In this tutorial you will learn how to install an Apache web server and MariaDB (MySQL) on Debian servers. In addition, we'll explain how to install a number of helpful programs and web services on the servers, such as:
I am doing this on a Debian 11 server (RS 2000) but this guide should also work on other Debian versions.
This tutorial contains content sourced from these documents: https://github.com/SanCraftDev/Debian-Setup/blob/main/README.md and https://github.com/louislam/uptime-kuma.
You need a Debian server with an internet connection. The server should be accessible from the internet via a static IP on port 80 and 443.
You also need root permissions on your server.
First, we need to install snapd and Certbot to obtain SSL certificates:
apt update && apt upgrade -y && apt autoremove -y
apt install curl sudo wget apache2-utils nano git snapd cron zip unzip tar screen openssl software-properties-common dirmngr apt-transport-https -y
snap install core; snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
{ crontab -l 2>/dev/null; echo "$(( $RANDOM % 60 )) $(( $RANDOM % 3 + 3 )) * * * sudo certbot renew --dry-run" ; } | crontab -
Now we are going to install Apache2 and configure it:
apt install apache2 libapache2-mod-php brotli -y
a2enmod rewrite headers env dir mime proxy proxy_http proxy_wstunnel headers ssl http2 expires filter brotli
a2disconf other-vhosts-access-log
{ crontab -l 2>/dev/null; echo "* * * * * chown -R www-data:www-data /var/www" ; } | crontab -
cd /etc/apache2
nano apache2.conf
Press CTRL + W to search for <Directory /var/www/>
.
Search for the line AllowOverride None
and replace it with AllowOverride All
.
- AllowOverride None
+ AllowOverride All
Now add the following at the end of the file:
Protocols h2 h2c http/1.1
SetOutputFilter BROTLI_COMPRESS
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-brotli
<IfModule mod_headers.c>
## Serve brotli compressed CSS files if they exist
### and the client accepts brotli.
RewriteCond "%{HTTP:Accept-encoding}" "br"
RewriteCond "%{REQUEST_FILENAME}\.br" "-s"
RewriteRule "^(.*)\.css" "$1\.css\.br" [QSA]
## Serve brotli compressed JS files if they exist
# and the client accepts brotli.
RewriteCond "%{HTTP:Accept-encoding}" "br"
RewriteCond "%{REQUEST_FILENAME}\.br" "-s"
RewriteRule "^(.*)\.js" "$1\.js\.br" [QSA]
Header set Vary *
## Serve correct content types, and prevent double compression.
RewriteRule "\.css\.br$" "-" [T=text/css,E=no-brotli:1]
RewriteRule "\.js\.br$" "-" [T=text/javascript,E=no-brotli:1]
<FilesMatch "(\.js\.br|\.css\.br)$">
## Serve correct encoding type.
Header append Content-Encoding br
## Force proxies to cache brotli &
## non-brotli css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
Save your changes by pressing CTRL + X, then y.
Now we generate a self-signed certificate for the undefined Apache2 hosts:
openssl req -nodes -new -x509 -subj '/CN=*' -sha256 -keyout /etc/ssl/privkey.pem -out /etc/ssl/fullchain.pem -days 365000
Next, we redirect every HTTP request over HTTPS and delete the Apache2 default configs, as we don't need them:
rm sites-enabled/000-default.conf
rm sites-enabled/000-default-le-ssl.conf
rm sites-enabled/default-ssl.conf
rm -r /var/www/html # run this only if you know that you do not have anything saved inside this folder
nano sites-enabled/0-http.conf
Paste these lines into the file:
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/http-error.log
</VirtualHost>
<VirtualHost *:443>
ErrorLog ${APACHE_LOG_DIR}http-error.log
SSLCertificateFile /etc/ssl/fullchain.pem
SSLCertificateKeyFile /etc/ssl/privkey.pem
</VirtualHost>
Save your changes by first pressing CTRL + X, then y and finally by hitting ENTER.
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
apt update
apt install zip unzip redis-server libapache2-mod-php8.0 libapache2-mod-fcgid libmagickcore-6.q16-6-extra php-dompdf php-pear php8.0 php8.0-{cli,gd,mysql,pdo,mbstring,tokenizer,bcmath,xml,fpm,curl,zip,common,intl,redis,opcache,readline,xsl,bz2,imagick,bcmath,gmp,sqlite3,apcu} -y
nano /etc/php/8.0/apache2/php.ini
Now we have to configure PHP:
apc.enable_cli = 1
to the first empty line. This is sometimes required by Nextcloud as it enables the use of APCu from the CLI. memory_limit = 128M
.
memory_limit = 1024M
or use more/less RAM (M = megabytes of RAM).post_max_size = 8M
.
post_max_size = 10G
. This defines the maximum file size for uploading. You can set this value lower if you don't plan to upload 10-gigabyte files (for example, 100M for maximum 100 megabyte files). upload_max_filesize = 2M
.
upload_max_filesize = 10G
. This defines the maximum file size for uploading. You can set this value lower if you don't plan to upload 10-gigabyte files (for example, 100M for a maximum of 100-megabtye files). ;date.timezone =
.
date.timezone = Europe/Berlin
(or change it to your time zone). a2enmod proxy_fcgi setenvif
a2enconf php8.0-fpm
cp /etc/php/8.0/apache2/php.ini /etc/php/8.0/cli/php.ini
cp /etc/php/8.0/apache2/php.ini /etc/php/8.0/fpm/php.ini
a2dismod php*
a2dismod mpm_prefork
a2enmod mpm_event
service apache2 restart
service php8.0-fpm restart
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer
{ crontab -l 2>/dev/null; echo "$(( $RANDOM % 60 )) $(( $RANDOM % 3 + 3 )) * * * curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer" ; } | crontab -
apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
add-apt-repository 'deb [arch=amd64,i386,arm64,ppc64el] https://mirror.netcologne.de/mariadb/repo/10.5/debian bullseye main'
apt install mariadb-server mariadb-client -y
mysql_secure_installation
Press Enter
Press y
Press y
Set a secure password
Press y
Press y
Press y
Press y
mysql -u root -p
root
as username) and "PASSWORD" with a secure password:CREATE USER 'USERNAME'@'localhost' IDENTIFIED BY 'PASSWORD';
GRANT ALL PRIVILEGES ON *.* TO 'Username'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
exit;
First, make sure your domain or subdomain is linked to your server in its DNS settings.
In the following commands, replace every DOMAIN
with your domain or subdomain:
certbot certonly --apache -d DOMAIN
.nano /etc/apache2/sites-enabled/DOMAIN.conf
. <VirtualHost *:443>
ServerName DOMAIN
DocumentRoot /var/www/FOLDER
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log
Header always set Strict-Transport-Security "max-age=15552000"
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
</VirtualHost>
DOMAIN
with your domain and set a folder path under "DocumentRoot". All files in this folder will be available via your DOMAIN in the web.mkdir /var/www/FOLDER
. service apache2 restart
. Note:
If you are doing this directly on a domain and NOT on a subdomain, or want to make the site available on more sites, I recommend adding a server alias to the configuration as you see below. (If you want to make this site available on any subdomain that looks like abc
, you can also add abc.*
as the server alias.)
For this change you need to regenerate the SSL certificate with certbot certonly --apache -d DOMAIN,www.DOMAIN,web.DOMAIN,sub.DOMAIN
.
<VirtualHost *:443>
ServerName DOMAIN
+ ServerAlias www.DOMAIN web.DOMAIN
DocumentRoot /var/www/FOLDER
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log
Header always set Strict-Transport-Security "max-age=15552000"
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
</VirtualHost>
Download and configure phpMyAdmin:
curl -L https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip -o phpmyadmin.zip
unzip phpmyadmin.zip
rm phpmyadmin.zip
mv phpMyAdmin-*-all-languages pma
mv pma /var/www
nano /var/www/pma/config.inc.php
Add the following lines and change x1rfsRmlidz69R3vKvxpDVl6lbOReX0Emc3sVD0ZkpXh4ek12zMZCWJJi722Se36M0fiRdRDPk05ePcO4W0l8bP8vJMcMhoLVSs
to make it unique. This will make the cookies used by phpMyAdmin more secure.
<?php
declare(strict_types=1);
$cfg['blowfish_secret'] = 'x1rfsRmlidz69R3vKvxpDVl6lbOReX0Emc3sVD0ZkpXh4ek12zMZCWJJi722Se36M0fiRdRDPk05ePcO4W0l8bP8vJMcMhoLVSs';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
Save your changes by pressing CTRL + X, then y and finally by hitting ENTER.
Now you have two options:
DocumentRoot /var/www/FOLDER
to DocumentRoot /var/www/pma
). Then you can open phpMyAdmin over this domain/subdomain. You are now finished with the installation of phpMyAdmin. nano /etc/apache2/sites-enabled/FILE.conf
Now add a new line with the following content:
Alias /pma /var/www/pma
You only need to add this one line to the existing file.
It should look like in the example below. The green line must be added (but without the + at the beginning of the line):
<VirtualHost *:443>
ServerName DOMAIN
+ Alias /pma /var/www/pma
DocumentRoot /var/www/FOLDER
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log
Header always set Strict-Transport-Security "max-age=15552000"
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
</VirtualHost>
Restart Apache2 by running service apache2 restart
.
You can open phpMyAdmin via https://DOMAIN/pma and log in with your data from Step 1.4.2.
If you have phpMyAdmin from Step 1.6 installed, open phpMyAdmin and enter your username and password from Step 1.4.2.
wordpress
if you want to use the database for a WordPress site). Run the following commands:
mysql -u root -p
wordpress
if you want to use the database for a WordPress site) and replace "PASSWORD" with a secure password:CREATE USER 'USERNAME'@'localhost' IDENTIFIED BY 'PASSWORD';
CREATE DATABASE USERNAME;
GRANT ALL PRIVILEGES ON USERNAME.* TO 'USERNAME'@'localhost';
FLUSH PRIVILEGES;
exit;
Now your user has been created and you can connect to the database via localhost.
Information on how to properly install additional webservices can be found in the following tutorials:
You have now installed a web server with PHP and a MySQL/MariaDB database.
This tutorial contains content sourced from https://github.com/SanCraftDev/Debian-Setup/blob/main/README.md and https://github.com/louislam/uptime-kuma.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
By making a contribution to this project, I certify that:
The contribution was created in whole or in part by me and I have the right to submit it under the license indicated in the file; or
The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same license (unless I am permitted to submit under a different license), as indicated in the file; or
The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the license(s) involved.