Server Configuration and Deployment
This guide shows how to create a fresh new server and deploy code. To run local server for testing and development, see Development Environment.
This system only supports GNU/Linux servers. You can either create a VPS or use your own machine. We use openSUSE as example here.
You got:
- operating system
- root password
- ssh access or direct access
- apache2
- apache2-mod_php5
- mariadb
- mariadb-client
- mariadb-tools
- php5
- php5-ctype (localization)
- php5-curl (composer download packages)
- php5-imagick (image process)
- php5-intl (localization)
- php5-json (JSON encode/decode)
- php5-mbstring (unicode)
- php5-mcrypt (encryption)
- php5-mysql (database connection)
- php5-opcache (object cache, performance)
- php5-openssl (server to server communication)
- php5-pdo (database connection)
- php5-phar (run composer.phar)
- php5-tokenizer (code analyzing)
- SuSEfirewall2 (security)
- git (deploy code)
- nodejs (frontend build)
DO NOT USE
- php5-xcache (cause failure)
- phpMyAdmin (security issues)
- WordPress, MediaWiki or Webshop application on the same server (security issues)
Rules:
- Enable 80 (apache) and 443 (apache-ssl).
- Enable 22 (ssh) but only allow trusted IP address access.
Edit SuSEfirewall config file:
vi /etc/sysconfig/SuSEfirewall2SuSEfirewall configuration file example:
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl"
...
FW_SERVICES_ACCEPT_EXT="177.98.230.11/24,tcp,22 177.98.154.98/24,tcp,22"Note: 177.98.230.11/24 is IP range from 177.98.230.0 to 177.98.230.255. You can add your home IP range and company IP range, separated by whitespaces.
Start SuSEfirewall2:
systemctl start SuSEfirewall2
systemctl enable SuSEfirewall2Though firewall rules have prevented most outside SSH attacks from untrusted IP, we still need to keep in mind that using root login is not safe. Root user has too much power to change everything. But usually we do not need these power. A normal user can avoid some mistakes.
Step 1. Create a user, make home folder to website folder.
useradd -g users -p <password> -d /srv/www/santakani -m rabbitStep 2. Give user sudo permission.
visudoChange to:
root ALL=(ALL) ALL
rabbit ALL=(ALL) ALL
Step 3. Disable root ssh login.
vi /etc/ssh/sshd_configChange to:
PermitRootLogin no
...
AllowUsers rabbit
Step 4. Logout and reboot server.
Next time you can login with new user "rabbit".
systemctl start mysql
systemctl enable mysql
mysql_secure_installation
On GNU/Linux /etc/my.cnf Edit the file and add
[mysqld]
innodb_ft_min_token_size = 1
Then you need to restart MariaDB and rebuild all fulltext index.
Now you can search Chinese words with only one character, like "床". See MariaDB Doc.
Login with root and enter mysql database:
mysql -u root -p mysqlCreate new database and user:
CREATE DATABASE santakani;
GRANT ALL ON santakani.* TO rabbit@localhost IDENTIFIED BY '<password>';
quitTest new user and database:
mysql -u rabbit -p santakaniUpload large image need to extend file upload and post size of PHP.
sudo vi /etc/php5/apache2/php.ini
; Maximum allowed size for uploaded files.
upload_max_filesize = 32M
...
; Must be greater than or equal to upload_max_filesize
post_max_size = 32Mcd /srv/www/
sudo mkdir santakani
sudo chown rabbit:users santakani
git clone https://github.com/santakani/santakani.com.git santakani
./initialize.sh
See https://getcomposer.org/download/
php composer.phar install
npm install
sudo npm install --global gulp-cli
gulp --production
# Create configuration from template
cp .env.example .env
# Generate application key
php artisan key:generateManually modify:
APP_ENV=production
APP_DEBUG=false
...
Fill database information.
For test:
php migrate --seedfor production:
php migrateopenssl req -newkey rsa:2048 -nodes -keyout santakani.com.key -out santakani.com.csrCopy the content of santakani.com.csr and certify it on StartSSL website. NOTE: you can request a single certificate for both santakani.com and www.santakani.com.
Download certification files, now you have:
- santakani.com.key (private key, keep it as a secret!)
- santakani.com.csr (public key)
- santakani.com.crt (certification)
- root_bundle.crt (certification chain)
a2enmod rewrite
a2enmod ssl
a2enflag SSLLocal test server at http:https://localhost:8088/:
Listen 8088
<VirtualHost *:8088>
ServerName localhost
DocumentRoot /home/sign/git/santakani/public/
# Logs
ErrorLog /home/sign/git/santakani/storage/logs/error.log
CustomLog /home/sign/git/santakani/storage/logs/access.log combined
<Directory "/home/sign/git/santakani/public/">
DirectoryIndex index.html index.php
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>Production server with HTTPS https://santakani.com/:
<VirtualHost *:80>
ServerName santakani.com
ServerAlias www.santakani.com
ServerAdmin [email protected]
DocumentRoot /srv/www/santakani/public
ErrorLog /srv/www/santakani/storage/logs/error.log
CustomLog /srv/www/santakani/storage/logs/access.log combined
HostnameLookups Off
UseCanonicalName Off
ServerSignature On
Redirect permanent / https://santakani.com/
</VirtualHost>
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
ServerName santakani.com
ServerAlias www.santakani.com
ServerAdmin [email protected]
DocumentRoot "/srv/www/santakani/public"
ErrorLog /srv/www/santakani/storage/logs/error.log
CustomLog /srv/www/santakani/storage/logs/access.log combined
HostnameLookups Off
UseCanonicalName Off
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/santakani.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/santakani.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/root_bundle.crt
CustomLog /srv/www/santakani/storage/logs/ssl.log ssl_combined
<Directory "/srv/www/santakani/public">
DirectoryIndex index.html index.php
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
</IfDefine>
</IfDefine>Researt Apache:
sudo systemctl restart apache2
This wiki is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
