CentOS 7 Server Setup including NginX, NodeJs, MongoDB, Redis, Docker, etc...

Centos7.md

Note: For newer versions of NodeJS, Nginx and MongoDB, checkout their websites and update the related parts.

0.Pre-requisites

run all the commands in terminal as the root user (sudo su)

yum update
yum install -y epel-release
yum install -y vim wget zip yum-utils net-tools gcc-c++ make chrony jq

since yum install git installs git v1.x, for git v2 we should run the following to install it from another resource.

yum -y install https://packages.endpoint.com/rhel/7/os/x86_64/endpoint-repo-1.7-1.x86_64.rpm
yum -y install git

to check/set server timezone and enable NTP time sync:

timedatectl set-timezone UTC #Asia/Dubai
timedatectl set-ntp on
systemctl enable --now chronyd
## check status
chronyc sources
chronyc activity
timedatectl

1.Setup a Proxy (if needed)

Replace USER and PASS and PROXY for proxy settings.

export https_proxy=http://USER:PASS@PROXY:443/
vim /etc/yum.conf
#proxy=http://PROXY:443/
#proxy_username=USER
#proxy_password=PASS

OR a DNS proxy in the system level dns:

##yum install -y NetworkManager-tui
#nmtui
vim /etc/resolv.conf
#nameserver 185.51.200.2
#nameserver 178.22.122.100

2.Nginx

Since you have installed epel-release, you have access to the rpm of nginx and you could simply install it with the following command:

yum -y install nginx

For a newer version, of if you have not installed epel-release you have to make the repo file yourself like this:

vim /etc/yum.repos.d/nginx.repo

then press i, and paste (ctrl/command+v) this:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

then press esc then type :wq and press enter

yum install -y nginx
service nginx start
chkconfig nginx on

For preventing 403 and permission errors for nginx, if SELinux is in enforcing mode (check with getenforce) use the following to allow serving static files

setsebool -P httpd_can_network_connect on
setsebool -P httpd_setrlimit on
chcon -Rt httpd_sys_content_t /var/www # OR /usr/share/nginx/html/

If the configuration above did not resolve permission issues with nginx filea read or proxying, please read https://www.nginx.com/blog/using-nginx-plus-with-selinux/

For preventing (24: Too many open files) errors in nginx, since defaults of ulimit is low (1024 soft, 4096 hard), you can increase it just for the nginx processes by setting specific configurations in it's systemd service file, like this:

# systemctl edit nginx
echo "[Service]" >> /etc/systemd/system/nginx.service.d/override.conf
echo "LimitNOFILE=65536" >> /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
## Add the following to your main nginx.conf (this number is suitable for 4 workers)
# worker_rlimit_nofile 16384;
systemctl restart nginx
## Check with the following
ps aux | grep nginx
cat /proc/<nginx-pid>/limits

For SSL: first install certbot with it's nginx extentions like below, then run it to issue or install the certificate(s) for your domain(s). Make sure to create your nginx config for those domains in /etc/nginx/conf.d/DOMAN.conf, and your server_name is similiar to the domain you will issue a certificate for.

yum install -y certbot python2-certbot-nginx
#certbot certonly --nginx #only issues certificate
#certbot install --nginx #only installs an already issued certificate
certbot #issues and installs certificate

Alternatively, replace DOMAIN and EMAIL in the following with yours, and choose to run the one that suits you (wildcard or non-wildcard certificate)

# for non-wildcard certificates (automatic challange resolving & renewable):
certbot certonly --nginx --non-interactive --agree-tos --redirect -m [email protected] -d www.DOMAIN.com
echo "0 0,12 * * * root certbot renew" | sudo tee -a /etc/crontab > /dev/null

# for wildcard certificates (manual issue and renew by resolving dns challange each 3 month):
certbot certonly --agree-tos --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 -m [email protected] -d "*.DOMAIN.com,DOMAIN.com"

3.Node

The following commands installs nodejs from NodeSource, you can change its version from 10 to 12, 14 (LTS) or 15.

curl -sL https://rpm.nodesource.com/setup_10.x | bash -
curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo
yum install -y nodejs yarn
npm i -g pm2 typescript
#pm2 startup systemd -u gitlab-runner --hp /home/gitlab-runner
pm2 install typescript
pm2 install pm2-logrotate

some other useful npm packages:

npm i -g gulp gulp-cli bower

4.MongoDB

You can make a yum repo config and install everything with a single command like:

vim /etc/yum.repos.d/mongodb-org-4.4.repo

then press i, and paste (ctrl/command+v) this:

[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc

then press esc then type :wq and press enter

yum install -y mongodb-org

OR you can install all mongodb packages separately directly with their RPM links found in this link. PS: You have to install them in order to prevent dependancy errors.

yum install -y https://repo.mongodb.org/yum/redhat/7/mongodb-org/???/x86_64/RPMS/mongodb-org-??????.el7.x86_64.rpm

After installing, run and check like this:

systemctl start mongod
systemctl enable mongod
#mongo
mongosh

Please also consider disabling Transparent Huge Pages for better performance: https://docs.mongodb.com/manual/tutorial/transparent-huge-pages/

5.Redis

yum install -y redis
systemctl start redis
systemctl enable redis
#redis-cli ping

You can also consider the following performance optimizations. First one enables Redis AOF for better data persistense. Second one improves memory performance for Redis.

vim /etc/redis.conf
#appendonly yes
#appendfsync everysec

sysctl vm.overcommit_memory=1
vim /etc/sysctl.conf
vm.overcommit_memory = 1

6.Config Firewall

firewall-cmd --permanent --zone=public --add-service=http 
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --add-port=3000/tcp
firewall-cmd --reload

OR

yum install -y system-config-firewall-tui
system-config-firewall-tui

Also if you keep SELinux in enforcing mode, there are restrictions on http ports you can open. this will show a list of ports you can open:

semanage port -l | grep http_port_t

and this will add to it

semanage port -a -t http_port_t  -p tcp 30000

7.Config Gitlab

#exec ssh-agent bash
#eval `ssh-agent -s`
#ssh-keygen -t rsa
#ssh-add ~/.ssh/gitlab
#vim /etc/ssh/sshd_config
  #Host gitlab.com
  #RSAAuthentication yes
  #IdentityFile ~/.ssh/gitlab
#systemctl restart sshd.service

curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh | sudo bash
yum install -y gitlab-runner
gitlab-runner register

enter https://gitlab.com

8.Docker

yum install -y device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
usermod -aG docker $(whoami)
systemctl enable docker
systemctl start docker

For docker-compose

#yum install -y python-pip python-devel
#yum groupinstall 'development tools'
#pip install --upgrade pip
#pip install docker-compose
curl -L "https://github.com/docker/compose/releases/download/1.25.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
curl -L https://raw.githubusercontent.com/docker/compose/1.25.1/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
source /etc/bash_completion.d/docker-compose

For docker alias commands you can use the ones provided here: https://gist.github.com/cjus/20c2e1026524e83db532b113dce02403

vim ~/.docker_aliases

then press i, and paste (ctrl/command+v) the content of the .docker_aliases file, then press esc and then shift+Z+Z

vim ~/.bash_profile

add the following to the top of the file (after the similiar script that loads .bashrc) by pressing i, and pasting (ctrl/command+v) this:

if [ -f ~/.docker_aliases ]; then
        . ~/.docker_aliases
fi

then press esc and then shift+Z+Z

then run it for the current ssh session:

source ~/.docker_aliases

9.Usefull Commands (Bonus)

Adding Users:

When editing authorized_keys file for each user, paste that user's public keys from each of his machines in a separate line.

adduser username
passwd -d username
su username
mkdir -p ~/.ssh
chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

To enable or disable login with passwords, you should change PasswordAuthentication from the following config file and reload sshd service:

vim /etc/ssh/config
service sshd reload

Yum:

yum list | grep mongo
yum downgrade mongodb*
yum remove mongodb*
yum clean all
yum makecache fast
package-cleanup --oldkernels --count=1 #for disk cleanup (reboot first to make sure you are using latest downloaded kernel)

Copying files:

source and/or destination could be either a local path or a remote path (in host:/path format).

scp -p source destination
scp -rp source destination
docker cp source destination #use docker container ID instead of host name
rsync -azvhP source destination #for fewer files with larger sizes
rsync -ah --info=progress2 source destination #for more files with smaller sizes

Check Disk Space:

df -h #look for the one mounted at /
du -sh #./*

Check Open Ports by Programs:

netstat -tulpn

Get unique IPs from a file:

grep -Po '\d+\.\d+\.\d+\.\d+' /var/log/nginx/access.log | uniq | sort
grep -Po '\d+\.\d+\.\d+\.\d+' /var/log/nginx/access.log | uniq | wc -l

Change hostname:

#hostnamectl
hostnamectl set-hostname hostname
echo 127.0.0.1 hostname >> /etc/hosts

Passwordless SSH:

ssh-keygen # to create id_rsa & id_rsa.pub
ssh-copy-id SERVER # use password to store your id_rsa.pub into the remote account's authorized_keys

Bash Completions:

yum install -y bash-completion bash-completion-extras
source /etc/profile.d/bash_completion.sh

Colored Bash Prompt (with Git Prompt):

you can change prompt colors by changing 1;34m and 36m from the last line (add/remove 1; for light/bold switch or use other numbers for other colors: 🔴red=31, 🟢green=32, 🟡yellow=33, 🔵blue=34, 🟣purple=35, 💧cyan=36)

curl "https://raw.githubusercontent.com/git/git/$(gitver=$(git --version); echo "${gitver/git version /v}")/contrib/completion/git-prompt.sh" > /etc/.git-prompt.sh
echo "source /etc/.git-prompt.sh" >> /etc/bashrc
echo 'export GIT_PS1_SHOWCOLORHINTS=1 GIT_PS1_SHOWDIRTYSTATE=1 GIT_PS1_SHOWSTASHSTATE=1 GIT_PS1_SHOWUNTRACKEDFILES=1 GIT_PS1_SHOWUPSTREAM="auto verbose"' >> /etc/bashrc
echo "export PROMPT_COMMAND='"'__git_ps1 "\033[1;34m[\033[1;36m\u\033[36m@\h\033[1;34m:\w]\\\$\033[m" "\n> "'"'" >> /etc/bashrc

SSH Banner:

you can use some online ASCII art generator service

vim /etc/issue
# Put banner content here
vim /etc/ssh/sshd_config 
# Banner /etc/issue
service sshd restart

LAMP.md

Note: For newer versions of PHP and MariaDB, checkout their websites and update the related parts.

1.Apache2

yum install -y httpd
systemctl start httpd
systemctl enable httpd
#curl http://127.0.0.1/
setsebool -P httpd_unified 1
chmod -R 755 /var/www
mkdir /etc/httpd/sites-available /etc/httpd/sites-enabled
echo 'IncludeOptional sites-enabled/*.conf' >> /etc/httpd/conf/httpd.conf

Now for each vistual server (e.g. example.com hostname) do the following

mkdir -p /var/www/example.com/html
mkdir -p /var/www/example.com/log
semanage fcontext -a -t httpd_log_t "/var/www/example.com/log(/.*)?"
restorecon -R -v /var/www/example.com/log
ls -dZ /var/www/example.com/log
echo 'example.com' > /var/www/example.com/html/index.html
vim /etc/httpd/sites-available/example.com.conf

now in the config file you can use a minimal config like this:

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com/html
    ErrorLog /var/www/example.com/log/error.log
    CustomLog /var/www/example.com/log/requests.log combined
</VirtualHost>

And finally with a sudoer user run the following, or if already su replace $USER with a username manually:

sudo chown -R $USER:$USER /var/www/example.com/html

And for enabling any site

ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites-enabled/example.com.conf
systemctl restart httpd

2.MySQL

For MariaDB Server 10.6 (40MB download, 200MB install), run:

curl -sL https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | bash -
yum install -y MariaDB-server
systemctl start mariadb
systemctl enable mariadb
mariadb-secure-installation
systemctl restart mariadb
#mariadb -u root -p
#mariadb> show databases;

OR, For MySQL 8 Community Server (almost 500MB download size and 2.2GB after install), run:

rpm -Uvh https://repo.mysql.com/mysql80-community-release-el7-3.noarch.rpm
sed -i 's/enabled=1/enabled=0/' /etc/yum.repos.d/mysql-community.repo
yum --enablerepo=mysql80-community install -y mysql-community-server
systemctl start mysqld
systemctl enable mysqld
grep "A temporary password" /var/log/mysqld.log
mysql_secure_installation
systemctl restart mysqld
#mysql -u root -p
#mysql> show databases;

For creating a new DB and user and grant permissions, replace db_name, newuser, password, and possibly localhost in the following commands, and run it.

mysql -u root -p
CREATE DATABASE db_name;
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db_name.* TO 'newuser'@'localhost';
FLUSH PRIVILEGES;

3.PHP

To install PHP 7.4 with a bunch of commonly usded modules, run the following:

yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php74
yum install -y php php-cli php-fpm php-mysqlnd php-zip php-devel php-gd php-mcrypt php-mbstring php-curl php-xml php-pear php-bcmath php-json
#php -v
#php --modules

echo '<?php phpinfo(); ?>' > /var/www/html/info.php
systemctl restart httpd
#curl http://127.0.0.1/info.php
#rm /var/www/html/info.php

PHPMyAdmin

yum install -y phpmyadmin
systemctl restart httpd

4.FTP Server

yum install -y vsftpd
systemctl start vsftpd
systemctl enable vsftpd
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
vim /etc/vsftpd/vsftpd.conf
#anonymous_enable=NO
vim /etc/vsftpd/user_list
systemctl restart vsftpd

To use a jump box in Windows SSH via ssh -J jumphost host or via ~/.ssh/config file parameter ProxyJump jumphost you need to use at OpenSSH Win32/64 with version 8+ (default version of OpenSSH Win32/64 in Win 10 (or below) is below v8 and has a bug on interpreting jump host)