PHP and MariaDB on Debian

Note: instructions for installing and configuring phpMyAdmin also included below.




As of December 2018 there are decent performance gains with the latest PHP and MySQL (MariaDB, not Oracle) versions. These are:
- PHP 7.3.0, released 06 Dec 2018
- Next PHP release 7.4, likely out December 2019
- MariaDB 10.3.11, released 20 Nov 2018
- Latest MariaDB release 10.4 is in release candidate status as of May 2019.

It would be good to do a new version of this guide along with PHP when its next release is out, say Dec 2019/Jan 2020.

PHP 7.3 outperforms PHP 7.2 and earlier versions on nearly all real-world web CMS platforms. At the same time, MariaDB does have performance enhancements which generally make it faster than the Oracle offering; for MariaDB the performance advantages have been apparent since at least MariaDB 10.1 vs. MySQL 5.7, back in 2014.

This is no surprise, given that MariaDB was founded and developed under the direction of the original MySQL founder. The main technical advantages are better thread management and better defragmentation in MariaDB than in MySQL. In addition, a larger variety of storage engines is available under MariaDB, including NoSQL (Cassandra).

Set up PHP Repository and Certs

sudo apt-get install apt-transport-https lsb-release ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list

Update and Install PHP

Currently this is the 7.3 branch

sudo apt-get update -y
sudo apt-get install -y php7.3
sudo apt-get install -y php7.3-cli php7.3-common php7.3-curl php7.3-fpm php7.3-gd php7.3-json php7.3-mbstring php7.3-opcache php7.3-readline php7.3-xml php7.3-intl php7.3-zip \
    php7.3-mysql

Update and Upgrade apt

sudo apt update -y
sudo apt upgrade -y

Verify php-fpm status

systemctl status php7.3-fpm.service

Stop PHP-FPM from guessing a script via PATH_INFO when the requested .php path does not exist (otherwise a non-PHP file, such as an upload, could be executed as PHP). Set cgi.fix_pathinfo=0 and restart php-fpm:

sudo sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.3/fpm/php.ini
sudo systemctl restart php7.3-fpm.service

Edit the php.ini used by php-fpm if needed, e.g., to increase the upload size limits (these are php.ini directives and are not valid in php-fpm.conf; restart php7.3-fpm afterwards).

sudo nano /etc/php/7.3/fpm/php.ini

Make the following changes:

cgi.fix_pathinfo = 0
...
max_execution_time = 300
...
upload_max_filesize = 32M
...
post_max_size = 32M

MariaDB - Install cert manager, key, repository

Currently this is the 10.3 branch

sudo apt-get install -y software-properties-common dirmngr
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://mirrors.dotsrc.org/mariadb/repo/10.3/debian stretch main'

Then update apt and install mariadb-server:

sudo apt update -y
sudo apt-get install -y mariadb-server
sudo systemctl status mariadb

Enable auth socket

sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf

Add plugin-load-add = auth_socket.so in the [mysqld] section. Then save and restart MariaDB.

sudo systemctl restart mariadb.service

Secure the database

sudo mysql_secure_installation

PhpMyAdmin on Debian

Provided that Nginx and Let's Encrypt SSL are installed and configured, it is time to install phpMyAdmin:

sudo apt-get update
sudo apt-get install -y phpmyadmin

Add a symlink from /usr/share/phpmyadmin into /var/www/html (or the document root of whichever website should serve it):

sudo ln -s /usr/share/phpmyadmin /var/www/html

Note: for a little security through obscurity, rename the link (the target must stay inside the web root):

sudo mv /var/www/html/phpmyadmin /var/www/html/pma

Install and enable mcrypt in PHP, and restart php-fpm:

sudo apt-get install -y mcrypt
sudo phpenmod mcrypt
sudo systemctl restart php7.3-fpm

Test to see if it works

https://host.domain.tld/pma/

Limit access to /pma/ by IP address by editing the nginx configuration:

nano /etc/nginx/sites-available/default

Add the following line at the top of the file, above the server block (replace the address with the admin's own IP):

geo $admin { default 0; 203.150.176.16 1; }

And add a nested location inside the \.php location, as per this StackOverflow answer (the path must match the renamed link, /pma/, not /phpmyadmin/):

location ~ \.php$ {
    location ~ (/pma/) {                 # add this
        if ($admin = 0) { return 404; }  # add this
        ## fastcgi parameters            # duplicate these lines
    }                                    # add this
    ## fastcgi parameters ##
}
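The fragments above leave the fastcgi lines as placeholders. Below is an added example (not from the original post or the StackOverflow answer) of one complete HTTPS server block that ties the pieces together: the geo-based restriction on the renamed /pma/ link, and try_files guarding the PHP handler so that, together with cgi.fix_pathinfo=0 from the PHP section, only an existing .php file is ever handed to PHP-FPM. It assumes the web root /var/www/html, PHP-FPM on Debian's default socket /run/php/php7.3-fpm.sock, certbot's default certificate paths, and host.domain.tld as a placeholder for the real FQDN.

```nginx
# Added example, not the post's own config. Assumptions: web root
# /var/www/html, PHP-FPM socket /run/php/php7.3-fpm.sock, certbot's default
# certificate paths, host.domain.tld standing in for the real FQDN.

geo $admin {
    default         0;
    203.150.176.16  1;     # the one address allowed to reach /pma/ (from the post)
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name host.domain.tld;

    ssl_certificate     /etc/letsencrypt/live/host.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/host.domain.tld/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root  /var/www/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Non-admin visitors must not even learn that /pma/ exists, static assets
    # included, so the check sits on the whole prefix rather than only on .php.
    location ^~ /pma/ {
        if ($admin = 0) { return 404; }
        try_files $uri $uri/ =404;

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }
    }

    location ~ \.php$ {
        # Only an existing .php file reaches PHP-FPM. With cgi.fix_pathinfo=0
        # this stops a request like /uploads/image.jpg/x.php from being
        # resolved to the image and executed as PHP.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
```

Check the file with nginx -t before reloading; the 80 to 443 redirect block from the HSTS section below still goes alongside this one.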

Nginx and Letsencrypt SSL on Debian

It is a good idea to get PHP and MariaDB on Debian set up before Nginx (except the PhpMyAdmin which can come after).


Install Nginx

Edit /etc/apt/sources.list to add the Nginx repository:

nano /etc/apt/sources.list

Add the following repository (currently for Debian 9/Stretch)

deb http://nginx.org/packages/mainline/debian/ stretch nginx

Download and install the key for the repository

wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key

Remove nginx-common, update apt and install nginx

sudo apt-get remove -y nginx-common
sudo apt-get update -y
sudo apt-get install -y nginx

Systemd / Nginx Race Condition

There is a known race condition, with a workaround as follows:

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload

Edit /etc/nginx/sites-available/default

Note: these edits are not comprehensive, just to get certbot working. Uncomment the following lines:

listen 443 ssl default_server;
listen [::]:443 ssl default_server;
...
location / {
...
try_files $uri $uri/ =404;
}

Where it says server_name _; change _ to an appropriate FQDN that has a matching A record. Save and restart nginx:

service nginx restart

Letsencrypt Certbot

sudo apt-get update
sudo apt-get install -y python-certbot-nginx certbot -t stretch-backports

Run Let's Encrypt's certbot (automatic nginx configuration):

certbot

Test access from a browser.

HSTS Preload

Browsers ship with a preload list of hosts that must only be reached over HTTPS, and sites can be submitted to that list. Two things are required: an 80 to 443 redirect, and an HSTS header. For the redirect, add this server configuration:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}

The HSTS header needs to be added to each HTTPS server block. It can simply be added after the listen 443 ssl; line:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Nginx Info

Nginx has become the standard for much of the web, for the basic reason that it is not creaky old (though of course still lovable) Apache. However, before we get too far ahead of ourselves, let's recall exactly what we need to know about Nginx in order for it to work as well as Apache:
- Installation
- Configuration files
- Support of SSL / LetsEncrypt
- SFTP/SCP access to the file system (and file rights + ownership)
- Multiple virtual servers / directories
- Mimetypes
- Support for PHP
- Threading
- .htaccess and related

Nginx and Related Files and Directories

Standard or default files and directories are as follows:
- /etc/nginx - application directory
- /etc/nginx/nginx.conf - main configuration file
- /usr/share/nginx/html - default website root directory, noted as html in nginx.conf
- /var/log/nginx/error.log - error log
- /var/log/nginx/access.log - access log
- /etc/nginx/mime.types - mime types
- /etc/php.ini - php configuration file

Nginx / PHP-FPM Security Issues

There are significant issues with PHP-FPM in terms of keeping site caching partitioned when several websites/virtual hosts share one server. Opcache should be turned off, and each site should run under its own user in a separate php-fpm process. How to do this is not listed here (just yet).
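As an added example (not from the original post), the following PHP-FPM pool file shows the per-site separation the paragraph above calls for: one pool per site, each running as its own Unix user on its own socket, with opcache disabled for the pool. It assumes a system user and group named site-a already exist (e.g. adduser --system --group site-a), that the site's files live under /var/www/site-a and are owned by that user, and that nginx runs as www-data.

```ini
; Added example, not the post's own config. Save as
; /etc/php/7.3/fpm/pool.d/site-a.conf and repeat, with a new name, user and
; socket, for every site. Assumes user/group "site-a" exists and owns
; /var/www/site-a, and that nginx runs as www-data.

[site-a]
user  = site-a
group = site-a

; Private socket: only nginx (www-data) may connect. The site's nginx
; fastcgi_pass points here instead of at the shared www pool's socket.
listen       = /run/php/php7.3-fpm-site-a.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660

; Spawn workers on demand; size max_children to the site's memory budget.
pm                      = ondemand
pm.max_children         = 10
pm.process_idle_timeout = 10s

; Caveat: all pools under one php-fpm master share a single opcache segment,
; which is the partitioning problem noted above. Disabling it per pool follows
; the post's advice; running a separate php-fpm master per site is the
; alternative if opcache is wanted.
php_admin_value[opcache.enable] = 0

; Confine this pool's PHP to its own tree and give it its own session store
; (the sessions directory must exist and be owned by site-a).
php_admin_value[open_basedir]      = /var/www/site-a:/tmp
php_admin_value[session.save_path] = /var/www/site-a/sessions
```

Check the file with php-fpm7.3 -t before restarting php7.3-fpm, then point the site's fastcgi_pass at /run/php/php7.3-fpm-site-a.sock.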


XFCE vs. Cinnamon 2018

Summary -- The superiority of XFCE or Cinnamon comes down to use cases, and of course preference -- de gustibus non est disputandum.

XFCE Superiority

XFCE is a delight in many ways, when compared with Cinnamon:
- Less memory and processor utilization
- A bit more stable (though this could be an instability with Nemo)
- Faster/easier to configure (the settings menus are much better organized, with fewer top-level items)

Cinnamon Superiority

At the same time, Cinnamon has definitely fixed/improved a few things:
- Keyboard settings to reconfigure standard keyboard remapping (Win/Cmd/Super remapping, CapsLock behavior)
- Shortcuts on the start menu, ease of adding apps from the menu to the dock, and in general a more elegant start menu with search and better spacing

Beyond these issues, everything else seems to be about applications. Both can do everything else more or less similarly.

Note: one can install Cinnamon on Debian directly, or try Linux Mint Debian Edition (LMDE), or simply standard Mint (an Ubuntu derivative) and Cinnamon. Cinnamon is also available for a few other Linux distributions.

Nautilus beats Nemo and Thunar

Nemo is simply unstable. Try doing some drag-and-drop and it soon slows, hangs, quits. Thunar is nice, but there is no handy search or buttons to toggle between views. Everything has to be committed to remembered keyboard shortcuts. Silly. Nautilus is not perfect by any means. A seeming limitation of the icon view size set to max 133% is a disappointment. However, beyond that it is very good and definitely an improvement over Nemo and Thunar.

Cinnamon - Better Keyboard Support, Better Dock/Menu

The bottom line is that while Cinnamon has greater resource demands and a bit less stability, it has a better dock/menu interface and better keyboard configuration support. This makes it a premium modern desktop for Debian and Ubuntu (via Linux Mint Debian Edition (LMDE)).

XFCE - Better Resource Management for Low End Devices

Either Debian + XFCE or the Linux Mint XFCE edition is appropriate for low-end devices, say those with 4 GB or less of RAM. This would be appropriate for the Asus C101PA Convertible Chromebook.

See Also for Linux on the ASUS C101PA


Gsuite Free Domain Alias Mailboxes

Google likes to remove functionality on free products to induce upselling. This is a common tactic in many software/SaaS models. However, the cost of adopting Gsuite is very high relative to free: essentially a 5-10 pack of mailboxes at $5/month each for the least expensive Gsuite paid option, that is $300-$600/year. What is sadly missing is a less expensive option. I don't mind paying money for valuable services, but for an individual consumer who really only has family mailbox accounts, this is ridiculous pricing. As someone with multiple domains, here is how to get around this issue.

No Duplicate Mailboxes

The main problem comes when one wants to have mailboxes that have the same username, e.g., info@primary-domain.com and info@secondary-domain.com. Because added-on domains are always only aliases, only the primary domain is possible (e.g., info@primary-domain.com), and all subsequent domains with the same info@ are aliases of the underlying primary domain.

Steps to Support Duplicate Mailboxes

The work-around is as follows:
- Create a unique mailbox such as secondary-domain@primary-domain.com.
- After some amount of time (an hour at the most) the address info@secondary-domain.com will be added (provided info@primary-domain.com was already a primary or secondary mailbox address).
- Log into secondary-domain@primary-domain.com and add info@secondary-domain.com as a second account. This will generate an email which will be sent to info@primary-domain.com. Verify access with the verification code. Set info@secondary-domain.com as the default and configure the mailbox to always send email from that address.
- Log into info@primary-domain.com and add a forwarding address of secondary-domain@primary-domain.com. This will generate a verification code emailed to secondary-domain@primary-domain.com. Verify this.
- Next, create a new filter for incoming mail addressed to info@secondary-domain.com and have it forward email to secondary-domain@primary-domain.com and also delete the email locally.

The steps above will properly route and address mail so that the new mailbox will function properly using the normally disallowed duplicate username in the free version of Gsuite.

Endgame with Gsuite

Frankly I dislike Google and Gsuite. My use is only a holding action to not have to deal with email migration. The vast majority of time I no longer use Gsuite other than calendar and email, and also the use of those accounts for YouTube and Google Business Listings, and also the Analytics/Google Ads suite. Obviously there needs to be Google accounts, but they can be independent Gmail accounts rather than Gsuite accounts. At some point (in 2019), I'll migrate off and do self-hosting on mail and calendar, and therefore move YouTube, Business, Analytics over to Gmail accounts.


Artistic Creation Endeavors

Back in the early stages of adulthood, I had at times contact with, interest in, and time spent doing art. This was mainly poetry, short fiction, and painting. Giving it up because of a statement of Baudelaire, and psychic exhaustion, was not the best idea, but it is where I have been with this. It is time to begin to turn the ship of state that is my vocation and avocations back toward that blessed horizon.

Some Blender Resources

Jama Jurabaev

The Next Leap: How A.I. will change the 3D industry


Amazon Canada Incompetence

By Amazon Canada, I am referring to the Amazon Advantage Canada operation. Pure, unadulterated incompetence. Support requests go something like this:
- Me: Here is my problem, with detail
- AC: Request for information (which is already in the detail)
- Me: Submission of requested info, again
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: We tried to call you, please provide a time to discuss this issue
- Me: No, we don't need to talk, please fix the problem
- AC: Thank you, please wait
- AC: We are working on this, thank you for your patience
- AC: We are working on this, thank you for your patience
- AC: It is fixed now, please try again
- Me: No, it is still broken
- AC: Please send screenshots with dates (obviously they don't believe me)
- Me: Submission of requested info, again
- AC: We tried to call you, please provide a time to discuss this issue
- Me: No, we don't need to talk, please fix the problem
- AC: Thank you, please wait

Repeat with various slight modifications. This has happened to me twice now, with different issues, and it is completely maddening. First, they could not update an item in inventory. After three months of this nonsense, I just removed/discontinued the item. The second time, most recently, they can't update my bank information, and my account is locked so I can't update it myself. This has been the situation now for over a month. Well, bye bye Amazon Canada, incompetence par excellence.


Debian + Cinnamon Keyboard Shortcuts

> Note: This is Incomplete

Function LMDE3 ChromeOS
Refresh Ctrl+R
Task List
Partial Screenshot

Debian Terminal

Under Edit > Preferences > Shortcuts set the Edit > Copy, Edit > Paste, and Edit > Select All accelerator keys to Ctrl+C, Ctrl+V, and Ctrl+A respectively.

Screenshots

Under Keyboard > Shortcuts > System > Screenshots and Recording assign F5 to Take a screenshot of an area. This is more efficient than the Ctrl+Shift+F5 of the standard ChrOS keystroke, and the standard Dim keyboard backlight setting doesn't apply as I do not use backlit keyboards. In ChrOS it makes sense even to map the Overview (F5) key to partial screenshot, as I really don't use that function in any case.

Keyboard Layouts Options

Keyboard > Layouts > Options:
- Alt/Win key behavior: Ctrl is mapped to Win keys (and the usual Ctrl keys)
- Caps Lock key behavior: Make Caps Lock an additional Hyper (deal with this later to create the Search behavior in ChrOS, if desired)
- Switching to another layout: Caps Lock, though this really makes Shift+Caps Lock function as a language switcher.

Note that the last one would be better aligned with ChrOS' Ctrl+Space to switch between languages, if possible. It is more like the OSX Cmd+Space language toggle keystroke.

stty

Since I prefer Ctrl+C to be copy, it can no longer be the interrupt, so I set the terminal's interrupt (intr) character to Ctrl+E using stty (stty has no "break" character; intr is the one that sends SIGINT):

stty intr ^e

However, that is not really necessary since ctrl+\ and ctrl+4 both also institute a quit or break in the console.

chsh

Set the default shell to Bash

chsh -s /bin/bash

> Note: have to log out and back in to see this work.

Notes (Incomplete)

  • With small keyboard there is no actual delete, only backspace. Need to change so the delete key can/is the backspace and so can delete in the file manager (nemo). Actually Fn+Delete = Delete on the Apple wireless keyboard, whereas Delete is actually Backspace.
    • Note that Nemo is so horribly slow when/after doing delete/paste of files between windows, I've gone on to use Nautilus. Also, Nautilus has good batch file renaming, whereas Nemo is woefully incomplete.
  • For rename, note: Fn+2 and slow double-click (nemo only) works.
  • Set the Bash so that it maps my favorite scripts (lx for ls -la), environment editor (nano), and in terminal so ctrl-E is the stop command.
    • Done
  • Set a partial screenshot keystroke / keyboard shortcut
    • Done (F5), set this in the Keyboard control panel/settings.
  • Install exo-utils and run exo-preferred-applications to set the file managers and browsers (though is this read by Cinnamon?)
  • Install and Run dconf-editor to set preferences in a variety of apps/locations

Xiaomi Mi Pad 4

Google Play Store on Xiaomi Mi Pad 4

While the Xiaomi Mi Pad 4 ships with Google Play installed, if one does a factory reset, then the resulting MIUI 9.x does not bundle Google Play Store or the Gboard keyboard. There are several steps needed to get it set up, including:
- Find, download and install Google Play Store + Google Play Services
- Install and enable Google Gboard, and the Gboard keyboards

Evie Launcher and Launcher Configuration

I find the Evie Launcher to be a good, modern, and clean interface. Basically it prevents one from getting lost or accidentally creating new screens, which is a fundamental flaw on both Android and iOS default launchers.

Firefox Browser

The Firefox Browser is the go-to browser for all devices. Also, search is set to DuckDuckGo.

Things to Turn Off, and On

  • Quick Ball = off
  • Battery Percentage Display = on
  • Enable buttons, turn off full-screen gestures

Other Apps

  • Foscam Viewer
  • Telegram
  • Google Contacts
  • Duo
  • Gmail

MIUI 9 vs. MIUI 10

MIUI 9 focused on speed, removing many components that were generally not used by consumers. MIUI 10 will have much more so-called intelligence, which will likely slow it down to a crawl (unless the AI is turned off, in which case MIUI 10 might be as fast as MIUI 9). For now, I'm holding off on MIUI 10 for most devices (except for the Xiaomi Redmi 6A, which does get it as an OTA update).


Fish Shell – Friendly Interactive SHell

Note: I replaced Fish Shell with Bash in my personal technology stack as of March 2018. Ha ha, back on Fish Shell. Fish Shell is a very useful shell; I use it on OSX and Linux, and it provides some sanity at the command line. For an editor I use Nano. Note that there are some limitations and a learning curve in getting it set up, and it is definitely newer than other shells. When trying to run a command that won't work in fish, simply invoke bash and get it done, so there are no real limitations to speak of. For shell scripting, it is very straightforward and definitely more modern. Useful docs on the fish shell are available.

What Fish Can't Do (So Well)

Fish is a bit more limited as a general-purpose command/utility invoker, as it seems to throw errors. Overall, it is a bit cranky, and really only at its best when doing scripting. To that end, better facility with Python will probably fill in the gaps around Bash that Fish does well, while focusing on a tool that would be even more extensible.

See Also