Creating a LAMP Server on Fedora 27 with SSL

This guide walks you through setting up a Fedora 27 LAMP server with an SSL (HTTPS) certificate from Let’s Encrypt.

Installing Fedora 27

  1. Install Fedora 27 via Net Install ISO.
  2. In Software Selection, select Minimal Install.
    1. It may take a minute for the installer to download metadata before you can open this screen.
  3. In Network & Host Name, set the Host Name, then click Apply and Done.
  4. In Installation Destination, select Custom, then click Done.
    1. Verify LVM is selected.
    2. Click “Click here to create them automatically”.
      1. Verify / is XFS File System.
      2. Under Desired Capacity for /, type “9999999999” (a value larger than the disk, so the installer gives / all remaining space), then click the Update Settings button.
      3. Click Done, then click Accept Changes in the Summary of Changes window pop-up.
  5. Click Begin Installation.
  6. Set a Root Password, then click Done.
  7. Wait for installation to complete, then reboot.

Post Install

  1. Log in as root and make sure the OS is up to date:
    dnf upgrade --refresh
  2. Fix the Fedora MAC address & DHCP issue (only if you are using Windows DHCP services):
    echo "send dhcp-client-identifier = hardware;" >> /etc/dhcp/dhclient.conf

    1. Reboot
  3. Create a new, stronger SSH key (the default is only 2048 bits):
    ssh-keygen -t rsa -b 4096 -C "root-tgserv-key"

    1. Hit enter for default location and name.
    2. Hit enter again to skip passphrase creation.
    3. From this point on, SSH to the server to continue.
  4. Install the following packages, then reboot:
    dnf install -y hyperv-daemons hyperv-tools cockpit policycoreutils-python-utils rsync tar unzip net-tools dnf-automatic httpd mariadb mariadb-server php php-mysqlnd php-gd php-pecl-zip php-theseer-fDOMDocument php-pecl-apcu phpmyadmin php-gettext
    
    1. Caution: phpMyAdmin is included in the command above. If this is a public install, it is recommended that you exclude it.
    2. Note: if you are not installing on a Hyper-V hypervisor, exclude the following packages: hyperv-daemons hyperv-tools
  5. Configure Services:
    systemctl enable --now cockpit.socket
    systemctl enable --now httpd.socket
    systemctl enable --now mariadb.service
    
  6. Configure Firewall:
    firewall-cmd --add-service=cockpit --permanent
    firewall-cmd --add-port=http/tcp --permanent
    firewall-cmd --add-port=https/tcp --permanent
    firewall-cmd --reload
    
    1. Reboot now
  7. Configure MySQL / MariaDB (run the command below):
    /usr/bin/mysql_secure_installation

    1. Hit Enter when asked for the current root password (this is a new installation, so it is blank).
    2. Enter Y to set root password.
    3. Enter Y to remove anonymous users.
    4. Enter Y to disallow root login remotely. (okay to enter N if not publicly accessible)
    5. Enter Y to remove test database.
    6. Enter Y to reload privilege tables.
  8. Allow remote access to phpMyAdmin (not advised if the server is publicly accessible):
    vi /etc/httpd/conf.d/phpMyAdmin.conf

    1. In each of the four access-control sections of that file, add a Require ip line for the networks that are allowed to reach phpMyAdmin, alongside the existing Require ip 127.0.0.1 entries, for example:
      Require ip 172.16.0.0/12
    2. Restart httpd service:
      service httpd restart
  9. Configure the automatic update settings by setting the following in the file below:
    vi /etc/dnf/automatic.conf

    1. apply_updates = yes
    2. emit_via = email
    3. email_from = serveralerts@email.com
    4. email_to = IT@email.com
    5. email_host = yourSMTPserver.com
  10. Configure the automatic update schedule by changing the following in the file below:
    vi /usr/lib/systemd/system/dnf-automatic-install.timer

    1. OnUnitInactiveSec=6h
  11. Enable automatic update system timer:
    systemctl enable dnf-automatic-install.timer && systemctl start dnf-automatic-install.timer

    1. After a reboot, verify that the timer is listed by running:
      systemctl list-timers
  12. Set SELinux httpd_t to permissive:
    semanage permissive -a httpd_t
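
The following script is an added example for steps 9 to 11, not part of the original post. It applies the dnf-automatic settings idempotently and sets the timer interval through a systemd drop-in, because the unit file under /usr/lib/systemd/system is owned by the dnf-automatic package and the next package update would overwrite an edit made there. The file and directory paths are parameters so the functions can be exercised on a constructed copy of automatic.conf; the real targets are /etc/dnf/automatic.conf and /etc/systemd/system (followed by systemctl daemon-reload).

```shell
#!/bin/sh
# Added example (not from the original post): apply the dnf-automatic settings
# from steps 9-11 idempotently and override the timer interval with a systemd
# drop-in instead of editing the unit under /usr/lib/systemd/system.

# set_ini_value FILE SECTION KEY VALUE
# Replace "KEY = ..." inside [SECTION] if present, append it to the section if
# missing, and create the section if the file lacks it. Running it twice
# yields the same file, so it is safe in a provisioning script.
set_ini_value() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        /^[[:space:]]*\[/ {
            # leaving the target section without having seen the key: add it
            if (in_sec && !done) { print key " = " val; done = 1 }
            in_sec = ($0 == ("[" sec "]"))
        }
        in_sec && !done && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_sec) print "[" sec "]"
                print key " = " val
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_ini_value FILE SECTION KEY -> prints the value, used to verify the result
get_ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 == ("[" sec "]")); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# write_timer_override SYSTEMD_DIR INTERVAL
# Creates SYSTEMD_DIR/dnf-automatic-install.timer.d/override.conf. After
# writing it under /etc/systemd/system, run: systemctl daemon-reload
write_timer_override() {
    dir=$1/dnf-automatic-install.timer.d
    mkdir -p "$dir" &&
    printf '[Timer]\nOnUnitInactiveSec=%s\n' "$2" > "$dir/override.conf"
}

# Demonstration on a constructed copy of automatic.conf, not the live file.
demo() {
    work=$(mktemp -d) || return 1
    printf '[commands]\napply_updates = no\n\n[emitters]\nemit_via = stdio\n' \
        > "$work/automatic.conf"
    set_ini_value "$work/automatic.conf" commands apply_updates yes
    set_ini_value "$work/automatic.conf" emitters emit_via email
    set_ini_value "$work/automatic.conf" email email_from serveralerts@email.com
    set_ini_value "$work/automatic.conf" email email_to IT@email.com
    set_ini_value "$work/automatic.conf" email email_host yourSMTPserver.com
    write_timer_override "$work/systemd" 6h
    cat "$work/automatic.conf" "$work/systemd/dnf-automatic-install.timer.d/override.conf"
    rm -rf "$work"
}
demo
```

Point the functions at /etc/dnf/automatic.conf and /etc/systemd/system to apply them for real; the drop-in survives package updates, whereas the edited unit file from step 10 does not.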
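
Step 12 switches the whole httpd_t domain to permissive, which keeps SELinux from blocking anything the web server does. As an added example (not from the original post), the script below shows the targeted alternative: summarise the AVC denials httpd actually produces and map the common ones to the boolean that allows just that access. The audit records in SAMPLE_AUDIT are constructed for the demonstration; on a live host you would pipe ausearch output into avc_summary instead. The two booleans named, httpd_can_network_connect_db and httpd_can_sendmail, are real policy booleans; the mapping table is deliberately small and everything else is left for review.

```shell
#!/bin/sh
# Added example (not from the original post): instead of making the whole
# httpd_t domain permissive, summarise the AVC denials httpd actually hits so
# that each one can be fixed with a targeted boolean or file context.
# On a live system:  ausearch -m avc -c httpd --raw | avc_summary
# The audit lines below are constructed for the demonstration.

SAMPLE_AUDIT='type=AVC msg=audit(1515177600.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1515177601.234:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1515177602.345:458): avc:  denied  { write } for  pid=1235 comm="httpd" name="cache" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1515177602.345:458): arch=c000003e syscall=1 success=no exit=-13'

# avc_summary: reads raw audit records on stdin and prints one line per
# distinct denial as "COUNT SOURCE_TYPE CLASS TARGET_TYPE PERMISSIONS",
# most frequent first. Permissions come last because a record may list
# several inside the braces.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            perm = stype = ttype = tclass = ""
            # the permission set is printed between braces: { name_connect }
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            }
            count[stype " " tclass " " ttype " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# suggest_boolean PERMISSION CLASS TARGET_TYPE
# Maps the two denials a LAMP box most often produces to the SELinux boolean
# that allows just that access; anything else should go through
# "audit2allow -a" and a human review rather than a blanket permissive domain.
suggest_boolean() {
    case "$2:$1:$3" in
        tcp_socket:name_connect:mysqld_port_t) echo httpd_can_network_connect_db ;;
        tcp_socket:name_connect:smtp_port_t)   echo httpd_can_sendmail ;;
        *)                                     echo review-with-audit2allow ;;
    esac
}

# Demonstration on the constructed records. On a real host the follow-up for
# the first line would be:  setsebool -P httpd_can_network_connect_db on
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary |
while read -r n stype tclass ttype perm; do
    echo "$n x $stype $tclass $perm on $ttype -> $(suggest_boolean "$perm" "$tclass" "$ttype")"
done
```

Run it once on a host that has been exercised through its normal workload (PHP pages hitting MariaDB, mail sending, uploads); each summary line is then either a boolean to enable with setsebool -P or a file-context fix, and httpd_t can stay enforcing.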

Implementing SSL

If you want to use SSL on your LAMP server so your website can be accessed via HTTPS, you’ll need a cert.

In this section, I’ll guide you through setting this up for free via Let’s Encrypt, on Fedora 27 with Apache installed.

The certbot-apache plugin will configure Apache for SSL automatically if you follow the steps below:

  1. Create an Apache config file named appropriately for your domain:
    vi /etc/httpd/conf.d/tgserv.timothygruber.com.conf

    1. Paste the following into the file above, changing it to fit your needs, then save:
      <VirtualHost *:80>
          ServerAdmin your@email.com
          DocumentRoot /var/www/html
          ServerName tgserv.timothygruber.com
          ErrorLog /etc/httpd/logs/tgserv.timothygruber.com-error_log
          CustomLog /etc/httpd/logs/tgserv.timothygruber.com-access_log common
      </VirtualHost>
  2. Restart the web server:
    service httpd restart
  3. Install Certbot:
    dnf install certbot-apache
  4. Set up Certbot:
    certbot --apache

    1. Certbot should find your domains automatically, as long as you have a working DNS entry for your domain. Let’s Encrypt uses that entry to verify that you control the domain.
  5. Test the renewal process:
    certbot renew --dry-run
  6. Set up a cron job to run renewal. Certificates expire every 90 days, but this job tries renewal twice daily to prevent downtime should a situation arise such as your certificates being expired or revoked.
    1. Edit the root crontab:
      crontab -e
    2. Paste in the following, then save:
      0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
  7. Test your website using https://sitename.com
