Install Guide: CentOS 7 and nginx
This guide assumes you have a base CentOS 7 install with no conflicting packages already installed. We'll begin with some basic security steps, replacing firewalld with iptables (this is optional if you prefer to keep firewalld). firewalld is just an easy-to-use wrapper around iptables anyway, and I've got a base ruleset that can be imported for sane defaults.
These rules drop invalid packets, block ICMP (ping) requests, reject outgoing mail on port 25 (remove that rule if you intend to have nZEDb send invite/welcome/etc. emails), allow incoming access to port 80 (HTTP) and allow unfettered access from your IP address or range. Everything else is explicitly dropped to shrink the attack surface exposed to the internet.
Run
```
sudo yum install iptables-services
```
to install the systemd service files that autostart iptables on boot. Next, edit /etc/sysconfig/iptables and insert the following ruleset. !!! Make sure to substitute your IP address (or range) for the placeholder YO.UR.IP.!! in the remote chain, or you WILL be locked out of remote access as soon as the firewall is enabled !!!
```
# Generated by iptables-save v1.4.21 on Fri Jan 6 14:49:34 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:7059]
:remote - [0:0]
:serv - [0:0]
-A INPUT -j serv
-A INPUT -j remote
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A remote -s YO.UR.IP.!! -j ACCEPT
-A remote -j RETURN
-A serv -p tcp -m tcp --dport 80 -j ACCEPT
-A serv -j RETURN
COMMIT
# Completed on Fri Jan 6 14:49:34 2017
```
!! Double check these rules before committing them and enabling iptables !!
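Before enabling the firewall, here is an added check that is not part of the original guide: a small POSIX shell function that statically inspects an iptables-save style file for the lockout mistakes the warning above refers to (placeholder address left in, unparseable source address, no ACCEPT in the remote chain, missing COMMIT). It needs no iptables binary; the sample ruleset embedded in the block is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the nZEDb guide: static lockout checks for an
# iptables-save style file such as /etc/sysconfig/iptables. Needs only sh,
# grep and awk, so it can run before iptables is installed or started.

# check_ruleset FILE -> returns 0 when every check passes, 1 otherwise;
# each problem is reported on stderr.
check_ruleset() {
    f="$1"; rc=0
    # 1. The guide's placeholder must have been replaced with a real address.
    if grep -q 'YO\.UR\.IP' "$f"; then
        echo "placeholder YO.UR.IP.!! still present in the remote chain" >&2; rc=1
    fi
    # 2. Every -s in the remote chain must look like an IPv4 address or CIDR range.
    for src in $(awk '$1=="-A" && $2=="remote" {for(i=1;i<=NF;i++) if($i=="-s") print $(i+1)}' "$f"); do
        echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "unparseable source address in remote chain: $src" >&2; rc=1; }
    done
    # 3. The remote chain must ACCEPT something, or nothing admits your SSH session
    #    once the catch-all '-A INPUT -j DROP' is reached.
    grep -Eq '^-A remote .* -j ACCEPT$' "$f" \
        || { echo "remote chain has no ACCEPT rule: you would be locked out" >&2; rc=1; }
    # 4. iptables-restore rejects a filter table that is not closed with COMMIT.
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT line" >&2; rc=1; }
    return $rc
}

# Demo on a constructed ruleset that still carries the guide's placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:remote - [0:0]
-A INPUT -j remote
-A remote -s YO.UR.IP.!! -j ACCEPT
-A remote -j RETURN
-A INPUT -j DROP
COMMIT
EOF
if check_ruleset "$sample"; then
    echo "ruleset passed the static checks"
else
    echo "fix the ruleset before running 'systemctl start iptables'"
fi
rm -f "$sample"
```

It only parses text, so it complements rather than replaces reading the rules yourself and confirming them with `sudo iptables -S` after loading.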
Now we'll stop firewalld and put iptables in its place:
```
sudo systemctl stop firewalld
sudo systemctl start iptables
```
Verify firewalld is off with `sudo firewall-cmd --state`. If it is, go ahead and verify that the iptables rules are in place with `sudo iptables -S`. If you want to see whether the rules are handling traffic as expected, `sudo iptables -nvL` gives a breakdown of how many packets/bytes have matched each rule in a chain.
Fully disable firewalld with `sudo systemctl disable firewalld && sudo systemctl mask firewalld`, then enable iptables on boot with `sudo systemctl enable iptables`.
We're going to add a few third-party repositories to simplify installation of some of these packages. Nux precompiles things such as unrar and ffmpeg, EPEL is a good general-purpose repo that includes nginx, and Remi provides precompiled PHP 7 binaries and modules.
Pre-req -- sudo yum install yum-utils
EPEL -- sudo yum install epel-release -y
Nux Dextop -- sudo yum install http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
Remi's Repo -- sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
Now let's install some packages:
- Basic: `sudo yum install wget tmux git`
- Development Tools: `sudo yum groupinstall "Development Tools"`
- Post-Processing: `sudo yum install unrar ffmpeg twolame mediainfo p7zip x264 timeout`
- nginx: `sudo yum install nginx`
- PHP and extensions: `sudo yum install php-cli php-fpm php-gd php-mbstring php-devel php-pear php-mysqlnd php-curl php-mcrypt php-pecl-imagick php-composer`
- MySQL: `sudo yum install mariadb mariadb-server` (the `mariadb` package alone is only the client; `mariadb-server` provides the server and the `mariadb` service used below)
Adjust PHP and PHP-FPM (these files are root-owned, so run the edits with sudo):
```
# PHP limits and error reporting used by nZEDb
sudo sed -i -r 's/^(memory_limit)\s*=.*$/\1 = -1/' /etc/php.ini
sudo sed -i -r 's/^(max_execution_time)\s*=.*$/\1 = 120/' /etc/php.ini
sudo sed -i -r 's/^(error_reporting)\s*=.*$/\1 = E_ALL \^ E_STRICT/' /etc/php.ini
sudo sed -i -r 's/^(register_globals)\s*=(.*)$/\1 = Off/' /etc/php.ini
# Set your own timezone here
sudo sed -i -r 's/^;date.timezone =.*/date.timezone = America\/Los_Angeles/' /etc/php.ini
# Run php-fpm as the nginx user/group and listen on the socket the nginx config below points at.
# The stock www.conf ships these lines uncommented, so match an optional leading ';'.
sudo sed -i -r 's/^;?user = .*/user = nginx/' /etc/php-fpm.d/www.conf
sudo sed -i -r 's/^;?group = .*/group = nginx/' /etc/php-fpm.d/www.conf
sudo sed -i -r 's/^;?listen = .*/listen = \/var\/run\/php5-fpm.sock/' /etc/php-fpm.d/www.conf
```
Edit the my.cnf file with `vi /etc/my.cnf.d/mariadb-server.cnf` and add the following under `[server]`:
```
group_concat_max_len=8192
innodb_file_per_table=1
max_allowed_packet=128M
```
Now enable and start the database: sudo systemctl enable mariadb && sudo systemctl start mariadb
Next we'll set the root password, remove the anonymous user and the unnecessary test database. This also blocks root from logging in from anywhere other than the local machine (localhost/127.0.0.1):
```
mysql_secure_installation
```
Finally we'll create the nZEDb database and grant the nZEDb user full privileges on it, plus the FILE privilege. Replace `$PASSWORD` with a strong password of your own:
```
mysql -u root -p
```
```
create database nzedb;
-- 'nzedb.*' means every table in the nzedb database; a bare 'nzedb' would be read as a table name
grant all privileges on nzedb.* to 'nzedb'@'localhost' identified by '$PASSWORD';
grant all privileges on nzedb.* to 'nzedb'@'127.0.0.1' identified by '$PASSWORD';
grant file on *.* to 'nzedb'@'localhost';
flush privileges;
exit
```
And you're done!
This will leave the default nginx "default_server" directive in nginx.conf in place, so anyone who accesses the server's IP directly will just see the generic nginx welcome page. If you want to change that, remove default_server from the server block inside /etc/nginx/nginx.conf and add it to the listen line below; otherwise use this configuration as-is (nginx refuses to start if two server blocks on the same address:port both claim default_server).
Be sure to change the two /path/to/nZEDb/ locations to match where you intend to store the nZEDb files:
```
server {
    # Add default_server here only after removing it from /etc/nginx/nginx.conf;
    # two default servers on port 80 are a configuration error.
    listen 80;
    server_name yourdomain.com;
    # These are the log locations, you should not have to change these.
    access_log /var/log/nginx-access.log;
    error_log /var/log/nginx-error.log;
    # This is the root web folder for nZEDb, you shouldn't have to change this.
    root /path/to/nZEDb/www;
    index index.php;
    # Everything below this should not be changed unless noted.
    location ~* \.(?:css|eot|gif|gz|ico|inc|jpe?g|js|ogg|oga|ogv|mp4|m4a|mp3|png|svg|ttf|txt|woff|xml)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
    location / {
        try_files $uri $uri/ @rewrites;
    }
    location ^~ /covers/ {
        # This is where the nZEDb covers folder should be in.
        root /path/to/nZEDb/resources;
    }
    location @rewrites {
        rewrite ^/([^/\.]+)/([^/]+)/([^/]+)/? /index.php?page=$1&id=$2&subpage=$3 last;
        rewrite ^/([^/\.]+)/([^/]+)/?$ /index.php?page=$1&id=$2 last;
        rewrite ^/([^/\.]+)/?$ /index.php?page=$1 last;
    }
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        # Uncomment the following line and comment the .sock line if you want to use TCP.
        # fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        # The next two lines should go in your fastcgi_params
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```
Enable the services and fetch nZEDb:
```
sudo systemctl enable nginx
sudo systemctl enable php-fpm
# SELinux: label the nZEDb tree as web content (this may need to be done in the next step instead,
# since the directory does not exist until it is cloned)
sudo chcon -R unconfined_u:object_r:httpd_sys_content_t:s0 /path/to/nZEDb
```
```
cd /path/to
git clone https://github.com/nZEDb/nZEDb.git
chcon -R unconfined_u:object_r:httpd_sys_content_t:s0 ./nZEDb
mkdir -p ./nZEDb/nzbfiles/tmp/unrar
# Hand the tree to the nginx user/group that php-fpm runs as
chown -R nginx. ./nZEDb
chmod -R 755 ./nZEDb
chmod -R 775 ./nZEDb/www/covers/
chmod 775 ./nZEDb/www
chmod 775 ./nZEDb/www/install
chmod -R 775 ./nZEDb/nzbfiles/
chmod -R 775 ./nZEDb/www/install/
cd nZEDb
composer install --prefer-source
```
Browse to http://nZEDbURL/install and finish the installation through the web UI. I'll add further steps later, or you can follow the other guides in the Wiki for this portion.