openec2 Article Description
Debian 11 and Nginx – Part 5
Install and Configure with “apt” packages
apt packages
Please log in as root in a terminal shell. Install the packages below. If a package is already installed or not really needed, that is ok. Sometimes Debian will advise of an autoremove which is fine.
If an installation fails due to an existing package installed, manually install those you missed as per any messages.
At the end of the installation we will remove apache packages.
We will aim for php8.2. If you go to 8.3 it should be okay, but our examples are 8.2. It is possible to go back from 8.3 to 8.2 if you refer to various internet articles.
We are going to install for nginx. If you make a “mess”, stop the EC2 instance, disassociate the IPv4 address, create a new instance and assign the IPv4 address to it. It is always prudent to check the EC2 volumes panel, to verify a volume from a deleted instance was deleted so you are not paying more money.
cd /home/admin
apt update
apt upgrade
apt install software-properties-common ca-certificates lsb-release
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
apt install gnupg
[You will receive a deprecated message from the next command:]
wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
apt update
apt upgrade
apt install php8.2
php -v
apt install php8.2-cli php8.2-mbstring php8.2-xml php8.2-common php8.2-curl php8.2-imap php8.2-bz2
apt install mariadb-server
apt install php8.2-mysqli php8.2-fpm gcc 'libjpeg*' zip php8.2-zip
[Can be useful for PDF documents:]
apt install php8.2-gd
[For certbot/lets encrypt:]
[If having installation issues, you should probably "sync;sync;reboot" your instance]
apt install python3-venv
apt install php8.2-xmlrpc php8.2-soap php8.2-intl
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
apt install certbot
apt install libgd-tools ipset
apt update
apt upgrade
apt remove '*apache*'
We should configure mariadb at this point. If mariadb is running, the following will execute. Otherwise, start it first with the command “systemctl start mariadb”.
mysql_secure_installation
"Enter current password for root" (enter for none):
OK, successfully used password, moving on...
"Switch to unix_socket authentication [Y/n]" n
"Change the root password?" [Y/n] Y
(nominate your database password)
[Y for the remaining questions]
[Note that we now start and enable our mariadb and php8.2-fpm services. Enabling means they start at a reboot.]
systemctl stop mariadb
systemctl start mariadb
systemctl enable mariadb
systemctl enable php8.2-fpm
We install the current version of Nginx from the nginx.org repository, rather than installing the package up front with apt install.
We are using the standard Nginx software, not the paid-for software.
There is a verification step to ensure you do not end up with a spoofed package from somewhere else. Check that the key fingerprint printed by gpg is the same as shown below.
Refer to https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/
cd /home/admin
apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
[This is the verification output:]
pub   rsa2048 2011-08-19 [SC] [expires: 2024-06-14]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/debian `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
sudo apt update
sudo apt install nginx
cd /etc/nginx
ls
systemctl enable nginx
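The fingerprint comparison in the verification step can be scripted so that it fails closed instead of relying on a visual check. This is an added example, not part of the original article or the nginx documentation; the function names and the script name check-keyring.sh are hypothetical, and the sample listing is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the article): allowlist check for an apt keyring.
# The fingerprint below is the one shown in the article's verification output.
EXPECTED_FPRS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the "fpr" record (field 10) that directly follows a "pub" record.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        $1 == "sub"         { want = 0 }
    '
}

# Return 0 only if the listing on stdin holds at least one key and every
# primary key is on the allowlist ($1, space separated). 1 = unexpected key,
# 2 = no key found. apt trusts every key in a signed-by keyring, so one
# unknown key is a failure even when the expected key is also present.
check_fingerprints() {
    allowed=" $1 "
    found=$(primary_fingerprints)
    [ -n "$found" ] || { echo "no keys in listing" >&2; return 2; }
    for fpr in $found; do
        case "$allowed" in
            *" $fpr "*) ;;
            *) echo "unexpected key: $fpr" >&2; return 1 ;;
        esac
    done
    return 0
}

# Same gpg options as the article, plus --with-colons for stable parsing.
verify_keyring() {
    gpg --dry-run --quiet --no-keyring --import --import-options import-show \
        --with-colons "$1" | check_fingerprints "$EXPECTED_FPRS"
}

# Constructed colon-format listing for offline testing ($1 = fingerprint).
sample_listing() {
    printf 'pub:-:2048:1:0000000000000000:1313747554:::-:::scSC:\n'
    printf 'fpr:::::::::%s:\n' "$1"
    printf 'uid:-::::1313747554::::constructed sample key:\n'
}

# Usage: sh check-keyring.sh /usr/share/keyrings/nginx-archive-keyring.gpg
[ $# -eq 0 ] || { verify_keyring "$1" && echo "keyring OK"; exit; }
```

Run it after writing the keyring and before adding the nginx.list source, and stop if it exits non-zero.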
Just test that the default nginx server works with “systemctl start nginx”. If not, disable nginx with “systemctl disable nginx” for the following reboot.
I recommend rebooting the instance, as sometimes there are issues during installations.
sync
sync
reboot
You can shortly log back in as root. We should enable nginx with “systemctl enable nginx”.
Your system will have www-data as file owner and group in some places, so we will fix this shortly by using chown nginx, and chgrp nginx where needed.
We will next do some php configurations, install phpMyAdmin, and finally come back to install memcached.
We will then configure nginx for your domain name, and show how to add multiple domains in separate .conf files.
I will also provide additional .conf files I have collated from various references for added security to WordPress and the database files.
See my shell scripting articles/lessons elsewhere to block a few countries you may wish to, for any version of Linux, using iptables and DROP commands on known lists of IP addresses.