A Complete Guide for Installing and Securing LAMP Stacks on Debian 12 - Part 2

Installing and configuring the core components of a LAMP stack on your Debian 12 system

Continuing our complete series on setting up a secure LAMP stack, this second part focuses on the installation and configuration process. Building upon the Debian 12 (Bookworm) EC2 instance we set up in Part 1, we'll now dive into installing and optimizing Apache2, MariaDB, PHP 8.2, and essential modules. This guide provides step-by-step instructions for creating a robust foundation for your web applications, emphasizing both performance and security.

Prerequisites

• A Debian 12 (Bookworm) system with root or sudo access
• An active internet connection

Step 1: Update System Packages

Before beginning the installation, update your system's package list and upgrade existing packages:

sudo apt update
sudo apt upgrade -y

Step 2: Install and Configure Apache2

Install Apache2

sudo apt install apache2 -y
sudo systemctl start apache2
sudo systemctl enable apache2

Enable Essential Apache Modules

sudo a2enmod rewrite
sudo a2enmod headers
sudo a2enmod ssl
sudo a2enmod deflate
sudo a2enmod expires
sudo systemctl restart apache2

These modules provide:
- rewrite: URL rewriting
- headers: Customization of HTTP response headers
- ssl: HTTPS support
- deflate: Response compression
- expires: Setting of Expires and Cache-Control headers

Step 3: Install and Secure MariaDB

Install MariaDB

sudo apt install mariadb-server -y
sudo systemctl start mariadb
sudo systemctl enable mariadb

Secure MariaDB

Run the mysql_secure_installation script:

sudo mysql_secure_installation

Follow the prompts to:
- Set a root password (if not already set)
- Remove anonymous users
- Disallow root login remotely
- Remove test database and access to it
- Reload privilege tables

Step 4: Install PHP 8.2 and Common Modules

sudo apt install php8.2 libapache2-mod-php8.2 php8.2-mysql php8.2-common php8.2-cli php8.2-curl php8.2-mbstring php8.2-xml php8.2-zip php8.2-gd php8.2-intl php8.2-bcmath php8.2-soap php8.2-fpm php8.2-readline php8.2-opcache php8.2-bz2 php8.2-sqlite3 php8.2-ldap php8.2-imap php8.2-pgsql -y

This command installs PHP 8.2 along with the following modules:

• php8.2: Core PHP package
• libapache2-mod-php8.2: Apache PHP module
• php8.2-mysql: MySQL database support
• php8.2-common: Common PHP libraries
• php8.2-cli: Command-line interface
• php8.2-curl: cURL support
• php8.2-mbstring: Multibyte string support
• php8.2-xml: XML support
• php8.2-zip: ZIP compression support
• php8.2-gd: GD graphics library
• php8.2-intl: Internationalization support
• php8.2-bcmath: BCMath arbitrary precision mathematics
• php8.2-soap: SOAP support
• php8.2-fpm: FastCGI Process Manager
• php8.2-readline: Readline support
• php8.2-opcache: OPcache support
• php8.2-bz2: bzip2 compression support
• php8.2-sqlite3: SQLite3 database support
• php8.2-ldap: LDAP support
• php8.2-imap: IMAP support
• php8.2-pgsql: PostgreSQL database support

Step 5: Configure PHP for Modern Applications and Security

Edit the PHP configuration file:

sudo nano /etc/php/8.2/apache2/php.ini

Modify the following values:

; Performance settings
memory_limit = 256M
max_execution_time = 300
max_input_time = 300
max_input_vars = 3000
post_max_size = 64M
upload_max_filesize = 64M
max_file_uploads = 100

; Security settings
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/:/tmp/:/var/tmp/:/proc/"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

; Error handling
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors.log

; Optional: Increase default socket timeout
default_socket_timeout = 120

After making these changes, restart Apache:

sudo systemctl restart apache2

Step 6: Configure OPcache

Edit the OPcache configuration file:

sudo nano /etc/php/8.2/apache2/conf.d/10-opcache.ini

Add or modify these lines:

opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1

Restart Apache again:

sudo systemctl restart apache2

Step 7: Verify PHP Installation

Create a PHP info file:

echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/phpinfo.php

Access this file in a web browser: http://your_server_ip/phpinfo.php

After verification, remove the file for security:

sudo rm /var/www/html/phpinfo.php

Conclusion

In this second part of our comprehensive guide, we've successfully installed and configured the core components of a LAMP stack on your Debian 12 (Bookworm) system. You now have a fully functional Apache web server, MariaDB database, and PHP 8.2 environment, complete with essential modules and initial optimizations.

This setup provides a solid foundation for hosting modern web applications. We've covered the basics of performance tuning and introduced some fundamental security practices. However, a production-ready server requires additional hardening and fine-tuning, which we'll address in the upcoming parts of this series.

Remember, while your LAMP stack is now operational, it's not yet fully secured for production use. In Part 3, we'll dive deep into crucial security measures to protect your server from common threats. Following that, Part 4 will guide you through setting up maintenance routines and further optimizations to keep your server running smoothly and efficiently over time.

By following this series, you're on your way to creating a robust, secure, and well-maintained web hosting environment. Stay tuned for the next parts, where we'll transform this basic setup into a production-grade, hardened LAMP stack.

What's Coming in Part 3

In the next part of our series, we'll focus on security enhancements:

• Installing and configuring Let's Encrypt SSL certificates
• Implementing advanced security measures for Apache, PHP, and MariaDB
• Setting up fail2ban for intrusion prevention
• Configuring and optimizing firewalls
• Hardening SSH access

What's Coming in Part 4

In the final part of our series, we'll cover maintenance and operational aspects:

• Establishing comprehensive backup routines
• Installing and configuring maintenance tools
• Setting up automated security updates
• Implementing log rotation and management
• Best practices for ongoing maintenance and monitoring
• Performance tuning and optimization techniques

Stay tuned for these critical security enhancements, maintenance procedures, and optimization techniques to ensure your LAMP stack remains secure, efficient, and well-maintained.