This course is based on the latest Ubuntu Server Long Term Support release, 22.04.
This is a beginner’s course that assumes you have no knowledge of configuring a Linux server, server administration or NGINX.
New to Linux or server administration? Included in the course is an absolute beginner’s “crash” Linux course. This 1 hour “course within a course” will teach you the commands, terminology and procedures as they relate to this course.
NGINX is a high-performance web server that is responsible for serving almost all of the most popular sites in the world.
We start with a blank slate and layer by layer configure the perfect nginx server. I will teach you, step by step, to a point where you will have the skill, knowledge and confidence to host multiple hardened WordPress sites, on an unmanaged VPS or dedicated server, using nginx.
You will need no support from your host. You will be your own system administrator.
This course covers the entire spectrum of configuring an Ubuntu based NGINX server. We will cover everything from initial server configuration to hardening and optimizing the server distribution.
Some of the server optimization and hardening steps will include the following topics:
- SSH Key authentication
- Setting up both Uncomplicated Firewall and a “Cloud Firewall”
- Brute force attack protection
- SWAP
- Harden Shared Memory
- Harden and Optimize the Network Layer
- Tuned and Congestion Control
- File Access Times and setting the Open File Limits
Then we install, harden and optimize Nginx, MariaDB and PHP8.1. Although the default installations of Nginx, MariaDB and PHP8.1 are fairly well hardened, we will spend over 1.5 hours hardening and optimizing Nginx, MariaDB and PHP8.1.
Then we install our first WordPress site. We then start the process of hardening and optimizing WordPress. Installing a caching and security plugin does not optimize or harden a WordPress site. Some “security plugins” are a source of vulnerabilities themselves.
Almost 4 hours of the course is dedicated to hardening and optimizing WordPress. We look at hardening and optimizing WordPress from the server side and layer by layer we will harden our site.
Some of the hardening topics include:
- Installing SSL certificates and configuring automatic renewal of those certificates.
- Securing the http response headers
- Setting the correct ownership and permissions on the WP files and directories
- Using nginx directives to protect important parts of our site
- Hot linking protection to stop other sites from stealing our bandwidth and driving up server costs
- Nginx DDoS protection
- Setting up a web application firewall
When it comes to optimizing WP, we will look at the process from both the server-side and the application (WordPress) side.
On the server-side we will cover the following:
- optimizing the operating system – prior to optimizing WordPress
- optimizing nginx – prior to optimizing WordPress
- configuring php-fpm according to your server resources – prior to optimizing WordPress – set too low and your site slows down, set too high and your server will crash
- server-side caching – fastcgi caching is brilliant
- replacing WP cron with a real cron
On the application or WordPress side you need to look at the following:
- Caching plugin – W3 Total Cache
- Optimizing images
- Post revisions policy
- Optimizing the database
- Combining and minifying CSS and JS
Throughout the course, the principle of install only what’s needed, then harden and optimize is followed. The most important aspect of any server is security. I don’t just gloss over this aspect; every configuration step you will take is geared towards security. We will optimize the server, but not at the expense of lax security.
It’s impossible to list all the hardening and security layers we implement in this section; for a complete list please refer to the actual course curriculum.
By the end of this course, you will be ready to reap the benefits…
You’ll be able to add a new revenue stream and start earning additional income hosting your own sites using NGINX. There will be numerous new services you will be adding to your resume as a web developer. You will be able to charge for numerous new services – site hosting, site optimization, Let’s Encrypt SSL certificate installation and renewal, backups and even a monthly maintenance fee.
This course is not a lab experiment with no real-world application.
This course was not designed to be completed locally, on your PC or Mac or using one of the many available “Virtual Machines”. Oracle’s VirtualBox is one example. The aim of the course is to instruct you on how to set up a secure/hardened hosting environment and then host multiple hardened WordPress sites on a commercially purchased VPS or dedicated server.
I want you to be able to look at server logs and see how malicious users and bots are scanning your server, probing and looking for vulnerabilities. You need to be able to see the result of your hardening – banning, blocking, rate limiting – in your server logs. This cannot be done in a Virtual Machine.
All that’s left is for you to sign up for this course and start your wonderful journey as your very own systems administrator running multiple WordPress sites using the latest Ubuntu release and NGINX.
Course Introduction
In this section of the course, we are going to look at various introductory topics that relate to this course. It's important that you complete this section of the course as I cover a wide variety of topics and how they relate to the course.
Linux Essential Skills "Crash Course"
This section of the course is a crash course that covers the Linux skills you need to complete this course successfully.
If you are new to Linux or server administration, it's important that you watch all the video lectures in the section.
This section covers the commands and processes that you need to know to complete the course.
If you are unsure about any topic covered in this section, please ask for my help on the course Q&A.
I also need to mention that you don’t need access to a server at this stage.
This lecture covers server distributions
This lecture covers the Terminal Emulator
This lecture continues looking at Terminal
This lecture covers the Linux File System
This lecture covers Users and Groups on a Linux server
This lecture covers Ownership and Permissions - one of the most misunderstood topics in Linux.
This lecture covers using Nano to modify configuration files
This lecture covers the Server Fingerprint and why you replace password authentication with SSH Key Authentication.
This lecture covers bash scripts and cronjobs. Bash scripts are used to "automate" procedures and cronjobs are scheduled tasks.
Software
In this section we are going to look at the software you require to complete the course successfully. All software used in this course is free and/or open source. You will not be required to purchase any software.
Hosts and Servers
In this section of the course, we are going to cover the following:
- server specifications for different types of WordPress sites, by that I'm referring to the resource requirements - for example the number of CPU cores and the RAM
- server distributions, that’s the server operating system
- my recommended web host
- we are also going to complete the process of creating an actual server instance for the course
First Server Login as the Administrative "ROOT" User
In this section we are going to log in to the server for the first time and start the server hardening process as the root user.
First Server Login as a "Non Root" User
In this section we are going to continue the server hardening process as the non-root user
As the non-root user, we will look at using sudo and continue hardening the server by implementing the following measures:
- SSH key authentication deals with replacing password usage with a public / private key pair authentication system when logging into your server.
- An SSH config file makes logging in to a server using SSH key authentication quick and easy.
- Server updates deal with ensuring all the packages installed on the server are up to date.
- Implementing a firewall policy allows you to lock down and close any unused ports and services that are not being used.
- Fail2ban is an intrusion prevention framework that will protect your server from brute-force attacks.
The all-powerful administrative account or user on the server is the root user. Any errors made as the root user are normally irreversible and devastating.
When running commands that require root privileges, you must always use sudo prior to typing the command.
We are going to configure both Uncomplicated Firewall and Cloud Firewall.
Harden and Optimize the Server Distribution / Operating System
In this section we are going to further harden the server as well as start to optimize the operating system to help us squeeze every bit of performance we can get out of the server. You cannot tune nginx, mariadb and php for performance and security without first tuning the server operating system for performance and security.
We are going to cover numerous topics in this section.
We'll start with setting the time zone to your local time.
In the event of your server running out of memory, it can make use of SSD space as virtual memory. SWAP helps prevent your server crashing in the event it runs out of memory.
As the /run/shm space can be exploited, we need to secure this space in shared memory.
The TCP/IP stack default configuration needs to be hardened against different types of attacks and optimized for performance.
We are going to install Tuned. Tuned is a profile-based system tuning tool that enables both static and dynamic tuning of system settings.
We are going to set the congestion control to BBR (Bottleneck Bandwidth and Round-trip propagation time). This will help to increase throughput and reduce latency for connections.
For a performance boost, we are going to stop the filesystem from keeping track of the last time a file was accessed or read.
By default, the maximum number of open files allowed per process is set very low. Since sockets are considered files on a Linux system, this limits the number of concurrent connections as well. We need to increase the maximum number of open files allowed per process.
Configuring Cloudflare's Free DNS Service
In this section we are going to look at how you point a domain name to your server using Cloudflare.
Installing the L(EMP) Stack: Nginx, MariaDB and PHP8.1
In this lecture, we are going to look at repositories, the package manager and we are going to install nginx, mariadb and php.
Nginx is the web server, mariadb the database management system and php is the server-side scripting language that is responsible for generating dynamic page content.
Server Mail
In this lecture we are going to configure the server to send mail from the command line and using PHP. This will enable your WP site to send mail without using any plugins.
We are also going to look at the easiest method to create a mail@your_domain email account.
Understanding Nginx Configuration Files
Before we start configuring nginx, we need to look at the layout of a nginx configuration file as well as definitions that relate to nginx.
We are going to look at directives, contexts, location context modifiers and the try_files directive.
This lecture is important as it teaches you how to read and understand a nginx configuration file.
Harden and Optimize Nginx
The default nginx configuration is secure and fairly well optimized. That makes it easy for us to harden and optimize nginx as there are only a few directives we need to modify to further harden and optimize nginx.
There is no all-in-one configuration that works for all sites. You need to configure nginx for the type of sites you intend nginx to serve and in the case of this course, we will be serving WP sites.
In this section we are going to configure the main, events and http contexts. The server context will be looked at later in the course when we create our first server block.
This section is split into 4 parts.
Save time by using bash aliases. This lecture covers how you create bash aliases.
Harden and Optimize MariaDB
In this section we are going to harden and optimize mariadb.
We are also going to install mysqltuner. MySQLTuner is a Perl script that analyzes your MySQL performance and, based on the statistics it gathers, gives recommendations on which variables you should adjust in order to increase performance.
Using the recommendations, you can tune your database configuration to squeeze out the last bit of performance and make it work more efficiently.
Harden and Optimize PHP8.1
In this section we are going to harden and optimize php8.1
Server and Site File and Directory Structure
In this lecture we are going to create the directories that are going to store our WP files and directories.
We are also going to create a bash script to "automate" the process of creating site directories.
Nginx Server Blocks
Nginx Server Blocks allow you to host and serve more than one site on your server.
Some of the configuration that is included in a server block:
- the port nginx must listen on
- the domain name
- site root - where the files are located
- the index page nginx must serve
If you have used Apache before, the server context or server block is the equivalent of a virtual host. For each site you intend to host, you need to create a server block for that site.
You will learn how to create a nginx server block from scratch.
This section is divided into 4 lectures.
Installing WordPress
In this section we are going to install our first WordPress site. We are going to start by creating the database.
We are going to use MariaDB as our database management system. All things being equal, MariaDB is faster than MySQL and whenever possible I always support and prefer to use an open-source project.
In this lecture you are going to install your first WordPress site. This lecture is divided into 2 parts.
Harden WordPress
This is a relatively long section covering many different topics.
I cannot emphasize enough how important it is to harden your WordPress site.
The topics include:
- Installing SSL certificates, configuring nginx to use the SSL certificates and configuring automatic renewal of the certificates
- Securing the http response headers
- Setting the correct ownership and permissions on the WP files and directories
- Use nginx directives to protect important parts of our site
- Stop brute force attacks using nginx directives
- Stop other sites from stealing our bandwidth and driving up server costs
- Protect your server and sites from small DDoS attacks using nginx.
- Finally, we are also going to look at a WAF, a web application firewall.
Optimize WordPress
In this section we are going to optimize WordPress, configure php-fpm and CF. After the Harden WordPress section, this is the longest section of the course. Take your time and work your way through each sub-section one at a time.
When it comes to optimizing WP, you need to look at the process from both the server-side and the application (WordPress) side.
On the server-side you need to look at the following:
- optimizing the operating system
- optimizing nginx
- configuring php-fpm according to your server resources
- server-side caching
- setting the WP max memory
- replacing WP cron with a real cron
On the application or WP side you need to look at the following:
- Caching plugins
- Optimizing images
- Your site's post revisions policy
- Optimizing the database
- Combining and minifying CSS and JS
A fast WordPress site is a cached WordPress site
Different types of WordPress sites need to be cached differently. In this lecture we look at the different types of WordPress sites and how to cache those sites.
The type of caching you need to implement depends on whether your site is a static or dynamic WP site.
Nginx fastcgi caching is brilliant. The performance is absolutely stunning. This lecture is divided into 3 parts.