Aller au contenu principal
DevOps 10 min read

Deploy a PHP Application on Debian 12

LC

Louis Cercle

Full-Stack Developer

Debian 12 "Bookworm" is a solid foundation for hosting your PHP applications. This guide walks you through A to Z for configuring a secure production server with Nginx, PHP-FPM 8.2, MariaDB and free SSL.

Prerequisites

  • A VPS with freshly installed Debian 12 (OVH, Hetzner, DigitalOcean...)
  • Root SSH access or sudo user
  • A domain name pointing to the server IP
  • About 30 minutes of your time

1. System Update

# SSH connection
ssh root@your-ip

# Update packages
apt update && apt upgrade -y

# Install basic tools
apt install -y curl wget git unzip sudo ufw

# Create non-root user (recommended)
adduser deploy
usermod -aG sudo deploy

2. Firewall Configuration

Important

Configure UFW before enabling the firewall to avoid locking yourself out of SSH! 

# Allow SSH (port 22)
ufw allow OpenSSH

# Allow HTTP and HTTPS
ufw allow 'Nginx Full'

# Enable firewall
ufw enable

# Check status
ufw status verbose

3. Install Nginx

# Installation
apt install -y nginx

# Start and enable at boot
systemctl start nginx
systemctl enable nginx

# Verification
systemctl status nginx

4. Install PHP 8.2

# PHP 8.2 is available in Debian 12 repos
apt install -y php8.2-fpm php8.2-cli php8.2-common \
    php8.2-mysql php8.2-xml php8.2-curl php8.2-gd \
    php8.2-mbstring php8.2-zip php8.2-intl php8.2-opcache

# Verification
php -v

# Restart PHP-FPM
systemctl restart php8.2-fpm
systemctl enable php8.2-fpm

5. Install MariaDB

# Installation
apt install -y mariadb-server mariadb-client

# Secure installation
mysql_secure_installation
# Answer Y to all questions

# Create database and user
mysql -u root -p

-- SQL commands
CREATE DATABASE myapp CHARACTER SET utf8mb4;
CREATE USER 'myapp_user'@'localhost' IDENTIFIED BY 'SecurePassword123!';
GRANT ALL PRIVILEGES ON myapp.* TO 'myapp_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

6. SSL with Let's Encrypt

# Install Certbot
apt install -y certbot python3-certbot-nginx

# Get certificate
certbot --nginx -d mydomain.com -d www.mydomain.com

# Automatic renewal is configured
# Verify with:
systemctl status certbot.timer
certbot renew --dry-run

Security Checklist

  • UFW firewall configured
  • Non-root user created
  • SSL/TLS with Let's Encrypt
  • Disable SSH root login
  • SSH keys instead of passwords
  • Fail2ban installed
  • Automatic backups configured

Conclusion

You now have a Debian 12 server ready for production with a modern and secure LEMP stack. To go further, consider Redis for application caching, Supervisor for workers/queues, Docker for application isolation, and CI/CD with GitHub Actions or GitLab CI. Happy deploying!