openec2 Article Description

Amazon Linux 2023: Nginx for a WordPress Installation

This article assumes you know how to install the instance and other matters as shown in my other articles.

[I use 768MB swap disk. I see no point in 1GB as the system will freeze up prior to that]
[All commands below run as root: log in as ec2-user, then sudo su, and set -o vi for vi-style line editing]

echo "vm.swappiness=10" >> /etc/sysctl.conf
echo "vm.vfs_cache_pressure=200" >> /etc/sysctl.conf
sysctl -w vm.swappiness=10
sysctl -w vm.vfs_cache_pressure=200
dd if=/dev/zero of=/swapfile bs=1024 count=786432
chmod 0600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab

[The chmod comes before mkswap on purpose: the file is created world-readable by dd, and swapped-out pages can hold passwords and keys, so it should never be readable by other users. mkswap warns if the mode is still 0644. Confirm the file is in use with swapon --show.]

[Use your own Country/City. See /usr/share/zoneinfo]

a="Australia/Brisbane";export a;echo $a
ln -sf /usr/share/zoneinfo/$a /etc/localtime
date

[Change /etc/bashrc. Use your own domain name:]

vi /etc/bashrc

# [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
  [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@mydomain.com: \w]\\$ "

[save and exit]

vi /etc/selinux/config

# SELINUX=permissive
SELINUX=disabled

[save and exit. Amazon Linux 2023 ships with SELinux in permissive mode, which logs denials without blocking anything, so leaving it alone costs nothing. Disabling it removes a containment layer that limits what a compromised php-fpm or nginx worker can reach; if you can keep it permissive (or move to enforcing once the site works), do so. The change takes effect at the next reboot.]

[Create a backup user (a break-glass admin account) so you can still get in if ec2-user is locked out or compromised. Use your own name instead of "snoopy". You may get an sss_cache error, which you can correct as shown below.]

adduser snoopy
[Give snoopy a password; it is needed for console logins:]
passwd snoopy

Give snoopy sudo rights. Do not edit /etc/sudoers in place with :w! (a syntax error in that file locks every account out of sudo); put the entry in its own file and let visudo check it before it is installed:

visudo -f /etc/sudoers.d/snoopy

snoopy ALL=(ALL) NOPASSWD:ALL

[Save and exit with :wq; visudo refuses the file if the syntax is wrong. Remove "NOPASSWD:" if sudo should ask for snoopy's password.]
[Add the user to the admin group. On Amazon Linux 2023 that group is wheel (there is no admin group, and the default sudoers already grants wheel full sudo). Membership in group root is not needed for sudo and only widens what the account can read, so it is left out:]

usermod -aG wheel snoopy

[Keep a copy of a known-good /home/ec2-user/.ssh (the authorized_keys holding the EC2 key pair) outside that home directory. On Amazon Linux 2023 the default user is ec2-user, not admin. If snoopy should also be reachable over SSH, copy authorized_keys into /home/snoopy/.ssh as well (directory 0700, file 0600, both owned by snoopy):]

cd /home/ec2-user
cp -pr .ssh ../SSH_BACKUP

[
This completes the creation of a backup user that you can use in an emergency from the EC2 console's connect options (the EC2 Serial Console logs in with the password set above, which is why the account needs one).
If you get this error:
-------------------------------
[sss_cache] [sysdb_domain_cache_connect] (0x0010): DB version too old [0.22], expected [0.23] for domain implicit_files!
Higher version of database is expected!
In order to upgrade the database, you must run SSSD.
Removing cache files in /var/lib/sss/db should fix the issue, but note that removing cache files will also remove all of your cached credentials.
Could not open available domains
--------------------------------
To fix this, remove the stale cache using the full path (a bare "rm *" after a failed cd would empty whatever directory you are actually in):]

rm -f /var/lib/sss/db/*
sss_cache -E

[Then add the backup user, e.g. snoopy, as shown above]
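The break-glass procedure above, collected into one script. This is an added example and not the openec2 article's own script; it differs from the steps above in one respect, the sudo entry is written to /etc/sudoers.d/ and validated by visudo rather than typed into /etc/sudoers. It assumes the primary account is ec2-user (overridable by the second argument), that the same SSH key pair should work for the new user, and that it is run as root.

```shell
#!/bin/sh
# Added example, not the openec2 article's own script: create a break-glass admin
# user on Amazon Linux 2023. Assumptions (this editor's, not the page's): the
# primary account is ec2-user, sudo is granted through a file in /etc/sudoers.d/
# checked by visudo, and the same SSH key pair should work for both users.
set -eu

# Only a conservative username is accepted, so the sudoers line cannot be mangled
# by spaces or metacharacters in the name.
valid_username() {
    u="$1"
    [ "${#u}" -ge 1 ] && [ "${#u}" -le 32 ] || return 1
    case "$u" in
        *[!a-z0-9_-]*) return 1 ;;   # a character outside the allowed set
        [a-z_]*)       return 0 ;;   # must start with a letter or underscore
        *)             return 1 ;;
    esac
}

# The sudoers entry for USER. Remove "NOPASSWD:" if sudo should ask for the
# user's password (the article grants NOPASSWD:ALL).
sudoers_entry() {
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1"
}

# create_breakglass_user USER [SOURCE_HOME]: must run as root.
create_breakglass_user() {
    user="$1"; src="${2:-/home/ec2-user}"
    valid_username "$user" || { echo "refusing username: $user" >&2; return 1; }

    useradd -m -G wheel "$user"   # wheel already has full sudo in AL2023's sudoers
    passwd "$user"                # a password is needed for Serial Console login

    # Write a separate fragment and let visudo validate it; a syntax error in
    # /etc/sudoers itself would lock every account out of sudo.
    frag="/etc/sudoers.d/$user"
    sudoers_entry "$user" > "$frag"
    chmod 0440 "$frag"
    visudo -cf "$frag" || { rm -f "$frag"; echo "sudoers fragment rejected" >&2; return 1; }

    # Reuse the existing authorized_keys so the EC2 key pair can log in as USER too.
    install -d -m 0700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 0600 -o "$user" -g "$user" "$src/.ssh/authorized_keys" "/home/$user/.ssh/authorized_keys"
}

# Usage (as root): sh breakglass.sh snoopy
if [ -n "${1:-}" ]; then create_breakglass_user "$1"; fi
```

After running it, confirm with `sudo -l -U snoopy` that the grant is exactly the one line written, and test a login as snoopy before you need it; a break-glass account that was never exercised is the one that fails during the incident.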

[We continue the installation:]

dnf check-release-update

[Install the update provided from the end of the output if there is an upgrade available. For example: dnf upgrade --releasever=2023.5.20240805]

dnf install -y php php-common php-pear wget php-mysqli php-devel php-mbstring
dnf install -y php-cli php-pdo php-fpm php-json php-mysqlnd php-opcache
dnf install -y gd libzip-devel kernel-devel php-gd
dnf install -y cronie cronie-anacron
dnf -y install pcre-devel gcc zlib zlib-devel
dnf -y install mariadb105
dnf -y install mariadb105-server
dnf -y install libjpeg-turbo-utils

dnf remove '*httpd*'

[Quote the pattern so the shell cannot expand it against files in the current directory, and review the removal list before confirming: this drops Apache, which Nginx replaces below.]

[See the Linux 2023 article on Nginx with memcached to install memcached if you wish. I use it but have limited understanding of it.]

pecl channel-update pecl.php.net
pecl install zip

[The channel update comes first so pecl fetches the current package list before building zip.]

We configure php:

[Use your own Country/City. I use 512M as the memory limit. You may use 256M, but I am hesitant to do that these days with more load on PHP.]

vi /etc/php.ini

;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
extension=zip.so

date.timezone = Australia/Brisbane
max_execution_time = 300
max_input_time = 600
max_input_vars = 2500
post_max_size = 100M
upload_max_filesize = 100M
max_file_uploads = 20
memory_limit = 512M

[save and exit. post_max_size and upload_max_filesize only raise PHP's limit; Nginx has its own client_max_body_size (default 1m), which must be at least as large in the server block or large uploads are rejected before PHP sees them.]

vi /etc/php.d/10-opcache.ini

opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=4000

[save and exit]

cd /etc/php-fpm.d

cp -p www.conf www.conf.o

vi /etc/php-fpm.d/www.conf

user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
; listen.acl_users = nginx,nginx   <-- leave these two commented out: when listen.acl_* is set, listen.owner/group/mode are ignored
; listen.acl_groups =
; pm = dynamic
pm = ondemand
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.process_idle_timeout = 10s;
pm.max_requests = 500
php_admin_value[disable_functions] = exec,passthru,system
php_admin_flag[allow_url_fopen] = off
php_admin_value[memory_limit] = 512M

[save and exit. Notes:
- The semicolon on the timeout line starts a comment, so php-fpm reads the value as 10s with or without it.
- With pm = ondemand only pm.max_children, pm.process_idle_timeout and pm.max_requests are used; the start/min/max_spare values belong to pm = dynamic and are harmless here.
- Size pm.max_children to your RAM: 75 workers that can each grow towards 512M will not fit on a small instance, so measure actual worker RSS.
- The disable_functions list stops exec, passthru and system but leaves shell_exec, popen and proc_open available to any PHP code an attacker manages to upload; consider adding them.
- php_admin_value and php_admin_flag cannot be overridden by ini_set() or .user.ini from the application, which is why these go in the pool rather than php.ini.]

[We do not add a memory or autosave value in WordPress wp-config.php when using Nginx.]

vi /etc/php-fpm.conf

emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 60s

[save and exit]
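A small audit of the pool settings above, as an added example (this editor's code, not the article's): it parses a php-fpm pool file, reports whether the pool runs as nginx on a group-only socket with allow_url_fopen off, and lists which process-spawning functions are still callable. The sample pool is constructed inline and mirrors the article's www.conf; the required list adds shell_exec, popen and proc_open to the three the article disables, which is this editor's recommendation rather than the page's.

```shell
#!/bin/sh
# Added example, not the article's own code: audit a php-fpm pool file for the
# settings this page depends on. The sample pool below is constructed here and
# mirrors the article's www.conf; on a real host call the functions with
# /etc/php-fpm.d/www.conf instead.
set -eu

# Functions through which PHP can start a shell or a process. The article
# disables the first three; the other three are this editor's addition.
REQUIRED_DISABLED="exec passthru system shell_exec popen proc_open"

# pool_value FILE KEY -> value of KEY with comments (";...") and padding removed
pool_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                    # whole-line comment
        { sub(/[ \t]*;.*$/, "") }               # trailing comment, e.g. "10s;"
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$1"
}

# missing_disabled FILE -> required functions absent from disable_functions, one per line
missing_disabled() {
    disabled=$(pool_value "$1" 'php_admin_value[disable_functions]' | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        found=0
        for d in $disabled; do [ "$d" = "$fn" ] && found=1; done
        [ "$found" -eq 1 ] || printf '%s\n' "$fn"
    done
}

# audit_pool FILE -> 0 when the pool runs as nginx on a group-only socket with
# allow_url_fopen off and every required function disabled; 1 otherwise.
audit_pool() {
    f="$1"; rc=0
    [ "$(pool_value "$f" user)" = nginx ]        || { echo "user is not nginx"; rc=1; }
    [ "$(pool_value "$f" group)" = nginx ]       || { echo "group is not nginx"; rc=1; }
    [ "$(pool_value "$f" listen.mode)" = 0660 ]  || { echo "listen.mode is not 0660"; rc=1; }
    [ "$(pool_value "$f" 'php_admin_flag[allow_url_fopen]')" = off ] || { echo "allow_url_fopen is not off"; rc=1; }
    missing=$(missing_disabled "$f")
    [ -z "$missing" ] || { echo "still callable:" $missing; rc=1; }
    return "$rc"
}

# Constructed sample (same values as the article's www.conf).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; www pool
[www]
user = nginx
group = nginx
listen = /run/php-fpm/www.sock
listen.mode = 0660
pm = ondemand
pm.process_idle_timeout = 10s;
php_admin_value[disable_functions] = exec,passthru,system
php_admin_flag[allow_url_fopen] = off
EOF

if audit_pool "$SAMPLE"; then echo "pool OK"; else echo "pool needs attention"; fi
```

Run against the sample it reports "still callable: shell_exec popen proc_open"; extend the disable_functions line and it passes. This only checks the pool file; `php-fpm -t` still has to accept the syntax, and a phpinfo() page (see below) shows the values the running workers actually have.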

[We use crontab to safely reload php-fpm once a night, here shown at 5 past midnight]

crontab -e
5 0 * * * /usr/bin/systemctl reload php-fpm >/dev/null 2>&1

[save and exit]

[If using Let's Encrypt. We are installing Nginx, so the plugin is certbot-nginx, not certbot-apache:]

dnf -y install python3 python3-devel augeas-libs
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot certbot-nginx
ln -s /opt/certbot/bin/certbot /usr/bin/certbot

[A pip-installed certbot comes with no systemd timer, so once a certificate is issued schedule "certbot renew" yourself, e.g. twice a day from root's crontab, or it will silently expire after 90 days.]

[Start and enable MariaDB and php-fpm (enabling means they start at a reboot), then harden MariaDB. mysql_secure_installation needs the server running, so the start comes first. Do not enable httpd: it was removed above and Nginx takes its place once installed.]

[If any problems, stop and restart your EC2 instance or do "sync;sync;reboot"]

systemctl start mariadb
systemctl enable mariadb
systemctl enable php-fpm

mysql_secure_installation
"Enter current password for root" (enter for none):
OK, successfully used password, moving on...
"Switch to unix_socket authentication [Y/n]"  n
"Change the root password?" [Y/n] Y
(nominate your database password)
Y for the remaining questions

[Answering n keeps password authentication for root, which is what lets you log into phpMyAdmin as root over https later. unix_socket authentication (answer Y) is the stronger choice, because root can then only connect from a local root shell; if you choose it, create a separate password user for phpMyAdmin. The remaining Y answers remove anonymous users, drop the test database and disallow remote root login. Either way, WordPress itself should not use root; give it its own account limited to its own database.]
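Creating that dedicated WordPress account, as an added example (not part of the article): the function emits the SQL for a database plus a local-only user whose privileges stop at that one database, and refuses identifiers or passwords that would break out of the generated statements. The names wp and wpuser are placeholders; feed the output to `mysql -u root -p`.

```shell
#!/bin/sh
# Added example, not from the article: create a dedicated local-only MariaDB
# account for WordPress instead of letting the site use root. Assumed names
# (wp, wpuser) are placeholders; run the output through "mysql -u root -p".
set -eu

# wp_db_sql DB USER [PASSWORD] -> SQL on stdout. Identifiers are restricted to
# [A-Za-z0-9_] and the password may not contain quotes or backslashes, so the
# values cannot alter the generated statements. Without a PASSWORD argument,
# 24 random bytes are base64-encoded (32 chars of [A-Za-z0-9+/]) and used.
wp_db_sql() {
    db="$1"; user="$2"; pw="${3:-$(head -c 24 /dev/urandom | base64 | tr -d '\n')}"
    [ -n "$db" ] && [ -n "$user" ] || { echo "db and user are required" >&2; return 1; }
    case "$db$user" in *[!a-zA-Z0-9_]*) echo "identifiers may only use [A-Za-z0-9_]" >&2; return 1 ;; esac
    case "$pw" in ''|*"'"*|*"\\"*) echo "password must not be empty or contain ' or \\" >&2; return 1 ;; esac
    # utf8mb4 so emoji and 4-byte characters in posts are stored correctly.
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;\n" "$db"
    # 'user'@'localhost' means the account is unusable from any other host.
    printf "CREATE USER IF NOT EXISTS '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pw"
    # Privileges are scoped to this database only; nothing global is granted.
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf "FLUSH PRIVILEGES;\n"
    echo "-- password for $user (paste into wp-config.php): $pw" >&2
}

# Usage (as root, MariaDB running):  wp_db_sql wp wpuser | mysql -u root -p
```

The password goes to stderr so it is shown once on the terminal and does not end up in the SQL stream or a shell history line. If you switched root to unix_socket authentication above, drop the `-p` and run the pipeline from a root shell.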


[Install phpMyAdmin the same way as in the Debian 11 Nginx article, Part 6. The unpacked directory name carries the version, so use a wildcard for the mv rather than hard-coding 5.2.1, and check the download against the SHA-256 or PGP signature published on phpmyadmin.net before unpacking it:]

cd /usr/share
wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz
ls
tar xvf phpMyAdmin-latest-all-languages.tar.gz
rm phpMyAdmin-latest-all-languages.tar.gz
mv phpMyAdmin-*-all-languages phpMyAdmin
cd phpMyAdmin
mkdir tmp
chown nginx:nginx tmp
chmod 770 tmp
cp -p config.sample.inc.php config.inc.php
vi config.inc.php
[Search for the blowfish_secret line. It must be a random string of exactly 32 characters. Generate it locally on the server rather than pasting a value from a web-based generator, since whoever runs the generator has seen your secret; base64-encoding 24 bytes from /dev/urandom gives exactly 32 characters.
Paste the generated value into the blowfish_secret value.
Then after SaveDir as shown below, add TempDir. Point it at the tmp directory just created (owned by nginx, mode 770, so only php-fpm can write there) rather than the shared /tmp:]
$cfg['SaveDir'] = '';
$cfg['TempDir'] = '/usr/share/phpMyAdmin/tmp';

[save and exit]
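The download check and secret generation from the steps above, as an added example (this editor's script, not the article's): it compares the tarball's SHA-256 with the published digest by value rather than by file name, because the published .sha256 names the versioned tarball while the download used the "latest" alias, and it generates blowfish_secret from /dev/urandom. It assumes phpMyAdmin lives in /usr/share/phpMyAdmin, that php-fpm runs as nginx, and that a .sha256 file is published next to the tarball on phpmyadmin.net.

```shell
#!/bin/sh
# Added example (not the article's own steps): verify the phpMyAdmin download
# against its published SHA-256 and generate blowfish_secret on the server.
# Assumptions: phpMyAdmin lives in /usr/share/phpMyAdmin, php-fpm runs as nginx,
# and the .sha256 file sits next to the tarball on phpmyadmin.net.
set -eu

PMA_TARBALL=phpMyAdmin-latest-all-languages.tar.gz
PMA_URL="https://www.phpmyadmin.net/downloads/$PMA_TARBALL"

# verify_sha256 FILE SUMFILE -> 0 if FILE's digest equals the first field of SUMFILE.
# The digest is compared, not the file name, because the published .sha256 names
# the versioned tarball while we downloaded it under the "latest" alias.
verify_sha256() {
    expected=$(awk 'NR==1 { print tolower($1) }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# blowfish_secret must be exactly 32 bytes. 24 random bytes base64-encode to
# 32 characters of [A-Za-z0-9+/] with no padding, so the value is safe inside
# a single-quoted PHP string.
gen_blowfish_secret() { head -c 24 /dev/urandom | base64 | tr -d '\n'; }

# render_pma_config SECRET TEMPDIR -> the two lines to set in config.inc.php
render_pma_config() {
    printf "\$cfg['blowfish_secret'] = '%s';\n" "$1"
    printf "\$cfg['TempDir'] = '%s';\n" "$2"
}

# install_pma: download, verify, unpack, and give tmp/ a safe owner and mode
# (nginx:nginx 0770, not 777). Prints the config lines to paste afterwards.
install_pma() {
    cd /usr/share
    wget -q "$PMA_URL" "$PMA_URL.sha256"
    verify_sha256 "$PMA_TARBALL" "$PMA_TARBALL.sha256" \
        || { echo "checksum mismatch, not installing" >&2; return 1; }
    tar xzf "$PMA_TARBALL"
    rm -f "$PMA_TARBALL" "$PMA_TARBALL.sha256"
    mv phpMyAdmin-*-all-languages phpMyAdmin
    install -d -m 0770 -o nginx -g nginx /usr/share/phpMyAdmin/tmp
    cp -p phpMyAdmin/config.sample.inc.php phpMyAdmin/config.inc.php
    render_pma_config "$(gen_blowfish_secret)" /usr/share/phpMyAdmin/tmp
}

# Usage (as root): install_pma, then put the two printed lines into config.inc.php
```

A digest fetched over the same channel as the tarball only protects against a corrupted download; for protection against a substituted file, verify the .asc signature with the phpMyAdmin release key instead.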

[Make sure your domain's DNS records are correct and the A record points at the instance's IPv4 address]

[Here is how phpMyAdmin is linked into the web root so the browser can reach it at /phpMyAdmin. DO NOT log into phpMyAdmin until after Nginx is installed and https:// is working, or the database password crosses the network in the clear. Once Nginx is up, also restrict this path (allow/deny by source IP, or HTTP basic auth): a phpMyAdmin login page open to the internet is a standing brute-force target.]

cd /var/www/html
pwd
ln -s /usr/share/phpMyAdmin phpMyAdmin
ls -l

[php-fpm runs as nginx here, but the php package creates these directories for the apache group. Change the group of opcache, session and wsdlcache to nginx (chgrp nginx on each) so PHP sessions, including phpMyAdmin's login session, can be written. The result should look like this:]

cd /var/lib/php
ls -l
total 0
drwxrwx---. 2 root nginx 6 Feb 13 06:23 opcache
drwxr-xr-x. 2 root root   6 Feb 13 06:23 peclxml
drwxrwx---. 2 root nginx 6 Feb 13 06:23 session
drwxrwx---. 2 root nginx 6 Feb 13 06:23 wsdlcache

[fyi: later you can create databases in phpMyAdmin with utf8mb4_general_ci if you like]

[Check permissions and ownership for the default /var/www/html directories we will use with Nginx. The same applies to multiple domains under, say, /var/www.]

cd /var
ls -l

[Set these permissions: drwxrwsr-x 12 root nginx 4096 Aug  2 00:00 www. Mode 2775 sets the setgid bit, so files created underneath inherit the nginx group:]
[e.g. chown root www;chgrp nginx www;chmod 2775 www]

cd /var/www
ls -l

[If html is not present, create it with "mkdir html"]
[Set these permissions: drwxrwsr-x  3 nginx nginx  4096 Jul 17 16:30 html]
[e.g. chown nginx html;chgrp nginx html;chmod 2775 html]

[Add a phpinfo.php file, which we will use after Nginx is configured to verify the PHP settings, including memcached if installed. It prints every ini value, loaded module and path on the server, so delete it as soon as the check is done:]

printf '<?php phpinfo(); ?>\n' > phpinfo.php
chown nginx:nginx phpinfo.php; chmod 664 phpinfo.php
ls -l


[When we install Nginx there is a process we go through to add SSL certificates. To test https://mydomain.com, you would use https://mydomain.com/phpinfo.php, or add a dummy index.html file:]
cd /var/www/html

vi index.html

testing mydomain.com

[save and exit]

[Make sure the files in /var/www/html are chown nginx *; chgrp nginx *; chmod 664 * (files only; directories keep 2775 so they stay traversable)]

If you wish to install ImageMagick for shell-scripting purposes (e.g. to convert your photo album images into square thumbnails):

(php-imagick can be installed on Debian 11 by searching on how to do that, but I don't see enough reason to install it or pursue that here on AL2023.)

dnf install ImageMagick

Sections of the following references may be helpful. We need to install the current stable version of Nginx on Linux 2023.

We do not use dnf install nginx.

https://nginx.org/en/linux_packages.html#Amazon-Linux

https://www.cloudwithxavier.com/install-memcached-on-amazon-linux-2023-ami/

https://docs.aws.amazon.com/linux/al2023/ug/hosting-wordpress-aml-2023.html

Install Nginx:

dnf install yum-utils

[In the vi editing below, the bracketed lines such as [nginx-stable] are the repository section headers and must be typed as shown. This is the repo file nginx.org publishes for Amazon Linux 2023; gpgcheck=1 makes dnf verify every package against the nginx signing key, so keep it on.]

vi /etc/yum.repos.d/nginx.repo

  [nginx-stable]
  name=nginx stable repo
  baseurl=https://nginx.org/packages/amzn/2023/$basearch/
  gpgcheck=1
  enabled=1
  gpgkey=https://nginx.org/keys/nginx_signing.key
  module_hotfixes=true
  priority=9

  [nginx-mainline]
  name=nginx mainline repo
  baseurl=https://nginx.org/packages/mainline/amzn/2023/$basearch/
  gpgcheck=1
  enabled=0
  gpgkey=https://nginx.org/keys/nginx_signing.key
  module_hotfixes=true
  priority=9

[save and exit. Mainline is disabled in the file, as in nginx.org's version; the next command switches it on if you want the mainline branch (nginx.org's recommendation). Skip it and the stable branch is installed instead.]

yum-config-manager --enable nginx-mainline
dnf install nginx

[Just check that the GD library and its PHP binding are installed; they were in the dnf lines above (libgd and lib-gd are not package names on Amazon Linux 2023):]

dnf install gd php-gd


To configure Nginx, please see Debian 11 – Part 7. I refer to that article because there are quite a few things to do.

Remember that when you include additional .conf files from my Scripts – Part 1 article, they can prevent wp-login.php or WordPress updates from executing, so keep that in mind: you can comment out an include line in your configs as a temporary measure.

When following the Debian Nginx article, we do not use the php8.3 references but php-fpm, and the socket is fastcgi_pass unix:/run/php-fpm/www.sock; (the default listen path of the www pool on Amazon Linux 2023).

And we should treat memcached as a separate exercise, excluding it from our configuration until later, when using the Linux 2023 – Nginx memcached article.

Keep in mind that a paid SSL certificate usually goes into these directories on Amazon Linux, not /etc/ssl (keep the key file readable by root only, mode 0600; the nginx master process reads it as root before the workers drop to the nginx user):

     ssl_certificate "/etc/pki/tls/certs/mydomain_com.crt";

     ssl_certificate_key "/etc/pki/tls/private/mydomain_com.key";

The Debian 11 article gives more information on how to obtain certificates, which is quite a learning curve.
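The server block the page defers to Debian 11 – Part 7, written out for this stack as an added example (this editor's configuration, not the article's or the Debian article's). It uses the php-fpm socket and the /etc/pki/tls certificate paths stated above. Assumptions that are not on the page: the web root is /var/www/html, nginx.org's package includes /etc/nginx/conf.d/*.conf, `http2 on;` needs nginx 1.25.1 or newer (the mainline branch enabled above), and ADMIN_NET is a placeholder source range from which /phpMyAdmin/ may be reached.

```shell
#!/bin/sh
# Added example, not the article's or the Debian 11 article's config: render a
# WordPress server block for this stack. Assumed paths: web root /var/www/html,
# php-fpm socket /run/php-fpm/www.sock, certificates under /etc/pki/tls as the
# article shows. ADMIN_NET is an assumed admin source range for /phpMyAdmin/.
set -eu
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumption: replace with your own range

# wp_server_block DOMAIN -> prints the server block. DOMAIN is validated so a
# stray ';' or '}' cannot inject directives into the rendered file.
wp_server_block() {
    domain="$1"
    case "$domain" in ''|*[!a-zA-Z0-9.-]*) echo "bad domain: $domain" >&2; return 1 ;; esac
    file_base=$(printf '%s' "$domain" | tr '.' '_')   # mydomain.com -> mydomain_com
    cat <<EOF
server {
    listen 443 ssl;
    http2 on;                                  # nginx >= 1.25.1 syntax
    server_name $domain;
    root /var/www/html;
    index index.php index.html;

    ssl_certificate     /etc/pki/tls/certs/$file_base.crt;
    ssl_certificate_key /etc/pki/tls/private/$file_base.key;

    client_max_body_size 100m;                 # matches upload_max_filesize in php.ini

    location / { try_files \$uri \$uri/ /index.php?\$args; }   # WordPress permalinks

    location ~ /\. { deny all; }               # .git, .htaccess, .user.ini and friends

    location ^~ /phpMyAdmin/ {
        allow $ADMIN_NET;                      # assumption: admin network only
        deny all;
        location ~ \.php\$ {
            try_files \$uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm/www.sock;
        }
    }

    location ~ \.php\$ {
        try_files \$uri =404;                  # never hand a missing script to php-fpm
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}

server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;    # plain http only redirects
}
EOF
}

# install_site DOMAIN: write the file, test the whole configuration, then reload.
install_site() {
    wp_server_block "$1" > "/etc/nginx/conf.d/$1.conf"
    nginx -t && systemctl reload nginx
}

# Usage (as root, certificates in place): install_site mydomain.com
```

`try_files $uri =404` in the PHP locations is the line that matters most: without it, a request for /uploads/image.jpg/x.php can be routed to php-fpm with the wrong SCRIPT_FILENAME and an uploaded file executed as code. The `/\.` deny also blocks /.well-known/, so if you use certbot's webroot method add an explicit `location ^~ /.well-known/acme-challenge/` above it; the certbot-nginx plugin installed earlier handles its own challenge location.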