- 29 Dec 2021
How to install Snapt Aria on Red Hat Enterprise Linux 8
- Updated on 29 Dec 2021
RHEL 8.3 Linux Installation:
Boot from the installation media and select the first installation method (“Install Red Hat Enterprise Linux 8.3”).
Choose your language (English US) and continue.
When prompted, fix the date and time.
Next you have to configure the server’s hostname and network settings. When configured click save and then done.
If you are using DHCP for network control you can simply connect the network interface.
If you want to manually configure the network, you can do this in the “configure” sections.
Select either IPv4 or IPv6 based on your preference. Select Method “Manual” and enter your IP/mask details. Include the DNS server separated by commas and search domain.
Now you can partition your disk; using LVM is preferred. To use LVM, click “I will configure partitioning”, then click done and you’ll be presented with the manual partitioning window (see below).
You can choose to automatically create partitions by clicking the yellow highlighted text. Alternatively, you can create custom partitions by clicking on “Custom” and specifying the partition structure.
It is highly advised that you connect to Red Hat. This will ensure that the official Red Hat repositories are added during installation. Alternatively, you can point to the ISO to use it as a repo offline after the installation. See section: Offline RHEL Repo Setup
Select the packages that you would like to install. For the Snapt installation, we do not need a server with a GUI. Select the standard server option. No additional software packages are needed for the installation.
Enter the root user password and configure an additional Snapt user with administration permissions.
Now click the “begin installation” button and the OS will be configured and installed.
After installation is complete, click the “Reboot System” button.
You will be presented with a login prompt. Log in as snapt and su to root to start the configuration.
RHEL 8.3 Configuration:
Hardening / Security
For advanced users it is recommended to only allow the required ports on the firewall instead of disabling it.
firewall-cmd --zone=public --permanent --add-port 8080/tcp
firewall-cmd --reload
Alternatively:
Disable the local firewall altogether (IPv4 and IPv6). This might make your server vulnerable if there are no other firewalls.
systemctl stop firewalld
#Run the following command to keep the firewall disabled after reboots.
systemctl disable firewalld
Disable direct root login by replacing the following entry in /etc/ssh/sshd_config.
NOTE: it is a good idea to create a local Snapt user account before performing this step, otherwise the only login method will be via the console using the root account.
#PermitRootLogin yes
with:
PermitRootLogin no
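A way to confirm that the change above is the one sshd will apply, as an added example that is not part of the Snapt guide: sshd uses the first uncommented occurrence of a keyword, so a PermitRootLogin no placed below an existing PermitRootLogin yes changes nothing. The function names and the sample file are constructed for illustration, and the check assumes a single sshd_config without Include directives; on a live host, sshd -T prints the authoritative effective configuration.

```shell
# Added example (not from the Snapt guide): print the global PermitRootLogin
# value sshd would apply for the sshd_config file given as $1.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { exit }            # Match blocks are conditional, not global
        key == "permitrootlogin" { val = tolower($2); exit }  # first one wins
        END { print (val == "" ? "prohibit-password" : val) } # OpenSSH default
    ' "$1"
}

# Succeeds only when direct root login is off for every connection.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: "PermitRootLogin no" was appended at the end while the
# earlier "PermitRootLogin yes" line was left in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
if root_login_disabled "$sample"; then
    echo "root login disabled"
else
    echo "root login still allowed: $(effective_permit_root_login "$sample")"
fi
rm -f "$sample"
```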
DNS
Configure DNS by populating the /etc/resolv.conf file as follows.
NOTE: use the IP addresses for the DNS servers in your network.
[root@snapt ~] vi /etc/resolv.conf
domain mydomain.co.za
nameserver <IP address of DNS server 1>
nameserver <IP address of DNS server 2>
options timeout:1 attempts:1 rotate
Offline RHEL Repo Setup
If you registered with RHEL during installation you can skip the rest of this section and continue with “Additional Packages Required”.
Confirm that RHEL repos are populated:
yum repolist
If your output does not contain the RHEL streams, you should follow the below steps to add the RHEL repo.
Set up a local package repository using the installation media. (Only use this method if you do not have internet access. Note that additional RPMs will need to be manually downloaded as listed below.)
Mount the Installation Media
[root@snapt /] mkdir /cdrom
[root@snapt /] mount /dev/sr0 /cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
Disable the existing public repository by renaming the existing file.
[root@snapt /] cd /etc/yum.repos.d/
[root@snapt /] mv redhat.repo redhat.repo.old
Copy media.repo file from the mounted directory to /etc/yum.repos.d/
[root@snapt ~] cp -v /cdrom/media.repo /etc/yum.repos.d/rhel8.repo
'/cdrom/media.repo' -> '/etc/yum.repos.d/rhel8.repo'
Populate this file with the following text
[root@snapt yum.repos.d] vi rhel8.repo
[InstallMedia-BaseOS]
name=Red Hat Enterprise Linux 8 - BaseOS
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///cdrom/BaseOS/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[InstallMedia-AppStream]
name=Red Hat Enterprise Linux 8 - AppStream
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///cdrom/AppStream/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Clean the existing YUM config and refresh the repo-list.
[root@snapt yum.repos.d] yum clean all
[root@snapt yum.repos.d] yum repolist
Additional Packages required
Snapt Aria requires prerequisite packages that are not currently available in the official RHEL repos.
Add the below repositories to get access to the GeoIP and Nginx repos.
Nginx Repo:
Create a new repository for the latest Nginx Stable release.
vi /etc/yum.repos.d/Nginx.repo
Add the following lines to Nginx.repo and save:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EPEL Repo:
Create a new repository for the EPEL repo.
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=https://mirror.marwan.ma/fedora/epel/RPM-GPG-KEY-EPEL-8
Package Installation
Refresh the repository and install the required base packages for Snapt Aria.
yum clean all
yum repolist
yum install haproxy -y;
yum install 'nginx*1.18.0*' -y;
Enable the packages that you will require to run at start-up.
Haproxy if load balance plugin is needed.
Nginx if the Accelerator plugin is needed.
Squid if the cache plugin is needed.
systemctl enable haproxy
systemctl enable nginx
systemctl enable squid
Install Snapt Aria:
Now you will need to download and extract the Snapt Aria bundle using the following steps:
Download:
Directly download to your RHEL server using wget.
wget https://shop.snapt.net/download/Snapt-Linux-Redhat-Fedora-CentOS.tar.gz
Or download from the Snapt download page (https://downloads.snapt.net/).
Extract the bundle
tar -C / -xvf ./Snapt-Linux-*.tar.gz
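Because the bundle is unpacked over / as root, it is worth listing it first. The following is an added example, not part of the Snapt guide or bundle: it flags members with absolute names, ".." path components or setuid/setgid bits. The function name audit_tarball and the sample archive are constructed for illustration.

```shell
# Added example: audit a bundle before unpacking it over / as root.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_tarball() {
    names=$(tar -tf "$1" 2>/dev/null)
    [ -n "$names" ] || { echo "UNREADABLE $1"; return 2; }
    # First pass (names only): absolute names and ".." components can land
    # outside the -C target. Second pass (verbose listing): field 1 is the
    # mode string, e.g. -rwsr-xr-x; only regular files are checked, and $NF
    # is the last word of the member name.
    findings=$(
        printf '%s\n' "$names" | awk '
            substr($0, 1, 1) == "/" { print "ABSOLUTE " $0; next }
            { n = split($0, part, "/")
              for (i = 1; i <= n; i++)
                  if (part[i] == "..") { print "TRAVERSAL " $0; break } }'
        tar -tvf "$1" 2>/dev/null | awk '
            substr($1, 1, 1) == "-" &&
            (substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/) {
                print "SETID " $NF }'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample bundle: one ordinary script and one setuid helper.
work=$(mktemp -d)
mkdir -p "$work/src/usr/local/snapt"
echo 'echo start' > "$work/src/usr/local/snapt/start.sh"
echo 'helper' > "$work/src/usr/local/snapt/helper"
chmod 4755 "$work/src/usr/local/snapt/helper"
tar -czf "$work/sample.tar.gz" -C "$work/src" usr

if audit_tarball "$work/sample.tar.gz"; then
    echo "no findings"
else
    echo "review the findings above before running tar -C / -xvf"
fi
rm -rf "$work"
```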
Start the program:
If root:
/usr/local/snapt/start.sh
If non-root user:
sudo /usr/local/snapt/start.sh
Custom compile Nginx, Naxsi and PageSpeed:
In the case that you are running Snapt Aria on CentOS, Fedora or Red Hat Linux, you will need to install some additional packages.
yum install gcc-c++ pcre-devel zlib-devel make unzip geoip-devel libuuid-devel perl-CGI -y
Once you have these additional packages installed, you can copy and save the script below as snapt_nginx_builder.sh:
#!/bin/bash
# SNAPT NGINX BUILD SCRIPT
# help@snapt.net

# Build directory and the version of each component to fetch
DIRECTORY=/root/snp_ngx_builder
PAGESPEED=1.13.35.2-stable
NPS_RELEASE_NUMBER=1.13.35.2
NGINX=1.18.0
NAXSI=1.3
OPENSSL=1.1.1g

# Options passed to the nginx ./configure script
COMPILE="--add-module=${DIRECTORY}/naxsi-${NAXSI}/naxsi_src \
--add-module=${DIRECTORY}/incubator-pagespeed-ngx-${PAGESPEED} \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--sbin-path=/usr/sbin/nginx \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-pcre-jit \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-stream \
--with-ipv6 \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-openssl=${DIRECTORY}/openssl-${OPENSSL}"

# Create the build directory if needed and change into it
function folder_check_create ()
{
    if [ ! -d "${DIRECTORY}" ]; then
        mkdir -p "${DIRECTORY}"
    fi
    cd "${DIRECTORY}" || exit 1
}

# Pick the package manager from the distribution's release files
function get_package_manager ()
{
    id=$(cat /etc/*release | grep ID=)
    idLike=$(cat /etc/*release | grep ID_LIKE=)
    if [[ $id == "ID=centos" ]] || [[ $idLike =~ "rhel" ]] || [[ $idLike =~ "fedora" ]]; then
        packageMan="yum"
    elif [[ $id == "ID=opensuse" ]] || [[ $idLike =~ "suse" ]]; then
        packageMan="zypper"
    else
        packageMan="apt"
    fi
}

# Install build dependencies on Debian/Ubuntu
function dependencies_ubuntu ()
{
    if [ "$packageMan" == "apt" ]; then
        sudo apt-get update
        sudo apt-get -y install sudo make wget build-essential zlib1g-dev libpcre3 libpcre3-dev unzip libssl-dev libgeoip-dev uuid-dev
    fi
}

# Install build dependencies on CentOS/RHEL/Fedora
function dependencies_centos_rhel ()
{
    if [ "$packageMan" == "yum" ]; then
        sudo yum install gcc-c++ pcre-devel zlib-devel make unzip geoip-devel libuuid-devel perl-CGI -y
    fi
}

# Install build dependencies on SUSE
function dependencies_suse ()
{
    if [ "$packageMan" == "zypper" ]; then
        sudo zypper in -y libuuid-devel
    fi
}

# Fetch the PageSpeed module and its PSOL library unless already unpacked.
# The check uses the directory name the archive actually unpacks to.
function prepare_pagespeed ()
{
    if [ ! -d "incubator-pagespeed-ngx-${PAGESPEED}" ];
    then
        rm -rf incubator-pagespeed-*
        wget https://github.com/apache/incubator-pagespeed-ngx/archive/v${PAGESPEED}.zip
        unzip v${PAGESPEED}.zip
        rm v${PAGESPEED}.zip
        cd incubator-pagespeed-ngx-${PAGESPEED}/ || exit 1
        wget https://dl.google.com/dl/page-speed/psol/${NPS_RELEASE_NUMBER}-x64.tar.gz
        tar -xzvf ${NPS_RELEASE_NUMBER}-x64.tar.gz
        rm ${NPS_RELEASE_NUMBER}-x64.tar.gz
    fi
    cd "${DIRECTORY}" || exit 1
}

# Fetch the Naxsi WAF module unless already unpacked
function prepare_naxsi ()
{
    if [ ! -d "naxsi-${NAXSI}" ];
    then
        rm -rf naxsi-*;
        wget https://github.com/nbs-system/naxsi/archive/${NAXSI}.tar.gz;
        tar -xvzf ${NAXSI}.tar.gz;
        rm ${NAXSI}.tar.gz;
    fi;
}

# Fetch the OpenSSL source unless already unpacked.
# The check and clean-up refer to the openssl directory, not the naxsi one.
function prepare_openssl ()
{
    if [ ! -d "openssl-${OPENSSL}" ];
    then
        rm -rf openssl-*;
        wget https://www.openssl.org/source/openssl-${OPENSSL}.tar.gz;
        tar -xvzf openssl-${OPENSSL}.tar.gz;
        rm openssl-${OPENSSL}.tar.gz;
    fi;
}

# Fetch the nginx source unless already unpacked (over HTTPS, as this code is built and installed as root)
function prepare_nginx ()
{
    if [ ! -d "nginx-${NGINX}" ];
    then
        rm -rf nginx-*;
        wget https://nginx.org/download/nginx-${NGINX}.tar.gz;
        tar -xvzf nginx-${NGINX}.tar.gz;
        rm nginx-${NGINX}.tar.gz;
    fi;
}

# Configure, build and install nginx with the modules above.
# ${COMPILE} is left unquoted on purpose so that it splits into separate options.
function compile ()
{
    cd "${DIRECTORY}/nginx-${NGINX}" || exit 1
    ./configure ${COMPILE}
    make;
    sudo make install
}

folder_check_create
get_package_manager
dependencies_ubuntu
dependencies_centos_rhel
dependencies_suse
prepare_openssl
prepare_pagespeed
prepare_naxsi
prepare_nginx
compile
Once you have done so, give the script execute permission:
chmod +x snapt_nginx_builder.sh
Now run the compile script:
./snapt_nginx_builder.sh
Start Snapt Aria:
If root:
/usr/local/snapt/start.sh
If non-root user:
sudo /usr/local/snapt/start.sh
You may now log in on port 8080 with a web browser (remember to add the port to the firewall rules if the firewall is not disabled.)
firewall-cmd --zone=public --permanent --add-port 8080/tcp
firewall-cmd --reload
Ensure Aria starts after reboot:
Edit root's crontab:
crontab -e
Add the following line (a crontab edited with crontab -e has no user field; the command follows the schedule directly):
@reboot /usr/local/snapt/start.sh
Firewall
If the firewall is not disabled, remember to allow access to the balancer's listening IPs and ports.
Example:
firewall-cmd --zone=public --permanent --add-port 3001/tcp
firewall-cmd --reload
Logging In to Snapt Aria:
You should now be able to access the Snapt Management UI if the above start script ran without any errors.
You can verify this by going to http://{your.server.ip.address}:8080 and you’ll be greeted with the following screen.
On this page, you’ll be required to login with your username and password used during your trial signup/Snapt Shop Account.
If you do not have a username and password yet, you can register here.
You will now be able to install the plugins.
It is important to run the first-time wizards for both the accelerator and balancer. This is available under advanced configuration for each plugin.