
@zymawy
Last active January 14, 2023 05:40

We can see we have PHP 7.0 available out of the box:

sudo apt-cache show php-cli

Instead of using that, we'll start by installing the latest PHP 7.1, via the popular PHP repository.

# Add repository and update local cache of available packages
sudo add-apt-repository -y ppa:ondrej/php
sudo apt-get update

# Search for packages starting with PHP, 
# we'll see php7.1-* packages available
sudo apt-cache search -n '^php'

# Install PHP-FPM, PHP-CLI and modules php7.3-mcrypt
sudo apt-get install -y php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-sqlite3 \
    php7.3-gd php7.3-xml php7.3-mbstring php7.3-common

Once that's installed, we can see some similar conventions from Nginx (and other software in Debian/Ubuntu).

SAPI

PHP on Debian/Ubuntu is divided by version and Server Application Programming Interface. A SAPI is the context in which PHP is run. The most common are:

  • cli - when running on the command line
  • fpm - when fulfilling a web request via fastcgi
  • apache2 - when run in Apache's mod-php

Configuration

We can see the configuration split between version and SAPI by checking the file paths within /etc:

cd /etc/php
ls -lah

> ... 5.6/
> ... 7.0/
> ... 7.1/

cd 7.1
ls -lah

> ... cli/
> ... fpm/

Within each SAPI directory (e.g. cli or fpm), there is a php.ini file and a conf.d directory. We can edit php.ini per SAPI and use symlinks within the conf.d directory to enable or disable modules per SAPI.

Modules

PHP on Debian/Ubuntu uses symlinks to decide which modules are loaded per SAPI. All module configuration files are located in /etc/php/<version>/mods-available, and are then loaded via symlinks at /etc/php/<version>/<sapi>/conf.d.
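
An added example (not part of the original gist) that resolves the conf.d symlinks to show which modules each SAPI loads and where two SAPIs differ. The function names are this example's own, and the directory tree it builds is constructed to stand in for /etc/php.

```shell
#!/bin/sh
# Added example, not part of the original gist.

# Module names enabled for one SAPI. Each conf.d entry is a symlink such as
# 20-curl.ini -> /etc/php/<version>/mods-available/curl.ini (plain files in
# conf.d are not covered). Dangling links are reported on stderr and skipped.
enabled_modules() {   # usage: enabled_modules <php-root> <version> <sapi>
    for link in "$1/$2/$3/conf.d"/*.ini; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "dangling: $link" >&2
            continue
        fi
        basename "$(readlink "$link")" .ini
    done | sort -u
}

# Modules enabled for SAPI $3 but not for SAPI $4.
only_in() {           # usage: only_in <php-root> <version> <sapiA> <sapiB>
    a=$(mktemp); b=$(mktemp)
    enabled_modules "$1" "$2" "$3" > "$a"
    enabled_modules "$1" "$2" "$4" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed tree standing in for /etc/php so the example runs offline.
d=$(mktemp -d); m="$d/7.3/mods-available"
mkdir -p "$m" "$d/7.3/cli/conf.d" "$d/7.3/fpm/conf.d"
touch "$m/curl.ini" "$m/gd.ini" "$m/xdebug.ini"
ln -s "$m/curl.ini"   "$d/7.3/cli/conf.d/20-curl.ini"
ln -s "$m/xdebug.ini" "$d/7.3/cli/conf.d/20-xdebug.ini"
ln -s "$m/curl.ini"   "$d/7.3/fpm/conf.d/20-curl.ini"
ln -s "$m/gd.ini"     "$d/7.3/fpm/conf.d/20-gd.ini"
echo "cli only: $(only_in "$d" 7.3 cli fpm)"
echo "fpm only: $(only_in "$d" 7.3 fpm cli)"
rm -rf "$d"
```

On Debian/Ubuntu the symlinks themselves are managed with phpenmod and phpdismod.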

Step 7: Configure PHP

With the stack installed, it is now time to configure everything to get it working. There isn’t much to configure with PHP, but there is one small security fix we need to make.

In your terminal, open up your php.ini file in whatever text editor you wish (Vim or Emacs, for example); for simplicity, we will use nano in this tutorial.

sudo nano /etc/php/7.3/fpm/php.ini

The line we need to set is cgi.fix_pathinfo=0. You can either look for it like a needle in a haystack or search for it using Ctrl+W; I personally recommend searching for it. With the default value of 1, PHP-FPM falls back to the nearest existing file when the requested script path does not exist, which can cause a non-PHP file (an upload, for example) to be executed as PHP.

Press Ctrl+W, type cgi.fix_pathinfo= and press Enter. This will take you straight to the right line. You will see a semicolon to the left of this line. Delete the semicolon, change the 1 into a 0 and save the file. The line should look like this upon saving:

cgi.fix_pathinfo=0

To save something in Nano, just press Ctrl+X and type Y and then press Enter.

Before the changes can take effect we need to restart php-fpm by typing in this command:

sudo systemctl restart php7.3-fpm

Now our change has taken effect.
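
One way to check the setting after the edit, as an added example that is not part of the original gist: it reads each FPM/CGI php.ini and reports the effective cgi.fix_pathinfo value, treating a missing or commented-out line as PHP's default of 1. The function names and the sample tree are constructed for illustration, and overrides placed in conf.d are not considered.

```shell
#!/bin/sh
# Added example, not part of the original gist.

# Effective value in one php.ini: the last uncommented assignment wins;
# a missing or ';'-commented line means PHP's built-in default, 1.
fix_pathinfo_value() {
    awk '
        /^[ \t]*cgi\.fix_pathinfo[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)    # drop "key ="
            sub(/[ \t]*(;.*)?$/, "", v)    # drop trailing blanks / comment
            gsub(/"/, "", v)               # tolerate quoted values
            val = v
        }
        END { print (val == "" ? 1 : val) }
    ' "$1"
}

# Check <root>/<version>/{fpm,cgi}/php.ini (root defaults to /etc/php).
# Prints one line per file; returns 1 if any file is not set to 0.
audit_fix_pathinfo() {
    root="${1:-/etc/php}"; rc=0
    for ini in "$root"/*/fpm/php.ini "$root"/*/cgi/php.ini; do
        [ -f "$ini" ] || continue
        v=$(fix_pathinfo_value "$ini")
        if [ "$v" = "0" ]; then
            echo "OK   $ini"
        else
            echo "WARN $ini (effective cgi.fix_pathinfo=$v)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/7.3/fpm" "$demo/7.4/fpm"
printf '%s\n' '[PHP]' 'cgi.fix_pathinfo=0'  > "$demo/7.3/fpm/php.ini"
printf '%s\n' '[PHP]' ';cgi.fix_pathinfo=1' > "$demo/7.4/fpm/php.ini"
audit_fix_pathinfo "$demo" || echo "at least one php.ini still needs the fix"
rm -rf "$demo"
```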

Nginx

sudo vim /etc/nginx/sites-available/default

Once PHP is installed, we can configure Nginx to send PHP requests off to PHP-FPM:

server {
    listen 80;

    root /var/www/html;

    server_name _;

    index index.html index.htm index.debian-default.html index.php;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # Socket name must match the installed PHP-FPM version (php7.3-fpm above)
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}

Once edits are complete we can test Nginx and reload:

sudo nginx -t
sudo service nginx reload

In the video, I show you some behavior around the above configuration. Most notably, the try_files configuration allows for "pretty URLs", meaning we don't need to add index.php into the URL within our browser for Nginx to use the index.php file.

The above configuration file will search for php files within the /var/www/html directory and send requests to PHP-FPM if a file is requested that ends in the .php extension.

@zymawy
Author

zymawy commented Feb 10, 2019

Ufw Problems

Normally boils down to the firewall blocking your connection. This can happen for a few reasons, one of which is excessive login failures.

From what I recall, most of the one-click images for Ubuntu are set up with ufw, a firewall that acts as an overlay to iptables and simplifies the process of setting up most rule types.

If you're blocked, the only way to get back in is via Console which you can access from the DO CP.

Click on the name of the Droplet in question. From the left side menu, click Access. Now click on the button that says Launch Console.

You'll need your root password to login. If you only deployed with SSH Keys, the root password is disabled -- in such a case, you're effectively locked out of the server as the Console doesn't allow pubkey authentication.

If you do have a root password set, you'll be prompted to enter it in. You won't see anything when entering the password, so you'll need to type it in carefully. Once you have, hit enter.

Once logged in, you can run:

ufw disable

That'll turn ufw off. Keep in mind, it's not really recommended to run without a firewall active, so the best thing to do would be to simply reset the firewall and then set up new rules.

Once the firewall is disabled, try to login via SSH once again. If you're able to login, I would use the following to set up the firewall.

Double-Check ufw is disabled:

ufw disable

Reset the rules:

ufw reset

Setup Default Policies:

ufw default deny incoming && ufw default allow outgoing

We're setting the default policy to deny any incoming connection. This is preferred as we want to set up a "deny all, except what we explicitly allow" type policy. This is the first part.

Now, we'll add rules for SSH (Port 22), HTTP (Port 80), and HTTPS/SSL (Port 443). These are the ports we want to allow connections on. This ensures that only these three ports are open, no more, no less.

ufw allow 22/tcp && ufw allow 80/tcp && ufw allow 443/tcp

Now, I noticed that you're using Sequel Pro, which means we need to open another port, and that'd be 3306 as that's the port MySQL/MariaDB communicate on by default. The issue here is that with the base configuration for MySQL (which is what DigitalOcean uses), remote access to MySQL is not enabled, so you need to enable it.

You should have this file:

/etc/mysql/my.cnf

We need to open that file using nano and find bind-address. Normally this is set to 127.0.0.1, which is localhost. If you try to connect with bind-address set to that IP, it'll fail.

You need to change bind-address to either 0.0.0.0 or the IP address of your Droplet (the IPv4 IP) and then restart MySQL.

service mysql restart

To add MySQL to the firewall, we'd issue one more allow command, like so:

ufw allow 3306/tcp

With SSH, HTTP, HTTPS, and MySQL now added, we can enable ufw using:

ufw enable

It'll ask you to confirm -- do so -- and logout, then try to login again. Then try to login with Sequel Pro, etc.

...

Note: It's really not a good security practice to allow open access to port 3306 as is being done in the above guide. Ideally you would restrict access to a single IP, or set of IPs (if multiple people need access). Allowing open access, such as what is being done here, allows anyone to attempt to login to MySQL on your server, whether the user(s) exist or not.
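
An added example (not from the original comment) for the note above: it reads ufw status output and lists ports that are allowed from Anywhere but are not in the set meant to be public. The sample status text and the address 203.0.113.10 are constructed placeholders, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original comment.

# stdin: output of `ufw status`; $1: ports that are meant to be public.
# Prints each other port/proto that is ALLOWed from Anywhere (v4 or v6).
exposed_ports() {
    awk -v public="$1" '
        BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        {
            # IPv6 rows carry an extra "(v6)" field after the port.
            off = ($2 == "(v6)") ? 1 : 0
            if ($(2 + off) != "ALLOW" || $(3 + off) != "Anywhere") next
            port = $1; sub(/\/.*/, "", port)
            if (!(port in ok)) print $1
        }
    ' | sort -u
}

# Constructed sample: the rule set from the guide above, plus one
# source-restricted MySQL rule (203.0.113.10 is a placeholder admin IP).
sample_status='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
3306/tcp                   ALLOW       203.0.113.10
22/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$sample_status" | exposed_ports "22 80 443"

# Remediation for a flagged port: replace the open rule with a
# source-restricted one, e.g.
#   ufw delete allow 3306/tcp
#   ufw allow from 203.0.113.10 to any port 3306 proto tcp
```

On a live host, run it as: ufw status | exposed_ports "22 80 443".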

@zymawy
Author

zymawy commented Feb 10, 2019

service ssh start

@zymawy
Author

zymawy commented Apr 11, 2019

New User


# Create a new user, give it a password
# set any additional values you'd like
sudo adduser zymawy

# Log in as new user, create
# and go into a ~/.ssh directory
sudo su zymawy
mkdir ~/.ssh
cd ~/.ssh

# Create/edit the ~/.ssh/authorized_keys file
# and paste in the public key we put into
# our clipboard when we first created it
vim authorized_keys

Then you can log in as that user from your local computer!

# If you only have a few SSH keys, you won't hit the
# max attempts limit and can just do this:
ssh zymawy@server-ip

# If you want to explicitly say which ssh key to use, or
# have enough keys (like me!) to hit the max attempt limit:
ssh -o "IdentitiesOnly yes" -i ~/.ssh/id_whatever zymawy@server-ip

@zymawy
Author

zymawy commented Aug 31, 2019

sudo apt-get install nginx

@zymawy
Author

zymawy commented Aug 31, 2019

sudo apt-get install mysql-server

@zymawy
Author

zymawy commented Aug 31, 2019

sudo apt-get install php-fpm php-mysql php-mbstring

@zymawy
Author

zymawy commented Dec 31, 2019

@zymawy
Author

zymawy commented Jan 3, 2020

sudo apt-get install nginx

@zymawy
Author

zymawy commented Mar 2, 2021

sudo apt-get install -y php7.4-fpm php7.4-cli php7.4-curl php7.4-mysql php7.4-sqlite3 \
    php7.4-gd php7.4-xml php7.4-mbstring php7.4-common

@zymawy
Author

zymawy commented Mar 2, 2021

apt install zip unzip php-zip

@zymawy
Author

zymawy commented Dec 18, 2021

ocrmypdf -l eng+ara --rotate-pages --deskew --title "My PDF" --jobs 4 20211218_163306_invoices_000069.pdf output_searchable.pdf

@zymawy
Author

zymawy commented Dec 18, 2021

ocrmypdf -l eng+ara --rotate-pages --deskew --title "My PDF" --jobs 4 20211218_163306_invoices_000069.pdf output_searchable.pdf

@zymawy
Author

zymawy commented Feb 9, 2022

If you use yarn, try yarn --ignore-engines, after yarnpkg/yarn@b880d40 lands in (probably) 15.2.

@zymawy
Author

zymawy commented Feb 9, 2022

 yarn --ignore-engines

@zymawy
Author

zymawy commented Mar 6, 2022

sudo apt-get install -y php8.1-fpm php8.1-cli php8.1-curl php8.1-mysql php8.1-sqlite3 \
    php8.1-gd php8.1-xml php8.1-mbstring php8.1-common

@zymawy
Author

zymawy commented Jan 14, 2023

-- '%' lets this account connect from any host; *.* covers every database and table
CREATE USER 'zymawy'@'%' IDENTIFIED BY 'some_secure_password';
GRANT ALL PRIVILEGES ON *.* TO 'zymawy'@'%';
