Nesta página estão listados os processos de configuração para servidores web/banco, com foco em PHP, FTP e banco MariaDB. Fazem parte das necessidades que tive em minha carreira como professor, programador e gestor.
# Disk usage overview in GiB; unrelated to the web-server steps that follow.
ls -l --block-size=G
# Base repositories: EPEL plus Remi (source of the PHP 7.3 packages used later).
sudo yum update
sudo yum install epel-release
# NOTE(review): the release package is fetched over plain http and installed
# straight away; rpm can only verify its signature if the Remi key is already
# imported, so prefer the https URL or check the package signature first.
sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# Apache: install, start now, enable at boot, confirm it is running.
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl status httpd
# Enable mod_rewrite (the LoadModule line to keep is shown below).
vim /etc/httpd/conf.modules.d/00-base.conf
/etc/httpd/conf.modules.d/00-base.conf
# Loads mod_rewrite so RewriteEngine/RewriteCond/RewriteRule work in the vhosts below.
LoadModule rewrite_module modules/mod_rewrite.so
# Turn on .htaccess overrides for the document root (Directory block shown below).
vim /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
# AllowOverride All lets any .htaccess under the docroot change Apache settings
# (rewrite rules, handlers, PHP flags). Combined with the FTP setup further
# down, which makes this tree writable by FTP users, anyone who can upload can
# also change server behaviour; limit it to the override types actually needed
# (e.g. "AllowOverride FileInfo") where possible.
<Directory /var/www/html>
AllowOverride All
</Directory>
sudo systemctl restart httpd
# Default document root (path reference, not a command).
/var/www/html/
# mod_ssl provides the *:443 vhost support used in the site config below.
yum install mod_ssl
# Site directory plus its own vhost file (contents follow).
mkdir /var/www/html/exemplo
vim /etc/httpd/conf.d/exemplo.conf
/etc/httpd/conf.d/exemplo.conf
# HTTP vhost. Nothing here redirects to HTTPS, so the site stays reachable in
# clear text alongside the *:443 vhost below.
<VirtualHost *:80>
ServerName exemplo.dominio.com.br
# ServerAlias merely repeats ServerName; it is meant for additional hostnames.
ServerAlias exemplo.dominio.com.br
DocumentRoot /var/www/html/exemplo
# Relative to ServerRoot: these are the server-wide default log files, so this
# vhost's entries are mixed with every other vhost using the defaults.
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
</VirtualHost>
# HTTPS vhost (requires mod_ssl, installed above).
<VirtualHost *:443>
ServerName exemplo.dominio.com.br
ServerAlias exemplo.dominio.com.br
DocumentRoot /var/www/html/exemplo
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
# Only SSLv2/SSLv3 are excluded; TLS 1.0 and 1.1 stay enabled. Prefer
# "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" once the ssl_request_log below
# shows no clients depending on them.
SSLProtocol all -SSLv2 -SSLv3
# 3DES is explicitly kept; add "!3DES" unless a legacy client needs it.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
# localhost.crt/.key is the self-signed pair created by the mod_ssl package;
# browsers will warn until a certificate for exemplo.dominio.com.br replaces
# it (the certbot steps further down show one way to obtain one).
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Export SSL_* variables to CGI/PHP scripts (small per-request cost).
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# Legacy IE 2-5 workaround copied from the stock ssl.conf; harmless but obsolete.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-request protocol/cipher log; useful for spotting old clients before
# tightening SSLProtocol and SSLCipherSuite above.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# PHP 7.3 from Remi's replacement repo (installs the plain "php" package, i.e.
# the non-SCL build under /usr/lib64/php); restart Apache so mod_php loads.
yum --enablerepo=remi-php73 install php
systemctl restart httpd.service
# Expose HTTP/HTTPS through firewalld; --permanent rules take effect after --reload.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
# Xdebug comes from the php73-* (SCL-style) packages, which install under
# /opt/remi/php73 and /etc/opt/remi/php73. The two cp lines copy the ini and
# the .so into the base PHP tree by hand; the two builds must match exactly or
# the extension will fail to load. "(pesquisa o componente na nuvem)" is the
# author's note: "searches the repositories for the component".
yum search xdebug (pesquisa o componente na nuvem)
yum install php73-php-pecl-xdebug.x86_64
cp /etc/opt/remi/php73/php.d/15-xdebug.ini /etc/php.d/
cp /opt/remi/php73/root/usr/lib64/php/modules/xdebug.so /usr/lib64/php/modules/
# Xdebug settings to add to php.ini (shown below).
vim /etc/php.ini
/etc/php.ini
[xdebug]
#this line will be added automatically
zend_extension=/usr/lib64/php/modules/xdebug.so
#add the following
; Xdebug 2 remote debugging. With remote_connect_back=1 Xdebug ignores
; remote_host and connects back to whichever client IP made the HTTP request,
; so any visitor can make the server open a debugger connection to themselves.
; Development/lab setting only; do not leave it enabled on a reachable server.
xdebug.remote_enable=1
xdebug.remote_connect_back=1
xdebug.remote_port=9000
; Only consulted when remote_connect_back is off.
xdebug.remote_host=192.168.0.5
; /tmp is shared with every local user; consider a dedicated, restricted log
; location if the log must be kept at all.
xdebug.remote_log="/tmp/xdebug.log"
; NOTE(review): the trailing "$" looks accidental - confirm the IDE key value.
xdebug.idekey=HOMOLOG$
# Opens inbound TCP 9000 (runtime rule, then permanent, then reload).
# NOTE(review): Xdebug itself connects *out* from the server to the IDE on
# port 9000, so an inbound rule on the server is not normally required -
# confirm it is needed before exposing the port.
sudo firewall-cmd --add-port=9000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9000/tcp
sudo firewall-cmd --reload
service httpd restart
# PHP extensions, each as "search, then install" from the php73-* package set.
# The parenthesised note means "searches the repositories for the component".
yum search php-mysql (pesquisa o componente na nuvem)
yum install php73-php-mysqlnd.x86_64
yum search php-xml (pesquisa o componente na nuvem)
yum install php73-php-xml.x86_64
# Duplicate of the two php-xml lines above; harmless, can be dropped.
yum search php-xml (pesquisa o componente na nuvem)
yum install php73-php-xml.x86_64
yum search php-xmlrpc (pesquisa o componente na nuvem)
yum install php73-php-xmlrpc.x86_64
yum search php-gd (pesquisa o componente na nuvem)
yum install php73-php-gd.x86_64
yum search php-opcache (pesquisa o componente na nuvem)
yum install php73-php-opcache.x86_64
yum search php-mbstring (pesquisa o componente na nuvem)
yum install php73-php-mbstring.x86_64
yum search php-bcmath (pesquisa o componente na nuvem)
yum install php73-php-bcmath.x86_64
yum search php-process (pesquisa o componente na nuvem)
yum install php73-php-process.x86_64
# mcrypt is a PECL-only leftover in PHP 7.2+; only install it if an application
# still needs it.
yum search php-pecl-mcrypt (pesquisa o componente na nuvem)
yum install php73-php-pecl-mcrypt.x86_64
yum search php-pecl-apcu (pesquisa o componente na nuvem)
yum install php73-php-pecl-apcu.x86_64
yum search php-pecl-zip (pesquisa o componente na nuvem)
yum install php73-php-pecl-zip.x86_64
yum search php-soap (pesquisa o componente na nuvem)
yum install php73-php-soap.x86_64
yum search php-intl (pesquisa o componente na nuvem)
yum install php73-php-intl.x86_64
# Incomplete line: rpm -Uvh needs a package argument (probably a leftover).
rpm -Uvh
# SQL Server connectivity: unixODBC, Microsoft's ODBC driver repo, then the
# PHP sqlsrv extension. The repo file is fetched over https; ACCEPT_EULA=Y
# accepts the driver licence non-interactively.
yum search unixODBC
yum install unixODBC.x86_64
curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
ACCEPT_EULA=Y yum -y install msodbcsql17
yum search php-sqlsrv
yum install php73-php-sqlsrv.x86_64
# Bulk copy of *every* SCL ini and module into the base PHP tree, overwriting
# without prompting ("yes |"). This also overwrites files the base packages
# own, so later yum updates of either tree can silently undo or break it;
# the per-extension cp used for xdebug above is the more controlled form.
yes | cp /etc/opt/remi/php73/php.d/* /etc/php.d/
yes | cp /opt/remi/php73/root/usr/lib64/php/modules/* /usr/lib64/php/modules/
service httpd restart
# vsftpd: install, start, enable at boot.
sudo yum install vsftpd
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
# Control port 21, the passive data range configured below (10090-10100), and
# the ftp service (which also loads the conntrack helper). Note that the
# vsftpd.conf below does not set ssl_enable, so logins and data cross the
# network in clear text; keep this behind the firewall/proxy the page
# describes, or enable FTPS (ssl_enable=YES) if it must be reachable.
sudo firewall-cmd --zone=public --permanent --add-port=21/tcp
sudo firewall-cmd --zone=public --permanent --add-port=10090-10100/tcp
sudo firewall-cmd --zone=public --permanent --add-service=ftp
sudo firewall-cmd --reload
# Server configuration (contents below).
vim /etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd.conf
## Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
# Uncomment this to allow local users to log in.
local_enable=YES
## Enable virtual users (authenticated through the PAM service named below,
## backed by the Berkeley DB built from /home/virtual_users.txt)
guest_enable=YES
## Virtual users get the same privileges as LOCAL users (vsftpd's default for
## virtual users is the anonymous privilege set); together with write_enable
## this gives them full read/write access under local_root.
virtual_use_local_privs=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
## PAM file name (matches /etc/pam.d/vsftpd_virtual created further down)
pam_service_name=vsftpd_virtual
## Home Directory for virtual users. user_sub_token only has an effect when
## local_root contains $USER, which the active line below does not; every
## virtual user therefore lands in the shared /var/www/html (the per-user
## user_config_dir override is added later on this page).
user_sub_token=$USER
local_root=/var/www/html
# local_root=/ftp/virtual/$USER
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
## Hide ids from user
hide_ids=YES
## Active Mode
connect_from_port_20=YES
## Passive Mode
pasv_enable=YES
## pasv_promiscuous=YES disables vsftpd's check that the passive data
## connection comes from the same address as the control connection; only
## needed behind certain NAT/proxy setups, otherwise leave it at NO.
pasv_promiscuous=YES
pasv_min_port=10090
pasv_max_port=10100
#pasv_address=dev.mm
## Other Configs
## The chroot root (local_root) is writable, which vsftpd refuses by default
## because it weakens the chroot; allow_writeable_chroot=YES overrides that
## refusal. A non-writable root with writable subdirectories avoids the need.
allow_writeable_chroot=YES
dirlist_enable=YES
download_enable=YES
## umask 0 means uploads are created world-writable (files 666, dirs 777).
## 022 keeps them writable by the owner only; the group/setgid handling is
## done with chmod/chgrp further down the page.
local_umask=0
force_dot_files=YES
# Virtual-user credential list: alternating lines, username then password
# (the two lines after the path are the file's contents). It holds plaintext
# passwords, so create it with restrictive permissions (chmod 600) and remove
# it once the database has been generated.
vim /home/virtual_users.txt
/home/virtual_users.txt
nomedousuario
senha
# Rebuild the Berkeley DB from the text file; -T -t hash reads key/value line
# pairs. The .db is also plaintext and should be readable by root only.
# (rm -f is sufficient here; -r is only for directories.)
rm -rf /etc/vsftpd/virtual_users.db
db_load -T -t hash -f /home/virtual_users.txt /etc/vsftpd/virtual_users.db
# PAM stack for the vsftpd_virtual service named in vsftpd.conf (contents below).
vim /etc/pam.d/vsftpd_virtual
/etc/pam.d/vsftpd_virtual
#%PAM-1.0
# pam_userdb looks up the user in the Berkeley DB built above; the db= path is
# given without the .db suffix, as pam_userdb appends it itself. Passwords are
# compared against the stored values, which db_load wrote in plaintext; the
# module's crypt= option allows hashed entries instead.
auth required pam_userdb.so db=/etc/vsftpd/virtual_users
account required pam_userdb.so db=/etc/vsftpd/virtual_users
session required pam_loginuid.so
# Apply the vsftpd and PAM changes.
service vsftpd restart
# SELinux mode (contents and the author's caveat below).
vim /etc/selinux/config
Importante citar que, em todos os casos em que desativei o SELinux, eu estava em um ambiente controlado por proxies e firewalls que não permitiam a entrada. No caso de um servidor exposto, é necessário adicionar as regras SELinux correspondentes… este método é preguiçoso!
/etc/selinux/config
-
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# "disabled" unloads the policy entirely and only takes effect after the reboot
# further down. "permissive" would keep logging the denials that httpd/vsftpd
# hit against /var/www/html, which is exactly the information needed to write
# the proper rules/booleans the author mentions instead of turning it off.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# Cross-add the two service accounts to each other's groups so either can
# use group permissions on the web tree.
usermod -a -G ftp apache
usermod -a -G apache ftp
# Ownership/permission attempts on the web root. Each line overrides the
# previous one, so only the last of each kind matters: owner ends as ftp
# (recursive), group of the top directory as apache (chgrp is not recursive
# here), and mode as 2777 recursive - setgid plus world read/write/execute.
# The earlier "o-rwx" is undone by the 777 lines.
chmod o-rwx /var/www/html/
chgrp ftp /var/www/html/
chgrp apache /var/www/html/
chown -R apache /var/www/html/
chown -R ftp /var/www/html/
# 777/2777 lets every local user and every process on the host write web
# content. Since ftp is already in the apache group (above), the same goal is
# reached with "chgrp -R apache" plus "chmod -R 2775": owner and group can
# write, others cannot.
chmod 777 -R /var/www/html/
chmod -R 2777 /var/www/html/
# Reboot is what applies SELINUX=disabled.
reboot now
# Stop vsftpd before adding per-user configuration (next section).
service vsftpd stop
vim /etc/vsftpd/vsftpd.conf
/etc/vsftpd/vsftpd.conf
## users perm - per-user override files, one file per virtual user named after
## the login; a local_root line in it replaces the global one.
user_config_dir=/etc/vsftpd/users
# Directory named by user_config_dir and the override file for "user1"
# (its single line follows the path).
mkdir /etc/vsftpd/users
vim /etc/vsftpd/users/user1
/etc/vsftpd/users/user1
local_root=/var/www/html/user1
# Extend the credential list (alternating username/password lines, shown
# after the path) and regenerate the database exactly as before. Same
# caveat: the text and .db files contain plaintext passwords - keep them
# root-only and delete the text file afterwards.
vim /home/virtual_users.txt
/home/virtual_users.txt
user1
pass1
user2
pass2
userN
passN
rm -rf /etc/vsftpd/virtual_users.db
db_load -T -t hash -f /home/virtual_users.txt /etc/vsftpd/virtual_users.db
service vsftpd start
# Unrelated reminder: make a script executable.
chmod +x script.sh
# MariaDB repository definition (contents below).
vim /etc/yum.repos.d/mariadb.repo
/etc/yum.repos.d/mariadb.repo
[mariadb]
name = MariaDB
# Pinned to the 10.3 / CentOS 7.3 tree. The baseurl is plain http, which is
# acceptable only because gpgcheck=1 verifies each package against the key
# fetched over https below.
baseurl = http://yum.mariadb.org/10.3/centos73-amd64/
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
# Install, enable at boot, start.
yum install MariaDB-server MariaDB-client
systemctl enable mariadb
systemctl start mariadb
# Interactive hardening (transcript follows). Note that in the transcript
# "Disallow root login remotely?" is answered "n", so root stays usable from
# the network once port 3306 is opened below.
mysql_secure_installation (versões mais novas usam mariadb-secure-installation)
prompt mysql_secure_installation/mariadb-secure-installation
Enter current password for root (enter for none):
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] n
... skipping.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
# Exposes MariaDB (3306) in the public zone, runtime and permanent. With the
# 'user'@'%' grant below and remote root left enabled, the database is then
# reachable from any address the firewall zone admits; consider a source-
# restricted rich rule or binding to the application network only.
sudo firewall-cmd --add-port=3306/tcp
sudo firewall-cmd --zone=public --permanent --add-port=3306/tcp
sudo firewall-cmd --reload
# Log in as root to create the application account (SQL below).
mysql -u root -p
-- '%' means the account may connect from any host; prefer the application
-- server's address or subnet (e.g. 'user'@'192.168.0.%') where known.
CREATE USER 'user'@'%' IDENTIFIED BY 'password';
-- GRANT ... IDENTIFIED BY is deprecated syntax and re-sets the password;
-- this SUPER grant is also subsumed by ALL PRIVILEGES on the next line.
GRANT SUPER ON *.* TO 'user'@'%' IDENTIFIED BY 'password';
-- ALL PRIVILEGES ON *.* is a second superuser. A per-application account
-- normally needs only "ALL PRIVILEGES ON mydb.*" (or less).
GRANT ALL PRIVILEGES ON *.* TO 'user'@'%';
FLUSH PRIVILEGES;
Só faça isso em último caso!
Deve-se parar o servidor para fazer este tipo de backup.
Instale o servidor de forma idêntica ao que estava, inclusive crie seus usuários
Então depois do servidor MariaDB instalado...
# Restore path: open a root session and replay the dump (SQL below).
mysql -u root -p
-- Recreate the schema, select it, then replay the SQL dump into it.
create database mydb;
use mydb;
-- Path to the dump file taken from the old server.
source /path/arquivo.sql;
No caso de servidores no Google Cloud basta reiniciar o servidor.
# List disks, then partition the new one interactively (transcript follows).
# /dev/sdb must be the newly attached, empty disk - confirm with fdisk -l
# output before writing, as "w" rewrites the partition table.
fdisk -l
fdisk /dev/sdb
prompt fdisk /dev/sdb
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-419430399, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-419430399, default 419430399): (pressione enter para o tamanho default)
Command (m for help): w
The partition table has been altered!
# Format the new partition, create a mount point and mount it.
mkfs.ext4 /dev/sdb1
cd /
mkdir /foldername
mount /dev/sdb1 /foldername
# Make the mount persistent (fstab line below). The second vim line and the
# Portuguese sentence ("add the corresponding line at the end of the file")
# are the author's notes, not commands to repeat.
vim /etc/fstab
Adicione a respectiva linha ao final do arquivo:
vim /etc/fstab
# device  mountpoint  type  options  dump  fsck-order. Referencing /dev/sdb1
# by name assumes the disk order never changes; UUID= (from blkid) is stabler.
/dev/sdb1 /foldername/ ext4 defaults 0 0
# Remove the old Stackdriver agent and its state completely.
systemctl disable stackdriver-agent
systemctl stop stackdriver-agent
yum remove stackdriver-agent
yum upgrade
rm -rf /var/google/
mkdir /var/google
cd /var/google/
# Google's repo installer is downloaded (https) and then executed as root.
# Review the script before running it, since it modifies yum repositories
# and imports signing keys on your behalf.
curl -sSO https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh
sudo bash add-monitoring-agent-repo.sh
yum search stackdriver-agent
yum install stackdriver-agent.x86_64
# NOTE(review): "enable" is not a standard "service" verb; on a systemd host
# "systemctl enable stackdriver-agent" is the equivalent - confirm.
sudo service stackdriver-agent enable
sudo service stackdriver-agent start
sudo service stackdriver-agent status
# Time sync via ntpd (config below).
yum install ntp
vim /etc/ntp.conf
/etc/ntp.conf
# Stock pool servers commented out in favour of the NTP.br servers below.
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
Adicionar as seguintes linhas ao final do arquivo "ntp.conf":
# Using NTP.br (Brazilian public stratum-1/2 servers). The stock "restrict"
# lines of ntp.conf are not shown here; keep them so the daemon does not
# answer queries from arbitrary clients.
#usando NTP-br
server a.st1.ntp.br
server b.st1.ntp.br
server c.st1.ntp.br
server d.st1.ntp.br
server a.ntp.br
server b.ntp.br
server c.ntp.br
server gps.ntp.br
systemctl enable ntpd
systemctl restart ntpd
# Network and hostname via the NetworkManager text UI (menu paths in the
# author's notes: edit a connection / set the system hostname).
nmtui (Editar uma conexão -> ethernet -> editar)
nmtui (Definir nome de máquina do sistema)
# Active Directory join through SSSD/realmd. The "[email protected]" tokens
# below look like an e-mail obfuscation artefact of the page; the real values
# are user@REALM principals (e.g. someone@ad.local) - confirm.
yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
realm join --user=usuarioAd ad.local
realm list
id [email protected]
# sudo rules for the domain: a "%group@realm ALL=(ALL) ALL" line (below)
# grants full root to that AD group. Prefer editing with
# "visudo -f /etc/sudoers.d/sudoers" so a syntax error cannot lock sudo.
visudo
vim /etc/sudoers.d/sudoers
/etc/sudoers.d/sudoers
%[email protected] ALL=(ALL) ALL
cd /etc/openvpn/easy-rsa
./revoke-full client
cd /etc/openvpn/easy-rsa/keys
cp crl.pem /etc/openvpn/
sudo su
sudo systemctl stop [email protected]
cd /etc/openvpn/easy-rsa
source ./vars
./build-key client
cd /etc/openvpn/easy-rsa/keys
cp client-14042022.crt client-14042022.key /etc/openvpn
cd /etc/openvpn/easy-rsa/keys
cp client-14042022.crt client-14042022.key /keys
chmod 777 -R /keys/
sudo systemctl start [email protected]
arquivo.ovpn
# Client profile (arquivo.ovpn). Files are referenced by relative name, so
# ca.crt, the client cert/key and the tls-crypt key must sit next to it.
client
tls-client
ca ca.crt
cert manyminds.crt
key manyminds.key
# tls-crypt authenticates and encrypts the control channel with a shared key.
tls-crypt myvpn.tlsauth
# Require the server EKU so another client's certificate cannot pose as the server.
remote-cert-eku "TLS Web Server Authentication"
proto udp
# IPDOSEUSERVIDORAQUI = "your server IP here" (placeholder to replace).
remote IPDOSEUSERVIDORAQUI 1194 udp
dev tun
topology subnet
# Accept routes/DNS pushed by the server.
pull
# Drop root after the tunnel is up. Without persist-key/persist-tun the
# process cannot re-read the key or reopen the tun device on restart/SIGUSR1;
# they are commonly paired with user/group - confirm for this setup.
user nobody
group nobody
# 1 GiB swap file (1048576 blocks of 1024 bytes). Permissions are tightened
# before mkswap/swapon, which is the right order: a readable swap file leaks
# memory contents.
sudo dd if=/dev/zero of=/swapfile bs=1024 count=1048576
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Persist it (fstab line below).
sudo vim /etc/fstab
/etc/fstab
# Activate the swap file at boot.
/swapfile swap swap defaults 0 0
# Verify the swap is active, then reboot.
sudo swapon --show
shutdown -r now
# Toggle ICMP echo replies: 1 stops answering ping ("desativa"), 0 restores
# it ("ativa"). Writing to /proc is not persistent; use sysctl.conf or
# sysctl.d to keep the setting across reboots.
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all (desativa)
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all (ativa)
# Listen directives in httpd.conf (shown below).
vim /etc/httpd/conf/httpd.conf
# Original line, and what it was changed to.
Listen 80
# NOTE(review): Listen takes one port (optionally "[address:]port [protocol]")
# per directive, so "Listen 80 443" reads "443" as the protocol argument
# rather than a second port. Use two lines, "Listen 80" and "Listen 443",
# and note that the mod_ssl package's ssl.conf usually already has
# "Listen 443 https" - a duplicate Listen fails at startup.
Listen 80 443
systemctl restart httpd
# Minimal HTTP vhost for the site that certbot will extend (contents below).
vim /etc/httpd/conf.d/nomeDoSite.conf
/etc/httpd/conf.d/nomeDoSite.conf
# Plain-HTTP vhost; certbot --apache reads ServerName from here to pick the
# vhost and generates the matching *:443 vhost itself.
<VirtualHost *:80>
DocumentRoot "/var/www/pastaDoSite"
ServerName urldosite.com.br
</VirtualHost>
# Let's Encrypt via the EPEL certbot Apache plugin; the plugin edits the
# vhost config and reloads Apache. Port 80 must be reachable from the
# internet for the HTTP-01 challenge.
yum install epel-release mod_ssl
yum install python-certbot-apache
certbot --apache -d urldosite.com.br
mensagem de sucesso
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2016-04-21. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# Vhost after certbot ran (contents below).
vim /etc/httpd/conf.d/nomeDoSite.conf
/etc/httpd/conf.d/nomeDoSite.conf
<VirtualHost *:80>
ServerName urldosite.com.br
ServerAlias urldosite.com.br
DocumentRoot /var/www/html/pastaDoSite
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
# This is the HTTP->HTTPS redirect certbot writes, but the RewriteRule is
# commented out, so no redirect happens and the site remains served over
# plain HTTP. The RewriteCond also compares against a different hostname
# than ServerName above, so even with the rule enabled it would only fire
# for that name - adjust it to urldosite.com.br.
RewriteEngine on
RewriteCond %{SERVER_NAME} =uat.service.sdone.manyminds.com.br
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# Schedule renewals (crontab line below); "certbot renew" can also be run by
# hand and only renews certificates close to expiry.
vim /etc/crontab
certbot renew
/etc/crontab
# Once a month (1st day, 00:00).
# NOTE(review): /etc/crontab requires a user field between the schedule and
# the command ("0 0 1 * * root /usr/bin/certbot renew ..."); as written the
# word "/usr/bin/certbot" is parsed as the user and the job never runs. Also,
# Let's Encrypt certificates last 90 days and certbot's own guidance is to
# run renew daily or twice daily, so a monthly slot can miss a failed attempt.
0 0 1 * * /usr/bin/certbot renew >> /var/log/sslrenew-certbot.log