Centmin Mod Nginx

Centmin Mod Advanced Customised Installation Guide

2 Comments / centminmod, control panels, guides / By

The initial Centmin Mod install guide and the Getting Started guide outline the normal way of installing Centmin Mod LEMP stack ideally on CentOS 7.x 64bit based server. However, there’s additional steps  you can do to further customise your Centmin Mod LEMP stack install’s default out of the box configuration and post-install steps to enable additional optional features. The following outlined SSH commands are to be run within the same SSH session window.

Reading Time: 3 minutes

First set your desired notification email address in variable, EMAIL

# set your email address you want to receive alerts and server emails
EMAIL=youremail@address.com

Then setup the persistent configuration file which allows you to override Centmin Mod’s centmin.sh menu script’s default settings without modifying centmin.sh itself.

# create initial persistent config file to override centmin.sh defaults
# https://centminmod.com/upgrade.html#persistent
mkdir -p /etc/centminmod
touch /etc/centminmod/custom_config.inc

Populate the persistent configuration file with variables which enable advanced features in Centmin Mod LEMP stack

# dynamically tune nginx ssl_session_cache in /usr/local/nginx/conf/ssl_include.conf based on system detected memory
# https://community.centminmod.com/posts/76615/
echo "NGINX_SSLCACHE_ALLOWOVERRIDE='y'" >> /etc/centminmod/custom_config.inc

# override Nginx default OCSP response cache refresh time 1h (3600 seconds) to 24hrs (86400 seconds)
# https://community.centminmod.com/threads/19515/
echo "NGINX_STAPLE_CACHE_OVERRIDE='y'" >> /etc/centminmod/custom_config.inc
echo "NGINX_STAPLE_CACHE_TTL='86400'" >> /etc/centminmod/custom_config.inc

# SET_DEFAULT_MYSQLCHARSET='utf8mb4' to override MariaDB MySQL 
# default characterset and collation from default utf8 to utf8mb4
# https://community.centminmod.com/threads/17949/
echo "SET_DEFAULT_MYSQLCHARSET='utf8mb4'" >> /etc/centminmod/custom_config.inc

# enable nginx backlog override https://community.centminmod.com/threads/17620/
echo "AUTOHARDTUNE_NGINXBACKLOG='y'" >> /etc/centminmod/custom_config.inc

# enable zstd compressed logrotation for nginx & php-fpm https://community.centminmod.com/threads/16374/
echo "ZSTD_LOGROTATE_NGINX='y'" >> /etc/centminmod/custom_config.inc
echo "ZSTD_LOGROTATE_PHPFPM='y'" >> /etc/centminmod/custom_config.inc

# enable letsencrypt ssl certificate + dual RSA+ECDSA ssl certs https://centminmod.com/acmetool/
echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
echo "DUALCERTS='y'" >> /etc/centminmod/custom_config.inc

# enable ECC 256bit ECDSA self-signed SSL certificate generation https://community.centminmod.com/posts/82177/
echo "SELFSIGNEDSSL_ECDSA='y'" >> /etc/centminmod/custom_config.inc

# enable nginx zero downtime on the fly nginx binary upgrades https://community.centminmod.com/threads/8000/
#echo "NGINX_ZERODT='y'" >> /etc/centminmod/custom_config.inc

# enable brotli compression https://community.centminmod.com/threads/10688/
echo "NGINX_LIBBROTLI='y'" >> /etc/centminmod/custom_config.inc
echo "NGXDYNAMIC_BROTLI='y'" >> /etc/centminmod/custom_config.inc

# boost PHP 7 performance by enabling Profile Guided Optimisation flag
# https://centminmod.com/perf/
# will dramatically increase PHP-FPM compile/install times but result in
# 5-20% faster PHP 7+ performance. PHP_PGO='y' only works with servers with
# 2+ or more cpu threads. However, you can force PHP PGO optimisations with
# 1 cpu thread servers via PHP_PGO_ALWAYS='y'
echo "PHP_PGO_ALWAYS='y'" >> /etc/centminmod/custom_config.inc
echo "PHP_PGO='y'" >> /etc/centminmod/custom_config.inc

# php compression extensions https://community.centminmod.com/posts/70777/
echo "PHP_BROTLI='y'" >> /etc/centminmod/custom_config.inc
echo "PHP_LZFOUR='y'" >> /etc/centminmod/custom_config.inc
echo "PHP_LZF='y'" >> /etc/centminmod/custom_config.inc
echo "PHP_ZSTD='y'" >> /etc/centminmod/custom_config.inc

# php file info
echo "PHPFINFO='y'" >> /etc/centminmod/custom_config.inc

# enable centmin.sh menu option 22 WordPress Cache Enabler Query String inclusions
# https://community.centminmod.com/posts/85927/
echo "WPCLI_CE_QUERYSTRING_INCLUDED='y'" >> /etc/centminmod/custom_config.inc

The actual Centmin Mod LEMP stack install command using latest betainstaller73.sh script so PHP (php-fpm) 7.3 latest version is default installed.

# install centmin mod latest beta with php-fpm 7.3 default
# https://community.centminmod.com/threads/centmin-mod-09-beta-branch-testing.4128/
yum -y update; curl -O https://centminmod.com/betainstaller73.sh && chmod 0700 betainstaller73.sh && bash betainstaller73.sh

Then you can pre-create Nginx HTTPS site’s dhparam file before hand to speed up subsequent Nginx vhost creation routines. On slow systems, this command will take a few minutes to complete.

openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048

Then optional extra features you can choose to enable after Centmin Mod LEMP stack has been installed for Auditd and CSF Firewall advance blocklists

# install and configure auditd https://community.centminmod.com/posts/37680/
echo "AUDITD_ENABLE='y'" >> /etc/centminmod/custom_config.inc
/usr/local/src/centminmod/tools/auditd.sh setup

# setup extended CSF Firewall blocklists https://community.centminmod.com/posts/50060/
/usr/local/src/centminmod/tools/csf-advancetweaks.sh

Optionally enable CSF Firewall native fail2ban like rules

# enable CSF Firewall native fail2ban like support
# https://community.centminmod.com/posts/62343/
csf --profile backup backup-b4-customregex
cp -a /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.bak
egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
sed -i "s|CUSTOM1_LOG = .*|CUSTOM1_LOG = \"/home/nginx/domains/\*/log/access.log\"|" /etc/csf/csf.conf
sed -i "s|CUSTOM2_LOG = .*|CUSTOM2_LOG = \"/home/nginx/domains/\*/log/error.log\"|" /etc/csf/csf.conf
sed -i "s|CUSTOM3_LOG = .*|CUSTOM3_LOG = \"/var/log/nginx/localhost.access.log\"|" /etc/csf/csf.conf
sed -i "s|CUSTOM4_LOG = .*|CUSTOM4_LOG = \"/var/log/nginx/localhost.error.log\"|" /etc/csf/csf.conf
egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
wget -O /usr/local/csf/bin/regex.custom.pm https://gist.github.com/centminmod/f5551b92b8aba768c3b4db84c57e756d/raw/regex.custom.pm
csf -ra

Then setup disk space usage alerts making use of EMAIL variable you populated at the start of this guide.

# setup email alerts for diskalert cronjob /etc/cron.daily/diskalert
# https://community.centminmod.com/posts/59973/
sed -i "s|EMAIL=.*|EMAIL='$EMAIL'|" /etc/cron.daily/diskalert

Lastly, if you intend to use Cloudflare in front of your Centmin Mod LEMP stack’s Nginx server, you can setup csfcf.sh cronjob to automatically manage Cloudflare’s IPs in CSF Firewall and Nginx real IP address detection.

# cloudflare cronjob
# https://community.centminmod.com/threads/6241/
crontab -l > cronjoblist
sed -i '/csfcf.sh/d' cronjoblist
echo "23 */12 * * * /usr/local/src/centminmod/tools/csfcf.sh auto >/dev/null 2>&1" >> cronjoblist
crontab cronjoblist

End result is an optimised Centmin Mod LEMP stack installation

With Nginx mainline version with OpenSSL 1.1.1 branch with HTTP/2 HTTPS TLS 1.3 support and built using GCC 8.3.1 compiler

nginx -V
nginx version: nginx/1.17.1 (120719-190938-centos7-kvm)
built by gcc 8.3.1 20190311 (Red Hat 8.3.1-3) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: –with-ld-opt=’-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib’ –with-cc-opt=’-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=x86-64 -mavx -mavx2 -mpclmul -msse4 -msse4.1 -msse4.2 -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -fuse-ld=gold –param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wp,-D_FORTIFY_SOURCE=2′ –sbin-path=/usr/local/sbin/nginx –conf-path=/usr/local/nginx/conf/nginx.conf –build=120719-190938-centos7-kvm –with-compat –with-http_stub_status_module –with-http_secure_link_module –with-libatomic –with-http_gzip_static_module –with-http_sub_module –with-http_addition_module –with-http_image_filter_module=dynamic –with-http_geoip_module –with-stream_geoip_module –with-stream_realip_module –with-stream_ssl_preread_module –with-threads –with-stream –with-stream_ssl_module –with-http_realip_module –add-dynamic-module=../ngx-fancyindex-0.4.2 –add-module=../ngx_cache_purge-2.5 –add-dynamic-module=../ngx_devel_kit-0.3.0 –add-dynamic-module=../set-misc-nginx-module-0.32 –add-dynamic-module=../echo-nginx-module-0.61 –add-module=../redis2-nginx-module-0.15 –add-module=../ngx_http_redis-0.3.7 –add-module=../memc-nginx-module-0.18 –add-module=../srcache-nginx-module-0.31 –add-dynamic-module=../headers-more-nginx-module-0.33 –with-pcre-jit –with-zlib=../zlib-cloudflare-1.3.0 –with-http_ssl_module –with-http_v2_module –with-openssl=../openssl-1.1.1c

PHP 7.3 latest php-fpm build

php -v
PHP 7.3.7 (cli) (built: Jul 14 2019 19:51:27) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.7, Copyright (c) 1999-2018, by Zend Technologies

MariaDB MySQL 10.3 server

mysqladmin ver
mysqladmin Ver 9.1 Distrib 10.3.16-MariaDB, for Linux on x86_64
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Server version 10.3.16-MariaDB
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/lib/mysql/mysql.sock
Uptime: 2 days 5 hours 55 min 16 sec

Threads: 5 Questions: 385311 Slow queries: 12 Opens: 44 Flush tables: 1 Open tables: 36 Queries per second avg: 1.984

Then check out the following: