The Perfect Server - Ubuntu LEMP 7.4

This document details how we've set up our Ubuntu LEMP (Linux (E)Nginx Mysql and PHP) 7.4 stack. By provisioning a base Ubuntu Jammy image, and following these steps exactly, you would be able to duplicate our server image.

This is a living document. Based on on-going experience and community feedback we tweak our stacks and keep this doc continuously updated.

Please note: There may be breaking changes between PHP 7.2/7.3 and 7.4. Click here for more information.

Install fail2ban and enable firewall

apt-get update; apt-get upgrade -y; apt-get install -y fail2ban ufw curl wget htop nano ssh snapd;

## SSH, HTTP and HTTPS
ufw allow 22
ufw allow 80
ufw allow 443

## Skip the following 3 lines if you do not plan on using FTP
ufw allow 21 
ufw allow 50000:50099/tcp 
ufw allow out 20/tcp

## And lastly we activate UFW
ufw --force enable

We choose the port range 50000->50099 in order to allow passive FTP connections.

Add some PPAs to stay current

apt-get install -y software-properties-common
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y

Set up Nginx repository:

echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -

Please note: We are no longer using the ondrej repository for Nginx as the official mainline version now includes http2 and is several versions ahead of Ondrej at this point.

Set up MariaDB repositories

wget https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
chmod +x mariadb_repo_setup
./mariadb_repo_setup

Install base packages

apt-get update; apt-get install -y build-essential curl nano wget lftp unzip bzip2 arj nomarch lzop htop openssl gcc git binutils libmcrypt4 libpcre3-dev make python3 python3-pip supervisor unattended-upgrades whois zsh imagemagick uuid-runtime net-tools zip dirmngr apt-transport-https

Set the timezone to UTC

ln -sf /usr/share/zoneinfo/UTC /etc/localtime

Set SSH to KeepAlive

If you want the SSH Daemon to keep your connections alive, you can run the following commands:

sed -i "s/#TCPKeepAlive yes/TCPKeepAlive yes/" /etc/ssh/sshd_config
sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 60/" /etc/ssh/sshd_config
sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/" /etc/ssh/sshd_config

Install PHP7.4 and common PHP packages

apt-get install -y php7.4-cli php7.4-dev php7.4-pgsql php7.4-sqlite3 php7.4-gd php7.4-curl php7.4-memcached php7.4-imap php7.4-mysql php7.4-mbstring php7.4-xml php7.4-imagick php7.4-zip php7.4-bcmath php7.4-soap php7.4-intl php7.4-readline php7.4-common php7.4-pspell php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-opcache php7.4-apcu

Install Composer

curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer

Install and configure Memcached

apt-get install -y memcached
sed -i 's/-l 0.0.0.0/-l 127.0.0.1/' /etc/memcached.conf
systemctl restart memcached

Update PHP CLI configuration

sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/7.4/cli/php.ini
sed -i "s/display_errors = .*/display_errors = On/" /etc/php/7.4/cli/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.4/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.4/cli/php.ini

Configure sessions directory permissions

chmod 733 /var/lib/php/sessions
chmod +t /var/lib/php/sessions

Install Nginx and PHP-FPM

apt-get install -y nginx php7.4-fpm

Generate dhparam file for stronger Nginx SSL security

openssl dhparam -out /etc/nginx/dhparams.pem 2048

Tweak PHP-FPM settings

Please note: We are suppressing PHP error output here by setting these options to production values

sed -i "s/error_reporting = .*/error_reporting = E_ALL \& ~E_NOTICE \& ~E_STRICT \& ~E_DEPRECATED/" /etc/php/7.4/fpm/php.ini
sed -i "s/display_errors = .*/display_errors = Off/" /etc/php/7.4/fpm/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/7.4/fpm/php.ini
sed -i "s/upload_max_filesize = .*/upload_max_filesize = 256M/" /etc/php/7.4/fpm/php.ini
sed -i "s/post_max_size = .*/post_max_size = 256M/" /etc/php/7.4/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/7.4/fpm/php.ini

Tune PHP-FPM pool settings

sed -i "s/;listen\.mode =.*/listen.mode = 0666/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;request_terminate_timeout =.*/request_terminate_timeout = 60/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/pm\.max_children =.*/pm.max_children = 70/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/pm\.start_servers =.*/pm.start_servers = 20/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/pm\.min_spare_servers =.*/pm.min_spare_servers = 20/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/pm\.max_spare_servers =.*/pm.max_spare_servers = 35/" /etc/php/7.4/fpm/pool.d/www.conf
sed -i "s/;pm\.max_requests =.*/pm.max_requests = 500/" /etc/php/7.4/fpm/pool.d/www.conf

Tweak Nginx settings

sed -i "s/worker_processes.*/worker_processes auto;/" /etc/nginx/nginx.conf
sed -i "s/# multi_accept.*/multi_accept on;/" /etc/nginx/nginx.conf
sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/" /etc/nginx/nginx.conf
sed -i "s/# server_tokens off/server_tokens off/" /etc/nginx/nginx.conf

If you want XDebug - install it and follow the on-screen instructions

This is not installed per default on Webdock stacks - included here for reference.

pecl install xdebug

Configure Gzip for Nginx

Execute the following command to configure Gzip

cat > /etc/nginx/conf.d/gzip.conf << EOF
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;

gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/otf
font/ttf
image/svg+xml
image/x-icon
text/css
text/plain;
EOF

Install latest NodeJS LTS

curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - &&\
sudo apt-get install -y nodejs

Install MariaDB (MySQL) and set a strong root password

Remember to make a note of your password, you are going to need it in a minute

apt install mariadb-server mariadb-backup -y

Secure your MariaDB installation

mysql_secure_installation

Install phpMyAdmin

phpMyAdmin is enabled by default in Webdock stacks. If you do not use phpMyAdmin or feel it's a security risk, you should disable it. Click here to learn how to disable or remove phpMyAdmin.

We will install phpMyAdmin using Composer as Ubuntu packages are no longer being maintained.

mkdir -p /var/www/html
cd /var/www
composer create-project phpmyadmin/phpmyadmin
cp /var/www/phpmyadmin/config.sample.inc.php /var/www/phpmyadmin/config.inc.php
mysql -u root -pYOUR_ROOT_PASSWORD < /var/www/phpmyadmin/sql/create_tables.sql
sed -i "s/\$cfg\['blowfish_secret'\] = '';.*/\$cfg\['blowfish_secret'\] = '$(uuidgen | tr -d -)';/" /var/www/phpmyadmin/config.inc.php
mkdir /var/www/phpmyadmin/tmp; chown www-data:www-data /var/www/phpmyadmin/tmp;

Symlink phpMyAdmin, create logs dir and set permissions and ownership on /var/www

ln -s /var/www/phpmyadmin/ /var/www/html/phpmyadmin;  mkdir /var/www/logs;  chown www-data:www-data /var/www/html; chown www-data:www-data /var/www/logs; chown www-data:www-data /var/www; chmod -R g+rw /var/www;

Install Mongodb

MongoDB is installed but disabled by default in Webdock stacks. Click here to learn how to enable MongoDB

curl -fsSL https://pgp.mongodb.com/server-6.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-6.0.gpg --dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
apt update
apt install -y mongodb-org

add extension=mongodb.so to PHP-fpm and PHP-cli configuration:

pecl install mongodb
echo "extension=mongodb.so" > /etc/php/7.4/fpm/conf.d/30-mongodb.ini
echo "extension=mongodb.so" > /etc/php/7.4/cli/conf.d/30-mongodb.ini

Install Redis

apt install redis-server -y;

Set systemd for supervised and restart Redis

sed -i "s/supervised.*/supervised systemd/" /etc/redis/redis.conf; systemctl restart redis.service;

You may want to further secure your Redis installation

Create Nginx virtual host config

Create the file /etc/nginx/sites-available/webdock and input the following configuration

 mkdir /etc/nginx/sites-available; mkdir /etc/nginx/sites-enabled;
 nano /etc/nginx/sites-available/webdock

server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; client_max_body_size 256M; # Add index.php to the list if you are using PHP index index.html index.htm index.php; #Which domain names will this vhost respond to server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ /index.php?$query_string; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { access_log off; log_not_found off; } access_log /var/www/logs/access.log; error_log /var/www/logs/error.log error; error_page 404 /index.php; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors off; fastcgi_buffer_size 16k; fastcgi_buffers 4 16k; fastcgi_connect_timeout 600; fastcgi_send_timeout 600; fastcgi_read_timeout 600; } # Necessary for Let's Encrypt Domain Name ownership validation. Place any other deny rules after this location ~ /.well-known { allow all; } # Deny access to .htaccess or .htpasswd files location ~ /\.ht { deny all; } # Deny access to any git repository location ~ /\.git { deny all; } # Deny access to xmlrpc.php - a common brute force target against Wordpress location = /xmlrpc.php { deny all; access_log off; log_not_found off; return 444; } }

Now disable the default and symlink in your config

rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/webdock /etc/nginx/sites-enabled/webdock

Check that your nginx configuration file has Nginx user set to www-data, gzip on is uncommented and that it is including config files from /etc/nginx/sites-enabled/* (changes in red)

nano /etc/nginx/nginx.conf

...

user  www-data

...

gzip  on;

...

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

...

Install Letsencrypt Certbot

The apt version of Certbot is now deprecated, so we install it using snap instead.

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

Setup and configure FTP

FTP is enabled by default in Webdock stacks. If you do not use FTP or feel it's a security risk, you should disable it. Click here to learn how to disable FTP.

We are now building and installing Pure-FTPd directly from source instead of using APT as the official Ubuntu packages are very much out of date, and doing it this way simplifies config somewhat

We start with generating our TLS certificate

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
openssl req -x509 -days 36500 -nodes -newkey rsa:2048 -sha256 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem

Download, build and install Pure-FTPd - check what the latest version is at pureftpd.org and update here if appropriate:

wget https://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.50.tar.gz -O /tmp/pure-ftpd-1.0.50.tar.gz
cd /tmp; tar -xf pure-ftpd-1.0.50.tar.gz; cd pure-ftpd-1.0.50;
./configure --prefix=/usr --with-everything --with-tls --with-certfile=/etc/ssl/private/pure-ftpd.pem; make install;
cd /tmp; rm -rf ./pure-*;

Set our config and setup PureDB for authentication. Here we are disallowing anonymous login, setting MinUID to 33 so that users in the www-data group can log in, enabling TLS and non-TLS connections and lastly setting our chosen passive port range:

sed -i "s/BrokenClientsCompatibility .*/BrokenClientsCompatibility yes/" /etc/pure-ftpd.conf
sed -i "s/NoAnonymous .*/NoAnonymous yes/" /etc/pure-ftpd.conf
sed -i "s/# PureDB  /PureDB/" /etc/pure-ftpd.conf
sed -i "s/MinUID .*/MinUID 33/" /etc/pure-ftpd.conf
sed -i "s/# TLS /TLS /" /etc/pure-ftpd.conf
sed -i "s/# PassivePortRange .*/PassivePortRange 50000 50099/" /etc/pure-ftpd.conf
touch /etc/pureftpd.passwd; /usr/bin/pure-pw mkdb;

By editing the config file and setting TLS to a value of "2" you can force TLS connections. However, as we are self-signing our certificate here, you may encounter problems connecting with your FTP client and may need to forcibly ignore certificate errors.

Create the systemd service file so Pure-FTPd starts on boot

cat > /etc/systemd/system/pure-ftpd.service << EOF
## pure-ftpd binary startup for Webdock servers
## To reload systemd daemon after changes to this file:
## systemctl --system daemon-reload
[Unit]
Description=Pure-FTPd FTP server
After=network-online.target

[Service]
Type=forking
ExecStart=/usr/sbin/pure-ftpd /etc/pure-ftpd.conf
PIDFile=/var/run/pure-ftpd.pid
Restart=always
RestartSec=1

[Install]
WantedBy=multi-user.target
EOF

Enable the daemon

systemctl --system daemon-reload; systemctl enable pure-ftpd; systemctl start pure-ftpd;

Complete the configuration

systemctl restart pure-ftpd

Activate Fail2Ban for Pure-FTPd

cat > /etc/fail2ban/jail.d/pure-ftpd.conf << EOF
[pure-ftpd]
enabled=true
maxretry=5
EOF

Restart Fail2Ban

systemctl restart fail2ban

For a further discussion on other services which can be protected with Fail2Ban, please see our Fail2Ban configuration guide.

(Optional) Install BotGuard Server Module

BotGuard provides a service to protect your website from malicious bots, crawlers, scrapers, and hacker attacks. It selectively blocks bad bot traffic in real time, while granting unrestricted access to the website to human users, search engines, and affiliate bots. Read more on their website.

Please note: This is a completely optional step and not required for the functioning of your server. We include it here as Webdock offers 1 free domain protected per Server as part of our VPS Server packages.

Start with installing a missing required package and adding their repository key:

apt install apt-transport-https -y
curl -fsSL https://repo.botguard.net/botguard.gpg | apt-key add -

Next, install the module itself.  Read more in their integration guide here.

add-apt-repository "deb https://repo.botguard.net/debian $(lsb_release -cs) main nginx-mainline"
apt update; apt install libnginx-mod-botguard -y
systemctl restart nginx

BotGuard is now installed and once you have your domain set up in their dashboard you can edit /etc/nginx/conf.d/50-botguard.conf in order to set your assigned BotGuard servers. 

For more information, please see the BotGuard Integration Guide for Nginx

If you have problems upgrading Nginx after having installed the Botguard module, simply remove it with apt remove libnginx-mod-botguard  then upgrade Nginx with apt upgrade nginx and finally reinstall the Botguard module as shown above.

Set up logrotate for our Nginx logs

Execute the following to create log rotation config for Nginx - this gives you 10 days of logs, rotated daily

cat > /etc/logrotate.d/vhost << EOF
/var/www/logs/*.log {
 rotate 10
 daily
 compress
 delaycompress
 sharedscripts
 
 postrotate
 systemctl reload nginx > /dev/null
 endscript
}
EOF

Setup unattended security upgrades

cat > /etc/apt/apt.conf.d/10periodic << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

You can further tweak unattended upgrades if you wish in /etc/apt/apt.conf.d/50unattended-upgrades. The default in Ubuntu is to only install security upgrades automatically.

Restart your server

Make sure all services come up properly. You can see what services are listening on which ports on your server by running

netstat -tapn

Congratulations. All services should now come up and you have a production-ready webserver stack running. You can further tune your webserver and PHP-FPM settings based on your use-case (e.g. whether you have a high or low traffic site, mostly serve static or dynamic content etc.). Try Googling "optimize php-fpm" or "optimize apache" for example and pick settings that fit your requirements and chosen Webdock profile. For further tuning of Nginx, you can see our optimization guide.

If you find some optimized defaults you would like us to include in our stacks, please let us know and we will take a look.