Magento Open Source is a fantastic platform, and Magento Setup gets your stores online. This tutorial walks you through setting up Magento behind the high-performance web server Nginx and securing it with a Let's Encrypt SSL certificate.
Prerequisites
- Server running Ubuntu 18.04
- SSH enabled
- HTTP and HTTPS ports open and reachable from the web
SSH into your instance, then update the system and install the dependencies, MySQL and Nginx:
sudo apt update && sudo apt upgrade
sudo apt install unzip certbot
sudo apt-get -y install nginx
sudo apt install mysql-server
Let's secure the database and set the MySQL root password:
sudo mysql_secure_installation
Log in to the MySQL command line and run the following statements to create the database and a user for Magento's database access:
CREATE DATABASE magentodb;
CREATE USER 'magentoadmin'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON magentodb.* TO 'magentoadmin'@'localhost';
FLUSH PRIVILEGES;
exit;
Next, create the magento user, group and folder, and set the correct permissions:
sudo useradd -m -U -r -d /opt/magento magento
sudo usermod -a -G magento www-data
sudo -u magento mkdir -p /opt/magento/public_html
sudo chmod 750 /opt/magento
Install the PHP extensions Magento requires:
sudo apt install php7.2-common php7.2-cli php7.2-fpm php7.2-opcache php7.2-gd php7.2-mysql php7.2-curl php7.2-intl php7.2-xsl php7.2-mbstring php7.2-zip php7.2-bcmath php7.2-soap
Adjust the PHP-FPM settings to Magento's requirements:
sudo sed -i 's/memory_limit = .*/memory_limit = 2048M/' /etc/php/7.2/fpm/php.ini
sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 256M/' /etc/php/7.2/fpm/php.ini
sudo sed -i 's/zlib.output_compression = .*/zlib.output_compression = on/' /etc/php/7.2/fpm/php.ini
sudo sed -i 's/max_execution_time = .*/max_execution_time = 18000/' /etc/php/7.2/fpm/php.ini
sudo sed -i 's/;date.timezone.*/date.timezone = UTC/' /etc/php/7.2/fpm/php.ini
sudo sed -i 's/;opcache.save_comments.*/opcache.save_comments = 1/' /etc/php/7.2/fpm/php.ini
Now create a dedicated PHP-FPM pool for Magento:
sudo vim /etc/php/7.2/fpm/pool.d/magento.conf
Add the following pool definition (the [magento] section header names the pool and is required; PHP-FPM rejects the file without it):
[magento]
user = magento
group = www-data
listen.owner = magento
listen.group = www-data
listen = /var/run/php/php7.2-fpm-magento.sock
pm = ondemand
pm.max_children = 50
pm.process_idle_timeout = 10s
pm.max_requests = 500
chdir = /
Restart PHP-FPM to load the new pool:
sudo systemctl restart php7.2-fpm
Now download and install Composer:
curl -sS https://getcomposer.org/installer -o composer-setup.php
sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
For stronger TLS key exchange, generate a 4096-bit Diffie-Hellman parameter file for the Nginx configuration below (this can take several minutes):
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Now install Magento via the Composer method. Switch to the magento user first:
sudo su - magento
composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition /opt/magento/public_html
Composer will ask for your Magento Marketplace authentication keys (public key as username, private key as password) when it contacts repo.magento.com. Then run the installer with your own values in place of the placeholders (the database password is the one from the CREATE USER statement above):
cd ~/public_html
php bin/magento setup:install \
  --base-url=https://mywebsite.com/ \
  --base-url-secure=https://mywebsite.com/ \
  --admin-firstname=FirstName \
  --admin-lastname=LastName \
  --admin-email="admin@mywebsite.com" \
  --admin-user=admin \
  --admin-password="youradminpassword" \
  --db-host=localhost \
  --db-name=magentodb \
  --db-user=magentoadmin \
  --db-password="yourpassword" \
  --currency=USD \
  --timezone=America/Chicago \
  --use-rewrites=1
php ~/public_html/bin/magento cron:install
Create the Nginx server block
sudo vim /etc/nginx/sites-available/mywebsite.com
Add the following configuration to /etc/nginx/sites-available/mywebsite.com:
upstream fastcgi_backend {
    server unix:/var/run/php/php7.2-fpm-magento.sock;
}

server {
    listen 80;
    server_name mywebsite.com;
    include snippets/letsencrypt.conf;

    # Redirect everything except the ACME challenge location included above.
    # A server-level "return" would execute before location matching and
    # catch the challenge requests as well.
    location / {
        return 301 https://mywebsite.com$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name mywebsite.com;

    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); keep them only if you must
    # support legacy clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;
    keepalive_timeout 300s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    include snippets/letsencrypt.conf;

    set $MAGE_ROOT /opt/magento/public_html;
    set $MAGE_MODE developer; # or production
    access_log /var/log/nginx/mywebsite.com-access.log;
    error_log /var/log/nginx/mywebsite.com-error.log;
    include /opt/magento/public_html/nginx.conf.sample;
}
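The protocol list and cipher string above still allow TLS 1.0/1.1, 3DES and static-RSA suites. As an added example (not part of the tutorial's configuration), this shell function audits those directives in any server block before you reload; the weak and hardened samples it runs over are constructed here.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit the TLS directives of an Nginx
# server block before reloading it. Reads a config on stdin and prints one
# finding per line. Assumes explicit suite names (as above), not aliases like HIGH.
audit_tls_config() {
  conf=$(cat)
  # Protocol list: TLS 1.0 and 1.1 were retired by RFC 8996.
  protos=$(printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
  for p in SSLv3 TLSv1 TLSv1.1; do
    case " $protos " in *" $p "*) echo "WEAK protocol: $p" ;; esac
  done
  # Cipher string: strip the optional quotes, then judge each suite.
  ciphers=$(printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
  old_ifs=$IFS; IFS=':'
  for c in $ciphers; do
    case "$c" in
      '!'*) ;;                      # exclusion such as !DSS, not an enabled suite
      *DES-CBC3*) echo "WEAK cipher (3DES): $c" ;;
      ECDHE-*|DHE-*|EDH-*) ;;       # ephemeral key exchange: forward secret
      *) echo "NO-PFS cipher (static RSA key exchange): $c" ;;
    esac
  done
  IFS=$old_ifs
  # HSTS keeps returning browsers off the plain-HTTP redirect entirely.
  printf '%s\n' "$conf" | grep -q 'add_header[[:space:]]*Strict-Transport-Security' ||
    echo "MISSING Strict-Transport-Security header"
}

# Constructed sample: the protocol list used above, a shortened cipher string, no HSTS.
WEAK_CONF=$(cat <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES256-SHA:!DSS";
}
EOF
)
# Constructed sample: a hardened equivalent that should yield no findings.
HARDENED_CONF=$(cat <<'EOF'
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
}
EOF
)
echo "== weak =="; printf '%s\n' "$WEAK_CONF" | audit_tls_config
echo "== hardened =="; printf '%s\n' "$HARDENED_CONF" | audit_tls_config
```

Run against the real file with `audit_tls_config < /etc/nginx/sites-available/mywebsite.com`; the server block above produces two protocol findings and ten cipher findings.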
Enable the site by linking it into sites-enabled:
sudo ln -s /etc/nginx/sites-available/mywebsite.com /etc/nginx/sites-enabled/
Test the configuration, then reload (or restart) Nginx. Note that the test only passes once every file the server block references exists: the dhparam file generated above plus the Let's Encrypt snippet and certificate created in the next section.
sudo nginx -t
sudo service nginx reload
sudo service nginx restart
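Because nginx -t rejects a server block whose certificate, dhparam or include paths do not exist yet, it helps to know which ones are missing before reloading. This shell check is an added example, not part of the tutorial; it parses those directives from a config on stdin, assumes /etc/nginx as the prefix for relative includes, and the sample config is constructed from the paths used above.

```shell
#!/bin/sh
# Added example, not part of the tutorial: list the files a server block depends
# on (certificate, key, chain, dhparam, included snippets) and report those
# missing on disk. Reads the config on stdin; prints one MISSING line per absent
# path. Assumes the default prefix /etc/nginx for relative include paths.
missing_nginx_deps() {
  sed -nE 's/^[[:space:]]*(ssl_certificate|ssl_certificate_key|ssl_trusted_certificate|ssl_dhparam|include)[[:space:]]+([^;]*);.*/\2/p' |
  while IFS= read -r path; do
    case "$path" in
      *'*'*) continue ;;                 # glob includes (conf.d/*.conf) are not checked here
      /*) ;;                             # absolute path: use as-is
      *) path="/etc/nginx/$path" ;;      # relative include, e.g. snippets/letsencrypt.conf
    esac
    [ -e "$path" ] || echo "MISSING $path"
  done
}

# Constructed sample: the paths referenced by the server block above.
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mywebsite.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    include snippets/letsencrypt.conf;
    include /opt/magento/public_html/nginx.conf.sample;
}
EOF
)
printf '%s\n' "$SAMPLE_CONF" | missing_nginx_deps
```

On the server itself, `missing_nginx_deps < /etc/nginx/sites-available/mywebsite.com` should print nothing before you run nginx -t.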
Now secure the site with a Let's Encrypt certificate. Switch to the root user and perform the following steps:
sudo su
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
Create the Nginx snippet for Let's Encrypt
vim /etc/nginx/snippets/letsencrypt.conf
Add the following content to that file:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
    # Certbot writes its tokens to <webroot>/.well-known/acme-challenge/, so the
    # request URI maps onto the webroot directly; no rewrite is needed.
    root /var/lib/letsencrypt/;
    try_files $uri =404;
}
Generate the certificate (make sure your web server is reachable by its host name, since the HTTP-01 challenge is served from the location defined above). The certificate will be valid for 90 days.
sudo certbot certonly --agree-tos --email admin@mywebsite.com --webroot -w /var/lib/letsencrypt/ -d mywebsite.com
Create a cron job to renew your Let's Encrypt certificate automatically:
vim /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
The `! -d /run/systemd/system` guard means this line only fires on hosts without systemd; on a systemd-based Ubuntu 18.04 install the certbot.timer unit shipped with the package performs the twice-daily renewal, and the cron entry is a fallback.
Finally, reload Nginx so it picks up the new certificate
sudo service nginx reload
sudo service nginx restart