NotificationsYou must be signed in to change notification settings
Fork39
Star65

🤖 LEMP w/ PHP7.X & MariaDB on Ubuntu 16/17/18 x64

65 stars 39 forks Branches Tags Activity

You must be signed in to change notification settings

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 121 Commits
adminer		adminer
nginx		nginx
add-vhost.sh		add-vhost.sh
lemp.sh		lemp.sh
readme.md		readme.md
startup.sh		startup.sh

Repository files navigation

Basic installation process of LEMP

Last update: 04/09/2020, tested on Ubuntu 20.04 with PHP7.4

If you are looking for the older versions of the PHP, 👀 at branchesphp7.2 orphp7.1

🔥 Looking forcool t-shirts for web developers?
Check out myDevnull Clothing.

Overview

This document is a list of notes when installing several Ubuntu LEMP instances w/ PHP7.4. With some sort of imagination it can be considered as a step-by-step tutorial of really basic installation process of LEMP. I wrote it mainly for myself, but feel free to use it. The LEMP consists of:

Nginx
PHP7.4 (php-fpm)
MariaDB
Optional: git, munin, rabbitmq, supervisor, node.js, Let's Encrypt, postfix

Basic installation process of LEMP

Essentials

Installation script

To automatically install essentials, you can use the 👉startup.sh script by downloading it and calling it with sudosudo ./startup.sh.The file is deleted automatically.

Manual installation

If you want to have the installation in your hands, follow the manual installation. 👇

add new user

adduser admin

allow su without password for this user

echo"admin    ALL=(ALL) NOPASSWD:ALL">> /etc/sudoers

try new user

su - adminexit

add authorized keys for that user

su - adminmkdir .sshnano .ssh/authorized_keyschmod 700 .ssh/chmod 600 .ssh/authorized_keys

disable password login for all users

# Optionalecho"PasswordAuthentication no"| sudo tee --append /etc/ssh/sshd_configsudo systemctl reload sshd

Or disable the password for some users only (admin, user_tld)

# Optionalsudo nano /etc/ssh/sshd_config> Match User admin,user_tld>    PasswordAuthentication nosudo systemctl reload sshd

Fix locale if you are getting "WARNING! Your environment specifies an invalid locale."

sudoecho'LC_ALL="en_US.UTF-8"'>> /etc/environment# Log out & in

Set the correct timezone

sudo dpkg-reconfigure tzdata

Configure & Update APT

sudo apt-get -y dist-upgrade; sudo apt-get -y update; sudo apt-get -y upgradesudo apt-get -y install unattended-upgrades software-properties-common apache2-utils fail2ban

Install security updates automatically

sudo dpkg-reconfigure -plow unattended-upgrades

Install essentials

sudo apt-get -y install mc htop

Replace`rm` with`trash`

This is optional but recommended.rm is a dangerous command therefore is recommended to replace it by safer versiontrash that instead of removing files moving them to a trash. Moreinfo here.

$ sudo apt-get -y install trash-cli$echo"alias rm='echo\"This is not the command you are looking for. Use <trash> instead.\"; false'"| sudo tee --append

Setup and configure Firewall

Open SSH port only.

sudo ufw allow 22#OpenSSHsudo ufw allow 80#httpsudo ufw allow 443#httpsyes| sudo ufwenablesudo ufw status

Webserver installation

You can skip steps 1-4 by downloading and running thelemp.sh script:

wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/lemp.sh&& chmod u+x lemp.shsudo ./lemp.sh

1. Install Nginx

sudo add-apt-repository -y ppa:nginx/development&& sudo apt-get updatesudo apt-get -y install nginx

2. Install MariaDB

sudo apt-get -y install mariadb-server# Or MySQL: sudo apt-get install mysql-serversudo service mysql stop# Stop the MySQL if is running.sudo mysql_install_dbsudo service mysql startsudo mysql_secure_installation

3. Install PHP7.4

sudo add-apt-repository -y ppa:ondrej/php&& sudo apt-get updatesudo apt-get -y install php7.4

4. Choose and install PHP7.4 modules

sudo apt-cache search php7.4-*sudo apt-get -y install php7.4-fpm php7.4-curl php7.4-gd php7.4-json php7.4-mysql php7.4-sqlite3 php7.4-pgsql php7.4-bz2 php7.4-mbstring php7.4-soap php7.4-xml php7.4-zip

5. Check the installed PHP version

php -v

6. Configure Nginx

Configure`/etc/nginx/nginx.conf`

worker_processes auto;events {        use epoll;        worker_connections 1024;# ~ RAM / 2        multi_accept on;}

Default vhost

cd /etc/nginx/sites-availablesudo rm defaultsudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/sites-available/defaultcd /etc/nginx/conf.dsudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/gzip.conf

Setup default settings for all virtual hosts

sudo mkdir -p /etc/nginx/conf.d/server/cd /etc/nginx/conf.d/server/sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/server/1-common.conf

Reload Nginx

sudo nginx -t&& sudo nginx -s reload

Add new website, configuring PHP & Nginx & MariaDB

Steps 1. - 9. can be skipped by calling theadd-vhost.sh. Just downloadadd-vhost.sh,chmod u+x ./add-vhost.sh and call itsudo ./add-vhost.sh.The file is deleted automatically.

$cd~&& wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/add-vhost.sh&& chmod u+x add-vhost.sh$ sudo ./add-vhost.sh

1. Create the dir structure for new website

sudo mkdir -p /var/www/vhosts/new-website.tld/{web,logs,ssl}

2. User groups and roles

$ sudo groupadd new-website$ sudo useradd -g new-website -d /var/www/vhosts/new-website.tld new-website$ sudo passwd new-website$ sudo usermod -s /bin/bash new-website

You can switch users by usingsudo su - new-website

3. Update permissions

sudo chown -R new-website:new-website /var/www/vhosts/new-website.tldsudo chmod -R 0775 /var/www/vhosts/new-website.tld

4. Create new PHP-FPM pool for new site

sudo nano /etc/php/7.4/fpm/pool.d/new-website.tld.conf

5. Configure the new pool

[new-website]user = new-websitegroup = new-websitelisten = /run/php/php7.4-fpm-new-website.socklisten.owner = www-datalisten.group = www-dataphp_admin_value[disable_functions] = exec,passthru,shell_exec,systemphp_admin_flag[allow_url_fopen] = offpm = dynamicpm.max_children = 5# The hard-limit total number of processes allowedpm.start_servers = 2# When nginx starts, have this many processes waiting for requestspm.min_spare_servers = 1# Number spare processes nginx will createpm.max_spare_servers = 3# Number spare processes attempted to createpm.max_requests = 500chdir = /

5.1 Configuring`pm.max_children`

Find how much RAM FPM consumes:ps -A -o pid,rss,command | grep php-fpm -> second row in bytes
1. Reference:https://overloaded.io/finding-process-memory-usage-linux
Eg. ~43904 / 1024 -> ~43MB per one process
Calculation: If server has 2GB RAM, let's say PHP can consume 1GB (with some buffer, otherwise we can use 1.5GB): 1024MB / 43MB -> ~30MB -> pm.max_childern = 30

5.2 Configuring`pm.start_servers`,`pm.min_spare_servers`,`pm.max_spare_servers`

pm.start_servers == number of CPUs
pm.min_spare_servers =pm.start_servers / 2
pm.max_spare_servers =pm.start_servers * 3

6. Restart PHP fpm and check it's running

sudo service php7.4-fpm restartps aux| grep new-site

7. Create new "vhost" for Nginx

sudo nano /etc/nginx/sites-available/new-site.tld

8. Configure the vhost

server {    listen 80;    root /var/www/vhosts/new-site.tld/web;    index index.php index.html index.htm;    server_name www.new-site.tld new-site.tld;    include /etc/nginx/conf.d/server/1-common.conf;    access_log /var/www/vhosts/new-site.tld/logs/access.log;    error_log /var/www/vhosts/new-site.tld/logs/error.log warn;    location~\.php$ {        try_files$uri$uri/ /index.php?$args;        fastcgi_split_path_info ^(.+\.php)(/.+)$;        fastcgi_pass unix:/var/run/php/php7.4-fpm-new-site.sock;        fastcgi_index index.php;        fastcgi_param SCRIPT_FILENAME$document_root$fastcgi_script_name;        include fastcgi_params;    }}

9. Enable the new vhost

cd /etc/nginx/sites-enabled/sudo ln -s /etc/nginx/sites-available/new-site.tld new-site.tldsudo nginx -t && sudo nginx -s reload

10. MariaDB (MySQL)

sudo mysql> CREATE DATABASE newwebsite_tld;> CREATE USER'newwebsite_tld'@'localhost' IDENTIFIED BY'password';> GRANT ALL PRIVILEGES ON newwebsite_tld.* TO'newwebsite_tld'@'localhost';> FLUSH PRIVILEGES;

Others

Git Aware Prompt

If you want to have nice git-aware prompt with some handy aliases, use this:

sudo su virtualhostusercd ~wget https://gist.githubusercontent.com/lucien144/56fbb184b1ec01fae1adf2e7abb626b6/raw/0928548acb2ff1618054069f0ae7e60f92d76cc3/install.sh && cat install.sh | bashbash

More information about aliases and otherin this gist.

Git

sudo apt-get install git

Adminer

Adminer is a mostly MySQL database management tool. It's really tiny, simple & easy to use.

cd /etc/nginx/conf.d/server/sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/server/4-adminer.confsudo mkdir -p /var/www/html/adminer/cd /var/www/html/adminer/sudo wget https://www.adminer.org/latest.php -O index.phpsudo chmod a+x index.phpsudo htpasswd -c .htpasswd usersudo nginx -t && sudo nginx -s reload

Adminer is now ready at http://{server.ip}/adminer/

Also, don't forget to change the username 👆.

Postfix (sending emails from PHP)

In case you cannot send emails from PHP and getting error (tail /var/log/mail.log)Network is unreachable, you need to switch Postfix from IPv6 to IPv6.

sudo apt-get install postfixsudo nano /etc/postfix/main.cf

Now change the lineinet_protocols = all toinet_protocols = ipv4 and restart postfix bysudo /etc/init.d/postfix restart.

You can also check if you have opened port 25 bynetstat -nutlap | grep 25

Munin

1. Install

apt-get install munin-node munin

2. Configure Munin

Uncomment#host 127.0.0.1 in/etc/munin/munin-node.conf
Append following code to/etc/munin/munin-node.conf

[nginx*]env.url http://localhost/nginx_status

3. Configure nginx`/etc/nginx/sites-available/default`

sudo nano /etc/nginx/sites-available/default# Change listen 80 default_server; tolisten 80#Change listen [::]:80 default_server; tolisten [::]:80# Add settings for stub status to server {}    location /nginx_status {        stub_status on;        access_log off;        allow 127.0.0.1;        deny all;    }# Add setting to access stats online    location /stats {        allow YOUR.IP.ADDRESS;        deny all;        alias /var/cache/munin/www/;    }

4. Installplugins

cd /usr/share/munin/pluginssudo wget -O nginx_connection_request https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_connection_requestsudo wget -O nginx_status https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_statussudo wget -O nginx_memory https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_memorysudo chmod +x nginx_requestsudo chmod +x nginx_statussudo chmod +x nginx_memorysudo ln -s /usr/share/munin/plugins/nginx_request /etc/munin/plugins/nginx_requestsudo ln -s /usr/share/munin/plugins/nginx_status /etc/munin/plugins/nginx_statussudo ln -s /usr/share/munin/plugins/nginx_memory /etc/munin/plugins/nginx_memory

Restart Munin

sudo service munin-node restart

Rabbitmq

Install PHP extension

sudo apt-get install php-amqp

Install RabbitMQ

echo 'deb http://www.rabbitmq.com/debian/ testing main' | sudo tee /etc/apt/sources.list.d/rabbitmq.listwget -O- https://www.rabbitmq.com/rabbitmq-release-signing-key.asc | sudo apt-key add -sudo apt-get updatesudo apt-get install rabbitmq-serversudo service rabbitmq-server statussudo rabbitmq-plugins enable rabbitmq_managementsudo ufw allow 15672sudo rabbitmqctl add_user admin *********sudo rabbitmqctl set_user_tags admin administratorsudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"sudo rabbitmqctl delete_user guestsudo service rabbitmq-server restart

Installing plugin

Download the.ez plugin to/usr/lib/rabbitmq/lib/rabbitmq_server-{version}/plugins
Enable the plugin bysudo rabbitmq-plugins enable {plugin name}

Supervisor

sudo apt-get install supervisor

Enable the web interface

echo"[inet_http_server]port=9001username=adminpassword=*********"| sudo tee --append /etc/supervisor/supervisord.confsudo service supervisor reloadsudo ufw allow 9001

The interface should be available on http://{SERVER_IP}:9001/

Node.js & NPM

sudo apt-get install nodejssudo apt-get install npm

If you are getting error/usr/bin/env: ‘node’: No such file or directory run

sudo ln -s /usr/bin/nodejs /usr/bin/node

Composer

wget https://raw.githubusercontent.com/composer/getcomposer.org/76a7060ccb93902cd7576b67264ad91c8a2700e2/web/installer -O - -q | php -- --quietsudo mv composer.phar /usr/local/bin/composer

Reference:https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md

Todo

better vhost permissions for reading for other users
better description of nginx configuration
script for creating new vhost
composer
Let's encrypt (?)
s3cmd
automysqlbackup
SSH/SFTP jail (?)
- https://www.linode.com/docs/tools-reference/tools/limiting-access-with-sftp-jails-on-debian-and-ubuntu
- makejail

Reference

Setting PHP-FPM

License

This work is licensed under aCreative Commons Attribution-ShareAlike 4.0 International License.

About