How to Install LEMP Stack on Debian 12/11/10

In the realm of web application development, selecting the appropriate software stack can be a critical factor for the successful deployment of your application. The LEMP stack, an acronym derived from the four open-source components it employs – Linux, ENGINX, MariaDB, and PHP, is a powerful, flexible, and scalable solution for managing web servers.

Unlike its LAMP counterpart (which utilizes Apache), the LEMP stack employs NGINX for its server functionality. NGINX stands out with its unique architecture capable of handling a high number of concurrent connections. This makes it an efficient choice for high-traffic websites where the robust handling of many simultaneous requests is required.

  • NGINX offers a powerful suite of features, including load balancing, reverse proxy, mail proxy, and HTTP cache.
  • Its event-driven architecture allows for more efficient CPU and memory usage, especially under heavy loads.
  • It offers SSL/TLS protocol support directly, contributing to a secure web environment.

The LEMP stack uses MariaDB as its database management system. This open-source relational database system, developed by the original authors of MySQL, ensures high performance, robustness, and ease of use.

  • MariaDB offers a broader set of features and storage engines than MySQL.
  • It provides superior replication with various modes and enhanced performance.
  • Its commitment to open-source philosophy and backwards compatibility with MySQL makes it a preferred choice among many developers.

At the heart of the LEMP stack, we find PHP-FPM (FastCGI Process Manager). It is an advanced, highly efficient alternative PHP FastCGI implementation with significant improvements over mod_php, most notably in its ability to handle high loads.

  • PHP-FPM maintains pools (workers that can respond to PHP requests) to accomplish this task.
  • It provides various management features, such as adaptive process spawning and the ability to start workers with different abilities.
  • The FastCGI aspect allows NGINX to process PHP files and serve dynamic content, thereby significantly speeding up PHP performance.

Deploying a LEMP stack isn’t just about achieving a configuration that works; it’s about harnessing the power of each individual component to create a high-performance, secure, and scalable server environment that’s tailor-made to meet your web application’s specific demands.

In the guide to follow, we will walk through the steps to install the LEMP stack on Debian 12 Bookworm, Debian 11 Bullseye or Debian 10 Buster, arming you with the knowledge and steps to get the most out of your server environment.

Section 1: Installing NGINX – The First Component of LEMP Stack

Step 1: Update Debian System

The foundation for a successful LEMP stack installation is a current operating system. Ensuring your Debian system is up-to-date is crucial to avert package conflicts and guarantee the smooth execution of subsequent processes. This practice aligns your system with the latest security patches and software improvements. Run the following command to update your system:

sudo apt update && sudo apt upgrade

With this command, sudo apt update updates the list of available packages and their versions, while sudo apt upgrade installs the latest versions of the packages you have.

Step 2: NGINX Installation

The cornerstone of the LEMP stack is NGINX, which is our next installation target. By executing the following command, NGINX, an open-source, high-performance HTTP server and reverse proxy, will be installed:

sudo apt install nginx

Upon completion of the NGINX installation, the service generally initiates automatically. However, it is a good practice to confirm this and make sure it operates as expected. You can verify the status of the NGINX service by issuing the following command:

systemctl status nginx

At this stage, you should see an output indicating the active (running) status of the NGINX service, confirming the successful initiation of NGINX.

However, if the server hasn’t started for any reason, the following command can kickstart it, while also setting NGINX to launch automatically upon system reboot:

sudo systemctl enable nginx --now

This command ensures that the NGINX service is both enabled to start on boot (enable) and started immediately (--now).

Optionally, you can visit the server IP address to verify Nginx is installed, you should see a similar test page:

Further Reading

For users interested in installing the latest NGINX mainline or stable version directly from NGINX’s APT repository, refer to our comprehensive guide: Install NGINX Mainline on Debian Linux. This resource offers a step-by-step walkthrough, arming you with the information to optimize your server’s capabilities further.

Section 2: Incorporating MariaDB into the LEMP Stack

The LEMP stack’s assembly process proceeds with the installation of the database module. MariaDB has an esteemed reputation over MySQL within the LEMP stack for its heightened performance and various supplementary attributes. The step-by-step instructions provided here utilize Debian’s repositories to fetch MariaDB’s resources. However, if your requirements are specifically inclined towards a distinct version from’s official libraries, you may refer to our exclusive guide on installing MariaDB on Debian. Find it here: How to Install MariaDB on Debian

Step 1: Commencing the MariaDB Installation

The initiation of MariaDB’s installation involves the execution of a simple command in your terminal. Here it is:

sudo apt install mariadb-server mariadb-client

Step 2: Post-Installation Check of the MariaDB Service

Once MariaDB is installed, the next pivotal step is to confirm the status of the MariaDB service. Similar to what was done for the NGINX web server, it is crucial to ensure that the MariaDB service is both enabled and operating correctly, devoid of any malfunctioning components. The command to inspect the service’s status is as follows:

systemctl status mariadb

In the event that the server has not been activated, you can execute the following command. This will ensure that MariaDB is not only started immediately but also set to automatically boot up upon every system reboot.

sudo systemctl enable mariadb --now

Step 3: Secure the MariaDB Installation

The foundation of a robust database is its security, and MariaDB is no exception. Therefore, post-installation, it is widely advocated by industry professionals to execute the security script associated with the installation. This script fortifies the MariaDB installation by amending its default settings, typically seen as insecure, thus shielding the system from potential exploitations or unauthorized intrusions.

You can run the MariaDB security script, namely mysql_secure_installation, by issuing this command:

sudo mysql_secure_installation

nce the security script is executed, the subsequent step involves adjusting the various settings. These changes include the configuration of the root password, restriction of remote access, elimination of anonymous user accounts, and removal of the test database. Each adjustment adds a layer of security to your MariaDB installation and aids in warding off potential security threats.

Securing Your MariaDB Installation: A Detailed Walkthrough

Establishing the Starting Point

When setting out to enhance the security of your MariaDB, it’s not uncommon to feel overwhelmed at first. However, the mysql_secure_installation script is your unwavering ally in this endeavor, methodically leading you through the maze of configurations. Let’s dissect each step in this process to gain a comprehensive understanding of the journey.

As you set off, the script requires you to input the current root password. In the case of a brand-new MariaDB installation, you needn’t worry; a simple press of the enter key suffices, propelling you further into the configuration process.

Activation of Unix_Socket Authentication

Moving along, you’ll encounter a decision point. The script suggests enabling unix_socket authentication. By typing ‘Y’ and then pressing the ENTER key, you signal your agreement to this proposition, erecting an impenetrable firewall. This firewall stands unyielding, ensuring that no entity can gain access to the MariaDB root user domain without the requisite permissions.

Strengthening Your Defense: Changing the Root Password

As the process continues, you’re presented with an opportunity to fortify your defenses by modifying the root password. If you opt to bolster your protection, confirming your choice by typing ‘Y’ and pressing the ENTER key will solidify your decision. A more robust password equates to heightened defense against potential intruders.

Eradicating Phantom Users

Progressing further, the script queries about eliminating anonymous users. These spectral entities, if left unchecked, could potentially inject security vulnerabilities into your production environment. By typing ‘Y’ and pressing the ENTER key, you decide to expel these phantoms, thereby enhancing the security of your installation.

Prohibiting Remote Root Logins

Your journey then offers a choice to forbid root login from remote locations. This measure, which aids security, thwarts external entities from attempting to guess the root password over the network. Type ‘Y’, followed by the ENTER key to enforce this precautionary measure.

Purging the Test Database

As you approach the journey’s end, the script encourages you to delete the ‘test’ database, accessible to everyone. This database, if not addressed, could become a security loophole in a production environment. By typing ‘Y’ and pressing the ENTER key, you opt to remove this potential vulnerability, further fortifying your MariaDB installation.

Section 3: PHP and PHP-FPM Installation – An Integral Part of the LEMP Stack

The final component of the LEMP stack is the PHP service, acting as the bridge between Nginx and MariaDB. This bridging is accomplished by the PHP-FPM service in combination with extra modules required by phpMyAdmin. In case you prefer installing a different version of PHP, you can follow our guide on how to install PHP on Debian Linux, which elucidates the installation of a specific PHP version tailored to your needs.

Step 1: PHP and PHP-FPM Installation

To install PHP, PHP-FPM, and the required modules on your Debian system, run the following command in your terminal:

sudo apt install php-fpm php php-cli php-mysql php-curl

Step 2: Verifying PHP Service Status

Post-installation, it becomes critical to confirm the status of the PHP service. This validation is similar to what you did for MariaDB, ensuring that PHP is enabled and operates flawlessly without any errors. The command is contingent on the version of PHP installed; in our case, it was PHP 8.2.

systemctl status php8.2-fpm

Step 3: Activating PHP Service

If the PHP service is not yet active, the following command enables it and ensures it auto-starts with every system reboot.

sudo systemctl enable php-fpm --now

This command will activate the PHP-FPM service and ensure it starts automatically during each system boot-up.

Section 4: Integrating PHP-FPM with Nginx Server Block

For Nginx to collaborate effectively with PHP, it’s necessary to modify the server block configuration file of Nginx. These modifications guide Nginx on how to interact with PHP-FPM, enabling efficient processing of PHP files.

Step 1: Modifying Nginx Server Block

Locate your Nginx server block file and append the following lines to it:

location ~ \.php$ {
  fastcgi_pass unix:/run/php/php8.2-fpm.sock;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  include fastcgi_params;
  include snippets/fastcgi-php.conf;
  fastcgi_buffer_size 128k;
  fastcgi_buffers 4 128k;
  fastcgi_intercept_errors on;

The configuration above enables Nginx to hand over PHP requests to the PHP-FPM service. The fastcgi_pass line indicates the Unix socket used by the PHP-FPM service. If you need more examples or a more comprehensive understanding of server blocks, please refer to our guide on how to install WordPress with LEMP on Debian Linux.

Step 2: Validating Nginx Configuration

Post modification, it’s imperative to verify your changes to ensure there are no syntax errors. The following command tests your Nginx configuration:

sudo nginx -t

This command checks your entire Nginx configuration for syntax errors. If any errors are identified, it outputs them, allowing you to rectify them immediately.

Step 3: Restarting Nginx Service

Upon successful validation, the next step is to restart the Nginx service. This step ensures that all the changes made to the configuration file take effect:

sudo systemctl restart nginx

This command reboots the Nginx service, and with it, the newly integrated PHP-FPM will start interacting with Nginx.

Section 5: Establishing a Test Landing Page

Preparation for Testing

To ensure that the configuration settings for Nginx and PHP-FPM have been correctly set up, it’s advisable to construct a sample test site. The following instructions guide you on creating a simple index.html file for testing purposes.

Creating a Web Directory

If you haven’t already, you need to create a web directory. This directory will host your website’s files. Let’s create one named under the /var/www/html/ directory:

sudo mkdir -p /var/www/html/

Configuring Permissions

Now, you need to alter the permissions of the directory. The $USER variable can be used to set the ownership of the directory to the currently logged in user:

sudo chown -R $USER:$USER /var/www/html/

To ensure public accessibility to the web directory (enabling users to visit your site), set the permissions using chmod 755:

sudo chmod -R 755 /var/www

Crafting a Test HTML File

Next, create a basic index.html file:

sudo nano /var/www/html/

Paste the following content into the file. This basic HTML structure is purely for testing purposes.

    <title>You have reached!</title>
    <h1>Congratulations! The server block is active!</h1>

Save the file using CTRL+O and then exit using CTRL+X.

Activating the Nginx Server Block

As you approach the conclusion, it’s time to activate the server block configuration file. You need to create a symbolic link (symlink) for the server block configuration file from the sites-available directory to the sites-enabled directory with the following command:

sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Validating the Nginx Server Block

Before restarting or reloading your Nginx service, it’s crucial to validate your server block configuration file, especially in a live environment. Run the following command to test your server block configuration file:

sudo nginx -t

If everything is in order, you should see the following messages indicating the successful syntax and configuration check:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Finally, open your web browser and enter your domain address (in this case, to verify if your server is accessible.

Section 6: Enhancing LEMP Security with Let’s Encrypt SSL Certificate

One of the critical steps to solidify your server’s security and build trust with your users is to set up an SSL certificate for your website. By doing so, you’ll be able to run your Nginx server over HTTPS, providing an encrypted channel between your server and your users.

For this purpose, we’ll use Let’s Encrypt, an initiative by the nonprofit Internet Security Research Group (ISRG) that provides free, automated SSL certificates.

Installation of Certbot

To begin the SSL certificate setup, you need to install the certbot package. This utility simplifies obtaining and deploying SSL certificates from Let’s Encrypt. Use the following command to install certbot:

sudo apt install python3-certbot-nginx -y

Generation and Deployment of SSL Certificate

After successfully installing certbot, you can initiate the creation of your SSL certificate. Execute the following command to generate and apply an SSL certificate to your Nginx server:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email -d

This command encompasses several features and parameters:

  • --nginx: This indicates that certbot should automatically configure Nginx for SSL.
  • --agree-tos: This parameter indicates your agreement with Let’s Encrypt’s terms of service.
  • --redirect: It instructs certbot to set up a 301 redirect from HTTP to HTTPS.
  • --hsts: It enables the HTTP Strict Transport Security (HSTS) header, which instructs browsers to always use HTTPS.
  • --staple-ocsp: This flag enables OCSP Stapling, a method by which the server periodically queries the certificate issuer’s servers for a signed, time-stamped record of the certificate’s status.

Please remember to replace and with your email address and your domain name respectively.

With these settings in place, your website is now accessible via instead of the insecure Any attempts to access your website over HTTP will be automatically redirected to the HTTPS version, ensuring secure connections at all times.


Installing a LEMP stack on a Debian Linux distribution is a systematic and well-documented process. Throughout the steps, we have managed to install Nginx as the web server, MariaDB as the database server, and PHP for dynamic web content processing. Furthermore, we’ve secured our server block with Let’s Encrypt’s SSL certificate. This forms a comprehensive and secure environment for hosting various web applications.

Taking the time to thoroughly understand each component in the LEMP stack is critical. Not only will it enhance your skills as a system administrator, but it will also enable you to troubleshoot effectively if issues arise. Remember, the LEMP stack’s modularity is its strength. Each component can be tailored and optimized to suit your project’s specific needs.

Additional Resources and Links

To broaden your understanding and help you dive deeper into the world of LEMP stack on Debian Linux, here are some official documentation and resources that you might find useful:

  • Official Debian Documentation: This is the go-to resource for any Debian-related queries. It contains extensive documentation on various aspects of the Debian distribution.
  • Nginx Official Documentation: Comprehensive guide to all things Nginx. Excellent resource for understanding its configuration and directives.
  • MariaDB Knowledge Base: A rich source of information for understanding MariaDB, its usage, and optimization.
  • Official PHP Documentation: Covers every aspect of PHP from basic syntax to advanced features.
  • Let’s Encrypt Documentation: For in-depth knowledge about Let’s Encrypt SSL certificates and their deployment.
  • Certbot User Guide: Detailed information about Certbot, a tool that simplifies the process of using Let’s Encrypt SSL certificates.

Share to...