The LEMP stack (Linux, Nginx, MySQL/MariaDB, and PHP) is a free, open-source web application stack used to develop and deploy web applications. The LEMP stack is like the LAMP stack, but it substitutes Nginx for the Apache web server. This guide explains how to install a LEMP stack on Debian 11 and use Certbot to secure it with a Let's Encrypt TLS/SSL certificate.
Prerequisites
- Deploy a Debian 11 cloud server.
- Create a non-root user with sudo access and log in with SSH.
- Update the Debian Server.
This guide assumes you want to use both the apex domain example.com and the www.example.com hostname for your server. To follow this guide, you should assign both the apex domain (sometimes referred to as @) and the www hostname to the server's IP address in your DNS settings.
1. Install Nginx
Install the Nginx web server.
$ sudo apt-get install nginx -y
Start the Nginx service.
$ sudo systemctl start nginx
Enable the Nginx service to start at system reboot.
$ sudo systemctl enable nginx
Check the Nginx version to verify the installation.
$ sudo nginx -v
You should see output like this:
nginx version: nginx/1.18.0
2. Configure the Firewall
List the available application profiles.
$ sudo ufw app list
Among the other entries, you should see the following profiles:
Nginx Full
Nginx HTTP
Nginx HTTPS
- The Nginx Full profile opens both HTTPS (443) and HTTP (80) ports.
- The Nginx HTTP profile opens the HTTP (80) port only.
- The Nginx HTTPS profile opens the HTTPS (443) port only.
Allow the Nginx Full profile in the firewall. Certbot requires ports 80 and 443 to install a Let's Encrypt TLS/SSL certificate.
$ sudo ufw allow 'Nginx Full'
Check the Firewall status.
$ sudo ufw status
You should see output like this:
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
3. Create an Nginx Virtual Host
Remove the default Nginx configuration.
$ sudo rm -rf /etc/nginx/sites-enabled/default
$ sudo rm -rf /etc/nginx/sites-available/default
Create an Nginx virtual host configuration file. Replace your-domain-name.com with your domain name.
$ sudo nano /etc/nginx/sites-available/your-domain-name.com
Paste this into the file. Replace example.com with your domain name.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/html;
    index index.php index.html index.nginx-debian.html;

    access_log /var/log/nginx/example_access.log;
    error_log /var/log/nginx/example_error.log;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Enable the new Nginx configuration. Replace example.com with your domain name.
$ sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
Reload the Nginx service.
$ sudo systemctl reload nginx
4. Install MariaDB
Install MariaDB database server.
$ sudo apt-get install mariadb-server -y
Start the MariaDB service.
$ sudo systemctl start mariadb
Enable the MariaDB service to start at system reboot.
$ sudo systemctl enable mariadb
5. Secure MariaDB Database Server
MariaDB provides a security script to secure the database. Run it and answer all the security questions as shown.
$ sudo mysql_secure_installation
Initially, there is no password for root. Press ENTER.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Press Y to Switch to unix_socket authentication.
Switch to unix_socket authentication [Y/n] Y
Enabled successfully!
Reloading privilege tables..
 ... Success!
Press Y to change the root password.
Change the root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!
Press Y to remove anonymous users.
Remove anonymous users? [Y/n] Y
 ... Success!
Press Y to remove remote root login.
Disallow root login remotely? [Y/n] Y
 ... Success!
Press Y to remove test database and access to it.
Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Press Y to reload the privilege tables.
Reload privilege tables now? [Y/n] Y
 ... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB installation should now be secure.
Thanks for using MariaDB!
Connect to the MariaDB shell and enter your MariaDB root password.
$ sudo mysql -u root -p
Check the MariaDB version to verify the installation.
MariaDB [(none)]> SELECT @@version;
It should return something like this:
+---------------------------+
| @@version                 |
+---------------------------+
| 10.5.12-MariaDB-0+deb11u1 |
+---------------------------+
1 row in set (0.000 sec)
Exit MariaDB shell.
MariaDB [(none)]> exit
6. Install PHP
Install PHP-FPM 7.4 and other required packages.
$ sudo apt-get install php php-fpm php-curl php-cli php-zip php-mysql php-xml -y
Check the PHP version to verify the installation.
$ php -v
It should return something like this:
PHP 7.4.28 (cli) (built: Feb 17 2022 16:17:19) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.28, Copyright (c), by Zend Technologies
Create a PHP test file in your editor.
$ sudo nano /var/www/html/phpinfo.php
Paste this into your phpinfo.php file.
<?php phpinfo(); ?>
Save and exit the file.
In your browser, navigate to http://www.example.com/phpinfo.php to view the PHP test file, which shows the PHP information.
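As an added example (not part of the original guide), the script below checks two things this setup leaves to the administrator: that no phpinfo() test file like the one from step 6, which shows the PHP configuration to anyone who requests it, remains in the web root, and that the PHP location block from step 3 still contains try_files $uri =404 and names a PHP-FPM socket. The function names and the script name lemp-audit.sh are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative.

# List PHP files under the web root that call phpinfo(), such as the test
# file created in step 6. Returns 0 when none remain, 1 otherwise.
find_phpinfo_files() {
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Inspect the `location ~ \.php$` block of a vhost file (step 3).
# It must keep `try_files $uri =404;` so a request for a .php path that does
# not exist on disk gets a 404 instead of being passed to PHP-FPM.
# Prints the unix socket named in fastcgi_pass; returns 1 on any failure.
check_php_location() {
    block=$(sed -n '/location ~ \\\.php\$/,/}/p' "$1")
    [ -n "$block" ] || { echo "no PHP location block in $1" >&2; return 1; }
    printf '%s\n' "$block" |
        grep -Eq 'try_files[[:space:]]+\$uri[[:space:]]+=404[[:space:]]*;' ||
        { echo "PHP block lacks 'try_files \$uri =404;'" >&2; return 1; }
    sock=$(printf '%s\n' "$block" |
        sed -n 's/.*fastcgi_pass[[:space:]]*unix:\([^;]*\);.*/\1/p')
    [ -n "$sock" ] || { echo "no unix socket in fastcgi_pass" >&2; return 1; }
    printf '%s\n' "$sock"
}

# Run as: sh lemp-audit.sh /var/www/html /etc/nginx/sites-available/example.com
if [ "$#" -eq 2 ]; then
    status=0
    find_phpinfo_files "$1" || { echo "remove the files listed above" >&2; status=1; }
    sock=$(check_php_location "$2") || status=1
    # The socket must exist, or Nginx answers PHP requests with 502.
    [ -n "$sock" ] && [ ! -S "$sock" ] && { echo "missing socket: $sock" >&2; status=1; }
    exit "$status"
fi
```
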
7. Install a Let's Encrypt Certificate
Certbot requires Snap. Install snapd and enable classic Snap support.
$ sudo apt install snapd
Either log out and back in again, or restart your system, to update Snap’s paths.
Install the core Snap to get the latest snapd.
$ sudo snap install core
Update core Snap.
$ sudo snap refresh core
Verify there are no Certbot packages installed with apt.
$ sudo apt remove certbot
Install Certbot with Snap.
$ sudo snap install --classic certbot
Link Certbot to /usr/bin.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Request a certificate for your server. Replace the example email and domains with your values. The command shown requests a multi-domain (SAN) certificate for example.com and www.example.com.
$ sudo certbot --nginx --agree-tos --redirect --email your_email@example.com -d example.com -d www.example.com
Test your SSL configuration on an SSL check website like SSL Labs.
Navigate to your website and verify the SSL certificate works as expected.
This completes the initial setup of your LEMP server. The server is ready for you to install applications that work with LEMP, or develop your own.