LAMP Stack Server Build Quick Guide

Install Linux Debian 9 (Stretch), Apache2, MySQL 8, PHP 7 on a vanilla (empty) server, a step by step tutorial with screenshots and detailed explanations.

Do you want stop being a Google slave or an AWS monster feeder? In this guide I’m covering a full stack linux server installation, which includes installation of: Apache2, MySQL database, PHP7, Phpmyadmin, smtp mail server (exim4), ftp server and php mail. The guide is not covering website configuration, this is covered elsewhere in my blog.  And… it has no single use of vi or vim editor. So I hope you will enjoy it. [Download the LAMP_server_build_quickguide in PDF form]

note: the IP numbers, username, passwords and database names in this tutorial are fake, so some errors may have been occurred when I created the screenshots. If you find any errors – please let me know.

Web server setup from blank

The following step by step tutorial will take you through setting up a hosting server and installation of the websites, from scratch.

Install a linux Debian operating system

Debian is the most stable and side spread linux operating system. You can download a debian image disk from the internet (make sure it is a reliable source like https://www.debian.org/CD/http-ftp/) and install it on any server. Most hosting companies of dedicated or cloud servers would install the operating system for you and will connect the server to the internet so you could manage it with SSH. Don’t worry which version is installed – as long as you got the basic Debian working, we will do the rest through this guide.

Get the server’s public IP numbers

If the server has more than one IP#, make sure you know which one is the main one and which one is added to it. You would need that later on.

Confirm the correctness of apt-get repositories

apt-get is an application that downloads installation packages from the internet and installing it on the server. The file /etc/apt/sources.list  is defining from which internet repositories to download the installation packs. Make sure that it includes the following entries which match with the recent stable debian version.

To find your current installed debian version write the command:

cat /etc/debian_version

The format of the /etc/apt/sources.list is given at https://wiki.debian.org/SourcesList :

deb http://site.example.com/debian distribution component1 component2 component3
deb-src http://site.example.com/debian distribution component1 component2 component3

Open the /etc/apt/sources.list file to update it:

nano /etc/apt/sources.list

For the recent debian 9 “stretch” version, you should enter the following sources:

The real life looks like the following, note that – (1) you need to comment all old sources, like –  the CD ROM sources been used to install the base operating system are commented, they are there from the initial installation, (2) if you are upgrading the operating system from previous versions, say from “jessie” to “stretch” – you should comment all the “jessie” repositories. (3) you should check carefully before you enter any other repositories to here as it must be official debian source, otherwise you may get hacked!

Exit the editor and save the file with the new resources list.

Update server repositories

This will download the recent repositories:

apt-get  update

Upgrade the system

This will upgrade the system with the latest releases:

apt-get  upgrade

Click “Y” when prompted with the upgrade question, and wait for the system to perform all updates:

Confirm the system update

To confirm the system update, rudefan apt-get update once again and then apt-get upgrade

You can also cat /etc/debian_version to make sure you are on the new version.

Restart the server

Restart the server (this action is not compulsory but it is not a bad idea) and login to it after the restart is finished:

shutdown -r now

Install sudo application

sudo = “Super User DO” will allow you to manage the server in a secured way, i.e. without using the root account.

apt-get install sudo

This will install sudo on your machine. Response screen should be similar to:

Setup an admin account

Follow a procedure to install all accounts of administrators. This is done by the following command:

adduser  <username>

And enter the password and other details as requested:

Add “youradminuser” to sudo group:  

adduser youradminuser sudo

And to allow you later on write files into the websites folder (this will be explained in the next chapters):

adduser youradminuser www-data

Now logout and login to the “youradminuser” account.

Best practice is to continue the installation from SUDO and not as ROOT, since it will prevent you from doing mistakes (like deleting all system files by mistake)

logout

Configure network IP numbers

In this section, you are trying to configure the server IPs to communicate with the outer world. You may need to contact the ISP / server hosting company for some details. The Debian network communication documentation is given at:

There are several situations here, we will describe two of the most common scenarios. To browse the /etc/network/interfaces file type:

sudo  cat /etc/network/interfaces

Option number 1: the server host is running DHCP

In that case, the server would ask for the IP allocated by the ISP, so it configures it automatically. The /etc/network/interfaces configuration file should similar to this:

(on that server, the hotplug name is ens3)

Option number 2: manually configure static IPs

Edit the /etc/network/interfaces file so it will reflect the added IP (refer to the appendixes if you require more help):

sudo  nano /etc/network/interfaces

For this server, the allocated IPs are 71.19.241.189 and 71.19.242.34 and the hotplug name is eth1. The first lines – of the first IP – where entered by the service provider when they installed the operating system. The last section (with the four lines) was entered in order to add IP# 71.19.242.34 to the server.

For a server with one IP address it may look like this:

Now exit the editor and run the ifup eth0:0 command:

sudo  ifup eth0:0

And restart the networking with:

sudo  /etc/init.d/networking  restart

Installation of PROFTPD

ProFTPd is an open source software which runs a FTP server on the server. It will allow you to connect to the server with any FTP client software (FileZilla is recommended) in order to transfer files from your computer to the server. FTP stands for File Transfer Protocol. ProFTPd is a system server meaning that users that have system accounts (like the one you set previously) will be able to connect to the server. You need to consider then (1) Security  (2) File and Directory permissions (see below).

It is important to install the FTP server at this stage in case you wanted to FTP in the websites’ files. Another option is to wget the websites’ files which means that PROFTPD won’t be necessary yet. Still, this installation is fairly fast and easy, so it is a good idea to do it at this stage.

To install it type:

sudo  apt-get  install proftpd

It will ask you if you want to install it with inetd or standalone. inetd is for occasional use (it will be loaded on demand).You need to select standalone and click ok button.

After the installation is complete, it is important to re-configure it:

sudo  nano /etc/proftpd/proftpd.conf

We will do three things: change the server’s prompt line, jail users to their home directory, and change the server name from “debian” (this is giving information which system we use) to “my-server”. Add the following lines to the config file:

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
ServerName "My-Server"

You could jail users to other directories than their home directories. eran, for example, should be jailed to /srv/www – it has nothing to do outside this directory, on the other hand – this user requires access to all the web server’s data:

Note that if you jail all users, a specific user jail must be set before the DefaultRoot ~ command otherwise it gets ignored.

You may want to limit the FTP access to specific IPs. Type “What is my IP” in Google.com to find your IP address, and add the following lines, considering all the IP addresses you work from, in the end of the configuration file /etc/proftpd/proftpd.conf:

<limit LOGIN>
      DenyAll
      Allow from 120.0.30.45
</limit>

In this example, my IP# is 120.0.30.45

Save the configuration file and exit. You now need to restart the FTP server:

sudo  /etc/init.d/proftpd  restart

FTP only shell

We now create a “ftp only” shell. This will be used in the future for users which we do not want them to login to the system, but we may want them to FTP files (like – outsource developers). Write the following command which will create the new file:

sudo nano /bin/ftpaccess

And add the following lines in it:

echo "This account is for ftp access only. All activity is logged and monitored. Thanks"exit 0

It should look like this:

Save the file and give it Read and Execute permissions to all:

sudo  chmod go+rx  /bin/ftpaccess

Now add the “ftpaccess” to the list of system shells in /etc/shells : edit the file

sudo  nano /etc/shells

And add /bin/ftpaccess to it:

Now every user that has a “ftpaccess” shell, will not be able to login to the server with ssh – only with ftp. Users’ shells are defined in the /etc/passwd file. If you edit it, you could disable an ability of a user to login to the server. The following is an example:

Note that if you add user to group / make changes, changes will take effect only after login again.

Remove shell access from all users

Now remove all shell access from all users except the one which are trusted.

MySQL Database server installation

The following command will install MySQL server application:

sudo  apt-get  install mysql-server  mysql-client

Make the following selections:

During the installation you would be asked to choose a mysql root username and password.  If not, you can set it manually:

In case the current password is empty:

sudo mysqladmin  -u root password  'newpass'

In case the current password is not empty i.e. already set, use:

mysqladmin  -u root -p'oldpass'  password 'newpass'

Note that when you enter a MYSQL password in command line, there isn’t any space between the -p flag and the password itself.

Apache2 Installation

Install apache2 web server with the following command:

sudo apt-get install apache2

choose Y to complete the installation.

Once the installation is complete, your server is exposed live to the internet, you should try it by writing the IP number in the browser address line, the page you should get is the default apache webserver page:

To make sure that this is your server, update the /var/www/html/index.html file:

sudo nano /var/www/html/index.html  

Add for example the IP number to the “it works!” line:

Now save the file and refresh the browser screen:

Enable basic modules

Enable SSL and REWRITE and some other useful modules with the following commands:

sudo a2enmod ssl

sudo a2enmod rewrite

sudo a2enmod expires

sudo a2enmod deflate

Changes will take effect after the next restart (coming below).

Install Lets Encrypt agent

Lets encrypt is a free public domain SSL certificates issuer, to install the SSL agent it type. Add the following repository-

deb http://ftp.debian.org/debian stretch-backports main

to /etc/apt-get/sources.list:

sudo nano /etc/apt/sources.list

And now install certbot by running the following command:

sudo apt-get update

sudo apt-get install python-certbot-apache -t stretch-backports

PHP7 Installation

Run the following command:

sudo  apt-get  install php7.0

You should be prompted with the following. Click Y to approve the installation:

The apache server should be automatically restarted after this operation. But we need to make some changes to the php module, open the php module configuration file:

sudo nano /etc/apache2/mods-available/php7.0.conf

and add the following lines:

#allow php to run in .html, .htm files
<FilesMatch "\.(htm|html)$">
    SetHandler application/x-httpd-php
</FilesMatch>

It would look like that:

Now restart Apache::

sudo  /etc/init.d/apache2 restart

And now create a test.php file in /var/www/html/about.html that contains:
<?php phpinfo(); ?>

sudo  nano /var/www/html/about.html

Access the file through http://your_ip/about.html   – and check if it is working properly

Additional crucial Installations

The following commands will install crucial libraries which are required to run LAMP (=Linux Apache Mysql PHP) server:

sudo  apt-get install javascript-common

sudo apt-get install php7.0-curl

sudo apt-get install php7.0-mysql

Installation of PHPMYADMIN

PHPMYADMIN is a useful (almost necessary) web application that lets you manage the MySQL server and MySQL databases. To install it:

sudo  apt-get update

sudo  apt-get  install phpmyadmin

You will be prompted with the installation configuration screens:

• Select Apache2 for the server
• Choose YES when asked about whether to Configure the database for phpmyadmin with dbconfig-common
• Choose a MySQL password when prompted
• Enter the password that you want to use to log into phpmyadmin – note this is a different password to the MySQL root password. ALWAYS CHOOSE COMPLICATED LONG PASSWORD WITH ODD CHARACTERS.. note: the phpmyadmin default user is phpmyadmin. The credentials are saved during the installation in /etc/phpmyadmin/donfig-db.php

Now add the phpmyadmin configuration file to the apache2 configuration:

sudo nano /etc/apache2/apache2.conf

and add the following line: Include /etc/phpmyadmin/apache.conf :  

It is also important to hide some of the server information – to prevent users from knowing which version of Linux, Apache and PHP we are running. Add the following two directives to Apache2.conf:

ServerTokens ProductOnly

ServerSignature Off

And restart the apache2 server:

sudo  /etc/init.d/apache2  restart

Lets fix some php.ini configuration issues:

sudo  nano /etc/php/7.0/apache2/php.ini

And change the file /etc/php/7.0/apache2/php.ini so the PHP directive expose_php On will be Off:

and change the PHP directive short_open_tag = On so code using the shorthand <? opening for php code will be recognized:

and restart apache2:

sudo  /etc/init.d/apache2  restart

Reconfigure phpmyadmin

The new version of phpmyadmin does not allow to connect to phpmyadmin with a root account. To fix this:

sudo dpkg-reconfigure phpmyadmin

Choose OK.

Choose Yes

Choose TCP/IP

Choose localhost

Select 3306

Choose phpmyadmin,

Choose OK.

Replace the “phpmyadmin@localhost” with “root” as above screenshot

Type in the MYSQL root password

Retype the password for confirmation.

Choose root again.

Select “apache2” (with space) and click enter.

After the error message, click ok:

Choose ignore and click enter. The operation will complete and you will get the shell environment back. You could now login to root account on http://YOUR_IP/phpmyadmin/

Installation of PHP-MAIL

The following installation and configuration will allow the web server to send Emails via PHP, this is used in many of our sites for reporting, automatic emails etc.

The following will install the core package:

sudo  apt-get  install php-mail

Then we install a mailer server application. The easiest to configure is EXIM4:

sudo  apt-get  install exim4

Now we will configure exim4 by running:

sudo  dpkg-reconfigure  exim4-config

In brief, choose the first option in the first screen, then choose “Debian” then type 127.0.0.1:1

In details, the process looks like that:

In the first screen, choose “internet site”:

Next choose the default domain name should be used – 

Enter 127.0.0.1 in the following screen:

Make sure you list your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for:

Leave the relay domains and relay machines fields blank:

Select “No” when asked whether to keep DNS queries to a minimum:

You may select either “mbox” or “Maildir” when asked about the delivery method used for incoming mail. While many utilities use mbox format, Maildir format can make handling individual locally delivered mail messages easier, and is widely supporting by a range of applications:

Accept the default “non-split” option for your mail configuration file:

In case you still have issues, you could edit the configuration file to match with the following:

sudo  nano /etc/exim4/update-exim4.conf.conf

# /etc/exim4/update-exim4.conf.conf#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'#
# Please note that this is _not_ a dpkg-conffile and that automatic changes# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess# around with multiple versions of the file.#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.#
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='mailhost'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

Now, search for the “sendmail” line in /etc/php/7.0/apache2/php.ini file and update it to the following, if it does not exist then just add it:

sudo  nano /etc/php/7.0/apache2/php.ini

you could confirm that by:

Now restart the apache2 server:

sudo  /etc/init.d/apache2  restart

If you make any changes to the exim4 configuration file, you need to restart exim4:

sudo  /etc/init.d/exim4 restart

php mail should be working now. You can test it by sending an email from one of our websites to yourself (in sites like ZapRobot / s4sfree where the site users could send us emails using the site)

Congratulations! Your LAMP server is installed!     

Now that the server is up and running, it is time to: (1) start the files transfer / FTP – if you haven’t done so yet, and – (2) create and update all databases – otherwise the applications won’t work, (3) transfer / set the domain names records to point to the server, and as a final stage (4) issue all the SSL certificates and setup the HTTPS sites. Note that the SSL certificates are done as a last stage since when you issue a certificate, the authority will check that your DNS record is pointing to the right server – otherwise the SSL certificate won’t be created.

More details about how to configure your websites – find in my guide “configuration of websites on LAMP”