Building a Wicked Fast CentOS Web Server with Nginx, PHP, and MySQL

April 22, 2014

centos

I’m migrating from RamNode back to my favorite host—Linode.

Some may ask why I left in the first place, and the answer is simply that for a while there RamNode had SSD and Linode didn’t. But Linode has fixed that, so I’m back.

Rebuilding danielmiessler.com

I’ve been wanting to do a write-up on configuring a new server from scratch for a long time now, and I’m using this migration back to Linode to do so. Here are some details on the server:

  • Host: Linode

  • Plan: 8192 (6 cores, 8GB memory, 196GB of SSD)

  • OS: 64-bit CentOS 6.5

My stack

My stack remains the same, and can be found at /stack, but here it is:

  • Host: Linode (8192 Plan: 6 Cores, 8GB Memory, 196GB of SSD)

  • Operating System: 64-bit CentOS 6.5

  • Web Server: Nginx for primary web server, using in-memory caching similar to Varnish

  • Content Delivery: Google’s Page Speed Service, which serves as a reverse proxy and CDN

  • CMS: WordPress for the /blog, but custom code for everything else

  • Code Editor: Vim

  • Source Management: Git

Basic Setup

Here are the basic steps I go through to configure a new server.

Software updates

Self explanatory.

Install a C compiler

I install a lot of my packages from source, so you need this early on.

  1. yum install gcc

  2. yum install gcc-c++

  3. yum install ncurses-devel (needed to install vim from source)

Vim installation and configuration

  1. Uninstall CentoOS’s Vim version

  2. Install from source

ZSH installation and configuration

  1. Install zsh

  2. Change default shell to zsh (chsh -s /bin/zsh)

  3. Copy over your .oh-my-zsh directory, extract

  4. Copy over your .zshrc file

  5. Source your .zshrc file

Change hostname

  1. Edit /etc/sysconfig/network with the proper hostname

  2. Add hostname entries to /etc/hosts

SSH configuration

  1. Settings lockdown (hardening)

  2. Key authentication enabled

  3. Restrict to certain users

Install firewall

  1. Copy over script

  2. Change hostname if necessary

  3. Run script

  4. iptables-save

Install nginx

  1. Get source from website

  2. Install the PCRE library (pcre-devel)

  3. Install the zlib library (zlib-devel)

  4. Get the more headers library

  5. Compile with –add-module=the_headers_library

  6. Make

  7. Make install

Install PHP

  1. Install php-fpm

Install mysql

  1. Install mysql

  2. Install mysql-server

  3. Change mysql root password

  4. Limit mysql to localhost

  5. Import blog database backup

Auto starts

  1. Auto start php-fpm

  2. Auto start nginx

  3. Auto start mysql

  4. The firewall is handled by service iptables save

Miscellaneous tools

  • nmap

  • httpd-tools

Security

Firewall

  • Copy over firewall script

  • Run it

  • /etc/init.d/iptables save

Nginx

PHP

  • Suhosin

Performance

PHP

  1. Install php-opcache

  2. Restart php-fpm

Related posts: