Installing the Google GCE VM Instance
This is the straightforward installation I have implemented; further reading and googling may be required.
Used the following configuration on GCE:
- 20GB standard boot disk, named <PPD>
- 20GB standard disk as secondary, named <SPD>
- 1 vCPU
- 3.75GB RAM
- Firewall allows HTTP + HTTPS
- All steps are done as root
Boot, update and upgrade
$ nano -w /etc/apt/sources.list
Add:
deb http://nginx.org/packages/mainline/debian/ jessie nginx
deb-src http://nginx.org/packages/mainline/debian/ jessie nginx
$ wget http://nginx.org/keys/nginx_signing.key
$ apt-key add nginx_signing.key
$ apt-get update
$ apt-get upgrade
$ reboot
System Environment
$ dpkg-reconfigure tzdata
and select Asia => Manila
Mount secondary disk
List allocated disks:
$ ls /dev/disk/by-id
Format disk:
$ sudo mkfs.ext4 -F -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/disk/by-id/[DISK_NAME]
where [DISK_NAME] is the id of the secondary disk
Mount disk to directory:
$ mkdir -p [MOUNT_DIR]
where [MOUNT_DIR] is the location of the directory to access the disk
Mount disk with discard:
$ sudo mount -o discard,defaults /dev/disk/by-id/[DISK_NAME] [MOUNT_DIR]
Add the disk to fstab:
$ echo UUID=`sudo blkid -s UUID -o value /dev/disk/by-id/[DISK_NAME]` [MOUNT_DIR] ext4 discard,defaults,[NOFAIL] 0 2 | sudo tee -a /etc/fstab
where [NOFAIL] is the nofail mount option, so the VM still boots if the disk is not attached
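The disk steps above collected into one script, as an added shell example that is not part of the original notes. It adds the two guards a practitioner wants: mkfs.ext4 -F never asks before wiping, so the script refuses to format a device that already carries a filesystem, and the fstab entry is written from the UUID so it survives a device rename. [DISK_NAME] and [MOUNT_DIR] become the two arguments; nofail is assumed as the value of [NOFAIL].

```shell
#!/bin/sh
# Added example, not part of the original notes: the "Mount secondary disk"
# steps as one re-runnable script. Assumed placeholders: [DISK_NAME] and
# [MOUNT_DIR] are the two arguments; "nofail" stands in for [NOFAIL] so the
# VM still boots when the disk is detached. Run as root.

# Build the fstab entry for a UUID and mount point. Pure string work, so it
# can be verified without a real disk.
fstab_entry() {
    printf 'UUID=%s %s ext4 discard,defaults,nofail 0 2\n' "$1" "$2"
}

# Succeed only if the block device already reports a filesystem type.
has_filesystem() {
    blkid -s TYPE -o value "$1" 2>/dev/null | grep -q .
}

# prepare_data_disk DISK_NAME MOUNT_DIR
prepare_data_disk() {
    dev="/dev/disk/by-id/$1"
    mnt="$2"
    if [ ! -b "$dev" ]; then
        echo "no such block device: $dev" >&2
        return 1
    fi
    if has_filesystem "$dev"; then
        echo "$dev already has a filesystem; refusing to run mkfs" >&2
        return 1
    fi
    mkfs.ext4 -F -E lazy_itable_init=0,lazy_journal_init=0,discard "$dev" || return 1
    mkdir -p "$mnt"
    mount -o discard,defaults "$dev" "$mnt" || return 1
    uuid=$(blkid -s UUID -o value "$dev")
    # Append only if no entry for this UUID exists, so re-running is harmless.
    if ! grep -q "^UUID=$uuid " /etc/fstab; then
        fstab_entry "$uuid" "$mnt" >> /etc/fstab
    fi
    # "mount -a" proves the new fstab line parses before a reboot depends on it.
    mount -a
}

# Usage, with the disk name as listed by: ls /dev/disk/by-id
#   prepare_data_disk [DISK_NAME] /mnt/data
```

The UUID-based fstab line is the part worth keeping even if you run the other steps by hand: /dev/sdb can change after the VM is recreated with a different disk order, while the UUID stays with the filesystem.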
Install NGINX
$ apt-get install nginx
$ nano -w /etc/nginx/nginx.conf
In the http block, set (so responses do not advertise the nginx version):
server_tokens off;

$ nano -w /etc/nginx/conf.d/virtualhost.conf
The location blocks must sit inside the server block that serves the site (nginx does not accept location outside server); that block gets its certificate lines under "Add SSL Certificate on NGINX" below and will not start until they are in place.

# plain HTTP only redirects to HTTPS
server {
    listen 80;
    server_name >domain<;
    return 301 https://>domain<$request_uri;
}

# the site itself; ssl_* directives are added in the SSL section
server {
    listen 443 ssl;
    server_name >domain<;

    location / {
        try_files $uri $uri/ @backend;
    }

    # anything nginx cannot serve as a static file goes to Apache on loopback
    location @backend {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Systems-By info@systemsbybit.com;
        proxy_set_header Server SystemsByBit;
        proxy_pass http://127.0.0.1:8000;
    }

    # PHP is always handled by Apache
    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Systems-By info@systemsbybit.com;
        proxy_set_header Server SystemsByBit;
        proxy_pass http://127.0.0.1:8000;
    }
}

$ nano -w /etc/nginx/cache.conf
Include this file from inside the site's server block (include /etc/nginx/cache.conf;), for the same reason: location is only valid in server context.

# Expire rules for static content
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    expires -1;
}

# Feed
location ~* \.(?:rss|atom)$ {
    expires 1h;
    add_header Cache-Control "public";
}

# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 31536000s;
    access_log off;
    add_header Cache-Control "public";
    add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    log_not_found off;
}

# CSS and Javascript
location ~* \.(?:css|js)$ {
    expires 31536000s;
    access_log off;
    add_header Cache-Control "public";
    add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    log_not_found off;
}

# htaccess
location ~ /\.ht {
    deny all;
    access_log off;
}

# error
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /var/www;
}
error_page 404 /404.html;
location = /404.html {
    root /var/www;
}
Install Apache + PHP
$ apt-get install apache2 php5 php-pear php5-mysql php5-intl php5-dev
$ nano -w /etc/apache2/ports.conf
Apache listens on loopback only; nginx is the only thing in front of it.
Listen 127.0.0.1:8000

$ nano -w /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off

$ nano -w /etc/apache2/sites-enabled/000-default.conf
DocumentRoot /var/www/html
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks +MultiViews
    # With "Order deny,allow" the default is allow, so "Deny from all" is needed
    # for the Allow line to mean anything (Apache 2.4 form: Require ip 127.0.0.1).
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

$ apt-get install libapache2-mod-security2
$ cd /etc/modsecurity/
$ mv modsecurity.conf-recommended modsecurity.conf
$ nano -w modsecurity.conf
SecRuleEngine On
SecResponseBodyAccess Off

$ nano -w /etc/apache2/mods-enabled/modsecurity.conf
Include "/usr/share/modsecurity-crs/*.conf"
Include "/usr/share/modsecurity-crs/activated_rules/*.conf"

$ cd /usr/share/modsecurity-crs/activated_rules/
$ ln -s ../base_rules/[RULE_FILE] .
where [RULE_FILE] is a rule file from base_rules/ to activate; repeat for each rule set you want enabled
Install PHP-Suhosin
$ wget https://download.suhosin.org/suhosin-0.9.38.tar.gz
$ tar -xzvf suhosin-0.9.38.tar.gz
$ cd suhosin-0.9.38
$ phpize
$ ./configure
$ make
$ make install
Take note of the location of suhosin.so printed during installation (mine is /usr/lib/php5/20131226/). If you can't find it:
$ find / -name suhosin.so 2>/dev/null
Add to php.ini:
extension=/usr/lib/php5/20131226/suhosin.so
Check that /etc/php5/apache2/php.ini has:
expose_php = Off
register_globals = Off    ; removed in PHP 5.4, so PHP 5.6 ignores this line
error_log = /var/log/php-error.log
post_max_size = 16M
max_file_uploads = 16
date.timezone = Asia/Manila
cgi.fix_pathinfo = 0
Add IonCube
$ wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
$ tar -zxvf ioncube_loaders_lin_x86-64.tar.gz
$ mv ioncube /usr/local/
Add to /etc/php5/apache2/php.ini:
zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.6.so
Add SSL Certificate on NGINX
# force redirect from http to https
server {
    listen 80;
    server_name systemsbybit.com;
    return 301 https://systemsbybit.com$request_uri;
}

server {
    listen 443 ssl;
    ssl on;
    server_name systemsbybit.com;
    ssl_certificate <cert_path>/bundle.crt;
    ssl_certificate_key <cert_path>/private/private.key;
    root <web_root_path>;
    index index.php index.html index.htm;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    # plus the rest of the config
}
TLSv1, TLSv1.1 and the 3DES suites (DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA; the !DES exclusion does not cover 3DES) are here only for old clients. A current deployment should keep TLSv1.2 and the ECDHE GCM suites and drop the rest.
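An offline sanity check for the settings this front end relies on, as an added shell example that is not part of the original notes: check_nginx_conf covers the nginx config from "Install NGINX" and this SSL section (server_tokens off, every proxy_pass pointing at loopback, port 80 only redirecting, no SSLv2/SSLv3), and check_php_ini covers the php.ini values from "Install Apache + PHP". The sample config files it creates are constructed for a self-test and are not the author's files.

```shell
#!/bin/sh
# Added example, not part of the original notes: offline checks for the
# nginx and php.ini settings the setup depends on. The sample files created
# at the bottom are constructed for a self-test; the live paths are the ones
# the notes use.

# --- nginx -----------------------------------------------------------------
# Return 0 if the nginx config in file $1 passes; print one FAIL line per problem.
check_nginx_conf() {
    conf=$(sed 's/#.*//' "$1")   # drop comments so a commented-out directive does not count
    rc=0
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' \
        || { echo "FAIL: server_tokens is not off (nginx version is advertised)"; rc=1; }
    # Apache is bound to 127.0.0.1:8000 only, so every proxy_pass must target loopback.
    bad=$(printf '%s\n' "$conf" | grep -E 'proxy_pass' \
          | grep -Ev 'proxy_pass[[:space:]]+https?://127\.0\.0\.1[:;/]' || true)
    [ -z "$bad" ] || { echo "FAIL: proxy_pass to a non-loopback upstream:"; echo "$bad"; rc=1; }
    # A plain-HTTP listener must redirect to HTTPS, not serve the site.
    if printf '%s\n' "$conf" | grep -Eq 'listen[[:space:]]+80[[:space:]]*;' \
       && ! printf '%s\n' "$conf" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "FAIL: port 80 listener without a 301 redirect to https"; rc=1
    fi
    # SSLv2/SSLv3 must never appear in ssl_protocols.
    printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*SSLv' \
        && { echo "FAIL: ssl_protocols enables SSLv2/SSLv3"; rc=1; }
    return $rc
}

# --- php.ini ----------------------------------------------------------------
# Print the effective value of key $2 in ini file $1: ';' comments and
# surrounding whitespace are ignored, the last assignment wins, unset prints nothing.
php_ini_get() {
    sed 's/;.*//' "$1" | awk -F= -v key="$2" '
        { k=$1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val=v }
        END { print val }'
}

# Return 0 if php.ini $1 carries the hardening values the notes set.
check_php_ini() {
    ini="$1"; rc=0
    for pair in "expose_php=off" "cgi.fix_pathinfo=0"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(php_ini_get "$ini" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || { echo "FAIL: $key is '$got', expected $want"; rc=1; }
    done
    [ -n "$(php_ini_get "$ini" error_log)" ] || { echo "FAIL: error_log is not set"; rc=1; }
    return $rc
}

# --- constructed self-test inputs (not the author's files) -------------------
TMP=$(mktemp -d)
cat > "$TMP/good.conf" <<'EOF'
server_tokens off;
server { listen 80; server_name example.invalid; return 301 https://example.invalid$request_uri; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # mirrors the notes' setting
    location @backend { proxy_pass http://127.0.0.1:8000; }
}
EOF
cat > "$TMP/bad.conf" <<'EOF'
server_tokens on;
server { listen 80; location / { proxy_pass http://10.0.0.5:8000; } }
server { listen 443 ssl; ssl_protocols SSLv3 TLSv1; }
EOF
cat > "$TMP/good.ini" <<'EOF'
[PHP]
; comments are ignored
expose_php = Off
error_log=/var/log/php-error.log
cgi.fix_pathinfo=0
EOF
cat > "$TMP/bad.ini" <<'EOF'
expose_php = On
; cgi.fix_pathinfo=0   <- commented out, so it must not count
EOF

# On the live host, check the whole effective nginx config, not one file:
#   nginx -T > /tmp/nginx-full.conf && check_nginx_conf /tmp/nginx-full.conf
#   check_php_ini /etc/php5/apache2/php.ini
```

nginx -T dumps every included file, so the proxy_pass and ssl_protocols checks see conf.d/virtualhost.conf and cache.conf together with nginx.conf; running the check on nginx.conf alone would miss them.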
Install MySQL Client
The database server is hosted on another VM; this VM only holds the web pages.
$ apt-get install mysql-client
Other Modules, Libraries
$ apt-get install fail2ban
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano -w /etc/fail2ban/jail.local

[nginx-http-auth]
enabled = true
...
[nginx-noscript]
enabled = true
...
[nginx-badbots]
enabled = true
...
[nginx-nohome]
enabled = true