ITCooky Recipes

Lets cooky it yammy things!

How to move a WordPress website, with the phpBB forum, to the new RUVDS server with everything and letsencrypt, http2!

Date: April 18, 2020

I’ve already moved from one VPS to another several times (the last time was in 2016, described in “Configuring, moving, testing a new VPS on CentOS 6!”). It is easy to tell when it is time to run from one hoster to another. First, look at the price: if your hoster is far behind the market, the hoster is already rotten, or at least has stopped developing and growing. Second: if the website is slow in the afternoon with the same configuration and the same number of visitors as in the morning, this is not a shortage of resources, just an old server: a crappy hoster!

My website was on hc.ru, but nic.ru devoured it: one day I logged in to my personal account and was told that I was no longer their client and should go to another site … shameless and rude, what the hell! The price was still the same, and there was no offer to move to the new hoster’s servers; apparently nic.ru had a marketing strategy: let them pay while they pay, and then they can go to hell!

Well, so I ended up at RUVDS, because they have their own section on habr.ru and the comments there are not only negative. I chose a plan with more cores, which I think will be useful for php-fpm, and a clean CentOS 7.

In about an hour the server is installed; there is a progress bar in your account. First of all, let’s look at what they gave us
uname -a

Linux ruvds-z2aro 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

We look at how many bits the OS is
uname -m

x86_64

64-bit, good
How many cores
nproc

4

Let’s update
yum update
I see that openssl is too old for my web server: version 1.0.2 is not suitable for http2, and browsers offer http2 only over SSL (the protocol also works without SSL, the browsers are just being overly cautious)!

After the update (a kernel update was listed), I reboot
reboot

It is common practice not to let root connect over ssh directly: you first log in as an ordinary user and then raise your privileges to root.
useradd user
passwd user

We give this user the right to log in via ssh (it already has it; what this really does is prohibit everyone else)
vi /etc/ssh/sshd_config

add line

AllowUsers user

and prohibit root

PermitRootLogin no

restart ssh
service sshd restart

Now only this user can log in over ssh, and then raise privileges with
su
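
For single-valued keywords such as PermitRootLogin, sshd uses the first value it reads, so a line appended at the end of sshd_config has no effect if the keyword was already set higher up. The script below is an added example, not part of the original post, that reports the value sshd would actually use; the sample config and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the value sshd will really use for a keyword.
# Keywords are case-insensitive; for single-valued keywords the first
# occurrence in the global section wins and later duplicates are ignored.
# On a live server, "sshd -t" checks the syntax before a restart.

# effective_sshd_value KEYWORD FILE -> prints the first global value, or nothing
effective_sshd_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }        # a Match block ends the global section
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit   # first occurrence wins
        }
    ' "$2"
}

# check_ssh_hardening FILE -> 0 only if root login is off and AllowUsers is set
check_ssh_hardening() {
    root=$(effective_sshd_value PermitRootLogin "$1")
    users=$(effective_sshd_value AllowUsers "$1")
    [ "$root" = "no" ] && [ -n "$users" ]
}

# Constructed sample: an earlier "PermitRootLogin yes" shadows the appended "no".
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# lines appended at the end of the file
AllowUsers user
PermitRootLogin no
EOF
}

demo() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    echo "effective PermitRootLogin: $(effective_sshd_value PermitRootLogin "$cfg")"
    check_ssh_hardening "$cfg" || echo "root login over ssh is still allowed"
    rm -f "$cfg"
}
demo
```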

We fix the time on the server
The time zone is correct, but the time is completely wrong, the minutes don’t even match. I install ntp
yum install ntp
I activate it so that it starts at boot
systemctl start ntpd
systemctl enable ntpd

And I look at what it reports and what time it is now on the server
ntpq -p
date -R

The time is accurate now

Preparing a web server for http2
First you need to update openssl; it is very old now
openssl version
shows

OpenSSL 1.0.2k-fips 26 Jan 2017

To compile from source you need to install this; other packages will be needed anyway, we will install them later
yum group install 'Development Tools'
yum install wget

We go to the folder where everything will be downloaded
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1e.tar.gz
tar -xf openssl-1.1.1e.tar.gz

We go into the folder and start the build. If there are errors, you should investigate and correct them.
cd openssl-1.1.1e
./config
make
make install

After compilation, you must copy the compiled files.
cp /usr/local/bin/openssl /bin
cp /usr/local/lib64/libcrypto.so.1.1 /lib64
cp /usr/local/lib64/libssl.so.1.1 /lib64

The new version is installed. Since it was put in by hand, there is a concern that yum will install some other version when updating
openssl version

OpenSSL 1.1.1e 17 Mar 2020
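
The tarball above is unpacked and built as root without any integrity check. The script below is an added example, not part of the original post, that refuses to continue unless the file's SHA-256 matches a published digest; the expected digest is assumed to be copied from the project's download page, and the demo uses a constructed stand-in file instead of the real tarball.

```shell
#!/bin/sh
# Added example: verify a downloaded source tarball before unpacking it.

# sha256_of FILE -> prints the lowercase hex digest
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# digest_from_text TEXT -> first standalone 64-hex-digit token, so a bare digest
# and the "digest  filename" layout of sha256sum output are both accepted
digest_from_text() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | grep -owE '[0-9a-f]{64}' | head -n 1
}

# verify_tarball FILE EXPECTED_TEXT -> 0 on match, 1 on mismatch or missing digest
verify_tarball() {
    expected=$(digest_from_text "$2")
    [ -n "$expected" ] || { echo "no SHA-256 digest supplied for $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $1, not unpacking" >&2
        return 1
    fi
}

# Constructed demo: a stand-in file plays the role of the downloaded tarball.
demo() {
    f=$(mktemp)
    printf 'constructed stand-in for a source tarball\n' > "$f"
    good="$(sha256_of "$f")  $(basename "$f")"
    verify_tarball "$f" "$good" && echo "digest ok, safe to run tar -xf"
    printf 'tampered\n' >> "$f"
    verify_tarball "$f" "$good" 2>/dev/null || echo "modified file rejected"
    rm -f "$f"
}
demo
```

The same function fits the nginx and Sphinx tarballs downloaded later; for the MySQL repository package the md5sum output also has to be compared with the published value to mean anything.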

Install http2-capable nginx
It must also be a recent version, and moreover it has to be built with special parameters
cd /usr/local/src
wget https://nginx.org/download/nginx-1.17.9.tar.gz
tar -xf nginx-1.17.9.tar.gz
cd nginx-1.17.9

I know the build will require installing these
yum install pcre-devel
yum install gd-devel
yum install zlib-devel
yum install openssl-devel

And the build command itself, with the minimum necessary arguments; the last one says where our openssl sources are: /usr/local/src/openssl-1.1.1e/

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.1.1e/
make
make install

This installation is more automated: it puts the files where they need to be right away, and you can already see the version
nginx -v

nginx version: nginx/1.17.9

Add the nginx user and give it the folder
useradd nginx
chown -R nginx:nginx /etc/nginx/

You also need to create a file that helps start and stop nginx
vi /usr/lib/systemd/system/nginx.service
add this text

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/conf/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Launch it
systemctl start nginx
systemctl enable nginx

Since this is CentOS, you still have to open the ports
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

it works

Install Mysql
CentOS, I don’t know what’s wrong with this OS, I don’t understand: there is nothing essential in the repositories, and for MySQL you also have to install everything by hand here!!!

We go into the folder, download and install the package
cd /usr/local/src
wget https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
md5sum mysql80-community-release-el7-3.noarch.rpm
rpm -ivh mysql80-community-release-el7-3.noarch.rpm

install this and select the MySQL version
yum install yum-utils
yum-config-manager --disable mysql80-community
yum-config-manager --enable mysql57-community

install
yum install mysql-community-server mysql-devel

run
systemctl start mysqld
systemctl enable mysqld

find the temporary password
grep "password" /var/log/mysqld.log
Then run this and change the other settings
mysql_secure_installation

Install php 7.2
Again everything with my own hands: phpBB only works on php 7.2, so that is what you need to install
yum install epel-release
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum --enablerepo=remi-php72 install php php-fpm php-mysql php-xml php-gd php-mbstring

php-xml – needed for phpBB
php-gd – needed for images in a phpBB addon
php-mbstring – with it phpBB works better, and so does the Sphinx search

For the newly installed modules to take effect, you need to restart php-fpm

edit php-fpm settings
vi /etc/php-fpm.d/www.conf
change this (aaaaa, haha, it says apache there)

user = nginx
group = nginx

and also

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

and

listen = /var/run/php.sock

With the default folder on CentOS 7 the process did not start, so I changed the folder in the configuration

and also

pm = static
pm.max_children = 10

also do this
mkdir /var/lib/php/session
chown -R nginx:nginx /var/lib/php/session

To start you need
systemctl start php-fpm.service
systemctl enable php-fpm.service

Website test launch
I make a folder for future sites
mkdir /usr/local/www
I copy the nginx files there
cp -r /etc/nginx/html /usr/local/www
I make a file there
vi /usr/local/www/html/info.php
with this text

<?php
phpinfo();
?>

And we change the nginx settings
here
vi /etc/nginx/conf/nginx.conf
put

#user nobody;
worker_processes 4;

error_log  /dev/null crit;

#pid logs/nginx.pid;

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

#gzip on;

include /etc/nginx/conf/conf.d/*.conf;

}

Create a folder where we will put the site configurations
mkdir /etc/nginx/conf/conf.d
create
vi /etc/nginx/conf/conf.d/default.conf
with this text

#
# The default server
#
server {
listen 80;
server_name localhost;

#charset koi8-r;

#access_log logs/host.access.log main;

location / {
root /usr/local/www/html;
index index.php index.html index.htm;
}

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to the php-fpm FastCGI server listening on the unix socket

location ~ \.php$ {
root /usr/local/www/html;
fastcgi_pass unix:/var/run/php.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
}

restart nginx and php-fpm
service nginx restart
service php-fpm restart

Ideally it should work, though it never does; for me it worked. For the most part, of course, I wrote all these steps down here for myself!

Website migration and launch
On the old server, I archive the folder with the site and dump the database
tar -cvf itc.tar ./itcooky.com
mysqldump --user=root --password --host=localhost wpita > ./wpita.sql

I download these files to the new server with scp
scp user@123.123.123.123:/home/user/itc.tar ./
scp user@123.123.123.123:/home/user/wpita.sql ./

The archive can be unpacked straight into the /usr/local/www/ folder
tar -xvf itc.tar
For the database, you must first create it and make a user for it

Let’s go to the MySQL console
mysql -u root -p
We create the user with the previous name and password and the database with the previous name (it is very bad practice not to change the previous config; it is always good to change the password)
CREATE DATABASE wpita;
CREATE USER 'wpita'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON wpita.* TO 'wpita'@'localhost';
ALTER USER 'wpita'@'localhost' IDENTIFIED WITH mysql_native_password BY 'QWErty123!';
exit

If the MySQL database password contains #, then Sphinx will not be able to read it, so it is better not to write # in the password

After that, you can load the dump into the database
mysql -u root -p wpita < wpita.sql

For Letsencrypt, you must transfer the certificates from the old server, but first install it on the new one
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --nginx

And now archive the certificates on the old server
cd /home/user
tar -cvf lc.tar /etc/letsencrypt

on the new one do
cd /usr/local/src
scp user@123.123.123.123:/home/user/lc.tar ./
tar -xvf lc.tar

And we transfer everything to the /etc/letsencrypt folder; after that you must configure the renewal of the certificate

If the site folder on the server has changed, this must be reflected in the letsencrypt files in the /etc/letsencrypt/renewal folder, otherwise it will refuse to renew the certificates

To renew the certificates automatically, add
crontab -e
text (still being checked, too soon to renew)

19 6 9,18,27 * * /usr/local/src/certbot-auto renew -q&&/usr/sbin/service nginx reload

On the new server, I make settings for the site
vi /etc/nginx/conf/conf.d/it.conf
Add text: here all http requests are simply redirected to https

server {
listen 80;
server_name itcooky.com www.itcooky.com;
return 301 https://www.itcooky.com$request_uri;
}

and another one
vi /etc/nginx/conf/conf.d/itSSL.conf
Add text: here http2 appears in the second line; if everything was done correctly, the site starts delivering content to browsers over h2

server {
listen 443 ssl http2;
server_name www.itcooky.com itcooky.com;
ssl_certificate /etc/letsencrypt/live/itcooky.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/itcooky.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/itcooky.com/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "img-src https: data:; upgrade-insecure-requests";
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root /usr/local/www/itcooky.com;
index index.php index.html index.htm;
}
error_page 404 /404.html;
location = /404.html {
root /usr/local/www/itcooky.com;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/itcooky.com;
}
# regex locations are checked in the order they appear and the first match wins,
# so the deny rules must come before the PHP handler
location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
deny all;
}
location ~ /\.ht {
deny all;
}
# pass the PHP scripts to the php-fpm FastCGI server listening on the unix socket
location ~ \.php$ {
root /usr/local/www/itcooky.com;
fastcgi_pass unix:/var/run/php.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

restart nginx
service nginx restart
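
nginx tests `location ~` blocks in the order they are written and uses the first one that matches, so whether /forum/config.php is refused or handed to php-fpm depends on whether the `deny all` block stands before or after `location ~ \.php$`. The script below is an added example, not part of the original post, that models this selection for both orders; the sample URIs and the function name are constructed.

```shell
#!/bin/sh
# Added example: model of how nginx chooses among regex locations.
# "location ~" blocks are tried in file order; the first matching regex is used.

# first_regex_match URI ORDERED_LOCATIONS
# ORDERED_LOCATIONS holds one "name regex" pair per line, in file order.
# Prints the name of the first match, or "prefix" when no regex matches
# (nginx then serves the request from the prefix location, here "location /").
first_regex_match() {
    while read -r name regex; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$1" | grep -Eq -- "$regex"; then
            echo "$name"
            return 0
        fi
    done <<EOF
$2
EOF
    echo prefix
}

# The three regex locations of itSSL.conf with the PHP handler written first...
PHP_FIRST='php \.php$
deny /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)
deny /\.ht'

# ...and the same locations with the deny rules written first.
DENY_FIRST='deny /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)
deny /\.ht
php \.php$'

demo() {
    for uri in /forum/config.php /forum/includes/functions.php \
               /forum/viewtopic.php /.htaccess /index.html; do
        a=$(first_regex_match "$uri" "$PHP_FIRST")
        b=$(first_regex_match "$uri" "$DENY_FIRST")
        echo "$uri  php-first=$a  deny-first=$b"
    done
}
demo
```

With the PHP handler first, config.php and everything under includes/ that ends in .php reaches php-fpm; with the deny rules first, both are refused while viewtopic.php is still served.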

Now log in to your account at the domain registrar and change the A records to the IP of the new server. I also wanted to change the AAAA records, but RUVDS only has IPv4 – no IPv6, hmm!

We have to wait a couple of hours for the DNS update, and the site should work, or not

Check that http2 works. Open the site in Chrome, right-click and choose Inspect, go to Network and refresh the page: there should be h2 in the site requests

Porting the phpBB forum to a new server!
The usual situation is when the phpBB forum shows a blank screen on the new server – there is no solution or explanation, but you can reduce the risk of it happening.

Before copying the database and forum files
– Turn off the forum in the administration panel: Board settings > Disable board
– Disable all addons: Customise > Manage extensions > Disable for each one
– Clear the cache: General > Purge the cache

After that, you need to archive the forum files, dump the databases, and upload them to a new site – repeat everything described above about moving data and creating a MySQL database.

Make sure the correct database user password is in config.php

It is necessary to disable SELinux security in CentOS; with it phpBB does not work at all
to disable it temporarily
setenforce 0
permanently
vi /etc/selinux/config
add text

SELINUX=disabled

What to do if the screen is still blank when entering the phpBB forum
– There are various degrees of whiteness; for example, sometimes you can still get into the administration section ./adm, where you can clear the cache, disable the addons and clear the cache again; maybe this will help
– You must make sure that ./cache has 777 permissions; generally it does if this is a transfer from one Linux server to another
– It is necessary to delete the folder ./cache/production; a normally working forum must re-create it
– One time this helped me solve the problem: putting a clean version of the forum with the /install folder and running the database update from there; the forum came to life, but not all topics were alive
– Sometimes there is a desire to go into the database and clean something there; this is how you can clean the sessions in the MySQL console
SHOW DATABASES;
USE myforumbase;
show tables;
TRUNCATE TABLE phpbb_sessions;
TRUNCATE TABLE phpbb_sessions_keys;

– Well, repeat everything from the beginning

After the forum starts working, you need to gradually activate the addons and clear the cache. Go to the forum and see whether it works or not!
I had an error about NO_ENGINE_SUBSTITUTION with the Images from post plugin; I had to add this to the MySQL configuration
vi /etc/my.cnf
this

[mysqld]
sql_mode="NO_ENGINE_SUBSTITUTION"

A wonderful addon, but it only works with the previous version of phpBB; in 3.3.0 it doesn’t work anymore!

Time to install the search on the forum.
Do it as described in “Installing the super-fast Sphinx search on a phpBB3 forum!”

If the MySQL database password contains #, then Sphinx will not be able to read it, so it is better not to write # in the password

do
wget https://sphinxsearch.com/files/sphinx-2.2.11-release.tar.gz
tar -zxf sphinx-2.2.11-release.tar.gz
cd sphinx-2.2.11-release
mkdir /etc/sphinx
./configure --prefix=/etc/sphinx
make
make install

The only difference is that all the files are placed in /etc/sphinx (this is set at the configure step), and the files from its bin folder must then be copied into the OS bin folder

Performance
I evaluate it using top; it is generally accepted that the load should be 1 per core. At hc.ru (nic.ru) I had 2 cores and half as many php-fpm processes; they were very CPU-intensive, and I got 3 per core. At RUVDS under the same load I get 0.7 per core, which is already much better than it was! And you can always buy more cores and memory, which cannot be done so easily at an old-fashioned hoster!

UPD: Tuning nginx
There are a couple of things to do with nginx

1. You must disable the log. Everyone says to just put this in nginx.conf

error_log  /dev/null crit;

and that’s all – nooo

Logs of monstrous size are still written here: /etc/nginx/conf
To make them really go away, you need to add this to the file with the site settings

access_log  off;

Now, the log won’t take up all the space on the server

2. It is useful to prohibit hotlinking, that is, loading files from your site through direct links on other sites. I found many examples for this too, but only this one really worked.
In the file with the site settings you need to add this

location ~ \.(gif|png|jpeg|jpg|svg)$ {
    root           /usr/local/www/itcooky.com;
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. ~\.yandex\. itcooky.com *.itcooky.com;
    if ($invalid_referer) {
        return   403;
    }
}

If someone on a foreign site tries to embed one of our images through a direct link to the jpg, nothing will work and our server will not get the additional load

3. phpBB uses a redirect for the installation and for some addons, and it won’t work by itself without nginx settings like these
In the site settings you need to add this for the phpBB installation to start

location /forum/php/install/app.php {
    try_files $uri $uri/ /forum/php/install/app.php?$query_string;
}
