ITCooky Recipes

Lets cooky it yammy things!

Installing an http2 site on HETZNER cloud (VPS) hosting in Germany!

Date: October 9, 2020

It is time to move on, towards progress, towards Europe! I do not expect everything to go smoothly there, but I am sure the best technologies and specialists are already there; that is why European hosting is cheaper, more powerful and more advanced than Russian hosting! Germany, if I am not mistaken, is the largest data center in Europe, where a huge digital infrastructure was built for the World Cup.

Why HETZNER? I did not have much time to choose, so I went by the pictures on the site; those words are not even known to Russian hosting companies: AMD Epyc, NVMe and really "unique prices".

First you must register, with a real name, address and card; one euro is taken from the card for verification (as with Netflix), and so far it has not been returned, maybe it will be later (do not laugh, one euro is nothing in Russia, but in Germany it is 10 days of hosting!!!). I take the cheapest rate, cx11: 2 GB RAM, 1 core, 20 GB disk, for only 3 euros, which in rubles is now 270 RUR. I look at what the same costs at the old hoster (RUVDS): 770 RUR …

HETZNER says 20 terabytes of traffic are included, after that 1.5 euros per terabyte. Russian hosters do not meter traffic, so I do not know how much traffic my projects use (I never counted it myself), but judging by the daily traffic of this site, 20 terabytes is a LOT, impossible to use up in a month!

As you can see from the other rates, there is no shortage of memory and disk space in Europe; only cores remain scarce. Memory and cores can be increased at any time, but not the disk. That is a big surprise, but the Germans say it is so that you can go back to the old rate at any time!

Let's configure the VPS
I chose CentOS 8, but 7 was also available; I was afraid that 8 would differ from 7 as much as 6 differs from 7, but no, it does not differ at all!
Installing the image takes a couple of seconds, a password arrives in the e-mail of your personal account, and the first time you log in you are immediately asked to change it and enter it again. I use ssh, but the personal account on the site also has a nice console!

First of all, I check what we have
uname -a

Linux itcooky 4.18.0-193.14.2.el8_2.x86_64 #1 SMP Sun Jul 26 03:54:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Check whether the operating system is 64-bit
uname -m

x86_64

64-bit, good

Let's check the cores
nproc

1

One, as ordered

Update
yum update
and reboot
reboot

Also, the usual practice: root does not log in directly via ssh; you first log in as a regular user and then elevate to superuser rights.
useradd user1
passwd user1

We give this user the right to log in via ssh (it already has it, but this forbids everyone else)
vi /etc/ssh/sshd_config
add the line

AllowUsers user1

and we forbid root login: find this line and set it to

PermitRootLogin no

Restart ssh
service sshd restart
Now you can log in via ssh only as user1,
and then elevate privileges with the command
su

Install the minimum required tools
yum install wget
yum install tar

and for compilation
yum group install 'Development Tools'
yum install pcre-devel
yum install gd-devel
yum install zlib-devel
yum install openssl-devel

Preparing the web server for http2
First you need to update openssl
openssl version
it is

OpenSSL 1.1.1c FIPS  28 May 2019

This version would work, but nginx needs the OpenSSL source, so I will install the newest one.

Go to the folder where everything will be downloaded
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz
tar -xf openssl-1.1.1h.tar.gz

Go to the folder and run the build
cd openssl-1.1.1h
./config
make
make install

A reboot is required
reboot

then check
openssl version

OpenSSL 1.1.1h  22 Sep 2020 (Library: OpenSSL 1.1.1c FIPS  28 May 2019)

The new version is installed. The binary reports 1.1.1h while the library in parentheses is still the system's 1.1.1c; that does not matter for nginx, which is compiled below with --with-openssl pointing at the 1.1.1h source and links it directly.

Install nginx with http2
It must also be the newest version, compiled with the right parameters
cd /usr/local/src
wget https://nginx.org/download/nginx-1.19.3.tar.gz
tar -xf nginx-1.19.3.tar.gz
cd nginx-1.19.3

And the configure command itself; at the end it points at the OpenSSL source path /usr/local/src/openssl-1.1.1h/
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.1.1h/
make
make install

Check the version
nginx -v

nginx version: nginx/1.19.3

Add a user (maybe it already exists) and grant rights to the nginx folder
useradd nginx
chown -R nginx:nginx /etc/nginx/

I also have to create a unit file so that systemd can start and stop nginx
vi /usr/lib/systemd/system/nginx.service
add the text

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/conf/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

Start and enable it
systemctl start nginx
systemctl enable nginx

I have not touched the firewall, but for the record:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

Type the IP in the browser and check: the minimal site works

Install Mysql
We install the version that is in the CentOS repository
yum install mysql-server
start
systemctl start mysqld
systemctl enable mysqld

Next, we change the root password to our own (it must be complex, with special characters) and adjust the other settings
mysql_secure_installation

Install PHP
I need 7.4, since the site currently runs on 7.4; WordPress won't run on a lower version!
We get version 7.4
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf module reset php
dnf module enable php:remi-7.4

and install
yum install php php-fpm php-mysqlnd php-xml php-gd php-mbstring

php-xml: required for phpBB
php-gd: for a plugin that shows images in the theme list
php-mbstring: phpBB works best with this module, and so does Sphinx search
For newly installed modules to take effect, php-fpm has to be reloaded

Edit the php-fpm settings
vi /etc/php-fpm.d/www.conf
switch the user to nginx (it was apache, ha)

user = nginx
group = nginx

and

listen.owner = nginx 
listen.group = nginx 
listen.mode = 0660

and change the socket path (for compatibility with my nginx configurations)

listen = /var/run/php.sock

then create the session folder and hand it to nginx
mkdir /var/lib/php/session
chown -R nginx:nginx /var/lib/php/session

but this may not be necessary

Start and enable it
systemctl start php-fpm.service
systemctl enable php-fpm.service

First website launch
Make a folder for future sites
mkdir /usr/local/www
I copied an example from nginx
cp -r /etc/nginx/html /usr/local/www
make a file there
vi /usr/local/www/html/info.php
code

<?php
phpinfo();
?>

And change the nginx settings
right here
vi /etc/nginx/conf/nginx.conf
code

#user nobody;
worker_processes 1;

error_log /dev/null crit;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    include /etc/nginx/conf/conf.d/*.conf;
}

Create a folder where we will put the site settings
mkdir /etc/nginx/conf/conf.d
make file
vi /etc/nginx/conf/conf.d/default.conf
code

#
# The default server
#
server {
    listen 80;
    server_name localhost;

    location / {
        root /usr/local/www/html;
        index index.php index.html index.htm;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/www/html;
    }

    location ~ \.php$ {
        root /usr/local/www/html;
        fastcgi_pass unix:/var/run/php.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
}

start
service nginx restart
service php-fpm restart

In theory it should now work; it never does the first time, but it worked for me. I wrote all these steps down mostly for myself, of course!

Website transfer
On the old server, archive the site folder and dump the database
tar -cvf itc.tar ./itcooky.com
mysqldump --user=root --password --host=localhost wpita > ./wpita.sql

On the new server I download these files
scp user@123.123.123.123:/home/user/itc.tar ./
scp user@123.123.123.123:/home/user/wpita.sql ./

The archive can be extracted straight into the folder /usr/local/www/
tar -xvf itc.tar
For the database, you must first create it and make a user for it

Let's go into mysql
mysql -u root -p
We create the database (with the same name as the dump, wpita, so the import below finds it) and a user for it
CREATE DATABASE wpita;
CREATE USER 'wpita'@'localhost' IDENTIFIED BY 'QWErty123!';
GRANT ALL PRIVILEGES ON wpita.* TO 'wpita'@'localhost';
-- switch the user to the classic auth plugin so PHP's mysqlnd can connect
ALTER USER 'wpita'@'localhost' IDENTIFIED WITH mysql_native_password BY 'QWErty123!';
exit

If the MySQL database password contains #, Sphinx will not be able to read it, so it is best not to type # in the password.

After that, you can import the database.
mysql -u root -p wpita < wpita.sql
For Letsencrypt, the certificates have to be transferred from the old server, but first install certbot on the new one
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --nginx

And now the certificates; on the old server:
cd /home/user
tar -cvf lc.tar /etc/letsencrypt

On the new server:
cd /usr/local/src
scp user@123.123.123.123:/home/user/lc.tar ./
tar -xvf lc.tar

Everything is moved into the /etc/letsencrypt folder; for now that is enough, later the certificate renewal has to be set up.
If the site folder on the server has changed, this must be reflected in the renewal files in the /etc/letsencrypt/renewal folder; otherwise the renewal will be refused.
To renew the certificates themselves, I add to
crontab -e
the line

19 6 9,18,27 * * /usr/local/src/certbot-auto renew -q && /usr/sbin/service nginx reload
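As an added example, not part of the post, a small Python check for the point above: it reads a renewal conf in the format certbot writes (constructed sample; it assumes the old server used the webroot authenticator, so the file carries a [[webroot_map]], and that the site moved from /var/www to /usr/local/www), lists webroot folders that do not exist on the new server, and rewrites them to the new site root.

```python
import os
import re

# Constructed sample of /etc/letsencrypt/renewal/itcooky.com.conf in the format
# certbot's webroot authenticator writes (assumption: the old server served the
# site from /var/www, the new one from /usr/local/www as in the post).
SAMPLE_RENEWAL_CONF = """\
archive_dir = /etc/letsencrypt/archive/itcooky.com
cert = /etc/letsencrypt/live/itcooky.com/cert.pem
fullchain = /etc/letsencrypt/live/itcooky.com/fullchain.pem
[renewalparams]
authenticator = webroot
installer = nginx
[[webroot_map]]
itcooky.com = /var/www/itcooky.com
www.itcooky.com = /var/www/itcooky.com
"""

KEY_VALUE = re.compile(r"^(\s*)([^#=\[\]]+?)\s*=\s*(\S.*?)\s*$")

def webroot_entries(conf_text):
    """Yield (line_no, indent, key, path) for webroot_path and every entry
    under [[webroot_map]]. cert/privkey paths are deliberately skipped: they
    still point into the transferred /etc/letsencrypt tree and stay valid."""
    in_map = False
    for no, line in enumerate(conf_text.splitlines()):
        s = line.strip()
        if s.startswith("["):                      # any section header
            in_map = s == "[[webroot_map]]"
            continue
        m = KEY_VALUE.match(line)
        if m and (in_map or m.group(2) == "webroot_path"):
            yield no, m.group(1), m.group(2), m.group(3)

def missing_webroots(conf_text, isdir=os.path.isdir):
    """Webroot folders named in the conf that do not exist on this server;
    'certbot renew' would fail the HTTP-01 challenge for those domains."""
    return sorted({p for _, _, _, p in webroot_entries(conf_text) if not isdir(p)})

def rewrite_webroots(conf_text, old_root, new_root):
    """Point every webroot entry that starts with old_root at new_root."""
    lines = conf_text.splitlines()
    for no, indent, key, path in webroot_entries(conf_text):
        if path.startswith(old_root):
            lines[no] = f"{indent}{key} = {new_root}{path[len(old_root):]}"
    return "\n".join(lines) + "\n"
```

Run missing_webroots() over the real files after the transfer and before the first cron run; an empty list means every webroot certbot will write the challenge into actually exists.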

On the new server I create the settings for the site
vi /etc/nginx/conf/conf.d/it.conf
I add the text: everything that requests http over IPv4 and IPv6 is forwarded to https

server {
    listen 80;
    listen [::]:80;
    server_name itcooky.com www.itcooky.com es.itcooky.com en.itcooky.com;
    return 301 https://$host$request_uri;
    access_log off;
}

and
vi /etc/nginx/conf/conf.d/itSSL.conf
I add the text: http2 appears on the second line; if everything was done correctly before, the site will start serving content to browsers over h2

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name es.itcooky.com en.itcooky.com www.itcooky.com itcooky.com;
    ssl_certificate /etc/letsencrypt/live/itcooky.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/itcooky.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/itcooky.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
    add_header Strict-Transport-Security "max-age=31536000";
    add_header Content-Security-Policy "img-src https: data:; upgrade-insecure-requests";

    access_log off;

    location / {
        root /usr/local/www/itcooky.com;
        index index.php index.html index.htm;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/local/www/itcooky.com;
    }
    error_page 500 /500.html;
    location = /500.html {
        root /usr/local/www/itcooky.com;
    }
    error_page 502 /502.html;
    location = /502.html {
        root /usr/local/www/itcooky.com;
    }
    error_page 503 /503.html;
    location = /503.html {
        root /usr/local/www/itcooky.com;
    }
    error_page 504 /504.html;
    location = /504.html {
        root /usr/local/www/itcooky.com;
    }

    # pass the PHP scripts to php-fpm listening on the unix socket /var/run/php.sock
    location ~ \.php$ {
        root /usr/local/www/itcooky.com;
        fastcgi_pass unix:/var/run/php.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # hotlink protection: images are served only for direct requests, our own
    # pages and search-engine referrals (the dot before the extension is
    # escaped so that only real file extensions match)
    location ~ \.(gif|png|jpeg|jpg|svg)$ {
        root /usr/local/www/itcooky.com;
        valid_referers none blocked ~.google. ~.bing. ~.yahoo. ~.yandex. itcooky.com *.itcooky.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
}
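The hotlink protection block above, re-implemented as an added example (my code, not the post's and not nginx's): a simplified model of nginx's valid_referers decision, run against constructed Referer headers, showing which image requests would get 200 and which 403. The extension regex has the dot escaped so that only real file extensions match.

```python
import re

# Directives taken from the post's itSSL.conf; the requests tested below are constructed.
VALID_REFERERS = ["none", "blocked", "~.google.", "~.bing.", "~.yahoo.",
                  "~.yandex.", "itcooky.com", "*.itcooky.com"]
IMAGE_LOCATION = re.compile(r"\.(gif|png|jpeg|jpg|svg)$")  # dot escaped on purpose

def referer_is_valid(referer, valid=VALID_REFERERS):
    """Approximation of nginx's valid_referers test for one request.
    referer is the Referer header value, or None if the header is absent.
    Returns True when $invalid_referer would be empty (request allowed)."""
    if referer is None:
        return "none" in valid                 # no Referer header at all
    m = re.match(r"https?://(.*)", referer, re.IGNORECASE)
    if not m:
        return "blocked" in valid              # present, but the scheme was stripped
    rest = m.group(1)                          # text nginx matches regexes against
    host = re.split(r"[/:]", rest, maxsplit=1)[0].lower()   # hostname without port/path
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry.startswith("~"):
            if re.search(entry[1:], rest):     # regex entries such as ~.google.
                return True
        elif entry.startswith("*."):
            if host.endswith(entry[1:]):       # *.itcooky.com -> any subdomain
                return True
        elif host == entry:                    # plain hostname, any URI
            return True
    return False

def image_response(uri, referer):
    """HTTP status the hotlink-protected image location would answer with,
    or None when the request does not hit that location at all."""
    if not IMAGE_LOCATION.search(uri):
        return None
    return 200 if referer_is_valid(referer) else 403
```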

I also add a block so that nothing is served when the server is requested by IP
vi /etc/nginx/conf/conf.d/ipnull.conf
code

server {
    listen      80 default_server;
    listen [::]:80 default_server; 
    server_name 195.201.94.20;
    return      444;
}

On 443 there will already be a certificate error instead; I don't know how to make it nicer ...

Restart nginx
service nginx restart

Now go to your domain registrar's account and change the A records to the IPv4 address of the new server, and the AAAA records to its IPv6 address! For the RU zone the changes take effect instantly, for COM within an hour.

CAUTION: Before adding AAAA records, make sure that your domain's NS servers support IPv6. If they do not and you add AAAA records anyway, some internet services that prefer IPv6 may malfunction, for example FeedBurner or the renewal of LetsEncrypt certificates. This was my case: the R01 (RU-CENTER Group) registrar let me add AAAA records on its NS servers, but they do not work over IPv6!

Well, I still want IPv6; Hetzner offers its own DNS in the personal account, so let's go.
Adding your domain is more or less straightforward, all records are copied automatically, you only need to add the AAAA records, and this is where I got confused.

The personal account shows
IPv6 2a01:4f8:c2c:96ca::/64
This is a range; DNS will not accept it as a record

I add to DNS
2a01:4f8:c2c:96ca::
and that is also wrong

I look on the server at which IPv6 address is on the interface
ifconfig
it is
2a01:4f8:c2c:96ca::1

I enter that one in Hetzner DNS. Here one more difference turned up: to refer to the bare domain (without www) you must write @ instead of leaving the name empty; the Russian registrar used an empty field!
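As an added example, not from the post, the three values tried above classified with Python's ipaddress module; the prefix and addresses are the ones shown above, while the record labels (including @ for the bare domain) and the subdomain list are my assumptions.

```python
import ipaddress

# The /64 the Hetzner panel shows for the server (value from the post).
HETZNER_PREFIX = "2a01:4f8:c2c:96ca::/64"

def aaaa_candidate_status(value, prefix=HETZNER_PREFIX):
    """Classify a string someone is about to paste into an AAAA record.

    'range'   - CIDR notation; the DNS panel rejects it, AAAA data is one address
    'network' - the prefix with an all-zero host part; syntactically an address,
                but not what is configured on the interface (that is ::1)
    'outside' - an address that is not inside our allocation at all
    'invalid' - not IPv6 (an IPv4 address, a typo)
    'ok'      - a host address inside the allocated /64
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if "/" in value:
        return "range"
    try:
        addr = ipaddress.IPv6Address(value)
    except ValueError:
        return "invalid"
    if addr not in net:
        return "outside"
    if addr == net.network_address:
        return "network"
    return "ok"

def zone_lines(address, hosts=("@", "www", "en", "es")):
    """AAAA records for the bare domain ('@', as the Hetzner DNS panel wants it)
    and the subdomains the post's nginx config serves (assumed list). Refuses
    anything that aaaa_candidate_status() does not rate 'ok'."""
    status = aaaa_candidate_status(address)
    if status != "ok":
        raise ValueError(f"{address!r} cannot be used as AAAA data: {status}")
    addr = str(ipaddress.IPv6Address(address))   # canonical (compressed) form
    return [f"{host}\tAAAA\t{addr}" for host in hosts]
```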

In total, these are the records I have.

After that, in your domain registrar account, add the Hetzner NS servers, and after 12 hours the site will start to be reachable over IPv6.
Let's check that everything works; yes, of course it works, I've done this a hundred times!

IPv6 verification was faster on this site: ipv6-test.com

This is how you can verify that http2 works on the site: http2.pro

