Introduction
This guide explains how to install Nginx, MariaDB, and PHP on Arch Linux (LEMP) and secure the web site with a free Let's Encrypt certificate.
Prerequisites
Before beginning this guide, please:
Deploy a new Arch Linux instance.
Create a sudo user.
Create a DNS "A" record that points to your server's IP address.
This guide uses app.example.com as the example DNS name of the server.
Install UFW Firewall
UFW (uncomplicated firewall) is a simple and configurable firewall.
Install UFW.
$ sudo pacman -S --noconfirm ufw
Configure UFW
Configure UFW to allow outgoing traffic, but refuse any incoming or routed traffic by default.
$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming
$ sudo ufw default deny routed
Allow traffic on TCP ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
$ sudo ufw allow 22/tcp
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
Enable the firewall to make the new configuration active. If you are connected over SSH, it will display a warning message about possibly interrupting the connection. You can ignore this warning because TCP port 22 (SSH) was allowed through the firewall in the earlier step.
$ sudo ufw enable
Install Nginx
Install the Nginx package.
$ sudo pacman -S --noconfirm nginx
Start the Nginx service and enable it to start automatically on boot.
$ sudo systemctl start nginx.service
$ sudo systemctl enable nginx.service
Install MariaDB
Install the MariaDB package.
$ sudo pacman -S --noconfirm mariadb
Initialize MariaDB's internal database and system tables.
$ sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
Start the MariaDB service and enable it to start automatically on boot.
$ sudo systemctl start mariadb.service
$ sudo systemctl enable mariadb.service
Run the secure installation script to configure MariaDB security.
$ sudo mysql_secure_installation
When prompted for the current password for root, press ENTER for none. When asked to supply a new root password, use a secure password. Answer Y or press ENTER for all remaining prompts.
Install PHP
Install the PHP and PHP-FPM packages.
$ sudo pacman -S --noconfirm php php-fpm
Start the PHP-FPM service and enable it to start automatically on boot.
$ sudo systemctl start php-fpm.service
$ sudo systemctl enable php-fpm.service
Install Certbot
Certbot is used to request free Let's Encrypt SSL/TLS certificates. The recommended way to install Certbot on Arch is with Snap.
Follow the instructions at eff.org to install Certbot for Nginx on Arch Linux.
Request an SSL/TLS certificate with Certbot. Replace user@example.com with your email and app.example.com with your fully-qualified domain name.
$ sudo certbot certonly --agree-tos --no-eff-email --nginx -m user@example.com -d app.example.com
Test PHP
Create a PHP test page in the web root directory.
$ sudo nano /srv/http/index.php
Paste the following lines.
<?php
phpinfo();
Save and exit the file.
To see the test page, navigate to your fully qualified domain name in a web browser. It should display the PHP version as well as other system information.
The LEMP stack installation is now complete. Next, upload your web pages to /srv/http.
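The steps above install Nginx, PHP-FPM, and a certificate, but certbot certonly leaves the Nginx configuration unchanged, so nothing yet connects the three. The server blocks below are an added example, not part of the original guide. They assume Certbot's default /etc/letsencrypt/live/ directory and Arch's default PHP-FPM socket at /run/php-fpm/php-fpm.sock; adjust both if your system differs.

```nginx
# Added example: server blocks for app.example.com.
# Place inside the existing http { } block of /etc/nginx/nginx.conf.
# Paths marked "assumed" are common defaults, not values stated in the guide.

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;

    # Certificate and key obtained by "certbot certonly" (assumed default path).
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Web root used throughout the guide.
    root  /srv/http;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Hand only .php files that exist on disk to PHP-FPM, so a crafted
    # path cannot cause another file type to be executed as PHP.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi.conf;
        # Assumed: Arch's default PHP-FPM socket.
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    }

    # Never serve dotfiles such as .git or .env (.well-known stays reachable).
    location ~ /\.(?!well-known) {
        deny all;
    }
}
```

After editing, check the syntax with sudo nginx -t and apply the change with sudo systemctl reload nginx.service.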