This is a guide to help you deploy a web server on CentOS 8 the right way, especially on a virtual private server from a provider such as DigitalOcean, Linode or Vultr. My favorite VPS provider is Contabo. Please have a look.
Before jumping in and installing Apache you should have a regular, non-root user with sudo privileges configured on your server. Additionally, you will need to enable a basic firewall to block non-essential ports.
Step 1 — Create a New Sudo User
It's good practice not to use root as your go-to user and to always use a sudo user instead.
Let’s begin by updating the local package index to reflect the latest upstream changes:
yum update -y && yum upgrade -y
Now let's add a new user
adduser username
After adding the new user, let's set its password
passwd username
Now let's add the user to the wheel of glory :). This gives the new user the power of sudo; in other words, it adds the user to the sudoers group.
usermod -aG wheel username
Step 2 — Changing the hostname (Optional)
If you don't have the correct hostname, it's good practice to set it. In my case the domain name that Contabo provided is vmixxx.contaboserver.net, so I will set the hostname to this domain. If you have purchased a specific domain name, you can set that domain as the hostname.
Let's first check the current hostname
cat /etc/hostname && hostname
After this, if you want to change the hostname, run the following command
hostnamectl set-hostname vmixxx.contaboserver.net
To persist the changes and to log in with the newly created user, let's reboot the server.
systemctl reboot
Log back in with the newly created sudo user
ssh username@server_ip -p22
Step 3 — Install net-tools, Install a Terminal-Based Text Editor and Change the Time Zone of the Server
net-tools is necessary to run commands like arp, hostname, ifconfig, netstat, rarp, route, plipconfig, slattach and mii-tool. There is a wide variety of use cases for each of these commands. For this tutorial we will need netstat, a command-line utility that lists all the network (socket) connections on a system: TCP, UDP and Unix socket connections. See also: 20 Netstat Commands for Linux Network Management
sudo yum install net-tools
Now let's install our favorite terminal-based editors.
sudo yum install nano vim -y
When a server is provisioned, the default time zone is UTC. In most cases this needs to be changed.
Check the current time zone
timedatectl
List all the available time zones to set the specific time zone you want
timedatectl list-timezones
If you want to search for a specific location, you can do so by piping the list through grep with the location name
timedatectl list-timezones | grep Maldives
Set the time zone. In my case it's Maldives, so I will be using Indian/Maldives
sudo timedatectl set-timezone Indian/Maldives
Now let's check if the time zone has been changed
date && ls -l /etc/localtime
Step 4 — Set Up and Configure the Firewall
Before testing Apache, it’s necessary to modify the firewall settings to allow outside access to the default web ports.
If you do not have firewalld installed, let's install it first
sudo yum install firewalld
After installing firewalld, let's enable the firewalld service. This makes the firewall start again after a reboot.
sudo systemctl enable firewalld
Now let's start the firewall
sudo systemctl start firewalld
Let's check the state of the firewalld service
sudo firewall-cmd --state
The default zone is normally public, but you can set other zones if you prefer. For this tutorial I will be sticking with the public zone. List the services and ports it currently allows:
sudo firewall-cmd --zone=public --list-services --permanent
sudo firewall-cmd --zone=public --list-ports
Step 5 — Install or Run Cockpit (Optional)
Cockpit is an easy-to-use, lightweight and simple yet powerful remote manager for GNU/Linux servers, it's an interactive server administration user interface that offers a live Linux session via a web browser.
sudo yum install cockpit
Whenever you want to start the service, run the following command. I prefer this way, so that the service will not be open when it's not needed
sudo systemctl start cockpit
sudo firewall-cmd --permanent --zone=public --add-service=cockpit
sudo firewall-cmd --reload
The default port that Cockpit uses is 9090, so you can open it in a web browser, e.g. "server_ip:9090"
Step 6 — Install Apache
sudo yum install httpd -y
Now let's open the ports for Apache: the http and https ports
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
After opening the ports, let's reload the firewall to apply the configuration
sudo firewall-cmd --reload
Now let's start Apache
sudo systemctl start httpd
To keep Apache running after a reboot
sudo systemctl enable httpd
OK, now let's check the status
sudo systemctl status httpd
Now you can open your browser and type your IP. For now it will be on port 80, e.g. "server_ip"
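To confirm that the public zone exposes only what this guide opened, the following added example (not part of the original guide) filters the output of firewall-cmd --zone=public --list-all against an allowlist. The allowlist and the sample output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare what firewalld exposes with what this guide opened.
# ALLOWED is an assumption: ssh, cockpit and the two web ports from the guide.
ALLOWED="ssh cockpit 80/tcp 443/tcp"

# Reads `firewall-cmd --zone=public --list-all` output on stdin and prints
# every service or port that is not in ALLOWED, one per line.
unexpected_exposure() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only the "services:" and "ports:" lines; "source-ports:" is skipped.
        $1 == "services:" || $1 == "ports:" {
            for (i = 2; i <= NF; i++) if (!($i in ok)) print $i
        }'
}

# Constructed sample of the command output, so the check runs offline.
sample_output() {
    cat <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 443/tcp 3306/tcp
  protocols:
  source-ports:
EOF
}

# On a real server:
#   sudo firewall-cmd --zone=public --list-all | unexpected_exposure
sample_output | unexpected_exposure
```

Anything it prints is reachable from outside and was not opened by this guide; an empty result means the zone matches the allowlist.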
Step 7 — Secure Apache with a Free SSL Certificate (Optional)
First let's install the necessary modules and repositories. We will be using certbot. For more information regarding certbot please visit certbot.eff.org
sudo yum install mod_ssl openssl -y
sudo yum install epel-release
sudo yum upgrade
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
It's better to reboot the system after installing snap. Now let's install snap core, which is vital for the installation of certbot. You might have to run the command twice in case you get the error "too early for operation, device not yet seeded or device model not acknowledged"
sudo snap install core
sudo snap refresh core
Now let's make sure that there is no existing certbot installation on the server
certbot
sudo dnf remove certbot && sudo yum remove certbot
Now let's install certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
In the meantime, let's also remove the default Apache configuration for ports 80 (http) and 443 (https) and replace it with our own. To keep the files for future reference, I will rename them to .txt.
sudo mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.txt
Renaming ssl.conf is vital since it references certificates that do not exist on the server; otherwise you will run into an error when you try to generate the certs using certbot.
sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.txt
Now let's create an index.html with "Hello World" in it, just to verify the configuration
sudo nano /var/www/html/index.html
Please add some text to the file and save.
For the http configuration, do as below
sudo nano /etc/httpd/conf.d/80.conf
Now add the configuration below to the newly created conf file. Note: use the domain name that you acquired here
<VirtualHost *:80>
ServerName vmixxx.contaboserver.net
ServerAlias www.vmixxx.contaboserver.net
DocumentRoot /var/www/html
</VirtualHost>
Save and close the file. Let's reload Apache for the changes to apply.
sudo systemctl reload httpd
Please verify that the configuration works before running the next command
sudo certbot certonly --apache
During the above process, select or type the domain name for which you want to obtain the SSL certs.
After generating the certificates successfully, the certs will appear in the following locations:
/etc/letsencrypt/live/vmixxx.contaboserver.net/fullchain.pem
/etc/letsencrypt/live/vmixxx.contaboserver.net/privkey.pem
Now let's configure port 443 for SSL.
sudo nano /etc/httpd/conf.d/443.conf
Open the file and write as below
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName vmixxx.contaboserver.net
ServerAlias www.vmixxx.contaboserver.net
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/vmixxx.contaboserver.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/vmixxx.contaboserver.net/privkey.pem"
</VirtualHost>
It's always good practice to force https. Therefore, now change the port 80 (http) configuration as below
sudo nano /etc/httpd/conf.d/80.conf
<VirtualHost *:80>
ServerName vmixxx.contaboserver.net
ServerAlias www.vmixxx.contaboserver.net
Redirect permanent / https://vmixxx.contaboserver.net/
#DocumentRoot /var/www/html
</VirtualHost>
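Before reloading Apache with the final files, it helps to check that port 80 only redirects and that port 443 has TLS fully configured. The script below is an added example, not part of the original guide; the function names are hypothetical and the sample files are a trimmed, constructed copy of the guide's 80.conf and 443.conf.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): lint the two vhost files
# before reloading Apache. File names 80.conf/443.conf follow the guide.

# check_vhosts DIR prints one line per problem and returns the problem count.
check_vhosts() {
    dir=$1; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    active() { grep -Ev '^[[:space:]]*#' "$1"; }   # drop commented-out lines

    active "$dir/80.conf" | grep -Eq '^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]+https://' \
        || fail "80.conf does not redirect / to https://"
    active "$dir/80.conf" | grep -Eq '^[[:space:]]*DocumentRoot' \
        && fail "80.conf still serves content over plain http"
    active "$dir/443.conf" | grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' \
        || fail "443.conf has no 'SSLEngine on'"
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        active "$dir/443.conf" | grep -Eq "^[[:space:]]*$d[[:space:]]" \
            || fail "443.conf is missing $d"
    done
    return "$problems"
}

# Constructed sample: trimmed copies of the guide's final files in a temp dir.
write_sample() {
    cat > "$1/80.conf" <<'EOF'
<VirtualHost *:80>
ServerName vmixxx.contaboserver.net
Redirect permanent / https://vmixxx.contaboserver.net/
#DocumentRoot /var/www/html
</VirtualHost>
EOF
    cat > "$1/443.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
ServerName vmixxx.contaboserver.net
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/vmixxx.contaboserver.net/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/vmixxx.contaboserver.net/privkey.pem"
</VirtualHost>
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
check_vhosts "$tmp" && echo "vhost files look consistent"
rm -rf "$tmp"
# On the server: check_vhosts /etc/httpd/conf.d && sudo apachectl configtest && sudo systemctl reload httpd
```

The new 80.conf takes effect only after Apache is reloaded, which is why the server-side command ends with the reload.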