EasyEngine: lickety-split installation of WordPress on a LEMP stack, with selective SSL.

So after I spent quite a large amount of time writing my last post, I was contacted in the comments by an enterprising marketing executive from rtCamp, recommending their free EasyEngine product, which quickly installs LEMP and WordPress sites with minimal user interaction.

I was wary at first, since this was a clear solicitation, and I certainly didn’t want to be told that all my work was for nothing.  But I tried it out, and was so delighted, that I am now recommending it as the best way to quickly and securely install WordPress on a LEMP stack.  The installation is also a much more secure configuration than what I recommended.  Plus, did I mention that EasyEngine is free?

So, in essence, ignore my last post.  Here is my revised recommendation for the best way to install WordPress on top of LEMP (Linux, Nginx, mySQL, and PHP) on Ubuntu .

NOTE: rtCamp is apparently working on supporting MariaDB over mySQL, but it’s not final yet. UPDATE July 2, 2014: While I did attempt installing MariaDB over mySQL in Ubuntu, MariaDB kept on crashing on out of memory errors. At this time, I would recommend sticking with mySQL for your EasyEngine installation. That is, skip section IV, and go straight to section V.

I. ASSUMPTIONS

This post, like my previous post assumes that you already have the following in place, and I will not cover them:

• Ubuntu installed on either a dedicated server, a VPS, or on AWS EC2.
• Access to that server’s command line, whether through the console or SSH.
• A sudo user set up on the Ubuntu instance.
• A purchased SSL certificate for your website.
• You understand basic Linux commands such as cp.
• You can use a text editor, such as vi, vim, or nano to edit files on the server.

If anyone really needs help with any the above, please leave a comment and I’ll consider adding it.  I’ve also decided to use nano in this post, instead of vim, since nano will be much easier than vim for me to walk a beginner through.

II. INSTALL EASYENGINE

All you have to do is type the following at the command line:

curl -sL rt.cx/ee | sudo bash

Poof! EasyEngine is installed.

III. INSTALL LEMP STACK

1. Type the following at the command line:

   sudo ee system install

   EasyEngine will begin to install, mostly hands off, until…

2. You will be prompted to enter a username and password for the admin pages that EasyEngine installs on port 22222.  First you will see:

   Enter The HTTP AUTH Username [easyengine]:

   Enter a username that is secure and that you can remember here, and press [Enter].

   Next, you’ll see:

   Enter The HTTP AUTH Password [easyengine]:

   Enter a secure password here and press [Enter].

Poof!  The LEMP stack is installed.

IV. REPLACE MYSQL WITH MARIADB (OPTIONAL)

UPDATE: July 2, 2014: You might not wish to use MariaDB with EasyEngine.  When I did the below, MariaDB regularly crashed, due to out of memory errors.  That meant that my site went down a few times a day.  When I restored mySQL, everything was happy again.  So until I or the folks at rtCamp figure out what the conflict is between EasyEngine and MariaDB, I’m going to have to recommend that you stick with the default EasyEngine mySQL.

I’ve left this section for completeness and history.  If you don’t care, skip to section V.

If, as I recommend, you prefer MariaDB over mySQL, all you have to do is install MariaDB over mySQL from Ubuntu, and everything should work properly:

1. sudo apt-get install mariadb-server

2. When you are prompted to enter a root password…

     | While not mandatory, it is highly recommended that you set a password   │ 
     │ for the MariaDB administrative "root" user.                             │ 
     │                                                                         │ 
     │ If this field is left blank, the password will not be changed.          │ 
     │                                                                         │ 
     │ New password for the MariaDB "root" user:                               |
   

   …leave the field blank, so that MariaDB maintains the mySQL root password that was set by EasyEngine. Then press the [Tab] key until <OK> is selected, and press [Enter].

3. When you are asked if you wish to replace the config file:

   Configuration file '/etc/logrotate.d/mysql-server'
    ==> Modified (by you or by a script) since installation.
    ==> Package distributor has shipped an updated version.
      What would you like to do about it ?  Your options are:
       Y or I  : install the package maintainer's version
       N or O  : keep your currently-installed version
         D     : show the differences between the versions
         Z     : start a shell to examine the situation
    The default action is to keep your current version.
   *** mysql-server (Y/I/N/O/D/Z) [default=N] ? 
   

   …select N (or O) to keep your currently-installed version. This will also maintain any settings set by EasyEngine.

4. You will be prompted a second time to set a root password. Again, leave it blank, press the [Tab] key until <OK> is selected, and press [Enter].

After another minute, MariaDB is installed.

V. INSTALL WORDPRESS

Again, delightfully easy.  Just type the following at the command-line:

sudo ee site create yoursite.com --wp

Obviously replace “yoursite.com” with your actual site’s domain name.

Poof!  WordPress is installed.  Make note of the EasyEngine-generated admin username and password here, or you won’t be able to log in to wp-admin.  Then navigate to http://yoursite.com and http://yoursite.com/wp-admin to verify that WordPress is working.

VI. CONFIGURE SSL

As a reminder, our goal here is to force SSL on login pages and wp-admin pages.

UPDATE, June 30, 2014: So it turns out that my original steps on June 27 for configuring SSL, which borrow heavily from Pothi Kalimuthu‘s configuration files on Github, conflict with the EasyEngine default settings.  Specifically, the “location” directive that forces SSL on wp-login.php is overridden by EasyEngine’s “location” directive (in /etc/nginx/common/wpcommon.conf) which prevents brute force attacks on the login page.  After some back and forth in the rtCamp forums, I found that with the WordPress HTTPS plugin and some minimal SSL configuration in the nginx conf file (/etc/nginx/sites-available/<yoursite>.com), I could set up the SSL force without conflicting with EasyEngine.

As before, this section assumes that you’ve either migrated your SSL certificate from your old site, or you’ve already purchased, requested, and downloaded a new certificate from a trusted certificate authority (CA). Your CA probably has good instructions on its web site for obtaining an SSL certificate.

Assuming that your certificate files are now in ~/.ssl, here are the directions, step by step:

1. Place your site’s certificate file (.crt) in a good place on your server. I recommend /etc/ssl/certs.

   sudo cp ~/.ssl/yoursitename.com.crt /etc/ssl/certs

2. Place your site’s private key file (.key) in a safe place on your server. I recommend /etc/ssl/private.

   sudo cp ~/.ssl/yoursitename.com.key /etc/ssl/private

3. Navigate to your site’s nginx configuration file directory:

   cd /etc/nginx/sites-available/

4. Copy your existing configuration file to a backup file (obviously, replace “yoursite.com” with your site’s actual domain name”):

   sudo cp yoursite.com yoursite.com.bak

5. Open the original config file for editing:

   sudo nano yoursite.com

6. Copy the ENTIRE “server” block and paste at the end of the file, so that you have 2 identical “server” blocks.
7. Inside the *first* server block, add the following line:

   listen 80;
   

8. Inside the *second* server block, add the following 4 lines:

   listen 443;
   ssl on;
   ssl_certificate /etc/ssl/certs/<yourserver>.com.crt; #whatever path you set in step #1
   ssl_certificate_key /etc/ssl/private/<yourserver>.com.key; #whatever path you set in step #2
   

9. [Ctrl] + ‘o’, followed by [Enter] to save the changes.
10. [Ctrl] + ‘x’ to exit nano.
11. Restart Nginx and PHP

    sudo service nginx restart && sudo service php5-fpm restart

12. Navigate to https://<yoursite.com>/wp-admin (it might only work over SSL at this point).
13. On the navigation bar on the left, click on “Plugins”–>”Add New”.
14. Search for “WordPress HTTPS” by typing it in the textbox and clicking on “Search Plugins”.
15. “WordPress HTTPS” should be the first plugin in the list.  Click on its “Install Now” link.
16. In the “Are you sure you want to install this plugin?” popup, Click “OK”.
17. The plugin will install.  When done, click the “Activate Plugin” link in the main page frame.
18. In the navigation bar on the left, you’ll now notice a new item, “HTTPS”, at the bottom.  Click on it.
19. Check the “Force SSL Administration” checkbox, and click the “Save Changes” button.
20. Navigate to http://<yoursite.com>/wp-admin. Make sure that you’re directed to https://<yoursite.com>/wp-admin, and that the login page is also https.  If this does not work, then try rebooting your server and  trying again.
21. Congratulations! SSL has been properly configured.

Again, please let me know in the comments if there are any inaccuracies, inefficiencies, or if anything is just plain unclear. Hooray for EasyEngine!