LEMP w/ PHP7.2 (or 7.1) & MariaDB on Ubuntu 16/17 x64

ardnor/lemp-stack

 
 

Basic installation process of LEMP

Last update: 15/01/2018, tested on Ubuntu 17.04

Overview

This document is a list of notes made while installing several Ubuntu LEMP instances w/ PHP7.2. With a bit of imagination it can be considered a step-by-step tutorial for a really basic LEMP installation. I wrote it mainly for myself, but feel free to use it. The LEMP consists of:

  • Nginx
  • PHP7.2 (php-fpm)
  • MariaDB
  • Optional: git, munin, rabbitmq, supervisor, node.js, Let's Encrypt, postfix

Essentials

Installation script

To automatically install essentials, you can use the 👉 startup.sh script by downloading it and calling it with sudo ./startup.sh. The file is deleted automatically.

Manual installation

If you want to have the installation in your hands, follow the manual installation. 👇

add new user

adduser admin

allow sudo without password for this user

echo "admin    ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

try new user

su - admin
exit

add authorized keys for that user

su - admin
mkdir .ssh
nano .ssh/authorized_keys
chmod 700 .ssh/
chmod 600 .ssh/authorized_keys

disable password login for all users

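# Optional
# sshd uses the first value it finds for a keyword: check that no earlier
# PasswordAuthentication line or Match block precedes the appended line.
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl reload sshd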

Or disable the password for some users only (admin, user_tld)

# Optional
sudo nano /etc/ssh/sshd_config
> Match User admin,user_tld
>    PasswordAuthentication no
sudo systemctl reload sshd
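
Added example, not part of the original notes: appending to sshd_config only disables password logins if no earlier PasswordAuthentication line exists and no Match block sits above the appended line. The sketch evaluates a config file under those two OpenSSH rules; the function names and the sample config are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Assumed OpenSSH semantics: the first value per keyword wins, and a Match
# block extends to the next Match line or the end of the file.

# Print the global PasswordAuthentication value sshd would use for config $1.
effective_password_auth() {
    awk '
        { gsub(/[="]/, " ") }                   # accept "Key=value" and quoted values
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        { kw = tolower($1) }                    # keywords are case-insensitive
        kw == "match" { in_match = 1; next }    # everything below is conditional
        kw == "passwordauthentication" && !in_match && v == "" { v = tolower($2) }
        END { print (v == "" ? "yes" : v) }     # OpenSSH default is "yes"
    ' "$1"
}

# Succeed if $1 contains a Match block, i.e. a line appended with >> would be
# scoped to that block instead of applying to all users.
has_match_block() {
    awk 'tolower($1) == "match" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample: a config that already says "yes" and ends with a Match
# block, followed by the append used in the step above.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
        'Match User deploy' '    X11Forwarding no' > "$dir/sshd_config"
    echo 'PasswordAuthentication no' >> "$dir/sshd_config"
    echo "effective global value after append: $(effective_password_auth "$dir/sshd_config")"
    has_match_block "$dir/sshd_config" && echo "appended line sits inside a Match block"
    rm -rf "$dir"
}
demo
```

On a live host, sudo sshd -T | grep -i passwordauthentication prints the value sshd actually resolved.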

Fix locale if you are getting "WARNING! Your environment specifies an invalid locale."

echo 'LC_ALL="en_US.UTF-8"' | sudo tee -a /etc/environment
# Log out & in

Set the correct timezone

sudo dpkg-reconfigure tzdata

Configure & Update APT

sudo apt-get -y update ; sudo apt-get -y upgrade
sudo apt-get -y install unattended-upgrades python-software-properties software-properties-common apache2-utils fail2ban

Install security updates automatically

sudo dpkg-reconfigure -plow unattended-upgrades

Install essentials

sudo apt-get install mc
sudo apt-get install htop

Setup and configure Firewall

Open the SSH, HTTP and HTTPS ports only.

sudo ufw allow 22 #OpenSSH
sudo ufw allow 80 #http
sudo ufw allow 443 #https
yes | sudo ufw enable
sudo ufw status

Webserver installation

Install Nginx

sudo add-apt-repository -y ppa:nginx/development && sudo apt-get update
sudo apt-get -y install nginx

Install MariaDB

sudo apt-get -y install mariadb-server # Or MySQL: sudo apt-get install mysql-server
sudo service mysql stop # Stop the MySQL if is running.
sudo mysql_install_db
sudo service mysql start
sudo mysql_secure_installation

Install PHP7.2

sudo add-apt-repository -y ppa:ondrej/php && sudo apt-get update
sudo apt-get -y install php7.2

Choose and install PHP7.2 modules

sudo apt-cache search php7.2-*
sudo apt-get -y install php7.2-fpm php7.2-mysql php7.2-curl php7.2-gd php7.2-mcrypt php7.2-sqlite3 php7.2-bz2 php7.2-mbstring php7.2-soap php7.2-xml php7.2-zip

Check the installed PHP version

php -v

Configure Nginx

Configure /etc/nginx/nginx.conf

worker_processes auto;
events {
        use epoll;
        worker_connections 1024; # ~ RAM / 2
        multi_accept on;
}

Default vhost

cd /etc/nginx/sites-available
sudo rm default
sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/sites-available/default
cd /etc/nginx/conf.d
sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/gzip.conf

Setup default settings for all virtual hosts

sudo mkdir -p /etc/nginx/conf.d/server/
cd /etc/nginx/conf.d/server/
sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/server/1-common.conf

Reload Nginx

sudo nginx -t && sudo nginx -s reload

Add new website, configuring PHP & Nginx & MariaDB

Steps 1. - 9. can be skipped by calling the add-vhost.sh. Just download add-vhost.sh, chmod u+x ./add-vhost.sh and call it sudo ./add-vhost.sh. The file is deleted automatically.

cd ~
wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/add-vhost.sh
chmod u+x add-vhost.sh
sudo ./add-vhost.sh

1. Create the dir structure for new website

sudo mkdir -p /var/www/vhosts/new-website.tld/{web,logs,ssl}

2. User groups and roles

sudo groupadd new-website
sudo useradd -g new-website -d /var/www/vhosts/new-website.tld new-website
sudo passwd new-website

You can switch users by using sudo su - new-website

3. Update permissions

sudo chown -R new-website:new-website /var/www/vhosts/new-website.tld
sudo chmod -R 0775 /var/www/vhosts/new-website.tld

4. Create new PHP-FPM pool for new site

sudo nano /etc/php/7.2/fpm/pool.d/new-website.tld.conf

5. Configure the new pool

[new-website]
user = new-website
group = new-website
listen = /run/php/php7.2-fpm-new-website.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
; Hard limit on the total number of worker processes
pm.max_children = 5
; Number of workers PHP-FPM creates on startup
pm.start_servers = 2
; Minimum number of idle workers PHP-FPM keeps available
pm.min_spare_servers = 1
; Maximum number of idle workers PHP-FPM keeps available
pm.max_spare_servers = 3
pm.max_requests = 500
chdir = /

5.1 Configuring pm.max_children

  1. Find how much RAM FPM consumes: ps -A -o pid,rss,command | grep php-fpm -> second column (RSS), in kilobytes
    1. Reference: https://overloaded.io/finding-process-memory-usage-linux
  2. Eg. ~43904 / 1024 -> ~43MB per one process
  3. Calculation: If server has 2GB RAM, let's say PHP can consume 1GB (with some buffer, otherwise we can use 1.5GB): 1024MB / 43MB -> ~30MB -> pm.max_children = 30

5.2 Configuring pm.start_servers, pm.min_spare_servers, pm.max_spare_servers

  1. pm.start_servers == number of CPUs
  2. pm.min_spare_servers = pm.start_servers / 2
  3. pm.max_spare_servers = pm.start_servers * 3
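
Added example, not part of the original notes: a helper that applies the 5.1 and 5.2 rules to ps output and clamps the results so PHP-FPM accepts them (it rejects a dynamic pool unless min_spare <= start <= max_spare <= max_children). The function names, the RAM budget argument and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Usage: ps -A -o pid,rss,command | fpm_sizing RAM_BUDGET_MB CPU_COUNT
fpm_sizing() {
    awk -v budget_mb="$1" -v cpus="$2" '
        # Count pool workers only: skip the master process and unrelated lines
        # such as the header or the grep process itself.
        $3 ~ /^php-fpm/ && $0 !~ /master process/ { sum_kb += $2; n++ }
        END {
            if (n == 0) { print "no php-fpm workers in input" > "/dev/stderr"; exit 1 }
            avg_kb = sum_kb / n                        # ps reports RSS in kilobytes
            max_children = int(budget_mb * 1024 / avg_kb)
            if (max_children < 1) max_children = 1
            start = cpus + 0                           # 5.2: one worker per CPU
            max_spare = start * 3                      # 5.2: start * 3
            if (max_spare > max_children) max_spare = max_children
            if (start > max_spare) start = max_spare   # small-RAM hosts
            min_spare = int(start / 2)                 # 5.2: start / 2
            if (min_spare < 1) min_spare = 1
            printf "pm.max_children = %d\n", max_children
            printf "pm.start_servers = %d\n", start
            printf "pm.min_spare_servers = %d\n", min_spare
            printf "pm.max_spare_servers = %d\n", max_spare
        }'
}

# Constructed ps output: one master, three workers of about 50 MB, one grep.
sample_ps() {
    cat <<'EOF'
  PID   RSS COMMAND
 1201 21504 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
 1210 51200 php-fpm: pool new-website
 1211 50176 php-fpm: pool new-website
 1212 52224 php-fpm: pool new-website
 1300  1024 grep php-fpm
EOF
}

# 1 GB budget on a 2-CPU host.
sample_ps | fpm_sizing 1024 2
```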

6. Restart PHP fpm and check it's running

sudo service php7.2-fpm restart
ps aux | grep new-website

7. Create new "vhost" for Nginx

sudo nano /etc/nginx/sites-available/new-website.tld

8. Configure the vhost

server {
    listen 80;

    root /var/www/vhosts/new-website.tld/web;
    index index.php index.html index.htm;

    server_name www.new-website.tld new-website.tld;

    include /etc/nginx/conf.d/server/1-common.conf;

    access_log /var/www/vhosts/new-website.tld/logs/access.log;
    error_log /var/www/vhosts/new-website.tld/logs/error.log warn;

    location ~ \.php$ {
        try_files $uri $uri/ /index.php?$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # Must match the "listen" socket of the pool from step 5
        fastcgi_pass unix:/run/php/php7.2-fpm-new-website.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

9. Enable the new vhost

cd /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/new-website.tld new-website.tld
sudo nginx -t && sudo nginx -s reload

10. MariaDB (MySQL)

sudo mysql -u root -p
> CREATE DATABASE newwebsite_tld;
> CREATE USER 'newwebsite_tld'@'localhost' IDENTIFIED BY 'password';
> GRANT ALL PRIVILEGES ON newwebsite_tld.* TO 'newwebsite_tld'@'localhost';
> FLUSH PRIVILEGES;

Others

Git

sudo apt-get install git

Adminer

Adminer is a database management tool, mostly for MySQL. It's really tiny, simple & easy to use.

cd /etc/nginx/conf.d/server/
sudo wget https://raw.githubusercontent.com/lucien144/lemp-stack/master/nginx/conf.d/server/4-adminer.conf
sudo mkdir -p /var/www/html/adminer/
cd /var/www/html/adminer/
sudo wget https://www.adminer.org/latest.php -O index.php
sudo chmod a+x index.php
sudo htpasswd -c .htpasswd user
sudo nginx -t && sudo nginx -s reload

Adminer is now ready at http://{server.ip}/adminer/

Postfix (sending emails from PHP)

In case you cannot send emails from PHP and are getting the error Network is unreachable (see tail /var/log/mail.log), you need to switch Postfix from IPv6 to IPv4.

sudo apt-get install postfix
sudo nano /etc/postfix/main.cf

Now change the line inet_protocols = all to inet_protocols = ipv4 and restart postfix by sudo /etc/init.d/postfix restart.

You can also check if you have opened port 25 by netstat -nutlap | grep 25

Munin

1. Install

sudo apt-get install munin-node munin

2. Configure Munin

  1. Uncomment #host 127.0.0.1 in /etc/munin/munin-node.conf
  2. Append following code to /etc/munin/munin-node.conf

[nginx*]
env.url http://localhost/nginx_status

3. Configure nginx /etc/nginx/sites-available/default

sudo nano /etc/nginx/sites-available/default
# Change listen 80 default_server; to
listen 80;

# Change listen [::]:80 default_server; to
listen [::]:80;

# Add settings for stub status to server {}
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

# Add setting to access stats online

    location /stats {
        allow YOUR.IP.ADDRESS;
        deny all;
        alias /var/cache/munin/www/;
    }

4. Install plugins

cd /usr/share/munin/plugins
sudo wget -O nginx_connection_request https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_connection_request
sudo wget -O nginx_status https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_status
sudo wget -O nginx_memory https://raw.github.com/munin-monitoring/contrib/master/plugins/nginx/nginx_memory

sudo chmod +x nginx_connection_request
sudo chmod +x nginx_status
sudo chmod +x nginx_memory

sudo ln -s /usr/share/munin/plugins/nginx_connection_request /etc/munin/plugins/nginx_connection_request
sudo ln -s /usr/share/munin/plugins/nginx_status /etc/munin/plugins/nginx_status
sudo ln -s /usr/share/munin/plugins/nginx_memory /etc/munin/plugins/nginx_memory

Restart Munin

sudo service munin-node restart

Rabbitmq

Install PHP extension

sudo apt-get install php-amqp

Install RabbitMQ

echo 'deb http://www.rabbitmq.com/debian/ testing main' | sudo tee /etc/apt/sources.list.d/rabbitmq.list
wget -O- https://www.rabbitmq.com/rabbitmq-release-signing-key.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install rabbitmq-server
sudo service rabbitmq-server status
sudo rabbitmq-plugins enable rabbitmq_management
sudo ufw allow 15672
sudo rabbitmqctl add_user admin *********
sudo rabbitmqctl set_user_tags admin administrator
sudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
sudo rabbitmqctl delete_user guest
sudo service rabbitmq-server restart

Installing plugin

  1. Download the .ez plugin to /usr/lib/rabbitmq/lib/rabbitmq_server-{version}/plugins
  2. Enable the plugin by sudo rabbitmq-plugins enable {plugin name}

Supervisor

sudo apt-get install supervisor

Node.js & NPM

sudo apt-get install nodejs
sudo apt-get install npm

If you are getting the error /usr/bin/env: ‘node’: No such file or directory, run

sudo ln -s /usr/bin/nodejs /usr/bin/node

Let's Encrypt

sudo apt-get -y install letsencrypt
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/thebuttongame.io/web -d thebuttongame.io -d www.thebuttongame.io

# Allow Let's Encrypt authorization (goes into the vhost's server {} block)
location ~ /.well-known {
  allow all;
}

Todo

Reference

Setting PHP-FPM

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
