Static Website Configuration for Nginx Web Server on CentOS 6 / CentOS 7

Q. How to configure and host a static website on Nginx web server?

A. Nginx is a lightweight web server and an alternative to Apache. To run a static website on Nginx, your server needs at least the following basic configuration. Without it, some basic functions will not work, such as access to sitemap.xml, which is required when you submit a page to Google and Bing through their webmaster tools.

Note : The following steps have been tested using root access on Nginx web server :

Static Website Configuration for Nginx Web Server

1. This is the main Nginx configuration file. Make sure that the sites-available folder is included at the bottom of the configuration as below :

# sudo vim /etc/nginx/nginx.conf
user  nginx;
worker_processes  2;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;


    include /etc/nginx/sites-available/*.conf;
}

2. Create the static.conf file, which contains the configuration specific to a static website running on Nginx web server :

# sudo vim /etc/nginx/conf.d/static.conf
# WORDPRESS : Rewrite rules, sends everything through index.php and keeps the appended query string intact
location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
}

# SECURITY : Deny all attempts to access PHP Files in the uploads directory
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# REQUIREMENTS : Enable PHP Support
location ~ \.php$ {
    # SECURITY : Zero day Exploit Protection
    try_files $uri =404;
    # ENABLE : Enable PHP, listen fpm sock
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    #fastcgi_pass unix:/tmp/php-fpm.sock;
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_send_timeout 300s;
    fastcgi_read_timeout 300s;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 4k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
}

location /sitemap.xml.gz {
    add_header Cache-Control "public, must-revalidate";
}

3. Create the common.conf file for options common to all sites on the Nginx web server :

# sudo vim /etc/nginx/conf.d/common.conf

Add below :

# Global configuration file.
# ESSENTIAL : Configure Nginx Listening Port
listen 80;
# ESSENTIAL : Default file to serve. If the first file isn't found,
index index.php index.html index.htm;
# ESSENTIAL : no favicon logs
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
# ESSENTIAL : robots.txt
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# ESSENTIAL : Configure 404 Pages
error_page 404 /404.html;
# ESSENTIAL : Configure 50x Pages
error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
# SECURITY : Deny all attempts to access hidden files .abcde
location ~ /\. {
    deny all;
}
# PERFORMANCE : Set expires headers for static files and turn off logging.
location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    access_log off; log_not_found off; expires 30d;
    add_header Pragma no-cache;
    add_header Cache-Control "public";
}
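
The hidden-file and upload `deny all` rules only do what their comments say when the dot in the regex is escaped. The script below is an added example, not part of the original configuration: it runs constructed request paths through `grep -E` to compare the escaped and unescaped spellings. The helper names are hypothetical, and `(?:uploads|files)` is written as a plain group because `grep -E` has no non-capturing groups.

```sh
#!/bin/sh
# Added example: check the two "deny all" location regexes against sample URIs.
# grep -E stands in for nginx's PCRE matching; the patterns below avoid
# PCRE-only syntax, so "(?:uploads|files)" is written as "(uploads|files)".

HIDDEN_ESCAPED='/\.'        # a path segment that starts with a literal dot
HIDDEN_UNESCAPED='/.'       # unescaped: a slash followed by ANY character
UPLOAD_ESCAPED='/(uploads|files)/.*\.php$'
UPLOAD_UNESCAPED='/(uploads|files)/.*.php$'

# matches PATTERN URI [i]
# Prints "deny" when the regex matches the URI, "pass" otherwise.
# The optional third argument "i" makes the match case-insensitive (nginx ~*).
matches() {
    flags=-Eq
    if [ "${3:-}" = "i" ]; then
        flags=-Eqi
    fi
    if printf '%s\n' "$2" | grep "$flags" -- "$1"; then
        echo deny
    else
        echo pass
    fi
}

# report: print how each constructed sample URI fares under both spellings.
report() {
    echo "hidden-file rule (location ~ ...):"
    for uri in /index.html /css/site.css /.htaccess /.git/config \
               /.well-known/acme-challenge/token; do
        printf '  %-34s escaped=%s unescaped=%s\n' "$uri" \
            "$(matches "$HIDDEN_ESCAPED" "$uri")" \
            "$(matches "$HIDDEN_UNESCAPED" "$uri")"
    done
    echo "upload rule (location ~* ...):"
    for uri in /uploads/shell.php /files/a/b.PHP /uploads/notes-php \
               /uploads/cat.png; do
        printf '  %-34s escaped=%s unescaped=%s\n' "$uri" \
            "$(matches "$UPLOAD_ESCAPED" "$uri" i)" \
            "$(matches "$UPLOAD_UNESCAPED" "$uri" i)"
    done
}

report
```

The escaped hidden-file rule also denies `/.well-known/`, which matters if the site later needs ACME HTTP-01 validation.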

4. Configure website1 configuration :

# sudo vim /etc/nginx/sites-available/website1.com.conf
server {
    listen      80;
    server_name website1.com;
    rewrite ^/(.*)$ http://www.website1.com/$1 permanent;

}

server {
        server_name www.website1.com;
        root /var/www/html/website1.com;
        access_log /var/log/nginx/website1.com.access.log;
        error_log /var/log/nginx/website1.com.error.log;
        include conf.d/common.conf;
        include conf.d/static.conf;

}

5. Verify Nginx configuration syntax :

# sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

6. Restart Nginx web server :

For CentOS 7 :

# sudo systemctl restart nginx

For CentOS 5 / CentOS 6 :

# sudo service nginx restart

Static websites are the cheapest way to start a website and do not require a lot of server resources to run. A basic shared hosting plan is sufficient, and nowadays static websites are widely used by smaller companies.

How to Install IonCube Loader in CentOS 6 / CentOS 7

What is IonCube Loader ?

IonCube Loader is a PHP extension that decodes encrypted PHP files and is often required by PHP-based applications. It helps protect PHP applications from unauthorized execution and at the same time can accelerate the website. This article shows how to install the ionCube loader on CentOS 6; the steps also work on CentOS 7.

1. Check the PHP version to determine the matching ionCube loader version :

# php -v
PHP 5.4.33 (cli) (built: Sep 20 2014 16:20:03)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

Your PHP version must match ioncube version :
eg. PHP 5.5 will use file: ioncube_loader_lin_5.5.so
eg. PHP 5.4 will use file: ioncube_loader_lin_5.4.so
eg. PHP 5.3 will use file: ioncube_loader_lin_5.3.so

In this case, php version is PHP 5.4, and the matching ioncube loader version should be ioncube_loader_lin_5.4.so.

2. Create directory for ioncube :

# mkdir /usr/local/ioncube

3. Download and extract the ioncube:

# wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
# tar xzvf ioncube_loaders_lin_x86-64.tar.gz

4. Open the extracted ioncube folder and copy the ioncube loader file that matches your PHP version :

# cd ioncube
# cp -p ioncube_loader_lin_5.4.so /usr/local/ioncube

5. Now locate php.ini file. This is how you can find location of php.ini.

# php -i| grep php.ini
Configuration File (php.ini) Path => /etc
Loaded Configuration File => /etc/php.ini

6. Edit php.ini file and save :

# vim /etc/php.ini

Add the following at the bottom of php.ini :

..
..
zend_extension = /usr/local/ioncube/ioncube_loader_lin_5.4.so

7. Verify the PHP version. PHP 5.4 now loads the file "ioncube_loader_lin_5.4.so" if you get the output below :

# php -v
PHP 5.4.33 (cli) (built: Sep 20 2014 16:20:03)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd.

If you can see the PHP version together with the ionCube loader version, you have successfully installed and configured the ionCube PHP loader on your Linux system.

How to Install CentOS Web panel(CWP) on CentOS 6

There are many open source control panels for running Linux web hosting, such as ISPConfig, Webmin, Virtualmin and Open Panel. In this post, I want to share how to install CentOS Web Panel (CWP) on CentOS 6. CentOS Web Panel is a free web hosting panel designed for easy management of servers (VPS and dedicated) without requiring expertise in the Linux command line and without SSH access to the server.

According to the CWP official website, no uninstaller is provided; to remove CWP you must reinstall the server. CWP should be installed on a fresh CentOS operating system without any non-default configuration.

Follow these steps to install CWP on CentOS 6.6.

1. Install a fresh CentOS 6.6 with a direct internet connection.
2. Allocate at least 512MB RAM for 32 bit systems and 1024MB for 64 bit systems. In this example we will allocate 4GB RAM.

3. Configure your server hostname :
a. Modify the hostname and reboot the server to take effect:

# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=centos66.ehowstuff.local
GATEWAY=192.168.0.1

b. Verify hostname :

[root@centos66 ~]# hostname
centos66.ehowstuff.local

4. Update your server before you begin, then reboot the server for the changes to take effect :

# yum update -y

5. Install CWP:
a. Change directory to /usr/local/src/ directory:

# cd /usr/local/src

b. Download the installer via wget :

# wget http://centos-webpanel.com/cwp-latest

Or try the following URL if the above URL is not working :

# wget http://dl1.centos-webpanel.com/files/cwp-latest

c. Start CWP installer

# sh cwp-latest

6. The installation will take up to 50 minutes, depending on your internet connection speed.

7. Once the installation has completed, you will see the screen below. In this case I leave the MySQL root password blank.

Press Enter to reboot the server.

8. Go to your browser and enter the CWP IP address with port number 2030. You will see the login page as below. CentOS WebPanel Admin GUI at http://SERVER-IP:2030/

Username: root
Password: your server root password

9. You can start configuring your CWP via the dashboard panel. Consult the official website and the CWP forum to proceed with the configuration.

10. You can now start configuring your CWP server and then start hosting your website.

  • Setup nameservers
  • Setup shared ip (must be your public IP address)
  • Setup at least one hosting package (or edit default package)
  • Setup root email
  • & now you are ready to host domains…

11. Install Softaculous Apps Installer via command :

# /usr/local/src/install.sh --quick
-----------------------------------------------
 Welcome to Softaculous Apps Installer
-----------------------------------------------

///////////////////////////////
// INSTALLING SOFTACULOUS :
// 1) CONFIGURING universal.php
// 2) FETCHED A LICENSE
// 3) UPDATING Categories
// 4) UPDATING Scripts List
// 5) UPDATING Installed Scripts List
// 6) SETTING A CRON JOB
// 7) DOWNLOADING SCRIPTS
///////////////////////////////

ln: creating symbolic link `/usr/local/cwpsrv/conf.d/softaculous.conf': File exists
cwpsrvd: Could not reliably determine the server's fully qualified domain name, using centos66.ehowstuff.local for ServerName
=====================================================
Congratulations, Softaculous was installed successfully
Softaculous has been installed at:
Path : /usr/local/softaculous
Scripts Path : /var/softaculous

We request you to please register for updates and notifications at :
http://www.softaculous.com/board/index.php?act=register
It also inspires us when you register. Registration is free and just a one minute job.

If you need any support you can always count on us. Just drop in at our Support Board:
http://www.softaculous.com/board
Alternatively, you can contact us via Email at support@softaculous.com

Thank you for using Softaculous

How to Enable Logging for Email Subject Fields in Postfix Maillog

By default, Postfix MTA only captures the 'From' and 'To' fields; the subject is not logged to the maillog. A few simple steps enable logging of the e-mail subject in the Postfix maillog. This is very useful for email administrators when troubleshooting email problems.

1. Assume that postfix has been installed. Open the postfix main configuration file :
# vi /etc/postfix/main.cf
2. Uncomment the following :
..
..
header_checks = regexp:/etc/postfix/header_checks
..
..
3. Open /etc/postfix/header_checks file and add the following line at the bottom :
# vi /etc/postfix/header_checks
..
..
/^Subject:/     WARN
4. Run postmap to apply the new configuration in /etc/postfix/header_checks :
# postmap /etc/postfix/header_checks
5. Restart or reload postfix configuration :
# service postfix restart

or

# postfix reload
6. Send a test email with subject:test-ABC :
# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 centos66.ehowstuff.local ESMTP Postfix
ehlo abc.com
250-centos66.ehowstuff.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:admin@ehowstuff.com
250 2.1.0 Ok
rcpt to:admin@ehowstuff.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:test-ABC
.
250 2.0.0 Ok: queued as 196AD1FDEA
quit
221 2.0.0 Bye
Connection closed by foreign host.
7. Confirm that the subject "test-ABC" appears in the log :
# tail -f /var/log/maillog
Apr  6 23:41:28 centos66 postfix/smtpd[4919]: connect from localhost[::1]
Apr  6 23:41:58 centos66 postfix/smtpd[4919]: 196AD1FDEA: client=localhost[::1]
Apr  6 23:42:07 centos66 postfix/cleanup[4924]: 196AD1FDEA: warning: header subject:test-ABC from localhost[::1]; from= to= proto=ESMTP helo=
Apr  6 23:42:07 centos66 postfix/cleanup[4924]: 196AD1FDEA: message-id=<20150406154158.196AD1FDEA@centos66.ehowstuff.local>
Apr  6 23:42:07 centos66 postfix/qmgr[4914]: 196AD1FDEA: from=, size=365, nrcpt=1 (queue active)
Apr  6 23:42:09 centos66 postfix/smtpd[4919]: disconnect from localhost[::1]

How To Get Email Alerts for SSH Login on Linux Server

Enabling the SSH server on a virtual private server (VPS) exposes the server to the internet and provides opportunities for hacking activities, especially when the VPS still uses root as its primary access. The VPS should be configured to send an email alert automatically for each successful login via the SSH server. The VPS owner should be notified of any SSH access, including who logged in, when, and from which source IP address. This is an important security concern for server owners who want to protect the server from unknown logins, because a login obtained by brute-forcing SSH can be very dangerous. In this article, I will explain how to set up an email alert for all SSH login users on Linux CentOS 6, CentOS 7, RHEL 6 and RHEL 7.

1. Login to your server as root user :

2. Configure the alert in the global definitions file (/etc/bashrc). This enables it for root and normal users :

[root@vps ~]# vi /etc/bashrc

Add the following at the bottom of the file :

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

3. Optionally you can enable alert for root only :

[root@vps ~]# vi .bashrc

Add the following at the bottom of /root/.bashrc :

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

Full Configuration file example :

# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com

4. Optionally you can enable the alert for a specific normal user (e.g. skytech) :

[root@vps ~]# vi /home/skytech/.bashrc

Add the following at the bottom of /home/skytech/.bashrc :

echo 'ALERT - Root Shell Access (vps.ehowstuff.com) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" recipient@gmail.com
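
A variant of the alert line written as functions, added here as an example and not taken from the original article: it reads the client address of the current session from `SSH_CONNECTION` instead of parsing `who`, which lists every logged-in user and can put several addresses into one subject. The function names and the `SSH_ALERT_SENT` guard variable are hypothetical; the host label and recipient are the placeholders used above.

```sh
#!/bin/sh
# Added example for /etc/bashrc or ~/.bashrc: alert on the current SSH session.
# ALERT_HOST and ALERT_RCPT are placeholders taken from the commands above.
ALERT_HOST="vps.ehowstuff.com"
ALERT_RCPT="recipient@gmail.com"

# ssh_client_ip: print the client address of this session, or return 1 when
# the shell was not started through sshd.
# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
ssh_client_ip() {
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    # Keep only characters valid in an IPv4/IPv6 address before the value
    # is placed into a mail subject.
    printf '%s' "${SSH_CONNECTION%% *}" | tr -cd '0-9A-Fa-f:.'
}

# ssh_alert_subject: one-line subject naming the user and the client address.
ssh_alert_subject() {
    ip=$(ssh_client_ip) || return 1
    printf 'Alert: SSH login as %s on %s from %s' \
        "$(id -un)" "$ALERT_HOST" "$ip"
}

# ssh_alert_body: details of this session only, not of every logged-in user.
ssh_alert_body() {
    printf 'ALERT - Shell Access (%s)\n' "$ALERT_HOST"
    printf 'user: %s\n' "$(id -un)"
    printf 'from: %s\n' "$(ssh_client_ip)"
    printf 'tty:  %s\n' "${SSH_TTY:-none}"
    printf 'time: %s\n' "$(date)"
}

# send_ssh_alert: mail the alert once per login. Nested shells inherit
# SSH_ALERT_SENT and stay silent; local console logins send nothing.
send_ssh_alert() {
    [ -z "${SSH_ALERT_SENT:-}" ] || return 0
    subject=$(ssh_alert_subject) || return 0
    SSH_ALERT_SENT=1
    export SSH_ALERT_SENT
    # Run mail in a backgrounded subshell so a slow MTA cannot delay the
    # login and no job-control message is printed.
    ( ssh_alert_body | mail -s "$subject" "$ALERT_RCPT" >/dev/null 2>&1 & )
}

send_ssh_alert
```

A shell rc hook fires only when bash reads the file, so a session that does not start bash is not reported; the sshd entries in /var/log/secure remain the complete record.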

How to Use Fail2ban to Stop/Prevent SSH Brute Force on Linux

Brute-force break-in attempts against the SSH server are quite frequent. However, there is open source software that can help you deal with this problem automatically, namely fail2ban. Fail2ban provides a way to automatically protect a virtual private server (VPS) from malicious behavior by intruders or hackers. The program works by scanning log files and responding to unsuccessful and repeated login attempts. Here are the steps to implement fail2ban; they have been tested on CentOS 6, CentOS 7, RHEL 6 and RHEL 7.

1. Install fail2ban :

# yum install fail2ban -y

2. Make a copy of original config file :

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

3. Update jail.local configuration file :

# vi /etc/fail2ban/jail.local

Add as below :

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=receipient@gmail.com, sender=fail2ban@ehowstuff.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

4. Configure the preferred "bantime", "findtime" and "maxretry" before a host gets banned :

# vi /etc/fail2ban/jail.local

Update to the following :

..
..
# "bantime" is the number of seconds that a host is banned.
bantime  = 7200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
..
..
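
How these three settings interact, as an added sketch that is not fail2ban's own code: the script counts `Failed password` lines per source address and reports a ban once `maxretry` failures fall inside one `findtime` window, with the unban time `bantime` seconds later. The log lines are constructed with documentation addresses, all on the same day, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: simplified model of the findtime / maxretry / bantime logic.
# It only looks at "Failed password" lines and assumes one calendar day.

FINDTIME=600    # seconds, values from jail.local above
MAXRETRY=3
BANTIME=7200

# Constructed sample lines in /var/log/secure format (documentation IPs).
sample_log() {
cat <<'EOF'
Mar  3 13:00:01 vps sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar  3 13:00:05 vps sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar  3 13:00:09 vps sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar  3 13:00:12 vps sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar  3 13:01:00 vps sshd[101]: Failed password for root from 198.51.100.20 port 4100 ssh2
Mar  3 13:05:00 vps sshd[102]: Accepted password for skytech from 192.0.2.44 port 4200 ssh2
Mar  3 13:12:00 vps sshd[103]: Failed password for root from 198.51.100.20 port 4101 ssh2
Mar  3 13:23:00 vps sshd[104]: Failed password for root from 198.51.100.20 port 4102 ssh2
Mar  3 13:30:00 vps sshd[105]: Failed password for invalid user admin from 192.0.2.99 port 4300 ssh2
Mar  3 13:30:03 vps sshd[105]: Failed password for invalid user admin from 192.0.2.99 port 4300 ssh2
Mar  3 13:30:06 vps sshd[105]: Failed password for invalid user admin from 192.0.2.99 port 4300 ssh2
EOF
}

# find_bans: read log lines on stdin and print one line per ban decision:
#   BAN <ip> at <hh:mm:ss> until <hh:mm:ss>
find_bans() {
    awk -v findtime="$FINDTIME" -v maxretry="$MAXRETRY" -v bantime="$BANTIME" '
    function hms(s) {
        s = s % 86400
        return sprintf("%02d:%02d:%02d", int(s / 3600), int((s % 3600) / 60), s % 60)
    }
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]

        # The user name is client-supplied text, so take the address that
        # follows the LAST "from" on the line.
        ip = ""
        for (i = NF; i > 1; i--)
            if ($(i - 1) == "from") { ip = $i; break }
        if (ip == "") next

        # Failures from an address that is still banned are not counted.
        if ((ip in banned_until) && now < banned_until[ip]) next

        # Append this failure, then drop failures older than findtime.
        n[ip]++
        ts[ip, n[ip]] = now
        if (!(ip in h)) h[ip] = 1
        while (now - ts[ip, h[ip]] > findtime) h[ip]++

        if (n[ip] - h[ip] + 1 >= maxretry) {
            banned_until[ip] = now + bantime
            printf "BAN %s at %s until %s\n", ip, hms(now), hms(now + bantime)
            h[ip] = n[ip] + 1      # start counting afresh after a ban
        }
    }'
}

sample_log | find_bans
```

The address 198.51.100.20 is never banned because its failures are spaced more than `findtime` apart, which is the trade-off to keep in mind when choosing `findtime`. In the /var/log/messages excerpt in step 8, the ban at 13:38:13 is lifted at 15:38:14, matching the 7200-second `bantime`.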

5. Verify the sshd filter file :
You can review the default sshd filter file.

# vi /etc/fail2ban/filter.d/sshd.conf

6. Restart fail2ban :

# service fail2ban restart

7. After a few hours of implementation, fail2ban started capturing and banning such violations and attempts to guess the password for my VPS. Look at the log at /var/log/secure for monitoring :

# tail -f /var/log/secure
Mar  3 13:37:59 rn sshd[30681]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:38:02 rn sshd[30681]: Failed password for root from 115.231.218.57 port 2919 ssh2
Mar  3 13:38:05 rn sshd[30681]: Failed password for root from 115.231.218.57 port 2919 ssh2
Mar  3 13:38:07 rn sshd[30681]: Failed password for root from 115.231.218.57 port 2919 ssh2
Mar  3 13:38:09 rn sshd[30681]: Failed password for root from 115.231.218.57 port 2919 ssh2
Mar  3 13:38:12 rn sshd[30681]: Failed password for root from 115.231.218.57 port 2919 ssh2
Mar  3 13:38:13 rn sshd[30681]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:38:48 rn sshd[30702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:38:50 rn sshd[30702]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:38:52 rn sshd[30702]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:38:54 rn sshd[30702]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:38:56 rn sshd[30702]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:38:58 rn sshd[30702]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:38:58 rn sshd[30702]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:39:00 rn sshd[30704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:39:02 rn sshd[30704]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:39:04 rn sshd[30704]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:39:07 rn sshd[30704]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:39:09 rn sshd[30704]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:39:11 rn sshd[30704]: Failed password for root from 115.231.218.57 port 3090 ssh2
Mar  3 13:39:12 rn sshd[30704]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57  user=root
Mar  3 13:39:24 rn sshd[30708]: Invalid user admin from 115.231.218.57
Mar  3 13:39:24 rn sshd[30708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57
Mar  3 13:39:26 rn sshd[30708]: Failed password for invalid user admin from 115.231.218.57 port 2898 ssh2
Mar  3 13:39:27 rn sshd[30708]: Failed password for invalid user admin from 115.231.218.57 port 2898 ssh2
Mar  3 13:39:30 rn sshd[30708]: Failed password for invalid user admin from 115.231.218.57 port 2898 ssh2
Mar  3 13:39:33 rn sshd[30708]: Failed password for invalid user admin from 115.231.218.57 port 2898 ssh2
Mar  3 13:39:35 rn sshd[30708]: Failed password for invalid user admin from 115.231.218.57 port 2898 ssh2
Mar  3 13:39:35 rn sshd[30708]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.231.218.57

8. Fail2ban starts to ban, and unbans after two hours :

# tail -f /var/log/messages
Mar  3 13:38:13 rn fail2ban.actions[25912]: WARNING [ssh-iptables] Ban 115.231.218.57
Mar  3 13:38:58 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:39:12 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:39:33 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:39:43 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:39:56 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:40:20 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:40:30 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:40:41 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 13:40:51 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:30:32 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:30:46 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:31:35 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:32:34 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:32:51 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:33:02 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:33:32 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:33:43 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:33:54 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:34:06 rn fail2ban.actions[25912]: INFO [ssh-iptables] 115.231.218.57 already banned
Mar  3 15:38:14 rn fail2ban.actions[25912]: WARNING [ssh-iptables] Unban 115.231.218.57

9. Every ban action is followed by an email notification.

10. Check which IPs are already listed in the ban list :

# iptables -L
..
..
Chain fail2ban-NoAuthFailures (1 references)
target     prot opt source               destination
REJECT     all  --  141.101.98.8         anywhere            reject-with icmp-port-unreachable
REJECT     all  --  108.162.210.231      anywhere            reject-with icmp-port-unreachable
REJECT     all  --  108.162.221.246      anywhere            reject-with icmp-port-unreachable
REJECT     all  --  108.162.238.35       anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

How to Install EPEL Yum Repository on Linux CentOS 7 / RHEL 7

The EPEL yum repository is an open source yum (RPM) repository for CentOS that lets developers and system administrators install RPM packages via yum on their virtual private server (VPS) or dedicated server.

The EPEL yum repository is a Red Hat yum repository for CentOS and an additional yum repository alongside the existing CentOS repositories.

It provides 100% high quality software packages for Linux distributions, including RHEL (Red Hat Enterprise Linux), CentOS and Debian, and all packages are maintained by the Fedora repo team.

1. Prepare EPEL repository for RHEL 7/CentOS 7 64 bit (epel centos 7/epel rhel 7) :

# sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
# sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm

Example :

# sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
# sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-9                 ################################# [100%]

In CentOS 7, an alternative way to install the EPEL repo is by using the command yum :

# sudo yum install epel-release -y

2. Command to verify that the EPEL repository is enabled.

# sudo yum repolist

Sample output :

# sudo yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * epel: ftp.osuosl.org
 * extras: mirrors.linode.com
 * updates: mirrors.linode.com
repo id                                                       repo name                                                                                 status
base/7/x86_64                                                 CentOS-7 - Base                                                                            9,363
epel/x86_64                                                   Extra Packages for Enterprise Linux 7 - x86_64                                            11,046
extras/7/x86_64                                               CentOS-7 - Extras                                                                            200
nginx/x86_64                                                  nginx repo                                                                                    41
updates/7/x86_64                                              CentOS-7 - Updates                                                                           438
varnish-4.1/x86_64                                            Varnish Cache 4.1 for Enterprise Linux                                                        31
repolist: 21,119

3. Install the httpd package using the EPEL repo option --enablerepo=epel :

# sudo yum --enablerepo=epel install httpd

How to Remove / Uninstall Nginx on CentOS 7 / RHEL 7 / Oracle Linux 7

Nginx is an alternative web server to Apache and Lighttpd. Its popularity is growing because it focuses on high concurrency and high performance while maintaining low memory usage. However, for certain reasons a webmaster or system administrator may not be able to use Nginx on their server and decide to uninstall it. Most webmasters, administrators and programmers still prefer to use Apache over Nginx as a web server for the following reasons :

  • Not many webmasters, administrators and programmers are comfortable with Nginx configuration
  • Apache has built-in support for a wide range of web programming languages, including Perl, PHP and Python
  • Apache languages are easy to learn and can be used to create powerful online applications
  • Apache is still the most popular web server on the Internet
  • Apache is the oldest web server, you won’t have any trouble finding people skilled in configuring it.

On Linux servers running CentOS 7, RHEL 7 and Oracle Linux 7, the removal steps for Nginx are quite different from older versions. Therefore, this article explains the steps to remove or uninstall Nginx that was installed from source on CentOS 7, RHEL 7 and Oracle Linux 7.

Note : These steps to remove / uninstall Nginx have been tested on CentOS, RHEL and Oracle Linux platforms, running under root privilege.

1. Stop Nginx service and remove Nginx auto start script :

[root@rhel7 ~]# sudo systemctl stop nginx.service
[root@rhel7 ~]# sudo systemctl disable nginx.service

2. Remove the Nginx user and its related directory :

[root@rhel7 ~]# sudo userdel -r nginx

3. Delete the related Nginx installation directories :

[root@rhel7 ~]# sudo rm -rf /etc/nginx
[root@rhel7 ~]# sudo rm -rf /var/log/nginx
[root@rhel7 ~]# sudo rm -rf /var/cache/nginx/

4. Remove the created nginx.service script under systemd :

[root@rhel7 ~]# sudo rm -rf /usr/lib/systemd/system/nginx.service

How to Check and Verify the Version of Python on CentOS 6 / CentOS 7

Python is a popular, widely used high-level programming language with a design philosophy that emphasizes code readability. It is considered a programming language that is easy to learn and master because of its focus on readability. Python syntax allows programmers to express concepts in fewer lines of code than is possible in other programming languages such as C++ or Java. This article shows you how to check and verify the version of Python on CentOS 6, CentOS 7, RHEL 6 and RHEL 7.

1. Check Python version :

[root@vps ~]# python --version
Python 2.7.5

2. Enter python command line :

[root@vps ~]# python
Python 2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)] on linux2
Type "help", "copyright", "credits" or "license" for more information.

3. To exit, run the following command :

>>> quit()

How to Grant a New User to Root Privileges on CentOS 6 / CentOS 7

One recommended way to manage a virtual private server (VPS) or a dedicated Linux server is to avoid using the root account as the main access for SSH login. This is because hackers will usually try to brute force your root password and potentially get access to your server. Instead of using the default root account, you can create a new account, assign root privileges to it, and use the sudo command from it to run commands as root. Please make sure that the normal user account given root privileges works properly before you disable the default root login access. The following commands have been tested on CentOS 6, CentOS 7, RHEL 6 and RHEL 7 VPS.

1. Create new account named skytech and set the password :

[root@vps ~]# useradd skytech
[root@vps ~]# passwd skytech
Changing password for user skytech.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

2. Grant root privileges to the new user :

[root@vps ~]# visudo

Add the following code at the bottom of the file and save the file with the command :wq :

## Allow skytech user to run any commands anywhere
skytech    ALL=(ALL)       ALL

This will grant root privileges to the normal user skytech.

How to Install Varnish 4 on CentOS 6 / CentOS 7

Varnish is an open source web accelerator typically run in front of web servers such as Apache or Nginx. It is also known as an HTTP reverse proxy and is designed to serve static content, such as images, stylesheets or scripts. Varnish keeps copies of the pages served by the web server (Apache or Nginx) and re-uses the cached copy for subsequent requests. This helps dynamic websites such as WordPress or Joomla improve response times and also reduces the server load.

Varnish can also be downloaded from the EPEL (Extra Packages for Enterprise Linux) package repositories, but new major versions will not hit EPEL and it is not necessarily up to date. The following steps describe how to install Varnish 4 on CentOS 6 and CentOS 7.

Install Varnish 4 on CentOS 6 :

1. Prepare varnish repository :

# rpm -Uvh http://repo.varnish-cache.org/redhat/varnish-4.0/el6/noarch/varnish-release/varnish-release-4.0-4.el6.noarch.rpm

2. Prepare EPEL repository :

# rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. Install Varnish :

# yum install varnish -y

4. Start varnish and make varnish start at boot :

# service varnish start
# chkconfig varnish on

Install Varnish 4 on CentOS 7 :

1. Prepare EPEL repository :

# rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Or alternatively you can install by using yum command :

# sudo yum install epel-release -y

2. Install Varnish :

# sudo yum install varnish -y

3. Start varnish and make varnish start at boot :

# sudo systemctl start varnish.service
# sudo systemctl enable varnish.service

How to Pass Clients/Visitors IP Through Varnish to Nginx

Varnish is an open source HTTP reverse proxy that is typically run in front of web servers such as Apache or Nginx. In this case we will discuss Varnish and Nginx. Varnish stores in its cache the response the web server gave the first time a piece of content was accessed, then returns the cached copy for subsequent requests from end users without asking the Nginx web server again. Because every request that does reach Nginx comes from Varnish, the Nginx access logs will display the local proxy IP (usually 127.0.0.1 if installed on the same server) instead of the user's IP, as in the Nginx access logs below.

127.0.0.1 - - [16/Feb/2015:01:03:09 +0800] "GET /red-hat-details-next-linux-and-storage-platforms-for-cloud-big-data-era/?share=google-plus-1 HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
127.0.0.1 - - [16/Feb/2015:01:03:15 +0800] "GET /how-to-install-and-configure-epel-repository-on-centos-5-8/ HTTP/1.1" 200 15212 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
127.0.0.1 - - [16/Feb/2015:01:03:22 +0800] "POST /ngx_pagespeed_beacon?url=http%3A%2F%2Fwww.ehowstuff.com%2Fhow-to-install-telnet-client-on-centos-6-3%2F HTTP/1.1" 404 564 "https://webhostinggeeks.com/howto/how-to-install-telnet-client-on-centos-6-3/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36"
127.0.0.1 - - [16/Feb/2015:01:03:23 +0800] "GET /how-to-setup-squid-proxy-server-on-linux-centos-6-3/ HTTP/1.1" 200 16246 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

This is a problem for awstats or other log analysis software because the visitor information is incomplete. This article shows how to relay your blog visitors' IP addresses through Varnish to the Nginx logs. The steps have been tested on CentOS 6.6 and CentOS 7. Before we start, make sure that http_realip_module has been enabled. This module changes the client's IP address to the value from a request header (e.g. X-Real-IP or X-Forwarded-For). It isn't built by default; enable it with the configure option:

--with-http_realip_module

Step 1

Include "X-Forwarded-For" in sub vcl_recv of default.vcl :

[root@centos66 ~]# vi /etc/varnish/default.vcl
sub vcl_recv {
        # IP forwarding
        if (req.restarts == 0) {
                if (req.http.X-Forwarded-For) {
                        set req.http.X-Forwarded-For =
                                req.http.X-Forwarded-For + ", " + client.ip;
                } else {
                        set req.http.X-Forwarded-For = client.ip;
                }
        }
..
..

Step 2

Add the following in nginx.conf :

[root@centos66 ~]# vi /etc/nginx/nginx.conf
http {
..
..
    set_real_ip_from   127.0.0.1;
    real_ip_header      X-Forwarded-For;

..
..
}

Step 3
Restart Nginx web server and Varnish :

[root@centos66 ~]# service nginx restart
[root@centos66 ~]# service varnish restart

Step 4

Check and monitor the nginx access log again. It should now return the actual visitor IP as below :

157.55.39.102 - - [16/Feb/2015:01:06:04 +0800] "GET /how-to-download-centos-6-2-iso/ HTTP/1.1" 200 14622 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
68.180.228.247 - - [16/Feb/2015:01:06:16 +0800] "GET /tag/centos-6-2/page/4/ HTTP/1.1" 200 14474 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
220.181.108.178 - - [16/Feb/2015:01:06:25 +0800] "GET /howto-guides/howto-centos/ HTTP/1.1" 200 13863 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
66.249.79.116 - - [16/Feb/2015:01:06:33 +0800] "GET /how-to-enable-root-login-on-ubuntu-14-04/ HTTP/1.1" 200 15547 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
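
How Steps 1 and 2 fit together, as an added Python example that is not part of the original article: a simplified model of which address Nginx ends up logging once Varnish appends client.ip and Nginx trusts 127.0.0.1. The function names are hypothetical, the addresses are constructed from documentation ranges, and the selection logic is an assumption based on the documented behaviour of the realip module, not nginx source code.

```python
import ipaddress

# Mirrors "set_real_ip_from 127.0.0.1;" from Step 2.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def varnish_append_xff(incoming_xff, client_ip):
    """Model of the vcl_recv snippet in Step 1: append client.ip."""
    return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip


def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def nginx_real_ip(peer_addr, xff, recursive=False):
    """Simplified model of real_ip_header X-Forwarded-For (not nginx code)."""
    current = peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The header is only consulted while the current address is a trusted proxy.
    while hops and is_trusted(current):
        candidate = hops.pop()          # walk the list from the right
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                       # unparsable entry: keep current address
        current = candidate
        if not recursive:               # real_ip_recursive off (the default)
            break
    return current


def demo():
    # Constructed request: the client sends its own X-Forwarded-For value.
    header = varnish_append_xff("10.9.9.9", "203.0.113.7")
    return {
        "header_seen_by_nginx": header,
        "via_varnish": nginx_real_ip("127.0.0.1", header),
        "direct_untrusted_peer": nginx_real_ip("198.51.100.9", "10.9.9.9"),
        "bad_header": nginx_real_ip("127.0.0.1", "not-an-ip"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the rightmost entry, the one Varnish itself appended, is used for the log; whatever the client placed in the header ahead of it is ignored, and a peer outside set_real_ip_from keeps its own connection address.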