How to Install Bludit on CentOS 7
Introduction
Bludit is a simple, fast, and flexible Content Management System (CMS) released under the MIT License. As a flat-file CMS written in PHP, Bludit stores content in JSON files instead of a database. It also supports editing with Markdown and HTML code.
This tutorial explains how to install Bludit on CentOS 7 and set up HTTPS with a free Let's Encrypt TLS certificate.
Prerequisites
- A CentOS 7 server with SELinux disabled.
- Follow Vultr's best practices guides to create a sudo user and update the CentOS server.
This tutorial assumes you own a domain name such as example.com, and you have pointed it to the server IP address. If not, replace example.com with the server IP address.
Make sure to replace example.com in the code examples with your domain name or IP address.
1. Install PHP
CentOS 7 provides PHP version 5.4 in its official repository, but the minimum PHP version supported by Bludit is 5.6. You can install PHP version 7.4 from the Remi repository, a long-time and community-trusted repository for CentOS.
Log in to the server as a non-root sudo user via SSH.
Because some packages in the Remi repository depend on packages in the EPEL repository, enable the EPEL repository first.
$ sudo yum -y install epel-release
Enable the Remi repository.
$ sudo yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
Install the yum-utils package to configure repositories.
$ sudo yum -y install yum-utils
Enable PHP 7.4 packages.
$ sudo yum-config-manager --disable 'remi-php*'
$ sudo yum-config-manager --enable remi-php74
Install PHP-FPM and other necessary PHP extensions.
$ sudo yum -y install php-cli php-fpm php-gd php-json php-mbstring php-xml
Enable the PHP-FPM service so that PHP-FPM runs at boot time.
$ sudo systemctl enable php-fpm.service
List all the time zones that your CentOS system supports. Use the Up / Down keys to move through the list, and press Q to exit.
$ timedatectl list-timezones
Select an appropriate time zone from the list, for example, America/New_York. Then update your CentOS system with that time zone.
$ sudo timedatectl set-timezone America/New_York
Edit the main PHP configuration file to tell PHP to use the new time zone. This tutorial uses nano as the editor, but you can use another editor such as vim.
$ sudo nano /etc/php.ini
Find the line ;date.timezone = and replace it with date.timezone = America/New_York.
Save the configuration file and exit.
To enhance the security of your server, create a dedicated user named bludit as the user/group of PHP-FPM processes for Bludit. This user also owns the Bludit source code files.
$ sudo adduser bludit
Every time you want to add, delete, or update the source code files, you need to switch to this user.
Create the PHP-FPM configuration file from the default one.
$ sudo cp /etc/php-fpm.d/www.conf /etc/php-fpm.d/bludit.conf
Rename the default file to disable it and keep it as a backup.
$ sudo mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.default
Edit the PHP-FPM configuration file.
$ sudo nano /etc/php-fpm.d/bludit.conf
In the configuration file, any line starting with ; is a comment.
Make sure the listen = 127.0.0.1:9000 setting does not start with ;. This setting makes PHP-FPM listen on the address 127.0.0.1 and the port 9000.
Search for the following settings, then:
- Replace [www] with [bludit]
- Replace user = apache with user = bludit
- Replace group = apache with group = bludit
- Replace /var/log/php-fpm/www-error.log with /var/log/fpm-php/bludit/error.log
- Replace /var/lib/php/session with /var/lib/php/session.bludit
Save the configuration file and exit.
To avoid messing with the default folders, create a separate folder named /var/log/fpm-php/bludit to store log messages and a folder named /var/lib/php/session.bludit to store PHP session data.
$ sudo mkdir -p /var/log/fpm-php/bludit
$ sudo mkdir -p /var/lib/php/session.bludit
Update the ownership and permissions of the two folders so that only the PHP-FPM processes of Bludit can write to them.
$ sudo chown bludit:bludit /var/log/fpm-php/bludit
$ sudo chmod 700 /var/log/fpm-php/bludit
$ sudo chown bludit:bludit /var/lib/php/session.bludit
$ sudo chmod 700 /var/lib/php/session.bludit
Check the new configuration.
$ sudo php-fpm -t
Start the PHP-FPM service.
$ sudo systemctl start php-fpm.service
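php-fpm -t only checks syntax, so it does not notice a pool file that still runs as apache or still points at the default session folder. The script below is an added example, not part of the original tutorial: it checks a pool file for the five edits listed above. The helper name audit_pool and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial. audit_pool is a hypothetical helper.

# audit_pool FILE: print each problem found, return 0 only if there is none.
audit_pool() {
    conf=$1
    rc=0
    # ';' starts a comment in a pool file, so keep active lines only.
    active=$(grep -Ev '^[[:space:]]*(;|$)' "$conf")

    # Settings the tutorial says must be active after the edit.
    for re in \
        '^\[bludit\]' \
        '^user *= *bludit *$' \
        '^group *= *bludit *$' \
        '^listen *= *127\.0\.0\.1:9000 *$' \
        '= */var/log/fpm-php/bludit/error\.log *$' \
        '= */var/lib/php/session\.bludit *$'
    do
        printf '%s\n' "$active" | grep -Eq -- "$re" ||
            { echo "MISSING  $re"; rc=1; }
    done

    # Values from the default www.conf that must no longer be active.
    for re in \
        '^\[www\]' \
        '^(user|group) *= *apache' \
        '/var/log/php-fpm/www-error\.log' \
        '= */var/lib/php/session *$'
    do
        if printf '%s\n' "$active" | grep -Eq -- "$re"; then
            echo "LEFTOVER $re"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a pool file where the group edit was missed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[bludit]
user = bludit
group = apache
;listen = /run/php-fpm/www.sock
listen = 127.0.0.1:9000
php_admin_value[error_log] = /var/log/fpm-php/bludit/error.log
php_value[session.save_path]    = /var/lib/php/session.bludit
EOF
audit_pool "$sample" || echo "pool file needs fixing"
rm -f "$sample"
```

On the server, point it at the real file: audit_pool /etc/php-fpm.d/bludit.conf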
2. Install Bludit
Download the Bludit source code archive.
$ cd ~ && wget https://github.com/bludit/bludit/archive/refs/tags/3.13.1.tar.gz
At the time of writing, the latest stable version of Bludit is 3.13.1. You can always visit the Bludit releases page on GitHub to get the latest version.
Extract the archive.
$ tar xzf 3.13.1.tar.gz
Set bludit as the owner of the source code folder.
$ sudo chown -R bludit:bludit bludit*
Move the source code folder to /var/www/bludit because, traditionally, the source code folders of websites are in the /var/www folder.
$ sudo mkdir -p /var/www
$ sudo mv bludit* /var/www/bludit
3. Install Nginx
Install Nginx with the following command.
$ sudo yum -y install nginx
Enable the Nginx service so that Nginx runs at boot time.
$ sudo systemctl enable nginx.service
Create a new configuration file for Bludit.
$ sudo nano /etc/nginx/conf.d/bludit-http.conf
Paste the following contents and replace example.com with your server's domain name or IP address:
    server {
        listen 80;
        listen [::]:80;
        server_name example.com;

        root /var/www/bludit;
        index index.html index.php;

        # All URLs are processed by index.php
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # For security, deny direct access to the following folders
        location ^~ /bl-content/databases/ { deny all; }
        location ^~ /bl-content/workspaces/ { deny all; }
        location ^~ /bl-content/pages/ { deny all; }
        location ^~ /bl-content/tmp/ { deny all; }

        # For security, deny direct access to PHP files inside the "bl-kernel" folder
        location ~ ^/bl-kernel/.+\.php$ { deny all; }

        # Pass PHP files to the FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
            # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_param HTTP_PROXY "";

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }

        # Set expiration of assets to MAX for caching
        location ~* \.(jpg|jpeg|gif|png|css|js|ico|svg|eot|ttf|woff|woff2|otf)$ {
            expires max;
            log_not_found off;
        }
    }
Save the configuration file and exit.
Check the new configuration.
$ sudo nginx -t
Start the Nginx service.
$ sudo systemctl start nginx.service
Update the firewall to allow incoming HTTP requests.
$ sudo firewall-cmd --permanent --zone=public --add-service=http
Reload the current firewall session.
$ sudo firewall-cmd --reload
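To confirm that the deny rules in the configuration above are in effect, request one path under each protected location and expect 403 Forbidden. This script is an added example, not part of the original tutorial; the function names and the probe file names are hypothetical, and it needs curl.

```shell
#!/bin/sh
# Added example, not from the tutorial. Function names and the probe
# file names are hypothetical.

# http_status URL: print only the HTTP status code of a GET request.
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1"
}

# verify_denied BASE_URL: every location the config blocks must answer 403.
# "deny all" covers the whole location, so the probed files do not have
# to exist on disk.
verify_denied() {
    base=${1%/}
    rc=0
    for path in \
        /bl-content/databases/probe.txt \
        /bl-content/workspaces/probe.txt \
        /bl-content/pages/probe.txt \
        /bl-content/tmp/probe.txt \
        /bl-kernel/probe.php
    do
        # curl prints 000 and fails when the server cannot be reached.
        code=$(http_status "$base$path") || code=000
        if [ "$code" = 403 ]; then
            echo "ok    $code $path"
        else
            echo "FAIL  $code $path"
            rc=1
        fi
    done
    return "$rc"
}

# Run against your own server: sh verify-denied.sh http://example.com
if [ "$#" -gt 0 ]; then
    verify_denied "$1"
fi
```

After completing step 4, pass the https:// URL instead, because plain HTTP requests then return a 301 redirect rather than 403.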
4. (Optional) Configure HTTPS
If you own a valid domain name, you can set up HTTPS for your Bludit at no cost. Using the Certbot program, you can get a free TLS certificate from Let's Encrypt, a certificate authority.
Install Certbot with Snap
Snap Store is an app store for Linux with millions of users. It makes it easy to get the latest version of Certbot with features like automatic certificate renewal. The package that provides everything you need to work with the Snap Store is snapd.
Install the snapd package.
$ sudo yum -y install snapd
Enable the snapd service.
$ sudo systemctl enable --now snapd.socket
Enable classic snap support.
$ sudo ln -s /var/lib/snapd/snap /snap
Get the latest version of snapd core.
$ sudo snap install core && sudo snap refresh core
Do not worry if you get the following error.
error: too early for operation, device not yet seeded or device model not acknowledged
It may take some time for snapd to initialize its environment. Wait a minute and try again.
Install Certbot.
$ sudo snap install --classic certbot
Make the certbot command globally available.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Get a Let's Encrypt Certificate
Rename the HTTP configuration file to make it the template for the HTTPS configuration file.
$ sudo mv /etc/nginx/conf.d/bludit-http.conf /etc/nginx/conf.d/bludit-https.tpl
Create a new configuration file to serve HTTP requests.
$ sudo nano /etc/nginx/conf.d/bludit-http.conf
Paste the following contents and replace example.com with your server's domain name or IP address:
    server {
        listen 80;
        listen [::]:80;
        server_name example.com;

        root /var/www/bludit;

        location / {
            return 301 https://$server_name$request_uri;
        }

        location /.well-known/acme-challenge/ {}
    }
This configuration makes Nginx redirect all HTTP requests, except those from Let's Encrypt, to corresponding HTTPS requests.
Save the configuration file and exit.
Check the Nginx configuration.
$ sudo nginx -t
Apply the new configuration.
$ sudo systemctl reload nginx.service
Run the following command to get the Let's Encrypt certificate.
$ sudo certbot certonly --webroot -w /var/www/bludit -d example.com -m admin@example.com --agree-tos
You may need to answer a question about sharing your email with the Electronic Frontier Foundation.
When finished, certbot tells you the path of your certificate file and key file:
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
Another critical file, located in the same folder and also needed for the next step, is chain.pem.
Install the Certificate with Nginx
Generate a file with DH parameters for DHE ciphers.
$ sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048
2048 is the recommended size of DH parameters. This process may take a while, so please be patient.
Create the HTTPS configuration file from the template file above.
$ sudo mv /etc/nginx/conf.d/bludit-https.tpl /etc/nginx/conf.d/bludit-https.conf
Open the HTTPS configuration file.
$ sudo nano /etc/nginx/conf.d/bludit-https.conf
Find the following lines:
    listen 80;
    listen [::]:80;
Replace them with:
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

    # DH parameters file
    ssl_dhparam /etc/nginx/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    #
    # Uncomment the following line only if your website fully supports HTTPS
    # and you have no intention of going back to HTTP, otherwise, it will
    # break your site.
    #
    # add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    # Use Cloudflare DNS resolver
    resolver 1.1.1.1;
Save the configuration file and exit.
Check the Nginx configuration.
$ sudo nginx -t
Apply the new configuration.
$ sudo systemctl reload nginx.service
Update the firewall to allow incoming HTTPS requests.
$ sudo firewall-cmd --permanent --zone=public --add-service=https
Reload the current firewall session.
$ sudo firewall-cmd --reload
Automate Renewal
Let's Encrypt certificates are valid for 90 days, so you must renew your TLS certificate at least once every three months. The Certbot installation automatically created a systemd timer unit to automate this task.
Run the following command to verify the timer is active.
$ sudo systemctl list-timers | grep 'certbot\|ACTIVATES'
After renewing the certificate, Certbot will not automatically reload Nginx, so Nginx still uses the old certificate. You must write a script inside the /etc/letsencrypt/renewal-hooks/deploy folder to reload Nginx.
Open your text editor.
$ sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Paste the following contents:
    #!/bin/bash
    /usr/bin/systemctl reload nginx.service
Save and exit. Then make the script executable.
$ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
Test the renewal process with a dry run.
$ sudo certbot renew --dry-run
This Vultr article explains all the above steps in more detail. This kind of TLS setup gives you an "A" rating on the SSL Labs test.
5. Complete the Bludit Setup
Restart the server to make sure it still works afterward.
$ sudo reboot
Wait a moment for the system to boot, then open the URL of your server in your browser.
http://example.com
The Bludit Installer screen will appear.
Choose your language, then click the Next button.
Enter a strong password for the user admin, then click the Install button.
When finished, Bludit will redirect you to the home page.
Your Bludit website is now ready. You can log in to the admin panel, http://example.com/admin/, to start writing new content or update the site settings.
For more information, read the Bludit documentation.