How to install Nginx on Fedora 32 using PHP and MariaDB (LEMP Stack) with Opcache, Redis and Let’s Encrypt

The LEMP software stack is a set of open source software installed together to enable a server to host websites and applications. It’s an acronym for Linux, ENginx server, MySQL (using MariaDB) and PHP.

In this guide, you will install the LEMP stack on a Fedora 32-based server. We will also install phpMyAdmin, Redis, Opcache and Let’s Encrypt SSL.

Prerequisites

A server running Fedora 32.

A non-root user with sudo privileges.

Make sure everything has been updated.

$ sudo dnf upgrade

The system requires a few software packages.

$ sudo dnf install wget curl nano -y

Some of these packages may already be installed on your system.

Disable SELinux.

$ sudo setenforce 0

Configure firewall

The first step is to configure the firewall. Fedora Server comes with Firewalld pre-installed.

Check if the firewall is running.

$ sudo firewall-cmd --state

You should get the following output.

running

Set the default zone of the firewall to public.

$ sudo firewall-cmd --set-default-zone=public

Check the currently allowed services / ports.

$ sudo firewall-cmd --zone=public --permanent --list-services

It should show the following output.

dhcpv6-client mdns ssh

Allow HTTP and HTTPS ports.

$ sudo firewall-cmd --zone=public --permanent --add-service=http
$ sudo firewall-cmd --zone=public --permanent --add-service=https

Check the status of the firewall again.

$ sudo firewall-cmd --zone=public --permanent --list-services

You should see similar output.

dhcpv6-client http https mdns ssh

Reload the firewall.

$ sudo systemctl reload firewalld

Install PHP

Fedora 32 comes with PHP 7.4 by default, but to have an updated PHP repository, we will add the REMI repository.

Install the REMI repository, which is the official Fedora repository for installing PHP packages.

$ sudo dnf -y install https://rpms.remirepo.net/fedora/remi-release-32.rpm

Enable the remi repository and disable the remi-modular repository. This will enable the repositories required to install the PHP 7.4 package.

$ sudo dnf config-manager --set-enabled remi
$ sudo dnf config-manager --set-disabled remi-modular

Install PHP 7.4 and some other packages.

$ sudo dnf install -y php-cli php-fpm php-mysqlnd

Check if PHP is working properly.

$ php --version

You should see similar output.

PHP 7.4.6 (cli) (built: May 12 2020 08:09:15) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

Install MariaDB

MariaDB is a direct replacement for MySQL, which means that the commands to run and operate MariaDB are the same as MySQL.

By default, Fedora 32 is provided with MariaDB 10.4. MariaDB 10.4 is the latest stable version so far, so we will use it.

To install MariaDB, issue the following command.

$ sudo dnf install mariadb-server -y

Check whether MariaDB is installed correctly.

$ mysql --version

You should see the following output.

mysql  Ver 15.1 Distrib 10.4.12-MariaDB, for Linux (x86_64) using  EditLine wrapper

Enable and start MariaDB service.

$ sudo systemctl enable mariadb
$ sudo systemctl start mariadb

Run the following command to perform the default configuration, such as providing a root password, deleting anonymous users, disallowing remote root login, and deleting test tables.

$ sudo mysql_secure_installation

Using MariaDB 10.4, you will now be asked whether you want to use the root password or the unix_socket plugin. The unix_socket plugin allows you to log in to MariaDB using your Linux user credentials. It is considered more secure, although you will need a traditional username / password to use third-party applications like phpMyAdmin. In this tutorial, we will stick to the unix_socket plugin. You can still use phpMyAdmin with a specific user created for the database.

Press Enter to select the default option (the uppercase one, in this case Y).

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): [PRESS ENTER]
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] [PRESS ENTER]
Enabled successfully!
Reloading privilege tables..
 ... Success!

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] [ANSWER n]
... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] [PRESS ENTER]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] [PRESS ENTER]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] [PRESS ENTER]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] [PRESS ENTER]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

That’s it. Next time you want to log into MySQL, use the following command.

$ sudo mysql

Enter your root password when prompted.

Install Redis

Fedora 32 includes v5.0.8 of the Redis package, but at the time of writing this tutorial, the Remi repository we previously installed for PHP comes with the latest version of Redis (v6.0.1).

Use the following command to install Redis and the corresponding PHP Redis extension.

$ sudo dnf install redis php-redis

Enable Redis service.

$ sudo systemctl enable --now redis

Configure Redis server

Let’s perform some basic configuration on the Redis server.

Open the file /etc/redis.conf with the nano editor.

$ sudo nano /etc/redis.conf

If you want remote clients to connect to your Redis instance, find the line bind 127.0.0.1 and change it to the following.

bind 0.0.0.0

You can also change the port Redis listens on from the default 6379 to a value of your choice.

port 3458

To configure Redis as a cache server, set the following values.

maxmemory 256mb
maxmemory-policy allkeys-lru

This tells Redis to use the LRU algorithm to delete any key when it reaches a maximum of 256MB of memory. You can set the memory value according to your needs and the server used.

You can set a password so that all clients that use Redis must authenticate first. To do this, use the following directive to set a password.

requirepass  

You can find more directives to change in the configuration file. When finished, press Ctrl + X and enter Y when prompted to save the file.

Restart the Redis server to apply the changes.

$ sudo systemctl restart redis

We also need to add rules in the firewall to allow Redis to work properly.

$ sudo firewall-cmd --zone=public --permanent --add-port=6379/tcp
$ sudo firewall-cmd --reload

You will need to change the value in the above command to match any port you selected in the configuration file above.
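
The Redis settings above interact: bind 0.0.0.0 without requirepass leaves the instance open to any host that can reach the port, and the firewall rule is only needed when remote clients actually connect. The following script is an added example, not part of the original tutorial, that audits a redis.conf for those two conditions; the function names, the FAIL/WARN output format and the sample file are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit redis.conf exposure.
# Print the value of a directive, skipping comments. Assumption: when a
# directive appears more than once, the last uncommented line is the one used.
redis_directive() {
  awk -v key="$1" '
    /^[[:space:]]*#/ { next }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
    END { print val }' "$2"
}

# audit_redis_conf CONF [OPEN_PORTS]
# OPEN_PORTS is the output of: firewall-cmd --zone=public --list-ports
# Prints one finding per line and returns 1 if there is any, else 0.
audit_redis_conf() {
  local conf="$1" open_ports=" ${2:-} " bind pass port addr remote=0 rc=0
  bind=$(redis_directive bind "$conf")
  pass=$(redis_directive requirepass "$conf")
  port=$(redis_directive port "$conf"); port=${port:-6379}

  [ -z "$bind" ] && remote=1            # no bind line: all interfaces
  set -f                                # keep a literal "*" from globbing
  for addr in $bind; do
    case "${addr#-}" in                 # newer configs may prefix "-"
      127.*|::1) ;;                     # loopback only
      *) remote=1 ;;
    esac
  done
  set +f

  if [ "$remote" -eq 1 ] && [ -z "$pass" ]; then
    echo "FAIL: bind '${bind:-<unset>}' accepts remote clients but requirepass is not set"
    rc=1
  fi
  case "$open_ports" in
    *" $port/tcp "*)
      if [ "$remote" -eq 0 ]; then
        echo "WARN: firewall opens $port/tcp but Redis only listens on loopback"
        rc=1
      fi ;;
  esac
  return "$rc"
}

# Constructed sample: the tutorial's remote-access settings without a password.
sample=$(mktemp)
printf '%s\n' '# requirepass is commented out' 'bind 0.0.0.0' 'port 3458' > "$sample"
audit_redis_conf "$sample" "3458/tcp" || true
```

On the server, run it as a user who can read the file: audit_redis_conf /etc/redis.conf "$(sudo firewall-cmd --zone=public --list-ports)".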

Install Nginx

Fedora 32 comes with the latest stable version of Nginx (1.18.0) by default.

Install Nginx.

$ sudo dnf install nginx -y

Check if it is working properly.

$ nginx -v

Depending on the version of Nginx you choose to install, you should see the following output.

nginx version: nginx/1.18.0

Start and enable Nginx.

$ sudo systemctl start nginx
$ sudo systemctl enable nginx

Open the server’s IP address in a browser to view the default Nginx page. This means that Nginx is working properly.

Configure Nginx

Set up the directories where the server blocks will reside.

$ sudo mkdir /etc/nginx/sites-available
$ sudo mkdir /etc/nginx/sites-enabled

Create the directory where your website is located.

$ sudo mkdir /var/www/example.com/html -p

The -p option creates any parent directories that did not previously exist.

Run the following command to add a configuration file for your site.

$ sudo nano /etc/nginx/sites-available/example.com.conf

Paste the following code into the editor.

server {
  listen          *:80;
  server_name     example.com;
  root            /var/www/example.com/html;
  index           index.php index.html;

  location / {
    try_files   $uri $uri/ =404;
  }
    
  access_log /var/log/nginx/example.com.access.log;
  error_log /var/log/nginx/example.com.error.log;

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass  unix:/run/php-fpm/www.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
    include  fastcgi_params;
  }
}

Press Ctrl + X to close the editor and enter Y when prompted to save the file.

This file assumes that we will host example.com in the directory /var/www/html. If you do not plan to use any domain and configure the server to be accessible only by IP address / localhost, you need to delete the corresponding server block from the nginx.conf file, otherwise it will conflict with the server block you will create.

Enable this configuration file by linking it to the sites-enabled directory.

$ sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Open the /etc/nginx/nginx.conf file for editing.

$ sudo nano /etc/nginx/nginx.conf	

Paste the following lines after the line include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;

Change the value of types_hash_max_size from 2048 to 4096.

types_hash_max_size 4096;

Press Ctrl + X to close the editor and enter Y when prompted to save the file. Test the Nginx configuration.

$ sudo nginx -t

You should see the following output, indicating that your configuration is correct.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload the Nginx service.

$ sudo systemctl reload nginx

Configure PHP-FPM

Open file /etc/php-fpm.d/www.conf.

$ sudo nano /etc/php-fpm.d/www.conf

We need to set the Unix user/group of the PHP processes to nginx. Find the user=apache and group=apache lines in the file and change them to nginx.

...
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
; RPM: apache user chosen to provide access to the same directories as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
...

Save the file by pressing Ctrl + X and entering Y when prompted.

Restart the PHP-FPM process.

$ sudo systemctl restart php-fpm

To test your PHP settings, create a file test.php inside the html folder.

$ sudo nano /var/www/example.com/html/test.php

Add the following to it, then save the file by pressing Ctrl + X and entering Y when prompted.

Launch http:///test.php in your web browser; you should see the following.

PHP test page

Install phpMyAdmin

The Remi repository has the latest phpMyAdmin, so we can simply install it using the following command.

$ sudo dnf install phpmyadmin

It installs itself to the /usr/share/phpMyAdmin directory.

Configure phpMyAdmin

In order for the Nginx web server to correctly find and provide the phpMyAdmin file, we need to create a symbolic link from its actual location to the Nginx root document directory.

To do this, run the following command.

$ sudo ln -s /usr/share/phpMyAdmin /var/www/example.com/html/phpmyadmin

phpMyAdmin is now installed. To access it, just open http://example.com/phpmyadmin.

If a PHP session error occurs, run the following command to give proper permissions to the PHP session directory. Check your session path in the test.php file we created earlier. For us, it is /var/lib/php/session.

$ sudo chown -R nginx:nginx /var/lib/php/session

This default location should be changed because it is the most common location where any hacker can find your phpMyAdmin installation. To do this, run the following command from the /var/www/example.com/html directory.

$ sudo mv phpmyadmin sm123

Basically, we move the phpMyAdmin location to the sm123 folder. To access it, you now need to open http://example.com/sm123 in your browser.

Since we are using unix_socket authentication with MySQL here, the root user cannot log in through phpMyAdmin. You will first have to create a MySQL user and grant it privileges on the database to use phpMyAdmin.

Configure Opcache

Installing phpMyAdmin from Remi's repository will also install Opcache. If you have not installed phpMyAdmin and do not want to install it, you can simply install Opcache using the following command.

$ sudo dnf install php-opcache	

Confirm that it is installed.

$ php -v
PHP 7.4.5 (cli) (built: Apr 14 2020 12:54:33) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.5, Copyright (c), by Zend Technologies

To change Opcache settings, please open the file /etc/php.d/10-opcache.ini.

$ sudo nano /etc/php.d/10-opcache.ini

The following settings should get you started using Opcache and are generally recommended for good performance. You can enable a setting by deleting the comment character ; in front of it.

opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60

Save the file by pressing Ctrl + X and entering Y when prompted.

Restart the server to apply the settings.

$ sudo systemctl reload nginx

Install SSL via "Let's Encrypt"

SSL has become an important part of any website. Here, we will use Let's Encrypt service to install SSL.

To do this, first, install the Certbot tool.

$ sudo dnf install certbot-nginx

Generate a certificate.

$ sudo certbot --nginx -d example.com -d www.example.com -d phpmyadmin.example.com

We are creating certificates for both our main site and the phpMyAdmin domain.

If this is your first time running certbot on your system, you will be asked to provide an email address and agree to the terms of service. You will also be asked if you agree to share data with the EFF foundation; you can refuse. After completing this step, certbot will communicate with the Let's Encrypt server and run a challenge to verify your domain.

If successful, you will be asked how to handle HTTPS redirection.

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Make your choice and press Enter. A certificate will be created and the Nginx configuration will be updated with SSL settings.

Your certificate is ready, and you can now open your website at https://example.com

Configure SSL auto-renewal

This is the last step before ending this tutorial. To renew SSL, we will use cron.

We need to add an entry to Cron using the Crontab editor. To open the crontab editor, run the following command.

$ EDITOR=nano sudo crontab -e

The EDITOR=nano prefix in front of the command ensures that crontab opens the nano editor for us, because Fedora prefers the Vim editor by default.

Paste the following line to the bottom.

. . .
25 2 * * * /usr/bin/certbot renew --quiet

The 25 2 * * * part of the line says "Run the following command at 2:25 AM every day." You can choose any time.

Save the file by pressing Ctrl + X and entering Y when prompted.

Certbot's renew command will check all certificates installed on the system and renew any that are set to expire within thirty days. --quiet tells Certbot not to output information or wait for user input.

This command will be run every day.

Conclusion

That's all for this tutorial. Your LEMP setup is complete, and you can start making and hosting your website and application.
