Setup ubuntu server from scratch

ubuntu-server.md

My Ubuntu Server

Please read the manual carefuly

Basic

1. Creating sudoers user (don’t use root)

   • do update first sudo apt-get update
   • https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart

2. Prevent root user login via SSH and change the SSH port

   • Open and edit /etc/ssh/sshd_config:

     PermitRootLogin no
     Port 10201

   • Restart SSH service

3. Allow login via public key SSH (optional)

   • https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server

4. Install ZSH as shell (optional)

   • https://gist.github.com/isogram/8f10c4898c3520ba42f687f8d364f8ef

5. Add basic list folder aliases (optional: step 4 required)

   • Open your .zshrc

   vi ~/.zshrc

   • On the bottom of files add new aliases

   alias ll='ls -alF'
   alias la='ls -A'
   alias l='ls -CF'

   • Save and exit

6. Install Git (you don't need this if you did step 4)

   sudo apt-get update
   sudo apt-get install git git-core

Webserver

We are using Apache2, Nginx (as Reserve Proxy) & MySQL for Database

1. Install Apache2

   sudo apt-get update
   # installing apache2
   sudo apt-get install apache2 apache2-utils

2. Install PHP 7.2 & MySQL

   # installing PHP7.2
   sudo add-apt-repository ppa:ondrej/php
   sudo apt-get update
   sudo apt-get install php-pear php7.2 php7.2-common php7.2-mysql php7.2-curl php7.2-mbstring php7.2-bcmath php7.2-dba php7.2-bz2 php7.2-dev php7.2-xml php7.2-intl php7.2-opcache php7.2-xmlrpc php7.2-cli php7.2-json php7.2-pgsql php7.2-soap php7.2-xsl php7.2-gd php7.2-sqlite3 php7.2-zip php7.2-cgi php7.2-fpm php7.2-xsl mysql-server
   sudo mysqld --initialize
   sudo mysql_secure_installation

   • You will asked to enter password for root user MySQL, enter your desired password!
   • Your server should can be accessed now

   OPTIONAL SECTION : Installing mcrypt on PHP 7.2

       ## How to install mcrypt in php7.2
       ##
       ## https://lukasmestan.com/install-mcrypt-extension-in-php7-2/
       ##
   
       # 
       # Check version php and pecl
       # 
       php -v # if default php is not 7.2 then use /usr/bin/php7.2 instead php
       pecl version
   
       # 
       # Install mcrypt extension
       # see http://pecl.php.net/package-info.php?package=mcrypt&version=1.0.1
       # 
       sudo apt-get -y install gcc make autoconf libc-dev pkg-config
       sudo apt-get -y install libmcrypt-dev
       sudo pecl install mcrypt-1.0.1
   
       # 
       # When you are shown the prompt
       # 
       # libmcrypt prefix? [autodetect] :
       # Press Enter to autodetect.
   
       # 
       # After success installing mcrypt trought pecl, you should add mcrypt.so extension to php.ini,
       # The output will look like this:
       # 
       # ...
       # Build process completed successfully
       # Installing '/usr/lib/php/20170718/mcrypt.so'    ---->   this is our path to mcrypt extension lib
       # install ok: channel://pecl.php.net/mcrypt-1.0.1
       # configuration option "php_ini" is not set to php.ini location
       # You should add "extension=mcrypt.so" to php.ini
   
       # 
       # Grab installing path and add to cli and apache2 php.ini 
       # 
       # example:
       sudo bash -c "echo extension=/usr/lib/php/20170718/mcrypt.so > /etc/php/7.2/cli/conf.d/mcrypt.ini"
       sudo bash -c "echo extension=/usr/lib/php/20170718/mcrypt.so > /etc/php/7.2/apache2/conf.d/mcrypt.ini"
   
       # check that the extension was installed with this command:
       php -i | grep mcrypt
   
       # 
       # The output will look like this:
       # 
       # /etc/php/7.2/cli/conf.d/mcrypt.ini
       # Registered Stream Filters => zlib.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, convert.iconv.*, mcrypt.*, mdecrypt.*
       # mcrypt
       # mcrypt support => enabled
       # mcrypt_filter support => enabled
       # mcrypt.algorithms_dir => no value => no value
       # mcrypt.modes_dir => no value => no value
   

3. Configure Apache2 and PHP

   • Change default port apache2 to 8087. Edit file sudo vi /etc/apache2/ports.conf --> Listen 8087 save and exit. sh

     cd sites-available/
     sudo vi 000-default.conf
     

   • Edit virtualhost port so that same with apache2 custom port (8087)

     <VirtualHost *:8087>
         ...
     </VirtualHost>

   • Restart apache2 : sudo service apache2 restart

4. Install & Configure Nginx

   • Install Nginx

     sudo apt-get install nginx

   • Configure GZip compression

     cd /etc/nginx/
     sudo vi nginx.conf

   • Edit GZip section become like this:

     # Gzip Settings
     ##
     
     gzip on;
     gzip_disable "msie6";
     
     gzip_vary on;
     gzip_proxied any;
     gzip_comp_level 6;
     gzip_buffers 16 8k;
     gzip_http_version 1.1;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

   • Under GZip settings please add proxy cache configuration

     # Proxy Cache Settings
     proxy_cache_path /var/cache levels=1:2 keys_zone=reverse_cache:60m inactive=90m max_size=1000m;

   • Save and exit

   • Create new nginx virtualhost

     cd /etc/nginx/sites-available
     vi mysite.conf

   • Then fill mysite.conf this:

     server {
         listen 80;
     
         # Site Directory same in the apache virtualhost configuration
         root /var/www/html; 
         index index.php index.html index.htm;
     
         # Domain
         server_name www.mysite.com mysite.com;
     
         location / {
             try_files $uri $uri/ /index.php?$query_string;
         }
     
     
         # Reverse Proxy and Proxy Cache Configuration
         location ~ \.php$ {
      
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $remote_addr;
             proxy_set_header Host $host;
             proxy_pass http://127.0.0.1:8087;
     
             # Cache configuration
             proxy_cache reverse_cache;
             proxy_cache_valid 3s;
             proxy_no_cache $cookie_PHPSESSID;
             proxy_cache_bypass $cookie_PHPSESSID;
             proxy_cache_key "$scheme$host$request_uri";
             add_header X-Cache $upstream_cache_status;
         }
     
         # Enable Cache the file 30 days
         location ~* .(jpg|png|gif|jpeg|css|mp3|wav|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
             proxy_cache_valid 200 120m;
             expires 30d;
             proxy_cache reverse_cache;
             access_log off;
         }
     
         # Disable Cache for the file type html, json
         location ~* .(?:manifest|appcache|html?|xml|json)$ {
             expires -1;
         }
     
         location ~ /\.ht {
             deny all;
         }
     }

   • Save and exit

   • Then enable mysite.conf with sudo ln -s /etc/nginx/sites-available/mysite.conf /etc/nginx/sites-enabled/

   • Test configuration and restart

     sudo nginx -t
     sudo service nginx restart

5. Configure logging

   • We are going to configure apache to log the real ip of the visitor instead of the local IP.

   • Please install the apache module "libapache2-mod-rpaf" and edit the module configuration file:

     sudo apt-get install libapache2-mod-rpaf
     cd /etc/apache2/mods-available/
     vi rpaf.conf

   • Add the server IP to the line 10. For the example my server has the IP: 192.168.1.108, so the configuration become:

     RPAFproxy_ips 127.0.0.1 192.168.1.108 ::1

   • Restart apache2 service: sudo service apache2 restart

6. Configure date, time, and timezone

   • sudo dpkg-reconfigure tzdata and choose your desired timezone

Credits to:

• Digital Ocean Comminity
• Ubuntuserverguide.com
• HowToForge.com
• tsabat at Gist Github
• arzzen at Gist Github