I am not a pro; this is just what I've learned over the years. I noticed that a bunch of tutorials didn't have all the info I needed/used, so I figured I'd make my own.

rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum update
yum install -y nginx mariadb-server mariadb git
yum --enablerepo=remi-php72 install php-fpm php-common php-opcache php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-mongodb php-pecl-redis php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml php-pecl-zip php-gmp

Next we are going to enable everything to run on startup.
systemctl enable php-fpm
systemctl enable nginx
systemctl enable mariadb
systemctl start mariadb

Next we are going to secure the MySQL (MariaDB) instance. You can just hit yes/y to everything.
mysql_secure_installation

We are going to edit the php-fpm pool config
nano /etc/php-fpm.d/www.conf
replace user = apache with user = nginx
replace group = apache with group = nginx
Where it says listen, make it listen = /var/run/php-fpm/php-fpm.sock
Replace the listen.owner line with listen.owner = nginx
Replace the listen.group line with listen.group = nginx
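The www.conf edits above are easy to get wrong by hand (a key left commented out, the edit applied twice on a re-run). Below is an added example, not part of the original tutorial, that applies the same five changes from a script and verifies the result. The function names (apply_www_conf_edits, parse_active_settings, verify_www_conf, rewrite_file) and the sample config text are my own; the sample only resembles a stock www.conf and is not a copy of it.

```python
import re
import sys

# The edits the tutorial makes by hand in /etc/php-fpm.d/www.conf (key -> value).
WWW_CONF_EDITS = {
    "user": "nginx",
    "group": "nginx",
    "listen": "/var/run/php-fpm/php-fpm.sock",
    "listen.owner": "nginx",
    "listen.group": "nginx",
}

# Constructed sample resembling a stock www.conf; not a copy of the real file.
SAMPLE_WWW_CONF = """\
[www]
; Unix user/group of processes
user = apache
group = apache
; The address on which to accept FastCGI requests.
listen = 127.0.0.1:9000
;listen.owner = nobody
;listen.group = nobody
listen.allowed_clients = 127.0.0.1
pm = dynamic
"""


def _line_pattern(key, commented):
    """Regex for a whole config line setting `key`, active or ';'-commented."""
    prefix = r"^[ \t]*;[ \t]*" if commented else r"^[ \t]*"
    return re.compile(prefix + re.escape(key) + r"[ \t]*=.*$", re.MULTILINE)


def apply_www_conf_edits(text, edits=WWW_CONF_EDITS):
    """Return `text` with every key in `edits` set to its value.

    An active line is rewritten in place; otherwise the first commented-out
    line for the key is uncommented and rewritten; a key that never appears
    is appended. Running the function twice yields the same output.
    """
    for key, value in edits.items():
        new_line = "%s = %s" % (key, value)
        text, n = _line_pattern(key, commented=False).subn(new_line, text, count=1)
        if n == 0:
            text, n = _line_pattern(key, commented=True).subn(new_line, text, count=1)
        if n == 0:
            text = text.rstrip("\n") + "\n" + new_line + "\n"
    return text


def parse_active_settings(text):
    """Return {key: value} for the non-commented 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def verify_www_conf(text, edits=WWW_CONF_EDITS):
    """Return the keys whose active value differs from what the tutorial wants."""
    settings = parse_active_settings(text)
    return [key for key, want in edits.items() if settings.get(key) != want]


def rewrite_file(path):
    """Apply the edits to a real www.conf in place; returns remaining problems."""
    with open(path) as fh:
        original = fh.read()
    updated = apply_www_conf_edits(original)
    if updated != original:
        with open(path, "w") as fh:
            fh.write(updated)
    return verify_www_conf(updated)


if __name__ == "__main__":
    # With a path argument, edit that file; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        print("still wrong:", rewrite_file(sys.argv[1]))
    else:
        print(apply_www_conf_edits(SAMPLE_WWW_CONF))
```

Run it with no arguments to see the edited sample, or with /etc/php-fpm.d/www.conf as the argument (as root) to edit the real file; an empty "still wrong" list means every setting now matches. Because listen points at a unix socket, listen.allowed_clients no longer applies and the socket owner/group lines are what restrict who can talk to php-fpm, which is why the script checks them explicitly.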

Now we are going to create an nginx config
mkdir /etc/nginx/sites-enabled/ /etc/nginx/sites-available/
nano /etc/nginx/sites-available/test.site

Paste the below into the above file
server {

    listen 443 ssl;
    server_name test.site;

    ssl_certificate /etc/nginx/ssl/test.site/crt;
    ssl_certificate_key /etc/nginx/ssl/test.site/key;
    ssl_session_timeout 5m;

    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx/html/test.site/public;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    # Access and Error Log for Invoice Ninja
    access_log /var/log/nginx/test.site/access.log;
    error_log /var/log/nginx/test.site/error.log;

    sendfile off;

    # Handle PHP Applications
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }

    # Never serve .htaccess / .htpasswd style files
    location ~ /\.ht {
        deny all;
    }
}

Now we are going to create a default site that returns a 403 error when people access the server by IP instead of by hostname
nano /etc/nginx/sites-available/default

server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/default/crt;
    ssl_certificate_key /etc/nginx/ssl/default/key;
    return 403;
}

Now we are going to create the php upstream conf file
nano /etc/nginx/sites-available/upstream
Add the below to the file above

upstream php {
    server unix:/var/run/php-fpm/php-fpm.sock;
}

I have everything behind Cloudflare, so we can create self-signed certs. After running the openssl command you can just hit enter through everything, since Cloudflare doesn't care what the cert is.
mkdir -p /etc/nginx/ssl/default /etc/nginx/ssl/test.site /var/log/nginx/test.site
cd /etc/nginx/ssl/default
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key -out crt
cd /etc/nginx/ssl/test.site
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key -out crt

Add your php files under /usr/share/nginx/html/test.site/ (the site config serves from its public subdirectory)

Next we want to symbolically link the config files
ln -s /etc/nginx/sites-available/test.site /etc/nginx/sites-enabled/test.site
ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/upstream /etc/nginx/sites-enabled/upstream

Then test the config
nginx -t

Next we will define Cloudflare's IP ranges in the nginx config, so nginx knows which proxies to trust and logs the visitor's IP rather than Cloudflare's
nano /etc/nginx/nginx.conf
Add the below inside the http { } block of the file above
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
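The reason the ranges matter, and not just the header name, is that nginx only honours CF-Connecting-IP when the TCP peer is inside a set_real_ip_from range; anyone who reaches the origin directly and sends the header gets logged by their real socket address. The following is an added example, not part of the original tutorial, that reimplements that trust decision in Python over a few constructed requests so you can see each case. The function names (is_trusted_proxy, resolve_client_ip, classify) and the sample requests are my own; the CIDR list is the one from the directives above.

```python
import ipaddress

# Trusted proxy ranges, copied from the set_real_ip_from lines above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2c0f:f248::/32", "2a06:98c0::/29",
)]
REAL_IP_HEADER = "CF-Connecting-IP"


def is_trusted_proxy(peer_addr, trusted=CLOUDFLARE_RANGES):
    """True when the TCP peer address lies inside one of the trusted ranges."""
    peer = ipaddress.ip_address(peer_addr)
    return any(peer in net for net in trusted)


def resolve_client_ip(peer_addr, headers, trusted=CLOUDFLARE_RANGES, header=REAL_IP_HEADER):
    """Return the address nginx would log for this request.

    The header is honoured only when the TCP peer is a trusted proxy. A
    direct connection that carries a forged header keeps the peer address,
    and a missing or malformed header value also falls back to the peer.
    """
    if not is_trusted_proxy(peer_addr, trusted):
        return str(ipaddress.ip_address(peer_addr))
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(header.lower())
    if raw is None:
        return str(ipaddress.ip_address(peer_addr))
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return str(ipaddress.ip_address(peer_addr))


# Constructed requests as (peer address, request headers); not real traffic.
SAMPLE_REQUESTS = [
    ("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}),      # via Cloudflare
    ("2606:4700::1234", {"cf-connecting-ip": "2001:db8::1"}),  # via Cloudflare, IPv6
    ("203.0.113.5", {"CF-Connecting-IP": "10.0.0.1"}),          # direct hit, forged header
    ("172.70.1.1", {}),                                         # proxy but header absent
    ("104.16.1.1", {"CF-Connecting-IP": "not-an-ip"}),          # malformed value
]


def classify(requests=SAMPLE_REQUESTS):
    """Return (peer, trusted?, logged address) for each request."""
    return [(peer, is_trusted_proxy(peer), resolve_client_ip(peer, hdrs))
            for peer, hdrs in requests]


if __name__ == "__main__":
    for peer, trusted, logged in classify():
        print("%-18s trusted=%-5s logged=%s" % (peer, trusted, logged))
```

The third sample request is the one to watch: a direct connection from outside Cloudflare's ranges is logged as 203.0.113.5 no matter what its header claims. The flip side is that such direct connections reach the origin at all; the default_server block above answers them with a 403, but if the origin must only be reachable through Cloudflare, the host firewall should also limit port 443 to these same ranges. Cloudflare publishes the current list, so the directives and this CIDR table should be refreshed when it changes.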

Lastly we have to tell nginx to look in /etc/nginx/sites-enabled/* for files
nano /etc/nginx/nginx.conf
Add include /etc/nginx/sites-enabled/*; directly under the line include /etc/nginx/conf.d/*.conf; (inside the http { } block)
Now reboot the server
reboot