LAMP Stack Server Build Quick Guide
Install Linux Debian 9 (Stretch), Apache2, MySQL 8, PHP 7 on a vanilla (empty) server, a step by step tutorial with screenshots and detailed explanations.
Do you want to stop being a Google slave or an AWS monster feeder? In this guide I’m covering a full stack Linux server installation, which includes installation of: Apache2, MySQL database, PHP7, phpMyAdmin, SMTP mail server (exim4), FTP server and PHP mail. The guide does not cover website configuration; that is covered elsewhere in my blog. And… it does not use the vi or vim editor even once. So I hope you will enjoy it.
Note: the IP numbers, usernames, passwords and database names in this tutorial are fake, so some errors may have occurred when I created the screenshots. If you find any errors, please let me know.
Web server setup from blank
The following step by step tutorial will take you through setting up a hosting server and installation of the websites, from scratch.
Install a linux Debian operating system
Debian is the most stable and widespread Linux operating system. You can download a Debian disk image from the internet (make sure it is a reliable source like https://www.debian.org/CD/http-ftp/) and install it on any server. Most hosting companies of dedicated or cloud servers will install the operating system for you and connect the server to the internet so you can manage it with SSH. Don’t worry which version is installed: as long as you have a basic Debian working, we will do the rest through this guide.
Get the server’s public IP numbers
If the server has more than one IP#, make sure you know which one is the main one and which one is added to it. You would need that later on.
Confirm the correctness of apt-get repositories
apt-get is an application that downloads installation packages from the internet and installs them on the server. The file /etc/apt/sources.list defines which internet repositories the installation packages are downloaded from. Make sure that it includes the following entries, which match the recent stable Debian version.
To find your current installed debian version write the command:
The format of the /etc/apt/sources.list is given at https://wiki.debian.org/SourcesList :
deb http://site.example.com/debian distribution component1 component2 component3
deb-src http://site.example.com/debian distribution component1 component2 component3
Open the /etc/apt/sources.list file to update it:
For the recent debian 9 “stretch” version, you should enter the following sources:
deb http://deb.debian.org/debian stretch main contrib non-free
deb-src http://deb.debian.org/debian stretch main contrib non-free
deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
deb-src http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
deb http://deb.debian.org/debian stretch-updates main contrib non-free
deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
In real life the file looks like the following. Note that (1) you need to comment out all old sources: for example, the CD-ROM sources that were used to install the base operating system are commented out; they are left over from the initial installation, (2) if you are upgrading the operating system from a previous version, say from “jessie” to “stretch”, you should comment out all the “jessie” repositories, (3) you should check carefully before you enter any other repository here, as it must be an official Debian source, otherwise you may get hacked!
Exit the editor and save the file with the new sources list.
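The three rules above can be checked mechanically before running apt-get update. The following script is an added example, not part of the original guide; it assumes the target release is “stretch” and treats only deb.debian.org, ftp.debian.org and security.debian.org as official hosts, and its sample file is constructed.

```shell
#!/bin/sh
# Added example: flag active entries in an APT sources list that are CD-ROM
# leftovers, belong to another release, or point at a non-Debian host.
# Assumptions: release "stretch"; official hosts are deb.debian.org,
# ftp.debian.org and security.debian.org.

audit_sources() {   # usage: audit_sources FILE [RELEASE]
    awk -v rel="${2:-stretch}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # commented-out and blank lines are inactive
        $1 != "deb" && $1 != "deb-src" { print "line " NR ": UNKNOWN-TYPE " $1; next }
        {
            i = 2                            # skip an optional [ option=value ] block
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            if (uri ~ /^cdrom:/) { print "line " NR ": CDROM-SOURCE"; next }
            host = uri
            sub("^[a-z+]+://", "", host)     # drop the scheme
            sub("[/:].*$", "", host)         # drop port and path
            if (host !~ /^(deb|ftp|security)\.debian\.org$/)
                print "line " NR ": UNOFFICIAL-HOST " host
            if (suite != rel && index(suite, rel "-") != 1 && index(suite, rel "/") != 1)
                print "line " NR ": OTHER-RELEASE " suite
        }' "$1"
}

sample_sources() {  # constructed sample, not a real server file
    cat <<'EOF'
# deb cdrom:[Debian GNU/Linux 9 _Stretch_ - sample]/ stretch main
deb cdrom:[Debian GNU/Linux 9 _Stretch_ - sample]/ stretch main
deb http://deb.debian.org/debian stretch main contrib non-free
deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
deb http://deb.debian.org/debian jessie main
deb http://packages.example.net/debian stretch main
EOF
}

tmp=$(mktemp)
sample_sources > "$tmp"
audit_sources "$tmp"      # on a server: audit_sources /etc/apt/sources.list
rm -f "$tmp"
```

An empty result means every active line is an official stretch source.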
Update server repositories
This will download the recent repositories:
Upgrade the system
This will upgrade the system with the latest releases:
Click “Y” when prompted with the upgrade question, and wait for the system to perform all updates:
Confirm the system update
To confirm the system update, run apt-get update once again and then apt-get upgrade
You can also cat /etc/debian_version to make sure you are on the new version.
Restart the server
Restart the server (this action is not compulsory but it is not a bad idea) and login to it after the restart is finished:
shutdown -r now
Install sudo application
sudo = “Super User DO” will allow you to manage the server in a secured way, i.e. without using the root account.
apt-get install sudo
This will install sudo on your machine. Response screen should be similar to:
Setup an admin account
Follow this procedure to create the accounts of all administrators. This is done by the following command:
And enter the password and other details as requested:
Add “youradminuser” to sudo group:
adduser youradminuser sudo
And to allow you to write files into the websites folder later on (this will be explained in the next chapters):
adduser youradminuser www-data
Now logout and login to the “youradminuser” account.
Best practice is to continue the installation with sudo and not as root, since it will prevent you from making mistakes (like deleting all system files by mistake).
Configure network IP numbers
In this section, you are trying to configure the server IPs to communicate with the outer world. You may need to contact the ISP / server hosting company for some details. The Debian network communication documentation is given at:
There are several situations here, we will describe two of the most common scenarios. To browse the /etc/network/interfaces file type:
sudo cat /etc/network/interfaces
Option number 1: the server host is running DHCP
In that case, the server asks for the IP allocated by the ISP and configures it automatically. The /etc/network/interfaces configuration file should be similar to this:
(on that server, the hotplug name is ens3)
Option number 2: manually configure static IPs
Edit the /etc/network/interfaces file so it will reflect the added IP (refer to the appendixes if you require more help):
sudo nano /etc/network/interfaces
For this server, the allocated IPs are 22.214.171.124 and 126.96.36.199 and the hotplug name is eth1. The first lines, those of the first IP, were entered by the service provider when they installed the operating system. The last section (with the four lines) was entered in order to add IP# 188.8.131.52 to the server.
For a server with one IP address it may look like this:
Now exit the editor and run the ifup eth0:0 command:
sudo ifup eth0:0
And restart the networking with:
sudo /etc/init.d/networking restart
Installation of PROFTPD
ProFTPd is an open source software which runs a FTP server on the server. It will allow you to connect to the server with any FTP client software (FileZilla is recommended) in order to transfer files from your computer to the server. FTP stands for File Transfer Protocol. ProFTPd is a system server meaning that users that have system accounts (like the one you set previously) will be able to connect to the server. You need to consider then (1) Security (2) File and Directory permissions (see below).
It is important to install the FTP server at this stage in case you wanted to FTP in the websites’ files. Another option is to wget the websites’ files which means that PROFTPD won’t be necessary yet. Still, this installation is fairly fast and easy, so it is a good idea to do it at this stage.
To install it type:
sudo apt-get install proftpd
It will ask you if you want to install it with inetd or standalone. inetd is for occasional use (it will be loaded on demand). You need to select standalone and click the OK button.
After the installation is complete, it is important to re-configure it:
sudo nano /etc/proftpd/proftpd.conf
We will do three things: change the server’s prompt line, jail users to their home directory, and change the server name from “debian” (this is giving information which system we use) to “my-server”. Add the following lines to the config file:
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
ServerName "My-Server"
You could jail users to other directories than their home directories. eran, for example, should be jailed to /srv/www – it has nothing to do outside this directory, on the other hand – this user requires access to all the web server’s data:
Note that if you jail all users, a specific user jail must be set before the DefaultRoot ~ command otherwise it gets ignored.
You may want to limit the FTP access to specific IPs. Type “What is my IP” in Google.com to find your IP address, and add the following lines, considering all the IP addresses you work from, in the end of the configuration file /etc/proftpd/proftpd.conf:
<limit LOGIN>
DenyAll
Allow from 184.108.40.206
</limit>
In this example, my IP# is 220.127.116.11
Save the configuration file and exit. You now need to restart the FTP server:
sudo /etc/init.d/proftpd restart
FTP only shell
We now create an “ftp only” shell. This will be used in the future for users who should not be able to log in to the system, but who may need to FTP files (like outsourced developers). Write the following command, which will create the new file:
sudo nano /bin/ftpaccess
And add the following lines in it:
#!/bin/sh
# shown to anyone who tries to open a shell session with this account
echo "This account is for ftp access only. All activity is logged and monitored. Thanks"
exit 0
It should look like this:
Save the file and give it Read and Execute permissions to all:
sudo chmod go+rx /bin/ftpaccess
Now add the “ftpaccess” to the list of system shells in /etc/shells : edit the file
sudo nano /etc/shells
And add /bin/ftpaccess to it:
Now every user that has a “ftpaccess” shell, will not be able to login to the server with ssh – only with ftp. Users’ shells are defined in the /etc/passwd file. If you edit it, you could disable an ability of a user to login to the server. The following is an example:
Note that if you add user to group / make changes, changes will take effect only after login again.
Remove shell access from all users
Now remove shell access from all users except the ones that are trusted.
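To see which accounts still need to be changed, the passwd file can be scanned for login shells. The script below is an added example, not part of the original guide; it assumes that shells ending in nologin, false, sync or ftpaccess cannot be used to work on the server, and the sample file (including the account “olddev”) is constructed.

```shell
#!/bin/sh
# Added example: list accounts that can still get an interactive shell and
# are not on the trusted list, so they can be switched to /bin/ftpaccess.
# Assumption: nologin, false, sync and ftpaccess are the non-login shells.

untrusted_logins() {   # usage: untrusted_logins PASSWD_FILE TRUSTED_USER...
    passwd_file=$1; shift
    awk -F: -v trusted=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 7 { print "MALFORMED line " NR; next }
        {
            shell = ($7 == "") ? "/bin/sh" : $7     # empty field means /bin/sh
            if (shell ~ "/(nologin|false|sync|ftpaccess)$") next
            if (index(trusted, " " $1 " ")) next    # explicitly trusted account
            print $1 " " shell
        }' "$passwd_file"
}

sample_passwd() {      # constructed sample; olddev is a hypothetical account
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:108:113:MySQL Server,,,:/nonexistent:/bin/false
youradminuser:x:1000:1000:,,,:/home/youradminuser:/bin/bash
eran:x:1001:1001:,,,:/srv/www:/bin/ftpaccess
olddev:x:1002:1002:,,,:/home/olddev:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
# on a server: untrusted_logins /etc/passwd root youradminuser
untrusted_logins "$tmp" root youradminuser
rm -f "$tmp"
```

Each account it prints can then be given the FTP-only shell with sudo usermod -s /bin/ftpaccess followed by the user name.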
MySQL Database server installation
The following command will install MySQL server application:
sudo apt-get install mysql-server mysql-client
Make the following selections:
During the installation you would be asked to choose a mysql root username and password. If not, you can set it manually:
In case the current password is empty:
sudo mysqladmin -u root password 'newpass'
In case the current password is not empty i.e. already set, use:
mysqladmin -u root -p'oldpass' password 'newpass'
Note that when you enter a MYSQL password in command line, there isn’t any space between the -p flag and the password itself.
Install apache2 web server with the following command:
sudo apt-get install apache2
Choose Y to complete the installation.
Once the installation is complete, your server is exposed live to the internet. You should try it by writing the IP number in the browser address line; the page you should get is the default Apache web server page:
To make sure that this is your server, update the /var/www/html/index.html file:
sudo nano /var/www/html/index.html
Add for example the IP number to the “it works!” line:
Now save the file and refresh the browser screen:
Enable basic modules
Enable SSL and REWRITE and some other useful modules with the following commands:
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod expires
sudo a2enmod deflate
Changes will take effect after the next restart (coming below).
Install Lets Encrypt agent
Let's Encrypt is a free public domain SSL certificate issuer. To install its SSL agent, add the following repository:
deb http://ftp.debian.org/debian stretch-backports main
sudo nano /etc/apt/sources.list
And now install certbot by running the following command:
sudo apt-get update
sudo apt-get install python-certbot-apache -t stretch-backports
Run the following command:
sudo apt-get install php7.0
You should be prompted with the following. Click Y to approve the installation:
The apache server should be automatically restarted after this operation. But we need to make some changes to the php module, open the php module configuration file:
sudo nano /etc/apache2/mods-available/php7.0.conf
and add the following lines:
#allow php to run in .html, .htm files
<FilesMatch "\.(htm|html)$">
SetHandler application/x-httpd-php
</FilesMatch>
It would look like that:
Now restart Apache:
sudo /etc/init.d/apache2 restart
And now create a test file, /var/www/html/about.html, that contains:
<?php phpinfo(); ?>
sudo nano /var/www/html/about.html
Access the file through http://your_ip/about.html – and check if it is working properly
Additional crucial Installations
The following commands will install crucial libraries which are required to run LAMP (=Linux Apache Mysql PHP) server:
Installation of PHPMYADMIN
PHPMYADMIN is a useful (almost necessary) web application that lets you manage the MySQL server and MySQL databases. To install it:
sudo apt-get update
sudo apt-get install phpmyadmin
You will be prompted with the installation configuration screens:
- Select Apache2 for the server
- Choose YES when asked about whether to Configure the database for phpmyadmin with dbconfig-common
- Choose a MySQL password when prompted
- Enter the password that you want to use to log into phpmyadmin. Note that this is a different password from the MySQL root password. ALWAYS CHOOSE A LONG, COMPLICATED PASSWORD WITH ODD CHARACTERS. Note: the phpmyadmin default user is phpmyadmin. The credentials are saved during the installation in /etc/phpmyadmin/config-db.php
Now add the phpmyadmin configuration file to the apache2 configuration:
sudo nano /etc/apache2/apache2.conf
and add the following line: Include /etc/phpmyadmin/apache.conf :
It is also important to hide some of the server information – to prevent users from knowing which version of Linux, Apache and PHP we are running. Add the following two directives to Apache2.conf:
ServerTokens ProductOnly
ServerSignature Off
And restart the apache2 server:
sudo /etc/init.d/apache2 restart
Let's fix some php.ini configuration issues:
sudo nano /etc/php/7.0/apache2/php.ini
In the file /etc/php/7.0/apache2/php.ini, change the PHP directive expose_php from On to Off:
and set the PHP directive short_open_tag = On so that code using the shorthand <? opening tag for PHP code will be recognized:
and restart apache2:
sudo /etc/init.d/apache2 restart
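After the restart you can check that ServerTokens ProductOnly and expose_php = Off actually took effect by looking at the response headers. The filter below is an added example, not part of the original guide; the two header samples and the version numbers in them are constructed.

```shell
#!/bin/sh
# Added example: read HTTP response headers on stdin and print the ones that
# still disclose software versions.
# With "ServerTokens ProductOnly" the Server header is exactly "Apache";
# with "expose_php = Off" PHP sends no X-Powered-By header at all.
# (ServerSignature only affects server-generated pages such as error pages,
# so it is not visible in the headers.)

leaky_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0);  sub(":.*$", "", name)
            value = $0;          sub("^[^:]*:[ \t]*", "", value)
            sub("[ \t]+$", "", value)
        }
        name == "server" && value != "Apache" { print "LEAK " $0 }
        name == "x-powered-by"                { print "LEAK " $0 }'
}

headers_before() {   # constructed sample: default configuration
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\n'
    printf 'X-Powered-By: PHP/7.0.33\r\nContent-Type: text/html\r\n\r\n'
}

headers_after() {    # constructed sample: after the changes above
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

echo "before:"; headers_before | leaky_headers
echo "after:";  headers_after  | leaky_headers
# on a live server: curl -sI http://YOUR_IP/about.html | leaky_headers
```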
The new version of phpmyadmin does not allow you to connect to phpmyadmin with a root account. To fix this:
sudo dpkg-reconfigure phpmyadmin
Replace “phpmyadmin@localhost” with “root” as in the screenshot above
Type in the MYSQL root password
Retype the password for confirmation.
Choose root again.
Select “apache2” (with space) and click enter.
After the error message, click ok:
Choose ignore and click enter. The operation will complete and you will get the shell environment back. You could now login to root account on http://YOUR_IP/phpmyadmin/
Installation of PHP-MAIL
The following installation and configuration will allow the web server to send emails via PHP. This is used in many of our sites for reporting, automatic emails etc.
The following will install the core package:
sudo apt-get install php-mail
Then we install a mailer server application. The easiest to configure is EXIM4:
sudo apt-get install exim4
Now we will configure exim4 by running:
sudo dpkg-reconfigure exim4-config
In brief, choose the first option in the first screen, then choose “Debian” then type 127.0.0.1:1
In detail, the process looks like this:
In the first screen, choose “internet site”:
Next, choose the default domain name that should be used:
Enter 127.0.0.1 in the following screen:
Make sure you list your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for:
Leave the relay domains and relay machines fields blank:
Select “No” when asked whether to keep DNS queries to a minimum:
You may select either “mbox” or “Maildir” when asked about the delivery method used for incoming mail. While many utilities use mbox format, Maildir format can make handling individual locally delivered mail messages easier, and is widely supported by a range of applications:
Accept the default “non-split” option for your mail configuration file:
In case you still have issues, you could edit the configuration file to match with the following:
sudo nano /etc/exim4/update-exim4.conf.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='mailhost'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
Now, search for the “sendmail” line in /etc/php/7.0/apache2/php.ini file and update it to the following, if it does not exist then just add it:
sudo nano /etc/php/7.0/apache2/php.ini
sendmail_path = /usr/sbin/sendmail -t -i
you could confirm that by:
Now restart the apache2 server:
sudo /etc/init.d/apache2 restart
If you make any changes to the exim4 configuration file, you need to restart exim4:
sudo /etc/init.d/exim4 restart
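The settings that keep this mail server private are dc_local_interfaces='127.0.0.1' and the empty relay fields: exim4 then only accepts mail handed to it on the server itself. The check below is an added example, not part of the original guide; it reads the file without executing it, and the second sample configuration is constructed to show what a misconfiguration looks like.

```shell
#!/bin/sh
# Added example: report settings in update-exim4.conf.conf that would make
# exim4 reachable from the network or willing to relay for others.

# conf_value KEY FILE: print the value of KEY='value' (the file is only read)
conf_value() { sed -n "s/^$1='\\(.*\\)'[[:space:]]*\$/\\1/p" "$2" | tail -n 1; }

exim_exposure() {   # usage: exim_exposure FILE ; prints one finding per line
    ifaces=$(conf_value dc_local_interfaces "$1")
    if [ -z "$ifaces" ]; then   # an empty list means exim listens on every interface
        echo "LISTEN all interfaces (dc_local_interfaces is empty)"
    fi
    for addr in $(printf '%s' "$ifaces" | tr ';' ' '); do
        case $addr in
            127.*|::1) ;;       # loopback only: fine
            *) echo "LISTEN $addr is not a loopback address" ;;
        esac
    done
    for key in dc_relay_domains dc_relay_nets; do
        val=$(conf_value "$key" "$1")
        if [ -n "$val" ]; then echo "RELAY $key='$val'"; fi
    done
    return 0
}

guide_conf() {      # the relevant values from the configuration shown above
    printf "%s\n" "dc_eximconfig_configtype='internet'" \
        "dc_local_interfaces='127.0.0.1'" "dc_relay_domains=''" "dc_relay_nets=''"
}

open_conf() {       # constructed counter-example
    printf "%s\n" "dc_eximconfig_configtype='internet'" \
        "dc_local_interfaces=''" "dc_relay_domains=''" "dc_relay_nets='0.0.0.0/0'"
}

tmp=$(mktemp)
guide_conf > "$tmp"; echo "guide settings:";  exim_exposure "$tmp"
open_conf  > "$tmp"; echo "open settings:";   exim_exposure "$tmp"
rm -f "$tmp"
# on a server: exim_exposure /etc/exim4/update-exim4.conf.conf
```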
php mail should be working now. You can test it by sending an email from one of our websites to yourself (in sites like ZapRobot / s4sfree where the site users could send us emails using the site)
Congratulations! Your LAMP server is installed!
Now that the server is up and running, it is time to: (1) start the files transfer / FTP – if you haven’t done so yet, and – (2) create and update all databases – otherwise the applications won’t work, (3) transfer / set the domain names records to point to the server, and as a final stage (4) issue all the SSL certificates and setup the HTTPS sites. Note that the SSL certificates are done as a last stage since when you issue a certificate, the authority will check that your DNS record is pointing to the right server – otherwise the SSL certificate won’t be created.
For more details about how to configure your websites, see my guide “configuration of websites on LAMP”