===== Anchor CMS =====
Ubuntu 18.04 Server installation tutorial for Anchor CMS.


==== Package installation ====

  sudo apt install nginx mariadb-server
  sudo apt install php7.2 php7.2-curl php7.2-gd php7.2-mbstring php7.2-mysql

mcrypt needs to be installed manually with pecl

  sudo apt-get -y install gcc make autoconf libc-dev pkg-config
  sudo apt-get -y install php7.2-dev
  sudo apt-get -y install libmcrypt-dev

Make sure you sudo pecl search mcrypt to find the newest version even though it is out of support

  sudo pecl install mcrypt-1.0.3

==== Setup the database ====

  sudo mysql_secure_installation

Answer all the questions as shown below:

  Enter current password for root (enter for none):
  Set root password? [Y/n]: Y
  Remove anonymous users? [Y/n]: Y
  Disallow root login remotely? [Y/n]: Y
  Remove test database and access to it? [Y/n]:  Y
  Reload privilege tables now? [Y/n]:  Y

Log in to the mysql console

  sudo mysql -u root -p

Create the database and the admin user.

  CREATE DATABASE anchordb;
  GRANT ALL ON anchordb.* TO 'dbadmin' IDENTIFIED BY '4L94jSPEZC9eNpWAHdRLWtPfRVeBLrei';
  FLUSH PRIVILEGES;

==== Let's Encrypt ====

For SSL use the EFF's PPA for the Let's Encrypt certbot.

  sudo add-apt-repository ppa:certbot/certbot
  sudo apt upgrade
  sudo apt install python-certbot-nginx
  sudo certbot --nginx certonly

Cert and Key locations:

  /etc/letsencrypt/live/sub.domain.tld/fullchain.pem

  /etc/letsencrypt/live/sub.domain.tld/privkey.pem

By default, a generic DH key is used which weakens the key exchange. Generate a non-generic Diffie-Hellman key with OpenSSL, the line in the Nginx configuration file has already been added in the config below.

  sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096

==== Configuring Nginx ====
<code>
server {
	listen 80;
	server_name blog.arctic.cat;
	# enforce https
	return 301 https://$server_name$request_uri;
}

server {
	listen 443 ssl http2;
	server_name blog.arctic.cat;

	ssl_certificate /etc/letsencrypt/live/blog.arctic.cat/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/blog.arctic.cat/private.key;
	ssl_session_timeout 5m;
	ssl_ecdh_curve prime256v1;
	ssl_session_tickets off;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!aNULL';
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1.2;
	ssl_dhparam /etc/ssl/dhparam.pem;

	# Add headers to serve security related headers
	# Before enabling Strict-Transport-Security headers please read into this
	# topic first.
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	#add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	root /var/www/anchor;

	index index.php index.html;

	location / {
		try_files $uri $uri/ /index.php;
	}
    
	location ~ \.php$ {
		try_files $uri =404;
		include fastcgi_params;
		fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	}
}
</code>

Before testing the config, you need to increase the ''server_names_hash_bucket_size'' in ''/etc/nginx/nginx.conf'' to 64, it should be commented out be default.

Be sure to test the config.

  sudo nginx -t


==== Install PHP Composer ====
Composer will allow us to install Anchor in a single line.
Follow the instructions found here: https://getcomposer.org/download/

  php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  php -r "if (hash_file('sha384', 'composer-setup.php') === 'e0012edf3e80b6978849f5eff0d4b4e4c79ff1609dd1e613307e16318854d24ae64f26d17af3ef0bf7cfb710ca74755a') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
  php composer-setup.php
  php -r "unlink('composer-setup.php');"
  sudo mv composer.phar /usr/local/bin/composer

==== Install Anchor CMS ====
Make the webroot directory for anchor apply ownership to your current user.

  sudo mkdir -p /var/www/anchor
  sudo chown -R {your_user}:{your_user} /var/www/anchor
  cd /var/www/anchor

This was supposed to be rather quick, but due to a syntax error in the anchor config, it will require a few more additional commands.

  composer create-project anchorcms/anchor-cms ./

The above command will error out, but you just need to edit one line in ''composer.json''

  sudo vim /var/www/anchor/composer.json

<code>
- "type": "CMS",
+ "type": "cms",
</code>

Now install anchor.
  composer install

==== Permissions ====
Change the permissions for the anchor web root to www-data
  sudo chown -R www-data:www-data /var/www/anchor
Create some other directory that I have no real idea what it does.
  sudo mkdir -p /var/lib/php/session && sudo chown -R www-data:www-data /var/lib/php

==== Let's Go! ====
I usually reboot for good measure just to make sure reboots are handled properly.
  sudo reboot