Header Ads

How to Install PHP 7.0 (LEMP Stack) on Debian 8 VPS





Please find the updated working guide for LEMP stack here : https://dev.slickalpha.blog/2019/11/installing-lemp-stack-on-debian-buster.html
This guide should be used by system administrators for reference. If you are new to Linux or want to your server setup with nginx and php 7.0, click 'contact us' on the taskbar.

Before you continue make sure you have a server instance ready to test installation. Try VULTR for cheap and reliable VPS servers.



This guide includes all commands and codes that can be executed on a Linux terminal to install a LEMP stack on Debian 8, along with phpmyadmin, free ssl certificates, ssh key setup, etc,...


Basic Linux Commands

Print Working Directory

pwd

Change Directory (to root)
cd /

List Current Directory

ls -ahl

-a : all the files
-h : human readable
-l : long list

Change Directory (to var)


cd var


Change Directory (to previous)


cd ..


Text Editior (nano)

Prefix a file path or file name with 'nano' and execute command

To save file, press ctrl+y and press enter


Temporarily elevate to root privileges

Prefix a command with 'sudo' and execute command


Prerequisites to install LEMP stack on Debian 8


1. Have deployed Debian 8 image on your new server and have your root password ready


2. Have pointed your domain (example.com) to your server public ip address


3. Have booted your server and is running


4. This guide is for windows users. Install putty for terminal.


Tips & Instructions


1. To copy from here, use ctrl-c, and to paste it on putty, mouse-right-click once on putty

2. Replace all place holders such as 'example.com', 'example_user', 'nothingtosee' and so on with desired strings.



Steps to install LEMP stack on Debian 8


Set preference to ipv4


nano /etc/gai.conf

uncomment "precedence ::ffff:0:0/96 100"


Update & Upgrade Linux

apt-get update


apt-get upgrade


Install sudo (if doesn't exist)

apt-get install sudo


Check if Host File exists

nano /etc/hosts



Set Hostname (replace xhostname)

hostnamectl set-hostname xhostname


Update /etc/hosts (replace example.com with domain)

nano /etc/hosts

127.0.0.1 localhost.localdomain localhost
203.0.113.10 xhostname.example.com xhostname
2600:3c01::a123:b456:c789:d012 xhostname.example.com xhostname

Check Hostname

nano /etc/init.d/hostname.sh

hostname

hostname -f

Set Localtime

dpkg-reconfigure tzdata

Install Nginx

sudo apt-get update

sudo apt-get install nginx

Install MySQL DB Server (& set root pass)

sudo apt-get install mysql-server


Secure MySQL DB Server (set Y except root pass)

sudo mysql_secure_installation

Install PHP with FastCGI

$ sudo -s
echo 'deb http://packages.dotdeb.org jessie all' >> /etc/apt/sources.list
echo 'deb-src http://packages.dotdeb.org jessie all' >> /etc/apt/sources.list
cat /etc/apt/sources.list
sudo apt-get update
sudo apt-get install php7.0-cli php7.0-cgi php7.0-fpm php7.0-mysql php7.0-json php7.0-curl
sudo apt-get update

Fix gpg key errors (if any) (replace 010908312D230C5F with the key shown in error)

gpg --keyserver pgpkeys.mit.edu --recv-key 010908312D230C5F

gpg -a --export 010908312D230C5F | apt-key add -

Securing PHP (Edit php.ini, and uncomment and set fix_pathinfo to 0)

sudo nano /etc/php/7.0/fpm/php.ini

cgi.fix_pathinfo=0

sudo systemctl restart php7.0-fpm


Configure Nginx for PHP


sudo nano /etc/nginx/sites-available/default


Uncomment and edit the highlighted part

server {
listen 80 default_server;
listen [::]:80 default_server;

root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;

server_name your_server_ip;

location / {
try_files $uri $uri/ =404;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}

location ~ /\.ht {
deny all;
}
}


Check for errors & reload nginx


sudo nginx -t

sudo systemctl reload nginx

File System Access

For adding limited access to example_user to sftp (through filezilla or other ftp clients), two things must be done.
1. Grant/Restrict File level permission (read/write/execute)
2. Secure SSH and SFTP Access (through sshd_config)

Add Limited User Account (replace example_user and enter password for user)

adduser example_user

Create a new group (replace example_group)

addgroup --system example_group


Append the sudo file to grant sudo for limited user (optional)

sudo visudo

# User privilege specification
root ALL=(ALL:ALL) ALL
example_user ALL=(ALL:ALL) ALL

Create new site (replace example.com)

sudo mkdir -p /var/www/example.com/site


Mod limited_user to the group with root directory

usermod -g example_group -d /var/www/example.com/site -s /sbin/nologin example_user


Restrict and give limited user r(4)/w(2)/x(1) permission

sudo chown root:root /var/www/example.com/
sudo chmod -R 755 /var/www/example.com/
sudo chmod -R 775 /var/www/example.com/site
















Edit sshd_config

sudo nano /etc/ssh/sshd_config

Comment out following line in sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server

Add following lines to sshd_config (replace example.com & example_group)

Subsystem sftp internal-sftp

Match Group example_group
ChrootDirectory /var/www/example.com/site
X11Forwarding no
AllowTcpForwarding no

ForceCommand internal-sftp



Restart ssh to confirm changes

sudo service ssh restart

Create test html page with some sample code for site

nano /var/www/example.com/site/index.html


Create Server Block files for Site (Replace example.com)


sudo apt-get update

sudo nano /etc/nginx/sites-available/example.com


Replace block contents with following and save file. (Replace example.com)

server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
root /var/www/example.com/site; index index.php index.html;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ { include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}

Enable the site

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled



Edit nginx.conf and uncomment "server_names_hash_bucket_size 64;"

sudo nano /etc/nginx/nginx.conf



Check for errors

sudo nginx -t



Restart Nginx

sudo systemctl restart nginx

Open the domain on your browser to see our test page

Logoff Limited user and login as root


Install Cron for automated updates

sudo apt-get update
sudo apt-get install cron



Restrict all user access. Allow access for example_user (if necessary)

echo ALL /etc/cron.deny
echo example_user /etc/cron.allow


Install UFW for Firewall

sudo apt-get install ufw

Set 'IPV6=yes' if using ipv6

sudo nano /etc/default/ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow tcp 22 or 2222 for ssh access

sudo ufw allow 22/tcp
sudo ufw allow www
sudo ufw allow ftp

To update disable and enable (enable turn it on, make sure ssh is enabled)

sudo ufw disable
sudo ufw enable
sudo ufw status verbose

Add the backports repository to server

echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list

Install Certbot to obtain Letsencrypt ssl

sudo apt-get update
sudo apt-get install certbot -t jessie-backports

Edit Nginx for Webroot usage (for the ssl desired site)

sudo nano /etc/nginx/sites-available/example.com

Add following location block & take note of the root mentioned in the file

location ~ /.well-known {
allow all;
}


sudo nginx -t

sudo systemctl restart nginx

User webroot to request a certificate

sudo certbot certonly -a webroot --webroot-path=/var/www/example.com/site -d example.com -d www.example.com


Enter email & accept terms. Note down the path, similar to '/etc/letsencrypt/live/example.com/'

Check for four files having placed in /etc/letsencrypt/archive with symbolic links in /etc/letsencrypt/live/example.com

· cert.pem: Your domain's certificate
· chain.pem: The Let's Encrypt chain certificate
· fullchain.pem: cert.pem and chain.pem combined
· privkey.pem: Your certificate's private key

sudo ls -l /etc/letsencrypt/live/example.com

To increase security, generate DH bit group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Create config snippet to point SSL key and cert

sudo nano /etc/nginx/snippets/ssl-example.com.conf

Add the following lines and save the file
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

sudo apt-get update




Create config snippet with strong encryption settings

sudo nano /etc/nginx/snippets/ssl-params.conf


Copy paste the following text. Risky if error occurs!!!

# from https://cipherli.st/

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Preloading HSTS is disabled. Uncomment to includes the
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Take copy of config

sudo cp /etc/nginx/sites-available/example.com /etc/nginx/sites-available/example.com.bak

Edit the config into two seperate blocks for 80 and ssl-443

sudo nano /etc/nginx/sites-available/example.com

server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}

server {

# SSL configuration

listen 443 ssl;
listen [::]:443 ssl;
include snippets/ssl-example.com.conf;
include snippets/ssl-params.conf;

. . .

Adjust UFW for ssl

sudo ufw allow https

Delete http if necessary (http pages now will not load)

sudo ufw delete allow www

Check status of ufw

sudo ufw status verbose


Edit default config to return 404

sudo nano /etc/nginx/sites-available/default


server {
listen 80 default_server;
listen [::]:80 default_server;

server_name _;

return 404;

location ~ /\.ht {
deny all;
}
}


Check Nginx for errors & restart

sudo nginx -t

sudo systemctl restart nginx

Check ssl-rating for A+


In your browser:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com


Edit crontab to automate renewal and add the following

sudo crontab -e


30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx


Login in to MySQL

mysql -u root -p


Create Database with a new user with permissions


CREATE DATABASE web;
CREATE USER 'webuser' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON web.* TO 'webuser';
quit


Restart PHP to conclude

sudo systemctl restart php7.0-fpm



To install phpmyadmin


Get the latest pure binary file (.tar.gz) from https://www.phpmyadmin.net/downloads/

wget https://files.phpmyadmin.net/phpMyAdmin/4.7.0/phpMyAdmin-4.7.0-all-languages.tar.gz

tar xvf phpMyAdmin-4.7.0-all-languages.tar.gz



Move and rename the directory (replace 'nothingtosee')

mv phpMyAdmin-4.7.0-all-languages /usr/share/

mv -T /usr/share/phpMyAdmin-4.7.0-all-languages /usr/share/nothingtosee

ls -al /usr/share/


Install dependencies & setup config

sudo apt-get install php7.0-mcrypt php-mbstring php7.0-mbstring php-gettext

sudo phpenmod mcrypt

sudo phpenmod mbstring

sudo cp /usr/share/nothingtosee/config.sample.inc.php /usr/share/nothingtosee/config.inc.php

nano /usr/share/nothingtosee/config.inc.php

Set blowfish secret

locate "$cfg['blowfish_secret'] = '';" and enter a string;

Setup encrypted password to open phymyadmin aka 'nothingtosee'

openssl passwd

Copy the resulting encrypted pass. And remember the original pass which will be used for authentication

Create a file to store the username and password for phpmyadmin

sudo nano /etc/nginx/pma_pass

Replace 'sample_user' with username & 'password' with the encrypted one copied from previous step

sample_user:password


Create Symbolic link to phpmyadmin (replace 'nothingtosee' & 'example.com')

sudo ln -s /usr/share/nothingtosee /var/www/example.com/site


Add the phpmyadmin within the working server { } block of the /example.com config (replace 'nothingtosee' & 'example.com')

sudo nano /etc/nginx/sites-available/example.com

location ^~ /nothingtosee/ {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/pma_pass;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
location ~* ^/nothingtosee/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|t$
root /usr/share/;
}
#allow 127.0.0.1;
#deny all;
}


Restart Nginx and open the link on your browser and authenticate

sudo service nginx restart

example.com/nothingtosee


Turn off apache2 and reload nginx (optional)

sudo service apache2 stop && sudo service nginx reload




Adding Public Key Auth for SSH (for each user)


Install and open putty-keygen.exe

Set bits to 4096 and option as SSH-2 RSA and generate

Enter passphrase, save public key, save private key, keep window open

Open putty application, add private key to 'putty connection > ssh > auth', save the session and open session with the desired user (limited/root) and enter password



Create new directory for auth key


mkdir ~/.ssh; touch ~/.ssh/authorized_keys; chmod 700 ~/.ssh


Edit the file and copy public key directly from keygen and paste (ctrl -v)


nano ~/.ssh/authorized_keys


Increase security


chmod 600 ~/.ssh/authorized_keys


Exit and rerun putty, load saved session of desired user.

Make sure private key matches the saved public key for that user.

Enter passphrase to login


Optional Items

To Delete Limited User Account (Optional)

sudo deluser --remove-home username


To Delete any folders (created by mistake)

sudo rm -r -f /path/

Do a update after every action

sudo apt-get update

Restart PHP & Nginx & Update


sudo systemctl restart php7.0-fpm nginx

sudo apt-get update


To change mysql root pass (login to mysql first)

mysql -u root -p


ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'password';

To check Nginx status and error log

sudo systemctl status nginx.service

sudo tail -n 20 /var/log/nginx/error.log