Secure Nginx with Let’s Encrypt SSL on CentOS 7

With Let’s Encrypt you can get a free, valid SSL certificate. Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates. The Certbot client fetches the certificate and deploys it on your server. In this tutorial, you are going to learn how to secure Nginx with Let’s Encrypt SSL on CentOS.

Before we begin

A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks whether the domain points to the current server and, if the check succeeds, issues the certificate.

Prerequisites

1. Before you start to secure Nginx with Let’s Encrypt SSL on CentOS 7 using the Certbot client, you must have a non-root user account with sudo privileges on your server.
2. Make sure your domain is pointing to the current server.

1. Install Certbot Client

To install the Certbot client you first need to add the EPEL repository. To do so, type:

sudo yum install epel-release

Now install the Certbot client by executing the following command:

sudo yum install python-certbot-nginx

Confirm the installation by typing

certbot --version

2. Setup Firewall

If you are not running a firewall, skip this step.

Make sure ports 80 and 443 are open in your firewall. To open them in firewalld, use the following commands:

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If your system is running iptables, you can run the following basic commands to allow traffic on port 80 and port 443:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

3. Setting up Let’s Encrypt SSL on Nginx

Let’s Encrypt performs strong domain validation to verify ownership of the domain. After successful verification, it issues the certificate. In the command below, replace example.com with your domain name:

sudo certbot --nginx -d example.com -d www.example.com

If this is the first time you are installing a certificate, Certbot will ask you to enter an email address and agree to the terms and conditions.

After the above step, Certbot will ask you to configure HTTPS settings.

Output
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and continue to the next step. We recommend choosing the Secure option if you don’t want to change the configuration file manually.

NOTE: All generated files are stored inside the /etc/letsencrypt/live directory.

Generate Strong Diffie-Hellman Parameters

The Diffie–Hellman (DH) key exchange method is used to exchange cryptographic keys securely over an unsecured communication channel. Generate strong DH parameters with the following command, which creates the dhparam.pem file:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Now edit the Nginx configuration file:

sudo nano /etc/nginx/nginx.conf

Paste the following line inside the server block.

/etc/nginx/nginx.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Now check that the syntax is OK. To do so, type:

sudo nginx -t

If there are no syntax problems, reload the Nginx configuration:

sudo systemctl reload nginx

4. Autorenewal For SSL Certificates

Let’s Encrypt certificates are short-lived and expire after 90 days, so you have to renew them before they expire by running the following command:

sudo certbot renew

You can automate this process by adding a cron job. Enter the following command to open the crontab:

sudo crontab -e

Add the following line to the end of the file. It runs the command twice a day and renews the certificate if it is about to expire.

0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

Conclusion

You have learned how to secure Nginx with Let’s Encrypt SSL on CentOS 7 by using Certbot. If you have any queries regarding this please don’t forget to comment below.

Install Node.js with npm on CentOS

In this tutorial, we are going to learn how to install Node.js with npm on CentOS. Node.js is an open-source JavaScript runtime environment for server-side execution of JavaScript code. Node.js is built on Chrome’s V8 JavaScript engine, so it can be used to build different types of server-side applications.

npm stands for Node Package Manager and is the default package manager for Node.js. npm is the world’s largest software registry for Node.js packages, with thousands of packages available.

In this tutorial we will install Node.js in the following two ways:

  1. Install Node.js and npm using EPEL repository
  2. Install Node.js and npm using nvm

Prerequisites

Before you start to install Node.js and npm on CentOS 7, you must have a non-root user account with sudo privileges on your server.

1. Install Node.js and npm using EPEL repository

First you need to add the NodeSource yum repository to your system. Add it with curl by running the following command:

curl -sL https://rpm.nodesource.com/setup_10.x | sudo bash -

NOTE: The latest LTS version of Node.js is 10.x. If you want to install the 8.x version, just replace setup_10.x with setup_8.x.

After executing the above command, the NodeSource repository is enabled. Now you can install Node.js by using the following command. When it prompts you to retrieve the GPG key, just press ‘y’ to continue.

sudo yum install nodejs

Now confirm the installation of Node.js by using the following command

node --version

And confirm npm installation with the following command

npm --version

2. Install Node.js and npm using NVM

NVM stands for Node Version Manager which is used to manage multiple Node.js versions. If you want to install or uninstall different versions of Node.js then NVM is there for you.

First, we will install NVM (Node Version Manager) on your system. Download and run the NVM installation script with the following command:

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash

As shown in the above output, you should close and reopen the terminal.

Check the nvm version to confirm the installation by typing:

nvm --version

Now install Node.js by using the following command.

nvm install node

Verify Node.js installation by typing

node --version

The output should be:

Output
v10.14.0

You can install multiple versions of Node.js. To do so, type the following:

nvm install 8.14
nvm install --lts
nvm install 11.3

To list all the installed versions, run the following command:

nvm ls

You can change the current default version of Node.js by using the following command.

nvm use 8.14

To uninstall a Node.js version, type the following command:

nvm uninstall 11.3

Conclusion

You have successfully learned how to install Node.js with npm on CentOS 7. If you have any queries regarding this please don’t forget to comment below.

Secure Apache with Let’s Encrypt SSL on CentOS 7

With Let’s Encrypt you can get a free, valid SSL certificate. Let’s Encrypt is a Certificate Authority (CA) that provides free SSL certificates. The Certbot client fetches the certificate and deploys it on your server. In this tutorial, you are going to learn how to secure Apache with Let’s Encrypt SSL on CentOS.

Before we begin

A Let’s Encrypt certificate can only be requested from the server the domain points to. Let’s Encrypt checks whether the domain points to the current server and, if the check succeeds, issues the certificate.

Prerequisites

1. Before you start to secure Apache with Let’s Encrypt SSL on CentOS 7 using the Certbot client, you must have a non-root user account with sudo privileges on your server.

2. Make sure your domain is pointing to the current server.

1. Install Certbot Client

To install the Certbot client you first need to add the EPEL repository. To do so, type:

sudo yum install epel-release

Now install the Certbot client by executing the following command:

sudo yum install httpd mod_ssl python-certbot-apache

Confirm the installation by typing

certbot --version

2. Setup Firewall

If you are not running a firewall, skip this step.

Make sure ports 80 and 443 are open in your firewall. To open them in firewalld, use the following commands:

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If your system is running iptables, you can run the following basic commands to allow traffic on port 80 and port 443:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

3. Setting up Let’s Encrypt SSL on Apache

To set up Let’s Encrypt on Apache we need the Certbot plugin for Apache, which makes this process much easier.

sudo yum install python-certbot-apache

Let’s Encrypt performs strong domain validation to verify ownership of the domain. After successful verification, it issues the certificate. In the command below, replace example.com with your domain name:

sudo certbot --apache -d example.com -d www.example.com

If this is the first time you are installing a certificate, Certbot will ask you to enter an email address and agree to the terms and conditions.

After the above step, Certbot will ask you to configure HTTPS settings.

Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice and continue to the next step. We recommend choosing the Redirect option if you don’t want to change the configuration file manually.

NOTE: All generated files are stored inside the /etc/letsencrypt/live directory.

Secure SSL Settings for Apache

The SSL configuration shipped with the CentOS version of Apache is outdated and has some security issues, so we need to change some settings to make it more secure.

Open the /etc/httpd/conf.d/ssl.conf SSL configuration file by using the following command:

sudo nano /etc/httpd/conf.d/ssl.conf

Find the SSLProtocol and SSLCipherSuite lines inside the file and comment them out.

/etc/httpd/conf.d/ssl.conf
# SSLProtocol all -SSLv2
. . .
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Now paste the following code after the VirtualHost block in the /etc/httpd/conf.d/ssl.conf file:

/etc/httpd/conf.d/ssl.conf
. . .

. . .

# Begin copied text
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11

Restart the Apache service by running the following command:

sudo systemctl restart httpd

4. Autorenewal For SSL Certificates

Let’s Encrypt certificates are short-lived and expire after 90 days, so you have to renew them before they expire by running the following command:

sudo certbot renew

You can automate this process by adding a cron job. Enter the following command to open the crontab:

sudo crontab -e

Add the following line to the end of the file. It runs the command twice a day and renews the certificate if it is about to expire.

0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
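
A scheduled renewal that fails silently only shows up when a certificate expires. The script below is an added example, not part of the original tutorial or of Certbot, and applies to both the Nginx and the Apache renewal setups above: it lists certificates under /etc/letsencrypt/live that are closer to expiry than a working renewal job should ever allow. It assumes Certbot's <name>/cert.pem layout inside that directory; the file name check-certs.sh and the 20-day threshold are assumptions (certbot renew by default replaces certificates with less than 30 days left).

```sh
#!/bin/sh
# Added example (not from the original tutorial): list Let's Encrypt
# certificates that the renewal cron job has failed to renew.
# Assumes certbot's layout <live_dir>/<name>/cert.pem.

# expires_within CERT DAYS
#   returns 0 if CERT expires within DAYS days or cannot be parsed,
#   returns 1 if it stays valid for longer than that.
expires_within() {
    # "openssl x509 -checkend N" exits 0 only when the certificate is
    # still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" \
            >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# stale_certs LIVE_DIR DAYS
#   prints the directory name of every certificate whose cert.pem expires
#   within DAYS days; returns 1 if at least one was printed, else 0.
stale_certs() {
    live_dir=$1
    days=$2
    found=0
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue    # glob matched nothing
        if expires_within "$cert" "$days"; then
            basename "$(dirname "$cert")"
            found=1
        fi
    done
    return "$found"
}

# Command-line use (hypothetical file name):
#   sudo sh check-certs.sh --check [LIVE_DIR] [DAYS]
# A non-zero exit status means at least one certificate needs attention.
if [ "${1:-}" = "--check" ]; then
    stale_certs "${2:-/etc/letsencrypt/live}" "${3:-20}"
fi
```

Run it as root, for example from the same crontab once a day, because the live directory is normally readable only by root.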

Conclusion

You have learned how to secure Apache with Let’s Encrypt SSL on CentOS 7 by using Certbot. If you have any queries regarding this please don’t forget to comment below.

Install Composer on CentOS

Composer is one of the best dependency management tools for PHP and can install and update project dependencies seamlessly. When installing a package, it also checks which other packages that package depends on and then installs all the dependencies. In this tutorial, you are going to learn how to install Composer on CentOS 7.

Prerequisites

Before you start to install Composer on CentOS 7, you must have a non-root user account with sudo privileges on your server/desktop.

1. Install Composer

Before you install Composer, update the system software packages by typing:

sudo yum -y update

Now install some dependencies for Composer by typing:

sudo yum install php-cli php-zip wget unzip

Enter the following commands to download the Composer setup script:

cd ~
curl -sS https://getcomposer.org/installer -o composer-setup.php

Now verify the integrity of the installer: it must match the SHA-384 hash of the latest installer found on the Composer Public Keys or Signatures page. Fetch the published hash by running the following command:

HASH="$(wget -q -O - https://composer.github.io/installer.sig)"

Check whether the installation script is corrupted by running:

php -r "if (hash_file('SHA384', 'composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"

You should get the following output:

Output
Installer verified

If you don’t see the above output, you may get the Installer corrupt output instead. In this case, download Composer again and check the hash value until you get the Installer verified output.
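
The PHP one-liner above prints its verdict but always exits with status 0, so a provisioning script cannot branch on it. The function below is an added example, not part of the original tutorial or of Composer: it performs the same SHA-384 comparison with sha384sum, returns a distinct exit status for each outcome, and treats an empty or malformed published hash (for instance when the wget call failed) as an error instead of a mismatch. The function name verify_sha384 is an assumption made for this example.

```sh
#!/bin/sh
# Added example (not from the original tutorial or from Composer).
# verify_sha384 FILE EXPECTED
#   returns 0  FILE matches EXPECTED
#   returns 1  mismatch; FILE is deleted so it cannot be run by accident
#   returns 2  EXPECTED is not a SHA-384 hex digest, or FILE is unreadable
verify_sha384() {
    file=$1
    # Strip whitespace/newlines from the fetched value and lower-case it.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A failed download of installer.sig yields an empty string or an
    # error page; accept nothing but exactly 96 hex characters.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "expected hash is missing or malformed" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 96 ]; then
        echo "expected hash is missing or malformed" >&2
        return 2
    fi

    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    actual=$(sha384sum "$file" | cut -d ' ' -f 1)

    if [ "$actual" = "$expected" ]; then
        echo "Installer verified"
        return 0
    fi
    echo "Installer corrupt" >&2
    rm -f -- "$file"
    return 1
}

# Usage with the commands from this tutorial:
#   HASH="$(wget -q -O - https://composer.github.io/installer.sig)"
#   verify_sha384 composer-setup.php "$HASH" || exit 1
```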

Now run the following command to install Composer globally inside the /usr/local/bin directory.

sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer

You should get the following output

Output
All settings correct for using Composer
Downloading...

Composer (version 1.6.3) successfully installed to: /usr/local/bin/composer
Use it: php /usr/local/bin/composer

Run the following command to confirm the installation

composer

You will see the following output

Output
   ______
  / ____/___  ____ ___  ____  ____  ________  _____
 / /   / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__  )  __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
                    /_/
Composer 1.6.3 2018-01-31 16:28:17

Usage:
  command [options] [arguments]

Options:
  -h, --help                     Display this help message
  -q, --quiet                    Do not output any message
  -V, --version                  Display this application version
      --ansi                     Force ANSI output
      --no-ansi                  Disable ANSI output
  -n, --no-interaction           Do not ask any interactive question
      --profile                  Display timing and memory usage information
      --no-plugins               Whether to disable plugins.
  -d, --working-dir=WORKING-DIR  If specified, use the given directory as working directory.
  -v|vv|vvv, --verbose           Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

If you see the above output, you have installed Composer successfully.

Use Composer In PHP Project

Composer is now installed globally on your system. To use Composer you need a root directory for your project; inside that directory you install the dependency packages with Composer.

Create the directory NewProject as the root directory of your project.

mkdir NewProject
cd NewProject

Now install the latest version of the guzzlehttp/guzzle package by using the following command.

composer require guzzlehttp/guzzle
Output
Using version ^6.3 for guzzlehttp/guzzle
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 4 installs, 0 updates, 0 removals
  - Installing guzzlehttp/promises (v1.3.1): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing guzzlehttp/psr7 (1.4.2): Loading from cache
  - Installing guzzlehttp/guzzle (6.3.3): Loading from cache
guzzlehttp/guzzle suggests installing psr/log (Required for using the Log middleware)
Writing lock file
Generating autoload files

After installing the package you will see that Composer created three items: the composer.json file, the composer.lock file, which contains package names with versions, and the vendor directory.
Enter the following command to check.

ls -l
Output
total 12
-rw-rw-r-- 1 linux4one admin   59 Nov 11 20:13 composer.json
-rw-rw-r-- 1 linux4one admin 2934 Nov 11 20:13 composer.lock
drwxrwxr-x 4 linux4one admin 4096 Nov 11 20:13 vendor

Now that you have installed the guzzle package, create a file test.php and copy the following code into it. It checks the status code of a URL: if the URL loads successfully it gives 200, otherwise a different number.

test.php
<?php

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

$client = new Client(); 
$res = $client->request('GET', 'https://api.github.com/repos/guzzle/guzzle'); 
echo "statuscode : ".$res->getStatusCode();

Run the above script by typing

php test.php

Output should be

statuscode : 200

If you want to update the package then you can use the following command.

composer update

Conclusion

You have successfully learned how to install Composer on CentOS 7. If you have any queries regarding this don’t forget to comment below.

Install LAMP stack on CentOS

LAMP stack stands for a set of packages: Linux, Apache, MySQL, and PHP. The LAMP stack is widely used for hosting websites and apps. In this tutorial, you are going to learn how to install the LAMP stack on CentOS.

Prerequisites

Before you start to install the LAMP stack on CentOS 7, you must have a non-root user account with sudo privileges on your server.

1. Install Apache

In CentOS and RHEL the Apache service is known as httpd. Because Apache is available in the CentOS core repositories, installation is pretty easy.

To install Apache on CentOS, enter the following command:

sudo yum install httpd

Once you have installed Apache, start and enable the service by typing the following in the terminal:

sudo systemctl start httpd
sudo systemctl enable httpd

Confirm the status of the Apache service by running the following command:

sudo systemctl status httpd

Enter CTRL+c to exit.

2. Install MariaDB

Now you are going to install MariaDB on your server. To install it, type the following:

sudo yum install mariadb-server

After installing MariaDB, start and enable the MariaDB service by running the following commands.

sudo systemctl start mariadb.service
sudo systemctl enable mariadb.service

Check the status of the MariaDB service by typing:

sudo systemctl status mariadb.service

The installer generates a temporary password for MariaDB and saves it inside a file. To check the password inside the file, enter the following command:

grep "A temporary password" /var/log/mysqld.log  | tail -n1

[Some text hidden] A temporary password is generated for root@localhost: Eif;=GPCD88#

To secure MariaDB, run the following command.

sudo mysql_secure_installation

Once you execute the above command you will be asked to enter the current password (press ENTER for none). You will then be asked the following questions; enter y for each of them:

  • Set root password? : y
  • Remove anonymous users? : y
  • Disallow root login remotely? : y
  • Remove test database and access to it? : y
  • Reload privilege tables now? : y

Enter CTRL+c to exit

3. Install PHP

CentOS does not ship with PHP 7.2 in its core repositories. Here we are going to use the Remi repository to install PHP 7.2.

Enter the following command to add the Remi repository on CentOS:

sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Now enable the remi-php72 repository. To do so, type:

sudo yum install yum-utils
sudo yum-config-manager --enable remi-php72

Install PHP and some of its required extensions by typing:

sudo yum install php php-common php-gd php-curl php-mysql

Now restart Apache by using the following command

sudo systemctl restart httpd

Test PHP

Now create an info.php file to test PHP. To do so, type the following:

echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/info.php

Now visit http://YOUR_DOMAIN_NAME_OR_IP_ADDRESS/info.php or http://localhost/info.php in your browser.

Conclusion

You have successfully learned how to install the LAMP stack on CentOS 7. If you have any queries regarding this please don’t forget to comment below.