Setting up a LAMP stack on Debian is "wicked easy". In this tutorial I dispense with the usual blah, blah, blah and get right to the meat. Also, we'll be setting up SSL so we'll have encryption, and we'll be using different rules for our port 80 virtual server than for port 443. Maintaining the tradition of tutorials here at "debtoots", I do bounce around a bit, forcing you to read the whole tutorial first (I'm cool like that). You could have a web server running in as little as 15 minutes, and most of that is typing time or downloading time. Check this for a simple local web server.
WARNING: As a commenter has pointed out, this tutorial leaves a little up to you to figure out. If you have zero knowledge then you might want to seek assistance elsewhere. I will be writing a more detailed tutorial very soon that will endeavor to explain more about DNS and I'll add more on security.
We'll be doing everything from the command line in this tutorial because it's so quick and easy this way. If you need to install Etch first, go ahead, I'll wait the 10 minutes. Keep it simple, don't install anything but the base system. Don't forget to have your /etc/apt/sources.list repos all set. I like to add the mod-security repo to my sources.list file...because I use it. You should, too. Add the following repository to your list:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security/etch ./ (don't worry about the key warning)
My web server doubles as an NFS server as well and is pretty bare. No audio, no nvidia setup, no desktop. Just a plain server box serving stuff up on my LAN. Let's begin.
Everyone should be at the root terminal right now...You are either working on your server box directly or you are ssh'd in.
I like to install all the LAMP components in a certain order. First up: MySQL
#apt-get install mysql-server mysql-client libmysqlclient15-dev
Immediately following the MySQL install you need to set a password.
#mysqladmin -u root password
Next up comes Apache2
#apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert
See how easy? Finally we install php5
#apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-mcrypt php5-mysql php5-ps php5-pspell php5-recode php5-xsl
Now, there are all kinds of crazy things that you can install to make php do marvelous things. The above list is pretty complete, but if you know that you need something else, have at it.
You know what? While we're at it, how 'bout we go ahead and install phpmyadmin as well. It does make things easier -- although I get a certain sense of "that's cool" when running MySQL from the command line. All 3 things that I know -- LOL.
#apt-get install phpmyadmin
I like to install a couple more things as well.
#apt-get install munin munin-node webalizer apachetop
Munin has nothing to do with Apache per se; it monitors the machine. Feel free to install your favorites, they are probably in the Debian repos anyway.
After we've got everything installed (which was cake, wasn't it?) we can now start configuring the components. MySQL is all set as is. However if you know that you need to mod my.cnf then go ahead. Like, for allowing MySQL to listen on all addresses. What I do first is allow php to work with MySQL.
ctrl+w in nano will search, so go ahead and search for "mysql". You'll find the following
; Example lines:
Those semi-colons are comments so go ahead and delete them, both - from the gd line as well. Save and close nano but don't restart Apache2 just yet. We need to do a little more tweaking.
READ: you don't have to do this. Your server is set up now and is ready for use. If you're just playing with a web server for the first time and serving up a site to your machine only or maybe a document repository on your local network, then you can leave the rest of this tutorial alone and run
right now. Otherwise...
On to Apache2. As I wrote earlier we'll be using different rules for how regular sites work (http - port 80) and how encrypted sites (https - port 443) work. This means minimal changes to apache2.conf and instead we set up rules for virtual servers in a different file. Security wise it's a good idea not to give too much information away about the software that you're running. It's pretty easy to narrow exploits or attack vectors when a bad-guy knows what versions of software you are running. So we hide that. Go ahead and
We're only changing 1 thing here, so ctrl+w to search for it. Find ServerTokens. You'll see that it reads
Change the full to Prod. Save and close the file. We are going to turn off Server Signature as well, but this is done elsewhere.
Now we'll tell Apache to listen on port 443 (encryption) in addition to port 80.
See how it reads Listen 80? Add Listen 443 beneath that line, save and close the file.
Let's go ahead and create a security certificate for your server now. This is a piece of cake on your Linux machine.
#openssl req -new -x509 -days 365 -nodes -out /etc/apache2/sitecert.pem -keyout /etc/apache2/sitecert.pem
You can call your certificate whatever you like. I just use "sitecert".
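Next, let's protect that file. Because -out and -keyout point at the same path, it holds the unencrypted private key as well as the certificate...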
#chmod 600 /etc/apache2/sitecert.pem
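A way to re-check the three hardening steps above (ServerTokens, Listen 443, key file permissions) before going further. This is an added example, not part of the original tutorial; the function names are made up here, and the demo runs against a constructed scratch directory rather than /etc/apache2.

```shell
#!/bin/sh
# Added example: re-check the hardening steps from this section.
# Arguments are paths, so it works on /etc/apache2 or on a scratch copy.

# Pass only if ServerTokens is set and every uncommented setting is Prod
# (an unset ServerTokens falls back to Apache's more verbose default).
server_tokens_ok() {   # $1 = config directory
    values=$(grep -rhiE '^[[:space:]]*ServerTokens[[:space:]]' "$1" 2>/dev/null |
        awk '{print tolower($2)}' | sort -u)
    [ "$values" = "prod" ]
}

# Pass if an uncommented Listen line names the port ([addr:]port [protocol]).
listens_on() {         # $1 = port, $2 = config directory
    grep -rhiE "^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?$1([[:space:]]+[[:alnum:]]+)?[[:space:]]*\$" \
        "$2" >/dev/null 2>&1
}

# Pass if the file grants nothing to group or other (mode 600 or 400).
key_is_private() {     # $1 = PEM file that contains the private key
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run all three checks, print one line per finding, fail if any was found.
audit_apache() {       # $1 = config directory, $2 = PEM file
    findings=0
    server_tokens_ok "$1" ||
        { echo "ServerTokens is not Prod"; findings=$((findings + 1)); }
    listens_on 443 "$1" ||
        { echo "no Listen 443 line"; findings=$((findings + 1)); }
    key_is_private "$2" ||
        { echo "$2 is accessible beyond its owner"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# Constructed demo: a scratch tree in the state before the steps above.
demo_dir=$(mktemp -d)
printf 'ServerTokens Full\nListen 80\n' > "$demo_dir/apache2.conf"
touch "$demo_dir/sitecert.pem"; chmod 644 "$demo_dir/sitecert.pem"
audit_apache "$demo_dir" "$demo_dir/sitecert.pem" ||
    echo "fix the findings above before restarting Apache"
rm -rf "$demo_dir"
```

On a real box, call it as audit_apache /etc/apache2 /etc/apache2/sitecert.pem.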
We're almost finished. I mentioned earlier that I set up different rules for how my regular sites and encrypted ones work. This is done in /etc/apache2/sites-enabled/000-default. Apache2 has a function server-status that I like to use, but only on my machine on my LAN, and only encrypted (originally just for this exercise). I allow this in the virtual server settings for my encrypted sites. I also have slightly different rules for what I allow on my regular sites -- port 80. See the following contents of my 000-default file.
Options Indexes FollowSymLinks MultiViews
allow from 192.168.0.1/8
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
RedirectMatch ^/$ /apache2-default/
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Allow from all
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
Options Indexes FollowSymLinks MultiViews
allow from all
RedirectMatch ^/$ /apache2-default/
Allow from crumbly.home.org
Allow from 192.168.0.102
Allow from 192.168.0.103
Some of you may be able to tell from this configuration that I allow .htaccess overrides on my port 80 sites and not on my port 443 sites. I do this so I can enable SEO, or, URLs without special characters. You can see that I allow overrides to all computers on my LAN. Apache uses mod_rewrite for this and since we're at this point, basically finished, we can enable the mods that we want running in Apache.
If you want to use server-status like I do, then you can
You can disable mods just as easily: a2dismod.
Go ahead and make your modifications to the 000-default file. Save and close the file.
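The listing above contains "allow from 192.168.0.1/8"; with an 8-bit mask, CIDR matching compares only the first octet. The following added example (not part of the original tutorial) shows which clients that rule admits next to a /24 for the same LAN; the /24 rule, the outside address 192.0.2.10 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which clients does "allow from ADDR/BITS" admit?
# Models plain CIDR matching: only the first BITS bits of ADDR are compared.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer.
mask_for() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network that ADDR/BITS denotes once the host bits are masked off.
network_of() {           # $1 = ADDR/BITS
    net=$(( $(ip_to_int "${1%/*}") & $(mask_for "${1#*/}") ))
    echo "$(int_to_ip "$net")/${1#*/}"
}

# Succeed if client $1 falls inside rule $2 (ADDR/BITS).
in_cidr() {
    mask=$(mask_for "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Constructed sample: the rule from the listing next to a /24 for the same
# LAN, tested with the two LAN hosts the listing names and 192.0.2.10
# (documentation range) standing in for a host outside the LAN.
for rule in 192.168.0.1/8 192.168.0.0/24; do
    echo "$rule covers $(network_of "$rule")"
    for client in 192.168.0.102 192.168.0.103 192.0.2.10; do
        if in_cidr "$client" "$rule"; then echo "  $client allowed"
        else echo "  $client denied"; fi
    done
done
```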
Now you can
Visit your server now: if on your regular machine, just point your browser to http://127.0.0.1 and you'll see a default Apache page. If you set this machine up as a web server for your LAN, then pick a machine on your LAN and go to your new server install - http://server.domain.
You can read up on how I try to scare people away from starting websites at my friend's Xmodfree Forum here. I don't really try to scare potential web site owners away so much as give them some cold, hard facts, in my regular crotchety manner.
--machiner 12 may 07, finally published 23 July 2007