All Things Techie With Huge, Unstructured, Intuitive Leaps

Setting Up A Wordpress Website On A Centos Virtual Server Using Apache



OK, so the web developer sends you a Wordpress zipped directory. Over to you. You have to set it up on a clean virtual server with Centos 7 Linux, and Apache web server. Here is a quick walk-through with some problems to solve along the way.

Necessary Security

Most of my applications are fintech related and have to be hack proof,so the first objective was to get rid of username/password authentication and sign in with a private key.  The instructions for doing that are found here:  https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

So once you log in with your key, you want to be root so in the terminal program. I use PUTTY ( https://www.putty.org/ ),  Type in:   sudo -i

Creating A Certificate Signing Request To Make Website HTTPS Secure

You want to make a website secure so you need a certificate to allow you to use https. The way you do that, is you type into the PUTTY terminal:  openssl req -new -newkey rsa:2048 -nodes -keyout your_domain_name.key -out  More details found here: https://www.digicert.com/easy-csr/openssl.htm

The output is a .csr or certificate signing request. A key is also created in the form of your_domain_name.key.  The .csr is a text file with the key request. It is a bunch of numbers and letters - a big bunch. Go to your certificate authority (I use Godaddy) and request a Certificate (they cost around $60) and paste in the CSR file that you made when they ask for you.  You then download a zip folder that has two certs or certificates. One is for the server. One is a certificate bundle for the Certificate Authority (in this case Godaddy who buys them from MacAfee), and you will also need your_domain_name.key that you made with the openssl command.


An Ordinary HTTP Website Without SSL or Certificate

For an ordinary website without the certificate, you will need to modify /etc/httpd/conf/httpd.conf.  I like using the vi editor.  It is vi /etc/httpd/conf/httpd.conf.     Hit Shift + i to insert. Scroll down to the Listen directive and type in  Listen 80 to listen on port 80. Hit escape, type a colon and enter wq for write, quit and you are done.

Then you need to go up a directory and go into conf.d and make a file called mydomain.conf that looks like this:

<VirtualHost *:80>
ServerAdmin yourname@yourmail.com
DocumentRoot "/var/www/html/nameOfWebStuffDirectory/"
ServerName myDomainName.com without the www.
ServerAlias www.myDomainName.com
ErrorLog "/var/log/httpd/domainName.com-error_log"
CustomLog "/var/log/httpd/domainName.com-access_log" combined

<Directory "/var/www/html/nameOfWebStuffDirectory/">
DirectoryIndex index.html index.php
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>

Save the file. Then go to /var/www/html and make a directory with the name as above  nameOfWebStuffDirectory  using the mkdir command. SFTP all your stuff to the server and move it the new directory in /var/www/html/.  Now you want Apache to own the files so you type this in:  chown apache:apache -R /var/www/html/nameOfWebStuffDirectory/ 
You should also check the permissions. All folders should have chmod 750 foldername and all files should have chmod 640 filename.

MySQL Database Setup

Generally the web developer will provide an sql script. You load it in the usual way.  If the sql script doesn't have the "create database" directive, you have to do it manually:

mysql -uroot -pPASSWORD
create database database_name;
exit

Then you load the database:
mysql -uroot -pPASSWORD database_name < sqlfilefromDeveloper.sql

You have to go to /var/www/html/nameOfWebStuffDirectory   and edit the wp-config.php Wordpress file to change the name of the database to that of what you created. You also have to enter a username and password for the database. Again, I use vi as an editor because what I am used to. As a final step you have to update the Wordpress siteurl and home in the database:
mysql -uroot -pPASSWORD database_name
update wp_options set option_value='http://myDomainName.com' where  option_name='siteurl';

update wp_options set option_value='http://myDomainName.com' where  option_name='home';
exit
If you are using https, you should use that for the domain names in the update statement.

Start Apache
Then you start Apache with apachectl start or you can use /sbin/service httpd start. Other possible commands are stop and restart with the same command syntax.

The Dreaded 403 Forbidden Error With Wordpress
After uploading your files and doing all of the correct things, I was hit with the website being unable to load and the browser displayed 403 Forbidden You don't have permission to access ...   There are four possible things to fix. The first is a corrupt .htaccess file in the root directory.  Change its name to something else. If you website works you have found the problem. The second is actual permissions problems. All folders should be chmod 750 and files should be chmod 640. The third possibility is corrupt plugins. Disable all of your plugins by renaming the plugins folder located in wp-content folder. If you website works, then put the name back on the plugins folder, go inside and rename them all. Then add one at a time until you find the corrupt one.  If that is not your problem, then the last thing to do, is to type in the following two commands as root:

setsebool -P httpd_enable_homedirs true

chcon -R -t httpd_sys_content_t /var/www/html/nameOfYourWebRootFolder/


Using SSL And Certificates for HTTPS Secure Website

Find the certificates that you got when you bought them and uploaded them to the server. You should have a server certificate that is just a bunch of letters & numbers with a .crt.  You have a CA bundle cert and it should have the word bundle in the title. And you need your mydomain.key from the CSR operation described above. Move them all using the mv command to /etc/ssl/certs/.  Then you run the following command: restorecon -RvF /etc/ssl/certs/ 

Force Apache to Use HTTPS Pages & Files

To force the Apache to use HTTPS all the time, you must re-write each http url.  Go to /etc/httpd/conf and edit /etc/httpd/conf/httpd.conf.  Add the following lines at the end:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

Then you must create an ssl.conf file.

Create The ssl.conf File

Go to the /etc/httpd/conf.d directory and you should find a file named ssl.confrpm.new. Copy it and name the copy ssl.conf.  Edit it.  Here are the fields that you should edit (the comments are from the file and are reproduced here so you can find the fields):

#   Enable/Disable SSL for this virtual host.
SSLEngine on

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/nameofFolderWebStuff"
ServerName www.yourDomainName.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/ssl/certs/serverCertname.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/ssl/certs/yourDomainName.key
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/ssl/certs/gd_bundle-g2-g1.crt

You may need to add this under the first directory section:

    <Directory /var/www/html/webstuffDirectory>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

Save the file. Then start the apache server:  apachectl start.

Sending Mail And Apache Linux Will Not Send Mail Problem

First of all, let me state that if you are on a virtual server in the cloud, or you are with AWS Amazon, Google Cloud or Microsoft Azure, you cannot send or use Linux sendmail on Port 25. It is blocked.  That's because unscrupulous pigs would create a virtual, send a million spam, tear it down and do it again.  So lets deal with the issue first that sendmail doesn't work and you are on a non-cloud server or at least an ISP that lets you send Linux mail on port 25.

Most distributions do not have send mail. To find out if you have it: netstat -tnlp | grep sendmail
If you don't have it, install it: sudo yum install sendmail-cf
Then you have to edit your daemon options. Edit the /etc/mail/sendmail.mc file. Look for the entry:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Change it to:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
Save the file, run: make
Then restart sendmail: sudo systemctl restart sendmail

If you still can't send mail, you have to make sure that port 25 is open on your machine. There are a couple of ways of doing this, either with the firewall daemon, or the iptables depending on what you have running, but that is beyond the scope of this post. Google is your friend.

But I did get around sending mail on a restricted server. You have to use a legitimate SMTP relay. I used SendGrid https://sendgrid.com/ The first month is free and allows you 40,000 emails, and each month is around $10 afterwards. They have various plans.

There you have it in a nutshell.  If I had this before I started, I could have saved myself a day of heartache.

No comments:

Post a Comment