What to do after Centmin Mod initial install ?

If English isn't your first language, you can use Bing Translator to translate this page into your preferred language. Click translate button. Then click the down arrow and select your preferred language.



After Centmin Mod initial install, there are certain steps to setup and configure your VPS or dedicated server. I'll outline below the steps I take right after Centmin Mod install. Ultimately, how much benefit you get out of using Centmin Mod LEMP web stack is directly related to how much effort and time you put into reading and learning how Centmin Mod LEMP web stack operates. Reading fully the below information will definitely be a step in the right direction !

  1. Setup The Default Server Main Hostname Nginx Vhost
  2. Add Your First Domain Name's Nginx Vhost Configuration
  3. Setup Domain Name Newdomain.Com's DNS Settings
  4. CSF Firewall Settings
  5. Proxies And Visitor's Real IP Address
  6. Example Nginx Configurations
  7. Centmin Mod Addons
  8. Setting Up @Yourdomain.Com Based Emails
  9. Enable Google Nginx PageSpeed ?
  10. Backing Up Your Server Data
  11. MySQL Database Management
  12. Keeping Server Up To Date / Security
  13. Statistics Pages
  14. PHP-FPM Security
  15. Centmin Mod Community Forums
  16. Linux Monitoring & Troubleshooting Tools
  17. Customising php.ini Settings
  18. Managing root user emails
  19. Keeping Centmin Mod Code Updated
  20. Ensure Postfix Outbound Emails Do Not End Up In Spam Inbox
  21. How To Boost Centmin Mod LEMP Stack Performance
  22. Summary



1. Setup the default server main hostname Nginx vhost.

Note: remember to also add the approprate DNS A record for your hostname.newdomain.com pointing to the main server's IP address.

The default server main hostname is a separate hostname from your normal web site domain names and can not be the same. For example, if my intended site domain name is centminmod.com, the default server main hostname you set in this step 1, will be different i.e. mainhost.centminmod.com. The mainhost part can be any subdomain you like as long as it's not the same as your intended site domain name which in this example is centminmod.com.

Your default server hostname is usually the hostname used to purchase the VPS or dedicated server in the first place. It's basically a subdomain that links your order so would usually be something like hostname.newdomain.com where subdomain = hostname - it can be any name you like if you have a particular naming theme. I like to have an hostname name that lets me differentiate between web hosts I use as I use many different web hosts. So if on my order form with web host I specified my hostname as hostname.newdomain.com. Then your VPS or dedicated server's hostname is hostname.newdomain.com. You can confirm this within SSH telnet by typing:

uname -n

which would output

hostname.newdomain.com

Add DNS entries for hostname.newdomain.com

To be able to properly resolve your server's hostname.newdomain.com you need to add a DNS A record entry pointing to your server's main IP address for your newdomain.com's DNS via your domain registrar's domain DNS manager or if DNS is local via NSD (see step 3 below). You may also want to add a SPF/TXT DNS record for this hostname just to cover emails sent from your server via Postfix. For DNS A record, you can either use a CNAME DNS entry or my prefered is an A record pointing to your server's IP address. This way if you have 3x VPS servers with main hostnames like hostname1.newdomain.com ,hostname2.newdomain.com, hostname3.newdomain.com, I would add 3 separate A records for newdomain.com for hostname1, hostname2 and hostname3 pointing to 3 separate VPS servers' IP addresses.

If you're looking for a reliable and free DNS provider, you can use Cloudflare DNS Only hosting

Here's an example from Namesilo.com DNS management area for adding a DNS A record for hostname.mydomain.com pointing to server IP address = 1.1.1.1.

To cover the main hostname's sent email via Postfix, you may also want to add a SPF/TXT DNS record for this main hostname i.e. hostname.newdomain.com with simply just the following:

"v=spf1 a ~all"

Changing hostname

If the hostname returned from uname -n command does not match the hostname you used to place your order for your server, then you can get your web host to correct it for you or do it yourself as follows:

For CentOS 6.x, as root user in SSH telnet edit file at /etc/sysconfig/network. Using nano, vi or pico text editor:

  nano -w /etc/sysconfig/network

Change HOSTNAME variable to your desired hostname. It has to be a valid hostname in format of hostname.newdomain.com.

  HOSTNAME=hostname.newdomain.com

For CentOS 7.x, as root user in SSH telnet edit file at /etc/hostname. Using nano, vi or pico text editor:

  nano -w /etc/hostname

CentOS 7.x just needs to enter the hostname itself nothing else:

  hostname.newdomain.com

For CentOS 7.x you can use hostnamectl command to check and set the hostname too:

  hostnamectl status

  hostnamectl --help
hostnamectl [OPTIONS...] COMMAND ...

Query or change system hostname.

  -h --help              Show this help
     --version           Show package version
     --transient         Only set transient hostname
     --static            Only set static hostname
     --pretty            Only set pretty hostname
  -P --privileged        Acquire privileges before execution
     --no-ask-password   Do not prompt for password
  -H --host=[USER@]HOST  Operate on remote host

Commands:
  status                 Show current hostname settings
  set-hostname NAME      Set system hostname
  set-icon-name NAME     Set icon name for host
  set-chassis NAME       Set chassis type for host

To set the hostname:

  hostnamectl set-hostname hostname.newdomain.com

Edit /etc/hosts file in SSH telnet and add a new entry to existing entries associating your server's main IP address i.e. 111.222.333.444 to the new hostname

  111.222.333.444 hostname.newdomain.com hostname

On one of my VPS /etc/hosts now looks like:

  127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
111.222.333.444 hostname.newdomain.com hostname

Type following:

  hostname hostname.newdomain.com

Then restart network service via command:

  service network restart

Now try uname -n command again.

The server's default hostname's Nginx vhost configuration file is located at /usr/local/nginx/conf/conf.d/virtual.conf and can be accessed quickly via command shortcut within SSH telnet:

vhostconf

The command shortcut invokes the nano linux text editor, you can read up more about nano here and here.

Or via your favourite linux text editor nano, pico or vi edit /usr/local/nginx/conf/conf.d/virtual.conf

nano -w /usr/local/nginx/conf/conf.d/virtual.conf

You need to change one line within this default hostname's Nginx vhost configuration file for the server_name defined as localhost

Note: Centmin Mod v1.2.3-eva2000.04+ and higher will automatically do this step.

            server_name localhost;

change localhost to default hostname, hostname.newdomain.com as per below

server {
#         listen   80;
            listen   80 default_server;
            server_name hostname.newdomain.com;
            root   html;

        access_log              /var/log/nginx/localhost.access.log     main buffer=32k;
        error_log               /var/log/nginx/localhost.error.log      error;

# limit_conn limit_per_ip 16;
# ssi  on;

            location / {

#               Enables directory listings when index file not found
#               autoindex  on;

#               Shows file listing times as local time
#               autoindex_localtime on;

#               Enable for vBulletin usage WITHOUT vbSEO installed
#               try_files               $uri $uri/ /index.php;

            }

        # example nginx-http-concat
        # /csstest/??one.css,two.css
        #location /csstest {
        #concat on;
        #concat_max_files 20;
        #}

include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/php.conf;
include /usr/local/nginx/conf/phpstatus.conf;
include /usr/local/nginx/conf/drop.conf;
#include /usr/local/nginx/conf/errorpage.conf;

       }

2. Add your first domain name's Nginx vhost configuration.

Update: August 9th, 2016 if you need to create multiple Nginx vhosts and MySQL users/databases check out the forum guide here

Do this via centmin.sh menu option #2 as per instructions outlined here or via the new /usr/bin/nv SSH command line method outlined on the here. If you wish to use IPv6 you need to enable it within Nginx and update domain DNS with AAAA record. For instructions for Nginx IPv6 setup, read FAQ item 34.

Also ensure your site domain name and server main hostname have valid SPF/TXT and PTR DNS records setup as outlined here.

When you run menu option #2, you will be prompted to enter domain name you want to add, whether you want to create a self-signed SPDY SSL certificate vhost as well and prompt you for your desired Pure-FTPD virtual FTP username and whether you want to auto generate the FTP password or set one yourself. I recommend you auto generate the FTP password for better strength password. Once entered it will check if the domain name already exists within Nginx. If domain name doesn't already exist, it will create your Nginx vhost configuration file, your sites web directory and web public root and your site's log directory and give you the full path locations to these for your own records. Make note of these.

If you need to delete the Nginx vhost/domain and data later on, read the Nginx vhost and domain deletion guide here.

Below example, I added new domain called newdomain.com.

  • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
  • Nginx SPDY SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
  • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
  • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
  • Vhost log directory will be at /home/nginx/domains/newdomain.com/log

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

---------------------------------------------

Enter vhost domain name to add (without www. prefix): newdomain.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

Create FTP username for vhost domain (enter username): MYFTPUSERNAME
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: MYFTPUSERNAME
FTP password auto generated: WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
Generating a 2048 bit RSA private key
.................................................................................................................................+++
..................................................................+++
writing new private key to 'newdomain.com.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=newdomain.com/CN=newdomain.com
Getting Private key
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.........................................................................................................................................................................................................................................................................................+....................................................+..............................................................................................................................................................................................................+.....................................................................................................................................................................+.............................................................................+.............................................................................................................................+....................................................................................................+...........................................................................................+........................................................................................................................................................+.......................................................................................................................................................++*++*
dhparam file generation time: 12.149109355

-------------------------------------------------------------
service nginx reload
Reloading nginx configuration (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully

domain: http://newdomain.com
vhost conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.conf

vhost ssl for newdomain.com created successfully

domain: https://newdomain.com
vhost ssl conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr

upload files to /home/nginx/domains/newdomain.com/public
vhost log files directory is /home/nginx/domains/newdomain.com/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Jul 16  19:04   845    ssl.conf
Jul 16  19:04   1.1K   demodomain.com.conf
Jul 16  19:08   1.6K   virtual.conf
Jul 20  01:09   1.9K   newdomain.com.conf
Jul 24  01:42   1.7K   newdomain2.com.conf
Jul 24  01:42   3.4K   newdomain2.com.ssl.conf
Jul 24  01:51   1.7K   newdomain.com.conf
Jul 24  01:51   3.4K   newdomain.com.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/newdomain.com

                       
Jul 24  01:50   1.7K   newdomain.com.key
Jul 24  01:50   1009   newdomain.com.csr
Jul 24  01:50   1.2K   newdomain.com.crt
Jul 24  01:51   424    dhparam.pem

-------------------------------------------------------------
Commands to remove newdomain.com

 rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
 rm -rf /home/nginx/domains/newdomain.com
 service nginx restart
-------------------------------------------------------------

Uploading files to the new Nginx vhost domain

Centmin Mod FAQ #2 outlines that Centmin Mod isn't for shared hosting right now. Jailed chrooted Nginx vhost user accounts are in the works (see preview). So right now to upload files, you use the server's native SFTP support with your FTP client set to use SFTP and username = root and fill in your ipaddress for your server and SSH port (default is 22) unless you changed it and point the remote directory to your web root at /home/nginx/domains/newdomain.com/public.

With Centmin Mod 1.2.3-eva2000.08+ and higher, you can also use the generated Pure-FTPD virtual FTP username and password that you created via centmin.sh menu option #2 which would of outputted the relevant info i.e.


Other Firewalls

  • Note passive Pure-ftpd TCP ports in range between 3000 to 3050 for Centmin Mod 123.08stable or 30001 to 50011 for Centmin Mod 123.09 beta and higher are required to be open for Pure-ftpd server to accept connections. CSF Firewall installed by Centmin Mod takes care of this on server side.
  • However, if you have other firewalls between your connecting computer and the Centmin Mod server, they may block connections as well. Some web hosts such as Amazon AWS EC2, Google Cloud Compute, Vultr and OVH (OVH Gaming servers) may have their own firewall in front of your server which you can either turn off or configure to whitelist the required TCP ports. CSF Firewall config file /etc/csf/csf.conf has a list of default ports in comma separated listing that are whitelisted for variables TCP_IN, TCP_OUT, TCP6_IN, TCP6_OUT, UDP_IN, UDP_OUT, UDP6_IN and UDP6_OUT that you can reference. If your local PC or router has restricted ports, you may also need to whitelist them at that level as well.

Ensure to setup your FTP client's settings to enable FTP explicit SSL with SSL certificate verification disabled (as the Pure-FTPD server TLS/SSL is setup with self-signed certificate) and that FTP Passive PASV support is enabled.

-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully

Location you upload files is listed when you created your new Nginx vhost:

upload files to /home/nginx/domains/newdomain.com/public

Whenever you completed uploading new files, you'd need to give them correct user and group permissions within SSH window as root user type:

chown -R nginx:nginx /home/nginx/domains/newdomain.com/public

You do not need to do this will files created via PHP-FPM or Nginx, i.e. if you use Wordpress and used Wordpress admin to add a new Wordpress plugin, the plugin will automatically have nginx user and group permissions as it was processed by PHP-FPM.

To verify the files and directories are with nginx user and group permissions, use command

ls -lah directorypath

i.e.

ls -lah /home/nginx/domains/newdomain.com/public
total 36K
drwxr-sr-x 2 nginx nginx  151 Aug 11 05:24 .
drwxr-sr-x 6 nginx nginx   56 Aug 11 05:24 ..
-rw-r--r-- 1 nginx nginx 1.6K Aug 11 05:24 403.html
-rw-r--r-- 1 nginx nginx 1.6K Aug 11 05:24 404.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 500.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 502.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 503.html
-rw-r--r-- 1 nginx nginx 2.1K Aug 11 05:24 504.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 50x.html
-rw-r--r-- 1 nginx nginx 1.2K Aug 11 05:24 index.html
-rw-r--r-- 1 nginx nginx 2.2K Aug 11 05:24 maintenance.html

3. Setup domain name newdomain.com's DNS settings.

Note: If you chose to use DigitalOcean for your VPS, they also offer DNS management for your domain hosted with them. Update your domain registrar's records to point to the DigitalOcean name servers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com). Then you can manage DNS from their control panel.

I always use 3rd party web host or domain registrar's DNS name servers rather than use NSD dns hosted on same Centmin Mod server for higher uptime and stability and better performance. I use DNSMadeEasy DNS services for Anycast DNS performance you can read about on my blog.

To use 3rd party DNS, just following Part 1 outlined here. If on other hand you want to host DNS locally on your server via NSD on Centmin Mod installed server, you need to do both Part 1 (creating private or vanity nameservers with domain registrar) and 2 outlined here.

You can see a full step by step example of setting up a local NSD DNS nameservers for your added domains on the Centmin Mod Community forums.

Remember to check your domain name's DNS is properly configured at both your domain registrar & web server end (NSD) by running domain name through these 3 dns test sites

4. CSF Firewall settings.

CSF Firewall is an important tool to keep your server secure. If you have issues with blocked FTP/SCP, connecting to remote MySQL servers or sending outgoing email via 3rd party SMTP providers, then you need to whitelist IPs and/or ports. All info available here and on Centmin Mod Community forums. It's a must read if you rely on or use web services such as Pingdom.com, NodePing.com or other monitoring services. Or have other server connecting to and from your Centmin Mod based server (i.e. remote MySQL database servers).

Whitelist IP addresses: If you have any other servers which you want to connect to/from this Centmin Mod install. You'd want to whitelist and allow them from CSF Firewall. This also helps if you ever get locked out of the server by CSF Firewall, you can still log in via one of the other whitelisted servers you have access to. If you want to a cheap 2nd VPS to do this from, check out RamNode's 128MB memory and 50GB disk space based OpenVZ SSD-Cached VPSes from US$15-24/yr (yes per year!). You can install Centmin Mod on 2nd VPS too and even use the 2nd VPS as a backup server. Just remember to whitelist this 2nd VPS server's IP address and vice versa whitelist the 1st VPS server's IP address on the 2nd VPS server.

If you need to whitelist a dynamic IP address, you would need to use a dynamic DNS service provider like noip.com or dnsexit.com to create a hostname to point to your dynamic IP address and then use a provided client to auto or manually update that hostname's assigned dynamic IP address when it is changed at your ISP level. You will then need to enable CSF Firewall's Dynamic DNS support options outlined on the forums here.

Setup a 128MB VPS backup: With 128MB low memory VPS (and at least 64MB swap file), there's a minor Centmin Mod tweak needed prior to actual install of Centmin Mod.

  • For Centmin Mod 123.08stable and below, prior to actual Centmin Mod install (via centmin.sh menu option #1), find and edit inc/memcheck.inc and find ISLOWMEM variable and change it's value from 262144 KB to 131072 KB. Then run centmin.sh and select menu option #1.
  • For Centmin Mod 123.09beta01 and higher, there's now a persistent config file option avaiable, LOWMEM_INSTALL='y' outlined at here.

It is still recommended for best performance to have a minimum 256MB of memory, but at least with this updated change you can suffice with a 128MB Low End Box VPS.

If you don't use PHP, MySQL, Memcached server or Pure-FTPD server on the 128MB VPS server you can disable those services with these 4 commands:

service php-fpm stop
service mysql stop
service memcached stop
service pure-ftpd stop
chkconfig memcached off
chkconfig php-fpm off
chkconfig mysql off
chkconfig pure-ftpd off

To renable them:

service php-fpm start
service mysql start
service memcached start
service pure-ftpd start
chkconfig memcached on
chkconfig php-fpm on
chkconfig mysql on
chkconfig pure-ftpd on

5. Proxies and visitor's real IP address.

If you use reverse proxy or proxy service such as Cloudflare, Amazon AWS Cloudfront, Incapsula, Google PageSpeed Service, Varnish Cache in front of Nginx web server. You need to properly setup Nginx via Nginx's ngx_http_realip_module module. You can find guide link on Nginx Configuration page or directly here. For Cloudflare to prevent IP leaks you also want to enable Cloudflare Authenticated Origin Pull certificates on your Cloudflare Full SSL enabled sites.

6. Example Nginx configurations.

Example Nginx configurations for Nginx SSL setup, Nginx Google SPDY, OCSP Stapling, Wordpress, Xenforo, vBulletin etc available here.

7. Centmin Mod Addons.

Check out additional Centmin Mod Addons, which are standalone scripts to further extend Centmin Mod.

8. Setting up @yourdomain.com based emails.

Check out how to setup @yourdomain.com with third party free or paid email providers like Zoho Mail, Google Apps, Microsoft Outlook, Atmail, FastMail, Rackspace Email, and Amazon WorkMail. Also ensure your site domain name and server main hostname have valid DMARC, SPF/TXT and PTR DNS records setup as outlined here.

9. Enable Google Nginx PageSpeed ?

Decide whether you want to enable Google Nginx ngx_pagespeed module and PageSpeed Console.

10. Backing up your server data

While there are no actual included tools for backing up your Centmin Mod based server, you should still look into backup options available from your web host if any. If you chose to use DigitalOcean for your VPS, they include options for both nightly backups and snapshot backups for your VPS that you can enable. Backup option cost is ~10% of your VPS cost.

Another cheap option if you have less than 50GB of data, is RamNode's 128MB memory and 50GB disk space based OpenVZ SSD-Cached VPSes from US$15-24/yr (yes per year!). Just remember the tweaks needed for 128MB VPS Centmin Mod install.

Then there's Backupsy.com KVM based VPS storage servers listed above. They have servers located in Dallas, TX; Miami, FL; Chicago, IL; Denver, CO; Buffalo, NY; Los Angeles, CA and The Netherlands. Very cheap if you need alot of storage and best of all for additional $2/month you can upgrade to normal VPS usage instead of restricted backup usage and you can install Centmin Mod on them as well.

11. MySQL database management

Note: default /etc/my.cnf sets default storage engine to MyISAM (default-storage-engine = MyISAM). If you want to use InnoDB storage engine tables, set in /etc/my.cnf, default-storage-engine = InnoDB and restart MySQL server.

Update: August 9th, 2016 if you need to create multiple Nginx vhosts and MySQL users/databases check out the forum guide here

Currently, Centmin Mod doesn't bundle any tools to manage MariaDB MySQL by default. You have to do it:

  1. Via SSH telnet command line see MySQL documentation at http://dev.mysql.com/doc/refman/5.5/en/tutorial.html, MySQL Access Privilege System and MySQL User Account Management (example shown in Wordpress + WP-FFPC plugin + ngx_pagespeed guide and in IP.Board setup guide) OR
  2. Install phpmyadmin yourself via Centmin Mod Addon that is currently in beta status (addon properly secures the phpmyadmin installation unlike other online guides) (see more info further below) OR
  3. Install tools such as HeidiSQL on your own pc to connect to your server ?

Centmin Mod Addons - phpmyadmin.sh & mysqladmin_shell.sh

Both Addons are in a beta build state, so there's no 100% guarantee it will always work. Your feedback on the forums and testing will help me improve the Addons ;)

12. Keeping server up to date / Security

Owning a VPS or dedicated server means you're responsible for keeping the server up to date software wise. I suggest you sign up for pushover.net service and download appropriate pushover mobile app client to your mobile or tablet device. This will allow you to use your pushover userkey email for notifications for backups or updates i.e. [email protected]. Then setup automatic nightly YUM updates via yum-cron and as added precautiion install the Centmin Mod Addon for an anti-virus malware scanner - Linux Malware Detect (maldet) + ClamAV scanner and if on Centmin Mod 123.09beta01 or newer, to help troubleshoot issues in future, install and read up on how to use addons/auditd.sh.

13. Statistics Pages

You can find discussion thread here.

A PHP opcode cacher is installed by default. For Centmin Mod 1.2.3-eva2000.07 stable PHP 5.4.33 is installed with APC Cache 3.1.13. Centmin Mod supports other PHP opcode cachers via running centmin.sh menu options for Xcache and Zend Opcache. All three PHP opcode cachers have their own respective statistics admin pages.

Memcached server 1.4.20 is installed by default with both memcache and memcached/libmemcached PHP extension support. It too has it's own statistics admin page.

For all PHP opcode caches, APC Cache, Xcache, Zend Opcache and Memcached server caching, the admin statistics pages are located and served from the Centmin Mod default hostname web root /usr/local/nginx/html/ at your hostname.yourdomain.com/* (outlined in step 1 of Getting Started guide) as well as a PHP INFO page at XXX_phpi.php. So to access these files you would go to hostname.yourdomain.com/${N}_myapc.php.

  • APC Cache - located at /usr/local/nginx/html/${N}_myapc.php where ${N} is randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. You can password protect the file if you want and/or change it's filename and location.
  • Xcache - located at /usr/local/nginx/html/myxcacheadmin which is username and password protected with a unique login auto generated for each Centmin Mod installation. You can change the directory location and name if you want after install. Username and password are located in your Centmin Mod initial install log at /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log
  • Zend Opcache - located at /usr/local/nginx/html/${N}_opcache.php where ${N} is randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. You can password protect the file if you want and/or change it's filename and location.
  • Memcached - located at /usr/local/nginx/html/memcache_${N}.php where ${N} is randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install. Memcached statistics page has an auto generated username and password unique to each Centmin Mod install which is printed out at end of the Centmin Mod initial install output. If you missed that info, you can find the username and password

    located in your Centmin Mod initial install log at /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log. You can use grep to easily find the relevant part of the install log containing the user/pass details:

      grep -A13 'Setup memcached_' /root/centminlogs/centminmod_1.2.3-eva2000.07_DDMMYY-TIMESTAMP_install.log
    

  • PHP INFO page - located at XXX_phpi.php where XXX is randomised number unique to each Centmin Mod installation. You can change the file name or location if you want after install.

For all 5 locations, in additional to password protection you can also IP address restrict access via this context added to your main hostname's Nginx vhost at /usr/local/nginx/conf/conf.d/virtual.conf (command short to launch nano text editor for it = vhostconf).

Make sure to change the file name matches in location to your specific filenames.

  location ~ ^/(XX_op|memcache_XXX|XXX_phpi\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
}

location ~ ^/myxcacheadmin {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
}

To edit the memory allocation or settings for PHP Opcachers, you do this via each of their respective PHP *.ini files which can find via SSH command.

  php --ini

Sample output for APC Cache with Memcached server.

php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/apc.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini

So to edit memory allocation to APC Cache, edit /etc/centminmod/php.d/apc.ini. For Xcache, edit /etc/centminmod/php.d/xcache.ini and for Zend Opcache edit /etc/centminmod/php.d/zendopcache.ini. You need to restart PHP-FPM service after making *.ini file changes.

However, for Memcached server memory allocation, settings are located directly within /etc/init.d/memcached startup script. Default memory allocation for Memcached server is set by MEMSIZE and is 8MB. You need to restart Memcached service after making /etc/init.d/memcached changes.

BINNAME=memcached
BIN=/usr/local/bin/memcached
USER=nobody
LOGGING='n'
LOGFILE="/var/log/memcached.log"
LOGFILEB="/var/log/memcached2.log"
CON=1024
THREADS=4
MINSP=72
CHUNKF=1.25
PORT1=11211
PORT2=11212
SOCKET_ENABLE=n
SOCKETA='-s /var/run/memcached/memcached1.sock -a 0755'
SOCKETB='-s /var/run/memcached/memcached2.sock -a 0755'
MEMSIZE=8
SERVERCOUNT=1
SERVERIP='127.0.0.1'
OPTIONS='-o slab_reassign,slab_automove'

14. PHP-FPM Security

To further lock down PHP-FPM security, Centmin Mod 1.2.3-eva2000.08+ and higher enable open_basedir restrictions and you can also manually disable some PHP functions. However, check with your respective web app PHP developers whether those disabled PHP functions are needed otherwise disabling these PHP functions can break your PHP web app software.

At very bottom of PHP-FPM config file at /usr/local/etc/php-fpm.conf (command shortcut in SSH = fpmconf), just after PHP error log definition you will find a line like below (if using Centmin Mod 1.2.3-eva2000.08 beta) or if using Centmin Mod 1.2.3-eva2000.07 stable release, you need to add that line right after the PHP error log definition. PHP-FPM config file edit is preferred over php.ini file edit as it will survive subsequent PHP-FPM upgrades where new php.ini files are put in place.

  php_admin_value[error_log] = /var/log/php-fpm/www-php.error.log
  php_admin_value[disable_functions] = shell_exec

You can extend the number of PHP functions to disable to further lock down and secure your PHP web apps provided your PHP web apps do not rely on and use such PHP functions.

For example.

  php_admin_value[disable_functions] = show_source, system, shell_exec, passthru, exec, popen, proc_open

Then after editing /usr/local/etc/php-fpm.conf restart PHP-FPM service

  service php-fpm restart

or

  fpmrestart

open_basedir

Centmin Mod 1.2.3-eva2000.08+ and higher have open_basedir enabled in /usr/local/nginx/conf/php.conf include file. This file is included in each created Nginx vhost config file i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf. The relevant line is the 9th line in /usr/local/nginx/conf/php.conf

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

This line locks you to each Nginx vhost's document web root i.e. /home/nginx/domains/newdomain.com/public.

    fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

You can disable this globally across all Nginx vhosts, by commenting out the line and restarting Nginx and PHP-FPM services.

    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

Or you can disable it for a specific Nginx vhost domain only, leaving all other domains enabled with open_basedir protection. To disable it for a specific Nginx vhost domain only, you need to make a copy of the /usr/local/nginx/conf/php.conf include file and change the php.conf include line within that specific Nginx vhost i.e. /usr/local/nginx/conf/conf.d/newdomain.com.conf.

Make a copy of the /usr/local/nginx/conf/php.conf include file called /usr/local/nginx/conf/php_disable_openbasedir.conf.

    cp -a /usr/local/nginx/conf/php.conf /usr/local/nginx/conf/php_disable_openbasedir.conf

Then in your /usr/local/nginx/conf/conf.d/newdomain.com.conf, change the include line for /usr/local/nginx/conf/php.conf to /usr/local/nginx/conf/php_disable_openbasedir.conf

    #include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/php_disable_openbasedir.conf;

Then restart Nginx and PHP-FPM services

    nprestart

15. Centmin Mod Community Forums

If you want to delve deeper into Centmin Mod code and structure to further customise and/or extend your Centmin Mod server installation, you can check out the Centmin Mod Insights forums as well as the general Centmin Mod forum category. Be sure to sign up to be able to post on the Centmin Mod Community forums.

16. Linux monitoring & troubleshooting tools

Check out Nginx Amplify monitoring service for Nginx and PHP-FPM and general server monitoring. You can setup PHP-FPM status metric monitoring and individual metric alerts as well. Example here.

Also check out the Server Monitoring statistics page on how to setup Nodequery.com or Nixstats.com for monitoring your server statistics and uptime. Also Community forum has a System Administration forum sticky outlining alot of Linux monitoring and troubleshooting commands and tools.

17. Customising php.ini Settings

The default php.ini location is at /usr/local/lib/php.ini. However, PHP upgrades via centmin.sh menu option 5 can overwrite that. So it's best to set aside your php.ini level customisations in a separate *.ini file. Centmin Mod by default has a custom file at /etc/centminmod/php.d/a_customphp.ini which has some tweaks to PHP settings already added by default. You can add custom settings to /etc/centminmod/php.d/a_customphp.ini however, they can be also overwritten if future Centmin Mod updates adjust or add tweaks which are automated on PHP-FPM upgrades. So you can instead create a second custom file with naming convention alphabetically below that of /etc/centminmod/php.d/a_customphp.ini i.e. /etc/centminmod/php.d/b_customphp.ini.

Default /etc/centminmod/php.d/a_customphp.ini contents. Note ;always_populate_raw_post_data=-1 is auto uncommented (remove semi-colon ;) when PHP 5.6+ is detected only.

date.timezone = UTC
max_execution_time = 60
short_open_tag = On
realpath_cache_size = 1024k
realpath_cache_ttl = 14400
upload_max_filesize = 40M
memory_limit = 160M
post_max_size = 40M
expose_php = Off
mail.add_x_header = Off
max_input_nesting_level = 128
max_input_vars = 2000
mysqlnd.net_cmd_buffer_size = 16384
;always_populate_raw_post_data=-1

You can add your own custom settings to a newly created file at /etc/centminmod/php.d/b_customphp.ini i.e. double default max_execution_time from 60 to 120. PHP-FPM will process those in a specific alpha-numeric order where later ini files override the former.

max_execution_time = 120

Then restart PHP-FPM service via either command shortcut or full service restart command

fpmrestart

or

service php-fpm restart

Confirming changes are in effect by looking at phpinfo file. Centmin Mod sets this up on main hostname with randomised prefix unqiue to each Centmin Mod install. You can rename this file, delete it or password protect or IP address restrict it if you want. In below example, the install created phpinfo file at /usr/local/nginx/html/417911c9_phpi.php which would be accesible online via yourmainhostname.com/417911c9_phpi.php or localhost/417911c9_phpi.php.

ls -lah /usr/local/nginx/html | grep phpi                          
-rw-r--r-- 1 nginx nginx   20 Jul 28 11:31 417911c9_phpi.php

You don't need to move out of SSH session to do a simple check - use lynx command grep can confirm the changes.

before

lynx -dump localhost/417911c9_phpi.php | grep max_execution_time    
   max_execution_time 60 60

after

lynx -dump localhost/417911c9_phpi.php | grep max_execution_time    
   max_execution_time 120 120

Typing the command php --ini, will output the list of *.ini files PHP-FPM has detected and the order in which they are processed.

php --ini

default before custom /etc/centminmod/php.d/b_customphp.ini file added

php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/geoip.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini,
/etc/centminmod/php.d/mongodb.ini,
/etc/centminmod/php.d/redis.ini,
/etc/centminmod/php.d/zendopcache.ini

after custom /etc/centminmod/php.d/b_customphp.ini file added and PHP-FPM service restarted

php --ini
Configuration File (php.ini) Path: /usr/local/lib
Loaded Configuration File:         /usr/local/lib/php.ini
Scan for additional .ini files in: /etc/centminmod/php.d
Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
/etc/centminmod/php.d/b_customphp.ini,
/etc/centminmod/php.d/curlcainfo.ini,
/etc/centminmod/php.d/geoip.ini,
/etc/centminmod/php.d/igbinary.ini,
/etc/centminmod/php.d/imagick.ini,
/etc/centminmod/php.d/memcache.ini,
/etc/centminmod/php.d/memcached.ini,
/etc/centminmod/php.d/mongodb.ini,
/etc/centminmod/php.d/redis.ini,
/etc/centminmod/php.d/zendopcache.ini

18. Managing root user emails

Servers will have system related email notifications that are sent to the system root user by default. These emails end up in the root user's mail spool file at /var/spool/mail/root. These emails remain there until the root user reads and deletes them so over time this root user mail spool file will grow. You can view the size via command:

ls -lah /var/spool/mail/root
-rw------- 1 root mail 928K Dec 28 04:58 /var/spool/mail/root

You can manually empty the accumulated root mail spool emails via the command:

echo "" > /var/spool/mail/root

If you do not want root user emails to accumulate in the root user mail spool and want to be able to receive these emails to a regular email account, you can setup the root user mail forwarder file at /root/.forward. Add to the file your email address:

[email protected]

Then any server system destined root user emails will bypass the mail spool and be forwarded to your listed email address in /root/.forward file. These emails most likely will end up in your email's spam or junk folders. So I would specifically setup a mail filter of Gmail label filter so that any email coming the the from email of your server email (usually will be [email protected]), will skip the spam or junk folders and not be marked as spam. I'd also make it skip your inbox folder for a specific mail folder if possible (i.e. Gmail)

If you use Gmail or Google Apps based email for the listing in your /root/.forward file, you can make it even easier to setup a filtered label by using email alias. If your Gmail address is [email protected], you can append +label to your username and still get emails but then you can filter based on the that specific delivered to address. For example, [email protected] emails with an alias of +linode1, will still go to [email protected] but the delivered to address you receive from will be listed as [email protected].

Delivered-To: [email protected]

or if your mail app doesn't support filter based on Delivered-To field, filter based on From and To addresses.

From: [email protected]
To: [email protected]

One of the most common root user destined email messages you will receive is due to CSF Firewall alerting you everytime you log in via SSH to your server. An example email message looks like below:

To: [email protected]
Subject: lfd on [email protected]: SSH login alert for user root from 111.222.333.444.(AU/Australia/111.222.333.444)
Message-Id: <[email protected]>
Date: Mon, 28 Dec 2015 04:58:58 +0000 (UTC)

Time:    Mon Dec 28 04:58:58 2015 +0000
IP:      111.222.333.444.(AU/Australia/111.222.333.444)
Account: root
Method:  password authentication

Another common root user destined email message is when CSF Firewall's LFD daemon notifies you of permanent firewall blocking of IP addresses which are trying to brute force log into your server via SSH and fail after 5 attempts.

From: [email protected]
To: [email protected]
Subject: lfd on yourhostname.domain.com: blocked 124.199.98.204 (TW/Taiwan/124-199-98-204.HINET-IP.hinet.net)
Message-Id: <[email protected]>
Date: Wed, 23 Dec 2015 19:50:06 +0000 (UTC)

Time:     Wed Dec 23 19:50:06 2015 +0000
IP:       124.199.98.204 (TW/Taiwan/124-199-98-204.HINET-IP.hinet.net)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block

Log entries:

Dec 23 19:48:48 yourhostname sshd[23279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.199.98.204  user=root
Dec 23 19:48:50 yourhostname sshd[23279]: Failed password for root from 124.199.98.204 port 62046 ssh2
Dec 23 19:49:14 yourhostname sshd[23280]: Did not receive identification string from 124.199.98.204
Dec 23 19:49:19 yourhostname sshd[23308]: Did not receive identification string from 124.199.98.204
Dec 23 19:49:50 yourhostname sshd[23358]: Did not receive identification string from 124.199.98.204

19. Keeping Centmin Mod Code Updated

Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08) (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via Git backed environment you can setup. For full details read the following links:

20. Ensure Postfix Outbound Emails Do Not End Up In Spam Inbox

To ensure your site and server sent emails do not end up in users' spam inboxes, you need proper SPF/TXT, DKIM, DMARC and reverse PTR DNS records setup for you domain and server's main hostname. You can read the full details on how to setup SPF/TXT, DKIM and DMARC for your email here.

VPS Provider Blocked SMTP Port 25 Outbound Emails

To combat spam, some VPS providers are now blocking SMTP port 25 outbound emails from servers by default and requiring you contact them and provide ID verification to unblock the SMTP port for a one time task. Other VPS providers have outright blocked SMTP Port 25 outbound emails entirely and require you to use a 3rd party SMTP provide for email relaying (Postfix Relay SMTP). DigitalOcean is one such provider, so you will need to setup CentOS Postfix SMTP Relay with Centmin Mod for sending outbound emails from the server itself. Details outlined here.

21. How To Boost Centmin Mod LEMP Stack Performance

If using Centmin Mod 123.09beta01 or newer, you can further boost your Centmin Mod LEMP stack performance with more advanced options outlined in the How To Boost Centmin Mod LEMP Stack Performance guide.

Summary

End result is that visiting:

  • hostname.newdomain.com should have a valid working DNS entry (either an A record pointing to server's IP address or CNAME entry) and should go to default Nginx setup page which is controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/virtual.conf with document root at /usr/local/nginx/html
  • newdomain.com should also have a valid DNS entry preferably A record pointing to server IP address and go to your site's pages controlled via Nginx vhost configuration file at /usr/local/nginx/conf/conf.d/newdomain.com.conf with document root at /home/nginx/domains/newdomain.com/public