Knowledgebase

Introduction

This guide explains how to install Nginx, MariaDB, and PHP on Arch Linux (LEMP) and secure the web site with a free Let's Encrypt certificate.

Prerequisites

Before beginning this guide, please:

• Deploy a new Arch Linux instance

• Create a sudo user.

• Update the system

• Create a DNS "A" record that points to your server's IP address.

This guide uses app.example.com as the example DNS name of the server.

Install UFW Firewall

UFW (uncomplicated firewall) is a simple and configurable firewall.

1. Install UFW.

   $ sudo pacman -S --noconfirm ufw
   

2. Configure UFW

   Configure UFW to allow outgoing traffic, but refuse any incoming or routed traffic by default.

   $ sudo ufw default allow outgoing
   
   $ sudo ufw default deny incoming
   
   $ sudo ufw default deny routed
   

   Allow traffic on TCP ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

   $ sudo ufw allow 22/tcp
   
   $ sudo ufw allow 80/tcp
   
   $ sudo ufw allow 443/tcp
   

3. Enable the firewall to make the new configuration active. If you are connected over SSH, it will display a warning message about possibly interrupting the connection. You can ignore this warning because TCP port 22 (SSH) was allowed through the firewall in the earlier step.

   $ sudo ufw enable
   

Install Nginx

1. Install the Nginx package.

   $ sudo pacman -S --noconfirm nginx
   

2. Start the Nginx service and enable it to start automatically on boot.

   $ sudo systemctl start nginx.service
   
   $ sudo systemctl enable nginx.service
   

Install MariaDB

1. Install the MariaDB package.

   $ sudo pacman -S --noconfirm mariadb
   

2. Initialize MariaDB's internal database and system tables.

   $ sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
   

3. Start the MariaDB service and enable it to start automatically on boot.

   $ sudo systemctl start mariadb.service
   
   $ sudo systemctl enable mariadb.service
   

4. Run the secure installation script to configure MariaDB security.

   $ sudo mysql_secure_installation
   

When prompted for the current password for root, press ENTER for none. When asked to supply a new root password, use a secure password. Answer Y or press ENTER for all remaining prompts.

Install PHP

1. Install the PHP and PHP-FPM packages.

   $ sudo pacman -S --noconfirm php php-fpm
   

2. Start the PHP-FPM service and enable it to start automatically on boot.

   $ sudo systemctl start php-fpm.service
   
   $ sudo systemctl enable php-fpm.service
   

Install Certbot

Certbot is used to request free Let's Encrypt SSL/TLS certificates. The recommended way to install Certbot on Arch is with Snap.

Follow the instructions at eff.org to install Certbot for Nginx on Arch Linux.

Request an SSL/TLS certificate with Certbot. Replace user@example.com with your email and app.example.com with your fully-qualified domain name.

    $ sudo certbot certonly --agree-tos --no-eff-email --nginx -m user@example.com -d app.example.com

Test PHP

1. Create a PHP test page in the web root directory.

   $ sudo nano /srv/http/index.php
   

2. Paste the following lines.

   <?php
   
   phpinfo();
   

3. Save and exit the file.

To see the test page, navigate to your fully qualified domain name in a web browser. It should display the PHP version as well as other system information.

The LEMP stack installation is now complete. Next, upload your web pages to /srv/http.

More Resources

• Nginx Documentation

• PHP Documentation

• MariaDB Documentation

• Certbot Documentation