@githubcom13
Last active November 26, 2019 09:04
Install Nginx 1.16, Let's Encrypt wildcard SSL, PHP 7.3 FPM 7.3.11, MySQL 8, phpMyAdmin 4.6, Postfix 3.4 on Ubuntu 19.10 x64 (Eoan Ermine)
package versions:
- nginx-extras 1.16.1
- php7.3 fpm 7.3.11
- mysql 8.0.18
- phpmyadmin 4.6.6-5
- postfix 3.4.5-1
- certbot
- certbot-dns-digitalocean
update & upgrade
----------------
$ sudo apt update
$ sudo apt upgrade
install nginx-extras 1.16.1
---------------------------
$ wget http://archive.ubuntu.com/ubuntu/pool/universe/n/nginx/nginx-extras_1.16.1-0ubuntu2_amd64.deb
$ sudo apt-get install ./nginx-extras_1.16.1-0ubuntu2_amd64.deb
$ sudo adduser www-data www-data
$ sudo chown -R www-data:www-data /var/www/html
install php7.3 fpm 7.3.11
-------------------------
$ wget http://archive.ubuntu.com/ubuntu/pool/universe/p/php7.3/php7.3-fpm_7.3.11-0ubuntu0.19.10.1_amd64.deb
$ sudo apt-get install ./php7.3-fpm_7.3.11-0ubuntu0.19.10.1_amd64.deb
install mysql-server 8.0.18 & mysql-client 8.0.18
-------------------------------------------------
1. download the MySQL repositories
$ wget -c https://dev.mysql.com/get/mysql-apt-config_0.8.14-1_all.deb
2. install the MySQL repositories
$ sudo apt-get install ./mysql-apt-config_0.8.14-1_all.deb
3. Refresh the Repositories
$ sudo apt-get update
4. Install MySQL
$ sudo apt-get install mysql-server
5. Set up MySQL Security
$ sudo mysql_secure_installation
6. Start, Stop, or Check Status of MySQL Service
$ sudo service mysql status
$ sudo service mysql stop
$ sudo service mysql start
* https://phoenixnap.com/kb/how-to-install-mysql-on-ubuntu-18-04
install phpmyadmin 4.6.6-5
--------------------------
1. install phpmyadmin
$ wget http://archive.ubuntu.com/ubuntu/pool/universe/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
$ sudo apt-get install ./phpmyadmin_4.6.6-5_all.deb
2. create a symbolic link to the phpMyAdmin files in the web root
$ cd /var/www/html
$ sudo ln -s /usr/share/phpmyadmin/ phpmyadmin
3. create the user and password for HTTP basic auth (htpasswd needs the user name as its last argument; -c creates the file)
$ sudo apt install apache2-utils
$ sudo htpasswd -c /etc/nginx/.pma_pass <user>
$ sudo cat /etc/nginx/.pma_pass
4. add to /etc/nginx/sites-available/default, inside the server block. The file name must match the one created above, including the leading dot. The PHP handler is nested under a ^~ location because otherwise the server-level "location ~ \.php$" wins for /phpmyadmin/index.php and serves it without the auth:
    location ^~ /phpmyadmin {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/.pma_pass;
        location ~ \.php$ {
            include fastcgi_params; fastcgi_pass unix:/run/php/php7.3-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
enable Firewall for http, https, SMTP, IMAP, IMAPS, POP3, POP3S
---------------------------------------------------------------
$ sudo ufw allow 'OpenSSH'
$ sudo ufw allow 'Nginx Full'
$ sudo ufw allow 'Postfix'
$ sudo ufw allow 22
$ sudo ufw allow 25
$ sudo ufw allow 80
$ sudo ufw allow 443
$ sudo ufw allow 143
$ sudo ufw allow 993
$ sudo ufw allow 110
$ sudo ufw allow 995
$ sudo ufw enable
$ sudo ufw status
install Postfix 3.4.5-1
-----------------------
$ wget http://archive.ubuntu.com/ubuntu/pool/main/p/postfix/postfix_3.4.5-1ubuntu1_amd64.deb
$ sudo apt-get install ./postfix_3.4.5-1ubuntu1_amd64.deb
$ sudo chown -R postfix:postfix /var/lib/postfix
(only Postfix's own state directory; do not chown all of /var or /var/lib to postfix, since MySQL, PHP-FPM and nginx keep their state there and would lose access to their own files)
$ sudo systemctl restart postfix
install SSL certificate
-----------------------
Retrieve and automatically renew Let's Encrypt wildcard SSL certificates
with the certbot-dns-digitalocean plugin and the DigitalOcean API. The
dns_digitalocean plugin completes the dns-01 challenge by creating, and
afterwards removing, the required TXT records through the DigitalOcean API.
1. create an API token here: https://cloud.digitalocean.com/settings/api/tokens and store it in the credentials file passed to certbot below (~/.secrets/certbot/digitalocean.ini, key dns_digitalocean_token); keep the file readable by its owner only, certbot warns when it is world-readable
2. install certbot and the certbot-dns-digitalocean plugin, then request one certificate covering the apex and the wildcard (Let's Encrypt does not issue certificates for a bare IP address, so the server IP cannot be a -d value; the wildcard is quoted so the shell does not expand it)
$ sudo apt install certbot
$ sudo apt install python3-certbot-dns-digitalocean
$ sudo certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 -d domain.com -d '*.domain.com'
3. certificate renewal: renew the certificate every Monday night and reload nginx afterwards (root's crontab)
$ sudo crontab -e
30 4 * * 1 certbot renew
40 4 * * 1 /etc/init.d/nginx reload
4. check config & restart Nginx
$ sudo nginx -t
$ sudo /etc/init.d/nginx reload
* https://certbot-dns-digitalocean.readthedocs.io/en/stable/
* https://www.digitalocean.com/community/tutorials/how-to-retrieve-let-s-encrypt-ssl-wildcard-certificates-using-cloudflare-validation-on-centos-7
5. install the dhparam.pem file (the ffdhe2048 group published by Mozilla; -o is needed because a shell redirect would run without sudo)
$ sudo curl -o /etc/letsencrypt/live/domain.com/dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt
6. copy the Nginx config into /etc/nginx/sites-available/default
https://ssl-config.mozilla.org/#server=nginx&server-version=1.16.1&config=intermediate
my sample file as used in a production environment:
-------------------------------------------------------------------------------------
server {
    root /var/www/html;
    index index.php index.html;
    server_name domain.com *.domain.com 123.123.123.123;

    listen 80;
    listen [::]:80;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # Use the Let's Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # DH parameters (ffdhe2048 group downloaded from Mozilla above)
    ssl_dhparam /etc/letsencrypt/live/domain.com/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # (chain.pem holds the intermediates; cert.pem is only the leaf and cannot verify the response)
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    # replace with the IP address of your resolver
    resolver 8.8.8.8 8.8.4.4;

    # redirect www to non-www (anchored so "www." is only matched at the start of the host)
    if ($http_host ~ "^www\.(.*)$") {
        return 301 $scheme://$1$request_uri;
    }

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    # For Let's Encrypt http-01 challenges (the dns-01 flow above does not need it)
    location ~ ^/\.well-known/ {
        root /var/www/html;
        allow all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;   # resolves to /etc/nginx/fastcgi_params; including it once is enough
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    }
}
-------------------------------------------------------------------------------------
7. reload Nginx
$ sudo /etc/init.d/nginx reload
8. create the folder for http-01 challenges (the dns-01 flow above does not use it):
$ sudo mkdir -p /var/www/html/.well-known/acme-challenge
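A check worth running after editing the server block (an added example, not part of the gist): the shell function below audits a server block for the settings this guide sets (TLS 1.2/1.3 only, HSTS, session tickets off, OCSP stapling) and verifies that every file named by ssl_certificate, ssl_certificate_key, ssl_dhparam, ssl_trusted_certificate and auth_basic_user_file exists, which catches the pma_pass/.pma_pass mismatch from the phpMyAdmin section that nginx -t does not report. The server block it audits is a constructed sample written to a temp dir; point audit_nginx_tls at /etc/nginx/sites-available/default to run it against a real file.

```shell
#!/usr/bin/env bash
# Audit an nginx server block for the TLS settings this guide sets and for referenced
# files that do not exist: nginx -t never opens auth_basic_user_file, so a path typo
# (pma_pass vs .pma_pass) only shows up as a 500 on the first phpMyAdmin login.
# Prints one finding per line; returns the number of findings (0 = clean).
audit_nginx_tls() {
    conf="$1"; findings=0
    # Legacy protocol versions (the guide allows TLSv1.2 and TLSv1.3 only).
    for p in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' "$conf"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "FAIL: legacy protocol $p enabled"; findings=$((findings+1)) ;;
        esac
    done
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" \
        || { echo "FAIL: no HSTS header"; findings=$((findings+1)); }
    grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off' "$conf" \
        || { echo "WARN: ssl_session_tickets not off (ticket keys are not rotated without a reload)"; findings=$((findings+1)); }
    grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf" \
        || { echo "WARN: OCSP stapling disabled"; findings=$((findings+1)); }
    # Every file-valued directive must name an existing absolute path.
    for d in ssl_certificate ssl_certificate_key ssl_dhparam ssl_trusted_certificate auth_basic_user_file; do
        for path in $(sed -n "s/^[[:space:]]*$d[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$conf"); do
            case "$path" in
                /*) [ -e "$path" ] || { echo "FAIL: $d -> $path does not exist"; findings=$((findings+1)); } ;;
                *)  echo "WARN: $d -> $path is relative (resolved against the nginx prefix)"; findings=$((findings+1)) ;;
            esac
        done
    done
    return "$findings"
}
# Constructed sample (not a real server): TLSv1 still enabled and the auth file named
# pma_pass while the file on disk is .pma_pass, the two mistakes fixed in this guide.
write_sample_conf() {   # $1 = config file to write, $2 = directory for the referenced files
    : >"$2/fullchain.pem"; : >"$2/privkey.pem"; : >"$2/.pma_pass"
    cat >"$1" <<EOF
server {
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
    ssl_certificate $2/fullchain.pem;
    ssl_certificate_key $2/privkey.pem;
    ssl_session_tickets off;
    location /phpmyadmin {
        auth_basic_user_file $2/pma_pass;
    }
}
EOF
}
# Stand-alone run: audit the constructed sample in a temp dir and report the count.
tmp=$(mktemp -d); write_sample_conf "$tmp/default" "$tmp"
if audit_nginx_tls "$tmp/default"; then echo clean; else echo "findings: $?"; fi   # findings: 4
rm -rf "$tmp"
```

The return value is the finding count, so `audit_nginx_tls /etc/nginx/sites-available/default || echo "needs attention"` fits in a deploy script.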
install fail2ban
----------------
$ sudo apt-get install fail2ban
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
install matomo
--------------
https://github.com/matomo-org/matomo
DONE
Suggestions and comments are welcome
Last Modified: 2019-11-26