Author: vishnu

Prometheus Configuration for Network devices

In my previous post I explained how to install and configure the snmp_exporter for Prometheus. In this post I will explain the Prometheus configuration for network devices.

Installing Prometheus:

Follow the instructions at https://prometheus.io/docs/prometheus/latest/installation/ to install Prometheus. Basically, you just need to download the latest package from https://prometheus.io/download/ and start running it.

Prometheus configuration:

Below is a sample configuration.
The parameters under global apply to all the jobs. They can be overridden per job in scrape_configs. For example, the global scrape_interval is 15s and the individual jobs set a scrape interval of 1 minute, so the individual job's scrape_interval takes effect.

The alerting section holds the Alertmanager IP address and related details; we will discuss that in a later post.

rule_files lists the paths of the rule files, which contain the recording rules. We will also cover this in a later post.

Next comes scrape_configs: this is where the targets and their module details are defined. In the config below there are three jobs: all_default, cisco_default and cisco_3750.
The complete config file with all the jobs can be found at https://github.com/vishnubraj/prometheus_config

As I mentioned in my previous post, I am monitoring both Cisco and Juniper devices. There are certain OIDs which are common to both Cisco and Juniper, like ifMib. There are certain OIDs which only work with Cisco or Juniper, or only with a specific Cisco model like the Cisco 3750.

So each job points to a certain module in the snmp_exporter config using the params field. The all_default job points to the ifmib module in the snmp_exporter config. ifmib is normally common to both Cisco and Juniper devices, hence all the Cisco and Juniper devices have to be listed in the target file “/opt/prometheus/targets/all_default.json”. The cisco_default job points to the cisco module in the snmp_exporter config file [please check the snmp_exporter config file (snmp.yml) in https://github.com/vishnubraj/prometheus_config for the module details]. Only the Cisco devices need to be listed in the “/opt/prometheus/targets/cisco_default.json” target file.

[:vishnu:root@test1.sjc2 /opt/prometheus]# cat  prometheus.yml
# my global config
global:
  scrape_interval:     15s # scrape interval for all the modules
  evaluation_interval: 1m # Evaluate rules every 1m
  external_labels:
    region: eu-west
    monitor: infrastructure
    replica: B

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
       - 127.0.0.1:9093

rule_files:
   - "status.yml"

scrape_configs:
  - job_name: 'all_default'
    scrape_interval: 60s
    scrape_timeout: 60s
    file_sd_configs:
        - files :
          - /opt/prometheus/targets/all_default.json
    metrics_path: /snmp
    params:
      module: [ifmib]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - source_labels: [dc]
        target_label: __address__
        replacement: 'server50.$1:9116'

  - job_name: 'cisco_default'
    scrape_interval: 60s
    scrape_timeout: 60s
    file_sd_configs:
        - files :
          - /opt/prometheus/targets/cisco_default.json
    metrics_path: /snmp
    params:
      module: [cisco]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - source_labels: [dc]
        target_label: __address__
        replacement: 'server50.$1:9116'

  - job_name: 'cisco_3750'
    scrape_interval: 60s
    scrape_timeout: 60s
    file_sd_configs:
        - files :
          - /opt/prometheus/targets/cisco_3750.json
    metrics_path: /snmp
    params:
      module: [cisco3750]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - source_labels: [dc]
        target_label: __address__
        replacement: 'server50.$1:9116'

Next comes relabel_configs: the relabel config is used to build the labels in the scrape URL, as mentioned in my snmp_exporter post.

Prometheus uses the URL below to collect the metrics from the snmp_exporter. In this URL, server50.{dc} is the snmp_exporter address, and the dc label comes from the target file. I have an snmp_exporter installed for each dc, so the devices carry a label with the dc details.

http://server50.{dc}:9116/snmp?module={modulename}&target={target_device}

If you have only one snmp_exporter, you can directly mention the server IP address like below.

   relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - source_labels: []
        target_label: __address__
        replacement: 'server50.ash1:9116' # or IP address

Below is the target file format.

[:vishnu:root@test1.sjc2 /opt/prometheus]# cat targets/cisco_default.json
[
    {
        "labels": {
            "dc": "del2"
        },
        "targets": [
            "core1.del2", "core2.del2"
        ]
    },
    {
        "labels": {
            "dc": "del2"
        },
        "targets": [
            "rtr1.del2", "rtr2.del2"
        ]
    },
    {
        "labels": {
            "dc": "del2"
        },
        "targets": [
            "sw1.del2"
        ]
    }
]
[:vishnu:root@opstest1.sjc2 /opt/prometheus]#
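
How the three relabel rules turn one target-file entry into the snmp_exporter scrape URL, as an added Python example that is not part of the original post. It models only the default `replace` action; `TARGET_GROUPS` is constructed sample data, and the function names are hypothetical. It also shows what happens when a target group has no dc label.

```python
import re
from urllib.parse import urlencode

# Constructed sample in the target-file format shown above; the second group
# deliberately lacks the "dc" label.
TARGET_GROUPS = [
    {"labels": {"dc": "del2"}, "targets": ["core1.del2", "rtr1.del2"]},
    {"labels": {}, "targets": ["sw9.lab"]},
]

# relabel_configs of the cisco_default job from prometheus.yml above.
PER_DC_RULES = [
    {"source_labels": ["__address__"], "target_label": "__param_target"},
    {"source_labels": ["__param_target"], "target_label": "instance"},
    {"source_labels": ["dc"], "target_label": "__address__",
     "replacement": "server50.$1:9116"},
]


def relabel(labels, rules):
    """Apply 'replace' rules using the Prometheus defaults:
    separator ';', anchored regex '(.*)', replacement '$1'."""
    labels = dict(labels)
    for rule in rules:
        value = ";".join(labels.get(name, "") for name in rule["source_labels"])
        match = re.fullmatch(rule.get("regex", "(.*)"), value, re.DOTALL)
        if match is None:
            continue  # no match: the target label is left untouched
        # Prometheus writes capture groups as $1; Python expects \g<1>.
        template = re.sub(r"\$(\d+)", r"\\g<\1>", rule.get("replacement", "$1"))
        result = match.expand(template)
        if result:
            labels[rule["target_label"]] = result
        else:
            labels.pop(rule["target_label"], None)  # empty result removes the label
    return labels


def scrape_url(group_labels, target, module, rules=PER_DC_RULES):
    """Return (URL Prometheus requests, instance label) for one device."""
    labels = relabel({**group_labels, "__address__": target}, rules)
    query = urlencode({"module": module, "target": labels["__param_target"]})
    return f"http://{labels['__address__']}/snmp?{query}", labels["instance"]


def targets_missing_dc(groups):
    """Devices whose group has no dc label: the default regex also matches an
    empty value, so these would be scraped through 'server50.:9116'."""
    return [t for g in groups if not g.get("labels", {}).get("dc")
            for t in g["targets"]]


if __name__ == "__main__":
    for group in TARGET_GROUPS:
        for target in group["targets"]:
            print(scrape_url(group["labels"], target, "cisco"))
    print("targets without a dc label:", targets_missing_dc(TARGET_GROUPS))
```

Running `targets_missing_dc` over the real target files before reloading Prometheus catches groups that would otherwise be scraped through a malformed exporter address.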

If you have only a few devices, you can list the targets directly as shown below instead of using file_sd_configs:

    static_configs:
     - targets: ['core1.sjc2','core1.del2']

In my next post I will explain how to create dashboards in Grafana for network devices.

Prometheus SNMP_exporter Configuration

Prometheus doesn’t connect to the end host directly to collect the metrics. It needs an exporter to expose the metrics from the end host.

There are multiple exporters available; some are developed by the Prometheus team itself. The list of exporters is available at https://prometheus.io/docs/instrumenting/exporters/

For servers we use node_exporter to export the metrics. node_exporter needs to be installed on the end host. Once installed, it opens an HTTP API port that Prometheus connects to in order to collect the metrics. At every scrape interval (the metric collection frequency set in the Prometheus config file) Prometheus collects the metrics from the node_exporter API.

Network devices don’t allow installing any packages. The only ways to collect metrics from the devices are SNMP or logging in via SSH. Logging in via SSH may have a CPU impact. Hence we need an exporter which works between Prometheus and the network devices to collect metrics. SNMP_exporter is used for this. SNMP_exporter is developed by the core Prometheus team, so it’s very stable.

Installing SNMP_exporter

Binaries can be downloaded from the https://github.com/prometheus/snmp_exporter/releases page.

To start, SNMP_exporter needs the snmp.yml config file. This snmp.yml file only has the module names and the OID details to SNMP walk or get. It also has the SNMP authentication details.
It doesn’t contain any network device IP details. The network device details are sent to snmp_exporter in the HTTP URL (API). The URL contains the network device address and the module which needs to be collected. Below is a sample URL. In it, core1.ash1 is the target network device and “ifmibmodule” is the module name which needs to be collected.

http://10.0.10.1:9116/snmp?module=ifmibmodule&target=core1.ash1

The “ifmibmodule” details exist in the snmp.yml file.

ifmib:
  walk:
  - 1.3.6.1.2.1.2.2.1.13
  get:
  - 1.3.6.1.2.1.1.1.0
  - 1.3.6.1.2.1.1.3.0
  metrics:
  - name: ifInDiscards
    oid: 1.3.6.1.2.1.2.2.1.13
    type: counter
    help: The number of inbound packets which were chosen to be discarded even though
      no errors had been detected to prevent their being deliverable to a higher-layer
      protocol - 1.3.6.1.2.1.2.2.1.13
    indexes:
    - labelname: ifIndex
      type: gauge
    lookups:
    - labels:
      - ifIndex
      labelname: ifAlias
      oid: 1.3.6.1.2.1.31.1.1.1.18
      type: DisplayString
    - labels:
      - ifIndex
      labelname: ifName
      oid: 1.3.6.1.2.1.31.1.1.1.1
      type: DisplayString
    - labels: []
      labelname: ifIndex
    - labels: []
      labelname: ifIndex

Above is a sample snmp.yml config file, but it’s not easy to write snmp.yml by hand. The Prometheus team has created snmp_generator for this reason. snmp_generator helps to create the snmp.yml config file.

Installing snmp_generator

snmp_generator can be installed at any location. Once the snmp.yml file is generated, it can be copied to the folder where snmp_exporter is installed, and you can then start the snmp_exporter.

To install the SNMP_generator, follow the instructions at https://github.com/prometheus/snmp_exporter/tree/master/generator

SNMP_generator needs the generator.yml config file to generate the snmp.yml file.

How to write generator.yml file

Below is an example generator.yml file. You can write your own generator.yml file or download my generator.yml file from https://github.com/vishnubraj/prometheus_config/

modules:
#System details and interface stats OID's are common for both Cisco and Juniper
  ifmib:
    walk:
      - 1.3.6.1.2.1.1.3  #System Uptime
      - 1.3.6.1.2.1.1.1  #System Description
      - 1.3.6.1.2.1.31.1.1.1.6 #ifHCInOctets
      - 1.3.6.1.2.1.31.1.1.1.10 #ifHCOutOctets
      - 1.3.6.1.2.1.2.2.1.13 #ifInDiscards
      - 1.3.6.1.2.1.2.2.1.14 #ifInErrors
      - 1.3.6.1.2.1.2.2.1.19 #ifOutDiscards
      - 1.3.6.1.2.1.2.2.1.20 #ifOutErrors
      - 1.3.6.1.2.1.31.1.1.1.15 #ifHighSpeed
      - 1.3.6.1.2.1.31.1.1.1.7 #ifHCInUcastPkts
      - 1.3.6.1.2.1.31.1.1.1.11 #ifHCOutUcastPkts
    version: 3
    auth:
      security_level: authPriv
      username: testuser
      password: testpassword
      auth_protocol: MD5
      priv_protocol: AES
      priv_password: testpriv

    lookups:
      - source_indexes: [ifIndex]
        lookup: ifAlias
        drop_source_indexes: true
      - source_indexes: [ifIndex]
        lookup: ifName
        drop_source_indexes: true

In the above code “ifmib” is the module name; this will be used by Prometheus while scraping the targets. It’s always better to create multiple different modules, for example ospf, isis, bgp, ifmib, ipsla, rpm etc. This will be useful when writing the Prometheus config file. If you have a switch and a router, you don’t need to query the OSPF OIDs on the switch where OSPF isn’t running, so while writing the Prometheus config you can set all the switches to use only the ifmib module.
Then you need to find the OIDs which need to be queried from your device for the metric. Those need to be listed under the walk: section.

version: is the SNMP version which is running on the device.

auth: section contains the authentication details.

lookups: all SNMP OIDs belong to a table. Details about SNMP tables can be found at https://www.webnms.com/snmp/help/snmpapi/snmpv3/table_handling/snmptables_basics.html . If we only query the OIDs, the result won’t be useful to graph.

The metrics will carry only the ifIndex of the interface, like below. Each field here is a label; for example dc, ifIndex, instance and job are all labels. It’s not easy to identify which interface this belongs to.

{dc="ash1",ifIndex="5",instance="core1.ash1",job="all_default",region="eu-west"} = 19536684.216666665

Lookups are used to add the labels we are interested in. We need ifHCInOctets with the ifName mapping to better understand the metric for graphing. The config below says: look up the ifAlias value using ifIndex as the source_indexes, and drop the source_indexes.

  lookups:
      - source_indexes: [ifIndex]
        lookup: ifAlias
        drop_source_indexes: true

After adding the lookup config, we get the metric below, which is easy to understand.

{dc="ash1",ifAlias="pl3_166_level3",ifName="xe-0/1/6.0",instance="core1.ash1",job="all_default",region="eu-west"}

To generate the snmp.yml, run the snmp_generator like below.

./generator generate

This will generate the snmp.yml file. Copy it to the snmp_exporter folder and run the snmp_exporter like below.

./snmp_exporter &

In my next post I will explain the Prometheus config for the network devices.

Network Device Monitoring Using Prometheus and Grafana Part1

I use Prometheus and Grafana for monitoring network devices. Prometheus is a most powerful tool to monitor any metrics, and it is lightweight and scalable.

My environment mostly contains Cisco and Juniper devices. Monitoring other vendors is also very easy, but you need to understand how Prometheus works first.

Below are the metrics monitored on my Cisco and Juniper devices.

Cisco:

  • Hardware status
    • Fan Status
    • Power supply status
    • Temperature status
    • Processor and other hardware status
  • Interface Bandwidth Utilisation
  • Interface Error and Discards
  • Interface Packets per second Utilisation
  • IPsla Latency and Packet loss
  • BGP Neighbour Status
  • BGP Received Prefix status

Juniper:

  • Hardware Status
    • Fan Status
    • Power supply status
    • Temperature status
    • Processor and other hardware status
  • Interface Bandwidth Utilisation
  • Interface Error and Discards
  • Interface packets per second Utilisation
  • RPM latency and Packet loss
  • BGP Neighbour status
  • BGP Received Prefix Status

I will explain part by part how to configure things.

There are multiple steps that need to be followed to make this work.

We need to install 5 different components to have a complete monitoring design:

  • SNMP_generator
  • SNMP_exporter
  • Prometheus
  • Alert Manager
  • Grafana

Of these, SNMP_generator is used only for creating the config file for snmp_exporter.

Don’t worry, all the components work with each other through HTTP APIs, so there is no need to worry about maintaining all of the components mentioned above.

In my next tutorial I will explain installing and configuring SNMP_generator and SNMP_exporter.


How to Install WordPress on CentOS 7 with NGINX!

WordPress is a PHP and MySQL based open-source blogging platform. Around 25% of the websites on the internet use WordPress. Follow the instructions below to install a WordPress website on CentOS 7.

Prerequisites

  • Have a working domain name pointing to your server public IP. For example: example.net

Enable EPEL Repository:

Enabling the EPEL repository is an easy task, as the EPEL repository RPM package is included in the CentOS repository.

Run the below command to install and enable EPEL repository.

sudo yum install epel-release

Run the below command to verify whether the EPEL repository is enabled.

sudo yum repolist

Installing NGINX:

Run the below command to install NGINX.

sudo yum install nginx

Once the installation is complete, enable and start the NGINX service by running the below commands.

sudo systemctl enable nginx
sudo systemctl start nginx

Check the status of the Nginx service with the following command.

sudo systemctl status nginx

Open ports 80 and 443 in the firewall config. If your server is not protected by the CentOS firewall, ignore this step. Most cloud servers are protected by firewalls by default.

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

To verify the Nginx installation, open http://YOUR_SERVER_IP in your browser, and you will see the default Nginx welcome page.

To stop, start, restart or reload the Nginx service, use the below commands.

sudo systemctl stop nginx
sudo systemctl start nginx
sudo systemctl restart nginx
sudo systemctl reload nginx

Secure Nginx with Let’s Encrypt

Let’s Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are trusted by almost all browsers today.

Install Certbot

Run the below command to install certbot

sudo yum install certbot

Generate Strong DH (Diffie-Hellman) Group

Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys over an unsecured communication channel, like the internet.

To generate a new set of 2048-bit DH parameters, run the below command.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Obtain a Let’s Encrypt SSL certificate for your domain

To obtain an SSL certificate for your domain, we need to use the webroot plugin that works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/ directory. The Let’s Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.

The following commands will create the directory and make it writable for the Nginx server.

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

Create the snippets directory.

sudo mkdir /etc/nginx/snippets

Add the /etc/nginx/snippets/letsencrypt.conf file with the below config.


location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

Add the /etc/nginx/snippets/ssl.conf file with the below config.

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
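
The snippet above still enables TLSv1 and TLSv1.1 and carries several legacy suites in ssl_ciphers. As an added example (not part of the original post), this Python check reads the two directives and lists deprecated protocol versions, 3DES suites and suites without forward secrecy. It assumes explicit OpenSSL suite names as in the list above; `SSL_CONF` is an abbreviated copy of the snippet and the function names are hypothetical.

```python
import re

# Abbreviated copy of the ssl.conf snippet above (cipher list shortened).
SSL_CONF = """
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
"""

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL suite names with one of these prefixes use an ephemeral key exchange.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def directive(conf, name):
    """Return the argument string of a one-line 'name args;' directive, or ''."""
    m = re.search(rf"^\s*{re.escape(name)}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).strip().strip("'\"") if m else ""


def audit(conf):
    """Return (kind, value, reason) findings in the order they appear."""
    findings = []
    for proto in directive(conf, "ssl_protocols").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("protocol", proto, "deprecated TLS/SSL version"))
    for suite in directive(conf, "ssl_ciphers").split(":"):
        if not suite or suite[0] in "!-+":
            continue  # exclusions and modifiers such as !DSS are not suites
        if "DES-CBC3" in suite:
            findings.append(("cipher", suite, "3DES, 64-bit block cipher"))
        if not suite.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(("cipher", suite,
                             "static RSA key exchange, no forward secrecy"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in audit(SSL_CONF):
        print(f"{kind:8} {value:26} {reason}")
```

Removing TLSv1 and TLSv1.1 from ssl_protocols and the flagged suites from ssl_ciphers leaves `audit` with nothing to report.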

Once the snippets are created, open the /etc/nginx/conf.d/example.net.conf file and add below config.

server {
  listen 80;
  server_name example.net www.example.net;

  include snippets/letsencrypt.conf;
}

Reload the Nginx configuration.

sudo systemctl reload nginx

Now run certbot to obtain the SSL certificate for your domain.

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.net -d www.example.net

Once you have received the certificate, update the Nginx config with the below configuration.

server {
    listen 80;
    server_name www.example.net example.net;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.net$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

Reload the Nginx Service for the changes to take effect.

sudo systemctl reload nginx

Auto-renew the Let’s Encrypt SSL certificate using the below crontab entry.

sudo crontab -e
0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save and close the file.

Install MariaDB(Mysql)

MariaDB is an open-source relational database management system and a backward-compatible, binary drop-in replacement for MySQL.

Install the MariaDB package using the below command.

sudo yum install mariadb-server

Once the installation is complete, start the MariaDB service and enable it to start on the boot using the below commands.

sudo systemctl start mariadb
sudo systemctl enable mariadb

Run the below mentioned mysql_secure_installation script which will perform several security tasks.

sudo mysql_secure_installation

Configure MySQL

Log in to MySQL using no password:

mysql -u root -p

Within the MySQL shell, run the following commands to create the database for WordPress and the username/password for WordPress access.

mysql> CREATE DATABASE wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
mysql> GRANT ALL ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'change-with-strong-password';
mysql> FLUSH PRIVILEGES;
mysql> EXIT;

Install PHP7.2

The recommended PHP version for WordPress is PHP 7.2.

If you have any older PHP version on the server, please uninstall it.

To install PHP and all required php extensions run the below commands:

sudo yum install epel-release yum-utils
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi-php72
sudo yum install php-cli php-fpm php-mysql php-json php-opcache php-mbstring php-xml php-gd php-curl

We installed php-fpm because we will be using Nginx as a web server.

PHP FastCGI Process Manager (PHP-FPM) is an alternative FastCGI daemon for PHP that allows a website to handle high loads.

By default PHP-FPM runs as user apache on port 9000. We’ll change the user to nginx and switch from a TCP socket to a Unix socket. To do that, open /etc/php-fpm.d/www.conf and edit the lines mentioned below.

vi /etc/php-fpm.d/www.conf 
...
user = nginx
...
group = nginx
...
listen = /run/php-fpm/www.sock
...
listen.owner = nginx
listen.group = nginx

Change the /var/lib/php directory to the correct ownership.

sudo chown -R root:nginx /var/lib/php

Enable and start the php-fpm service:

sudo systemctl enable php-fpm
sudo systemctl start php-fpm

Download WordPress

First create a directory in which we will place the WordPress files.

sudo mkdir -p /var/www/html/example.net

Download the latest version of WordPress from the WordPress download page using wget, and move it to the above mentioned folder.

cd /tmp
wget https://wordpress.org/latest.tar.gz
tar xf latest.tar.gz
sudo mv /tmp/wordpress/* /var/www/html/example.net/

Now change the ownership of the example.net directory.

sudo chown -R nginx: /var/www/html/example.net

To set up the WordPress configuration file, we need to generate some configuration values for it. Run the below command to generate them.

curl -s https://api.wordpress.org/secret-key/1.1/salt/

The generated output keys should look like below.

define('AUTH_KEY',         'm=w)!7{-EEc&JYU~$wd@jTrqFseaZ0D-4Vd/?!>_hcF*BmQ+S2Do!QP>>O-|OI21');
define('SECURE_AUTH_KEY',  'S?lk-{RG 5K~sd*1$N<aZ18jy|^0n#-@eGqBhk3#dJy2M-|jUruu[T+ cYfJ^@2-'); 
define('LOGGED_IN_KEY', '>i*8?IA#h/.@?6MezjmoBWm&&b+h1YP?T.]Y=&*^h9[Bm`ThdbJ5zepb824LUd;-');
define('NONCE_KEY',        'cPim1L6}H1rQLtLj|FrN1DO:LZVsh`rr}5 `}k,f~%u)papX4|_J^Q%PKJ44uF[l');
define('AUTH_SALT',        ',+Aa_iZ/%yj5?-0F.O>Ogd6jCLU+2_2M$+1Zo-hUog70lLa$)YI@wbzkN<~v!Acd');
define('SECURE_AUTH_SALT', '-9sQ8iLS}1-iEX)b<A6(JNuPIGv2SV5ZiHV])4i+@oi6FG76$4{A@c*fj8[ *Uc-'); 
define('LOGGED_IN_SALT', 'K$i5b^g?TK4M|w;mqlh>m9ZJ5eVAq0X;we}jvw:JNkKm-O|-=GdH-{I><`J(ZgKB'); 
define('NONCE_SALT', 'c_VY?z=E}2r0A&r!F/qk*rtM3>K-Id+z*qG*^2g#4/-sR2%GP>b|{<97nL4uP8K/');

Now open the /var/www/html/example.net/wp-config.php file, find the above lines and replace them.

Now also update the DB_NAME, DB_USER, DB_PASSWORD in the file /var/www/html/example.net/wp-config.php with the correct credentials used in the Mysql Installation section.

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'password-you-provided');

define('FS_METHOD', 'direct');

Now edit the /etc/nginx/conf.d/example.net.conf file and update it with the below config.

# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.example.net example.net;

    include snippets/letsencrypt.conf;
    return 301 https://example.net$request_uri;
}

# Redirect WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.example.net;

    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;

    return 301 https://example.net$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.net;

    root /var/www/html/example.net;
    index index.php;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # log files
    access_log /var/log/nginx/example.net.access.log;
    error_log /var/log/nginx/example.net.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index   index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }

}

Restart Nginx for the changes to take effect.

sudo systemctl restart nginx

Now open the browser and access the http://example.net URL to access the wordpress instance and start blogging. Happy blogging!!

© 2019 Networking Blog
