SETUP AND INSTALL WORDPRESS ON CENTOS 7 FROM SCRATCH (CENTOS 7, NGINX, PHP 7.1, PHP-FPM, MARIADB, NTP, WORDPRESS, SSH2, SSL, PHPMYADMIN, CACHING, FTP, TMPFS)

Let’s install a brand new Centos 7 Server along with needed database, web servers and WordPress.

PREREQUISITES

$ sudo yum update
$ sudo yum install net-tools yum-utils htop autoconf automake bind-utils wget curl unzip gcc-c++ pcre-devel zlib-devel libtool make nmap-netcat ntp pam-devel gd gd-devel perl-ExtUtils-Embed geoip-devel gperftools-devel

There is both public and local ip
$ ifconfig

eno16777728: flags=4163 mtu 1500
inet 50.201.93.40 netmask 255.255.255.224 broadcast 50.201.93.63
inet6 fe80::20c:29ff:fe5b:71b1 prefixlen 64 scopeid 0x20 ether 00:0c:29:5b:71:b1 txqueuelen 1000 (Ethernet)
RX packets 185681 bytes 258376736 (246.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 68659 bytes 5327288 (5.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Let’s check the network config file along with IPADDR, DNS1, DNS2, GATEWAY
$ sudo cat /etc/sysconfig/network-scripts/ifcfg-eno16777728

TYPE=”Ethernet”
BOOTPROTO=”none”
DEFROUTE=”yes”
IPV4_FAILURE_FATAL=”no”
IPV6INIT=”yes”
IPV6_AUTOCONF=”yes”
IPV6_DEFROUTE=”yes”
IPV6_FAILURE_FATAL=”no”
NAME=”eno16777728″
UUID=”8845f479-33a9-43d0-a292-84c4c9b281aa”
DEVICE=”eno16777728″
ONBOOT=”yes”
IPADDR=”50.201.93.40″
PREFIX=”27″
GATEWAY=”50.201.93.33″
DNS1=”50.201.93.34″
DNS2=”8.8.8.8″
IPV6_PEERDNS=”yes”
IPV6_PEERROUTES=”yes”
IPV6_PRIVACY=”no”

slow ssh login solution
$ sudo vi /etc/ssh/sshd_config

UseDNS=no

$ sudo systemctl restart sshd

Firewall Settings
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --add-service=mysql
$ sudo firewall-cmd --reload
$ sudo systemctl restart firewalld.service
$ sudo firewall-cmd --permanent --zone=public --list-sources
$ sudo iptables -L

update selinux
$ sudo vi /etc/sysconfig/selinux

SELINUX=permissive

$ sudo systemctl restart network

============================================================================

SETUP MARIADB REPO

select your OS to get the latest MariaDB repo
https://downloads.mariadb.org/mariadb/repositories
you can rename a similar name to MariaDB
$ sudo vi /etc/yum.repos.d/MariaDB.repo
copy paste this:

# MariaDB 10.2 CentOS repository list – created 2017-09-12 16:39 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

update yum
$ sudo yum update

to install mariadb
$ sudo yum install MariaDB-server MariaDB-client
to start mariadb
$ sudo systemctl start mysql
($ sudo /etc/init.d/mysql start)
to enable at startup
$ sudo systemctl enable mysql
run security script
$ sudo mysql_secure_installation
(username: root, password: blabla)
to check status of mariadb
$ sudo systemctl status mysql
to stop mariadb
$ sudo systemctl stop mysql
login database
$ sudo mysql -u root -p

MariaDB [(none)]> show databases;
mysql>exit;

main config file is here
$ sudo vi /etc/my.cnf.d/server.cnf

============================================================================

CONFIGURE NTP

We have Eastern Time, so we need to change it!
$ date

Tue Sep 12 12:44:02 EDT 2017

install ntp (network time protocol) server to synchronize time
$ sudo yum install ntp
first go to official http://www.pool.ntp.org/en/
choose your Continent area where the server physically is located, then search for your Country location
For United Sates:

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

go to ntp config file
$ sudo vi /etc/ntp.conf

Your date might not match
$ date

Fri Apr 1 08:26:59 CDT 2016

Uncomment initials:

#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst

copy paste this to the ntp.conf

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

let’s start ntp for the first time
$ sudo systemctl start ntpdate
$ sudo systemctl enable ntpdate
$ sudo systemctl status ntpdate
$ sudo systemctl restart ntpdate

Unfortunately, it still does not match?!
$ date

Tue Sep 12 12:51:39 EDT 2017

if date still not matching run this manually
$ sudo ntpdate us.pool.ntp.org

12 Sep 12:52:37 ntpdate[4405]: adjust time server 64.113.44.54 offset 0.000242 sec

one more thing we need to do. Check out the date-time, it’s still NewYork Eastern Time
$ timedatectl

Local time: Tue 2017-09-12 12:53:47 EDT
Universal time: Tue 2017-09-12 16:53:47 UTC
RTC time: Tue 2017-09-12 16:53:47
Time zone: America/New_York (EDT, -0400)
NTP enabled: no
NTP synchronized: no
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2017-03-12 01:59:59 EST
Sun 2017-03-12 03:00:00 EDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2017-11-05 01:59:59 EDT
Sun 2017-11-05 01:00:00 EST

Since NTP enabled is no above, you can enable it like this (it will ask for your root password)
$ sudo timedatectl set-ntp yes

then check out date-time again, upppss still same 😦
$ timedatectl

Local time: Tue 2017-09-12 12:54:49 EDT
Universal time: Tue 2017-09-12 16:54:49 UTC
RTC time: Tue 2017-09-12 16:54:49
Time zone: America/New_York (EDT, -0400)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2017-03-12 01:59:59 EST
Sun 2017-03-12 03:00:00 EDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2017-11-05 01:59:59 EDT
Sun 2017-11-05 01:00:00 EST

if you still see a different timezone
$ sudo timedatectl set-timezone America/Chicago

if you want to restart ntp, then you need to first unrelate ntp from timedatectl
$ sudo timedatectl set-ntp no
$ sudo systemctl restart ntpdate
$ sudo systemctl enable ntpdate
$ sudo ntpdate us.pool.ntp.org
$ sudo timedatectl set-ntp yes

make sure your timezone is also correct
(please follow http://www.putorius.net/2015/04/setting-time-and-date-in-red-hat-7.html to play with timedatectl command)
list all the timezones just for curiosity
$ timedatectl list-timezones

Finally!!!! Date looks now fine in Central Time
$ date

Tue Sep 12 11:58:00 CDT 2017

$ timedatectl

Local time: Tue 2017-09-12 11:58:58 CDT
Universal time: Tue 2017-09-12 16:58:58 UTC
RTC time: Tue 2017-09-12 16:58:58
Time zone: America/Chicago (CDT, -0500)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2017-03-12 01:59:59 CST
Sun 2017-03-12 03:00:00 CDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2017-11-05 01:59:59 CDT
Sun 2017-11-05 01:00:00 CST

============================================================================

INSTALL PHP7.1

Let’s first install epel-release and web static repository, then update repository
$ sudo yum install epel-release
$ sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
$ sudo yum update
$ sudo yum search php71w

if you see them, then install php7.1
$ sudo yum install php71w-bcmath php71w-cli mod_php71w php71w-common php71w-dba php71w-devel php71w-embedded php71w-enchant php71w-fpm php71w-gd php71w-imap php71w-interbase php71w-intl php71w-ldap php71w-mbstring php71w-mcrypt php71w-mysqlnd php71w-odbc php71w-opcache php71w-pdo php71w-pdo_dblib php71w-pear php71w-pecl-apcu php71w-pecl-apcu-devel php71w-pecl-geoip php71w-pecl-igbinary php71w-pecl-igbinary-devel php71w-pecl-imagick php71w-pecl-imagick-devel php71w-pecl-libsodium php71w-pecl-memcached php71w-pecl-mongodb php71w-pecl-redis php71w-pecl-xdebug php71w-pgsql php71w-phpdbg php71w-process php71w-pspell php71w-recode php71w-snmp php71w-soap php71w-tidy php71w-xml php71w-xmlrpc

check if php 7.1 installed
$ php -version

PHP 7.1.8 (cli) (built: Aug 9 2017 19:19:49) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.1.8, Copyright (c) 1999-2017, by Zend Technologies
with Xdebug v2.5.5, Copyright (c) 2002-2017, by Derick Rethans

upload max filesize
$ sudo vi /etc/php.ini

upload_max_filesize = 1024M
memory_limit = 2048M
post_max_size = 128M
max_input_vars = 5000
max_execution_time = 0
cgi.fix_pathinfo=0
allow_url_include = On

============================================================================

SSH2 SOLUTION FOR PHP7 ON CENTOS 7

First make sure you have gcc, php71w-devel, libssh2, libssh2-devel, wget and unzip packages installed
$ sudo yum install gcc php71w-devel libssh2 libssh2-devel wget unzip

go to opt folder
$ cd /opt/

download php7 branch source of php ssh2
$ sudo wget https://github.com/Sean-Der/pecl-networking-ssh2/archive/php7.zip
unzip and enter the folder
$ sudo unzip php7.zip
$ cd pecl-networking-ssh2-php7/

prepare build environment for this extension using phpize which will create the needed file and folder structure and configure file
$ sudo phpize

Configuring for:
PHP Api Version: 20160303
Zend Module Api No: 20160303
Zend Extension Api No: 320160303
check the configuration

$ sudo ./configure

…….

now make the extension, you should see build complete.
$ sudo make

…..
…..
Build complete.
Don’t forget to run ‘make test’.

finally install the extension
$ sudo make install

Installing shared extensions: /usr/lib64/php/modules/

put the extension manually
$ sudo vi /etc/php.d/ssh2.ini

extension=ssh2.so

restart web server and php-fpm
$ sudo systemctl restart nginx
$ sudo systemctl restart php-fpm

check php info, you’ll see the ssh2 module
$ php -i

ssh2

SSH2 support => enabled
extension version => 0.12+dev
libssh2 version => 1.4.3
banner => SSH-2.0-libssh2_1.4.3

or re-check php modules, you’ll see ssh2 module enabled
$ php -m

============================================================================

You can install nginx either from repo or manually.

INSTALL NGINX

When you search, you don’t see nginx
$ sudo yum search nginx
So after you install epel-release
$ sudo yum install epel-release
check it again, you’ll see the packages
$ sudo yum search nginx

let’s install nginx
$ sudo yum install nginx

nginx commands
$ sudo systemctl start nginx
$ sudo systemctl stop nginx
$ sudo systemctl restart nginx
$ sudo systemctl enable nginx
$ sudo systemctl status nginx

php-fpm commands
$ sudo systemctl start php-fpm
$ sudo systemctl stop php-fpm
$ sudo systemctl restart php-fpm
$ sudo systemctl status php-fpm

check it out, you should see the default nginx page

http://50.201.93.40/

============================================================================

INSTALL NGINX MANUALLY (PREFERRED)

let’s remove nginx completely if pre-installed
$ sudo systemctl stop nginx
$ sudo systemctl stop php-fpm
$ sudo yum remove nginx

install the development tools
$ sudo yum groupinstall "Development Tools”
$ sudo yum install pcre-devel zlib-devel openssl-devel

download latest version of nginx manually from http://nginx.org/download/
the purpose with source code is we want to compile ngx_cache_purge along together
$ cd /tmp/
$ sudo wget http://nginx.org/download/nginx-1.13.5.tar.gz
$ sudo wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz

nginx-1.13.5 and ngx_cache_purge-2.3 will be created
$ sudo tar -xzf nginx-1.13.5.tar.gz
$ sudo tar -xzf ngx_cache_purge-2.3.tar.gz
$ cd nginx-1.13.5
$ sudo ./configure --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-debug --with-http_stub_status_module --with-http_flv_module --with-http_ssl_module --with-http_dav_module --add-module=/tmp/ngx_cache_purge-2.3 --with-http_geoip_module --with-http_image_filter_module --with-http_gunzip_module --with-threads --with-file-aio --with-http_sub_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-http_degradation_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-google_perftools_module --with-cpp_test_module

make root
$ sudo su
$ make && make install

now let’s check it out
$ nginx -V

nginx version: nginx/1.13.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: –sbin-path=/usr/sbin –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –pid-path=/var/run/nginx.pid –lock-path=/var/lock/nginx.lock –http-log-path=/var/log/nginx/access.log –http-client-body-temp-path=/var/lib/nginx/body –http-proxy-temp-path=/var/lib/nginx/proxy –http-fastcgi-temp-path=/var/lib/nginx/fastcgi –with-debug –with-http_stub_status_module –with-http_flv_module –with-http_ssl_module –with-http_dav_module –with-ipv6 –add-module=/tmp/ngx_cache_purge-2.3

create the system file so that you can use the start, stop, enable and status commands
Source: https://www.nginx.com/resources/wiki/start/topics/examples/systemd/

$ vi /lib/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

check syntax
$ nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

enable and start nginx
$ sudo systemctl enable nginx
$ sudo systemctl start nginx

let’s check the ngx_cache_purge module again
$ nginx -V 2>&1 | grep ngx_cache_purge -o

ngx_cache_purge

============================================================================

NGINX AND PHP-FPM CONFIGURATIONS

PHP-FPM SETTINGS

let’s update php-fpm config
$ sudo vi /etc/php-fpm.d/www.conf

listen.mode = 0660
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
#listen = 127.0.0.1:9000
listen = /var/run/php-fpm/php-fpm.sock
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.max_requests = 500
pm.start_servers = 15
pm.min_spare_servers = 5
pm.max_spare_servers = 35
security.limit_extensions = .php .php3 .php4 .php5 .php7

NGINX SETTINGS

first create the wpnau folder (wordpress for nau), will use it later
$ sudo mkdir /usr/share/nginx/html/wpnau
then create the wpgls folder (wordpress for gls), will use it later
$ sudo mkdir /usr/share/nginx/html/wpgls
create cache folder, we’ll use it later for cache purposes
$ sudo mkdir /etc/nginx/cache
give full access
$ sudo chmod 777 /etc/nginx/cache
create a test page under wpnau, we’ll test this for cache purposes
$ sudo vi /usr/share/nginx/html/wpnau/time.php

create a test page under wpgls, we’ll test this for cache purposes
$ sudo vi /usr/share/nginx/html/wpgls/time.php

that’s the main nginx configuration file, no need to update, just check it out
$ sudo vi /etc/nginx/nginx.conf
#let’s store all config files here

include /etc/nginx/conf.d/*.conf;

============================================================================

SPLIT CONFIGS

retrieved from http://www.ehowstuff.com/setup-wordpress-nginx-with-fastcgi-caching-in-centos-7/
updated according to our needs. Splitting the configs makes it easier to read

let’s create the config files, first the create the most common configs
$ sudo vi /etc/nginx/conf.d/common.conf

# Global configuration file.
# ESSENTIAL : Configure Nginx Listening Port
listen 80;
# ESSENTIAL : Default file to serve. If the first file isn’t found,
index index.php index.html index.htm;
# ESSENTIAL : no favicon logs
location = /favicon.ico {
log_not_found off;
access_log off;
}
# ESSENTIAL : robots.txt
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# ESSENTIAL : Configure 404 Pages
error_page 404 /404.html;
# ESSENTIAL : Configure 50x Pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# SECURITY : Deny all attempts to access hidden files .abcde
location ~ /\. {
deny all;
}
# PERFORMANCE : Set expires headers for static files and turn off logging.
location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires 30d;
# expires max;
add_header Pragma no-cache;
add_header Cache-Control “public”;
}

then create the gzip config
$ sudo vi /etc/nginx/conf.d/gzip.conf

gzip on;
gzip_comp_level 6;
gzip_proxied any;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_disable “MSIE [1-6]\.(?!.*SV1)”;

gzip_types text/css text/x-component application/ecmascript application/json application/pdf application/javascript application/x-javascript text/javascript application/postscript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;

gzip_http_version 1.1;
gzip_vary on;

then create the fast-cgi and other option configs
$ sudo vi /etc/nginx/conf.d/option.conf

## FAST-CGI Configurations
fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=WPCACHE:1024m inactive=60m;
fastcgi_cache_key “$scheme$request_method$host$request_uri”;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
add_header X-Fastcgi-Cache $upstream_cache_status;

## Other server option
server_tokens off;
keepalive_requests 100000;
reset_timedout_connection on;
port_in_redirect off;
client_body_timeout 1460;
client_header_timeout 1460;
client_max_body_size 10m;
send_timeout 1460;

let’s create the main nau wordpress file
$ sudo vi /etc/nginx/conf.d/wordpress.conf

# WORDPRESS : Rewrite rules, sends everything through index.php and keeps the appended query string intact
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}

# SECURITY : Deny all attempts to access PHP Files in the uploads directory
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}

# REQUIREMENTS : Enable PHP Support
location ~ \.php$ {
# SECURITY : Zero day Exploit Protection
try_files $uri =404;

# ENABLE : Enable PHP, listen fpm sock
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_send_timeout 300s;
fastcgi_read_timeout 300s;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 512k;
fastcgi_buffers 1024 16k;
fastcgi_busy_buffers_size 1024k;
fastcgi_temp_file_write_size 1024k;
fastcgi_intercept_errors on;
##Added below for fastcgi_cache
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
fastcgi_cache WPCACHE;
fastcgi_cache_valid 200 60m;
fastcgi_cache_valid 404 60m;
fastcgi_max_temp_file_size 16m;
fastcgi_cache_use_stale updating;
fastcgi_cache_methods GET HEAD; # Only GET and HEAD methods apply
add_header X-Fastcgi-Cache $upstream_cache_status;
}

# Deny access to .php files in the /wp-content/ directory (including sub-folders)
location ~* ^/wp-content/.*.(php|phps)$ {
deny all;
}

#added by Mehmet Sen
location ~ /purge(/.*) {
fastcgi_cache_purge WPCACHE “$scheme$request_method$host$1”;
}

## Block SQL injections
location ~* union.*select.*\( {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* union.*all.*select.* {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* concat.*\( {access_log /var/log/nginx/*.*.log blocked; deny all;}
#
### Block common exploits
#disabled by Mehmet Sen because it was giving invalid number of arguments error
#location ~* (|%3E) {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* base64_(en|de)code\(.*\) {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* (%24&x) {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* \.\.\/ {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* ~$ {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* proc/self/environ {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* /\.(htaccess|htpasswd|svn) {access_log /var/log/nginx/*.*.log blocked; deny all;}
#
### Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ {access_log /var/log/nginx/*.*.log blocked; deny all;}
#
### wordpress security
location ~* wp-config.php {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* wp-admin/includes {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* wp-admin/setup-config.php {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* wp-app\.log {access_log /var/log/nginx/*.*.log blocked; deny all;}
location ~* (licence|readme|license)\.(html|txt) {access_log /var/log/nginx/*.*.log blocked; deny all;}

# PLUGINS : Enable Rewrite Rules for Yoast SEO SiteMap
rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ “/index.php?xml_sitemap=params=$2” last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ “/index.php?xml_sitemap=params=$2;zip=true” last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ “/index.php?xml_sitemap=params=$2;html=true” last;

configure Cache Exceptions
$ sudo vi /etc/nginx/conf.d/fastcgi_no_cache.conf

set $no_cache 0;

# POST requests and URLs with a query string should always go to PHP
if ($request_method = POST) {
set $no_cache 1;
}

if ($query_string != “”) {
set $no_cache 1;
}

# Don’t cache URIs containing the following segments
if ($request_uri ~* “/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php
|sitemap(_index)?.xml”) {
set $no_cache 1;
}

# Don’t use the cache for logged-in users or recent commenters
if ($http_cookie ~* “comment_author|wordpress_[a-f0-9]+|wp-postpass
|wordpress_no_cache|wordpress_logged_in”) {
set $no_cache 1;
}

The application config files, remember we have 2 wordpress sites!

nau config
$ sudo vi /etc/nginx/conf.d/wpnau.conf

server {
listen 80;
server_name na.edu;
rewrite ^/(.*)$ http://www.na.edu/$1 permanent;
}

server {
server_name http://www.na.edu;
root /usr/share/nginx/html/wpnau;
access_log /var/log/nginx/wpnau.access.log;
error_log /var/log/nginx/wpnau.log;

#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
include /etc/nginx/conf.d/fastcgi_no_cache.conf;
}

gls config
$ sudo vi /etc/nginx/conf.d/wpgls.conf

server {
listen 80;
server_name gls.edu;
rewrite ^/(.*)$ http://www.gls.edu/$1 permanent;
}

server {
server_name http://www.gls.edu;
root /usr/share/nginx/html/wpgls;
access_log /var/log/nginx/wpgls.access.log;
error_log /var/log/nginx/wpgls.log;
#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
include /etc/nginx/conf.d/fastcgi_no_cache.conf;
}

the main nginx config file, delete any server block, we’ll create it ourself
and also realize that the user is ‘nginx’ here which we’ll set the same ‘nginx’ user to phpmyadmin later as well
$ sudo vi /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;
#added by Mehmet Sen
log_format blocked ‘$time_local: Blocked request from $remote_addr $request’;
access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
#updated to 1300 by Mehmet Sen
keepalive_timeout 1300;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
# disabled by Mehmet Sen
# include /etc/nginx/conf.d/*.conf;

######## added by Mehmet Sen
include /etc/nginx/conf.d/gzip.conf;

#FastCGI Cache and other configuration options
include /etc/nginx/conf.d/option.conf;

# default worpress entry page
include /etc/nginx/conf.d/default.conf;

# nau wordpress config file
include /etc/nginx/conf.d/wpnau.conf;

# gls wordpress config file
include /etc/nginx/conf.d/wpgls.conf;
##########
}

verify syntax
$ sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

restart nginx and php-fpm
$ sudo systemctl restart nginx
$ sudo systemctl restart php-fpm

============================================================================

INSTALL PHPMYADMIN

Search first for phpmyadmin, if you don’t see it then install epel-release first.
$ sudo yum search phpmyadmin
To install phpMyAdmin easily on CentOS 7, first install extra packages for enterprise linux (epel)
$ sudo yum install epel-release
finally install phpMyAdmin
$ sudo yum install phpMyAdmin
create the symlink named “puma” of phpmyadmin
$ sudo ln -s /usr/share/phpMyAdmin/ /usr/share/nginx/html/default/pma
check it out
$ ls -l /usr/share/nginx/html/

….
lrwxrwxrwx. 1 root root 22 Sep 13 15:07 phpmyadmin -> /usr/share/phpMyAdmin/
….

fix session and blowfish_secret problem on phpmyadmin login page
$ sudo chown -R root:nginx /var/lib/php/session
$ sudo chown -R root:nginx /etc/phpMyAdmin/

restart nginx and php-fpm
$ sudo systemctl restart php-fpm
$ sudo systemctl restart nginx

create a default config
$ sudo vi /etc/nginx/conf.d/default.conf

server {

listen 80 default_server;
listen [::]:80 default_server;
server_name wordpress.na.edu;
root /usr/share/nginx/html/default;
index index.php index.html index.htm;

location / {
try_files $uri $uri/ index.html index.php =404;
}

error_page 404 /404.html;
location /40x.html {
root /usr/share/nginx/html/default;
}
error_page 500 502 503 504 /50x.html;
location /50x.html {
root /usr/share/nginx/html/default;
}

location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

#phpmyadmin
location /pma {
alias /usr/share/phpMyAdmin;
index index.php;
}

access_log /var/log/nginx/default.access.log;
error_log /var/log/nginx/default.log;
}

let’s put one more security layer on before phpmyadmin login page, type Nau@blabla
$ sudo openssl passwd
Password:
Verifying – Password:
Warning: truncating password to 8 characters
zRaBVt.gAB6ok

create the authentication file along with username and generated password above
$ sudo vi /etc/nginx/pma_pass
admin:zRaBVt.gAB6ok

now go back to default config file and update accordingly
$ sudo vi /etc/nginx/conf.d/default.conf

server {

listen 80 default_server;
listen [::]:80 default_server;
server_name wordpress.na.edu;
root /usr/share/nginx/html/default;
index index.php index.html index.htm;

location / {
try_files $uri $uri/ index.html index.php =404;
}

error_page 404 /404.html;
location /40x.html {
root /usr/share/nginx/html/default;
}
error_page 500 502 503 504 /50x.html;
location /50x.html {
root /usr/share/nginx/html/default;
}

location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

#phpmyadmin
location /pma {
alias /usr/share/phpMyAdmin;
index index.php;
auth_basic “Admin Login”;
auth_basic_user_file /etc/nginx/pma_pass;

}

access_log /var/log/nginx/default.access.log;
error_log /var/log/nginx/default.log;
}

restart nginx
$ sudo systemctl restart nginx

now try url again, it will require authentication username and password!
http://wordpress.na.edu/pma (‘admin’ and ‘Nau@blabla’)

Go and create a new database ‘wp_nau’ and ‘wp_gls’ along with new user and password, give it all privileges on each database at localhost
user: usrwp, passw: Nau@blabla

============================================================================

TEST CACHE ON GLS

to test the cache on gls first update the gls config
$ sudo vi /etc/nginx/conf.d/wpgls.conf

server {
listen 80;
server_name gls.edu;
rewrite ^/(.*)$ http://www.gls.edu/$1 permanent;
}

server {
server_name http://www.gls.edu;
root /usr/share/nginx/html/wpgls;
access_log /var/log/nginx/wpgls.access.log;
error_log /var/log/nginx/wpgls.log;
#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
#include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
#include /etc/nginx/conf.d/fastcgi_no_cache.conf;

location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
}
}

create a time.php file
$ sudo vi /usr/share/nginx/html/wpgls/time.php

restart nginx and php-fpm
$ sudo systemctl restart php-fpm
$ sudo systemctl restart nginx

now go to the gls page and refresh it many times, you’ll see different results
http://www.gls.edu/time.php

1505410696
1505410727
1505410737
1505410747
1505410764

change the gls config back to its original format where the fastcgi cache is enabled
$ sudo vi /etc/nginx/conf.d/wpgls.conf

server {
listen 80;
server_name gls.edu;
rewrite ^/(.*)$ http://www.gls.edu/$1 permanent;
}

server {
server_name http://www.gls.edu;
root /usr/share/nginx/html/wpgls;
access_log /var/log/nginx/wpgls.access.log;
error_log /var/log/nginx/wpgls.log;
#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
include /etc/nginx/conf.d/fastcgi_no_cache.conf;
}

restart nginx and php-fpm
$ sudo systemctl restart php-fpm
$ sudo systemctl restart nginx

now go again to the gls page and refresh it many times, you’ll see only one result on each refresh, try from another browser you’ll see the same result

http://www.gls.edu/time.php
1505411049

the pages and other files will be cached here
$ sudo ls /etc/nginx/cache/

============================================================================

ANOTHER CACHE TEST METHOD

$ curl -X GET -I http://www.gls.edu

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 18 Sep 2017 17:28:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: ; rel=”https://api.w.org/”
X-Fastcgi-Cache: HIT

============================================================================

INSTALL WORDPRESS

finally, let’s install wordpress, first go to the opt folder
$ cd /opt/
download the latest version
$ sudo wget http://wordpress.org/latest.tar.gz
extract the archived files
$ sudo tar xzvf latest.tar.gz
make sure the gls root folder is empty, if not clean it
$ sudo rm -R /usr/share/nginx/html/wpgls/*
then move the wordpress files to the gls root folder
$ sudo rsync -avP wordpress/ /usr/share/nginx/html/wpgls/
create an upload directory
$ sudo mkdir /usr/share/nginx/html/wpgls/wp-content/uploads
give the right permission to the files
$ sudo chown -R root:nginx /usr/share/nginx/html/*
go to the gls root folder
$ sudo cd /usr/share/nginx/html/wpgls/
copy the config file from the sample file
$ sudo cp wp-config-sample.php wp-config.php
confgure wordpress
$ sudo vi wp-config.php

// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘wp_gls’);
/** MySQL database username */
define(‘DB_USER’, ‘dbusername’);
/** MySQL database password */
define(‘DB_PASSWORD’, ‘dbpassword’);
/** MySQL hostname */
define(‘DB_HOST’, ‘localhost’);

give the right permissions
$ sudo chmod 755 -R /usr/share/nginx/html/wpgls/
$ sudo chown -R nginx:nginx /usr/share/nginx/html/wpgls/

now go to the gls.edu, you’ll see the welcome page along with admin form, fill it out and click Install WordPress button
It will create the tables and show you a login button page, click Log In
After you login, it will take a little while and then you are in!!!

YEEEEYYYYYY!!!

But we are not finished yet!!!

============================================================================

UPDATE CURL

check curl version
$ curl -V

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

update curl
$ sudo yum update curl.86_64

if no new version create a new repository
$ sudo vi /etc/yum.repos.d/city-fan.repo

[CityFan]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basearch/
enabled=1
gpgcheck=0

enable EPEL repository
$ sudo yum install epel-release
rerun the updater
$ sudo yum update curl.86_64

============================================================================

CONFIGURE FTP USER FOR GLS

update yum repo
$ sudo yum update
install ftp
$ sudo yum install vsftpd
allow_writeable_chroot=YES is added manually
$ sudo vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
ascii_upload_enable=YES
ascii_download_enable=YES
write_enable=YES
local_enable=YES
chroot_local_user=YES
ftpd_banner=Welcome to blah FTP service.
allow_writeable_chroot=YES

$ sudo systemctl restart vsftpd
$ sudo systemctl enable vsftpd
$ sudo firewall-cmd --permanent --add-port=21/tcp
$ sudo firewall-cmd --permanent --add-service=ftp
$ sudo firewall-cmd --reload

$ sudo yum provides \*/bin/ftp

add new user
$ sudo useradd glsftp
$ sudo passwd glsftp

Changing password for user glsftp.
New password: blabla
Retype new password: blabla

make user writeable
$ sudo chmod a-w /home/glsftp/
$ sudo systemctl restart vsftpd

allow user to access home directory
$ sudo setsebool -P ftp_home_dir on

test ftp account
use any sftp client such as Filezilla

Host: 50.201.93.40
username: glsftp
password: blabla
Port: 22

============================================================================

INSTALL SSL FOR GLS

first install openssl
$ sudo yum install openssl
$ sudo yum install openssl-devel pcre-devel

allow ssl port 443
$ sudo firewall-cmd --permanent --add-port=443/tcp
$ sudo firewall-cmd —reload
$ sudo iptables -L

go to certification folder
$ cd /etc/pki/tls/certs/

create the key file
$ sudo openssl genrsa -out server.key 2048
create the csr file
$ sudo openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TEXAS
Locality Name (eg, city) [Default City]:STAFFORD
Organization Name (eg, company) [Default Company Ltd]:GULF LANGUAGE SCHOOL
Organizational Unit Name (eg, section) []:GLS
Common Name (eg, your name or your server’s hostname) []:gls.edu
Email Address []:msen@na.edu

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

now verify the car file
$ openssl req -text -noout -verify -in server.csr

After that, I bought a 3 year Standard SSL Certificate from Godaddy and copy pasted the server.csr content to godaddy to get the crt file

Godaddy sent me this Unique ID along with instructions how to verify https://www.godaddy.com/help/verify-domain-ownership-html-or-dns-7452
7ugkvkgldci3nph75535hgneem

to verify through HTML Page create the directories godaddy requested from you
$ sudo mkdir /usr/share/nginx/html/wpgls/.well-known
$ sudo mkdir /usr/share/nginx/html/wpgls/.well-known/pki-validation
copy paste the unique id
$ sudo vi /usr/share/nginx/html/wpgls/.well-known/pki-validation/godaddy.html

7ugkvkgldci3nph75535hgneem

change gls nginx config so that ssl can find gls.edu
$ sudo vi /etc/nginx/conf.d/wpgls.conf

server {
listen 80;
server_name http://www.gls.edu;

# $scheme will get the http protocol
# and 301 is best practice for tablet, phone, desktop and seo
return 301 $scheme://gls.edu$request_uri;
}

server {
server_name gls.edu;

root /usr/share/nginx/html/wpgls;

access_log /var/log/nginx/wpgls.access.log;
error_log /var/log/nginx/wpgls.log;

#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
include /etc/nginx/conf.d/fastcgi_no_cache.conf;
}

check and restart nginx
$ sudo nginx -t
$ sudo systemctl restart nginx

now disable the block temporarily
$ sudo vi /etc/nginx/conf.d/common.conf

#location ~ /\. {
# deny all;
#}

then go to this link, you should be able to see it. (the http://www.gls.edu would not work if we didn’t change the above wpgls.conf file)
http://gls.edu/.well-known/pki-validation/godaddy.html

go back to the godaddy Certificate Request Verification page and click Check My Update, you should see a green validation response that says
We have verified your domain. Please allow 5-10 minutes for this to take affect.

You’ll also get a verification email along with downloadable crt link
https://certs.godaddy.com/home.pki?AccountUid=60686aa7-9d88-11e7-80fd-3417ebe60eb6

Certificate Details
Less info
Status
Certificate issued (Revoke)
Domain name gls.edu
Encryption Strength Starfield SHA-2
Validity Period 9/19/2017 – 9/19/2020
Serial Number a7:b5:dd:5a:38:e1:5f:9b

Click Download
Download gls.edu.zip file to your computer, you’ll see 2 crt files;
a7b5dd5a38e15f9b.crt
sfig2_bundle.crt
ftp the first a7b5dd5a38e15f9b.crt to the server’s
/etc/pki/tls/certs with FileZilla
give the same ownership as others in certs folder
$ sudo chown root:root a7b5dd5a38e15f9b.crt

now this step is important, create the pem file
$ sudo bash -c 'cat a7b5dd5a38e15f9b.crt server.key > gls.pem'

after creating the gls.pem file, re-update the wpgls.config file
$ sudo vi /etc/nginx/conf.d/wpgls.conf

server {
listen 80;
server_name http://www.gls.edu;
rewrite ^ https://$host$request_uri? permanent;
}

server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/pki/tls/certs/gls.pem;
ssl_certificate_key /etc/pki/tls/certs/server.key;
server_name gls.edu;

root /usr/share/nginx/html/wpgls;

access_log /var/log/nginx/wpgls.access.log;
error_log /var/log/nginx/wpgls.log;

#include config files
include /etc/nginx/conf.d/common.conf;
#nginx for WordPress and security
include /etc/nginx/conf.d/wordpress.conf;
#Configure Nginx Fast-CGI Cache Exceptions
include /etc/nginx/conf.d/fastcgi_no_cache.conf;
}

don’t forget to enable this line
$ sudo vi /etc/nginx/conf.d/common.conf

location ~ /\. {
deny all;
}

restart nginx and php-fpm
$ sudo systemctl restart nginx
$ sudo systemctl restart php-fpm

============================================================================

GLS CloudFlare Account

We purchased Pro Version $20/mo, follow the CloudFlare Instructions and make sure there is no other dns server pointing your ip

============================================================================

INSTALL TMPFS

first check it out
$ sudo df -h

/dev/mapper/centos-root 50G 3.5G 47G 7% /
devtmpfs 7.8G 0 7.8G 0% /dev
tmpfs 7.8G 0 7.8G 0% /dev/shm
tmpfs 7.8G 425M 7.4G 6% /run
tmpfs 7.8G 0 7.8G 0% /sys/fs/cgroup
/dev/mapper/centos-home 42G 33M 42G 1% /home
/dev/sda1 497M 181M 317M 37% /boot
tmpfs 1.6G 0 1.6G 0% /run/user/1000
tmpfs 1.6G 0 1.6G 0% /run/user/1001

mount the nginx cache directory with 6Gig RAM size, tmpfs filesystem is created to serve Nignx cache from RAM
$ sudo mount -t tmpfs -o size=6G tmpfs /etc/nginx/cache

check it out
$ sudo df -ah | grep tmpfs

tmpfs 6.0G 0 6.0G 0% /etc/nginx/cache

configure the nginx cache directory to be created into RAM automatically after reboot
$ sudo vi /etc/fstab

tmpfs /etc/nginx/cache tmpfs defaults,size=6G 0 0

restart nginx and php-fpm
$ sudo systemctl restart nginx
$ sudo systemctl restart php-fpm

Advertisements