
vi /etc/nginx/nginx.conf # comment out the root in default server block (troubleshooting)
systemctl reload nginx

PHP-FPM setup

Change the pool user and group to nginx (Fedora ships user = apache, group = apache):

vi /etc/php-fpm.d/www.conf

user = nginx
group = nginx
listen = /run/php-fpm/www.sock   ; the shipped default; nginx is allowed on the socket by the default listen.acl_users = apache,nginx

systemctl enable php-fpm

systemctl restart php-fpm

PHP-OPCache setup

vi /etc/php.d/10-opcache.ini

opcache.enable_cli=1   ; only affects the php CLI binary, not php-fpm, so it does nothing for the web stack
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60   ; edited .php files are picked up at most every 60 s; use 0 while developing

systemctl restart php-fpm

systemctl reload nginx

phpMyAdmin setup

dnf install phpmyadmin

ln -s /usr/share/phpMyAdmin/ /usr/share/nginx/example.com/html/dbpma   # expose it under the webroot created above, as /dbpma

chown -R nginx:nginx /var/lib/php/session

chown -R nginx:nginx /var/lib/phpMyAdmin

chown -R root:nginx /etc/phpMyAdmin   # readable by the PHP pool, but the configuration must not be writable by the web server user

vi /etc/phpMyAdmin/config.inc.php

$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['blowfish_secret'] = 'YOUR_32_RANDOM_CHARS_HERE';   // required for cookie authentication; 32 random characters

$cfg['TempDir'] = '/var/lib/phpMyAdmin/temp';

systemctl reload php-fpm

systemctl reload nginx

Securing phpMyAdmin further

The file nginx reads for auth_basic holds user:HASH pairs, never the clear-text password. Generate the hash (SHA-512 crypt, which nginx verifies through the system crypt()) straight from the terminal so the password never touches a file:

openssl passwd -6   ## prompts for the password twice and prints the hash
vi /etc/nginx/pma_pass # Create a user/hash pair for the authentication gateway, one per line

Format:

user:$6$...   # user name, colon, the hash printed above (the original "user:p@s$w0Rd" clear-text form never matches any password)

chown root:nginx /etc/nginx/pma_pass && chmod 640 /etc/nginx/pma_pass

Add the required "dbpma" section (a location with auth_basic and auth_basic_user_file /etc/nginx/pma_pass, ideally also allow/deny limited to admin addresses)

vi /etc/nginx/sites-available/example.com.conf

nginx -t && systemctl reload nginx
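An added example (mine, not part of the original cheatsheet) that produces a pma_pass entry and audits the file before nginx is pointed at it: every line must be `user:<hash>` in one of the forms nginx accepts (`$6$` and `$5$` crypt, `$apr1$`, `{SHA}`), and the file must not be world-readable. It assumes an OpenSSL with `passwd -6` (1.1.1 or newer); the `$6$` line in the demo is a constructed string in the right shape, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: create and audit the auth_basic_user_file.

# htpasswd_line USER  (password on stdin) -> prints "USER:$6$..." ready for pma_pass
htpasswd_line() {
    case "$1" in ''|*:*) echo "bad user name" >&2; return 1 ;; esac
    hash=$(openssl passwd -6 -stdin) || return 1
    printf '%s:%s\n' "$1" "$hash"
}

# htpasswd_check FILE -> 0 when every entry is user:<supported hash> and FILE is not world-readable
htpasswd_check() {
    rc=0
    bad=$(grep -Ev '^[^:]+:(\$6\$|\$5\$|\$apr1\$|\{SHA\})[^:]+$' "$1" | grep -v '^[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "not a hash nginx can verify (clear text?):"; echo "$bad"; rc=1
    fi
    [ -z "$(find "$1" -perm -004)" ] || { echo "$1 is world-readable"; rc=1; }
    return $rc
}

# demo -> 0 when the page's clear-text line is rejected, a hashed line passes, and mode 644 is rejected
demo() {
    f=$(mktemp) || return 1                       # mktemp creates the file with mode 600
    printf 'user:p@s$w0Rd\n' > "$f"               # the clear-text format from the cheatsheet
    htpasswd_check "$f" >/dev/null && return 1
    # constructed, not a real hash: only the "$6$salt$hash" shape matters to the check
    printf 'admin:$6$ZmFrZXNhbHQ$constructedhashvaluenotreal\n' > "$f"
    htpasswd_check "$f" || return 1
    chmod 644 "$f"
    htpasswd_check "$f" >/dev/null && return 1
    rm -f "$f"
    echo "pma_pass format and permission checks verified"
}
```

Usage on the server: `htpasswd_line admin >> /etc/nginx/pma_pass` (type the password when prompted by openssl), then `htpasswd_check /etc/nginx/pma_pass` before the nginx reload.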

See also: Install and secure PMA with NGINX, Ubuntu 18.04 (external guide)

Cockpit Setup

systemctl enable --now cockpit.socket

vi /etc/cockpit/cockpit.conf   # [WebService]: Origins = https://example.com wss://example.com, ProtocolHeader = X-Forwarded-Proto, AllowUnencrypted = true, UrlRoot = /cockpit

vi /etc/nginx/sites-available/example.com.conf   # location /cockpit/ proxying to http://127.0.0.1:9090/cockpit/ with proxy_http_version 1.1 and the Upgrade/Connection headers (websocket)

setsebool -P httpd_can_network_connect 1   # SELinux: otherwise nginx cannot connect to port 9090

firewall-cmd --zone=public --permanent --remove-service=cockpit && firewall-cmd --reload   # if the zone still exposes 9090 directly, close it once the proxy works; AllowUnencrypted must only ever be reachable through the proxy

See also: Proxying Cockpit over NGINX; Reverse proxy Cockpit over NGINX (external guides)
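The NGINX, phpMyAdmin ("dbpma section") and Cockpit sections all edit example.com.conf without showing it. The following is my added example of that vhost and of the matching cockpit.conf, not code from the original cheatsheet, with a check for the classic nginx + php-fpm mistake: a `fastcgi_pass` in a location without `try_files $uri =404`, which with cgi.fix_pathinfo lets a request like /uploads/pic.jpg/x.php reach php-fpm. Assumptions that are mine: php-fpm listens on /run/php-fpm/www.sock (Fedora's shipped www.conf), phpMyAdmin is symlinked to <webroot>/dbpma as in the phpMyAdmin section, Cockpit stays on its default 127.0.0.1:9090 and is served under /cockpit/, and 203.0.113.0/24 (RFC 5737 documentation range) stands in for the admin network. TLS is left to certbot --nginx, which rewrites the listen lines.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: example.com vhost + cockpit.conf + a try_files check.

# write_vhost DOMAIN WEBROOT OUTFILE
write_vhost() {
    sed -e "s#__DOMAIN__#$1#g" -e "s#__ROOT__#$2#g" > "$3" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name __DOMAIN__ www.__DOMAIN__;
    root __ROOT__;
    index index.php index.html;

    location ~ /\. { deny all; }   # .git, .env, .htpasswd ... are never served

    # phpMyAdmin: address restriction AND basic-auth gateway in front of its own login
    location ^~ /dbpma/ {
        allow 203.0.113.0/24;
        deny all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/pma_pass;
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/run/php-fpm/www.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    # Cockpit behind the proxy: HTTP/1.1 plus the Upgrade headers are needed for its websocket
    location /cockpit/ {
        allow 203.0.113.0/24;
        deny all;
        proxy_pass http://127.0.0.1:9090/cockpit/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        gzip off;
    }

    location ~ \.php$ {
        try_files $uri =404;   # without this, /uploads/pic.jpg/x.php can be executed as PHP (cgi.fix_pathinfo)
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location / { try_files $uri $uri/ =404; }
}
EOF
}

# write_cockpit_conf DOMAIN OUTFILE -> cockpit.conf for running behind the TLS-terminating proxy
write_cockpit_conf() {
    sed -e "s#__DOMAIN__#$1#g" > "$2" <<'EOF'
[WebService]
Origins = https://__DOMAIN__ wss://__DOMAIN__
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit
EOF
}

# vhost_check FILE -> 0 when every fastcgi_pass sits in a location that also has "try_files $uri =404"
vhost_check() {
    awk '
        /^[ \t]*location[ \t]/ { tf = 0 }
        /try_files[ \t]+\$uri[ \t]+=404/ { tf = 1 }
        /fastcgi_pass/ && !tf { printf "line %d: fastcgi_pass without try_files $uri =404\n", NR; bad = 1 }
        END { exit bad }
    ' "$1"
}

# demo -> 0 when the generated vhost passes and a copy with try_files stripped fails
demo() {
    dir=$(mktemp -d) || return 1
    write_vhost example.com /usr/share/nginx/example.com/html "$dir/example.com.conf"
    write_cockpit_conf example.com "$dir/cockpit.conf"
    vhost_check "$dir/example.com.conf" || return 1
    sed '/try_files \$uri =404;/d' "$dir/example.com.conf" > "$dir/weak.conf"   # the common copy-paste version
    vhost_check "$dir/weak.conf" >/dev/null && return 1
    rm -rf "$dir"
    echo "vhost generated and checked"
}
```

Install the result as /etc/nginx/sites-available/example.com.conf and /etc/cockpit/cockpit.conf, run `nginx -t`, then `systemctl reload nginx` and `systemctl restart cockpit.socket`. Because `AllowUnencrypted = true` and `ProtocolHeader` make Cockpit trust the proxy, port 9090 must not be reachable from outside: keep the cockpit service out of the firewalld zone, or restrict cockpit.socket to 127.0.0.1 with a systemd drop-in.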

Certbot setup (Examples)

certbot --nginx -d example.com -d www.example.com

certbot --nginx --agree-tos -d example.com -d www.example.com --email your-email-address

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --must-staple -d example.com -d www.example.com --email your-email-address   # --must-staple makes the certificate unusable whenever OCSP stapling is missing; Let's Encrypt has been retiring OCSP, so check the CA's current policy before using it

EDITOR=vim crontab -e

25 2 * * 0 /usr/bin/certbot renew --quiet # Every Sunday 2:25am (renew only acts within 30 days of expiry, so weekly is enough)

On Fedora/Rocky the certbot package ships a systemd timer that replaces the cron entry:

systemctl enable --now certbot-renew.timer