Rocky Linux is a distribution based on CentOS that provides a stable and reliable platform for the development and operation of web applications.
In this blog post, we will show you how to set up a LEMP stack (Nginx, PHP 8.2 and MariaDB) on Rocky Linux 8 and then secure it.
The Nginx web server is one of the most frequently used solutions for serving web applications. Nginx is known for its performance, scalability and reliability.
Some of the advantages of Nginx are:
- High performance: Nginx is particularly well suited to serving static content and handling many simultaneous connections.
- Scalability: Nginx supports horizontal scaling through multiple worker processes and by distributing load across several servers.
- Robustness: Nginx is known for remaining stable even under high load.
- Resource efficiency: Nginx uses fewer resources than other web servers and therefore also runs well on low-powered servers.
Nginx is the bodyguard among web servers - strong, reliable and always ready to carry the load.
Basic source and package installation
First run the following command to install the Remi repository on your system. This repository contains more up-to-date versions of PHP that are not included in the standard repository.
- Add the Remi repository to Rocky:
# dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
- Activate the Remi module stream for PHP 8.2 (on Rocky 8 the default php stream has to be reset first, otherwise the enable fails):
# dnf module reset php -y
# dnf module enable php:remi-8.2 -y
- Update the system and then install all required dependencies for the stack (duplicate packages removed from the list):
# dnf update -y
# dnf install -y nginx mariadb-server mariadb php-fpm php-cli php-common php-devel php-gd php-mysqlnd php-pear php-xml php-mbstring php-json php-intl php-opcache php-zip php-bcmath php-process php-gmp php-pecl-apcu php-pecl-apcu-devel php-pecl-imagick php-pecl-selinux
Configuration of MariaDB
- Start the MariaDB service and enable it at boot by running the following commands:
# systemctl enable mariadb --now
# systemctl status mariadb
- Secure the MariaDB installation by running the mysql_secure_installation command. The first command below generates a strong root password and stores it in a file under /root (then follow the prompts):
# openssl rand -base64 30 > /root/.mariadb-root-pw && cat /root/.mariadb-root-pw
# mysql_secure_installation
- Create a new database and a new user for your web application and grant the user all privileges on that database by running the following commands:
# mysql -u root --password=$(cat /root/.mariadb-root-pw)
MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS my_new_db CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
MariaDB [(none)]> CREATE USER 'my_user'@'localhost' IDENTIFIED BY 'my-password-wissmakers';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON my_new_db.* TO 'my_user'@'localhost';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> quit
Configuration of PHP-FPM (communication with Nginx)
- Configure PHP-FPM by editing the file /etc/php-fpm.d/www.conf. Uncomment and change the following lines so that PHP-FPM listens on a Unix socket and runs as the nginx user:
# vim /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
user = nginx
group = nginx
- Start and enable the PHP-FPM service:
# systemctl enable php-fpm --now
# systemctl status php-fpm
Basic configuration of Nginx
- Configure Nginx by editing the file /etc/nginx/nginx.conf. Add the following server block inside the http block:
# vim /etc/nginx/nginx.conf
server {
    listen 80;
    listen [::]:80;
    server_name my-webpage.ch www.meine-webpage.ch;
    root /var/www/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # used to pass php scripts to php-fpm via a unix socket
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # deny all hidden files (e.g. .htpasswd) except .well-known/
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # protect other system files
    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }
}
- Check the configuration of Nginx for errors:
# nginx -t
- If no error is reported, the configuration is valid and we can start the Nginx web server as follows:
# systemctl enable nginx --now
# systemctl status nginx
- If firewalld is active on your system, you still need to open port 80 as follows so that the web server can be reached from outside (i.e. from your LAN):
# firewall-cmd --permanent --add-service=http
# firewall-cmd --reload
- Test the LEMP stack by creating a new PHP file (info.php) in the directory /var/www/html/ with the following code (it should then be reachable at http://IP-ihres.servers/info.php). Remove the file again once the test succeeds, since its output discloses details of the PHP configuration:
# vim /var/www/html/info.php
Please note that these instructions are intended as general help and may require adjustments depending on the specific setup and your requirements. It is important to read the documentation and instructions for the software used carefully to ensure that the configurations are carried out correctly.
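The two deny-all locations in the server block above carry most of the "protect system files" idea, so it is worth checking what they actually match before going live. The following Python script is an added example and not part of the original post: it copies the two Nginx patterns verbatim (Python's re module supports the same (?!...) lookahead and the ~* modifier maps to re.IGNORECASE), approximates the URI normalization Nginx performs before location matching (query string dropped, percent-decoding, dot-segment removal), and runs a list of constructed request paths through them offline.

```python
import posixpath
import re
from urllib.parse import unquote

# The two "deny all" locations from the server block, copied verbatim.
# "~*" in Nginx means a case-insensitive regex match, hence re.IGNORECASE.
HIDDEN_FILES = re.compile(r"/\.(?!well-known\/)", re.IGNORECASE)
SYSTEM_FILES = re.compile(
    r"(?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$", re.IGNORECASE
)


def normalize_uri(raw: str) -> str:
    """Approximate Nginx's URI normalization before location matching:
    drop the query string, percent-decode, and collapse '.' and '..'
    segments while keeping a trailing slash (Nginx does not strip it)."""
    path = unquote(raw.split("?", 1)[0])
    trailing = "/" if path.endswith("/") and path != "/" else ""
    norm = posixpath.normpath(path)
    return norm if norm == "/" else norm + trailing


def is_denied(raw_uri: str) -> bool:
    """True if one of the two deny-all locations would match the request."""
    path = normalize_uri(raw_uri)
    return bool(HIDDEN_FILES.search(path) or SYSTEM_FILES.search(path))


# Constructed request paths with the decision we expect from the rules.
CASES = [
    ("/index.php", False),
    ("/.well-known/acme-challenge/token123", False),  # ACME challenge stays reachable
    ("/.htpasswd", True),
    ("/.git/config", True),
    ("/%2Egit/HEAD", True),             # percent-encoded dot is decoded first
    ("/static/../.env", True),          # dot segments are collapsed first
    ("/backup.SQL", True),              # case-insensitive match
    ("/wp-config.php~", True),          # editor backup file
    ("/db/dump.sql?download=1", True),  # query string is not part of the match
    ("/readme.txt", False),
    ("/.well-known", True),             # no trailing slash: the exception does not apply
]


def run_checks():
    """Return the (uri, expected, actual) rows where the rules disagree
    with CASES; an empty list means every expectation holds."""
    return [(u, e, is_denied(u)) for u, e in CASES if is_denied(u) != e]


if __name__ == "__main__":
    for uri, expected in CASES:
        print(f"{'DENY ' if is_denied(uri) else 'ALLOW'}  {uri}")
    print("mismatches:", run_checks())
```

The last case shows a caveat of the hidden-file rule as written: the exception only applies to paths that continue with "well-known/", so a request for "/.well-known" without a trailing slash is denied. Whenever you change either pattern in nginx.conf, update it in the script as well and rerun the checks.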
Securing the LEMP stack
- Use a firewall to restrict incoming traffic to the required ports.
- Use strong passwords for all system and database users.
- Keep all software up to date by applying security patches regularly.
- Use HTTPS for all web traffic to encrypt data in transit.
- Limit the number of users with access to the server and monitor for suspicious activity.
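The "uncomment and change these lines" step for /etc/php-fpm.d/www.conf and the hardening checklist above both come down to setting directives in INI-style files in a repeatable way. The following Python helper is an added example, not code from the original post: it applies the www.conf values the guide uses (listen, user, group) and, as an assumed extra hardening set that the page itself does not list, a handful of php.ini directives (expose_php, display_errors, cgi.fix_pathinfo, allow_url_include, session.cookie_httponly). The file contents below are constructed samples; on a real host you would read and write the actual files as root and then reload php-fpm.

```python
import re
from typing import Dict, List

# Directives this guide changes in /etc/php-fpm.d/www.conf (values from the page).
WWW_CONF_SETTINGS = {
    "listen": "/var/run/php-fpm/php-fpm.sock",
    "user": "nginx",
    "group": "nginx",
}

# Assumed php.ini hardening set (not from the page); all are standard php.ini keys.
PHP_INI_HARDENING = {
    "expose_php": "Off",            # do not advertise the PHP version in response headers
    "display_errors": "Off",        # errors and paths belong in the log, not in responses
    "cgi.fix_pathinfo": "0",        # do not let /upload.jpg/x.php resolve to a PHP script
    "allow_url_include": "Off",     # include()/require() must not fetch remote URLs
    "session.cookie_httponly": "1", # session cookie not readable from JavaScript
}

# "key = value", optionally commented out with a leading ';' as php.ini does.
DIRECTIVE_RE = re.compile(
    r"^\s*(?P<comment>;?)\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*?)\s*$"
)


def set_directives(text: str, wanted: Dict[str, str]) -> str:
    """Return `text` with every directive in `wanted` set to the given value.

    An active line is rewritten in place (later active duplicates, which would
    override it, are commented out); otherwise the first commented-out line is
    uncommented and rewritten; otherwise the directive is appended. Running the
    function twice with the same `wanted` yields identical output."""
    lines = text.splitlines()
    active: Dict[str, List[int]] = {k: [] for k in wanted}
    commented: Dict[str, List[int]] = {k: [] for k in wanted}
    for i, line in enumerate(lines):
        m = DIRECTIVE_RE.match(line)
        if m and m.group("key") in wanted:
            (commented if m.group("comment") else active)[m.group("key")].append(i)
    for key, value in wanted.items():
        new_line = f"{key} = {value}"
        if active[key]:
            lines[active[key][0]] = new_line
            for i in active[key][1:]:
                lines[i] = ";" + lines[i]
        elif commented[key]:
            lines[commented[key][0]] = new_line
        else:
            lines.append(new_line)
    return "\n".join(lines) + "\n"


def active_directives(text: str) -> Dict[str, str]:
    """Parse the effective (non-commented) key = value pairs of an INI text."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#", "[")):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            result[m.group("key")] = m.group("value")
    return result


# Constructed sample of a stock www.conf: apache user, TCP listener commented out.
SAMPLE_WWW_CONF = """\
[www]
user = apache
group = apache
;listen = 127.0.0.1:9000
listen = /run/php-fpm/www.sock
listen.acl_users = apache,nginx
"""

# Constructed sample of a php.ini with the weak settings the hardening set corrects.
SAMPLE_PHP_INI = """\
[PHP]
expose_php = On
display_errors = On
;cgi.fix_pathinfo=1
"""

if __name__ == "__main__":
    print(set_directives(SAMPLE_WWW_CONF, WWW_CONF_SETTINGS))
    print(set_directives(SAMPLE_PHP_INI, PHP_INI_HARDENING))
```

Because the function is idempotent, it can be rerun after every package update that ships a new www.conf or php.ini, and active_directives() gives a quick way to verify the effective values before restarting php-fpm.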