Building-Up CentOS 5 Linux Operating System
Wed Aug 5 21:57:59 2009 EDT (-0400 GMT)When setting up my VPS server there were a number of options for building it. The VPS admin tool gives you “virtual” control over the power switch and the ability to rebuild the server with a fresh OS image at any time. A2 Web Hosting has a few flavours of Linux to choose from: CentOS (the GPL-based rebuild of Red Hat’s Enterprise Server 5), Gentoo and Ubuntu. I went with CentOS as I use it at work, and Enterprise-Grade always seems good to me.
From here on I’ll assume that you know something about the command line, and that you’ve got a good SSH client like the OS X Terminal or Putty and a way to upload files via an SFTP client like Cyberduck or Filezilla.
One my first steps with a pristine Linux operating system is to create a folder called “backup” and an “etc_original” folder in there and copy all of the original etc folder files there for reference.
mkdir /backup
mkdir /backup_original
cp -r /etc/ /backup/etc_original
What you’ll need on your server
Depending on the install/image you use you may have everything you need right there, but here are the packages I install out of the gate:
First off I install the screen tool (more about screen at www.cyberciti.biz/tips/how-to-use-screen-command-under-linux.html) so that I can walk away and reconnect to this process, rsync for moving things and backing things up and telnet for testing ports/servers:
yum install screen rsync telnet
Make sure Apache’s installed and that we’ve got all the PHP modules we need:
yum install httpd php php-cli php-zip php-mysql php-mcrypt php-mbstring
Also get some SSL support:
yum install mod_ssl openssl
Install MySQL client and server:
yum install mysql mysql-server
Install the firewall
yum install iptables
Once all of those packages are installed you’ll need to set them up.
Securing SSH and the rest of the server
Here’s a great a guide to securing SSH itself and setting up iptables, so I will deffer to it: wiki.centos.org/HowTos/Network/SecuringSSH
Be sure to allow the appropriate ports you’ll need later (http 80, https 443, and your current ssh port because you’d never keep it at 22, right?).
Setting up Apache
For Apache I like to edit the httpd.conf nano -w /etc/httpd/conf/httpd.conf
and turn off the following modules by commenting them out with a #:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_default_module modules/mod_authz_default.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule info_module modules/mod_info.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
Other than a few tweaks like commenting out the cgi-bin there isn’t much else I do to the httpd.conf. You may also need to remove the /etc/httpd/conf.d/proxy_ajp.conf file.
What I like to do for the rest of my Apache configurations is create a file with a name/location like “/etc/httpd/conf.d/current_server_name.conf”. This is where I put the rest of my modifications. This file will get loaded and applied when Apache starts and is protected from updates etc by being placed in the conf.d folder.
Some examples of configurations I often add are:
DirectoryIndex index.rss index.php index.html
# THINGS TO CHANGE WHEN THE SERVER GETS SLOW (switch 'em)
# Buffering logs - Not good for dev, very good for production
BufferedLogs On
HostnameLookups Off
When you’re ready start apache:
/etc/init.d/httpd start
and to make sure it always starts with the server:
/sbin/chkconfig --add httpd
Turbo Charge PHP
I’m a big fan of the APC PHP Pre-Compiler/Accelerator. It works by caching the text-based PHP file’s compiled opcode and runs that until the original file is modified. This greatly speeds up the process of PHP files and speeds up larger PHP-based applications with a lot of files, like WordPress. You can even tell APC to not even check the drive for updates, just served the cached page, until the server is restarted or the cached cleared. I also like the persistent shared memory it can introduce to PHP.
It requires the developer tools to be installed:
install gcc make mlocate autoconf
Then I’d recommend install APC based on this guide: 2bits.com/articles/installing-php-apc-gnulinux-centos-5.html
For the record, here’s what my “/etc/php.d/apc.ini” file currently looks like. I’ve assigned 48mb of ram, and I’m telling APC not to check the disk for updates, just serve the cached page:
extension="apc.so"
apc.enabled = 1
apc.shm_size = 48
apc.ttl = 7200
apc.user_ttl = 7200
apc.optimization = 1
apc.stat=0
MySQL
Start MySQL:
/etc/init.d/mysql start
and to make sure it always starts with the server:
/sbin/chkconfig --add mysql
You’ll have to set a root password for MySQL:
mysqladmin -u root password yourrootsqlpassword
and then proceed to add whatever accounts and database you’d like to add however you’d like to do that. In my case I download PHPMyAdmin and configuring it. What I also do is add to my own Apache config file some IP restrictions like this (with some example IPs):
<Location "/phpmyadmin">
Order deny,allow
deny from ALL
Allow from 127.0.0.1
Allow from 192.168.
# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^phpmyadmin/*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</Location>
That’s the really geeky part covered, next I’ll look at the more interesting element: Setting-up Google Apps including Gmail for the whole system’s mail.
September 3rd, 2009 at 00:17
Hey good stuff…keep up the good work!
October 13th, 2009 at 15:00
Wow, I wish I had found this a long time ago. While I’ve already had a web server up and running for a while, I just spent hours banging my head against a problem where APC file uploads worked on Ubuntu but not on Centos.
I ran into two huge issues in solving this problem:
– Make and Locate were not installed by default (wtf?!). Your blog post would’ve keyed me into this, if I had found it in time.
– The Yum installable PHP version is 5.1.x. The APC RFC.1867-specific options (apc.rfc1867, apc.rfc1867_freq, apc.rfc1867_name, apc.rfc1867_prefix) don’t show up until PHP 5.2.x. I kept banging my head against a wall until I hit up “php -v” and saw my problem. Oh, and then getting the new version of PHP…
The lack of standardization between the Linux variants is my single biggest computing impediment, these days. I have abandoned Windows servers a while back, but things like this sometimes make me regret it.
ANYways, thanks for the great blog post.
October 22nd, 2009 at 09:48
Thanks for the positive words. I’m almost ready to post the follow-up of how integrate Google apps for the rest of the job. I’m just waiting for the third person I’ve convinced to make the switch to complete the process so that I’ve got a large enough frame of reference.
I can’t conceive of ever running a windows server, but I admit that’s because I’ve got no experience with it and the complexity of the security side just scares me — but Linux really needs to push towards standardization. I’m not sure of common starting points like the Red Hat derived distros and the Debian derived distros are making thing more standardized or making them deceptively similar.