Install Nginx, PHP and MySQL

I’m going to use nginx rather than the more traditional Apache2, because it is more efficient and on a low-power device like the Pi that’s going to be important. I’m also going to install PHP5 (with PHP APC to make it faster than normal) and MySQL as these are pretty common technologies I’m likely to use (I may later play with nodejs and other databases, but for now a standard PHP/MySQL set up is fine). Type (all on one line):

Wait while all of these are set up. Follow any prompts that appear – yes you do want to set a password for the MySQL root user, choose one and remember it.

As I use the new Raspberry Pi 2 B with 4 cores, I don’t need to change that setting in the worker_processes. If you have the dual core, change the value from 4 to 2.

Inside the http { … } block we want to un-comment the ‘server_tokens off’ line;

Enabling this line stops nginx from reporting which version it is to browsers; which helps to stop people from learning your nginx version and then Googling for exploits they might be able to use to hack you.

Put a # in front of line: keepalive_timeout: 65;. We we’ll add our own one in a bit.

We’re also going to add some lines under the Gzip section. Gzip compresses the files before they are sent over the network; which means a faster transfer. Gzipping them does take a bit of time as the Pi will have to zip them all before it sends them. Usually it’s a good trade off and ends up with a faster responding website. You can experiment with this on and off to see which is better for you. You want that section to look like this:

We’re telling nginx to only Gzip files above a certain size, setting some buffers, and telling it which filetypes to Gzip. We’re also setting how compressed to be in gzip_comp_level. It accepts values from 1 to 9; 1 is the least compressed but fastest to compute. 9 is the most compressed but slowest to compute. With the Pi being a low power CPU I’ve chosen a middle-ground value of 6. We’ll also harden nginx against DDOS attacks a little bit by setting some more values. Add these somewhere inside the http block:

All we’re doing here is limiting the amount of time nginx will wait for client connections. Keeping these short means that it’s a bit harder to flood nginx into a state of unresponsiveness. Hit Ctrl + X to exit, save your changes. We also need to set a few sane defaults for nginx when we want to use PHP with it. Enabling PHP support is not a global change, instead we can enable nginx to use PHP for specific virtual hosts, or even for specific directories within a specific virtual host. To set up some nice defaults we can import into virtual hosts as we go, type:

Now, make sure your block looks just like the one below (which is taken directly from the official nginx wiki article)

Setting up PHP

The default settings for PHP will work fine and it’s already pretty well optimised (it even uses Unix sockets rather than TCP to communicate with nginx), but from a security standpoint we can ensure that PHP’s FPM module will only listen to nginx (and therefore is less likely to be hacked) by typing:

And un-commenting the lines listen.owner and listen.group. Save and exit the file.

Securing MySQL

MySQL ships with a few conveniences that are supposed to be removed when put on a real server, to do that type:

Carefully read all the prompts and answer them.