jeffsmonteiro/basic-server-lemp-setup.sh

## basic-server-lemp-setup.sh
# 0. BEFORE ANYTHING
$ sudo su

# 1. UPDATING THE SERVER

# Define your timezone
$ timedatectl set-timezone America/Sao_Paulo

# Update packages
$ apt-get update

# Upgrade packages
$ apt-get upgrade -y

# Remove deprecated packages
$ apt-get autoremove -y

# 2. MANAGING ACCESS SSH

# Configure ssh
# edit the file changing PermitRootLogin from 'yes' to 'no'
$ vim /etc/ssh/sshd_config


# 3. MANAGING BASIC FIREWALL RULES FOR WEB USING UFW AND INSTALL FAIL2BAN

# Allow services
$ ufw allow ssh
$ ufw allow http
$ ufw allow https
$ ufw allow smtp
$ ufw allow smtps

# if you use remote connection with database
$ ufw allow mysql

# Confirm the changes
$ ufw show added

# Enable the FIREWALL
$ ufw enable

# Install FAIL2BAN
$ apt-get install fail2ban

# Start fail2ban
$ service fail2ban start

# 4. INSTALLING MARIADB

# Install software-properties-commom
$ apt-get install software-properties-common

# Add Repository Key
$ apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8

# Add Repository
$ add-apt-repository "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu $(lsb_release -cs) main"

# Update Packages
$ apt-get update

# If you not using RDS Instance, install MariaDB Server and Client
$ apt -y install mariadb-server mariadb-client


# 5. INSTALLING PHP-FPM

# If not ready, install software-properties-commom
$ apt-get install software-properties-common

# Add Repository
$ add-apt-repository -y ppa:ondrej/php

# Update Packages
$ apt-get update

# Install PHP and most commoly extensions
$ apt install php7.3-fpm php7.3-common php7.3-zip php7.3-curl php7.3-xml php7.3-xmlrpc php7.3-json php7.3-mysql php7.3-pdo php7.3-gd php7.3-imagick php7.3-ldap php7.3-mbstring php7.3-intl php7.3-cli php7.3-tidy php7.3-bcmath php7.3-opcache

# Verify the installation
$ php --version

# Configure pool
$ vim /etc/php/7.3/fpm/pool.d/www.conf

# Set:
[www]
user = some_user_name
group = some_user_name
listen = /run/php/php7.3-fpm.sock
listen.owner = some_user_name
listen.group = some_user_name
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

# Optimize php.ini for nginx
$ sudo vim /etc/php/7.3/fpm/php.ini

# Set this values:

max_execution_time = 180
max_input_time = 360
max_input_vars = 5000
memory_limit = 256M
cgi.fix_pathinfo = 0
file_uploads = On
upload_max_filesize = 12M
post_max_size = 12M
allow_url_fopen = On
date.timezone = America/Sao_Paulo

# Save the file and test changes
$ sudo php-fpm7.3 -t

# Reinitilize the service
$ sudo service php7.3-fpm restart


# 6. INSTALLING REDIS

# If you will to use WordPress, install too the plugin: https://wordpress.org/plugins/redis-cache/

# Install Redis Server
$ sudo apt-get install redis-server -y

# Configure Redis
$ sudo vim /etc/redis/redis.conf
# Uncomment and set maxmemory and set 64mb

# Start Redis Server
$ sudo service redis-server restart
$ sudo service php7.3-fpm restart

# INSTALLING NGINX

# Create folder to define some paths
$ cd /
$ mkdir app
$ cd app
$ mkdir ssl
$ mkdir logs
$ mkdir cache

# Add repository
$ sudo add-apt-repository ppa:nginx/development -y

# Update Packages
$ sudo apt-get update

# Install nginx package
$ sudo apt-get install nginx -y

# Configure nginx
$ sudo vim /etc/nginx/nginx.conf

# Set:

user some_user_name;
worker_processes 1;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 1024;
	multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 15;
	types_hash_max_size 2048;
	server_tokens off;
	client_max_body_size 6m;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";


	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# Enable Gzip compression.
	gzip on;

	# Disable Gzip on IE6.
	gzip_disable "msie6";

	# Allow proxies to cache both compressed and regular version of file.
	# Avoids clients that don't support Gzip outputting gibberish.
	gzip_vary on;

	# Compress data, even when the client connects through a proxy.
	gzip_proxied any;

	# The level of compression to apply to files. A higher compression level increases
	# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
	gzip_comp_level 3;

	# The minimum HTTP version of a request to perform compression.
	gzip_http_version 1.1;

	# Don't compress files smaller than 256 bytes, as size reduction will be negligible.
	gzip_min_length 256;

	# Compress the following MIME types.
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/ld+json
		application/manifest+json
		application/rss+xml
		application/vnd.geo+json
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/bmp
		image/svg+xml
		image/x-icon
		text/cache-manifest
		text/css
		text/plain
		text/vcard
		text/vnd.rim.location.xloc
		text/vtt
		text/x-component
		text/x-cross-domain-policy;
	# text/html is always compressed when enabled.


	##
	# Cache Settings
	##

	fastcgi_cache_key "$scheme$request_method$host$request_uri";
	add_header Fastcgi-Cache $upstream_cache_status;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

	server {
		listen 80 default_server;
		listen [::]:80 default_server;
		server_name _;
		return 444;
	}
}

# Configure fastcgi_params
$ sudo vim /etc/nginx/fastcgi_params
# Set at final: fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

# Test nginx setup (optional)
$ sudo nginx -t

# Restart nginx service
$ sudo service nginx restart

# Remove Available Deafults
$ sudo rm /etc/nginx/sites-available/default

# Remove Enabled Deafults
$ sudo rm /etc/nginx/sites-enabled/default

# Create your virtual server file
$ sudo /etc/nginx/sites-available/pod
$ sudo vim /etc/nginx/sites/available/pod

# Set:

fastcgi_cache_path /home/some_user_name/app/cache levels=1:2 keys_zone=appurl.com:100m inactive=60m;

server {
    # Ports to listen on, uncomment one.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Server name to listen for
    server_name appurl.com;

    # Path to document root
    root /home/theboss/app/applicationfolder/;

    # Paths to certificate files.
    # 'ssl_protocols TLSv1.1 TLSv1.2;
    # ssl_certificate /home/some_user_name/app/ssl/app.cert.pem;
    # ssl_certificate_key /home/some_user_name/app/ssl/app.key;

    # File to be used as index
    index index.php;

    # Logs
    access_log /home/some_user_name/app/logs/access.log;
    error_log /home/some_user_name/app/logs/error.log;


    # Cache Settings
    set $skip_cache 0;

    # POST requests and urls with a query string should always go to PHP
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # Don’t cache uris containing the following segments
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitema (_index)?.xml") {
        set $skip_cache 1;
    }

    # Don’t use the cache for logged in users or recent commenters
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    location / {
        try_files $uri $uri/ /index.php?&$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;
        fastcgi_cache appurl.com;
        fastcgi_cache_valid 60m;
    }
}

# Redirect http to https
server {
    listen 80;
    listen [::]:80;
    server_name appurl.com www.appurl.com;
    return 301 https://appurl.com$request_uri;
}

# Redirect www to non-www
server {
    listen 443;
    listen [::]:443;
    server_name www.appurl.com;

    return 301 https://appurl.com$request_uri;
}

# Save file and enable pod
$ sudo ln -s /etc/nginx/sites-available/pod /etc/nginx/sites-enabled/

# Test pod setup
$ sudo nginx -t

# Reload service
$ sudo service nginx restart
	# 0. BEFORE ANYTHING
	$ sudo su

	# 1. UPDATING THE SERVER

	# Define your timezone
	$ timedatectl set-timezone America/Sao_Paulo

	# Update packages
	$ apt-get update

	# Upgrade packages
	$ apt-get upgrade -y

	# Remove deprecated packages
	$ apt-get autoremove -y

	# 2. MANAGING ACCESS SSH

	# Configure ssh
	# edit the file changing PermitRootLogin from 'yes' to 'no'
	$ vim /etc/ssh/sshd_config


	# 3. MANAGING BASIC FIREWALL RULES FOR WEB USING UFW AND INSTALL FAIL2BAN

	# Allow services
	$ ufw allow ssh
	$ ufw allow http
	$ ufw allow https
	$ ufw allow smtp
	$ ufw allow smtps

	# if you use remote connection with database
	$ ufw allow mysql

	# Confirm the changes
	$ ufw show added

	# Enable the FIREWALL
	$ ufw enable

	# Install FAIL2BAN
	$ apt-get install fail2ban

	# Start fail2ban
	$ service fail2ban start

	# 4. INSTALLING MARIADB

	# Install software-properties-commom
	$ apt-get install software-properties-common

	# Add Repository Key
	$ apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8

	# Add Repository
	$ add-apt-repository "deb [arch=amd64,arm64,ppc64el] http://mariadb.mirror.liquidtelecom.com/repo/10.4/ubuntu $(lsb_release -cs) main"

	# Update Packages
	$ apt-get update

	# If you not using RDS Instance, install MariaDB Server and Client
	$ apt -y install mariadb-server mariadb-client


	# 5. INSTALLING PHP-FPM

	# If not ready, install software-properties-commom
	$ apt-get install software-properties-common

	# Add Repository
	$ add-apt-repository -y ppa:ondrej/php

	# Update Packages
	$ apt-get update

	# Install PHP and most commoly extensions
	$ apt install php7.3-fpm php7.3-common php7.3-zip php7.3-curl php7.3-xml php7.3-xmlrpc php7.3-json php7.3-mysql php7.3-pdo php7.3-gd php7.3-imagick php7.3-ldap php7.3-mbstring php7.3-intl php7.3-cli php7.3-tidy php7.3-bcmath php7.3-opcache

	# Verify the installation
	$ php --version

	# Configure pool
	$ vim /etc/php/7.3/fpm/pool.d/www.conf

	# Set:
	[www]
	user = some_user_name
	group = some_user_name
	listen = /run/php/php7.3-fpm.sock
	listen.owner = some_user_name
	listen.group = some_user_name
	pm = dynamic
	pm.max_children = 5
	pm.start_servers = 2
	pm.min_spare_servers = 1
	pm.max_spare_servers = 3

	# Optimize php.ini for nginx
	$ sudo vim /etc/php/7.3/fpm/php.ini

	# Set this values:

	max_execution_time = 180
	max_input_time = 360
	max_input_vars = 5000
	memory_limit = 256M
	cgi.fix_pathinfo = 0
	file_uploads = On
	upload_max_filesize = 12M
	post_max_size = 12M
	allow_url_fopen = On
	date.timezone = America/Sao_Paulo

	# Save the file and test changes
	$ sudo php-fpm7.3 -t

	# Reinitilize the service
	$ sudo service php7.3-fpm restart


	# 6. INSTALLING REDIS

	# If you will to use WordPress, install too the plugin: https://wordpress.org/plugins/redis-cache/

	# Install Redis Server
	$ sudo apt-get install redis-server -y

	# Configure Redis
	$ sudo vim /etc/redis/redis.conf
	# Uncomment and set maxmemory and set 64mb

	# Start Redis Server
	$ sudo service redis-server restart
	$ sudo service php7.3-fpm restart

	# INSTALLING NGINX

	# Create folder to define some paths
	$ cd /
	$ mkdir app
	$ cd app
	$ mkdir ssl
	$ mkdir logs
	$ mkdir cache

	# Add repository
	$ sudo add-apt-repository ppa:nginx/development -y

	# Update Packages
	$ sudo apt-get update

	# Install nginx package
	$ sudo apt-get install nginx -y

	# Configure nginx
	$ sudo vim /etc/nginx/nginx.conf

	# Set:

	user some_user_name;
	worker_processes 1;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;

	events {
	worker_connections 1024;
	multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 15;
	types_hash_max_size 2048;
	server_tokens off;
	client_max_body_size 6m;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";


	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# Enable Gzip compression.
	gzip on;

	# Disable Gzip on IE6.
	gzip_disable "msie6";

	# Allow proxies to cache both compressed and regular version of file.
	# Avoids clients that don't support Gzip outputting gibberish.
	gzip_vary on;

	# Compress data, even when the client connects through a proxy.
	gzip_proxied any;

	# The level of compression to apply to files. A higher compression level increases
	# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
	gzip_comp_level 3;

	# The minimum HTTP version of a request to perform compression.
	gzip_http_version 1.1;

	# Don't compress files smaller than 256 bytes, as size reduction will be negligible.
	gzip_min_length 256;

	# Compress the following MIME types.
	gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rss+xml
	application/vnd.geo+json
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/bmp
	image/svg+xml
	image/x-icon
	text/cache-manifest
	text/css
	text/plain
	text/vcard
	text/vnd.rim.location.xloc
	text/vtt
	text/x-component
	text/x-cross-domain-policy;
	# text/html is always compressed when enabled.


	##
	# Cache Settings
	##

	fastcgi_cache_key "$scheme$request_method$host$request_uri";
	add_header Fastcgi-Cache $upstream_cache_status;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 444;
	}
	}

	# Configure fastcgi_params
	$ sudo vim /etc/nginx/fastcgi_params
	# Set at final: fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

	# Test nginx setup (optional)
	$ sudo nginx -t

	# Restart nginx service
	$ sudo service nginx restart

	# Remove Available Deafults
	$ sudo rm /etc/nginx/sites-available/default

	# Remove Enabled Deafults
	$ sudo rm /etc/nginx/sites-enabled/default

	# Create your virtual server file
	$ sudo /etc/nginx/sites-available/pod
	$ sudo vim /etc/nginx/sites/available/pod

	# Set:

	fastcgi_cache_path /home/some_user_name/app/cache levels=1:2 keys_zone=appurl.com:100m inactive=60m;

	server {
	# Ports to listen on, uncomment one.
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	# Server name to listen for
	server_name appurl.com;

	# Path to document root
	root /home/theboss/app/applicationfolder/;

	# Paths to certificate files.
	# 'ssl_protocols TLSv1.1 TLSv1.2;
	# ssl_certificate /home/some_user_name/app/ssl/app.cert.pem;
	# ssl_certificate_key /home/some_user_name/app/ssl/app.key;

	# File to be used as index
	index index.php;

	# Logs
	access_log /home/some_user_name/app/logs/access.log;
	error_log /home/some_user_name/app/logs/error.log;


	# Cache Settings
	set $skip_cache 0;

	# POST requests and urls with a query string should always go to PHP
	if ($request_method = POST) {
	set $skip_cache 1;
	}
	if ($query_string != "") {
	set $skip_cache 1;
	}

	# Don’t cache uris containing the following segments
	if ($request_uri ~* "/wp-admin/\|/xmlrpc.php\|wp-.*.php\|/feed/\|index.php\|sitema (_index)?.xml") {
	set $skip_cache 1;
	}

	# Don’t use the cache for logged in users or recent commenters
	if ($http_cookie ~* "comment_author\|wordpress_[a-f0-9]+\|wp-postpass\|wordpress_no_cache\|wordpress_logged_in") {
	set $skip_cache 1;
	}

	location / {
	try_files $uri $uri/ /index.php?&$args;
	}

	location ~ \.php$ {
	try_files $uri =404;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass unix:/run/php/php7.2-fpm.sock;
	fastcgi_index index.php;
	include fastcgi_params;
	fastcgi_cache_bypass $skip_cache;
	fastcgi_no_cache $skip_cache;
	fastcgi_cache appurl.com;
	fastcgi_cache_valid 60m;
	}
	}

	# Redirect http to https
	server {
	listen 80;
	listen [::]:80;
	server_name appurl.com www.appurl.com;
	return 301 https://appurl.com$request_uri;
	}

	# Redirect www to non-www
	server {
	listen 443;
	listen [::]:443;
	server_name www.appurl.com;

	return 301 https://appurl.com$request_uri;
	}

	# Save file and enable pod
	$ sudo ln -s /etc/nginx/sites-available/pod /etc/nginx/sites-enabled/

	# Test pod setup
	$ sudo nginx -t

	# Reload service
	$ sudo service nginx restart