Nginx, Php-fpm, MariaDB on CentOS 7

February 27, 2017 (Linux)

I use CentOS 7 for a web server; my steps are below. This setup was done on an online VPS provider, so some steps may be missing if you are building on a local server.

 

CentOS 7 x86_64 minimal install.

As soon as the server has booted up, it is time to start the setup.

 

Create a new user, since we will lock down root access later.

# passwd
# useradd username
# passwd username

 

Hostname

# hostnamectl set-hostname servername+domain

 

Set up the timezone

# timedatectl set-timezone America/Toronto

 

DNS server setup. Add or change these entries in the interface config file.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=8.8.8.8
DNS2=8.8.4.4

I like to remove some kernel packages and software I don't need, update the system, and install a few utilities.

# yum remove kernel-headers kernel-tools kernel-tools-libs wpa_supplicant
# yum update
# yum install nano bash-completion net-tools wget curl lsof yum-utils deltarpm iptables-services rsync

 

Set up some system limits.

# vi /etc/security/limits.conf
* hard core 0
* soft nofile 65535
* hard nofile 65535

 

Set up some more system settings (kernel parameters).

# vi /etc/sysctl.conf
###
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

### IMPROVE SYSTEM MEMORY MANAGEMENT ###
# Increase size of file handles and inode cache
fs.file-max = 2097152

### GENERAL NETWORK SECURITY OPTIONS ###
# Number of SYN-ACK retransmissions for a passive TCP connection
net.ipv4.tcp_synack_retries = 2

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

# Protect Against TCP Time-Wait
net.ipv4.tcp_rfc1337 = 1

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_fin_timeout = 30

### TUNING NETWORK PERFORMANCE ###
# Default Socket Receive Buffer
net.core.rmem_default = 31457280

# Maximum Socket Receive Buffer
net.core.rmem_max = 16777216

# Default Socket Send Buffer
net.core.wmem_default = 31457280

# Maximum Socket Send Buffer
net.core.wmem_max = 16777216

# Increase number of incoming connections
#net.core.somaxconn = 65536

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

# Increase the TCP time-wait bucket pool size to help against simple DoS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# http://www.blackmoreops.com/2014/09/22/linux-kernel-panic-issue-fix-hung_task_timeout_secs-blocked-120-seconds-problem/
vm.vfs_cache_pressure = 50
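A check I add here, not part of the original post, to confirm the file actually took effect after running sysctl -p: it reads a sysctl.conf-style file, asks the kernel for each key and reports every value that differs. The names sysctl_live, norm and sysctl_drift are mine; the reader command is a parameter so the check can be exercised against a fake reader as well as the live sysctl -n.

```shell
#!/bin/sh
# Compare the values in a sysctl.conf-style file with what the running kernel
# reports: one line per mismatch, exit status 1 when anything has drifted.
# Added example for this post, not the author's code. The second argument is
# the command used to read a live value (sysctl -n by default); it is a
# parameter so the check can also be run against a fake reader.

# Live reader: print the current value of one key.
sysctl_live() {
    sysctl -n "$1"
}

# Normalise whitespace so "65536 131072 262144" in the file compares equal to
# the tab-separated form the kernel prints: trim the ends, collapse runs.
norm() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# sysctl_drift FILE [READER]
sysctl_drift() {
    file=$1
    reader=${2:-sysctl_live}
    # Skip comment and blank lines, split each remaining line at the first
    # '=' (the file mixes "key = value" and "key=value"), then compare.
    # The while loop runs in a subshell, so mismatches are collected via stdout.
    out=$(grep -v '^[[:space:]]*#' "$file" | grep '=' | while IFS= read -r line; do
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        # a key the running kernel does not expose reads back as empty
        have=$(norm "$("$reader" "$key" 2>/dev/null)")
        if [ "$want" != "$have" ]; then
            printf '%s: want [%s] have [%s]\n' "$key" "$want" "$have"
        fi
    done)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Stand-alone use: sh sysctl_drift.sh /etc/sysctl.conf
if [ $# -ge 1 ]; then
    sysctl_drift "$1"
fi
```

Run it as root right after sysctl -p; a non-zero exit with the key list tells you which lines were rejected or overridden by a later file in /etc/sysctl.d/.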

Iptables setup with some basic settings.

# systemctl disable firewalld
# systemctl stop firewalld
# systemctl enable iptables
# service iptables start
# vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
## Block the most common attacks
# Blocking invalid packets
-A INPUT -m state --state INVALID -j DROP
# Blocking null packets.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Next pattern to reject is a syn-flood attack.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Next pattern to reject is XMAS packets, also a recon packet.
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
#
-A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j ACCEPT
COMMIT

Load the rules from the file (the service was started before the file was edited, so it has not picked them up yet):

# systemctl restart iptables

 

ip6tables basic configuration for IPv6.

# systemctl enable ip6tables
# service ip6tables start
# vi /etc/sysconfig/ip6tables
# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Load the IPv6 rules from the file:

# systemctl restart ip6tables
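After the IPv4 and IPv6 rules above are loaded, a quick audit of what the INPUT chain lets in is worth having. The script below is an added example, not from the original post: it parses iptables-save style text, lists the protocol/port pairs INPUT accepts, and checks that the chain ends in an unconditional DROP or REJECT, because a rule appended after that final rule is unreachable and without it the chain falls through to the ACCEPT policy on the ":INPUT ACCEPT" line. RULES is a constructed copy of the post's IPv4 rules so the script runs without root; on the live box pass the output of iptables-save or ip6tables-save instead. The function names are my own.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset: which ports does INPUT accept, and
# does the chain end in an unconditional DROP or REJECT? Added example for
# this post, not the author's code. RULES is a constructed copy of the post's
# IPv4 ruleset; live use: audit_ruleset "$(iptables-save)" (needs root).

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j ACCEPT
COMMIT'

# Space-separated, sorted list of proto/port pairs that INPUT rules accept.
# Only rules carrying --dport are listed; ICMP and state-only rules are not.
accepted_input_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True when the last rule appended to INPUT drops or rejects everything else.
input_has_final_deny() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { last = $0 }
        END { if (last ~ /^-A INPUT -j (DROP|REJECT)( |$)/) exit 0; exit 1 }'
}

# Print a short summary; return 1 when the chain is open-ended.
audit_ruleset() {
    printf 'accepted ports: %s\n' "$(accepted_input_ports "$1")"
    if input_has_final_deny "$1"; then
        echo 'INPUT ends with DROP/REJECT: ok'
    else
        echo 'INPUT does not end with DROP/REJECT: the ACCEPT policy applies'
        return 1
    fi
}

audit_ruleset "$RULES"
```

For the post's IPv4 rules this prints "accepted ports: tcp/22 tcp/443 tcp/80" and reports the final DROP; for the IPv6 file it lists tcp/22 and udp/546 and accepts the REJECT as the final deny. The dport list is what a reviewer should compare against the services the box is actually meant to expose.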

 

Adding some package repos: EPEL, Remi and nginx.

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
# cd /etc/yum.repos.d/
# vi nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
# verify package signatures with the nginx signing key instead of gpgcheck=0
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

 

Run Yum to update packages

# yum update

 

Let's install and set up Nginx.

# yum install nginx
# systemctl enable nginx
# systemctl start nginx.service
# systemctl status nginx.service

 

Let's now set up Php-fpm 7.1. Enable the remi-php71 repository by setting enabled=1 in its section of the repo file.

# cd /etc/yum.repos.d/
# vi remi-php71.repo
[remi-php71]
enabled=1

Install Php-fpm

# yum install php71-php-cli php71-php-fpm php71-php-common php71-php-gd php71-php-mbstring php71-php-mcrypt php71-php-mysql php71-php-pdo php71-php-xmlrpc php71-php-soap php71-php-pecl-lzf

Start Php-fpm

# systemctl enable php71-php-fpm
# systemctl start php71-php-fpm

 

MariaDB (MySQL) install and basic setup.

# vi /etc/yum.repos.d/MariaDB.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
# yum update
# yum install MariaDB-server MariaDB-client
# systemctl enable mariadb
# systemctl start mariadb

 

Connect Php-fpm and Nginx together.

# vi /etc/nginx/conf.d/domainname.conf

#
# A virtual host using mix of IP-, name-, and port-based configuration
#

server {
    server_name www.domainname.com domainname.com;
    root /usr/share/nginx/html/domainname;
    access_log off;
    #access_log /usr/share/nginx/html/log/domainname.local-access.log;
    error_log /usr/share/nginx/html/log/domainname.local-error.log crit;

    location / {
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    }

    # Do not allow access to dotfiles or to files giving away your WordPress version
    location ~ /(\.|wp-config.php|readme.html|license.txt) {
        return 404;
    }

    # Don't log robots.txt requests
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Rewrite for versioned CSS+JS via filemtime
    location ~* ^.+\.(css|js)$ {
        rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
    }

    # Aggressive caching for static files
    # If you alter static files often, please use
    # add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31536000s;
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        # Only hand requests for files that exist to PHP; this guards against
        # path-info handling executing an upload as a script when cgi.fix_pathinfo is on
        try_files $uri =404;
        # include /etc/nginx/fastcgi_params;
        include /etc/nginx/fastcgi.conf;
        # php71-php-fpm from Remi listens on TCP 9000 by default
        # (listen = 127.0.0.1:9000 in /etc/opt/remi/php71/php-fpm.d/www.conf);
        # the old /tmp/php5-fpm.sock path does not exist on this install
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
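The most common reason the PHP location returns 502 is that nginx's fastcgi_pass and php-fpm's listen directive disagree. The script below is an added example, not from the original post, that extracts both settings and compares them. The default paths in the comments, /etc/opt/remi/php71/php-fpm.d/www.conf for the Remi php71 pool and /etc/nginx/conf.d/domainname.conf from this page, are assumptions about where the files sit on this install; the function names are my own.

```shell
#!/bin/sh
# Check that nginx's fastcgi_pass points at the address php-fpm actually
# listens on. Added example, not part of the original post. Assumed paths:
#   php-fpm pool: /etc/opt/remi/php71/php-fpm.d/www.conf
#   nginx vhost:  /etc/nginx/conf.d/domainname.conf
# Usage: sh fastcgi_check.sh POOL_FILE VHOST_FILE

# Print the normalised listen target from a php-fpm pool file: a host:port
# stays as is, a socket path gets the "unix:" prefix nginx uses.
fpm_listen() {
    v=$(sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//')
    case "$v" in
        /*) printf 'unix:%s\n' "$v" ;;
        *)  printf '%s\n' "$v" ;;
    esac
}

# Print the first uncommented fastcgi_pass target from an nginx config.
nginx_fastcgi_pass() {
    sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Exit 0 when both sides agree, 1 with a diagnostic on stderr when they don't.
# Comparison is textual: 127.0.0.1:9000 and localhost:9000 are reported as
# different even though both would connect.
fastcgi_matches() {
    want=$(fpm_listen "$1")
    have=$(nginx_fastcgi_pass "$2")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        return 0
    fi
    printf 'mismatch: php-fpm listens on [%s], nginx passes to [%s]\n' \
        "$want" "$have" >&2
    return 1
}

if [ $# -eq 2 ]; then
    fastcgi_matches "$1" "$2"
fi
```

Run it before nginx -t whenever either file changes; a mismatch here shows up in the browser as 502 and in the nginx error log as a connect failure to the wrong socket or port.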

 

Check that there aren't any errors in the nginx configuration.

# nginx -t

 

Restart Nginx

# systemctl restart nginx.service

 

You should now have a CentOS 7 web server with Nginx, Php-fpm and MariaDB up and running.

 
