What to do after Centmin Mod initial install ?
After the Centmin Mod initial install, there are certain steps to set up and configure your VPS or dedicated server, including enabling free SSL certificates via the Letsencrypt integration. I'll outline below the steps I take right after a Centmin Mod install. Ultimately, how much benefit you get out of using the Centmin Mod LEMP web stack is directly related to how much effort and time you put into reading and learning how the Centmin Mod LEMP web stack operates. Reading the information below in full will definitely be a step in the right direction!
- Setup The Default Server Main Hostname Nginx Vhost
- Add Your First Domain Name's Nginx Vhost Configuration
- Setup Domain Name Newdomain.Com's DNS Settings
- CSF Firewall Settings
- Proxies And Visitor's Real IP Address
- Example Nginx Configurations
- Centmin Mod Addons
- Setting Up @Yourdomain.Com Based Emails
- Enable Google Nginx PageSpeed ?
- Backing Up Your Server Data
- MySQL Database Management
- Keeping Server Up To Date / Security
- Statistics Pages
- PHP-FPM Security
- Centmin Mod Community Forums
- Linux Monitoring & Troubleshooting Tools
- Customising php.ini Settings
- Managing root user emails
- Keeping Centmin Mod Code Updated
- Ensure Postfix Outbound Emails Do Not End Up In Spam Inbox
- How To Boost Centmin Mod LEMP Stack Performance
- Summary
1. Setup the default server main hostname Nginx vhost.
Note: remember to also add the appropriate DNS A record for your hostname.newdomain.com pointing to the main server's IP address.
The default server main hostname is a separate hostname from your normal web site domain names and cannot be the same. For example, if my intended site domain name is centminmod.com, the default server main hostname you set in this step 1 will be different, i.e. mainhost.centminmod.com. The mainhost part can be any subdomain you like as long as it's not the same as your intended site domain name, which in this example is centminmod.com.
Your default server hostname is usually the hostname you used to purchase the VPS or dedicated server in the first place. It's basically a subdomain that links to your order, so it would usually be something like hostname.newdomain.com where the subdomain = hostname; it can be any name you like if you have a particular naming theme. I like to have a hostname that lets me differentiate between the web hosts I use, as I use many different web hosts. So if on my order form with the web host I specified my hostname as hostname.newdomain.com, then the VPS or dedicated server's hostname is hostname.newdomain.com. You can confirm this within SSH telnet by typing:
uname -n
which would output
hostname.newdomain.com
Add DNS entries for hostname.newdomain.com
To be able to properly resolve your server's hostname.newdomain.com, you need to add a DNS A record entry pointing to your server's main IP address in newdomain.com's DNS via your domain registrar's DNS manager, or, if DNS is hosted locally, via NSD (see step 3 below). You may also want to add a SPF/TXT DNS record for this hostname just to cover emails sent from your server via Postfix. For the hostname record you can either use a CNAME DNS entry or, my preferred option, an A record pointing to your server's IP address. This way, if you have 3x VPS servers with main hostnames like hostname1.newdomain.com, hostname2.newdomain.com and hostname3.newdomain.com, I would add 3 separate A records for newdomain.com (hostname1, hostname2 and hostname3) pointing to the 3 separate VPS servers' IP addresses.
If you're looking for a reliable and free DNS provider, you can use Cloudflare DNS Only hosting.
Here's an example from Namesilo.com's DNS management area for adding a DNS A record for hostname.mydomain.com pointing to server IP address = 1.1.1.1.
To cover the main hostname's sent email via Postfix, you may also want to add a SPF/TXT DNS record for this main hostname, i.e. hostname.newdomain.com, with simply the following:
"v=spf1 a ~all"
Changing hostname
If the hostname returned from uname -n command does not match the hostname you used to place your order for your server, then you can get your web host to correct it for you or do it yourself as follows:
For CentOS 6.x, as root user in SSH telnet edit file at /etc/sysconfig/network. Using nano, vi or pico text editor:
nano -w /etc/sysconfig/network
Change HOSTNAME variable to your desired hostname. It has to be a valid hostname in format of hostname.newdomain.com.
HOSTNAME=hostname.newdomain.com
For CentOS 7.x, AlmaLinux 8/9 or Rocky Linux 8/9, as root user in SSH telnet edit file at /etc/hostname. Using nano, vi or pico text editor:
nano -w /etc/hostname
For CentOS 7.x, AlmaLinux 8/9 or Rocky Linux 8/9 the file just needs the hostname itself, nothing else:
hostname.newdomain.com
For CentOS 7.x, AlmaLinux 8/9 or Rocky Linux 8/9 you can use hostnamectl command to check and set the hostname too:
hostnamectl status
hostnamectl --help
hostnamectl [OPTIONS...] COMMAND ...

Query or change system hostname.

  -h --help              Show this help
     --version           Show package version
     --transient         Only set transient hostname
     --static            Only set static hostname
     --pretty            Only set pretty hostname
  -P --privileged        Acquire privileges before execution
     --no-ask-password   Do not prompt for password
  -H --host=[USER@]HOST  Operate on remote host

Commands:
  status                 Show current hostname settings
  set-hostname NAME      Set system hostname
  set-icon-name NAME     Set icon name for host
  set-chassis NAME       Set chassis type for host
To set the hostname:
hostnamectl set-hostname hostname.newdomain.com
Edit /etc/hosts file in SSH telnet and add a new entry to existing entries associating your server's main IP address i.e. 111.222.333.444 to the new hostname
111.222.333.444 hostname.newdomain.com hostname
On one of my VPS /etc/hosts now looks like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
111.222.333.444 hostname.newdomain.com hostname
Type following:
hostname hostname.newdomain.com
Then restart network service via command for AlmaLinux/Rocky Linux 8/9:
systemctl restart NetworkManager
systemctl status NetworkManager --no-pager -l
Then restart network service via command for CentOS 7:
service network restart
service network status
Now try uname -n command again.
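As an added example (not part of Centmin Mod), the following shell functions check the three things this step depends on before you move on to the Nginx vhost: that the hostname is a proper FQDN like hostname.newdomain.com, that it differs from the site domain you intend to host (the rule from step 1), and that /etc/hosts maps the server IP to it. The hosts file path is a parameter so the check can be run against a copy; the demo at the bottom uses a constructed hosts file and the page's placeholder IP 111.222.333.444.

```shell
# Added example, not Centmin Mod's own code: pre-flight checks for the main hostname step.

# is_fqdn NAME -> 0 if NAME has at least two labels, e.g. hostname.newdomain.com
is_fqdn() {
  printf '%s\n' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# hostname_distinct HOSTNAME SITEDOMAIN -> 0 if the main hostname is not the site domain itself
hostname_distinct() {
  [ "$1" != "$2" ]
}

# hosts_maps IP HOSTNAME HOSTSFILE -> 0 if HOSTSFILE has an entry for IP that lists HOSTNAME
hosts_maps() {
  awk -v ip="$1" -v name="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
    END { exit found ? 0 : 1 }' "$3"
}

# hostname_preflight HOSTNAME SITEDOMAIN IP [HOSTSFILE] -> prints one line per check, 0 when all pass
hostname_preflight() {
  hn=$1; site=$2; ip=$3; hosts=${4:-/etc/hosts}; rc=0
  is_fqdn "$hn" && echo "ok: $hn is a valid FQDN" || { echo "FAIL: $hn is not a valid FQDN"; rc=1; }
  hostname_distinct "$hn" "$site" && echo "ok: hostname differs from site domain $site" \
    || { echo "FAIL: hostname must not equal site domain $site"; rc=1; }
  hosts_maps "$ip" "$hn" "$hosts" && echo "ok: $hosts maps $ip to $hn" \
    || { echo "FAIL: add '$ip $hn ${hn%%.*}' to $hosts"; rc=1; }
  return $rc
}

# Demo on a constructed hosts file; on a live server you would run
#   hostname_preflight "$(uname -n)" newdomain.com YOUR.SERVER.IP.ADDRESS
demo_hosts=$(mktemp)
printf '127.0.0.1 localhost\n111.222.333.444 hostname.newdomain.com hostname\n' > "$demo_hosts"
hostname_preflight hostname.newdomain.com newdomain.com 111.222.333.444 "$demo_hosts" || true
rm -f "$demo_hosts"
```

The /etc/hosts check is the one that is easy to forget: uname -n can report the new name while /etc/hosts still only maps 127.0.0.1, which is exactly the state in which Postfix and other daemons fail to resolve their own hostname.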
The server's default hostname's Nginx vhost configuration file is located at /usr/local/nginx/conf/conf.d/virtual.conf and can be accessed quickly via command shortcut within SSH telnet:
vhostconf
The command shortcut invokes the nano linux text editor, you can read up more about nano here and here.
Or via your favourite linux text editor nano, pico or vi edit /usr/local/nginx/conf/conf.d/virtual.conf
nano -w /usr/local/nginx/conf/conf.d/virtual.conf
You need to change one line within this default hostname's Nginx vhost configuration file: the server_name, which is defined as localhost.
Note: Centmin Mod v1.2.3-eva2000.04+ and higher will automatically do this step.
server_name localhost;
Change localhost to the default hostname, hostname.newdomain.com, as per below:
server {
    # listen 80;
    listen 80 default_server;
    server_name hostname.newdomain.com;
    root html;

    access_log /var/log/nginx/localhost.access.log main buffer=32k;
    error_log /var/log/nginx/localhost.error.log error;

    # limit_conn limit_per_ip 16;
    # ssi on;

    location / {
        # Enables directory listings when index file not found
        # autoindex on;
        # Shows file listing times as local time
        # autoindex_localtime on;
        # Enable for vBulletin usage WITHOUT vbSEO installed
        # try_files $uri $uri/ /index.php;
    }

    # example nginx-http-concat
    # /csstest/??one.css,two.css
    #location /csstest {
    #concat on;
    #concat_max_files 20;
    #}

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
}
2. Add your first domain name's Nginx vhost configuration.
You will need to enable Centmin Mod's free SSL certificate support via its Letsencrypt integration. If you use Cloudflare in front of your domains, pay attention to the section on using the recommended Cloudflare DNS API domain validation method instead of the default Letsencrypt webroot domain validation method.
You can add a new domain Nginx vhost site via centmin.sh menu option #2 as per the instructions outlined here, or via the new /usr/bin/nv SSH command line method outlined here. If you wish to use IPv6 you need to enable it within Nginx and update the domain DNS with an AAAA record. For Nginx IPv6 setup instructions, read FAQ item 34.
If you need to create multiple Nginx vhosts and MySQL users/databases, check out the forum guide here.
Also ensure your site domain name and server main hostname have valid SPF/TXT and PTR DNS records setup as outlined here.
When you run menu option #2, you will be prompted to enter the domain name you want to add, whether you want to create a self-signed SPDY SSL certificate vhost as well, your desired Pure-FTPD virtual FTP username, and whether you want to auto generate the FTP password or set one yourself. I recommend you auto generate the FTP password for a stronger password. Once entered, it will check if the domain name already exists within Nginx. If the domain name doesn't already exist, it will create your Nginx vhost configuration file, your site's web directory and public web root, and your site's log directory, and give you the full path locations to these for your own records. Make note of these.
If you need to delete the Nginx vhost/domain and data later on, read the Nginx vhost and domain deletion guide here.
In the example below, I added a new domain called newdomain.com.
- Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
- Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
- Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
- Vhost public web root will be at /home/nginx/domains/newdomain.com/public
- Vhost log directory will be at /home/nginx/domains/newdomain.com/log
--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

---------------------------------------------
Enter vhost domain name to add (without www. prefix): newdomain.com
Create a self-signed SSL certificate Nginx vhost? [y/n]: y
Create FTP username for vhost domain (enter username): MYFTPUSERNAME
Auto generate FTP password (recommended) [y/n]: y
FTP username you entered: MYFTPUSERNAME
FTP password auto generated: WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
Password:
Enter it again:
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
Generating a 2048 bit RSA private key
.................................................................................................................................+++
..................................................................+++
writing new private key to 'newdomain.com.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=newdomain.com/CN=newdomain.com
Getting Private key
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.........................................................................................................................................................................................................................................................................................+....................................................+..............................................................................................................................................................................................................+.....................................................................................................................................................................+.............................................................................+.............................................................................................................................+....................................................................................................+...........................................................................................+........................................................................................................................................................+...............................................................................................
........................................................++*++*
dhparam file generation time: 12.149109355
-------------------------------------------------------------
service nginx reload
Reloading nginx configuration (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service
-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully
domain: http://newdomain.com
vhost conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.conf
vhost ssl for newdomain.com created successfully
domain: https://newdomain.com
vhost ssl conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
upload files to /home/nginx/domains/newdomain.com/public
vhost log files directory is /home/nginx/domains/newdomain.com/log
-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

Jul 16 19:04   845 ssl.conf
Jul 16 19:04  1.1K demodomain.com.conf
Jul 16 19:08  1.6K virtual.conf
Jul 20 01:09  1.9K newdomain.com.conf
Jul 24 01:42  1.7K newdomain2.com.conf
Jul 24 01:42  3.4K newdomain2.com.ssl.conf
Jul 24 01:51  1.7K newdomain.com.conf
Jul 24 01:51  3.4K newdomain.com.ssl.conf
-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/newdomain.com

Jul 24 01:50  1.7K newdomain.com.key
Jul 24 01:50  1009 newdomain.com.csr
Jul 24 01:50  1.2K newdomain.com.crt
Jul 24 01:51   424 dhparam.pem
-------------------------------------------------------------
Commands to remove newdomain.com

rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
rm -rf /home/nginx/domains/newdomain.com
service nginx restart
-------------------------------------------------------------
Uploading files to the new Nginx vhost domain
Centmin Mod FAQ #2 outlines that Centmin Mod isn't for shared hosting right now. Jailed chrooted Nginx vhost user accounts are in the works (see preview). So right now, to upload files you use the server's native SFTP support: set your FTP client to use SFTP with username = root, fill in your server's IP address and SSH port (default is 22, unless you changed it), and point the remote directory to your web root at /home/nginx/domains/newdomain.com/public.
With Centmin Mod 1.2.3-eva2000.08+ and higher, you can also use the generated Pure-FTPD virtual FTP username and password that you created via centmin.sh menu option #2, which would have output the relevant info (the FTP details block shown below, after the firewall note).
Other Firewalls
- Note: passive Pure-ftpd TCP ports in the range 3000 to 3050 for Centmin Mod 123.08stable, or 30001 to 50011 for Centmin Mod 123.09 beta and higher, are required to be open for the Pure-ftpd server to accept connections. The CSF Firewall installed by Centmin Mod takes care of this on the server side.
- However, if you have other firewalls between your connecting computer and the Centmin Mod server, they may block connections as well. Some web hosts such as Amazon AWS EC2, Google Cloud Compute, Vultr and OVH (OVH Gaming servers) may have their own firewall in front of your server which you can either turn off or configure to whitelist the required TCP ports. The CSF Firewall config file /etc/csf/csf.conf has a comma separated list of default whitelisted ports for the variables TCP_IN, TCP_OUT, TCP6_IN, TCP6_OUT, UDP_IN, UDP_OUT, UDP6_IN and UDP6_OUT that you can reference. If your local PC or router has restricted ports, you may also need to whitelist them at that level as well.
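When an FTP client cannot connect, the first thing to rule out is the server-side firewall. The shell functions below are an added example (not part of Centmin Mod or CSF) that parse the TCP_IN style variables out of a csf.conf and report whether port 21 and the passive PASV range are allowed, so you can confirm the server side before chasing the provider's firewall or your router. The demo at the bottom runs against a constructed csf.conf excerpt; on a real server you would pass /etc/csf/csf.conf and the range for your Centmin Mod version.

```shell
# Added example, not Centmin Mod's or CSF's own code: check csf.conf for the Pure-FTPD ports.

# csf_get_list FILE VAR -> prints the comma-separated list assigned to VAR (e.g. TCP_IN)
csf_get_list() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_port_allowed FILE VAR PORT -> 0 if PORT is listed on its own or inside a lo:hi range entry
csf_port_allowed() {
  list=$(csf_get_list "$1" "$2")
  [ -n "$list" ] || return 1
  echo "$list" | tr ',' '\n' | awk -v p="$3" '
    /^[0-9]+$/ && ($1 + 0) == (p + 0) { ok = 1 }
    /^[0-9]+:[0-9]+$/ { split($0, r, ":"); if ((p + 0) >= (r[1] + 0) && (p + 0) <= (r[2] + 0)) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# csf_range_allowed FILE VAR LO HI -> 0 only if one lo:hi entry covers all of LO..HI
# (ports listed one by one are not counted; a passive range belongs in csf.conf as a single entry)
csf_range_allowed() {
  list=$(csf_get_list "$1" "$2")
  [ -n "$list" ] || return 1
  echo "$list" | tr ',' '\n' | awk -v lo="$3" -v hi="$4" '
    /^[0-9]+:[0-9]+$/ { split($0, r, ":"); if ((r[1] + 0) <= (lo + 0) && (r[2] + 0) >= (hi + 0)) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# pureftpd_firewall_check FILE LO HI -> prints one line per check, returns 0 when all pass
pureftpd_firewall_check() {
  rc=0
  if csf_port_allowed "$1" TCP_IN 21; then
    echo "ok: TCP_IN allows 21"
  else
    echo "FAIL: TCP_IN does not allow 21"; rc=1
  fi
  if csf_range_allowed "$1" TCP_IN "$2" "$3"; then
    echo "ok: TCP_IN allows passive range $2:$3"
  else
    echo "FAIL: add $2:$3 to TCP_IN in $1 and run csf -r"; rc=1
  fi
  return $rc
}

# Demo on a constructed csf.conf excerpt (a real run: pureftpd_firewall_check /etc/csf/csf.conf 30001 50011)
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed excerpt, not a real csf.conf
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30001:50011"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF
pureftpd_firewall_check "$demo_conf" 30001 50011 || true
rm -f "$demo_conf"
```

A passing result only proves the server side; if the client still cannot enter passive mode, the block is in front of the server (provider firewall, router or local PC), which is where the note above points you next.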
Ensure to setup your FTP client's settings to enable FTP explicit SSL with SSL certificate verification disabled (as the Pure-FTPD server TLS/SSL is setup with self-signed certificate) and that FTP Passive PASV support is enabled.
-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully
Location you upload files is listed when you created your new Nginx vhost:
upload files to /home/nginx/domains/newdomain.com/public
Whenever you have finished uploading new files, you need to give them the correct user and group permissions; within an SSH window as root user type:
chown -R nginx:nginx /home/nginx/domains/newdomain.com/public
You do not need to do this for files created via PHP-FPM or Nginx, i.e. if you use Wordpress and used the Wordpress admin to add a new Wordpress plugin, the plugin will automatically have nginx user and group permissions as it was processed by PHP-FPM.
To verify the files and directories have nginx user and group permissions, use the command
ls -lah directorypath
i.e.
ls -lah /home/nginx/domains/newdomain.com/public
total 36K
drwxr-sr-x 2 nginx nginx  151 Aug 11 05:24 .
drwxr-sr-x 6 nginx nginx   56 Aug 11 05:24 ..
-rw-r--r-- 1 nginx nginx 1.6K Aug 11 05:24 403.html
-rw-r--r-- 1 nginx nginx 1.6K Aug 11 05:24 404.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 500.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 502.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 503.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 504.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 50x.html
-rw-r--r-- 1 nginx nginx 1.2K Aug 11 05:24 index.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 maintenance.html
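Reading ls -lah output by eye does not scale once a site has thousands of files. As an added example (not Centmin Mod's own code), the functions below audit a web root after an upload: they count entries not owned by the expected user:group (the ones that still need the chown from above) and entries that are world-writable, which upload clients sometimes leave behind and which neither Nginx nor PHP-FPM needs. DIR, USER and GROUP are parameters; on a Centmin Mod vhost you would run it as root with nginx nginx and the vhost's public directory.

```shell
# Added example, not Centmin Mod's own code: ownership and permission audit of a web root.

# wrong_owner_count DIR USER GROUP -> number of entries under DIR not owned by USER:GROUP
wrong_owner_count() {
  find "$1" \( ! -user "$2" -o ! -group "$3" \) | wc -l | tr -d ' '
}

# world_writable_count DIR -> number of world-writable files or directories (symlinks skipped)
world_writable_count() {
  find "$1" ! -type l -perm -o=w | wc -l | tr -d ' '
}

# webroot_audit DIR USER GROUP -> prints findings (first 20 offenders each), 0 when nothing needs fixing
webroot_audit() {
  rc=0
  bad_owner=$(wrong_owner_count "$1" "$2" "$3")
  bad_perm=$(world_writable_count "$1")
  if [ "$bad_owner" -eq 0 ]; then
    echo "ok: everything under $1 is owned by $2:$3"
  else
    echo "FAIL: $bad_owner entries not owned by $2:$3 (fix: chown -R $2:$3 $1)"
    find "$1" \( ! -user "$2" -o ! -group "$3" \) | head -n 20
    rc=1
  fi
  if [ "$bad_perm" -eq 0 ]; then
    echo "ok: no world-writable entries under $1"
  else
    echo "FAIL: $bad_perm world-writable entries under $1 (fix: chmod o-w on each)"
    find "$1" ! -type l -perm -o=w | head -n 20
    rc=1
  fi
  return $rc
}

# Usage on a Centmin Mod vhost (as root; find -user needs the nginx user to exist):
#   webroot_audit /home/nginx/domains/newdomain.com/public nginx nginx
```

Running the audit after every upload, rather than an unconditional chown -R, also tells you when an upload tool has started changing modes, which is worth knowing before the next plugin or theme goes live.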
3. Setup domain name newdomain.com's DNS settings.
Note: If you chose to use DigitalOcean for your VPS, they also offer DNS management for your domain hosted with them. Update your domain registrar's records to point to the DigitalOcean name servers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com). Then you can manage DNS from their control panel.
I always use a 3rd party web host's or domain registrar's DNS name servers rather than NSD DNS hosted on the same Centmin Mod server, for higher uptime, stability and better performance. I use DNSMadeEasy DNS services for Anycast DNS performance, which you can read about on my blog.
To use 3rd party DNS, just follow Part 1 outlined here. If on the other hand you want to host DNS locally on your server via NSD on the Centmin Mod installed server, you need to do both Part 1 (creating private or vanity nameservers with your domain registrar) and Part 2 outlined here.
You can see a full step by step example of setting up a local NSD DNS nameservers for your added domains on the Centmin Mod Community forums.
Remember to check that your domain name's DNS is properly configured at both your domain registrar and web server end (NSD) by running the domain name through these 3 DNS test sites.
4. CSF Firewall settings.
CSF Firewall is an important tool to keep your server secure. If you have issues with blocked FTP/SCP, connecting to remote MySQL servers or sending outgoing email via 3rd party SMTP providers, then you need to whitelist IPs and/or ports. All info is available here and on the Centmin Mod Community forums. It's a must read if you rely on or use web services such as Pingdom.com, NodePing.com or other monitoring services, or have other servers connecting to and from your Centmin Mod based server (i.e. remote MySQL database servers).
Whitelist IP addresses: If you have any other servers which you want to connect to/from this Centmin Mod install, you'd want to whitelist and allow them in CSF Firewall. This also helps if you ever get locked out of the server by CSF Firewall: you can still log in via one of the other whitelisted servers you have access to. If you want a cheap 2nd VPS to do this from, check out RamNode's 128MB memory and 50GB disk space based OpenVZ SSD-Cached VPSes from US$15-24/yr (yes per year!). You can install Centmin Mod on the 2nd VPS too and even use the 2nd VPS as a backup server. Just remember to whitelist this 2nd VPS server's IP address and vice versa whitelist the 1st VPS server's IP address on the 2nd VPS server.
If you need to whitelist a dynamic IP address, you would need to use a dynamic DNS service provider like noip.com or dnsexit.com to create a hostname to point to your dynamic IP address and then use a provided client to auto or manually update that hostname's assigned dynamic IP address when it is changed at your ISP level. You will then need to enable CSF Firewall's Dynamic DNS support options outlined on the forums here.
Setup a 128MB VPS backup: With 128MB low memory VPS (and at least 64MB swap file), there's a minor Centmin Mod tweak needed prior to actual install of Centmin Mod.
- For Centmin Mod 123.08stable and below, prior to the actual Centmin Mod install (via centmin.sh menu option #1), edit inc/memcheck.inc, find the ISLOWMEM variable and change its value from 262144 KB to 131072 KB. Then run centmin.sh and select menu option #1.
- For Centmin Mod 123.09beta01 and higher, there's now a persistent config file option available, LOWMEM_INSTALL='y', outlined here.
It is still recommended for best performance to have a minimum 256MB of memory, but at least with this updated change you can suffice with a 128MB Low End Box VPS.
If you don't use PHP, MySQL, Memcached server or Pure-FTPD server on the 128MB VPS server, you can disable those 4 services with these commands:
service php-fpm stop
service mysql stop
service memcached stop
service pure-ftpd stop
chkconfig memcached off
chkconfig php-fpm off
chkconfig mysql off
chkconfig pure-ftpd off
To renable them:
service php-fpm start
service mysql start
service memcached start
service pure-ftpd start
chkconfig memcached on
chkconfig php-fpm on
chkconfig mysql on
chkconfig pure-ftpd on
5. Proxies and visitor's real IP address.
If you use a reverse proxy or proxy service such as Cloudflare, Amazon AWS Cloudfront, Incapsula, Google PageSpeed Service or Varnish Cache in front of the Nginx web server, you need to properly set up Nginx via Nginx's ngx_http_realip_module module, otherwise your logs and any IP based rules see the proxy's address rather than the visitor's. You can find the guide link on the Nginx Configuration page or directly here. For Cloudflare, to prevent IP leaks you also want to enable Cloudflare Authenticated Origin Pull certificates on your Cloudflare Full SSL enabled sites.
6. Example Nginx configurations.
Example Nginx configurations for Nginx SSL setup, Nginx Google SPDY, OCSP Stapling, Wordpress, Xenforo, vBulletin etc. are available here.
7. Centmin Mod Addons.
Check out additional Centmin Mod Addons, which are standalone scripts to further extend Centmin Mod.
8. Setting up @yourdomain.com based emails.
Check out how to setup @yourdomain.com with third party free or paid email providers like Zoho Mail, Google Apps, Microsoft Outlook, Atmail, FastMail, Rackspace Email, and Amazon WorkMail. Also ensure your site domain name and server main hostname have valid DMARC, SPF/TXT and PTR DNS records setup as outlined here.
9. Enable Google Nginx PageSpeed ?
Decide whether you want to enable Google Nginx ngx_pagespeed module and PageSpeed Console.
10. Backing up your server data
- 250GB Storage Backup (KVM VPS) = $10/month
- 500GB Storage Backup (KVM VPS) = $20/month
- 750GB Storage Backup (KVM VPS) = $30/month
- 1000GB Storage Backup (KVM VPS) = $40/month
While there are no actual included tools for backing up your Centmin Mod based server, you should still look into backup options available from your web host if any. If you chose to use DigitalOcean for your VPS, they include options for both nightly backups and snapshot backups for your VPS that you can enable. Backup option cost is ~10% of your VPS cost.
Another cheap option if you have less than 50GB of data is RamNode's 128MB memory and 50GB disk space based OpenVZ SSD-Cached VPSes from US$15-24/yr (yes per year!). Just remember the tweaks needed for a 128MB VPS Centmin Mod install.
Then there are the Backupsy.com KVM based VPS storage servers listed above. They have servers located in Dallas, TX; Miami, FL; Chicago, IL; Denver, CO; Buffalo, NY; Los Angeles, CA and The Netherlands. Very cheap if you need a lot of storage and, best of all, for an additional $2/month you can upgrade to normal VPS usage instead of restricted backup usage and install Centmin Mod on them as well.
11. MySQL database management
Note: default /etc/my.cnf sets default storage engine to MyISAM (default-storage-engine = MyISAM). If you want to use InnoDB storage engine tables, set in /etc/my.cnf, default-storage-engine = InnoDB and restart MySQL server.
Update: August 9th, 2016: if you need to create multiple Nginx vhosts and MySQL users/databases, check out the forum guide here.
Currently, Centmin Mod doesn't bundle any tools to manage MariaDB MySQL by default. You have to do it:
- Via the SSH telnet command line: see the MySQL documentation at http://dev.mysql.com/doc/refman/5.5/en/tutorial.html, MySQL Access Privilege System and MySQL User Account Management (examples shown in the Wordpress + WP-FFPC plugin + ngx_pagespeed guide and in the IP.Board setup guide) OR
- Install phpmyadmin yourself via the Centmin Mod Addon that is currently in beta status (the addon properly secures the phpmyadmin installation unlike other online guides) (see more info further below) OR
- Install tools such as HeidiSQL on your own PC to connect to your server.
Centmin Mod Addons - phpmyadmin.sh & mysqladmin_shell.sh
- If you need to create MySQL databases, there's a custom Centmin Mod Addon for installing phpmyadmin
- There's also another Addon I wrote called mysqladmin_shell.sh which can be run from SSH command line instead.
Both Addons are in a beta build state, so there's no 100% guarantee it will always work. Your feedback on the forums and testing will help me improve the Addons ;)
12. Keeping server up to date / Security
Owning a VPS or dedicated server means you're responsible for keeping the server's software up to date. I suggest you sign up for the pushover.net service and download the appropriate Pushover mobile app client to your mobile or tablet device. This will allow you to use your Pushover user key email for notifications for backups or updates, i.e. yourUSERkey+devicename+p1@api.pushover.net. Then set up automatic nightly YUM updates via yum-cron and, as an added precaution, install the Centmin Mod Addon for an anti-virus malware scanner, Linux Malware Detect (maldet) + ClamAV scanner, and if on Centmin Mod 123.09beta01 or newer, to help troubleshoot issues in future, install and read up on how to use addons/auditd.sh.
13. Statistics Pages
You can find discussion thread here.
A PHP opcode cacher is installed by default. For Centmin Mod 1.2.3-eva2000.07 stable PHP 5.4.33 is installed with APC Cache 3.1.13. Centmin Mod supports other PHP opcode cachers via running centmin.sh menu options for Xcache and Zend Opcache. All three PHP opcode cachers have their own respective statistics admin pages.
Memcached server 1.4.20 is installed by default with both memcache and memcached/libmemcached PHP extension support. It too has its own statistics admin page.
For all PHP opcode caches, APC Cache, Xcache, Zend Opcache and Memcached server caching, the admin statistics pages are located and served from the Centmin Mod default hostname web root /usr/local/nginx/html/ at your hostname.yourdomain.com/* (outlined in step 1 of Getting Started guide) as well as a PHP INFO page at XXX_phpi.php. So to access these files you would go to hostname.yourdomain.com/${N}_myapc.php.
- APC Cache - located at /usr/local/nginx/html/${N}_myapc.php where ${N} is a randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. You can password protect the file if you want and/or change its filename and location.
- Xcache - located at /usr/local/nginx/html/myxcacheadmin which is username and password protected with a unique login auto generated for each Centmin Mod installation. You can change the directory location and name if you want after install. Username and password are located in your Centmin Mod initial install log at /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log
- Zend Opcache - located at /usr/local/nginx/html/${N}_opcache.php where ${N} is a randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. You can password protect the file if you want and/or change its filename and location.
- Memcached - located at /usr/local/nginx/html/memcache_${N}.php where ${N} is a randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. The Memcached statistics page has an auto generated username and password unique to each Centmin Mod install which is printed out at the end of the Centmin Mod initial install output. If you missed that info, you can find the username and password in your Centmin Mod initial install log at /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log. You can use grep to easily find the relevant part of the install log containing the user/pass details:
grep -A13 'Setup memcached_' /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log
- PHP INFO page - located at XXX_phpi.php where XXX is a randomised number unique to each Centmin Mod installation. You can change the file name or location after install.
For all 5 locations, in addition to password protection you can also restrict access by IP address via a location context added to your main hostname's Nginx vhost at /usr/local/nginx/conf/conf.d/virtual.conf (the vhostconf command shortcut opens it in the nano text editor).
Make sure the file names in the location regex match your installation's specific filenames.
location ~ ^/(XX_op|memcache_XXX|XXX_phpi\.php) {
  include /usr/local/nginx/conf/php.conf;
  allow 127.0.0.1;
  allow YOURIPADDRESS;
  deny all;
}
location ~ ^/myxcacheadmin {
  include /usr/local/nginx/conf/php.conf;
  allow 127.0.0.1;
  allow YOURIPADDRESS;
  deny all;
}
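The location regex above has to be filled in by hand with your install's random filenames. As an added example (my own helper, not Centmin Mod code), the shell function below looks up whichever statistics pages exist in a web root and prints a matching location block. It assumes the default file naming from this section (*_phpi.php, *_opcache.php, *_myapc.php, memcache_*.php) and takes the web root and your own IP address as arguments; the trailing $ anchor on the regex is my choice, so only those exact filenames are matched.

```shell
# Added example, not Centmin Mod's own code: print an Nginx location block that
# IP-restricts whichever Centmin Mod statistics pages exist in a web root.
# Assumes the default file naming from this section: *_phpi.php, *_opcache.php,
# *_myapc.php and memcache_*.php.
# Usage: gen_stats_location <webroot> <allowed-ip>
gen_stats_location() {
  webroot="$1"; allow_ip="$2"
  names=""
  for f in "$webroot"/*_phpi.php "$webroot"/*_opcache.php \
           "$webroot"/*_myapc.php "$webroot"/memcache_*.php; do
    [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
    base=$(basename "$f")
    # escape dots so the regex matches the literal filename
    esc=$(printf '%s' "$base" | sed 's/\./\\./g')
    names="${names:+$names|}$esc"
  done
  [ -n "$names" ] || { echo "no statistics pages found in $webroot" >&2; return 1; }
  # "$" anchors the regex so only these exact filenames are matched. The block
  # must sit above the generic "location ~ \.php$" in the vhost, because Nginx
  # uses the first regex location that matches.
  printf 'location ~ ^/(%s)$ {\n' "$names"
  printf '  include /usr/local/nginx/conf/php.conf;\n'
  printf '  allow 127.0.0.1;\n  allow %s;\n  deny all;\n}\n' "$allow_ip"
}
```

Run it as gen_stats_location /usr/local/nginx/html YOURIPADDRESS and paste the output into virtual.conf above the existing php.conf include; Nginx checks regex locations in the order they appear, so a block placed below the generic .php location would never be reached.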
To edit the memory allocation or other settings for the PHP opcode caches, edit each cache's respective PHP *.ini file, which you can find via this SSH command:
php --ini
Sample output for APC Cache with Memcached server:
php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/apc.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini
So to edit the memory allocation for APC Cache, edit /etc/centminmod/php.d/apc.ini; for Xcache, edit /etc/centminmod/php.d/xcache.ini; and for Zend Opcache, edit /etc/centminmod/php.d/zendopcache.ini. You need to restart the PHP-FPM service after making *.ini file changes.
Memcached server memory allocation, however, is set directly within the /etc/init.d/memcached startup script. The default memory allocation for Memcached server is set by MEMSIZE and is 8MB. You need to restart the Memcached service after making /etc/init.d/memcached changes.
BINNAME=memcached
BIN=/usr/local/bin/memcached
USER=nobody
LOGGING='n'
LOGFILE="/var/log/memcached.log"
LOGFILEB="/var/log/memcached2.log"
CON=1024
THREADS=4
MINSP=72
CHUNKF=1.25
PORT1=11211
PORT2=11212
SOCKET_ENABLE=n
SOCKETA='-s /var/run/memcached/memcached1.sock -a 0755'
SOCKETB='-s /var/run/memcached/memcached2.sock -a 0755'
MEMSIZE=8
SERVERCOUNT=1
SERVERIP='127.0.0.1'
OPTIONS='-o slab_reassign,slab_automove'
14. PHP-FPM Security
To further lock down PHP-FPM, Centmin Mod 1.2.3-eva2000.08 and higher enable open_basedir restrictions, and you can also manually disable some PHP functions. However, check with your respective web app's PHP developers whether the functions you plan to disable are needed; otherwise disabling them can break your PHP web app software.
At the very bottom of the PHP-FPM config file at /usr/local/etc/php-fpm.conf (SSH command shortcut = fpmconf), just after the PHP error log definition, you will find a line like the one below if using Centmin Mod 1.2.3-eva2000.08 beta; if using the Centmin Mod 1.2.3-eva2000.07 stable release, you need to add that line right after the PHP error log definition yourself. Editing the PHP-FPM config file is preferred over editing php.ini as it will survive subsequent PHP-FPM upgrades, where new php.ini files are put in place.
php_admin_value[error_log] = /var/log/php-fpm/www-php.error.log
php_admin_value[disable_functions] = shell_exec
You can extend the list of disabled PHP functions to further lock down and secure your PHP web apps, provided your PHP web apps do not rely on and use those functions.
For example:
php_admin_value[disable_functions] = show_source, system, shell_exec, passthru, exec, popen, proc_open
Then, after editing /usr/local/etc/php-fpm.conf, restart the PHP-FPM service:
service php-fpm restart
or
fpmrestart
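Checking with the app developers is the authoritative answer, but you can get a first answer yourself. The shell function below is an added example (my own helper, not Centmin Mod code) that greps a web app's PHP source for calls to each function in the same comma-separated list you would put in php_admin_value[disable_functions], so you see what would break before restarting PHP-FPM. It skips method calls such as ->system( and user functions such as my_shell_exec( because, per the PHP manual, disable_functions applies to PHP's internal functions only. The web root path and the sample PHP files in the test are constructed for the example.

```shell
# Added example, not Centmin Mod's own code: check a web app's PHP source for
# calls to the functions you are about to put in
# php_admin_value[disable_functions]. Prints every hit as file:line:code and
# returns 1 if anything was found, 0 if the list looks safe to apply.
# Only bare function calls are reported: "->system(", "::exec(" and user
# functions such as "my_shell_exec(" are skipped, since disable_functions
# applies to PHP's internal functions only.
# Usage: scan_disabled_functions <webroot> "show_source, system, shell_exec"
scan_disabled_functions() {
  webroot="$1"
  # same comma-separated form as the php-fpm.conf line; spaces are optional
  list=$(printf '%s' "$2" | tr -d ' ' | tr ',' ' ')
  hits=0
  for fn in $list; do
    # the call must not be preceded by an identifier char, "$", ">" or ":"
    pat="(^|[^A-Za-z0-9_>:\$])$fn[[:space:]]*\\("
    found=$(find "$webroot" -name '*.php' -exec grep -HnE -e "$pat" {} + 2>/dev/null) || true
    if [ -n "$found" ]; then
      hits=$((hits + 1))
      printf '%s is used:\n%s\n' "$fn" "$found"
    fi
  done
  [ "$hits" -eq 0 ]
}
```

Run it against each vhost's public directory, e.g. scan_disabled_functions /home/nginx/domains/newdomain.com/public "show_source, system, shell_exec, passthru, exec, popen, proc_open"; a non-zero exit with the printed file:line list tells you which functions that app still needs. It is a text match, not a PHP parser, so dynamic calls (call_user_func, variable function names) will not show up.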
open_basedir
Centmin Mod 1.2.3-eva2000.08 and higher have open_basedir enabled in the /usr/local/nginx/conf/php.conf include file. This file is included in each created Nginx vhost config file, i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf. The relevant line is the 9th line in /usr/local/nginx/conf/php.conf:
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
    #fastcgi_pass unix:/tmp/php5-fpm.sock;
    fastcgi_index index.php;
    #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
This line locks PHP to each Nginx vhost's document web root, i.e. /home/nginx/domains/newdomain.com/public.
fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
You can disable this globally across all Nginx vhosts by commenting out the line and restarting the Nginx and PHP-FPM services:
#fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
Or you can disable it for a specific Nginx vhost domain only, leaving all other domains protected by open_basedir. To do so, make a copy of the /usr/local/nginx/conf/php.conf include file and change the php.conf include line within that specific Nginx vhost, i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf.
Make a copy of the /usr/local/nginx/conf/php.conf include file called /usr/local/nginx/conf/php_disable_openbasedir.conf:
cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php_disable_openbasedir.conf
Then in your /usr/local/nginx/conf/conf.d/newdomain.com.conf, change the include line for /usr/local/nginx/conf/php.conf to /usr/local/nginx/conf/php_disable_openbasedir.conf:
#include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/php_disable_openbasedir.conf;
Then restart the Nginx and PHP-FPM services:
nprestart
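The per-vhost steps above can be scripted so they are done the same way every time. The function below is an added example (my own helper, not Centmin Mod code): it makes the php_disable_openbasedir.conf copy, comments out the open_basedir line inside that copy (the copy only relaxes anything once that line is commented out, exactly as the global method above does it, and php.conf itself is never touched), and swaps the include line in one vhost file while keeping the original include as a comment. The conf directory is a parameter so the test can run on constructed files; on a real server it is /usr/local/nginx/conf, and you still run nprestart afterwards.

```shell
# Added example, not Centmin Mod's own code: script the per-vhost open_basedir
# opt-out. Copies php.conf to php_disable_openbasedir.conf, comments out the
# open_basedir line in the copy only, and points one vhost at the copy.
# <confdir> is the directory holding php.conf (/usr/local/nginx/conf on a real
# server; any directory when testing).
# Usage: disable_openbasedir_for_vhost <confdir> <path-to-vhost.conf>
disable_openbasedir_for_vhost() {
  confdir="$1"; vhost="$2"
  src="$confdir/php.conf"
  dst="$confdir/php_disable_openbasedir.conf"
  [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
  [ -f "$vhost" ] || { echo "missing $vhost" >&2; return 1; }

  # 1. make the copy once; re-running must not clobber an edited copy
  [ -f "$dst" ] || cp -a "$src" "$dst"

  # 2. comment out the open_basedir line in the copy. The address only matches
  #    lines that start with "fastcgi_param", so an already commented line is
  #    left alone and the function is idempotent.
  sed '/^[[:space:]]*fastcgi_param PHP_ADMIN_VALUE .*open_basedir=/s/fastcgi_param/#fastcgi_param/' \
    "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"

  # 3. back up the vhost, then replace its php.conf include with a commented
  #    copy of the old line followed by the new include line
  cp -a "$vhost" "$vhost.bak"
  sed '\|^[[:space:]]*include /usr/local/nginx/conf/php\.conf;|{
s|include|#include|
p
s|#include /usr/local/nginx/conf/php\.conf;|include /usr/local/nginx/conf/php_disable_openbasedir.conf;|
}' "$vhost" > "$vhost.tmp" && mv "$vhost.tmp" "$vhost"

  # print how many lines of the vhost now include the relaxed file (expect 1);
  # after this you would run nprestart as the guide says
  grep -c 'php_disable_openbasedir\.conf;' "$vhost"
}
```

Because both sed scripts match only the original, uncommented lines, running the function twice on the same vhost leaves a single include and does not stack comment markers; nginx -t before nprestart is still the sensible check.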
15. Centmin Mod Community Forums
If you want to delve deeper into Centmin Mod code and structure to further customise and/or extend your Centmin Mod server installation, you can check out the Centmin Mod Insights forums as well as the general Centmin Mod forum category. Be sure to sign up to be able to post on the Centmin Mod Community forums.
16. Linux monitoring & troubleshooting tools
Check out the Nginx Amplify monitoring service for Nginx, PHP-FPM and general server monitoring. You can set up PHP-FPM status metric monitoring and individual metric alerts as well. Example here.
Also check out the Server Monitoring statistics page on how to set up Nodequery.com or Nixstats.com for monitoring your server statistics and uptime. The Community forum also has a System Administration forum sticky outlining a lot of Linux monitoring and troubleshooting commands and tools.
17. Customising php.ini Settings
The default php.ini location is /usr/local/lib/php.ini. However, PHP upgrades via centmin.sh menu option 5 can overwrite that file, so it's best to keep your php.ini level customisations in a separate *.ini file. Centmin Mod by default has a custom file at /etc/centminmod/php.d/a_customphp.ini which already contains some tweaks to PHP settings. You can add custom settings to /etc/centminmod/php.d/a_customphp.ini; however, they can also be overwritten if future Centmin Mod updates adjust or add tweaks, which are automated on PHP-FPM upgrades. So instead, create a second custom file whose name sorts alphabetically after /etc/centminmod/php.d/a_customphp.ini, i.e. /etc/centminmod/php.d/b_customphp.ini.
Default /etc/centminmod/php.d/a_customphp.ini contents. Note that ;always_populate_raw_post_data=-1 is auto uncommented (the semi-colon ; removed) only when PHP 5.6+ is detected.
date.timezone = UTC
max_execution_time = 60
short_open_tag = On
realpath_cache_size = 1024k
realpath_cache_ttl = 14400
upload_max_filesize = 40M
memory_limit = 160M
post_max_size = 40M
expose_php = Off
mail.add_x_header = Off
max_input_nesting_level = 128
max_input_vars = 2000
mysqlnd.net_cmd_buffer_size = 16384
;always_populate_raw_post_data=-1
You can add your own custom settings to a newly created file at /etc/centminmod/php.d/b_customphp.ini, e.g. to double the default max_execution_time from 60 to 120. PHP-FPM processes these ini files in a specific alpha-numeric order, where later files override earlier ones.
max_execution_time = 120
Then restart the PHP-FPM service via either the command shortcut or the full service restart command:
fpmrestart
or
service php-fpm restart
Confirm the changes are in effect by looking at the phpinfo file. Centmin Mod sets this up on the main hostname with a randomised prefix unique to each Centmin Mod install. You can rename this file, delete it, password protect it or IP address restrict it if you want. In the example below, the install created the phpinfo file at /usr/local/nginx/html/417911c9_phpi.php, which would be accessible online via yourmainhostname.com/417911c9_phpi.php or localhost/417911c9_phpi.php.
ls -lah /usr/local/nginx/html | grep phpi
-rw-r--r-- 1 nginx nginx 20 Jul 28 11:31 417911c9_phpi.php
You don't need to leave your SSH session to do a simple check: the lynx command piped through grep can confirm the changes.
before
lynx -dump localhost/417911c9_phpi.php | grep max_execution_time
max_execution_time 60 60
after
lynx -dump localhost/417911c9_phpi.php | grep max_execution_time
max_execution_time 120 120
Typing the command php --ini will output the list of *.ini files PHP-FPM has detected and the order in which they are processed.
php --ini
Default output, before the custom /etc/centminmod/php.d/b_customphp.ini file is added:
php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/geoip.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini,
/etc/centminmod/php.d/mongodb.ini,
/etc/centminmod/php.d/redis.ini,
/etc/centminmod/php.d/zendopcache.ini
After the custom /etc/centminmod/php.d/b_customphp.ini file is added and the PHP-FPM service restarted:
php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/b_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/geoip.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini,
/etc/centminmod/php.d/mongodb.ini,
/etc/centminmod/php.d/redis.ini,
/etc/centminmod/php.d/zendopcache.ini
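php --ini shows the scan order, and lynx shows the final value, but neither tells you which file won for a given setting when several of them set it. The shell function below is an added example (my own helper, not Centmin Mod code) that reads the *.ini files of a scan directory in alphabetical order, ignores commented-out lines, and reports the file and value that end up in effect for one setting. The directory is a parameter (/etc/centminmod/php.d on a Centmin Mod server); the ini files in the test are constructed to mirror the a_customphp.ini / b_customphp.ini override described above.

```shell
# Added example, not Centmin Mod's own code: report which *.ini file in a PHP
# scan directory sets a given setting last, i.e. the value PHP-FPM ends up
# with. Files are read in alphabetical order, the order php --ini lists them
# in, and commented-out lines (leading ';') are ignored, so the output tells
# you whether b_customphp.ini really overrides a_customphp.ini.
# Usage: effective_ini_value <scan-dir> <setting>   e.g. max_execution_time
effective_ini_value() {
  dir="$1"; key="$2"
  result=""
  for f in "$dir"/*.ini; do            # the shell expands the glob sorted
    [ -f "$f" ] || continue
    # value of the last uncommented "key = value" line in this file, if any
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
    if [ -n "$v" ]; then
      result="$(basename "$f")=$v"
    fi
  done
  [ -n "$result" ] || { echo "$key is not set in $dir/*.ini" >&2; return 1; }
  printf '%s\n' "$result"
}
```

effective_ini_value /etc/centminmod/php.d max_execution_time prints b_customphp.ini=120 after the override above, and a_customphp.ini=60 before it; a setting that no file in the directory sets (so only php.ini applies) returns 1. A dot in the setting name (date.timezone) is treated by sed as "any character", which is harmless for the names in these files.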
18. Managing root user emails
Servers send system related email notifications to the system root user by default. These emails end up in the root user's mail spool file at /var/spool/mail/root and remain there until the root user reads and deletes them, so over time this mail spool file will grow. You can view its size via the command:
ls -lah /var/spool/mail/root
-rw------- 1 root mail 928K Dec 28 04:58 /var/spool/mail/root
You can manually empty the accumulated root mail spool emails via the command:
echo "" > /var/spool/mail/root
If you do not want root user emails to accumulate in the root user mail spool and would rather receive them at a regular email account, you can set up the root user mail forwarder file at /root/.forward. Add your email address to the file:
youremail@domain.com
Then any server system emails destined for the root user will bypass the mail spool and be forwarded to the email address listed in the /root/.forward file. These emails will most likely end up in your email's spam or junk folder. So I would specifically set up a mail filter or Gmail label filter so that any email coming from your server's from address (usually root@yourhostname.domain.com) skips the spam or junk folders and is not marked as spam. I'd also make it skip your inbox and go to a specific mail folder if possible (i.e. Gmail).
If you use Gmail or Google Apps based email for the address listed in your /root/.forward file, you can make setting up a filtered label even easier by using an email alias. If your Gmail address is yourusername@gmail.com, you can append +label to your username and still receive the emails, but then you can filter based on that specific delivered-to address. For example, emails sent to yourusername+linode1@gmail.com, with an alias of +linode1, will still go to yourusername@gmail.com but the delivered-to address you receive them at will be listed as yourusername+linode1@gmail.com.
Delivered-To: yourusername+linode1@gmail.com
or, if your mail app doesn't support filtering based on the Delivered-To field, filter based on the From and To addresses:
From: yourusername@gmail.com
To: yourusername@gmail.com
One of the most common root user destined email messages you will receive is due to CSF Firewall alerting you every time you log in via SSH to your server. An example email message looks like below:
To: root@yourhostname.domain.com
Subject: lfd on root@yourhostname.domain.com: SSH login alert for user root from 111.222.333.444.(AU/Australia/111.222.333.444)
Message-Id: <20151228045858.EE862EC@yourhostname.domain.com>
Date: Mon, 28 Dec 2015 04:58:58 +0000 (UTC)
Time: Mon Dec 28 04:58:58 2015 +0000
IP: 111.222.333.444.(AU/Australia/111.222.333.444)
Account: root
Method: password authentication
Another common root user destined email message is when CSF Firewall's LFD daemon notifies you that it has permanently blocked an IP address which was trying to brute force log into your server via SSH and failed 5 attempts:
From: root@yourhostname.domain.com
To: root@yourhostname.domain.com
Subject: lfd on yourhostname.domain.com: blocked 124.199.98.204 (TW/Taiwan/124-199-98-204.HINET-IP.hinet.net)
Message-Id: <20151223195006.D5522576@yourhostname.domain.com>
Date: Wed, 23 Dec 2015 19:50:06 +0000 (UTC)
Time: Wed Dec 23 19:50:06 2015 +0000
IP: 124.199.98.204 (TW/Taiwan/124-199-98-204.HINET-IP.hinet.net)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block
Log entries:
Dec 23 19:48:48 yourhostname sshd[23279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.199.98.204 user=root
Dec 23 19:48:50 yourhostname sshd[23279]: Failed password for root from 124.199.98.204 port 62046 ssh2
Dec 23 19:49:14 yourhostname sshd[23280]: Did not receive identification string from 124.199.98.204
Dec 23 19:49:19 yourhostname sshd[23308]: Did not receive identification string from 124.199.98.204
Dec 23 19:49:50 yourhostname sshd[23358]: Did not receive identification string from 124.199.98.204
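Once these alerts are forwarded off the server, a filter can only act on the subject line. As an added example (my own shell helper, not CSF/lfd or Centmin Mod code), the function below reads one lfd email on stdin and reduces it to a single key=value line: which kind of alert it is, the source IP, and either the account and login method or the failure count, service and block type. It assumes the field layout shown in the two messages above (Subject:, IP:, Account:, Method:, Failures:, Blocked:); the messages fed to it in the test are constructed from those examples.

```shell
# Added example, not CSF/lfd or Centmin Mod code: summarise the two lfd alert
# formats shown above into one line each, so a cron job or mail filter can log
# them without a human reading the full message.
# Reads one message on stdin, prints key=value fields, e.g.
#   kind=login ip=... account=root method="password authentication"
#   kind=block ip=... failures=5 service=sshd blocked="Permanent Block"
parse_lfd_alert() {
  awk '
    /^Subject: .*SSH login alert/ { kind = "login" }
    /^Subject: .*blocked /        { kind = "block" }
    /^IP: / {
      ip = $2
      sub(/\(.*$/, "", ip)     # drop the "(AU/Australia/...)" geo suffix
      sub(/\.$/, "", ip)       # login alerts glue a "." between IP and "("
    }
    /^Account: /  { account = $2 }
    /^Method: /   { sub(/^Method: /, ""); method = $0 }
    /^Failures: / {
      failures = $2
      sub(/^Failures: [0-9]+ /, "")
      service = $0
      gsub(/[()]/, "", service)  # "(sshd)" -> "sshd"
    }
    /^Blocked: /  { sub(/^Blocked: /, ""); blocked = $0 }
    END {
      if (kind == "login")
        printf "kind=login ip=%s account=%s method=\"%s\"\n", ip, account, method
      else if (kind == "block")
        printf "kind=block ip=%s failures=%s service=%s blocked=\"%s\"\n", ip, failures, service, blocked
      else
        print "kind=unknown"
    }
  '
}
```

Pipe a saved message through it (parse_lfd_alert < alert.eml); login alerts from an IP you do not recognise, or block notices arriving in bursts, are the lines worth an actual look, and the flattened format is easy to grep or count per day.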
19. Keeping Centmin Mod Code Updated
Centmin Mod LEMP stack's script code is constantly updated with improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, the newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git backed environment you can set up. For full details read the following links:
- New centmin.sh menu option 23 updating
- Centmin Mod Upgrades
- How To Keep Informed Of Centmin Mod Related Updates
- Tracking Centmin Mod Config Changes Which Are Not Automatically Synced
- Cronjob Auto Updating Centmin Mod Code Guide
- How to upgrade Centmin Mod + backing up customisations
20. Ensure Postfix Outbound Emails Do Not End Up In Spam Inbox
To ensure emails sent by your site and server do not end up in users' spam folders, you need proper SPF/TXT, DKIM, DMARC and reverse PTR DNS records set up for your domain and your server's main hostname. You can read the full details on how to set up SPF/TXT, DKIM and DMARC for your email here.
VPS Provider Blocked SMTP Port 25 Outbound Emails
To combat spam, some VPS providers now block SMTP port 25 outbound emails from servers by default and require you to contact them and provide ID verification as a one time task to unblock the SMTP port. Other VPS providers have outright blocked SMTP port 25 outbound emails entirely and require you to use a 3rd party SMTP provider for email relaying (Postfix SMTP relay). DigitalOcean is one such provider, so there you will need to set up a Postfix SMTP relay with Centmin Mod for sending outbound emails from the server itself. Details outlined here.
21. How To Boost Centmin Mod LEMP Stack Performance
If using Centmin Mod 123.09beta01 or newer, you can further boost your Centmin Mod LEMP stack performance with more advanced options outlined in the How To Boost Centmin Mod LEMP Stack Performance guide.
Summary
The end result is that visiting:
- hostname.newdomain.com should have a valid working DNS entry (either an A record pointing to server's IP address or CNAME entry) and should go to default Nginx setup page which is controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/virtual.conf with document root at /usr/local/nginx/html
- newdomain.com should also have a valid DNS entry preferably A record pointing to server IP address and go to your site's pages controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/newdomain.com.conf with document root at /home/nginx/domains/newdomain.com/public