LEMP Stack Setup

Last Updated: March 4, 2015

LEMP Stack - Linux, Nginx (Engine X), MySQL, PHP

Web Server - NGINX

Installation

We want the latest release from NGINX so we will add their apt repository.

wget https://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key

Add the lines for your distribution to /etc/apt/sources.list. The first pair is for Debian and the second pair is for Ubuntu. Change the codename (wheezy, trusty) to match your release.

deb http://nginx.org/packages/debian/ wheezy nginx
deb-src http://nginx.org/packages/debian/ wheezy nginx

deb http://nginx.org/packages/ubuntu/ trusty nginx
deb-src http://nginx.org/packages/ubuntu/ trusty nginx

If you want the latest development version run this instead.

apt-add-repository ppa:nginx/development
apt-get update
apt-get install nginx

Now let's install.

apt-get update
apt-get install nginx

Configuration

NGINX

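Putting this in /etc/nginx/nginx.conf will give you an A on the Qualys SSL Test (as of this page's last update). Note that the cipher list keeps 3DES and RC4 as last-resort fallbacks and that TLSv1 and TLSv1.1 are enabled; drop them if you do not have to support old clients.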

# SSL PCI Compliance
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5;
ssl_prefer_server_ciphers on;

You also want to change the user so it matches the PHP configuration.

user www-data;

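Put this in your nginx.conf if you use Cloudflare. Only list ranges that Cloudflare currently publishes, because any address matched here is trusted to set the client IP through the CF-Connecting-IP header.

# Cloudflare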
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;

vHost

nano /etc/nginx/conf.d/default.conf

These configs assume a single vhost. If you host another website, remove default_server from the other sites, and change the server_name parameter and the root directory.

HTTP

server {
    listen 80 default_server;
    server_name localhost;

    root /var/www/;
    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ /index.html;
    }

    error_page 404 /404.html;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

HTTPS

server {
    listen 443 default_server spdy;
    server_name localhost;

    root /var/www/;
    index index.html index.htm index.php;

    ssl on;
    ssl_certificate /etc/ssl/cert.crt;
    ssl_certificate_key /etc/ssl/cert.key;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Redirect HTTP to HTTPS

server {
    listen 80;
    server_name localhost;

    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }
}

Reverse Proxy

server {
    listen 443 ssl spdy;
    server_name localhost;

    ssl on;
    ssl_certificate /etc/ssl/cert.crt;
    ssl_certificate_key /etc/ssl/cert.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<IP_ADDRESS_HERE>:8080/;
        client_max_body_size 100M;
    }
}

Database Server - MySQL

Installation

apt-get install mariadb-server mariadb-client

It will ask you to set a root password during the installation.

Configuration

Execute this command:

mysql_secure_installation

Type in the root password that you set, then answer the prompts as follows:

Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

PHP

Installation

apt-get install php5-fpm php5-mysql

Configuration

nano /etc/php5/fpm/php.ini

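Change cgi.fix_pathinfo=1 to cgi.fix_pathinfo=0 (uncomment the line if it starts with a semicolon). This stops PHP from guessing which file to execute when the requested script path does not exist. If this breaks your site, change it back.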

nano /etc/php5/fpm/pool.d/www.conf

Make sure there is a line that says:

listen = /var/run/php5-fpm.sock

If you would like to change the maximum file upload size, find these lines in /etc/php5/fpm/php.ini and change both values. post_max_size must be at least as large as upload_max_filesize.

upload_max_filesize = 2M
post_max_size = 8M

Finishing

Restart the services

service php5-fpm restart
service nginx restart
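
Added example (not part of the original guide): a shell check that the files edited above agree with each other, namely the nginx user against the PHP-FPM pool user, fastcgi_pass against the pool's listen socket, and the php.ini path-info setting (cgi.fix_pathinfo). The function names and the sample files are made up for illustration, and it assumes the Unix-socket setup used in this guide.

```shell
#!/bin/sh
# Added example: cross-check the settings this guide edits (Unix-socket setup assumed).

# ini_get FILE KEY: value of the last uncommented "KEY = value" line.
ini_get() {
    awk -F= -v k="$2" '
        /^[ \t]*[;#]/ || !index($0, "=") { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v); out = v }
        END { print out }' "$1"
}

# ngx_get FILE DIRECTIVE: first argument of each uncommented occurrence, one per line.
ngx_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1"
}

# check_lemp NGINX_CONF VHOST_CONF PHP_INI POOL_CONF: returns 1 on any finding.
check_lemp() {
    rc=0
    ngx_user=$(ngx_get "$1" user | head -n 1)
    pool_user=$(ini_get "$4" user)
    [ -n "$ngx_user" ] && [ "$ngx_user" = "$pool_user" ] ||
        { echo "MISMATCH: nginx user '$ngx_user', pool user '$pool_user'"; rc=1; }
    sock=$(ini_get "$4" listen)
    for pass in $(ngx_get "$2" fastcgi_pass); do
        [ "$pass" = "unix:$sock" ] ||
            { echo "MISMATCH: fastcgi_pass $pass, pool listen $sock"; rc=1; }
    done
    [ "$(ini_get "$3" cgi.fix_pathinfo)" = "0" ] ||
        { echo "FINDING: cgi.fix_pathinfo is not set to 0"; rc=1; }
    return $rc
}

# Constructed sample files (not from a real host): the pool listens on TCP
# while the vhost expects the Unix socket, so one mismatch is reported.
sample_dir=$(mktemp -d)
printf 'user  www-data;\n' > "$sample_dir/nginx.conf"
printf 'location ~ \\.php$ {\n    fastcgi_pass unix:/var/run/php5-fpm.sock;\n}\n' > "$sample_dir/default.conf"
printf ';cgi.fix_pathinfo=1\ncgi.fix_pathinfo = 0\n' > "$sample_dir/php.ini"
printf 'user = www-data\nlisten = 127.0.0.1:9000\n' > "$sample_dir/www.conf"
check_lemp "$sample_dir/nginx.conf" "$sample_dir/default.conf" \
           "$sample_dir/php.ini" "$sample_dir/www.conf" ||
    echo "Fix the findings above before restarting php5-fpm and nginx."
```

On a real host, pass /etc/nginx/nginx.conf, /etc/nginx/conf.d/default.conf, /etc/php5/fpm/php.ini and /etc/php5/fpm/pool.d/www.conf to check_lemp.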

Getting phpMyAdmin

Install git

apt-get install git

Get the stable repository

mkdir -p /var/www/html/phpmyadmin/
cd /var/www/html/phpmyadmin/
git init
git remote add -t STABLE -f origin https://github.com/phpmyadmin/phpmyadmin.git
git checkout STABLE