A comprehensive guide for setting modern web environment from scratch

Requires root privileges.

Includes Drupal specific installations and config.

Nowadays we use a modern environments and tools, like Docker or certain cloud, or locally DDEV, which provide complex installations and configurations more or less out-of-the-box. Still sometimes "the classic" remote host setup ends on the agenda and, in my case, every time in such situation I go for online resources, searching and reading/trying until the work is done. Yet, this remains work by just an enthusiast, far from expert. In the latest case I've decided to log down every step thoroughly, for my own sake for any next time but also to share here eventually.

The following is indeed just one possible case scenario that includes at this moment latest Ubuntu, NGINX, PHP, MariaDB, Letsencrypt, Composer, Drush, as well as a group of the other more or less common daemons and tools.

Ubuntu 24.x

# Refresh packages and update

apt update && apt upgrade -y

# Set timezone

# Check time/date information.

timedatectl

# List all timezones.

timedatectl list-timezones

# Set one found on previous list.

timedatectl set-timezone [timezone_string_from_the_list]

# Confirm change.

timedatectl

# Create sudo user

# Add user

adduser your_user_name

# Add to 'sudo' group.

usermod -aG sudo your_user_name

# Add user's SSH public key, paste it in this file.

nano ~/.ssh/authorized_keys

# Memcached

# Install.

apt install memcached libmemcached-tools -y

# Confirm / version.

memcached --version

# Enable auto start.

systemctl enable memcached

# Start service.

systemctl start memcached

# Configure.

nano /etc/memcached.conf

1. Add '-S' at the end of the file after '-P /var/run/memcached/memcached.pid' to enable SASL authentication on your server.
2. Find and uncomment the '-v' directive to enable verbose logging to the '/var/log/memcache' file.
3. Uncomment the '-c 1024' directive to limit the number of simultaneous Memcached connections. Replace 1024 with your desired number of connections.
4. Find the following Memcached port directive to verify the application connection port on your server - 'Default connection port is 11211 -p 11211'
5. Find the following listen directive '-l 127.0.0.1' and '-l ::1' and verify that it's set to your server's loop back address '127.0.0.1' to only accept local Memcached connections.
   5.1 (Option/otherwise) Change the address to your public IP or any like VPC address to allow external connections.
6. Save and close the file, then restart Memcached to apply the configuration changes.

systemctl restart memcached

# Secure.

# Install the SASL package on your server.

apt install sasl2-bin -y

# Create a new directory to store your SASL authentication credentials.

mkdir /etc/sasl2

# Create a new SASL configuration file to use with Memcached. For example, memcached.conf.

nano /etc/sasl2/memcached.conf

# Add the following contents to the file.

log_level: 5
mech_list: plain
sasldb_path: /etc/sasl2/memcached-sasldb2

# Save and close the file The above SASL configuration enables authentication using the Memcached database. Within the configuration:
  
  _log_level_: Enables logging. The value 5 enables high-detail logs.
  _mech_list_: Sets the authentication mechanism. The value plain enables plain username and password usage.
  _sasldb_path_: Specifies the Memcached SASL database file to use for authentication.

# Create a user using the 'saslpasswd' utility. Set password when prompted.

saslpasswd2 -a memcached -c -f /etc/sasl2/memcached-sasldb2 [memcached_user]

# Grant the Memcached user memcache full privileges to the '/etc/sasl2/memcached-sasldb2' database file.

chown memcache:memcache /etc/sasl2/memcached-sasldb2

# Restart Memcached to apply the configuration changes.

systemctl restart memcached

# Connect to Memcached to test your new user credentials.

memcstat --servers="127.0.0.1" -b --username=[memcached_user] --password=[memcached_pass]

# Your output should look like this when successful:
  
  Server: 127.0.0.1 (11211)
  pid: 8317
  uptime: 345
  time: 1716925269
  ...

# Install PHP and the Memcached module

apt install php-memcached -y

# Install PEAR

apt install php-pear

# Then install pecl memcached and memcachepecl install memcache.

pecl install memcached

# Restart service.

systemctl restart memcached

# Rsnapshot

Rsnapshot is rather an old timer nowadays, but for me it does the work and I find it quite solid.

# Install.

apt-get install rsnapshot

# Switch to your web user.

su - your_user_name

# Create 'scripts' and 'snapshots' folder at your user's home location.

mkdir scripts snapshots

# Place scripts in
  '/home/your_user_name/scripts'
folder and make those executable.

chmod +x rsnapshotinfo.sh backup.sh drush_ops.sh

# Switch bask to root.

sudo su

# Configure.

mkdir /etc/rsnapshot.d
nano -w /etc/rsnapshot.d/html.conf

# Note, use Tabs in this and the next config instead of spaces. Enter the following:
    
    snapshot_root	/home/your_user_name/snapshots/
    retain	html	1
    cmd_preexec	/home/your_user_name/scripts/rsnapshotinfo.sh
    cmd_postexec	/home/your_user_name/scripts/backup.sh
    backup	/etc/	./files/
    backup	/your/default/html/folder	./files/
    
    # Note, rsnapshot implements 'backup_script' method. I am not using it here for the sake of Drush operations defined in 'scripts/drush_ops.sh'. It can be used similar to this, for instance to backup database:
    # backup_script  /home/your_user_name/scripts/mysql-backup.sh    ./mysql/

# Edit main rsnapshot config. Change any desirable settings there and add the following to the bottom.

nano /etc/rsnapshot.conf

include_conf    /etc/rsnapshot.d/*.conf

# Edit crontab.

crontab -e

# Enter similar to this (e.g. this runs it every day at 3:47am).

47 3 * * * /usr/bin/rsnapshot html

# Reload cron service.

service cron reload

Sources

Read more about Ubuntu 24.x

NGINX

The cleanest and probably the "safest" way to do this part is to generate configuration with Drush, it's amazing how this tool never fails to surprise in the most positive way! Otherwise, check below more extensive example - warning just an example - there is some extra security rules as well as gzip compression etc.

Additionally, there is a Logrotate utilization example.

Install

# Install current stable version.

apt install nginx

# Check Firewall settings.

ufw app list

# Make sure NGINX has full access.

ufw allow 'Nginx Full'

# Confirm firewall status.

ufw status

# Check NGINX status.

systemctl status nginx

Generate server block with Drush

drush generate misc:nginx-virtual-host

Advanced example, Drupal >= 10

 server {
 
      listen 135.181.156.54:443 ssl http2;
      listen [::]:443 ssl http2;
      server_name ph-eu.dev;
      set $base /usr/share/nginx/html/ph-eu.dev;
      root $base/web;
      # SSL.
      ssl_certificate /etc/letsencrypt/live/ph-eu.dev/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/ph-eu.dev/privkey.pem;
      ssl_trusted_certificate /etc/letsencrypt/live/ph-eu.dev/chain.pem;
      # Security headers.
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header Referrer-Policy "no-referrer-when-downgrade" always;
      add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      # Gzip
      gzip on;
      gzip_vary on;
      gzip_proxied any;
      gzip_comp_level 6;
      gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
      # Indexes
      index index.php index.htm index.html;
      # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
      #sendfile off;
      #error_log /dev/stdout info;
      #access_log /var/log/nginx/access.log;
      location / {
        absolute_redirect off;
        try_files $uri $uri/ /index.php?$query_string; # For Drupal >= 7
      }
      location @rewrite {
        # For D7 and above:
        # Clean URLs are handled in drupal_environment_initialize().
        rewrite ^ /index.php;
      }
      # Handle image styles for Drupal 7+.
      location ~ ^/sites/.*/files/styles/ {
        try_files $uri @rewrite;
      }
      # Pass the PHP scripts to FastCGI server listening on socket.
      location ~ '\.php$|^/update.php' {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_intercept_errors off;
        # fastcgi_read_timeout should match max_execution_time in php.ini
        fastcgi_read_timeout 10m;
        fastcgi_param SERVER_NAME $host;
        #fastcgi_param HTTPS $fcgi_https;
      }
      # Prevent clients from accessing hidden files (starting with a dot)
      # This is particularly important if you store .htpasswd files in the site hierarchy
      # Access to `/.well-known/` is allowed.
      # https://www.mnot.net/blog/2010/04/07/well-known
      # https://tools.ietf.org/html/rfc5785
      location ~* /\.(?!well-known\/) {
        deny all;
      }
      # Prevent clients from accessing to backup/config/source files.
      location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
      }
      # Regular private file serving (i.e. handled by Drupal).
      location ^~ /system/files/ {
        ## For not signaling a 404 in the error log whenever the
        ## system/files directory is accessed add the line below.
        ## Note that the 404 is the intended behavior.
        log_not_found off;
        access_log off;
        expires 30d;
        try_files $uri @rewrite;
      }
      # Media: images, icons, video, audio, HTC.
      location ~* \.(jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
      }
      # Js and Css always loaded.
      location ~* \.(js|css)$ {
        try_files $uri @rewrite;
        expires -1;
        log_not_found off;
      }
      # Logging.
      access_log /usr/share/nginx/html/ph-eu.dev/logs/access.log;
      error_log /usr/share/nginx/html/ph-eu.dev/logs/error.log warn;
      #include /etc/nginx/common.d/*.conf;
      #include /mnt/ddev_config/nginx/*.conf;
    }

Logrotate option

# Edit or create logrotate config

 nano /etc/logrotate.d/nginx

# Append similar to this.

/usr/share/nginx/html/ph-eu.dev/logs/*.log {
      daily
      missingok
      rotate 14
      compress
      delaycompress
      notifempty
      create 0640 www-data adm
      sharedscripts
      prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
          run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
      endscript
      postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
        DIR=$(dirname $1);
        #USER=$(stat -c "%U" $DIR);
        chown -R nk_:www-data $DIR;
        chmod 0755 $DIR/*;
      endscript
      su nk_ www-data
    }

Sources

Install

Configuration

Security

https://scaron.info/blog/improve-your-nginx-ssl-configuration.html

Brotli

Read more about NGINX

MariaDB

# Install

apt install mariadb-server mariadb-client

# Check service status.

systemctl status mariadb

# Start service.

systemctl start mariadb

# Enable auto start.

systemctl enable mariadb

# Configuration

# Create custom configuration file.

nano -w /etc/mysql/mariadb.conf.d/70-custom.cnf

# And add this there.

[mysqld]
transaction_isolation="READ-COMMITTED"

# Secure installation

# Start secure installation

mysql_secure_installation

1. Enter root password if you have one, or skip by pressing Enter with key authentication only.
2. Don’t switch to 'unix_socket' authentication because MariaDB is already using 'unix_socket' authentication.
3. Don’t change the root password, no need when using unix_socket authentication.
4. Next, you can press Enter to answer all remaining questions, which will remove anonymous user, disable remote root login and remove test database. This step is a basic requirement for MariaDB database security.

# Login and status

# Check MariaDB server version.

mariadb --version

# Test login

mariadb -u root

exit;

Sources

https://www.linuxbabe.com/ubuntu/install-lemp-stack-ubuntu-24-04-server-desktop

Read more about MariaDB

Letsencrypt

The classic, becomes essential for us who aim open-source.

Certbot

# Install Certbot.

apt -y install certbot

# Create certificate for the given domain(s).

certbot certonly --webroot -w /var/nginx/share/html/ph-eu.dev -d ph-eu.dev

# Check timer and service.

systemctl list-timers certbot.timer --no-pager
systemctl status certbot.timer
systemctl cat certbot.timer
systemctl cat certbot.service

# For manual update, do:

certbot renew

# In case you get error like "Could not bind TCP port 80 because it is already in use by another process on this system...":

# Stop nginx.

service nginx stop

# Run Certbot to obtain the certificate.

certbot certonly --standalone -d ph-eu.dev

# Restart the web server.

service nginx start

Sources

https://www.server-world.info/en/note?os=Ubuntu_24.04&p=ssl&f=2

Read more about Letsencrypt

PHP

# Install

# Install PHP extensions (add php8.3 on the list in case it's not (pre)installed).

apt install php8.3 php8.3-fpm php8.3-cli php8.3-common php8.3-curl php8.3-gd php8.3-mbstring php8.3-mysql php8.3-opcache php8.3-readline php8.3-sqlite3 php8.3-xml php8.3-zip php8.3-apcu

# Configuration.

# Configure APCu cache. Create '20-apcu.ini' file in case it does not exist.

nano -w /etc/php/8.3/fpm/conf.d/20-apcu.ini

# Place this there, for instance.
  
  apc.shm_size="96M"

# Set resources and timezone values for FPM.

nano -w /etc/php/8.3/fpm/conf.d/60-custom.ini

# Enter desired values there, for instance:

; Maximum amount of memory a script may consume. Default is 128M
memory_limit = 1G

; Maximum allowed size for uploaded files. Default is 2M.

upload_max_filesize = 260M

; Maximum size of POST data that PHP will accept. Default is 2M.

post_max_size = 280M

; The OPcache shared memory storage size. Default is 128

opcache.memory_consumption=256

; The amount of memory for interned strings in Mbytes. Default is 8.

opcache.interned_strings_buffer=32

; Set actual timezone.

date.timezone = [your_timezone_string]

# Set timezone to CLI php.

nano -w /etc/php/8.3/cli/conf.d/60-custom.ini

; Set actual timezone.

date.timezone = Europe/Amsterdam

Read more about PHP

Composer and Drush

Composer

# Update packages and install unzip.

apt update
apt install unzip

# Download and verify Composer.

cd ~
curl -sS https://getcomposer.org/installer -o /tmp/composer-setup.php
HASH=`curl -sS https://composer.github.io/installer.sig`
echo $HASH
php -r "if (hash_file('SHA384', '/tmp/composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-set
up.php'); } echo PHP_EOL;"

# Install Composer and run it to confirm.

php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
composer

Drush

# Navigate to the project root, then:

composer require drush/drush

# Add Drush to the PATH, note this works only from project root.

nano ~/.bashrc

 # Append this.

export PATH="$PATH:./vendor/bin:/usr/local/bin"

# Create site aliases in
[project_root]/drush/sites

# Test aliases
drush sql:sync @prod @self

Sources

Read more about Composer and Drush

Upgrade Drupal 9 to 10 or 11

Basic stuff and Sources for now. To be continued...

Lenient

# Install Composer Lenient for being able to place non-compatible packages.
# @see https://github.com/mglaman/composer-drupal-lenient

composer require mglaman/composer-drupal-lenient

# To allow a package to have a lenient Drupal core version constraint, you must add it to: extra.drupal-lenient.allowed-list

composer config --merge --json extra.drupal-lenient.allowed-list '["drupal/token"]'

# Now you can require the module in question

composer require drupal/token:1.10.0

Rector

# Make sure you are at the project's root. Then, get and copy rector.php

composer require --dev palantirnet/drupal-rector
cp vendor/palantirnet/drupal-rector/rector.php .

# Run check, in this example for a particular module. Remove dry run when ready.

vendor/bin/rector process web/modules/contrib/token --dry-run

Sources

https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-8-or-later/how-to-upgrade-from-drupal-10-to-drupal-11
Check deprecations for contrib and custom modules and themes: https://www.drupal.org/docs/upgrading-drupal/prepare-major-upgrade/deprecation-checking-and-correction-tools-to-prepare-for-a-new-drupal-major-version
Use Rector https://github.com/palantirnet/drupal-rector