Welcome to our comprehensive guide on building and securing a high-availability LAMP stack for enterprise applications on both Debian and RHEL distributions. This guide will take you through each step in detail, ensuring you have a robust and secure environment for your critical business applications.
1. Introduction
The LAMP stack (Linux, Apache, MySQL/MariaDB, PHP/Perl/Python) is a popular open-source web platform used to run dynamic websites and servers. This guide will walk you through the installation and configuration process for a high-availability enterprise setup, followed by essential security practices to safeguard your environment.
2. Prerequisites
Before we begin, ensure you have:
- A fresh installation of Debian or RHEL
- Root or sudo access to the server
- A basic understanding of the command line
3. Installing and Configuring the High-Availability LAMP Stack
Debian
Step 1: Update Your System
sudo apt update && sudo apt upgrade -y
Step 2: Install Apache
sudo apt install apache2 -y
Enable Apache to start on boot:
sudo systemctl enable apache2
Step 3: Install MySQL/MariaDB
sudo apt install mariadb-server -y
Secure the MySQL installation:
sudo mysql_secure_installation
Step 4: Install PHP
sudo apt install php libapache2-mod-php php-mysql -y
Restart Apache to apply changes:
sudo systemctl restart apache2
RHEL
Step 1: Update Your System
sudo yum update -y
Step 2: Install Apache
sudo yum install httpd -y
Enable Apache to start on boot:
sudo systemctl enable httpd
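Step 3: Install MySQL/MariaDB
sudo yum install mariadb-server mariadb -y
Start MariaDB and enable it on boot (mysql_secure_installation needs a running server):
sudo systemctl enable --now mariadb
Secure the MySQL installation:
sudo mysql_secure_installation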
Step 4: Install PHP
sudo yum install php php-mysql -y
Restart Apache to apply changes:
sudo systemctl restart httpd
4. Enhancing Security
Secure Apache
- Disable directory listing:
sudo nano /etc/apache2/apache2.conf # Debian
sudo nano /etc/httpd/conf/httpd.conf # RHEL
# Add/Modify the following line within the <Directory> directive
Options -Indexes
- Enable mod_security and mod_evasive:
sudo apt install libapache2-mod-security2 libapache2-mod-evasive -y # Debian
sudo yum install mod_security mod_evasive -y # RHEL
# Enable mod_security
sudo a2enmod security2 # Debian
# Enable mod_evasive
sudo a2enmod evasive # Debian
# Restart Apache so the modules are loaded
sudo systemctl restart apache2 # Debian
sudo systemctl restart httpd # RHEL
Secure MySQL
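- Disable remote root login and remove test database:
mysql -u root -p
# Inside MySQL shell
-- Remove anonymous accounts
DELETE FROM mysql.user WHERE User='';
-- Remove root accounts that can log in from other hosts
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-- Remove the test database
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;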
- Configure MySQL for SSL connections:
sudo nano /etc/mysql/my.cnf # Debian
sudo nano /etc/my.cnf # RHEL
# Add the following lines under [mysqld]
ssl-ca=/etc/mysql/ca.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
Secure PHP
- Disable unnecessary functions:
sudo nano /etc/php/7.4/apache2/php.ini # Debian
sudo nano /etc/php.ini # RHEL
# Add/Modify the following line
disable_functions = exec,passthru,shell_exec,system
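The settings in this section are easy to get subtly wrong (a key under the wrong my.cnf section, a commented-out php.ini line), so the following script checks them after editing. It is an added example, not part of the original guide; the function names are hypothetical and the file paths are whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example: audit the hardening settings from the section above.
# Function names are hypothetical; pass the paths used on your distribution.

# Print active Options lines that turn directory listing on
# (Indexes, +Indexes or All). Exit status 0 means at least one was found.
apache_listing_enabled() {
    grep -niE '^[[:space:]]*Options[[:space:]]' "$1" |
        grep -iE '[[:space:]]\+?(Indexes|All)([[:space:]]|$)'
}

# Succeed only if ssl-ca, ssl-cert and ssl-key are all set inside the
# [mysqld] section; the same keys under [client] do not count.
mysqld_tls_configured() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && /^[ \t]*ssl[-_](ca|cert|key)[ \t]*=/ {
            k = $0
            sub(/^[ \t]*ssl[-_]/, "", k)
            sub(/[ \t]*=.*/, "", k)
            seen[k] = 1
        }
        END { exit !(seen["ca"] && seen["cert"] && seen["key"]) }
    ' "$1"
}

# Print each function from the guide's disable_functions list that the
# last active (uncommented) disable_functions line in php.ini omits.
php_missing_disabled() {
    local have f
    have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
           tail -n 1 | sed 's/;.*//' | tr -d ' \t"')
    for f in exec passthru shell_exec system; do
        case ",$have," in
            *",$f,"*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Run directly as: audit.sh <apache-conf> <my.cnf> <php.ini>
if [ "$#" -eq 3 ]; then
    if apache_listing_enabled "$1"; then echo "FAIL: listing enabled in $1"; fi
    mysqld_tls_configured "$2" || echo "FAIL: TLS keys missing in [mysqld] of $2"
    missing=$(php_missing_disabled "$3")
    [ -z "$missing" ] || echo "FAIL: still callable per $3: $missing"
fi
```

Effective settings can also come from included files (conf.d directories, per-site Apache configuration), so run the checks against every file the service actually loads.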
5. Additional Components
Load Balancer
Install HAProxy:
sudo apt install haproxy -y # Debian
sudo yum install haproxy -y # RHEL
# Configure HAProxy
sudo nano /etc/haproxy/haproxy.cfg
# Add a basic configuration for load balancing
frontend http_front
    bind *:80
    default_backend http_back
backend http_back
    balance roundrobin
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check
# Start and enable HAProxy
sudo systemctl start haproxy
sudo systemctl enable haproxy
Caching
Install Redis:
sudo apt install redis-server -y # Debian
sudo yum install redis -y # RHEL
# Configure Redis to start on boot
sudo systemctl enable redis
sudo systemctl start redis
Search Engine
Install Elasticsearch:
# Add Elasticsearch repository
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - # Debian
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # RHEL
# Add repository to the sources list
sudo nano /etc/apt/sources.list.d/elastic-7.x.list # Debian
# Add: deb https://artifacts.elastic.co/packages/7.x/apt stable main
sudo nano /etc/yum.repos.d/elasticsearch.repo # RHEL
# Add: [elasticsearch]
# name=Elasticsearch repository for 7.x packages
# baseurl=https://artifacts.elastic.co/packages/7.x/yum
# gpgcheck=1
# gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# enabled=1
# autorefresh=1
# type=rpm-md
# Install Elasticsearch
sudo apt update && sudo apt install elasticsearch -y # Debian
sudo yum install elasticsearch -y # RHEL
# Start and enable Elasticsearch
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
6. Monitoring and Maintenance
Install Prometheus and Grafana
Install Prometheus:
# Download Prometheus
wget https://github.com/prometheus/prometheus/releases/download/v2.26.0/prometheus-2.26.0.linux-amd64.tar.gz
tar -xvf prometheus-2.26.0.linux-amd64.tar.gz
cd prometheus-2.26.0.linux-amd64
# Move binaries to appropriate locations
sudo mv prometheus /usr/local/bin/
sudo mv promtool /usr/local/bin/
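# Create configuration file
sudo mv prometheus.yml /etc/prometheus.yml
# Create the unprivileged service account and data directory used by the unit below
sudo useradd --system --no-create-home --shell /usr/sbin/nologin prometheus
sudo mkdir -p /var/lib/prometheus
sudo chown prometheus /var/lib/prometheus
# Create a systemd service file for Prometheus
sudo nano /etc/systemd/system/prometheus.service
# Add the following content:
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
ExecStart=/usr/local/bin/prometheus --config.file /etc/prometheus.yml --storage.tsdb.path /var/lib/prometheus
[Install]
WantedBy=default.target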
# Reload systemd and start Prometheus
sudo systemctl daemon-reload
sudo systemctl start prometheus
sudo systemctl enable prometheus
Install Grafana:
# Add the Grafana signing key so apt can verify the repository
wget -qO - https://packages.grafana.com/gpg.key | sudo apt-key add - # Debian
# Add Grafana repository
sudo nano /etc/apt/sources.list.d/grafana.list # Debian
# Add: deb https://packages.grafana.com/oss/deb stable main
sudo nano /etc/yum.repos.d/grafana.repo # RHEL
# Add: [grafana]
# name=grafana
# baseurl=https://packages.grafana.com/oss/rpm
# repo_gpgcheck=1
# enabled=1
# gpgcheck=1
# gpgkey=https://packages.grafana.com/gpg.key
# Install Grafana
sudo apt update && sudo apt install grafana -y # Debian
sudo yum install grafana -y # RHEL
# Start and enable Grafana
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
7. Conclusion
Congratulations! You’ve successfully built and secured a high-availability LAMP stack on both Debian and RHEL distributions. This comprehensive guide should serve as a solid foundation for your enterprise applications, ensuring both performance and security.