Centmin Mod FAQ
If English isn't your first language, you can use dropdown menu translator to translate this page into your preferred language.
Centmin Mod was created and tested to work as standalone Nginx, PHP-FPM and MariaDB MySQL stack without the use of any control panels. The goal of the Centmin Mod menu based installation was to make it easier to manage without the aid of a control panel. Centmin Mod definitely doesn't work with WHM/Cpanel, Plesk or DirectAdmin. I am unsure if it will work with Webmin, ISPConfig or Kloxo. Reason is mainly due to custom source compiled versions for Nginx and PHP-FPM and how the configuration files and settings are structured and laid out are totally different from any CentOS YUM repository provided installs for Nginx and PHP-FPM and the fact that Centmin Mod LEMP stack uses MariaDB MySQL. If you do try this yourself, please do on a test server environment only and not your live production web servers.
Centmin Mod was born from extensive modification of the original Centmin script. As such there was never any intention of within the original Centmin or my Centmin Mod script for purposes of shared hosting with multiple end users using individual FTP usernames to manage sites and domains.
Centmin Mod like original Centmin script, was intended for a single root user/administrator to manage multiple or single web site domains on a VPS or dedicated server. By default, in current version of Centmin Mod there is no security in place to protect one site domain vhost account from access to another domain vhost account. As such, current Centmin Mod script isn't suited to shared hosting where you provide to admin users other than yourself with site ftp/ssh access. All users would be able to access each site account. Of course this doesn't prevent you from modifying Centmin Mod script and structure to support shared hosting yourself if you know what you're doing. Note: I won't be able to provide any help if you do such modifications though.
For future Centmin Mod script versions, I do plan to add such support eventually but it's definitely something planned way into the future. So not anything that will be available anytime soon. Centmin Mod is provided for free and as is, so I am only working on Centmin Mod in my free time.
For now most folks do not need to install FTP, instead just use native SFTP to upload to Centmin Mod installed servers using SFTP supported client i.e. Filezilla - documentation and google tutorials http://lmgtfy.com/?q=filezilla+sftp+connect+server+tutorial. A few example tutorials:
- http://wiki.filezilla-project.org/Using
- http://wiki.dreamhost.com/FileZilla_Setup
- http://kb.siteground.com/how_to_establish_sftp_connection_to_hosting_with_filezilla/
- http://kb.mediatemple.net/questions/880/Using+FileZilla+for+FTP%7B47%7DSFTP#gs
- http://psychologyit.rutgers.edu/helpdocs/filezilla.html
- http://blog.softlayer.com/2012/tips-and-tricks-how-to-use-sftp/
Update: Jan 19th, 2015 - Centmin Mod 1.2.3-eva2000.08 beta release has added basic isolated jailed FTP user support via pure-ftpd virtual FTP user features for beta testing. Virtual FTP user support is done via FTP with explicit TLS/SSL for encrypted transfers via a self-signed SSL certificate and PASV mode enabled. You'd want to disable PHP shell functions to further lock it down as per Getting Started Guide item 14.
Full install instructions here.
Upgrades in General
Centmin Mod 1.2.3-eva2000.08 and higher has changed the upgrade method for actual Centmin Mod code itself. You can read the full upgrade method on the Upgrade page. For upgading Nginx and PHP etc, it's still the same as outlined below.
Within same v1.2.2 branch or within same v1.2.3 upgrades
If you are upgrading a server which already previously had Centmin Mod installed of the same branch i.e. Centmin Mod v1.2.2-eva2000.** or within same v1.2.3-eva2000.** branch, you DO NOT need to run option #1 (in fact as of Centmin Mod v1.2.2-eva2000.14 it will be impossible to run option #1 as the script will detect previous install of Centmin Mod and abort the script). For the latest Centmin Mod code update instructions check out the newly added Centmin Mod upgrade page.
Once, Centmin Mod code is updated just run option #4
and then option #5 for upgrading Nginx web server and upgrading PHP. You only need to run these if you upgrading to new Nginx or PHP version. If your existing Centmin Mod install has the same versions for Nginx and PHP, there maybe no need to even run those menu options unless, new Nginx and/or PHP modules and extensions are added by the updated Centmin Mod code. Update: as of v1.2.3-eva2000.07+ and higher, there's a new centmin.sh menu option 22
which can upgrade Nginx, PHP-FPM and Siege benchmark versions to the versions set in centmin.sh
. This means if you are upgrade Centmin Mod from say .07 to .08, you only have to run centmin.sh menu option #21 from .08 release, to automatically upgrade Nginx, PHP-FPM and Siege benchmark. Again, if between Centmin Mod releases, you upgraded Nginx and PHP-FPM versions to versions matching those in the new Centmin Mod releases's centmin.sh
version number variables, then there is no need to run menu option #21.
v1.2.2 to v1.2.3+ upgrades
But if you are on the older, Centmin Mod v1.2.2-eva2000.** branch, and want to move to utilising the full 100% feature set of Centmin Mod v1.2.3 branch, you will need to use a fresh CentOS installed server and do fresh Centmin Mod v1.2.3 install rather than upgrade and transfer your old files to the new server. The reason is the Centmin Mod v1.2.3 branch has alot of new features that are installed at initial install time only and not via upgrade.
If you don't need 100% of the new features in Centmin Mod v1.2.3 branch and are only concerned with utilising v1.2.3 Nginx, PHP and MariaDB 5.5 improvements, then just running Nginx upgrade option #4
and PHP upgrade option #5 and MariaDB 5.2.x to 5.5.x upgrade option #12 will allow you to use all the new Nginx, PHP and MariaDB 5.5 features listed at Centmin Mod v1.2.3. So running Nginx upgrade option #4
, you will always still get Google SPDY and ngx_pagespeed and other listed modules support on Nginx page. Same if you run PHP upgrade option #5, you will always still get all compiled extensions supported and listed on PHP page.
Nginx upgrade
Menu option #4
will upgrade Nginx web server by prompting you to enter the Nginx version you want to install. You may receive 404 Not Found errors on php pages after Nginx upgrade. If you do, run Menu option #5 to upgrade/reinstall PHP version. You will find the latest stable and development versions on Nginx.org. The Nginx upgrade routine will do a preliminary YUM update check to make sure any new Centmin Mod options have their required YUM installed software prior to the upgrade.
You can also use the menu option #4
to downgrade Nginx versions as well just by entering a Nginx version you want. For Centmin Mod, I would stick with the stable version Nginx v1.1.xx to v1.2.xx as there are changes to nginx.conf etc which Centmin Mod caters to in it's configuration files, which earlier Nginx versions won't support.
Nginx upgrade process will also backup your existing Nginx conf directory and file via 3 options in centmin.sh: NGINXBACKUP='y', NGINXCONFDIR='/usr/local/nginx/conf', NGINXBACKUPDIR='/usr/local/nginxbackup'. You will find backups of previous Nginx versions in timestamped directories located within /usr/local/nginxbackup.
PHP Upgrade
Menu option #5 will upgrade your PHP version to whatever version you enter at the prompt. You'll find latest PHP versions stable releases on the top right corner column on php.net.
Prior to Centmin Mod 1.2.3-eva2000.07 stable release, upgrading PHP involved some additional steps if you had installed any of the following PHP extensions, Xcache, APC, Suhosin, FFMPEG, Memcache or generally any extension which required you to manually load a *.so file into php.ini. The reason why is the PHP upgrade routine will backup your existing php.ini which is at /usr/local/lib/php.ini and save backup to /usr/local/lib/php.ini-oldversion_timestamp and then overwrite that php.ini file with latest php.ini supplied by PHP tarbal download package. However, with Centmin Mod 1.2.3-eva2000.07 and higher versions, this is usually no longer required as the upgrade routine automatically detects previously compiled PHP extensions and auto recompiles them on major PHP upgrades only i.e. PHP 5.4 to 5.5 or 5.6. It will skip auto recompiles for minor PHP upgrades i.e. PHP 5.5.16 to 5.5.17.
The PHP upgrade process will then do a DIFF comparison check between new /usr/local/lib/php.ini and saved backup at /usr/local/lib/php.ini-oldversion_timestamp and display all the changes and differences between the file. There's a 60 second delay on the screen so you can use that opportunity to copy or note the changes for your own records. Usually, the changes will highlight what PHP extensions were installed previously and what is missing in the new php.ini.
Prior to Centmin Mod 1.2.3-eva2000.07 stable release, all you had to do after PHP upgrade was to re-install those PHP extensions via menu options listed below - for Suhosin and FFMPEG install is fine. However, with Centmin Mod 1.2.3-eva2000.07 and higher versions, this is usually no longer required unless there are issues requiring manual recompile via menu options outlined below:
- 6). XCache Re-install
- 7). APC Cache Re-install
- 10). Memcached Server Re-install (this also updates your libevent version)
- 15). Install/Re-install imagick PHP Extension
- 18). Suhosin PHP Extension install
- 19). Install FFMPEG and FFMPEG PHP Extension
The PHP upgrade process also backs up and overwrites your existing php-fpm configuration file /usr/local/etc/php-fpm.conf to /usr/local/etc/php-fpm.conf-oldversion_timestamped. It will prompt you and ask if you want to overwrite and backup the php-fpm.conf file. This is to ensure updated php-fpm.conf changes make it into your server's php-fpm configuration.
MariaDB 5.5 MySQL ?
As at July 28th, 2015, latest Centmin Mod v1.2.3 and higher have MariaDB 10.0.x MySQL default support as outlined here.
For existing Centmin Mod users still on MariaDB 5.2, you'll find the new revised menu option #12 is for MariaDB 5.2.x update to MariaDB 5.5.x for folks wanting to test older Centmin Mod installs upgrade process to MariaDB 5.5
Since MariaDB 10.0.x uses YUM repository, future updates can be done via YUM:
yum update MariaDB-client MariaDB-common MariaDB-compat MariaDB-devel MariaDB-server MariaDB-shared
Before upgrading it is highly recommended to backup all your mysql databases using mysqldump
backup
mysqldump -Q -K --max_allowed_packet=256M --net_buffer_length=65536 --routines --events --triggers --hex-blob -u mysqlusername -p mysqldatabasename > /path/to/mysqldatabasename_backup_date.sql
restore
mysql -u mysqlusername -p mysqldatabasename < /path/to/mysqldatabasename_backup_date.sql
MariaDB 5.2.x upgrade
Menu option #11 will upgrade existing MariaDB 5.2.x MySQL server users only within MariaDB 5.2.x branch (follow above instructions if you want to move from MariaDB 5.2.x to MariaDB 5.5.x). But unlike Nginx and PHP upgrade routines, it will not prompt for MariaDB version. The version that is upgraded to is determined by what is set in centmin.sh for the following variables:
Set to version you want to upgrade to:
MDB_VERONLY='5.2.14' MDB_BUILD='122'
Set to existing version you are already using:
MDB_PREVERONLY='5.2.12' MDB_PREBUILD='115'
So centmin.sh will look like this for MariaDB 5.2.12 Build 115 upgrade to MariaDB 5.2.14 Build 122.
# Define current MariaDB version MDB_VERONLY='5.2.14' MDB_BUILD='122' MDB_VERSION="${MDB_VERONLY}-${MDB_BUILD}" # Use this version of MariaDB ${MDB_VERONLY} # Define previous MariaDB version for proper upgrade MDB_PREVERONLY='5.2.12' MDB_PREBUILD='115' MDB_PREVERSION="${MDB_PREVERONLY}-${MDB_PREBUILD}" # Use this version of MariaDB ${MDB_VERONLY}
Please stick with only the latest MariaDB 5.2.x version tested and listed on official web site at changelog.html. I can not guarantee that higher versions which have not been tested by me to work 100%.
Before upgrading it is highly recommended to backup all your mysql databases using mysqldump
backup
mysqldump -u mysqlusername -p mysqldatabasename > /path/to/mysqldatabasename_backup_date.sql
restore
mysql -u mysqlusername -p mysqldatabasename < /path/to/mysqldatabasename_backup_date.sql
Centmin Mod 131.00stable or 140.00beta01 or higher releases are tested from fresh installs as well as upgrades with latest PHP (php-fpm) versions. For AlmaLinux/Rocky Linux 8, PHP 8.0 is the default and for AlmaLinux/Rocky Linux 9, PHP 8.1 is the default. Or you can use a different PHP default version Centmin Mod installer. Or you can switch between PHP versions via centmin.sh menu option 5
and entering your desired PHP version when prompted. Centmin Mod latest versions also support a SSH command line option: getphpver
which will list the latest PHP version for each PHP major branch so you can be informed of latest PHP version to enter when prompted.
While the getphpver
command lists PHP 5.5-7.1 versions, these are no longer supported in AlmaLinux or Rocky Linux 8/9 operating systems. AlmaLinux/Rocky Linux 8 minimum supported PHP version is PHP 7.2, while AlmaLinux/Rocky Linux 9 minimum supported PHP version is PHP 7.4 as Centmin Mod has backported patch support for PHP 7.4 and PHP 8.0 for EL9 operating systems as technically for EL9 operating systems, PHP 8.0 is minimum supported version due to PHP 7.4 and PHP 8.0 not natively supporting EL9's OpenSSL 3.0 crypto library.
getphpver 8.3.9 8.2.21 8.1.29 8.0.30 7.4.33 7.3.33 7.2.34 7.1.33 7.0.33 5.6.40 5.5.38
With getphpver
command you can also narrow the latest PHP version output to just one PHP major version:
getphpver 83 8.3.9 getphpver 82 8.2.21 getphpver 81 8.1.29 getphpver 80 8.0.30 getphpver 74 7.4.33 getphpver 73 7.3.33 getphpver 72 7.2.34
You can also find latest PHP versions stable releases on the top right corner column on php.net.
Example centmin.sh menu option 5
upgrade switch to PHP 8.3.9 version below:
-------------------------------------------------------- Centmin Mod Menu 140.00beta01 centminmod.com -------------------------------------------------------- 1). Centmin Install 2). Add Nginx vhost domain 3). NSD setup domain name DNS 4). Nginx Upgrade / Downgrade 5). PHP Upgrade / Downgrade 6). MySQL User Database Management 7). Persistent Config File Management 8). Option Being Revised (TBA) 9). Option Being Revised (TBA) 10). Memcached Server Re-install 11). MariaDB MySQL Upgrade & Management 12). Zend OpCache Install/Re-install 13). Install/Reinstall Redis PHP Extension 14). SELinux disable 15). Install/Reinstall ImagicK PHP Extension 16). Change SSHD Port Number 17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2 18). Suhosin PHP Extension install 19). Install FFMPEG and FFMPEG PHP Extension 20). NSD Install/Re-Install 21). Data Transfer 22). Add Wordpress Nginx vhost + Cache Plugin 23). Update Centmin Mod Code Base 24). Exit -------------------------------------------------------- Enter option [ 1 - 24 ] 5 --------------------------------------------------------
PHP Upgrade/Downgrade - Would you like to continue? [y/n] y ---------------------------------------------------------------- Install which version of PHP? (i.e. 7.3.33, 7.4.33, 8.0.30, 8.1.29, 8.2.21, 8.3.9, NGDEBUG) PHP 7.x/7.1.x/7.2.x/7.3.x is GA Stable but still may have broken PHP extensions. NGDEBUG is PHP 8.4 dev builds minus incompatible PHP extensions ---------------------------------------------------------------- Current PHP Version: 8.4.0alpha1 Can Not Determine Latest PHP Version Installable: 8.3.9 8.2.21 8.1.29 8.0.30 7.4.33 7.3.33 7.2.34 7.1.33 7.0.33 5.6.40 5.5.38 Enter PHP Version number you want to upgrade/downgrade to: 8.3.9 Do you still want to continue? [y/n] y ---------------------------------------------------------------- existing php.ini will be backed up at /usr/local/lib/php.ini-oldversion_170724-231417 ---------------------------------------------------------------- ----------------------------------------------------------------------------------------- Detected PHP 8.3 branch. You can compile Zend OPcache (Zend Optimizer Plus+) support as an alternative to using APC Cache or Xcache cache. But Zend OPcache only provides PHP opcode cache and DOESN'T do data caching, so if your web apps such as Wordpress, Drupal or vBulletin require data caching to APC or Xcache, it won't work with Zend OPcache. ----------------------------------------------------------------------------------------- Do you want to use Zend OPcache [y/n] ? y
You can do this via Centmin Mod menu options #2 & #3. Full details here.
Remember to check your domain name's DNS is properly configured at both your domain registrar & web server end (NSD) by running domain name through these 3 dns test sites
From Centmin Mod v1.2.2-eva2000.15 and onwards, logging is automatically done when you run centmin.sh. A log directory is defined by variable CENTMINLOGDIR='/root/centminlogs' in inc/centminlogs.inc. When run menu option, the entire process will be logged to a time stamped text log file named ${CENTMINLOGDIR}/centminmod_${SCRIPT_VERSION}_${DT}_*.log so you can review the logs for error messages etc
ls -lhrt /root/centminlogs/ total 7.3M -rw-r--r-- 1 root root 4.3M Apr 14 17:14 centminmod_1.2.2-eva2000.15_140412-151749_install.log -rw-r--r-- 1 root root 1.7M Apr 14 17:44 centminmod_1.2.2-eva2000.15_140412-173219_php_upgrade.log -rw-r--r-- 1 root root 30K Apr 14 17:44 centminmod_1.2.2-eva2000.15_140412-173219_apc_reinstall.log -rw-r--r-- 1 root root 89K Apr 14 17:45 centminmod_1.2.2-eva2000.15_140412-173219_memcached_reinstall.log -rw-r--r-- 1 root root 24K Apr 14 17:46 centminmod_1.2.2-eva2000.15_140412-173219_suhosin_install.log -rw-r--r-- 1 root root 17K Apr 14 17:49 centminmod_1.2.2-eva2000.15_140412-173219_ffmpeg_install.log -rw-r--r-- 1 root root 1.3M Apr 14 18:02 centminmod_1.2.2-eva2000.15_140412-173219_nginx_upgrade.log -rw-r--r-- 1 root root 23K Apr 14 18:31 centminmod_1.2.2-eva2000.15_140412-183136_nsd_reinstall.log
Old method (prior to v1.2.2-eva2000.15): If you're testing Centmin Mod installation on a test server and want to log the entire output of the process to a log file, you can use script command before running centmin.sh.
Type this command before running centmin.sh
script -f centminv122mod.log
Run centmin.sh which will invoke the full menu and select options you wan to run i.e. option #1
./centmin.sh
When you finished running centmin.sh hit exit option then at command prompt type exit command, this finishes the log and writes everything to centminv122mod.log which you can download and review.
exit
To change timezone before install, edit centmin.sh
and find and change the ZONEINFO variable. For after install changes and more on ZONEINFO
variable read the full guide here. Centmin Mod 1.2.3-eva2000.08+
and higher versions also added a convenient mytimes
comand which outputs several timezones' relative times along with the server default timezone
mytimes Sun Aug 23 15:10:31 UTC 2015 [UTC] Mon Aug 24 01:10:31 AEST 2015 [Australia/Brisbane] Sun Aug 23 08:10:31 PDT 2015 [America/Los_Angeles] Sun Aug 23 10:10:31 CDT 2015 [America/Chicago] Sun Aug 23 11:10:31 EDT 2015 [America/New_York] Sun Aug 23 16:10:31 BST 2015 [Europe/London]
Time it takes varies depending on what software you opt to install, the server's network connectivity speed and the type of VPS or dedicated server you install it on. More powerful servers will take less time to install. The faster your server's network connectivity, the faster it downloads software (YUM/RPMs). On my local virtualbox test server (Xeon W3540 @3.5Ghz 2 cores allocated, 1.5GB memory, SATAII disk) for CentOS 5.5, 5.6 and 6.0, for full install for all prompted default options it takes roughly 20-22 minutes to install. On centminmod.com's cluster of 512MB / 1GB Burst OpenVZ based VPSes with 2 core Xeon E5520, the same full install took nearly 55 minutes. For Centmin Mod 1.2.3-eva2000.08+ and higher, the times have been relatively improved. From my local Virtualbox testing in 2015, install times were reduced from 1,300-1,800 seconds to 1,000-1,300 seconds. For OpenVZ testing on 4 cpu core VPS, times weere reduced from 1,000-1,300 seconds to 600-900 seconds. You may think that is a long time, but remember in most cases you'll be optimised post-install time ready to go as opposed to usual YUM/RPM install, you could spend hours post-install on getting everything optimised settings wise.
From 1.2.3-eva2000.08+ and higher versions, there's a one liner curl install method. This method provides additional statistics at end of install including the install times and a break down of download, yum, source compile and total install times. Example below:
--------------------------------------------------------------------------- Total Curl Installer YUM or DNF Time: 56.1786 seconds Total YUM Time: 12.470224222 seconds Total YUM or DNF + Source Download Time: 28.4158 Total Nginx First Time Install Time: 50.0480 Total PHP First Time Install Time: 150.4703 Download Zip From Github Time: 1.2459 Total Time Other eg. source compiles: 234.5482 Total Centmin Mod Install Time: 463.4823 --------------------------------------------------------------------------- Total Install Time (curl yum + cm install + zip download): 520.9068 seconds ---------------------------------------------------------------------------
Current versions of Centmin Mod Nginx auto installer has been tested on CentOS 7 (now end of life), AlmaLinux 8/9, Rocky Linux 8/9, Oracle Linux 8/9. However, as most web hosts offer only AlmaLinux or Rocky Linux, these are the recommended operating systems to install Centmin Mod on. For minimum and recommended memory and disk requirements which affect the choice of CentOS OS to use for Centmin Mod read official Centmin Mod Install page guide. Currently, only x86/x86_64 architecture is supported and ARMv7/8 based cpus isn't supported due to CentOS ARM compatibility with 3rd party YUM repositories that Centmin Mod uses. Hopefully, in future it maybe so keep an eye on Centmin Mod Community Forum's Beta Release forums for any updates.
Centmin Mod has tested on mainly on KVM and OpenVZ based VPS servers and dedicated servers with x86_64 architecture based CPU servers.
Currently, Centmin Mod is CentOS, AlmaLinux, Rocky Linux only - the focus is on developing all the planned features to be more mature before looking at other operating systems. There's a public official development dashboard roadmap for some of the planned features and wishlist features for Centmin Mod. But there's a definite possibility that in future, I'll write up a Debian version once I have Centmin Mod version settled in terms of features and stability. As for a FreeBSD Nginx auto installer script, there's no plans right now. But that can change.
Put simply, back when Centmin Mod was first developed in 2011 - MariaDB 5.2.x MySQL server had the best performance mix for both MyISAM and InnoDB storage engines in MySQL. You can read benchmarks I did on my blog Part 1 and Part 2. While it may not make as much difference for VPS and dedicated servers with low memory and cpu core count specifications, MariaDB 5.2.x uses Percona's XtraDB InnoDB engine so has same or somewhat better InnoDB performance as Percona but MariaDB is the only MySQL version which still focuses on MySQL core improvements as well as improvements to MyISAM engine.
MariaDB usage has continued since then. You can read about the differences and similarities between MariaDB Server vs Oracle MySQL vs Percona MySQL on the forums here.
yum -q -y install postfix Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package postfix.x86_64 2:2.6.6-2.2.el6_1 will be installed --> Processing Dependency: mysql-libs for package: 2:postfix-2.6.6-2.2.el6_1.x86_64 --> Finished Dependency Resolution Error: Package: 2:postfix-2.6.6-2.2.el6_1.x86_64 (base) Requires: mysql-libs You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest
This is a problem with MariaDB 5.2 RPM packages on CentOS 6.x which usually provides mysql-libs but to install MariaDB 5.2 you have to uninstall mysql-libs which postfix requires. This is fixed with MariaDB 5.5 packages as it includes the dependencies that CentOS 6.x mysql-lib usually provide.
As at May 18th, 2013, latest Centmin Mod v1.2.3 beta has MariaDB 5.5 MySQL default support as outlined here.
Note: MariaDB 5.5.30 currently has a bug when a host is configured to have both ipv6 and ipv4 enabled you may get 'Error establishing a database connection' with your web apps i.e. wordpress when connecting via localhost. If you use 127.0.0.1 instead of localhost it works fine. This bug is fixed in next MariaDB 5.5.31 release (bug reported).
Centmin Mod will very soon be moving to MariaDB 5.5 base installs by default for this very reason as well as the better performing MariaDB 5.5 server. Testing is currently being done with MariaDB 5.5. For updates as to when MariaDB 5.5 support comes to Centmin Mod, please follow me on Twitter or via Centmin Mod Google+ Page.
Example of successful install of postfix with test MariaDB 5.5 on Centmin Mod install
mysqladmin ver mysqladmin Ver 9.0 Distrib 5.5.25-MariaDB, for Linux on x86_64 Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc, 2009 Monty Program Ab This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to modify and redistribute it under the GPL license Server version 5.5.25-MariaDB Protocol version 10 Connection Localhost via UNIX socket UNIX socket /var/lib/mysql/mysql.sock Uptime: 5 sec Threads: 1 Questions: 1 Slow queries: 0 Opens: 33 Flush tables: 1 Open tables: 26 Queries per second avg: 0.200
yum install postfix Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package postfix.x86_64 2:2.6.6-2.2.el6_1 will be installed --> Finished Dependency Resolution Dependencies Resolved ========================================================================= Package Arch Version Repository Size ========================================================================= Installing: postfix x86_64 2:2.6.6-2.2.el6_1 base 2.0 M Transaction Summary ========================================================================= Install 1 Package(s) Total download size: 2.0 M Installed size: 9.7 M Is this ok [y/N]: y Downloading Packages: postfix-2.6.6-2.2.el6_1.x86_64.rpm | 2.0 MB 00:01 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : 2:postfix-2.6.6-2.2.el6_1.x86_64 1/1 Installed: postfix.x86_64 2:2.6.6-2.2.el6_1 Complete!
This depends on various factors including, what you choose to install software wise at installation time, opting to install Zend Opcache for php opcode caching, Memcached servers - choice between 1 or 2 instances and dependent on the operating systems minimum memory requirements. AlmaLinux and Rocky Linux 8/9 operating systems will generally use more memory than now end of life CentOS 7. For VPS based servers, it will also depend on what type of virtualization is implemented. OpenVZ based VPS out of box used more memory if left unchecked due to default stack sizes.
The minimum and recommended memory requirements have increased due to the base EL8 and EL9 memory requirements increasing.
- For AlmaLinux and Rocky Linux 8, the minimum system requirements are 1GB memory and 20GB disk. The recommended system requirements are at least 2GB memory and 40GB disk.
- For Centmin Mod on AlmaLinux & Rocky Linux 8, the minimum system requirements are 2GB memory + 4GB swap disk and 40GB disk. using a swap disk when there's not enough memory will still allow Centmin Mod to operate, but it will be a lot slower - as slow as the swap disk's underlying disk performance. Centmin Mod will auto detect if your do not have swap disk or not enough swap disk size and create a swap disk automatically. Recommended system requirements are at least 4GB memory + 4GB swap disk and 60GB disk. If you plan to install any type of Linux anti-malware/virus scanning software, you would want to add at least another 1-4GB of memory on top of those requirements. The optimal CPU core/threads is between 2-4. Though 1 CPU core is fine. The more CPU cores/threads, the faster the Centmin Mod source compiled routines will complete and the more concurrent workloads your server stack will generally be able to handle.
When I started modifying the original Centmin script for my own needs, the first thing I did was add command shortcuts to Centmin Mod. Normally, to edit server configuration files or start/stop/restart services in SSH2 telnet, you need to type in lengthy commands.
With command shortcuts, if you opted to install them at Centmin Mod installation time, you'll be able to type a one word command to perform the entire action. Of course, the software needs to be installed for command lines to work i.e. memcached or csf need to have been installed. The command shortcuts invokes the nano linux text editor, you can read up more about nano here and here.
Below are a list of command shortcuts:
- Edit custom_config.inc persistent config file = customconfig ( /etc/centminmod/custom_config.inc )
- mytimes = mytimes displays server date and time in multiple timezones (123.09beta01 only at /usr/bin/mytimes)
- Edit php.ini = phpedit ( /usr/local/lib/php.ini )
- Edit my.cnf = mycnf ( /etc/my.cnf )
- Edit php-fpm.conf = fpmconf ( /usr/local/etc/php-fpm.conf )
- Edit nginx.conf = nginxconf ( /usr/local/nginx/conf/nginx.conf )
- Edit (nginx) virtual.conf = vhostconf - only edits /usr/local/nginx/conf/conf.d/virtual.conf not the additional vhost domain.com.conf files added later
- Edit (nginx) php.conf = phpinc ( /usr/local/nginx/conf/php.conf )
- Edit (nginx) drop.conf = dropinc ( /usr/local/nginx/conf/drop.conf )
- Edit (nginx) staticfiles.conf = statfilesinc ( /usr/local/nginx/conf/staticfiles.conf )
- nginx stop/start/restart = ngxstop/ngxstart/ngxrestart
- php-fpm stop/start/restart = fpmstop/fpmstart/fpmrestart
- mysql stop/start/restart = mysqlstop/mysqlstart/mysqlrestart
- nginx + php-fpm stop/start/restart = npstop/npstart/nprestart
- memcached stop/start/restart = memcachedstop/memcachedstart/memcachedrestart
- csf stop/start/restart = csfstop/csfstart/csfrestart
Example of mytimes output:
mytimes Sun Oct 2 14:17:21 UTC 2016 [UTC] Mon Oct 3 00:17:21 AEST 2016 [Australia/Brisbane] Sun Oct 2 07:17:21 PDT 2016 [America/Los_Angeles] Sun Oct 2 09:17:21 CDT 2016 [America/Chicago] Sun Oct 2 10:17:21 EDT 2016 [America/New_York] Sun Oct 2 15:17:21 BST 2016 [Europe/London]
Setting shortcut to centmin.sh directory
Centmin Mod command shortcuts use hard coded files in /usr/bin/shortcutname as they are known paths etc. But for normal short cuts you might want to use more common alias command via /root/.bashrc file.
- backup contents of /root/.bashrc
- then edit /root/.bashrc to add aliases which are short cuts to command line statements you commonly run. One alias line per command. So to change to Centmin Mod centmin.sh directory if it's installed at /usr/local/src/centminmod/ (change directory path for below commands accordingly if you downloaded to different directory) you would type these 2 commands as root user in SSH telnet session.
alias cmod='pushd /usr/local/src/centminmod/'
echo "alias cmod='pushd /usr/local/src/centminmod/'" >> /root/.bashrc
Second command adds the alias command (first command) to /root/.bashrc.
I used pushd instead of cd command to change to directory as pushd along with popd are very useful. Read about their usage at http://www.eriwen.com/bash/pushd-and-popd/ and http://linux.101hacks.com/cd-command/dirs-pushd-popd/
To see all your listed and active alias commands type the command below. By default CentOS already has some alias commands set which will also be listed:
alias
Unfortunately, I haven't gotten my head around rewrite rules and regex as yet. Best place to ask for help for Apache rewrite/htaccess conversions to equivalent Nginx rewrite rule would be on Nginx's official forums at http://forum.nginx.org/. I am actively looking at compiling a list of standard working Nginx rewrite rules for various software like, wordpress & drupal perma links, vBulletin, xenforo, IPB forums and other software. Appropiate credit/linking to contributor and their site will be given on the compiled list page. So if you'd like to contribute to such a list, feel free to contact me.
When I started modifying the original Centmin script for my own needs, I had a very specific configuration in mind for Nginx, PHP-FPM, and MariaDB. They would be custom tuned settings wise from out of the box installations - ready to hit the ground running with optimised specific settings. The source install method for common software also allows using more recent versions that what CentOS YUM repositories can provide and also lessen Centmin Mod user's reliance on the developer when new versions of software are released. The end user can just run centmin.sh menu options 4 and 5 to upgrade to newer Nginx and PHP versions without any delay in waiting for YUM repo based RPMs to be released or built. So with source compiles for Nginx and PHP, there is a shorter time between when the Nginx and PHP developers announce a new version release on their web site and the time you get to install that newer version on your server. For YUM repo installs, that more lengthy delay can be days or weeks even between Nginx and PHP developer announced new version and time you get to install the new version on your server.
RPM/YUM while faster for installation, wouldn't satisfy my goals in that you'd spend alot more time after installation trying to customise each and every software. I also use Amazon EC2, Rackspace Cloud, GoGrid based cloud server hosting for testing as well for my Apache equivalent bash auto install script which I wrote from ground up prior to finding Centmin (alot of the Centmin Mod functions were ported over from my Apache bash auto installer sript - including the above command shortcut feature).
The Apache version like Centmin Mod, aimed at reducing the amount of post-install time in customising settings for all software. Afterall, cloud server hosting charges by the hour, so less time post-install configuring equals less costs incurred. So basically, some software is source compiled for this reason - weighing up a more lengthy install process for nearly zero time post-install custom configuration process. The other reason for source compile for Nginx, PHP-FPM, Xcache, APC, Memcached etc is that these are constantly updated with new versions and rather than be reliant on and waiting for YUM REPO/RPM binary updates which always lag behind the new releases, source compilation allowed much more timely updates. This is also important for Nginx to be able to add and update additional Nginx modules in a timely manner i.e. ngx_pagespeed module.
Nginx and PHP source installs also allow Centmin Mod to provide features and enhancements that not many other LEMP/LAMP stacks provide including. These are some features available optionally in latest Centmin mod 123.09beta01 and newer releases:
- PHP 7 Profile Guide Optimisations for +3-17% extra boost over PHP 7 standard installs
- Intel cpu optimised compiler options for Nginx and PHP installs which can improve performance by between 10-50%.
- Centmin Mod 123.09beta01 optional GCC 5.3 and GCC 6.2 support for Nginx and PHP compiles which again can offer another 3-20% performance for some work loads.
- Nginx HTTPS performance from static compiled OpenSSL 1.0.2/1.1.0 and LibreSSL 2.4/2.5 crypto libraries with added Cloudflare dynamic TLS record size patches and Cloudflare chacha20 patches for OpenSSL 1.0.2 and smarter chacha20 patch for OpenSSL 1.1.0.
- Nginx with OpenSSL 1.0.2+ support and LibreSSL means ALPN protocol support for HTTP/2 based HTTPS which standard CentOS distro Nginx can't provide as it uses system OpenSSL 1.0.1e that doesn't support ALPN protocol so no HTTP/2 based HTTPS for performance
- Nginx is compiled against jemalloc as alternate for better memory management and performance. Google search for the terms 'jemalloc vs glibc vs tcmalloc' or 'jemalloc vs glibc' for reading and here for Centmin Mod regarding optional support for tcmalloc but using jemalloc by default.
- Nginx with full dual RSA+ECDSA SSL cert support https://community.centminmod.com/th...-dual-ecdsa-rsa-ssl-certificate-support.7449/
- Nginx with dynamic Nginx module support for smaller Nginx binaries and flexibility/mem usage improvements
- Nginx nginScript module support as dynamic Nginx module
- Nginx brotli compression for up to 20% better static file compression size for faster page loads and reduced bandwidth consumption https://community.centminmod.com/th...sion-for-centmin-mod-nginx-web-servers.10688/
- Nginx Google ngx_pagespeed module support as a dynamic Nginx module
- Centmin Mod 123.009beta01+ and higher has work on free Letsencrypt SSL certificate integration.
Some of Centmin Mod's installed software will have their own access and error logs which maybe useful for diagnosing errors or give info, notes, or warning notices.
Note: There's no support provided by me for diagnosing such errors which may occur for various reasons including misconfiguration of installed php/mysql scripts or applications.
In SSH2 telnet you can use tail command to view the last X number of lines in the file.
For example for viewing last 10 lines in the file for:
For Nginx access and error logs:
tail -10 /usr/local/nginx/logs/access.log tail -10 /usr/local/nginx/logs/error.log
For specific domainname.com access and error log:
tail -10 /home/nginx/domains/domainname.com/log/access.log tail -10 /home/nginx/domains/domainname.com/log/error.log
For other system error logs located at /var/log:
list /var/log files in ascending time order so the most recently modified files are at the bottom
ls -lhrt /var/log total 2.7M -rw------- 1 root root 0 Aug 29 15:33 tallylog -rw------- 1 root root 0 Aug 29 15:33 spooler drwx------ 3 root root 4.0K Aug 29 15:35 samba drwxr-xr-x 2 root root 4.0K Aug 29 15:35 mail -rw-r--r-- 1 root 500 0 Oct 8 18:13 dmesg.old -rw------- 1 root 500 0 Oct 8 18:13 boot.log -rw-r--r-- 1 root 500 0 Oct 8 18:14 dmesg drwx------ 2 root root 4.0K Oct 8 18:14 httpd drwxr-xr-x 2 root root 4.0K Oct 8 19:08 php-fpm -rw-rw---- 1 mysql root 2.3K Oct 9 12:38 mysqld.log -rw------- 1 root root 9.2K Oct 26 10:48 yum.log -rw------- 1 root utmp 94K Nov 7 22:59 btmp drwxr-xr-x 2 root root 4.0K Nov 8 00:00 sa -rw------- 1 root root 269K Nov 8 21:39 messages -rw------- 1 root root 110K Nov 8 23:08 secure -rw-rw-r-- 1 root utmp 43K Nov 8 23:08 wtmp -rw-r--r-- 1 root root 144K Nov 8 23:08 lastlog -rw------- 1 root root 69K Nov 8 23:08 lfd.log -rw------- 1 root root 332K Nov 8 23:08 maillog -rw------- 1 root 500 1.6M Nov 8 23:10 cron
For PHP-FPM error log:
tail -10 /var/log/php-fpm/www-error.log
and/or
/var/log/php-fpm/www-php.error.log
For CentOS 7 systemd has it's own logging system via command:
journalctl -u php-fpm --no-pager
For MySQL / MariaDB error log:
For CentOS 6 only.
tail -10 /var/lib/mysql/YOURHOSTNAME.err
or
tail -10 /var/log/mysqld.log
For CentOS 7 systemd has it's own logging system via command:
journalctl -u mariadb --no-pager
For CSF firewall LFD log:
tail -10 /var/log/lfd.log
For Mail log:
tail -10 /var/log/maillog
For Cron job logs:
tail -10 /var/log/cron
You need to edit /usr/local/nginx/conf/conf.d/virtual.conf and find the very first instance of these lines
include /usr/local/nginx/conf/staticfiles.conf; include /usr/local/nginx/conf/php.conf; #include /usr/local/nginx/conf/phpstatus.conf; include /usr/local/nginx/conf/drop.conf; #include /usr/local/nginx/conf/errorpage.conf;
Uncomment and enable by remove # hash in front of phpstatus.conf
So this
#include /usr/local/nginx/conf/phpstatus.conf;
becomes
include /usr/local/nginx/conf/phpstatus.conf;
save /usr/local/nginx/conf/conf.d/virtual.conf, then restart Nginx
service nginx restart
or if you installed centmin mod shortcuts http://lb1.centminmod.com/faq.html#commandshortcuts you can use this command
ngxrestart
then install lynx via yum
yum -q -y install lynx
then run this command whenever you want to see php-fpm usage stats
lynx --dump http://127.0.0.1/phpstatus
You'll get output like below
pool: www process manager: static start time: 28/Jun/2012:21:24:51 +0400 start since: 75 accepted conn: 196 listen queue: 0 max listen queue: 0 listen queue len: 0 idle processes: 4 active processes: 1 total processes: 5 max active processes: 1 max children reached: 0
PHP Status explained:
- pool - the name of the pool that is listening on the connected socket, as defined in the php-fpm config.
- process manager - the method used by the process manager to control the number of child processes - either ondemand, dynamic or static - set on a per pool basis (in the php-fpm config) by the pm parameter.
- start time - the date, time, and UTC offset corresponding to when the PHP-FPM server was started.
- start since - the number of seconds that have elapsed since the PHP-FPM server was started (i.e. uptime).
- accepted conn - the number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue (displayed in real time).
- listen queue - the current number of connections that have been initiated, but not yet accepted. If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising pm.max_children (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets.
- max listen queue - the maximum value the listen queue has reached since the server was started.
- listen queue len - the upper limit on the number of connections that will be queued Once this limit is reached, subsequent connections will either be refused, or ignored. This value is set by the php-fpm per pool configuration option 'listen.backlog', which defaults to -1 (unlimited). However, this value is also limited by the system (sysctl) value 'net.core.somaxconn', which defaults to 128 on many Linux systems.
- idle processes - the number of servers in the 'waiting to process' state (i.e. not currently serving a page). This value should fall between the pm.min_spare_servers and pm.max_spare_servers values when the process manager is dynamic. (updated once per second)
- active processes - the number of servers current processing a page - the minimum is 1 (so even on a fully idle server, the result will be not read 0). (updated once per second)
- total processes - the total number of server processes currently running; the sum of idle processes + active processes. If the process manager is static, this number will match pm.max_children. (updated once per second)
- max active processes - the highest value that 'active processes' has reached since the php-fpm server started. This value should not exceed pm.max_children.
- max children reached - the number of times that pm.max_children has been reached since the php-fpm server started (only applicable if the process manager is ondemand or dynamic)
To increase or decrease Memcached server's allocated memory size, you will need to edit /etc/init.d/memcached start up file's MEMSIZE=8 variable. The variable assigns memory in MegaBytes (MB), so MEMSIZE=8 is equal to 8MB. If you want to allocate 256MB to Memcached server(s), then edit and change variable to MEMSIZE=256 and then restart memcached server:
service memcached restart
or via command shortcut
memcachedrestart
Since Centmin Mod v1.2.2-eva2000.09, installation automatically sets up a /etc/cron.daily/diskalert daily cron job script to monitor your disk space usage. By default the script will alert you to when disk space usage is >90% on any one partition on your server and sends email to root user unless you edit the script at /etc/cron.daily/diskalert to set the EMAIL='youremail@email.com' address. You can also change the preset warning percentage threshold by editing /etc/cron.daily/diskalert and changing ALERT='90' to different percentage.
It is important to monitor disk space usage - to be able to see how much free disk space you have left. It is sometimes one of the more commonly overlooked metrics on VPS or dedicated servers.
Centmin Mod additional PHP compiled extensions such as APC Cache, Xcache, Memcache/Memcached, ImagicK, igbinary, FFMPEG and Suhosin are usually loaded separately from php.ini for ease of management via the menu options. As such these PHP compiled extensions are loaded individually into their own respective *.ini files in the directory defined in centmin.sh script, CONFIGSCANBASE='/root/centminmod'. For Centmin Mod v1.2.3-eva2000.07+ and higher, this path will change to CONFIGSCANBASE='/etc/centminmod'
So if you need to edit settings or manually disable a PHP extension, you can do so at the following locations (provided you have actually installed the listed PHP extension):
- /root/centminmod/apc.ini (edit APC memory allocation here)
- /root/centminmod/xcache.ini (edit Xcache memory allocation here)
- /root/centminmod/igbinary.ini
- /root/centminmod/imagick.ini
- /root/centminmod/memcache.ini
- /root/centminmod/memcached.ini
- /root/centminmod/suhosin.ini (older installs will have ffmpeg.so directory loaded via (/usr/local/lib/php.ini)
- /root/centminmod/ffmpeg.ini (older installs will have suhosin.so directory loaded via (/usr/local/lib/php.ini)
Common errors you may come across while installing or using Centmin Mod on CentOS operating system:
Problem: If you forget to make centmin.sh script executable via chmoding it or setting it's permissions to 755 via FTP/SFTP you'll get permission denied message for centmin.sh. Make sure you are running centmin.sh as root administrative user.
./centmin.sh: Permission denied
Solution: in SSH2 telnet as root admin user chmod centmin.sh or via FTP/SFTP set 755 permissions on centmin.sh
chmod +x centmin.sh
Problem: Nginx upgrade option fails - nginx tarball file not found.
Compiling nginx... --2011-10-07 14:48:5-- http://nginx.org/download/nginx-.tar.gz Resolving nginx.org... 206.251.255.63 Connecting to nginx.org|206.251.255.63|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2011-10-07 14:48:53 ERROR 404: Not Found. tar: nginx-.tar.gz: Cannot open: No such file or directory tar: Error is not recoverable: exiting now tar: Child returned status 2 tar: Error exit delayed from previous errors ./centmin.sh: line 1789: cd: nginx-: No such file or directory make: *** No rule to make target 'clean'. Stop. Would you like to compile nginx with IPv6 support? [y/n]
Solution: You didn't enter the correct nginx version number when prompted when you ran nginx upgrade option.
ie. enter 1.0.8 or 1.1.5 at prompt
-------------------------------------------------------- Centmin 1.2.2-eva2000.02 - http://centminmod.com Menu/Mods Author: eva2000 (vbtechsupport.com) Centmin Original Author: BTCentral (btcentral.org.uk) -------------------------------------------------------- Centmin Menu -------------------------------------------------------- 1). Centmin Install 2). Add Nginx vhost domain 3). NSD setup domain name DNS 4). Nginx Upgrade 5). PHP Upgrade 6). XCache Re-install 7). APC Cache Re-install 8). XCache Install 9). APC Cache Install 10). Memcached Server Re-install 11). MariaDB 5.2 Upgrade 12). Install ioping.sh vbtechsupport.com/1239/ 13). SELinux disable 14). Setup Logrotate for Nginx 15). Setup Logrotate for PHP-FPM 16). Change SSHD Port Number 17). Exit -------------------------------------------------------- Enter option [ 1 - 17 ] 4 -------------------------------------------------------- ********************************************************************** * Nginx Update script - Included in Centmin Extras * Version: 1.2.2-eva2000.02 - Date: 08/10/2011 - Copyright 2011 BTCentral ********************************************************************** This software comes with no warranty of any kind. You are free to use it for both personal and commercial use as licensed under the GPL. Nginx Upgrade - Would you like to continue? [y/n] y Install which version of Nginx? (version i.e. 1.0.6): 1.1.5
Problem: MySQL server not starting up, I get the following error message:
Starting MySQL................................ ERROR! Manager of pid-file quit without updating file.
Solution: Run the following commands:
Check mysql error log for unsupported mysql variable options you may have added or changed in /etc/my.cnf after Centmin Mod initial installation
Command to run in ssh2 telnet as root user:
tail -30 /var/lib/mysql/`hostname`.err | sed -e "s/`hostname`/yourserverhostname/g"
Also check:
tail -30 /var/log/mysqld.log | sed -e "s/`hostname`/yourserverhostname/g"
Check MySQL server status to see if it's running or stopped
Command to run in ssh2 telnet as root user:
service mysql status
If MySQL status says stopped but there's still mysql* processes showing up in first command below, run the second command to kill any lingering mysql processes preventing mysql to start up properly
1st command
ps aux |grep mysql |awk '{print $2, $7, $8, $9, $10, $11, $12}' | grep -Ev grep
2nd command
kill -9 `ps aux |grep mysql |awk '{print $2}'`
Restart MySQL server
Command to run in ssh2 telnet as root user:
service mysql restart
Problem: I can't connect to the installed Memcached server instance on 127.0.0.1 port 11211 ?
Solution: Steps to follow:
1. Check if memcached server is running and that php was successfully compiled with memcache extension (which it would of been when you said YES to memcached server install prompt).
Command to check memcached server running:
ps ax | grep memcached | grep -Ev grep
output showing memcached server running:
ps ax | grep memcached | grep -Ev grep 3210 ? Ssl 0:00 /usr/local/bin/memcached -d -m 8 -l 127.0.0.1 -p 11211 -c 2048 -t 4 -n 48 -f 1.05 -u nobody
Command to check memcache extension loaded with phpinfo:
php -i | grep memcache
output showing memcache php extension loaded and installed:
php -i | grep memcache memcache memcache support => enabled memcache.allow_failover => 1 => 1 memcache.chunk_size => 32768 => 32768 memcache.compress_threshold => 20000 => 20000 memcache.default_port => 11211 => 11211 memcache.hash_function => crc32 => crc32 memcache.hash_strategy => consistent => consistent memcache.lock_timeout => 15 => 15 memcache.max_failover_attempts => 20 => 20 memcache.protocol => ascii => ascii memcache.redundancy => 1 => 1 memcache.session_redundancy => 2 => 2 Registered save handlers => files user sqlite memcache
2. If you installed CSF firewall when prompted, the default memcached 11211 port would of been set to allow the memcached server through CSF firewall. If you didn't install CSF firewall, then you may have ip tables enabled running and it is blocking 11211 port so need to add a rule to allow memcached port 11211 through iptables.
Confirm if iptables is blocking 11211 port, by temporarily shutting down iptables service with command
service iptables stop
Now check if you can connet to your memcached server on default 127.0.0.1 and port 11211. If you can connect when iptables is stopped, then you need to allow port 11211 through iptables with either command or iptables file edit.
Start iptables service again
service iptables start
Command for iptables to allow port 11211
iptables -A INPUT -p tcp --dport 11211 -j ACCEPT
or edit /etc/sysconfig/iptables and add after the default port 22 line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT
restart iptables
service iptables restart
Problem: Tried upgrading MariaDB MySQL and it's still stuck on MariaDB 5.2.10 ?.
rpm -qa | grep MariaDB MariaDB-devel-5.2.10-107.el5.x86_64 MariaDB-client-5.2.10-107.el5.x86_64 MariaDB-server-5.2.10-107.el5.x86_64 MariaDB-shared-5.2.10-107.el5.x86_64 MariaDB-test-5.2.10-107.el5.x86_64
Solution: For a bried period during Centmin Mod's early versions, I used a YUM repo for MariaDB 5.2.x installs, but it never gets updated in timely manner and latest version was MariaDB 5.2.10. So I switched back to manual install and updates via RPM binaries. If you have MariaDB 5.2.10 still showing up after trying to run menu option to upgrade MariaDB 5.2.10, please follow below suggestions
1. Edit centmin.sh file and find these 3 settings and edit it to which ever MariaDB version and build you are stuck on. In this case 5.2.10 and build 107
# Define previous MariaDB version for proper upgrade MDB_PREVERONLY='5.2.10' MDB_PREBUILD='107' MDB_PREVERSION="${MDB_PREVERONLY}-${MDB_PREBUILD}" # Use this version of MariaDB ${MDB_VERONLY}
2. Then run MariaDB upgrade menu option #11
-------------------------------------------------------- Centmin 1.2.2-eva2000.15 - http://centminmod.com -------------------------------------------------------- Centmin Menu -------------------------------------------------------- 1). Centmin Install 2). Add Nginx vhost domain 3). NSD setup domain name DNS 4). Nginx Upgrade 5). PHP Upgrade 6). XCache Re-install 7). APC Cache Re-install 8). XCache Install 9). APC Cache Install 10). Memcached Server Re-install 11). MariaDB 5.2 Upgrade 12). Install ioping.sh vbtechsupport.com/1239/ 13). SELinux disable 14). Setup Logrotate for Nginx 15). Setup Logrotate for PHP-FPM 16). Change SSHD Port Number 17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc 18). Suhosin PHP Extension install 19). Install FFMPEG and FFMPEG PHP Extension 20). NSD Re-install 21). Exit -------------------------------------------------------- Enter option [ 1 - 21 ] 11 --------------------------------------------------------
3. When prompted for path to save downloads, enter /svr-setup to keep your version inline for future updates and reinstalls.
Where do you want the downloads stored ? Enter path to download directory (i.e. /usr/local/src) /svr-setup
4. After upgrade process you will be return to Centmin Mod menu, exit it and run the command to check your MariaDB MySQL server has been updated to latest version.
rpm -qa | grep MariaDB
rpm -qa | grep MariaDB MariaDB-shared-5.2.12-115.el5.i386 MariaDB-test-5.2.12-115.el5.i386 MariaDB-client-5.2.12-115.el5.i386 MariaDB-server-5.2.12-115.el5.i386 MariaDB-devel-5.2.12-115.el5.i386
For Centmin Mod it's all or nothing only. However, from 1.2.3-eva2000.08+ and higher for fresh initial installs you can enable some settings in centmin.sh
to disable services after they are initially installed. This allows for such services to be re-enabled later down the track if needed following the same manual steps outlined for Memcached server re-enabling. In centmin.sh
set these variables to =y
before initial Centmin Mod install
change from
# When set to =y, will disable those listed installed services # by default. The service is still installed but disabled # by default and can be re-enabled with commands: # service servicename start; chkconfig servicename on NSD_DISABLED=n # when set to =y, NSD disabled by default with chkconfig off MEMCACHED_DISABLED=n # when set to =y, Memcached server disabled by default via chkconfig off PHP_DISABLED=n # when set to =y, PHP-FPM disabled by default with chkconfig off MYSQLSERVICE_DISABLED=n # when set to =y, MariaDB MySQL service disabled by default with chkconfig off PUREFTPD_DISABLED=n # when set to =y, Pure-ftpd service disabled by default with chkconfig off
to
# When set to =y, will disable those listed installed services # by default. The service is still installed but disabled # by default and can be re-enabled with commands: # service servicename start; chkconfig servicename on NSD_DISABLED=y # when set to =y, NSD disabled by default with chkconfig off MEMCACHED_DISABLED=y # when set to =y, Memcached server disabled by default via chkconfig off PHP_DISABLED=y # when set to =y, PHP-FPM disabled by default with chkconfig off MYSQLSERVICE_DISABLED=y # when set to =y, MariaDB MySQL service disabled by default with chkconfig off PUREFTPD_DISABLED=y # when set to =y, Pure-ftpd service disabled by default with chkconfig off
This will stop and disable NSD, Memcached server, PHP-FPM, MariaDB MySQL and Pure-FTPD services.
Centmin Mod 1.2.3-eva2000.08+ and higher have open_basedir enabled in /usr/local/nginx/conf/php.conf
include file. This file is included in each created Nginx vhost config file i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf
. The relevant line is the 9th line in /usr/local/nginx/conf/php.conf
location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass 127.0.0.1:9000; #fastcgi_pass unix:/tmp/php5-fpm.sock; fastcgi_index index.php; #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
This line locks you to each Nginx vhost's document web root i.e. /home/nginx/domains/newdomain.com/public
.
fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
You can disable this globally across all Nginx vhosts, by commenting out the line and restarting Nginx and PHP-FPM services.
#fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
Or you can disable it for a specific Nginx vhost domain only, leaving all other domains enabled with open_basedir protection. To disable it for a specific Nginx vhost domain only, you need to make a copy of the /usr/local/nginx/conf/php.conf
include file and change the php.conf include line within that specific Nginx vhost i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf
.
Make a copy of the /usr/local/nginx/conf/php.conf
include file called /usr/local/nginx/conf/php_disable_openbasedir.conf
.
cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php_disable_openbasedir.conf
Then in your /usr/local/nginx/conf/conf.d/newdomain.com.conf
, change the include line for /usr/local/nginx/conf/php.conf
to /usr/local/nginx/conf/php_disable_openbasedir.conf
#include /usr/local/nginx/conf/php.conf; include /usr/local/nginx/conf/php_disable_openbasedir.conf;
Then restart Nginx and PHP-FPM services
nprestart
Owning a VPS or dedicated server means you're responsible for keeping the server up to date software wise. I suggest you sign up for pushover.net service and download appropriate pushover mobile app client to your mobile or tablet device. This will allow you to use your pushover userkey email for notifications for backups or updates i.e. yourUSERkey+devicename+p1@api.pushover.net. Then setup automatic nightly YUM updates via yum-cron and also setup persistent settings that survive auto updates and as added precautiion install the Centmin Mod Addon for an anti-virus malware scanner - Linux Malware Detect (maldet) + ClamAV scanner.
The default php.ini location is at /usr/local/lib/php.ini
. However, PHP upgrades via centmin.sh menu option 5
can overwrite that. So it's best to set aside your php.ini level customisations in a separate *.ini file. Centmin Mod by default has a custom file at /etc/centminmod/php.d/a_customphp.ini
which has some tweaks to PHP settings already added by default. You can add custom settings to /etc/centminmod/php.d/a_customphp.ini
however, they can be also overwritten if future Centmin Mod updates adjust or add tweaks which are automated on PHP-FPM upgrades. So you can instead create a second custom file with naming convention alphabetically below that of /etc/centminmod/php.d/a_customphp.ini
i.e. /etc/centminmod/php.d/b_customphp.ini
.
Default /etc/centminmod/php.d/a_customphp.ini
contents. Note ;always_populate_raw_post_data=-1
is auto uncommented (remove semi-colon ;) when PHP 5.6+ is detected only.
date.timezone = UTC max_execution_time = 60 short_open_tag = On realpath_cache_size = 1024k realpath_cache_ttl = 14400 upload_max_filesize = 40M memory_limit = 160M post_max_size = 40M expose_php = Off mail.add_x_header = Off max_input_nesting_level = 128 max_input_vars = 2000 mysqlnd.net_cmd_buffer_size = 16384 ;always_populate_raw_post_data=-1
You can add your own custom settings to a newly created file at /etc/centminmod/php.d/b_customphp.ini
i.e. double default max_execution_time from 60 to 120. PHP-FPM will process those in a specific alpha-numeric order where later ini files override the former.
max_execution_time = 120
Then restart PHP-FPM service via either command shortcut or full service restart command
fpmrestart
or
service php-fpm restart
Confirming changes are in effect by looking at phpinfo file. Centmin Mod sets this up on main hostname with randomised prefix unqiue to each Centmin Mod install. You can rename this file, delete it or password protect or IP address restrict it if you want. In below example, the install created phpinfo file at /usr/local/nginx/html/417911c9_phpi.php
which would be accesible online via yourmainhostname.com/417911c9_phpi.php
or localhost/417911c9_phpi.php
.
ls -lah /usr/local/nginx/html | grep phpi -rw-r--r-- 1 nginx nginx 20 Jul 28 11:31 417911c9_phpi.php
You don't need to move out of SSH session to do a simple check - use lynx command grep can confirm the changes.
before
lynx -dump localhost/417911c9_phpi.php | grep max_execution_time max_execution_time 60 60
after
lynx -dump localhost/417911c9_phpi.php | grep max_execution_time max_execution_time 120 120
Typing the command php --ini
, will output the list of *.ini files PHP-FPM has detected and the order in which they are processed.
php --ini
default before custom /etc/centminmod/php.d/b_customphp.ini
file added
php --ini Configuration File (php.ini) Path: /usr/local/lib Loaded Configuration File: /usr/local/lib/php.ini Scan for additional .ini files in: /etc/centminmod/php.d Additional .ini files parsed: /etc/centminmod/php.d/a_customphp.ini, /etc/centminmod/php.d/curlcainfo.ini, /etc/centminmod/php.d/geoip.ini, /etc/centminmod/php.d/igbinary.ini, /etc/centminmod/php.d/imagick.ini, /etc/centminmod/php.d/memcache.ini, /etc/centminmod/php.d/memcached.ini, /etc/centminmod/php.d/mongodb.ini, /etc/centminmod/php.d/redis.ini, /etc/centminmod/php.d/zendopcache.ini
after custom /etc/centminmod/php.d/b_customphp.ini
file added and PHP-FPM service restarted
php --ini Configuration File (php.ini) Path: /usr/local/lib Loaded Configuration File: /usr/local/lib/php.ini Scan for additional .ini files in: /etc/centminmod/php.d Additional .ini files parsed: /etc/centminmod/php.d/a_customphp.ini, /etc/centminmod/php.d/b_customphp.ini, /etc/centminmod/php.d/curlcainfo.ini, /etc/centminmod/php.d/geoip.ini, /etc/centminmod/php.d/igbinary.ini, /etc/centminmod/php.d/imagick.ini, /etc/centminmod/php.d/memcache.ini, /etc/centminmod/php.d/memcached.ini, /etc/centminmod/php.d/mongodb.ini, /etc/centminmod/php.d/redis.ini, /etc/centminmod/php.d/zendopcache.ini
Check out guide on CSF Firewall page.
Nginx officially released their first Nginx HTTP/2 alpha version 1 patch on August 5, 2015 and version 2 patch on August 14, 2015. These patches are for testing and not production site usage. However, Centmin Mod 1.2.3-eva2000.09 beta01 has integrated the Nginx HTTP/2 patches into the Nginx install routine, so you will always get the latest Nginx HTTP/2 patch with each Nginx recompile via centmin.sh menu option 4. You can check out the Centmin Mod Nginx HTTP/2 benchmarks and info page for more details as well as dedicated Centmin Mod 1.2.3-eva2000.09 beta01 thread on the forums for the latest updates.
Centmin Mod compiled and installed Nginx server has additional official and third party Nginx modules added to extend Nginx server's feature set. These additional modules are outlined on official Nginx page. If you do not need these additional Nginx modules installed you can disable them. To do this you can either directory edit centmin.sh
Nginx module's corresponding variable. But these edits can be overidden on Centmin Mod code updates. To allow such changes to persist, you can setup a persistent configuration file as outlined here. Create a persistent config file at /etc/centminmod/custom_config.inc
and add the corresponding centmin.sh
variables to the file. Then recompile Nginx via centmin.sh menu option 4
.
Recommended modules you can disable for a minimal Nginx install for Centmin Mod 1.2.3-eva2000.08 stable
would be:
NGINX_STREAM=n # http://nginx.org/en/docs/stream/ngx_stream_core_module.html NGINX_RTMP=n # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module NGINX_FLV=n # http://nginx.org/en/docs/http/ngx_http_flv_module.html NGINX_MP4=n # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html NGINX_AUTHREQ=n # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html NGINX_SECURELINK=n # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html NGINX_FANCYINDEX=n # http://wiki.nginx.org/NgxFancyIndex NGINX_VHOSTSTATS=n # https://github.com/vozlt/nginx-module-vts NGINX_PAGESPEED=n # Install ngx_pagespeed NGINX_PASSENGER='n' # Install Phusion Passenger requires installing addons/passenger.sh before hand NGINX_WEBDAV=n # Nginx WebDAV and nginx-dav-ext-module NGINX_UPSTREAMCHECK='n' # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module NGINX_OPENRESTY='n' # Agentzh's openresty Nginx modules LUAJIT_GITINSTALL='n' # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1 ORESTY_LUANGINX='n' # enable or disable or ORESTY_LUA* nginx modules below
Recommended modules you can disable for a minimal Nginx install for Centmin Mod 1.2.3-eva2000.09 beta
would be (.09 betas have additional Nginx module variables to fine tune what is installed):
NGINX_STREAM='n' # http://nginx.org/en/docs/stream/ngx_stream_core_module.html NGINX_STREAMGEOIP='n' # nginx 1.11.3+ option http://hg.nginx.org/nginx/rev/558db057adaa NGINX_STREAMREALIP='n' # nginx 1.11.4+ option http://hg.nginx.org/nginx/rev/9cac11efb205 NGINX_STREAMSSLPREREAD='n' # nginx 1.11.5+ option https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html NGINX_RTMP='n' # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module NGINX_FLV='n' # http://nginx.org/en/docs/http/ngx_http_flv_module.html NGINX_MP4='n' # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html NGINX_AUTHREQ='n' # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html NGINX_SECURELINK='n' # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html NGINX_FANCYINDEX='n' # http://wiki.nginx.org/NgxFancyIndex NGINX_VHOSTSTATS='n' # https://github.com/vozlt/nginx-module-vts NGINX_PAGESPEED='n' # Install ngx_pagespeed NGINX_PASSENGER='n' # Install Phusion Passenger requires installing addons/passenger.sh before hand NGINX_WEBDAV='n' # Nginx WebDAV and nginx-dav-ext-module NGINX_UPSTREAMCHECK='n' # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module NGINX_OPENRESTY='n' # Agentzh's openresty Nginx modules LUAJIT_GITINSTALL='n' # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1 ORESTY_LUANGINX='n' # enable or disable or ORESTY_LUA* nginx modules below NGINX_STUBSTATUS=y # http://nginx.org/en/docs/http/ngx_http_stub_status_module.html required for nginx statistics NGINX_SUB='n' # http://nginx.org/en/docs/http/ngx_http_sub_module.html NGINX_ADDITION='n' # http://nginx.org/en/docs/http/ngx_http_addition_module.html NGINX_IMAGEFILTER='n' # http://nginx.org/en/docs/http/ngx_http_image_filter_module.html NGINX_CACHEPURGE='y' # https://github.com/FRiCKLE/ngx_cache_purge/ NGINX_ACCESSKEY='n' # NGINX_HTTPCONCAT='n' # https://github.com/alibaba/nginx-http-concat NGINX_THREADS='y' # https://www.nginx.com/blog/thread-pools-boost-performance-9x/ ORESTY_HEADERSMORE='y' # openresty headers more https://github.com/openresty/headers-more-nginx-module
After Nginx recompile, the end result for Nginx configuration would look more like
nginx -V nginx version: nginx/1.9.5 built by clang 3.4.2 (tags/RELEASE_34/dot2-final) built with LibreSSL 2.2.3 TLS SNI support enabled configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_http_redis-0.3.7 --add-module=../headers-more-nginx-module-0.261 --with-openssl=../libressl-2.2.3 --with-libatomic --with-threads --with-pcre=../pcre-8.37 --with-pcre-jit
as opposed to the default with additional Nginx modules added by default
nginx version: nginx/1.9.5 built by clang 3.4.2 (tags/RELEASE_34/dot2-final) built with LibreSSL 2.2.3 TLS SNI support enabled configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_secure_link_module --with-http_realip_module --with-http_geoip_module --with-openssl-opt=enable-tlsext --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --add-module=../openresty-memc-nginx-module-4f6f78f --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../ngx_devel_kit-0.2.19 --add-module=../set-misc-nginx-module-0.29 --add-module=../echo-nginx-module-0.58 --add-module=../redis2-nginx-module-0.12 --add-module=../ngx_http_redis-0.3.7 --add-module=../lua-nginx-module-0.9.16 --add-module=../lua-upstream-nginx-module-0.03 --add-module=../lua-upstream-cache-nginx-module-0.1.1 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../nginx-module-vts --add-module=../headers-more-nginx-module-0.261 --with-openssl=../libressl-2.2.3 --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-pcre=../pcre-8.37 --with-pcre-jit --add-module=../ngx_pagespeed-release-1.9.32.6-beta
Most CDN providers are setup as pull orgin based and would require some changes at your web application level to use the CDN provided urls or your custom CNAME based CDN url i.e. cdn.domain.com
. You can utilise Centmin Mod Nginx installed and enabled ngx_http_sub_module compiled with --with-http_sub_module
to Nginx level find and replacement of specific CDN served content. So you do not need to change your web application itself. Example below is for Wordpress upload folder changing domain from domain.com
to cdn.domain.com
in web root in your nginx vhost file at /usr/local/nginx/conf/conf.d/domain.com.conf
and if SSL eanabled at /usr/local/nginx/conf/conf.d/domain.com.ssl.conf
.
Replacing source code specific url instances in location context other than root /
location ~ /directory { sub_filter '<a href="http://domain.com/wp-content/uploads/' '<a href="http://cdn.domain.com/wp-content/uploads/'; sub_filter '<img src="http://domain.com/wp-content/uploads/' '<img src="http://cdn.domain.com/wp-content/uploads/'; sub_filter_last_modified on; sub_filter_once off; }
Or more general find and replace subsitution in location context other than root /
location ~ /directory { sub_filter 'http://domain.com/wp-content/uploads/' 'http://cdn.domain.com/wp-content/uploads/'; sub_filter_last_modified on; sub_filter_once off; }
Or server{} context find and replace subsitution if location context is root /
, it seems you can't have it in root /
and needs to be on it's own in server{}
context
server { sub_filter http://domain.com/wp-content/uploads/ http://cdn.domain.com/wp-content/uploads/; sub_filter_last_modified on; sub_filter_once off; }
restart Nginx afterwards
service nginx restart
or
ngxrestart
If you server has IPv6 enabled, then you need to compile Centmin Mod Nginx with IPv6 support if you use Centmin Mod 123.08stable and lower, to enable Nginx with IPv6 support, set in variable NGINX_IPV='y'
via persistent config setting. So create file /etc/centminmod/custom_config.inc
and add to it and then recompile Nginx via centmin.sh menu option 4
. However, if you are using Centmin Mod 123.09beta01 or newer, then you do not need to do this recompile step as Nginx 1.11.5+ versions have enabled IPv6 support natively:
NGINX_IPV='y'
Then you need to update your domains' DNS and also add a AAAA DNS record pointing to your IPv6 address i.e. 2604:180:1::fd2c:e4xx
. Then you can test if it resolves via SSH command below:
host -t AAAA yourdomain.com yourdomain.com has IPv6 address 2604:180:1::fd2c:e4xx
Also use ping6 command
ping6 -c4 yourdomain.com
Or you can do IPv6 testing at ip6.nl
Then you need to change every Nginx vhost domain's /usr/local/nginx/conf/conf.d/youdomain.com.conf
or /usr/local/nginx/conf/conf.d/youdomain.com.ssl.conf
file's listen directive within the server{}
context. Note from Nginx 1.3.4 and above, ipv6only
listen directive option is no longer needed as it defaults to ipv6only=on
in newer Nginx versions.
from
server { listen 80;
to
server { listen 80; listen [::]:80;
for SSL and listening on all IPv6 addresses, you would use
server { listen 443 ssl http2; listen [::]:443 ssl http2;
or if you want to assign a specific IPv6 address to a particular Nginx vhost you would pick one IPv6 address that your web host provided (i.e. 2604:180:1::fd2c:e4xx) and use it like this. Note for Nginx versions less than 1.3.4, you should only set the ipv6only
directive once per listen port number regardless of the number of Nginx vhost sites you have [example]. However, Nginx versions 1.3.4 and higher no longer need the ipv6only
listen directive option.
server { listen 80; listen [2604:180:1::fd2c:e4xx]:80;
for SSL and a specific IPv6 address (i.e. 2604:180:1::fd2c:e4xx
) you would use
server { listen 443 ssl http2; listen [2604:180:1::fd2c:e4xx]:443 ssl http2;
To find all Nginx vhost config files with listen 80
or listen 443
needing replacement, you can use these grep commands in SSH
grep -R ' 80;' /usr/local/nginx/conf/* grep -R ' 443;' /usr/local/nginx/conf/*
example for listen 80
grepped output
/usr/local/nginx/conf/conf.d/virtual.conf:# listen 80; /usr/local/nginx/conf/conf.d/mydomain.com.conf:# listen 80; /usr/local/nginx/conf/conf.d/demodomain.com.conf: listen 80; /usr/local/nginx/conf/conf.d/demodomain.com.conf: listen 80; /usr/local/nginx/conf/nginx.conf.default: listen 80;
Then restart Nginx and PHP-FPM
nprestart
To reset MySQL root password you can follow official MySQL documented instructions.
Step 1. Properly stop MySQL server. I usually stop Nginx too unless you want all visitors to your site(s) to see MySQL connection error as opposed to site down message - the later is better.
Stop Nginx and wait 30 seconds gives any existing MySQL activity time to complete before shutting down MySQL server
ngxstop && sleep 30
Then stop MySQL server
mysqlstop
Step 2. Restart MySQL server manually with --skip-grant-tables option and --skip-networking
mysqld_safe --skip-grant-tables --skip-networking &
hit enter to return to prompt for next step
Step 3. Set the new MySQL root user password using command - changing NEWROOTPASS
to your actual new MySQL root user password:
mysql -e "UPDATE mysql.user SET Password=PASSWORD('NEWROOTPASS') WHERE User='root'; FLUSH PRIVILEGES;" mysql
Step 4. Stop MySQL server and restart it again along with Nginx start
mysqlrestart ngxstart
Step 5. Then update /root/.my.cnf
with your new MySQL root user's password
[client] user=root password=NEWROOTPASS
The minimum system requirements are 256MB memory (128MB with variable tweak) for CentOS 6.x and 1GB memory for CentOS 7.x and 20GB disk space for OpenVZ VPS virtualization & 30GB for KVM and Xen virtualisation. Recommended memory & disk requirements are double the mininum for CentOS 6/7 respectively at CentOS 6.x 512MB memory and CentOS 7.x 64bit at 2GB memory and disk space of 40GB for OpenVZ and 60GB for KVM/Xen virtualisation. However, it's possible to install Centmin Mod LEMP stack on a minimum 128MB low memory VPS (and at least 64MB swap file). You would only want to do this with CentOS 6.x 32bit OS as 64bit have higher memory requirements.
So with CentOS 6.x 32bit OS, there's a minor Centmin Mod tweak needed prior to actual install of Centmin Mod. Prior to actual Centmin Mod install (via centmin.sh menu option #1), find and edit inc/memcheck.inc and find ISLOWMEM variable and change it's value from 262144 KB to 131072 KB. Then run centmin.sh
and select menu option #1. It is still recommended for best performance to have a minimum 256MB of memory, but at least with this updated change you can suffice with a 128MB Low End Box VPS.
If you don't use PHP, MySQL, Memcached server or Pure-FTPD server on the 128MB VPS server you can disable those services with these 4 commands:
service php-fpm stop service mysql stop service memcached stop service pure-ftpd stop chkconfig memcached off chkconfig php-fpm off chkconfig mysql off chkconfig pure-ftpd off
To renable them:
service php-fpm start service mysql start service memcached start service pure-ftpd start chkconfig memcached on chkconfig php-fpm on chkconfig mysql on chkconfig pure-ftpd on
Example CentOS 6.7 32bit 128MB OpenVZ VPS with 64MB swap with Centmin Mod LEMP stack installed for static file serving with mysql, memcached, pure-ftpd stopped:
free -m total used free shared buffers cached Mem: 128 26 101 59 0 18 -/+ buffers/cache: 8 119 Swap: 64 38 25
PHP-FPM is source compiled with the most commonly used PHP extension modules already installed out of the box by default. You can use the following commands in SSH session as root user to check.
Check PHP version
php -v
php -v PHP 5.6.17 (cli) (built: Jan 11 2016 03:25:15) Copyright (c) 1997-2015 The PHP Group Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies
Check where the custom source compiled PHP extension's respective *.ini settings files are:
php --ini
php --ini Configuration File (php.ini) Path: /usr/local/lib Loaded Configuration File: /usr/local/lib/php.ini Scan for additional .ini files in: /etc/centminmod/php.d Additional .ini files parsed: /etc/centminmod/php.d/a_customphp.ini, /etc/centminmod/php.d/curlcainfo.ini, /etc/centminmod/php.d/geoip.ini, /etc/centminmod/php.d/igbinary.ini, /etc/centminmod/php.d/imagick.ini, /etc/centminmod/php.d/mailparse.ini, /etc/centminmod/php.d/memcache.ini, /etc/centminmod/php.d/memcached.ini, /etc/centminmod/php.d/mongodb.ini, /etc/centminmod/php.d/redis.ini, /etc/centminmod/php.d/zendopcache.ini
Check which PHP extension modules are currently installed and loaded by PHP:
php -m
php -m [PHP Modules] bcmath bz2 calendar Core ctype curl date dom enchant ereg exif filter ftp gd geoip gettext gmp hash iconv igbinary imagick imap intl json libxml mailparse mbstring mcrypt memcache memcached mhash mongodb mysql mysqli mysqlnd openssl pcntl pcre PDO pdo_mysql pdo_sqlite Phar posix pspell readline redis Reflection session shmop SimpleXML snmp soap sockets SPL sqlite3 standard sysvmsg sysvsem sysvshm tidy tokenizer xml xmlreader xmlrpc xmlwriter xsl Zend OPcache zip zlib [Zend Modules] Zend OPcache
Check specific details of a particular PHP extension. For example to check Redis PHP extension - where name you check for is the name listed in the above php -m
output:
php --ri redis
php --ri redis redis Redis Support => enabled Redis Version => 2.2.7
Check PHP configuration options:
php-config
php-config Usage: /usr/local/bin/php-config [OPTION] Options: --prefix [/usr/local] --includes [-I/usr/local/include/php -I/usr/local/include/php/main -I/usr/local/include/php/TSRM -I/usr/local/include/php/Zend -I/usr/local/include/php/ext -I/usr/local/include/php/ext/date/lib] --ldflags [] --libs [-lcrypt -lc-client -lz -lexslt -ltidy -lcrypt -ledit -lncurses -laspell -lpspell -lrt -lmcrypt -lltdl -lstdc++ -lcrypt -lpam -lgmp -lt1 -lX11 -lXpm -lpng -lz -ljpeg -lvpx -lenchant -lcurl -lbz2 -lz -lrt -lm -ldl -lnsl -lrt -lxml2 -lz -lm -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto -lcurl -lxml2 -lz -lm -lssl -lcrypto -lfreetype -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto -licui18n -licuuc -licudata -lm -licuio -lxml2 -lz -lm -lnetsnmp -lxml2 -lz -lm -lcrypt -lxml2 -lz -lm -lxml2 -lz -lm -lxml2 -lz -lm -lxml2 -lz -lm -lxslt -lxml2 -lz -lm -lssl -lcrypto -lcrypt ] --extension-dir [/usr/local/lib/php/extensions/no-debug-non-zts-20131226] --include-dir [/usr/local/include/php] --man-dir [/usr/local/php/man] --php-binary [/usr/local/bin/php] --php-sapis [ cli fpm cgi] --configure-options [--enable-fpm --enable-intl --enable-pcntl --with-mcrypt --with-snmp --with-mhash --with-zlib --with-gettext --enable-exif --enable-zip --with-bz2 --enable-soap --enable-sockets --enable-sysvmsg --enable-sysvsem --enable-sysvshm --enable-shmop --with-pear --enable-mbstring --with-openssl --with-mysql=mysqlnd --with-libdir=lib64 --with-mysqli=mysqlnd --with-mysql-sock=/var/lib/mysql/mysql.sock --with-curl --with-gd --with-xmlrpc --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --with-freetype-dir=/usr --with-jpeg-dir=/usr --with-png-dir=/usr --with-xpm-dir=/usr --with-vpx-dir=/usr --with-t1lib=/usr --enable-pdo --with-pdo-sqlite --with-pdo-mysql=mysqlnd --enable-inline-optimization --with-imap --with-imap-ssl --with-kerberos --with-readline --with-libedit --with-gmp --with-pspell --with-tidy --with-enchant --with-fpm-user=nginx --with-fpm-group=nginx --disable-fileinfo --with-config-file-scan-dir=/etc/centminmod/php.d --with-xsl CC=/usr/bin/gcc CFLAGS=-O3 -m64 -mtune=native CXX=/usr/bin/g++ CXXFLAGS=-O3 -m64 -mtune=native] --version [5.6.17] --vernum [50617]
If you only need to temporarily disable some of the source compiled PHP extensions, just move their individual *.ini settings files out of php config scan directory at /etc/centminmod/php.d
.
Check which source compiled PHP extensions are loaded via their individual *.ini settings files in the php config scan directory at /etc/centminmod/php.d
using this command in SSH.
php --ini
Sample output:
php --ini Configuration File (php.ini) Path: /usr/local/lib Loaded Configuration File: /usr/local/lib/php.ini Scan for additional .ini files in: /etc/centminmod/php.d Additional .ini files parsed: /etc/centminmod/php.d/a_customphp.ini, /etc/centminmod/php.d/curlcainfo.ini, /etc/centminmod/php.d/geoip.ini, /etc/centminmod/php.d/igbinary.ini, /etc/centminmod/php.d/imagick.ini, /etc/centminmod/php.d/mailparse.ini, /etc/centminmod/php.d/memcache.ini, /etc/centminmod/php.d/memcached.ini, /etc/centminmod/php.d/mongodb.ini, /etc/centminmod/php.d/redis.ini, /etc/centminmod/php.d/zendopcache.ini
Move all the *.ini files out of the php config scan directory except a_customphp.ini
and curlcainfo.ini
ls -lah /etc/centminmod/php.d | egrep -v 'a_customphp|curlcainfo' total 68K drwxr-xr-x. 2 root root 4.0K Jan 7 05:35 . drwxr-xr-x. 3 root root 18 Dec 29 12:10 .. -rw-r--r--. 1 root root 59 Dec 29 12:34 geoip.ini -rw-r--r--. 1 root root 253 Dec 29 12:34 igbinary.ini -rw-r--r--. 1 root root 21 Dec 29 12:34 imagick.ini -rw-r--r--. 1 root root 23 Jan 3 19:40 mailparse.ini -rw-r--r--. 1 root root 334 Dec 29 12:34 memcached.ini -rw-r--r--. 1 root root 78 Dec 29 12:34 memcache.ini -rw-r--r--. 1 root root 21 Dec 29 12:34 mongodb.ini -rw-r--r--. 1 root root 19 Dec 29 12:34 redis.ini -rw-r--r--. 1 root root 695 Jan 7 05:35 zendopcache.ini
You can create a directory at /etc/centminmod/php.d-disabled
and move them to there and restart php-fpm to unload them from php
mkdir -p /etc/centminmod/php.d-disabled cd /etc/centminmod/php.d mv geoip.ini igbinary.ini imagick.ini mailparse.ini memcached.ini memcache.ini mongodb.ini redis.ini zendopcache.ini /etc/centminmod/php.d-disabled fpmrestart
Then when you want to move them back and re-enable/reload them into php just move them back.
cd /etc/centminmod/php.d-disabled mv geoip.ini igbinary.ini imagick.ini mailparse.ini memcached.ini memcache.ini mongodb.ini redis.ini zendopcache.ini /etc/centminmod/php.d fpmrestart
Now if you want to disable them from centmin.sh menu option 5
php upgrade/downgrades completely for Centmin Mod 123.08stable
or 123.09beta01
add to or manually create the persistent config /etc/centminmod/custom_config.inc
if it doesn't exist and set to =n
the ones you want to disable and then run centmin.sh menu option 5
to recompile php. Note Centmin Mod 123.08stable
has less options to control than 123.09beta01
.
These are the defaults for Centmin Mod 123.08stable
IGBINARY_INSTALL='y' PHPREDIS='y' PHPMONGODB=n # MongoDB PHP extension install PHPFINFO=n # Disable or Enable PHP File Info extension PHPPCNTL=y # Disable or Enable PHP Process Control extension PHPINTL=y # Disable or Enable PHP intl extension PHPRECODE=n # Disable or Enable PHP Recode extension PHPSNMP=y # Disable or Enable PHP SNMP extension
To disable them all Centmin Mod 123.08stable
, set them all to =n - add to or manually create the persistent config /etc/centminmod/custom_config.inc
if it doesn't exist and then run centmin.sh menu option 5
to recompile php.
IGBINARY_INSTALL=n PHPREDIS=n PHPMONGODB=n # MongoDB PHP extension install PHPFINFO=n # Disable or Enable PHP File Info extension PHPPCNTL=n # Disable or Enable PHP Process Control extension PHPINTL=n # Disable or Enable PHP intl extension PHPRECODE=n # Disable or Enable PHP Recode extension PHPSNMP=n # Disable or Enable PHP SNMP extension
These are the defaults for Centmin Mod 123.09beta01
IGBINARY_INSTALL='y' PHPREDIS='y' PHPMONGODB='n' # MongoDB PHP extension install PHP_FTPEXT='y' # ftp PHP extension PHP_MEMCACHE='y' # memcache PHP extension PHP_MEMCACHED='y' # memcached PHP extension PHPGEOIP_ALWAYS=y # GeoIP php extension is always reinstalled on php recompiles PHPFINFO=n # Disable or Enable PHP File Info extension PHPPCNTL=y # Disable or Enable PHP Process Control extension PHPINTL=y # Disable or Enable PHP intl extension PHPRECODE=n # Disable or Enable PHP Recode extension PHPSNMP=y # Disable or Enable PHP SNMP extension PHPIMAGICK=y # Disable or Enable PHP ImagicK extension PHPMAILPARSE=y # Disable or Enable PHP mailparse extension PHP_EXTRAOPTS=" --with-xsl"
To disable them all Centmin Mod 123.09beta01
, set them all to =n ( and set this variable to empty for PHP_EXTRAOPTS="") - add to or manually create the persistent config /etc/centminmod/custom_config.inc
if it doesn't exist and then run centmin.sh menu option 5
to recompile php.
IGBINARY_INSTALL=n PHPREDIS=n PHPMONGODB=n # MongoDB PHP extension install PHP_FTPEXT=n # ftp PHP extension PHP_MEMCACHE=n # memcache PHP extension PHP_MEMCACHED=n # memcached PHP extension PHPGEOIP_ALWAYS=n # GeoIP php extension is always reinstalled on php recompiles PHPFINFO=n # Disable or Enable PHP File Info extension PHPPCNTL=n # Disable or Enable PHP Process Control extension PHPINTL=n # Disable or Enable PHP intl extension PHPRECODE=n # Disable or Enable PHP Recode extension PHPSNMP=n # Disable or Enable PHP SNMP extension PHPIMAGICK=n # Disable or Enable PHP ImagicK extension PHPMAILPARSE=n # Disable or Enable PHP mailparse extension PHP_EXTRAOPTS=""
Only Centmin Mod 123.09beta01 and higher stable/betas have added Nginx dynamic module support which was introduced in Nginx 1.9.11 and is supported and tested in Centmin Mod default installed Nginx 1.11.1+ and higher versions. Nginx dynamic modules as opposed to statically compiled Nginx modules tend to use less memory and offer more flexible control over enabling or disabling a module. In future Nginx modules could offer modules which you can drop into the dynamic module directory just to enable a particular Nginx module. Until that time, you still will need to source compile dynamic module flags to get such support as with Centmin Mod 123.09beta01+ and higher versions out of the box do already.
To enable Nginx dynamic modules, you need to enable variable switches for them by placing them in persistent config file you create or append to existing file at /etc/centminmod/custom_config.inc
and then recompile Nginx via centmin.sh menu option 4
. This will override the default variables contained within centmin.sh
. The list below are the currently supported Nginx dynamic module variables you can enable or disable.
The default values are:
# Nginx Dynamic Module Switches NGXDYNAMIC_NJS='n' NGXDYNAMIC_XSLT='n' NGXDYNAMIC_PERL='n' NGXDYNAMIC_IMAGEFILTER='y' NGXDYNAMIC_GEOIP='n' NGXDYNAMIC_STREAM='y' NGXDYNAMIC_STREAMGEOIP='n' # nginx 1.11.3+ option http://hg.nginx.org/nginx/rev/558db057adaa NGXDYNAMIC_STREAMREALIP='n' # nginx 1.11.4+ option http://hg.nginx.org/nginx/rev/9cac11efb205 NGXDYNAMIC_HEADERSMORE='n' NGXDYNAMIC_SETMISC='n' NGXDYNAMIC_ECHO='n' NGXDYNAMIC_LUA='n' # leave disabled due to bug https://github.com/openresty/lua-nginx-module/issues/715 NGXDYNAMIC_SRCCACHE='n' NGXDYNAMIC_DEVELKIT='n' # leave disabled as it requires lua nginx module as dynamic but it has a bug in lua nginx NGXDYNAMIC_MEMC='n' NGXDYNAMIC_REDISTWO='n' NGXDYNAMIC_NGXPAGESPEED='n' NGXDYNAMIC_BROTLI='y' NGXDYNAMIC_FANCYINDEX='y' NGXDYNAMIC_HIDELENGTH='y'
You can enable them with 'y'
values:
# Nginx Dynamic Module Switches NGXDYNAMIC_NJS='n' NGXDYNAMIC_XSLT='y' NGXDYNAMIC_PERL='n' NGXDYNAMIC_IMAGEFILTER='y' NGXDYNAMIC_GEOIP='n' NGXDYNAMIC_STREAM='y' NGXDYNAMIC_STREAMGEOIP='y' # nginx 1.11.3+ option http://hg.nginx.org/nginx/rev/558db057adaa NGXDYNAMIC_STREAMREALIP='y' # nginx 1.11.4+ option http://hg.nginx.org/nginx/rev/9cac11efb205 NGXDYNAMIC_HEADERSMORE='y' NGXDYNAMIC_SETMISC='y' NGXDYNAMIC_ECHO='y' NGXDYNAMIC_LUA='n' # leave disabled due to bug https://github.com/openresty/lua-nginx-module/issues/715 NGXDYNAMIC_SRCCACHE='y' NGXDYNAMIC_DEVELKIT='n' # leave disabled as it requires lua nginx module as dynamic but it has a bug in lua nginx NGXDYNAMIC_MEMC='y' NGXDYNAMIC_REDISTWO='y' NGXDYNAMIC_NGXPAGESPEED='y' NGXDYNAMIC_BROTLI='y' NGXDYNAMIC_FANCYINDEX='y' NGXDYNAMIC_HIDELENGTH='y' NGINX_LIBBROTLI=y NGINX_PAGESPEED=y
The last two variables NGINX_LIBBROTLI
and NGINX_PAGESPEED
are Nginx module variables needed to be enabled before you can enable ngx_brotli and ngx_pagespeed as Nginx dynamic modules.
With Nginx dynamic modules that are compiled, you can then dynamically enable or disable the nginx module simply be commenting (adding hash # in front) or uncommenting (removing hash # in front) the Nginx dynamic module's load_module
line entry within Nginx include file at /usr/local/nginx/conf/dynamic-modules.conf
and then restarting Nginx service to take effect.
Example /usr/local/nginx/conf/dynamic-modules.conf
contents:
load_module "modules/ngx_http_brotli_filter_module.so"; load_module "modules/ngx_http_brotli_static_module.so"; load_module "modules/ngx_http_image_filter_module.so"; load_module "modules/ngx_http_headers_more_filter_module.so"; load_module "modules/ngx_http_memc_module.so"; load_module "modules/ngx_http_srcache_filter_module.so"; load_module "modules/ngx_http_set_misc_module.so"; load_module "modules/ngx_http_echo_module.so"; load_module "modules/ngx_http_redis2_module.so"; load_module "modules/ngx_http_fancyindex_module.so"; load_module "modules/ngx_pagespeed.so"; load_module "modules/ngx_stream_module.so";
Actual compiled Nginx dynamic module files are located at /usr/local/nginx/modules
:
ls -lAhrt /usr/local/nginx/modules total 22M -rwxr-xr-x 1 root root 143K Jun 18 19:02 ngx_http_image_filter_module.so -rwxr-xr-x 1 root root 106K Jun 18 19:02 ngx_http_brotli_static_module.so -rwxr-xr-x 1 root root 208K Jun 18 19:02 ngx_http_brotli_filter_module.so -rwxr-xr-x 1 root root 17M Jun 18 19:02 ngx_pagespeed.so -rwxr-xr-x 1 root root 149K Jun 18 19:02 ngx_http_fancyindex_module.so -rwxr-xr-x 1 root root 751K Jun 18 19:02 ngx_http_set_misc_module.so -rwxr-xr-x 1 root root 657K Jun 18 19:02 ngx_http_echo_module.so -rwxr-xr-x 1 root root 279K Jun 18 19:02 ngx_http_redis2_module.so -rwxr-xr-x 1 root root 396K Jun 18 19:02 ngx_http_memc_module.so -rwxr-xr-x 1 root root 395K Jun 18 19:02 ngx_http_srcache_filter_module.so -rwxr-xr-x 1 root root 280K Jun 18 19:02 ngx_http_headers_more_filter_module.so -rwxr-xr-x 1 root root 555K Jun 18 19:02 ngx_stream_module.so
End result is Nginx compiled with the following Nginx static + dynamic modules:
nginx -V nginx version: nginx/1.11.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) built with LibreSSL 2.3.6 TLS SNI support enabled configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_pagespeed-release-1.11.33.2-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.30 --add-dynamic-module=../echo-nginx-module-0.59 --add-dynamic-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../lua-nginx-module-0.10.5 --add-dynamic-module=../memc-nginx-module-0.17 --add-dynamic-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.30 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.3.6
If you have multiple desktop, laptop and mobile devices on your local LAN which share the same ISP IP address with simultaneous connections and/or if you are using FTP client which is set to a massive amount of simultaneous connections and try to connect them to Centmin Mod LEMP stack server via Pure-FTPD virtual ftp user, you may trigger CSF Firewall to block that ISP IP address. This is due to the default security setting in CSF Firewall config file at /etc/csf/csf.conf
related to LF_DISTFTP
which is set to a value of 1. You can raise that value and restart CSF Firewall service via SSH command csf -r
.
Distributed FTP Logins. This option will keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, then all of the IP addresses will be blocked This option can help mitigate the common FTP account compromise attacks that use a distributed network of zombies to deface websites. A sensible setting for this might be 5, depending on how many different IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL To disable set to "0"
As such it's advisable that in your FTP client application, you set more appropriate max simultaenous and concurrent user connections and transfer limits and don't go overboard or raise the Pure-FTPD default MaxClients and MaxClientsPerIP limits if you need to. Example, below for default Filezilla settings:
Pure-FTPD defaults to a maximum of 500 simultaneous user connections with max 200 simultaneous connections from same IP address in pure-ftpd.conf config file at /etc/pure-ftpd/pure-ftpd.conf
.
grep -C3 MaxClients /etc/pure-ftpd/pure-ftpd.conf # Maximum number of simultaneous users MaxClientsNumber 500 -- # Maximum number of sim clients with the same IP address MaxClientsPerIP 200
You can count how many connections are being made from the same IP address using this command in a separate SSH window while you're actively connected and using FTP via Pure-FTPD user login details.
netstat -plantu | grep YOURISP_IPADDRESS | wc -l
CSF Firewall is essential to securing your Centmin Mod LEMP stack server. However, at times maybe due to misconfiguration or situations outside of your control, you may block legit visitors. There are a few legit cases for this to happen:
- The user shares an IP address with a distributed/brute force attacker i.e. sshd brute force attacks on your server will automatically be blocked via CSF Firewall for better security.
- You enabled CSF Firewall block list at
/etc/csf/csf.blocklists
which can automatically communicate with known spam, abuse etc lists like SPAMHAUS, ProjectHoney Pot, Maxmind anonymous proxies list, Stopforumspam, and Dshield. So when a visitor with an IP listed in any of these known spam blacklists visits the server, CSF Firewall would block them. The CSF block lists are disabeld by default unless you enable them in/etc/csf/csf.blocklists
.
If you run into this problem, double check the visitor's IP address is not listed in those ban lists or disable the /etc/csf/csf.blocklists
if you enabled them and restart CSF Firewall service to confirm if it's the culprit. You can check IP addresses via web sites listed in /etc/csf/csf.blocklists
.
You can also temporarily enable CSF Fireall's WATCH_MODE
via the config file at /etc/csf/csf.conf
for watching IP addresses and logging the IP via /var/log/messages
. You can read up on watching IP addresses via CSF Firewall via the readme.txt documentation section 19 titled 'Watching IP Addresses' here or below.
19. Watching IP Addresses ######################### The CLI option csf --watch [ip] (csf -w [ip]) and configuration option WATCH_MODE logs TCP connection initiation (SYN) packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP address is being DROPed or ACCEPTed by iptables. WATCH_MODE should be used when watching IP addresses, although the csf -w [ip] option will still work without it but won't necessarily provide conclusive information on the final destination of the packet. WATCH_MODE is disabled by default and should be left as such unless actively watching an IP address as it will add an overhead to all accepted iptables traffic and increase overall iptables kernel logging through syslog. WATCH_MODE disables: DROP_NOLOG, PS_INTERVAL, DROP_ONLYRES WATCH_MODE enabled: DROP_LOGGING, DROP_IP_LOGGING, DROP_PF_LOGGING WATCH_MODE also logs iptables ACCEPT for watched IP addresses You should only watch a very small number of IP addresses at a time and for a very short period of time, otherwise the kernel log (usually /var/log/messages) will become flooded with entries. Also, any IP address rules added during the time of the watch will not necessarily be included in the logging rules for the watched IP addresses. IP address watches do not survive a csf (iptables) restart. You can use either an IP address or a CIDR address for csf -w [ip]. Recommended method to use this function: 1. Enable WATCH_MODE 2. Restart csf 3. Restart lfd 4. Use the following to watch an IP: csf -w 11.22.33.44 5. Watch the kernel iptables log for hits from the watched IP address Once you have finished watching an IP address you should: 1. Disable WATCH_MODE 2. Restart csf (which will also remove the watched ip rules) 3. Restart lfd The kernel iptables log lines for watching an IP (usually in /var/log/messages) contain the direction of the packet in the chain and the chain name, e.g. I:INPUT is Incoming to the chain INPUT, O:LOCALINPUT is Outgoing from chain LOCALINPUT. The following is a trimmed down example log watch of 192.168.254.4 connecting to port 22: Firewall: I:INPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: O:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: O:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: O:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: O:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: O:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22 Firewall: I:LOGACCEPT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
While still in WATCH_MODE
, you should also grep the problem IP addresses via command:
csf -g IPADDRESS
To park a 2nd domain name on top of an existing Nginx vhost site domain name involves editing your Nginx vhost site domain files. You can see full instructions on the forums here.
For example if you want to password protect /admin.php
and /install
directory. You would need to use Nginx's ngx_http_auth_basic_module feature and Nginx vhost syntax within your site's server{}
context would be something like below where /usr/local/nginx/conf/htpasswd_admin_php
contains the username and encrypted format of the username's password.
You can use different file names for /usr/local/nginx/conf/htpasswd_admin_php
for different directories you protect just make sure the auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
definition in there is changed accordingly
The include line for php.conf is required to serve php files.
location /admin.php { auth_basic "Private"; auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php; include /usr/local/nginx/conf/php.conf; } location /install/ { auth_basic "Private"; auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php; include /usr/local/nginx/conf/php.conf; }
Then to create and setup the auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php
and set your own USERNAME
and PASSWORD
for htaccess password protection you type in SSH the command using htpasswd.sh
script written to generate the /usr/local/nginx/conf/htpasswd_admin_php
and USERNAME
and PASSWORD
(in encrypted format). Re-running the create command will wipe previous entries in the file so you can change usernames and passwords via create command too.
/usr/local/nginx/conf/htpasswd.sh create /usr/local/nginx/conf/htpasswd_admin_php USERNAME PASSWORD
If you need additional usernames and passwords added use htpasswd.sh
with append
option instead of create
:
/usr/local/nginx/conf/htpasswd.sh append /usr/local/nginx/conf/htpasswd_admin_php USERNAME2 PASSWORD2