CentOS 7.4 - NGINX (Mainline), PHP 7.2, LetsEncrypt SSL - Installation & Configuration

NGINX is superior to most other web servers with regard to performance, potential to mitigate attacks, and resource usage. But many people have a hard time getting everything working properly, and with good reason. Many installation scripts that manage Nginx for you, and many other guides, give you steps that install an outdated version, which may be lacking critical security updates or performance changes, or a PHP configuration that renders server errors in browsers. We've tested ours and guarantee it works in this environment.

Operating System: CentOS 7.4 x64

Software Stack to Install:
- NGINX Mainline (1.13.8 as of writing this guide January 20, 2018) (CHANGELOG)
- PHP 7.2, PHP-FPM (via Remi repository)
- LetsEncrypt SSL

This guide uses one of our freshly installed CentOS 7.4 KVM servers.


Install PHP 7.2 from Remi repository



• Install yum-utils for the yum-config-manager tool
yum install -y yum-utils

• Install Epel and Remi repositories
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm

• Enable Remi repository
yum-config-manager --enable remi-php72

Note: You can change "php72" to "php71" (or other versions) throughout this guide to use a different PHP version.
 
• Run update then install the PHP packages
yum update -y
yum install -y php72 php72-php-fpm

• We need to edit the php.ini config for this PHP installation (you can use any text editor, we prefer nano, we're cooler than vim'ers)
nano /etc/opt/remi/php72/php.ini
Replace:
;cgi.fix_pathinfo=1
With:
cgi.fix_pathinfo=0
(Remove semicolon, change 1 to 0)

• Now we need to edit the configuration for PHP-FPM
nano /etc/opt/remi/php72/php-fpm.d/www.conf
Replace:
listen = 127.0.0.1:9000
With:
listen = /var/run/php72-fpm/php72-fpm.sock

• Now edit the same file, lower in the configuration you will need to change the following
nano /etc/opt/remi/php72/php-fpm.d/www.conf
Replace:
;listen.owner = nobody
;listen.group = nobody
With:
listen.owner = nginx
listen.group = nginx
(Remove semicolons and change 'nobody' to 'nginx')

• Now edit the same file again, near the top of the configuration you will need to change the following
nano /etc/opt/remi/php72/php-fpm.d/www.conf
Replace:
user = apache
group = apache
With:
user = nginx
group = nginx

• Now create the directory for the socket file
mkdir /var/run/php72-fpm

• Change file permissions of the sessions directory so PHP sessions work properly
chown -R nginx:nginx /var/opt/remi/php72/lib/php/session

• After installing NGINX we can start PHP-FPM. If we try now it will give an error, since the "nginx" system user has not been created yet
systemctl restart php72-php-fpm
systemctl enable php72-php-fpm
Note: You will need to install Nginx below first before starting PHP-FPM.
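
A way to confirm that the php.ini and www.conf edits above actually took effect before PHP-FPM is started (added example, not part of the original guide; the function names ini_get, expect and check_php_fpm are illustrative, and the sample files are constructed):

```sh
# Print the effective value of KEY in FILE: the last uncommented
# "key = value" line, trimmed. A line still commented out with ";" is
# skipped, so PHP's built-in default applies (1 for cgi.fix_pathinfo).
ini_get() {   # ini_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Compare one setting with the value the guide asks for; count mismatches.
expect() {   # expect FILE KEY WANT
    got=$(ini_get "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 = $got"
    else
        [ -n "$got" ] || got="(not set)"
        echo "FAIL  $2 = $got, want $3 ($1)"
        failures=$((failures + 1))
    fi
}

# Check every PHP/PHP-FPM edit; exit status is the number of mismatches.
check_php_fpm() {   # check_php_fpm PHP_INI WWW_CONF
    failures=0
    expect "$1" cgi.fix_pathinfo 0
    expect "$2" listen /var/run/php72-fpm/php72-fpm.sock
    for key in listen.owner listen.group user group; do
        expect "$2" "$key" nginx
    done
    return "$failures"
}

# Constructed sample (not real files): only the socket path was edited.
d=$(mktemp -d)
printf '%s\n' '[PHP]' ';cgi.fix_pathinfo=1' > "$d/php.ini"
printf '%s\n' '[www]' 'user = apache' 'group = apache' \
    'listen = /var/run/php72-fpm/php72-fpm.sock' \
    ';listen.owner = nobody' ';listen.group = nobody' > "$d/www.conf"
check_php_fpm "$d/php.ini" "$d/www.conf" || echo "$? setting(s) differ from the guide"
rm -rf "$d"
```

On a real host, call check_php_fpm /etc/opt/remi/php72/php.ini /etc/opt/remi/php72/php-fpm.d/www.conf; a non-zero exit status is the number of settings that still differ.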


Install NGINX Mainline from Nginx repository



• First we must add the NGINX GPG key to verify integrity and confirm the origin of the packages
wget https://nginx.org/keys/nginx_signing.key
rpm --import nginx_signing.key && rm -f nginx_signing.key

• Let's add the NGINX repo now. Create a new file
nano /etc/yum.repos.d/nginx.repo
Add the following contents and save:
[nginx]
name=nginx
baseurl=https://nginx.org/packages/mainline/centos/7/x86_64/
gpgcheck=1
enabled=1

• Now we can install NGINX Mainline
yum update -y
yum install -y nginx

• Start NGINX and enable at boot
systemctl start nginx
systemctl enable nginx

• Check the NGINX version and status to confirm
systemctl status nginx && nginx -v

• Now we can create a new virtual host config for our domain. Make sure to replace all occurrences of "example.com" with your own domain
nano /etc/nginx/conf.d/example.com.conf
Paste the following contents:
server {
  listen 80;
  server_name www.example.com example.com;
  root /usr/share/nginx/example.com;
  index index.php index.html index.htm;
  
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }
  
  error_page 404 /404.html;
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/example.com;
  }
  
  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php72-fpm/php72-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
}

• Now restart NGINX, also restart PHP-FPM since the nginx user has been created now
systemctl restart nginx
systemctl restart php72-php-fpm


• Let's make the web directory for the virtual host now and create an index file and a PHP info file to confirm PHP processing is working
mkdir /usr/share/nginx/example.com
echo "test index" >> /usr/share/nginx/example.com/index.html
echo "<?php phpinfo(); ?>" >> /usr/share/nginx/example.com/info.php

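Visit your domain in your web browser now to confirm all is working. You can go to /info.php on your domain to check the PHP modules and parameters. Delete info.php once you have confirmed PHP is working, since the phpinfo() page exposes the server's full PHP configuration to anyone who requests it.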

• To update NGINX in the future to new mainline builds, just run the following
yum update nginx -y
systemctl restart nginx

• If you are using a firewall, make sure to allow both web ports
firewalld:
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
iptables:
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT


Install LetsEncrypt SSL and enable HTTPS and HTTP/2 for virtual host



• Now install LetsEncrypt certbot
yum install -y certbot-nginx

• Run certbot now, it will ask for the webroot directory and your e-mail. The "certbot-nginx" that we installed should modify your Nginx virtual host config automatically, so no manual changes should be needed.
certbot --authenticator webroot --installer nginx

• Create a crontab entry to run the renewal check automatically (this schedule runs every Monday at 04:35; certbot only renews certificates that are close to expiry)
crontab -e
Add:
35 4 * * 1 certbot renew >> /var/log/certbot-renew.log 2>&1

• All done!

If you have a suggestion for a modification to this guide, feel free to open a support ticket. We don't provide technical support for any guides shared here.
