Install and Configure Drupal 8 with Nginx and Let's Encrypt on CentOS 8
Drupal is a free, open-source and scalable content management system that can be used by individuals to create and manage any types of websites. It is written in PHP and uses MySQL/MariaDB to store its data. Drupal provides a rich set of features that can be extended by thousands of add-ons. Drupal supports a lot of web servers including, Apache, Nginx, IIS, Lighttpd and databases MySQL, MariaDB, MongoDB, SQLite, PostgreSQL, and MS SQL server. Drupal comes with a simple and user-friendly web UI that allows you to create web sites without any coding knowledge.
In this tutorial, we will show you how to install Drupal 8 on CentOS 8 server and secure it with Let's Encrypt free SSL.
Requirements
- A server running CentOS 8.
- A valid domain name pointed with your server IP
- A root password is configured on the server.
Install Nginx, MariaDB and PHP
Before starting, you will need to install the LEMP server on your server. You can install it by running the following command:
dnf install nginx mariadb-server php php-fpm php-cli php-mbstring php-gd php-xml php-curl php-mysqlnd php-pdo php-json php-opcache -y
Once installed, start Nginx, MariaDB and php-fpm service and enable them to start after system reboot using the following command:
systemctl start nginx
systemctl start php-fpm
systemctl start mariadb
systemctl enable nginx
systemctl enable php-fpm
systemctl enable mariadb
Configure Database
By default, MariaDB is not secured so you will need to secure it. You can secure it by running the following command:
mysql_secure_installation
Answer all the questions as shown below:
Enter current password for root (enter for none): Set root password? [Y/n] Y New password: Re-enter new password: Remove anonymous users? [Y/n] Y Disallow root login remotely? [Y/n] Y Remove test database and access to it? [Y/n] Y Reload privilege tables now? [Y/n] Y
Once you are done, log in to MariaDB shell with the following command:
mysql -u root -p
Provide your root password when prompt then create a database and user for Drupal with the following command:
MariaDB [(none)]> CREATE DATABASE drupaldb CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
MariaDB [(none)]> CREATE USER drupal@localhost IDENTIFIED BY "password";
Next, grant all the privileges to drupaldb with the following command:
MariaDB [(none)]> GRANT ALL ON drupaldb.* TO drupal@localhost IDENTIFIED BY "password";
Next, flush the privileges and exit from the MariaDB shell with the following command:
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
Download Drupal
First, you will need to download the latest version of the Drupal from their official website. You can download it with the following command:
wget https://ftp.drupal.org/files/projects/drupal-8.7.10.tar.gz
Once downloaded, extract the downloaded file with the following command:
tar -xvzf drupal-8.7.10.tar.gz
Next, move the extracted directory to the Nginx web root directory with the following command:
mv drupal-8.7.10 /var/www/html/drupal
Next, create a directory to store website files and rename the default.settings.php file as shown below:
mkdir /var/www/html/drupal/sites/default/files
cp /var/www/html/drupal/sites/default/default.settings.php /var/www/html/drupal/sites/default/settings.php
Next, change the ownership of the Drupal directory to nginx as shown below:
chown -R nginx:nginx /var/www/html/drupal/
Configure Nginx for Drupal
First, create a php-fpm configuration file for Drupal with the following command:
nano /etc/php-fpm.d/drupal.conf
Add the following lines:
[drupal] user = nginx group = nginx listen.owner = nginx listen.group = nginx listen = /run/php-fpm/drupal.sock pm = ondemand pm.max_children = 50 pm.process_idle_timeout = 10s pm.max_requests = 500 chdir = /
Save and close the file when you are finished. Then, create an Nginx virtual host configuration file for Drupal:
nano /etc/nginx/conf.d/drupal.conf
Add the following lines:
server { listen 80; server_name example.com; root /var/www/html/drupal; access_log /var/log/nginx/example.com.access.log; error_log /var/log/nginx/example.com.error.log; location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ \..*/.*\.php$ { return 403; } location ~ ^/sites/.*/private/ { return 403; } # Block access to scripts in site files directory location ~ ^/sites/[^/]+/files/.*\.php$ { deny all; } location ~ (^|/)\. { return 403; } location / { try_files $uri /index.php?$query_string; } location @rewrite { rewrite ^/(.*)$ /index.php?q=$1; } location ~ /vendor/.*\.php$ { deny all; return 404; } location ~ '\.php$|^/update.php' { fastcgi_split_path_info ^(.+?\.php)(|/.*)$; include fastcgi_params; # Block httpoxy attacks. See https://httpoxy.org/. fastcgi_param HTTP_PROXY ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param QUERY_STRING $query_string; fastcgi_intercept_errors on; fastcgi_pass unix:/run/php-fpm/drupal.sock; } location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7 try_files $uri @rewrite; } # Handle private files through Drupal. Private file's path can come # with a language prefix. location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7 try_files $uri /index.php?$query_string; } location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { try_files $uri @rewrite; expires max; log_not_found off; } }
Save and close the file. Then, restart php-fpm and Nginx service to apply the changes:
systemctl restart php-fpm
systemctl restart nginx
Configure SELinux and Firewall
By default, SELinux is enabled in CentOS 8. So you will need to configure SELinux for Drupal to work correctly.
First, allows Drupal to write to the public and private files directories with the following command:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/drupal(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/settings.php'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/drupal/sites/default/files'
restorecon -Rv /var/www/html/drupal
restorecon -v /var/www/html/drupal/sites/default/settings.php
restorecon -Rv /var/www/html/drupal/sites/default/files
Next, allows Drupal to send outbound emails with the following command:
setsebool -P httpd_can_sendmail on
Next, you will need to create a firewall rule to allow HTTP and HTTPS service from external networks. You can allow it with the following command:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Secure Drupal with Let's Encrypt SSL
Drupal is now installed and configured. It's time to secure it with Let's Encrypt free SSL.
To do so, you will need to download the certbot client on your server. You can download and set correct permission by running the following command:
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
Now, run the following command to obtain and install an SSL certificate for your Drupal website.
certbot-auto --nginx -d example.com
The above command will first install all the required dependencies on your server. Once installed, you will be asked to provide an email address and accept the term of service as shown below:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for example.com Waiting for verification... Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/conf.d/drupal.conf
Next, you will need to choose whether or not to redirect HTTP traffic to HTTPS as shown below:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Type 2 and hit Enter to continue. Once the installation has been finished, you should see the following output:
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/drupal.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://example.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=example.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2020-03-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Access Drupal Website
Now, open your web browser and type the URL https://example.com. You will be redirected to the following page:
Select your desired language and click on the Save and continue button. You should see the following page:
Choose your installation profile and click on the Save and continue button. You should see the following page:
Provide your database details and click on the Save and continue button. You should see the following page:
Provide your site name, admin username, password and click on the Save and continue button. You should see your Drupal dashboard in the following page:
Congratulations! you have successfully installed and secured Drupal on CentOS 8 server.