LEMP Stack (Linux, Nginx, MySQL, PHP) and PHPMyAdmin (via SSH-Tunnel) under Debian Wheezy
Nginx is sometimes poetically called the “unsinkable webserver”. Thanks to the thread pool it can serve many concurrent TCP connections (even very slow ones from smartphones) using minimal system resources.
MySQL is a powerful RDBMS (Relational Database Management System) and is available for free. It is the basis of prominent web applications such as WordPress or Joomla.
The individual steps were tested on a Rackhansa VPS (Virtual Private Server) while writing this article. These instructions will work on any default installation of Debian Wheezy.
1. OS Update
First update your operating system so that all security updates can be installed:
apt-get update && apt-get upgrade
2. Installation MySQL Server
The installation of MySQL is very easy with:
apt-get install mysql-server
During the installation you are asked to set the root password of your MySQL server, as can be seen in the picture below.
Some additional settings:
# Initialize system tables
mysql_install_db
# Secure your MySQL instance
/usr/bin/mysql_secure_installation
3. Installation NGINX
Just one command:
apt-get install nginx
After each change to the nginx configuration files, restart the nginx web server with the following command. Because nginx does not start automatically after installation, restart it now.
service nginx restart
Test: With ifconfig you can display the address of your vServer. Check the URL http://my-ip-address/ with a browser (or make sure that your DNS settings are correct and use http://www.meine-domain.de/ instead of an IP address) and you will be greeted with the following message:
Welcome to nginx!
Configure nginx to cooperate with php5-fpm: Edit the file /etc/nginx/sites-enabled/default, then restart nginx.
# find the line
server_name localhost;
# and assign the hostname of your website:
server_name www.meine-domain.tld;
# find the line
index index.html index.htm;
# edit it to allow PHP processing:
index index.html index.htm index.php;
# Edit the PHP processing block (the dot is escaped so that only names ending in .php match):
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    #
    # With php5-cgi alone:
    # fastcgi_pass 127.0.0.1:9000;
    # With php5-fpm:
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}
Nginx needs to be restarted:
service nginx restart
4. PHP
For php5-fpm only a few packages have to be specified, the rest is controlled by dependencies:
apt-get install php5-fpm php5-mysql
Configuration: cgi.fix_pathinfo is set to 1 by default. This may lead to a security breach, because PHP then tries to guess which script to run when the requested path does not exist as a file. For help, see the comments in the configuration file php.ini. Edit the file with "nano /etc/php5/fpm/php.ini", look for the line with cgi.fix_pathinfo and change it as follows:
cgi.fix_pathinfo=0
Under Debian, php5-fpm is already configured with the fast Unix socket /var/run/php5-fpm.sock. php5-fpm just has to be started:
service php5-fpm restart
PHP-Info Page
Create a new file with nano /usr/share/nginx/www/info.php and the following content:
<?php phpinfo(); ?>
Test: Browse your URL http://my-ip-address/info.php. The output of info.php should look like this:
5. PHPMyAdmin
It’s just nice to be able to manage your database server with a graphical user interface. Below, phpMyAdmin is installed so that you can only access it on localhost and your database is protected from attacks from the Internet. For occasional access to your database, building an SSH tunnel is much more convenient than fiddling with SQL commands.
The main advantage of an SSH tunnel is that it can be set up quickly and offers a smaller target for hackers than any web application (secure passwords assumed).
First, we perform the installation with a standard configuration for apache2 so PHPMyAdmin can create the necessary MySQL tables.
apt-get install phpmyadmin
# Accept the configuration for apache2, set the SQL root password and answer all questions with Yes
Now we create an nginx configuration file for phpMyAdmin: edit the new web server configuration with nano /etc/nginx/sites-available/phpmyadmin and fill it with the following contents:
server {
    # bind to the loopback interface only
    listen localhost:8000;
    server_name localhost;
    root /usr/share/phpmyadmin;
    index index.php;
    # the dot is escaped so that only names ending in .php match
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
The line listen localhost:8000 means that this site cannot be reached from the Internet. Enable this new configuration with the following commands:
cd /etc/nginx/sites-enabled/
ln -s ../sites-available/phpmyadmin .
service nginx restart
Set up the SSH tunnel with the commands below:
# create a new user and assign a strong password
useradd -m test
passwd test
# We assume a Linux desktop; on Windows, e.g. putty can be used to create an SSH tunnel.
# Replace www.my-domain.tld with your real hostname!
ssh -fCN test@www.my-domain.tld -L 8000:localhost:8000
# -f : ssh runs as background process
# -N : do not execute remote command
# -C : data compression
# -L 8000:localhost:8000 : local port 8000 is forwarded to port 8000 on the server's localhost
Your PHPMyAdmin URL: http://localhost:8000/
Your server is now ready for real applications.
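To verify the result of steps 4 and 5, the following shell script (an added example, not part of the original article) checks that cgi.fix_pathinfo is effectively 0, that an nginx site such as the phpMyAdmin one listens only on loopback, and that the info.php test page has been removed. The function names and the info.php check are this example's own, and the sample files in demo() are constructed.

```shell
#!/bin/sh
# Added example: audit the hardening settings this guide relies on.

# Print the effective cgi.fix_pathinfo of a php.ini. Lines starting with ';'
# are comments; with no active line PHP's built-in default (1) applies.
effective_fix_pathinfo() {
    awk -F= '
        /^[ \t]*;/ { next }
        $1 ~ /^[ \t]*cgi\.fix_pathinfo[ \t]*$/ {
            v = $2; sub(/;.*/, "", v); gsub(/[ \t"\r]/, "", v)
        }
        END { print (v == "" ? 1 : v) }' "$1"
}

# Print every nginx "listen" target that is not a loopback address or a
# unix socket, i.e. one that is reachable from the network.
public_listens() {
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' | awk '
        $1 == "listen" &&
        $2 !~ /^(localhost|127\.[0-9.]+|\[::1\])(:[0-9]+)?$/ &&
        $2 !~ /^unix:/ { print $2 }'
}

# audit PHP_INI NGINX_SITE WEBROOT: returns 0 only if every check passes.
audit() {
    rc=0
    [ "$(effective_fix_pathinfo "$1")" = "0" ] ||
        { echo "FAIL: cgi.fix_pathinfo is not 0 in $1"; rc=1; }
    pub=$(public_listens "$2")
    [ -z "$pub" ] || { echo "FAIL: $2 listens on $pub"; rc=1; }
    [ ! -e "$3/info.php" ] ||
        { echo "FAIL: $3/info.php still exposes phpinfo()"; rc=1; }
    return "$rc"
}

# Constructed sample input (not taken from a real server): a stock php.ini
# line and the phpMyAdmin site from this guide. The audit reports one FAIL.
demo() {
    d=$(mktemp -d)
    printf ';cgi.fix_pathinfo=1\n' > "$d/php.ini"
    printf 'server { listen localhost:8000; index index.php; }\n' > "$d/site"
    audit "$d/php.ini" "$d/site" "$d"; st=$?
    rm -rf "$d"
    return "$st"
}

demo || echo "demo: audit reported findings"
```

On the server from this guide, the call would be audit /etc/php5/fpm/php.ini /etc/nginx/sites-enabled/phpmyadmin /usr/share/nginx/www.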
WAF (Web Application Firewall)
A WAF provides advanced protection for web applications. This subject is covered in a separate article.