Setup Basic Server Nginx, Redis, PHP-fpm and MariaDB for WordPress using AWS Ubuntu 18.04 LTS EC2 Instance
# 0. BEFORE ANYTHING
$ sudo su
# 1. UPDATING THE SERVER
# Define your timezone
$ timedatectl set-timezone America/Sao_Paulo
# Update the package lists
$ apt-get update
# Upgrade installed packages
$ apt-get upgrade -y
# Remove packages that are no longer needed
$ apt-get autoremove -y
# 2. MANAGING SSH ACCESS
# Configure ssh
# edit the file, changing PermitRootLogin from 'yes' to 'no'
$ vim /etc/ssh/sshd_config
# 3. MANAGING BASIC FIREWALL RULES FOR WEB USING UFW AND INSTALLING FAIL2BAN
# Allow services
$ ufw allow ssh
$ ufw allow http
$ ufw allow https
$ ufw allow smtp
$ ufw allow smtps
# only if you use a remote connection to the database
$ ufw allow mysql
# Confirm the changes
$ ufw show added
# Enable the FIREWALL
$ ufw enable
# Install FAIL2BAN
$ apt-get install fail2ban
# Start fail2ban
$ service fail2ban start
# 4. INSTALLING MARIADB
# Install software-properties-common
$ apt-get install software-properties-common
# Add Repository Key
$ apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
# Add Repository
$ add-apt-repository "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu $(lsb_release -cs) main"
# Update Packages
$ apt-get update
# If you are not using an RDS instance, install MariaDB Server and Client
$ apt -y install mariadb-server mariadb-client
# 5. INSTALLING PHP-FPM
# If not already installed, install software-properties-common
$ apt-get install software-properties-common
# Add Repository
$ add-apt-repository -y ppa:ondrej/php
# Update Packages
$ apt-get update
# Install PHP and the most common extensions
$ apt install php7.3-fpm php7.3-common php7.3-zip php7.3-curl php7.3-xml php7.3-xmlrpc php7.3-json php7.3-mysql php7.3-pdo php7.3-gd php7.3-imagick php7.3-ldap php7.3-mbstring php7.3-intl php7.3-cli php7.3-tidy php7.3-bcmath php7.3-opcache
# Verify the installation
$ php --version
# Configure the pool
$ vim /etc/php/7.3/fpm/pool.d/www.conf
# Set:
[www]
user = some_user_name
group = some_user_name
listen = /run/php/php7.3-fpm.sock
listen.owner = some_user_name
listen.group = some_user_name
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
# Optimize php.ini for nginx
$ sudo vim /etc/php/7.3/fpm/php.ini
# Set these values:
max_execution_time = 180
max_input_time = 360
max_input_vars = 5000
memory_limit = 256M
cgi.fix_pathinfo = 0
file_uploads = On
upload_max_filesize = 12M
post_max_size = 12M
allow_url_fopen = On
date.timezone = America/Sao_Paulo
# Save the file and test the changes
$ sudo php-fpm7.3 -t
# Restart the service
$ sudo service php7.3-fpm restart
# 6. INSTALLING REDIS
# If you are going to use WordPress, also install the plugin: https://wordpress.org/plugins/redis-cache/
# Install Redis Server
$ sudo apt-get install redis-server -y
# Configure Redis
$ sudo vim /etc/redis/redis.conf
# Uncomment maxmemory and set it to 64mb
# Start Redis Server
$ sudo service redis-server restart
$ sudo service php7.3-fpm restart
# 7. INSTALLING NGINX
# Create the folders used by the application paths
# (note: the virtual host configuration below refers to these folders under /home/some_user_name/app; keep both in sync)
$ cd /
$ mkdir app
$ cd app
$ mkdir ssl
$ mkdir logs
$ mkdir cache
# Add repository
$ sudo add-apt-repository ppa:nginx/development -y
# Update Packages
$ sudo apt-get update
# Install the nginx package
$ sudo apt-get install nginx -y
# Configure nginx
$ sudo vim /etc/nginx/nginx.conf
# Set:
user some_user_name;
worker_processes 1;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
  worker_connections 1024;
  multi_accept on;
}
http {
  ##
  # Basic Settings
  ##
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 15;
  types_hash_max_size 2048;
  server_tokens off;
  client_max_body_size 6m;
  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  ##
  # SSL Settings
  ##
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE (TLSv1 and TLSv1.1 are also deprecated; prefer TLSv1.2 only)
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
  ##
  # Logging Settings
  ##
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  ##
  # Gzip Settings
  ##
  # Enable Gzip compression.
  gzip on;
  # Disable Gzip on IE6.
  gzip_disable "msie6";
  # Allow proxies to cache both the compressed and the regular version of a file.
  # Avoids clients that don't support Gzip receiving gibberish.
  gzip_vary on;
  # Compress data even when the client connects through a proxy.
  gzip_proxied any;
  # The level of compression to apply to files. A higher compression level increases
  # CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
  gzip_comp_level 3;
  # The minimum HTTP version of a request to perform compression.
  gzip_http_version 1.1;
  # Don't compress files smaller than 256 bytes, as the size reduction will be negligible.
  gzip_min_length 256;
  # Compress the following MIME types.
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
  # text/html is always compressed when gzip is enabled.
  ##
  # Cache Settings
  ##
  fastcgi_cache_key "$scheme$request_method$host$request_uri";
  add_header Fastcgi-Cache $upstream_cache_status;
  ##
  # Virtual Host Configs
  ##
  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
  # Default server: drop requests whose Host does not match a configured server_name
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
  }
}
# Configure fastcgi_params
$ sudo vim /etc/nginx/fastcgi_params
# Add at the end: fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Test the nginx setup (optional)
$ sudo nginx -t
# Restart the nginx service
$ sudo service nginx restart
# Remove the available default site
$ sudo rm /etc/nginx/sites-available/default
# Remove the enabled default site
$ sudo rm /etc/nginx/sites-enabled/default
# Create your virtual server file
$ sudo touch /etc/nginx/sites-available/pod
$ sudo vim /etc/nginx/sites-available/pod
# Set:
fastcgi_cache_path /home/some_user_name/app/cache levels=1:2 keys_zone=appurl.com:100m inactive=60m;
server {
  # Ports to listen on
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  # Server name to listen for
  server_name appurl.com;
  # Path to document root
  root /home/theboss/app/applicationfolder/;
  # Paths to certificate files.
  # ssl_protocols TLSv1.1 TLSv1.2;
  # ssl_certificate /home/some_user_name/app/ssl/app.cert.pem;
  # ssl_certificate_key /home/some_user_name/app/ssl/app.key;
  # File to be used as index
  index index.php;
  # Logs
  access_log /home/some_user_name/app/logs/access.log;
  error_log /home/some_user_name/app/logs/error.log;
  # Cache Settings
  set $skip_cache 0;
  # POST requests and URLs with a query string should always go to PHP
  if ($request_method = POST) {
    set $skip_cache 1;
  }
  if ($query_string != "") {
    set $skip_cache 1;
  }
  # Don't cache URIs containing the following segments
  if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
    set $skip_cache 1;
  }
  # Don't use the cache for logged-in users or recent commenters
  if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
    set $skip_cache 1;
  }
  location / {
    try_files $uri $uri/ /index.php?&$args;
  }
  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # must match the 'listen' socket set in the php-fpm pool (php7.3 above)
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
    fastcgi_cache appurl.com;
    fastcgi_cache_valid 60m;
  }
}
# Redirect http to https
server {
  listen 80;
  listen [::]:80;
  server_name appurl.com www.appurl.com;
  return 301 https://appurl.com$request_uri;
}
# Redirect www to non-www
# (note: unlike the main server block above, these 'listen 443' lines carry no 'ssl' flag or certificate directives; check that this matches your intent)
server {
  listen 443;
  listen [::]:443;
  server_name www.appurl.com;
  return 301 https://appurl.com$request_uri;
}
# Save the file and enable pod
$ sudo ln -s /etc/nginx/sites-available/pod /etc/nginx/sites-enabled/
# Test the pod setup
$ sudo nginx -t
# Reload the service
$ sudo service nginx restart