Dev Notes

Software Development Resources by David Egan.

LAMP Stack Setup


LAMP, Linux, Sysadmin, Ubuntu
David Egan

Before starting, follow the guidelines on setting up Ubuntu 14.04 LTS.

Install Apache

sudo apt-get update
sudo apt-get install apache2

Check by visiting the IP address in the browser - you should see the default “Apache 2 Ubuntu” intro page. This shows some useful info on config files - if you’re not familiar with Apache2 config, it might be worth a look.

Install MySQL

We need some databases!

Install MySQL and some helper packages:

sudo apt-get install mysql-server php5-mysql

Open up keepass/KeepassX, set a strong password for MySQL root.

After installation, take extra measures to secure MySQL:

Install MySQL system tables - tell MySQL to create a database directory structure to store info:

sudo mysql_install_db

Run a MySQL security script:

sudo mysql_secure_installation

During execution of this script, you will first get the option to reset root password. You won’t need to do this, because you’ve already set a hardcore password, so answer “n”. Thereafter, hit return to accept the default (Y) answer for each question. This deletes some dummy DBs, disallows remote root login, removes anonymous users and reloads the privilege tables so that changes take effect immediately.

Install PHP

Use apt to install:

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt

Modify the way that Apache serves files, to give priority to PHP:

sudo nano /etc/apache2/mods-enabled/dir.conf

…bring the php index file forward in the hierarchy, so the directive looks like this:

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
</IfModule>

Restart Apache:

sudo service apache2 restart

View available PHP modules:

apt-cache search php5-

If you need additional PHP modules (e.g. php5-curl):

sudo apt-get install php5-curl

Increase the max filesize for uploads, because … clients. You need to edit /etc/php5/apache2/php.ini, since this is the settings file used by Apache:

sudo nano /etc/php5/apache2/php.ini

# hit ctrl+w to open search
# enter upload_max_filesize
# Amend:
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 40M

# After saving, restart Apache

Restart Apache:

sudo service apache2 restart

To install additional PHP modules, see the Justin Ellingwood article on Digital Ocean.

Test PHP Setup

Check PHP by outputting phpinfo(); in a php file and accessing via a browser:

sudo nano /var/www/html/info.php

Copy this into the file:

<?php phpinfo(); ?>

Check in a browser(e.g. 123.456.78.90/info.php), save the HTML file locally for your records, then remove:

sudo rm /var/www/html/info.php

PHPMyAdmin

Install - you will need to enter the root MySQL password:

sudo apt-get install phpmyadmin apache2-utils
  1. Hit space then tab to select Apache2
  2. Choose “yes” when asked “Configure database for phpmyadmin with dbconfig-common?”
  3. Enter MySQL password when prompted
  4. Enter password for the phpmyadmin user

Make sure your password manager is open!

Once installed, PHPMyAdmin needs to be added to the Apache config file:

sudo nano /etc/apache2/apache2.conf

Add the following line to the end of apache2.conf:

Include /etc/phpmyadmin/apache.conf

Restart apache:

sudo service apache2 restart

Secure PHPMyAdmin with a .htaccess File

Configure the phpmyadmin directory to allow .htaccess rules:

sudo nano /etc/phpmyadmin/apache.conf

Add AllowOverride All under the the first directory block, straight after “DirectoryIndex…”:

<Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All
        [...]

Set up .htaccess file:

sudo nano /usr/share/phpmyadmin/.htaccess

Enter:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user

Create a htpasswd file:

sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

…where username is the username you want to give access to (doesn’t need to be an existing sytem user).

You’ll be prompted to enter a password for this user (twice). Restart Apache:

sudo service apache2 restart

The PHPMyAdmin directory is now password protected.

Note: If your system doesn’t recognise the htpasswd command - you receive the message htpasswd: command not found, you may need to install the apache-2 utils module:

sudo apt-get install apache2-utils

Once you’ve done this, you can re-try the htpasswd command and it should work. Don’t forget to restart Apache.

Access PHPMyAdmin

Use the MySQL root username & password.

See this Excellent & comprehensive article - most of the current instructions drawn from here.

Set Up Apache Virtual Hosts

Multiple sites on a single server/VPS.

Create Directory Structure

sudo mkdir -p /var/www/html/example.com/public_html
sudo mkdir -p /var/www/html/example2.com/public_html

The -p flag creates intermediate directories as required.

Give permissions:

sudo chown -R $USER:$USER /var/www/example.com/public_html
sudo chown -R $USER:$USER /var/www/test.com/public_html

Note WordPress is going to need the www-data to have ownership of the public_html subdirectories to allow file upload etc. - for the time being, give ownership to the current user - pass ownership to www-data later.

Set Permissions to 755 for directories:

sudo chmod -R 755 /var/www

Add index.html demo pages if necessary.

Create config files:

Create a config file for each site:

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/yoursite.com.conf

Use this as a template:

<VirtualHost *:80>
        ServerName yoursite.com
        ServerAlias www.yoursite.com
        ServerAdmin info@carawebs.com
        DocumentRoot /var/www/html/yoursite.com/public_html
        <Directory /var/www/html/yoursite.com/public_html>
                Options -Indexes +FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/yoursite.com.error.log
        CustomLog ${APACHE_LOG_DIR}/yoursite.com.access.log combined
</VirtualHost>

This config block sets the correct server name, alias and document root. Directory browsing is disallowed, and .htaccess files are allowed.

Site specific error reporting is added - log files are located here: /var/log/apache2/yoursite.com.error.log.

Enable the site using a2ensiteand restart Apache:

sudo a2ensite yoursite.com.conf
sudo service apache2 restart

Enable Apache Rewrites

Enabling the Apache rewrite module will be essential it you’re using pretty permalinks. Enable the module & restart Apache:

sudo a2enmod rewrite && sudo service apache2 restart

or

sudo a2enmod rewrite && sudo /etc/init.d/apache2 restart

Harden Apache

Prevent the Apache server signature that is printed as part of a web request - this is not needed and gives would-be hackers info about your server.

sudo nano /etc/apache2/conf-enabled/security.conf

# Set ServerSignature Off

Restart Apache for changes to take effect.

Prevent direct access of VCS files by adding this block to /etc/apache2/conf-enabled/security.conf

<DirectoryMatch "/\.git">
   Require all denied
</DirectoryMatch>

You could also prevent access to source control files by adding this to a .htaccess file in the site root:

# ==================================================================
# Prevent .git access
# ==================================================================

RedirectMatch 404 /\.git

Resources

Basic Setup

Guidelines & Tutorials to help set up a secure LAMP stack.

Post-setup actions:

Security

Good Digital Ocean security guide, including adding new user, setting up public key authentication, SSH configuration. Highly recommended:

LAMP Stack: Including PHPMyAdmin

Comprehensive instructions on how to set up a LAMP stack on a VPS running Ubuntu 14.04:

Set up PHPMyAdmin, including extra security measures (password protected directory with .htaccess):

Create SSL Certificate:

Set Up Mailserver

Exim Cheatsheet:

Load Testing a Server

OS Upgrades/Patches: Ubuntu

The OS is patched very promptly when security issues arise, and it is essential that your server is updated/upgraded regularly. Usually, sudo apt-get update followed by sudo apt-get upgrade is sufficient. The Ubuntu “Message of the Day” generally advises when upgrading is necessary - but it pays to stay up to date with OS developments:

Harden Apache


comments powered by Disqus