How to build the ultimate Ubuntu/Lighttpd/PHP/MySQL server, and keep it running
Contents
for those who want to skip to a topic directly
Create a new user and secure SSH access [page 1]
Add some basic aliases to speed up things [page 2]
Learn how 'free -m' works [page 2]
Update OS, install essential applications [page 2]
Install and configure Lighttpd [page 3]
Install and configure PHP 5 [page 3]
Install and secure MySQL [page 4]
Google mail, and get php(mail) working [page 4]
Configure IPTables (firewall) [page 5]
Speed up your site's performance with etags [page 5]
This is going to be a very long post. Read it thoroughly: it's very detailed, and you can mess things up easily if you forget certain steps, which forces you to start over again.
If you don’t understand something, read it again. If you still don’t understand it, post a comment and I will do my best to explain it. Also DO post a comment if you want to say thank you, I really appreciate it!
OK, fasten your seatbelts and get some coffee. Here we go:
Set up your server or VPS; I won't go into hardware or how to install Ubuntu in this guide. If you have a VPS, you can usually select a Linux distribution in the control panel and it will be installed for you automatically. For this guide we'll use Ubuntu Lucid 10.04, since it's very stable, has a very large user community, and has long-term support.
Create a new user and secure SSH access
Connect to your server via SSH. To do this, you'll need an SSH client. OS X users can use the built-in Terminal application for this purpose. Windows users can use the free program 'PuTTY'.
To connect, type
ssh root@123.45.67.89
Don't forget to change 123.45.67.89 to your server's IP!
Each time you reinstall your server, its SSH host key changes. If you get a message like "remote host identification has changed", you need to edit the SSH known_hosts file on your *local*, home, not-server computer and remove any entries that point to your server's IP address. The same warning is what a man-in-the-middle would cause, so if you did not just reinstall, check with your host before removing the entry. On OS X, you can do this by typing in the terminal
nano ~/.ssh/known_hosts
or you could just delete the file
sudo rm ~/.ssh/known_hosts
Check which version of Ubuntu you are using by typing
cat /etc/lsb-release
You should see something like the following
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"
This guide is optimized for Ubuntu Lucid, but should also work fine for other versions.
You don’t want to use the root account. Add a new user
adduser ntux
Some tasks still need root privileges, though. To handle those without logging in as root, give your new user 'sudo' rights
visudo
Add the following line to the file (note: if your distro uses Vim as the text editor, scroll to the last line with your arrow keys, press 'a' and type the line you see below. Hit ESC and : (or SHIFT + ;), write wq and hit ENTER).
ntux ALL=(ALL) ALL
After creating the new account, you don't need to use the root account anymore. Before you log out of the root session, though, make sure you tighten the SSH daemon settings
nano /etc/ssh/sshd_config
You can tune this config file as you want, but since I don't think you want to read all the man pages, just edit these settings
Port 9876
Protocol 2
PermitRootLogin no
X11Forwarding no
You can press CTRL+W in Nano to search for the strings if you can't find them. Change the port to a number that's different from 22 (it has to be between 1 and 65535; sshd refuses to start with anything higher), though you still have to type it in often, so don't make it too hard to remember. Append these settings to the end of the file. Of course you need to replace 'ntux' with the name of the user you added.
UseDNS no
AllowUsers ntux
To enable the settings you changed, you need to reload SSH (don't log out! just enter the following command)
/etc/init.d/ssh reload
Still understand everything we did? In the last few steps you configured the server to only allow the user ntux to log in via SSH, which means that if you log out of the root account now, you won't be able to SSH back in as root (until you change the setting again, but that won't be needed). You can safely close the current SSH connection, but if you want, you may also leave it open until the end of this tutorial. In either case, open a new terminal window (in OS X) and issue this command to connect via SSH with your new user
ssh -p 9876 ntux@123.45.67.89
Don't forget to change the port, username and server IP according to your own configuration.
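The same sshd_config changes applied by a script instead of by hand, as an added example that is not part of the original guide: it edits a given config file, refuses a port sshd would reject (anything outside 1 to 65535) and refuses to proceed when password logins are disabled while the allowed user has no authorized_keys file, the combination that causes the lockout discussed in the comments. The function names, the /home/<user> key location and the '.new' working copy are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the guide's
# sshd_config settings to a file and run two checks that bite people in
# this thread before anything is reloaded. Function names, the
# /home/<user> key location and the ".new" copy are my own assumptions.
# Usage: sh harden_sshd.sh /etc/ssh/sshd_config ntux 9876

# Set "Key value" in file $1, replacing an existing directive (even a
# commented-out default like "#Port 22") or appending it when absent.
# Goes through a temp file so it works with GNU and BSD sed alike.
set_directive() {
  f=$1 k=$2 v=$3
  if grep -Eq "^[#[:space:]]*${k}[[:space:]]" "$f"; then
    sed -E "s|^[#[:space:]]*${k}[[:space:]].*|${k} ${v}|" "$f" > "$f.tmp" &&
      mv "$f.tmp" "$f"
  else
    printf '%s %s\n' "$k" "$v" >> "$f"
  fi
}

# sshd only accepts an integer port in 1..65535 and will not start otherwise.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True (exit 0) when config $1 turns password logins off while user $2 has
# no authorized_keys file to log in with: the lockout reported in the comments.
lockout_risk() {
  grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    [ ! -f "/home/$2/.ssh/authorized_keys" ]
}

# Apply the guide's settings to config $1 for user $2 on port $3.
# Returns non-zero without touching the file if a check fails.
harden_sshd_config() {
  cfg=$1 u=$2 p=$3
  valid_port "$p" || { echo "refusing: port $p is not in 1..65535" >&2; return 1; }
  lockout_risk "$cfg" "$u" &&
    { echo "refusing: PasswordAuthentication no but no key for $u" >&2; return 1; }
  set_directive "$cfg" Port "$p"
  set_directive "$cfg" Protocol 2
  set_directive "$cfg" PermitRootLogin no
  set_directive "$cfg" X11Forwarding no
  set_directive "$cfg" UseDNS no
  set_directive "$cfg" AllowUsers "$u"
}

# Command-line use: work on a copy, let sshd parse it, and only then swap it
# in; "/etc/init.d/ssh reload" stays a separate, deliberate step.
if [ $# -eq 3 ]; then
  cp "$1" "$1.new" && harden_sshd_config "$1.new" "$2" "$3" &&
    sshd -t -f "$1.new" && mv "$1.new" "$1" && echo "ok, now reload ssh"
fi
```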
Nicely written how-to.
I’ve scheduled a server reinstall for this Friday, and was trying to decide between Fedora 10 and Ubuntu. You’ve just made up my mind with this great walk-through, so look forward to ‘pimping my server’! :)
Since I run a large (10,000 user) phpBB forum on my server, I’ll also look at xcache from your Twitter too…
Ubuntu will be great. First I wanted to use Gentoo (best desktop linux distro imo) on my server, but after seeing that Ubuntu ‘just works’, without looking after it every day, which is exactly what a server has to do, I chose Ubuntu (and never regretted it).
And maybe you already thought of this, but make sure you don’t forget to make backups of the forum before the reinstall! It sounds quite stupid, but even big sites like dpreview.com lose things because of bad backups (ok, they maybe had just bad luck with a failing raid setup)…
And about xcache, it's quite great :). I think I'm going to add a guide about it in a month or so (maybe earlier, but I've got some difficult exams this month, so I don't know how much spare time I'll have – it's also not that hard to install, I think you'll manage to do it with the guides that are available atm).
My server is currently running Gentoo, albeit a heavily-modified-by-the-hosting-company edition, which sadly doesn't work very well…
I had to heavily tweak the MySQLd and Apache2 setup – and it's now running the site stably, but does freeze every now and again, and they seem to have crippled a lot of the extensions/dependencies within Gentoo, so other software (service monitors, etc) just refuses to install.
I will backup the forum ;) At 10gb of files + 1gb DB, it’s a little too big to forget! Shame on any Admins who don’t regularly backup their sites – let alone check they have everything before wiping the server!!
Good luck with the exams.
After applying the changes to the ssh config I get the following error message when trying to connect with putty:
Disconnected: No supported authentication methods available
Any idea?
Eric:
Sorry! At first I was typing a guide in which you authenticated to SSH with a special file. Now I see I forgot to remove one line from a black box.
In ‘/etc/ssh/sshd_config’ you have to either remove
PasswordAuthentication no
or set it to ‘yes’.
One problem though may be getting into your box now.. I can’t tell you how to do this if I don’t know your exact situation, but most of the times you can login through a web based terminal, which is provided by your host.
Again, sorry for the hassle, but thanks for your comment!
I'm updating the guide now!
EDIT: Guide updated. I also removed the line "UsePAM no". You can also set it to yes, or remove it from your sshd_config.
Thanks for updating it. Actually I figured it out myself ;-)
Now I’m stuck here:
iptables-restore < /etc/iptables.test.rules
Bad argument `DROP'
np, thanks for leaving the comment! Even though you figured it out by yourself, I really appreciate the comment. It helps me improve the guide.
But ok, now to your question. I think the problem lies with the ` before DROP. Look at the rules you want to implement in IPTables. There should be DROP somewhere (CTRL+W is search in Nano). You should replace the ` before it into a ‘ (I don’t know how you call those things, sorry, I mean the regular ‘ below ” on your keyboard).
Also, you have to type sudo before the line (I forgot to mention that in the guide, will update it now).
I hope this solves the problem, if not, don’t hesitate to comment again!
Thanks for the fast answer!
There’s no ` before the DROP in the textfile:
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
Since I don’t do it exactly the same way I don’t need to sudo anyway ;-)
since iptables-restore doesn’t work I’ll go for a script version of the iptables rules.
can you suggest the rc-update command so I have all important runlevels covered?
will “update-rc.d firewall defaults” do it?
I think you might find the apostrophe problem is actually WordPress… It tries to be clever and do curly quotes, but obviously not when code is involved..
Glad others have found the problems before me… lol
Not sure if it helps others, but on previous servers, I’ve actually used two programs to look after the IPTables/Firewall: APF (Advanced Policy Firewall) and backed up with BFD (Brute Force Detection).
How-To guide for APF:
http://www.webhostgear.com/61_print.html
Then BFD (you need to install APF first):
http://www.webhostgear.com/60_print.html
Once running, it will look after your server, email you when someone tries to hack into your server with all their details, but don't worry – it's already blocked them on the firewall… :)
thanks, will have a look at it.
by the way, mysql doesn't work with the server this way. you have to install php-mysql additionally for making it work!
eric: Thanks for pointing that out! Also sorry for forgetting things, but you (I’m not implying that you don’t) have to understand that there will always be a few errors in a brand new guide (even though I tried to write down almost exactly how I setup the server this site is running on).
And by pointing that out you also helped me remember that I was going to add something about PHP modules like GD.
(I’ll look into your try to look into your problem tomorrow btw, have to sleep now)
andi: Thanks for the links!
all: excuse me for using both apt-get and aptitude, as I’m used to Gentoo’s emerge I don’t exactly know which of the two is better….
Since most 'powered by' websites nowadays need GD and SQL, if you could add these to the guide – that would be great!
I’ll be needing to get both of those tonight ;)
Added a small part about installing GD, it’s quite easy actually: most important thing is restarting Lighttpd after installing it. The php5-mysql module is also added to the guide (which is indeed crucial to get mysql running).
Brilliant, thank you!
Looks like the Mrs. has vetoed me playing with Ubuntu tonight, but she's out tomorrow night, so rescheduled for Saturday! Haha..
Just completed my server re-install, with a massive help (and thanks) to this guide.
All went pretty well apart from a little bit of ‘fun’ trying to get lighttpd working. In the end, I setup simple-vhosts which once configured made it all a doddle!!
It’s 3 simple lines in the config:
simple-vhost.server-root = "/home/USER/web/"
simple-vhost.default-host = "domain.tld"
simple-vhost.document-root = "/"
Then add
"mod_simple_vhost",
in your server.modules string in the config too.
Then all I need to do is create a new folder in /home/USER/web for the domain I want to add and place the www files in there. No need to touch the config!
So to add eg google.com, I would:
cd /home/USER/web
mkdir google.com
sudo ln -s google.com www.google.com
In the last part I make a symbolic link from www. to the directory so both work.
Do you know how to make the www. always work via the simple-vhosts bit? Would be nice not to have to do the symlink each time.
In the guide there are a couple of ‘sudo’ bits missing – but the command line will tell you if you don’t have the rights ;)
*sigh*
All was working well early this morning when I went to bed (4:30am!).
Got up at 8am and checked – yup, site still up, so went out for the day.
I’ve had a raft of messages saying the site has been really slow, sometimes unavailable, or missing pictures (gifs mostly)…
I've tried disabling the image caching (thinking it may affect the gif icons on a forum) and tried it with both xcache enabled and disabled. Also looked at server tweaks for lighttpd… Nothing seems to help :(
I’m at a loss at what to do now. I’m sure the issue is in the config, somewhere….. where to start?
Update: (Haha, whose blog is this? lol)
I didn't do anything with the server last night – I was too tired. It was misbehaving and wasn't responding, wouldn't show gifs, css… (I'm talking about its web-servery-ness. As an actual machine it runs fine, but serving web pages, mostly PHP, is its purpose).
This morning?
Running like a peach. Didn’t do anything.
I like it when things get fixed by me – not by themselves!!
Sorry, but you use sudo way too often and restart lighttpd way too often. You don't need to be root to edit a file in your home directory, and after installing a PHP module you don't need to restart lighttpd; it's enough to kill the PHP FastCGI server by running
sudo killall php.fcgi
(or something similar, depending on the name of the PHP process).
Question from a complete Linux newbie: I'm following this guide along with a brand-new Ubuntu 8.04 LTS image on Linode. When I get to the part where I'm implementing the aliases and I enter "sudo source ~/.bashrc" I get a "sudo: source: command not found" error.
Can anyone tell me what this means? I didn’t find any thing terribly helpful when I searched. I’m reluctant to experiment – I shot my last attempt at Linux that way.
Thanks!
Never mind, I think I stumbled across it right after I posted. I did a simple “source .bashrc” and it seemed to work just fine.
[...] got the first ubuntu box pretty much set up thanks to a nice tutorial from nanoTux. Of course I skipped the http server portion as well as the PHP and got Java installed. No real [...]
Great howto, but I have problems setting up MySQL. These are the error messages I get:
Starting MySQL database server mysqld [fail]
invoke-rc.d: initscript mysql, action "start" failed.
dpkg: error processing mysql-server-5.0 (--configure):
subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mysql-server:
mysql-server depends on mysql-server-5.0; however:
Package mysql-server-5.0 is not configured yet.
dpkg: error processing mysql-server (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
mysql-server-5.0
mysql-server
Any idea what to do about this?
yours,
Erik
Erik: Hmmm… Kinda strange. Could you do the following:
sudo aptitude update
sudo aptitude remove mysql-server-5.0
sudo aptitude remove mysql-server
and then
sudo aptitude install php5-mysql
sudo aptitude install mysql-server mysql-client
sudo aptitude install libmysqlclient15-dev
mysql_secure_installation
If the error persists, please give me the full output of the last commands in a pastebin: http://pastebin.com/ (don’t paste them here, just link to the pastebin)
got a small issue, as soon as I add:
fastcgi.server = ( ".php" => ((
"bin-path" => "/path/to/php-cgi",
"socket" => "/tmp/php.socket"
)))
I can’t access my site (either index.html or info.php). removing that solves the problem.
Any ideas?
Thanks
I fixed it, on Ubuntu 8.10 the “/path/to/php-cgi” needs to be replaced with “/usr/bin/php-cgi”
The standard hardy install of lighttpd includes mechanisms to enable and disable configuration files. Fastcgi is already included.
/etc/lighttpd/conf-available/README contains instructions and you can enable/disable modules from the commandline without the need to edit the config file.
I only used your HowTo to install lighttpd and php, so I’ve not read all of it. Otherwise, thanks for this HowTo, covers it nicely.
Hi!
I don't know if that is possible, but I'm trying to test the mail server on my local machine… I have Google Apps on one domain of mine, and I'm trying to use that, but when I try to send emails from there, I get the following in the msmtp.log file:
Fev 09 15:21:00 host=smtp.gmail.com tls=on auth=on user=dejamps@domain.net from=dejamps@domain.net recipients=eber.freitas@gmail_domain.com errormsg='cannot set X509 trust file /home/eber/.certs/ThawtePremiumServerCA.crt for TLS Session: Error while reading file.' exitcode=EX_NOINPUT
My server log file says the following:
msmtp: cannot set X509 trust file /home/eber/.certs/ThawtePremiumServerCA.crt for TLS Session: Error while reading file.
msmtp: could not send mail (account default from /etc/msmtprc)
Is that only 'cause I'm running it locally, or is there anything wrong with the certificates and so on? Thank you!
Hey! I fixed it!
I’ve run the following:
——————————————
sudo aptitude install ca-certificates
sudo update-ca-certificates
sudo vim /etc/msmtprc
tls_trust_file /etc/ssl/certs/ca-certificates.crt
l2r
——————————————
Now the mail server is running perfectly :)
How about installing and configuring Ruby/Rails?
Hi
The link to IPTables is not working – do you have an alternative link?
thanks
@Adam: Thanks for your reply! The site seems down indeed.
You can use
http://easyfwgen.morizot.net/gen/index.php
in the meantime. It's maybe even better than the original link I posted. Make sure you choose "Allow Inbound Services" and "Specify a custom port range", insert your SSH port there and uncheck the SSH option. Big chance that you also have to choose "Static IP" and fill in your server's IP address.
@Kevin: Installing will be quite easy through the package manager (apt-get or aptitude). Configuring is too complicated to explain in a comment, but there's a chance that I make a post about it somewhere soon (depends on my spare time).
I setup a server very similar to this, however I was using Apache 2.2 rather than Lighttpd, next time I plan to build a server from scratch, I will try using Lighttpd that way you have here.
Great guide, thanks.
I'm getting 'opening errorlog …. failed: Permission denied'
To fix, edit the lighttpd.conf entry for virtual hosts and instead of ‘server.errorlog’ , i believe it should be:
‘errorlog.filename’ .
Great guide; thanks for posting; I’ll be trying it out in the next few days.
Thanks NanoTux! It took me a while to set up (my first server) but everything works great now! Thanks for the tutorial.
Awesome guide I just got it working on my laptop thanks :D
Dear Admin,
Great walk-through tutorial. I had already installed Ubuntu 8.04 server onto my web server along with the Apache, MySQL and PHP packages. After reading your tutorial, do I need to reinstall Ubuntu and start from scratch if I want to set up lighttpd?
Thanks for the guide. This has been my goto for a while now to remind me what all I need to do when setting up a new server. Even a couple of years later it works great with minor modifications and additions (Debian, using RSA pubkey authentication for ssh, denyhosts, one or two other little things). I’ve finally realized I do this often enough that I’m going to just write a shell script to set up servers for me, but I wanted to thank you for the work. It’s been really useful.