How to set up a basic Debian 6 (Squeeze) web server with Lighttpd, MySQL & PHP
We just need a basic web server to host one or more WordPress websites. We need a low-end server that can handle the traffic and processes, of the kind often used for custom web applications. We do not really need MySQL on the web server, as we will use a backend MySQL server, but we include the installation of MySQL in this quick start guide anyway. We wrote this quick start guide based on Virtual Private Server (VPS) services and tested it. 1 node represents 376 MB RAM, 0.6 GHz dedicated CPU, 10 GB disk space and 1 TB data traffic.
Start making your server
Create a new VM and choose the Template Debian 6.0.0 x64
(just a basic Debian 6 installation)
Update The Server
# passwd (enter new password)
# apt-get update
# apt-get upgrade
Install MySQL
# apt-get install mysql-server mysql-client
New password for the MySQL "root" user:
Repeat password for the MySQL "root" user:
Install Lighttpd
# apt-get install lighttpd
Install PHP
# apt-get install php5-cgi
To enable PHP5 in Lighttpd, we must modify /etc/php5/cgi/php.ini and uncomment the line cgi.fix_pathinfo=1:
# nano /etc/php5/cgi/php.ini
# lighttpd-enable-mod fastcgi
# lighttpd-enable-mod fastcgi-php
# ls -l /etc/lighttpd/conf-enabled
# /etc/init.d/lighttpd force-reload
# nano /var/www/info.php
Paste this:
<?php phpinfo(); ?>
Save file and go to:
# apt-get install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
# /etc/init.d/lighttpd force-reload
Load info.php again to confirm that the modules are installed, including the MySQL module.
Install Exim for internal website mail handling
# apt-get install exim4-daemon-light mailutils
# dpkg-reconfigure exim4-config
1. internet site;
2. Enter your system’s FQDN
4. Make sure you list your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for.
5. Leave the relay domains and relay machines fields blank.
6. Select “No” when asked whether to keep DNS queries to a minimum.
7. You may select either "mbox" or "Maildir" when asked about the delivery method used for incoming mail. While many utilities use mbox format, Maildir format can make handling individual locally delivered mail messages easier, and is widely supported by a range of applications.
8. Accept the default “non-split” option for your mail configuration file.
9. Enter at least one external email address (choose one that you check frequently) in addition to “root” when asked to specify postmaster mail recipients. (root
Test Your Mail Configuration:
# echo "This is a test." | mail -s Testing
Hardening Your Server
Secure php.ini
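; safe_mode is deprecated as of PHP 5.3.0 and removed in PHP 5.4.0
safe_mode = On
; Do not advertise the PHP version in response headers
expose_php = Off
max_execution_time = 120 ; Maximum execution time of each script, in seconds
error_log = /var/log/php.log
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, base64_decode, base64_encode, proc_terminate
; Do not let fopen() and related functions open remote URLs
allow_url_fopen = Off
; magic_quotes_gpc is deprecated as of PHP 5.3.0 and removed in PHP 5.4.0
magic_quotes_gpc = On
upload_max_filesize = 32M
zlib.output_compression = On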
PS: phpMyAdmin does not work with this configuration!
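To confirm that the file PHP actually reads carries these settings, the script below audits a php.ini for expose_php, allow_url_fopen and the command-execution entries of disable_functions. It is an added example, not part of the original guide; the helper names (ini_get, is_off, check_php_ini, sample_ini) and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. All function names here
# (ini_get, is_off, check_php_ini, sample_ini) are hypothetical helpers.

# Effective value of directive $2 in php.ini $1 (last assignment wins;
# ';' comments, surrounding blanks and quotes are stripped).
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ || !/=/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/;.*/, "", v); gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# True only when a boolean directive is explicitly switched off.
is_off() {
    case $(printf %s "$1" | tr 'A-Z' 'a-z') in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each deviation; the exit status is the number of deviations found.
check_php_ini() {
    bad=0
    for key in expose_php allow_url_fopen; do
        is_off "$(ini_get "$1" "$key")" || { echo "FAIL $key is not Off"; bad=$((bad + 1)); }
    done
    disabled=$(ini_get "$1" disable_functions | tr -d ' \t')
    for fn in system shell_exec passthru exec phpinfo popen proc_open; do
        case ",$disabled," in
            *",$fn,"*) ;;   # whole-name match: shell_exec does not cover exec
            *) echo "FAIL $fn is not in disable_functions"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample input mirroring the values in this section.
sample_ini() {
    printf '%s\n' '[PHP]' 'expose_php = Off' 'allow_url_fopen = Off' \
        'disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open'
}

# Run as: sh <this script> /etc/php5/cgi/php.ini
[ $# -eq 0 ] || check_php_ini "$1"
```

A directive that is commented out or absent is reported as a failure, because PHP then falls back to its built-in default.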
Install & Configure Fail2ban
# apt-get install fail2ban
Configure Fail2ban as needed. For more info see:
Configure iptables
# nano /etc/iptables.test.rules
Paste this or adjust your rules:
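*filter
# Allow loopback traffic; reject anything addressed to 127.0.0.0/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Allow replies on established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Inbound services; delete the lines for services this server does not run
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport https -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport ftps -j ACCEPT
-A INPUT -p tcp --dport ftps-data -j ACCEPT
# Reject everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# iptables-restore < /etc/iptables.test.rules
# iptables -L
# iptables-save > /etc/iptables.up.rules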
# nano /etc/network/if-pre-up.d/iptables
Add these lines:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
Fine Tuning
# nano /etc/lighttpd/lighttpd.conf
Find this line:
compress.filetype = ("application/x-javascript", "text/css", "text/html", "text/plain")
and replace it with:
compress.filetype = ("application/x-javascript", "application/javascript", "text/javascript", "text/x-js", "text/css", "text/html", "text/plain")
# mkdir -p /var/cache/lighttpd/compress/
# chown www-data:www-data /var/cache/lighttpd/compress/
# /etc/init.d/lighttpd restart
We cannot guarantee that this will work for you.
We tested this on a 1-node virtual machine.
Great performance in comparison to Apache.