{"id":35,"date":"2019-09-02T12:01:22","date_gmt":"2019-09-02T10:01:22","guid":{"rendered":"http:\/\/blog.remyblom.nl\/?p=35"},"modified":"2020-11-17T10:21:21","modified_gmt":"2020-11-17T09:21:21","slug":"installing-lemp-on-ubuntu-18-04-lts","status":"publish","type":"post","link":"https:\/\/blog.remyblom.nl\/?p=35","title":{"rendered":"Installing LEMP on Ubuntu 18.04 LTS"},"content":{"rendered":"\n<p>Just got <a href=\"https:\/\/blog.remyblom.nl\/?p=41\">a new box setup<\/a> which needs a LEMP-stack. So here we go: install the packages for nginx, php, mariaDB:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo apt install nginx mariadb-server php-fpm php-mysql<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Configure nginx<\/h2>\n\n\n\n<p>In <code>\/etc\/nginx\/nginx.conf<\/code> replace the <strong>SSL Settings<\/strong> part:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##\n# SSL Settings\n##\n\nssl_protocols TLSv1.2 TLSv1.3;\nssl_session_cache shared:SSL:20m;\nssl_session_timeout 180m;\nssl_prefer_server_ciphers on;\nssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;\nssl_dhparam \/etc\/nginx\/cert\/dhparam.pem;\nssl_stapling on;\nssl_stapling_verify on;\nresolver 8.8.8.8 8.8.4.4 valid=300s;\nresolver_timeout 5s;\nadd_header Strict-Transport-Security \"max-age=31536000\" always;<\/code><\/pre>\n\n\n\n<p>And my custom <strong>Logging Settings<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##\n# Logging Settings\n##\n\nlog_format combined_ssl '$time_local $status $host:$server_port $remote_user@$remote_addr $ssl_protocol\/$ssl_cipher \"$request\" $body_bytes_sent ref:$http_referer \"$http_user_agent\"';\naccess_log \/var\/log\/nginx\/access.log combined_ssl;\nerror_log \/var\/log\/nginx\/error.log;<\/code><\/pre>\n\n\n\n<p>And redirect everybody to https:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##\n# Redirect everybody to https\n##\n\nserver {\n    listen 80 default_server;\n    listen [::]:80 default_server;\n    server_name 
_;\n    return 301 https:\/\/$host$request_uri;\n}<\/code><\/pre>\n\n\n\n<p>Lastly, let&#8217;s generate some Diffie-Hellman parameters, disable the default site and restart nginx:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo mkdir -p \/etc\/nginx\/cert\n$ sudo openssl dhparam -out \/etc\/nginx\/cert\/dhparam.pem 4096\n$ sudo rm \/etc\/nginx\/sites-enabled\/default\n$ sudo service nginx restart<\/code><\/pre>\n\n\n\n<p>You should now have a working nginx installation that redirects all traffic to https, but you&#8217;ll need to configure at least one virtual host with working SSL certificates to get something to display in your browser.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MariaDB Hardening<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo mysql_secure_installation<\/code><\/pre>\n\n\n\n<p>You should be using <code>sudo<\/code> to connect to mariaDB with root, which will cause a problem when you want to be able to connect through phpMyAdmin. You can fix this by changing the authentication plugin for root to <code>mysql_native_password<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo mysql -u root -p\nMariaDB [(none)]> use mysql;\nMariaDB [mysql]> update user set plugin='mysql_native_password' where user='root';\nMariaDB [mysql]> flush privileges;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PHP<\/h2>\n\n\n\n<p>In <code>\/etc\/php\/7.2\/fpm\/php.ini<\/code> set your timezone:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>date.timezone = Europe\/Amsterdam<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">phpMyAdmin<\/h2>\n\n\n\n<p>I tried installing the phpMyAdmin package via <code>apt<\/code> but never got that working, so I just download the source and use that. 
In the directory <code>\/var\/www\/<\/code> download the latest ENGLISH only version of phpMyAdmin from their website at <a href=\"https:\/\/www.phpmyadmin.net\/downloads\/\">https:\/\/www.phpmyadmin.net\/downloads\/<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ wget https:\/\/files.phpmyadmin.net\/phpMyAdmin\/4.9.0.1\/phpMyAdmin-4.9.0.1-english.tar.gz\n$ tar -xvzf phpMyAdmin-4.9.0.1-english.tar.gz\n$ cd phpMyAdmin-4.9.0.1-english\n$ cp config.sample.inc.php config.inc.php<\/code><\/pre>\n\n\n\n<p>Let&#8217;s configure phpMyAdmin by editing <code>config.inc.php<\/code>:<\/p>\n\n\n\n<p>Add a blowfish secret and play around with &#8216;host&#8217;; when connecting to a unix-socket, use <code>localhost<\/code>, when connecting using TCP\/IP use <code>127.0.0.1<\/code>.<\/p>\n\n\n\n<p>You can give any of your virtual hosts access to phpMyAdmin by creating a symlink in its webroot to <code>\/var\/www\/phpMyAdmin-4.9.0.1-english\/<\/code>. I also limit access to it in the nginx configuration of that vhost:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>location \/phpmyadmin {\n\tallow 10.1.0.0\/16;\t# example\n\tdeny all;\n}<\/code><\/pre>\n\n\n\n<p>When you are able to log in as root, phpMyAdmin will give some pointers to improve your installation, like adding a <code>tmp<\/code> directory, adding missing php-modules, etc.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just got a new box setup which needs a LEMP-stack. 
So here we go: install the packages for nginx, php, mariaDB: Configure nginx In \/etc\/nginx\/nginx.conf replace SSL Settings part: And my custom Logging Settings: And redirect everybody to https: Lastly let&#8217;s generate some Diffie Hellman parameters, disable the default site and restart nginx: You should &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.remyblom.nl\/?p=35\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Installing LEMP on Ubuntu 18.04 LTS&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,3,2],"tags":[],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-lemp","category-ubuntu","category-vps"],"_links":{"self":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35"}],"version-history":[{"count":14,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions"}],"predecessor-version":[{"id":235,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=\/wp\/v2\/posts\/35\/revisions\/235"}],"wp:attachment":[{"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.remyblom.nl\/
index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}