Installing LEMP on Ubuntu 17.0

In this article I'll describe how to install LEMP on Ubuntu 17.0 for a simple phpBB-based forum.
  • Check your hostname
    sudo hostname
  • My hostname will be forum.artfun.pw, so I need to change the hostname with the command:
    sudo hostname forum.artfun.pw
  • Install the nginx web server. Download the signing key from the nginx web site and add it to the apt keyring with the following commands:
    wget https://nginx.ru/keys/nginx_signing.key
    
    sudo apt-key add nginx_signing.key
  • Append the following to the end of the /etc/apt/sources.list file, replacing the codename (zesty here) with your Ubuntu distribution codename:
    deb http://nginx.org/packages/ubuntu/ zesty nginx
    deb-src http://nginx.org/packages/ubuntu/ zesty nginx
    
  • Then run the following commands:
    apt-get update
    apt-get install nginx
  • If you have the ufw firewall running, as outlined in our initial setup guide, you will need to allow connections to Nginx. Nginx registers itself with ufw upon installation, so the procedure is rather straightforward.
    It is recommended that you enable the most restrictive profile that will still allow the traffic you want. Since we haven't configured SSL for our server yet, in this guide, we will only need to allow traffic on port 80.
    You can enable this by typing:
    sudo ufw allow 'Nginx HTTP'
    sudo ufw allow 80
  • Restart nginx:
    service nginx restart
  • Open the IP address or domain name of the server in your browser - http://forum.artfun.pw/ . It should take you to Nginx's default landing page.
    Welcome to nginx!
  • Install MySQL:
    sudo apt-get install mysql-server
  • To secure the installation, we can run a simple security script that will ask whether we want to modify some insecure defaults. Begin the script by typing:
    sudo mysql_secure_installation
    
    
    
    
    Securing the MySQL server deployment.
    
    Enter password for user root:
    
    VALIDATE PASSWORD PLUGIN can be used to test passwords
    and improve security. It checks the strength of password
    and allows the users to set only those passwords which are
    secure enough. Would you like to setup VALIDATE PASSWORD plugin?
    
    Press y|Y for Yes, any other key for No:
    Using existing password for root.
    Change the password for root ? ((Press y|Y for Yes, any other key for No) :
    
     ... skipping.
    By default, a MySQL installation has an anonymous user,
    allowing anyone to log into MySQL without having to have
    a user account created for them. This is intended only for
    testing, and to make the installation go a bit smoother.
    You should remove them before moving into a production
    environment.
    
    Remove anonymous users? (Press y|Y for Yes, any other key for No) : Yes
    Success.
    
    
    Normally, root should only be allowed to connect from
    'localhost'. This ensures that someone cannot guess at
    the root password from the network.
    
    Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Yes
    Success.
    
    By default, MySQL comes with a database named 'test' that
    anyone can access. This is also intended only for testing,
    and should be removed before moving into a production
    environment.
    
    
    Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Yes
     - Dropping test database...
    Success.
    
     - Removing privileges on test database...
    Success.
    
    Reloading the privilege tables will ensure that all changes
    made so far will take effect immediately.
    
    Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Yes
    Success.
    
    All done!
    
  • Install PHP:
    apt-get install php-fpm php-mysql php-xml
  • Open the PHP-FPM configuration file and find the parameter that sets cgi.fix_pathinfo. It is commented out with a semicolon (;) and set to "1" by default.
    This is an extremely insecure setting because it tells PHP to attempt to execute the closest file it can find if the requested PHP file cannot be found. This would allow users to craft PHP requests that execute scripts they shouldn't be allowed to execute.
    We will change both of these conditions by uncommenting the line and setting it to "0" like this:
    mcedit /etc/php/7.1/fpm/php.ini
    cgi.fix_pathinfo=0
  • Now, we just need to restart our PHP processor by typing:
    sudo systemctl restart php7.1-fpm
  • Optional step: collect all configs in one directory:
    mkdir -p /home/server/forum.artfun.pw/public
    mkdir -p /home/server/forum.artfun.pw/configs
    mv /etc/nginx/nginx.conf /home/server/forum.artfun.pw/configs
    ln -s /home/server/forum.artfun.pw/configs/nginx.conf /etc/nginx/nginx.conf
    mkdir -p /home/server/forum.artfun.pw/configs/nginx/conf.d/
  • Change the nginx main config to include configs from our directory. Also change the user to www-data:
    mcedit /etc/nginx/nginx.conf
    
    user  www-data;
    worker_processes  1;
    
    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        keepalive_timeout  65;
    
        #gzip  on;
    
        include /home/server/forum.artfun.pw/configs/nginx/conf.d/*.conf;
    }
    
    
  • Download the latest version of the phpBB forum into the public directory:
    cd /home/server/forum.artfun.pw/public
    wget https://www.phpbb.com/files/release/phpBB-3.2.1.zip
    unzip phpBB-3.2.1.zip >>/dev/null
    mv phpBB3/* ./
    mv phpBB3/.htaccess ./
    rm -rf phpBB3
  • Next, move the sample Nginx config from the phpBB3 distribution to the Nginx conf.d folder:
    mv /home/server/forum.artfun.pw/public/docs/nginx.sample.conf /home/server/forum.artfun.pw/configs/nginx/conf.d/forum.artfun.pw.conf
    
  • Edit /home/server/forum.artfun.pw/configs/nginx/conf.d/forum.artfun.pw.conf:
    mcedit /home/server/forum.artfun.pw/configs/nginx/conf.d/forum.artfun.pw.conf
  • I'll use only one domain, http://forum.artfun.pw/, so I comment out this block:
    # If you have domains with and without www prefix,
        # redirect one to the other.
        # server {
            # Default port is 80.
            #listen 80;
    
            # server_name myforums.com;
    
            # A trick from http://wiki.nginx.org/Pitfalls#Taxing_Rewrites:
            # rewrite ^ http://www.myforums.com$request_uri permanent;
            # Equivalent to:
            #rewrite ^(.*)$ http://www.myforums.com$1 permanent;
        # }
  • In the block marked "# The actual board domain.", change options such as server_name and root.
  • Change the socket in the block "upstream php {". You can check which socket your PHP uses with the command:
    netstat -lnp
    In my case, it's /run/php/php7.1-fpm.sock, so the block should look like this:
    # If running php as fastcgi, specify php upstream.
        upstream php {
            server unix:/run/php/php7.1-fpm.sock;
        }
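  • Remove the enclosing http { } wrapper from the file, since the file is already included from inside the http block of nginx.conf.
  • The full file should look like this: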
    server {
            # default specifies that this block is to be used when
            # no other block matches.
            listen 80 default;
    
            server_name bogus;
            return 444;
            root /var/empty;
        }
    
        # If you have domains with and without www prefix,
        # redirect one to the other.
        # server {
            # Default port is 80.
            #listen 80;
    
            # server_name myforums.com;
    
            # A trick from http://wiki.nginx.org/Pitfalls#Taxing_Rewrites:
            # rewrite ^ http://www.myforums.com$request_uri permanent;
            # Equivalent to:
            #rewrite ^(.*)$ http://www.myforums.com$1 permanent;
        # }
    
        # The actual board domain.
        server {
            #listen 80;
            server_name forum.artfun.pw;
    
            root /home/server/forum.artfun.pw/public;
    
            location / {
                # phpBB uses index.htm
                index index.php index.html index.htm;
                try_files $uri $uri/ @rewriteapp;
            }
    
            location @rewriteapp {
                rewrite ^(.*)$ /app.php/$1 last;
            }
    
            # Deny access to internal phpbb files.
            location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
                deny all;
                # deny was ignored before 0.8.40 for connections over IPv6.
                # Use internal directive to prohibit access on older versions.
                internal;
            }
    
            # Pass the php scripts to fastcgi server specified in upstream declaration.
            location ~ \.php(/|$) {
                # Unmodified fastcgi_params from nginx distribution.
                include fastcgi_params;
                # Necessary for php.
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;
                try_files $uri $uri/ /app.php$is_args$args;
                fastcgi_pass php;
            }
    
            # Correctly pass scripts for installer
            location /install/ {
                # phpBB uses index.htm
                try_files $uri $uri/ @rewrite_installapp;
    
                # Pass the php scripts to fastcgi server specified in upstream declaration.
                location ~ \.php(/|$) {
                    # Unmodified fastcgi_params from nginx distribution.
                    include fastcgi_params;
                    # Necessary for php.
                    fastcgi_split_path_info ^(.+\.php)(/.*)$;
                    fastcgi_param PATH_INFO $fastcgi_path_info;
                    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                    fastcgi_param DOCUMENT_ROOT $realpath_root;
                    try_files $uri $uri/ /install/app.php$is_args$args;
                    fastcgi_pass php;
                }
            }
    
            location @rewrite_installapp {
                rewrite ^(.*)$ /install/app.php/$1 last;
            }
    
            # Deny access to version control system directories.
            location ~ /\.svn|/\.git {
                deny all;
                internal;
            }
        }
    
        # If running php as fastcgi, specify php upstream.
        upstream php {
            server unix:/run/php/php7.1-fpm.sock;
        }
  • Change owner of the dir:
    chown -R www-data /home/server/forum.artfun.pw/public
  • Try to open your site (in my case, http://forum.artfun.pw/). If everything is configured correctly, it will redirect to http://forum.artfun.pw/install/app.php to install the phpBB forum.
  • Set up Administrator configuration.
  • Create MySQL database:
    mysql -u root -p
    CREATE SCHEMA `phpBBDB` DEFAULT CHARACTER SET utf8 ;
    
  • Set up Database configuration.
  • Change the parameters in Server configuration, if needed.
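
To confirm that the cgi.fix_pathinfo step above took effect, the check below reports the value PHP will actually use, treating a line that is still commented out as the default of 1. It is an added example, not part of the original article; the function names and the sample php.ini fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit cgi.fix_pathinfo in a php.ini.
# Function names and sample fragments below are constructed for illustration.

# Print the value PHP will use. Lines starting with ';' are comments, so a
# commented-out setting leaves the built-in default of 1 in force.
# If the directive appears more than once, the last active line wins.
effective_fix_pathinfo() {
    value=$(sed -n \
        's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*$/\1/p' \
        "$1" | tail -n 1)
    printf '%s\n' "${value:-1}"
}

# Exit status 0 only when the setting is explicitly 0, as the article requires.
fix_pathinfo_is_disabled() {
    [ "$(effective_fix_pathinfo "$1")" = "0" ]
}

# Constructed php.ini fragments: $1 = case name, $2 = file to write.
write_sample() {
    case $1 in
        default)  printf '[PHP]\n;cgi.fix_pathinfo=1\n' ;;
        unsafe)   printf '[PHP]\ncgi.fix_pathinfo=1\n' ;;
        hardened) printf '[PHP]\n;cgi.fix_pathinfo=1\ncgi.fix_pathinfo = 0 ; edited\n' ;;
    esac > "$2"
}

if [ $# -gt 0 ]; then
    # Real use: pass the file the article edits, /etc/php/7.1/fpm/php.ini
    if fix_pathinfo_is_disabled "$1"; then
        echo "OK: cgi.fix_pathinfo=0"
    else
        echo "WARNING: cgi.fix_pathinfo is effectively $(effective_fix_pathinfo "$1")"
    fi
else
    # No argument: run against the constructed samples.
    tmp=$(mktemp)
    for c in default unsafe hardened; do
        write_sample "$c" "$tmp"
        echo "$c: effective value $(effective_fix_pathinfo "$tmp")"
    done
    rm -f "$tmp"
fi
```

The check reads the file only; PHP-FPM picks up the new value after the restart shown in the article.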