Deploying a LEMP Stack with Let’s Encrypt on Debian 12

Deploying a LEMP stack (Linux, Nginx, MySQL, PHP) on Debian 12 is a straightforward process. This guide will walk you through each step to get your server up and running with these technologies.

Prerequisites

  • A Debian 12 server.
  • A user with sudo privileges.
  • Basic understanding of the terminal and SSH.

Step 1: Update Your System

Before starting the installation, it’s a good practice to update the package index and upgrade your system.

sudo apt update && sudo apt upgrade -y

Step 2: Install Nginx

Nginx is a powerful web server that will handle HTTP requests for your application.

sudo apt install nginx -y

After installation, start and enable Nginx to run on boot.

sudo systemctl start nginx
sudo systemctl enable nginx

You can verify that Nginx is running by visiting your server’s IP address in a web browser. You should see the default Nginx welcome page.

Step 3: Install MySQL

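MySQL is a widely used database management system. Debian 12's default repositories do not provide a mysql-server package; they ship MariaDB, a MySQL-compatible server, through the default-mysql-server package. Install it using the following command:

sudo apt install default-mysql-server -y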

After installation, run the security script to improve the security of your MySQL installation.

sudo mysql_secure_installation

This script will guide you through setting a root password and configuring security settings. Follow the prompts to complete the setup.

Step 4: Install PHP

PHP is a server-side scripting language used for web development. Install PHP and some common modules using the following command:

sudo apt install php-fpm php-mysql -y

This command installs PHP and the PHP-FPM (FastCGI Process Manager) package, which is needed for Nginx to process PHP files, as well as the MySQL extension for PHP.

Step 5: Configure Nginx to Use PHP Processor

We need to configure Nginx to use the PHP processor. Open the default Nginx server block configuration file for editing.

sudo nano /etc/nginx/sites-available/default

Modify the file to include the following configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.php index.html index.htm;

    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

Save and close the file, then test the configuration.

sudo nginx -t

If the test is successful, reload Nginx to apply the changes.

sudo systemctl reload nginx

Step 6: Test PHP

To test PHP, create a new file called info.php in the web root directory.

sudo nano /var/www/html/info.php

Add the following PHP code to the file:

<?php
phpinfo();
?>

Save and close the file. Now, visit http://your_server_ip/info.php in your web browser. You should see a page displaying detailed information about your PHP installation.

Step 7: Secure Your Installation

To improve the security of your installation, remove the info.php file after confirming that PHP is working.

sudo rm /var/www/html/info.php

Additionally, configure the firewall to allow only necessary traffic. Assuming you are using UFW (Uncomplicated Firewall), you can allow HTTP and HTTPS traffic with the following command:

sudo ufw allow 'Nginx Full'

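Enable the firewall if it is not already enabled. UFW denies incoming connections by default, so if you administer this server over SSH, make sure a rule allowing SSH is in place before you enable it.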

sudo ufw enable
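
The info.php cleanup in this step can be verified rather than assumed. The following sweep is an added example, not part of the original guide; it lists every PHP file under the web root that still calls phpinfo(), and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative.
# Only *.php is scanned: the server block in Step 5 hands only paths matching
# \.php$ to PHP-FPM, so other files are never executed as PHP.

# Print each PHP file under the web root that contains a phpinfo() call.
# PHP function names are case-insensitive, hence -i. A commented-out call is
# reported too; review those by hand.
find_phpinfo_pages() {
    webroot=${1:-/var/www/html}   # default: the root used in this guide
    find "$webroot" -type f -name '*.php' \
        -exec grep -liE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null | sort
}

# Exit status: 0 = clean, 1 = phpinfo() page found, 2 = web root missing.
audit_webroot() {
    root=${1:-/var/www/html}
    if [ ! -d "$root" ]; then
        echo "web root not found: $root" >&2
        return 2
    fi
    hits=$(find_phpinfo_pages "$root")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/phpinfo() page still present: /' >&2
        return 1
    fi
    return 0
}
```

Source the file and run audit_webroot /var/www/html after deleting info.php; a non-zero status means a diagnostic page is still being served or the path is wrong.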

Step 8: Secure Your Site with Let’s Encrypt

Install Certbot

First, install Certbot and the Nginx plugin:

sudo apt install certbot python3-certbot-nginx -y

Obtain an SSL Certificate

Run the following command to obtain an SSL certificate. Replace your_domain with your actual domain name.

sudo certbot --nginx -d your_domain -d www.your_domain

You will be prompted to enter your email address and agree to the terms of service. Certbot will then communicate with Let’s Encrypt to obtain and install the SSL certificate for your domain.

Verify the Installation

After Certbot completes, it will automatically configure Nginx to use the newly obtained certificate. To verify the SSL setup, visit your website using https:// (e.g., https://your_domain). You should see a secure connection indicated by a padlock icon in the browser address bar.

Automate Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. Certbot can automatically renew them, and it’s recommended to set up a cron job to handle this process. The Certbot package includes a script that renews all installed certificates and reloads Nginx to apply the changes when necessary.

Open the crontab editor:

sudo crontab -e

Add the following line to schedule the renewal check to run twice daily:

0 0,12 * * * /usr/bin/certbot renew --quiet

This cron job will run certbot renew twice a day. If the certificate is due for renewal, Certbot will renew it and reload Nginx to apply the changes.

Conclusion

You have successfully secured your LEMP stack with a Let’s Encrypt SSL certificate on Debian 12. Your website now benefits from HTTPS, enhancing security and improving user trust. Regularly monitor your server and keep all software up to date to maintain a secure and reliable web server.
