Ubuntu Yii2 web server with Nginx+Apache

Introduction

Nginx and Apache are two popular PHP web servers. Running both with Nginx in front of Apache (Nginx reverse proxy) will improve performance significantly. This tutorial will show configuring your Ubuntu server for Yii2 framework environments.

Prerequisites

• Ubuntu Server 16.04 LTS "xenial"
• Root account

Step-by-step Guide

1. Update your OS and install the basic program

   apt-get update
   apt-get upgrade
   apt-get install unzip
   add-apt-repository -y ppa:ondrej/php
   apt-add-repository ppa:ondrej/apache2
   add-apt-repository ppa:nginx/stable
   

2. Install Apache and PHP

   apt-get install apache2 libapache2-mod-fastcgi php7.1-fpm
   

3. Install Apache modules

   Install mod_aclr2:

   apt-get install apache2-dev gcc
   wget http://files.directadmin.com/services/custombuild/mod_aclr2-1.0.0.tar.gz
   tar -xzvf mod_aclr2-1.0.0.tar.gz
   apxs -c mod_aclr2.c
   apxs -i -a -n aclr mod_aclr2.la
   

   Install mod_rpaf:

   wget https://github.com/gnif/mod_rpaf/archive/stable.zip
   unzip stable.zip
   cd mod_rpaf-stable
   make
   make install
   

4. Install PHP modules (for Yii2)

   apt-get install -y php-intl php-xml php-mysql php-gd php-zip php-mcrypt php-gmp php-imagick
   apt-get install -y php-mbstring
   apt-get install -y php-mongodb
   apt-get install -y libssh2-1 php-ssh2
   

5. Config Apache

   Create mod_aclr.conf configuration file:

   nano /etc/apache2/mods-available/aclr.conf
   

   Add the following lines:

   AccelRedirectSet On
   AccelRedirectSize 1k
   

   Create rpaf.load file for loading the module:

   nano /etc/apache2/mods-available/rpaf.load
   

   Then add the following line:

   LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
   

   Create rpaf.conf configuration file:

   nano /etc/apache2/mods-available/rpaf.conf
   

   Add the following code block, replace SERVER_IP with your server's public/private IP:

   <IfModule mod_rpaf.c>
       RPAF_Enable       On
       RPAF_Header       X-Real-Ip
       RPAF_ProxyIPs     SERVER_IP
       RPAF_SetHostName  On
       RPAF_SetHTTPS     On
       RPAF_SetPort      On
   </IfModule>
   

   Enable Apache's modules:

   a2enmod aclr
   a2enmod rpaf
   a2enmod rewrite
   a2enmod headers
   a2enmod ssl
   a2enmod proxy
   a2enmod proxy_fcgi
   a2enmod actions
   a2enmod proxy_fcgi setenvif
   a2enconf php7.1-fpm
   

6. Changing Apache ports

   nano /etc/apache2/ports.conf
   

   Change Listen 80 to Listen 8080 and Listen 443 to Listen 8081.

   nano /etc/apache2/sites-available/000-default.conf
   

   Change <VirtualHost *:80> to <VirtualHost *:8080>.

   nano /etc/apache2/sites-available/default-ssl.conf
   

   Change <VirtualHost _default_:443> to <VirtualHost _default_:8081>.

   Open /etc/apache2/apache2.conf, add the following code block right under <Directory /var/www/> code block:

   <Directory /home/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
   </Directory>
   

   Finally, enable the default SSL site and reload Apache:

   a2ensite default-ssl
   service apache2 reload
   

7. Install Nginx

   apt-get install nginx
   

8. Config Nginx

   nano /etc/nginx/sites-available/default
   

   Delete all content of the file. We will redirect all HTTP requests to HTTPS, add the code block below:

   server { 
        listen 80 default_server; 
        listen [::]:80 default_server; 
        return 301 https://$host$request_uri;
   }
   

   Next, add the code block for HTTPS:

   server {
        listen 443 default_server http2;
        listen [::]:443 default_server http2;
   
        ssl on;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; 
   
        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name _;
   
        location / {
             proxy_pass https://{IP}:8081;
             proxy_buffering off;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Accel-Internal /nginx_static_files;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
        }
   
        location /nginx_static_files/ {
             alias /var/www/html/;
             internal;
        }
   
        location ~ /(\.ht|\.user\.ini) {
             deny all;
        }
   }
   

   Remove Nginx version in the response header field:

   nano /etc/nginx/nginx.conf
   

   Uncomment server_tokens off;.

   Reload everything:

   service nginx reload
   service apache2 reload
   service php7.0-fpm reload
   

   Visit http://SERVER_IP and https://SERVER_IP to test it; then, you can block ports 8080 and 8081 using a firewall.

   Restore original visitor IP from Cloudflare: create a new file in /etc/nginx/conf.d/cloudflare.conf with the following lines:

   set_real_ip_from 103.21.244.0/22;
   set_real_ip_from 103.22.200.0/22;
   set_real_ip_from 103.31.4.0/22;
   set_real_ip_from 104.16.0.0/12;
   set_real_ip_from 108.162.192.0/18;
   set_real_ip_from 131.0.72.0/22;
   set_real_ip_from 141.101.64.0/18;
   set_real_ip_from 162.158.0.0/15;
   set_real_ip_from 172.64.0.0/13;
   set_real_ip_from 173.245.48.0/20;
   set_real_ip_from 188.114.96.0/20;
   set_real_ip_from 190.93.240.0/20;
   set_real_ip_from 197.234.240.0/22;
   set_real_ip_from 198.41.128.0/17;
   set_real_ip_from 199.27.128.0/21;
   set_real_ip_from 2400:cb00::/32;
   set_real_ip_from 2606:4700::/32;
   set_real_ip_from 2803:f800::/32;
   set_real_ip_from 2405:b500::/32;
   set_real_ip_from 2405:8100::/32;
   set_real_ip_from 2c0f:f248::/32;
   set_real_ip_from 2a06:98c0::/29;
   
   # use any of the following two
   real_ip_header CF-Connecting-IP;
   #real_ip_header X-Forwarded-For;
   

9. Install database

   We use MariaDB instead of MySQL:

   apt-get install software-properties-common
   apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
   add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://ftp.yz.yamagata-u.ac.jp/pub/dbms/mariadb/repo/10.2/ubuntu xenial main'
   apt update
   apt install mariadb-server
   

10. Secure web server with Let's Encrypt

    Install Certbot:

    add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install certbot
    

    Add a new configuration file:

    nano /etc/apache2/conf-available/letsencrypt.conf
    

    Add the following line:

    Alias /.well-known /var/www/html/.well-known
    

    Enable it and reload Apache:

    a2enconf letsencrypt
    service apache2 reload
    

    Install certificate for server's hostname, note that replace {HOSTNAME} with your server hostname:

    certbot certonly --webroot --webroot-path=/var/www/html -d {HOSTNAME}
    

    Update Apache default SSL site:

    nano /etc/apache2/sites-available/default-ssl.conf
    

    Comment out SSLCertificateFile and SSLCertificateKeyFile, then add this below SSLEngine on:

    SSLCertificateFile /etc/letsencrypt/live/{HOSTNAME}/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{HOSTNAME}/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/{HOSTNAME}/chain.pem
    

    Next, update Nginx default site:

    nano /etc/nginx/sites-available/default
    

    Comment out ssl_certificate and ssl_certificate_key, then add this below ssl on:

    ssl_certificate /etc/letsencrypt/live/{HOSTNAME}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{HOSTNAME}/privkey.pem;
    

    Generate Strong Diffie-Hellman Group:

    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    

    Add new configuration snippet:

    nano /etc/nginx/snippets/ssl-params.conf
    

    Add this content:

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    

    Update Nginx conf file:

    nano /etc/nginx/nginx.conf
    

    Comment out ssl_protocols and ssl_prefer_server_ciphers, then add this line right after that:

    include /etc/nginx/snippets/ssl-params.conf;
    

    Reload services:

    systemctl reload {nginx,apache2}
    

    Set Up Auto Renewal:

    crontab -e
    

    Add this line at the end:

    15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "/bin/systemctl reload {nginx,apache2}"
    

11. Enable firewall

    ufw default deny incoming
    ufw default allow outgoing
    
    ufw allow ssh
    ufw allow 80/tcp
    ufw allow 443/tcp
    
    sudo ufw disable
    sudo ufw enable
    

Conclusion

Your PHP Yii2 server is now configured with an Nginx reverse proxy.