Nginx, Php-fpm, MariaDB on CentOS 7

February 27, 2017

Using CentOS 7 for a web server; my steps are below. This setup was done on an online VPS provider, so of course some steps may be missing if you are building on a local server.


CentOS 7 x86_64 minimal install.

As soon as the server has booted, it is time to start the setup.


Create a new user, as we will lock down root access later.

# passwd
# useradd username
# passwd username



# hostnamectl set-hostname servername+domain


Set up the timezone

# timedatectl set-timezone America/Toronto


DNS server setup. Add or change the entries in this file.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0


I like to remove some kernel packages and software I don't need, and then update the system.

# yum remove kernel-headers kernel-tools kernel-tools-libs wpa_supplicant
# yum update
# yum install nano bash-completion net-tools wget curl lsof yum-utils deltarpm iptables-services rsync


Set up some system limits.

# vi /etc/security/limits.conf
* hard core 0
* soft nofile 65535
* hard nofile 65535


Set up some more system settings (kernel sysctl).

# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# Increase size of file handles and inode cache
fs.file-max = 2097152

# Number of times SYNACKs for passive TCP connection.
net.ipv4.tcp_synack_retries = 2

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

# Protect Against TCP Time-Wait
net.ipv4.tcp_rfc1337 = 1

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_fin_timeout = 30

# Default Socket Receive Buffer
net.core.rmem_default = 31457280

# Maximum Socket Receive Buffer

# Default Socket Send Buffer
net.core.wmem_default = 31457280

# Maximum Socket Send Buffer

# Increase number of incoming connections
#net.core.somaxconn = 65536

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

vm.vfs_cache_pressure = 50
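Added check, not part of the original post: after loading the file with sysctl -p, this script reads the same file back and compares every key with what the running kernel reports, so a typo, a key this kernel does not have (net.ipv4.tcp_tw_recycle, for instance, was removed in Linux 4.12) or a value the kernel clamped shows up as DRIFT or UNKNOWN instead of going unnoticed. The sample file and the SYSCTL_READ hook are my assumptions.

```shell
#!/bin/sh
# Compare a sysctl.conf-style file with what the running kernel reports, so
# you can see which of the settings above actually applied after "sysctl -p".
# Keys the kernel does not know (net.ipv4.tcp_tw_recycle, for example, was
# removed in Linux 4.12) are reported as UNKNOWN instead of silently skipped.

# Emit "key=value" lines: drop comments and blanks, and collapse the whitespace
# sysctl tolerates around "=" and between the numbers of multi-value keys.
parse_sysctl_conf() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]][[:space:]]*/ /g' "$1"
}

# Read one live value. SYSCTL_READ can be pointed at a stub for offline tests.
SYSCTL_READ=${SYSCTL_READ:-"sysctl -n"}
live_value() { $SYSCTL_READ "$1" 2>/dev/null | tr -s '\t ' ' '; }

# Print one line per setting: OK, DRIFT (with both values) or UNKNOWN.
check_sysctl_drift() {
  parse_sysctl_conf "$1" | while IFS='=' read -r key want; do
    have=$(live_value "$key")
    if [ -z "$have" ]; then echo "UNKNOWN $key"
    elif [ "$have" = "$want" ]; then echo "OK $key"
    else echo "DRIFT $key want=$want have=$have"
    fi
  done
}

# Constructed excerpt of the settings above, written to a temp file.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.tcp_tw_recycle = 1
EOF
check_sysctl_drift "$SAMPLE"
```

Run it as root against the real file (for example check_sysctl_drift /etc/sysctl.conf) after sysctl -p; on a host without sysctl every key is reported UNKNOWN.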


Iptables setup with some basic settings.

# systemctl enable iptables
# vi /etc/sysconfig/iptables
# service iptables start
# systemctl disable firewalld

## Block the most common attacks
# Blocking invalid packets
-A INPUT -m state --state INVALID -j DROP
# Blocking null packets.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Next pattern to reject is a syn-flood attack.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Next pattern to reject is XMAS packets, also a recon packet.
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP


Basic iptables configuration for IPv6 (ip6tables).

# systemctl enable ip6tables
# vi /etc/sysconfig/ip6tables
# service ip6tables start


# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
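Added example, not from the original post: a small lint for iptables-save style files such as /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. It flags an option left without its argument (the -s in the port 443, 80 and 22 rules above has no address after it, so the file would not load), a missing *filter/COMMIT frame, and an INPUT chain whose default policy is not DROP. The two sample rule files are constructed.

```shell
#!/bin/sh
# Lint an iptables-save style file such as /etc/sysconfig/iptables. Reports an
# option with no argument (e.g. "-s --dport 443": the address after -s is
# missing), a missing *filter/COMMIT frame, and an INPUT policy that is not DROP.
lint_iptables_file() {
  awk '
    BEGIN { bad = 0; filter = 0; commit = 0; input_drop = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\*filter/    { filter = 1; next }
    /^COMMIT/      { commit = 1; next }
    /^:INPUT DROP/ { input_drop = 1; next }
    /^:/           { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(-s|-d|-i|-o|-p|-j|--dport|--sport|--state|--icmp-type)$/ &&
            (i == NF || $(i + 1) ~ /^-/)) {
          printf "line %d: %s has no argument: %s\n", NR, $i, $0
          bad++
        }
    }
    END {
      if (!filter)     { print "missing *filter table header"; bad++ }
      if (!commit)     { print "missing COMMIT"; bad++ }
      if (!input_drop) { print "INPUT chain policy is not DROP"; bad++ }
      exit bad   # exit status = number of findings
    }' "$1"
}
# Constructed samples, not from a real host. BAD_RULES repeats the dangling
# "-s" mistake and has neither a COMMIT line nor a DROP policy.
BAD_RULES=$(mktemp); GOOD_RULES=$(mktemp)
trap 'rm -f "$BAD_RULES" "$GOOD_RULES"' EXIT
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -s --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
lint_iptables_file "$GOOD_RULES" && echo "good rules: no findings"
lint_iptables_file "$BAD_RULES" || echo "bad rules: $? findings"
```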


Adding some package repos: EPEL, Remi and Nginx.

# yum install
# yum install
# cd /etc/yum.repos.d/
# vi nginx.repo
name=nginx repo


# yum update


Let's install and set up Nginx.

# yum install nginx
# systemctl enable nginx
# systemctl status nginx.service
# systemctl start nginx.service
# systemctl status nginx.service


Let's now set up Php-fpm 7.1.

# cd /etc/yum.repos.d/
# vi remi-php71.repo



# yum install php71-php-cli php71-php-fpm php71-php-common php71-php-gd php71-php-mbstring php71-php-mcrypt php71-php-mysql php71-php-pdo php71-php-xmlrpc php71-php-soap php71-php-pecl-lzf


# systemctl start php71-php-fpm


MariaDB (MySQL) install and basic setup.

# vi /etc/yum.repos.d/MariaDB.repo
name = MariaDB
baseurl =

# yum update
# yum install MariaDB-server MariaDB-client
# service mysql start (or: # /etc/init.d/mysql start)


Connect Php-fpm and Nginx together.

# vi /etc/nginx/conf.d/domainname.conf


# A virtual host using a mix of IP-, name-, and port-based configuration

server {
    server_name domainname.com;
    root /usr/share/nginx/html/domainname;
    access_log off;
    #access_log /usr/share/nginx/html/log/domainname.local-access.log;
    error_log /usr/share/nginx/html/log/domainname.local-error.log crit;

    location / {
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    }

    # Do not allow access to dotfiles or files giving away your WordPress version
    location ~ /(\.|wp-config.php|readme.html|licence.txt) {
        return 404;
    }

    # Don't log robots.txt requests
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Rewrite for versioned CSS+JS via filemtime
    location ~* ^.+\.(css|js)$ {
        rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
        expires 31536000s;
        access_log off;
        log_not_found off;
    }

    # Aggressive caching for static files
    # If you alter static files often, please use
    # add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31536000s;
        access_log off;
        log_not_found off;
    }

    # Hand PHP requests to php-fpm
    location ~ \.php$ {
        # include /etc/nginx/fastcgi_params;
        include /etc/nginx/fastcgi.conf;
        # Must match the "listen" setting of the php-fpm pool
        fastcgi_pass unix:/tmp/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}



# nginx -t

# systemctl restart nginx.service


You should now have a CentOS 7 web server with Nginx, Php-fpm and MariaDB up and running.


# Disk Performance etc

