Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 30 – Varnish Installation + Config with NGINX + Apache2

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 30 – VARNISH INSTALLATION + CONFIG WITH NGINX + APACHE2


Let’s install Varnish:

[root@server-1] yum install varnish

“Y” to install all marked packages for installation:

Output should look like the following:

Complete!

 

Let’s bang out NGINX’s configuration:

Change Directory:

[root@server-1] cd /etc/nginx/

Create Directory “sites-available”:

[root@server-1] mkdir sites-available

Create Directory “sites-enabled”:

[root@server-1] mkdir sites-enabled

We’re going to create 2 configuration files. 1) Root NGINX Conf with no Listen  2) exampledomain.com.conf:

 

Create backup of any existing nginx.conf:

[root@server-1] cp nginx.conf nginx.conf.bkup

If one exists, then let’s zero it out:

[root@server-1] cat /dev/null > nginx.conf

Let’s load up nano:

[root@server-1] nano -c nginx.conf

Paste the following as our base configuration. Our domains will live in sites-available, with symlinks into sites-enabled (using your own schema, of course):

user nginxu nginxu;
worker_processes 2;
worker_rlimit_nofile 8000;

events {
worker_connections 8192;
}

http {
perl_modules /opt/local/share/nginx;
perl_require Roboo.pm;

include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;

connection_pool_size 256;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 16k;
request_pool_size 4k;

gzip off;
gzip_min_length 0;
gzip_buffers 4 8k;
gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_proxied any;
gzip_http_version 1.0;
output_buffers 1 32k;
postpone_output 1460;

sendfile on;
tcp_nopush on;
tcp_nodelay on;

keepalive_timeout 75 20;

ignore_invalid_headers on;

server_tokens off;
proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;

}

 

CNTRL + X , then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Change Directory:

[root@server-1] cd sites-available

Create file using nano:

[root@server-1] nano -c exampledomain.com.conf

Paste the following, using your schema:

user nginxu nginxu;
worker_processes 2;
worker_rlimit_nofile 8000;

events {
worker_connections 8192;
}

http {
perl_modules /opt/local/share/nginx;
perl_require Roboo.pm;

include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;

connection_pool_size 256;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 16k;
request_pool_size 4k;

gzip off;
gzip_min_length 0;
gzip_buffers 4 8k;
gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_proxied any;
gzip_http_version 1.0;
output_buffers 1 32k;
postpone_output 1460;

sendfile on;
tcp_nopush on;
tcp_nodelay on;

keepalive_timeout 75 20;

ignore_invalid_headers on;

server_tokens off;
proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;
server {
listen exampledomain.comIP:443 ssl;
server_name exampledomain.com;

ssl on;
ssl_certificate /home/exampledomain/ssl.crt;
ssl_certificate_key /home/exampledomain/ssl.key;

location / {

proxy_pass http://127.0.0.1:80;
# proxy_pass fcgi://127.0.0.1:9071/home/exampledomain/public_html$1
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
}
}
# Roboo challenge server block; add listen and server_name for your schema (not given here).
server {
access_log /dev/null;

location / {
perl Roboo::handler;
set $Roboo_challenge_modes "SWF,gzip"; # SWF or JS, optionally gzip for encoding ("JS,gzip" or "SWF,gzip")

# Defaults
#set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
#set $Roboo_validity_window 600; # Authentication validity time window
#set $Roboo_whitelist "IP(),UA(''),URI('')"; # Whitelist - IP addresses (CIDR), user-agents or URIs (PCRE)
#set $Roboo_charset "UTF-8"; # Charset used during challenge (for proper POST resubmissions)
#set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent

error_page 555 = @proxy;
expires epoch;
add_header Last-Modified "";
if ($Roboo_challenge_modes ~ gzip) {
gzip on;
}
access_log /var/log/nginx/challenged.log;
}

location @proxy {
proxy_pass http://example.com;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_cache cache;
proxy_cache_valid 5m;
gzip on;
access_log /var/log/nginx/verified.log;
}
}
}

 

 

CNTRL + X , “Y” to save all changes and ENTER to return to bash:

[root@server-1]
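
The proxy block above hands the client address to the backend in X-Forwarded-For via $proxy_add_x_forwarded_for, which appends nginx's peer address to whatever the client already sent. As an added example (not from the original post), this shell function reads that header the way a backend or log parser should: right to left, skipping its own proxies. The function names, the trusted-proxy list and the sample header are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Header values are constructed;
# 172.27.240.100 is the VPN client address used elsewhere in this series.

# naive_client_ip XFF
# Takes the leftmost entry, which is whatever the client chose to send.
naive_client_ip() {
    printf '%s\n' "$1" | awk -F, '{ gsub(/[ \t]/, "", $1); print $1 }'
}

# client_ip_from_xff XFF TRUSTED_PROXY...
# Walks the list right to left and returns the first hop that is not one of
# our own proxies. Entries to the left of that hop are unverified.
client_ip_from_xff() {
    _xff=$1
    shift
    printf '%s\n' "$_xff" | awk -v trusted="$*" '
        BEGIN {
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) is_proxy[t[i]] = 1
        }
        {
            m = split($0, hop, ",")
            for (i = m; i >= 1; i--) {
                gsub(/^[ \t]+|[ \t]+$/, "", hop[i])
                if (!(hop[i] in is_proxy)) { print hop[i]; exit }
            }
            print hop[1]   # every hop was one of our proxies
        }'
}

# Constructed header as the backend would receive it: the client sent
# "X-Forwarded-For: 172.27.240.100", nginx appended the real peer address
# 203.0.113.9, and a local cache in front of Apache appended 127.0.0.1.
sample='172.27.240.100, 203.0.113.9, 127.0.0.1'
echo "leftmost (client-supplied): $(naive_client_ip "$sample")"
echo "rightmost untrusted hop:    $(client_ip_from_xff "$sample" 127.0.0.1)"
```

Any IP-based rule on the backend (rate limits, whitelists) should key on the second value, never the first.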

 

 

 

 

 

 

 

Source Articles, Blogs, Websites:

HTTPS Everywhere With NGINX, Varnish and Apache | Smashing Magazine

 

QUEST 1 : Lightning Fast Web Servers (STRUCTURED INDEX)

QUEST 1 : Lightning Fast Web Servers – PART 1 – INTRODUCTION

QUEST 1: Lightning Fast Web Servers – PART 2 – PREREQUISITES

QUEST 1: Lightning Fast Web Servers – PART 3 -OVERVIEW/PRIOR TO CENTOS 7.3 MINIMAL INSTALLATION

QUEST 1: Lightning Fast Web Servers – PART 4 – CentOS 7.3 NETWORK CONFIGURATION AND SSH2 DAEMON CONFIGURATION WITH 4096-BIT KEYS

QUEST 1: Lightning Fast Web Servers – PART 5 – VIRTUALMIN PRO INSTALLATION AND CONFIGURATION

QUEST 1: Lightning Fast Web Servers – Part 6 – CSF FIREWALL INSTALL CONFIGURATION – FINALIZE SSH2 4096-BIT KEYS

QUEST 1: Lightning Fast Web Servers – Part 7 – VIRTUALMIN WAN AND LAN STATIC IP ADDRESSING

QUEST 1: Lightning Fast Web Servers – Part 8 – BIND 9 CONFIGURATION + VIRTUALMIN AND APACHE2 OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 9 – INSTALL PHP 5.6.25, PHP 7.0.15, PHP 7.1.1 + VIRTUALMIN CONFIGURATION

QUEST 1: Lightning Fast Web Servers – Part 10 – ADD STATIC WAN IP ADDRESS + ENABLE PHP 7.1.1 ON BOOT + PHP-FPM + APACHE2 + PHP INFO

QUEST 1: Lightning Fast Web Servers – Part 11 – BIND 9 + SETUP AS AUTHORITATIVE DNS NAME SERVERS + VIRTUALMIN VIRTUAL SERVER #1 CREATION

QUEST 1: Lightning Fast Web Servers – Part 12 – APACHE2 FIXES + PHP AND PHP-FPM UPDATES

QUEST 1: Lightning Fast Web Servers – Part 13 – DOVECOT FIX + VIRTUAL SERVER #2 CREATION + REMOVE SYSTEM HOST IP FROM SHARED POOL

QUEST 1: Lightning Fast Web Servers – Part 14 – VIRTUALMIN CONFIGURATIONS + INSTALL PRO LICENSE + UPDATE SYSTEM + MODIFY SETTINGS

QUEST 1: Lightning Fast Web Servers – Part 15 – PHP-FPM 5.4.x + PHP-FPM 5.6.x + PHP-FPM 7.0.x + PHP-FPM 7.1.x

QUEST 1: Lightning Fast Web Servers – Part 16 – ROUNDCUBE + SSL ON VIRTUAL SERVER #1 + SSL ON VIRTUALMIN WEBUI + APACHE2 CONFIGURATIONS

QUEST 1: Lightning Fast Web Servers – Part 17 – STATIC LAN IP NETWORK SCHEMA + APACHE2 LAN BINDING TO VIRTUAL SERVER #1

QUEST 1: Lightning Fast Web Servers – Part 18 – OPENVPN ACCESS SERVER + OPENVPN SERVER + OPENVPN CLIENT + TEST VPN

QUEST 1: Lightning Fast Web Servers – Part 19 – PRIVATE BIND 9 DNS

QUEST 1: Lightning Fast Web Servers – Part 20 – APACHE2 CONFIGURATION UPDATE + INTERNAL VIRTUALHOST MAPPING

QUEST 1: Lightning Fast Web Servers – Part 21 – SECURITY ENHANCEMENT + OPENVPN

QUEST 1: Lightning Fast Web Servers – Part 22 – SSL DOVECOT + POSTFIX + MOZILLA THUNDERBIRD

QUEST 1: Lightning Fast Web Servers – Part 23 – FFMPEG X64 + MULTIMEDIA LIBRARIES

QUEST 1: Lightning Fast Web Servers – Part 24 – CRITICAL APACHE2 UPDATE ROCKETTHEME ROCKETLAUNCHER + JOOMLA

QUEST 1: Lightning Fast Web Servers – Part 25 – ROCKETTHEME ROCKETLAUNCHER + WORDPRESS

QUEST 1: Lightning Fast Web Servers – Part 26 – ROCKETTHEME ROCKETLAUNCHER + PHPBB

QUEST 1: Lightning Fast Web Servers – Part 27 – NGINX INSTALL FROM SOURCE + MODS

QUEST 1: Lightning Fast Web Servers – Part 28 – APACHE2 + SECURITY – MOD_SECURITY + MOD_EVASIVE + OWASP V3

QUEST 1: Lightning Fast Web Servers – Part 29 – MYSQL MARIADB TUNING AND OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 30 – VARNISH INSTALLATION + CONFIG WITH NGINX + APACHE2

QUEST 1: Lightning Fast Web Servers – Part 31 – APACHE2 TUNING AND OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 32 – REDIS CACHE SERVER

QUEST 1: Lightning Fast Web Servers – Part 33 – INSTALL HYBRID-IRCD + ANOPE SERVICES + SECURITY EGGDROP

QUEST 1: Lightning Fast Web Servers – Part 34 – INSTALL SHOUTCAST SERVER + WEBUI

QUEST 1: Lightning Fast Web Servers – Part 35 – JOOMLA CMS OPTIMIZATION + SECURITY

QUEST 1: Lightning Fast Web Servers – Part 36 – WORDPRESS CMS OPTIMIZATION + SECURITY

QUEST 1: Lightning Fast Web Servers – Part 37 – PHPBB FORUM OPTIMIZATION + SECURITY

Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 29 – MySQL MariaDB Tuning and Optimization

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 29 – MYSQL MARIADB TUNING AND OPTIMIZATION


Let’s Backup our MariaDB Configuration File:

[root@server-1] cp /etc/my.cnf /etc/my.cnf.bkup

Let’s Nano our MariaDB Configuration File:

[root@server-1] nano -c /etc/my.cnf

Add the following to the bottom of the configuration file:

# Server settings belong in the [mysqld] group; documented size suffixes are K, M and G
[mysqld]
skip-name-resolve
innodb_buffer_pool_size = 6G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 1
innodb_log_buffer_size = 10M
max_connections = 4096
query_cache_type = 1
query_cache_limit = 256K
query_cache_min_res_unit = 2k
long_query_time = 1
query_cache_size = 80M
tmp_table_size = 512M
max_heap_table_size = 512M
slow-query-log = 1
slow-query-log-file = /var/log/mariadb/mariadb-slow.log
wait_timeout = 60

CNTRL + X , then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Restart MariaDB MySQL Server Database Daemon:

[root@server-1] systemctl restart mariadb.service

Go to root ~/:

[root@server-1] cd ~

Create Directory “perl-scripts”:

[root@server-1] mkdir perl-scripts

Change Directory:

[root@server-1] cd perl-scripts

Download MySQLTuner.pl:

[root@server-1] wget https://github.com/major/MySQLTuner-perl/tarball/master

Extract Download:

[root@server-1] tar xf master

Change Directory:

[root@server-1] cd major-MySQLTuner-perl-48be29a

Executing MySQLTuner.pl:

[root@server-1] ./mysqltuner.pl

Please enter your MySQL administrative login:

enter your MySQL Administrative Login (Normally root)

Please enter your MySQL administrative password:

After entering MySQL root / and your very secure root MySQL password, you should see MySQLTuner.pl kick off…

You will probably see right away what concerns me: the version of MariaDB MySQL Server that comes by default in the CentOS 7.3 repositories seems to be pretty vulnerable to many of the security bulletins for MySQL 5.5.

For obvious reasons, let’s go ahead and back up our databases and re-install MySQL, using the 5.7 Community Server version in place of our current version.

[root@server-1]

Backup Virtual Server #1 -> exampledomain.com:

[root@server-1]

MySQLDump:

[root@server-1] mysqldump -u root -p(password) user > /home/user.sql

Now that we’ve backed up our sql file for Virtual Server #1 – exampledomain.com, let’s get MySQL 5.7 Installed and Configured!

[root@server-1]

Change Directory:

[root@server-1] cd /opt/

Download MySQL 5.7 Community Release:

[root@server-1] wget https://dev.mysql.com/get/mysql57-community-release-el7-9.noarch.rpm

Install RPM:

[root@server-1] rpm -ivh mysql57-community-release-el7-9.noarch.rpm

Your output should look like this:

Preparing…                          ################################# [100%]
Updating / installing…
1:mysql57-community-release-el7-9  ################################# [100%]

This added the MySQL repositories, so we can now install from them:

[root@server-1] yum install mysql-server

Your installation screen should look similar to this:

Dependencies Resolved

======================================================================================================================================================================
Package                                            Arch                          Version                              Repository                                Size
======================================================================================================================================================================
Installing:
mysql-community-client                             x86_64                        5.7.17-1.el7                         mysql57-community                         24 M
replacing  mariadb.x86_64 1:5.5.52-1.el7
mysql-community-devel                              x86_64                        5.7.17-1.el7                         mysql57-community                        3.6 M
replacing  mariadb-devel.x86_64 1:5.5.52-1.el7
mysql-community-libs                               x86_64                        5.7.17-1.el7                         mysql57-community                        2.1 M
replacing  mariadb-libs.x86_64 1:5.5.52-1.el7
mysql-community-libs-compat                        x86_64                        5.7.17-1.el7                         mysql57-community                        2.0 M
replacing  mariadb-libs.x86_64 1:5.5.52-1.el7
mysql-community-server                             x86_64                        5.7.17-1.el7                         mysql57-community                        162 M
replacing  mariadb-server.x86_64 1:5.5.52-1.el7
Installing for dependencies:
mysql-community-common                             x86_64                        5.7.17-1.el7                         mysql57-community                        271 k

Transaction Summary
======================================================================================================================================================================
Install  5 Packages (+1 Dependent package)

Total download size: 194 M
Is this ok [y/d/N]:

Perfect! Exactly what we wanted 🙂

“Y” to select yes and install all marked packages for installation:

Partway into the installation, you will be prompted with something like this:

Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
Importing GPG key xxxxxxxxxx:
Userid     : "MySQL Release Engineering <mysql-build@oss.oracle.com>"
Fingerprint: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
Package    : mysql57-community-release-el7-9.noarch (installed)
From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
Is this ok [y/N]:

Select “Y”

Eventually you will see:

Complete!

Nano /etc/my.cnf and remove thread_concurrency=8 line:

[root@server-1] nano -c /etc/my.cnf

Delete line

CNTRL + X, then “Y” to save changes and ENTER to return to bash:

[root@server-1]

Start MySQL Server 5.7:

[root@server-1] systemctl start mysqld.service

Enable MySQL Server 5.7 on start-up:

[root@server-1] systemctl enable mysqld.service

Run the following script and use your previous root password for MySQL server:

[root@server-1] mysql_secure_installation

All done!

 

 

 

 

Source Articles, Blogs, Websites:

Ten MySQL Performance Tuning Settings after Installation

How To Install MySQL on CentOS 7 | DigitalOcean

 


Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 28 – Apache2 + Security – mod_security + mod_evasive + OWASP V3

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 28 – APACHE2 + SECURITY – MOD_SECURITY + MOD_EVASIVE + OWASP V3


Let’s su root into server-1 and hit bash:

[root@server-1]

Let’s change directories to /opt/:

[root@server-1] cd /opt

Download Mod_Security-2.9.1:

[root@server-1] wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

Extract Mod_Security 2.9.1:

[root@server-1] tar xzfv modsecurity-2.9.1.tar.gz

Change Directories:

[root@server-1] cd modsecurity-2.9.1

Let’s install libcurl-devel:

[root@server-1] yum install libcurl-devel

Select “Y” to install all marked packages for installation

Let’s install httpd-devel:

[root@server-1] yum install httpd-devel

Select “Y” to install all marked packages for installation

Let’s configure Mod_Security 2.9.1:

[root@server-1] ./configure

You should have a similar output:

config.status: creating build/apxs-wrapper
config.status: creating mlogc/mlogc-batch-load.pl
config.status: creating tests/regression/misc/40-secRemoteRules.t
config.status: creating tests/regression/misc/50-ipmatchfromfile-external.t
config.status: creating tests/regression/misc/60-pmfromfile-external.t
config.status: creating tests/run-unit-tests.pl
config.status: creating tests/run-regression-tests.pl
config.status: creating tests/gen_rx-pm.pl
config.status: creating tests/csv_rx-pm.pl
config.status: creating tests/regression/server_root/conf/httpd.conf
config.status: creating tools/rules-updater.pl
config.status: creating mlogc/Makefile
config.status: creating tests/Makefile
config.status: creating apache2/modsecurity_config_auto.h
config.status: executing depfiles commands
config.status: executing libtool commands

Let’s make install:

[root@server-1] make install

You should have a similar output:

Making install in tests
make[1]: Entering directory `/opt/modsecurity-2.9.1/tests'
make[2]: Entering directory `/opt/modsecurity-2.9.1/tests'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/opt/modsecurity-2.9.1/tests'
make[1]: Leaving directory `/opt/modsecurity-2.9.1/tests'
make[1]: Entering directory `/opt/modsecurity-2.9.1'
make[2]: Entering directory `/opt/modsecurity-2.9.1'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/opt/modsecurity-2.9.1'
make[1]: Leaving directory `/opt/modsecurity-2.9.1'

Let’s go ahead and configure Mod_Security:

Create our modsecurity.conf file:

[root@server-1] cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Copy unicode.mapping to /etc/httpd/conf.d/:

[root@server-1] cp unicode.mapping /etc/httpd/conf.d/

Let’s backup our httpd.conf:

[root@server-1] cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup7

Now we will nano our httpd.conf and add some loadmodule lines:

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

CNTRL + V until you get to the very bottom, then add the following lines.

 

NEW LINES:

LoadModule security2_module modules/mod_security2.so

LoadModule unique_id_module modules/mod_unique_id.so

CNTRL + X, then “Y” to save all changes, ENTER to return to bash:

[root@server-1]

Restart Apache2 with newly loaded modules:

[root@server-1] systemctl restart httpd.service

Great, now we have Mod_Security 2.9.1 installed and loaded in our Apache2 build!

Installing OWASP V3

Let’s change directories:

[root@server-1] cd /etc/httpd

Let’s git clone the latest OWASP from github:

[root@server-1] git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Let’s rename the folder:

[root@server-1] mv owasp-modsecurity-crs modsecurity-crs

Let’s change directories:

[root@server-1] cd modsecurity-crs

Copy our OWASP configuration file:

[root@server-1] cp crs-setup.conf.example crs-setup.conf

Restart Apache2 Server Daemon:

[root@server-1] systemctl restart httpd.service

 

Installing Mod_Evasive

Install Mod_Evasive:

[root@server-1] yum install mod_evasive

Select “Y” to install all marked packages for installation

Let’s backup mod_evasive.conf before making modifications to it:

[root@server-1] cp /etc/httpd/conf.d/mod_evasive.conf /etc/httpd/conf.d/mod_evasive.conf.bkup

Let’s nano /etc/httpd/conf.d/mod_evasive.conf:

[root@server-1] nano -c /etc/httpd/conf.d/mod_evasive.conf

Go to Line 18

Was:

    DOSPageCount        2

Now:

    DOSPageCount        5

Go to Line 41

Was:

    DOSBlockingPeriod   10

Now:

    DOSBlockingPeriod   300

Go to line 48

Was:

    #DOSEmailNotify     you@yourdomain.com

Now:

    DOSEmailNotify     admin@exampledomain.com

Go to Line 66

Was:

   #DOSLogDir           "/var/lock/mod_evasive"

Now:

   DOSLogDir           "/var/log/mod_evasive"

CNTRL + X, then “Y” to save changes and then ENTER to return to bash:

[root@server-1]

Create log directory:

[root@server-1] mkdir /var/log/mod_evasive

Chown with Custom Apache2 User:

[root@server-1] chown httpdu /var/log/mod_evasive

Restart Apache2 with Mod_Evasive enabled:

[root@server-1] systemctl restart httpd.service

 

Whitelist OpenVPN Client IP Address (mod_evasive):

 

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

 

Paste the following at the bottom of the configuration file:

DOSWhitelist 172.27.240.100

CNTRL + X , then “Y” to save all changes, ENTER to return to bash:

[root@server-1]

Whitelist OpenVPN Client IP Address (mod_security & OWASP): (METHOD #1)

.htaccess

Add the following line to your exampledomain.com .htaccess file (placing it at the top works just fine):

SetEnvIfNoCase Remote_Addr ^172\.27\.240\.100$ MODSEC_ENABLE=Off

Whitelist OpenVPN Client IP Address (mod_security & OWASP): (METHOD #2)

/etc/httpd/conf.d/modsecurity.conf (Whitelist Line)

Nano modsecurity.conf:

[root@server-1] nano -c /etc/httpd/conf.d/modsecurity.conf

Add the following line to the very bottom and CNTRL + X, then “Y” to save changes and ENTER to return to bash:

SecRule REMOTE_ADDR "^172\.27\.240\.100$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945

 

[root@server-1]

Restart Apache2 w/ updated Whitelist for our Open VPN Client Static IP 🙂

[root@server-1] systemctl restart httpd.service
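
A check worth running after the Mod_Security, OWASP and whitelist steps above, as an added example that is not part of the original post: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, and the CRS rules only run once Apache includes crs-setup.conf and rules/*.conf. The script reports both conditions and lists every directive that switches the engine off. The function names and sample file contents are assumptions; the paths follow the directories used above.

```shell
#!/bin/sh
# Added example, not from the original post. Sample file contents are
# constructed; paths follow the directories used in the steps above.

# audit_modsec FILE...
# Prints one finding per line for the given Apache config files.
# Approximation: the last active SecRuleEngine line is taken as the effective
# one, which holds when all of them sit in the same (server-wide) context.
audit_modsec() (
    engine=$(grep -hiE '^[[:space:]]*SecRuleEngine[[:space:]]+' "$@" \
             | tail -n 1 | awk '{ print tolower($2) }')
    case "$engine" in
        on) ;;
        "") echo "ENGINE: no SecRuleEngine directive found" ;;
        *)  echo "ENGINE: SecRuleEngine is '$engine', requests are not blocked" ;;
    esac

    # CRS v3 only runs if Apache includes its setup file and its rule files.
    grep -hiqE '^[[:space:]]*Include(Optional)?[[:space:]]+.*crs-setup\.conf' "$@" \
        || echo "CRS: crs-setup.conf is not included"
    grep -hiqE '^[[:space:]]*Include(Optional)?[[:space:]]+.*rules/[^[:space:]]*\.conf' "$@" \
        || echo "CRS: rules/*.conf are not included"

    # Anything that switches the engine off for some requests is a bypass to
    # keep under review; both whitelist methods from the post are matched.
    grep -HniE 'ctl:ruleEngine=Off|MODSEC_ENABLE=Off' "$@" \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' \
        | sed -E 's/^([^:]+):([0-9]+):.*/BYPASS: \1:\2 disables the rule engine/'
)

# write_before DIR: the state the steps above leave behind (constructed excerpt)
write_before() {
    mkdir -p "$1"
    cat > "$1/modsecurity.conf" <<'EOF'
# modsecurity.conf-recommended ships in detection-only mode
SecRuleEngine DetectionOnly
SecRule REMOTE_ADDR "^172\.27\.240\.100$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945
EOF
}

# write_after DIR: blocking mode, whitelist first, then the CRS includes
write_after() {
    mkdir -p "$1"
    cat > "$1/modsecurity.conf" <<'EOF'
SecRuleEngine On
SecRule REMOTE_ADDR "^172\.27\.240\.100$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945
Include /etc/httpd/modsecurity-crs/crs-setup.conf
Include /etc/httpd/modsecurity-crs/rules/*.conf
EOF
}

demo_dir=$(mktemp -d)
write_before "$demo_dir/before"
write_after "$demo_dir/after"
echo "== before =="; audit_modsec "$demo_dir/before/modsecurity.conf"
echo "== after ==";  audit_modsec "$demo_dir/after/modsecurity.conf"
rm -rf "$demo_dir"
```

On the server, point it at the real files, for example `audit_modsec /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`.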

 

 

 

Source Articles, Blogs, Websites:

How to install and setup OWASP on CentOS 7

CentOS 7 : Apache httpd : configure mod_evasive | Server World

mod_evasive on Apache

apache – How to Whitelist an IP Address Using Mod_Security – Stack Overflow

 

 


Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 27 – Apache2 MPM_EVENT + MOD_PageSpeed + NGINX Install from Source + Mods

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 27 – APACHE2 MPM_EVENT + MOD_PAGESPEED + NGINX INSTALL FROM SOURCE + MODS


APACHE2 – ENABLING MPM_EVENT

Let’s start off by switching to su root bash on server-1:

[root@server-1]

Backup /etc/httpd/conf/httpd.conf

[root@server-1] cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup6

Nano /etc/httpd/conf/httpd.conf

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

Add the following code to the bottom of the httpd.conf file:

<IfModule mpm_prefork_module>
php_value session.save_handler "files"
php_value session.save_path "/var/lib/php/session"
</IfModule>

CNTRL + W (Searches in Nano):

and type “php_value”, then hit Enter. Repeat the search until the whole file has been checked.

We want to either delete each php_value entry or disable the line by commenting it out with a # hash.

Do this until every php_value is either #php_value … or removed from our configuration file.

The only php_value entries left should be the ones at the very bottom of the file, inside our mpm_prefork_module block.

If you don’t do this, Apache2 won’t restart and will return errors once we disable prefork and enable mpm_event.

Backup /etc/httpd/conf.modules.d/00-mpm.conf

[root@server-1] cp /etc/httpd/conf.modules.d/00-mpm.conf /etc/httpd/conf.modules.d/00-mpm.conf.bkup

Go to Line 6:

Was:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Now:

#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Go to Line 18:

Was:

#LoadModule mpm_event_module modules/mod_mpm_event.so

Now:

LoadModule mpm_event_module modules/mod_mpm_event.so

CNTRL + X , “Y” to save changes and ENTER to return to bash:

[root@server-1]

Restart Apache2 with MPM_EVENTS enabled:

[root@server-1] systemctl restart httpd.service

All should be smooth!

APACHE2 – Mod-PageSpeed – Installation & Enabling

Change directories to /tmp/:

[root@server-1] cd /tmp/

Download Latest Mod-PageSpeed:

[root@server-1] wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_x86_64.rpm

Install the at package, which the mod-pagespeed RPM requires:

[root@server-1] yum install at

Select “Y” to install all the marked packages for installation

Complete!

[root@server-1]

Install Mod-Pagespeed RPM file:

[root@server-1] rpm -U mod-pagespeed-*.rpm

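You might get output similar to mine. The NOKEY warning means the package’s signing key has not been imported into the RPM keyring, so the signature was not verified: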

warning: mod-pagespeed-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID xxxxxxxx: NOKEY
Redirecting to /bin/systemctl start  atd.service
job 1 at Fri Mar  3 16:15:00 2017

Backup /etc/httpd/conf.d/pagespeed.conf:

[root@server-1] cp /etc/httpd/conf.d/pagespeed.conf /etc/httpd/conf.d/pagespeed.conf.bkup1

Nano /etc/httpd/conf.d/pagespeed.conf:

[root@server-1] nano -c /etc/httpd/conf.d/pagespeed.conf

Go to Line 37:

Was:

    AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html

Now:

#    AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html

CNTRL + X , “Y” to save all changes, and ENTER to return to bash:

[root@server-1]

Restart Apache2 with Mod-Pagespeed Enabled:

[root@server-1] systemctl restart httpd.service

NGINX – INSTALLATION FROM SOURCE + ROBOO + CUSTOM DAEMON USER

su root on server-1 in bash:

Let’s Install some packages:

[root@server-1] yum install gperf libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools-devel

Select “Y” to install all marked packages for installation.

Complete!

We need to create a custom username for the NGINX process daemon:

For the purpose of this blog, we will be using the following username for our nginx.service build:

Default:

user = nobody

group = nobody

Custom:

user = rproxyu

group = rproxyu

Let’s create our new user in su root bash:

[root@server-1] useradd rproxyu

[root@server-1] usermod -s /sbin/nologin rproxyu

Let’s set a complicated password of 38+ characters for our new NGINX Daemon user “rproxyu” in group “rproxyu”:

[root@server-1] passwd rproxyu

Changing password for user rproxyu.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@server-1]

Create nginx directory structure:

[root@server-1] mkdir -p /etc/nginx/modules

Change directories:

[root@server-1] cd /etc/nginx/modules

Download NGINX Module “ngx_pagespeed”:

[root@server-1] wget https://github.com/pagespeed/ngx_pagespeed/archive/latest-stable.tar.gz

Extract NGINX Module “ngx_pagespeed”:

[root@server-1] tar -xzvf latest-stable.tar.gz

Rename Extracted Directory:

[root@server-1] mv ngx_pagespeed-latest-stable ngx_pagespeed

Change Directory:

[root@server-1] cd ngx_pagespeed

Download PSOL Library Files that are required for Ngx_Pagespeed to function properly:

[root@server-1] wget https://dl.google.com/dl/page-speed/psol/1.9.32.2.tar.gz

Extract PSOL Library Files:

[root@server-1] tar -xzvf 1.9.32.2.tar.gz

Change Directory:

[root@server-1] cd /etc/nginx/modules

Download Roboo – HTTP Robot Mitigator:

[root@server-1] wget https://github.com/yuri-gushin/Roboo/archive/master.zip

Extract Roboo – HTTP Robot Mitigator:

[root@server-1] unzip master.zip

Rename Directory:

[root@server-1] mv Roboo-master ngx_roboo

Change Directory:

[root@server-1] cd /etc/nginx

Download NGINX Latest, currently “nginx-1.11.10.tar.gz”:

[root@server-1] wget http://nginx.org/download/nginx-1.11.10.tar.gz

Extract NGINX “nginx-1.11.10.tar.gz”:

[root@server-1] tar -xzvf nginx-1.11.10.tar.gz

Change Directory:

[root@server-1] cd nginx-1.11.10

Let’s install some Roboo Perl Requirements:

[root@server-1] yum install cpan

Select “Y” to install all packages marked for installation.

Drop into the cpan shell so that we can install the Perl modules used by Roboo HTTP Robot Mitigator. On first run it has to be configured:

[root@server-1] cpan

You will be prompted to configure it automatically. I went ahead and chose yes, and when it gave me the choice to do sudo, manual, etc. I chose sudo and then default settings until I came to the following screen:

cpan[1]> install CPAN

After cpan[1] finishes installing, proceed to the next:

cpan[2]> reload cpan

After cpan[2] finishes reloading, proceed to the next:

cpan[3]> install Net::IP::Match::Regexp

After cpan[3] finishes installing, proceed to the next:

cpan[4]> install Compress::Zlib

After cpan[4] finishes installing, proceed to the next:

cpan[5]> install Digest::SHA

After cpan[5] finishes installing, proceed to the next:

cpan[6]> install Crypt::Random

We will be prompted to do this automatically, select “Y” and ENTER. This one takes a while to install.

Exit PERL CPAN Shell:

cpan[7]> exit

Terminal does not support GetHistory.

Lockfile removed.

[root@server-1]

Let’s copy Roboo.pm to the appropriate NGINX location:

[root@server-1] cp /etc/nginx/modules/ngx_roboo/Roboo.pm /opt/local/share/nginx/Roboo.pm

If you get an error that the directory doesn’t exist, run this command:

[root@server-1] mkdir -p /opt/local/share/nginx

Then repeat the copy.

 

Let’s install NGINX from Source:

[root@server-1] cd /etc/nginx/nginx-1.11.10

Let’s run ./configure script with the specified parameters:

[root@server-1] ./configure --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=rproxyu --group=rproxyu --with-http_perl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_geoip_module --with-http_ssl_module

You will get an output like the following:

checking for perl
+ perl version: This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
+ perl interpreter multiplicity found
checking for GeoIP library ... found
checking for GeoIP IPv6 support ... found
creating objs/Makefile

Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library

nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"

Let’s make our build:

[root@server-1] make

You will get an output like the following:

objs/ngx_modules.o \
-ldl -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lz -lGeoIP \
-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE -fstack-protector -L/usr/lib64/perl5/CORE -lperl -lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc \
-Wl,-E
sed -e "s|%%PREFIX%%|/usr/local/nginx|" \
-e "s|%%PID_PATH%%|/var/run/nginx.pid|" \
-e "s|%%CONF_PATH%%|/etc/nginx/nginx.conf|" \
-e "s|%%ERROR_LOG_PATH%%|/var/log/nginx/error.log|" \
< man/nginx.8 > objs/nginx.8
make[1]: Leaving directory `/etc/nginx/nginx-1.11.10'

Let’s make our build’s installation:

[root@server-1] make install

You will get an output like the following:

make -f objs/Makefile install
make[1]: Entering directory `/etc/nginx/nginx-1.11.10'
cd objs/src/http/modules/perl && make install
make[2]: Entering directory `/etc/nginx/nginx-1.11.10/objs/src/http/modules/perl'
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /usr/local/lib64/perl5/auto/nginx/nginx.so
Installing /usr/local/lib64/perl5/auto/nginx/nginx.bs
Installing /usr/local/lib64/perl5/nginx.pm
Installing /usr/local/share/man/man3/nginx.3pm
Appending installation info to /usr/lib64/perl5/perllocal.pod
make[2]: Leaving directory `/etc/nginx/nginx-1.11.10/objs/src/http/modules/perl'
test -d '/usr/local/nginx' || mkdir -p '/usr/local/nginx'
test -d '/usr/sbin' \
|| mkdir -p '/usr/sbin'
test ! -f '/usr/sbin/nginx' \
|| mv '/usr/sbin/nginx' \
'/usr/sbin/nginx.old'
cp objs/nginx '/usr/sbin/nginx'
test -d '/etc/nginx' \
|| mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' \
|| cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' \
|| cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params \
'/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' \
|| cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/uwsgi_params' \
|| cp conf/uwsgi_params '/etc/nginx'
cp conf/uwsgi_params \
'/etc/nginx/uwsgi_params.default'
test -f '/etc/nginx/scgi_params' \
|| cp conf/scgi_params '/etc/nginx'
cp conf/scgi_params \
'/etc/nginx/scgi_params.default'
test -f '/etc/nginx/nginx.conf' \
|| cp conf/nginx.conf '/etc/nginx/nginx.conf'
cp conf/nginx.conf '/etc/nginx/nginx.conf.default'
test -d '/var/run' \
|| mkdir -p '/var/run'
test -d '/var/log/nginx' \
|| mkdir -p '/var/log/nginx'
test -d '/usr/local/nginx/html' \
|| cp -R html '/usr/local/nginx'
test -d '/var/log/nginx' \
|| mkdir -p '/var/log/nginx'
make[1]: Leaving directory `/etc/nginx/nginx-1.11.10'

Create /etc/init.d/nginx with Nano:

[root@server-1] nano -c /etc/init.d/nginx

Paste the following into this file, then CNTRL + X , then “Y” ENTER to save changes and return to bash:

#!/bin/sh
#
# nginx        Startup script for nginx
#
# chkconfig: - 85 15
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid
# description: nginx is an HTTP and reverse proxy server
#
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop nginx
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

if [ -L $0 ]; then
    initscript=`/bin/readlink -f $0`
else
    initscript=$0
fi

sysconfig=`/bin/basename $initscript`

if [ -f /etc/sysconfig/$sysconfig ]; then
    . /etc/sysconfig/$sysconfig
fi

nginx=${NGINX-/usr/sbin/nginx}
prog=`/bin/basename $nginx`
conffile=${CONFFILE-/etc/nginx/nginx.conf}
lockfile=${LOCKFILE-/var/lock/subsys/nginx}
pidfile=${PIDFILE-/var/run/nginx.pid}
SLEEPMSEC=${SLEEPMSEC-200000}
UPGRADEWAITLOOPS=${UPGRADEWAITLOOPS-5}
RETVAL=0

start() {
    echo -n $"Starting $prog: "

    daemon --pidfile=${pidfile} ${nginx} -c ${conffile}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} ${prog}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

reload() {
    echo -n $"Reloading $prog: "
    killproc -p ${pidfile} ${prog} -HUP
    RETVAL=$?
    echo
}

upgrade() {
    oldbinpidfile=${pidfile}.oldbin

    configtest -q || return
    echo -n $"Starting new master $prog: "
    killproc -p ${pidfile} ${prog} -USR2
    echo

    for i in `/usr/bin/seq $UPGRADEWAITLOOPS`; do
        /bin/usleep $SLEEPMSEC
        if [ -f ${oldbinpidfile} -a -f ${pidfile} ]; then
            echo -n $"Graceful shutdown of old $prog: "
            killproc -p ${oldbinpidfile} ${prog} -QUIT
            RETVAL=$?
            echo
            return
        fi
    done

    echo $"Upgrade failed!"
    RETVAL=1
}

configtest() {
    if [ "$#" -ne 0 ] ; then
        case "$1" in
            -q)
                FLAG=$1
                ;;
            *)
                ;;
        esac
        shift
    fi
    ${nginx} -t -c ${conffile} $FLAG
    RETVAL=$?
    return $RETVAL
}


rh_status() {
    status -p ${pidfile} ${nginx}
}

# See how we were called.
case "$1" in
    start)
        rh_status >/dev/null 2>&1 && exit 0
        start
        ;;
    stop)
        stop
        ;;
    status)
        rh_status
        RETVAL=$?
        ;;
    restart)
        configtest -q || exit $RETVAL
        stop
        start
        ;;
    upgrade)
        rh_status >/dev/null 2>&1 || exit 0
        upgrade
        ;;
    condrestart|try-restart)
        if rh_status >/dev/null 2>&1; then
            stop
            start
        fi
        ;;
    force-reload|reload)
        reload
        ;;
    configtest)
        configtest
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest}"
        RETVAL=2
esac

exit $RETVAL

Chmod 0755 /etc/init.d/nginx:

[root@server-1] chmod 0755 /etc/init.d/nginx

Chown root:root /etc/init.d/nginx:

[root@server-1] chown root:root /etc/init.d/nginx

Roboo HTTP Robot Mitigator enabled NGINX Default Conf:

user rproxyu rproxyu;
worker_processes 2;
worker_rlimit_nofile 8000;

events {
worker_connections 8192;
}

http {
perl_modules /opt/local/share/nginx;
perl_require Roboo.pm;

include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;

connection_pool_size 256;
client_header_buffer_size 1k;
client_body_buffer_size 16k;
large_client_header_buffers 4 16k;
request_pool_size 4k;

gzip off;
gzip_min_length 0;
gzip_buffers 4 8k;
gzip_types text/plain application/x-shockwave-flash text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_proxied any;
gzip_http_version 1.0;
output_buffers 1 32k;
postpone_output 1460;

sendfile on;
tcp_nopush on;
tcp_nodelay on;

keepalive_timeout 75 20;

ignore_invalid_headers on;

server_tokens off;
proxy_cache_path /opt/local/share/nginx/cache levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000m;
server {
listen 8080;
server_name _;

access_log /dev/null;

location / {
perl Roboo::handler;
set $Roboo_challenge_modes "SWF,gzip"; # SWF or JS, optionally gzip for encoding ("JS,gzip" or "SWF,gzip")

# Defaults
#set $Roboo_cookie_name "Anti-Robot"; # Cookie name used for challenge/response
#set $Roboo_validity_window 600; # Authentication validity time window
#set $Roboo_whitelist "IP(),UA(''),URI('')"; # Whitelist - IP addresses (CIDR), user-agents or URIs (PCRE)
#set $Roboo_charset "UTF-8"; # Charset used during challenge (for proper POST resubmissions)
#set $Roboo_challenge_hash_input $remote_addr; # Advanced - challenge hash basis, can add $server_name$server_port$http_host$http_user_agent

error_page 555 = @proxy;
expires epoch;
add_header Last-Modified "";
if ($Roboo_challenge_modes ~ gzip) {
gzip on;
}
access_log /var/log/nginx/challenged.log;
}

location @proxy {
proxy_pass http://example.com;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_cache cache;
proxy_cache_valid 5m;
gzip on;
access_log /var/log/nginx/verified.log;
}
}
}

Create Directory:

[root@server-1] mkdir -p /var/cache/nginx/client_temp

Start NGINX:

[root@server-1] systemctl start nginx.service

Start NGINX on Boot:

[root@server-1] chkconfig nginx on

Check NGINX Version:

[root@server-1] nginx -v

You should get the following output:

nginx version: nginx/1.11.10

 

 

Source Articles, Blogs, Websites:

Apache 2.4 + mpm_event

DigitalOcean | How To Get Started with mod_pagespeed with Apache on CentOS

DigitalOcean | How To Add ngx_pagespeed to Nginx on CentOS 7

How to Install Nginx 1.6.2 with PageSpeed on Linux CentOS 6

Rep+ @ vandemar – irc.freenode / #nginx

 


Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 26 – RocketTheme RocketLauncher + phpBB

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 26 – ROCKETTHEME ROCKETLAUNCHER + PHPBB


 

Before we can install phpBB, we need to make some modifications. phpBB doesn’t support PHP 7.x at this time, so we will add a special sub-directory rule to our Apache2 VirtualHost directives that passes the /forum folder to PHP 5.6.25 using RH56-PHP-FPM instead of our default PHP 7.1 pass.

Let’s get started!

Switch over to Terminator on server-1 as su root and let’s hit bash:

[root@server-1]

Let’s backup our Apache2 configuration file:

[root@server-1] cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup6

Now we will update our Apache2 configuration files to match the following: (Which is cleaned up heavily on the Virtual Server #1 – exampledomain.com blocks.)

/etc/httpd/conf/httpd.conf

 

CONTENTS:

ServerRoot "/etc/httpd"
Listen xxx.xx.x.4:80

Include conf.modules.d/*.conf
User httpdu
Group httpdu
ServerAdmin admin@exampledomain.com
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html/"

<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9056/var/www/html/

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on

# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# NON-SSL #

IncludeOptional conf.d/*.conf
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
<VirtualHost xxx.xx.x.120:80>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_non-ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_non-ssl_access_log combined
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
AllowOverride All
Require all granted
</Directory>
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
<LocationMatch ^/forum(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9056/home/w1-edcom/public_html/forum$1
</LocationMatch>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>
# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# SSL #

<VirtualHost xxx.xx.x.120:443>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_ssl_access_log combined
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
AllowOverride All
Require all granted
</Directory>
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
<LocationMatch ^/forum(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9056/home/w1-edcom/public_html/forum$1
</LocationMatch>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w1-edcom/ssl.cert
SSLCertificateKeyFile /home/w1-edcom/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>
# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# SSL #

<VirtualHost 10.1.1.100:443>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_ssl_access_log combined
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
<LocationMatch ^/forum(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9056/home/w1-edcom/public_html/forum$1
</LocationMatch>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w1-edcom/ssl.cert
SSLCertificateKeyFile /home/w1-edcom/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>

# VIRTUAL SERVER 2 #
# TLD: server-1.wethepeopleonline.com #
# Username: w2-syshn #

# NON-SSL LAN #

<VirtualHost 10.1.1.2:80>
ServerName server-1.exampledomain.com
ServerAlias www.server-1.exampledomain.com
DocumentRoot /home/w2-syshn/public_html
ErrorLog /home/w2-syshn/server-1.exampledomain.com_non-ssl_error_log
CustomLog /home/vs-lwtpo/server-1.exampledomain.com_non-ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w2-syshn/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w2-syshn/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
#allow from all
AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
#AllowOverride All
Require all granted
AddType application/x-httpd-php .php
AddType application/x-httpd-php5 .php5
</Directory>
<Directory /home/w2-syshn/cgi-bin>
#allow from all
AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
#AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.server-1.exampledomain.com
RewriteRule ^(.*) https://server-1.exampledomain.com/ [R]
SuexecUserGroup "#502" "#501"
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w2-syshn/public_html$1
</LocationMatch>
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>

# VIRTUAL SERVER 2 #
# TLD: server-1.exampledomain.com #
# Username: w2-syshn #

# SSL – LAN #

<VirtualHost 10.1.1.2:443>
ServerName server-1.exampledomain.com
ServerAlias www.server-1.exampledomain.com
DocumentRoot /home/w2-syshn/public_html
ErrorLog /home/w2-syshn/server-1.exampledomain.com_ssl_error_log
CustomLog /home/w2-syshn/server-1.exampledomain.com_ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w2-syshn/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w2-syshn/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
AddType application/x-httpd-php .php
AddType application/x-httpd-php5 .php5
</Directory>
<Directory /home/w2-syshn/cgi-bin>
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.server-1.exampledomain.com
RewriteRule ^(.*) https://server-1.exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w2-syshn/ssl.cert
SSLCertificateKeyFile /home/w2-syshn/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w2-syshn/public_html$1
</LocationMatch>
</VirtualHost>

 

Null httpd.conf:

[root@server-1] cat /dev/null > /etc/httpd/conf/httpd.conf

Nano & Paste / Edit Apache2 Update:

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

Paste and Edit to fit your server schema

CTRL + X, then “Y” to save changes and ENTER to return to bash:

 

[root@server-1]

Restart Apache2:

[root@server-1] systemctl restart httpd.service

All is good without a hitch! 🙂

 

Now everything under exampledomain.com/ runs on PHP 7.1.2 unless otherwise specified. A second LocationMatch Apache2 directive selects a different PHP version for the sub-directory /forum/, or for any other sub-directory of exampledomain.com that requires a specific version of PHP… the possibilities are endless, which is great for flexibility and scaling!

In our case:

/ = PHP 7.1.2

/forum = PHP 5.6.25

We have 1 more requirement for installing phpBB in our server’s current build, and that is ImageMagick.

Let’s take care of that! 🙂

[root@server-1] yum install php-devel

“Y” to install selected marked packages

[root@server-1] yum install ImageMagick ImageMagick-devel

“Y” to install selected marked packages

 

We need to make a configuration change to the following daemons:

  • PHP-FPM (5.4.x)
  • RH-PHP56-PHP-FPM (5.6.25)
  • PHP70-PHP-FPM (7.0.x)
  • PHP71-PHP-FPM (7.1.x)

 

Let’s backup /etc/php-fpm.d/www.conf:

[root@server-1] cp /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.bkup2

Let’s edit the file using Nano:

[root@server-1] nano -c /etc/php-fpm.d/www.conf

Go to Line 39:

OLD LINE:

user = apache

NEW LINE:

user = httpdu

Go to Line 41:

OLD LINE:

group = apache

NEW LINE:

group = httpdu

CTRL + X, then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Let’s backup /etc/opt/rh/rh-php56/php-fpm.d/www.conf:

[root@server-1] cp /etc/opt/rh/rh-php56/php-fpm.d/www.conf /etc/opt/rh/rh-php56/php-fpm.d/www.conf.bkup2

Let’s edit the file using Nano:

[root@server-1] nano -c /etc/opt/rh/rh-php56/php-fpm.d/www.conf

Go to Line 23:

OLD LINE:

user = apache

NEW LINE:

user = httpdu

Go to Line 25:

OLD LINE:

group = apache

NEW LINE:

group = httpdu

CTRL + X, then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Let’s backup /etc/opt/remi/php70/php-fpm.d/www.conf:

[root@server-1] cp /etc/opt/remi/php70/php-fpm.d/www.conf /etc/opt/remi/php70/php-fpm.d/www.conf.bkup2

Let’s edit the file using Nano:

[root@server-1] nano -c /etc/opt/remi/php70/php-fpm.d/www.conf

Go to Line 24:

OLD LINE:

user = apache

NEW LINE:

user = httpdu

Go to Line 26:

OLD LINE:

group = apache

NEW LINE:

group = httpdu

CTRL + X, then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Let’s backup /etc/opt/remi/php71/php-fpm.d/www.conf:

[root@server-1] cp /etc/opt/remi/php71/php-fpm.d/www.conf /etc/opt/remi/php71/php-fpm.d/www.conf.bkup2

Let’s edit the file using Nano:

[root@server-1] nano -c /etc/opt/remi/php71/php-fpm.d/www.conf

Go to Line 24:

OLD LINE:

user = apache

NEW LINE:

user = httpdu

Go to Line 26:

OLD LINE:

group = apache

NEW LINE:

group = httpdu

CTRL + X, then “Y” to save all changes and ENTER to return to bash:

[root@server-1]

Let’s restart our PHP-FPM server daemons:

[root@server-1] systemctl restart php-fpm.service

[root@server-1] systemctl restart rh-php56-php-fpm.service

[root@server-1] systemctl restart php70-php-fpm.service

[root@server-1] systemctl restart php71-php-fpm.service

Let’s restart Apache2 server daemon:

[root@server-1] systemctl restart httpd.service
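
The same four www.conf edits can be made by directive name instead of by line number, since the line positions differ between PHP-FPM packages. The script below is an added example and not part of the original post; the function names and the --apply switch are assumptions of the example, while the paths, the .bkup2 suffix and the httpdu account are the ones used above.

```shell
#!/bin/sh
# Added example: set the PHP-FPM pool user/group by directive name.

# The four pool files edited in the steps above.
POOL_FILES="/etc/php-fpm.d/www.conf
/etc/opt/rh/rh-php56/php-fpm.d/www.conf
/etc/opt/remi/php70/php-fpm.d/www.conf
/etc/opt/remi/php71/php-fpm.d/www.conf"

# pool_identity FILE: print "user:group" from the active (uncommented) directives.
pool_identity() {
    u=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    g=$(sed -n 's/^[[:space:]]*group[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s:%s\n' "$u" "$g"
}

# set_pool_identity FILE USER GROUP: back up FILE once, rewrite both directives, verify.
set_pool_identity() {
    conf=$1; user=$2; group=$3
    for name in "$user" "$group"; do
        case $name in
            ''|*[!A-Za-z0-9_-]*) echo "refusing account name: $name" >&2; return 1 ;;
        esac
    done
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    # Commented samples (";user = ...") do not count; an active line must exist.
    grep -Eq '^[[:space:]]*user[[:space:]]*=' "$conf" &&
    grep -Eq '^[[:space:]]*group[[:space:]]*=' "$conf" ||
        { echo "no active user/group directive in $conf" >&2; return 1; }
    # Keep the first backup: a re-run must not replace it with an edited file.
    [ -e "$conf.bkup2" ] || cp -p "$conf" "$conf.bkup2" || return 1
    tmp=$(mktemp) || return 1
    # Writing back with cat keeps the file mode, owner and SELinux label.
    sed -e "s/^[[:space:]]*user[[:space:]]*=.*/user = $user/" \
        -e "s/^[[:space:]]*group[[:space:]]*=.*/group = $group/" \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    st=$?
    rm -f "$tmp"
    [ "$st" -eq 0 ] && [ "$(pool_identity "$conf")" = "$user:$group" ]
}

# apply_all ROOT USER GROUP: ROOT is "" on the server, a scratch directory when testing.
apply_all() {
    root=$1; failed=0
    for f in $POOL_FILES; do
        if set_pool_identity "$root$f" "$2" "$3"; then
            echo "$root$f -> $(pool_identity "$root$f")"
        else
            failed=1
        fi
    done
    return "$failed"
}

if [ "${1:-}" = "--apply" ]; then
    apply_all "" httpdu httpdu
fi
```

Run it as root with --apply, then restart the four PHP-FPM services and httpd exactly as shown above.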

 

 

 

 

Okay that’s finished. Now let’s move on to installing phpBB 3.1.10 core installation, and then install RocketTheme Premium Ambrosia phpBB Style and required Extensions from RocketTheme.

 

 

 

 

 

 

 


Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 25 – RocketTheme RocketLauncher + WordPress

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 25 – ROCKETTHEME ROCKETLAUNCHER + WORDPRESS


 

Switching over to Virtualmin, let’s navigate to the following:

Webmin -> Others -> File Manager

Go into your home directory for Virtual Server #1:

-> / -> /home -> /w1-edcom

Create Directory for WordPress; we’ll use the name “blog”:

Go to File -> Create New Directory

 

Type “blog” in the dialog box and click the “Create” button:

 

Right click on the new “blog” folder; right click -> Properties -> Change Ownership:

 

In the dialog box we are going to use our Apache2 username for User and Group:

User = httpdu

Group = httpdu

Recursive = Checked Box

Then hit the “Change” button:

 

Click into the “blog” folder:

 

Navigate to File -> Upload to Current Directory:

 

Click the paperclip icon so that we can select our RocketTheme RocketLauncher WordPress 4 installation file:

 

Select “ambrosia-1.1.4-rocketlauncher_wp.zip” and click “Open”:

 

Click “Upload Files” button:

 

Once the upload is completed, right click on “ambrosia-1.1.4-rocketlauncher_wp.zip” and click “Extract”:

 

Change “Show Entries” to 1000, this makes sure we select all the files

 

Once extracted, click “Select All” in the upper right hand corner:

 

Right Click on all Selected Files -> Properties -> Change Ownership:

 

We will use “httpdu” and “httpdu” for User and Group and make sure the Recursive checkbox is checked. Then click the “Change” button:

 

Let’s switch over to a new Firefox tab and navigate to the following:

https://exampledomain.com/blog/

You will see the following WordPress 4 installation screen; click on “Continue”:

 

We will click “Let’s go”:

 

In the next screen, we’re going to put in our database user and password for Virtual Server #1 – exampledomain.com and setup a prefix for the WordPress 4 installation.

We will use the following prefix schema for WordPress 4:

wpress1_

We will type in our Virtual Server #1 – exampledomain.com database (same as our Joomla installation in Part 24), just with a different prefix:

After filling in the details, go ahead and click the “Submit” button

 

Now we will click the “Run the install” button:

 

Next we are prompted to type in our Site Title, our Admin email, an Administrator Username and an Administrator Password. (Let’s use a nice and strong password!):

Once done filling everything in, go ahead and click “Install WordPress”:

 

We now receive a success message with a button that says “Login”; let’s click that:

 

Go ahead and login with your set username and password, and when logged into the administrator dashboard, we will be prompted with updates. Let’s start by clicking “Plugins” on the left panel:

 

We will click “Select All” checkbox and then click “Update Plugins”:

 

We will be prompted with a completion screen and then we will click “Updates” on the upper left pane:

 

Let’s “Select All” checkbox and then click the “Update Themes” button:

 

We will be prompted with a completion screen, and then we will click “Updates” again in the upper left corner:

 

Now we will be prompted to Update WordPress Core, let’s do that by pressing the “Update Now” button:

 

Next, we will be prompted to update the database, let’s do this by pressing the “Update WordPress Database” button:

 

Next, we’re prompted that the update is complete. Let’s click “Continue”:

 

Now you should see “Welcome to WordPress 4.7.2” in our administrator dashboard:

 

Let’s navigate in Firefox to the following URL:

https://exampledomain.com/blog/pricing/

It should look like the following image:

 

Using the free tools at Pingdom.com, let’s do a quick speed test and see how we are faring so far…

 

Currently Clocking:

Load Time = 1.06 seconds

Performance Grade = 87

Faster Than = 88% of tested sites

 

Let’s make it faster 🙂

 

 


 

Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 24 – Critical Apache2 Update + RocketTheme RocketLauncher + Joomla

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 24 – CRITICAL APACHE2 UPDATE ROCKETTHEME ROCKETLAUNCHER + JOOMLA


 

Virtual Server #1 Schema:

Domain: exampledomain.com

Username: w1-edcom

Home Path: /home/w1-edcom/

Apache2 Home Path: /home/w1-edcom/public_html/

Virtual Server #2 Schema:

Domain: server-1.exampledomain.com

Username: w2-syshn

Home Path: /home/w2-syshn

Apache2 Home Path: /home/w2-syshn/public_html/

Main Binding IP for Apache2:

xxx.xx.x.4 = shared.exampledomain.com

Apache2 Custom Daemon Username:

httpdu

 

The Apache2 configuration is a little messy and needs a clean-up for this to all work properly.

 

Let’s fire up Terminator and su root bash:

[root@server-1]

Let’s backup Apache2 configuration file

[root@server-1] cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup4

 

The following httpd.conf is configured with the following schema:

Virtual Server #1 = exampledomain.com = PUBLIC & LAN (80/443):

https://exampledomain.com

PUBLIC IP = xxx.xx.x.120

LAN IP = 10.1.1.100

 

Virtual Server #2 = server-1.exampledomain.com = LAN (80/443) (VPN Accessible Only):

https://server-1.exampledomain.com/databases/ = phpMyAdmin 4.6.6

https://server-1.exampledomain.com/mail/ = RoundCube 1.2.3

LAN IP = 10.1.1.2

 

Working Apache2 Configuration file that matches above schema:

/etc/httpd/conf/httpd.conf

CONTENTS:

ServerRoot "/etc/httpd"

Listen xxx.xx.x.4:80

Include conf.modules.d/*.conf

User httpdu
Group httpdu

ServerAdmin admin@exampledomain.com

<Directory />
AllowOverride none
Require all denied
</Directory>

DocumentRoot "/var/www/html/"

<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

<Directory "/var/www/html">
#
# Possible values for the Options directive are “None”, “All”,
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that “MultiViews” must be named *explicitly* — “Options All”
# doesn’t give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be “All”, “None”, or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9071/var/www/html/

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

<Files ".ht*">
Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here.  Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog “logs/access_log” common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server’s namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL.  You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client.  The same rules about trailing “/” apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to “handlers”:
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add “ExecCGI” to the “Options” directive.)
#
#AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add “Includes” to the “Options” directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# NON-SSL #

IncludeOptional conf.d/*.conf
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
<VirtualHost xxx.xx.x.120:80>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_non-ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_non-ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w1-edcom/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /home/w1-edcom/cgi-bin>
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>

# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# SSL #

<VirtualHost xxx.xx.x.120:443>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w1-edcom/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /home/w1-edcom/cgi-bin>
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w1-edcom/ssl.cert
SSLCertificateKeyFile /home/w1-edcom/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
</VirtualHost>

# VIRTUAL SERVER 1 #
# TLD: exampledomain.com #
# Username: w1-edcom #

# SSL LAN #

<VirtualHost 10.1.1.100:443>
ServerName exampledomain.com
ServerAlias www.exampledomain.com
DocumentRoot /home/w1-edcom/public_html
ErrorLog /home/w1-edcom/exampledomain.com_ssl_error_log
CustomLog /home/w1-edcom/exampledomain.com_ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w1-edcom/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w1-edcom/public_html>
Options -Indexes +FollowSymlinks
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /home/w1-edcom/cgi-bin>
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.exampledomain.com
RewriteRule ^(.*) https://exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w1-edcom/ssl.cert
SSLCertificateKeyFile /home/w1-edcom/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w1-edcom/public_html$1
</LocationMatch>
</VirtualHost>

# VIRTUAL SERVER 2 #
# TLD: server-1.exampledomain.com #
# Username: w2-syshn #

# NON-SSL LAN #

<VirtualHost 10.1.1.2:80>
ServerName server-1.exampledomain.com
ServerAlias www.server-1.exampledomain.com
DocumentRoot /home/w2-syshn/public_html
ErrorLog /home/w2-syshn/server-1.exampledomain.com_non-ssl_error_log
CustomLog /home/w2-syshn/server-1.exampledomain.com_non-ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w2-syshn/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w2-syshn/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
#allow from all
AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
#AllowOverride All
Require all granted
AddType application/x-httpd-php .php
AddType application/x-httpd-php5 .php5
</Directory>
<Directory /home/w2-syshn/cgi-bin>
#allow from all
AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
#AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.server-1.exampledomain.com
RewriteRule ^(.*) https://server-1.exampledomain.com/ [R]
SuexecUserGroup "#502" "#501"
<Directory /home/w2-syshn/public_html/php56>
Options +Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI
#allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w2-syshn/public_html$1
</LocationMatch>
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
</VirtualHost>

# VIRTUAL SERVER 2 #
# TLD: server-1.exampledomain.com #
# Username: w2-syshn #

# SSL – LAN #

<VirtualHost 10.1.1.2:443>
ServerName server-1.exampledomain.com
ServerAlias www.server-1.exampledomain.com
DocumentRoot /home/w2-syshn/public_html
ErrorLog /home/w2-syshn/server-1.exampledomain.com_ssl_error_log
CustomLog /home/w2-syshn/server-1.exampledomain.com_ssl_access_log combined
ScriptAlias /cgi-bin/ /home/w2-syshn/cgi-bin/
DirectoryIndex index.html index.php index.php4 index.php5 index.htm
<Directory /home/w2-syshn/public_html>
Options -Indexes +FollowSymlinks +ExecCGI
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
AddType application/x-httpd-php .php
AddType application/x-httpd-php5 .php5
</Directory>
<Directory /home/w2-syshn/cgi-bin>
#allow from all
#AllowOverride None Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =www.server-1.exampledomain.com
RewriteRule ^(.*) https://server-1.exampledomain.com/ [R]
SSLEngine on
SSLCertificateFile /home/w2-syshn/ssl.cert
SSLCertificateKeyFile /home/w2-syshn/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
php_value memory_limit 64M
php_value suhosin.session.encrypt Off
<LocationMatch ^(.*\.php)$>
ProxyPass fcgi://127.0.0.1:9071/home/w2-syshn/public_html$1
</LocationMatch>
</VirtualHost>

Paste the above contents into httpd.conf and edit the variables accordingly to match your true schema…

Null httpd.conf

[root@server-1] cat /dev/null > /etc/httpd/conf/httpd.conf

Edit httpd.conf

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

Paste, Edit

 

CTRL + X, “Y” to save changes and ENTER to return to bash:

[root@server-1]

Restart Apache2 with new configuration:

[root@server-1] systemctl restart httpd.service
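
The httpd.conf above sets SSLProtocol in two forms: "ALL -SSLv2" at server level and "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" inside each SSL VirtualHost, and any SSL VirtualHost without its own line inherits the server-level one. The check below is an added example, not part of the original post, that lists every SSLProtocol line by scope and flags the ones that still enable SSLv3, TLSv1 or TLSv1.1. The function names are assumptions of the example, the sample input is constructed from the two lines above, and "all" is expanded conservatively to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (what it covers in practice depends on the OpenSSL build).

```shell
#!/bin/sh
# Added example: report which legacy protocols each SSLProtocol line leaves enabled.

# sample_conf: constructed excerpt with the two SSLProtocol forms from the httpd.conf above.
sample_conf() {
    cat <<'EOF'
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
<VirtualHost 10.1.1.2:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# audit_sslprotocol FILE   (use - to read standard input)
# Prints: scope <TAB> line number <TAB> "ok" or "legacy: <protocols>".
# Exit status is 1 if any directive still enables SSLv3, TLSv1 or TLSv1.1.
audit_sslprotocol() {
    awk '
    BEGIN { scope = "server"; bad = 0 }
    { key = tolower($1) }
    key == "<virtualhost"   { scope = $2; sub(/>$/, "", scope); next }
    key ~ /^<\/virtualhost/ { scope = "server"; next }
    key == "sslprotocol" {
        split("", on)                          # start from an empty protocol set
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") {
                tok = substr(tok, 2)
            } else {
                sign = "="                     # a bare name replaces the whole set
                split("", on)
            }
            if (tok == "all") {
                n = split("sslv3 tlsv1 tlsv1.1 tlsv1.2", p, " ")
            } else {
                n = 1; p[1] = tok
            }
            for (j = 1; j <= n; j++) {
                if (sign == "-") {
                    delete on[p[j]]
                } else {
                    on[p[j]] = 1
                }
            }
        }
        legacy = ""
        if ("sslv3" in on)   legacy = legacy " SSLv3"
        if ("tlsv1" in on)   legacy = legacy " TLSv1"
        if ("tlsv1.1" in on) legacy = legacy " TLSv1.1"
        printf "%s\t%d\t%s\n", scope, NR, (legacy == "" ? "ok" : "legacy:" legacy)
        if (legacy != "") bad = 1
    }
    END { exit bad }
    ' "$1"
}

if [ "$#" -gt 0 ]; then
    audit_sslprotocol "$1"      # e.g. /etc/httpd/conf/httpd.conf
else
    sample_conf | audit_sslprotocol - || echo "legacy protocols still enabled"
fi
```

Giving the server-level line the same value as the VirtualHost lines makes the report come back clean for every scope.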

Let’s edit the permissions of the following directories and chown them with our new apache2 username :

/var/opt/remi/php71/lib/php/session

/var/opt/remi/php71/lib/php/opcache

/var/opt/remi/php71/lib/php/wsdlcache

[root@server-1] cd /var/opt/remi/php71/lib/php

[root@server-1] chown -R httpdu:httpdu session

[root@server-1] chown -R httpdu:httpdu opcache

[root@server-1] chown -R httpdu:httpdu wsdlcache

Since we can access our RoundCube on VPN using the following URL:

https://server-1.exampledomain.com/mail/

Let’s go ahead and uninstall RoundCube from Virtual Server #1 – exampledomain.com:

Virtualmin -> select exampledomain.com [dropdown-box] -> Install Scripts -> Installed Scripts -> Check /mail/ and click Uninstall

Virtualmin currently doesn’t support what we have already achieved and will continue on to achieve… so we’re basically using Virtualmin for specific features and doing the rest in Terminal.

That means more maintenance and more steps to get things running correctly.

Since this quest is security minded, we don’t have a running FTP server and we’re not enabling login for our custom apache2 user. And since we’re using PHP-FPM, we will need to use either Terminal or Webmin -> Others -> File Manager to manage website files for the various domains, and within their custom username folders we will be changing the owning user and group to our new apache2 user “httpdu”.

This way, Virtualmin and our system keep working together properly, and for all PHP processing within our Virtual Servers, the sub-folders will always be owned by “httpdu:httpdu”.

If I ever figure out a better way to do this… I will update this blog accordingly.

We want Security, Speed, Performance and Reliability!

 

In this part of the quest, we will be deploying three different CMS (Content Management System) PHP Scripts.

  1. Joomla 3.6
  2. WordPress 4.x
  3. phpBB 3.1.x

 

Using Rocket Theme’s Premium Style Set “Ambrosia”

RocketTheme – Joomla – Ambrosia

RocketTheme – WordPress – Ambrosia

RocketTheme – phpBB – Ambrosia

 

Let’s begin with deploying RocketTheme Ambrosia for Joomla:

Your local RocketTheme Joomla Pack files should look something similar:

ambrosia-1.1.4-rocketlauncher_j36.zip

ambrosia-1.1.4-template.zip

joomla-pkg_gantry5_v5.4.8.zip

We’re going to use the rocketlauncher file: ambrosia-1.1.4-rocketlauncher_j36.zip on the root directory of Virtual Server #1 – exampledomain.com

 

Switching over to Virtualmin, let’s navigate to the following:

Webmin -> Others -> File Manager

 

Your home directory should be bare bones. If you still have the info.php, it’s best that you remove it: we already have it on server-1 (VPN only), and leaving it here would provide the public with private server information.

It should look like the following, then we will be uploading our RocketTheme Joomla 3.6 RocketLauncher for Ambrosia Premium Theme.

 

Now we’re about to select the file, click the paperclip as pictured:

 

Select the file as follows:

 

Now that we selected our file, let’s go ahead and click “Upload Files” button:

 

Once it finishes uploading, right click on the .zip and choose “Extract” like follows:

 

Once it finishes extracting, we are going to select all the files like the following:

 

Once we have all the folders and files selected, we’re going to right click -> Properties -> Change Ownership, like pictured:

 

Once the dialog box pops up, we’re going to want to use our custom apache2 user, which is what PHP-FPM uses to process our PHP files through our web server. (Make sure to use your own custom apache2 user in place of the one shown here, and check Recursive. This ensures all sub-directories are affected by this change.)

 

Now we’re going to delete the index.html that we were using as a placeholder. (It is always good practice to put a placeholder in place when changing or uploading to the root directory of your Virtual Server):

 

CREATING configuration.php (Essential for install) 🙂

In file Manager, navigate to “File -> Create File” and create “configuration.php”

Then right click on it and go to Properties -> Ownership -> httpdu (user) httpdu (group)

Then right click on it and go to Properties -> Permissions -> Make sure it’s writeable by everyone but public, this should equate to 0664

 

Now let’s switch over to a different FireFox tab and navigate to the following:

https://exampledomain.com

 

This should take you to the following Joomla RocketLauncher installation screen, which you need to type in your admin@exampledomain.com , your Page Name, Page Description and create an Administrator User and Password (make sure to use a strong password!):

 

In the next screen, we’re going to put in our database user and password for Virtual Server #1 – exampledomain.com and setup a prefix for the Joomla 3.6 installation.

We will use the following prefix schema for Joomla 3.6:

joom1_

 

Your next screen should look identical to the following, then click “Install”:

 

You should see the following screen saying Joomla 3.6 installation has completed. There is a remove installation folder button, go ahead and click it. You will get an error returned to you. This is because our apache2 user “httpdu” does not own the parent folder (/home/w1-edcom/); however, it owns everything inside of it. So we will have to manually remove the folder in File Manager after receiving the error message. See below:

 

Error Message:

 

Let’s switch back to Webmin -> Others -> File Manager:

Select “Installation” and then click the upper right Delete Trash Can Icon:

 

Now that we have our Joomla 3.6 RocketTheme RocketLauncher for Ambrosia installed, let’s switch over to FireFox and navigate to the following URL (which we will restrict publicly, so it only works on our LAN 10.x block, for VPN only.) 🙂 :

https://exampledomain.com/administrator/

 

Login with your chosen Administrator Username and Password:

You will immediately be prompted to update your extensions and joomla core. Let’s do that, starting with extensions:

Click “View Updates”:

 

Check “RokSprocket Module” and click “Update” in the upper left corner as follows:

 

Update Successful Message…

 

Click the upper left Joomla Icon and go back to the homepage where you will be prompted to update Joomla core…

 

Click the “Install the Update”…

 

You should now have a completed update to Joomla 3.6.5:

 

Now navigate to System -> Global Configuration:

 

Select “Use URL Rewriting” to -> YES

Then click the “Server” sub-tab:

 

Select “GZIP Page Compression” -> YES

Select “Your Server’s Local Time Zone”

then “Save and Close”

 

Configuration Successfully Saved:

 

Now let’s switch over to Terminator on server-1 as su root on bash:

[root@server-1] cd /home/w1-edcom/public_html

Copy htaccess.txt to .htaccess

[root@server-1] cp htaccess.txt .htaccess

Delete htaccess.txt

[root@server-1] rm -rf htaccess.txt
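
A quick way to confirm the clean-up steps above took effect, as an added example that is not part of the original walkthrough: the function reports installer leftovers (info.php, the installation folder, htaccess.txt), anything writable by "other", and anything not owned by the PHP-FPM user. The function name audit_docroot and its output labels are made up for this example; the document root and the httpdu user are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: audit_docroot /home/w1-edcom/public_html httpdu
# Prints one line per finding and returns 1 if there is any, 0 if clean.
audit_docroot() {
    docroot=$1
    owner=$2    # user name or numeric uid expected to own every entry

    findings=$(
        # Leftovers the walkthrough removes by hand: the phpinfo page, the
        # Joomla installer folder and the sample htaccess.txt.
        for name in info.php installation htaccess.txt; do
            if [ -e "$docroot/$name" ]; then
                echo "LEFTOVER $docroot/$name"
            fi
        done

        # Writable by "other". The walkthrough's target for configuration.php
        # is 0664, so any o+w bit is a deviation. Symlinks are skipped because
        # their own mode bits carry no meaning.
        find "$docroot" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;

        # Entries below the document root not owned by the PHP-FPM user.
        find "$docroot" -mindepth 1 ! -user "$owner" \
            -exec printf 'WRONG-OWNER %s\n' {} \;
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as root after every upload or extraction through File Manager, since extracted archives keep whatever modes they were packed with.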

 

Switching back to FireFox, let’s navigate to the following URL, which will re-write as follows:

https://exampledomain.com/pages/pricing/

 

Using Free tools at Pingdom.com , let’s do a quick speed test and see how we are faring so far…

 

 

Currently Clocking:

Load Time = 1.12 seconds

Performance Grade = 77

Faster Than = 87% of tested sites

 

Let’s make it faster 🙂

 

 

Source Articles, Blogs, Websites:

ServerFault – Apache 2.4 + PHP-FPM – ProxyPassMatch

ServerFault – php-fpm – File Not Found

 

QUEST 1 : Lightning Fast Web Servers (STRUCTURED INDEX)

QUEST 1 : Lightning Fast Web Servers – PART 1 – INTRODUCTION

QUEST 1: Lightning Fast Web Servers – PART 2 – PREREQUISITES

QUEST 1: Lightning Fast Web Servers – PART 3 -OVERVIEW/PRIOR TO CENTOS 7.3 MINIMAL INSTALLATION

QUEST 1: Lightning Fast Web Servers – PART 4 – CentOS 7.3 NETWORK CONFIGURATION AND SSH2 DAEMON CONFIGURATION WITH 4096-BIT KEYS

QUEST 1: Lightning Fast Web Servers – PART 5 – VIRTUALMIN PRO INSTALLATION AND CONFIGURATION

QUEST 1: Lightning Fast Web Servers – Part 6 – CSF FIREWALL INSTALL CONFIGURATION – FINALIZE SSH2 4096-BIT KEYS

QUEST 1: Lightning Fast Web Servers – Part 7 – VIRTUALMIN WAN AND LAN STATIC IP ADDRESSING

QUEST 1: Lightning Fast Web Servers – Part 8 – BIND 9 CONFIGURATION + VIRTUALMIN AND APACHE2 OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 9 – INSTALL PHP 5.6.25, PHP 7.0.15, PHP 7.1.1 + VIRTUALMIN CONFIGURATION

QUEST 1: Lightning Fast Web Servers – Part 10 – ADD STATIC WAN IP ADDRESS + ENABLE PHP 7.1.1 ON BOOT + PHP-FPM + APACHE2 + PHP INFO

QUEST 1: Lightning Fast Web Servers – Part 11 – BIND 9 + SETUP AS AUTHORITATIVE DNS NAME SERVERS + VIRTUALMIN VIRTUAL SERVER #1 CREATION

QUEST 1: Lightning Fast Web Servers – Part 12 – APACHE2 FIXES + PHP AND PHP-FPM UPDATES

QUEST 1: Lightning Fast Web Servers – Part 13 – DOVECOT FIX + VIRTUAL SERVER #2 CREATION + REMOVE SYSTEM HOST IP FROM SHARED POOL

QUEST 1: Lightning Fast Web Servers – Part 14 – VIRTUALMIN CONFIGURATIONS + INSTALL PRO LICENSE + UPDATE SYSTEM + MODIFY SETTINGS

QUEST 1: Lightning Fast Web Servers – Part 15 – PHP-FPM 5.4.x + PHP-FPM 5.6.x + PHP-FPM 7.0.x + PHP-FPM 7.1.x

QUEST 1: Lightning Fast Web Servers – Part 16 – ROUNDCUBE + SSL ON VIRTUAL SERVER #1 + SSL ON VIRTUALMIN WEBUI + APACHE2 CONFIGURATIONS

QUEST 1: Lightning Fast Web Servers – Part 17 – STATIC LAN IP NETWORK SCHEMA + APACHE2 LAN BINDING TO VIRTUAL SERVER #1

QUEST 1: Lightning Fast Web Servers – Part 18 – OPENVPN ACCESS SERVER + OPENVPN SERVER + OPENVPN CLIENT + TEST VPN

QUEST 1: Lightning Fast Web Servers – Part 19 – PRIVATE BIND 9 DNS

QUEST 1: Lightning Fast Web Servers – Part 20 – APACHE2 CONFIGURATION UPDATE + INTERNAL VIRTUALHOST MAPPING

QUEST 1: Lightning Fast Web Servers – Part 21 – SECURITY ENHANCEMENT + OPENVPN

QUEST 1: Lightning Fast Web Servers – Part 22 – SSL DOVECOT + POSTFIX + MOZILLA THUNDERBIRD

QUEST 1: Lightning Fast Web Servers – Part 23 – FFMPEG X64 + MULTIMEDIA LIBRARIES

QUEST 1: Lightning Fast Web Servers – Part 24 – CRITICAL APACHE2 UPDATE ROCKETTHEME ROCKETLAUNCHER + JOOMLA

QUEST 1: Lightning Fast Web Servers – Part 25 – ROCKETTHEME ROCKETLAUNCHER + WORDPRESS

QUEST 1: Lightning Fast Web Servers – Part 26 – ROCKETTHEME ROCKETLAUNCHER + PHPBB

QUEST 1: Lightning Fast Web Servers – Part 27 – NGINX INSTALL FROM SOURCE + MODS

QUEST 1: Lightning Fast Web Servers – Part 28 – APACHE2 + SECURITY – MOD_SECURITY + MOD_EVASIVE + OWASP V3

QUEST 1: Lightning Fast Web Servers – Part 29 – MYSQL MARIADB TUNING AND OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 30 – VARNISH INSTALLATION + CONFIG WITH NGINX + APACHE2

QUEST 1: Lightning Fast Web Servers – Part 31 – APACHE2 TUNING AND OPTIMIZATION

QUEST 1: Lightning Fast Web Servers – Part 32 – REDIS CACHE SERVER

QUEST 1: Lightning Fast Web Servers – Part 33 – INSTALL HYBRID-IRCD + ANOPE SERVICES + SECURITY EGGDROP

QUEST 1: Lightning Fast Web Servers – Part 34 – INSTALL SHOUTCAST SERVER + WEBUI

QUEST 1: Lightning Fast Web Servers – Part 35 – JOOMLA CMS OPTIMIZATION + SECURITY

QUEST 1: Lightning Fast Web Servers – Part 36 – WORDPRESS CMS OPTIMIZATION + SECURITY

QUEST 1: Lightning Fast Web Servers – Part 37 – PHPBB FORUM OPTIMIZATION + SECURITY

 

Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 23 – Ffmpeg x64 + Multimedia Libraries

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 23 – FFMPEG X64 + MULTIMEDIA LIBRARIES


In order to host videos like YouTube or Vimeo, there are special packages that are required for these types of PHP Scripts to run properly.

A script that I will be using in my Quests requires the following. Regardless of the script you decide to use, if you are hosting videos these libraries will be required, so it is convenient to have them pre-installed.

Let’s fire up Terminator and su root bash:

We will start by installing CentOS 7.3 group “Development Tools”

CentOS 7.3 Development Tools – Installation

[root@server-1] yum groupinstall "Development Tools"

“Y” to install all selected packages marked for installation

Complete!
[root@server-1]

Dynamic Linked Libraries Path

[root@server-1] grep /usr/local/lib /etc/ld.so.conf || echo "/usr/local/lib" >>/etc/ld.so.conf

Yasm – Installation

[root@server-1] cd /usr/local/src/

[root@server-1] wget http://www.tortall.net/projects/yasm/releases/yasm-1.3.0.tar.gz

[root@server-1] tar zxf yasm-1.3.0.tar.gz

[root@server-1] cd yasm-1.3.0

[root@server-1] ./configure && make && make install

The yasm 1.3.0 compile is complete when the process stops and you see the following lines:

make[3]: Leaving directory `/usr/local/src/yasm-1.3.0'
make[2]: Leaving directory `/usr/local/src/yasm-1.3.0'
make[1]: Leaving directory `/usr/local/src/yasm-1.3.0'

Let’s check installation and version:

[root@server-1] yasm --version
yasm 1.3.0
Compiled on Feb 18 2017.
Copyright (c) 2001-2014 Peter Johnson and other Yasm developers.
Run yasm --license for licensing overview and summary.
[root@server-1]

Libogg – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget http://downloads.xiph.org/releases/ogg/libogg-1.3.2.tar.gz

[root@server-1] tar xvf libogg-1.3.2.tar.gz

[root@server-1] cd libogg-1.3.2

[root@server-1] ./configure && make clean && make && make install

The libogg-1.3.2 compile is complete when the process stops and you see the following lines:

make[2]: Leaving directory `/usr/local/src/libogg-1.3.2'
make[1]: Leaving directory `/usr/local/src/libogg-1.3.2'

Now we’ll type the following:

[root@server-1] ldconfig

Libvorbis – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget http://downloads.xiph.org/releases/vorbis/libvorbis-1.3.5.tar.gz

[root@server-1] tar zxvf libvorbis-1.3.5.tar.gz

[root@server-1] cd libvorbis-1.3.5

[root@server-1] ./configure && make clean && make && make install

The libvorbis-1.3.5 compile is complete when the process stops and you see the following lines:

make[2]: Leaving directory `/usr/local/src/libvorbis-1.3.5'
make[1]: Leaving directory `/usr/local/src/libvorbis-1.3.5'
[root@server-1]

Theora – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget http://downloads.xiph.org/releases/theora/libtheora-1.1.1.tar.gz

[root@server-1] tar zxvf libtheora-1.1.1.tar.gz

[root@server-1] cd libtheora-1.1.1

[root@server-1] ./configure && make clean && make && make install

The libtheora-1.1.1 compile is complete when the process stops and you see the following lines:

make[2]: Leaving directory `/usr/local/src/libtheora-1.1.1'
make[1]: Leaving directory `/usr/local/src/libtheora-1.1.1'

[root@server-1]

Libx264 – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget ftp://ftp.videolan.org/pub/videolan/x264/snapshots/x264-snapshot-`date -d "-1 days" +%Y%m%d`-2245-stable.tar.bz2

[root@server-1] tar jxf x264-snapshot-20170217-2245-stable.tar.bz2

[root@server-1] cd x264-snapshot-20170217-2245-stable

[root@server-1] ./configure --enable-shared && make clean && make && make install

The x264-snapshot-20170217-2245-stable compile is complete when the process stops and you see the following lines:

install -d /usr/local/bin
install x264 /usr/local/bin
install -d /usr/local/include
install -d /usr/local/lib
install -d /usr/local/lib/pkgconfig
install -m 644 ./x264.h /usr/local/include
install -m 644 x264_config.h /usr/local/include
install -m 644 x264.pc /usr/local/lib/pkgconfig
ln -f -s libx264.so.148 /usr/local/lib/libx264.so
install -m 755 libx264.so.148 /usr/local/lib

[root@server-1]

Amr – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget https://downloads.sourceforge.net/project/opencore-amr/opencore-amr/opencore-amr-0.1.4.tar.gz

[root@server-1] tar zxf opencore-amr-0.1.4.tar.gz

[root@server-1] cd opencore-amr-0.1.4

[root@server-1] ./configure && make clean && make && make install

The opencore-amr-0.1.4 compile is complete when the process stops and you see the following lines:

make[2]: Leaving directory `/usr/local/src/opencore-amr-0.1.4/amrwb'
make[1]: Leaving directory `/usr/local/src/opencore-amr-0.1.4/amrwb'
make[1]: Entering directory `/usr/local/src/opencore-amr-0.1.4'
make[2]: Entering directory `/usr/local/src/opencore-amr-0.1.4'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/usr/local/src/opencore-amr-0.1.4'
make[1]: Leaving directory `/usr/local/src/opencore-amr-0.1.4'

[root@server-1]

Libfaac – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget https://downloads.sourceforge.net/project/faac/faac-src/faac-1.28/faac-1.28.tar.gz

[root@server-1] tar zxvf faac-1.28.tar.gz

[root@server-1] cd faac-1.28

[root@server-1] ./configure && make clean && make && make install

The faac-1.28 compile is complete when the process stops and you see the following lines:

Unfortunately, we get the following error, which can be quickly resolved:

make[3]: *** [3gp.o] Error 1
make[3]: Leaving directory `/usr/local/src/faac-1.28/common/mp4v2'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/faac-1.28/common'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/faac-1.28'
make: *** [all] Error 2

Change directory:

[root@server-1] cd common

[root@server-1] cd mp4v2

[root@server-1] nano -c mpeg4ip.h

Go to Line 126 and delete it. The line to delete should look like the following:

char *strcasestr(const char *haystack, const char *needle);

CNTRL + X , “Y” to save changes and ENTER to return to bash:

[root@server-1] cd ..

[root@server-1] cd ..

[root@server-1] make clean && ./configure && make && make install

The faac-1.28 compile is complete when the process stops and you see the following lines:

make[2]: Leaving directory `/usr/local/src/faac-1.28/frontend'
make[1]: Leaving directory `/usr/local/src/faac-1.28/frontend'
make[1]: Entering directory `/usr/local/src/faac-1.28'
make[2]: Entering directory `/usr/local/src/faac-1.28'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/usr/local/src/faac-1.28'
make[1]: Leaving directory `/usr/local/src/faac-1.28'

[root@server-1]

Lame – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget https://downloads.sourceforge.net/project/lame/lame/3.99/lame-3.99.5.tar.gz

[root@server-1] tar zxvf lame-3.99.5.tar.gz

[root@server-1] cd lame-3.99.5

[root@server-1] ./configure && make clean && make && make install

The lame-3.99.5 compile is complete when the process stops and you see the following lines:

make[1]: Entering directory `/usr/local/src/lame-3.99.5/vc_solution'
make[2]: Entering directory `/usr/local/src/lame-3.99.5/vc_solution'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/usr/local/src/lame-3.99.5/vc_solution'
make[1]: Leaving directory `/usr/local/src/lame-3.99.5/vc_solution'
make[1]: Entering directory `/usr/local/src/lame-3.99.5'
make[2]: Entering directory `/usr/local/src/lame-3.99.5'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/usr/local/src/lame-3.99.5'
make[1]: Leaving directory `/usr/local/src/lame-3.99.5'

[root@server-1]

Libvpx – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget http://www.loongnix.org/cgit/libvpx/snapshot/libvpx-1.5.0.tar.gz

[root@server-1] tar zxvf libvpx-1.5.0.tar.gz

[root@server-1] cd libvpx-1.5.0

[root@server-1] ./configure --enable-vp8 --enable-pic --enable-shared && make && make install && ldconfig

The libvpx-1.5.0 compile is complete when the process stops and you see the following lines:

[LN] libvpx.so.3.0.0 /usr/local/lib/libvpx.so
[LN] libvpx.so.3.0.0 /usr/local/lib/libvpx.so.3
[LN] libvpx.so.3.0.0 /usr/local/lib/libvpx.so.3.0
[INSTALL] /usr/local/lib/libvpx.so.3.0.0
[INSTALL] /usr/local/lib/pkgconfig/vpx.pc
[INSTALL] /usr/local/bin/vpxdec
[INSTALL] /usr/local/bin/vpxenc
make[1]: Nothing to be done for `install'.

[root@server-1]

Yamdi – Installation

[root@server-1] cd /usr/local/src

[root@server-1] wget https://downloads.sourceforge.net/project/yamdi/yamdi/1.9/yamdi-1.9.tar.gz

[root@server-1] tar xzf yamdi-1.9.tar.gz

[root@server-1] cd yamdi-1.9

[root@server-1] gcc yamdi.c -o yamdi -O2 -Wall

[root@server-1] strip yamdi

[root@server-1] cp yamdi /usr/bin/yamdi
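
The tarballs above are fetched with wget (several over plain HTTP or FTP) and unpacked as root. As an added example, not part of the original post, this helper refuses to unpack a tarball unless its SHA-256 matches a value you pinned from the project's release page, and unless every member path stays inside the target directory. The function name unpack_verified is hypothetical, and the post publishes no checksums, so the digest is an argument you supply.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: unpack_verified <tarball> <expected_sha256> <destdir>
# Returns 0 after a verified unpack, 1 on a refused archive, 2 if the file
# does not exist.
unpack_verified() {
    tarball=$1
    expected=$2   # digest taken from the upstream release page (assumption:
                  # you obtained it over a channel you trust)
    destdir=$3

    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 2; }

    # 1. The digest must match the pinned value before anything is unpacked.
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED $tarball: sha256 $actual does not match pinned value" >&2
        return 1
    fi

    # 2. Member names must stay inside the destination: no absolute paths
    #    and no ".." components, because the archive is unpacked as root.
    if tar -tf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "REFUSED $tarball: member path escapes the target directory" >&2
        return 1
    fi

    mkdir -p "$destdir" && tar -xf "$tarball" -C "$destdir"
}
```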

Flvtool2 – Installation

[root@server-1] cd /usr/local/src

[root@server-1] gem install flvtool2

You will get the following output:

Fetching: flvtool2-1.0.6.gem (100%)
Successfully installed flvtool2-1.0.6
Parsing documentation for flvtool2-1.0.6
Installing ri documentation for flvtool2-1.0.6
1 gem installed

[root@server-1]

Ffmpeg x64 – Installation

[root@server-1] yum install libdc1394-devel

Select “Y” to install packages marked for installation.

[root@server-1]

Install the “ATrpms” repository:

[root@server-1] yum localinstall --nogpgcheck http://dl.atrpms.net/el7-x86_64/atrpms/stable/atrpms-repo-7-7.el7.x86_64.rpm

[root@server-1] yum install ffmpeg ffmpeg-devel

Select “Y” to install packages marked for installation.

You will get an output like this, select Y

Complete!

[root@server-1]

Version Check:

[root@server-1] ffmpeg -version
ffmpeg version 2.2.1
built on Jun 17 2014 01:25:46 with gcc 4.8.2 (GCC) 20140120 (Red Hat 4.8.2-16)
configuration: --prefix=/usr --libdir=/usr/lib64 --shlibdir=/usr/lib64 --mandir=/usr/share/man --enable-shared --enable-runtime-cpudetect --enable-gpl --enable-version3 --enable-postproc --enable-avfilter --enable-pthreads --enable-x11grab --enable-vdpau --disable-avisynth --enable-frei0r --enable-libdc1394 --enable-libgsm --enable-libmp3lame --enable-libnut --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-librtmp --enable-libspeex --enable-libtheora --enable-libvorbis --enable-libvpx --enable-libx264 --enable-libxavs --enable-libxvid --extra-cflags='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --disable-stripping
libavutil      52. 66.100 / 52. 66.100
libavcodec     55. 52.102 / 55. 52.102
libavformat    55. 33.100 / 55. 33.100
libavdevice    55. 10.100 / 55. 10.100
libavfilter     4.  2.100 /  4.  2.100
libswscale      2.  5.102 /  2.  5.102
libswresample   0. 18.100 /  0. 18.100
libpostproc    52.  3.100 / 52.  3.100

 

Source Articles, Blogs, Websites:

JOOMBOOST | JOOMVIDEOS – INSTALLATION OF VIDEO TOOLS

9XHOST | Install Ffmpeg on CentOs 7

 


 

Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 22 – SSL Dovecot + Postfix + Mozilla Thunderbird

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 22 – SSL DOVECOT + POSTFIX + MOZILLA THUNDERBIRD


Postfix

Postfix SSL Certificate Paths:

According to /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem

Dovecot

Dovecot SSL Certificate Paths:

According to /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = ssl_key =

Let’s fire up Terminator and su root bash server-1:

[root@server-1]

Let’s su over to our Virtual Server #1 user (w1-edcom):

[root@server-1] su - w1-edcom

Last login: Fri Feb 17 01:11:54 PST 2017 on pts/0
-sh-4.2$

-sh-4.2$ mkdir certs

-sh-4.2$ cd certs

-sh-4.2$ mkdir postfix

-sh-4.2$ mkdir dovecot

-sh-4.2$ cp ssl.cert /home/w1-edcom/certs/postfix/ssl.cert

-sh-4.2$ cp ssl.csr /home/w1-edcom/certs/postfix/ssl.csr

-sh-4.2$ cp ssl.key /home/w1-edcom/certs/postfix/ssl.key

-sh-4.2$ cp ssl.cert /home/w1-edcom/certs/dovecot/ssl.cert

-sh-4.2$ cp ssl.csr /home/w1-edcom/certs/dovecot/ssl.csr

-sh-4.2$ cp ssl.key /home/w1-edcom/certs/dovecot/ssl.key

-sh-4.2$ cd postfix

-sh-4.2$ cp ssl.cert postfix.cert.pem

-sh-4.2$ cp ssl.key postfix.key.pem

If your SSL provider supplies the CA certificate (I pulled mine from SSL Dragon), create the file with nano, paste in the contents of the CA signing certificate from your SSL provider’s WebUI, and save.

-sh-4.2$ nano postfix.ca.pem

Paste CA Code from SSL Provider

CNTRL + X, then “Y” to save changes, then ENTER to return to bash:

-sh-4.2$ cp postfix.cert.pem /home/w1-edcom/certs/dovecot/dovecot.public.pem

-sh-4.2$ cp postfix.key.pem /home/w1-edcom/certs/dovecot/dovecot.private.pem

Let’s logout of w1-edcom and go back to root:

-sh-4.2$ exit

[root@server-1]

Let’s update Postfix configuration with our SSL Certificates that we just organized:

[root@server-1] nano -c /etc/postfix/main.cf

Go to Line 690:

Current Line:

#smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem

New Line:

smtpd_tls_cert_file = /home/w1-edcom/certs/postfix/postfix.cert.pem

Go to Line 691:

Current Line:

#smtpd_tls_key_file = /etc/postfix/postfix.key.pem

New Line:

smtpd_tls_key_file = /home/w1-edcom/certs/postfix/postfix.key.pem

Go to Last Line:

Current Line:

#smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem

New Line:

smtpd_tls_CAfile = /home/w1-edcom/certs/postfix/postfix.ca.pem

CNTRL + X , then “Y” to save changes and ENTER to return to bash:

[root@server-1]

Let’s update Dovecot configuration with our SSL Certificates that we just organized:

[root@server-1] nano -c /etc/dovecot/conf.d/10-ssl.conf

Go to Line 14:

Current Line:

ssl_cert =

New Line:

ssl_cert =

Go to Line 15:

Current Line:

ssl_key =

New Line:

ssl_key =

Go to Line 29:

If you have a CA code block, paste it into /dovecot/dovecot.ca.pem and continue

Current Line:

ssl_ca =

New Line:

ssl_ca =

CNTRL + X , then “Y” to save changes and ENTER to return to bash:

[root@server-1]

Let’s restart Postfix Daemon:

[root@server-1] systemctl restart postfix.service

Let’s restart Dovecot Daemon:

[root@server-1] systemctl restart dovecot.service
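
An added check, not part of the original post, for the certificate paths just written to main.cf: it reads the three smtpd_tls_* parameters from the file, confirms each target exists, and flags a private key that group or other can access (the key was copied by the w1-edcom user, so its mode follows the source file and that user's umask). The function name check_postfix_tls and its output labels are assumptions of this example; stat -c is the GNU coreutils form found on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_postfix_tls /etc/postfix/main.cf
# Prints one line per problem; returns 0 when all three paths are usable
# and the private key is not accessible to group or other.
check_postfix_tls() {
    conf=$1
    rc=0

    for param in smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_CAfile; do
        # Take the last uncommented assignment, which is the one Postfix
        # uses when a parameter appears more than once.
        path=$(awk -F= -v p="$param" '
            $1 ~ "^" p "[ \t]*$" {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)
                sub(/[ \t]+$/, "", v)
                val = v
            }
            END { print val }' "$conf")

        if [ -z "$path" ]; then
            echo "UNSET $param"
            rc=1
            continue
        fi
        if [ ! -r "$path" ]; then
            echo "MISSING $param $path"
            rc=1
            continue
        fi

        # The private key must carry no group or other permission bits
        # (modes such as 600 or 400 pass; 640 or 644 do not).
        if [ "$param" = smtpd_tls_key_file ]; then
            mode=$(stat -c %a "$path")
            case $mode in
                *00) ;;
                *)   echo "KEY-EXPOSED $path mode $mode"; rc=1 ;;
            esac
        fi
    done

    return $rc
}
```

The same mode check applies to dovecot.private.pem, which the steps above create as a copy of the Postfix key.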

 

 


 

 

Quest 1 – Secure, Lightning Fast, CentOS 7.3 Virtualmin VPS, Apache2+MariaDB+Multiple PHP Versions+OpCache+NGINX+Varnish+Redis – 25,000 Concurrent Goal – Part 21 – Security Enhancement + OpenVPN

High Performance Cloud Web Servers – My Quest for The Perfect Budget Lightning Fast Power-housed Cloud Linux Configuration – Part 21 – SECURITY ENHANCEMENT + OPENVPN


Looking at what we’ve accomplished so far and what’s left in the quest, it’s a good time to do a security audit and tighten up some loose ends.

Apache2 and Virtualmin

Apache2 – Change the daemon user from the default “apache” user to something different. After we create a new user and map the user to the apache2 daemon folder, we need to update Virtualmin so that it automatically knows our new user; that way, when we add more Virtual Servers, it will add that user to their custom username groups.

Let’s begin by creating our new user. For the purposes of this quest, we will change “apache” to “httpdu”.

 

Fire up Terminator and su root on Server-1 bash:

We’ll begin by creating the user:

[root@server-1] adduser httpdu

Next, we’ll set a complicated strong password (38+ characters and a KeePassX entry should be sufficient.) 🙂

[root@server-1] passwd httpdu

Changing password for user httpdu.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server-1]

By default, creating that user generated the following settings for the user “httpdu”:

Home Directory: /home/httpdu/

Shell: /bin/bash

Groups: httpdu

We need to change those to the following:

Home Directory: /usr/share/httpd

Shell: /sbin/nologin

Groups: httpdu, w1-edcom, w2-syshn

Checkbox: “Temporarily disable login”

Next, we will switch over to Virtualmin and go to the following to make the above changes:

Webmin -> System -> Users and Groups

 

Scroll down to the bottom of the user list and you will see “httpdu”; click that username.

 

Home Directory first…

Home Directory -> Directory -> Empty Box -> /usr/share/httpd

Shell next…

Shell -> Drop-down box -> /sbin/nologin

Disable Login…

Checkbox -> Login temporarily disabled

Scroll down to “Group Membership”:

Secondary Groups -> All Groups -> Select “w1-edcom” and “w2-syshn” and then the -> Arrow button to add them on the right column list.

 

Click the green “Save” button on the bottom left!

 

Now, while we’re in Virtualmin, we need to update the Server Templates options for Apache, let’s do it.

 

Navigate to the following within Virtualmin:

Virtualmin -> System Settings -> Server Templates

This will show us 3 templates:

  1. Default Settings
  2. Settings For Sub-Servers
  3. PHP-FPM

 

Let’s update the Apache part for Default Settings and PHP-FPM templates…

Click “Custom” under “Apache” on the Default Settings Template Line:

The first thing we’re going to do is remove the 2 entries for “allow from all” under Directives and Settings for new websites

Find the 2 lines and delete them.

Then scroll down until you see “Add Apache user to Unix group for new servers?” and scroll to the right until you see “Yes, Apache user is: apache” …

Replace “apache” with your “httpdu” username.

 

Scroll down to the bottom left and click the green “Save” button

 

Now let’s repeat this process for the “PHP-FPM” template: click “Custom” under “Apache”.

 

Same steps repeated and click the green “Save” button

 

Now let’s switch over to Terminator, su root bash server-1:

 

Let’s make a backup copy of httpd.conf

[root@server-1] cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bkup3

Let’s edit httpd.conf and change the username and group, then restart apache2

[root@server-1] nano -c /etc/httpd/conf/httpd.conf

 

Go to Line 10

Current Line:

User apache

New Line:

User httpdu

 

Go to Line 11

Current Line:

Group apache

New Line:

Group httpdu

CTRL + X, then “Y” to save changes, ENTER to return to bash:

[root@server-1]

Let’s restart apache2:

[root@server-1] systemctl restart httpd.service
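One way to confirm that the account and httpd.conf changes above took effect, as an added example that is not part of the original guide. The function names are hypothetical; the home directory, shell, group names and file paths are the ones used in this part.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. File paths are parameters so
# the checks can be run against copies as well as the live files.

# Field <n> of <user>'s passwd entry (6 = home directory, 7 = shell).
passwd_field() {  # passwd_field <passwd_file> <user> <n>
  awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"
}

# Succeeds if <user> is a listed member of <group> in a group-format file.
in_group() {  # in_group <group_file> <group> <user>
  awk -F: -v g="$2" -v u="$3" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
    END { exit !ok }' "$1"
}

# Succeeds if every uncommented <Directive> line in httpd.conf names <want>.
httpd_directive_is() {  # httpd_directive_is <httpd.conf> <Directive> <want>
  awk -v d="$2" -v w="$3" '
    tolower($1) == tolower(d) { seen = 1; if ($2 != w) bad = 1 }
    END { exit !(seen && !bad) }' "$1"
}

# Full audit of the account change; prints each failed check.
audit_httpd_user() {  # audit_httpd_user <user> <passwd> <group> <httpd.conf> <site-group>...
  local user="$1" pw="$2" gr="$3" conf="$4" rc=0 g
  shift 4
  [ "$(passwd_field "$pw" "$user" 7)" = /sbin/nologin ] || { echo "shell is not /sbin/nologin"; rc=1; }
  [ "$(passwd_field "$pw" "$user" 6)" = /usr/share/httpd ] || { echo "home is not /usr/share/httpd"; rc=1; }
  for g in "$@"; do
    in_group "$gr" "$g" "$user" || { echo "not in group $g"; rc=1; }
  done
  httpd_directive_is "$conf" User "$user" || { echo "httpd.conf User is not $user"; rc=1; }
  httpd_directive_is "$conf" Group "$user" || { echo "httpd.conf Group is not $user"; rc=1; }
  return $rc
}

# Live use on server-1 (group names are the ones used in this guide):
# audit_httpd_user httpdu /etc/passwd /etc/group /etc/httpd/conf/httpd.conf w1-edcom w2-syshn
```

Running `apachectl configtest` before the restart catches syntax errors in the edited httpd.conf.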

Okay, so that wraps up Apache2 for right now. (And there is a reason why we haven’t gone into mod_security and mod_evasive w/ OWASP V3 rules here or earlier in the guide.) We need to measure performance throughout several stages of deployment, so we can see any mistakes or pros and cons of certain features, mods, etc.

For instance, speed and load tests with Apache2 only, then another with NGINX -> Apache, and a third with VARNISH -> NGINX -> Apache …

I feel this is important because of the goal at hand… 25k minimum concurrent PHP connections using 1 budget server.

 

SSH2 and OpenVPN Client IP

Switch back over to Terminator, su root bash server-1:

[root@server-1]

 

Let’s backup our SSH2 Daemon Configuration file:

[root@server-1] cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkup

Let’s edit the current configuration and make our change:

[root@server-1] nano -c /etc/ssh/sshd_config

Go to Line 19:

Current Line:

ListenAddress xxx.xx.x.2

 

New Line:

ListenAddress 10.1.1.2

 

Go to the last line and add the following:

AllowUsers user@172.27.240.100

 

172.27.240.100 is our VPN Client Static IP.

“user” is the main system user we use to SSH2 into server-1, so make sure to change that accordingly.

CTRL + X, then “Y” to save changes and ENTER to return to bash:

[root@server-1]

 

Let’s restart SSH2 Daemon:

[root@server-1] systemctl restart sshd.service

Outstanding, now we can only SSH2 into server-1 with our chosen user in combination with our Static IP for our OpenVPN Client!

Log in using 10.1.1.2, and make sure the DNS entries in your internal zone resolve your system’s hostname to 10.1.1.2.

That way everything stays the same without public access on our vital services.

 

 

Webmin and Virtualmin

Let’s edit the webmin configuration file and change our BINDING IP address from WAN to LAN. This way, we can only access Webmin and Virtualmin while we’re connected to our OpenVPN Access Server.

We will start by backing up our webmin configuration file:

[root@server-1] cp /etc/webmin/miniserv.conf /etc/webmin/miniserv.conf.bkup2

Let’s edit the Webmin configuration file:

[root@server-1] nano -c /etc/webmin/miniserv.conf

Go to Line 22:

Current Line:

listen=xxx.xx.x.2:9876

New Line:

listen=10.1.1.2:9876

CTRL + X, then “Y” to save changes and ENTER to return to bash:

[root@server-1]

Let’s restart webmin/virtualmin:

[root@server-1] systemctl restart webmin.service

Now you should be able to log in to Webmin/Virtualmin only through the 10.x block, and only while connected to the VPN!
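A check for the SSH2 and Webmin rebinding above, as an added example that is not part of the original guide: `check_sshd` reads sshd_config, and `off_lan_listeners` reads `ss -tln` output to report guarded ports that are still bound to something other than the LAN address. The function names are hypothetical, the sample `ss` lines are constructed, and port 22 for sshd is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. 10.1.1.2 and 9876 are the
# guide's values; port 22 for sshd is an assumption, use your own Port.

# Print every value of an sshd_config keyword, one per line.
sshd_values() {  # sshd_values <file> <Keyword>
  awk -v k="$2" 'tolower($1) == tolower(k) {
    for (i = 2; i <= NF && $i !~ /^#/; i++) print $i }' "$1"
}

# Pass only if sshd listens solely on <lan_ip> and every AllowUsers
# pattern is pinned to a host (USER@HOST).
check_sshd() {  # check_sshd <sshd_config> <lan_ip>
  local listen allow
  listen=$(sshd_values "$1" ListenAddress)
  allow=$(sshd_values "$1" AllowUsers)
  [ -n "$listen" ] || { echo "sshd: no ListenAddress, binds every interface"; return 1; }
  if printf '%s\n' "$listen" | grep -qvxF -- "$2"; then
    echo "sshd: ListenAddress other than $2"; return 1
  fi
  [ -n "$allow" ] || { echo "sshd: no AllowUsers restriction"; return 1; }
  if printf '%s\n' "$allow" | grep -qv '@'; then
    echo "sshd: AllowUsers entry without @host"; return 1
  fi
}

# Read `ss -tln` output on stdin and print listeners on the guarded ports
# bound to anything other than <lan_ip>; non-zero status if any exist.
off_lan_listeners() {  # off_lan_listeners <lan_ip> <port>...
  local lan="$1"; shift
  awk -v lan="$lan" -v ports=" $* " '
    $1 == "LISTEN" {
      n = split($4, part, ":"); port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (index(ports, " " port " ") && addr != lan) { print addr ":" port; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: sshd moved to the LAN IP, Webmin still on the wildcard.
SAMPLE_SS='LISTEN 0 128 10.1.1.2:22 *:*
LISTEN 0 128 *:9876 *:*
LISTEN 0 128 :::80 :::*'

# Live use: check_sshd /etc/ssh/sshd_config 10.1.1.2
#           ss -tln | off_lan_listeners 10.1.1.2 22 9876
printf '%s\n' "$SAMPLE_SS" | off_lan_listeners 10.1.1.2 22 9876 || true
```

Run `sshd -t` before restarting sshd.service, and keep the current session open until a second login over the VPN succeeds.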

That wraps up this section!

 

 


 

 
