RHEL: Difference between revisions
Line 86: | Line 86: | ||
} | } | ||
</source> | </source> | ||
Create a file named <code>/etc/nginx/php_81_params.conf</code> | Create a file named <code>/etc/nginx/php_81_params.conf</code> | ||
Line 105: | Line 107: | ||
fastcgi_pass 127.0.0.1:9000; | fastcgi_pass 127.0.0.1:9000; | ||
} | } | ||
</source> | |||
Add <code>include /etc/nginx/sites-enabled/*.conf;</code> at the end of the first block before the closing brace. Then add a link inside the /etc/nginx/sites-enabled/ folder | |||
<source lang="console"> | |||
# ln -s /etc/nginx/sites-available/unm.edu.conf ./ | |||
</source> | </source> | ||
Revision as of 13:54, 3 November 2021
Setting up from scratch on a VM at work
Web services
Install NGINX
$ sudo yum install yum-utils
Create /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Install nginx
$ sudo yum install nginx
Set up folders
# cd /etc/nginx
# mkdir sites-available
# mkdir sites-enabled
Create a file named sites-available/unm.edu.conf
server {
listen 80;
listen [::]:80;
server_name unm.edu *.unm.edu;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ~^(?<subdomain>.+)\.unm\.dev$;
if (!-d /srv/www/unm.edu/$subdomain) {
set $subdomain "base";
}
set $public "";
if (-d /srv/www/unm.edu/$subdomain/public) {
set $public public;
}
root /srv/www/unm.edu/$subdomain/$public;
index index.php index.html index.htm;
access_log /var/log/nginx/access-wildcard.unm.edu.log;
error_log /var/log/nginx/error-wildcard.unm.edu.log;
include php_81_params.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem;
ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem;
include ssl_params.conf;
}
Create a file named /etc/nginx/php_81_params.conf
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
Add include /etc/nginx/sites-enabled/*.conf;
at the end of the first block before the closing brace. Then add a link inside the /etc/nginx/sites-enabled/ folder
# ln -s /etc/nginx/sites-available/unm.edu.conf ./
Create /etc/ssl/certs/dhparams.pem
# openssl dhparam -out dhparams.pem 4096
Create a file named /etc/nginx/ssl_params.conf
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD
SA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
Install SSL certificates
Certificates should have been created by something like mkcert for development environment. The certificate should be in /etc/pki/tls/certs/
and the private key should be stored in /etc/pki/tls/private/
. Then secure the private key with:
# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem
Install EPEL & REMI repo
$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
$ cd /tmp
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum -y install epel-release-latest-7.noarch.rpm
$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
Install PHP 8.1
# yum-config-manager --enable remi-php81
# yum -y autoremove rh-php72
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml
Useful commands
Package management
Clean up cache for yum PM
$ sudo service rhsmcertd restart
$ sudo subscription-manager refresh
$ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache
List all subscriptions
$ sudo subscription-manager list --all --available | more
Install downloaded RPM package
$ sudo yum -y localinstall ~/Downloads/screen
Check if there are any disabled repositories
$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/*
/etc/yum.repos.d/epel.repo.rpmsave:[epel]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=1
/etc/yum.repos.d/epel.repo.rpmsave:[epel-debuginfo]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/epel.repo.rpmsave:[epel-source]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/nginx.repo:[nginx-stable]
/etc/yum.repos.d/nginx.repo:enabled=1
/etc/yum.repos.d/nginx.repo:[nginx-mainline]
/etc/yum.repos.d/nginx.repo:enabled=1
...