[LEMP] Install

# Vagrant
---------------------------------------------------------------
# fix error share folder
vagrant plugin install vagrant-vbguest

# Link box base centos 7 no soft
https://vagrantcloud.com/centos/boxes/7/versions/1902.01/providers/virtualbox.box

# export box file
vagrant package --output enqtran_vm_centos_7
---------------------------------------------------------------



# VIM 
---------------------------------------------------------------
:q to quit (short for :quit)
:q! to quit without saving (short for :quit!)
:wq to write and quit
:wq! to write and quit even if file has only read permission (if file does not have write permission: force write)
:x to write and quit (similar to :wq, but only write if there are changes)
:exit to write and exit (same as :x)
:qa to quit all (short for :quitall)
:cq to quit without saving and make Vim return non-zero error (i.e. exit with error)
---------------------------------------------------------------



# Check centos version
---------------------------------------------------------------
cat /etc/redhat-release
cat /proc/cpuinfo
free -h
df -h
---------------------------------------------------------------


# Off ssh require -> use password
---------------------------------------------------------------
/etc/ssh/sshd_config
PasswordAuthentication yes

systemctl restart sshd.service
---------------------------------------------------------------

# Install PHP 7.3
---------------------------------------------------------------
sudo yum install epel-release -y
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
sudo yum --enablerepo=remi-php73 install php -y
sudo yum --enablerepo=remi-php73 install php-soap php-xmlrpc php-json php-opcache php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-sqlite php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml -y
php -v
---------------------------------------------------------------



# Install NGINX 1.15
---------------------------------------------------------------
yum install -y epel-release

sudo vi /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

sudo yum-config-manager --enable nginx-mainline

dnf install nginx

sudo yum install nginx -y

systemctl enable nginx.service
systemctl start nginx.service
systemctl restart nginx.service
systemctl status nginx.service

# check err
tail -f /var/log/nginx/error.log
---------------------------------------------------------------



# Install MySQL 8.0
---------------------------------------------------------------
sudo yum localinstall https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm -y
sudo yum localinstall https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm
sudo yum install mysql-community-server -y

sudo systemctl enable mysqld
sudo systemctl start mysqld
sudo systemctl restart mysqld
sudo systemctl status mysqld

sudo grep 'temporary password' /var/log/mysqld.log

sudo mysql_secure_installation

mysql -u root -p
uHfIyViGs0/,1
---------------------------------------------------------------


# MongoDB 4.0
---------------------------------------------------------------
vi /etc/yum.repos.d/mongodb.repo

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/testing/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

yum -y install mongodb-org

vi /etc/security/limits.d/99-mongodb-nproc.conf
mongod soft nofile 64000
mongod hard nofile 64000
mongod soft nproc 64000
mongod hard nproc 64000

semanage port -a -t mongod_port_t -p tcp 27017
systemctl start mongod
systemctl stop mongod
systemctl restart mongod
systemctl status mongod
mongod --version
netstat -antup | grep -i 27017
mongo

vi /etc/mongod.conf
security:
  authorization: enabled
---------------------------------------------------------------



# Setup PHP-FPM
# nginx not support process php. Nginx forward request to service php-fpm.
---------------------------------------------------------------
sudo yum install -y php-fpm

/etc/opt/remi/php73/php-fpm.d

systemctl enable php-fpm
systemctl start php-fpm
systemctl restartphp-fpm
systemctl status php-fpm

# config setting SELINUX
SELINUX=disabled
---------------------------------------------------------------



# install nodejs v11.
---------------------------------------------------------------
yum install -y gcc-c++ make
curl -sL https://rpm.nodesource.com/setup_12.x | sudo -E bash -
sudo yum install -y nodejs
node -v
npm -v
---------------------------------------------------------------



# Firewall
---------------------------------------------------------------
sudo yum install firewalld
sudo systemctl enable firewalld
sudo reboot

sudo firewall-cmd --state
-> running

firewall-cmd --get-default-zone
-> public

firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
firewall-cmd --get-zones
sudo firewall-cmd --zone=home --list-all
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
-> success
---------------------------------------------------------------



# Install Certbot. Nginx with Let's Encrypt on CentOS 7
---------------------------------------------------------------
sudo yum install epel-release
sudo yum install certbot-nginx
-> /etc/nginx/nginx.conf
-> server_name example.com www.example.com;
sudo systemctl reload nginx
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo certbot --nginx -d example.com -d www.example.com
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
-> /etc/nginx/nginx.conf
-> + ssl_dhparam /etc/ssl/certs/dhparam.pem;
sudo nginx -t
sudo systemctl reload nginx
sudo crontab -e
0 2 * * * /usr/bin/certbot renew --quiet
---------------------------------------------------------------


# Gzip Compression
---------------------------------------------------------------
sudo nano /etc/nginx/nginx.conf

# enable gzip compression
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# end gzip configuration

sudo /etc/init.d/nginx reload
---------------------------------------------------------------


# Make Browsers Cache Static Files On nginx
---------------------------------------------------------------
sudo nano /etc/nginx/conf.d/default.conf

location ~*  \.(jpg|jpeg|png|gif|ico|css|js)$  {
              expires 365d;
}

location ~* \.(?:ico|css|js|jpe?g|png|gif|svg|pdf|mov|mp4|mp3|woff)$ {
    expires 7d;
    add_header Pragma public;
    add_header Cache-Control "public";
    gzip_vary on;
}

sudo /etc/init.d/nginx reload
---------------------------------------------------------------


# firewalld:
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

# iptables:
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

conf.d

# Folder /etc/nginx/conf.d
server {
    listen       80;
    server_name  192.168.33.10;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    root   /var/www/html;
    index  index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php$query_string;
    }

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    
    location ~ \.php$ {
        # root           html;
        root   /var/www/html;
        try_files $uri =404;
        fastcgi_read_timeout 864000;
        fastcgi_pass   127.0.0.1:9000;
       fastcgi_index  index.php;
       fastcgi_param  SCRIPT_FILENAME  /var/www/html$fastcgi_script_name;
        include        fastcgi_params;
    }



    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}

    location ~ /\. {
        access_log off;
        log_not_found off; 
        deny all;
    }

    location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
        access_log        off;
        log_not_found     off;
        expires           360d;
    }

}

nginx config

# Folder /etc/nginx

user  nginx;

# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically

# number of file descriptors used for nginx
# the limit for the maximum FDs on the server is usually set by the OS.
# if you don't set FD's then OS settings will be used which is by default 2000
worker_rlimit_nofile 100000;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

# only log critical errors
error_log /var/log/nginx/error.log crit;

events {
    # determines how much clients will be served per worker
    # max clients = worker_connections * worker_processes
    # max clients is also limited by the number of socket connections available on the system (~64k)
    worker_connections 4000;

    # optimized to serve many clients with each thread, essential for linux -- for testing environment
    use epoll;

    # accept as many connections as possible, may flood worker connections if set too low -- for testing environment
    multi_accept on;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log  /var/log/nginx/access.log  main;

    # cache informations about FDs, frequently accessed files
    # can boost performance, but you need to test those values
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # to boost I/O on HDD we can disable access logs
    access_log off;

    # copies data between one FD and other from within the kernel
    # faster than read() + write()
    sendfile on;

    # send headers in one piece, it is better than sending them one by one
    tcp_nopush on;

    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;

    # reduce the data that needs to be sent over network -- for testing environment
    gzip on;
    # gzip_static on;
    gzip_min_length 10240;
    gzip_comp_level 1;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    # allow the server to close connection on non responding client, this will free up memory
    reset_timedout_connection on;

    # request timed out -- default 60
    client_body_timeout 10;

    # if client stop responding, free up memory -- default 60
    send_timeout 2;

    # server will close connection after this time -- default 75
    keepalive_timeout 30;

    # number of requests client can make over keep-alive -- for testing environment
    keepalive_requests 100000;

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # SSL Settings
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Optimize session cache
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # Enable session tickets
    ssl_session_tickets on;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    include /etc/nginx/conf.d/*.conf;
}

php-fpm.d

; Folder /etc/php-fpm.d
; change from apache -> nginx (line ~ 23)
user = nginx
group = nginx

selinux

# Folder /etc/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded. <== this update
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted