From Linux Install to WordPress

These notes start from a typical installation of Debian 8.x (Jessie) in which I select only the base system and SSH server options. After installation, this is my typical configuration to get up and running.

Debian Customization

These are customizations to suit my taste.

apt-get update && apt-get upgrade
dpkg-reconfigure dash
echo UseDNS no >>/etc/ssh/sshd_config && /etc/init.d/ssh restart
apt-get install fail2ban vim-nox unzip

Webserver Installation: nginx

wget http://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
echo 'deb http://nginx.org/packages/debian/ jessie nginx' >> /etc/apt/sources.list
echo 'deb-src http://nginx.org/packages/debian/ jessie nginx' >> /etc/apt/sources.list
apt-get update && apt-get install nginx

nginx Configuration

There are a few customizations I make and I have scripted most of this since it’s repetitive.

In the first line below, worker_processes 2; is derived from grep 'cpu cores' /proc/cpuinfo | head -1
sed -i 's/user[ ]*nginx/user www-data/g; s/worker_processes[ ]*1/worker_processes 2/g' /etc/nginx/nginx.conf
sed -i 's/access_log.*;/access_log off;/g' /etc/nginx/nginx.conf
sed -i '/access_log off;/a client_max_body_size 12m;' /etc/nginx/nginx.conf
/etc/init.d/nginx restart

With basic configuration changes made to nginx.conf, I now focus on creating the site configuration.

rm /etc/nginx/conf.d/*

cat <<'EOF' >>/etc/nginx/conf.d/`hostname`.conf
# The quoted 'EOF' keeps the shell from expanding nginx variables such as $uri.
server {
        listen 80;
        root /var/www;
        index index.php index.html index.htm;

        server_name techish.net www.techish.net;

        location / {
                try_files $uri $uri/ /index.php;
        }

        # Escape the dot so only a literal ".php" suffix matches.
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }

        # Used by the Let's Encrypt webroot challenge later on.
        location ~ /\.well-known {
                allow all;
        }
}
EOF

That concludes nginx installation and configuration to THIS point. I’ll revisit toward the end when I implement SSL.
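
Because the site configuration is written through a shell here-document, the quoting of the delimiter decides whether nginx variables such as $uri reach the file. The following is an added example, not part of the original notes: it renders a shortened, constructed server block both ways and reports which variables were lost. The function names and example.test are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes. The server block is a shortened,
# constructed copy of the site configuration; example.test is a placeholder.

# Unquoted delimiter: the shell expands $uri, $document_root and
# $fastcgi_script_name before cat runs. They are unset, so they vanish.
render_unquoted() {
    unset uri document_root fastcgi_script_name   # keep the demo deterministic
    cat <<EOF
server {
    server_name $1;
    location / {
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
EOF
}

# Quoted delimiter: the body is copied literally, so nginx variables survive.
# The one value that must vary (the server name) is filled in by sed instead.
render_quoted() {
    sed "s/@SERVER_NAME@/$1/" <<'EOF'
server {
    server_name @SERVER_NAME@;
    location / {
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
EOF
}

# Print each nginx variable the configuration needs but that is absent
# from the text on stdin (one name per line, nothing if all are present).
missing_nginx_vars() {
    conf=$(cat)
    for v in uri document_root fastcgi_script_name; do
        case $conf in
            *"\$$v"*) ;;
            *) printf '%s\n' "$v" ;;
        esac
    done
}

for mode in unquoted quoted; do
    lost=$("render_$mode" example.test | missing_nginx_vars | tr '\n' ' ')
    echo "$mode here-document lost: ${lost:-nothing}"
done
```

Running missing_nginx_vars against a freshly written file in /etc/nginx/conf.d catches the problem before nginx is restarted.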

PHP 7 Installation

I use dotdeb to install PHP 7.0 via apt-get.

echo 'deb http://packages.dotdeb.org jessie all' >> /etc/apt/sources.list
echo 'deb-src http://packages.dotdeb.org jessie all' >> /etc/apt/sources.list
wget https://www.dotdeb.org/dotdeb.gpg
apt-key add dotdeb.gpg
apt-get update
apt-get install php7.0-fpm php7.0-mysql php7.0-gd php7.0-mcrypt

PHP 7 Configuration

With PHP7 installation completed, I make a few changes.

sed -i 's/^upload_max_filesize.*/upload_max_filesize = 10m/g; s/^allow_url_fopen.*/allow_url_fopen = Off/g; s/^post_max_size.*/post_max_size = 12m/g' /etc/php/7.0/fpm/php.ini

MySQL (MariaDB) Installation

Installing MariaDB is pretty straightforward, with only a minor tweak to the configuration at the end.

apt-get install mariadb-server

MariaDB Configuration

sed -i 's/^bind-address/#bind-address/g; /^#bind-address/a skip-networking' /etc/mysql/my.cnf
mysql_secure_installation

Restart Services & Test

Restart the services and test out things to make sure everything works.

systemctl restart nginx.service
systemctl restart php7.0-fpm.service
systemctl restart mysql.service

WordPress Installation

WordPress installation is straightforward.

Database Preparation

Make sure to substitute wordpress, wpuser and ... below to reflect your database, database username and database user password.

cd /var/www
mysql -uroot -p -e "create database wordpress; grant all on wordpress.* to 'wpuser'@'%' identified by '...'; flush privileges;"

WordPress Download & Extract

wget https://wordpress.org/latest.zip
unzip latest.zip
mv wordpress/* .
rm -rf wordpress/; rm latest.zip
chown -R www-data:www-data .

WordPress Configuration

At this point, the database is ready to go and I just visit my website to finish the WordPress installation via Web interface.

Let’s Encrypt SSL Certificate

Installation

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Add Jessie backports repo and install.

echo 'deb http://ftp.debian.org/debian jessie-backports main' >>/etc/apt/sources.list
apt-get update
apt-get install certbot -t jessie-backports

Certificate Generation

I generate a certificate for my top level domain and subdomain.

certbot certonly --webroot -w /var/www -d techish.net
certbot certonly --webroot -w /var/www -d www.techish.net

nginx SSL Configuration

Create a directory in /etc/nginx to store a few snippets of nginx configuration.

mkdir /etc/nginx/ssl

Create SSL parameters configuration file, ssl-params.conf, that we’ll call in our site configuration file.

cat <<EOF >>/etc/nginx/ssl/ssl-params.conf
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
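    # Send a single HSTS header; the value must be quoted because it contains semicolons.
    # Switch to the preload variant only when the domain is ready to be preloaded.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";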
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
EOF

Create a configuration file, ssl-kreider.conf, that will reference where my top level domain SSL certificate is stored. I call this file from main nginx site configuration file later.

cat <<EOF >>/etc/nginx/ssl/ssl-kreider.conf
ssl_certificate /etc/letsencrypt/live/techish.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/techish.net/privkey.pem;
EOF

Create a configuration file, ssl-www-kreider.conf, that will reference where my www subdomain SSL certificate is stored. I call this file from main nginx site configuration file later.

cat <<EOF >>/etc/nginx/ssl/ssl-www-kreider.conf
ssl_certificate /etc/letsencrypt/live/www.techish.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.techish.net/privkey.pem;
EOF

I update my main site’s nginx configuration.

Note that `hostname` will expand the system hostname automatically. Replace `hostname`.conf (including backticks) with your configuration file name as applicable.
vim /etc/nginx/conf.d/`hostname`.conf

My finalized site configuration file.

server {
        listen 80;
        server_name techish.net www.techish.net;
        return 307 https://techish.net$request_uri;
}

server {
        listen 443 ssl;
        include ssl/ssl-kreider.conf;
        include ssl/ssl-params.conf;
        root /var/www;
        index index.php index.html index.htm;

        server_name techish.net;

        location / {
                try_files $uri $uri/ /index.php;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }
}

Create a Redirect to your Google+ Profile

It is pretty simple to set up your domain to redirect to your Google+ profile.  For example, I have https://techish.net/+ which redirects to my Google+ profile.  This is handy instead of having to link to your Google+ profile manually or using a third-party service.  Keeps everything in your control.  =)

Apache

If you are using Apache, modify your .htaccess file and include the following lines.

<IfModule mod_rewrite.c>
RewriteEngine On
Redirect /+ https://plus.google.com/your_google_plus_profile_id/
</IfModule>

Nginx

If you are using Nginx, modify your nginx.conf file and put the following line within your location {} stanza.

rewrite ^/\+$ https://plus.google.com/your_google_plus_profile_id/ permanent;

Enable Directory Listing in Nginx

I switched from Apache to Nginx a few months ago and have been learning many things.  One recent task I encountered was how to enable directory listing of a directory when an index file was not present.

This is what I typically see by default when trying to view a path that does not contain an index file in Nginx webserver.

Nginx’s HttpAutoIndexModule handles this.

Auto indexing can be enabled in http, server or location context.  I specifically wanted to allow auto indexing on only a particular subdirectory of my website.

I opened up Nginx’s configuration for the site I’m using which was found in /etc/nginx/sites-enabled/techish.net.conf

Under the http context, I created a location context and told it to use auto indexing if it did not find an index file.

location /pub/test {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
}

autoindex on – turns auto indexing on
autoindex_exact_size off – I want file sizes rounded (KB, MB, GB, etc.). The default is off which uses Bytes.
autoindex_localtime on – Enables the file times to be shown locally. By default this is disabled and uses GMT.

A quick reload of Nginx and then I browse to https://techish.net/pub/test and directory browsing is working. No more 403 Forbidden errors.

W: GPG error: The following signatures couldn’t be verified because the public key is not available

W: GPG error: http://nginx.org squeeze Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62

Resolution

1.  gpg --keyserver pgpkeys.mit.edu --recv-key THEKEY
2.  gpg -a --export THEKEY | apt-key add -

With the key ID from the error above:

root@node1:~# gpg --keyserver pgpkeys.mit.edu --recv-key ABF5BD827BD9BF62
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 7BD9BF62 from hkp server pgpkeys.mit.edu
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7BD9BF62: public key "nginx signing key " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
root@node1:~# gpg -a --export ABF5BD827BD9BF62 | apt-key add -
OK
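
The resolution above pulls a key from a keyserver and hands it straight to apt-key. As an added example (not part of the original post), the check below accepts a key only when its long key ID equals the one apt printed after NO_PUBKEY. The function names and the sample listings are constructed for illustration, and how the colon listing is produced depends on the GnuPG version, as noted in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: trust a downloaded signing key
# only if its long key ID is the one apt asked for in its NO_PUBKEY warning.

# Constructed sample inputs. APT_WARNING shortens the warning quoted on the
# page; the listings imitate `gpg --with-colons` output with made-up dates.
APT_WARNING="W: GPG error: http://nginx.org squeeze Release: NO_PUBKEY ABF5BD827BD9BF62"
GOOD_LISTING="pub:-:2048:1:ABF5BD827BD9BF62:1300000000:::-:nginx signing key:"
OTHER_LISTING="pub:-:2048:1:0123456789ABCDEF:1300000000:::-:constructed look-alike key:"

# Extract the 16-hex-digit key ID that follows NO_PUBKEY in apt's warning (stdin).
wanted_key_id() {
    sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{16\}\).*/\1/p' | head -n 1 | tr 'a-f' 'A-F'
}

# Read a colon-format key listing on stdin and print the long key ID
# (field 5) of every primary public key ("pub" record).
primary_key_ids() {
    awk -F: '$1 == "pub" { print toupper($5) }'
}

# key_matches WANTED: succeed only if the listing on stdin holds exactly one
# primary key and its ID equals WANTED. An empty WANTED never matches.
key_matches() {
    ids=$(primary_key_ids)
    [ -n "$1" ] && [ "$ids" = "$1" ]
}

# Real use (assumption about the GnuPG version: 1.4 lists a key file with
# `gpg --with-colons FILE`, current releases with `gpg --show-keys --with-colons FILE`):
#   gpg --with-colons nginx_signing.key | key_matches "$wanted" \
#       && apt-key add nginx_signing.key
# A 64-bit key ID is weaker than a full fingerprint; when the vendor publishes
# one, compare field 10 of the "fpr" record in the same listing instead.

wanted=$(printf '%s\n' "$APT_WARNING" | wanted_key_id)
for listing in "$GOOD_LISTING" "$OTHER_LISTING"; do
    if printf '%s\n' "$listing" | key_matches "$wanted"; then
        echo "accept: key ID matches $wanted"
    else
        echo "reject: key ID does not match $wanted"
    fi
done
```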

LEMP + Cacti 0.8.7i

This is my setup of LEMP with Cacti 0.8.7i.

LEMP stands for Linux, nginx (pronounced Engine x), MySQL and PHP.  Most notably, LEMP is just LAMP with Apache replaced by nginx.

My base linux distribution is Debian 6 AMD64.

Software Required:

Debian 6 AMD64 (6.0.3) Business Card:  http://cdimage.debian.org/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-businesscard.iso
PHP 5.3
Nginx 1.0.11
MySQL 5

I boot my system from the ISO and go through the basic install.  On the software installation screen, I chose only SSH Server and Standard System Utilities as noted in the screenshot below.

After install finishes up and a fresh reboot, I log in as root and add the following to my apt repository at the bottom:

# vim.tiny /etc/apt/sources.list

deb http://nginx.org/packages/debian/ squeeze nginx
deb-src http://nginx.org/packages/debian/ squeeze nginx

Add the key for nginx.org:

root@cacti-087i:~# wget http://nginx.org/packages/keys/nginx_signing.key
--2012-01-16 11:45:38--  http://nginx.org/packages/keys/nginx_signing.key
Resolving nginx.org... 206.251.255.63
Connecting to nginx.org|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1561 (1.5K) [text/plain]
Saving to: nginx_signing.key

100%[======================================>] 1,561       --.-K/s   in 0s

2012-01-16 11:45:38 (156 MB/s) - nginx_signing.key

root@cacti-087i:~# cat nginx_signing.key | apt-key add -
OK

Then run apt-get update

Now we’ll be downloading the latest version 1.0.11-1. You can verify this went as expected with apt-cache show nginx and look at the package’s version.

Install nginx

apt-get install nginx

Verify it is installed and running by visiting http://127.0.0.1/ or whatever the IP address of your server is configured as. You should see a “Welcome to nginx!” page displayed.

Install MySQL Server

root@cacti-087i:/var/www# apt-get install mysql-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl
  libplrpc-perl mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1
Suggested packages:
  libipc-sharedcache-perl libterm-readkey-perl tinyca
The following NEW packages will be installed:
  libdbd-mysql-perl libdbi-perl libhtml-template-perl libnet-daemon-perl
  libplrpc-perl mysql-client-5.1 mysql-server mysql-server-5.1
  mysql-server-core-5.1
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.0 MB of archives.
After this operation, 56.3 MB of additional disk space will be used.
Do you want to continue [Y/n]?

Note:  You will need to provide a root password for MySQL during installation.

Install PHP CGI

The version I’m installing as of this writing is from the stable repository for Squeeze (Version: 5.3.3-7+squeeze3).

root@cacti-087i:~# apt-get install php5-cgi
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libonig2 libqdbm14 php5-common php5-suhosin
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libonig2 libqdbm14 php5-cgi php5-common php5-suhosin
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,827 kB of archives.
After this operation, 17.7 MB of additional disk space will be used.
Do you want to continue [Y/n]?

Install PHP5 MySQL module

root@cacti-087i:/var/www# apt-get install php5-mysql
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmysqlclient16 mysql-common
The following NEW packages will be installed:
  libmysqlclient16 mysql-common php5-mysql
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,132 kB of archives.
After this operation, 5,050 kB of additional disk space will be used.
Do you want to continue [Y/n]? y

Now I need to set up spawn-fcgi, since this will be the PHP backend for nginx.

Install spawn-fcgi

root@cacti-087i:~# apt-get install spawn-fcgi

Install Daemontools service manager

I will use daemontools as my service manager for fastcgi process.

root@cacti-087i:~# aptitude install daemontools daemontools-run

Now to configure the service…

root@cacti-087i:~# mkdir -p /etc/sv/spawn-fcgi
root@cacti-087i:~# cd /etc/sv/spawn-fcgi

Create a file called ‘run’ in this directory. Use your favorite editor, like VIM!?

root@cacti-087i:/etc/sv/spawn-fcgi# vim.tiny run

Use the following content (tweaked to your environment) in the run file.

root@cacti-087i:/etc/sv/spawn-fcgi# cat run
#!/bin/sh
exec /usr/bin/spawn-fcgi -n -a 127.0.0.1 -p 9000 -u www-data -g www-data -C 5 /usr/bin/php5-cgi

Give the file executable permissions and add it to the services.

root@cacti-087i:/etc/sv/spawn-fcgi# chmod +x run

root@cacti-087i:/etc/sv/spawn-fcgi# update-service --add /etc/sv/spawn-fcgi spawn-fcgi
Service spawn-fcgi added.

Check to see if it is now running…

root@cacti-087i:/etc/sv/spawn-fcgi# ps -edf | grep cgi
root      1943  1931  0 11:59 ?        00:00:00 supervise spawn-fcgi
www-data  1944  1943  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1945  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1946  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1947  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1948  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi
www-data  1949  1944  0 11:59 ?        00:00:00 /usr/bin/php5-cgi

Sweet, looks good so far!

Configure Nginx

Modify nginx’s default configuration file in /etc/nginx/conf.d/default.conf

Change the following to reflect where your web content will be stored. I use /var/www and had to make the directory first.

root@cacti-087i:~#  mkdir /var/www

Modify /etc/nginx/conf.d/default.conf:

server {
    listen       80;
    server_name  localhost;
    root /var/www;
    include /etc/nginx/fastcgi_php;

    location / {
        index  index.php;
        if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php last;
        }
    }
}

Create /etc/nginx/fastcgi_php file now with the following:

location ~ \.php$ {
    include /etc/nginx/fastcgi_params;

    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    if (-f $request_filename) {
        fastcgi_pass 127.0.0.1:9000;
    }
}

Once these files are saved, restart nginx.

root@cacti-0871i:~# /etc/init.d/nginx restart

I created a test file in /var/www/ named index.php:

root@cacti-0871i:~# echo '<?php phpinfo(); ?>' >/var/www/index.php

Test Nginx + PHP

Then I browsed to the site http://127.0.0.1/phptest.php.

Install rrdtool

apt-get install rrdtool

Install PHP5 needed modules

root@cacti-087i:~# apt-get install php5-snmp php5-ldap php5-xmlrpc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  fancontrol libperl5.10 libsensors4 libsnmp-base libsnmp15 lm-sensors
Suggested packages:
  snmp-mibs-downloader sensord read-edid i2c-tools
The following NEW packages will be installed:
  fancontrol libperl5.10 libsensors4 libsnmp-base libsnmp15 lm-sensors
  php5-ldap php5-snmp php5-xmlrpc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,612 kB of archives.
After this operation, 7,008 kB of additional disk space will be used.
Do you want to continue [Y/n]?

Install Cacti Pre-requisites

PHP5-CLI

apt-get install php5-cli

SNMP tools

apt-get install snmp

Install Cacti 0.8.7i

I’m going to download 0.8.7i with PIA (plugin architecture):  http://www.cacti.net/downloads/cacti-0.8.7i-PIA-3.1.tar.gz

wget http://www.cacti.net/downloads/cacti-0.8.7i-PIA-3.1.tar.gz
tar zxvf cacti-0.8.7i-PIA-3.1.tar.gz
cd cacti-0.8.7i-PIA-3.1/

Follow install instructions per Cacti: http://docs.cacti.net/manual:087:1_installation.1_install_unix.5_install_and_configure_cacti

After following the instructions you should be able to get to the Cacti logon screen now.

This is for my own documentation notes.

nginx 502 bad gateway

Note, May 22, 2012: I have since moved away from TCP backend to Unix sockets. This has resolved my sporadic 502’s and gave better performance.
In /etc/rc.local I removed the -a and -p arguments and replaced them with -b /tmp/php.socket, and in my nginx configuration I set fastcgi_pass unix:/tmp/php.socket;

I discovered I needed a manager for fastcgi so I decided on daemontools instead of php-fpm.

Instructions for setting this up are here:  http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:nginx:daemontools_spawnfcgi

I also had to modify my /etc/nginx/fastcgi_php file to reflect that I am now working on TCP port php5-cgi instead of a Unix socket.

location ~ .php$ {
    include /etc/nginx/fastcgi_params;

    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    if (-f $request_filename) {
-        fastcgi_pass unix:/var/run/www/php.sock;
+        fastcgi_pass 127.0.0.1:9000;
    }
}
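
Review bot: the context line `location ~ .php$` at the top of this hunk leaves the dot unescaped, so the regex matches any character followed by php instead of a literal .php extension; write it as `location ~ \.php$`. The added `fastcgi_pass 127.0.0.1:9000;` also has to stay in step with the -a and -p values in the spawn-fcgi run script, so a comment naming that file next to the directive would help.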

This is my run command for the spawn-fcgi service:

root@node1:~# cat /etc/sv/spawn-fcgi/run
#! /bin/sh
exec /usr/bin/spawn-fcgi -n -a 127.0.0.1 -p 9000 -u www-data -g www-data -C 5 /usr/bin/php5-cgi

Now, no more intermittent 502 Bad Gateways. This isn’t nginx’s fault, it’s just PHP crashing and there isn’t a monitor to restart the process. That has been resolved now.

nginx error – 413 Request Entity Too Large

I was getting an error when trying to upload and attach images larger than 2MB via WordPress.

I discovered that nginx has a configuration setting called client_max_body_size that is default set to 1M.

To change this, I altered my nginx vhost configuration and added the following line:

server {
    server_name techish.net www.techish.net;
    root /var/www/techish.net;
    include /etc/nginx/fastcgi_php;
    client_max_body_size 5M;
    location / {
        index index.php;
        if (!-e $request_filename) {
            rewrite ^(.*)$  /index.php last;
        }
    }
}

This should suffice for most of my image uploading needs.  However, if you have large uploads you perform to your server through nginx, you may need to increase that!

Reload nginx

/etc/init.d/nginx reload

Here’s nginx configuration’s HttpCoreModule documentation on this configuration value:

client_max_body_size

syntax: client_max_body_size size
default: client_max_body_size 1m
context: http, server, location

Directive assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request.

If size is greater the given one, then the client gets the error “Request Entity Too Large” (413).

It is necessary to keep in mind that the browsers do not know how to correctly show this error.

Note: You’ll need to match your PHP value also.

/etc/php5/cgi/php.ini

upload_max_filesize = 5M

Restart php-cgi

/etc/init.d/php-cgi restart

 

Gallery3 + Nginx

I have Gallery3 working with Nginx. Here’s my setup and some configuration for http://gallery.techish.net/   I no longer am using Gallery3 or nginx.  (7/21/2012)

  • Nginx 1.0.11
  • PHP 5.3.3-7
  • PHP5 GD Graphics Library
  • Gallery 3.0.2

Nginx virtual host configuration:

server {
    server_name gallery.techish.net;
    root /var/www/gallery.techish.net;
    include /etc/nginx/fastcgi_php;

    location / {
        fastcgi_index  index.php;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  PATH_INFO        $fastcgi_path_info;
        include fastcgi_params;

        index index.php;
        if (-f $request_filename) {
                expires max;
                break;
        }
        if (!-e $request_filename) {
                rewrite ^/(.+)$ /index.php?kohana_uri=$1 last;
        }
    }
}

I also had to modify Gallery3’s configuration (/application/config/config.php):

$config["index_page"] = "";

Many of the tips came from:  http://codex.gallery2.org/Gallery3:Using_NGINX