LAMP Stack Setup
LAMP, Linux, Sysadmin, Ubuntu
Before starting, follow the guidelines on setting up Ubuntu 14.04 LTS.
Install Apache
Check by visiting the IP address in the browser - you should see the default “Apache 2 Ubuntu” intro page. This shows some useful info on config files - if you’re not familiar with Apache2 config, it might be worth a look.
Install MySQL
We need some databases!
Install MySQL and some helper packages:
Open up keepass/KeepassX, set a strong password for MySQL root.
After installation, take extra measures to secure MySQL:
Install MySQL system tables - tell MySQL to create a database directory structure to store info:
Run a MySQL security script:
During execution of this script, you will first get the option to reset the root password. You won’t need to do this, because you’ve already set a hardcore password, so answer “n”. Thereafter, hit return to accept the default (Y) answer for each question. This deletes some dummy DBs, disallows remote root login, removes anonymous users and reloads the privilege tables so that changes take effect immediately.
Install PHP
Use apt to install:
Modify the way that Apache serves files, to give priority to PHP:
…bring the php index file forward in the hierarchy, so the directive looks like this:
Restart Apache:
View available PHP modules:
If you need additional PHP modules (e.g. php5-curl):
Increase the max filesize for uploads, because … clients. You need to edit /etc/php5/apache2/php.ini, since this is the settings file used by Apache:
Restart Apache:
To install additional PHP modules, see the Justin Ellingwood article on Digital Ocean.
Test PHP Setup
Check PHP by outputting phpinfo(); in a php file and accessing via a browser:
Copy this into the file:
Check in a browser (e.g. 123.456.78.90/info.php), save the HTML file locally for your records, then remove:
PHPMyAdmin
Install - you will need to enter the root MySQL password:
- Hit space then tab to select Apache2
- Choose “yes” when asked “Configure database for phpmyadmin with dbconfig-common?”
- Enter MySQL password when prompted
- Enter password for the phpmyadmin user
Make sure your password manager is open!
Once installed, PHPMyAdmin needs to be added to the Apache config file:
Add the following line to the end of apache2.conf:
Restart apache:
Secure PHPMyAdmin with a .htaccess File
Configure the phpmyadmin directory to allow .htaccess rules:
Add AllowOverride All under the first directory block, straight after “DirectoryIndex…”:
Set up .htaccess file:
Enter:
Create a htpasswd file:
…where username is the username you want to give access to (doesn’t need to be an existing system user).
You’ll be prompted to enter a password for this user (twice). Restart Apache:
The PHPMyAdmin directory is now password protected.
Note: If your system doesn’t recognise the htpasswd command - you receive the message htpasswd: command not found - you may need to install the apache-2 utils module:
Once you’ve done this, you can re-try the htpasswd command and it should work. Don’t forget to restart Apache.
Access PHPMyAdmin
Use the MySQL root username & password.
See this excellent & comprehensive article - most of the current instructions are drawn from here.
Set Up Apache Virtual Hosts
Multiple sites on a single server/VPS.
Create Directory Structure
The -p flag creates intermediate directories as required.
Give permissions:
Note: WordPress is going to need the www-data user to have ownership of the public_html subdirectories to allow file upload etc. For the time being, give ownership to the current user and pass ownership to www-data later.
Set Permissions to 755 for directories:
Add index.html demo pages if necessary.
Create config files:
Create a config file for each site:
Use this as a template:
This config block sets the correct server name, alias and document root. Directory browsing is disallowed, and .htaccess files are allowed.
Site specific error reporting is added - log files are located here: /var/log/apache2/yoursite.com.error.log.
Enable the site using a2ensite and restart Apache:
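The virtual host template described above, as an added example (not the original post's own file): a shell function that prints the config for one domain and refuses anything that is not a plain host name, so nothing unexpected ends up in the Apache config. The /var/www/<domain>/public_html layout, port 80, the access log line and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate a per-site virtual host for Apache 2.4 (Ubuntu 14.04).

# Accept only lower-case host names such as yoursite.com.
valid_domain() {
  case $1 in
    ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_vhost DOMAIN: print the virtual host config on stdout.
make_vhost() {
  domain=$1
  if ! valid_domain "$domain"; then
    echo "refusing invalid domain: $domain" >&2
    return 1
  fi
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot /var/www/$domain/public_html

    <Directory /var/www/$domain/public_html>
        # No directory browsing; .htaccess files are honoured
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Site-specific logs (APACHE_LOG_DIR is /var/log/apache2 on Ubuntu)
    ErrorLog \${APACHE_LOG_DIR}/$domain.error.log
    CustomLog \${APACHE_LOG_DIR}/$domain.access.log combined
</VirtualHost>
EOF
}

# Preview only. On the server, pipe the output to:
#   sudo tee /etc/apache2/sites-available/yoursite.com.conf
make_vhost yoursite.com
```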
Enable Apache Rewrites
Enabling the Apache rewrite module will be essential if you’re using pretty permalinks. Enable the module & restart Apache:
or
Harden Apache
Prevent the Apache server signature that is printed as part of a web request - this is not needed and gives would-be hackers info about your server.
Restart Apache for changes to take effect.
Prevent direct access of VCS files by adding this block to /etc/apache2/conf-enabled/security.conf:
You could also prevent access to source control files by adding this to a .htaccess file in the site root:
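A way to confirm the hardening settings in this section are actually active, as an added example (not code from the original post): a shell check that reads config files, ignores commented-out lines and reports what is missing. The ServerTokens check goes slightly beyond the text (it controls the version shown in the Server response header); the .git/.svn match is a heuristic, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Apache config files for the hardening settings above.

# Drop whole-line comments so commented-out directives are not counted.
active_lines() { cat "$@" | grep -v '^[[:space:]]*#' || true; }

# check_hardening FILE...: print each missing setting; return 1 if any is missing.
check_hardening() {
  conf=$(active_lines "$@")
  rc=0
  has() { printf '%s\n' "$conf" | grep -Eiq "$1"; }
  has '^[[:space:]]*ServerSignature[[:space:]]+Off' ||
    { echo "MISSING: ServerSignature Off (version footer on error pages)"; rc=1; }
  has '^[[:space:]]*ServerTokens[[:space:]]+Prod' ||
    { echo "MISSING: ServerTokens Prod (version in the Server header)"; rc=1; }
  has '^[[:space:]]*<?(DirectoryMatch|RedirectMatch)[[:space:]].*(git|svn)' ||
    { echo "MISSING: rule denying access to .git/.svn paths"; rc=1; }
  return "$rc"
}

# Constructed sample files: stock-style settings vs. the hardened form.
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
ServerTokens OS
ServerSignature On
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>
EOF
  cat > "$1/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<DirectoryMatch "/\.(git|svn)">
    Require all denied
</DirectoryMatch>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_hardening "$tmp/weak.conf" || echo "weak.conf: needs hardening"
check_hardening "$tmp/hardened.conf" && echo "hardened.conf: OK"
# On the server: check_hardening /etc/apache2/conf-enabled/security.conf
```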
Resources
Basic Setup
Guidelines & Tutorials to help set up a secure LAMP stack.
Post-setup actions:
Security
Good Digital Ocean security guide, including adding new user, setting up public key authentication, SSH configuration. Highly recommended:
LAMP Stack: Including PHPMyAdmin
Comprehensive instructions on how to set up a LAMP stack on a VPS running Ubuntu 14.04:
Set up PHPMyAdmin, including extra security measures (password protected directory with .htaccess):
Create SSL Certificate:
Set Up Mailserver
- Send only Exim Mailserver, Debian
- Install Exim, Ubuntu 12.04
- SPF Records: Reduce Spoofing Spam
- http://thanhsiang.org/faqing/node/185
- http://dev.antoinesolutions.com/ubuntu-14.04-trusty/install-and-configure-exim-mail-server-on-ubuntu-14.04
Exim Cheatsheet:
Load Testing a Server
OS Upgrades/Patches: Ubuntu
The OS is patched very promptly when security issues arise, and it is essential that your server is updated/upgraded regularly. Usually, sudo apt-get update followed by sudo apt-get upgrade is sufficient. The Ubuntu “Message of the Day” generally advises when upgrading is necessary - but it pays to stay up to date with OS developments:
Harden Apache