Installing the LEMP Stack on Debian 10

Select distribution:
Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Create a Linode account to try this guide with a $ credit.
This credit will be applied to any valid services used during your first  days.

What is the LEMP Stack?

The LAMP stack (Linux, Apache, MariaDB, and PHP) is a popular server configuration for developing and hosting web applications. The four components of the stack are not tightly coupled, making it possible to substitute your preferred technologies. The LEMP stack is a common variant in which the Apache web server is replaced by NGINX, pronounced “engine-x”, thus providing the “E”.

Before You Begin

  1. If you have not already done so, create a Linode account and Compute Instance. See our Getting Started with Linode and Creating a Compute Instance guides.

  2. Follow our Setting Up and Securing a Compute Instance guide to update your system. You may also wish to set the timezone, configure your hostname, create a limited user account, and harden SSH access.

Note
If you have a registered domain name for your website, then add the domain to the Linode server on which you plan to install the LEMP stack. If you do not have a registered domain name, then replace example.com with the IP address of the Linode server in the following instructions.

Installation

NGINX

Install NGINX from the package repository:

sudo apt install nginx

MariaDB

MariaDB is a popular fork of MySQL, and its development is considered to be more open and transparent than MySQL’s. MariaDB is administered with the same commands as MySQL.

  1. Install the MariaDB server and MySQL/MariaDB-PHP support:

    sudo apt install mariadb-server php-mysql
    
  2. Log in to MariaDB’s SQL shell:

    sudo mysql -u root
    

    The database will not prompt you for a password, as it is initially configured to use the unix_socket authorization plugin. This authorization scheme allows you to log in to the database’s root user as long as you are connecting from the Linux root user on localhost:

    SELECT user,host,authentication_string,plugin FROM mysql.user;
    
    1
    2
    3
    4
    5
    6
    
    +------+-----------+-----------------------+-------------+
    | user | host      | authentication_string | plugin      |
    +------+-----------+-----------------------+-------------+
    | root | localhost |                       | unix_socket |
    +------+-----------+-----------------------+-------------+
    1 row in set (0.00 sec)

    You can keep using the unix_socket plugin for the root user; this is considered a secure option for production systems, and it is needed for certain maintenance scripts to run normally. Further reading on this subject is available in /usr/share/doc/mariadb-server-10.3/README.Debian.gz on your filesystem.

  3. Create a test database and user with access permission. Replace testdb and testuser with appropriate names for your setup. Replace password with a strong password.

    1
    2
    3
    
    CREATE DATABASE testdb;
    CREATE USER 'testuser' IDENTIFIED BY 'password';
    GRANT ALL PRIVILEGES ON testdb.* TO 'testuser';
  4. Exit the SQL shell:

    1
    
    quit
  5. Use the mysql_secure_installation tool to configure additional security options. You will be given the choice to change the MariaDB root password, remove anonymous user accounts, disable root logins outside of localhost, and remove test databases. It is recommended that you answer yes to these options. You can read more about the script in the MariaDB Knowledge Base .

    sudo mysql_secure_installation
    

PHP

  1. Install the PHP FastCGI Processing Manager, which includes the core PHP dependencies:

    sudo apt install php-fpm
    
  2. Tell PHP to only accept URIs for files that actually exist on the server. This mitigates a security vulnerability where the PHP interpreter can be tricked into allowing arbitrary code execution if the requested .php file is not present in the filesystem. See this tutorial for more information about this vulnerability.

    sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.3/fpm/php.ini
    

Set an NGINX Site Configuration File

  1. Create a root directory where the site’s content will live. Replace example.com with your site’s domain.

     sudo mkdir -p /var/www/html/example.com/public_html
    
  2. Create a copy of the default configuration file for your site:

    sudo cp /etc/nginx/sites-enabled/default /etc/nginx/sites-available/example.com.conf
    
  3. Open the new example.com configuration file in your text editor. Create a configuration file with the example content. Replace example.com with your domain in both the file name and in the contents of the file:

    File: /etc/nginx/sites-available/example.com.conf
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    
    server {
        listen         80;
        listen         [::]:80;
        server_name    example.com www.example.com;
        root           /var/www/html/example.com/public_html;
        index          index.html;
    
        location / {
          try_files $uri $uri/ =404;
        }
    
        location ~* \.php$ {
          fastcgi_pass unix:/run/php/php7.3-fpm.sock;
          include         fastcgi_params;
          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
          fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
        }
    }

    Here’s a breakdown of the server block above:

    • NGINX is listening on port 80 for incoming connections to example.com or www.example.com.

    • The site is served out of /var/www/html/example.com/public_html and its index page (index.html) is a simple .html file. If your index page will use PHP like WordPress does, substitute index.html for index.php.

    • try_files tells NGINX to verify that a requested file or directory actually exists in the site’s root filesystem before further processing the request. If it does not, a 404 is returned.

    • location ~* \.php$ means that NGINX will apply this configuration to all .php files (file names are not case sensitive) in your site’s root directory, including any subdirectories containing PHP files.

    • The * in the ~* \.php$ location directive indicates that PHP file names are not case sensitive. This can be removed if you prefer to enforce letter case.

    • fastcgi_pass specifies the UNIX socket where PHP listens for incoming connections from other local processes.

    • include fastcgi_params tells NGINX to process a list of fastcgi_param variables at /etc/nginx/fastcgi_params.

    • The fastcgi_param directives contain the location (relative to the site’s root directory) and file naming convention of PHP scripts to be served when called by NGINX.

  4. Create a link to your website configuration file from within the sites-enabled directory. Change the name of the file to the name you used for your domain:

    sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
    

Enable Firewall

If you configured UFW on your server, enable the firewall to allow web traffic.

  1. Check the ports that are enabled for Nginx Full Profile:

    sudo ufw app info "Nginx Full"
    

    Ports 80 and 443 should be listed as enabled for Nginx Full profile.

  2. If these ports are now allowed, enable them with the following command:

    sudo ufw allow in "Nginx Full"
    

Test the LEMP Stack

  1. To ensure that your web server can be reached with your domain name, configure the DNS records for your domain to point to your Linode’s IP address.

  2. Restart PHP and reload the NGINX configuration:

    sudo systemctl restart php7.3-fpm
    sudo nginx -s reload
    
  3. Test the NGINX configuration:

    sudo nginx -t
    
  4. Create a test page to verify NGINX can render PHP and connect to the MariaDB database. Replace the "testuser" and "password" fields with the MariaDB credentials you created above.

    File: /var/www/html/example.com/public_html/test.php
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    
    <html>
    <head>
        <h2>LEMP Stack Test</h2>
    </head>
        <body>
        <?php echo '<p>Hello,</p>';
    
        // Define PHP variables for the MySQL connection.
        $servername = "localhost";
        $username = "testuser";
        $password = "password";
    
        // Create a MySQL connection.
        $conn = mysqli_connect($servername, $username, $password);
    
        // Report if the connection fails or is successful.
        if (!$conn) {
            exit('<p>Your connection has failed.<p>' .  mysqli_connect_error());
        }
        echo '<p>You have connected successfully.</p>';
        ?>
    </body>
    </html>
    
  5. Go to http://example.com/test.php in a web browser. It should report that You have connected successfully.

    LEMP Stack Test Page Success

    If you see an error message or if the page does not load at all, re-check your configuration. If your DNS changes haven’t propagated yet, you can test your page with curl instead:

    curl -H "Host: example.com" http://<your-ip-address>/test.php
    
    1
    2
    3
    4
    5
    6
    7
    
    <html>
    <head>
    <h2>LEMP Stack Test</h2>
    </head>
    <body>
    <p>Hello,</p><p>You have connected successfully.</p></body>
    </html>
  6. Remove the test file once the stack is working correctly:

    sudo rm /var/www/html/example.com/public_html/test.php
    

Next Steps

For more on the software in this stack see the following guides:

This page was originally published on


Your Feedback Is Important

Let us know if this guide was helpful to you.


Join the conversation.
Read other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.