The Perfect Server – Ubuntu LEMP
This document details how we’ve set up our Ubuntu LEMP (Linux (E)Nginx Mysql and PHP) stack. By provisioning a base Ubuntu Noble image, and following these steps exactly, you would be able to duplicate our server image.
This is a living document. Based on on-going experience and community feedback we tweak our stacks and keep this doc continuously updated.
Please note: We no longer offer pre-built images with specific versions of PHP pre-installed. Rather, here we show how we installed the latest well-supported version of PHP on our stack and after provisioning a Webdock server you can then use the Manage PHP screen to switch to any PHP version you want.
Install fail2ban and enable firewall
apt-get update; apt-get upgrade -y; apt-get install -y fail2ban ufw curl wget htop nano ssh snapd;
## SSH, HTTP and HTTPS ufw allow 22 ufw allow 80 ufw allow 443 ## Skip the following 3 lines if you do not plan on using FTP ufw allow 21 ufw allow 50000:50099/tcp ufw allow out 20/tcp ## And lastly we activate UFW ufw --force enable
We choose the port range 50000->50099 in order to allow passive FTP connections.
Add some PPAs to stay current
apt-get install -y software-properties-common apt-add-repository ppa:ondrej/php -y
Set up Nginx repository:
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list echo -e "Package: *nPin: origin nginx.orgnPin: release o=nginxnPin-Priority: 900n" | sudo tee /etc/apt/preferences.d/99nginx
Please note: We are no longer using the ondrej repository for Nginx as the official mainline version now includes http2 and is several versions ahead of Ondrej at this point.
Set up MariaDB repositories
curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash
After performing this step, apt will complain about the MaxScale repository not functioning properly. If you are not using MaxScale (we are not using it in this guide) then this warning can be ignored. Otherwise, remove the MaxScale repo line in /etc/apt/sources.list.d/mariadb.list
Install base packages
apt-get update; apt-get install -y build-essential curl nano wget lftp unzip bzip2 arj nomarch lzop htop openssl gcc git binutils libmcrypt4 libpcre3-dev make python3 python3-pip supervisor unattended-upgrades whois zsh imagemagick uuid-runtime net-tools zip dirmngr apt-transport-https
Set the timezone to UTC
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
Set SSH to KeepAlive
If you want the SSH Daemon to keep your connections alive, you can run the following commands:
sed -i "s/#TCPKeepAlive yes/TCPKeepAlive yes/" /etc/ssh/sshd_config sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 60/" /etc/ssh/sshd_config sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/" /etc/ssh/sshd_config
Install PHP and common PHP packages
apt install -y php8.3-cli php8.3-dev php8.3-pgsql php8.3-sqlite3 php8.3-gd php8.3-curl php8.3-memcached php8.3-imap php8.3-mysql php8.3-mbstring php8.3-xml php8.3-imagick php8.3-zip php8.3-bcmath php8.3-soap php8.3-intl php8.3-readline php8.3-common php8.3-pspell php8.3-tidy php8.3-xsl php8.3-opcache php8.3-apcu
Please Note: We are no longer including php-xmlrpc as that has moved to PECL
Install Composer
curl -sS https://getcomposer.org/installer | php mv composer.phar /usr/local/bin/composer
Install and configure Memcached
apt-get install -y memcached sed -i 's/-l 0.0.0.0/-l 127.0.0.1/' /etc/memcached.conf systemctl restart memcached
Update PHP CLI configuration
sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/8.3/cli/php.ini sed -i "s/display_errors = .*/display_errors = On/" /etc/php/8.3/cli/php.ini sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/8.3/cli/php.ini sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/8.3/cli/php.ini
Configure session directory permissions
chmod 733 /var/lib/php/sessions chmod +t /var/lib/php/sessions
Install Nginx and PHP-FPM
apt-get install -y nginx php8.3-fpm
Generate dhparam file for stronger Nginx SSL security
openssl dhparam -out /etc/nginx/dhparams.pem 2048
Tweak PHP-FPM settings
Please note: We are suppressing PHP error output here by setting these options to production values
sed -i "s/error_reporting = .*/error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED/" /etc/php/8.3/fpm/php.ini sed -i "s/display_errors = .*/display_errors = Off/" /etc/php/8.3/fpm/php.ini sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/8.3/fpm/php.ini sed -i "s/upload_max_filesize = .*/upload_max_filesize = 256M/" /etc/php/8.3/fpm/php.ini sed -i "s/post_max_size = .*/post_max_size = 256M/" /etc/php/8.3/fpm/php.ini sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/8.3/fpm/php.ini
Tune PHP-FPM pool settings
sed -i "s/;listen.mode =.*/listen.mode = 0666/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/;request_terminate_timeout =.*/request_terminate_timeout = 60/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/pm.max_children =.*/pm.max_children = 70/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/pm.start_servers =.*/pm.start_servers = 20/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/pm.min_spare_servers =.*/pm.min_spare_servers = 20/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/pm.max_spare_servers =.*/pm.max_spare_servers = 35/" /etc/php/8.3/fpm/pool.d/www.conf sed -i "s/;pm.max_requests =.*/pm.max_requests = 500/" /etc/php/8.3/fpm/pool.d/www.conf
Tweak Nginx settings
sed -i "s/worker_processes.*/worker_processes auto;/" /etc/nginx/nginx.conf sed -i "s/# multi_accept.*/multi_accept on;/" /etc/nginx/nginx.conf sed -i "s/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/" /etc/nginx/nginx.conf sed -i "s/# server_tokens off/server_tokens off/" /etc/nginx/nginx.conf
If you want XDebug – install it and follow the on-screen instructions
This is not installed by default on Webdock stacks – included here for reference.
pecl install xdebug
Configure Gzip for Nginx
Execute the following command to configure Gzip
cat > /etc/nginx/conf.d/gzip.conf << EOF gzip_comp_level 5; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-web-app-manifest+json application/xhtml+xml application/xml font/otf font/ttf image/svg+xml image/x-icon text/css text/plain; EOF
Install latest NodeJS LTS using NodeSource Repo
apt install -y curl curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - apt install -y nodejs node -v
Install MariaDB (MySQL) and set a strong root password
Remember to make a note of your password, you are going to need it in a minute
apt install mariadb-server mariadb-backup -y
Set MariaDB Performance Settings
You should change these settings depending on how much RAM your server has available.
cat > /etc/mysql/mariadb.conf.d/99-optimization.cnf << EOF [mariadbd] # Webdock suggested performance settings for MariaDB. # This is for a system with 16G of RAM. Double the values below for # each additional 16 Gigs of RAM you have available # Performance settings innodb_buffer_pool_size = 8G innodb_log_file_size = 512M thread_cache_size = 16 query_cache_size = 128M query_cache_type = 1 # Do not change this table_open_cache = 4096 # Connection settings max_connections = 500 max_user_connections = 50 EOF
Secure your MariaDB installation
mysql_secure_installation
Install phpMyAdmin
We will install phpMyAdmin using Composer as Ubuntu packages are no longer being maintained. Replace YOUR_ROOT_PASSWORD below with the password you set previously.
mkdir -p /var/www/html cd /var/www composer create-project phpmyadmin/phpmyadmin cp /var/www/phpmyadmin/config.sample.inc.php /var/www/phpmyadmin/config.inc.php mysql -u root -pYOUR_ROOT_PASSWORD < /var/www/phpmyadmin/sql/create_tables.sql sed -i "s/$cfg['blowfish_secret'] = '';.*/$cfg['blowfish_secret'] = '$(uuidgen | tr -d -)';/" /var/www/phpmyadmin/config.inc.php mkdir /var/www/phpmyadmin/tmp; chown www-data:www-data /var/www/phpmyadmin/tmp;
Symlink phpMyAdmin, create logs dir and set permissions and ownership on /var/www
ln -s /var/www/phpmyadmin/ /var/www/html/phpmyadmin; mkdir /var/www/logs; chown www-data:www-data /var/www/html; chown www-data:www-data /var/www/logs; chown www-data:www-data /var/www; chmod -R g+rw /var/www;
Install MongoDB
curl -fsSL https://pgp.mongodb.com/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list apt update apt install -y mongodb-org
When prompted during Mongodb build, accept the default option by hitting the return key.
add extension=mongodb.so to PHP-fpm and PHP-cli configuration:
pecl install mongodb echo "extension=mongodb.so" > /etc/php/8.3/fpm/conf.d/30-mongodb.ini echo "extension=mongodb.so" > /etc/php/8.3/cli/conf.d/30-mongodb.ini
Install Redis
apt install redis-server -y
Set systemd for supervised and restart Redis
sed -i "s/supervised.*/supervised systemd/" /etc/redis/redis.conf; systemctl restart redis.service;
You may want to further secure your Redis installation
Create Nginx virtual host configuration
Create the file /etc/nginx/sites-available/webdock and input the following configuration
mkdir /etc/nginx/sites-available; mkdir /etc/nginx/sites-enabled; nano /etc/nginx/sites-available/webdock
Now disable the default and symlink in your config
rm /etc/nginx/sites-enabled/default ln -s /etc/nginx/sites-available/webdock /etc/nginx/sites-enabled/webdock
Check that your nginx configuration file has Nginx user set to www-data, gzip on is uncommented and that it is including config files from /etc/nginx/sites-enabled/* (changes in red)
nano /etc/nginx/nginx.conf ... user www-data ... gzip on; server_tokens off; ... include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; ...
Install Letsencrypt Certbot
The apt version of Certbot is now deprecated, so we install it using snap instead.
snap install --classic certbot ln -s /snap/bin/certbot /usr/bin/certbot
Setup and configure FTP
We are now building and installing Pure-FTPd directly from source instead of using APT as the official Ubuntu packages are very much out of date, and doing it this way simplifies config somewhat
We start with generating our TLS certificate
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048 openssl req -x509 -days 36500 -nodes -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem chmod 600 /etc/ssl/private/*.pem
Download, build and install Pure-FTPd – check what the latest version is at pureftpd.org and update here if appropriate:
wget https://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.50.tar.gz -O /tmp/pure-ftpd-1.0.50.tar.gz cd /tmp; tar -xf pure-ftpd-1.0.50.tar.gz; cd pure-ftpd-1.0.50; ./configure --prefix=/usr --with-everything --with-tls --with-certfile=/etc/ssl/private/pure-ftpd.pem; make install; cd /tmp; rm -rf ./pure-*;
Set our config and setup PureDB for authentication. Here we are disallowing anonymous login, setting MinUID to 33 so that users in the www-data group can log in, enabling TLS and non-TLS connections and finally setting our chosen passive port range:
sed -i "s/BrokenClientsCompatibility .*/BrokenClientsCompatibility yes/" /etc/pure-ftpd.conf sed -i "s/NoAnonymous .*/NoAnonymous yes/" /etc/pure-ftpd.conf sed -i "s/# PureDB /PureDB/" /etc/pure-ftpd.conf sed -i "s/MinUID .*/MinUID 33/" /etc/pure-ftpd.conf sed -i "s/# TLS /TLS /" /etc/pure-ftpd.conf sed -i "s/# PassivePortRange .*/PassivePortRange 50000 50099/" /etc/pure-ftpd.conf touch /etc/pureftpd.passwd; /usr/bin/pure-pw mkdb;
By editing the config file and setting TLS to a value of “2” you can force TLS connections. However, as we are self-signing our certificate here, you may encounter problems connecting with your FTP client and may need to forcibly ignore certificate errors.
Create the systemd service file so Pure-FTPd starts on boot
cat > /etc/systemd/system/pure-ftpd.service << EOF ## pure-ftpd binary startup for Webdock servers ## To reload systemd daemon after changes to this file: ## systemctl --system daemon-reload [Unit] Description=Pure-FTPd FTP server After=network-online.target [Service] Type=forking ExecStart=/usr/sbin/pure-ftpd /etc/pure-ftpd.conf PIDFile=/var/run/pure-ftpd.pid Restart=always RestartSec=1 [Install] WantedBy=multi-user.target EOF
Enable the daemon
systemctl --system daemon-reload; systemctl enable pure-ftpd; systemctl start pure-ftpd;
Complete the configuration
systemctl restart pure-ftpd
Activate Fail2Ban for Pure-FTPd
cat > /etc/fail2ban/jail.d/pure-ftpd.conf << EOF [pure-ftpd] enabled=true maxretry=5 EOF
Restart Fail2Ban
systemctl restart fail2ban
For a further discussion on other services which can be protected with Fail2Ban, please see our Fail2Ban configuration guide.
Set up logrotate for our Nginx logs
Execute the following to create log rotation config for Nginx – this gives you 10 days of logs, rotated daily
cat > /etc/logrotate.d/vhost << EOF /var/www/logs/*.log { rotate 10 daily compress delaycompress sharedscripts postrotate systemctl reload nginx > /dev/null endscript } EOF
Setup unattended security upgrades
cat > /etc/apt/apt.conf.d/10periodic << EOF APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1"; EOF
You can further tweak unattended upgrades if you wish in /etc/apt/apt.conf.d/50unattended-upgrades. The default in Ubuntu is to only install security upgrades automatically.
Restart your server
Make sure all services come up properly. You can see what services are listening on which ports on your server by running
netstat -tapn
Congratulations. All services should now come up and you have a production-ready webserver stack running. You can further tune your webserver and PHP-FPM settings based on your use-case (e.g. whether you have a high or low traffic site, mostly serve static or dynamic content etc.). Try Googling “optimize php-fpm” or “optimize apache” for example and pick settings that fit your requirements and chosen Webdock profile. For further tuning of Nginx, you can see our optimization guide.
If you find some optimized defaults you would like us to include in our stacks, please let us know and we will take a look.