Install LAMP
LAMP is short for Linux, Apache, MySQL/MariaDB and PHP. These are the foundations of most web servers.
Install Apache
apt update -y </dev/null
apt install apache2 -y </dev/null
a2enmod rewrite
a2enmod headers
chown -R www-data:www-data /var/www
systemctl restart apache2
Install MariaDB
apt install mariadb-server -y </dev/null
systemctl status mariadb
echo Done
● mariadb.service - MariaDB 10.1.47 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-11-08 23:41:31 UTC; 1min 4s ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 6324 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 27 (limit: 4915)
CGroup: /system.slice/mariadb.service
└─6324 /usr/sbin/mysqld
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: performance_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Phase 6/7: Checking and upgrading tables
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Processing databases
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: information_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: performance_schema
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: Phase 7/7: Running 'FLUSH PRIVILEGES'
Nov 08 23:41:31 system /etc/mysql/debian-start[6357]: OK
Nov 08 23:41:31 system /etc/mysql/debian-start[6388]: Checking for insecure root accounts.
Nov 08 23:41:31 system /etc/mysql/debian-start[6392]: Triggering myisam-recover for all MyISAM tables and aria-recover f
Nov 08 23:41:31 system systemd[1]: Started MariaDB 10.1.47 database server.
To secure the MariaDB server as much as possible, run the post-installation script. The script will let you continue without adding a password for the MariaDB root user, but it is preferred that the standard one be entered.
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] n
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] n
... skipping.
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] n
... skipping.
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
root@system:~#
Make any changes to the MariaDB configuration.
Note that if this is a system that was previously configured, changing the /etc/mysql entry to the symbolic link is all that is required.
Stop the database engine
systemctl stop mysql
Allow Remote Access and Turn on the slow query log
sed -i 's/= 127.0.0.1/= 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's/#slow_query_log_file/slow_query_log_file/' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i '/slow_query_log_file/a slow_query_log = 1' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's/#long_query_time = 10/long_query_time = 1/' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's/#log_slow_rate_limit/log_slow_rate_limit/' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's/#log_slow_verbosity/log_slow_verbosity/' /etc/mysql/mariadb.conf.d/50-server.cnf
sed -i 's/#log-queries-not-using-indexes/log-queries-not-using-indexes/' /etc/mysql/mariadb.conf.d/50-server.cnf
Restart the Database Engine
systemctl start mysql
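An added example, not part of the original page: read back the options that the sed edits above change, flag a bind-address that is not loopback, and count how many times the appended slow_query_log line now appears (the append adds another copy each time it is run). The function names and the sample file content are constructed for illustration.

```shell
# Added example, not from the original page. Sample content is constructed.
# cnf_value KEY FILE: print the last uncommented assignment of KEY.
# MariaDB treats '-' and '_' in option names alike, and a later line
# overrides an earlier one, so both are handled.
cnf_value() {
  awk -F= -v want="$1" '
    BEGIN { gsub(/-/, "_", want) }
    /^[ \t]*[#;]/ { next }
    NF >= 2 {
      key = $1; gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
      if (key == want) {
        val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); found = 1
      }
    }
    END { if (found) print val }' "$2"
}

# audit_cnf FILE: one line per finding for the options edited above.
audit_cnf() {
  bind="$(cnf_value bind-address "$1")"
  case "$bind" in
    127.0.0.1|::1|localhost) echo "OK   bind-address=$bind (loopback only)" ;;
    "") echo "WARN bind-address is not set in this file" ;;
    *)  echo "WARN bind-address=$bind (listens beyond loopback; firewall it)" ;;
  esac
  if [ "$(cnf_value slow_query_log "$1")" = "1" ]; then
    echo "OK   slow_query_log=1 file=$(cnf_value slow_query_log_file "$1")"
  else
    echo "WARN slow_query_log is not enabled"
  fi
  # The sed 'a' append adds another copy on every run; report the count.
  echo "INFO slow_query_log assignments: $(grep -c '^slow_query_log[[:space:]]*=' "$1")"
}

# Constructed sample: the relevant lines as they look after the edits ran twice.
sample_cnf() {
  cat <<'EOF'
[mysqld]
bind-address            = 0.0.0.0
slow_query_log_file     = /var/log/mysql/mariadb-slow.log
slow_query_log = 1
slow_query_log = 1
long_query_time = 1
EOF
}

# Audit the file named in $1, or the constructed sample when none is given.
f="${1:-}"
[ -n "$f" ] || { f="$(mktemp)"; sample_cnf > "$f"; }
audit_cnf "$f"
```

Pass /etc/mysql/mariadb.conf.d/50-server.cnf as the first argument to audit the live file.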
Install PHP/PHPMyAdmin
Install
Since phpmyadmin depends upon PHP, installing phpmyadmin covers most of it.
apt install phpmyadmin php-cli php-mbstring php-intl php-pear -y
The install will open a dialog box and ask a few questions. It will ask for the MariaDB password; select apache2 as the web server.
Configure PHP for Production
sed -i "s|.*upload_max_filesize\s*=.*|upload_max_filesize = 16M|g" /etc/php/7.4/fpm/php.ini
sed -i "s|.*upload_max_filesize\s*=.*|upload_max_filesize = 16M|g" /etc/my.cnf.d/mariadb-server.cnf
Allow Login With Root Account
Allow the root user to log in to the phpMyAdmin console. Clearing the plugin column switches root to password authentication.
mysql -u root <<EOF
use mysql;
update user set plugin='' where User='root';
flush privileges;
\q
EOF
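An added check, not part of the original page: the server now listens on 0.0.0.0, the hardening prompts in the transcript above were answered 'n', and root has just been moved to password authentication, so the account table is worth reading back. The script classifies rows of mysql.user; the query in the comment is an assumed way to produce them and the sample rows are constructed.

```shell
# Added example, not from the original page. Reads tab-separated rows of
# User, Host, plugin, password state (empty|set), for instance from this
# assumed query against MariaDB's mysql.user table:
#   mysql -u root -N -B -e \
#     "SELECT User, Host, plugin, IF(Password='','empty','set') FROM mysql.user"
audit_accounts() {
  awk -F'\t' '
    function loopback(h) { return h == "localhost" || h == "127.0.0.1" || h == "::1" }
    {
      user = $1; host = $2; plugin = $3; pw = $4
      name = (user == "" ? "(anonymous)" : user) "@" host
      if (user == "")
        print "WARN anonymous account on host " host
      if (user == "root" && !loopback(host))
        print "WARN root is defined for non-loopback host " host
      if (pw == "empty" && (plugin == "" || plugin == "mysql_native_password"))
        print "WARN " name " logs in with an empty password"
      else if (plugin == "unix_socket")
        print "OK   " name " authenticates as the matching OS user only"
    }'
}

# Constructed rows: root after plugin was cleared, a remote root entry,
# the anonymous account left in place, and an ordinary application user.
sample_accounts() {
  printf 'root\tlocalhost\t\tempty\n'
  printf 'root\t%%\tmysql_native_password\tset\n'
  printf '\tlocalhost\t\tempty\n'
  printf 'app\tlocalhost\tmysql_native_password\tset\n'
}

# "-" audits rows piped on stdin; anything else audits the constructed sample.
if [ "${1:-}" = "-" ]; then audit_accounts; else sample_accounts | audit_accounts; fi
```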
Install Python
Python 3 is installed as part of the default Ubuntu 20.04 release, but verify:
python --version
To install if necessary:
apt install python3
The response will likely show version 2. To fix that, do the following:
cd /usr/bin
ls -l python*
If python is not a symlink to Python version 3.12, do this:
rm python
ln -s python3.12 python
Install pip
apt install python3-pip -y </dev/null
cd /usr/bin
ln -s pip3 pip
Configure Apache2/PHP
Apache2
Testing the site with the SSL Labs SSL Server Test should result in an A+ (Whoo Hoo!) rating. The following changes were needed to get past a B+.
Update the /etc/apache2/mods-available/ssl.conf file.
sed -i 's/SSLCipherSuite HIGH:!aNULL/SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"/' /etc/apache2/mods-available/ssl.conf
sed -i 's/#SSLHonorCipherOrder/SSLHonorCipherOrder/' /etc/apache2/mods-available/ssl.conf
sed -i 's/SSLProtocol all -SSLv3/SSLProtocol all -SSLv2 -SSLv3/' /etc/apache2/mods-available/ssl.conf
sed -i 's/# H2Push/H2Push/g' /etc/apache2/mods-available/http2.conf
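An added example, not part of the original page: a read-back of ssl.conf that lists cipher-string tokens which add legacy suites (the string above still names RC4) and the legacy protocol versions that "SSLProtocol all" leaves in unless they are subtracted. The function names are hypothetical and the sample file is constructed from the directives as the edits above leave them.

```shell
# Added example, not from the original page. Sample config is constructed.
# directive NAME FILE: value of the last uncommented NAME line, quotes removed.
directive() {
  sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | tail -n 1 | tr -d '"'
}

# weak_cipher_tokens FILE: tokens in SSLCipherSuite that add (rather than
# remove with ! or -) RC4, DES/3DES, MD5, export, LOW or NULL suites.
weak_cipher_tokens() {
  directive SSLCipherSuite "$1" | tr ' :' '\n\n' | grep -v '^[!-]' |
    grep -E '(^|\+)(RC4|3DES|DES|MD5|EXP|LOW|aNULL|eNULL)($|\+)'
}

# legacy_protocols FILE: TLS 1.0/1.1 when SSLProtocol starts from "all" and
# does not subtract them. Lists built up with +TLSv1.x are not analysed here.
legacy_protocols() {
  proto=" $(directive SSLProtocol "$1") "
  case "$proto" in *" all "*) ;; *) return 0 ;; esac
  for p in TLSv1 TLSv1.1; do
    case "$proto" in *" -$p "*) ;; *) echo "$p" ;; esac
  done
}

# Constructed sample: the three directives as the edits above leave them.
sample_ssl_conf() {
  cat <<'EOF'
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3
EOF
}

# Audit the file named in $1, or the constructed sample when none is given.
f="${1:-}"
[ -n "$f" ] || { f="$(mktemp)"; sample_ssl_conf > "$f"; }
echo "weak cipher tokens:"; weak_cipher_tokens "$f" | sed 's/^/  /'
echo "legacy protocols not excluded:"; legacy_protocols "$f" | sed 's/^/  /'
```

Pass /etc/apache2/mods-available/ssl.conf as the first argument to audit the live file; whether a listed suite or protocol is actually negotiable also depends on the OpenSSL build the server links against.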
Enable HTTP/2
Some of the mod installations may have been done earlier.
apt install php8.3-fpm -y </dev/null
a2dismod php8.3
a2enconf php8.3-fpm
a2enmod proxy_fcgi
a2dismod mpm_prefork
a2enmod mpm_event
Edit the php8.3-fpm config file to improve performance. The file is: /etc/php/8.3/fpm/pool.d/www.conf. Change dynamic to static and increase the value of pm.max_children to 25.
sed -i 's/pm = dynamic/pm = static/' /etc/php/8.3/fpm/pool.d/www.conf
sed -i 's/pm.max_children = 5/pm.max_children = 25/' /etc/php/8.3/fpm/pool.d/www.conf
a2enmod http2
systemctl restart apache2
systemctl start php8.3-fpm
Note: the php.ini file will not be re-read by simply restarting Apache; PHP now runs under php8.3-fpm, so that service must be restarted.
Since we are using certificates provided by Cloudflare, the SSL sections of the sites files should be commented out or removed.
Performance Improvements
Install memcached
apt install memcached libmemcached-tools -y < /dev/null
systemctl status memcached
apt install php-memcached -y </dev/null
pip install pymemcache
pip install python-memcached
Test Functionality
echo '<?php' > /var/www/html/phpinfo.php
echo ' phpinfo( );' >> /var/www/html/phpinfo.php
echo '?>' >> /var/www/html/phpinfo.php
Open browser to http://192.168.86.1/phpinfo.php
Install Thumbor
Thumbor is a self-hosted CDN that resizes images on the fly.
