In this article, I’m going to be outlining the steps to install and configure a complete web server on a base install of CentOS 6. (Which should be compatible with Scientific Linux 6 as well as Red Hat Enterprise Linux 6)
I personally prefer not to install package groups such as “LAMP” during the initial installation, because I’m too lazy to review every package those groups pull in and what their dependencies are. Installing the required packages with yum lets you install just the software you’re looking for, while yum still resolves the dependencies for you. This software stack is time tested; we’ll install on CentOS’s latest release, and test a few popular applications while we’re at it!
For more in-depth coverage of Apache, php, and MySQL, see my previous post about setting up a web server in Ubuntu 12.04; in this guide, I’m going to focus on CentOS / Red Hat specific requirements to get your server up and running in no time.
Requirements:
A newly installed CentOS 6 (or similar distro) with absolute minimum base install (we like a challenge!).
Internet connection, or at least a connection to a local repository.
Your command-line A-game.
Tasks to completion:
The minimal install in CentOS is very bare, includes some things other distros don’t, and doesn’t include some things other distros do.
Create new administrative user and add that user to sudoers.
Configure ssh settings.
Configure iptables.
Configure network settings. (because by default, you’ll have no network connection!)
Install web server packages: httpd, php, mysql-server, php-mysql.
Configure selinux contexts. (Don’t be scared, it’s easy!)
Step 1: Create administrative user
For security reasons, it’s not desirable to log in directly as root. By default, root is the only account created during a minimal install of CentOS, therefore we must create a new administrative account.
First, log in as root via the terminal. Now, let’s create a new user (the user name can be whatever you wish).
useradd webadmin
When you run cat /etc/passwd, your output should contain the following at the bottom (500 is the first UID/GID CentOS 6 hands out to regular users):
webadmin:x:500:500::/home/webadmin:/bin/bash
Set the password for that user as follows:
passwd webadmin
Followed by entering the password at the prompt (your text will be hidden).
Step 2: Add user to sudoers
sudo should be installed by default on CentOS 6, but no users other than root will be configured. Let’s edit the sudoers file using the command “visudo”. This launches a special vi/vim session that checks the file’s syntax before saving, so a typo can’t lock you out of sudo. Locate the following line:
root ALL=(ALL) ALL
Now, copy that line, and change ‘root’ to your new user’s name, in our case webadmin. Save and exit the program. (CentOS 6 also ships a commented-out line granting the wheel group the same rights; uncommenting it and adding your user to the wheel group is the group-based equivalent.)
Let’s test this user’s permissions in another terminal: press alt+f2, log in as the new user, and use sudo as normal. Everything should work without error. If it does, log out of that terminal, switch back to tty1 (alt+f1), log out of root, and log in as the newly created user.
Step 3: Configure sshd
We’re going to prevent root from accessing the system via ssh. This is a best-practice in Linux security, and while completely optional, is highly recommended.
Add the following lines to the file /etc/ssh/sshd_config:
DenyUsers root
DenyGroups root
Then restart the sshd service. (The directive most administrators use for this is PermitRootLogin no; it achieves the same result and can be combined with the lines above. Note that PermitRootLogin without-password still admits root with a key, so use no.)
We don’t have networking up yet, and the ssh client isn’t installed on the local system, so we can’t test this just yet. After you have set up networking in the steps below, try to ssh in as webadmin (or the user you created); it should work fine. Now try as root: the login should be refused with a permission-denied error even when the password is correct. Whenever you change sshd_config on a remote box, keep your existing session open until you have confirmed that a fresh login works. Another option is to white-list which users can log in by adding AllowUsers <username>, though blocking root is adequate for most situations.
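As an added example (not part of the original article), here is a small audit script that reads an sshd_config the way sshd itself does, so you can confirm root is locked out before you restart the service and risk your only session. It assumes OpenSSH’s config grammar as shipped on CentOS 6 (keyword-value lines, # comments, first PermitRootLogin wins, Deny* directives accumulate); the sample config files it writes are constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for root
# login before restarting sshd. Assumes OpenSSH's config grammar as shipped on
# CentOS 6 ("Keyword value", '#' comments, first PermitRootLogin wins, Deny*
# directives accumulate). The sample files written below are constructed.

# Print the first value of KEYWORD in FILE (how sshd resolves single-value
# keywords); prints nothing if the keyword is absent or only commented out.
sshd_first_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print every value of every occurrence of KEYWORD in FILE, one per line
# (DenyUsers/DenyGroups/AllowUsers are lists and may be repeated).
sshd_all_values() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Exit 0 if root cannot log in over ssh according to FILE, 1 otherwise.
root_login_blocked() {
    cfg="$1"
    # sshd defaults PermitRootLogin to "yes" when the line is absent or
    # commented out (the CentOS 6 stock file ships "#PermitRootLogin yes").
    # "without-password" / "forced-commands-only" still admit root with a
    # key, so only "no" counts as blocked here.
    if [ "$(sshd_first_value "$cfg" PermitRootLogin)" = "no" ]; then
        return 0
    fi
    # The article's method: DenyUsers root / DenyGroups root. These take
    # patterns, so compare the literal word rather than a substring.
    for kw in DenyUsers DenyGroups; do
        for v in $(sshd_all_values "$cfg" "$kw"); do
            if [ "$v" = "root" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Write three constructed sshd_config samples into DIR:
#   default   - the CentOS 6 stock file (root login still permitted)
#   denyusers - the article's hardening
#   permit_no - the conventional PermitRootLogin no
write_demo_configs() {
    dir="$1"
    printf '#PermitRootLogin yes\nProtocol 2\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$dir/default"
    printf 'Protocol 2\nDenyUsers root\nDenyGroups root\n' > "$dir/denyusers"
    printf 'Protocol 2\nPermitRootLogin no\n' > "$dir/permit_no"
}

# Report on one file and fail (exit 1) if root is still permitted.
# Usage on the server: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config() {
    if root_login_blocked "$1"; then
        echo "$1: root ssh login blocked"
    else
        echo "$1: root ssh login PERMITTED"
        return 1
    fi
}
```

Run audit_sshd_config /etc/ssh/sshd_config before `service sshd restart`, and pair it with `sshd -t`, which checks the file for syntax errors that would stop sshd from coming back up.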
Step 4: Configure iptables
Unlike other distros such as Debian and Ubuntu, CentOS has iptables rules and policies in place from the start. If your system is going to sit behind a properly configured firewall, it is common to disable iptables altogether. Be aware that flushing the rules as shown below leaves the default policies at ACCEPT, so every port is then open to whatever can reach the host:
## first, let's save a copy in case we change our minds later
iptables-save > /root/default.iptables
## only perform this step if you don't want to use iptables (not recommended)
iptables -F
## make these rules (or lack thereof) persistent (will survive reboot)
/etc/init.d/iptables save
However, we’re going to assume you want iptables to be fully configured, and only white-listed traffic will be getting through.
First, if you’re administering this system remotely, you need to allow for ssh, otherwise you’ll lose your connection and lock yourself out of your system:
iptables -A INPUT -s your-ip-here -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
Keep in mind your settings may vary. As written, the first rule accepts all inbound traffic from your desktop/network’s IP (restrict it to port 22 if ssh is all you need from there), and the second lets the server’s ssh replies out. Add these rules before changing the default policy in the next step, or the policy change will cut off your session.
Next, I like to completely lock the system down by setting the default policy to DROP. Anything that does not match an ACCEPT rule will be dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Now that the system is locked down, let’s open up our ports.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
Be aware of what this ruleset does not allow: with OUTPUT defaulting to DROP and no rule for the loopback interface or for established connections, the server itself cannot resolve names or reach a yum repository, and local services talking over 127.0.0.1 (php to MySQL, for instance) are blocked as well. Before running yum update in Step 6 you must also permit loopback traffic and outbound DNS and HTTP, or accept ESTABLISHED,RELATED traffic plus the outbound connections you need.
That’s it. Let’s go ahead and save our configuration, as well as make a backup copy of our rules in case we overwrite what we’ve done at a later date, and need to fall back.
service iptables save
iptables-save > /root/iptables.saved
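The rules above, as an added example that is not part of the original article: a script that generates a complete, stateful ruleset in the format /etc/sysconfig/iptables uses, closing the gaps in Step 4 (loopback, established connections, outbound DNS and HTTP so yum keeps working under a DROP policy). It assumes the admin host or network is given as an IPv4 address or CIDR and that the state match module is present, which it is on CentOS 6; 203.0.113.10 in the usage comment is a documentation address, not a real host.

```shell
#!/bin/sh
# Added example, not from the original article: generate a complete, stateful
# ruleset in iptables-restore format for the web server described above.
# Assumptions: the admin host/network (ADMIN) is an IPv4 address or CIDR; the
# state match module is available (it is on CentOS 6); services are ssh (22)
# in from ADMIN only, http/https (80/443) in from anywhere, and outbound
# DNS/http/https so that yum keeps working under a DROP policy.

# Return 0 if $1 looks like a dotted-quad IPv4 address with optional /prefix.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Print the ruleset for /etc/sysconfig/iptables to stdout.
web_ruleset() {
    admin="$1"
    if ! valid_ipv4 "$admin"; then
        echo "web_ruleset: '$admin' is not an IPv4 address or CIDR" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (php -> mysql over 127.0.0.1) need this
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections already accepted; this replaces per-service
# --sport rules and is what lets outbound tools (yum) get answers back
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop malformed/out-of-state packets before looking at services
-A INPUT -m state --state INVALID -j DROP
# ssh: only from the admin host/network, only to port 22
-A INPUT -s $admin -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# web traffic from anywhere
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# allow ping so monitoring can see the host (remove if not wanted)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# outbound: DNS plus http/https for yum and repositories
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# outbound ping (optional)
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Usage on the server (as root), with a safety net against locking yourself out:
#   iptables-save > /root/iptables.saved
#   web_ruleset 203.0.113.10 > /etc/sysconfig/iptables
#   (sleep 120 && iptables-restore < /root/iptables.saved) &
#   service iptables restart
#   # still connected? cancel the pending revert:
#   kill %1
```

The background revert is the important habit: if the new ruleset breaks your session, the old rules come back on their own two minutes later; if it works, kill the job and the new rules stay.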
Step 5: Configure network settings
You may be asking yourself why you have no network connectivity after installation. I join you in this questioning; I’m sure someone, somewhere decided that this was the best approach to take. This is a minimum-install we’re working with, after all.
If you have jumped the gun and run ifconfig eth0, I applaud your efforts; however, if that simple command were adequate you wouldn’t be reading this section right now, would you? Anyway..
CentOS and related distros store a lot of system configuration settings in the /etc/sysconfig directory. We’re going to make a few changes.
First, we want to set our system’s hostname. Edit the file /etc/sysconfig/network. This file should be self explanatory; changes to the hostname take effect after a system reboot.
Next, we want to configure our primary network interface. On most systems this will be called eth0. To see which network adapters were found during system boot, run: ifconfig -a
We’re going to assume eth0 is the adapter in question. If this is the case, there should be a corresponding configuration file: /etc/sysconfig/network-scripts/ifcfg-eth0 . Edit this file, adding or changing entries as follows (leave everything else in the file intact, including the HWADDR entry):
Static
## all IPs given are for illustrative purposes. Use your own as appropriate.
BOOTPROTO="static"
BROADCAST="192.168.1.255"
DNS1="192.168.1.1"
GATEWAY="192.168.1.1"
IPADDR="192.168.1.50"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
Dynamic
BOOTPROTO="dhcp"
ONBOOT="yes"
NM_CONTROLLED="yes"
Now, restart networking: service network restart
Next: ifup eth0
If everything went correctly, you should now have network connectivity. If you are getting your IP from dhcp, ifconfig should now show an IP for the adapter eth0.
Step 6: Install web server packages
Okay, with the above setup, you’re clear to start installing packages. I highly recommend running yum update before continuing; it’s important to keep your system’s security patches up to date. (If yum cannot reach the repository, revisit the iptables rules from Step 4: a DROP policy on OUTPUT needs explicit rules for outbound DNS and HTTP.)
yum install httpd php mysql-server php-mysql
Unlike Debian and Ubuntu, apache is not automatically started after installation on CentOS 6.
Before starting httpd (apache), perform the following:
chown apache:apache /var/www/html -R
chcon -R -u system_u -t httpd_sys_content_t -r object_r /var/www/html
Two caveats. Making the document root owned by apache means any code running under httpd (a compromised PHP script, say) can rewrite your site; owning the content as root with group apache and read-only permissions, and granting write access only to the specific directories that need it, is the least-privilege layout. And chcon changes the labels on the files only: a filesystem relabel or a restorecon will reset them to whatever the policy says, so for any document root outside the default /var/www paths record the context with semanage fcontext and apply it with restorecon instead.
Now, start apache and MySQL, and configure them to turn on at system boot:
service httpd start
service mysqld start
chkconfig httpd on
chkconfig mysqld on
MySQL comes up with an empty root password and a test database; run mysql_secure_installation before anything that talks to it goes live.
We can create a “hello world” style index.php file in the /var/www/html directory to test our server. Remember that files created in place (or copied in with cp) inherit the directory’s SELinux context, but files moved in with mv keep the label they had before, so run restorecon on anything you move into /var/www, and check the result with ls -Z.
In-depth reference for apache+SELinux: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fselinux%2Fliaaiselinuxapache.htm
Also be sure to check out man httpd_selinux for more SELinux contexts that might suit your specific needs.
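As an added example, not the article’s own procedure: a helper that publishes a document root with least-privilege ownership and persistent SELinux labels via semanage fcontext and restorecon rather than chcon. It assumes CentOS 6 with the policycoreutils-python package (which provides semanage), that httpd runs as the apache user, and that writable subdirectories such as uploads are named relative to the docroot; setting DRY_RUN=1 prints the commands instead of executing them, which is also how the demonstration below exercises it without root.

```shell
#!/bin/sh
# Added example, not from the original article: publish a document root with
# least-privilege ownership and *persistent* SELinux labels (semanage +
# restorecon) instead of chcon, which a relabel or restorecon will undo.
# Assumptions: CentOS 6 with policycoreutils-python installed (provides
# semanage); the httpd user/group is "apache"; writable subdirectories are
# passed as names relative to the docroot (e.g. "uploads"). Set DRY_RUN=1 to
# print the commands instead of running them.

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# publish_docroot DOCROOT [RW_SUBDIR ...]
publish_docroot() {
    docroot="$1"
    shift
    # Content is owned by root, readable by the apache group, and not
    # writable by httpd at all: a compromised PHP script cannot rewrite it.
    run chown -R root:apache "$docroot"
    run find "$docroot" -type d -exec chmod 0750 '{}' +
    run find "$docroot" -type f -exec chmod 0640 '{}' +
    # Persistent label for the whole tree. Under /var/www the base policy
    # already maps this to httpd_sys_content_t; the explicit rule matters
    # for a docroot elsewhere (e.g. /srv/www). Use "semanage fcontext -m"
    # instead of -a if the local rule already exists.
    run semanage fcontext -a -t httpd_sys_content_t "$docroot(/.*)?"
    # Only directories httpd must write to get the rw label and group write.
    for sub in "$@"; do
        run chmod 0770 "$docroot/$sub"
        run semanage fcontext -a -t httpd_sys_rw_content_t "$docroot/$sub(/.*)?"
    done
    # Apply the recorded rules to the files on disk; unlike chcon, the
    # labels now survive a relabel because the policy itself knows them.
    run restorecon -Rv "$docroot"
}

# Usage (as root):   publish_docroot /var/www/html uploads
# Verify afterwards: ls -Z /var/www/html ; matchpathcon /var/www/html/uploads
```

One related switch worth knowing: if PHP reaches MySQL over TCP rather than the local socket, SELinux will block the connection until you run `setsebool -P httpd_can_network_connect_db on`; over the socket in /var/lib/mysql the default policy already allows it.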
Important config file locations:
Apache/httpd: /etc/httpd/conf/httpd.conf
php: /etc/php.ini
MySQL: /etc/my.cnf