LEMP is a collection of open-source software that is commonly used together to serve web applications. The acronym stands for a Linux operating system with an Nginx (pronounced engine-x, hence the E in the acronym) web server, site data stored in a MySQL or MariaDB database, and dynamic content processed by PHP. The stack is popular for hosting extensive websites due to its performance and scalability.
In the following tutorial, you will learn how to install LEMP (Nginx, MariaDB, PHP 8.0) on AlmaLinux 8.
Prerequisites
- Recommended OS: AlmaLinux 8.
- User account: A user account with sudo privileges or root access (su command).
Updating Operating System
Update your AlmaLinux operating system to make sure all existing packages are up to date:
sudo dnf upgrade --refresh -y
The tutorial uses the sudo command and assumes your account has sudo status. To verify sudo status on your account:
sudo whoami
Example output showing sudo status:
[joshua@localhost ~]$ sudo whoami
root
If you have not set up a sudo user account and would like to, visit our tutorial on How to Add a User to Sudoers on AlmaLinux.
To use the root account, use the following command with the root password to log in.
su
Install Nginx
To kickstart the LEMP stack installation, you will need to install the Nginx web server, which can be done with the following terminal command:
sudo dnf install nginx
Type (Y), then press (ENTER KEY) to proceed.
Confirm the installation by checking the build version:
nginx -v
Example output:
nginx version: nginx/1.14.1
By default, Nginx is not enabled when it is installed on AlmaLinux. To enable it on boot and start it, use the following:
sudo systemctl enable nginx && sudo systemctl start nginx
Example of successfully enabling (symlink):
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
Now, check to see the status of your Nginx service with the following terminal command:
systemctl status nginx
It is a good idea to allow HTTP traffic through your firewall with the following command:
sudo firewall-cmd --zone=public --add-service=http --permanent
Reload the firewall with the following command:
sudo firewall-cmd --reload
Now, you can confirm that your Nginx web server is operational by entering http://server-ip or http://domain-name in your Internet Browser; you should see the default Nginx page.
Install and Configure MariaDB
Installation
MariaDB is a drop-in replacement for MySQL and was developed by former members of the MySQL team concerned that Oracle might turn MySQL into a closed-source and potentially paid product.
Enter the following command to install MariaDB:
sudo dnf install mariadb-server mariadb
Type (Y), then press (ENTER KEY) to proceed.
To confirm the installation of MariaDB and to check what build is installed, type the following command:
mysql --version
Example output:
mysql Ver 15.1 Distrib 10.3.28-MariaDB, for Linux (x86_64) using readline 5.1
Like Nginx before it, MariaDB is not enabled by default. To start MariaDB and enable it on system boot, use the following (systemctl) terminal command:
sudo systemctl enable mariadb && sudo systemctl start mariadb
Example of successfully enabling (symlink):
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/mariadb.service.
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → /usr/lib/systemd/system/mariadb.service.
Now, make sure everything is operational with the following command:
systemctl status mariadb
Configuration
Now that MariaDB is up and running on your AlmaLinux system, you need to run the post-installation security script, because the default settings are often not secure and need to be reviewed. It is highly recommended not to skip this step.
First, run the MariaDB secure installation command as follows:
sudo mysql_secure_installation
Next, you will be given a prompt asking you to enter your (MariaDB root password). For now, press the (ENTER) key, as the root password isn’t set yet.
Next, type (Y) and press enter to set up the (root) password.
For the next series of questions, you can safely hit (ENTER), which answers (Y) to all the subsequent questions asking you to (remove anonymous users, disable remote root login, and remove the test database). Note the (Y) is capitalized, meaning it is the default answer when you press the (ENTER) key.
Overview of what should have been done above:
- Setting the password for root accounts.
- Removing root accounts that are accessible from outside the local host.
- Removing anonymous-user accounts.
- Removing the test database, which by default can be accessed by anonymous users.
This step is essential for MariaDB database security and should not be altered or skipped unless you know what you are doing.
Now, login to the MariaDB database terminal with the following command:
sudo mysql -u root -p
You will be prompted to enter the root password that you set in either the installation setup or post-installation security script. Once inside the MySQL service instance, you can execute the following command as a test to see it in operation.
Type the following SHOW DATABASES command:
SHOW DATABASES;
For those new to MySQL and MariaDB, all commands must end with “;”
To exit the MariaDB database terminal, type (exit;) as follows:
exit;
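To confirm that the security script left the server in the state listed in the overview above, the following added example (not part of the original tutorial) audits the account and database lists. The function names and sample rows are constructed for illustration, and the queries in the comments assume the root password set earlier.

```shell
#!/bin/sh
# Added example: check the outcome of mysql_secure_installation.
# Function names and sample rows are constructed for this illustration.

# Reads tab-separated "User<TAB>Host" rows on stdin, for example from:
#   sudo mysql -u root -p -N -B -e "SELECT User, Host FROM mysql.user"
# Prints one finding per line and returns 1 if anything was flagged.
audit_mysql_accounts() {
    awk -F '\t' '
        $1 == "" {                      # anonymous account: empty user name
            printf "ANONYMOUS\t(any user)@%s\n", $2; bad = 1; next
        }
        # root is only expected on the local host names the script keeps
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "REMOTE_ROOT\troot@%s\n", $2; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Reads database names on stdin, one per line, for example from:
#   sudo mysql -u root -p -N -B -e "SHOW DATABASES"
# Returns 1 if the test database is still present.
audit_test_database() {
    if grep -qx 'test'; then
        printf 'TEST_DB\ttest database still present\n'
        return 1
    fi
    return 0
}

# Constructed sample: the account list of an instance that was NOT secured.
sample_unsecured_accounts() {
    printf 'root\tlocalhost\n'
    printf '\tlocalhost\n'
    printf 'root\tdb01.example.internal\n'
    printf 'root\t127.0.0.1\n'
    printf 'appuser\tlocalhost\n'
}
```

Running `sample_unsecured_accounts | audit_mysql_accounts` flags the anonymous account and the root account bound to a non-local host; on a secured instance both functions print nothing and return 0.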
Install PHP (PHP-FPM)
Import PHP 8.0 Repository
The last part to install in your LEMP installation is PHP. You will need to install (PHP-FPM), which is short for (FastCGI Process Manager). It is highly recommended to install PHP from the (Remi) repository. For those unaware, Remi is the maintainer of PHP releases for the RHEL family. For the tutorial, we will install the newest PHP 8.0:
The first task is to install the (EPEL) repository, which stands for (Extra Packages for Enterprise Linux). For newer users of RHEL and AlmaLinux, EPEL contains the most commonly used software packages for Enterprise Linux.
To install EPEL, use the following (dnf) terminal command:
sudo dnf install epel-release
Type (Y), then press (ENTER KEY) to proceed.
Now that you have added the EPEL repository, enable the (Remi repository) with the following, fetching the release package over HTTPS so that it cannot be altered in transit:
sudo dnf install dnf-utils https://rpms.remirepo.net/enterprise/remi-release-8.rpm
Type (Y), then press (ENTER KEY) to proceed.
Next, use the (dnf) command to update your repository list:
sudo dnf update
You will notice a query in your terminal about importing the (GPG key) for the Remi repository.
Type (Y), then press (ENTER KEY) to proceed.
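Note that you will be prompted two more times to type (Y) to import more GPG keys. This is fine to do once you have checked that the key fingerprint and source shown in each prompt belong to the repositories you just added.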
Next, you will be prompted to upgrade the EPEL release:
Type (Y), then press (ENTER KEY) to proceed.
Your EPEL repository is now up to date, and you are ready to proceed to the next part of the tutorial.
Enable PHP 8.0 (Remi) Repository
PHP 7.2 is the default PHP choice for a standard installation on RHEL/AlmaLinux with Remi’s repository. A quick tip is to use the (list php) command to see the options available and the default. The following command can do this:
sudo dnf module list php
You will get output listing the available PHP streams. Note the (d) tag, which marks the default PHP version to be installed.
The (d) tag is next to PHP 7.2, so you need to reset the module and change the stream before you can install PHP 8.0 on AlmaLinux. Resetting the PHP module is easy with the following command:
sudo dnf module reset php
Next, enable PHP 8.0 with the following command:
sudo dnf module enable php:remi-8.0 -y
Note, you can enable PHP 7.4 instead by running the dnf module reset command and then the dnf module enable php:remi-7.4 command. Choose the version your application requires; PHP 8.0 is used here only as an example of installing the latest version.
Install PHP 8.0
Now that you have added the Remi PHP repository and enabled PHP 8.0 to be the default version on your AlmaLinux system, you can install PHP 8.0 with the following command:
sudo dnf install php
Type (Y), then press (ENTER KEY) to proceed.
If you would like to install the most commonly used extensions for PHP 8.0, use the following command:
sudo dnf install php-cli php-fpm php-curl php-mysqlnd php-gd php-opcache php-zip php-intl php-common php-bcmath php-imap php-imagick php-xmlrpc php-json php-readline php-memcached php-redis php-mbstring php-apcu php-xml
Note, this step is optional, and you should remove the extensions you do not want; installing only what your application needs keeps the attack surface smaller.
Type (Y), then press (ENTER KEY) to proceed.
Now that you have installed PHP 8.0 and the extensions, check the version with the following command:
php -v
Example output:
PHP 8.0.10 (cli) (built: Aug 24 2021 15:40:40) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.10, Copyright (c) Zend Technologies
with Zend OPcache v8.0.10, Copyright (c), by Zend Technologies
Lastly, like Nginx and MariaDB before it, PHP-FPM is not enabled by default. To enable PHP-FPM on system boot and start it, use the following (systemctl) command:
sudo systemctl enable php-fpm && sudo systemctl start php-fpm
Example of successfully enabling (symlink):
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
Now, as with the other components of your LEMP installation, use the following (systemctl) terminal command to check that the service is working:
systemctl status php-fpm
If no errors are present, the service is reported as active (running).
Unlike LEMP installations on Debian/Ubuntu, which use the (www-data) user, RHEL family installations do not. By default on AlmaLinux, the PHP-FPM service is configured to run as the (apache) user, which is incorrect since we are using Nginx, and this needs to be corrected.
Firstly, open the following (www.conf) configuration file:
sudo nano /etc/php-fpm.d/www.conf
Next, replace the (apache) user and group with the (nginx) user and group in the (user) and (group) directives.
To save, press (CTRL+O) then exit (CTRL+X).
Now you will need to reload or restart your PHP-FPM service:
sudo systemctl restart php-fpm
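The user and group change described above can also be applied and verified from the shell. This is an added example, not part of the original tutorial; the function names and the sample pool file are constructed, and the account name is assumed to be a plain name such as nginx.

```shell
#!/bin/sh
# Added example: switch the PHP-FPM pool from apache to nginx and verify it.
# Function names and the sample pool file are constructed for illustration.

# Print the active (uncommented) user and group of a pool file.
pool_identity() {
    awk -F '=' '
        /^[ \t]*;/ { next }             # ";" starts a comment in pool files
        /^[ \t]*user[ \t]*=/  { gsub(/[ \t]/, "", $2); u = $2 }
        /^[ \t]*group[ \t]*=/ { gsub(/[ \t]/, "", $2); g = $2 }
        END { printf "user=%s group=%s\n", u, g }
    ' "$1"
}

# Set user and group to the given account. Only the active directives change;
# comments and listen.* lines are left untouched.
set_pool_identity() {
    conf=$1
    account=$2   # assumed to be a plain account name such as nginx
    tmp=$(mktemp) || return 1
    if sed -E "s/^([[:space:]]*(user|group)[[:space:]]*=[[:space:]]*).*/\\1${account}/" \
            "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"   # write in place: keeps owner, mode and SELinux label
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample resembling the relevant lines of www.conf.
write_sample_pool() {
    cat > "$1" <<'EOF'
[www]
; RPM: apache user chosen to provide access to the same directories as httpd
user = apache
;group = nobody
group = apache
listen = /run/php-fpm/www.sock
listen.acl_users = apache,nginx
EOF
}
```

Against the real file this would be `set_pool_identity /etc/php-fpm.d/www.conf nginx` run as root, followed by the restart above. After the switch, also check the group ownership of the session and cache directories under /var/lib/php, which the RHEL-family packages create for the apache group.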
Create Test PHP Landing Page
To test PHP-FPM with the Nginx Web server, you must create a file in the webroot directory.
For the guide, you will name the file (info.php) as follows:
sudo nano /usr/share/nginx/html/info.php
Paste the following into the (info.php) file:
<?php
phpinfo();
?>
Save the file (CTRL+O), then exit (CTRL+X).
Now in your Internet Browser address bar, enter (server-ip-address/info.php). If you have installed Nginx on your local computer, use the default (127.0.0.1/info.php) or (localhost/info.php).
You should see your server’s PHP information.
This information shows PHP scripts can run properly with the Nginx web server.
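For security purposes, you should remove the file, as it discloses the PHP version, loaded modules, and configuration paths. To do this, use the following command with the path the file was created at:
sudo rm -f /usr/share/nginx/html/info.php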
If you would prefer to keep the file for future purposes, add the following to your Nginx server block file in the server {} section:
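location ^~ /info.php {
    allow <YOUR IP ADDRESS>;
    deny all;
    # ^~ skips the regex \.php$ location, so hand the request to PHP-FPM here
    fastcgi_pass unix:/run/php-fpm/www.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}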
This allows only the specified IP address to access the file. It is advisable to hide as much system information as possible from potential hackers and malicious actors.
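Because the test page was created under /usr/share/nginx/html, it is worth confirming that it is really gone: rm -f reports success even when the path does not exist. The check below is an added example, not part of the original tutorial, and its function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: make sure no phpinfo() page is left under the web roots.
# Function names are constructed for this illustration.

# Remove a page, but fail loudly when the path does not exist. Plain "rm -f"
# exits 0 for a missing file, so a wrong path would go unnoticed.
remove_page() {
    if [ ! -e "$1" ]; then
        echo "not found, nothing removed: $1" >&2
        return 2
    fi
    rm -f -- "$1"
}

# List PHP files under the given directories that call phpinfo().
# Missing directories are skipped. Returns 1 when at least one file is found.
find_phpinfo_pages() {
    found=0
    for root in "$@"; do
        [ -d "$root" ] || continue
        hits=$(find "$root" -type f -name '*.php' \
                   -exec grep -liE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Typical use on the server from this tutorial:
#   find_phpinfo_pages /usr/share/nginx/html /var/www/html
```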
Create an Nginx Server Block
An Nginx server block is the equivalent of a virtual host in Apache: it contains the configuration your Nginx web server uses to respond to public visitors. Below is a complete example of how to achieve this with PHP-FPM in mind.
Create Server Block Directories
The (.conf) files are normally located in (sites-available) and (sites-enabled). Users coming from other distributions may expect these directories to exist already; on AlmaLinux, you will need to create them.
Create the two required (sites) directories with the following command:
sudo mkdir /etc/nginx/sites-available && sudo mkdir /etc/nginx/sites-enabled
Edit the Nginx Configuration File
After creating the needed directories, edit Nginx’s main configuration file (nginx.conf) as follows:
sudo nano /etc/nginx/nginx.conf
Then paste the next few lines in the (http) section of the (nginx.conf) configuration file:
include /etc/nginx/sites-enabled/*.conf;
server_names_hash_bucket_size 64;
Note, (server_names_hash_bucket_size) increases the memory allocated to parsing domain names.
Save the configuration with (CTRL+O) and then (CTRL+X) to exit.
Create Server Block Configuration File
Now create a server block file using any text editor, the guide will use (nano):
sudo nano /etc/nginx/sites-available/example.com.conf
Next, you need to set up the configuration file with a working example with PHP-FPM enabled.
An example is provided below for you to copy and paste. Remember to replace (server_name) with your domain name or IP:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/html/example.com/;
    index index.php index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ /index.php;
    }
    # Pass PHP scripts to the PHP-FPM socket
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
    }
    # Deny access to .ht* files such as .htaccess and .htpasswd
    location ~ /\.ht {
        access_log off;
        log_not_found off;
        deny all;
    }
}
Now save the server block with (CTRL+O), then exit with (CTRL+X).
Create Test Landing Page
A good idea is to create a sample test site. Below is a standard test index.html setup.
If you haven’t already created your permanent or test web directory, create it now:
sudo mkdir -p /var/www/html/example.com/
You will need to configure the permissions, and you can set as the user currently logged in with the $USER variable:
sudo chown -R $USER:$USER /var/www/html/example.com/
The last permission setting is to allow the public to read the web directory (access your site) using permission chmod 755:
sudo chmod -R 755 /var/www
Next, create the index.html file:
sudo nano /var/www/html/example.com/index.html
Paste the content below. As you can see, it’s pretty basic as we are only using it for testing purposes.
<html>
<head>
<title>You have reached Example.com!</title>
</head>
<body>
<h1>Congratulations! The server block is active!</h1>
</body>
</html>
Save the configuration with (CTRL+O) and then (CTRL+X) to exit.
Enable Nginx Server Block
You are now in the final stages, and it is time to enable the server block configuration file. To do so, you need to create a symbolic link (symlink) from the server block configuration file in the (sites-available) directory into the (sites-enabled) directory using the following command:
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf
Test Nginx Server Block
To finish up, you should always do a dry run before restarting or reloading your Nginx service, which is critical if working in a live environment. Type the following command to test your server block configuration file:
sudo nginx -t
If there are no errors, you will get the following output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Once Nginx has been reloaded, open your Internet Browser and enter your domain address (example.com) to test if your server is reachable.
Congratulations, you have successfully created an Nginx server block that is PHP-FPM ready.
Secure Nginx with Let’s Encrypt SSL Free Certificate
Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).
First, install the EPEL repository and the mod_ssl package for better-updated packages and security.
sudo dnf install epel-release mod_ssl -y
Next, install the certbot package as follows:
sudo dnf install python3-certbot-nginx -y
Once installed, run the following command to start the creation of your certificate:
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com
This is the ideal setup, which includes forced HTTPS 301 redirects, a Strict-Transport-Security header, and OCSP stapling. Just make sure to adjust the e-mail and domain name to your requirements.
Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.
Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.
Optionally, you can set a cron job to renew the certificates automatically. Certbot offers a script that does this automatically, and you can first test to make sure everything is working by performing a dry run.
sudo certbot renew --dry-run
If everything is working, open your crontab window by using the following terminal command.
sudo crontab -e
Next, specify the time when it should auto-renew. This should be checked daily at a minimum, and if the certificate does not need to be renewed, the script will not update the certificate. If you need help with finding a good time to set, use the crontab.guru free tool.
00 00 */1 * * /usr/bin/certbot renew
Save (CTRL+O) then exit (CTRL+X), and the cronjob will be automatically enabled.
Comments and Conclusion
In the tutorial, you have learned how to install the LEMP stack, secure MariaDB, test PHP, and create an Nginx server block. Overall, LEMP is a smart option. Nginx has surpassed Apache as the most used HTTP web server software, and when adequately configured and performance managed, it can give your web server a decisive advantage over other setups.