< Todos los temas

The Perfect Server – Ubuntu LAMP 5.6

This document details how we’ve set up our Ubuntu LAMP (Linux Apache Mysql and PHP) 5.6 stack for legacy applications. By provisioning a base Ubuntu Focal image, and following these steps exactly, you would be able to duplicate our server image.

This is a living document. Based on on-going experience and community feedback we tweak our stacks and keep this doc continuously updated.

Install fail2ban and enable firewall

apt-get update; apt-get upgrade -y; apt-get install -y fail2ban ufw;
ufw allow 22
ufw allow 80
ufw allow 443

# Skip the following 3 lines if you do not plan on using FTP
ufw allow 21 
ufw allow 50000:50099/tcp 
ufw allow out 20/tcp

# And lastly we activate UFW
ufw --force enable

We choose the port range 50000->50099 in order to allow passive FTP connections.

Add some PPAs to stay current

apt-get install -y software-properties-common
apt-add-repository ppa:ondrej/apache2 -y
apt-add-repository ppa:ondrej/php -y

Set up MariaDB repositories

apt-key adv --fetch-keys ''
add-apt-repository 'deb [arch=amd64,arm64,ppc64el] focal main'

Install base packages

apt-get update; apt-get install -y build-essential curl nano wget lftp unzip bzip2 arj nomarch lzop htop openssl gcc git binutils libmcrypt4 libpcre3-dev make python3 python3-pip supervisor unattended-upgrades whois zsh imagemagick uuid-runtime net-tools

Set the timezone to UTC

ln -sf /usr/share/zoneinfo/UTC /etc/localtime

Install PHP5.6 and common PHP packages

apt-get install -y php5.6-cli php5.6-dev php5.6-pgsql php5.6-sqlite3 php5.6-gd php5.6-curl php5.6-memcached php5.6-imap php5.6-mysql php5.6-mbstring php5.6-xml php5.6-imagick php5.6-zip php5.6-bcmath php5.6-soap php5.6-intl php5.6-readline php5.6-mcrypt php5.6-common php5.6-pspell php5.6-tidy php5.6-xmlrpc php5.6-xsl php5.6-opcache php-apcu

Install Composer

curl -sS | php
mv composer.phar /usr/local/bin/composer

Install and configure Memcached

apt-get install -y memcached
sed -i 's/-l' /etc/memcached.conf
systemctl restart memcached

Update PHP CLI configuration

sed -i "s/error_reporting = .*/error_reporting = E_ALL/" /etc/php/5.6/cli/php.ini
sed -i "s/display_errors = .*/display_errors = On/" /etc/php/5.6/cli/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/5.6/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/5.6/cli/php.ini

Configure sessions directory permissions

chmod 733 /var/lib/php/sessions
chmod +t /var/lib/php/sessions

Install Apache and PHP-FPM

apt-get install -y apache2 apache2-utils php5.6-fpm

Tweak PHP-FPM settings

Please note: We are suppressing PHP error output here by setting these options to production values

sed -i "s/error_reporting = .*/error_reporting = E_ALL \& ~E_NOTICE \& ~E_STRICT \& ~E_DEPRECATED/" /etc/php/5.6/fpm/php.ini
sed -i "s/display_errors = .*/display_errors = Off/" /etc/php/5.6/fpm/php.ini
sed -i "s/memory_limit = .*/memory_limit = 512M/" /etc/php/5.6/fpm/php.ini
sed -i "s/upload_max_filesize = .*/upload_max_filesize = 256M/" /etc/php/5.6/fpm/php.ini
sed -i "s/post_max_size = .*/post_max_size = 256M/" /etc/php/5.6/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = UTC/" /etc/php/5.6/fpm/php.ini

Tune PHP-FPM pool settings

sed -i "s/;listen\.mode =.*/listen.mode = 0666/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/;request_terminate_timeout =.*/request_terminate_timeout = 60/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/pm\.max_children =.*/pm.max_children = 70/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/pm\.start_servers =.*/pm.start_servers = 20/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/pm\.min_spare_servers =.*/pm.min_spare_servers = 20/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/pm\.max_spare_servers =.*/pm.max_spare_servers = 35/" /etc/php/5.6/fpm/pool.d/www.conf
sed -i "s/;pm\.max_requests =.*/pm.max_requests = 500/" /etc/php/5.6/fpm/pool.d/www.conf

Tweak Apache settings – let’s hide what OS and Webserver this server is running

sed -i "s/ServerTokens OS/ServerTokens Prod/" /etc/apache2/conf-available/security.conf
sed -i "s/ServerSignature On/ServerSignature Off/" /etc/apache2/conf-available/security.conf

If you want XDebug – install it and follow the on-screen instructions

This is not installed per default on Webdock stacks – included here for reference.

pecl install xdebug

Install latest NodeJS LTS

curl -sL | sudo -E bash -
apt-get install -y nodejs

Install MariaDB (MySQL) and set a strong root password

Remember to make a note of your password, you are going to need it in a minute

apt-get install -y mariadb-server;

Secure your MariaDB installation


Point PHP CLI to PHP v5.6

rm /etc/alternatives/php; ln -s /usr/bin/php5.6 /etc/alternatives/php;

Confirm version by running

php -v

Install PHPMyAdmin

We will install PHPMyAdmin using Composer as Ubuntu packages are no longer being maintained.

cd /var/www
composer create-project phpmyadmin/phpmyadmin
cp /var/www/phpmyadmin/ /var/www/phpmyadmin/
mysql -u root -pYOUR_ROOT_PASSWORD < /var/www/phpmyadmin/sql/create_tables.sql
sed -i "s/$cfg\['blowfish_secret'\] = '';.*/$cfg\['blowfish_secret'\] = '$(uuidgen)';/" /var/www/phpmyadmin/
mkdir /var/www/phpmyadmin/tmp; chown www-data:www-data /var/www/phpmyadmin/tmp;
ln -s /var/www/phpmyadmin/ /var/www/html/phpmyadmin;  mkdir /var/www/logs;  chown www-data:www-data /var/www/html; chown www-data:www-data /var/www/logs; chown www-data:www-data /var/www; chmod -R g+rw /var/www;

Install Mongodb

MongoDB is installed but disabled by default in Webdock stacks. Click here to learn how to enable MongoDB

Please note: This is the legacy MongoDB driver for PHP v5.6

apt-get install -y libcurl4-openssl-dev pkg-config libssl-dev mongodb
pecl install mongo

add to PHP-fpm and PHP-cli configuration:

echo "" > /etc/php/5.6/fpm/conf.d/30-mongodb.ini
echo "" > /etc/php/5.6/cli/conf.d/30-mongodb.ini

Install Redis

apt install redis-server -y;

Set systemd for supervised and restart Redis

sed -i "s/supervised.*/supervised systemd/" /etc/redis/redis.conf; systemctl restart redis.service;

You may want to further secure your Redis installation

Create Apache virtual host config

Edit the file /etc/apache2/sites-available/webdock.conf and set the following <VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html # Deny access to any git repository RedirectMatch 404 /\.git <FilesMatch \.php$> # 2.4.10+ can proxy to unix socket SetHandler «proxy:unix:/run/php/php5.6-fpm.sock|fcgi://localhost» </FilesMatch> <Directory /var/www/> Options FollowSymLinks Includes ExecCGI AllowOverride All Require all granted </Directory> # Available loglevels: trace8, …, trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel alert rewrite:trace3 alias:debug CustomLog /var/www/logs/access.log combined ErrorLog /var/www/logs/error.log </VirtualHost> # Disallow access to xmlrpc <Files ~ «xmlrpc.php»> Require all denied </Files> <Directory /usr/share/phpMyAdmin> Options FollowSymlinks AllowOverride all Require all granted </Directory>

Now disable the default and symlink in your config

rm /etc/apache2/sites-enabled/000-default.conf
ln -s /etc/apache2/sites-available/webdock.conf /etc/apache2/sites-enabled/webdock.conf

Make sure Apache modules are enabled

a2enmod suexec rewrite ssl actions include cgi actions proxy_fcgi alias headers;

Install Letsencrypt Certbot

apt install -y python3-certbot-apache;

Restart PHP-FPM and Apache

systemctl restart php5.6-fpm; systemctl restart apache2;

Setup and configure FTP

FTP is enabled by default in Webdock stacks. If you do not use FTP or feel it’s a security risk, you should disable it. Click here to learn how to disable FTP.

We are now building and installing Pure-FTPd directly from source instead of using APT as the official Ubuntu packages are very much out of date, and doing it this way simplifies config somewhat

We start with generating our TLS certificate

openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
openssl req -x509 -days 36500 -nodes -newkey rsa:2048 -sha256 -keyout \
  /etc/ssl/private/pure-ftpd.pem \
  -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem

Download, build and install Pure-FTPd – check what the latest version is at and update here if appropriate:

wget -O /tmp/pure-ftpd-1.0.49.tar.gz
cd /tmp; tar -xf pure-ftpd-1.0.49.tar.gz; cd pure-ftpd-1.0.49;
./configure --prefix=/usr --with-everything --with-tls --with-certfile=/etc/ssl/private/pure-ftpd.pem; make install;
cd /tmp; rm -rf ./pure-*;

Set our config and setup PureDB for authentication. Here we are disallowing anonymous login, setting MinUID to 33 so that users in the www-data group can log in, enabling TLS and non-TLS connections and lastly setting our chosen passive port range:

sed -i "s/BrokenClientsCompatibility .*/BrokenClientsCompatibility yes/" /etc/pure-ftpd.conf
sed -i "s/NoAnonymous .*/NoAnonymous yes/" /etc/pure-ftpd.conf
sed -i "s/# PureDB  /PureDB/" /etc/pure-ftpd.conf
sed -i "s/MinUID .*/MinUID 33/" /etc/pure-ftpd.conf
sed -i "s/# TLS /TLS /" /etc/pure-ftpd.conf
sed -i "s/# PassivePortRange .*/PassivePortRange 50000 50099/" /etc/pure-ftpd.conf
touch /etc/pureftpd.passwd; /usr/bin/pure-pw mkdb;

By editing the config file and setting TLS to a value of «2» you can force TLS connections. However, as we are self-signing our certificate here, you may encounter problems connecting with your FTP client and may need to forcibly ignore certificate errors.

Create the systemd service file so Pure-FTPd starts on boot

cat > /etc/systemd/system/pure-ftpd.service << EOF
# pure-ftpd binary startup for Webdock servers
# To reload systemd daemon after changes to this file:
# systemctl --system daemon-reload
Description=Pure-FTPd FTP server

ExecStart=/usr/sbin/pure-ftpd /etc/pure-ftpd.conf


Enable the daemon

systemctl --system daemon-reload; systemctl enable pure-ftpd; systemctl start pure-ftpd;

Complete the configuration

systemctl restart pure-ftpd

Activate Fail2Ban for Pure-FTPd

cat > /etc/fail2ban/jail.d/pure-ftpd.conf << EOF


enabled=true maxretry=5 EOF

Restart Fail2Ban

systemctl restart fail2ban

Set up logrotate for Apache logs

Edit /etc/logrotate.d/vhost and add the following

/var/www/logs/*.log {
 rotate 10
 /usr/sbin/apache2ctl graceful > /dev/null

Setup unattended security upgrades

cat > /etc/apt/apt.conf.d/10periodic << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

You can further tweak unattended upgrades if you wish in /etc/apt/apt.conf.d/50unattended-upgrades. The default in Focal is to only install security upgrades automatically.

Restart your server

Make sure all services come up properly. You can see what services are listening on which ports on your server by running

netstat -tapn

Congratulations. All services should now come up and you have a production-ready webserver stack running. You can further tune your webserver and PHP-FPM settings based on your use-case (e.g. whether you have a high or low traffic site, mostly serve static or dynamic content etc.). Try Googling «optimize php-fpm» or «optimize apache» for example and pick settings that fit your requirements and chosen Webdock profile. If you find some optimized defaults you would like us to include in our stacks, please let us know and we will take a look.


Tabla de contenidos