A “LEMP stack” is a combination of operating system and software which enables you to host websites and web apps on your server.
The term “LEMP” stands for Linux, Nginx, MySQL/MariaDB and PHP.
- Nginx: Runs the web server
- MySQL/MariaDB: Stores website data
- PHP: Processes web content
Here will see how to setup LEMP server on Ubuntu 16.04
Install Nginx
The Nginx web server is among the most popular web servers in the world. It’s well-documented, and has been in wide use for much of the history of the web, which makes it a great default choice for hosting a website.
We can install Nginx easily using Ubuntu’s package manager, apt. A package manager allows us to install most software pain-free from a repository maintained by Ubuntu.
For our purposes, we can get started by typing these commands:
# apt-get update # apt-get install nginx
apt will tell you which packages it plans to install and how much extra disk space they’ll take up. Press Y and hit Enter to continue, and the installation will proceed.
Start Nginx to implement your changes:
# systemctl start nginx
You can now begin adjusting the firewall.
You can do a spot check right away to verify that everything went as planned by visiting your server’s public IP address in your web browser
http://your_server_IP_address
You will see the default Nginx web page, which is there for informational and testing purposes.
If you see this page, then your web server is now correctly installed and accessible through your firewall.
Install MySQL
Now that we have our web server up and running, it is time to install MySQL. MySQL is a database management system. Basically, it will organize and provide access to databases where our site can store information.
Again, we can use apt to acquire and install our software. This time, we’ll also install some other “helper” packages that will assist us in getting our components to communicate with each other:
# apt-get install mysql-server
Again, you will be shown a list of the packages that will be installed, along with the amount of disk space they’ll take up. Enter Y to continue.
During the installation, your server will ask you to select and confirm a password for the MySQL “root” user. This is an administrative account in MySQL that has increased privileges. Think of it as being similar to the root account for the server itself (the one you are configuring now is a MySQL-specific account, however). Make sure this is a strong, unique password, and do not leave it blank.
When the installation is complete, we want to run a simple security script that will remove some dangerous defaults and lock down access to our database system a little bit. Start the interactive script by running:
# mysql_secure_installation
You will be asked to enter the password you set for the MySQL root account. Next, you will be asked if you want to configure the VALIDATE PASSWORD PLUGIN.
Warning: Enabling this feature is something of a judgment call. If enabled, passwords which don’t match the specified criteria will be rejected by MySQL with an error. This will cause issues if you use a weak password in conjunction with software which automatically configures MySQL user credentials, such as the Ubuntu packages for phpMyAdmin. It is safe to leave validation disabled, but you should always use strong, unique passwords for database credentials.
Answer y for yes, or anything else to continue without enabling.
VALIDATE PASSWORD PLUGIN can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD plugin? Press y|Y for Yes, any other key for No:
You’ll be asked to select a level of password validation. Keep in mind that if you enter 2, for the strongest level, you will receive errors when attempting to set any password which does not contain numbers, upper and lowercase letters, and special characters, or which is based on common dictionary words.
There are three levels of password validation policy: LOW Length >= 8 MEDIUM Length >= 8, numeric, mixed case, and special characters STRONG Length >= 8, numeric, mixed case, special characters and dictionary file Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
If you enabled password validation, you’ll be shown a password strength for the existing root password, and asked you if you want to change that password. If you are happy with your current password, enter n for “no” at the prompt:
Using existing password for root. Estimated strength of the password: 100 Change the password for root ? ((Press y|Y for Yes, any other key for No) : n
For the rest of the questions, you should press Y and hit the Enter key at each prompt. This will remove some anonymous users and the test database, disable remote root logins, and load these new rules so that MySQL immediately respects the changes we have made.
At this point, your database system is now set up and we can move on.
Install PHP for Processing
We now have Nginx installed to serve our pages and MySQL installed to store and manage our data. However, we still don’t have anything that can generate dynamic content. We can use PHP for this.
Since Nginx does not contain native PHP processing like some other web servers, we will need to install php-fpm, which stands for “fastCGI process manager”. We will tell Nginx to pass PHP requests to this software for processing.
We can install this module and will also grab an additional helper package that will allow PHP to communicate with our database backend. The installation will pull in the necessary PHP core files. Do this by typing:
# apt-get install php-fpm php-mysql
Configure the PHP Processor
We now have our PHP components installed, but we need to make a slight configuration change to make our setup more secure.
Open the main php-fpm configuration file with root privileges:
# vi /etc/php/7.0/fpm/php.ini
What we are looking for in this file is the parameter that sets cgi.fix_pathinfo. This will be commented out with a semi-colon (;) and set to “1” by default.
This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if the requested PHP file cannot be found. This basically would allow users to craft PHP requests in a way that would allow them to execute scripts that they shouldn’t be allowed to execute.
We will change both of these conditions by uncommenting the line and setting it to “0” like this:
# vi /etc/php/7.0/fpm/php.ini cgi.fix_pathinfo=0
Now, we just need to restart our PHP processor by typing:
# systemctl restart php7.0-fpm
This will implement the change that we made.
Read More: How to Setup LEMP on Centos
Configure Nginx to Use the PHP Processor
Now, we have all of the required components installed. The only configuration change we still need is to tell Nginx to use our PHP processor for dynamic content.
We do this on the server block level (server blocks are similar to Nginx’s virtual hosts). Open the default Nginx server block configuration file by typing:
# /etc/nginx/sites-available/default
Currently, with the comments removed, the Nginx default server block file looks like this:
# vi /etc/nginx/sites-available/default server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } }
We need to make some changes to this file for our site.
- First, we need to add index.php as the first value of our index directive so that files named index.php are served, if available, when a directory is requested.
- We can modify the server_name directive to point to our server’s domain name or public IP address.
- For the actual PHP processing, we just need to uncomment a segment of the file that handles PHP requests by removing the pound symbols (#) from in front of each line. This will be the location ~\.php$ location block, the included fastcgi-php.conf snippet, and the socket associated with php-fpm.
- We will also uncomment the location block dealing with .htaccess files using the same method. Nginx doesn’t process these files. If any of these files happen to find their way into the document root, they should not be served to visitors.
The changes that you need to make are in red in the text below:
# vi /etc/nginx/sites-available/default server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.php index.html index.htm index.nginx-debian.html; server_name server_domain_or_IP; location / { try_files $uri $uri/ =404; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php7.0-fpm.sock; } location ~ /\.ht { deny all; } }
When you’ve made the above changes, you can save and close the file.
Test your configuration file for syntax errors by typing:
# nginx -t
If any errors are reported, go back and recheck your file before continuing.
When you are ready, reload Nginx to make the necessary changes:
# systemctl reload nginx
Test PHP on your Web Server
In order to test that our system is configured properly for PHP, we can create a very basic PHP script.
We will call this script info.php. In order for Nginx to find the file and serve it correctly, it must be saved to a very specific directory, which is called the “web root”.
In Ubuntu 16.04, this directory is located at /var/www/html/. We can create the file at that location by typing:
# vi /var/www/html/info.php
This will open a blank file. We want to put the following text, which is valid PHP code, inside the file:
info.php
<?php phpinfo(); ?>
When you are finished, save and close the file using :wq!
Now we can test whether our web server can correctly display content generated by a PHP script. To try this out, we just have to visit this page in our web browser. You’ll need your server’s public IP address again.
The address you want to visit will be:
http://your_server_IP_address/info.php
This page basically gives you information about your server from the perspective of PHP. It is useful for debugging and to ensure that your settings are being applied correctly.
If this was successful, then your PHP is working as expected.
You probably want to remove this file after this test because it could actually give information about your server to unauthorized users. To do this, you can type this:
# rm /var/www/html/info.php
You can always recreate this page if you need to access the information again later.