lemp-server-ubuntu-1604.md

LEMP in Ubuntu 16.04 Server - AWS EC2/RDS

1. Pre-usage:

sudo apt-get update && sudo apt-get upgrade -y

2. Add ubuntu or the user used to sudo group:

sudo usermod -aG sudo ubuntu

3. Check if ssh connection allows root access (if yes, change PermitRootLogin to no or prohibit-password:

sudo vi /etc/ssh/sshd_config

PermitRootLogin prohibit-password

4. Install Nginx:

sudo apt-get install nginx

5. Add ssh connections as an allow option for firewall:

sudo ufw allow ssh

6. Add nginx server as an allow option for firewall:

sudo ufw allow 'Nginx HTTP'

7. Enable the firewall:

sudo ufw enable

8. Check status of firewall:

sudo ufw status

9. Add PHP repository from Ondrej:

sudo add-apt-repository ppa:ondrej/php

10. Update:

sudo apt-get update

11. Install PHP 7.1 FPM and most used extensions:

sudo apt-get install php7.1-fpm php7.1-curl php7.1-soap php7.1-pgsql php7.1-mysql php7.1-sqlite3 php7.1-mbstring php7.1-xml php7.1-mcrypt php7.1-zip

12. Config PHP to make it safer:

Before doing it, check where its the php.ini file by typing: php -i | grep "Loaded Configuration File"

sudo vi /etc/php/7.1/fpm/php.ini

Edit cgi.fix_pathinfo:

cgi.fix_pathinfo=0

Edit expose_php:

expose_php = off

13. Config Nginx:

sudo vi /etc/nginx/sites-available/default

Add index.php to list of files to interpret when the sites is rendered

Hide nginx version in http header:

sudo vi /etc/nginx/nginx.conf

Edit: server_tokens off

Restart it:

sudo service nginx restart

14. Install Composer:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"

php composer-setup.php

php -r "unlink('composer-setup.php');"

mv composer.phar /usr/local/bin/composer

15. Clone/deploy the project into EC2, enter the project folder and install dependencies:

composer install

16. Start services:

sudo service php7.1-fpm start && sudo service nginx restart

17. Enable HTTP and HTTPS on firewall:

sudo ufw allow http && sudo ufw allow https

18. Add folder/file permissions into cache directory:

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

19. Use Let's Encrypt to install TLS certificates:

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-nginx

In case of using MySQL in EC2 instance instead of using a RDS service:

• Install MySQL Server:

sudo apt-get install mysql-server

• Run secure installation of MySQL:

mysql_secure_installation

Useful Links

• Example of LEMP installation in Ubuntu 16.04: https://www.youtube.com/watch?v=iUNnw8A9LLw

• Digital Ocean post of LEMP in Ubuntu 16.04: https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04

• Example of RDS usage: https://www.youtube.com/watch?v=g3gKF_Li1WM

• Explanation of UFW essentials (firewall): https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

• Mapping a domain/subdomains to EC2 instance: https://www.youtube.com/watch?v=pjA9MyzUJNQ

• Installing TLS certificates with Nginx: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

• Digital Ocean post of installing TLS with Nginx in Ubunt 16.04: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

• Guide of building sage PHP applications in 2018: https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software

• With and without www redirecting to https version: https://www.youtube.com/watch?v=6QYJUvrb7m8