@spyric
Last active February 28, 2018 11:56
New server

Installation

These instructions use the following placeholders; replace them with your own values:

  • $DOMAIN$ - the domain name of the site you are setting up
  • $MYSQL_ROOT_PASSWORD$ - password for the MySQL root user

Step 0. Install git

sudo apt-get install git

Step 1. Add repository

ppa:ondrej/php is a third-party repository maintained by Ondřej Surý; adding it means trusting its maintainer for every PHP package on the box. On minimal installs add-apt-repository is provided by the software-properties-common package.

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

Step 2. Install PHP 7.1

PHP 7.1 reached end of life in December 2019 and no longer receives security fixes; on a new server pick a currently supported release from the same PPA and adjust the version in the package names and paths below.

sudo apt-get install php7.1-fpm php7.1-mysql php7.1-xml php7.1-mbstring php7.1-curl

Step 3. Install MySQL

Installing

sudo apt-get install mysql-server

Getting remote root access (optional)

Skip this section unless you really need to reach MySQL from another host. Binding to 0.0.0.0 and creating root@'%' exposes the whole server, with all privileges, to any host that can reach port 3306, guarded only by the password. If you do enable it, restrict port 3306 with a firewall to the client addresses that need it, and prefer a dedicated user limited to one client host and one database (for example 'app'@'10.0.0.5' on the application's schema) over root@'%'.

Open /etc/mysql/my.cnf in an editor (with MySQL 5.7 on Ubuntu 16.04 and later the directive lives in /etc/mysql/mysql.conf.d/mysqld.cnf), find

bind-address            = 127.0.0.1

and replace it with

bind-address            = 0.0.0.0

Then, in the mysql command-line client as root, create the user root@'%':

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD$' WITH GRANT OPTION;

(This is MySQL 5.7 syntax; MySQL 8.0 no longer creates users from GRANT and needs a separate CREATE USER first.)

Then restart the server:

sudo service mysql restart

Step 4. Install Nginx

Install nginx

sudo apt-get install nginx

Create a template for Let's Encrypt challenge requests

sudo mkdir /etc/nginx/template/
sudo touch /etc/nginx/template/letsencrypt.conf

with this content (it serves, over plain HTTP, the ACME HTTP-01 challenge files that certbot writes under /opt/cert/.well-known/ in Step 8):

location ~ ^/(.well-known) {
    allow all;
    root  /opt/cert;
    break;
}

Step 5. Configure PHP 7.1

php.ini

sudo nano /etc/php/7.1/fpm/php.ini

Find cgi.fix_pathinfo. By default it is commented out with a semicolon (;) and set to "1".

Change it to

cgi.fix_pathinfo=0

This matters because with cgi.fix_pathinfo=1 PHP-FPM, asked to run a script that does not exist such as /uploads/photo.jpg/x.php, walks back to the nearest existing file and executes /uploads/photo.jpg as PHP, so any directory that accepts uploads becomes a code-execution path. With 0, PHP refuses such requests.

You can change any other settings you want here as well. Save and close the file when you are finished.

Configuring pools

Rename /etc/php/7.1/fpm/pool.d/www.conf to /etc/php/7.1/fpm/pool.d/$DOMAIN$.conf. Keeping each site in its own pool is strongly recommended: with a separate user and group per pool, PHP code of one site cannot read or write the files of another. Pool names must be unique, so when you add further pools also rename the [www] section header inside the file to [$DOMAIN$].

Then

sudo nano /etc/php/7.1/fpm/pool.d/$DOMAIN$.conf

Change the listen parameter to

listen = /run/php/$DOMAIN$.sock

Then save the file and execute

sudo service php7.1-fpm restart

PHP is ready to accept requests

Step 6. Set up nginx config

Create a new config file in the Nginx folder

sudo touch /etc/nginx/sites-available/000-$DOMAIN$.conf

and paste in the content of the Server config section below. Then create a symlink to this file from the /etc/nginx/sites-enabled/ folder:

sudo ln -s /etc/nginx/sites-available/000-$DOMAIN$.conf /etc/nginx/sites-enabled/000-$DOMAIN$.conf

Note: if you will host more than one site on this machine, increment the 000 prefix for each new site.

Restart Nginx (running nginx -t first reports syntax errors in the new file before a restart can take the server down)

sudo service nginx restart

Step 7. Install Let's Encrypt

Run these commands

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto

certbot-auto runs as root and installs packages on first use, so verify the download before executing it: EFF publishes a detached signature at https://dl.eff.org/certbot-auto.asc to check against the EFF signing key. EFF has since retired certbot-auto; on current systems install certbot from your distribution's packages instead.

Create /opt/cert folder

sudo mkdir /opt/cert

Increasing the security of your TLS connection (generates the Diffie-Hellman parameters used by the DHE cipher suites in the server config)

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 8. Setting up the Let's Encrypt certificate

Execute this command. You can add further -d DOMAIN_NAME parameters to issue one certificate covering several names

sudo certbot-auto certonly -a webroot --webroot-path=/opt/cert -d $DOMAIN$ -d www.$DOMAIN$

The webroot path must match the root in template/letsencrypt.conf, because Let's Encrypt fetches the HTTP-01 challenge files from http://$DOMAIN$/.well-known/acme-challenge/ through the port 80 server block from Step 6. Certificates are valid for 90 days, so schedule certbot-auto renew (for example from cron) and reload Nginx after each renewal.

Step 9. Applying the SSL certificate

Open /etc/nginx/sites-available/000-$DOMAIN$.conf (sudo nano ...) and uncomment these lines:

    ssl_certificate /etc/letsencrypt/live/$DOMAIN$/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN$/privkey.pem;

In the same server block change listen 443; to listen 443 ssl;. Without the ssl parameter Nginx speaks plain HTTP on port 443 and the certificate is never used; it could not be set in Step 6 because Nginx refuses to start with listen ... ssl and no certificate defined.

And restart Nginx

sudo service nginx restart

Server config
server {
    # change to "listen 443 ssl;" in Step 9, once the certificate exists; without "ssl" this port speaks plain HTTP
    listen 443;
    # the certificate from Step 8 covers only $DOMAIN$ and www.$DOMAIN$; other subdomains get a name mismatch
    server_name $DOMAIN$ *.$DOMAIN$;
    # uncommented in Step 9, after the certificate has been issued
    #ssl_certificate /etc/letsencrypt/live/$DOMAIN$/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/$DOMAIN$/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated; use "ssl_protocols TLSv1.2;" unless legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # OCSP stapling also needs a "resolver" directive so Nginx can fetch responses
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    root "/web/$DOMAIN$/public";
    index index.php index.html index.htm;
    # access_log off saves disk but leaves nothing to investigate after an incident
    access_log off;
    error_log /var/log/nginx/$DOMAIN$.error.log crit;
    # removes trailing slashes (prevents SEO duplicate content issues)
    if (!-d $request_filename) {
        rewrite ^/(.+)/$ /$1 permanent;
    }
    # unless the request is for a valid file (image, js, css, etc.), send to bootstrap
    if (!-e $request_filename) {
        rewrite ^/(.*)$ /index.php?/$1 last;
        break;
    }
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        # refuse requests whose script does not exist, so /uploads/x.jpg/y.php never reaches PHP-FPM
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/$DOMAIN$.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
}
server {
    listen 80;
    server_name $DOMAIN$ *.$DOMAIN$;
    # serve ACME challenges over plain HTTP, redirect everything else to HTTPS
    include template/letsencrypt.conf;
    location ~ ^/(?!(.well-known)) {
        return 301 https://$host$request_uri;
    }
}
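The following script is an added example, not part of the original gist: it audits the three settings above that decide what the finished box exposes, the MySQL bind-address from Step 3, cgi.fix_pathinfo from Step 5, and the listen and ssl_protocols lines of the Server config. Each check takes a file path, so the same functions run against /etc/mysql/my.cnf, /etc/php/7.1/fpm/php.ini and the site config on a real install; the sample files the script writes are constructed for the demonstration and the file names are my own.

```shell
#!/bin/sh
# Post-install audit for the settings this guide changes (added example, not
# part of the original gist). Each check takes a file path and prints "ok" or
# "FAIL: <reason>", so it works on the real files or on the constructed
# samples written by write_samples below.

# Step 3: mysqld must not listen on every interface. The last uncommented
# bind-address line wins; with none at all mysqld defaults to "*".
mysql_bind_check() {
    addr=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    case "$addr" in
        '')               echo "FAIL: no bind-address; mysqld defaults to all interfaces" ;;
        0.0.0.0|'::'|'*') echo "FAIL: bind-address $addr exposes port 3306 on every interface" ;;
        *)                echo "ok" ;;
    esac
}

# Step 5: cgi.fix_pathinfo must be an explicit, uncommented 0. A line that
# starts with ";" is a comment and therefore does not count.
php_pathinfo_check() {
    val=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ "$val" = "0" ]; then
        echo "ok"
    elif [ -z "$val" ]; then
        echo "FAIL: cgi.fix_pathinfo not set; PHP defaults to 1"
    else
        echo "FAIL: cgi.fix_pathinfo=$val lets /uploads/x.jpg/y.php execute x.jpg as PHP"
    fi
}

# Server config: "listen 443;" without "ssl" serves plaintext on the HTTPS
# port, and ssl_protocols must not enable SSLv3 or TLS 1.0/1.1.
nginx_tls_check() {
    if grep -Eq '^[[:space:]]*listen[[:space:]]+([^[:space:]]*:)?443[[:space:]]*;' "$1"; then
        echo "FAIL: listen 443 without ssl serves plain HTTP on port 443"
        return 0
    fi
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$1" | tail -n 1)
    case " $protos " in
        '  ')                                  echo "FAIL: ssl_protocols not set; older nginx defaults include TLS 1.0/1.1" ;;
        *' SSLv3 '*|*' TLSv1 '*|*' TLSv1.1 '*) echo "FAIL: ssl_protocols enables deprecated versions ($protos)" ;;
        *)                                     echo "ok" ;;
    esac
}

# Constructed samples (not copied from any real server): each setting as the
# guide first leaves it and as it should end up.
write_samples() {
    printf '[mysqld]\nbind-address\t\t= 127.0.0.1\n' > "$1/my.cnf.local"
    printf '[mysqld]\n# bind-address = 127.0.0.1\nbind-address = 0.0.0.0\n' > "$1/my.cnf.remote"
    printf ';cgi.fix_pathinfo=1\n' > "$1/php.ini.default"
    printf 'cgi.fix_pathinfo=0\n' > "$1/php.ini.fixed"
    printf 'server {\n    listen 443;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n' > "$1/site.step6"
    printf 'server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2;\n}\n' > "$1/site.step9"
}

# Stand-alone run: write the samples to a scratch directory and report on each.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in my.cnf.local my.cnf.remote; do printf '%-16s %s\n' "$f" "$(mysql_bind_check "$tmp/$f")"; done
for f in php.ini.default php.ini.fixed; do printf '%-16s %s\n' "$f" "$(php_pathinfo_check "$tmp/$f")"; done
for f in site.step6 site.step9; do printf '%-16s %s\n' "$f" "$(nginx_tls_check "$tmp/$f")"; done
rm -rf "$tmp"
```

The checks deliberately read only the last matching directive, since that is what mysqld and nginx honour when a setting appears twice in one file; they do not follow include files, so run nginx_tls_check on the site file that actually holds the listen line.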