Currently successfully needs more testing on a Debian OS 11.5.0 installation. (I now remember why I didn’t want to touch this stuff any more. But oh well, I may as well completely overhaul this script again. The current one does work, but not well enough for me)
Step-by-step is functioning, will now wipe the server to start from scratch again. Also, the previous article will now be deleted.
Note:
If you are using this on a fresh Debian install, SUDO might not have been installed, nor has the user (so not the root) been add to SUDO. This is how you do that if you are logged in as user:
su - apt update apt install sudo usermod -aG sudo <username> exit exit
You need to exit twice so you log out as root and as user. After that, you need to log back in as user so you can start using sudo from now on.
Let’s begin! You can name the script something like
setup.sh
#!/bin/bash # Update system sudo apt update sudo apt upgrade -y # Install necessary packages sudo apt install gnupg nginx mariadb-server php7.4-fpm php7.4-mysql php7.4-curl php7.4-gd php7.4-mbstring php7.4-xml php7.4-zip ssh ufw nano fail2ban curl wget sudo openssl net-tools unzip -y # Add repository key for PHP 8.0 sudo apt install software-properties-common -y sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg # Add repository for PHP 8.0 echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list sudo apt update # Install PHP 8.0 and extensions sudo apt install php8.0-fpm php8.0-mysql php8.0-curl php8.0-gd php8.0-mbstring php8.0-xml php8.0-zip -y # Configure UFW to allow web traffic and SSH sudo ufw allow OpenSSH sudo ufw allow 'Nginx Full' sudo ufw allow 3306/tcp # Enable UFW sudo ufw enable # Configure automatic security updates echo 'APT::Periodic::Update-Package-Lists "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic echo 'APT::Periodic::Download-Upgradeable-Packages "1";' | sudo tee -a /etc/apt/apt.conf.d/10periodic echo 'APT::Periodic::AutocleanInterval "7";' | sudo tee -a /etc/apt/apt.conf.d/10periodic echo 'APT::Periodic::Unattended-Upgrade "1";' | sudo tee -a /etc/apt/apt.conf.d/20auto-upgrades # Disable root login via SSH sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config sudo systemctl restart sshd # Generate SSH key pairs ssh-keygen -t rsa -b 4096 # Configure Nginx sudo systemctl start nginx sudo systemctl enable nginx # Configure PHP 7.4 sudo systemctl start php7.4-fpm sudo systemctl enable php7.4-fpm # Configure PHP 8.0 sudo systemctl start php8.0-fpm sudo systemctl enable php8.0-fpm # Configure MariaDB sudo mysql_secure_installation # Allow Nginx to use PHP sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.4/fpm/php.ini sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/8.0/fpm/php.ini # Restart Nginx and PHP services sudo systemctl restart nginx sudo systemctl restart php7.4-fpm sudo systemctl restart php8.0-fpm # Create a temporary file to store server and PHP info tmpfile=$(mktemp) # Get server info uname -a > "$tmpfile" # Get PHP version php -v >> "$tmpfile" # Append server and PHP info to index.html cat "$tmpfile" | sudo tee /var/www/html/index.html >/dev/null # Remove temporary file rm "$tmpfile" # Install adminer sudo apt install adminer -y sudo ln -s /usr/share/adminer/adminer.php /var/www/html/adminer.php sudo chown -R www-data:www-data /usr/share/adminer /var/www/html/adminer.php # Set the permissions correct for www sudo chmod g+w /var/www sudo chown -R :www-data www sudo chmod g+s www change_ownership() { sudo chown -R "$1":www-data /var/www echo "Ownership of the www folder has been set to $1:www-data." } # Loop until a valid username is provided while true; do # Prompt the user to enter the desired username read -p "Enter the username for permissions: " username # Check if the username provided exists if id "$username" &>/dev/null; then change_ownership "$username" break # Exit the loop if a valid username is provided else echo "Error: User $username does not exist." fi done echo "LEMP setup completed successfully." echo "Check if Adminer is working by opening a browser, and entering http://IP_address/adminer.php in the address bar"
To make the script executable:
sudo chmod +x setup.sh
and run it with
sudo ./setup.sh
When things like PHP fail to work (becuase y’know… PHP)
These are the files that have to look this way to make PHP happen.
sudo nano /etc/nginx/sites-available/default
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or WordPress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.php index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # location ~ \.php$ { include snippets/fastcgi-php.conf; # # With php-fpm (or other unix sockets): fastcgi_pass unix:/run/php/php8.0-fpm.sock; #non-standard addition fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #}
sudo nano /etc/nginx/nginx.conf
user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; # multi_accept on; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; ## # PHP Config ## # PHP-FPM upstream upstream php { server unix:/var/run/php/php8.0-fpm.sock; # Adjust the PHP version if necessary } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #} }
And when you enter the following commands, you restart NGINX and PHP FPM and there should be no error message.
sudo systemctl restart nginx # Adjust the PHP version if necessary. In my case, I want PHP 8.0 sudo systemctl restart php8.0-fpm
Good luck 🙂