Quick LNMP Server Setup Guide

Learn more about the inner workings of this website’s server and how to setup an LNMP stack.

Preamble

This is not a verbose instruction set for beginners. I also did not write portions of the guide and may refer you to external websites. All resources are accurate and tested on a fresh Ubuntu 8.10 (Intrepid) Slice as of the time of this writing. Following these steps will result in a skeleton server similar to what I use. In fact, this was part of my internal documentation which I decided to make public.

I gloss over some topics such as configuration files and tuning because it is not my intention to write a comprehensive guide. This is simply a quick check sheet that I use when rolling out a new server, but it might be useful to you.

General procedure

  • Initial prep and setup
    • Update using Aptitude
    • Create a non-privileged user
    • SSH public key authentication
  • Core software
    • MySQL
    • PHP with APC
    • Nginx
    • Email Services
  • Security
    • Disable root login
    • Firewall
    • Automatic security checks
    • Fine tooth comb run through with penetration testing
    • Monitoring
  • Extra software
    • logrotate
    • htop
    • traceroute

Initial Prep and Configuration

Update and install build tools.

Create a non-privileged user

You should already know how to do this (hint: adduser jon).

SSH public key authentication

Let’s make logging into the server easier by setting up public key authentication. See How To: SSH Public Key Authentication.

Core Software

Install MySQL5 and PHP5 with APC.

Setup PHP and fastcgi spawning

Create the following script in /etc/default/php-fastcgi

Create the init script so that the PHP processes can be started and stopped (/etc/init.d/php-fastcgi) [source].

Now finish up

Download, compile, and install Nginx.

Create the Nginx init script (/etc/init.d/nginx)

Finish preparing the init script.

Configure Nginx and your home directory structures

Refer to the following documents on creating your Nginx configuration and home directory structures: Nginx Configuration Source Layout Sample Nginx Configuration Nginx Virtual Hosts – Part 1 Nginx Virtual Hosts – Part 2

In a nutshell: your config files should be in /usr/local/nginx/conf and your home directories could be laid out as follows.

There is no right or wrong way (although it’s debatable), so use what works for you.

Setup Email Services

I was previously using a Postfix + Courier setup on Ubuntu Hardy/Intrepid, however I am now using Postfix + Dovecot for better performance.

Follow my new guide on Setting Up Email Services on Ubuntu Intrepid using Exim and Dovecot. Or, you can follow my old guide on Setting Up Email Services on Ubuntu Hardy using Postfix and Courier, which also works on Ubuntu Intrepid.

Security

Disable root login

Add your non-privileged user to sudoers using visudo and then disable root login in /etc/ssh/sshd_config. For added security, change your SSH port to something unusual. Finally, make sure that you are using very strong passwords across the board.

Firewall

Setup iptables to you hearts content. There is a simple tutorial under the corresponding section header on http://articles.slicehost.com/2008/11/28/ubuntu-intrepid-setup-page-1. Additionally, you should explore adaptive solutions such as fail2ban.

Automatic security checks

Scans with chkrootkit Scans with rkhunter

Fine tooth comb through with penetration testing

No one knows your setup better than you, so think like a hacker to find the weak spots. For example, do you let people upload files? If so, can these uploaded files be executed? Make sure that your code is safe. There are enough security vulnerabilities introduced by other peoples code.

Monitoring

Put the final touches on by adding monitoring utilities. Personally, I’m using Pingdom with custom health monitoring scripts.

Other Programs

logrotate You need to rotate the logs periodically so that they don’t become space hogs and bring everything to a crawl.

Nginx was the only software that we installed outside of the package manager, so that’s the only one that we need to specifically setup with logrotate. All the other logs should theoretically be taken care of.

Create the logrotate rules for nginx in /etc/logrotate.d/nginx

htop—htop is a very useful little program, but is not required.

traceroute—Most useful networking tool in the world.

unzip—Useful for those annoying files that are .zip and not .tar.gz

AWStats—Useful in processing Nginx logs.

Create the cache directory

Now add your configurations in /etc/awstats. For example, /etc/awstats/awstats.jonsview.com.conf looks like

Because you’re using Nginx, the following Slicehost thread will be very beneficial on accessing your statistics: http://forum.slicehost.com/comments.php?DiscussionID=2561

You will probably want to setup automatic updating before the logs are rotated every night.

Change Log

3/27/2009 – Added PHP APC, unzip, AWStats, and fail2ban recommendation.

8 comments… add one
  • Sergey May 13, 2010

    root@ibm:~# /etc/init.d/php-fastcgi restart
    * Restarting php-cgi in external FASTCGI mode php-fastcgi [ OK ]

    Does that mean fastcgi spawning properly ?

    Though when I do start or stop it, I see following:

    root@ibm:~# /etc/init.d/php-fastcgi stop
    start-stop-daemon: warning: failed to kill 1101: No such process

    Any ideas why.

    Honestly I’ve never seen properly working php-cgi script which is so necessary for nginx. All I successfully used was either SPAWN-FASTSGI (from lighthttpd package) which I hate – not suitable for heavy load 2000 concurrent connection and it’s dead, or PHP-FPM which requires patching your PHP, means you loose the ability of smooth updating of your PHP.

    The only way out is to wait PHP 5.4 stable…. or perhaps somebody will write proper script to run php-cgi from PHP package.

  • Jon Stacey May 11, 2010

    There were some HTML entities messing things up. I think I got them all. Here’s the original source: http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg352883.html.

  • Sergey May 11, 2010

    Unfortunately I’ve stucked with the following problem (Ubuntu 10.04)

    When I try to start your script:
    /etc/init.d/php-fastcgi start

    I get following:
    /etc/init.d/php-fastcgi: 28: Syntax error: “&” unexpected

    Any ideas why ?

  • the_guv May 11, 2010

    interestin comments Jon and Sergey .. pleased I subbed, didn’t know that about APC.

    thought you both may be interested in some fresh fastCGI benchmarking:-

    PHP BENCHMARKED: PHP-FPM (integrated) vs PHP-FPM (separate) vs Spawn-FCGI vs FastCGI

    .. of course, with PHP’s announcement to take FPM into core code come, er, I think 5.4, this issue will be redundant (as will my benchmarking!)

    • Asal Dec 27, 2012

      So, that’s it? Everything is OK now? WOW! How do I get in contact with you when I set up anethor one of these up? I am making sites like these all the time. If you can fix this maybe we can work out some kind of deal where I can pay you to help me set them up.Dude, what’s your paypal? I wanna send you some money. Is 20 bucks alright?

  • Sergey May 10, 2010

    Hi. I wonder why you decided to use original fast-cgi. Honestly I really like !!! Sure it must be stable due to it is original, gut not sure about speed.

    What do you think about PHP-FPM ? Personally I think it is the best spawning for fast-cgi, but not comfortable for administration (installation via patch, cannot patch already installed PHP).

    Same question about APC. Why not Xcache or Eaccelerator.

    Explanation would be nice 😉

    • Jon Stacey May 10, 2010

      Quite simply, economics and using the best tool for the job. That’s one of the reasons I went back to a LAMP stack for this site. The time saved using the Debian packaging system far outweighed the time wasted maintaining Nginx and fast-cgi. My time is considerably more valuable to me than the cost of a more powerful server able to accommodate the larger stack.

      The reason I chose APC is because it will be part of core PHP at some point in the future, so it’s more likely to get special attention than the other alternatives. In the end, the Debian php-apc package worked out of the box and got the job done sufficiently.

      I toyed with PHP-FPM but maintaining a patched branch that has to be compiled after every update is something I do not want to worry about on a production server.

  • the_guv Oct 15, 2009

    I like that, Jon .. I like that a lot. I’d like it if you searched for similar stuff on my blog, we could compare notes, why not ..

    You’ve helped me on those log files here, especially .. most appreciated, thank you.

Leave a Comment

Time limit is exhausted. Please reload CAPTCHA.