This tutorial will show you how to install and configure the LEMP stack on your VPS/LowEndBox, running Debian 9.
LEMP stands for Linux Nginx MySQL PHP, and is a lightweight variation of the LAMP stack, which includes Apache instead of Nginx. You’ll notice that it’s not written as LNMP, and that’s due to the pronunciation of the word Nginx (Engine-X).
LEMP consumes far less resources than the LAMP stack, and is thus more sutiable for cheap VPS machines and Low End Boxes. It is 2.5 times faster under heavy load, according to benchmarks. Also, to speed up things even more, we are going to install MariaDB instead of MySQL as it is much faster, but still fully compatible with the original MySQL.
What We Are Going To Cover
- Installing Nginx
- Nginx configuration basics
- Setting up a Firewall
- Installing and configuring MariaDB
- Installing latest PHP
- Configuring Nginx to serve PHP files
- Testing the installed stack
- (With a domain) Securing the site with Let’s Encrypt certificates
Prerequisites
We will install and set up the LEMP stack on Debian 9:
- Starting with a clean VPS with
- At least 512Mb of RAM
- 15Gb of free disk space
- You will need root user access
- You must have DNS records for your domain (example.com in this tutorial) already set up to point to your VPS in order to install Let’s Encrypt certificates. If you don’t have one, access your IP address instead and skip the last step
Step 1: Install Nginx
Installation and Firewall Setup
First, log in to your server as root or as an another account with sudo privileges. Then, update your package manager’s cache:
sudo apt update
Install Nginx by running the following command:
sudo apt install nginx -y
Nginx is now installed. Go to your domain (or IP address if you don’t have one) in your browser. The default Nginx welcome page will be shown:
This means that Nginx was installed successfully. Enable it via systemctl to start it at every server boot:
sudo systemctl enable nginx
For maximum security, you’ll now install ufw (uncomplicated firewall) and configure it to allow HTTP, HTTPS, FTP and SSH connections, and to deny all others:
sudo apt install ufw -y
sudo ufw allow 'Nginx Full'
sudo ufw allow OpenSSH
sudo ufw allow SSH
sudo ufw allow ftp
Enable it (make it active) by running:
sudo ufw enable
Answer y when asked, and reload the site in your browser. If you still see the same welcome page, you have configured your firewall correctly. If it shows an error (such as Access Denied), disable the firewall:
sudo ufw disable
and check its configuration:
sudo ufw status
You’ll see a list of enabled profiles. If you don’t see the ones from above, rerun the commands and enable it again.
Configuration Directories
On Debian 9, Nginx stores its configuration files under /etc/nginx, and the default directory for serving static files is /usr/share/nginx/html. This will become important in the later steps, when we’ll need to change the configuration and add new files.
Step 2: Installing MariaDB
Install MariaDB (it is available to apt by default):
sudo apt install mysql-server -y
Start it when the installation finishes:
sudo systemctl start mysql
To retain full compatibility with the original MySQL product, MariaDB responds to the mysql command.
After MariaDB installation, it is mandatory to run a script (called mysql_secure_installation) to secure the database:
sudo mysql_secure_installation
When it asks you for the current root password, press Enter, because this is the first time you are configuring it. Then, enter a new password for the root user and answer y for anonymous user removal. If you don’t plan on accessing the database from outside the server, answer y to the next question, otherwise type in n. Enter y or press Enter for all questions that follow.
Try to connect to it by running:
sudo mysql -u root -p
When prompted, enter the root password you just set.
You’ll see the mysql prompt:
meaning that MariaDB is working correctly and is properly secured. Type in exit to quit the console.
Step 3: Installing PHP
You’ll now install PHP 7.0, the version available by default on Debian 9.
To install PHP 7.0, run:
sudo apt install php-fpm php-mysql
Then, install additional PHP extensions that you will most likely need:
sudo apt install php-mysql php-mbstring php-dev php-gd php-pear php-zip php-xml php-curl -y
To set the version of PHP you just installed as the default one system-wide, run the following command:
sudo update-alternatives --set php /usr/bin/php7.0
Now check the version of the available PHP:
sudo php --version
You’ll see that the version is 7.0, as it should be.
Step 4: Configuring Nginx to Serve PHP Content
PHP is installed and working correctly, but we now have to configure Nginx to use it, because it won’t do so automatically (unlike Apache).
As noted in Step 1, Nginx stores its configuration files under /etc/nginx. Configuration that is currently enabled (which will be applied by Nginx) is stored in a folder named sites-enabled. Similarly, sites that are available, but are not enabled (and thus can not be accessed from the Internet), are stored in a folder named sites-available. We’ll edit the configuration of the default enabled site.
Delete the default config file, because we won’t be needing it:
rm /etc/nginx/sites-enabled/default
A copy of the default site config can be found at /etc/nginx/sites-available/default.
Create a new config file for editing:
nano /etc/nginx/sites-enabled/default
Add the following lines:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
Save and close the file.
The first part of the above config specifies that Nginx should listen to the HTTP port 80 for requests. Then it sets the root folder for serving files to /var/www/html (which is where you’ll store your website files) and tells Nginx to first try to serve PHP files (instead of HTML).
The rest of the config shown tells Nginx how to call PHP when requested, and to deny access to .htaccess and similar files, which originate from the Apache web server. They are not used by Nginx, and should not be served to users because they might contain some sensitive info.
Restart Nginx for the changes to take effect:
sudo systemctl restart nginx
Try reloading your site (or IP address) in your browser. You should see the same Nginx default welcome page as before.
To test if PHP rendering is working, create a PHP file in /var/www/html:
sudo nano /var/www/html/index.php
Put the following into it:
<?php
phpinfo();
?>
Save and close the file.
The phpinfo() function outputs very detailed information about PHP installation.
Reload the site in your browser. This time, if all is well, you’ll see a page similar to this:
If you see a 502 Bad Gateway error, check the fastcgi_pass line in the above config (the PHP version may be different, though that is unlikely).
Be sure to remove the file immediately afterwards, because it reveals a lot of sensitive info:
rm /var/www/html/index.php
Step 5: Securing Your Domain Using Let’s Encrypt
If you have a domain name, fully registered and pointed to your server, you can secure it using free Let’s Encrypt TLS certificates. The benefits of this are that you’ll have HTTPS access and a padlock will show next to your domain name in all browsers.
Let’s Encrypt certificates will be generated and configured using Certbot, a free program created for this purpose. Let’s Encrypt certificates expire after 90 days, and Certbot will automatically renew them when it decides it is time (every 60 days by default), so you don’t have to worry about them at all.
To install Certbot, you’ll first need to enable the Debian Backports repository by running:
secho "deb http://ftp.debian.org/debian stretch-backports main" |
sudo tee /etc/apt/sources.list.d/backports.list
Update your package manager cache:
sudo apt update
Then, install Certbot:
sudo apt install certbot python-certbot-nginx -t stretch-backports -y
Once it is done, run Certbot:
sudo certbot --nginx --rsa-key-size 4096
Enter an email address you know you’ll check, then agree to the terms of service by typing in A. Press Y if you want to subscribe to EFF’s newsletter, and then input your domain name. Certbot will then ask you if you wish to redirect all traffic to HTTPS – you do, so type in 2.
You’ll receive a congratulatory message, which means that your domain is now secured with free HTTPS certificates from Let’s Encrypt. Refresh your domain in your browser once more. A padlock will show to the left of your site address, meaning that the connection is encrypted. If you want, you can run your site through the SSL Server Test and see that you’ll get an A or better.
What You Can Do Next
You have now installed and configured a LEMP stack on your Debian 9 server. You can now host your PHP website(s) on it, and they will have access to the MariaDB database. For example, you can install WordPress, Joomla, Drupal, Moodle, or any other PHP application that may need to access the database, and it will work with sufficient further configuration.
Dusko Savic is a technical writer and programmer.
Related Posts:
- World Host Group Expands Again with Nimbus Hosting Acquisition - October 30, 2024
- OVHcloud’s 2024 Annual Performance: The Growth Continues - October 29, 2024
- Looking for a VPN?We’ve Got a Thread for You - December 7, 2021
Leave a Reply