Disclaimer: This guide is user-contributed. xhost.ch GmbH disclaims all warranties, liabilities, and responsibilities for its use. Users should be aware of potential risks and are advised to proceed with caution.
Multicraft Installation Guide for Rocky Linux 9
by Simone "Giga 123" VeddaHi, I'm Simone Vedda, also known as Giga 123, and in this tutorial, I will explain to you how to setup Multicraft on Rocky Linux 9 with phpMyAdmin, MariaDB, FirewallD, SELinux (it must be on in enforcing mode and targeting) and Certbot (for the TLS certificate).
Please notice that this guide has some variables (like ssh_port, mariadb_port and so on; all of them will be listed below) that you can change with anything suitable for you (in this way, you can have non-standard ports to enhance security).
You can download this guide as a TXT file and edit it as you like. Make sure to not change any commands or it might not work. If you wish, you can even set up a Cloudflared instance to have VPN-like access to the Multicraft panel (again it's entirely optional, but I suggest doing it anyway).
Complete list of variables (if you find them in the guide, make sure to substitute the variable with a valid and unused value of your system, whether it'll be a port, a name or an ID number):
SSH port variable: ssh_port MariaDB port variable: mariadb_port Name of the Cloudflared tunnel variable: tunnel_name ID of the CLoudflared tunnel variable: tunnel_id Link to your project: subdomain.domain.tdl Name of the Cloudflared subdomain (the subdomain that you will use to connect with ssh): tunnel_subdomain Name of the domain for your server: domain.tdl (useful for copying the ssh key if generated on the server and for the Apache webserver) FTP minimum passive port: ftp_min_passive_port FTP maximum passive port: ftp_max_passive_port Name for the SFTP user: sftupser (change it as you like)
OPTIONAL: Install Cloudflared plus a private SSH Key (2FA with a VPN-like connection)
* Update the system and remove the unnecessary services *
dnf -y erase cockpit* dnf -y update dnf -y install nano wget dnf -y install firewalld policycoreutils-devel setroubleshoot-server systemctl enable --now firewalld firewall-cmd --remove-service=cockpit --permanent firewall-cmd --remove-service=dhcpv6-client --permanent firewall-cmd --reload* Install Cloudflared *
sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared-ascii.repo sudo dnf -y install cloudflared* Configure Cloudflared *
cloudflared tunnel login cloudflared tunnel create tunnel_name(Be sure to copy your tunnel ID)
* Now edit the file as follow *
nano /root/.cloudflared/config.yml tunnel: tunnel_id credentials-file: /root/.cloudflared/tunnel_id.json warp-routing: enabled: true ingress: - hostname: subdomain.domain.tdl service: ssh://localhost:ssh_port - service: http_status:404* Define a subdomain to connect through ssh *
cloudflared tunnel route dns tunnel_id tunnel_subdomain* Consifure the SSH server to access through Cloudflared *
nano /etc/ssh/sshd_config --> ListenAddress 127.0.0.1:ssh_port semanage port -a -t ssh_port_t -p tcp ssh_port systemctl restart sshd* Configure Cloudflared service *
cloudflared service install systemctl start cloudflared firewall-cmd --remove-service=ssh --permanent firewall-cmd --reload* Configure the 2FA *
* Use software like PuTTY to generate the key *
! At this moment the best cypher for a usable key is Ed25519 at 255 bits!
* Install the public key on the server *
-- If generated on the server --
ssh-copy-id root@domain.tld nano /root/.ssh/authorized_keysChange the host at the end of the line or remove it
-- If generated locally (suggested) --
Copy the content of the key on the authorized_keys file (it must be on one line straight)
mkdir -p /root/.ssh/ nano /root/.ssh/authorized_keysNow paste the content of the key in this file and save it (remember, it must be on one line)
* Enable the SSH Key *
nano /etc/ssh/sshd_config #PubkeyAuthentication yes --> PubkeyAuthentication yes #PasswordAuthentication yes --> PasswordAuthentication yes Add to the end of the file Match User root AuthenticationMethods publickey,password systemctl restart sshdPlease note that you can use the same layout to enable how many users you want (also because even with cloudflared and the ssh key it's still not safe to let the root login via SSH)
Now you can Install Multicraft:
* Update the system and erase cockpit *
dnf -y erase cockpit* dnf -y update* Install the main functions and FirewallD (the export command is optional, it will set as default editor Nano instead of Vim) *
dnf -y install wget zip unzip git nano firewalld policycoreutils-python-utils policycoreutils-devel setroubleshoot-server rpmdevtools rpm-build tree docker rsync export VISUAL=nano export EDITOR="$VISUAL" nano /usr/lib/systemd/system/firewalld.timer (Copy the content inside the file) [Unit] Description=firewalld - dynamic firewall daemon Before=network-pre.target Wants=network-pre.target After=dbus.service After=polkit.service Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service Documentation=man:firewalld(1) [Service] EnvironmentFile=-/etc/sysconfig/firewalld ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS ExecReload=/bin/kill -HUP $MAINPID # supress to log debug and error output also to /var/log/messages StandardOutput=null StandardError=null Type=dbus BusName=org.fedoraproject.FirewallD1 KillMode=mixed [Install] WantedBy=multi-user.target [Timer] OnBootSec=1min* Add the firewall rules (choose a random number to assign to each service (like ssh, mariadb...) *
chmod 644 /usr/lib/systemd/system/firewalld.timer sudo systemctl start firewalld sudo systemctl disable firewalld sudo systemctl enable firewalld.timer sudo firewall-cmd --set-default-zone=public sudo firewall-cmd --zone=public --set-target=DROP --permanent sudo firewall-cmd --zone=public --add-service=http --permanent sudo firewall-cmd --zone=public --add-service=https --permanent sudo firewall-cmd --zone=public --add-service=ftp --permanent sudo firewall-cmd --zone=public --add-service=rsyncd --permanent sudo firewall-cmd --zone=public --remove-service=cockpit --permanent sudo firewall-cmd --zone=public --add-port=25465/tcp --permanent sudo firewall-cmd --zone=public --add-port=25465/udp --permanent sudo firewall-cmd --zone=public --add-port=25565-25575/tcp --permanent sudo firewall-cmd --zone=public --add-port=25565-25575/udp --permanent sudo firewall-cmd --zone=public --add-port=19132-19142/tcp --permanent sudo firewall-cmd --zone=public --add-port=19132-19142/udp --permanent sudo firewall-cmd --zone=public --add-port=ftp_min_passive_port-ftp_max_passive_port/tcp --permanent sudo firewall-cmd --zone=public --add-port=ssh_port/tcp --permanent sudo firewall-cmd --zone=public --add-port=mariadb_port/tcp --permanent firewall-cmd --reload* Install PHP *
dnf config-manager --set-enabled crb dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm -y dnf module reset php -y dnf -y module install php:remi-8.2 dnf -y install httpd php-common php-fpm php-gd php-mbstring php-ldap php-odbc php-pear php-xml php-xmlrpc php-bcmath php-mysql php-pdo php-mysqlnd tar curl java-1.8.0-openjdk-devel java-11-openjdk-devel java-17-openjdk-devel rsync rsync-daemon libnsl* Install MariaDB *
wget https://r.mariadb.com/downloads/mariadb_repo_setup chmod +x mariadb_repo_setup sudo ./mariadb_repo_setup sudo dnf install perl-DBI libaio libsepol lsof boost-program-options -y sudo dnf install mariadb-server -y sudo mysql_install_db sudo systemctl enable --now mariadb.service sudo mariadb-secure-installation (When it asks for the unix_socket authentication [Y/n] just say "n") nano /etc/my.cnf.d/server.cnf port = mariadb_port* Configure the Java default version *
sudo alternatives --config java* Clean Mariadb and Apache scripts and enable Apache *
rm -rf mariadb_repo_setup systemctl enable --now httpd* Edit the PHP settings (make sure to uncomment (toggle the comma ";") *
nano /etc/php.ini --> upload_max_filesize = maximum_file_size (here you can choose either from M for megabytes or G for gigabytes) --> max_execution_time = 0 (edit as you like, but I suggest to use a value between 60 and 300 seconds) --> cgi.fix_pathinfo=0 (always set it to 0 for better security) --> date.timezone= Time/Zone (edit as you like, I suggest to use your time zone). (example: Europe/Rome)* Set the time zone *
timedatectl set-timezone Time/Zone (example: Europe/Rome)* Install phpMyAdmin *
wget -c https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz -O phpMyAdmin-latest-all-languages.tar.gz tar -zxvf phpMyAdmin-latest-all-languages.tar.gz rm -rf phpMyAdmin-latest-all-languages.tar.gz mkdir -p /usr/share/phpMyAdmin mv phpMyAdmin-*/* /usr/share/phpMyAdmin cp -pr /usr/share/phpMyAdmin/config.sample.inc.php /usr/share/phpMyAdmin/config.inc.php setsebool -P httpd_can_network_connect 1 setsebool -P httpd_can_network_connect_db 1 nano /usr/share/phpMyAdmin/config.inc.phpMake sure to add the blowfish key from here: https://phpsolved.com/phpmyadmin-blowfish-secret-generator/?g=[insert_php]echo%20$code;[/insert_php]
* Change the localhost setting to 127.0.0.1 (otherwise it won't connect correctly) *
$cfg['Servers'][$i]['host'] = 'localhost'; --> $cfg['Servers'][$i]['host'] = '127.0.0.1:mariadb_port';Otherwise, phpMyAdmin will return a user permission error * Add to the bottom of the file the following line *
#$cfg['Servers'][$i]['AllowRoot'] = FALSE;(This line will tell phpMyAdmin to deny to the root user any login attempt when it's commented out, so without the "#" at the beginning)
mariadb < /usr/share/phpMyAdmin/sql/create_tables.sql -u root -p mkdir /usr/share/phpMyAdmin/tmp chmod 777 /usr/share/phpMyAdmin/tmp chown -R apache:apache /usr/share/phpMyAdmin chmod 755 /usr/share/phpMyAdmin sudo nano /etc/php-fpm.d/www.conf * Edit the file as suggested below * --> listen = /var/run/php-fpm/www.sock --> listen.owner = apache --> listen.group = apache --> user = apache --> group = apache --> ;listen.acl_users = apache,nginx (make sure to comment this line with the ";"!) semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/phpMyAdmin/" semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/phpMyAdmin/tmp(/.*)?" restorecon -Rv "/usr/share/phpMyAdmin/" systemctl enable --now php-fpm chown -R apache:apache /usr/share/phpMyAdmin/ chmod 755 /var/lib/php/session/ nano /etc/httpd/conf.d/phpMyAdmin.conf (Copy this configuration to the file) Alias /phpMyAdmin /usr/share/phpMyAdmin Alias /phpmyadmin /usr/share/phpMyAdmin <Directory /usr/share/phpMyAdmin/> AddDefaultCharset UTF-8 <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require all granted </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> <Directory /usr/share/phpMyAdmin/setup/> <IfModule mod_authz_core.c> # Apache 2.4 <RequireAny> Require all granted </RequireAny> </IfModule> <IfModule !mod_authz_core.c> # Apache 2.2 Order Deny,Allow Deny from All Allow from 127.0.0.1 Allow from ::1 </IfModule> </Directory> nano /etc/httpd/conf/httpd.conf (Now replace all the values with AllowOverride none to AllowOverride all, there should be four lines) AllowOverride none --> AllowOverride all chown -R apache:apache /var/lib/php/session/ systemctl restart httpd php-* mariadb* Now create the multicraft_daemon and multicraft_panel databases and the multicraft user on phpMyAdmin (make sure to grant all permissions to the multicraft user on these two databases) *
* Install Multicraft *
wget http://www.multicraft.org/download/linux64 -O multicraft.tar.gz tar xvzf multicraft.tar.gz cd multicraft ./setup.shAttention: Make sure to specify that the database is mysql!
* Now clean the downloaded files and edit the multicraft.conf and pid as suggested *
rm -rf /root/multicraft.tar.gz phpMyAdmin-* wget http://www.multicraft.org/files/multicraft.service -O /etc/systemd/system/multicraft.service chmod 644 /etc/systemd/system/multicraft.service systemctl daemon-reload nano /home/minecraft/multicraft/multicraft.conf --> pidFile = /var/run/multicraft/multicraft.pid nano /etc/systemd/system/multicraft.service --> PIDFile=/var/run/multicraft/multicraft.pid --> ExecStartPre=/bin/bash -c 'mkdir -p -m 0755 --context=system_u:object_r:var_run_t:s0 /var/run/multicraft && chown -R minecraft: /var/run/multicraft' semanage fcontext -a -t bin_t /home/minecraft/multicraft/bin/multicraft semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/multicraft/protected/config' semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/multicraft/protected/config/config.php' semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/multicraft/protected/runtime(/.*)?' semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/multicraft/assets(/.*)?' semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/multicraft/protected/config/server_defaults.php restorecon -v /var/www/html/multicraft/protected/config/server_defaults.php restorecon -Rv /home/minecraft/multicraft/ restorecon -Rv /var/www/html/multicraft systemctl enable --now multicraft touch /var/log/httpd/multicraft-error.log touch /var/log/httpd/multicraft-access.log sudo dnf install certbot python3-certbot-apache -y nano /home/minecraft/multicraft/multicraft.confNow you have to modify the multicraft.conf to allow the connection to the database. The correct syntax is:
database = mysql:host=127.0.0.1;port=mariadb_port;dbname=multicraft_daemon* Create the webserver *
nano /etc/httpd/conf.d/multicraft.conf <VirtualHost *:80> ServerName domain.tld ServerAlias domain.tdl ServerAdmin example@domain.tld DocumentRoot /var/www/html/multicraft <Directory /var/www/html/multicraft> Options -Indexes +FollowSymLinks AllowOverride All </Directory> ErrorLog /var/log/httpd/multicraft-error.log CustomLog /var/log/httpd/multicraft-access.log combined </VirtualHost> systemctl restart httpd multicraft* Configure Multicraft *
Access via your domain to the Multicraft panel and proceed to the setup. If you have any doubts, refer to the official setup docs.
After the configuration, make sure you delete the install.php file:
rm -rf /var/www/html/multicraft/install.php
* Install the TLS certificate and schedule a routine as shown *
sudo certbot --apache systemctl restart httpd crontab -e 0 0 * * * dnf -y update >/dev/null 2>&1 30 0 * * * /usr/bin/certbot renew > /var/log/letsencrypt/letsencrypt.log */5 * * * * chown -R minecraft:minecraft /home/minecraft/multicraft/jar/ /home/minecraft/multicraft/templates/ >/dev/null 2>&1 */5 * * * * chown -R sftpuser:sftpuser /home/sftpuser/uploads >/dev/null 2>&1 */5 * * * * chmod 755 /var/lib/php/session >/dev/null 2>&1 */5 * * * * chmod 664 /home/minecraft/multicraft/jar/ /home/minecraft/multicraft/templates/ >/dev/null 2>&1 0 */3 * * * rm -rf /var/lib/php/session/* >/dev/null 2>&1* Clean the installation file and edit the timeout to make sure the daemon will run properly within FirewallD *
rm -rf /var/www/html/multicraft/install.php nano /var/www/html/multicraft/protected/components/Controller.php Change the timeout to 60 seconds (line 96) --> 'timeout' => 60,* Configure the TLS encryption with the Multicraft FTP *
nano /home/minecraft/multicraft/multicraft.conf ftpPasvPorts = ftp_min_passive_port-ftp_max_passive_port ftps = true ftpsCertfile = /etc/letsencrypt/live/domain.tld/fullchain.pem ftpsKeyfile = /etc/letsencrypt/live/domain.tld/privkey.pem ftpsForce = true ftpsCompatMode = false* Configure the SFTP access *
nano /etc/ssh/sshd_config Modify the line 123 as follow: #Subsystem sftp /usr/libexec/openssh/sftp-server (comment this line) Subsystem sftp internal-sftp (add this line) (Add the template at the bottom of the file) Match User sftpuser PasswordAuthentication yes ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding noNow let's create the user and its home:
First, make sure that the sbin/nologin shell is enabled in the file /etc/shells:
nano /etc/shellsIf it's not present, add the line at the bottom: /sbin/nologin
Then save and exit. Now let's create the sftp user:
useradd -s /usr/sbin/nologin sftpuser chown -R root:sftpuser /home/sftpuser chmod 755 -R /home/sftpuser mkdir /home/sftpuser/uploads chown sftpuser:sftpuser /home/sftpuser/uploads passwd sftpuser* Edit the default SSH port (ONLY IF YOU DIDN'T USE THE CLOUDFLARED TUNNEL!) *
nano /etc/ssh/sshd_config Port ssh_port systemctl restart sshd* Disable the root access through phpMyAdmin *
nano /usr/share/phpMyAdmin/config.inc.php --> #$cfg['Servers'][$i]['AllowRoot'] = FALSE; --> $cfg['Servers'][$i]['AllowRoot'] = FALSE;
** FAQ **
- The Multicraft page redirects me to the error ERR_TOO_MANY_REDIRECT
Probably in the folder /var/www/html/multicraft/ there's no install.php or it has not had the correct authorizations, if so you can copy the original downloaded file like this:
cp -p /root/multicraft/panel/install.php /var/www/html/multicraft/install.php
- Is there a way to simplify the link visualization?
Yes just go to /var/www/html/multicraft/protected/config/internal/application.php and edit as shown:
(Remove all the /* and */)
// uncomment the following to enable URLs in the format index.php/server/1 /*'urlFormat'=>'path',*/ // uncomment the following to hide the index.php part of the URL /*'showScriptName'=>false,*/And then execute:
systemctl restart multicraft httpd