How to set up a web server (LAMP) on Debian 9 (stretch)

The acronym LAMP refers to the combination of the Linux operating system, the Apache web server, the MySQL database server and PHP as the application language.

This tutorial has been tested on the following Linux distribution:

Debian Linux 9 (stretch)

Last updated:
April 7, 2018

In this tutorial we will set up, on Debian Linux 9 (stretch), Apache 2 with mpm-itk (each website runs as its own local user), PHP 7 and a MySQL 5.7 database server. It also covers installing vsftpd to provide an FTP service, setting up Let's Encrypt and requesting free certificates, installing phpMyAdmin, and configuring an iptables firewall that exposes only the required ports. After completing the tutorial you will have a working, reasonably hardened web server on which to host your websites. All commands are run as root.

1. Update your system

Before proceeding, upgrade all installed packages to their latest versions.

apt-get update && apt-get upgrade

2. Install MySql 5.7 database server

The standard Debian repository does not carry MySQL 5.7 (Debian 9 ships MariaDB 10.1 as its default MySQL-compatible server). We will install MySQL 5.7 from Oracle's own APT repository, which requires a few additional steps.

2.1. Download the MySQL APT repository configuration package (details and the latest version of the package are at http://dev.mysql.com/downloads/repo/apt/). Because this .deb is installed as root and adds a new package source to the system, compare its checksum with the one published on that page (md5sum) before installing it.

wget https://dev.mysql.com/get/mysql-apt-config_0.8.9-1_all.deb

2.2. Install MySQL APT repository configuration tool

dpkg -i mysql-apt-config_0.8.9-1_all.deb

You will be asked which products and versions to install. In the first step select the server entry, then choose MySQL 5.7, then select Ok to apply the selection.

2.3. Update APT

apt-get update

2.4. Install server

apt-get install mysql-community-server

During installation you must set a password for the MySQL root user. Choose a strong password and keep it safe; you will need it again when installing phpMyAdmin. Web applications should not use this account: create a separate MySQL user for each site with privileges limited to that site's own database.

3. Install and configure Apache web server with mpm-itk and PHP7 support

mpm-itk is ideal when hosting multiple websites on a single server and you want to isolate them from each other. With correctly configured file permissions it ensures that one site cannot read the files of another; more on this later.

3.1. Install packages

apt-get install apache2 libapache2-mpm-itk php php-mysql

3.2. Enable rewrite and SSL module

The rewrite module is used to build SEO-friendly URLs and is required by many frameworks and web applications. The SSL module is required to serve the website over TLS (https:// instead of http://).

a2enmod rewrite
a2enmod ssl

3.3. Install other PHP modules (optional)

The modules you need depend on your web application, but the following command installs some commonly used ones. Note that php-mcrypt is available for stretch's PHP 7.0, but the mcrypt extension is deprecated from PHP 7.1 and removed in 7.2, so install it only if an application really needs it.

apt-get install php-curl php-gd php-mcrypt php-mbstring php-xml

3.4. Restart Apache to activate the enabled modules and the newly installed PHP modules

systemctl restart apache2

3.5. Remove the default indexing site included with Apache (optional)

If you now open http://your-server-ip in a browser, you will see Apache's default index page, which includes some details about the server. You may not want to reveal these, so replace the file with something else; as the details are minimal, we simply empty it. For the same reason, set ServerTokens Prod and ServerSignature Off in /etc/apache2/conf-available/security.conf so that response headers and error pages do not disclose the Apache version either.

echo "" > /var/www/html/index.html

4. Create a website (user, website root directory and apache virtual host)

For each website hosted on this server, create a separate local user so that the sites are isolated from one another. mpm-itk then handles every request for a site as the user named in that site's Apache virtual host.

4.1. Create a local user

In this tutorial we use the domain example.org; replace it with the domain you will be using. The user that owns the web root can have any name and does not need to be related to the domain at all, but we will use example as the username here.

adduser example

This creates the user example together with its home directory /home/example. You must provide a password and may provide some optional information about the user.

4.2. Create a web root directory

The web root is the directory where the website's files are stored. It can be located anywhere as long as the site's user can read it; in this tutorial it is /home/example/example.org.

Using chown we make the example user (and the example group) the owner of the new directory so that the site can access it.

mkdir /home/example/example.org
chown example:example /home/example/example.org

4.3. Create an Apache website

With this configuration we tell Apache to answer requests for the hosts example.org and www.example.org from our web root, and which local user mpm-itk should run the site as (AssignUserId). The Directory section disables directory listings, allows .htaccess files and grants access to the web root.

cat > /etc/apache2/sites-available/example.org.conf <<'EOF'
<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot /home/example/example.org
    AssignUserId example example
    <Directory /home/example/example.org>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF

4.4. Enable Apache Website

We placed the site configuration in the sites-available directory, which lets us enable and disable sites with the a2ensite and a2dissite commands. To enable the website, run:

a2ensite example.org

4.5. Reload Apache configuration

To make Apache pick up the new site, reload its configuration.

systemctl reload apache2

If you now go to http://example.org (or any other name pointing at the server's IP address) without having placed any files in the web root, you will see a 403 Forbidden error. This is expected: directory indexing is disabled in the site configuration, so Apache refuses to list the empty directory.
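As an added example (not part of the original tutorial), here is the whole of section 4 as one script. It validates the user and domain names before they are written into a configuration file, creates the user without a login password (set one later with passwd if the user needs FTP or ssh access), creates the web root, writes the virtual host, runs apachectl configtest and only enables and reloads the site when the configuration parses. The /home/<user>/<domain> layout, the per-site log file names and the example names are assumptions following section 4.

```shell
#!/bin/sh
# Added example: provision one mpm-itk site (user, web root, vhost) in one go.
# Assumes the Debian 9 Apache layout (sites-available, a2ensite) and the
# /home/<user>/<domain> convention used in section 4.
set -eu

# Only plain lower-case account names and host names may reach the config file.
valid_user()   { case $1 in ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;; *) return 0 ;; esac; }
valid_domain() { case $1 in ''|*[!a-z0-9.-]*|[.-]*|*..*) return 1 ;; *) return 0 ;; esac; }

# Write the vhost for DOMAIN, run as USER, to OUTFILE. Touches nothing else, so it
# can be exercised on a scratch file before touching /etc/apache2.
write_vhost() {
    user=$1; domain=$2; outfile=$3
    webroot="/home/$user/$domain"
    cat > "$outfile" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $webroot
    # mpm-itk: every request for this host is handled as $user:$user
    AssignUserId $user $user
    <Directory $webroot>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$domain.error.log
    CustomLog \${APACHE_LOG_DIR}/$domain.access.log combined
</VirtualHost>
EOF
}

provision_site() {
    user=$1; domain=$2
    valid_user "$user" && valid_domain "$domain" || { echo "bad user or domain" >&2; return 1; }
    webroot="/home/$user/$domain"
    # --disabled-password: no shell or FTP login until an admin sets one with passwd
    adduser --disabled-password --gecos "site $domain" "$user"
    chmod 750 "/home/$user"                 # other sites' users cannot even list it
    mkdir -p "$webroot"
    chown "$user:$user" "$webroot"
    write_vhost "$user" "$domain" "/etc/apache2/sites-available/$domain.conf"
    a2ensite "$domain"
    apachectl configtest                    # never reload a config that does not parse
    systemctl reload apache2
}

# Usage (as root):  sh provision.sh --run example example.org
if [ "${1:-}" = "--run" ]; then
    provision_site "$2" "$3"
fi
```

The adduser call differs from section 4.1 only in skipping the password prompt; everything else mirrors steps 4.1 to 4.5, with the configtest inserted before the reload so a typo cannot take the other sites down.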

5. Protect Your Website with Letsencrypt (Optional)

Let's Encrypt is a certificate authority that issues free TLS certificates, validated and signed automatically, which you can use to protect your website. The certificates are valid for 90 days, but renewal is easy to automate.

5.1. Install certbot for handling certificate requests and renewals.

apt-get install python-certbot-apache

5.2. Configure Apache to serve the HTTP-01 challenge files

Because we use mpm-itk, certbot does not work out of the box: it runs as root and writes its verification files into a web root that the site's own user cannot read. To resolve this, we add an Apache configuration snippet with a global Alias for the challenge path, served as the www-data user instead of the site's user, and enable it with a2enconf.

cat > /etc/apache2/conf-available/letsencrypt.conf <<'EOF'
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge
<Directory /var/www/html/.well-known/acme-challenge>
    AssignUserId www-data www-data
</Directory>
EOF
a2enconf letsencrypt

Restart Apache

systemctl restart apache2

5.3. Run certbot, choose the sites to protect, and let it request and install the certificates automatically.

certbot --authenticator webroot --installer apache

You need to follow a few steps to complete the certificate request and installation:

Step 1: Enter a comma-separated list of the numbers representing the host names to protect. If only one Apache site is configured, type 1,2 here (example.org and www.example.org).

Step 2: Provide an email address for urgent renewal and security notices. Use a valid address that you monitor regularly.

Step 3: Agree to the Terms of Service.

Step 4: Provide the web root directory. Type 1 and enter the well-known root configured in the previous step: /var/www/html. You then confirm the directory for each additional host name included in the certificate.

Step 5: Certbot automatically creates an Apache site for the new TLS certificate. Here you choose whether to keep serving both http and https or to redirect http requests to https. The redirect is the safer choice, since nothing is then served over plain http.

You can now access your website over https, for example https://example.org.

5.4. Configure automatic renewal of Let's Encrypt certificates

Add a daily cron entry for root (crontab -e) that attempts renewal and reloads Apache after a certificate has been renewed. Check /etc/cron.d/certbot first: the Debian certbot package installs its own renewal job there (and a systemd timer), so the entry below may duplicate it.

crontab -e
43 6 * * * certbot renew --post-hook "systemctl reload apache2"

6. Install phpMyAdmin (optional)

phpMyAdmin is a tool written in PHP designed to handle MySQL administration on the Web.

6.1. Install phpMyAdmin

apt-get install phpmyadmin

Configuring phpMyAdmin requires a few steps:

Step 1: You will be asked which web server to configure. Select apache2 (space bar) and continue.

Step 2: Configure the database for phpmyadmin. Choose Yes.

Step 3: Set a password for the phpmyadmin database user. Only phpMyAdmin uses it, so you can let the tool generate a random one.

Step 4: Provide the MySQL root password you chose when installing the server.

phpMyAdmin is now installed and reachable at https://example.org/phpmyadmin (if you created a Let's Encrypt certificate) or http://example.org/phpmyadmin (if you skipped the Let's Encrypt step; note that the login then travels in clear text).

6.2. Restrict access to phpMyAdmin by IP address (optional)

phpMyAdmin is a convenient tool for managing MySQL, but you should not expose it to everyone: it gives an attacker a direct path to the database. Although a password is required, it can be brute-forced, and vulnerabilities in phpMyAdmin itself are found regularly.

We therefore allow only certain IP addresses to reach phpMyAdmin.

Open /etc/apache2/conf-available/phpmyadmin.conf in your favorite text editor (for example, nano /etc/apache2/conf-available/phpmyadmin.conf).

Add this line below DirectoryIndex index.php (line 7), inside the Directory section for /usr/share/phpmyadmin, using your own address or network:

Require ip x.your.ip.address

This is the Apache 2.4 syntax. The older 2.2 form (order deny,allow / deny from all / allow from x.your.ip.address) still works on Debian 9 only because mod_access_compat is enabled, and should not be mixed with Require directives in the same section.

Restart Apache

systemctl restart apache2

7. Install and configure FTP service

vsftpd is a secure, fast and stable FTP server. In this tutorial we install vsftpd so that local users can access their home directories. Keep in mind that plain FTP sends the password and every file in clear text; if you obtained a Let's Encrypt certificate in section 5, enable TLS in vsftpd (ssl_enable=YES with rsa_cert_file and rsa_private_key_file pointing at the certificate and key), or give users SFTP over ssh instead.

7.1. Install vsftpd

apt-get install vsftpd

7.2. Allow users to upload files (not only read them) and chroot every user into their home directory so they cannot read files outside it.

echo "write_enable=YES
chroot_local_user=YES" >> /etc/vsftpd.conf

7.3. Restart vsftpd

systemctl restart vsftpd

7.4. Change the permissions of the user's home directory

With chroot enabled, vsftpd refuses a login whose chroot root is writable by the user (the client sees "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so we remove the owner's write permission from the home directory. Users therefore cannot upload directly into the home directory itself, but they can upload into its subdirectories, including the web root (for example /home/example/example.org).

chmod u-w /home/example

vsftpd is now installed and you can connect to the server with any FTP client.
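As an added example (not part of the original tutorial), the following check verifies the layout that section 7.4 relies on before you restart vsftpd or hand the account to a user: the chroot root (the home directory) must not be writable by its owner, and the web root below it must be owned and writable by the site's user. Writability is judged from the mode bits only, since the script cannot switch to the user; the paths and the example user are assumptions following sections 4 and 7.

```shell
#!/bin/sh
# Added example: sanity-check a vsftpd chroot layout (home not writable, webroot
# writable) so the "500 OOPS: refusing to run with writable root" failure is
# caught before a user hits it. Assumes GNU stat (Debian) and the
# /home/<user>/<domain> layout from sections 4 and 7.
set -eu

owner_of() { stat -c %U "$1"; }

# Last three octal digits of the mode (drops a leading setgid/sticky digit).
perm_of() {
    mode=$(stat -c %a "$1")
    printf '%s\n' "${mode#"${mode%???}"}"
}

# 0 when the owner's write bit is set: owner digit is 2, 3, 6 or 7.
owner_writable() {
    case $(perm_of "$1") in
        [2367]??) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when HOME is safe as a chroot root and WEBROOT is usable by OWNER,
# 1 when the layout would break vsftpd or uploads, 2 when the paths are wrong.
check_chroot_layout() {
    home=$1; webroot=$2; owner=$3
    [ -d "$home" ] && [ -d "$webroot" ] || { echo "missing directory" >&2; return 2; }
    case $webroot in
        "$home"/*) ;;
        *) echo "web root must lie below the chroot home" >&2; return 2 ;;
    esac
    if owner_writable "$home"; then
        echo "FAIL: $home is writable by its owner; vsftpd will refuse chroot logins" >&2
        return 1
    fi
    if [ "$(owner_of "$webroot")" != "$owner" ] || ! owner_writable "$webroot"; then
        echo "FAIL: $webroot must be owned and writable by $owner" >&2
        return 1
    fi
    return 0
}

# The fix from section 7.4: drop the owner's write bit on the chroot root.
fix_home() { chmod u-w "$1"; }

# Usage (as root):
#   check_chroot_layout /home/example /home/example/example.org example || fix_home /home/example
```

Run it after every adduser and again after any chmod on a home directory; it is cheap, and a writable chroot root is the most common reason FTP logins "work" in one session and fail in the next.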

8. Configure iptables firewall

In general, block every port that anonymous users do not need to reach. Even if all services are password protected, they can still be attacked by brute force or through vulnerabilities in the application behind the port.

We will use the iptables firewall and allow unauthenticated hosts to reach only http, https, ssh and ftp.

8.1. Load the FTP connection-tracking helper so that passive FTP data connections are accepted

The kernel module is nf_conntrack_ftp (the old name ip_conntrack_ftp still works as an alias). Since Linux 4.7 the kernel no longer assigns helpers automatically, so nf_conntrack_helper must be enabled as well:

echo "nf_conntrack_ftp" >> /etc/modules
echo "net.netfilter.nf_conntrack_helper=1" >> /etc/sysctl.conf

These settings take effect at the next boot; to make passive FTP work immediately, load the module and apply the sysctl setting by hand (modprobe and sysctl -p), or restart the server.

8.2. Allow ICMP, established and local connections

iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT

8.3. Allow everyone to connect to the web services (http and https), ssh and ftp

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Consider using the -s parameter (for example -s 203.0.113.10, where 203.0.113.10 stands for your own administration address) on the ssh and ftp rules so that only the IP addresses that need them can connect.

8.4. Allow all outgoing connections from the server.

iptables -P OUTPUT ACCEPT

8.5. Drop all incoming connections that do not match the rules created above. Make sure you have allowed your own IP address (or all addresses) to reach SSH first; otherwise your connection is dropped and you are locked out of the server. The order matters: because the ACCEPT rules already exist, switching the policy to DROP does not interrupt the current session.

iptables -P INPUT DROP
iptables -P FORWARD DROP

8.6. The rules we have set are only held in memory and are lost at the next reboot. To keep them permanently, install the iptables-persistent package and save the rules (its installer offers to save the current rules; saving again explicitly afterwards is harmless).

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
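As an added example (not part of the original tutorial), here is the section 8 ruleset expressed as a single iptables-restore file that is loaded atomically, so there is never a moment where the INPUT policy is DROP but the ACCEPT rules are not yet in place, and a guard that refuses to apply a ruleset without an ssh ACCEPT rule. It takes the advice at the end of 8.3 and restricts ssh and ftp to an administration network; the CIDR 203.0.113.0/24 is a placeholder from the documentation range and an assumption of this example.

```shell
#!/bin/sh
# Added example: build the section 8 firewall as one iptables-restore ruleset,
# check it for the lock-out case, test-parse it, then load and persist it.
# Assumes iptables-persistent is installed (rules live in /etc/iptables/rules.v4)
# and that ADMIN_NET is the only network that should reach ssh and ftp.
set -eu

build_rules() {
    admin_net=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, ICMP and replies to connections already tracked; RELATED also covers
# passive FTP data connections once nf_conntrack_ftp is loaded
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# public web ports
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# management and FTP only from the administration network
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin; succeeds only if some rule accepts new ssh connections.
ssh_allowed() {
    grep -q -- '--dport 22 .*-j ACCEPT'
}

# a.b.c.d or a.b.c.d/n with numeric fields: enough to keep junk out of the file.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

apply_rules() {
    admin_net=$1
    valid_cidr "$admin_net" || { echo "bad CIDR: $admin_net" >&2; return 1; }
    rules=$(build_rules "$admin_net")
    printf '%s\n' "$rules" | ssh_allowed || { echo "refusing: no ssh ACCEPT rule" >&2; return 1; }
    # --test parses and builds the whole ruleset without committing it
    printf '%s\n' "$rules" | iptables-restore --test
    printf '%s\n' "$rules" | iptables-restore
    printf '%s\n' "$rules" > /etc/iptables/rules.v4
}

# Usage (as root):  apply_rules 203.0.113.0/24
```

Compared with typing the rules one by one as in 8.2 to 8.5, the restore file is reviewable as a whole and replaces the running ruleset in one step; keep a second ssh session open the first time you apply it anyway.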

That's it! You should now have a fully functional LAMP web server with TLS certificates, an FTP server and a host firewall.
