openec2 Article Description

Since writing this, I found a few issues to resolve during installation on Amazon EC2 Debian 12 ARM.

Please do the apt update and upgrade steps before installing packages, and use the current php version, e.g. 8.3.

So:

[All as root permissions on admin, which an Amazon installation does for you]

cd /home/admin

apt update
apt upgrade

apt install software-properties-common ca-certificates lsb-release
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
apt install gnupg2
wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
apt update
apt install software-properties-common ca-certificates lsb-release
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
apt install gnupg2
apt install php8.3

apt install php8.3-cli php8.3-mbstring php8.3-xml php8.3-common php8.3-curl php8.3-imap php8.3-bz2
apt install php8.3-mysqli php8.3-fpm gcc libjpeg* zip php8.3-zip
apt install php8.3-xmlrpc php8.3-soap php8.3-intl
apt install php8.3-gd
apt install memcached php8.3-memcached libmemcached-tools
[check in case:]
apt install php8.3-mbstring php8.3-bcmath php8.3-xml php8.3-mysql php8.3-common php8.3-gd php8.3-cli php8.3-curl php8.3-zip php8.3-gd
apt install libgd-tools ipset net-tools
apt install software-properties-common ca-certificates lsb-release
apt install gnupg
apt install gnupg2
apt remove *apache*

apt install python3-venv
apt install php8.3-xmlrpc php8.3-soap php8.3-intl
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
apt autoremove
/opt/certbot/bin/pip install certbot
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
apt install mariadb-server
apt install certbot
mariadb-secure-installation
systemctl stop mariadb
systemctl start mariadb
systemctl enable mariadb
systemctl status -l mariadb

[Do the nginx installation]


[If the downloads are taking far too long, you should delete the instance and start a new one, as something is going wrong on that slice of the server]

[Install and configure the files you can, e.g. phpMyAdmin, php.ini, nginx, nginx memcached, memcached, opcache, php8.3-fpm and so forth as described in my articles, and make a snapshot before doing detailed work.]

[This install will create nginx 1.26 rather than 1.27 but that is fine. We do not want older versions. Remember to add memcached to php.ini and www.conf.]

[When done, and you have a https:// webpage using index.html, check phpinfo.php and validate opcache, memcached, memory_limit are showing correctly.]

*** FIX FOR phpMyAdmin ***
Ref: https://linuxcapable.com/how-to-install-phpmyadmin-with-nginx-on-debian-linux/#:~:text=Learn%20to%20install%20phpMyAdmin%20on%20Debian%2012,%2011,%20or%2010


cd /var/www/html
ln -s /usr/share/phpMyAdmin phpMyAdmin
cd /etc/nginx
vi phpMyAdmin.conf

server {

  # Must match the symlink created above: /var/www/html/phpMyAdmin
  root /var/www/html/phpMyAdmin/;
  index index.php index.html index.htm index.nginx-debian.html;

  access_log /var/log/nginx/phpmyadmin_access.log;
  error_log /var/log/nginx/phpmyadmin_error.log;

  # Block direct web access to the doc, sql and setup directories
  location ~ ^/(doc|sql|setup)/ {
    deny all;
  }

  location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    # SECURITY: return 404 unless the requested .php file exists, so only real scripts reach PHP-FPM
    try_files $uri =404;
    # ENABLE: pass PHP requests to the php8.3-fpm socket
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    include fastcgi_params;
  }

}

[save and exit]


Remember to add “include /etc/nginx/phpMyAdmin.conf;” inside the http block of the nginx.conf file.

Note: I am not sure if we need it or if it works, but I had some issues in nginx with WordPress freezing on editing.

I added these lines after the gzip on; line:

proxy_buffer_size 16K;
proxy_buffers 4 16K;
proxy_max_temp_file_size 0;

systemctl status -l mariadb shows a warning:

You need to use --log-bin to make --expire-logs-days or --binlog-expire-logs-seconds work.

Edit: (comment out the line as shown)
vi /etc/mysql/mariadb.conf.d/50-server.cnf
# expire_logs_days = 10
[save and exit]

The line "[Note] Plugin ‘FEEDBACK’ is disabled." just means you are not enabling feedback to go to the developers.
Other [Note]s are ok.

I also got a strange error on the status of mariadb:
Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables

I went to /var/lib/mysql
cp -p aria_log_control aria_log_control.bak
:>aria_log_control
systemctl restart mariadb
IT WON’T START
cp -p aria_log_control.bak aria_log_control
systemctl restart mariadb
systemctl status -l mariadb
ALL IS OK:
InnoDB: Buffer pool(s) load completed at 241102 12:15:06

Debian 11 and Nginx – Part 5

Install and Configure with “apt” packages

apt packages

Please log in as root in a terminal shell.

Install the packages below. If a package is already installed or not really needed, that is ok. Sometimes Debian will advise of an autoremove which is fine.

If an installation fails due to an existing package installed, manually install those you missed as per any messages.

At the end of the installation we will remove apache packages.

We will aim for php8.2. If you go to 8.3 it should be okay, but our examples are 8.2. It is possible to go back from 8.3 to 8.2 if you refer to various internet articles.

We are going to install for nginx. If you make a “mess”, stop the EC2 instance, disassociate the IPv4 address, create a new instance and assign the IPv4 address to it. It is always prudent to check the EC2 volumes panel to verify that the volume from a deleted instance was also deleted, so you are not paying more money.

cd /home/admin

apt update
apt upgrade

apt install software-properties-common ca-certificates lsb-release

sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

apt install gnupg

[You will receive a deprecation message from the next command:]

wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -   
apt update
apt upgrade
apt install php8.2
php -v

apt install php8.2-cli php8.2-mbstring php8.2-xml php8.2-common php8.2-curl php8.2-imap php8.2-bz2

apt install mariadb-server

apt install php8.2-mysqli php8.2-fpm gcc libjpeg* zip php8.2-zip

[Can be useful for PDF documents:]
apt install php8.2-gd

[For certbot/lets encrypt:]
[If having installation issues, you should probably "sync;sync;reboot" your instance]

apt install python3-venv
apt install php8.2-xmlrpc php8.2-soap php8.2-intl
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
apt install certbot

apt install libgd-tools ipset

apt update
apt upgrade

apt remove *apache*

We should configure mariadb at this point. If mariadb is running, the following will execute. Otherwise, use the command “systemctl start mariadb”.

mysql_secure_installation

"Enter current password for root" (enter for none): 
OK, successfully used password, moving on...
"Switch to unix_socket authentication [Y/n]"  n
"Change the root password?" [Y/n] Y
(nominate your database password)
[Y for the remaining questions]

[Note that we now start and enable our mariadb and php8.2-fpm services. Enabling means they start at a reboot.]

systemctl stop mariadb
systemctl start mariadb
systemctl enable mariadb
systemctl enable php8.2-fpm

We install Nginx using the current version, rather than installing the package up front with apt install.

We are using the standard open-source Nginx software, not the paid-for software.

There is a verification step to ensure you did not download a spoofed package from somewhere else. Check that the key fingerprint in the output is the same as the one shown below.

Refer to https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/

cd /home/admin

apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

[This is the verification output:]

pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>
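
The fingerprint comparison described above can be scripted instead of read by eye. This is an added example, not part of the original article or of the nginx documentation: the function names and the sample listing are constructed for illustration, and it assumes gpg's machine-readable --with-colons output.

```shell
#!/bin/sh
# Added example (not from the article): compare keyring fingerprints to a pinned value.
# Pinned fingerprint: the one shown in the verification output on this page.
EXPECTED_FPR="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Print the fingerprint of each primary key in `gpg --with-colons` output (stdin).
# The "fpr" record after a "pub" record holds the fingerprint in field 10;
# fingerprints that follow "sub" (subkey) records are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print toupper($10); primary = 0 }
    '
}

# check_keyring EXPECTED  (colon listing on stdin)
# Returns 0 if EXPECTED is the only primary key, 1 if it is absent,
# 2 if it is present together with other keys that need review.
check_keyring() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=0
    extras=0
    for fpr in $(primary_fingerprints); do
        if [ "$fpr" = "$expected" ]; then
            found=1
        else
            extras=$((extras + 1))
            echo "unexpected key in keyring: $fpr" >&2
        fi
    done
    [ "$found" -eq 1 ] || return 1
    [ "$extras" -eq 0 ] || return 2
    return 0
}

# Constructed sample listing in --with-colons layout (hypothetical, for the demo run).
SAMPLE_OK='pub:-:2048:1:ABF5BD827BD9BF62:1313747554:::-:::scSC:
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::1313747554::0000::nginx signing key <signing-key@nginx.com>:'

if printf '%s\n' "$SAMPLE_OK" | check_keyring "$EXPECTED_FPR"; then
    echo "keyring matches the pinned fingerprint"
fi

# On the server, feed it the real keyring instead of the sample:
#   gpg --show-keys --with-colons /usr/share/keyrings/nginx-archive-keyring.gpg \
#       | check_keyring "$EXPECTED_FPR" || echo "fingerprint check failed"
```

A non-zero result means the nginx.list entry should not be added until every key in the keyring has been checked against the fingerprints published on nginx.org.
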

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

sudo apt update
sudo apt install nginx

cd /etc/nginx
ls

systemctl enable nginx

Just test that the default nginx server works with “systemctl start nginx”. If not, disable nginx with “systemctl disable nginx” for the following reboot.

I recommend rebooting the instance, as sometimes there are issues during installations.

sync
sync
reboot

You can shortly log back in as root. We should enable nginx with “systemctl enable nginx”.

Your system will have www-data as file owner and group in some places, so we will fix this shortly by using chown nginx, and chgrp nginx where needed.

We will next do some php configurations, install phpMyAdmin, and finally come back to install memcached.

We will then configure nginx for your domain name, and show how to add multiple domains in separate .conf files.

I will also provide additional .conf files I have collated from various references for added security to WordPress and the database files.

See my shell scripting articles/lessons elsewhere to block a few countries you may wish to, for any version of Linux, using iptables and DROP commands on known lists of IP addresses.