Month
February 2020
And nothing goes better with fresh croutons than French onion soup!
Posted on February 5, 2020
Turning a bunch of stale sourdough bread into croutons.
Posted on February 5, 2020
A few years ago, I wrote a blog post documenting how I installed a LAMP stack on a Linode VPS running CentOS 7. This set up has been serving me well in the intervening years, but recently CentOS released version 8 of their Linux distribution, so I wanted to investigate what the set up of a similar LAMP stack would look like on CentOS 8.
The good news is that setting up a modern stack is a lot easier on CentOS 8 than it was on CentOS 7. For one thing, many of the defaults on CentOS 8 are better than they were on CentOS 7. For example, Apache on Centos 8 now ships with the Event MPM as the default rather than the Prefork MPM. Additionally, CentOS 8’s new system of module streams makes it much easier to upgrade packages to newer versions. (I’m looking at you PHP!)
So in the hope that this might be helpful to others, below are the steps I followed to install a LAMP stack on a VPS running CentOS 8 and hosted by Linode. Just like last time, I’m not going to fully document each step. Instead, I’m going to link to the different pieces of documentation I used as reference during my setup and include additional notes to clarify what’s important and what you can safely ignore. I also hope to fill in a few gaps that I found in Linode’s documentation, so that you can benefit from the time I spent researching solutions to problems.
Note: CentOS 8 is based on Red Hat Enterprise Linux (RHEL) 8 which is based in turn on Fedora 28. Follow the appropriate instructions in the links below accordingly.
Provisioning
Provision your Linode using the instructions in Getting Started with Linode.
- Turn on Linode’s backup service and set a time for backups to occur in Linode Manager.
- Add a private IP address to the Linode, if needed, using the instructions found in the “Adding Private IP Addresses” section of Linode’s Remote Access documentation. (Private IP addresses are most useful if your Linode will be commumunicating with other Linodes [e.g. a database or redis server] in the same data center.)
- Add private IP addresses of other Linodes to /etc/hosts, if needed.
Domain Name Service (DNS)
- Set up DNS records for your new Linode at your DNS host or domain registrar.
- Set up Reverse DNS using the instructions found in Configure Your Linode for Reverse DNS (rDNS)
EPEL Repository
Install the EPEL repository, which includes extra useful packages not distributed with Centos 8:
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
Security
Secure your Linode using the instructions found in How to Secure Your Server.
- Set up your server to automatically install security updates using the instructions found in Automatic Security Updates with DNF.
- Note: in /etc/dnf/automatic.conf, set:
upgrade_type = security
download_updates = yes
apply_updates = yes
- Note: in /etc/dnf/automatic.conf, set:
- SSH Daemon Options:
- Create .ssh directory and copy public keys to server
- Disable SSH password authentication
- Permit SSH login on both IP4 and IP6 networks
- fail2ban is a software package that monitors your server for signs of possibly malicious access attempts and locks out IP addresses associated with these attempts. Install fail2ban using the instructions found in A Tutorial for Using Fail2ban to Secure Your Server and How to Install Fail2Ban to Protect SSH on CentOS/RHEL 8.
- Configure FirewallD to act as the firewall for your new server using the instructions found in Introduction to FirewallD on CentOS.
- Commands:
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https - Reboot the Linode to activate new permanent firewall rules.
- Commands:
Email Configuration
I don’t run my own email server, and you probably shouldn’t either. It’s just way too easy to misconfigure something and accidentally cause a security vulnerability. As a result, I configure my servers to send necessary email through SendGrid.
- Create a free account with SendGrid, if needed.
- Install Postfix:
sudo dnf install postfix
sudo dnf start postfix
sudo dnf enable postfix - Install mailx:
sudo dnf install mailx
- Install SASL dependencies needed for Postfix/SendGrid connection:
sudo dnf install cyrus-sasl-plain
- Log into SendGrid and create a “Full Access” API Key using the instructions in SendGrid API Keys.
- Configure Postfix for SendGrid using the instructions found in SendGrid Postfix.
- Send a test email to make sure email is configured correctly, replacing the email address with your own email address:
echo "Test mail from Postfix" | mail -s "Test Postfix" you@domain.com
Apache Web Server
- Install Apache:
sudo dnf module install httpd
sudo systemctl enable httpd
sudo systemctl start httpd - Enable SELinux booleans needed to enable necessary features for Apache:
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_can_network_connect_db on
sudo setsebool -P httpd_can_sendmail on
sudo setsebool -P httpd_unified on - Test Apache by visiting your server in a web browser. It should return the welcome page.
PHP
- Install the “remi” repository, which contains the newest versions of PHP for CentOS 8:
sudo dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
- Install PHP 7.4:
sudo dnf module install php:remi-7.4
sudo dnf install php-sodium
sudo systemctl enable php-fpm
sudo systemctl start php-fpm - Restart Apache so that it uses the newly installed php-fpm:
sudo systemctl restart httpd
Test Apache with PHP-FPM
- Create file /var/www/html/info.php that contains only the single line:
<?php phpinfo(); ?>
- In a web browser visit http://hostname.domain.com/info.php, replacing “hostname” and “domain” as needed. A PHP info page should be displayed that includes “FPM/FastCGI” as the “Server API”.
- Delete /var/www/html/info.php since it is no longer needed.
SSL Certificates
- In your DNS host or domain registrar, create a DNS record for a host named “centos8”, assigning it the IP address of your new server.
- Set up a virtual host for testing:
- Create /etc/httpd/centos8.conf containing the following lines. Replace “email” and “domain.com” as needed.
<VirtualHost *:80>
ServerAdmin email@domain.com
ServerName centos8.domain.com
DocumentRoot /var/www/centos8/public_html/
ErrorLog /var/www/centos8/logs/error.log
CustomLog /var/www/centos8/logs/access.log combined<Directory "/var/www/centos8/public_html">
Options FollowSymLinks
AllowOverride AllOrder allow,deny
Allow from all
</Directory></VirtualHost>
- Create and configure the directories referenced in virtual host config file:
sudo mkdir -p /var/www/centos8/public_html
sudo mkdir -p /var/www/centos8/logs
sudo chown -R apache:apache /var/www/centos8/
sudo chmod -R 755 /var/www/centos8/ - Reload Apache config files to start virtual host:
sudo systemctl reload httpd
- Create the file /var/www/centos8/public_html with the following contents:
<html>
<body>
<h1>Hello World: CentOS 8</h1>
</body>
</html> - Visit http://centos8.domain.com (replacing “domain.com” as needed) in a web browser to test your new virtual host. (Note: this is regular HTTP.)
- Create /etc/httpd/centos8.conf containing the following lines. Replace “email” and “domain.com” as needed.
- Install wget (needed for Certbot installation below):
sudo dnf install wget
- Certbot is a project of the EFF that aims to make it simple to install the free SSL certificates issued by Let’s Encrypt. Install Certbot by following the instructions on the Certbot website.
- Install an SSL certificate for centos8.domain.com, replacing “domain.com” as needed:
sudo /usr/local/bin/certbot-auto --apache -d centos8.domain.com
- The IETF no longer recommends the use of TLS 1.0 and TLS 1.1, and the maintainers of major web browsers are removing support for these protocols. However, Certbot still installs support for TLS 1.0 and TSL 1.1. To correct this, the permitted cipher protocols used by Apache should be modified.
- Open /etc/letsencrypt/option-ssl-apache.conf in an editor.
- Find the line that includes “SSLProtocol” and change it to:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
- Restart Apache:
sudo systemctl restart httpd
- Visit https://centos8.domain.com (replacing “domain.com” as needed) in a web browser to test the new SSL certificate.
- Use the SSL Labs SSL Server Test to test the SSL configuration.
MariaDB/MySQL
- Install mariadb module:
sudo dnf module install mariadb
- Install and start the mariadb service:
sudo systemctl enable mariadb
sudo systemctl start mariadb - Initialize and secure MariaDB:
sudo mysql_secure_installation
Conclusion
I hope that these instructions are helpful and save your from having to perform some of the research that I had to do when setting this up for the first time. If you have any suggestions or corrections, please let me know.
Posted on February 5, 2020
Just completed spinning up my first server based on Centos 8. LAMP stack installed, secured, and (most importantly) documented.
Posted on February 3, 2020
? You know, all these permission denied errors could just go away. All it would take is disabling SELinux.
? Now you know that’s not the right answer. You’d solve your problem today, but security would be compromised forever.
? But at least the problem would be solved!
⚖️?