LEMP is an acronym for Linux, nginx, MySQL, and PHP. This page explains how to set up PHP 7.3, MySQL database server, and nginx stack on Amazon Linux AMI running on EC2 or Lightsail to run dynamic web apps.
Amazon Linux AMI LEMP stack installation
The procedure is as follows:
- Update Amazon Linux AMI, run sudo yum update
- Install Nginx, execute: sudo yum install nginx
- Let us install MySQL database server, execute: sudo yum install mysql57-server
- Set up PHP version 7.3, execute:
- Open port 80 using iptables firewall
- Test your LEMP stack running on Amazon AMI Linux
Let us see all steps and examples in details.
1. Update your Amazon Linux AMI system
Check for the updates using the yum command and apply security updates on Amazon Linux AMI:
yum check-update
sudo yum update -y
Reboot the Linux system powered by Amazon Linux AMI if kernel update was installed:
sudo reboot
2. Install Nginx web server
Nginx is a web server and a reverse proxy server for HTTP/HTTPS and more. It is part of LEAP stack. Simply type the following yum command to install it on Amazon Linux AMI:
sudo yum search nginx
sudo yum info nginx
sudo yum install nginx
As usual, nginx web server does not start on Amazon Linux AMI. To start nginx server running, execute the following service command:
sudo service nginx start
Enable service at boot time using the chkconfig command
sudo chkconfig nginx on
Verify that nginx service is running with help of pgrep command/ss command/netstat command commands:
sudo service nginx status
pgrep nginx
ss -tlpn | grep :80
Open port TCP port 80
Edit the file:
sudo vi /etc/sysconfig/iptables
Append the following line to open TCP port 80 before final DROP rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Save and close the file. Restart the firewall:
sudo service iptables restart
See “Set Up a Basic Iptables Firewall on Amazon Linux AMI” for more info about IPv4 and IPv6 firewall.
Test it
Fire a web browser and type your public IPv4 address such as:
http://1.2.3.4/
http://your-domain-mapped-to-public-ip-com/
http://202.1.2.3/
3. Install MySQL database server
The first step is to search for MySQL DB version, run:
yum list mysql*-server
Sample outputs:
Loaded plugins: priorities, update-motd, upgrade-helper Available Packages mysql-server.noarch 5.5-1.6.amzn1 amzn-main mysql51-server.x86_64 5.1.73-8.72.amzn1 amzn-main mysql55-server.x86_64 5.5.62-1.23.amzn1 amzn-updates mysql56-server.x86_64 5.6.45-1.34.amzn1 amzn-updates mysql57-server.x86_64 5.7.27-1.13.amzn1 amzn-updates |
Now you know all about MySQL version, let us install MySQL DB version 5.7.x on Amazon Linux AMI to store data on our LEMP stack:
sudo yum info mysql57-server
sudo yum install mysql57-server
Enable MySQL service
sudo chkconfig mysqld on
Start MySQL service
sudo service mysqld start
Make sure server is running, run:
sudo service mysqld status
Secure MySQL server
Next run the following command to improve the security of your MySQL installation in the following ways:
- Set a password for root accounts.
- Remove root accounts that are accessible from outside the local host.
- Delete anonymous-user accounts.
- Erase the test database (which by default can be accessed by all users, even anonymous users), and privileges that permit anyone to access databases with names that start with test_.
sudo /usr/bin/mysql_secure_installation
Sample session:
New password: Re-enter new password: Estimated strength of the password: 100 Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y Success. Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y Success. By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y Success. All done! |
4. Install PHP 7.3
Now that we have Nginx and MySQL installed, it is time to install PHP. Again, list PHP versions, run:
yum list php*-fpm
Sample outputs:
Loaded plugins: priorities, update-motd, upgrade-helper Available Packages php-fpm.x86_64 5.3.29-1.8.amzn1 amzn-main php54-fpm.x86_64 5.4.45-1.75.amzn1 amzn-main php55-fpm.x86_64 5.5.38-2.119.amzn1 amzn-main php56-fpm.x86_64 5.6.40-1.142.amzn1 amzn-updates php70-fpm.x86_64 7.0.33-1.32.amzn1 amzn-updates php71-fpm.x86_64 7.1.32-1.42.amzn1 amzn-updates php72-fpm.x86_64 7.2.22-1.16.amzn1 amzn-updates php73-fpm.x86_64 7.3.9-1.19.amzn1 amzn-updates |
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. It is recommend that you use php73-fpm with Nginx, run:
sudo yum install php73-fpm
Installing additional PHP modules
- php73-gd – A module for PHP applications for using the gd graphics library.
- php73-mysqlnd – A module for PHP applications that use MySQL databases.
- php73-opcache – The Zend OPcache provides faster PHP execution through opcode caching and optimization. It improves PHP performance by storing precompiled script bytecode in the shared memory.
- php73-pdo – The php-pdo package contains a dynamic shared object that will add database access abstraction layer to PHP. This module provides a common interface for accessing MySQL, PostgreSQL or other databases.
- php73-xmlrpc – The php-xmlrpc package contains a dynamic shared object that will add support for the XML-RPC protocol to PHP.
To install them, run:
sudo yum install php73-gd php73-mysqlnd php73-opcache php73-xmlrpc php73-pdo
One can search and list addional php modules using:
yum list php73-*
Enable the PHP-fpm service
sudo chkconfig php-fpm on
Start the PHP-fpm service
sudo service php-fpm start
Check status of the PHP-fpm service
sudo service php-fpm status
Verify that Unix socket is up and running for PHP-FPM using the ls command:
ls -l /var/run/php-fpm/www.sock
Restart Nginx service
Use the cat command to list config:
cat /etc/nginx/conf.d/php-fpm.conf
You must restart Nginx to activate PHP support via /var/run/php-fpm/www.sock socket:
sudo servive nginx restart
PHP configuration
PHP is configured using the /etc/nginx/default.d/php.conf file as follows:
cat /etc/nginx/default.d/php.conf
Sample outputs:
# pass the PHP scripts to FastCGI server # # See conf.d/php-fpm.conf for socket configuration # index index.php index.html index.htm; location ~ \.(php|phar)(/.*)?$ { fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$; fastcgi_intercept_errors on; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass php-fpm; } |
Edit the /etc/php-fpm.d/www.conf file:
sudo vi /etc/php-fpm.d/www.conf
Find the apache in the user and group:
user = apache
group = apache
Replace with the nginx:
user = nginx
group = nginx
Make sure you restart/reload PHP-fpm whenever you make config changes:
sudo service php-fpm reload
Test PHP installation on Amazon Linux AMI
Create a file name test.php in /usr/share/nginx/html, run:
sudo vi /usr/share/nginx/html/test.php
Append the following text:
<?php
// test server with php support
phpinfo();
?> |
Fire a web browser such as Firefox and type your public IPv4 address such as:
http://1.2.3.4/test.php
http://your-domain-mapped-to-public-ip-com/test.php
http://202.1.2.3/test.php
Nginx server configuration
Import files:
- Main config file – /etc/nginx/nginx.conf
- PHP-FPM FastCGI socket/server config file – /etc/nginx/conf.d/php-fpm.conf
- Enable PHP 7.3 scripts to FastCGI server for Nginx – /etc/nginx/default.d/php.conf
- Virtual Domain – /etc/nginx/conf.d/ (put each domain config file in this directory)
Sample Nginx virtual domain config:
A sample config for server1.cyberciti.biz virtual domain:
cat /etc/nginx/conf.d/server1.cyberciti.biz
# # A virtual host # server { listen 80; server_name server1.cyberciti.biz server1; location / { root /www/domains/server1.cyberciti.biz/http; index index.html index.htm; } } |
Make sure you restart/reload nginx when you change/update Nginx config files:
sudo service nginx configtest
sudo service nginx reload
Customize MySQL server
You need to edit the /etc/my.cnf file:
cat /etc/my.cnf
Sample outputs:
[mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links=0 # Settings user and group are ignored when systemd is used. # If you need to run mysqld under a different user or group, # customize your systemd unit file for mysqld according to the # instructions in http://fedoraproject.org/wiki/Systemd [mysqld_safe] log-error=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid |
Again, restart/reload the MySQL service whenever you made change to config:
sudo service mysqld restart
Conclusion
You studied how to install Linux, nginx, MySQL, PHP (LEMP) stack on Amazon Linux AMI. For more information, please see the following resources:
- Top 25 Nginx Web Server Best Security Practices
- Linux 25 PHP Security Best Practices For Sys Admins
- 40 Linux Server Hardening Security Tips [2019 edition]
- See EC2/Lightsail
1 comment
Have a question or comment regarding LEMP on Amazon Linux AMI? Post it on our forum thread