AndiSusanto15 · April 11, 2020 12:57
diff --git a/LEMP Stack Centos7 Ter-Powerfull b/LEMP Stack Centos7 Ter-Powerfull
 todo :
      1. Install Nginx
      2. Install PHP71
      3. Config Nginx-PHP-FPM
      4. Install Percona Server 57
      5. Setting Firewalld & SElinux
      
 Catatan ini saya buat untuk membantu diri saya di masa depan, karena manusia tempatnya salah dan lupa.
 Jika kamu menemukan catatan ini Selamat, kamu termasuk orang yang beruntung karena disini saya akan menjelaskan 
 bagaimana membuat atau meng-install LEMP Stack di Centos7 terbaru dengan standar config yang powerfull.
 Lets start beibeh...!!

 Disini saya asumsikan kita sudah melakukan update `sudo yum update -y`

 1.  Install Nginx
    :~$ sudo yum install epel-release
    :~$ sudo yum update
    :~$ vim /etc/yum.repos.d/nginx.repo
        isinya ini
 =======================
 # nginx.repo
 [nginx-stable]
 name=nginx stable repo
 baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
 gpgcheck=1
 enabled=1
 gpgkey=https://nginx.org/keys/nginx_signing.key
 =======================
    :~$ sudo yum install nginx -y
    :~$ sudo systemctl start nginx
    :~$ sudo systemctl enable nginx
    

 2.  Install PHP71
    Disni kita menggunakan repo ius untuk install PHP
    
    Pertama tambahkan dulu repo IUS-nya
    :~$ sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm
    
    Kemudian install paket PHP dari IUS repo
    :~$ sudo yum install php71u php71u-common php71u-fpm php71u-cli php71u-bcmath php71u-dba php71u-dbg php71u-devel php71u-gd php71u-gmp php71u-imap php71u-intl php71u-json php71u-mbstring php71u-mcrypt php71u-mysqlnd php71u-opcache php71u-pdo php71u-pecl-apcu php71u-pecl-igbinary php71u-pecl-redis php71u-pspell php71u-recode php71u-tidy php71u-xml php71u-xmlrpc -y
    :~$ sudo systemctl enable  php-fpm --now
    
    Untuk alasan keamanan beritahun PHP-FPM untuk hanya memproses file php yang ada di server caranya
    :~$ sudo vim /etc/php.ini
    #Kemudian cari dan ganti menjadi:
    cgi.fix_pathinfo=0
    expose_php = Off
    
    #yang ini untuk increase upload size
    upload_max_filesize = 40M
    post_max_size = 40M
    
 3.  Config Nginx-PHP-FPM
    Buat pool php-fpm baru, tujuannya untuk lebih memudahkan pengelolaan resource dan monitoring. 
    Kita ambil contoh pool php-fpm untuk user Vagrant.
    :~$ sudo vim /etc/php-fpm.d/vagrant.conf
    Isi-nya:
    
 ### START CONFIG FILE ###
 ================================================================
 [batutah]


 listen = /var/run/phpfpm-batutah.sock
 listen.backlog = 655
 listen.allowed_clients = 127.0.0.1


 listen.owner = batutah
 listen.group = batutah
 listen.mode = 0666
 user = batutah
 group = batutah
 pm = dynamic
 pm.max_children = 200
 pm.start_servers = 5
 pm.min_spare_servers = 5
 pm.max_spare_servers = 20
 pm.max_requests = 2000
 pm.process_idle_timeout = 1s

 request_terminate_timeout = 2m
 request_slowlog_timeout = 5s
 slowlog = /var/log/php-fpm/batutah-slow.log
 rlimit_core = unlimited
 catch_workers_output = yes
 security.limit_extensions = .php

 php_flag[display_errors] = off
 php_admin_value[error_log] = /var/log/php-fpm/batutah-error.log
 php_admin_flag[log_errors] = on
 php_admin_value[memory_limit] = 256M


 ; Set session path to a directory owned by process user
 php_value[session.save_handler] = files
 php_value[session.save_path] = /var/lib/php/session
 ================================================================
 ### END CONFIG FILE ###

 kemudian restart php-fpm
 :~$ sudo service php-fpm restart

 Lalu setting Nginx-nya:
 :~$ sudo mkdir /etc/nginx/sites-available
 :~$ sudo mkdir /etc/nginx/sites-enabled 

 :~$ sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dead
 :~$ sudo vim /etc/nginx/nginx.conf
 Isinya seperti ini:

 ### START CONFIG FILE ###
 ================================================================
 user  nginx;
 worker_processes  1;

 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;


 events {
    use epoll;
    multi_accept       off;
    worker_connections 1024;

 }


 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
 }
 ================================================================
 ### END CONFIG FILE ###

 Kemudian kita buat file config upstream di /etc/nginx/conf.d/upstream.conf
 :~$ sudo vim /etc/nginx/conf.d/upstream.conf, isi dengan:
 ### START CONFIG FILE ###
 ================================================================
 upstream fpm-mysite {
    server      unix:/var/run/phpfpm-vagrant.sock; #ini harus sama dengan file yang kita config di pool php-fpm
 }
 ================================================================
 ### END CONFIG FILE ###

 :~$ sudo vim /etc/nginx/conf.d/log-format.conf
 ### START CONFIG FILE ###
 ================================================================
 log_format main '$remote_addr - $remote_user [$time_local] "$host" "$request" '
        '["$request_method $scheme://$host$request_uri $server_protocol"] '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" $request_time';
 ================================================================
 ### END CONFIG FILE ###

 :~$ sudo vim /etc/nginx/conf.d/http-block-tunning.conf
 ### START CONFIG FILE ###
 ================================================================
 access_log off;

 client_body_buffer_size      10K;
 client_header_buffer_size    1k;
 client_max_body_size         40m;
 large_client_header_buffers  4 4k;
 client_body_timeout          12;
 client_header_timeout        12;
 keepalive_timeout            60;
 send_timeout                 10;

 reset_timedout_connection  on;

 #: caching
 open_file_cache            max=1000 inactive=20s;
 open_file_cache_valid      30s;
 open_file_cache_min_uses   5;
 open_file_cache_errors     off;


 #: security
 server_tokens    off;
 ================================================================
 ### END CONFIG FILE ###

 :~$ sudo vim /etc/nginx/conf.d/gzip.conf
 ### START CONFIG FILE ###
 ================================================================
 gzip on;
 gzip_disable "msie6";

 gzip_comp_level 6;
 gzip_min_length 400;
 gzip_buffers 16 8k;
 gzip_proxied any;
 gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;
 ================================================================
 ### END CONFIG FILE ###

 Sekarang kita buat server block Nginx-nya:
 :~$ sudo vim /etc/nginx/sites-available/mysite.com

 ### START CONFIG FILE ###
 ================================================================
 server {
  listen 80;
  server_name  batutah.id;

  root         /home/batutah/public_html/batutah.id;
  error_log    /var/log/nginx/batutah.id_error.log warm;
  access_log   /var/log/nginx/batutah.id_access.log;
  index        index.php;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ /\. {
    deny all;
  }

  location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
  }

  location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
  }

  location ~ \.php$ {
    include                       fastcgi_params;
    fastcgi_intercept_errors      on;
    fastcgi_pass                  fpm-batutah;
    fastcgi_buffers               256 16k;
    fastcgi_buffer_size           128k;
    fastcgi_busy_buffers_size     256k;
    fastcgi_temp_file_write_size  256k;
    
    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|woff2)$ {
    expires        max;
    log_not_found  off;
  }

 }
 ================================================================
 ### END CONFIG FILE ###

 4.  Install Percona57 via yum
    :~$ sudo yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
    :~$ sudo yum install Percona-Server-server-57
    :~$ sudo systemctl start mysql
    :~$ sudo systemctl enable mysql
    :~$ sudo grep -i 'pass' /var/log/mysqld.log
    :~$ sudo mysql_secure_installation

    Untuk tunning file configurasinya percona menyediakan mysql config generator di https://tools.percona.com/wizard
    Isi field yang di sediakan dan masukan di file mysqld.cnf
    Kalo ga yakin lebih baik di backup dulu yaa file config aslinya
    :~$ sudo vim /etc/percona-server.conf.d/mysqld.cnf


 5.  Setting Firewalld & SElinux
    Masuk babak akhir yaitu setting firewalld dan SElinux fungsinya untuk keamanan server kita

    Tambahkan service http dan https(kalo ada) di firewall
    :~$ sudo firewall-cmd --zone=public --add-service=http --permanent
    :~$ sudo firewall-cmd --reload

    Kita mau memindahkan root direkori web kita ke homedir user vagrant, secara default itu tidak di perbolehkan oleh SElinux
    sekarang kasih tau SElinux agar PHP-FPM bisa mengakses file di homedir user vagrant
    :~$ sudo yum install policycoreutils-python -y #ini untuk memanage SElinux
    :~$ sudo setsebool -P httpd_read_user_content 1
    :~$ sudo setsebool -P httpd_enable_homedirs 1
    :~$ sudo setsebool -P httpd_unified 1 # ini untuk access write php-fpm
    :~$ setsebool httpd_can_network_connect_db 1
	todo :
	1. Install Nginx
	2. Install PHP71
	3. Config Nginx-PHP-FPM
	4. Install Percona Server 57
	5. Setting Firewalld & SElinux

	Catatan ini saya buat untuk membantu diri saya di masa depan, karena manusia tempatnya salah dan lupa.
	Jika kamu menemukan catatan ini Selamat, kamu termasuk orang yang beruntung karena disini saya akan menjelaskan
	bagaimana membuat atau meng-install LEMP Stack di Centos7 terbaru dengan standar config yang powerfull.
	Lets start beibeh...!!

	Disini saya asumsikan kita sudah melakukan update `sudo yum update -y`

	1. Install Nginx
	:~$ sudo yum install epel-release
	:~$ sudo yum update
	:~$ vim /etc/yum.repos.d/nginx.repo
	isinya ini
	=======================
	# nginx.repo
	[nginx-stable]
	name=nginx stable repo
	baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
	gpgcheck=1
	enabled=1
	gpgkey=https://nginx.org/keys/nginx_signing.key
	=======================
	:~$ sudo yum install nginx -y
	:~$ sudo systemctl start nginx
	:~$ sudo systemctl enable nginx


	2. Install PHP71
	Disni kita menggunakan repo ius untuk install PHP

	Pertama tambahkan dulu repo IUS-nya
	:~$ sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm

	Kemudian install paket PHP dari IUS repo
	:~$ sudo yum install php71u php71u-common php71u-fpm php71u-cli php71u-bcmath php71u-dba php71u-dbg php71u-devel php71u-gd php71u-gmp php71u-imap php71u-intl php71u-json php71u-mbstring php71u-mcrypt php71u-mysqlnd php71u-opcache php71u-pdo php71u-pecl-apcu php71u-pecl-igbinary php71u-pecl-redis php71u-pspell php71u-recode php71u-tidy php71u-xml php71u-xmlrpc -y
	:~$ sudo systemctl enable php-fpm --now

	Untuk alasan keamanan beritahun PHP-FPM untuk hanya memproses file php yang ada di server caranya
	:~$ sudo vim /etc/php.ini
	#Kemudian cari dan ganti menjadi:
	cgi.fix_pathinfo=0
	expose_php = Off

	#yang ini untuk increase upload size
	upload_max_filesize = 40M
	post_max_size = 40M

	3. Config Nginx-PHP-FPM
	Buat pool php-fpm baru, tujuannya untuk lebih memudahkan pengelolaan resource dan monitoring.
	Kita ambil contoh pool php-fpm untuk user Vagrant.
	:~$ sudo vim /etc/php-fpm.d/vagrant.conf
	Isi-nya:

	### START CONFIG FILE ###
	================================================================
	[batutah]


	listen = /var/run/phpfpm-batutah.sock
	listen.backlog = 655
	listen.allowed_clients = 127.0.0.1


	listen.owner = batutah
	listen.group = batutah
	listen.mode = 0666
	user = batutah
	group = batutah
	pm = dynamic
	pm.max_children = 200
	pm.start_servers = 5
	pm.min_spare_servers = 5
	pm.max_spare_servers = 20
	pm.max_requests = 2000
	pm.process_idle_timeout = 1s

	request_terminate_timeout = 2m
	request_slowlog_timeout = 5s
	slowlog = /var/log/php-fpm/batutah-slow.log
	rlimit_core = unlimited
	catch_workers_output = yes
	security.limit_extensions = .php

	php_flag[display_errors] = off
	php_admin_value[error_log] = /var/log/php-fpm/batutah-error.log
	php_admin_flag[log_errors] = on
	php_admin_value[memory_limit] = 256M


	; Set session path to a directory owned by process user
	php_value[session.save_handler] = files
	php_value[session.save_path] = /var/lib/php/session
	================================================================
	### END CONFIG FILE ###

	kemudian restart php-fpm
	:~$ sudo service php-fpm restart

	Lalu setting Nginx-nya:
	:~$ sudo mkdir /etc/nginx/sites-available
	:~$ sudo mkdir /etc/nginx/sites-enabled

	:~$ sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dead
	:~$ sudo vim /etc/nginx/nginx.conf
	Isinya seperti ini:

	### START CONFIG FILE ###
	================================================================
	user nginx;
	worker_processes 1;

	error_log /var/log/nginx/error.log warn;
	pid /var/run/nginx.pid;


	events {
	use epoll;
	multi_accept off;
	worker_connections 1024;

	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	keepalive_timeout 65;

	#gzip on;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*.conf;
	}
	================================================================
	### END CONFIG FILE ###

	Kemudian kita buat file config upstream di /etc/nginx/conf.d/upstream.conf
	:~$ sudo vim /etc/nginx/conf.d/upstream.conf, isi dengan:
	### START CONFIG FILE ###
	================================================================
	upstream fpm-mysite {
	server unix:/var/run/phpfpm-vagrant.sock; #ini harus sama dengan file yang kita config di pool php-fpm
	}
	================================================================
	### END CONFIG FILE ###

	:~$ sudo vim /etc/nginx/conf.d/log-format.conf
	### START CONFIG FILE ###
	================================================================
	log_format main '$remote_addr - $remote_user [$time_local] "$host" "$request" '
	'["$request_method $scheme://$host$request_uri $server_protocol"] '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" $request_time';
	================================================================
	### END CONFIG FILE ###

	:~$ sudo vim /etc/nginx/conf.d/http-block-tunning.conf
	### START CONFIG FILE ###
	================================================================
	access_log off;

	client_body_buffer_size 10K;
	client_header_buffer_size 1k;
	client_max_body_size 40m;
	large_client_header_buffers 4 4k;
	client_body_timeout 12;
	client_header_timeout 12;
	keepalive_timeout 60;
	send_timeout 10;

	reset_timedout_connection on;

	#: caching
	open_file_cache max=1000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;


	#: security
	server_tokens off;
	================================================================
	### END CONFIG FILE ###

	:~$ sudo vim /etc/nginx/conf.d/gzip.conf
	### START CONFIG FILE ###
	================================================================
	gzip on;
	gzip_disable "msie6";

	gzip_comp_level 6;
	gzip_min_length 400;
	gzip_buffers 16 8k;
	gzip_proxied any;
	gzip_types
	text/plain
	text/css
	text/js
	text/xml
	text/javascript
	application/javascript
	application/x-javascript
	application/json
	application/xml
	application/rss+xml
	image/svg+xml;
	================================================================
	### END CONFIG FILE ###

	Sekarang kita buat server block Nginx-nya:
	:~$ sudo vim /etc/nginx/sites-available/mysite.com

	### START CONFIG FILE ###
	================================================================
	server {
	listen 80;
	server_name batutah.id;

	root /home/batutah/public_html/batutah.id;
	error_log /var/log/nginx/batutah.id_error.log warm;
	access_log /var/log/nginx/batutah.id_access.log;
	index index.php;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location ~ /\. {
	deny all;
	}

	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}

	location / {
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	location ~ \.php$ {
	include fastcgi_params;
	fastcgi_intercept_errors on;
	fastcgi_pass fpm-batutah;
	fastcgi_buffers 256 16k;
	fastcgi_buffer_size 128k;
	fastcgi_busy_buffers_size 256k;
	fastcgi_temp_file_write_size 256k;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param SCRIPT_NAME $fastcgi_script_name;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|woff\|woff2)$ {
	expires max;
	log_not_found off;
	}

	}
	================================================================
	### END CONFIG FILE ###

	4. Install Percona57 via yum
	:~$ sudo yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm
	:~$ sudo yum install Percona-Server-server-57
	:~$ sudo systemctl start mysql
	:~$ sudo systemctl enable mysql
	:~$ sudo grep -i 'pass' /var/log/mysqld.log
	:~$ sudo mysql_secure_installation

	Untuk tunning file configurasinya percona menyediakan mysql config generator di https://tools.percona.com/wizard
	Isi field yang di sediakan dan masukan di file mysqld.cnf
	Kalo ga yakin lebih baik di backup dulu yaa file config aslinya
	:~$ sudo vim /etc/percona-server.conf.d/mysqld.cnf


	5. Setting Firewalld & SElinux
	Masuk babak akhir yaitu setting firewalld dan SElinux fungsinya untuk keamanan server kita

	Tambahkan service http dan https(kalo ada) di firewall
	:~$ sudo firewall-cmd --zone=public --add-service=http --permanent
	:~$ sudo firewall-cmd --reload

	Kita mau memindahkan root direkori web kita ke homedir user vagrant, secara default itu tidak di perbolehkan oleh SElinux
	sekarang kasih tau SElinux agar PHP-FPM bisa mengakses file di homedir user vagrant
	:~$ sudo yum install policycoreutils-python -y #ini untuk memanage SElinux
	:~$ sudo setsebool -P httpd_read_user_content 1
	:~$ sudo setsebool -P httpd_enable_homedirs 1
	:~$ sudo setsebool -P httpd_unified 1 # ini untuk access write php-fpm
	:~$ setsebool httpd_can_network_connect_db 1