From 062076fcc79b2a93d80019ed89afc13307de31fa Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 10:04:13 -0700 Subject: [PATCH 01/18] Add LAMP Stack installation guide for Rocky Linux 9 --- .../index.md | 722 ++++++++++++++++++ 1 file changed, 722 insertions(+) create mode 100644 guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md new file mode 100644 index 00000000000..e83296c8863 --- /dev/null +++ b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -0,0 +1,722 @@ +--- +slug: how-to-install-a-lamp-stack-on-rocky-linux-9 +title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement" +title_meta: "How to Install a LAMP Stack on Ubuntu 22.04" +description: 'This guide provides some background about a Linux LAMP stack and explains how to install a LAMP stack on Ubuntu 22.04.' +authors: ["Diana Hoober"] +contributors: ["Diana Hoober"] +published: 2025-10-10 +keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack','how to install a LAMP Stack on CentOS 8'] +license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' +--- + +# How to Install a LAMP Stack on Rocky Linux 9 to Replace CentOS 8 + +## About CentOS 8 and Rocky Linux 9 + +If you're moving from CentOS 8 to a similar operating system, then this guide is for you. The installation process and commands are nearly identical to what you are used to on CentOS 8. We strongly recommend migrating to Rocky Linux 9 for continued security updates and support. + +CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe to use in production environments. + +**Rocky Linux 9 is the recommended replacement operating system for CentOS 8.** It's: + +- A direct successor created by the original CentOS founder +- Fully compatible with RHEL 9 +- Enterprise-grade and production-ready +- Free and open-source +- A drop-in replacement with the same package manager (dnf) and system structure + +The commands in this guide work identically on both Rocky Linux 9 and AlmaLinux 9 (another CentOS replacement OS). + +## What is a LAMP Stack? + +A **LAMP stack** is a collection of four open-source software components that work together to run dynamic websites and web applications. 
The name is an acronym: + +- **Linux**: The operating system running the server +- **Apache**: The web server software that delivers web pages to visitors and handles web requests +- **MariaDB (or MySQL)**: The database that stores data +- **PHP**: The programming language that processes logic and creates dynamic content + +## Prerequisites + +Before installing the LAMP stack, ensure you have: + +- A server or virtual machine running Rocky Linux 9 (or AlmaLinux 9) +- Root access or a user account with sudo privileges +- Basic familiarity with the Linux command line +- An active internet connection + +{{< note >}} +If you're setting up a fresh Rocky Linux 9 server, review [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide for initial server configuration (timezone, hostname, SSH hardening, firewall basics). +{{< /note >}} + +## Install Apache + +Apache is the web server component that handles HTTP requests and serves web pages. + +1. Update the system package index: + + ```command + sudo dnf update -y + ``` + +If the system is already fully updated, you might see `Nothing to do.` or `Complete!`. Either message indicates success. The key is that there are no error messages and the command returns you to the command prompt. + +1. Install Apache: + + ```command + sudo dnf install httpd -y + ``` + +At the end you should see the key indicators of success: + httpd-[version] [and other packages] + + Complete! + +1. Start the Apache service: + + ```command + sudo systemctl start httpd + ``` + +Silently returns to the prompt when successful. + +1. Enable Apache to start automatically on boot: + + ```command + sudo systemctl enable httpd + ``` + +If you see `Create symlink...` automatic reboot is enabled. + +1. 
Verify Apache is running: + + ```command + sudo systemctl status httpd + ``` + + You should see output indicating the service is `active (running)`: + + ```output + ● httpd.service - The Apache HTTP Server + Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled) + Active: active (running) since Mon 2025-10-13 10:23:45 UTC; 5s ago + ``` +To exit and get back to your command prompt: + +Press **q** (for quit) to END. + +## Configure the Firewall + +Rocky Linux 9 uses `firewalld` by default. You need to allow HTTP and HTTPS traffic through the firewall. + +1. Allow HTTP traffic (port 80): + + ```command + sudo firewall-cmd --permanent --add-service=http + ``` + +1. Allow HTTPS traffic (port 443): + + ```command + sudo firewall-cmd --permanent --add-service=https + ``` + +1. Reload the firewall to apply changes: + + ```command + sudo firewall-cmd --reload + ``` + +1. Verify the firewall rules: + + ```command + sudo firewall-cmd --list-all + ``` + + You should see `http` and `https` listed under services: + + ```output + public (active) + target: default + services: cockpit dhcpv6-client http https ssh + ``` + +1. Test Apache by visiting your server's IP address in a web browser. To find your server's IP address, you can check the Cloud Manager or run: + + ```command + hostname -I + ``` +Open a web browser and navigate to `http://YOUR_IP_ADDRESS` (replace with your actual IP address). You should see the default Rocky Linux Apache test page. + +## Install MariaDB + +MariaDB is the database component that stores and manages data for your applications. + +1. Install MariaDB server: + + ```command + sudo dnf install mariadb-server -y + ``` +You will see "Complete!" when it has successfully installed. + +1. Start the MariaDB service: + + ```command + sudo systemctl start mariadb + ``` + +1. Enable MariaDB to start automatically on boot: + + ```command + sudo systemctl enable mariadb + ``` + +4. 
Secure the MariaDB installation by running the security script: +```command + sudo mysql_secure_installation +``` + + Follow the prompts: + - Press **Enter** when asked for the current root password (there isn't one yet) + +{{< note >}} +On some systems, you may see a message that your root account is already protected with unix_socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. +{{< /note >}} + + - Type **Y** to change the root password, then enter and confirm a strong password + + {{< note >}} + **Important:** Store this root password securely. You will need it to: + - Access the MariaDB command line (`mysql -u root -p`) + - Create databases and users + - Perform database administration tasks + {{< /note >}} + + - Type **Y** to remove anonymous users + - Type **Y** to disallow root login remotely + - Type **Y** to remove the test database + - Type **Y** to reload privilege tables + +1. Verify MariaDB is running: + + ```command + sudo systemctl status mariadb + ``` + + You should see output indicating the service is "active (running)". Press **q** (for quit) to END. + +## Install PHP + +PHP is the programming language that makes websites interactive and personalized. It processes user actions (like logging in, submitting forms, or searching) and creates customized web pages based on data stored in the database. + +1. Install PHP and common modules: + + ```command + sudo dnf install php php-mysqlnd php-fpm php-opcache php-gd php-xml php-mbstring -y + ``` + + This installs: + - `php`: Core PHP interpreter + - `php-mysqlnd`: MySQL Native Driver for database connectivity + - `php-fpm`: FastCGI Process Manager for better performance + - `php-opcache`: Opcode cache for improved performance + - `php-gd`: Graphics library support + - `php-xml`: XML processing support + - `php-mbstring`: Multi-byte string support + +1. 
Restart Apache to load PHP: + + ```command + sudo systemctl restart httpd + ``` +Returns to the prompt silently when successful. + +1. Verify the PHP version: + + ```command + php -v + ``` + + You should see output showing PHP version 8.0 or higher: + + ```output + PHP 8.0.30 (cli) (built: Aug 3 2023 17:13:08) ( NTS gcc x86_64 ) + ``` + +### Test PHP Processing + +Create a test PHP file to verify that Apache can process PHP code correctly. + +{{< note >}} +The following steps create test files directly on the server for verification purposes. In production environments, you should develop code locally and deploy it through version control systems like Git rather than editing files directly on the server. +{{< /note >}} + +1. Create a PHP info file: +```command + sudo nano /var/www/html/info.php +``` + +2. Add the following content: + + {{< file "/var/www/html/info.php" php >}} + + {{< /file >}} + +3. Save and exit the file (Ctrl+X, then Y, then Enter). + +4. Set proper permissions: +```command + sudo chown apache:apache /var/www/html/info.php +``` + + Silently returns to the prompt when successful. + +5. Visit `http://your_server_ip/info.php` in a web browser. You should see a detailed PHP information page showing PHP version, loaded modules, and configuration. + +{{< note type="warning" >}} +Remove the `info.php` file after testing, as it exposes sensitive system information: +```command + sudo rm /var/www/html/info.php +``` +{{< /note >}} + +## Test Database Connectivity + +Verify that PHP can connect to MariaDB. This confirms all three components of your LAMP stack are working together. + +1. Create a test database: + + ```command + sudo mysql -u root -p + ``` + + Enter the root password you created during `mysql_secure_installation`. + + You should see the MariaDB prompt: +```output + MariaDB [(none)]> +``` + + The `[(none)]` indicates you're not currently using any specific database, which is expected at this point. + +1. 
At this MariaDB prompt, run these commands: + + ```command + CREATE DATABASE test_db; + CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'secure_password'; + GRANT ALL PRIVILEGES ON test_db.* TO 'test_user'@'localhost'; + FLUSH PRIVILEGES; + EXIT; + ``` + +1. Create a PHP test file: + + ```command + sudo nano /var/www/html/db_test.php + ``` + +1. Add the following content: + + {{< file "/var/www/html/db_test.php" php >}} +connect_error) { + die("Connection failed: " . $conn->connect_error); +} +echo "Connected successfully to database!"; +$conn->close(); +?> + {{< /file >}} + +1. Visit `http://your_server_ip/db_test.php` in a browser. You should see "Connected successfully to database!" + +1. Clean up test files: + + ```command + sudo rm /var/www/html/db_test.php + sudo mysql -u root -p -e "DROP DATABASE test_db; DROP USER 'test_user'@'localhost';" + ``` + +Enter your MariaDB root password when prompted. The command will silently return to the prompt when successful, having removed the test database and test user. + +## Security Hardening for Production + +The basic installation above is suitable for development and testing only. **Production environments require** immediate security hardening. Within minutes of exposing a server to the internet, automated bots will begin probing for vulnerabilities. A newly created server can receive hundreds of failed login attempts within the first hour. + +Modern servers face constant, automated attacks from across the internet. This section implements essential security measures to protect your LAMP stack from common threats including brute-force attacks, unauthorized access, and application-level vulnerabilities. + +### Security Prerequisites + +Before hardening the LAMP stack, secure SSH access to your server. SSH is the most frequently attacked service on internet-facing systems—new servers often receive hundreds of unauthorized login attempts within the first hour. 
+ +**Complete these essential security steps first:** + +- **[Securing Your Server](link-to-ssh-guide)** - Create non-root user, configure SSH keys, disable root login +- **[Using Fail2ban to Block Brute Force Attacks](link-to-fail2ban-guide)** - Automatically block repeated failed login attempts + +These guides must be completed before proceeding with LAMP stack hardening to ensure your server has basic protection against the most common attack vectors. + +{{< note >}} +If SSH is not secured yet, your server remains vulnerable to automated attacks-even with a hardened LAMP stack. Address SSH security first. +{{< /note >}} + +### Configure Firewall + +Rocky Linux 9 uses firewalld to manage network traffic. A properly configured firewall defines your network perimeter, blocking all traffic except explicitly allowed services. This minimizes exposure and prevents unauthorized access. + +1. Verify firewalld is running: +```command + sudo systemctl status firewalld +``` + +The output should show `enabled` and `active (running)`. If firewalld is not running or not enabled to start on boot, enable and start it: + +```command + sudo systemctl enable --now firewalld +``` + +2. Allow HTTP and HTTPS for web traffic for your web server: +```command + sudo firewall-cmd --permanent --add-service=http + sudo firewall-cmd --permanent --add-service=https +``` + The `--permanent` flag ensures these rules persist across reboots. + +3. If you changed SSH to a non-standard port (recommended for security), allow it: +```command + sudo firewall-cmd --permanent --add-port=2222/tcp +``` +{{< note >}} +SSH on the default port 22 is already allowed in firewalld's default "public" zone. Only add a custom port rule if you changed SSH to a non-standard port. +{{< /note >}} + +4. Reload the firewall to apply changes: +```command + sudo firewall-cmd --reload +``` + +5. Confirm that `http`, `https`, and `ssh` appear under **services**, and any custom SSH port appears under **ports**. 
+```command + sudo firewall-cmd --list-all +``` + +```output + public (active) + services: cockpit dhcpv6-client http https ssh + ports: +``` +{{< note >}} +Replace `2222` with whatever port number you configured for SSH. Common non-standard SSH ports include 2222, 2200, or any port above 1024 that isn't in use. +{{< /note >}} + +### Configure SELinux + +Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux provides mandatory access control, limiting the damage an attacker can cause even if they compromise a service. Never disable SELinux in production environments. + +1. Verify SELinux is enforcing: +```command + getenforce +``` +```output + Enforcing +``` + +2. If your web applications need to connect to remote databases or send email, configure the appropriate SELinux booleans: +```command + # Allow Apache to connect to remote databases + sudo setsebool -P httpd_can_network_connect_db 1 + + # Allow Apache to send email + command + sudo setsebool -P httpd_can_sendmail 1 +``` + + {{< note >}} + Only enable these if your applications require them. The `-P` flag makes the setting persistent across reboots. + {{< /note >}} + +Then verify both: +```command + getsebool httpd_can_network_connect_db httpd_can_sendmail + ``` +Expected output: +```output +httpd_can_network_connect_db --> on +httpd_can_sendmail --> on +``` + +3. Set correct SELinux contexts for web content: +```command + sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" + sudo restorecon -Rv /var/www/html +``` +Check the SELinux context of the directory: +``` + ls -Z /var/www/html + ls -Zd /var/www/html +``` +```output + system_u:object_r:httpd_sys_content_t:s0 /var/www/html +``` +The `httpd_sys_content_t` context allows Apache to serve files from this directory. + +### Secure Apache Configuration + +1. Hide Apache version information by editing the Apache configuration: + + ```command + sudo nano /etc/httpd/conf/httpd.conf + ``` + +1. 
Add or modify these lines: + + {{< file "/etc/httpd/conf/httpd.conf" apache >}} +ServerTokens Prod +ServerSignature Off + {{< /file >}} + +1. Disable directory listing by ensuring this line exists in your configuration: + + {{< file "/etc/httpd/conf/httpd.conf" apache >}} +Options -Indexes FollowSymLinks + {{< /file >}} + +1. Restart Apache to apply changes: + + ```command + sudo apachectl configtest + sudo systemctl restart httpd + sudo systemctl status httpd + ``` +Expected output: + - First command: `Syntax OK` + - Second command: Silent return to prompt (no output) + - Third command: Shows `active (running)` and `Started The Apache HTTP Server` + +### Secure MariaDB + +1. Edit the MariaDB configuration: + + ```command + sudo nano /etc/my.cnf.d/mariadb-server.cnf + ``` + +1. Add these security settings under the `[mysqld]` section: + + {{< file "/etc/my.cnf.d/mariadb-server.cnf" ini >}} +[mysqld] +bind-address = 127.0.0.1 +local-infile = 0 + {{< /file >}} + +1. Restart MariaDB: + + ```command + sudo systemctl restart mariadb + ``` +1.Verify MariaDB is running: + +```command + sudo systemctl status mariadb +``` + +### Secure PHP Configuration + +1. Edit the PHP configuration: + + ```command + sudo nano /etc/php.ini + ``` + +1. Modify these security-related settings: + + {{< file "/etc/php.ini" ini >}} +expose_php = Off +display_errors = Off +log_errors = On +error_log = /var/log/php/error.log +disable_functions = exec,passthru,shell_exec,system,proc_open,popen +allow_url_fopen = Off +allow_url_include = Off + {{< /file >}} + +1. Create the PHP log directory: + + ```command + sudo mkdir -p /var/log/php + sudo chown apache:apache /var/log/php + ``` + +1. Restart Apache: + + ```command + sudo systemctl restart httpd + ``` + +### Install and Configure ModSecurity (Optional) + +ModSecurity is a web application firewall (WAF) that provides additional protection against common web attacks. + +1. 
Install ModSecurity: + +These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially for production environments or public-facing servers. + + ```command + sudo dnf install mod_security -y + ``` +Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. + +2. Enable and start ModSecurity: + +Restart Apache to load the ModSecurity module: + + ```command + sudo systemctl restart httpd + ``` +A silent return to the prompt indicates success. + +1. Verify ModSecurity is loaded: + +To confirm that Mod Security is active, use the following command: + + ```command + sudo httpd -M | grep security + ``` + +This lists all loaded Apache modules and filters for ModSecurity. If installed correctly, you should see: + + ```output + security2_module (shared) + ``` + +{{< note >}} +Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable on Rocky Linux 9. +{{< /note >}} + +For detailed ModSecurity configuration and rules: + +[Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/). +[Apache mod_security module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). +[How to Install Modsecurity 2 OWASP CRS with Apache on Ubuntu 24.04/22.04/20.04 - LinuxCapable](https://linuxcapable.com/how-to-install-modsecurity-with-apache-on-ubuntu-linux/). + +For advanced rule sets and customization, see the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) and [Sling Academy’s practical guide](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/). + +### Enable Automatic Security Updates + +Security vulnerabilities are discovered constantly. Manually checking for and applying updates creates dangerous gaps where your server remains vulnerable to known exploits. 
Automatic security updates ensure critical patches are applied promptly, reducing the window of exposure to attacks. This is essential for production servers that need continuous protection without manual intervention. So, it keeps the LAMP stack infrastructure (Apache, MariaDB, PHP, OS) patched and secure automatically. + +1. Install the `dnf-automatic` package: + + ```command + sudo dnf install dnf-automatic -y + ``` +Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. + +1. Configure automatic updates by editing the configuration: + + ```command + sudo nano /etc/dnf/automatic.conf + ``` + +1. Set `apply_updates` to `yes`: + + {{< file "/etc/dnf/automatic.conf" ini >}} +[commands] +apply_updates = yes + {{< /file >}} + +1. Enable and start the automatic update timer: + + ```command + sudo systemctl enable --now dnf-automatic.timer + ``` + +### Configure Log Rotation + +Log rotation is enabled by default: Rocky Linux 9 includes `logrotate` as part of its base system, and it's configured to rotate logs for common services like Apache (`httpd`) and MariaDB: + +```command +ls /etc/logrotate.d/ +``` +- Lists all service-specific rotation configs. + +- To see configuration files for `httpd` and `mariadb`: + +```command + cat /etc/logrotate.d/httpd + cat /etc/logrotate.d/mariadb +``` +These files define how logs are rotated-for example, weekly rotation, retention of four weeks, and compression of older logs. + +## Post-Install Best Practices + +For production environments, implement regular backups: + +- **Database backups**: Use `mysqldump` or MariaDB's backup tools +- **Web content backups**: Regularly backup `/var/www/html` +- **Configuration backups**: Backup `/etc/httpd` and `/etc/my.cnf.d` +- **Off-site storage**: Store backups in a separate location + +## Install SSL/TLS Certificate + +For production websites, always use HTTPS with a valid SSL/TLS certificate. 
+ +{{< note >}} +See the guide for [Enabling HTTPS Using Certbot with Apache on CentOS 8](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) for detailed instructions. The process is nearly identical on Rocky Linux 9.Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. +{{< /note >}} + +## Migration-Specific Considerations + +If you're migrating an existing site from CentOS 8: + +### Application Compatibility + +- Test all applications on Rocky Linux 9 before going live +- Check PHP version compatibility (Rocky 9 may have newer PHP) +- Verify all PHP extensions are installed + +### Data Migration + +- Export databases from CentOS 8: `mysqldump -u root -p --all-databases > backup.sql` +- Transfer web files: `rsync -avz /var/www/html/ user@new-server:/var/www/html/` +- Import databases to Rocky Linux 9: `mysql -u root -p < backup.sql` +- Verify file permissions after transfer + +### Testing Checklist + +- All pages load correctly +- Database connections work +- Forms submit properly +- File uploads function +- SSL certificate installed and working +- Redirects work correctly +- Cron jobs migrated and running + +## Conclusion + +Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical commands and structure. The LAMP stack installation is straightforward, but production deployment requires the security hardening steps outlined above. 
+ +**Key takeaways:** + +- Installation process identical to CentOS 8 +- Never disable SELinux - configure it properly +- Production hardening is mandatory, not optional +- Test thoroughly before migrating production workloads + +## Additional Resources + +- [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough +- [SELinux Guide for CentOS 8](https://www.linode.com/docs/guides/a-beginners-guide-to-selinux-on-centos-8/) - Applicable to Rocky Linux 9 +- [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/) - Advanced web application firewall +- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation \ No newline at end of file From 69a2079dd63902bcbc393f45eabd9040b75bed7a Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 10:13:51 -0700 Subject: [PATCH 02/18] Add technical terms to dictionary (setsebool, getsebool, etc.) --- ci/vale/dictionary.txt | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/ci/vale/dictionary.txt b/ci/vale/dictionary.txt index 10ee9a02a4b..d40f2bd978a 100644 --- a/ci/vale/dictionary.txt +++ b/ci/vale/dictionary.txt @@ -58,6 +58,7 @@ aniszczyk anonymization anonymize anonymizing +anotheruser ansi ansible ansible's @@ -68,6 +69,7 @@ anycasted anycasting ap apache2 +apachectl APCu apfs api @@ -285,6 +287,7 @@ centos7 ceph cer certbot +Certbot certcheck certutil cetera @@ -561,6 +564,7 @@ devtmpfs dex df dhclient +dhcpv6 dhparams dia dialogs @@ -593,6 +597,7 @@ dmg dmitriy dmz dnf +dnf-automatic dns dns_linode DNSdumpster @@ -743,6 +748,7 @@ fb4c fcgi fcgid fcgiwrap +fcontext fcrontab fd fdisk @@ -779,6 +785,7 @@ fintech firefart firehose firewalld +firewalld's firewalled firewalling firstsite 
@@ -795,6 +802,7 @@ fn fn Focalboard foodcritic +fopen fordham fordham formatters @@ -862,6 +870,7 @@ geoip geolocating geolocation geospatial +getenforce getmail getprivs getpwent @@ -994,6 +1003,7 @@ host1 host2 hostname hostnames +hotcopy hotfix hotfixes hotlink @@ -1087,6 +1097,7 @@ inet inet6 infector inferencing +infile infographic infosec ingester @@ -1331,6 +1342,8 @@ li181 li263 lib32 libaprutil1 +libapache +libapache2 libc libc6 libcontainer @@ -1477,6 +1490,7 @@ mBlock mbox Mbps MBps +mbstring mbstrings mcrypt mcy @@ -1576,6 +1590,7 @@ mod_wsgi moddable modinfo modsecurity +Modsecurity modularization Mojang mongocryptd @@ -1658,6 +1673,7 @@ mysql_config_editor mysql_secure_installation mysqlclient10 mysqld +mysqlnd mysqldefault mysqldump mysqli @@ -1876,6 +1892,7 @@ passdb Passky passlib passphraseless +passthru passwd passwdcolumn passwdfile @@ -1919,6 +1936,7 @@ php php5 php7 phpFox +phpinfo PHPMailer phpmyadmin Phrack @@ -1956,6 +1974,7 @@ pop3 pop3d pop3s popeye +popen poplib portainer portmapper @@ -2010,6 +2029,7 @@ procfile procmail procs productpage +projectname prolog promlens promo_codes @@ -2162,6 +2182,7 @@ respawn resque restapi restic +restorecon restreaming Restyaboard retargetly @@ -2300,6 +2321,7 @@ sed sekurlsa Seldon selinux +semanage sendable sendmail sentdex @@ -2321,6 +2343,7 @@ setguid setsebool setters setuid +setuuid setuptools Severalnines sfadmin @@ -2491,6 +2514,9 @@ sury suse Sussman svn +svnadmin +svnserve +svnuser swappable swappiness symantec @@ -2981,8 +3007,10 @@ yoast yourdomain yourdomainorsubdomainhere yourname +yourserver yourservice yoursite +yourusername youtube yubico yubikey From 8dfcbfc0e47b07b1b2043084fffd10b9f04d8b36 Mon Sep 17 00:00:00 2001 From: DHBR2 Date: Thu, 16 Oct 2025 12:00:42 -0700 Subject: [PATCH 03/18] Revise LAMP stack installation guide metadata Add to metadata SEO terms --- .../index.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index e83296c8863..f654992d126 100644 --- a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -1,24 +1,24 @@ --- slug: how-to-install-a-lamp-stack-on-rocky-linux-9 -title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement" +title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" title_meta: "How to Install a LAMP Stack on Ubuntu 22.04" -description: 'This guide provides some background about a Linux LAMP stack and explains how to install a LAMP stack on Ubuntu 22.04.' +description: 'This guide provides some background about a Linux LAMP stack installation and security hardening and includes step by step instruction on how to install a LAMP stack on Rocky Linux 9 and Ubuntu 22.04.' authors: ["Diana Hoober"] contributors: ["Diana Hoober"] published: 2025-10-10 -keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack','how to install a LAMP Stack on CentOS 8'] +keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' --- -# How to Install a LAMP Stack on Rocky Linux 9 to Replace CentOS 8 - ## About CentOS 8 and Rocky Linux 9 If you're moving from CentOS 8 to a similar operating system, then this guide is for you. The installation process and commands are nearly identical to what you are used to on CentOS 8. We strongly recommend migrating to Rocky Linux 9 for continued security updates and support. CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe to use in production environments. -**Rocky Linux 9 is the recommended replacement operating system for CentOS 8.** It's: +**Rocky Linux 9 is the recommended replacement operating system for CentOS 8.** + +It is: - A direct successor created by the original CentOS founder - Fully compatible with RHEL 9 
@@ -34,20 +34,20 @@ A **LAMP stack** is a collection of four open-source software components that wo - **Linux**: The operating system running the server - **Apache**: The web server software that delivers web pages to visitors and handles web requests -- **MariaDB (or MySQL)**: The database that stores data +- **MariaDB**: Database server - **PHP**: The programming language that processes logic and creates dynamic content ## Prerequisites Before installing the LAMP stack, ensure you have: -- A server or virtual machine running Rocky Linux 9 (or AlmaLinux 9) +- A server or virtual machine with Rocky Linux 9 already installed - Root access or a user account with sudo privileges - Basic familiarity with the Linux command line - An active internet connection {{< note >}} -If you're setting up a fresh Rocky Linux 9 server, review [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide for initial server configuration (timezone, hostname, SSH hardening, firewall basics). +When setting up a fresh Rocky Linux 9 server, review the [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide for initial server configuration (timezone, hostname, SSH hardening, firewall basics). {{< /note >}} ## Install Apache 
@@ -719,4 +719,4 @@ Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical c - [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough - [SELinux Guide for CentOS 8](https://www.linode.com/docs/guides/a-beginners-guide-to-selinux-on-centos-8/) - Applicable to Rocky Linux 9 - [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/) - Advanced web application firewall -- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation \ No newline at end of file +- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation From de2afb37048f70e55bd615bcfb2b0c07aac348d9 Mon Sep 17 00:00:00 2001 From: DHBR2 Date: Thu, 16 Oct 2025 14:13:12 -0700 Subject: [PATCH 04/18] Revise Apache installation steps in LAMP guide Updated the steps for installing and configuring Apache in the LAMP stack guide, including renumbering and clarifying instructions. Added a note about testing Apache after firewall configuration. Removed duplicate information. --- .../index.md | 53 ++++--------------- 1 file changed, 9 insertions(+), 44 deletions(-) diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index f654992d126..3072fbe4ae3 100644 --- a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -62,7 +62,7 @@ Apache is the web server component that handles HTTP requests and serves web pag If the system is already fully updated, you might see `Nothing to do.` or `Complete!`. Either message indicates success. The key is that there are no error messages and the command returns you to the command prompt. -1. Install Apache: +2. Install Apache: ```command sudo dnf install httpd -y @@ -73,7 +73,7 @@ At the end you should see the key indicators of success: Complete! -1. Start the Apache service: +3. Start the Apache service: ```command sudo systemctl start httpd @@ -81,7 +81,7 @@ At the end you should see the key indicators of success: Silently returns to the prompt when successful. -1. Enable Apache to start automatically on boot: +4. Enable Apache to start automatically on boot: ```command sudo systemctl enable httpd @@ -89,7 +89,7 @@ Silently returns to the prompt when successful. If you see `Create symlink...` automatic reboot is enabled. -1. Verify Apache is running: +5. Verify Apache is running: ```command sudo systemctl status httpd 
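Review bot: Hard-coding `2.` through `5.` in the Install Apache list works around the numbering reset rather than fixing its cause. If the explanatory paragraphs between steps (for example "Silently returns to the prompt when successful.") are not indented under their list item, the list is split at each one; indenting them keeps a single list and lets every step stay `1.`, which is what the MariaDB and PHP sections of the same guide still use. While touching this block, the context line "If you see `Create symlink...` automatic reboot is enabled." should say that Apache is enabled to start at boot; `systemctl enable` does not reboot anything.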
@@ -106,48 +106,13 @@ To exit and get back to your command prompt: Press **q** (for quit) to END. -## Configure the Firewall +### Test Apache -Rocky Linux 9 uses `firewalld` by default. You need to allow HTTP and HTTPS traffic through the firewall. - -1. Allow HTTP traffic (port 80): - - ```command - sudo firewall-cmd --permanent --add-service=http - ``` - -1. Allow HTTPS traffic (port 443): - - ```command - sudo firewall-cmd --permanent --add-service=https - ``` - -1. Reload the firewall to apply changes: - - ```command - sudo firewall-cmd --reload - ``` - -1. Verify the firewall rules: - - ```command - sudo firewall-cmd --list-all - ``` - - You should see `http` and `https` listed under services: - - ```output - public (active) - target: default - services: cockpit dhcpv6-client http https ssh - ``` - -1. Test Apache by visiting your server's IP address in a web browser. To find your server's IP address, you can check the Cloud Manager or run: +{{< note type="alert" >}} +Before testing Apache, you must configure the firewall to allow HTTP/HTTPS traffic. See the [Configure Firewall](#configure-firewall) section under Security Hardening below. +{{< /note >}} - ```command - hostname -I - ``` -Open a web browser and navigate to `http://YOUR_IP_ADDRESS` (replace with your actual IP address). You should see the default Rocky Linux Apache test page. +After configuring the firewall, test Apache by visiting your server's IP address (replace with your actual IP address). You should see the default Rocky Linux Apache test page. ## Install MariaDB From 6d8fd0cb3bcbd8cf338ae1400edace9a998ab5ba Mon Sep 17 00:00:00 2001 From: DHBR2 Date: Thu, 16 Oct 2025 14:48:15 -0700 Subject: [PATCH 05/18] Update title_meta for LAMP stack guide on Rocky Linux 9 Corrected title-meta --- .../lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
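Review bot: The rewritten test sentence under `### Test Apache` loses the URL it refers to: "visiting your server's IP address (replace with your actual IP address)" no longer contains the `http://YOUR_IP_ADDRESS` placeholder that the parenthetical is about, and the `hostname -I` hint for finding the address is removed with it. Restore both in the new sentence. The note also sends the reader forward to `#configure-firewall` "under Security Hardening below", so Apache cannot be verified at the point where it is installed; either move the test to after the firewall section or state clearly that the reader should return here afterwards. Confirm that `type="alert"` is a note type the site supports.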
diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index 3072fbe4ae3..d47174b21d6 100644 --- a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -1,7 +1,7 @@ --- slug: how-to-install-a-lamp-stack-on-rocky-linux-9 title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" -title_meta: "How to Install a LAMP Stack on Ubuntu 22.04" +title_meta: Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" description: 'This guide provides some background about a Linux LAMP stack installation and security hardening and includes step by step instruction on how to install a LAMP stack on Rocky Linux 9 and Ubuntu 22.04.' authors: ["Diana Hoober"] contributors: ["Diana Hoober"] From f6709b8921ac2b918c64f3aa1f927bed11076140 Mon Sep 17 00:00:00 2001 From: DHBR2 Date: Thu, 16 Oct 2025 15:08:26 -0700 Subject: [PATCH 06/18] Revise introduction for Rocky Linux 9 LAMP guide Updated the introduction to clarify the transition from CentOS 8 to Rocky Linux 9, emphasizing the benefits and compatibility of Rocky Linux. Adjusted the warning note regarding Apache testing. --- .../index.md | 20 +++---------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index d47174b21d6..b7982217e65 100644 --- a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -10,23 +10,9 @@ keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack', 'install Apache', ' license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' --- -## About CentOS 8 and Rocky Linux 9 +If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward. -If you're moving from CentOS 8 to a similar operating system, then this guide is for you. The installation process and commands are nearly identical to what you are used to on CentOS 8. We strongly recommend migrating to Rocky Linux 9 for continued security updates and support. - -CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe to use in production environments. - -**Rocky Linux 9 is the recommended replacement operating system for CentOS 8.** - -It is: - -- A direct successor created by the original CentOS founder -- Fully compatible with RHEL 9 -- Enterprise-grade and production-ready -- Free and open-source -- A drop-in replacement with the same package manager (dnf) and system structure - -The commands in this guide work identically on both Rocky Linux 9 and AlmaLinux 9 (another CentOS replacement OS). +CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe for production use. **Rocky Linux 9 is the recommended replacement**--a free, open-source, enterprise-grade OS created by the original CentOS founder. It's fully compatible with RHEL 9 and serves as a drop-in replacement with the same package manager (`dnf`) and system structure. ## What is a LAMP Stack? 
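Review bot: The `keywords` line shown in this hunk's header has an unbalanced quote, `'LAMP CentOS 8,'install LAMP stack'`, so the front matter list is malformed; since this change already edits the top of the file, close the quote as `'LAMP CentOS 8', 'install LAMP stack'`. In the new introduction, "nearly identical to what you're used to on CentOS 8 making migration straightforward" needs a comma before "making", and `**Rocky Linux 9 is the recommended replacement**--a free` should use the same dash convention as the rest of the guide rather than a double hyphen.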
@@ -108,7 +94,7 @@ Press **q** (for quit) to END. ### Test Apache -{{< note type="alert" >}} +{{< note type="warning" >}} Before testing Apache, you must configure the firewall to allow HTTP/HTTPS traffic. See the [Configure Firewall](#configure-firewall) section under Security Hardening below. {{< /note >}} From bf14270a20a5b225275bfff7d6d58bffdf3edb66 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 15:58:55 -0700 Subject: [PATCH 07/18] Move Rocky Linux 9 guide into correct docs/guides path --- .../index.md | 673 ++++++++++++++++++ 1 file changed, 673 insertions(+) create mode 100644 docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md new file mode 100644 index 00000000000..b7982217e65 --- /dev/null +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -0,0 +1,673 @@ +--- +slug: how-to-install-a-lamp-stack-on-rocky-linux-9 +title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" +title_meta: Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" +description: 'This guide provides some background about a Linux LAMP stack installation and security hardening and includes step by step instruction on how to install a LAMP stack on Rocky Linux 9 and Ubuntu 22.04.' +authors: ["Diana Hoober"] +contributors: ["Diana Hoober"] +published: 2025-10-10 +keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] +license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' +--- + +If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward. + +CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe for production use. **Rocky Linux 9 is the recommended replacement**--a free, open-source, enterprise-grade OS created by the original CentOS founder. It's fully compatible with RHEL 9 and serves as a drop-in replacement with the same package manager (`dnf`) and system structure. + +## What is a LAMP Stack? + +A **LAMP stack** is a collection of four open-source software components that work together to run dynamic websites and web applications. 
The name is an acronym: + +- **Linux**: The operating system running the server +- **Apache**: The web server software that delivers web pages to visitors and handles web requests +- **MariaDB**: Database server +- **PHP**: The programming language that processes logic and creates dynamic content + +## Prerequisites + +Before installing the LAMP stack, ensure you have: + +- A server or virtual machine with Rocky Linux 9 already installed +- Root access or a user account with sudo privileges +- Basic familiarity with the Linux command line +- An active internet connection + +{{< note >}} +When setting up a fresh Rocky Linux 9 server, review the [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide for initial server configuration (timezone, hostname, SSH hardening, firewall basics). +{{< /note >}} + +## Install Apache + +Apache is the web server component that handles HTTP requests and serves web pages. + +1. Update the system package index: + + ```command + sudo dnf update -y + ``` + +If the system is already fully updated, you might see `Nothing to do.` or `Complete!`. Either message indicates success. The key is that there are no error messages and the command returns you to the command prompt. + +2. Install Apache: + + ```command + sudo dnf install httpd -y + ``` + +At the end you should see the key indicators of success: + httpd-[version] [and other packages] + + Complete! + +3. Start the Apache service: + + ```command + sudo systemctl start httpd + ``` + +Silently returns to the prompt when successful. + +4. Enable Apache to start automatically on boot: + + ```command + sudo systemctl enable httpd + ``` + +If you see `Create symlink...` automatic reboot is enabled. + +5. 
Verify Apache is running: + + ```command + sudo systemctl status httpd + ``` + + You should see output indicating the service is `active (running)`: + + ```output + ● httpd.service - The Apache HTTP Server + Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled) + Active: active (running) since Mon 2025-10-13 10:23:45 UTC; 5s ago + ``` +To exit and get back to your command prompt: + +Press **q** (for quit) to END. + +### Test Apache + +{{< note type="warning" >}} +Before testing Apache, you must configure the firewall to allow HTTP/HTTPS traffic. See the [Configure Firewall](#configure-firewall) section under Security Hardening below. +{{< /note >}} + +After configuring the firewall, test Apache by visiting your server's IP address (replace with your actual IP address). You should see the default Rocky Linux Apache test page. + +## Install MariaDB + +MariaDB is the database component that stores and manages data for your applications. + +1. Install MariaDB server: + + ```command + sudo dnf install mariadb-server -y + ``` +You will see "Complete!" when it has successfully installed. + +1. Start the MariaDB service: + + ```command + sudo systemctl start mariadb + ``` + +1. Enable MariaDB to start automatically on boot: + + ```command + sudo systemctl enable mariadb + ``` + +4. Secure the MariaDB installation by running the security script: +```command + sudo mysql_secure_installation +``` + + Follow the prompts: + - Press **Enter** when asked for the current root password (there isn't one yet) + +{{< note >}} +On some systems, you may see a message that your root account is already protected with unix_socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. +{{< /note >}} + + - Type **Y** to change the root password, then enter and confirm a strong password + + {{< note >}} + **Important:** Store this root password securely. 
You will need it to: + - Access the MariaDB command line (`mysql -u root -p`) + - Create databases and users + - Perform database administration tasks + {{< /note >}} + + - Type **Y** to remove anonymous users + - Type **Y** to disallow root login remotely + - Type **Y** to remove the test database + - Type **Y** to reload privilege tables + +1. Verify MariaDB is running: + + ```command + sudo systemctl status mariadb + ``` + + You should see output indicating the service is "active (running)". Press **q** (for quit) to END. + +## Install PHP + +PHP is the programming language that makes websites interactive and personalized. It processes user actions (like logging in, submitting forms, or searching) and creates customized web pages based on data stored in the database. + +1. Install PHP and common modules: + + ```command + sudo dnf install php php-mysqlnd php-fpm php-opcache php-gd php-xml php-mbstring -y + ``` + + This installs: + - `php`: Core PHP interpreter + - `php-mysqlnd`: MySQL Native Driver for database connectivity + - `php-fpm`: FastCGI Process Manager for better performance + - `php-opcache`: Opcode cache for improved performance + - `php-gd`: Graphics library support + - `php-xml`: XML processing support + - `php-mbstring`: Multi-byte string support + +1. Restart Apache to load PHP: + + ```command + sudo systemctl restart httpd + ``` +Returns to the prompt silently when successful. + +1. Verify the PHP version: + + ```command + php -v + ``` + + You should see output showing PHP version 8.0 or higher: + + ```output + PHP 8.0.30 (cli) (built: Aug 3 2023 17:13:08) ( NTS gcc x86_64 ) + ``` + +### Test PHP Processing + +Create a test PHP file to verify that Apache can process PHP code correctly. + +{{< note >}} +The following steps create test files directly on the server for verification purposes. 
In production environments, you should develop code locally and deploy it through version control systems like Git rather than editing files directly on the server. +{{< /note >}} + +1. Create a PHP info file: +```command + sudo nano /var/www/html/info.php +``` + +2. Add the following content: + + {{< file "/var/www/html/info.php" php >}} + + {{< /file >}} + +3. Save and exit the file (Ctrl+X, then Y, then Enter). + +4. Set proper permissions: +```command + sudo chown apache:apache /var/www/html/info.php +``` + + Silently returns to the prompt when successful. + +5. Visit `http://your_server_ip/info.php` in a web browser. You should see a detailed PHP information page showing PHP version, loaded modules, and configuration. + +{{< note type="warning" >}} +Remove the `info.php` file after testing, as it exposes sensitive system information: +```command + sudo rm /var/www/html/info.php +``` +{{< /note >}} + +## Test Database Connectivity + +Verify that PHP can connect to MariaDB. This confirms all three components of your LAMP stack are working together. + +1. Create a test database: + + ```command + sudo mysql -u root -p + ``` + + Enter the root password you created during `mysql_secure_installation`. + + You should see the MariaDB prompt: +```output + MariaDB [(none)]> +``` + + The `[(none)]` indicates you're not currently using any specific database, which is expected at this point. + +1. At this MariaDB prompt, run these commands: + + ```command + CREATE DATABASE test_db; + CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'secure_password'; + GRANT ALL PRIVILEGES ON test_db.* TO 'test_user'@'localhost'; + FLUSH PRIVILEGES; + EXIT; + ``` + +1. Create a PHP test file: + + ```command + sudo nano /var/www/html/db_test.php + ``` + +1. Add the following content: + + {{< file "/var/www/html/db_test.php" php >}} +connect_error) { + die("Connection failed: " . $conn->connect_error); +} +echo "Connected successfully to database!"; +$conn->close(); +?> + {{< /file >}} + +1. 
Visit `http://your_server_ip/db_test.php` in a browser. You should see "Connected successfully to database!" + +1. Clean up test files: + + ```command + sudo rm /var/www/html/db_test.php + sudo mysql -u root -p -e "DROP DATABASE test_db; DROP USER 'test_user'@'localhost';" + ``` + +Enter your MariaDB root password when prompted. The command will silently return to the prompt when successful, having removed the test database and test user. + +## Security Hardening for Production + +The basic installation above is suitable for development and testing only. **Production environments require** immediate security hardening. Within minutes of exposing a server to the internet, automated bots will begin probing for vulnerabilities. A newly created server can receive hundreds of failed login attempts within the first hour. + +Modern servers face constant, automated attacks from across the internet. This section implements essential security measures to protect your LAMP stack from common threats including brute-force attacks, unauthorized access, and application-level vulnerabilities. + +### Security Prerequisites + +Before hardening the LAMP stack, secure SSH access to your server. SSH is the most frequently attacked service on internet-facing systems—new servers often receive hundreds of unauthorized login attempts within the first hour. + +**Complete these essential security steps first:** + +- **[Securing Your Server](link-to-ssh-guide)** - Create non-root user, configure SSH keys, disable root login +- **[Using Fail2ban to Block Brute Force Attacks](link-to-fail2ban-guide)** - Automatically block repeated failed login attempts + +These guides must be completed before proceeding with LAMP stack hardening to ensure your server has basic protection against the most common attack vectors. + +{{< note >}} +If SSH is not secured yet, your server remains vulnerable to automated attacks-even with a hardened LAMP stack. Address SSH security first. 
+{{< /note >}} + +### Configure Firewall + +Rocky Linux 9 uses firewalld to manage network traffic. A properly configured firewall defines your network perimeter, blocking all traffic except explicitly allowed services. This minimizes exposure and prevents unauthorized access. + +1. Verify firewalld is running: +```command + sudo systemctl status firewalld +``` + +The output should show `enabled` and `active (running)`. If firewalld is not running or not enabled to start on boot, enable and start it: + +```command + sudo systemctl enable --now firewalld +``` + +2. Allow HTTP and HTTPS for web traffic for your web server: +```command + sudo firewall-cmd --permanent --add-service=http + sudo firewall-cmd --permanent --add-service=https +``` + The `--permanent` flag ensures these rules persist across reboots. + +3. If you changed SSH to a non-standard port (recommended for security), allow it: +```command + sudo firewall-cmd --permanent --add-port=2222/tcp +``` +{{< note >}} +SSH on the default port 22 is already allowed in firewalld's default "public" zone. Only add a custom port rule if you changed SSH to a non-standard port. +{{< /note >}} + +4. Reload the firewall to apply changes: +```command + sudo firewall-cmd --reload +``` + +5. Confirm that `http`, `https`, and `ssh` appear under **services**, and any custom SSH port appears under **ports**. +```command + sudo firewall-cmd --list-all +``` + +```output + public (active) + services: cockpit dhcpv6-client http https ssh + ports: +``` +{{< note >}} +Replace `2222` with whatever port number you configured for SSH. Common non-standard SSH ports include 2222, 2200, or any port above 1024 that isn't in use. +{{< /note >}} + +### Configure SELinux + +Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux provides mandatory access control, limiting the damage an attacker can cause even if they compromise a service. Never disable SELinux in production environments. + +1. 
Verify SELinux is enforcing: +```command + getenforce +``` +```output + Enforcing +``` + +2. If your web applications need to connect to remote databases or send email, configure the appropriate SELinux booleans: +```command + # Allow Apache to connect to remote databases + sudo setsebool -P httpd_can_network_connect_db 1 + + # Allow Apache to send email + command + sudo setsebool -P httpd_can_sendmail 1 +``` + + {{< note >}} + Only enable these if your applications require them. The `-P` flag makes the setting persistent across reboots. + {{< /note >}} + +Then verify both: +```command + getsebool httpd_can_network_connect_db httpd_can_sendmail + ``` +Expected output: +```output +httpd_can_network_connect_db --> on +httpd_can_sendmail --> on +``` + +3. Set correct SELinux contexts for web content: +```command + sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" + sudo restorecon -Rv /var/www/html +``` +Check the SELinux context of the directory: +``` + ls -Z /var/www/html + ls -Zd /var/www/html +``` +```output + system_u:object_r:httpd_sys_content_t:s0 /var/www/html +``` +The `httpd_sys_content_t` context allows Apache to serve files from this directory. + +### Secure Apache Configuration + +1. Hide Apache version information by editing the Apache configuration: + + ```command + sudo nano /etc/httpd/conf/httpd.conf + ``` + +1. Add or modify these lines: + + {{< file "/etc/httpd/conf/httpd.conf" apache >}} +ServerTokens Prod +ServerSignature Off + {{< /file >}} + +1. Disable directory listing by ensuring this line exists in your configuration: + + {{< file "/etc/httpd/conf/httpd.conf" apache >}} +Options -Indexes FollowSymLinks + {{< /file >}} + +1. 
Restart Apache to apply changes: + + ```command + sudo apachectl configtest + sudo systemctl restart httpd + sudo systemctl status httpd + ``` +Expected output: + - First command: `Syntax OK` + - Second command: Silent return to prompt (no output) + - Third command: Shows `active (running)` and `Started The Apache HTTP Server` + +### Secure MariaDB + +1. Edit the MariaDB configuration: + + ```command + sudo nano /etc/my.cnf.d/mariadb-server.cnf + ``` + +1. Add these security settings under the `[mysqld]` section: + + {{< file "/etc/my.cnf.d/mariadb-server.cnf" ini >}} +[mysqld] +bind-address = 127.0.0.1 +local-infile = 0 + {{< /file >}} + +1. Restart MariaDB: + + ```command + sudo systemctl restart mariadb + ``` +1.Verify MariaDB is running: + +```command + sudo systemctl status mariadb +``` + +### Secure PHP Configuration + +1. Edit the PHP configuration: + + ```command + sudo nano /etc/php.ini + ``` + +1. Modify these security-related settings: + + {{< file "/etc/php.ini" ini >}} +expose_php = Off +display_errors = Off +log_errors = On +error_log = /var/log/php/error.log +disable_functions = exec,passthru,shell_exec,system,proc_open,popen +allow_url_fopen = Off +allow_url_include = Off + {{< /file >}} + +1. Create the PHP log directory: + + ```command + sudo mkdir -p /var/log/php + sudo chown apache:apache /var/log/php + ``` + +1. Restart Apache: + + ```command + sudo systemctl restart httpd + ``` + +### Install and Configure ModSecurity (Optional) + +ModSecurity is a web application firewall (WAF) that provides additional protection against common web attacks. + +1. Install ModSecurity: + +These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially for production environments or public-facing servers. + + ```command + sudo dnf install mod_security -y + ``` +Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. + +2. 
Enable and start ModSecurity: + +Restart Apache to load the ModSecurity module: + + ```command + sudo systemctl restart httpd + ``` +A silent return to the prompt indicates success. + +1. Verify ModSecurity is loaded: + +To confirm that Mod Security is active, use the following command: + + ```command + sudo httpd -M | grep security + ``` + +This lists all loaded Apache modules and filters for ModSecurity. If installed correctly, you should see: + + ```output + security2_module (shared) + ``` + +{{< note >}} +Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable on Rocky Linux 9. +{{< /note >}} + +For detailed ModSecurity configuration and rules: + +[Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/). +[Apache mod_security module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). +[How to Install Modsecurity 2 OWASP CRS with Apache on Ubuntu 24.04/22.04/20.04 - LinuxCapable](https://linuxcapable.com/how-to-install-modsecurity-with-apache-on-ubuntu-linux/). + +For advanced rule sets and customization, see the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) and [Sling Academy’s practical guide](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/). + +### Enable Automatic Security Updates + +Security vulnerabilities are discovered constantly. Manually checking for and applying updates creates dangerous gaps where your server remains vulnerable to known exploits. Automatic security updates ensure critical patches are applied promptly, reducing the window of exposure to attacks. This is essential for production servers that need continuous protection without manual intervention. So, it keeps the LAMP stack infrastructure (Apache, MariaDB, PHP, OS) patched and secure automatically. + +1. 
Install the `dnf-automatic` package: + + ```command + sudo dnf install dnf-automatic -y + ``` +Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. + +1. Configure automatic updates by editing the configuration: + + ```command + sudo nano /etc/dnf/automatic.conf + ``` + +1. Set `apply_updates` to `yes`: + + {{< file "/etc/dnf/automatic.conf" ini >}} +[commands] +apply_updates = yes + {{< /file >}} + +1. Enable and start the automatic update timer: + + ```command + sudo systemctl enable --now dnf-automatic.timer + ``` + +### Configure Log Rotation + +Log rotation is enabled by default: Rocky Linux 9 includes `logrotate` as part of its base system, and it's configured to rotate logs for common services like Apache (`httpd`) and MariaDB: + +```command +ls /etc/logrotate.d/ +``` +- Lists all service-specific rotation configs. + +- To see configuration files for `httpd` and `mariadb`: + +```command + cat /etc/logrotate.d/httpd + cat /etc/logrotate.d/mariadb +``` +These files define how logs are rotated-for example, weekly rotation, retention of four weeks, and compression of older logs. + +## Post-Install Best Practices + +For production environments, implement regular backups: + +- **Database backups**: Use `mysqldump` or MariaDB's backup tools +- **Web content backups**: Regularly backup `/var/www/html` +- **Configuration backups**: Backup `/etc/httpd` and `/etc/my.cnf.d` +- **Off-site storage**: Store backups in a separate location + +## Install SSL/TLS Certificate + +For production websites, always use HTTPS with a valid SSL/TLS certificate. + +{{< note >}} +See the guide for [Enabling HTTPS Using Certbot with Apache on CentOS 8](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) for detailed instructions. 
The process is nearly identical on Rocky Linux 9.Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. +{{< /note >}} + +## Migration-Specific Considerations + +If you're migrating an existing site from CentOS 8: + +### Application Compatibility + +- Test all applications on Rocky Linux 9 before going live +- Check PHP version compatibility (Rocky 9 may have newer PHP) +- Verify all PHP extensions are installed + +### Data Migration + +- Export databases from CentOS 8: `mysqldump -u root -p --all-databases > backup.sql` +- Transfer web files: `rsync -avz /var/www/html/ user@new-server:/var/www/html/` +- Import databases to Rocky Linux 9: `mysql -u root -p < backup.sql` +- Verify file permissions after transfer + +### Testing Checklist + +- All pages load correctly +- Database connections work +- Forms submit properly +- File uploads function +- SSL certificate installed and working +- Redirects work correctly +- Cron jobs migrated and running + +## Conclusion + +Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical commands and structure. The LAMP stack installation is straightforward, but production deployment requires the security hardening steps outlined above. 
+ +**Key takeaways:** + +- Installation process identical to CentOS 8 +- Never disable SELinux - configure it properly +- Production hardening is mandatory, not optional +- Test thoroughly before migrating production workloads + +## Additional Resources + +- [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough +- [SELinux Guide for CentOS 8](https://www.linode.com/docs/guides/a-beginners-guide-to-selinux-on-centos-8/) - Applicable to Rocky Linux 9 +- [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/) - Advanced web application firewall +- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation From 79b811e9dfdea594efc83c062ac9fba203d14a56 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 16:14:36 -0700 Subject: [PATCH 08/18] Fix title_meta formatting in Rocky Linux 9 guide --- .../lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index b7982217e65..d3206d99d6f 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
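Review bot: In Configure SELinux step 2 of the new file, a stray `command` line sits between `# Allow Apache to send email` and `sudo setsebool -P httpd_can_sendmail 1`, and the block turns on both booleans while the "Expected output" that follows shows both as `on`, which contradicts the note saying to enable them only if the application requires them. Remove the stray line, present the two `setsebool` commands as separate optional steps, and make the verification output conditional on what was enabled. Further points in the same file: the Security Prerequisites links still use the placeholders `(link-to-ssh-guide)` and `(link-to-fail2ban-guide)`; the PHP step sets `error_log = /var/log/php/error.log` and only runs `chown`, with no `semanage fcontext` and `restorecon` step like the one given for `/var/www/html`, so say how that directory is labelled with SELinux enforcing; "Enable Automatic Security Updates" sets only `apply_updates = yes`, so state whether `upgrade_type` is meant to stay at its default or be limited to security updates; the firewall sample output lists `cockpit` and `dhcpv6-client` as open services in a hardening section without comment; the Sling Academy link carries a `#google_vignette` fragment and is listed twice; and the front matter `description` still says the guide covers Ubuntu 22.04.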
@@ -1,7 +1,7 @@ --- slug: how-to-install-a-lamp-stack-on-rocky-linux-9 title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" -title_meta: Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" +title_meta: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" description: 'This guide provides some background about a Linux LAMP stack installation and security hardening and includes step by step instruction on how to install a LAMP stack on Rocky Linux 9 and Ubuntu 22.04.' authors: ["Diana Hoober"] contributors: ["Diana Hoober"] From b6d750133324a2e890b4f3e395e1d2ad0da4052d Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 16:38:04 -0700 Subject: [PATCH 09/18] Remove duplicate guide from incorrect path --- .../index.md | 673 ------------------ 1 file changed, 673 deletions(-) delete mode 100644 guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md diff --git a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md deleted file mode 100644 index b7982217e65..00000000000 --- a/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ /dev/null 
@@ -1,673 +0,0 @@ ---- -slug: how-to-install-a-lamp-stack-on-rocky-linux-9 -title: "Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" -title_meta: Install a LAMP Stack on Rocky Linux 9 (CentOS 8 Replacement)" -description: 'This guide provides some background about a Linux LAMP stack installation and security hardening and includes step by step instruction on how to install a LAMP stack on Rocky Linux 9 and Ubuntu 22.04.' -authors: ["Diana Hoober"] -contributors: ["Diana Hoober"] -published: 2025-10-10 -keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] -license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' ---- - -If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward. - -CentOS 8 reached end-of-life in December 2021 and is no longer supported or safe for production use. **Rocky Linux 9 is the recommended replacement**--a free, open-source, enterprise-grade OS created by the original CentOS founder. It's fully compatible with RHEL 9 and serves as a drop-in replacement with the same package manager (`dnf`) and system structure. - -## What is a LAMP Stack? - -A **LAMP stack** is a collection of four open-source software components that work together to run dynamic websites and web applications. 
The name is an acronym: - -- **Linux**: The operating system running the server -- **Apache**: The web server software that delivers web pages to visitors and handles web requests -- **MariaDB**: Database server -- **PHP**: The programming language that processes logic and creates dynamic content - -## Prerequisites - -Before installing the LAMP stack, ensure you have: - -- A server or virtual machine with Rocky Linux 9 already installed -- Root access or a user account with sudo privileges -- Basic familiarity with the Linux command line -- An active internet connection - -{{< note >}} -When setting up a fresh Rocky Linux 9 server, review the [Setting Up and Securing a Compute Instance](/docs/products/compute/compute-instances/guides/set-up-and-secure/) guide for initial server configuration (timezone, hostname, SSH hardening, firewall basics). -{{< /note >}} - -## Install Apache - -Apache is the web server component that handles HTTP requests and serves web pages. - -1. Update the system package index: - - ```command - sudo dnf update -y - ``` - -If the system is already fully updated, you might see `Nothing to do.` or `Complete!`. Either message indicates success. The key is that there are no error messages and the command returns you to the command prompt. - -2. Install Apache: - - ```command - sudo dnf install httpd -y - ``` - -At the end you should see the key indicators of success: - httpd-[version] [and other packages] - - Complete! - -3. Start the Apache service: - - ```command - sudo systemctl start httpd - ``` - -Silently returns to the prompt when successful. - -4. Enable Apache to start automatically on boot: - - ```command - sudo systemctl enable httpd - ``` - -If you see `Create symlink...` automatic reboot is enabled. - -5. 
Verify Apache is running: - - ```command - sudo systemctl status httpd - ``` - - You should see output indicating the service is `active (running)`: - - ```output - ● httpd.service - The Apache HTTP Server - Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled) - Active: active (running) since Mon 2025-10-13 10:23:45 UTC; 5s ago - ``` -To exit and get back to your command prompt: - -Press **q** (for quit) to END. - -### Test Apache - -{{< note type="warning" >}} -Before testing Apache, you must configure the firewall to allow HTTP/HTTPS traffic. See the [Configure Firewall](#configure-firewall) section under Security Hardening below. -{{< /note >}} - -After configuring the firewall, test Apache by visiting your server's IP address (replace with your actual IP address). You should see the default Rocky Linux Apache test page. - -## Install MariaDB - -MariaDB is the database component that stores and manages data for your applications. - -1. Install MariaDB server: - - ```command - sudo dnf install mariadb-server -y - ``` -You will see "Complete!" when it has successfully installed. - -1. Start the MariaDB service: - - ```command - sudo systemctl start mariadb - ``` - -1. Enable MariaDB to start automatically on boot: - - ```command - sudo systemctl enable mariadb - ``` - -4. Secure the MariaDB installation by running the security script: -```command - sudo mysql_secure_installation -``` - - Follow the prompts: - - Press **Enter** when asked for the current root password (there isn't one yet) - -{{< note >}} -On some systems, you may see a message that your root account is already protected with unix_socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. -{{< /note >}} - - - Type **Y** to change the root password, then enter and confirm a strong password - - {{< note >}} - **Important:** Store this root password securely. 
You will need it to: - - Access the MariaDB command line (`mysql -u root -p`) - - Create databases and users - - Perform database administration tasks - {{< /note >}} - - - Type **Y** to remove anonymous users - - Type **Y** to disallow root login remotely - - Type **Y** to remove the test database - - Type **Y** to reload privilege tables - -1. Verify MariaDB is running: - - ```command - sudo systemctl status mariadb - ``` - - You should see output indicating the service is "active (running)". Press **q** (for quit) to END. - -## Install PHP - -PHP is the programming language that makes websites interactive and personalized. It processes user actions (like logging in, submitting forms, or searching) and creates customized web pages based on data stored in the database. - -1. Install PHP and common modules: - - ```command - sudo dnf install php php-mysqlnd php-fpm php-opcache php-gd php-xml php-mbstring -y - ``` - - This installs: - - `php`: Core PHP interpreter - - `php-mysqlnd`: MySQL Native Driver for database connectivity - - `php-fpm`: FastCGI Process Manager for better performance - - `php-opcache`: Opcode cache for improved performance - - `php-gd`: Graphics library support - - `php-xml`: XML processing support - - `php-mbstring`: Multi-byte string support - -1. Restart Apache to load PHP: - - ```command - sudo systemctl restart httpd - ``` -Returns to the prompt silently when successful. - -1. Verify the PHP version: - - ```command - php -v - ``` - - You should see output showing PHP version 8.0 or higher: - - ```output - PHP 8.0.30 (cli) (built: Aug 3 2023 17:13:08) ( NTS gcc x86_64 ) - ``` - -### Test PHP Processing - -Create a test PHP file to verify that Apache can process PHP code correctly. - -{{< note >}} -The following steps create test files directly on the server for verification purposes. 
In production environments, you should develop code locally and deploy it through version control systems like Git rather than editing files directly on the server. -{{< /note >}} - -1. Create a PHP info file: -```command - sudo nano /var/www/html/info.php -``` - -2. Add the following content: - - {{< file "/var/www/html/info.php" php >}} - - {{< /file >}} - -3. Save and exit the file (Ctrl+X, then Y, then Enter). - -4. Set proper permissions: -```command - sudo chown apache:apache /var/www/html/info.php -``` - - Silently returns to the prompt when successful. - -5. Visit `http://your_server_ip/info.php` in a web browser. You should see a detailed PHP information page showing PHP version, loaded modules, and configuration. - -{{< note type="warning" >}} -Remove the `info.php` file after testing, as it exposes sensitive system information: -```command - sudo rm /var/www/html/info.php -``` -{{< /note >}} - -## Test Database Connectivity - -Verify that PHP can connect to MariaDB. This confirms all three components of your LAMP stack are working together. - -1. Create a test database: - - ```command - sudo mysql -u root -p - ``` - - Enter the root password you created during `mysql_secure_installation`. - - You should see the MariaDB prompt: -```output - MariaDB [(none)]> -``` - - The `[(none)]` indicates you're not currently using any specific database, which is expected at this point. - -1. At this MariaDB prompt, run these commands: - - ```command - CREATE DATABASE test_db; - CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'secure_password'; - GRANT ALL PRIVILEGES ON test_db.* TO 'test_user'@'localhost'; - FLUSH PRIVILEGES; - EXIT; - ``` - -1. Create a PHP test file: - - ```command - sudo nano /var/www/html/db_test.php - ``` - -1. Add the following content: - - {{< file "/var/www/html/db_test.php" php >}} -connect_error) { - die("Connection failed: " . $conn->connect_error); -} -echo "Connected successfully to database!"; -$conn->close(); -?> - {{< /file >}} - -1. 
Visit `http://your_server_ip/db_test.php` in a browser. You should see "Connected successfully to database!" - -1. Clean up test files: - - ```command - sudo rm /var/www/html/db_test.php - sudo mysql -u root -p -e "DROP DATABASE test_db; DROP USER 'test_user'@'localhost';" - ``` - -Enter your MariaDB root password when prompted. The command will silently return to the prompt when successful, having removed the test database and test user. - -## Security Hardening for Production - -The basic installation above is suitable for development and testing only. **Production environments require** immediate security hardening. Within minutes of exposing a server to the internet, automated bots will begin probing for vulnerabilities. A newly created server can receive hundreds of failed login attempts within the first hour. - -Modern servers face constant, automated attacks from across the internet. This section implements essential security measures to protect your LAMP stack from common threats including brute-force attacks, unauthorized access, and application-level vulnerabilities. - -### Security Prerequisites - -Before hardening the LAMP stack, secure SSH access to your server. SSH is the most frequently attacked service on internet-facing systems—new servers often receive hundreds of unauthorized login attempts within the first hour. - -**Complete these essential security steps first:** - -- **[Securing Your Server](link-to-ssh-guide)** - Create non-root user, configure SSH keys, disable root login -- **[Using Fail2ban to Block Brute Force Attacks](link-to-fail2ban-guide)** - Automatically block repeated failed login attempts - -These guides must be completed before proceeding with LAMP stack hardening to ensure your server has basic protection against the most common attack vectors. - -{{< note >}} -If SSH is not secured yet, your server remains vulnerable to automated attacks-even with a hardened LAMP stack. Address SSH security first. 
-{{< /note >}} - -### Configure Firewall - -Rocky Linux 9 uses firewalld to manage network traffic. A properly configured firewall defines your network perimeter, blocking all traffic except explicitly allowed services. This minimizes exposure and prevents unauthorized access. - -1. Verify firewalld is running: -```command - sudo systemctl status firewalld -``` - -The output should show `enabled` and `active (running)`. If firewalld is not running or not enabled to start on boot, enable and start it: - -```command - sudo systemctl enable --now firewalld -``` - -2. Allow HTTP and HTTPS for web traffic for your web server: -```command - sudo firewall-cmd --permanent --add-service=http - sudo firewall-cmd --permanent --add-service=https -``` - The `--permanent` flag ensures these rules persist across reboots. - -3. If you changed SSH to a non-standard port (recommended for security), allow it: -```command - sudo firewall-cmd --permanent --add-port=2222/tcp -``` -{{< note >}} -SSH on the default port 22 is already allowed in firewalld's default "public" zone. Only add a custom port rule if you changed SSH to a non-standard port. -{{< /note >}} - -4. Reload the firewall to apply changes: -```command - sudo firewall-cmd --reload -``` - -5. Confirm that `http`, `https`, and `ssh` appear under **services**, and any custom SSH port appears under **ports**. -```command - sudo firewall-cmd --list-all -``` - -```output - public (active) - services: cockpit dhcpv6-client http https ssh - ports: -``` -{{< note >}} -Replace `2222` with whatever port number you configured for SSH. Common non-standard SSH ports include 2222, 2200, or any port above 1024 that isn't in use. -{{< /note >}} - -### Configure SELinux - -Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux provides mandatory access control, limiting the damage an attacker can cause even if they compromise a service. Never disable SELinux in production environments. - -1. 
Verify SELinux is enforcing: -```command - getenforce -``` -```output - Enforcing -``` - -2. If your web applications need to connect to remote databases or send email, configure the appropriate SELinux booleans: -```command - # Allow Apache to connect to remote databases - sudo setsebool -P httpd_can_network_connect_db 1 - - # Allow Apache to send email - command - sudo setsebool -P httpd_can_sendmail 1 -``` - - {{< note >}} - Only enable these if your applications require them. The `-P` flag makes the setting persistent across reboots. - {{< /note >}} - -Then verify both: -```command - getsebool httpd_can_network_connect_db httpd_can_sendmail - ``` -Expected output: -```output -httpd_can_network_connect_db --> on -httpd_can_sendmail --> on -``` - -3. Set correct SELinux contexts for web content: -```command - sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" - sudo restorecon -Rv /var/www/html -``` -Check the SELinux context of the directory: -``` - ls -Z /var/www/html - ls -Zd /var/www/html -``` -```output - system_u:object_r:httpd_sys_content_t:s0 /var/www/html -``` -The `httpd_sys_content_t` context allows Apache to serve files from this directory. - -### Secure Apache Configuration - -1. Hide Apache version information by editing the Apache configuration: - - ```command - sudo nano /etc/httpd/conf/httpd.conf - ``` - -1. Add or modify these lines: - - {{< file "/etc/httpd/conf/httpd.conf" apache >}} -ServerTokens Prod -ServerSignature Off - {{< /file >}} - -1. Disable directory listing by ensuring this line exists in your configuration: - - {{< file "/etc/httpd/conf/httpd.conf" apache >}} -Options -Indexes FollowSymLinks - {{< /file >}} - -1. 
Restart Apache to apply changes: - - ```command - sudo apachectl configtest - sudo systemctl restart httpd - sudo systemctl status httpd - ``` -Expected output: - - First command: `Syntax OK` - - Second command: Silent return to prompt (no output) - - Third command: Shows `active (running)` and `Started The Apache HTTP Server` - -### Secure MariaDB - -1. Edit the MariaDB configuration: - - ```command - sudo nano /etc/my.cnf.d/mariadb-server.cnf - ``` - -1. Add these security settings under the `[mysqld]` section: - - {{< file "/etc/my.cnf.d/mariadb-server.cnf" ini >}} -[mysqld] -bind-address = 127.0.0.1 -local-infile = 0 - {{< /file >}} - -1. Restart MariaDB: - - ```command - sudo systemctl restart mariadb - ``` -1.Verify MariaDB is running: - -```command - sudo systemctl status mariadb -``` - -### Secure PHP Configuration - -1. Edit the PHP configuration: - - ```command - sudo nano /etc/php.ini - ``` - -1. Modify these security-related settings: - - {{< file "/etc/php.ini" ini >}} -expose_php = Off -display_errors = Off -log_errors = On -error_log = /var/log/php/error.log -disable_functions = exec,passthru,shell_exec,system,proc_open,popen -allow_url_fopen = Off -allow_url_include = Off - {{< /file >}} - -1. Create the PHP log directory: - - ```command - sudo mkdir -p /var/log/php - sudo chown apache:apache /var/log/php - ``` - -1. Restart Apache: - - ```command - sudo systemctl restart httpd - ``` - -### Install and Configure ModSecurity (Optional) - -ModSecurity is a web application firewall (WAF) that provides additional protection against common web attacks. - -1. Install ModSecurity: - -These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially for production environments or public-facing servers. - - ```command - sudo dnf install mod_security -y - ``` -Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. - -2. 
Enable and start ModSecurity: - -Restart Apache to load the ModSecurity module: - - ```command - sudo systemctl restart httpd - ``` -A silent return to the prompt indicates success. - -1. Verify ModSecurity is loaded: - -To confirm that Mod Security is active, use the following command: - - ```command - sudo httpd -M | grep security - ``` - -This lists all loaded Apache modules and filters for ModSecurity. If installed correctly, you should see: - - ```output - security2_module (shared) - ``` - -{{< note >}} -Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable on Rocky Linux 9. -{{< /note >}} - -For detailed ModSecurity configuration and rules: - -[Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/). -[Apache mod_security module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). -[How to Install Modsecurity 2 OWASP CRS with Apache on Ubuntu 24.04/22.04/20.04 - LinuxCapable](https://linuxcapable.com/how-to-install-modsecurity-with-apache-on-ubuntu-linux/). - -For advanced rule sets and customization, see the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) and [Sling Academy’s practical guide](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/). - -### Enable Automatic Security Updates - -Security vulnerabilities are discovered constantly. Manually checking for and applying updates creates dangerous gaps where your server remains vulnerable to known exploits. Automatic security updates ensure critical patches are applied promptly, reducing the window of exposure to attacks. This is essential for production servers that need continuous protection without manual intervention. So, it keeps the LAMP stack infrastructure (Apache, MariaDB, PHP, OS) patched and secure automatically. - -1. 
Install the `dnf-automatic` package: - - ```command - sudo dnf install dnf-automatic -y - ``` -Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. - -1. Configure automatic updates by editing the configuration: - - ```command - sudo nano /etc/dnf/automatic.conf - ``` - -1. Set `apply_updates` to `yes`: - - {{< file "/etc/dnf/automatic.conf" ini >}} -[commands] -apply_updates = yes - {{< /file >}} - -1. Enable and start the automatic update timer: - - ```command - sudo systemctl enable --now dnf-automatic.timer - ``` - -### Configure Log Rotation - -Log rotation is enabled by default: Rocky Linux 9 includes `logrotate` as part of its base system, and it's configured to rotate logs for common services like Apache (`httpd`) and MariaDB: - -```command -ls /etc/logrotate.d/ -``` -- Lists all service-specific rotation configs. - -- To see configuration files for `httpd` and `mariadb`: - -```command - cat /etc/logrotate.d/httpd - cat /etc/logrotate.d/mariadb -``` -These files define how logs are rotated-for example, weekly rotation, retention of four weeks, and compression of older logs. - -## Post-Install Best Practices - -For production environments, implement regular backups: - -- **Database backups**: Use `mysqldump` or MariaDB's backup tools -- **Web content backups**: Regularly backup `/var/www/html` -- **Configuration backups**: Backup `/etc/httpd` and `/etc/my.cnf.d` -- **Off-site storage**: Store backups in a separate location - -## Install SSL/TLS Certificate - -For production websites, always use HTTPS with a valid SSL/TLS certificate. - -{{< note >}} -See the guide for [Enabling HTTPS Using Certbot with Apache on CentOS 8](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) for detailed instructions. 
The process is nearly identical on Rocky Linux 9.Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. -{{< /note >}} - -## Migration-Specific Considerations - -If you're migrating an existing site from CentOS 8: - -### Application Compatibility - -- Test all applications on Rocky Linux 9 before going live -- Check PHP version compatibility (Rocky 9 may have newer PHP) -- Verify all PHP extensions are installed - -### Data Migration - -- Export databases from CentOS 8: `mysqldump -u root -p --all-databases > backup.sql` -- Transfer web files: `rsync -avz /var/www/html/ user@new-server:/var/www/html/` -- Import databases to Rocky Linux 9: `mysql -u root -p < backup.sql` -- Verify file permissions after transfer - -### Testing Checklist - -- All pages load correctly -- Database connections work -- Forms submit properly -- File uploads function -- SSL certificate installed and working -- Redirects work correctly -- Cron jobs migrated and running - -## Conclusion - -Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical commands and structure. The LAMP stack installation is straightforward, but production deployment requires the security hardening steps outlined above. 
- -**Key takeaways:** - -- Installation process identical to CentOS 8 -- Never disable SELinux - configure it properly -- Production hardening is mandatory, not optional -- Test thoroughly before migrating production workloads - -## Additional Resources - -- [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough -- [SELinux Guide for CentOS 8](https://www.linode.com/docs/guides/a-beginners-guide-to-selinux-on-centos-8/) - Applicable to Rocky Linux 9 -- [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/) - Advanced web application firewall -- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation From 870e503e367e1838b56af2f7876af9d9d02467dc Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 17:05:22 -0700 Subject: [PATCH 10/18] Fixed malformed keywords list in YAML frontmatter --- .../lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index d3206d99d6f..6a19c9a0269 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -6,7 +6,7 @@ description: 'This guide provides some background about a Linux LAMP stack insta authors: ["Diana Hoober"] contributors: ["Diana Hoober"] published: 2025-10-10 -keywords: ['LAMP stack','LAMP CentOS 8,'install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] +keywords: ['LAMP stack','LAMP CentOS 8','install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' --- From c3ea85e43f2dd360241855a8e05b795957958863 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 16 Oct 2025 17:15:10 -0700 Subject: [PATCH 11/18] Fixed spelling problems that were missed --- .../how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index 6a19c9a0269..b6d6e13fe1a 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -132,7 +132,7 @@ You will see "Complete!" when it has successfully installed. - Press **Enter** when asked for the current root password (there isn't one yet) {{< note >}} -On some systems, you may see a message that your root account is already protected with unix_socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. +On some systems, you may see a message that your root account is already protected with unix socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. {{< /note >}} - Type **Y** to change the root password, then enter and confirm a strong password @@ -558,7 +558,7 @@ Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable o For detailed ModSecurity configuration and rules: [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/). -[Apache mod_security module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). +[Apache Modsecurity module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). [How to Install Modsecurity 2 OWASP CRS with Apache on Ubuntu 24.04/22.04/20.04 - LinuxCapable](https://linuxcapable.com/how-to-install-modsecurity-with-apache-on-ubuntu-linux/). For advanced rule sets and customization, see the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) and [Sling Academy’s practical guide](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/). From ee9fa17655f2857ad5fd0782d0b39b255719d7d4 Mon Sep 17 00:00:00 2001 
From: DHBR2 Date: Mon, 20 Oct 2025 10:29:34 -0700 Subject: [PATCH 12/18] Revise LAMP installation guide for clarity and updates Updated instructions and improved clarity in the LAMP installation guide for Rocky Linux 9. Adjusted formatting, added links, and refined security recommendations. --- .../index.md | 93 ++++++++++--------- 1 file changed, 50 insertions(+), 43 deletions(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index b6d6e13fe1a..c34c82788f6 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -98,7 +98,7 @@ Press **q** (for quit) to END. Before testing Apache, you must configure the firewall to allow HTTP/HTTPS traffic. See the [Configure Firewall](#configure-firewall) section under Security Hardening below. {{< /note >}} -After configuring the firewall, test Apache by visiting your server's IP address (replace with your actual IP address). You should see the default Rocky Linux Apache test page. +After configuring the firewall, test Apache by visiting your server's IP address http://your_server_ip (replace with your actual IP address). You should see the default Rocky Linux Apache test page. ## Install MariaDB 
@@ -135,19 +135,19 @@ You will see "Complete!" when it has successfully installed. On some systems, you may see a message that your root account is already protected with unix socket authentication. If so, you can safely answer **n** to skip this step and continue with the remaining prompts. {{< /note >}} - - Type **Y** to change the root password, then enter and confirm a strong password +Type **Y** to change the root password, then enter and confirm a strong password - {{< note >}} - **Important:** Store this root password securely. You will need it to: +{{< note >}} +**Important:** Store this root password securely. You will need it to: - Access the MariaDB command line (`mysql -u root -p`) - Create databases and users - Perform database administration tasks - {{< /note >}} +{{< /note >}} - - Type **Y** to remove anonymous users - - Type **Y** to disallow root login remotely - - Type **Y** to remove the test database - - Type **Y** to reload privilege tables +- Type **Y** to remove anonymous users +- Type **Y** to disallow root login remotely +- Type **Y** to remove the test database +- Type **Y** to reload privilege tables 1. Verify MariaDB is running: @@ -218,7 +218,7 @@ phpinfo(); 3. Save and exit the file (Ctrl+X, then Y, then Enter). -4. Set proper permissions: +4. Set appropriate permissions: ```command sudo chown apache:apache /var/www/html/info.php ``` 
@@ -309,14 +309,15 @@ Modern servers face constant, automated attacks from across the internet. This s ### Security Prerequisites -Before hardening the LAMP stack, secure SSH access to your server. SSH is the most frequently attacked service on internet-facing systems—new servers often receive hundreds of unauthorized login attempts within the first hour. +Before hardening the LAMP stack, secure SSH access to your server. SSH is the most frequently attacked service on internet-facing systems--as mentioned, new servers often receive hundreds of unauthorized login attempts within the first hour. **Complete these essential security steps first:** -- **[Securing Your Server](link-to-ssh-guide)** - Create non-root user, configure SSH keys, disable root login -- **[Using Fail2ban to Block Brute Force Attacks](link-to-fail2ban-guide)** - Automatically block repeated failed login attempts +- **Securing Your Server[SSH Hub](https://www.linode.com/docs/guides/security/ssh/)** - Create non-root user, configure SSH keys, disable root login +- **[How to Use Fail2ban to Secure Your Server](https://www.linode.com/docs/guides/using-fail2ban-to-secure-your-server-a-tutorial/)** - Automatically block repeated failed login attempts. +- **[What is Fail2Ban with Setup & Configuration? (Detailed Guide)]**(https://runcloud.io/blog/what-is-fail2ban) -These guides must be completed before proceeding with LAMP stack hardening to ensure your server has basic protection against the most common attack vectors. +These guides **must** be completed before proceeding with LAMP stack hardening to ensure your server has basic protection against the most common attack vectors. {{< note >}} If SSH is not secured yet, your server remains vulnerable to automated attacks-even with a hardened LAMP stack. Address SSH security first. 
@@ -324,7 +325,7 @@ If SSH is not secured yet, your server remains vulnerable to automated attacks-e ### Configure Firewall -Rocky Linux 9 uses firewalld to manage network traffic. A properly configured firewall defines your network perimeter, blocking all traffic except explicitly allowed services. This minimizes exposure and prevents unauthorized access. +Rocky Linux 9 uses [firewalld](https://firewalld.org/documentation/) to manage network traffic. A properly configured firewall defines your network perimeter, blocking all traffic except explicitly allowed services. This minimizes exposure and prevents unauthorized access. 1. Verify firewalld is running: ```command @@ -342,7 +343,7 @@ The output should show `enabled` and `active (running)`. If firewalld is not run sudo firewall-cmd --permanent --add-service=http sudo firewall-cmd --permanent --add-service=https ``` - The `--permanent` flag ensures these rules persist across reboots. +The `--permanent` flag ensures these rules persist across reboots. 3. If you changed SSH to a non-standard port (recommended for security), allow it: ```command @@ -379,6 +380,7 @@ Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux ```command getenforce ``` + ```output Enforcing ``` @@ -393,14 +395,15 @@ Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux sudo setsebool -P httpd_can_sendmail 1 ``` - {{< note >}} - Only enable these if your applications require them. The `-P` flag makes the setting persistent across reboots. - {{< /note >}} +{{< note >}} +Only enable these if your applications require them. The `-P` flag makes the setting persistent across reboots. +{{< /note >}} Then verify both: ```command getsebool httpd_can_network_connect_db httpd_can_sendmail ``` + Expected output: ```output httpd_can_network_connect_db --> on 
@@ -417,6 +420,7 @@ Check the SELinux context of the directory: ls -Z /var/www/html ls -Zd /var/www/html ``` + ```output system_u:object_r:httpd_sys_content_t:s0 /var/www/html ``` @@ -451,9 +455,9 @@ Options -Indexes FollowSymLinks sudo systemctl status httpd ``` Expected output: - - First command: `Syntax OK` - - Second command: Silent return to prompt (no output) - - Third command: Shows `active (running)` and `Started The Apache HTTP Server` +- First command: `Syntax OK` +- Second command: Silent return to prompt (no output) +- Third command: Shows `active (running)` and `Started The Apache HTTP Server` ### Secure MariaDB @@ -476,7 +480,7 @@ local-infile = 0 ```command sudo systemctl restart mariadb ``` -1.Verify MariaDB is running: +1. Verify MariaDB is running: ```command sudo systemctl status mariadb @@ -523,33 +527,36 @@ ModSecurity is a web application firewall (WAF) that provides additional protect These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially for production environments or public-facing servers. - ```command +```command sudo dnf install mod_security -y - ``` +``` + Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. 2. Enable and start ModSecurity: Restart Apache to load the ModSecurity module: - ```command +```command sudo systemctl restart httpd - ``` +``` + A silent return to the prompt indicates success. 1. Verify ModSecurity is loaded: To confirm that Mod Security is active, use the following command: - ```command +```command sudo httpd -M | grep security ``` This lists all loaded Apache modules and filters for ModSecurity. If installed correctly, you should see: - ```output + +```output security2_module (shared) - ``` +``` {{< note >}} Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable on Rocky Linux 9. 
@@ -558,7 +565,9 @@ Some systems may not support `apachectl -M`. Using `httpd -M` is more reliable o For detailed ModSecurity configuration and rules: [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/). + [Apache Modsecurity module: A practical guide - Sling Academy](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/#google_vignette). + [How to Install Modsecurity 2 OWASP CRS with Apache on Ubuntu 24.04/22.04/20.04 - LinuxCapable](https://linuxcapable.com/how-to-install-modsecurity-with-apache-on-ubuntu-linux/). For advanced rule sets and customization, see the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) and [Sling Academy’s practical guide](https://www.slingacademy.com/article/apache-mod-security-module-practical-guide/). @@ -569,16 +578,16 @@ Security vulnerabilities are discovered constantly. Manually checking for and ap 1. Install the `dnf-automatic` package: - ```command +```command sudo dnf install dnf-automatic -y - ``` +``` Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. 1. Configure automatic updates by editing the configuration: - ```command +```command sudo nano /etc/dnf/automatic.conf - ``` +``` 1. Set `apply_updates` to `yes`: @@ -589,16 +598,15 @@ apply_updates = yes 1. Enable and start the automatic update timer: - ```command - sudo systemctl enable --now dnf-automatic.timer - ``` +```command + sudo systemctl enable --now dnf-automatic.timer``` ### Configure Log Rotation Log rotation is enabled by default: Rocky Linux 9 includes `logrotate` as part of its base system, and it's configured to rotate logs for common services like Apache (`httpd`) and MariaDB: ```command -ls /etc/logrotate.d/ + ls /etc/logrotate.d/ ``` - Lists all service-specific rotation configs. 
@@ -608,7 +616,7 @@ ls /etc/logrotate.d/ cat /etc/logrotate.d/httpd cat /etc/logrotate.d/mariadb ``` -These files define how logs are rotated-for example, weekly rotation, retention of four weeks, and compression of older logs. +These files define how logs are rotated-for example: weekly rotation, retention of four weeks, and compression of older logs. ## Post-Install Best Practices @@ -624,7 +632,7 @@ For production environments, implement regular backups: For production websites, always use HTTPS with a valid SSL/TLS certificate. {{< note >}} -See the guide for [Enabling HTTPS Using Certbot with Apache on CentOS 8](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) for detailed instructions. The process is nearly identical on Rocky Linux 9.Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. +See the guide for [Reintech Guide]([https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)/) for detailed instructions. Specifically written for Rocky Linux 9. Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. {{< /note >}} ## Migration-Specific Considerations 
@@ -668,6 +676,5 @@ Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical c ## Additional Resources - [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough -- [SELinux Guide for CentOS 8](https://www.linode.com/docs/guides/a-beginners-guide-to-selinux-on-centos-8/) - Applicable to Rocky Linux 9 -- [Apache ModSecurity Guide](https://www.linode.com/docs/guides/securing-apache2-with-modsecurity/) - Advanced web application firewall -- [Certbot with Apache](https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8/) - SSL/TLS certificate automation +- [Rocky Linux Official SELinux Documentation:](https://docs.rockylinux.org/10/guides/security/learning_selinux/) - Applicable to Rocky Linux 9 +- [Rocky Linux Official ModSecurity/WAF Guide:]https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/) - Advanced web application firewall From 3613f4a12f042a84909985cbf96d767645ebcbd3 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Mon, 20 Oct 2025 13:09:30 -0700 Subject: [PATCH 13/18] Removed trailing spaces and added to dictionary --- ci/vale/dictionary.txt | 1 + .../how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ci/vale/dictionary.txt b/ci/vale/dictionary.txt index d40f2bd978a..15f8b9563a0 100644 --- a/ci/vale/dictionary.txt +++ b/ci/vale/dictionary.txt @@ -2156,6 +2156,7 @@ reimported reindexing reiner reinstalls +Reintech releasever reloadcmd remediations diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index c34c82788f6..49c411fe425 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
+++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -515,9 +515,9 @@ allow_url_include = Off 1. Restart Apache: - ```command +```command sudo systemctl restart httpd - ``` +``` ### Install and Configure ModSecurity (Optional) @@ -530,7 +530,7 @@ These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially ```command sudo dnf install mod_security -y ``` - + Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. 2. Enable and start ModSecurity: From d3e415f42ac0b0413914b4f7cb1024447d99883f Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Mon, 20 Oct 2025 13:44:12 -0700 Subject: [PATCH 14/18] Removed trailing space --- .../lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index 49c411fe425..867ea644b09 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -540,7 +540,7 @@ Restart Apache to load the ModSecurity module: ```command sudo systemctl restart httpd ``` - + A silent return to the prompt indicates success. 1. Verify ModSecurity is loaded: From 532006e64218ab10b802ac7aea84209890d36b15 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Tue, 21 Oct 2025 12:37:55 -0700 Subject: [PATCH 15/18] Format corrections and added to dictionary --- ci/vale/dictionary.txt | 5 ++- .../index.md | 44 +++++++++++-------- 2 files changed, 29 insertions(+), 20 deletions(-) diff --git a/ci/vale/dictionary.txt b/ci/vale/dictionary.txt index 15f8b9563a0..9351f1f7a95 100644 --- a/ci/vale/dictionary.txt +++ b/ci/vale/dictionary.txt 
@@ -564,7 +564,7 @@ devtmpfs dex df dhclient -dhcpv6 +dhcpv dhparams dia dialogs @@ -874,6 +874,7 @@ getenforce getmail getprivs getpwent +getsebool getters getty getuid @@ -1590,6 +1591,7 @@ mod_wsgi moddable modinfo modsecurity +mod_security Modsecurity modularization Mojang @@ -1669,6 +1671,7 @@ myproject mypy myserver mysql +mysqli mysql_config_editor mysql_secure_installation mysqlclient10 diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index 867ea644b09..b9570e0d66d 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -377,6 +377,7 @@ Replace `2222` with whatever port number you configured for SSH. Common non-stan Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux provides mandatory access control, limiting the damage an attacker can cause even if they compromise a service. Never disable SELinux in production environments. 1. Verify SELinux is enforcing: +2. ```command getenforce ``` @@ -386,12 +387,13 @@ Rocky Linux 9 has SELinux (Security-Enhanced Linux) enabled by default. SELinux ``` 2. If your web applications need to connect to remote databases or send email, configure the appropriate SELinux booleans: + ```command # Allow Apache to connect to remote databases sudo setsebool -P httpd_can_network_connect_db 1 # Allow Apache to send email - command + sudo setsebool -P httpd_can_sendmail 1 ``` @@ -400,9 +402,10 @@ Only enable these if your applications require them. The `-P` flag makes the set {{< /note >}} Then verify both: + ```command getsebool httpd_can_network_connect_db httpd_can_sendmail - ``` +``` Expected output: ```output 
@@ -411,12 +414,14 @@ httpd_can_sendmail --> on ``` 3. Set correct SELinux contexts for web content: +4. ```command sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" sudo restorecon -Rv /var/www/html ``` Check the SELinux context of the directory: -``` + +```command ls -Z /var/www/html ls -Zd /var/www/html ``` @@ -430,9 +435,9 @@ The `httpd_sys_content_t` context allows Apache to serve files from this directo 1. Hide Apache version information by editing the Apache configuration: - ```command +```command sudo nano /etc/httpd/conf/httpd.conf - ``` +``` 1. Add or modify these lines: @@ -463,9 +468,9 @@ Expected output: 1. Edit the MariaDB configuration: - ```command +```command sudo nano /etc/my.cnf.d/mariadb-server.cnf - ``` +``` 1. Add these security settings under the `[mysqld]` section: @@ -477,9 +482,9 @@ local-infile = 0 1. Restart MariaDB: - ```command +```command sudo systemctl restart mariadb - ``` +``` 1. Verify MariaDB is running: ```command @@ -490,9 +495,9 @@ local-infile = 0 1. Edit the PHP configuration: - ```command +```command sudo nano /etc/php.ini - ``` +``` 1. Modify these security-related settings: @@ -508,10 +513,10 @@ allow_url_include = Off 1. Create the PHP log directory: - ```command +```command sudo mkdir -p /var/log/php sudo chown apache:apache /var/log/php - ``` +``` 1. Restart Apache: @@ -533,7 +538,7 @@ These steps enhance the security of your LAMP Stack on Rocky Linux 9, especially Expected output: The terminal will display a summary ending with "Complete!" indicating successful installation. -2. Enable and start ModSecurity: +1. Enable and start ModSecurity: Restart Apache to load the ModSecurity module: @@ -549,11 +554,10 @@ To confirm that Mod Security is active, use the following command: ```command sudo httpd -M | grep security - ``` +``` This lists all loaded Apache modules and filters for ModSecurity. If installed correctly, you should see: - ```output security2_module (shared) ``` 
@@ -599,7 +603,8 @@ apply_updates = yes 1. Enable and start the automatic update timer: ```command - sudo systemctl enable --now dnf-automatic.timer``` + sudo systemctl enable --now dnf-automatic.timer +``` ### Configure Log Rotation @@ -608,6 +613,7 @@ Log rotation is enabled by default: Rocky Linux 9 includes `logrotate` as part o ```command ls /etc/logrotate.d/ ``` + - Lists all service-specific rotation configs. - To see configuration files for `httpd` and `mariadb`: @@ -632,7 +638,7 @@ For production environments, implement regular backups: For production websites, always use HTTPS with a valid SSL/TLS certificate. {{< note >}} -See the guide for [Reintech Guide]([https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)/) for detailed instructions. Specifically written for Rocky Linux 9. Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. +See the guide for [Reintech]([https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)/) for detailed instructions. Specifically written for Rocky Linux 9. Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. {{< /note >}} ## Migration-Specific Considerations 
@@ -677,4 +683,4 @@ Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical c - [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough - [Rocky Linux Official SELinux Documentation:](https://docs.rockylinux.org/10/guides/security/learning_selinux/) - Applicable to Rocky Linux 9 -- [Rocky Linux Official ModSecurity/WAF Guide:]https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/) - Advanced web application firewall +- [Rocky Linux Official ModSecurity/WAF Guide:](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/) - Advanced web application firewall From 6cca738ed8adb029139827a6ba6fc573c95eb9fc Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 23 Oct 2025 13:58:01 -0700 Subject: [PATCH 16/18] Added metadata content --- .../index.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index b9570e0d66d..671b9e08d8b 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -8,6 +8,11 @@ contributors: ["Diana Hoober"] published: 2025-10-10 keywords: ['LAMP stack','LAMP CentOS 8','install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' +external resources: +- '[Reintech](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)' +- '[CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9)' +- '[Rocky Linux Official SELinux Documentation:](https://docs.rockylinux.org/10/guides/security/learning_selinux/)' +- '[Rocky Linux Official ModSecurity/WAF Guide:](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/)' --- If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward. 
@@ -638,7 +643,7 @@ For production environments, implement regular backups: For production websites, always use HTTPS with a valid SSL/TLS certificate. {{< note >}} -See the guide for [Reintech]([https://www.linode.com/docs/guides/enabling-https-using-certbot-with-apache-on-centos-8](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)/) for detailed instructions. Specifically written for Rocky Linux 9. Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. +See the guide for [Reintech](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9) for detailed instructions. Specifically written for Rocky Linux 9. Alternatively, see [CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9) for a Rocky-specific walkthrough. {{< /note >}} ## Migration-Specific Considerations @@ -681,6 +686,6 @@ Rocky Linux 9 provides a stable, long-term CentOS 8 replacement with identical c ## Additional Resources -- [Linode's LAMP Installation Guide](https://www.linode.com/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough +- [Linode's LAMP Installation Guide](/docs/guides/how-to-install-lamp-stack-on-fedora-alma-rocky-linux/) - Complete installation walkthrough - [Rocky Linux Official SELinux Documentation:](https://docs.rockylinux.org/10/guides/security/learning_selinux/) - Applicable to Rocky Linux 9 - [Rocky Linux Official ModSecurity/WAF Guide:](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/) - Advanced web application firewall From c866480cbf0ae5826a54392ed6586f8a69fc03e6 Mon Sep 17 00:00:00 2001 
From: Dianna Hoober Date: Thu, 23 Oct 2025 14:30:49 -0700 Subject: [PATCH 17/18] Corrected metadata format for external resources --- .../how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index 671b9e08d8b..feda44815b0 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md 
@@ -9,10 +9,10 @@ published: 2025-10-10 keywords: ['LAMP stack','LAMP CentOS 8','install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' external resources: -- '[Reintech](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)' -- '[CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9)' -- '[Rocky Linux Official SELinux Documentation:](https://docs.rockylinux.org/10/guides/security/learning_selinux/)' -- '[Rocky Linux Official ModSecurity/WAF Guide:](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/)' + - "[Reintech](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)" + - "[CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9)" + - "[Rocky Linux Official SELinux Documentation](https://docs.rockylinux.org/10/guides/security/learning_selinux/)" + - "[Rocky Linux Official ModSecurity/WAF Guide](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/)" --- If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward. From d26c34f21ca0c1acaf14a1f07fff755ddd9a4715 Mon Sep 17 00:00:00 2001 From: Dianna Hoober Date: Thu, 23 Oct 2025 14:40:53 -0700 Subject: [PATCH 18/18] Removed incorrect metadata added after comparison review --- .../how-to-install-a-lamp-stack-on-rocky-linux-9/index.md | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md index feda44815b0..e7d93ceabdd 100644 --- a/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md +++ b/docs/guides/web-servers/lamp/how-to-install-a-lamp-stack-on-rocky-linux-9/index.md @@ -8,11 +8,6 @@ contributors: ["Diana Hoober"] published: 2025-10-10 keywords: ['LAMP stack','LAMP CentOS 8','install LAMP stack', 'install Apache', 'MariaDB', 'PHP on Rocky Linux 9', 'how to install a LAMP Stack on Rocky Linux 9', 'Ubuntu 22.04', 'centos 8', 'centos replacement'] license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' -external resources: - - "[Reintech](https://reintech.io/blog/securing-apache-with-lets-encrypt-rocky-linux-9)" - - "[CrownCloud's updated guide](https://wiki.crowncloud.net/?How_to_Install_Lets_Encrypt_SSL_with_LAMP_Stack_on_Rocky_Linux_9)" - - "[Rocky Linux Official SELinux Documentation](https://docs.rockylinux.org/10/guides/security/learning_selinux/)" - - "[Rocky Linux Official ModSecurity/WAF Guide](https://docs.rockylinux.org/guides/web/apache_hardened_webserver/modsecurity/)" --- If you're moving from CentOS 8 to a compatible operating system, this guide walks you through installing a LAMP stack on Rocky Linux 9. The process and commands are nearly identical to what you're used to on CentOS 8 making migration straightforward.
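Review bot: two of the three prerequisite links added in the `@@ -309,14 +309,15 @@` hunk (Security Prerequisites) will not render as links to the right text, and these are the SSH hardening steps the section says must be completed first. In `**Securing Your Server[SSH Hub](https://www.linode.com/docs/guides/security/ssh/)**` the title sits outside the brackets, so only "SSH Hub" is linked; in the RunCloud entry the closing `**` falls between `]` and `(`, which breaks the link entirely. Put the full title inside the brackets, keep the bold markers outside the whole link, and give the third entry a short description like the other two. The added "--as mentioned" reads awkwardly, and the note at the end of the hunk still has "attacks-even" with a bare hyphen.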
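Review bot: in the `@@ -342,7 +343,7 @@` hunk (Configure Firewall), the sentence about `--permanent` is moved out of step 2 to column 0 and still tells only half of what the reader needs. `--permanent` writes the rule to the saved configuration and does not change the running firewall, so the HTTP and HTTPS services stay closed until the firewall is reloaded. Keep the sentence indented under the step and, unless a later step already runs `sudo firewall-cmd --reload`, state that the reload is what activates the rules.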
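Review bot: in the ModSecurity hunk (`@@ -523,33 +527,36 @@`) the step `2. Enable and start ModSecurity:` is followed by `1. Verify ModSecurity is loaded:`, and its body only restarts Apache, so both the numbering and the step title mislead. Number it like the surrounding steps and title it for what it does. The check that follows, `sudo httpd -M | grep security`, shows that the module is loaded, not that any rules are being enforced; say so next to the expected `security2_module (shared)` output, since the section presents ModSecurity as added protection. "Mod Security" in the same step should be spelled like the rest of the section.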
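Review bot: in the `@@ -589,16 +598,15 @@` hunk (Configure Automatic Updates) the closing fence is appended to the command itself, with `sudo systemctl enable --now dnf-automatic.timer` followed by three backticks on the same line, so the code block is never closed and the Configure Log Rotation heading below is pulled into it; a reader who copies the line also picks up the backticks. Put the fence on its own line. The same hunk adds a leading space before `ls /etc/logrotate.d/`, which should be dropped. Because this step turns on unattended updates, a follow-up check that the timer is scheduled (for example `systemctl list-timers`) would complete it.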
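Review bot: the HTTPS note in the `@@ -624,7 +632,7 @@` hunk ends up with a malformed nested link, a `[Reintech Guide](` target that itself contains a bracketed linode.com URL followed by the reintech.io URL, so the main pointer to certificate setup in this section does not resolve. Use a single target, and merge "See the guide for [Reintech Guide] ... for detailed instructions. Specifically written for Rocky Linux 9." into one complete sentence. PATCH 15/18 and 16/18 repair this link in two further steps; fold those fixes into this change.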
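Review bot: in the Additional Resources hunk (`@@ -668,6 +676,5 @@`) the ModSecurity entry is missing the opening parenthesis after `]`, so it renders as literal text, and the SELinux entry is described as "Applicable to Rocky Linux 9" while its URL path contains `/10/`. Point the SELinux link at the documentation version that matches the guide or say why another version is linked, add the `(`, and drop the trailing colons inside the link labels. The hunk also removes the Certbot entry without a replacement, which leaves this list with no TLS reference.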
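Review bot: the first `ci/vale/dictionary.txt` hunk in PATCH 15/18 (`@@ -564,7 +564,7 @@`) replaces `dhcpv6` with `dhcpv`, which has nothing to do with this guide and looks accidental. Removing `dhcpv6` can make the spell check fail for other guides that use the term. Restore the original line; the additions of `getsebool`, `mod_security` and `mysqli` in the later dictionary hunks are not affected.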
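Review bot: the `@@ -377,6 +377,7 @@` hunk in PATCH 15/18 adds a bare `2.` line directly under `1. Verify SELinux is enforcing:`, and the `@@ -411,12 +414,14 @@` hunk adds a bare `4.` under `3. Set correct SELinux contexts for web content:`. Each one creates an empty list item in front of the code fence and shifts the numbering of the steps that follow. Replace both with a blank line. The removal of the stray `command` line before `sudo setsebool -P httpd_can_sendmail 1` in `@@ -387,12 +387,13 @@` is a good fix and should stay.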
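Review bot: the front-matter block added in PATCH 16/18 (`@@ -8,6 +8,11 @@`) does not parse as YAML, because the CrownCloud entry is wrapped in single quotes and contains the apostrophe in "CrownCloud's". The key `external resources` also contains a space, so check it against the key name the site templates actually read. PATCH 17/18 switches the entries to double quotes and PATCH 18/18 deletes the block again; squash these three commits so the series never carries front matter that fails to parse. The unchanged `keywords` line next to it still lists 'Ubuntu 22.04', which does not belong in a Rocky Linux 9 guide.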