Install DigitalOcean VPS installation questions

dooma · Nov 2, 2016

Hello,

I created a new fresh DigitalOcean VPS. Should I configure and secure it before installing the centminmod like these tutorials 1 , 2 as example or I will install the centminmod directly without configuring anything with my server ?

Thanks

Sunka · Nov 2, 2016

I went straight with centmin after I created droplet.
For centmin, all is done with root user, and firewall (CFS) is going to be installed through centmin

dooma · Nov 2, 2016

Even without configuring SSH daemon or timezone as ex. ??

Thanks for your replay

Sunka · Nov 2, 2016

time zone and other settings you can do later, after centmin is installed (through custom php.ini).
Swap and setting related to that do before centmin.
As I remember, I just add swap to server. Maybe 2-3 settings more and than install centmin.
But, to be sure, wait for someone with more knowledge to answer you.
And do snapshot of your droplet before install centmin, just to be sure.
My advise is to install centmin beta, not stable, because centmin beta give you much more and it is very stable.

But, as I said, wait for answer from Eva2000 here.
Before that, read this 3:

Centmin Mod LEMP Stack Install Nginx on CentOS

Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS

FAQ - CentminMod.com LEMP Nginx web stack for CentOS

eva2000 · Nov 3, 2016

dooma said: ↑

Hello,

I created a new fresh DigitalOcean VPS. Should I configure and secure it before installing the centminmod like these tutorials 1 , 2 as example or I will install the centminmod directly without configuring anything with my server ?

Thanks
Click to expand...

install Centmin Mod first

in Initial Server Setup with CentOS 7 | DigitalOcean sudo user and sshd key authentication you can do after but be sure to understand what and how to use sudo user before hand otherwise you won't be able to manage your server via Centmin Mod bash shell menu if you don't know how to switch from sudo user to root to manage Centmin Mod LEMP stack which assumes root user in play. If you follow guide to disable root logins and use ssh key authentication, also need to understand how to regain ssh access to your server if you loose your ssh private key. For DigitalOcean need to know how to use their out of band Console mentioned below in the how to recover file system corruption guide.

Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

Here's a example text you can use to ask your web host to be sure

If my server is setup with public ssh key authentication only and set PasswordAuthentication to no, what is the process or steps I can do to regain ssh access if I loose my ssh private key ?
Click to expand...

There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

DigitalOcean

Has out of band console access

How To Use SSH Keys with DigitalOcean Droplets | DigitalOcean

How To Recover from File System Corruption Using Fsck and a Recovery ISO | DigitalOcean. Just the part about using Console but not the Fsck and file system recovery steps Don't need to do that just to get ssh access when you loose normal ssh access to your server i.e. loose ssh private key for ssh public key authentication.

Linode

Has out of band console access called Lish

Use Public Key Authentication with SSH

Using the Linode Shell (Lish)

Vultr

Has out of band console access

How Do I Generate SSH Keys? - Vultr.com

Access Single User Mode (Reset Root Password) - Vultr.com

Using Finnix Rescue CD to Rescue, Repair, or Backup Your Linux System - Vultr.com

OVH

Installation of OVH SSH key — OVH Documentation 0.0.1 documentation

SSH key for Public Cloud — OVH Documentation 0.0.1 documentation

Creating SSH keys- OVH

Replacing your lost SSH key pair - OVH

Become root and select a password - OVH

RamNode

How do I add an SSH key to my VPS? - Knowledgebase - RamNode

Others

Finnix Recovery CD - Mammoth Cloud

from Additional Recommended Steps for New CentOS 7 Servers | DigitalOcean

Centmin Mod disables firewalld in CentOS 7 and like CentOS 6 installs, installs CSF Firewall see Getting Started Guide Step 4 and CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS

Centmin Mod already configures ntp and timezones for non-openvz vps like DO's KVM VPSes. If you use Centmin Mod 123.09beta01, there's also a mytimes command that Centmin Mod installs which lists common timezone times around the world including server default UTC time. So its very easy to figure out your server times using mytimes while leaving server on UTC defaults
Code (Text):
mytimes
Wed Nov  2 22:20:38 UTC 2016    [UTC]
Thu Nov  3 08:20:38 AEST 2016   [Australia/Brisbane]
Wed Nov  2 15:20:38 PDT 2016    [America/Los_Angeles]
Wed Nov  2 17:20:38 CDT 2016    [America/Chicago]
Wed Nov  2 18:20:38 EDT 2016    [America/New_York]
Wed Nov  2 18:20:38 EDT 2016    [America/Montreal]
Wed Nov  2 22:20:38 GMT 2016    [Europe/London]
Wed Nov  2 23:20:38 CET 2016    [Europe/Berlin]
Thu Nov  3 05:20:39 ICT 2016    [Asia/Bangkok]
Thu Nov  3 05:20:39 ICT 2016    [Asia/Ho_Chi_Minh]
Thu Nov  3 05:20:39 WIB 2016    [Asia/Jakarta]
Thu Nov  3 06:20:39 MYT 2016    [Asia/Kuala_Lumpur]
Thu Nov  3 06:20:39 SGT 2016    [Asia/Singapore]
Centmin Mod 123.09beta01 installs also take care of swap file creation if missing.

eva2000 · Nov 3, 2016

Sunka said: ↑

My advise is to install centmin beta, not stable, because centmin beta give you much more and it is very stable.
Click to expand...

yes Centmin Mod 123.09beta01 is the future Beta Branch - Centmin Mod .09 beta branch Testing | Centmin Mod Community

dooma · Nov 3, 2016

eva2000 said: ↑

install Centmin Mod first
Click to expand...

Thanks for your answer. I'm familiar with using DO initial server setup and installing the additional recommended steps but I will do that after installing centminmod only or after installing it and following the getting started points too.

eva2000 said: ↑

from Additional Recommended Steps for New CentOS 7 Servers | DigitalOcean
Click to expand...

So I will ignore these steps as it's already in centminmod, and follow only this tutorial.

Sorry for asking you many questions but I started self learning of linux two months ago after using managed servers with many web hosting provider and using cPanel/WHM for more than 5 years so I decided to manage my own server. Which company do you suggest to use ?, I'm using DO and I think it's the best, may be you have another point of view.

Thank you very much...

eva2000 · Nov 3, 2016

beginner wise, DigitalOcean is good as there's alot of tutorials out there and snapshot system allows you to install centos, make a snapshot, install centmin mod, make a snapshot, do whatever and if mess up, revert to previous good snapshot and try again. Makes learning easy as no fear of messing up - especially if you do a test site/server first before moving a live site to DO and Centmin Mod.

dooma · Nov 3, 2016

Thanks a lot but what is your answer regarding this point :

I'm familiar with using DO initial server setup and installing the additional recommended steps but I will do that after installing centminmod only or after installing it and following the getting started points too.

eva2000 · Nov 3, 2016

centmin mod first and getting started guide

then anything afterwards

dooma · Nov 3, 2016

can you tell me how to make sure that the cron update every 6 hours of my server is installed correctly and running every 6 hrs ?

Thanks

eva2000 · Nov 3, 2016

check your cron log at /var/log/cron which logs cronjob runs

FAQ item 19 has list of logs

example the centmin mod default cminfo_updater cronjob check /var/log/cron with grep filter on cminfo_updater and use tail to list last 10 lines of /var/log/cron

runs every 4 minutes
Code (Text):
grep 'cminfo_updater' /var/log/cron | tail -10
Nov  3 00:32:01 hostname CROND[2382]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:36:01 hostname CROND[3999]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:40:01 hostname CROND[5309]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:44:01 hostname CROND[6952]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:48:01 hostname CROND[8762]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:52:01 hostname CROND[10998]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 00:56:01 hostname CROND[12607]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 01:00:01 hostname CROND[13239]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 01:04:01 hostname CROND[15828]: (root) CMD (/usr/bin/cminfo_updater)
Nov  3 01:08:01 hostname CROND[17433]: (root) CMD (/usr/bin/cminfo_updater)
use crontab -l to list cronjobs and grep to filter search for specific cronjob i.e. cminfo_updater
Code (Text):
crontab -l | grep cminfo_updater
*/4 * * * * /usr/bin/cminfo_updater

dooma · Nov 4, 2016

Hi, regarding open_basedir restrictions which may cause error to xenforo, I found the line mentioned has "#" before it so no need for this point correct ?? or should I remove the "#" ?thanks

eva2000 · Nov 4, 2016

dooma said: ↑

Hi, regarding open_basedir restrictions which may cause error to xenforo, I found the line mentioned has "#" before it so no need for this point correct ?? or should I remove the "#" ?thanks
Click to expand...

if hash # in front means it's disabled/commented out already so nothing to do

dooma · Nov 4, 2016

regarding the friendly URLs of xenforo, I added the official nginx conf. to my configuration file with changing the path for sure. And then I will add centminmod configuration listed here to the same file but i will change the IP.. to my static IP ?? what do you mean by my static IP ?? my pub server IP ?

AM I correct ?

eva2000 · Nov 4, 2016

for xenforo just follow Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS is all you need

STATIC IP as referred to in Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS is for your ISP ip address so you whitelist and allow your ISP ip access only.

dooma · Nov 4, 2016

hi

when I added the info below to my conf file(at the end of the file) my forum down "cant find server" :
Code:
location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
       
        }
 
        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow my ISP ip;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        allow my ISP ip;
        deny all;
        }
and when I tried to restart nginx I got this error :

Restarting nginx (via systemctl): Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[FAILED]

eva2000 · Nov 4, 2016

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

also what's output of
Code (Text):
nginx -t

dooma · Nov 4, 2016

The Outputs are :

Code (Text):

cat /usr/local/nginx/conf/conf.d/mydomain.com.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html

# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name mydomain.com;
#            return 301 $scheme://www.mydomain.com$request_uri;
#       }

server {

  server_name mydomain.com www.mydomain.com;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/mydomain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
  root /home/nginx/domains/mydomain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;

        }

        location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow my ISP ip;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        allow my ISP ip;
        deny all;
        }

------------------

Code (Text):

cat /usr/local/nginx/conf/conf.d/mydomain.com.ssl.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For SPDY SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       listen   80;
#       server_name mydomin.com www.mydomain.com;
#       return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name mydomian.com www.mydomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/mydomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomaint.com/mydomain.com-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/mydomain.com/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/mydomain.com/log/error.log;

  include /usr/local/nginx/conf/autoprotect/mydomain.com/autoprotect-mydomain.com.conf;
  root /home/nginx/domains/mydomain.com/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

--------------

Code (Text):

nginx -t
nginx: [emerg] "location" directive is not allowed here in /usr/local/nginx/conf/conf.d/mysite.com.conf:69
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

eva2000 · Nov 5, 2016

there's your problem the location context for web root / is duplicated and the xenforo location contexts are outside of the server{} context. If you look at example at Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS at bottom you can see that

you replace this part
Code (Text):
  location / {
  include /usr/local/nginx/conf/503include-only.conf;

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }
with
Code (Text):
location / {
           index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;

        }
And right after location /, you place these parts so they are within the most outer server{} context brackets which embrace the whole nginx vhost file - comment out ISP ip static if you don't have static ISP ip
Code (Text):
       location /internal_data/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }

        location /library/ {
        internal;
        allow 127.0.0.1;
        #allow my ISP ip;
        deny all;
        }

Log in / Register

Forums

Join the community today

Install DigitalOcean VPS installation questions

dooma Active Member

Sunka Well-Known Member

dooma Active Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

DigitalOcean

Linode

Vultr

OVH

RamNode

Others

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Install DigitalOcean VPS installation questions

dooma Active Member

Sunka Well-Known Member

dooma Active Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

DigitalOcean

Linode

Vultr

OVH

RamNode

Others

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

dooma Active Member

eva2000 Administrator Staff Member

.