Blog 10-30-22

I use HocVPS Script to simplify the installation process, allowing for simple management in the future.

Info

HocVPS Script will support:

  • Centos 7
  • Centos 8
  • Rocky Linux 8
  • Ubuntu 18.04
  • Ubuntu 20.04

HocVPS Script will automatically install:

  • nginx web server, latest version.
  • The latest version of the MariaDB database (an optimized MySQL).
  • Option to install or update to newer MariaDB versions during setup.
  • Choice of PHP version: PHP 8.0, PHP 7.4, PHP 7.3, PHP 7.2, PHP 7.1, PHP 7.0 or PHP 5.6; comes with Zend OPcache, which makes PHP run fastest.
  • The latest phpMyAdmin.
  • The latest eXtplorer as File Manager; it can create users with separate permissions.
  • Option to install a firewall using CSF.
  • Support for installing a Let’s Encrypt SSL certificate for the website.
  • Support for installing commercial SSL certificates (Sectigo, Geotrust, IDE).

Run the following command to install:

curl -sO https://hocvps.com/install && bash install

When the prompt to enter your email appears, just input your working email.

Then enter the PHP version that you want to use. I choose the latest, PHP 8.0.

(screenshot: PHP version)

Enter your domain, for example: pquan.info

(screenshot: Your Domain)

Then enter the secret admin port you want, from the range 2000 – 9999 (it can be changed later). It is used for the following:

  • Access the admin link, in the form of: http://domain.com:port/
  • Using phpMyAdmin, link form: http://domain.com:port/phpmyadmin/
  • File Manager, link form: http://domain.com:port/filemanager/
  • Monitor System Status, link form: http://domain.com:port/serverinfo/
  • Track Zend Opcache Status, link form: http://domain.com:port/op.php

You’ll be asked to specify the MariaDB version:

(screenshot: MariaDB version)

After that, the script performs the installation automatically, which can take 3-5 minutes depending on the configuration and network of the VPS / server.

Finally, if no problem occurs, you receive a successful-installation notification and the VPS management information shown below. This information is also saved to the text file /root/hocvps-script.txt for you to review later.

(screenshot: Success)

After installing HocVPS Script, you can use SFTP to manage files: upload your code to /home/domain.com/public_html/, point the domain name at the IP of the VPS, and start using it.

Run hocvps to access the script menu.

hocvps

Note: after uploading the source to the web folder, use HocVPS menu option 14, Webserver permissions, so that NGINX can read the website content.

If you want to connect to SSH, use port 2222.

While using any function, pressing Ctrl + C exits the script immediately.

Create the following file:

nano /etc/yum.repos.d/nginx.repo

Then add the following content, which defines the Nginx repository we will use to install the latest Nginx version:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Save the file and exit. Then run the hocvps script.

(screenshot: Update Nginx)

Choose menu 15, then select option 2 to update Nginx to latest stable version.


Install Certbot:

yum -y install certbot

Issue a Let’s Encrypt certificate for the domain:

# Stop Nginx
service nginx stop

# Issue SSL Let's Encrypt
certbot certonly --standalone

Next, enter the domain name that will use the SSL certificate and press Enter. At this step, enter only the non-www and www versions of a single domain or subdomain.

Create a 2048-bit DH parameters file:

mkdir /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Note: the number of bits (2048 above; the same applies to 4096) must come after the -out option that names the output file; with that argument order openssl produces meaningful output. If you put the -out option after the number of bits, be it 512, 2048 or 4096, the script may fail to create the parameter file.

Modify the domain configuration by editing yourdomain.com.conf:

nano /etc/nginx/conf.d/yourdomain.com.conf

Configure SSL request handling

In the server { … } block, adjust as follows:

Change listen 80 default_server; to listen 443 ssl default_server;

After server_name yourdomain.com; add the SSL configuration snippet:

    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # DH parameters
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Enable HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;

The Nginx configuration file will then look similar to the following:

server {
    listen 443 ssl http2;
    server_name www.yourdomain.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Redirect www to the bare domain
    rewrite ^(.*) https://yourdomain.com$1 permanent;
}

server {
    listen 80;

    server_name yourdomain.com www.yourdomain.com;
    # Redirect plain HTTP to HTTPS
    rewrite ^(.*) https://yourdomain.com$1 permanent;
}

server {
    listen 443 ssl http2 default_server;
    # access_log off;
    access_log /home/yourdomain.com/logs/access.log;
    # error_log off;
    error_log /home/yourdomain.com/logs/error.log;

    root /home/yourdomain.com/public_html;
    index index.php index.html index.htm;
    server_name yourdomain.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # DH parameters
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Enable HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Custom configuration
    include /home/yourdomain.com/public_html/*.conf;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_connect_timeout 1000;
        fastcgi_send_timeout 1000;
        fastcgi_read_timeout 1000;
        fastcgi_buffer_size 256k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
        fastcgi_param SCRIPT_FILENAME /home/yourdomain.com/public_html$fastcgi_script_name;
    }
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    location /php_status {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/yourdomain.com/public_html$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        allow 127.0.0.1;
        deny all;
    }
    # Disable .htaccess and other hidden files
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|eot|svg|ttf|woff)$ {
        gzip_static off;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(txt|js|css)$ {
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }
}

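As an added example (not part of the original post and not code from HocVPS Script), the following POSIX shell script audits the ssl_* directives of a server block like the one above. TLS 1.0 and 1.1 are deprecated by RFC 8996, and the EECDH+3DES, RSA+3DES, RSA+AES128 and RSA+AES256 entries in the cipher list above either use a 64-bit block cipher or give up forward secrecy. The script checks a constructed copy of the post's settings and a hardened variant that keeps only TLS 1.2/1.3 and ECDHE suites; the temp-file paths, the function names and the choice of "required" directives are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of HocVPS Script:
# audit the ssl_* directives of an nginx server block for deprecated
# protocols, weak cipher families and missing hardening directives.
set -u

# Constructed sample 1: the TLS settings exactly as the post configures them.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2 default_server;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF

# Constructed sample 2: the same block with TLS 1.0/1.1, 3DES and static-RSA
# key exchange removed (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+).
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
server {
    listen 443 ssl http2 default_server;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# directive_value FILE NAME: print the arguments of the first NAME directive.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*/\1/p" "$1" | sed -n 1p
}

# audit_tls_conf FILE: print one finding per line (nothing when clean).
audit_tls_conf() {
    conf=$1
    # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996).
    for p in $(directive_value "$conf" ssl_protocols); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $p" ;;
        esac
    done
    # Cipher list entries are ':'-separated OpenSSL cipher-string terms.
    old_ifs=$IFS
    IFS=:
    for c in $(directive_value "$conf" ssl_ciphers); do
        case $c in
            *3DES*) echo "64-bit block cipher (3DES) enabled: $c" ;;
            RSA+*)  echo "static RSA key exchange, no forward secrecy: $c" ;;
        esac
    done
    IFS=$old_ifs
    # Directives this example expects in every HTTPS server block.
    for d in ssl_dhparam Strict-Transport-Security; do
        grep -q "$d" "$conf" || echo "missing: $d"
    done
}

# count_findings FILE: number of findings, always printed, even when zero.
count_findings() {
    audit_tls_conf "$1" | awk 'END { print NR }'
}

echo "post's settings:   $(count_findings "$WEAK_CONF") finding(s)"
audit_tls_conf "$WEAK_CONF" | sed 's/^/  /'
echo "hardened settings: $(count_findings "$HARD_CONF") finding(s)"
```

Run against the post's settings the script reports six findings (two protocols, four cipher entries); against the hardened block it reports none. To check a live server block, call audit_tls_conf on /etc/nginx/conf.d/yourdomain.com.conf instead of the constructed samples; the sed pattern only reads the first ssl_protocols and ssl_ciphers directive it finds, so run it once per server block if a file contains several.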
HocVPS Script also installs iptables, so you can skip the installation steps and go straight to the iptables commands and options.

In CentOS, iptables was replaced by firewalld.

To install iptables, first stop firewalld. Enter the following commands:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld

These commands stop firewalld, prevent it from starting at boot, and keep other services from starting it.

Next, install and enable iptables. First, install the iptables-services package with the following command:

sudo yum -y install iptables-services

Enter the following commands to enable and start iptables in CentOS:

sudo systemctl enable iptables
sudo systemctl start iptables

In general, an iptables command looks as follows:

sudo iptables [option] CHAIN_rule [-j target]

Here is a list of some common iptables options:

  • -A, --append – Add a rule to the end of a chain.
  • -C, --check – Check whether a rule matching the given specification exists in the chain.
  • -D, --delete – Remove the specified rule from a chain.
  • -F, --flush – Remove all rules.
  • -I, --insert – Add a rule to a chain at a given position.
  • -L, --list – Show all rules in a chain.
  • -N, --new-chain – Create a new chain.
  • -v, --verbose – Show more information when using a list option.
  • -X, --delete-chain – Delete the specified chain.

To view the current set of rules on your server, enter the following in the terminal window:

sudo iptables -L

It’s safe to allow traffic from your own system (the localhost). Append to the INPUT chain by entering the following:

sudo iptables -A INPUT -i lo -j ACCEPT

Then allow incoming HTTP (80), SSH (22) and HTTPS (443):

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

The options work as follows:

  • -p – Match the specified protocol (tcp).
  • --dport – Match the destination port.
  • -j, --jump – Take the specified action (target).

You can use the -F option to clear all iptables firewall rules. A more precise method is to delete a single rule by its line number.

First, list all rules by entering the following:

sudo iptables -L --line-numbers

Locate the line of the firewall rule you want to delete and run this command:

sudo iptables -D INPUT <Number>

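As an added example (not part of the original post), the following POSIX shell script works through the list-then-delete procedure above on constructed iptables -L INPUT -n --line-numbers output, and shows the two things that bite in practice: rule numbers shift after each -D, so duplicates must be deleted highest number first, and repeated -A commands silently append duplicate rules, which is what the -C option from the list above is for. The sample listing, the function names and the SSH port check are assumptions of this example; note that the post sets SSH to port 2222 while the rules above allow port 22, so the port actually in use is the one to verify.

```shell
#!/bin/sh
# Added example, not part of the original post: work out which INPUT rule
# numbers to delete from `iptables -L INPUT -n --line-numbers` output, and
# avoid the duplicate rules that repeated `-A` appends create.
set -u

# Constructed sample output (not captured from a real host): rules 3 and 5
# are the same ACCEPT rule appended twice, as happens when the commands
# above are re-run.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# list_rules [FILE]: the listing to work on; a saved file if given, else the sample.
list_rules() {
    if [ $# -gt 0 ]; then cat "$1"; else printf '%s\n' "$SAMPLE_RULES"; fi
}

# rule_numbers_for_port PORT [FILE]: numbers of ACCEPT rules for tcp dpt:PORT.
# Only numbered rows count: the "Chain ..." and "num target ..." headers are skipped.
rule_numbers_for_port() {
    port=$1; shift
    list_rules "$@" | awk -v want="dpt:$port" \
        '$1 ~ /^[0-9]+$/ && $2 == "ACCEPT" && $3 == "tcp" && $NF == want { print $1 }'
}

# delete_commands_for_port PORT [FILE]: the -D commands, highest number first.
# Deleting rule 3 renumbers 4 and 5, so descending order keeps every remaining
# number valid; ascending order would delete the wrong rule on the second pass.
delete_commands_for_port() {
    port=$1; shift
    rule_numbers_for_port "$port" "$@" | sort -rn | while read -r n; do
        printf 'sudo iptables -D INPUT %s\n' "$n"
    done
}

# add_if_missing PORT [FILE]: print the -A command only when no rule for the
# port exists yet. On a live host the equivalent check is
#   sudo iptables -C INPUT -p tcp --dport PORT -j ACCEPT || sudo iptables -A ...
add_if_missing() {
    port=$1; shift
    if [ -z "$(rule_numbers_for_port "$port" "$@")" ]; then
        printf 'sudo iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    fi
}

echo "rules for tcp/22: $(rule_numbers_for_port 22 | tr '\n' ' ')"
delete_commands_for_port 22
add_if_missing 22    # prints nothing: port 22 is already allowed
add_if_missing 2222  # prints the -A command for the SSH port the post uses
```

To use it on a real listing, save the output of sudo iptables -L INPUT -n --line-numbers to a file and pass that file as the second argument; the functions only print commands, so nothing is changed until you run them.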
iptables does not keep the rules you created across a reboot. Whenever you configure iptables in Linux, the changes you make apply only until the next restart.

To save the rules in Debian-based systems, enter:

sudo /sbin/iptables-save

To save the rules in Red-Hat based systems, enter:

sudo /sbin/service iptables save

The next time your system starts, iptables will automatically reload the firewall rules.