CentOS 7 - NGINX, PHP, LetsEncrypt SSL - Installation and Configuration

CentOS 7.5 - NGINX (Mainline), PHP 7.3, LetsEncrypt SSL - Installation & Configuration

NGINX is superior to most other web servers in regard to performance, potential to mitigate attacks, and resource usage. But many people have a hard time getting everything working properly, and with good reason. Many installation scripts that manage Nginx for you, and many other guides, give you steps to install an outdated version, which may be lacking critical security updates or performance changes, or a PHP configuration that renders server errors in browsers. We've tested ours and guarantee it works in this environment.

Install PHP 7.3 from Remi repository

Install yum-utils for the yum-config-manager tool

yum install -y yum-utils

Install Epel and Remi repositories

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Enable Remi repository

yum-config-manager --enable remi-php73

Note: You can change php73 to php72 (or other versions) throughout this guide to use a different PHP version if the one here doesn't support modules needed by you.

Run update then install the PHP packages

yum update -y
yum install -y php73 php73-php-fpm

We need to edit the php.ini config for this PHP installation (you can use any text editor, we prefer nano, we're cooler than vim'ers)

nano /etc/opt/remi/php73/php.ini

Replace:

;cgi.fix_pathinfo=1

With:

cgi.fix_pathinfo=0

(Remove semicolon, change 1 to 0)

Now we need to edit the configuration for PHP-FPM

nano /etc/opt/remi/php73/php-fpm.d/www.conf

Replace:

listen = 127.0.0.1:9000

With:

listen = /var/run/php73-fpm/php73-fpm.sock

Now edit the same file. Lower in the configuration you will need to change the following:

nano /etc/opt/remi/php73/php-fpm.d/www.conf

Replace:

;listen.owner = nobody
;listen.group = nobody

With:

listen.owner = nginx
listen.group = nginx

(Remove semicolons and change 'nobody' to 'nginx')

Now edit the same file again. Near the top of the configuration you will need to change the following:

nano /etc/opt/remi/php73/php-fpm.d/www.conf

Replace:

user = apache
group = apache

With:

user = nginx
group = nginx

Now create the directory for the socket file

mkdir /var/run/php73-fpm

Change ownership of the sessions directory to the nginx user so PHP sessions work properly

chown -R nginx:nginx /var/opt/remi/php73/lib/php/session
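The php.ini and www.conf edits above are easy to get half-done by hand (a semicolon left in place, or only one of the two listen.* lines changed), so here is an added example, not part of the original guide, that applies the same changes with sed and then verifies every expected line is present. The default paths are the Remi php73 paths used in this guide; the sample files it builds for its dry run are constructed stand-ins for the real defaults, not copies of them.

```shell
#!/bin/sh
# Added example: apply the guide's php.ini / www.conf edits repeatably and verify them.
# Real paths from the guide (pass them as arguments to use them):
#   /etc/opt/remi/php73/php.ini
#   /etc/opt/remi/php73/php-fpm.d/www.conf

# php.ini: uncomment and set cgi.fix_pathinfo=0 (idempotent).
harden_php_ini() {
  ini="$1"
  sed -i 's/^;\{0,1\}cgi\.fix_pathinfo=.*/cgi.fix_pathinfo=0/' "$ini"
}

# www.conf: unix socket, nginx as the pool user/group, nginx as the socket owner/group.
# Second argument overrides the socket path (default is the one from the guide).
configure_www_conf() {
  conf="$1"
  sock="${2:-/var/run/php73-fpm/php73-fpm.sock}"
  sed -i \
    -e "s|^listen = .*|listen = $sock|" \
    -e 's/^;\{0,1\}listen\.owner = .*/listen.owner = nginx/' \
    -e 's/^;\{0,1\}listen\.group = .*/listen.group = nginx/' \
    -e 's/^user = .*/user = nginx/' \
    -e 's/^group = .*/group = nginx/' \
    "$conf"
}

# Returns 0 only when every line the guide asks for is present as a whole line.
verify_php_fpm_config() {
  ini="$1"
  conf="$2"
  sock="${3:-/var/run/php73-fpm/php73-fpm.sock}"
  grep -qxF 'cgi.fix_pathinfo=0' "$ini" || return 1
  grep -qxF "listen = $sock" "$conf" || return 1
  grep -qxF 'listen.owner = nginx' "$conf" || return 1
  grep -qxF 'listen.group = nginx' "$conf" || return 1
  grep -qxF 'user = nginx' "$conf" || return 1
  grep -qxF 'group = nginx' "$conf" || return 1
}

# Constructed sample files (a few lines shaped like the stock Remi defaults) for a dry run.
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '[PHP]' 'engine = On' ';cgi.fix_pathinfo=1' > "$dir/php.ini"
  printf '%s\n' '[www]' 'user = apache' 'group = apache' 'listen = 127.0.0.1:9000' \
    ';listen.owner = nobody' ';listen.group = nobody' ';listen.mode = 0660' > "$dir/www.conf"
  echo "$dir"
}

# Dry run on the constructed samples; swap in the real paths above on the server.
SAMPLE_DIR=$(make_samples)
harden_php_ini "$SAMPLE_DIR/php.ini"
configure_www_conf "$SAMPLE_DIR/www.conf"
if verify_php_fpm_config "$SAMPLE_DIR/php.ini" "$SAMPLE_DIR/www.conf"; then
  echo "sample config verified under $SAMPLE_DIR"
fi
```

One caveat on the mkdir /var/run/php73-fpm step that follows: on CentOS 7 /var/run is a symlink to /run, which is a tmpfs, so that directory disappears at reboot and PHP-FPM will then fail to create its socket. A one-line file under /etc/tmpfiles.d (for example `d /run/php73-fpm 0755 root root -`) makes systemd recreate it at boot.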

Once NGINX is installed we can start PHP-FPM. If we try now it will give an error, since the nginx system user has not been created yet.

systemctl restart php73-php-fpm
systemctl enable php73-php-fpm

Note: You will need to install Nginx below first before starting PHP-FPM.

Install NGINX Mainline from Nginx repository

First we must add the NGINX PGP key to verify integrity and confirm the origin of the packages

wget http://nginx.org/keys/nginx_signing.key
rpm --import nginx_signing.key && rm -rf nginx_signing.key

Lets add the NGINX repo now, create a new file

nano /etc/yum.repos.d/nginx.repo

Add the following contents and save:

[nginx]
name=nginx
baseurl=http://nginx.org/packages/mainline/centos/7/x86_64/
gpgcheck=1
enabled=1

Now we can install NGINX Mainline

yum update -y
yum install -y nginx

Start NGINX and enable at boot

systemctl start nginx
systemctl enable nginx

Check the NGINX version and status to confirm

systemctl status nginx && nginx -v

Now we can create a new virtual host config for our domain. Make sure to replace all occurrences of example.com with your own domain

nano /etc/nginx/conf.d/example.com.conf

Paste the following contents:

server {
  listen 80;
  server_name www.example.com example.com;
  root /usr/share/nginx/example.com;
  index index.php index.html index.htm;
  
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }
  
  error_page 404 /404.html;
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/example.com;
  }
  
  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php73-fpm/php73-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
}
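Since the same server block gets copied for every domain, here is an added example, not from the original guide, that renders it for a given domain and lints the PHP location before the file goes into /etc/nginx/conf.d. The lint checks the two guards this setup relies on: the location regex is written as `\.php$` (a literal dot, not any character) and `try_files $uri =404` sits inside it, so a request whose path does not exist on disk is refused instead of being handed to PHP-FPM. It assumes the guide's socket path and its /usr/share/nginx/<domain> webroot convention.

```shell
#!/bin/sh
# Added example: render the guide's server block for a domain and lint its PHP location.
# Usage: sh vhost.sh example.com > /etc/nginx/conf.d/example.com.conf && nginx -t

render_vhost() {
  domain="$1"
  sock="${2:-/var/run/php73-fpm/php73-fpm.sock}"   # socket path from the guide
  # Unquoted heredoc: \$ keeps nginx variables literal, \\. yields the \. regex escape.
  cat <<EOF
server {
  listen 80;
  server_name www.$domain $domain;
  root /usr/share/nginx/$domain;
  index index.php index.html index.htm;

  location / {
    try_files \$uri \$uri/ /index.php?\$query_string;
  }

  error_page 404 /404.html;
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/$domain;
  }

  location ~ \\.php\$ {
    try_files \$uri =404;
    fastcgi_pass unix:$sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    include fastcgi_params;
  }
}
EOF
}

# Returns 0 when the config has a "location ~ \.php$ {" block that contains
# "try_files $uri =404;", and 1 otherwise (unescaped ".php$" or a missing
# try_files both fail). Plain substring matching so no regex escaping is needed.
lint_php_location() {
  awk '
    index($0, "location ~ \\.php$ {") > 0 { inphp = 1 }
    inphp && index($0, "try_files $uri =404;") > 0 { found = 1 }
    inphp && /^[ \t]*}/ { inphp = 0 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# When run with a domain argument, print the block only if it passes the lint.
if [ -n "$1" ]; then
  tmp=$(mktemp)
  render_vhost "$1" > "$tmp"
  lint_php_location "$tmp" && cat "$tmp"
  rm -f "$tmp"
fi
```

The lint is deliberately strict about whole lines, so a copy that drifted (for example the regex typed as `.php$`, which would also match a path ending in `xphp`) is caught before `nginx -t` and a reload. It complements, rather than replaces, the cgi.fix_pathinfo=0 setting from the PHP step: both are needed for the "only real .php files reach PHP-FPM" property.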

Now restart NGINX, also restart PHP-FPM since the nginx user has been created now

systemctl restart nginx
systemctl restart php73-php-fpm

Let's make the web directory for the virtual host now and create an index file and a PHP info file to confirm PHP processing is working

mkdir /usr/share/nginx/example.com
echo 'test index' > /usr/share/nginx/example.com/index.html
echo '<?php phpinfo(); ?>' > /usr/share/nginx/example.com/info.php

Visit your domain in your web browser now to confirm all is working. You can go to your domain /info.php to check PHP modules and parameters. Remove info.php once you have confirmed it, since it publishes details of your PHP configuration and server paths to anyone who can reach the site.

To update NGINX in the future to new mainline builds, just run the following

yum update nginx -y
systemctl restart nginx

If you are using a firewall, make sure to allow both web ports.

firewalld:

firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

iptables:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Install LetsEncrypt SSL and enable HTTPS and HTTP/2 for virtual host

Now install LetsEncrypt certbot

yum install -y certbot-nginx

Run certbot now, it will ask for the webroot directory and your e-mail. The certbot-nginx that we installed should modify your Nginx virtual host config automatically, so no manual changes should be needed.

certbot --authenticator webroot --installer nginx

Create a crontab entry so renewal is attempted automatically (the entry below runs every Monday at 04:35; certbot renew only replaces certificates that are close to expiry, so running it weekly is harmless)

crontab -e

Add:

35 4 * * 1 certbot renew >> /var/log/certbot-renew.log

All done!