Amazon Linux AMI Install Linux, nginx, MySQL, PHP (LEMP)

Amazon Linux AMI LEMP stack installation

The procedure is as follows:

1. Update Amazon Linux AMI, run sudo yum update
2. Install Nginx, execute: sudo yum install nginx
3. Let us install MySQL database server, execute: sudo yum install mysql57-server
4. Set up PHP version 7.3, execute:
5. Open port 80 using iptables firewall
6. Test your LEMP stack running on Amazon AMI Linux

Let us see all steps and examples in details.

1. Update your Amazon Linux AMI system

Check for the updates using the yum command and apply security updates on Amazon Linux AMI:
yum check-update
sudo yum update -y

Reboot the Linux system powered by Amazon Linux AMI if kernel update was installed:
sudo reboot

2. Install Nginx web server

Nginx is a web server and a reverse proxy server for HTTP/HTTPS and more. It is part of LEAP stack. Simply type the following yum command to install it on Amazon Linux AMI:
sudo yum search nginx
sudo yum info nginx
sudo yum install nginx

As usual, nginx web server does not start on Amazon Linux AMI. To start nginx server running, execute the following service command:
sudo service nginx start
Enable service at boot time using the chkconfig command sudo chkconfig nginx on
Verify that nginx service is running with help of pgrep command/ss command/netstat command commands:
sudo service nginx status
pgrep nginx
ss -tlpn | grep :80

Open port TCP port 80

Edit the file:
sudo vi /etc/sysconfig/iptables
Append the following line to open TCP port 80 before final DROP rule:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Save and close the file. Restart the firewall:
sudo service iptables restart
See “Set Up a Basic Iptables Firewall on Amazon Linux AMI” for more info about IPv4 and IPv6 firewall.

Test it

Fire a web browser and type your public IPv4 address such as:
http://1.2.3.4/
http://your-domain-mapped-to-public-ip-com/
http://202.1.2.3/

3. Install MySQL database server

The first step is to search for MySQL DB version, run:
yum list mysql*-server
Sample outputs:

Loaded plugins: priorities, update-motd, upgrade-helper
Available Packages
mysql-server.noarch                          5.5-1.6.amzn1                             amzn-main   
mysql51-server.x86_64                        5.1.73-8.72.amzn1                         amzn-main   
mysql55-server.x86_64                        5.5.62-1.23.amzn1                         amzn-updates
mysql56-server.x86_64                        5.6.45-1.34.amzn1                         amzn-updates
mysql57-server.x86_64                        5.7.27-1.13.amzn1                         amzn-updates

Now you know all about MySQL version, let us install MySQL DB version 5.7.x on Amazon Linux AMI to store data on our LEMP stack:
sudo yum info mysql57-server
sudo yum install mysql57-server

Enable MySQL service

sudo chkconfig mysqld on

Start MySQL service

sudo service mysqld start
Make sure server is running, run:
sudo service mysqld status

Secure MySQL server

Next run the following command to improve the security of your MySQL installation in the following ways:

• Set a password for root accounts.
• Remove root accounts that are accessible from outside the local host.
• Delete anonymous-user accounts.
• Erase the test database (which by default can be accessed by all users, even anonymous users), and privileges that permit anyone to access databases with names that start with test_.

sudo /usr/bin/mysql_secure_installation
Sample session:

New password: 
 
Re-enter new password: 
 
Estimated strength of the password: 100 
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : Y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
 
Remove anonymous users? (Press y|Y for Yes, any other key for No) : Y
Success.
 
 
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
 
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Y
Success.
 
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
 
 
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
 - Dropping test database...
Success.
 
 - Removing privileges on test database...
Success.
 
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
 
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y
Success.
 
All done!

4. Install PHP 7.3

Now that we have Nginx and MySQL installed, it is time to install PHP. Again, list PHP versions, run:
yum list php*-fpm
Sample outputs:

Loaded plugins: priorities, update-motd, upgrade-helper
Available Packages
php-fpm.x86_64                         5.3.29-1.8.amzn1                         amzn-main   
php54-fpm.x86_64                       5.4.45-1.75.amzn1                        amzn-main   
php55-fpm.x86_64                       5.5.38-2.119.amzn1                       amzn-main   
php56-fpm.x86_64                       5.6.40-1.142.amzn1                       amzn-updates
php70-fpm.x86_64                       7.0.33-1.32.amzn1                        amzn-updates
php71-fpm.x86_64                       7.1.32-1.42.amzn1                        amzn-updates
php72-fpm.x86_64                       7.2.22-1.16.amzn1                        amzn-updates
php73-fpm.x86_64                       7.3.9-1.19.amzn1                         amzn-updates

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. It is recommend that you use php73-fpm with Nginx, run:
sudo yum install php73-fpm

Installing additional PHP modules

• php73-gd – A module for PHP applications for using the gd graphics library.
• php73-mysqlnd – A module for PHP applications that use MySQL databases.
• php73-opcache – The Zend OPcache provides faster PHP execution through opcode caching and optimization. It improves PHP performance by storing precompiled script bytecode in the shared memory.
• php73-pdo – The php-pdo package contains a dynamic shared object that will add database access abstraction layer to PHP. This module provides a common interface for accessing MySQL, PostgreSQL or other databases.
• php73-xmlrpc – The php-xmlrpc package contains a dynamic shared object that will add support for the XML-RPC protocol to PHP.

To install them, run:
sudo yum install php73-gd php73-mysqlnd php73-opcache php73-xmlrpc php73-pdo

One can search and list addional php modules using:
yum list php73-*

Enable the PHP-fpm service

sudo chkconfig php-fpm on

Start the PHP-fpm service

sudo service php-fpm start

Check status of the PHP-fpm service

sudo service php-fpm status
Verify that Unix socket is up and running for PHP-FPM using the ls command:
ls -l /var/run/php-fpm/www.sock

Restart Nginx service

Use the cat command to list config:
cat /etc/nginx/conf.d/php-fpm.conf
You must restart Nginx to activate PHP support via /var/run/php-fpm/www.sock socket:
sudo servive nginx restart

PHP configuration

PHP is configured using the /etc/nginx/default.d/php.conf file as follows:
cat /etc/nginx/default.d/php.conf
Sample outputs:

# pass the PHP scripts to FastCGI server
#
# See conf.d/php-fpm.conf for socket configuration
#
index index.php index.html index.htm;
 
location ~ \.(php|phar)(/.*)?$ {
    fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
 
    fastcgi_intercept_errors on;
    fastcgi_index  index.php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  PATH_INFO $fastcgi_path_info;
    fastcgi_pass   php-fpm;
}

Edit the /etc/php-fpm.d/www.conf file:
sudo vi /etc/php-fpm.d/www.conf
Find the apache in the user and group:
user = apache
group = apache
Replace with the nginx:
user = nginx
group = nginx
Make sure you restart/reload PHP-fpm whenever you make config changes:
sudo service php-fpm reload

Test PHP installation on Amazon Linux AMI

Create a file name test.php in /usr/share/nginx/html, run:
sudo vi /usr/share/nginx/html/test.php
Append the following text:

<?php
// test server with php support 
     phpinfo();
?>

Fire a web browser such as Firefox and type your public IPv4 address such as:
http://1.2.3.4/test.php
http://your-domain-mapped-to-public-ip-com/test.php
http://202.1.2.3/test.php

Nginx server configuration

Import files:

• Main config file – /etc/nginx/nginx.conf
• PHP-FPM FastCGI socket/server config file – /etc/nginx/conf.d/php-fpm.conf
• Enable PHP 7.3 scripts to FastCGI server for Nginx – /etc/nginx/default.d/php.conf
• Virtual Domain – /etc/nginx/conf.d/ (put each domain config file in this directory)

Sample Nginx virtual domain config:

A sample config for server1.cyberciti.biz virtual domain:
cat /etc/nginx/conf.d/server1.cyberciti.biz

#
# A virtual host 
#
server {
    listen       80;
    server_name  server1.cyberciti.biz server1;
 
    location / {
        root   /www/domains/server1.cyberciti.biz/http;
        index  index.html index.htm;
    }
}

Make sure you restart/reload nginx when you change/update Nginx config files:
sudo service nginx configtest
sudo service nginx reload

Customize MySQL server

You need to edit the /etc/my.cnf file:
cat /etc/my.cnf
Sample outputs:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld according to the
# instructions in http://fedoraproject.org/wiki/Systemd
 
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Again, restart/reload the MySQL service whenever you made change to config:
sudo service mysqld restart

Conclusion

You studied how to install Linux, nginx, MySQL, PHP (LEMP) stack on Amazon Linux AMI. For more information, please see the following resources:

• Top 25 Nginx Web Server Best Security Practices
• Linux 25 PHP Security Best Practices For Sys Admins
• 40 Linux Server Hardening Security Tips [2019 edition]
• See EC2/Lightsail