The Perfect Nginx Server - Ubuntu (22.04) Edition

This section of the course is a crash course that covers the linux skills you need to complete this course successfully.

If you are new to linux or server administration, it's important that you watch all the video lectures in the section.

This section covers the commands and processes that you need to know to complete the course.

If you are unsure about any topic covered in this section, please ask for my help on the course Q&A.

I also need to mention that you don’t need access to a server at this stage.

This lecture covers server distributions

This lecture covers the Terminal Emulator

This lecture continues looking at Terminal

This lecture covers the Linux File System

This lecture covers Users and Groups on a Linux server

This lecture covers Ownership and Permissions - one of the most misunderstood topics in Linux.

This lecture covers using Nano to modify configuration files

This lecture covers the Server Fingerprint and why you replace password authentication with SSH Key Authentication.

This lecture covers bash scripts and cronjobs. Bash scripts are used to "automate" procedures and cronjobs are scheduled tasks.

In this section we are going to look at the software you require to complete the course successfully. All software used in this course is free and or open source. You will not be required to purchase any software.

In this section of the course, we are going to cover the following:

1. server specifications for different types of WordPress sites, by that I'm referring to the resource requirements - for example the number of CPU cores and the RAM

2. server distributions, that’s the server operating system

3. my recommended web host

4. we are also going complete the process of creating an actual server instance for the course

In this section we are going to login to the server for the first time and start the server hardening process as the root user.

In this section we are going to continue the server hardening process as the non-root user

As the non-root user, we will look at using sudo and continue hardening the server by implementing the following measures:

1. SSH key authentication deals with replacing password usage with a public / private key pair authentication system when logging into your server.

2. A ssh config file makes logging to a server using ssh key authentication quick and easy

3. Server updates deal with ensuring all the packages installed on the server are up to date.

4. Implementing a firewall policy allows you to lock down and close any unused ports and services that are not being used.

5. Fail2ban is an intrusion prevention framework that will protect your server from brute-force attacks.

The all-powerful administrative account or user on the server is the root user.  Any errors made as the root user are normally irreversible and devastating.

When running commands that require root privileges you must always use the sudo, prior to typing

the command.

SSH key authentication deals with replacing password usage with a public / private key pair authentication system when logging into your server

A ssh config file makes logging to a server using ssh key authentication quick and easy

Server updates deal with ensuring all the packages installed on the server are up to date.

Implementing a firewall policy allows you to lock down and close any unused ports and services that are not being used. We are going to configure both Uncomplicated Firewall and Cloud Firewall

Fail2ban is an intrusion prevention framework that will protect your server from brute-force attacks

In this section we are going to further harden the server as well as start to optimize the operating system to help us squeeze every bit of performance we can get out of the server. You cannot tune nginx, mariadb and php for performance and security without first tuning the server operating system for performance and security.

We are going to cover numerous topics in this section.

We'll start with setting the time zone to your local time

In the event of your server running out of memory, it can make use a ssd space as virtual memory. SWAP is to help prevent your server crashing in the event it runs out of memory.

As the /run/shm space can be exploited we need to secure this space in shared memory.

The TCP/IP stack default configuration needs to be hardened against different types of attacks and optimized for performance.

We are going to install Tuned. Tuned is a profile-based system tuning tool that enables both static and dynamic tuning of system settings

We are going to set the congestion control to BBR - Bottleneck Bandwidth and RTT - Round-trip propagation time - this will help to increase throughput and reduce latency for connections

For a performance boost, we are going to disable the filesystem from keeping track of the last time a file was accessed or read

By default, the maximum number of open files allowed per process is set very low. Since sockets are considered files on a Linux system, this limits the number of concurrent connections as well. We need to increase the maximum number of open files allowed per process.

In this section we are going to look at how you point a domain name to your server using Cloudflare.

In this lecture, we are going to look at repositories, the package manager and we are going to install nginx, mariadb and php.

Nginx is the web server, mariadb the database management system and php is the server-side scripting language that is responsible for generating dynamic page content.

In this lecture we are going to configure the server to send mail from the command and using php. This will enable your WP site to send mail without using any plugins.

We are also going to look at the easiest method to create a mail@your_domain email account.

Before we start configuring nginx, we need to look at the layout of a nginx configuration file as well as definitions that relate to nginx.

We are going to look at directives, contexts, location context modifiers and the try_files directive.

This lecture is important as it teaches you how to read and understand a nginx configuration file.

The default nginx configuration is secure and fairly well optimized. That makes it easy for us to harden and optimize nginx as there are only a few directives we need to modify to further harden and optimize nginx.

There is no all-in-one configuration that works for all sites. You need to configure nginx for the type of sites you intend nginx to serve and in the case of this course, we will be serving WP sites.

In this section we are going to configure the main, events and http contexts. The server context will be looked at later in the course when we create our first server block.

This section is split into 4 parts.

Save time by using bash aliases. This lecture covers how you create a bash aliases.

In this section we are going to harden and optimize mariadb.

We are also going to install mysqltuner. MySQLTuner is a Perl script that analyzes your MySQL performance and based on the statistics it gathers, gives recommendations which variables you should adjust in order to increase performance.

Using the recommendations, you can tune your database configuration to tweak out the last bit of performance and make it work more efficiently

In this section we are going to harden and optimize php8.1

In this lecture we are going to create the directories that are going to store our WP files and directories.

We are also going to create a bash script to "automate" the process of creating site directories.

Nginx Server Blocks allow you to host and serve more than one site on your server.

Some of the configuration that is included in a server block:

1. port nginx must listen

2. the domain name

3. site root - where the files are located

4. the index page nginx must serve

If you have used Apache before, the server context or server block is the equivalent of a virtual host. For each site you intend to host, you need to create a server block for that site.

You will learn how to create a nginx server block from scratch.

This section is divided into 4 lectures.

In this section we are going to install our first WordPress site. We are going to start by creating the database.

We are going to use MariaDB as out database management system. All things being equal, MariaDB is faster than MySQL and whenever possible I always support and prefer to use an open-source project.

In this lecture you are going to install your first WordPress site, this lecture is divided into 2 parts.

This is a relatively long section covering many different topics.

I cannot emphasize how important it is to harden your WordPress site.

The topics include:

Installing SSL certificates, configuring nginx to use the ssl certificates and configuring automatic renewal of the certificates

Securing the http response headers

Setting the correct ownership and permissions on the WP files and directories

Use nginx directives to protect important parts of our site

Stop brute force attacks using nginx directives

Stop other sites from stealing our bandwidth and driving up server costs

Protect your server and sites from small DDoS attacks using nginx.

Finally, we are also going to look at a WAF, a web application firewall.

In this section we are going to optimize WordPress, configure php-fpm and CF. After the hardening WordPress Section, this is the longest section of the course. Take your time and work your way through each sub-section one at a time.

When it comes to optimizing WP, you need to look at the process from both the server-side and the application (WordPress) side.

On the server-side you need to look at the following:

• optimizing the operating system

• optimizing nginx

• configuring php-fpm according to your server resources

• server-side caching

• setting the WP max memory

• replacing WP cron with a real cron

When it comes to optimizing WP, you need to look at the process from both the server-side and the application (WordPress) side.

On the application or WP side you need to look at the following:

• Caching plugins

• Optimizing images

• Your sites post revisions policy

• Optimizing the database

• Combining and minifying CSS and JS

A fast WordPress site is a cached WordPress site

Different types of WordPress sites need to be cached differently. In this lecture we look at the different types of WordPress sites and how to cache those sites.

The type of caching you need to implement depends on your site, is your site a static or dynamic WP site

Nginx fastcgi caching is brilliant. The performance is absolutely stunning. This lecture is divided into 3 parts