Install and configure Drupal 8 with Nginx and encrypt on CentOS 8

Install and configure Drupal 8 with Nginx and encrypt on CentOS 8

Drupal is a free, open source, scalable content management system that individuals can use to create and manage any type of website. It is written in PHP and uses MySQL / MariaDB to store its data. Drupal provides a rich set of features that can be extended with thousands of add-ons. Drupal supports many web servers including Apache, Nginx, IIS, Lighttpd and databases MySQL, MariaDB, MongoDB, SQLite, PostgreSQL and MS SQL servers. Drupal comes with a simple and user-friendly Web UI that allows you to create websites without any coding knowledge.

In this tutorial, we will show you how to install Drupal 8 on a CentOS 8 server and secure it with Let’s Encrypt free SSL.

Claim

  • Server 8 running CentOS.
  • A valid domain name pointing to your server IP
  • A root password is configured on the server.

Install Nginx, MariaDB and PHP

Before you begin, you will need to install a LEMP server on your server. You can install it by running:

dnf install nginx mariadb-server php php-fpm php-cli php-mbstring php-gd php-xml php-curl php-mysqlnd php-pdo php-json php-opcache -y

After the installation is complete, start the Nginx, MariaDB and php-fpm services and use the following command to start them after the system restarts:

systemctl start nginx systemctl start php-fpm systemctl start mariadb systemctl enable nginx systemctl enable php-fpm systemctl enable mariadb

Configuration database

MariaDB is not secure by default, so you need to secure it. You can protect it by running:

mysql_secure_installation

Answer all questions as follows:

Enter current password for root (enter for none):
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Once done, log in to the MariaDB shell using the following command:

mysql -u root -p

Provide your root password when prompted, then use the following command to create a database and user for Drupal:

MariaDB [(none)]> CREATE DATABASE drupaldb CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; MariaDB [(none)]> CREATE USER [email protected] IDENTIFIED BY "password";

Next, grant all privileges to drupaldb using the following command:

MariaDB [(none)]> GRANT ALL ON drupaldb.* TO [email protected] IDENTIFIED BY "password";

Next, refresh the privileges and exit from the MariaDB shell using the following command:

MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> EXIT;

Download Drupal

First, you need to download the latest version of Drupal from its official website. You can download it using:

wget https://ftp.drupal.org/files/projects/drupal-8.7.10.tar.gz

After downloading, use the following command to unzip the downloaded file:

tar -xvzf drupal-8.7.10.tar.gz

Next, use the following command to move the extracted directory to the Nginx web root directory:

mv drupal-8.7.10 /var/www/html/drupal

Next, create a directory to store the website files and rename the default.settings.php file as follows:

mkdir /var/www/html/drupal/sites/default/files cp /var/www/html/drupal/sites/default/default.settings.php /var/www/html/drupal/sites/default/settings.php

Next, change the ownership of the Drupal directory to nginx as follows:

chown -R nginx:nginx /var/www/html/drupal/

Configure Nginx for Drupal

First, create a php-fpm configuration file for Drupal using the following command:

nano /etc/php-fpm.d/drupal.conf

Add the following lines:

[drupal]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen = /run/php-fpm/drupal.sock
pm = ondemand
pm.max_children =  50
pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /

Save and close the file when you are finished. Then, create an Nginx virtual host configuration file for Drupal:

nano /etc/nginx/conf.d/drupal.conf

Add the following lines:

server {
    listen 80;
    server_name example.com;

    root /var/www/html/drupal;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ~ ..*/.*.php$ {
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*.php$ {
        deny all;
    }
    location ~ (^|/). {
        return 403;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location @rewrite {
        rewrite ^/(.*)$ /index.php?q=$1;
    }
    location ~ /vendor/.*.php$ {
        deny all;
        return 404;
    }


    location ~ '.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?.php)(|/.*)$;
        include fastcgi_params;
       	# Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php-fpm/drupal.sock;
    }
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    location ~* .(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }
}

Save and close the file. Then, restart the php-fpm and Nginx services to apply the changes:

systemctl restart php-fpm systemctl restart nginx

Configure SELinux and firewall

SELinux is enabled by default in CentOS 8. Therefore, you need to configure SELinux for Drupal to work properly.

First, allow Drupal to write to public and private file directories using:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/drupal(/.*)?" semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/settings.php' semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/files' restorecon -Rv /var/www/html/drupal restorecon -v /var/www/html/drupal/sites/default/settings.php restorecon -Rv /var/www/html/drupal/sites/default/files

Next, allow Drupal to send outbound email using:

setsebool -P httpd_can_sendmail on

Next, you will need to create firewall rules to allow HTTP and HTTPS services from external networks. You can allow it using:

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https firewall-cmd --reload

Let’s Encrypt SSL to Protect Drupal

Drupal is now installed and configured. It’s time to secure it with “Free Encrypted SSL”.

To do this, you will need to download the certbot client on the server. You can download and set the correct permissions by running:

wget https://dl.eff.org/certbot-auto mv certbot-auto /usr/local/bin/certbot-auto chown root /usr/local/bin/certbot-auto chmod 0755 /usr/local/bin/certbot-auto

Now, run the following command to obtain and install an SSL certificate for your Drupal website.

certbot-auto --nginx -d example.com

The above command will first install all required dependencies on the server. After installation, you will be asked to provide an email address and accept the terms of service as follows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y 


Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/drupal.conf

Next, you will need to choose whether to redirect HTTP traffic to HTTPS as follows:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Type 2 and press Enter to continue. After the installation is complete, you should see the following output:

Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/drupal.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Visit Drupal website

Now open your web browser and enter the URL https://example.com. You will be redirected to the following page:

Select the desired language and click Save and continue Button. You should see the following page:

Select installation profile

Select your installation profile and click Save and continue Button. You should see the following page:

Database configuration

Provide your database details and click Save and continue Button. You should see the following page:

Configure website

Provide your website name, admin username, password, and click Save and continue Button. You should see your Drupal dashboard in the following pages:

Welcome to your Drupal website

Congratulations! You have successfully installed and secured Drupal on your CentOS 8 server.

Sidebar