Wednesday, July 8, 2020

Linux Essentials

Linux systems have two types of users:
1. root - the most powerful user; it can do anything on the system.
2. non root - less powerful than root. (Nginx runs as a non root user on Linux)


visudo - edits the sudoers file, which is how non root users are granted root (sudo) privileges.
sudo - runs a command with root privileges.
~ - indicates that the user is in its home directory.
# - prompt character indicating that the user is root.
$ - prompt character indicating that the user is a non root user.

Filenames and directory names are case sensitive in Linux.
Flags (e.g. -al) modify the way a command is executed.
Filenames starting with a period are hidden files.

The ls command has three important flags:
1. -a displays all files, including hidden files.
2. -l gives a long (wide) listing.
3. -al or -la combines the two flags above.

In the first column of the long listing, d marks a directory, - a regular file and l a symbolic link.

man command_name - opens the manual page for a particular command.

Absolute pathname - always relative to the root directory. example - user@hostname:~$ nano /etc/nginx/nginx.conf

Local pathname (relative pathname) - always relative to the current directory. example - user@hostname:/etc$ nano nginx/nginx.conf


cd command
1. cd - takes you back to the previous directory.
2. cd .. takes you to the parent directory. example - /home/a --> /home
3. cd directory_name takes you to the specified sub-directory of your current directory.
4. cd /whole/path takes you to a directory that is not inside the current directory.
5. cd on its own takes you to your home directory.

Important nano shortcuts
1. ctrl+w searches for a string.
2. ctrl+o saves without exiting the file.
3. ctrl+x exits nano.

Owner, Group Owner and Users
Owner - the user who created a file becomes its owner.
Group Owner - whenever you create a user (owner), a group with the same name is created and becomes the group owner of that user's files.
Users - every other user: not the owner of the file and not in the owner's group.


There are three types of permissions in Linux:
1. read (r) (4) - allows the user to view the contents of a file or list a directory.
2. write (w) (2) - allows the user to modify the contents of a file or directory.
3. execute (x) (1) - allows the user to run a file as a script or program and, for a directory, to traverse into it.
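As an added example (not part of the original notes), the shell functions below turn the rwx triplets that ls -l prints into the octal digits chmod takes using the 4/2/1 values above, do the reverse, and flag world-writable modes; the setuid/setgid/sticky letters (s, t) are not handled, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: convert between the rwx triplets
# shown by `ls -l` and the octal digits used by chmod (r=4, w=2, x=1).
# Only the nine basic rwx characters are handled (no s/t special bits).

# perm_to_octal "rwxr-xr-x" -> 755
perm_to_octal() {
    perms=$1
    [ "${#perms}" -eq 9 ] || { echo "expected 9 permission characters" >&2; return 1; }
    result=""
    i=0
    while [ "$i" -lt 9 ]; do
        # next triplet: owner, then group, then others
        triplet=$(printf '%s' "$perms" | cut -c"$((i + 1))-$((i + 3))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
        i=$((i + 3))
    done
    echo "$result"
}

# octal_to_perm 664 -> rw-rw-r--
octal_to_perm() {
    mode=$1
    case $mode in [0-7][0-7][0-7]) ;; *) echo "expected three octal digits" >&2; return 1 ;; esac
    result=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$mode" | cut -c"$pos")
        if [ $((d & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
    done
    echo "$result"
}

# world_writable MODE -> succeeds when "others" may write, the bit that should
# never be set on a web root or wp-config.php (the notes use 644/664 and 755/775)
world_writable() {
    others=$(printf '%s' "$1" | cut -c3)
    [ $((others & 2)) -ne 0 ]
}

# usage: translate the modes these notes use for WordPress files
for m in 644 755 664 775; do
    echo "$m -> $(octal_to_perm "$m")"
done
```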

Some important commands
1. chmod - change the permissions of a file or directory.
2. usermod - modify a user account, including the groups it belongs to.
3. chown - change the ownership of files and directories.
4. su - switch to another user.
5. passwd - change a user's password.
6. adduser - add a new user to the server.
7. systemctl restart service_name - restart a service.
8. logout or exit - log out of your server.
9. cp - make a copy of a file. (syntax - cp existing_file new_file)
10. sudo usermod -a -G group user - add a user to a group.
11. cat - view log files (prints the whole file)
12. less - view log files (page through them)
13. tail -f - view log files (follow new lines as they are written)
14. sudo apt-get install mariadb-server - install the MariaDB server.
15. sudo mysql_secure_installation - run the interactive hardening script for MariaDB.
16. lscpu - determine the number of CPU cores.
17. ulimit -n - shows the open file limit per process, used to determine the number of worker connections.
18. sudo nginx -t - test the configuration file syntax before reloading.
19. sudo systemctl reload nginx or sudo systemctl restart nginx - reload/restart nginx. (reload doesn't drop connections while restart does)
20. touch - create new empty files.
21. mkdir - create a directory. The -p flag creates parent directories as needed, so a nested path can be made in one go.
22. sudo systemctl reload php7.2-fpm.service - reload PHP-FPM.
23. nginx -V 2>&1 | grep with-module_name - check whether nginx was built with a given module (nginx -V prints its build options on stderr, hence the 2>&1).
24. sudo ln -s /path/abc.xyz - create a symbolic link to the file in the current directory (first change to the directory where the link should live).
25. sudo usermod -aG plop xyz (adds user xyz to group plop) - -aG appends the user to the named group without removing it from its other groups.

Package manager in Ubuntu
1. The advanced package manager in Ubuntu is "apt".
2. apt-get - installs and configures packages.
3. apt-get has three important commands: update, upgrade and dist-upgrade.
4. update - refreshes the list of available packages. upgrade - installs the latest updates. dist-upgrade - also handles kernel level upgrades.
5. apt-get install - installs any package you want. apt-get remove - removes a package without removing its configuration files. apt-get purge - removes a package along with its configuration files.

Firewall Commands
1. sudo ufw status verbose - check the status of ufw.
2. sudo ufw enable | sudo ufw disable - enable or disable ufw.
3. sudo ufw default deny incoming | sudo ufw default allow outgoing - set the default deny | allow rules.
4. sudo ufw allow port_or_service - add an allow rule.

Fail2Ban - it watches log files and blocks IP addresses that show malicious activity, such as repeated failed logins.

Fail2Ban Commands
1. sudo apt-get install fail2ban - installs fail2ban
2. sudo systemctl restart fail2ban, sudo systemctl start fail2ban or sudo systemctl stop fail2ban - restart, start or stop the service.


Context and Directives of Nginx

Directive - it consists of an option name and one or more option values and ends with a semicolon.
   example - server_name domain.com www.domain.com;
             (option: server_name; option values: domain.com, www.domain.com)
Context - it is also a directive, but it encloses other directives in a block of curly brackets.
   example - events {
                 worker_connections 768;
             }
5 main contexts of nginx

1. main (not enclosed in curly brackets; it affects the entire nginx application)
2. events (sets global values for how nginx handles connections)
3. http (within the main context; configures the http service)
4. server (within the http context; configures virtual hosts, also called server blocks)
5. location (within the server context; decides how requests for particular resources are answered)

Imp NOTE - directives inside a child context override the same directives set in a parent context.


Some of the important directives we need to edit
Main Context
1. worker_processes - set it to the number of CPU cores your server has.
2. worker_rlimit_nofile - raises the open file limit for worker processes, to prevent "too many open files" errors on busy sites.

Events Context
1. worker_connections - how many clients can connect simultaneously to the nginx server (per worker process).
2. multi_accept - when on, a worker accepts all new connections at once instead of one at a time.
3. use epoll - selects the epoll event method on Linux, which increases throughput.

Http context
1. server_tokens - set it to off so that the nginx version number does not appear in error pages and response headers.
2. server_names_hash_bucket_size - it helps to quickly serve static file sets.
3. access_log - logs every request made to your server. You should turn it off for busy servers, while the error log must remain on. (Keep in mind that turning it off also removes the record you would use to investigate an attack.)
4. gzip - enable it; it compresses responses and saves resources.

Buffers
1. client_body_buffer_size - buffer for request bodies sent to nginx, such as POST form submissions.
2. client_header_buffer_size - buffer for the client request headers.
3. client_max_body_size - the maximum allowed request body size; larger requests are rejected.
4. large_client_header_buffers - the maximum number and size of buffers for large client headers.

Timeouts
1. client_body_timeout and client_header_timeout - how long the server waits for the client body or client headers to be sent after the request starts.
2. keepalive_timeout - the time after which an idle keep-alive connection is closed.
3. send_timeout - the time after which the connection is closed if the client has not received anything.

Filehandle caching

It optimizes the speed of serving frequently requested files. It doesn't cache the entire file; rather it caches the file descriptors.
Note - whenever a file is opened, the operating system stores information about the open file, such as its size and modification time, in the file descriptor table.
These filehandle caching directives save the OS from looking the file up again and again. One downside is that changes to a file take a little while to be reflected.

The directives are:
open_file_cache
open_file_cache_valid
open_file_cache_min_uses
open_file_cache_errors

Location Context

Location Match
defines what nginx checks the requested URI against.
A modifier affects the way nginx attempts to match the location block.

Nginx location modifiers

order   modifier   explanation
1       =          exact match
2       ^~         preferential prefix match
3       ~ and ~*   regular expression match, case sensitive (~) or case insensitive (~*)
4       (none)     plain prefix match, no modifier


Some Important Directives
1. listen - the port on which requests are accepted (port 80 by default in the case of nginx).
2.






Some Important commands for MariaDB
1. sudo mysql -u root - log in to MariaDB
2. show databases; - show all databases
3. create database db_name; - create a database
4. grant all privileges on db_name.* to 'db_user'@'localhost' identified by 'password'; - grant all privileges on the database to the user (creating the user if it does not exist yet)
5. flush privileges; - reload the privilege tables
6. show grants for 'db_user'@'localhost'; - show a user's privileges
7. drop database db_name; - delete a database
8. drop user 'db_user'@'localhost'; - delete a database user
9. exit; - exit MariaDB


Some important commands for wp-cli (WordPress command line interface)
1. curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar - downloads wp-cli to your server
2. wp --info - display wp-cli version information
3. chmod +x wp-cli.phar - make wp-cli.phar executable
4. sudo mv wp-cli.phar /usr/local/bin/wp - move wp-cli into the PATH
5. wp core config --dbname=databasename --dbuser=databaseuser --dbpass=password --dbprefix=pre_ - create wp-config.php
6. wp core install --url=http://domain.com --title='Domain' --admin_user='admin' --admin_password='password' --admin_email=example@example.com - install WordPress
7. wp scaffold child-theme folder --parent_theme= --theme_name='' --author='' --author_uri= --theme_uri= - scaffold a child theme (fill in the values)
8. wp core update
9. wp core update-db
10. sudo systemctl restart php7.2-fpm (commands 8 to 10 update the core WordPress files)

Permissions for WordPress Files
1. /var/www/site.com/public_html - files: 644 and directories: 755
2. themes and plugins folders - files: 664 and directories: 775


Shell scripts
1. They are scripts that execute a series of commands.
2. They speed up repetitive tasks.
3. They are used to ensure permissions are correct.
4. The file name ends in .sh.
5. The file starts with the shebang line #!/bin/bash.

Bash Aliases
1. An alias is a shortcut for a frequently typed command, like ngt for sudo nginx -t.
2. We will use nano for editing the .bashrc file.
3. We will create 3 aliases: for testing the nginx conf file, reloading nginx, and restarting the php-fpm service.
source ~/.bashrc - run this after adding any alias to the .bashrc file so it takes effect in the current shell.

nginx and php
nginx doesn't process php requests itself. It passes them to an application server, in our case php-fpm, which processes the request and passes the generated http response back to nginx.


fastcgi directives
1. fastcgi_buffer_size - sets the size of the buffer used for reading the first part of the response received from the FastCGI server.
2. fastcgi_buffers - sets the number and size of the buffers used for reading a response from the FastCGI server for a single connection.
3. fastcgi_busy_buffers_size - when buffering of responses from the FastCGI server is enabled, limits the total size of the buffers that can be busy sending a response to the client while the response is not yet fully read.
4. fastcgi_temp_file_write_size - limits the size of data written to a temporary file at a time when buffering of responses from the FastCGI server to temporary files is enabled.

HTTP response headers
A response header is information, in the form of text records, that a web server sends back to a client's browser in response to an HTTP request. The response headers contain the date, size and type of the file the server is sending back to the client, and also data about the server itself.

X-Frame-Options - protects visitors against clickjacking attacks.
X-Content-Type-Options - reduces the risk of drive-by downloads by stopping the browser from guessing a different content type.
X-XSS-Protection - configures the XSS protection found in all modern day browsers.
Content-Security-Policy - lets you define a whitelist of approved sources for your site's content.


xmlrpc.php - it allows remote connections to WordPress. It is a target for malicious bots that try to mount DDoS attacks.
wp-login.php - bots scan for wp-login.php and try password attempts over and over again, draining server resources.

Rate Limiting using nginx
It limits the number of GET and/or POST requests a user can make in a given period of time.
It slows down brute force password guessing attacks and protects the site against DDoS attacks by limiting the incoming request rate.
1. limit_req_zone directive - it is added to the http context.
$binary_remote_addr - this variable holds a binary representation of the client's IP address.
zone - stores the state of each IP address and how often it has requested a rate limited URL. Its size is given in megabytes; one megabyte can store about 16k IP addresses.
rate - sets the maximum request rate. ex - rate=30r/m (read as 30 requests per minute)
burst - defines how many requests a client can make in excess of the rate specified by the zone (set on the limit_req directive that applies the zone inside a location).


SSL Certificate Files

File                     Absolute path
Private key              /etc/letsencrypt/live/site.com/privkey.pem
Certificate              /etc/letsencrypt/live/site.com/fullchain.pem
SSL trusted certificate  /etc/letsencrypt/live/site.com/fullchain.pem


Certbot commands
1. sudo add-apt-repository ppa:certbot/certbot - add the certbot personal package archive
2. sudo apt-get install certbot - install certbot after updating the package list
3. sudo certbot certonly --webroot -w /var/www/domain.com/public_html -d domain.com -d www.domain.com - obtain a certificate using the webroot method
  Note: Here the webroot path is /var/www/domain.com/public_html
4. sudo certbot certificates - lists all the certificates present on your server along with their domain names.
5. sudo certbot renew --force-renewal - renew the certificate forcefully.
6. sudo certbot renew --dry-run - tests whether the certificate could be installed without any issues.
7. sudo openssl dhparam -out dhparam.pem 2048 - generate the Diffie-Hellman parameters used by the ssl_dhparam directive.


PHP Modules installation

sudo apt-get install php7.2-cli php7.2-curl php7.2-fpm php7.2-gd php7.2-opcache php7.2-mbstring php7.2-xml php7.2-xmlrpc php7.2-zip php7.2-mysql

php.ini settings:
cgi.fix_pathinfo=0
allow_url_fopen=Off
opcache.enable=1
opcache.memory_consumption=256
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=7963
opcache.validate_timestamps=0
opcache.revalidate_freq=0
file_uploads = On
upload_max_filesize = 100M
memory_limit = 256M
post_max_size = 32M
max_execution_time = 600
max_input_time = 900

There are 2 specific include files you need to create for SSL certificates.
1. The first one contains the following directives and is site specific:
ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
2. The second one is global and has the following directives:
ssl_session_cache & ssl_session_timeout - these two directives cache the connection parameters of a session so that a returning client can resume it.
ssl_protocols - specifies which SSL/TLS protocol versions we will use on our servers.
ssl_prefer_server_ciphers & ssl_ciphers - choose the cipher suites; this is where the actual encryption is decided.
ssl_dhparam - points to the dhparam.pem generated above, so that a man in the middle cannot hijack the initial SSL handshake.
ssl_stapling, ssl_stapling_verify and resolver - with stapling the web server contacts the certificate authority's OCSP responder, gets a signed response and staples it to the handshake when the connection is set up.
Strict-Transport-Security header - tells the browser to connect only through https and never http.

cron job commands
cron helps to schedule jobs on our server.
1. crontab -l - lists the current user's cron jobs.
2. crontab -e - edit the crontab to create a new cron job.
3. sudo crontab -l and sudo crontab -e - the same as above, but for root's crontab (commands requiring root privileges).

cron job syntax - * * * * * /bin/sh /path/to/script.sh > /dev/null 2>&1
the command is the path to the file containing the commands; the redirect discards its output.
1st * - minutes (0-59)
2nd * - hours (0-23)
3rd * - day of the month (1-31)
4th * - month (1-12)
5th * - day of the week (0-6)
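As an added example that is not part of the original notes, here is a small POSIX shell validator for the five schedule fields using the ranges listed above; it accepts *, a number, a range a-b, a step */n and comma separated lists of those, and rejects anything else. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the notes: check a crontab line's five schedule
# fields against the ranges above before installing it with crontab -e.
# Accepted per field: *, N, A-B, */N and comma separated lists of those.
# Ranges follow the table above, so 7 for Sunday is rejected even though
# many cron implementations accept it.

# is_num STRING -> succeeds when STRING is a non-empty run of digits
is_num() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    return 0
}

# cron_field_ok FIELD MIN MAX -> succeeds when every item lies within MIN..MAX
cron_field_ok() {
    field=$1 min=$2 max=$3
    old_ifs=$IFS
    IFS=','
    set -f                      # split on commas only, never expand * as a glob
    set -- $field
    set +f
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1    # an empty field is invalid
    for item in "$@"; do
        case $item in
            '*') ;;
            '*/'*)              # step: */N with 1 <= N <= MAX
                step=${item#\*/}
                is_num "$step" && [ "$step" -ge 1 ] && [ "$step" -le "$max" ] || return 1 ;;
            *-*)                # range: A-B within MIN..MAX and A <= B
                lo=${item%-*} hi=${item#*-}
                is_num "$lo" && is_num "$hi" && [ "$lo" -ge "$min" ] \
                    && [ "$hi" -le "$max" ] && [ "$lo" -le "$hi" ] || return 1 ;;
            *)                  # single value
                is_num "$item" && [ "$item" -ge "$min" ] && [ "$item" -le "$max" ] || return 1 ;;
        esac
    done
    return 0
}

# cron_line_ok "MIN HOUR DOM MON DOW command..." -> succeeds for a valid schedule
cron_line_ok() {
    set -f
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1    # five schedule fields plus at least one word of command
    cron_field_ok "$1" 0 59 && cron_field_ok "$2" 0 23 && cron_field_ok "$3" 1 31 \
        && cron_field_ok "$4" 1 12 && cron_field_ok "$5" 0 6
}

# usage: the renewal entry from these notes, and a mistaken one (hour 25)
for line in "30 3 14 * * /bin/sh /root/le_renew.sh >/dev/null 2>&1" \
            "30 25 14 * * /bin/sh /root/le_renew.sh >/dev/null 2>&1"; do
    if cron_line_ok "$line"; then echo "ok:  $line"; else echo "bad: $line"; fi
done
```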


Scripts to renew certificate
le_renew.sh
#!/bin/bash
certbot renew --force-renewal
Script to reload nginx
ng_reload.sh
#!/bin/bash
systemctl reload nginx

Commands for creating cron job
(specify nano as the crontab editor - export VISUAL=nano; crontab -e)

1. crontab -e - create a cron job
2. 30 3 14 * * /bin/sh /root/le_renew.sh >/dev/null 2>&1 - renew once a month (at 03:30 on the 14th)
3. 30 4 14 * * /bin/sh /root/ng_reload.sh >/dev/null 2>&1 - reload nginx an hour after the renewal
4. crontab -l - view the user's cron jobs.


Commands for installing Redis
1. sudo add-apt-repository ppa:chris-lea/redis-server - adds a third party repository that provides Redis.
2. sudo apt-get install redis-server php7.2-redis - the two packages to install after running sudo apt-get update.
3. The redis config file is in the /etc/redis directory.
4. Restarting the redis server - sudo systemctl restart redis-server, then restart the php-fpm service.
5. We need to create a persistent cache with the WordPress Redis Object Cache plugin. For that, add these two lines to the wp-config.php file:
define( 'WP_CACHE_KEY_SALT', 'site.com' );
define( 'WP_CACHE', true );

Adding Additional sites to your nginx server
1. configure the DNS of your domain (use nslookup to check that your domain points to your server) (syntax - nslookup domain.com)
2. create the site directories (location: domain.com/public_html/.well-known) (mkdir -p domain.com/public_html/.well-known)
3. copy the default config file in the sites-available directory and edit it:
  a) remove the server_name from the listen directives.
  b) change the root directory to /var/www/domain.com/public_html;
  c) insert index.php in the index directive
  d) add the domain name in the server_name directive
  e) edit location / to try_files $uri $uri/ /index.php?$args; and change the site URL in the WordPress admin dashboard.
  Uncomment the specific lines in the php location block.
  f) create a symbolic link to it in the sites-enabled directory
  g) ngt and ngr (test the configuration, then reload nginx)
4. Create a new database, add a user and grant all privileges to the user.
5. Download WordPress to the server. Configure wp-config.php and install WordPress with all the general details, or move the existing site using the Duplicator plugin (this also needs the php zip package installed).
6. change to the home directory and add or create the wp_permissions.sh file with the five commands for changing permissions.
7. edit the wp-config.php file to set the filesystem method to direct.
8. add the include directives such as headers.conf and wordpress_security.conf to your site's config file in the sites-available directory. These includes must be above the php location block. Inside the php location block include the fastcgi_optimize.conf file.
9. do not reinstall certbot; just run the certonly command (sudo certbot certonly --webroot -w /path -d domain.com -d www.domain.com)
10. change to the /etc/nginx/ssl directory and copy ssl_site1.com.conf to a new file called ssl_site2.com.conf
11. Edit the newly copied file and add your new domain name.
12. Add a new server block which listens on port 80 and redirects the traffic to https. Edit the listen directives in the old server block to listen on 443 and deliver over http2.
13. include the ssl_global file and the ssl_site_specific file below location /
14. change to your site's directory at /var/www/domain.com/public_html and run the wp search-replace command.
15. Edit the wp-config.php file to define WP_AUTO_UPDATE_CORE as true.
16. Remove the try_files directive in your site's configuration file and add the includes optimizations.conf and wp-super-cache.conf.
17. change the permissions of the public_html directory to 775 and of the wp-config.php file to 664.
18. install the wp-super-cache plugin and activate it. Set the caching status to on and test the cache. Click on the advanced tab and set the cache delivery method to expert. Select "don't cache pages for known users". Check the preload mode and increase the interval to 1200 minutes. Change the permissions back to 755.
19. change the access and error logs to /var/log/nginx/domain_access.log; and /var/log/nginx/domain_error.log;




Backups

1. mysqldump - takes all the data from a database and dumps it into a file.
2. sudo mysqldump -u root db_name > backup_filename.sql - back up a database
3. sudo mysqldump -u root db_name | gzip -9 > backup_filename.sql.gz - compress the backup
4. sudo mysql -u root db_name < backup_filename.sql - restore the database
5. gunzip < backup_filename.sql.gz | sudo mysql -u root db_name - restore a database from a gzipped sql file
6. gunzip -k name_of_file.sql.gz - extract the sql file from the gzipped file, keeping the archive



Database Backup bash script

#!/bin/bash
# fill in the database name and user before running
db_name=
db_user=
backup_filename=site_name1-$(date +%F_%H%M)
mysqldump -u "$db_user" "$db_name" | gzip > /home/user/db_backups/"$backup_filename".sql.gz

Site files backup bash script

#!/bin/bash
destination_folder=/home/user/site_backups/
archive_file=domain_name1-$(date +%F_%H%M).tar.gz
/bin/tar -czvf "$destination_folder/$archive_file" /var/www/domain_name1/
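As an added example that is not the notes' own script, the function below makes the database backup safer: the dump is written to a temporary file and its exit status checked before anything is kept (with mysqldump | gzip only gzip's status is visible, so a failed dump can be saved as a "good" backup), the archive is created readable by its owner only because it holds user data and password hashes, and old archives are pruned. db_backup and the DUMP_CMD override are assumptions, the latter so the logic can be exercised without MariaDB.

```shell
#!/bin/sh
# Added example, not the notes' own script. A database backup that:
#  - checks the dump's exit status before keeping anything (a plain
#    `mysqldump | gzip` only reports gzip's status),
#  - writes the archive with owner-only permissions (dumps hold user data
#    and password hashes),
#  - prunes archives older than KEEP_DAYS.
# DUMP_CMD is an assumed override for testing; unset, it runs mysqldump.
#
# db_backup DB_NAME BACKUP_DIR [KEEP_DAYS] -> prints the archive path
db_backup() (
    db_name=$1
    backup_dir=$2
    keep_days=${3:-14}
    dump_cmd=${DUMP_CMD:-"mysqldump -u root $db_name"}

    umask 077                         # only this user can read new files; the
                                      # subshell body keeps it from leaking out
    mkdir -p "$backup_dir" || exit 1
    stamp=$(date +%F_%H%M)
    target="$backup_dir/${db_name}-${stamp}.sql.gz"
    tmp_sql="$target.part.sql"
    tmp_gz="$target.part"

    # 1. dump to a temporary file and check the dump command itself
    if ! $dump_cmd > "$tmp_sql"; then
        rm -f "$tmp_sql"
        echo "dump of $db_name failed; no backup written" >&2
        exit 1
    fi
    # 2. compress, then move into place only once the archive is complete
    if ! gzip -c "$tmp_sql" > "$tmp_gz"; then
        rm -f "$tmp_sql" "$tmp_gz"
        exit 1
    fi
    rm -f "$tmp_sql"
    mv "$tmp_gz" "$target" || exit 1

    # 3. retention: drop archives of this database older than KEEP_DAYS
    find "$backup_dir" -name "${db_name}-*.sql.gz" -type f -mtime +"$keep_days" -exec rm -f {} +
    echo "$target"
)
```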

How to install WP Super Cache

1. Make sure the wp_super_cache.conf file is included in the config file present in the sites-available directory.
2. Install the plugin from the dashboard but don't activate it yet.
3. Run the permissions script.
4. Change the permissions and ownership of the wp-config.php file (664 & USER:www-data) and of the public_html directory (775).
5. Restart the php-fpm service.
6. Then activate the plugin.

How to configure W3 Total Cache

1. Check the permissions of all the contents of the public_html directory.
2. Install w3tc using wp-cli but don't activate it (slug - w3-total-cache).
3. Create an nginx.conf file in the public_html directory and set its permissions and ownership to 664 and $user:www-data.
4. Add a location block (location = /nginx.conf { deny all; }) to the wp_security.conf file in the global directory, so the file is never served to clients.
5. Create a new file in the includes folder in /etc/nginx/ called w3tc_directives.conf.
6. Edit /sites-available/domain.com.conf to include the w3tc directives (include /etc/nginx/includes/w3tc_directives.conf;).
7. Now reload nginx.
8. Now activate w3-total-cache.
9. Restart the php-fpm service.
10. Enable page cache, enable minify and check the manual box in Minify mode. For Fragment cache select disk. Save the settings.
11. Click on Page cache in the left pane. Check "automatically prime the page cache" and "preload the post cache upon publish events". Click on save settings.
12. Reload nginx in the terminal.

Note - Don't install any Redis plugin separately. Just select the Redis option in Object cache.


Ideal File Permissions (to avoid permission problems)

sudo find /var/www/domain/public_html/ -exec chown $USER:www-data {} \;
sudo find /var/www/domain/public_html/ -type f -exec chmod 644 {} \;
sudo find /var/www/domain/public_html/ -type d -exec chmod 755 {} \;
sudo find /var/www/domain/public_html/wp-content/ -exec chown www-data:www-data {} \;
sudo find /var/www/domain/public_html/wp-content/ -type f -exec chmod 664 {} \;
sudo find /var/www/domain/public_html/wp-content/ -type d -exec chmod 775 {} \;
sudo find /var/www/domain/public_html/wp-config.php -exec chmod 664 {} \;
sudo find /var/www/domain/public_html/wp-config.php -exec chown $USER:www-data {} \;







