
Install Beginner CentMinMod Installation Video Tutorials

Discussion in 'Centmin Mod User Tutorials & Guides' started by Rake-GH, Mar 25, 2020.

  1. Rake-GH

    This video series is for beginners. If you are new to CentMin Mod or nginx this will be very helpful to you. It's a 5-6 part series which is very thorough in showing you the entire process of setting up a website on CentMinMod.

    I'm not an expert with web hosting and CentMinMod but I try to teach everything that I know in the best way that I can, again this is for beginners. These videos are not a substitution for reading documentation, they are a useful guide for beginners in video format.

    This series will show you basic centminmod installation using Cloudflare and later we will show you how to setup phpmyadmin, Xenforo 2, mailcow and much more.

    What you will learn in part 1 of this CentMinMod Tutorial:
    • Initial installation of CentMin Mod on a Digital Ocean droplet
    • nginx vhost setup and basics of nginx config files
    • Let's Encrypt SSL cert generation
    • How to remove a vhost
    • Cloudflare setup and configuration with CentMinMod
    • persistent custom php config file
    • centminmod custom config flags
    • How to connect to your server via FTP
    • locking down default vhost with htpasswd
    • basics of managing your server



    If you are planning to use CentMinMod it is important that you read the documentation a few times and run 2-3 test installs and migrations before doing it live.
    For the latest up to date info about this series visit the main thread
     
    Last edited: Apr 2, 2020
  2. Rake-GH

    CentMinMod Tutorial 2 - Cloudflare, nginx rate limiting & more

    In our last video you learned how to setup and manage a centminmod website with cloudflare, in this video I will teach you how to setup authenticated origin pulls and some more tips on managing your server.

    In this video tutorial you will learn:
    • Cloudflare Authenticated Origin Pulls
    • Full vs Strict SSL Cloudflare settings
    • Cloudflare Force SSL Redirects & Re-writes
    • Cloudflare automated IP whitelisting
    • How to update nginx & phpfpm
    • How to enable Profile Guided Optimizations
    • How to enable Zero Downtime nginx updates
    • separate nginx redirect map
    • nginx rate limiting
    • ssh FTP Mode with Filezilla
    • how to manage /var/spool/mail/root
    • Simple manual backup script


    Cloudflare Authenticated Origin Pulls
    - Cloudflare - Setting Up Cloudflare Authenticated Origin Pulls Protecting Your Origins

    Full vs Strict SSL Cloudflare settings
    No SSL on origin = Flexible mode
    Self Signed or Let's Encrypt = Full
    Let's Encrypt or other CA cert = Strict

    Cloudflare Force SSL Redirects & Re-writes
    Always use HTTPS = redirect all queries for HTTP to HTTPS

    HTTPS Re-writes = On the CDN side, it will replace all your internal links from HTTP to HTTPS, therefore you don't need to change all your internal links. Also, less server load because it's done on the CDN side.

    Enable Profile Guided Optimizations
    - Insight Guide - How to boost Centmin Mod LEMP stack performance

    Code:
    echo "PHP_PGO='y'" >> /etc/centminmod/custom_config.inc
    Then recompile PHP via Centmin PHP upgrade option

    Enable Zero Downtime nginx upgrades
    Code:
    echo "NGINX_ZERODT='y'" >> /etc/centminmod/custom_config.inc
    Normally your server won't be accessible for 10-30 seconds, with zero downtime upgrades enabled your server will only be down for less than 1 second, if at all.

    - Beta Branch - Nginx Upgrade - zero downtime mode

    How to Update NGINX and PHP-FPM
    You can easily do both of these via the centmin.sh menu, it can take 5-10 minutes to complete. But your server will only go down for 5-30 seconds in my experience during the final stages of the upgrade. You can downgrade and upgrade easily at any time with very minimal impact.

    Separate nginx redirect map
    Create redirects.conf in the same folder as your other nginx config files ( /usr/local/nginx/conf/conf.d/ )

    redirects.conf:
    Code:
    
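    # Maps an old request URI to its new location; URIs that are not listed
    # leave $redirect_uri empty, so no redirect is issued for them.
    map $request_uri $redirect_uri {
        /403.html /404.html;
    }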
    Inside your site's .conf file, find the location block and modify it to look similar to this:

    Code:
      location / {
        #map redirects from redirects.conf
        if ( $redirect_uri ) {
          return 301 $redirect_uri;
        }
      }
    NGINX Rate Limiting
    - NGINX Rate Limiting

    Inside your site's .conf file, add this to your global namespace:

    Code:
    limit_req_zone $binary_remote_addr zone=public:10m rate=200r/m;
    Inside your main / location block add:
    Code:
    limit_req zone=public burst=400 nodelay;

    This will allow 200 requests per minute per ip address, with an ability to burst up to 400 requests per minute when necessary. If your server is receiving many requests from a single user, the burst & nodelay option will allow them to bypass the rate limiting. If there are many users doing many requests, such as during a DDOS attack the burst and nodelay settings will not apply and the rate limiting will still protect you. Read more: NGINX Rate Limiting

    Simple Manual Backup Script
    Code:
    tar -zcvpf /home/nginx/domains/testserver.best/backup/full_backups/$(date +"%m_%d_%Y")-sitebackupPUBLIC-.tar.gz /home/nginx/domains/testserver.best/public/;
    
    tar -zcvpf /home/nginx/domains/testserver.best/backup/full_backups/$(date +"%m_%d_%Y")-mainPUBLIC.tar.gz /usr/local/nginx/html/;
    
    tar -zcvpf /home/nginx/domains/testserver.best/backup/full_backups/$(date +"%m_%d_%Y")-CONF.tar.gz /usr/local/nginx/conf/conf.d/;
    
     
    Last edited: Mar 25, 2020
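
What `rate=200r/m` with `burst=400 nodelay` admits from a single client address, as an added example that is not part of the original post: a simplified shell/awk model of the leaky-bucket accounting behind `limit_req`, with one bucket per zone key. The function names and the constructed millisecond timestamps are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration: model of nginx limit_req with nodelay for ONE key
# (one $binary_remote_addr). Every other address gets its own bucket.
# Assumption: accounting in thousandths of a request with integer
# millisecond timestamps; requests over the burst are rejected, not queued.

# burst_at MS COUNT: emit COUNT constructed request timestamps at time MS
burst_at() {
  awk -v t="$1" -v n="$2" 'BEGIN { for (i = 0; i < n; i++) print t }'
}

# simulate_limit_req RATE_PER_MIN BURST   (timestamps in ms on stdin)
# Prints "<accepted> <rejected>".
simulate_limit_req() {
  awk -v rpm="$1" -v burst="$2" '
    BEGIN {
      rate  = int(rpm * 1000 / 60)   # milli-requests drained per second
      limit = burst * 1000           # bucket depth in milli-requests
    }
    {
      now = $1
      if (NR == 1) {
        excess = 0                   # first request seen for this key
      } else {
        e = excess - int(rate * (now - last) / 1000) + 1000
        if (e < 0) e = 0
        if (e > limit) { rejected++; next }   # bucket full: 503 by default
        excess = e
      }
      last = now
      accepted++
    }
    END { printf "%d %d\n", accepted, rejected }'
}

# 500 requests arriving in the same millisecond
burst_at 0 500 | simulate_limit_req 200 400
# The same burst repeated one minute later
{ burst_at 0 500; burst_at 60000 500; } | simulate_limit_req 200 400
# One request every 300 ms (200 per minute) for three minutes
awk 'BEGIN { for (i = 0; i < 600; i++) print i * 300 }' | simulate_limit_req 200 400
```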
  3. Rake-GH

    CentMinMod Tutorial 3 - Install Xenforo 2 on nginx

    This tutorial will teach you how to setup Xenforo 2 on nginx, specifically using CentMinMod but it will be applicable to most any Xenforo 2 nginx installation.

    You will learn how to:
    • install Xenforo 2
    • setup mysql database
    • proper nginx config setup
    • how to use mysqldump
    • how to setup memcached
    • how to view statistic files for zend opcache, memcached
    • password protect internal main vhost


    Commands for changing permissions of Xenforo files and directories after upload
    Code:
    find /home/nginx/domains/testserver.best/public/ -type f -print0 | xargs -0 chmod 0644
    find /home/nginx/domains/testserver.best/public/ -type d -print0 | xargs -0 chmod 0755
    find /home/nginx/domains/testserver.best/public/internal_data/ -type f -print0 | xargs -0 chmod 0777
    find /home/nginx/domains/testserver.best/public/data/ -type f -print0 | xargs -0 chmod 0777
    find /home/nginx/domains/testserver.best/public/internal_data/ -type d -print0 | xargs -0 chmod 0777
    find /home/nginx/domains/testserver.best/public/data/ -type d -print0 | xargs -0 chmod 0777
    chmod 0755 /home/nginx/domains/testserver.best/public
    Password Protect Xenforo folders in nginx config

    Code:
    location /admin.php {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        include /usr/local/nginx/conf/php.conf;
    }
    
    location /install/ {
        auth_basic "Private";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        include /usr/local/nginx/conf/php.conf;
    }   
    Add to the bottom of your config.php file to enable memcached:
    Code:
    $config['cache']['enabled'] = true;
    $config['cache']['provider'] = 'Memcached';
    $config['cache']['config'] = [
        'server' => '127.0.0.1',
        'port' => '11211'
    ];
    
    To flush memcached:
    Code:
    echo 'flush_all' | nc localhost 11211
    Simple mysqldump gzipped with date:
    Code:
    /usr/bin/mysqldump DBNAME | gzip > ~/backups/db.$(date +%F).sql.gz
    Important Links
    Installation and upgrades - XenForo 2 Manual
    Options - XenForo 2 Manual
     
  4. Rake-GH

    CentMin Mod Tutorial 4 - vBulletin NGINX redirects for Xenforo 2

    Many people have migrated their forums from vBulletin 4 to Xenforo 2. So many in fact, that Xenforo has a vbulletin to Xenforo redirect plugin
    This addon doesn't work out of the box with NGINX, especially when using SEO friendly URLS. I'm going to show you how to fix that.

    In order to use Friendly URLS, Xenforo 2 requires special changes to the NGINX config. On Apache it works out of the box, but if you're using NGINX you need to make some changes outlined in the Xenforo 2 Manual.

    This tutorial will teach you how to setup Friendly URL redirection from vBulletin to Xenforo using NGINX.

    If you're using the vBulletin -> Xenforo 2 redirect plugin you will also need to modify the try_files directive because out of the box this plugin does not work on NGINX with vBulletin redirects. It works fine out of the box in Apache but not NGINX.



    The specific change you need to make is here:

    Code:
    location ~ \.php$ {
        #normal:
        #try_files $uri =404;
    
        #vbulletin redirect fix
        try_files $uri /index.php?$uri&$args;
    
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }
    eva says the bottom part of this code is redundant as it's handled in another file but I could not get friendly URLS to work with vbulletin redirects without this.

    Important Links
     
    Last edited: Mar 28, 2020
  5. Rake-GH

    CentMin Mod Tutorial 5 - How to install phpMyAdmin & SSL Certs

    This tutorial will show you how to install phpmyadmin on CentMin Mod under our default main vhost. You will learn how to generate a new SSL certificate from Let's Encrypt for the subdomain so that we can enable Full Strict SSL mode in Cloudflare.

    In the previous video we setup authenticated origin pulls but the main vhost wasn't accessible using Full Strict SSL because it was using a self signed certificate.

    You will learn how to:
    - Change hostname
    - Install phpmyadmin
    - issue and install a new subdomain certificate
    - use the vhost generator from centminmod



    Install phpMyAdmin:
    Code:
    cd /usr/local/src/centminmod/addons
    # TLS certificate verification stays enabled: this installer is run as root
    wget https://github.com/centminmod/phpmyadmin/raw/master/phpmyadmin.sh -O phpmyadmin.sh
    chmod 0700 /usr/local/src/centminmod/addons/phpmyadmin.sh
    ./phpmyadmin.sh install
    For everything else follow the video and the vhost generator linked below

    Important Links:
     
    Last edited: Mar 31, 2020
  6. Rake-GH

    How to Install Mailcow Tutorial + Xenforo 2 - Self hosted email

    Mailcow is by far the best self hosted email server. It is incredibly easy to install Mailcow as it is distributed as a docker container. @0xDEC0DE introduced it to me so thank you to him.

    It only takes 15 minutes to install and get all setup. In 15 minutes you can hook your website up with its own email server. You want to use a separate email server because you cannot proxy your mail server behind Cloudflare. In order to hide your origin IP address you cannot use your web server as your email server. There are also several things you need to do to keep your server from getting blacklisted by spam blacklists which I will teach you.

    In this Mailcow tutorial you will learn how to:
    • Install mailcow on an Ubuntu Digital Ocean droplet
    • Set it up using Let's Encrypt SSL
    • Cloudflare configuration
    • DNS configuration
    • SPF, DKIM & DMARC setup
    • How to add mailboxes
    • How to setup Xenforo to use your mailcow server
    • Xenforo bounced email handling & one click unsubscribes
    • SMTP, POP3 usage



    Video links
     
    Last edited: Apr 2, 2020
  7. Rake-GH

    cfautouam - CloudFlare Under Attack Mode Automation



    Get updated source code from the github repo:
    guided-hacking/cfautouam

    What does it do
    Enables Cloudflare's Under Attack Mode based on CPU load percentage using the Cloudflare API.

    Why
    Running your site on Under Attack Mode permanently is not great for visitors. This script will enable it under high CPU load which is indicative of a DDOS attack.

    Warning
    This is a beta script and I barely know what I'm doing so test this thoroughly before using.

    How?
    It creates a service that runs on a timer, which executes our main shell script which gets the current CloudFlare Security Level and checks the CPU usage. If CPU usage is above our defined limit, it uses the CloudFlare API to set the Security Level to Under Attack Mode. If CPU usage normalizes and the time limit has passed, it will change the Security Level back to your defined "normal" Security Level.

    How to install
    Navigate to the parent path where you want to install. If you want to install to /home/cfautouam then navigate to /home

    wget https://raw.githubusercontent.com/guided-hacking/cfautouam/master/cfautouam.sh;
    Define the parent path where you want to install the script, your Cloudflare email, API key, Zone ID, regular_status and regular_status_s as it relates to your normal security level

    Code:
    mkdir cfautouam;
    cp cfautouam.sh cfautouam/cfautouam.sh
    cd cfautouam;
    chmod +x cfautouam.sh;
    ./cfautouam.sh -install;
    
    It's now installed and running from the defined parent path, check the logs and confirm it's working. You can delete the original file.

    After confirming it works, set debug level to 0.

    Command Line Arguments
    -install : installs and enables service
    -uninstall : uninstalls and then deletes the sub folder
    -disable_script : temporarily disables the service from running
    -enable_script : re-enables the service
    -enable_uam : enables Under Attack Mode manually
    -disable_uam : disables Under Attack Mode manually

    Notes
    This script was designed to run out of its own separate folder, if you change that you may have problems.

    source from video:
    Code:
    #!/bin/bash
    # Cloudflare Auto Under Attack Mode = CF Auto UAM
    # version 0.9beta
    
    # Security Level Enums
    SL_OFF=0
    SL_ESSENTIALLY_OFF=1
    SL_LOW=2
    SL_MEDIUM=3
    SL_HIGH=4
    SL_UNDER_ATTACK=5
    
    SL_OFF_S="off"
    SL_ESSENTIALLY_OFF_S="essentially_off"
    SL_LOW_S="low"
    SL_MEDIUM_S="medium"
    SL_HIGH_S="high"
    SL_UNDER_ATTACK_S="under_attack"
    
    #config
    debug_mode=1 # 1 = true, 0 = false
    install_parent_path="/home"
    cf_email=""
    cf_apikey=""
    cf_zoneid=""
    upper_cpu_limit=20 # 10 = 10% load, 20 = 20% load.  Total load, taking into account # of cores
    lower_cpu_limit=5
    regular_status=$SL_HIGH
    regular_status_s=$SL_HIGH_S
    time_limit_before_revert=$((60 * 10)) # 10 minutes by default
    #end config
    
    # Functions
    
    install() {
      mkdir $install_parent_path"/cfautouam"
    
      cat >$install_parent_path"/cfautouam/cfautouam.service" <<EOF
    [Unit]
    Description=Enable Cloudflare Under Attack Mode under high load
    [Service]
    ExecStart=$install_parent_path/cfautouam/cfautouam.sh
    EOF
    
      cat >$install_parent_path"/cfautouam/cfautouam.timer" <<EOF
    [Unit]
    Description=Enable Cloudflare Under Attack Mode under high load
    [Timer]
    OnBootSec=60
    OnUnitActiveSec=7
    AccuracySec=1
    [Install]
    WantedBy=timers.target
    EOF
    
      chmod +x $install_parent_path"/cfautouam/cfautouam.service"
      systemctl enable $install_parent_path"/cfautouam/cfautouam.timer"
      systemctl enable $install_parent_path"/cfautouam/cfautouam.service"
      systemctl start cfautouam.timer
      exit
    }
    
    uninstall() {
      systemctl stop cfautouam.timer
      systemctl stop cfautouam.service
      systemctl disable cfautouam.timer
      systemctl disable cfautouam.service
      rm -R $install_parent_path"/cfautouam"
      exit
    }
    
    disable_uam() {
      curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$cf_zoneid/settings/security_level" \
        -H "X-Auth-Email: $cf_email" \
        -H "X-Auth-Key: $cf_apikey" \
        -H "Content-Type: application/json" \
        --data "{\"value\":\"$regular_status_s\"}" &>/dev/null
    
      # log time
      date +%s >$install_parent_path"/cfautouam/uamdisabledtime"
    
      echo "$(date) - cfautouam - CPU Load: $curr_load - Disabled UAM" >>$install_parent_path"/cfautouam/cfautouam.log"
    }
    
    enable_uam() {
      curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$cf_zoneid/settings/security_level" \
        -H "X-Auth-Email: $cf_email" \
        -H "X-Auth-Key: $cf_apikey" \
        -H "Content-Type: application/json" \
        --data '{"value":"under_attack"}' &>/dev/null
    
      # log time
      date +%s >$install_parent_path"/cfautouam/uamenabledtime"
    
      echo "$(date) - cfautouam - CPU Load: $curr_load - Enabled UAM" >>$install_parent_path"/cfautouam/cfautouam.log"
    }
    
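    get_current_load() {
      numcores=$(grep -c 'model name' /proc/cpuinfo)
      currload=$(uptime | awk -F'average:' '{ print $2 }' | awk '{print $1}' | sed 's/,/ /')
      currload=$(bc <<<"scale=2; $currload / $numcores * 100")
      currload=${currload%.*}
      currload=${currload:-0}
      # A function's return status only holds 0-255, so cap the value:
      # without this a load of 260% would wrap around and be read as 4%.
      if [ "$currload" -gt 255 ]; then
        currload=255
      fi
      return $currload
    }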
    
    get_security_level() {
      curl -X GET "https://api.cloudflare.com/client/v4/zones/$cf_zoneid/settings/security_level" \
        -H "X-Auth-Email: $cf_email" \
        -H "X-Auth-Key: $cf_apikey" \
        -H "Content-Type: application/json" 2>/dev/null |
        awk -F":" '{ print $4 }' | awk -F',' '{ print $1 }' | tr -d '"' >$install_parent_path"/cfautouam/cfstatus"
    
      security_level=$(cat $install_parent_path"/cfautouam/cfstatus")
    
      case $security_level in
      "off")
        return $SL_OFF
        ;;
      "essentially_off")
        return $SL_ESSENTIALLY_OFF
        ;;
      "low")
        return $SL_LOW
        ;;
      "medium")
        return $SL_MEDIUM
        ;;
      "high")
        return $SL_HIGH
        ;;
      "under_attack")
        return $SL_UNDER_ATTACK
        ;;
      *)
        return 100 # error
        ;;
      esac
    }
    
    main() {
      # Get current protection level & load
      get_security_level
      curr_security_level=$?
      get_current_load
      curr_load=$?
    
      if [ $debug_mode == 1 ]; then
        #curr_load=5
        time_limit_before_revert=30
      fi
    
      # If UAM was recently enabled
    
      if [[ $curr_security_level == "$SL_UNDER_ATTACK" ]]; then
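        # Absolute path: the systemd service does not run from the script folder
        uam_enabled_time=$(<"$install_parent_path/cfautouam/uamenabledtime")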
        currenttime=$(date +%s)
        timediff=$((currenttime - uam_enabled_time))
    
        # If time limit has passed
        if [[ $timediff -gt $time_limit_before_revert ]]; then
    
          # If time limit has passed & cpu limit has normalized
          if [[ $curr_load -lt $upper_cpu_limit ]]; then
            if [ $debug_mode == 1 ]; then
              echo "$(date) - cfautouam - CPU Load: $curr_load - CPU Below threshhold, time limit has passed" >>$install_parent_path"/cfautouam/cfautouam.log"
            fi
            disable_uam
          else
            if [ $debug_mode == 1 ]; then
              echo "$(date) - cfautouam - CPU Load: $curr_load - CPU Above threshhold, time limit has passed - do nothing" >>$install_parent_path"/cfautouam/cfautouam.log"
            fi
          fi
    
        else
          if [ $debug_mode == 1 ]; then
            echo "$(date) - cfautouam - CPU Load: $curr_load - UAM already set, waiting out time limit" >>$install_parent_path"/cfautouam/cfautouam.log"
          fi
        fi
        exit
      fi
    
      # Enable and Disable UAM based on load
    
      #if load is higher than limit
      if [[ $curr_load -gt $upper_cpu_limit && $curr_security_level == "$regular_status" ]]; then
        enable_uam
      #else if load is lower than limit
      elif [[ $curr_load -lt $lower_cpu_limit && $curr_security_level == "$SL_UNDER_ATTACK" ]]; then
        disable_uam
      else
        if [ $debug_mode == 1 ]; then
          echo "$(date) - cfautouam - CPU Load: $curr_load - no change necessary" >>$install_parent_path"/cfautouam/cfautouam.log"
        fi
      fi
    }
    
    # End Functions
    
    # Main
    
    if [ "$1" = '-install' ]; then
      install
      exit
    elif [ "$1" = '-uninstall' ]; then
      uninstall
      exit
    elif [ "$1" = '-disable_script' ]; then
      systemctl disable cfautouam.timer
      systemctl disable cfautouam.service
      echo "$(date) - cfautouam - Script Manually Disabled" >>$install_parent_path"/cfautouam/cfautouam.log"
      disable_uam
      rm  $install_parent_path"/cfautouam/uamdisabledtime"
      rm  $install_parent_path"/cfautouam/uamenabledtime"
      exit
    elif [ "$1" = '-enable_script' ]; then
      systemctl enable $install_parent_path"/cfautouam/cfautouam.timer"
      systemctl enable $install_parent_path"/cfautouam/cfautouam.service"
      systemctl start cfautouam.timer
      echo "$(date) - cfautouam - Script Manually Enabled" >>$install_parent_path"/cfautouam/cfautouam.log"
      exit
    elif [ "$1" = '-enable_uam' ]; then
      echo "$(date) - cfautouam - UAM Manually Enabled" >>$install_parent_path"/cfautouam/cfautouam.log"
      enable_uam
      exit
    elif [ "$1" = '-disable_uam' ]; then
      echo "$(date) - cfautouam - UAM Manually Disabled" >>$install_parent_path"/cfautouam/cfautouam.log"
      disable_uam
      exit
    elif [ -z "$1" ]; then
      main
      exit
    else
      echo "cfautouam - Invalid argument"
      exit
    fi
    
    This script will automate cloudflare under attack mode aka enable cloudflare automatically aka enable cloudflare ddos protection automatically
     
    Last edited: Apr 11, 2020
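
The script above passes the CPU load and the security level back through `return` and picks the level out of the API response by field position. As an added example (not code from the cfautouam repository), the same three steps written to hand results back on stdout and to do nothing on unreadable input; `load_percent`, `parse_security_level`, `decide` and both sample responses are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration, not part of cfautouam: the script's probes rewritten
# to return results on stdout and to take no action on bad input.

# load_percent LOADAVG_1M CORES -> integer percent of total capacity.
# Printed rather than returned: an exit status only holds 0-255, so a
# 260% load passed through "return" would be read back as 4.
load_percent() {
  awk -v l="$1" -v c="$2" 'BEGIN {
    if (l !~ /^[0-9]+(\.[0-9]+)?$/ || c !~ /^[1-9][0-9]*$/) exit 1
    printf "%d\n", l / c * 100 + 0.5
  }'
}

# parse_security_level JSON -> level name, or status 1 if the call failed
# or the value is not one of the six levels the script enumerates.
parse_security_level() {
  printf '%s' "$1" | grep -q '"success"[[:space:]]*:[[:space:]]*true' || return 1
  level=$(printf '%s' "$1" |
    sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p' | head -n 1)
  case $level in
    off|essentially_off|low|medium|high|under_attack) printf '%s\n' "$level" ;;
    *) return 1 ;;
  esac
}

# decide LEVEL LOAD ENABLED_AT NOW -> enable | disable | none
# Thresholds mirror the post: upper limit 20%, 600 s hold, regular "high".
decide() {
  level=$1; load=$2; enabled_at=$3; now=$4
  case $load in ''|*[!0-9]*) echo none; return 0 ;; esac
  if [ "$level" = under_attack ]; then
    case $enabled_at in ''|*[!0-9]*) echo none; return 0 ;; esac
    if [ $((now - enabled_at)) -gt 600 ] && [ "$load" -lt 20 ]; then
      echo disable
    else
      echo none
    fi
  elif [ "$level" = high ] && [ "$load" -gt 20 ]; then
    echo enable
  else
    echo none
  fi
}

# Constructed sample responses; the first parses the same way under the
# script's own awk field splitting.
SAMPLE_OK='{"result":{"id":"security_level","value":"under_attack","editable":true},"success":true,"errors":[],"messages":[]}'
SAMPLE_ERR='{"result":null,"success":false,"errors":[{"message":"constructed error"}]}'

lvl=$(parse_security_level "$SAMPLE_OK") || lvl=""
# Load average 2.60 on one core is 260%: Under Attack Mode stays on.
decide "$lvl" "$(load_percent 2.60 1)" 1000 2000
```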
  8. rdan

    This isn't true. During an Nginx upgrade without the zerodowntime config, sites will work fine except for the time nginx restarts, which takes 1 second only.
     
  9. Rake-GH

    I updated this thread to include the latest 3 updates to this series:
    CentMin Mod Tutorial 4 - vBulletin NGINX redirects for Xenforo 2
    CentMin Mod Tutorial 5 - How to install phpMyAdmin & SSL Certs
    How to Install Mailcow Tutorial + Xenforo 2 - Self hosted email

    You can find them above ^