CentOS 7 LEMP Nginx MariaDB PHP Setup

User

adduser username
passwd username
Grant sudo permission:
gpasswd -a username wheel

Install SSH public key:
@local$ ssh-copy-id username@SERVER_IP_ADDRESS

vi /etc/ssh/sshd_config

Hint: To search for this line, type /PermitRoot then hit ENTER. This should bring the cursor to the “P” character on that line.

Uncomment the line by deleting the “#” symbol (press Shift-x).

Now move the cursor to the “yes” by pressing c.

Now replace “yes” by pressing cw, then typing in “no”. Hit Escape when you are done editing. It should look like this:

PermitRootLogin no

DigitalOcean
systemctl reload sshd
exit

Login with new user
@local$ ssh username@SERVER_IP_ADDRESS

Firewall

sudo yum install firewalld
sudo systemctl start firewalld
sudo firewall-cmd --get-services
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

If it’s a port:

sudo firewall-cmd --permanent --add-port=8484/tcp

sudo firewall-cmd --permanent --list-all
sudo firewall-cmd --reload
sudo systemctl enable firewalld

Date & Time

sudo timedatectl list-timezones
sudo timedatectl set-timezone Asia/Taipei
sudo yum install ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
sudo timedatectl

Prerequisites

sudo yum install epel-release
sudo yum install yum-utils
sudo yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm

Nginx

sudo vi /etc/yum.repos.d/nginx.repo
/etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
sudo yum-config-manager --enable nginx-mainline
sudo yum install nginx
sudo systemctl start nginx

Test http://server_domain_name_or_IP/

sudo systemctl enable nginx

MariaDB

sudo vi /etc/yum.repos.d/MariaDB.repo
/etc/yum.repos.d/MariaDB.repo
# MariaDB 10.4 CentOS repository list - created 2020-03-17 15:09 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
sudo yum install MariaDB-server MariaDB-client
sudo systemctl start mariadb
sudo mysql_secure_installation
sudo systemctl enable mariadb

PHP

sudo yum-config-manager --enable remi-php72
sudo yum install php php-fpm php-mysql php-cli php-mbstring php-mcrypt php-gd php-curl php-zip php-xml
sudo vi /etc/php.ini
/etc/php.ini
...
cgi.fix_pathinfo=0
...
sudo vi /etc/php-fpm.d/www.conf
/etc/php-fpm.d/www.conf
user = nginx
group = nginx
listen.owner = nobody
listen.group = nobody
listen = /var/run/php-fpm/php-fpm.sock
sudo systemctl start php-fpm
sudo systemctl enable php-fpm

Composer

sudo yum install composer

Node.js

curl -sL https://rpm.nodesource.com/setup_13.x | sudo bash -
sudo yum install -y nodejs

To install the Yarn package manager, run:
curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | sudo tee /etc/yum.repos.d/yarn.repo
sudo yum install yarn

Git

sudo yum remove git
sudo rpm -U https://centos7.iuscommunity.org/ius-release.rpm
sudo yum install git2u

Nginx Config

https://www.digitalocean.com/community/tools/nginx#
sudo nginx -t && sudo systemctl restart nginx

Note that the path of php-fpm.sock might be different from the template.

GODDAMN SELinux

Got Permission denied in /var/log/nginx/error.log???

Check the SELinux audit log:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied
ls -Z /var/www
sudo chcon -Rv -t httpd_sys_content_t /var/www/
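
Added example, not part of the original post: a summary of the audit-log denials that groups them by process, permission, object class and target type, so one line per distinct problem is left instead of raw AVC records. The function names avc_summary and sample_audit_log are hypothetical, the sample log lines are constructed, and the filter assumes nginx and php-fpm both run in the httpd_t domain.

```sh
#!/bin/sh
# Added example: group SELinux AVC denials from the web stack by what was denied.
# Assumption: nginx and php-fpm both run in the httpd_t domain, so the filter
# keys on the source context instead of the string "nginx".

avc_summary() {   # stdin: audit.log lines; stdout: "count comm perms tclass target_type"
    awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
        comm = perms = tclass = ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # permissions sit between { and }
                perms = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? "" : perms ",") $j
            } else if ($i ~ /^comm=/) {
                comm = $i; gsub(/^comm=|"/, "", comm)
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]   # user:role:type:level
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        seen[comm " " perms " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

sample_audit_log() {   # constructed sample lines, not taken from a real host
    cat <<'EOF'
type=AVC msg=audit(1584457801.101:501): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.php" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1584457802.202:502): avc:  denied  { read } for  pid=1201 comm="nginx" name="app.css" dev="vda1" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1584457803.303:503): avc:  denied  { write } for  pid=1302 comm="php-fpm" name="storage" dev="vda1" ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1584457804.404:504): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1584457805.505:505): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="vda1" ino=3001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1584457801.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
}

# On a server: sudo cat /var/log/audit/audit.log | avc_summary
sample_audit_log | avc_summary
```

In the output, a write denial on a httpd_sys_content_t directory points at the httpd_sys_rw_content_t relabel below, and a name_connect denial on a tcp_socket points at the httpd_can_network_connect boolean.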

To enable write permission for httpd:

sudo chcon -Rv -t httpd_sys_rw_content_t /var/www/html/storage
sudo chcon -Rv -t httpd_sys_rw_content_t /var/www/html/bootstrap/cache
sudo chown $USER:nginx -R /var/www/html
sudo chmod -R 775 /var/www/html/storage
sudo chmod -R 775 /var/www/html/bootstrap/cache

Some say: sudo chmod u=+srwX,g=+srX,o=rX -R /var/www/html/

To allow httpd to make outbound network connections (usually to a load balancer or WebSocket):

sudo setsebool -P httpd_can_network_connect 1

Fix PHP session permission:

sudo chown -R nginx: /var/lib/php/session

If there’s another permission denied problem:
sudo chcon -R -t httpd_var_run_t /var/lib/php/session
Reference (maybe httpd_var_run_t is enough?):
sudo restorecon -v /var/lib/php/session
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/lib/php/session

MDFK
