"Because in 2025, deploying a web server without proper security is like leaving your front door open with a sign saying 'Free Laptop Inside' 🚪💻"
🔐 Hardened Web Server: LEMP/LAMP Stack with A+ TLS
💼 Executive Summary
- Production-ready web server configuration
- A+ SSL Labs rating guaranteed
- Least privilege database access
- Automated TLS certificate management
🏗️ Technical Architecture
Why This Matters
This setup provides a secure foundation that meets modern compliance requirements while maintaining performance and manageability.
1️⃣ Step 1: Install & Configure Nginx
Terminal
sudo apt update && sudo apt install nginx -y
sudo systemctl enable --now nginx
sudo ufw allow 'Nginx Full'
/etc/nginx/sites-available/default
server {
    listen 80;
    server_name sys.elijahu.me;
    location / {
        try_files $uri $uri/ =404;
    }
    autoindex off;
}
2️⃣ Step 2: Secure MySQL/MariaDB
Terminal
sudo apt install mysql-server -y
sudo mysql_secure_installation
MySQL Shell
CREATE DATABASE demo;
CREATE USER 'demo_user'@'localhost' IDENTIFIED BY 'StrongP@ssw0rd!2025';
GRANT SELECT, INSERT, UPDATE, DELETE ON demo.* TO 'demo_user'@'localhost';
FLUSH PRIVILEGES;
3️⃣ Step 3: Harden PHP
Terminal
sudo apt install php-fpm php-mysql -y
sudo systemctl restart php7.4-fpm
/etc/php/7.4/fpm/php.ini
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,passthru,shell_exec,system
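A setting edited by hand is easy to get wrong (a later duplicate key overrides it, "on" in lowercase still enables it, one function missing from the list). The audit below, added here and not part of the original post, reads a php.ini the way PHP does (last assignment wins, `;` comments ignored) and reports every directive that deviates from the Step 3 values. The two php.ini files it checks are constructed in a temp directory; the real path on the page is /etc/php/7.4/fpm/php.ini.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini against the
# Step 3 directives. The sample files below are constructed, not real server files.

# ini_value FILE KEY -> print the effective value of KEY. A later assignment
# overrides an earlier one (as PHP itself does); ';' comments are ignored.
ini_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*;/ { next }                    # whole-line comment
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/;.*$/, "", v)                   # trailing inline comment
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# audit_php_ini FILE -> one line per check; return value = number of failures
audit_php_ini() {
    f="$1"; fails=0
    for pair in expose_php=Off display_errors=Off log_errors=On; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(ini_value "$f" "$key")"
        # PHP accepts On/1/true/yes and Off/0/false/no; normalise before comparing
        case "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" in
            on|1|true|yes)   norm=On ;;
            off|0|false|no)  norm=Off ;;
            "")              norm="<unset>" ;;
            *)               norm="$got" ;;
        esac
        if [ "$norm" = "$want" ]; then
            printf 'ok   %s = %s\n' "$key" "$want"
        else
            printf 'FAIL %s is %s (want %s)\n' "$key" "$norm" "$want"
            fails=$((fails + 1))
        fi
    done
    # every function from the Step 3 list must appear in disable_functions
    disabled=",$(ini_value "$f" disable_functions | tr -d ' '),"
    for fn in exec passthru shell_exec system; do
        case "$disabled" in
            *",$fn,"*) printf 'ok   disable_functions blocks %s\n' "$fn" ;;
            *)         printf 'FAIL disable_functions does not block %s\n' "$fn"
                       fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed samples: a stock-looking php.ini and the hardened one from Step 3.
SAMPLE_DIR="$(mktemp -d)"
PHP_INI_WEAK="$SAMPLE_DIR/php.ini.weak"
PHP_INI_HARD="$SAMPLE_DIR/php.ini.hard"
cat > "$PHP_INI_WEAK" <<'EOF'
[PHP]
; constructed sample: defaults before hardening
expose_php = On
display_errors = on   ; lowercase still means enabled
log_errors = On
disable_functions =
EOF
cat > "$PHP_INI_HARD" <<'EOF'
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,passthru,shell_exec,system
EOF

audit_php_ini "$PHP_INI_WEAK" || printf '%s finding(s) in %s\n' "$?" "$PHP_INI_WEAK"
audit_php_ini "$PHP_INI_HARD" && printf 'no findings in %s\n' "$PHP_INI_HARD"
```

Run it against the live file with `audit_php_ini /etc/php/7.4/fpm/php.ini`; a non-zero exit status is the count of deviations, which makes it usable from a deployment check. The exit status also answers a question the raw file does not: whether a second `expose_php = On` further down silently undoes the hardening.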
4️⃣ Step 4: Firewall & TLS
Terminal
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo certbot --nginx -d sys.elijahu.me
Nginx SSL Config
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/sys.elijahu.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sys.elijahu.me/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
5️⃣ Step 5: Deploy Demo Site
Terminal
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;
sudo systemctl reload nginx
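The three Step 5 commands set the layout once; they do not tell you when a later upload or deploy drifts away from it (a world-writable uploads directory, a script left executable). The script below, added here and not part of the original post, audits a web root against that layout (directories 755, files 644, a single owner) and applies the Step 5 commands as the fix. It builds its own sample tree in a temp directory, and the owner is a parameter rather than the hard-coded www-data because the machine running it may not have that account; the chown from Step 5 is applied only when running as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root against the
# Step 5 layout and fix it. The sample tree is constructed in a temp dir.

# audit_webroot DIR OWNER -> prints every deviation; return value = count
audit_webroot() {
    root="$1"; owner="$2"
    findings="$(
        # directories that are not exactly rwxr-xr-x (e.g. a 777 uploads dir)
        find "$root" -type d ! -perm 755 -exec printf 'dir  not 755: %s\n' {} \;
        # files that are not exactly rw-r--r-- (world-writable, or scripts left +x)
        find "$root" -type f ! -perm 644 -exec printf 'file not 644: %s\n' {} \;
        # anything not owned by the web-server account
        find "$root" ! -user "$owner" -exec printf 'not owned by %s: %s\n' "$owner" {} \;
    )"
    if [ -z "$findings" ]; then
        printf 'clean: %s\n' "$root"
        return 0
    fi
    printf '%s\n' "$findings"
    return "$(( $(printf '%s\n' "$findings" | wc -l) ))"
}

# fix_webroot DIR OWNER -> the Step 5 commands, parameterised
fix_webroot() {
    root="$1"; owner="$2"
    # chown needs root; skipped otherwise so the example runs as a normal user
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$root"
    fi
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
}

# make_sample_webroot -> creates a constructed tree with two defects, prints its path
make_sample_webroot() {
    base="$(mktemp -d)"; root="$base/html"
    mkdir -p "$root/static" "$root/uploads"
    printf '<h1>demo</h1>\n' > "$root/index.html"
    printf '<?php echo 1; ?>\n' > "$root/info.php"
    chmod 755 "$root" "$root/static"
    chmod 644 "$root/index.html"
    chmod 777 "$root/uploads"     # constructed defect: world-writable directory
    chmod 755 "$root/info.php"    # constructed defect: executable script file
    printf '%s\n' "$root"
}

ME="$(id -un)"
DEMO_ROOT="$(make_sample_webroot)"
audit_webroot "$DEMO_ROOT" "$ME" || printf '%s finding(s) before fix\n' "$?"
fix_webroot "$DEMO_ROOT" "$ME"
audit_webroot "$DEMO_ROOT" "$ME"
```

On the server the call is `audit_webroot /var/www/html www-data`; because `-perm 644` and `-perm 755` are exact matches, a file with an extra bit set (setuid, group-write) is reported too, not only the obviously wrong modes. Pair it with a cron job and the 403 in the Troubleshooting section becomes something you see in a report before a visitor does.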
🐞 Troubleshooting
🔧 Common Issues
- 403 Forbidden: Verify ownership of /var/www/html
- PHP Errors: Check php-fpm service status
- SSL Issues: Renew certificates with sudo certbot renew
🛡️ Advanced Security
Hardening Measures
- Fail2ban for SSH protection
- Automatic security updates
- Read-only filesystems for static content
Monitoring
- Lynis audits
- OSSEC intrusion detection
- Prometheus metrics
🏁 Conclusion
This hardened server configuration provides enterprise-grade security while maintaining performance. For production deployments, consider adding:
- Web Application Firewall (WAF)
- DDoS protection
- Regular penetration testing