WordPress Auto Installer & SSH, SFTP, SCP chrooted user accounts for Nginx vhost

Background

Centmin Mod currently is at v1.2.3-eva2000.06 release but it still has one item missing that I always wanted to add and that is proper per Nginx domain vhost user accounts for chrooted SSH, SFTP and SCP access. To understand why this is the case, you have to understand a bit of the history of how Centmin Mod came into being as essentially the base structure for Nginx vhosts was derived from the original Centmin script.

Centmin Mod started out in essentially as a modified version of Centmin original script. I came across the original Centmin script which auto installed via the Linux command line via a shell based script Nginx, PHP-FPM and Oracle MySQL 5.1 and around that time I was starting to get into using Nginx and MariaDB based MySQL fork. I loved the concept of the original Centmin script and thought to myself, how can I tailor the original Centmin script for my own specific custom needs ? I had no experience with shell based scripting at that time although I had plenty of experience with linux system administration. So I started Googling and reading up on shell based scripting and found it quite easy to pick up.

I started slowly making changes to the original Centmin script – adding various new features and additional Nginx modules and PHP-FPM compilation options. Some of these changes were merged and incorporated into the official script with acknowledgement to my contribution. The biggest change for me was switching out Oracle MySQL 5.1 default to MariaDB 5.2 MySQL as default MySQL version. This was in 2011 and MariaDB 5.2 MySQL was the latest version of MySQL drop in replacement fork at the time and from my own MySQL comparison benchmarks (Oracle MySQL vs Percona vs MariaDB) at the time, it showed that MariaDB 5.2 was the best performing MySQL version for MyISAM+InnoDB table usage.

Slowly over the course of a few months I had modified the original Centmin script so much and there was user demand for this modified version, I decided to name my version Centmin Mod so as to not confuse users over the two different versions. I eventually registered the domain centminmod.com and then came the biggest change yet – I changed the auto installer from command line to a shell based menu for easier selection of preset options.

So up until now, Centmin Mod’s core Nginx structure is derived from the original script’s default structure – that being of intended use by one administrator (root user) to manage one’s own group of Nginx powered domains/sites from the base directory structure of /home/nginx/domains/domainname.com. There was no individual user accounts nor was there individual ftp account access. It was all done from root user and SCP/SFTP. Centmin Mod’s FAQ item #2 reflected such specifically mentioning that Centmin Mod was not suited to shared hosting as there was no jailed or chrooted user accounts set up. You would think this would be a show stopper for users, but currently there are over 1,500 new downloads of Centmin Mod script every month ! However, there’s always the question of whether Centmin Mod is suited for some form of shared hosting.

Wanting to improve Centmin Mod script, last year I tried my first attempt (beta testing stages) at adding restricted SFTP only support for Centmin Mod(via rssh) changing the structure to /home/username/domainname.com. Unfortunately, that didn’t pan out with some weird issues with the auto migration feature of moving the old /home/nginx/domains/domainname.com to the new structure. For whatever reason, WordPress plugins kept installing into the old structure instead of the new. After numerous days of figuring it out, I left it at that as I usually only spent one day per week on Centmin Mod. I intended on coming back to revisit this when I had more time.

Present Day

The past week or so, I decided to try my second attempt at improving this aspect of Centmin Mod. This time instead of rssh, I decided to use Jailkit. It’s the first time I used Jailkit but this time was successful with early beta version of the code. The code is contained within a single include file so it’s just a drop in replacement to work with any Centmin Mod version. Just replace existing inc/nginx_addvhost.inc file with the new beta coded file and it works via the existing shell based menu – option #2 – Add Nginx vhost domain.

There’s 2 options in the new code:

  1. non-chroot normal Nginx vhost setup like existing Centmin Mod setup managed via root user
  2. chroot setup with setups a new user account attached to each Nginx vhost domain. There are 2 methods of setup: one for SFTP+SCP access only or second method SFTP+SCP+SSH (limited SSH). I chose to keep the old Nginx vhost menu 2 option intact, as chrooted username/domain might have restrictions in what type of apps you can run out of the box right now i.e. perl, node.js, python etc. If you choose SFTP+SCP, your username account gets chrooted to /home/chroot_sftp/home/username. If you choose SSH+SFTP+SCP, your username account gets chrooted to /home/chroot_shell/home/username. Those are the paths you need to get to if you’re working as full root user. When you log into the chrooted username’s account you will only see /home/username.

 Wordpress auto installer routine

Centmin Mod has official standalone Addons and one of them is WP-CLI WordPress command line installer by WP-CLI.org. The Addon only installed the WP-CLI code and still required the end user to run WP-CLI to install WordPress via the command line. I always wanted to extend this to an auto installer for WordPress at initial Nginx domain vhost creation stage. So decided to incorporate such code into the new shell based menu – option #2 – Add Nginx vhost domain option.

So while doing tests of the new beta code, I decided to document some of this information on this blog so as to gather my thoughts and give Centmin Mod users and potential users some insights of what’s to come. This beta code still needs a lot of testing so won’t be available any time soon. But below is a screenshot preview of the current state of the code.

Beta Screenshot Preview

First the new shell based menu – option #2 – Add Nginx vhost domain option. I extended the menu into a submenu to offer the 2 above outlined modes of Nginx vhost setup.

Selecting submenu option #2 for chrooted setup for the first time will install and configure Jailkit (one time only)

After Jailkit install, it will prompt you to continue and enter a username for your SFTP/SCP only or SSH/SFTP/SCP only account. Then prompt you to add the domain name and whether or not you want to auto install WordPress on this new domain.. Here I used user1 and domain1.com as an example.

Then you’ll be prompted to choose between SCP+SFTP only access (no SSH) or SSH+SCP+SFTP access. If you want to allow user1 to have SSH access in chrooted environment, you should select y for yes. At which point, the script:

  1. configures and sets up the user in the jailed chroot directory at /home/chroot_shell/home/user1.
  2. creates a specific PHP-FPM config file at /usr/local/nginx/conf/phpfpmd/phpfpm_user1.conf with it’s own user and group and own PHP-FPM pool [php_user1] with auto incrementing TCP listening port option – in this case port 9006 which is commented out by default and uses PHP-FPM socket instead.
  3. creates a specific PHP include config file at /usr/local/nginx/conf/php_user1.conf
  4. auto detects and calculates how much free system memory is available and auto sets via a preset formula (2/5ths of free memory) a PHP memory_limit based on that free memory availability

Next up comes the actual WP-CLI installation if not already installed, the script will auto install WP-CLI first. Then it will prompt for relevant WordPress configuration questions and info. It will ask you to confirm the entered info before starting actual WordPress auto installation.

Once you confirm the entered WordPress setup info is correct, the script will create the MySQL database, MySQL user/password and then grant the basic MySQL privileges needed for the MySQL user to access the specified MySQL database. It will also output what was created and granted via SHOW GRANTS option. Then finally, WP-CLI command line will go to work auto installing WordPress on your chosen Nginx domain vhost account.

WP-CLI will auto generate the wp-config.php and automatically populate the file with relevant settings. The WP-CLI script also auto generates the SECURE/AUTH Keys too ! I coded my part of the script to go one step further and will also randomly generate a different WordPress database prefix and change the default wp_ prefix.

Next part is the wonderful feature of WP-CLI allowing you to automatically install, update and even activate WordPress plugins from the command line ! I coded my script to auto install and activate some highly recommended and used WordPress plugins. These include the following WordPress plugins:

Final completion stage, outputs the complete Nginx vhost and username information. Save this info to secure file for your records. You can also get a copy of the directory path info in a Nginx vhost database file that is created at /usr/local/nginx/conf/conf.d/domainname.db.

Then visiting your newly created Nginx powered domain via your browser you’d be greeted with a fully working and installed WordPress installation !

Logging into Admin side

 

Auto installed and activated WordPress plugins

Acunetix default security alerts

Enabling security settings

Security alerts after enabling settings – almost all green !

Protection against brute force WordPress login attempts

Sucuri WordPress Integrity Check options as well as many other options to dig into.

WordPress Updates Notifier Plugin – get email notifications when WordPress updates for plugins and themes are available !


Logging into user1 account via chrooted SSH

MySQL client access for WordPress database

WordPress Super Cache Auto installation

Also added a new option to auto install and configure at Nginx vhost level, WordPress Super Cache. Easier to setup that Nginx fastcgi_cache.

Admin settings do need to be manually enabled though

Setting Advanced options and ensuring ‘Use mod_rewrite to serve cache files‘ is enabled.

Listing of cached pages. Need to regenerate cache stats first.

Checking to see if WordPress Super Cache is working via curl and Siege benchmark tests of WordPress index page as guest non-logged visitor as well as enabling debug logging.

Debug log

Siege benchmark

So this ends the screenshot preview of what’s to come in future Centmin Mod versions. Be sure to follow Centmin Mod progress on Twitter @centminmod, Centmin Mod Google+ PageGoogle+ Community and of course on the official Centmin Mod web site.

Posted in Centmin Mod, Wordpress Tagged with: , , , , , , , , , , ,
× -