LEMP: Debian, NGINX + Certbot, MariaDB, PHP

This tutorial shows you how to prepare your Debian VPS for hosting your website.
We are not going to perform any fine-tuning or optimization on the default configuration files. So neither NGINX, MySQL or PHP (LEMP) will get any other than the necessary configuration changes in order to run a website properly.

1. Install the Software

If you’re not sure about your admin rights, always enter the command sudo -i at the beginning of every session:

sudo -i

This command will grant you the rights of a power user, so you don’t have to write the command sudo at the beginning of every command line.

NGINX, Certbot, PHP installation:

:~# apt install nginx python3-certbot-nginx php-fpm php-mysql zip unzip pwgen

MariaDB can be installed as follows:

:~# apt install mariadb-server

Installing MariaDB by using the default-package repositories might not install the latest version of MariaDB. For the latest MariaDB version visit Official MariaDB Repo and follow the instructions.

2. Configure the Software

You should secure your MariaDB installation first:

:~# mysql_secure_installation && mysql_upgrade
:~# mysql

 Welcome to the MariaDB monitor.  Commands end with ; or \g.
 Your MariaDB connection id is 55
 Server version: 10.4.6-MariaDB-1:10.4.6+maria~buster mariadb.org binary distribution
 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 

We will now run Certbot for our default vmXXXX.contaboserver.net hostname, you could also simply add any other website.

Important:
In case you want to secure multiple domains you can simply add them with another “-d” option behind the command, e.g.:

:~# certbot --nginx -d $(hostname) -d vmXXXX.contaboserver.net

Certbot will also create a default configuration for your website within /etc/nginx/sites-enabled/

Let’s configure PHP, so NGINX knows where to send PHP-Files for interpreting. Check where PHP-FPM listens to:

:~# grep "listen =" /etc/php/7.3/fpm/pool.d/www.conf
listen = /run/php/php7.3-fpm.sock

The pool configuration file got a lot of parameters which can be adjusted according to the hardware your server is running and the type of scripts hosted on your website.
Open /etc/nginx/sites-enabled/default and you will see a PHP section which is commented out, you could install multiple PHP-Versions, add a server or VPS for PHP interpreting only and much more.
We will add the following lines to any “server {}” configuration we want PHP to be available on:

location ~ .php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}

You also need to expand the “index” line with “index.php” :

 index index.php index.html index.htm; 

:~# systemctl restart nginx

We will now download and install phpMyAdmin and make it available. On Debian 10 phpMyAdmin is not available via “apt install phpmyadmin” command, they are probably going to add the package once the Alpha got stable.
For downloads visit Official phpMyAdmin Website . As we are using PHP 7.3 we need to download the Alpha Version, which is still in testing phase.

:~# mkdir /var/www/phpmyadmin
:~# cd /var/www/phpmyadmin/
:~# wget https://files.phpmyadmin.net/phpMyAdmin/5.0.0-alpha1/phpMyAdmin-5.0.0-alpha1-all-languages.zip
&& unzip phpMyAdmin-5.0.0-alpha1-all-languages.zip
:~# mv phpMyAdmin-5.0.0-alpha1-all-languages/* .

Create a database user and import the database; run “pwgen” to generate random passwords.

:~# mysql < sql/create_tables.sql
:~# mysql

CREATE USER 'phpmyadminuser'@'localhost'  IDENTIFIED BY 'USE ONLY SECURE PASSWORDS !!';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'phpmyadminuser'@'localhost'
IDENTIFIED BY 'USE ONLY SECURE PASSWORDS !!'; FLUSH PRIVILEGES;

Let’s configure phpMyAdmin to use the database. Uncomment the following lines in config.inc.php:

/* User used to manipulate with storage */
  $cfg['Servers'][$i]['controlhost'] = 'localhost';
  $cfg['Servers'][$i]['controlport'] = '3306';
  $cfg['Servers'][$i]['controluser'] = 'phpmyadminuser';

:~# cp -p config.sample.inc.php config.inc.php
:~# pwgen 32 1 #Copy the password for blowfish secret
:~# chown www-data: /var/www/phpmyadmin -R

Last but not least, configure the webserver to make the content available.
Add the following section to the domain you want to expose it on:

    location /phpmyadmin {
           root /var/www/phpmyadmin/;
           index index.php index.html index.htm;
           location ~ ^/phpmyadmin/(.+\.php)$ {
                   try_files $uri =404;
                   root /var/www/phpmyadmin/;
                   fastcgi_pass unix:/run/php/php7.3-fpm.sock;
                   fastcgi_index index.php;
                   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
           }
           location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                   root /var/www/phpmyadmin/;
           }
    }

Scroll to Top