
Installing Debian 10, OpenLiteSpeed, MariaDB and PHP 7.4 on AWS Lightsail.

Rough notes from an IT amateur so he does not forget. Follow at your peril.


Create Lightsail server, link to static IP and set firewall rules

(Assistance: AWS (Create instance, SSH, Static IPs))

Create Instance

Location: Ireland
Select a platform: OS Only –> Debian 10.5

Change SSH Key pair –> Create new –> Create –> Enter awskeypairname –> Generate key pair –> Download file to Desktop

Identify your instance: servername

Click Create instance

Networking tab
Create static IP –> Enter servernameIP –> attach to servername
Make a note of the IP:

Instances tab
Click on instance

Networking tab
IPV4 firewall

Add two rules:

Application: HTTPS
Protocol: TCP
Port: 443

Application: Custom
Protocol: TCP
Port: 7080
Select Restrict to IP address and add your IP address (what is my IP?)

Edit existing SSH rule:

Select Restrict to IP address and add your IP address (what is my IP?)


Amend DNS records to point to the new server

Create/amend two DNS records:

Type: A
TTL: 300

TTL: 300

SSH and Update Debian

Set up initial SSH configuration using Lightsail key pair to allow remote root user login via password:

In terminal:

chmod 400 ~/Desktop/awskeypairname.pem

ssh -i ~/Desktop/awskeypairname.pem admin@

$ sudo -i
(switches to root user)

# nano /etc/ssh/sshd_config

Within the file, scroll through and:

1) Change #PermitRootLogin prohibit-password to PermitRootLogin yes (Note: without the leading # –> ‘uncomments’ the command)

2) Change PasswordAuthentication no to PasswordAuthentication yes

CTRL+O, Enter, CTRL+X to return to the command line.

# service sshd reload

# passwd

(enter new password for root user twice)

# exit
$ exit

ssh root@

(enter earlier password)

Should be able to log in.

# exit

Set up ssh configuration for automatic remote root user login

Assistance: (LearnLinuxTV from 9m50s to 45m50s)

In terminal:


Enter file name: /Users/username/.ssh/id_rsa_servernamekeypairname
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]

(Above generates a second ssh key pair for root user and subsequent standard users)

cat .ssh/

Displays a long key similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWe6bYxUz5nXp7A5zBdsB+6jdO8mmEWowTHHLsQ/9iixrTvKeygMpFQRPmludJeqlR9mMP5lp2LSrva80Flt/L5VxSNMGF1hixPqLyEW+UlsoPmludJeqlR9mMP5lp2LSrva8049I/GrROoLlmB1qgIYeic1swQhMapO1uvKCrrsyKSV9HT0dx+nPRk+0jgbnQIAlIEcW4Da50x5NCKGU0PiCTbPuWFnb4crZ6Z3yviPmludJeqlR9mMP5lp2LSrva8046PDEmuPMVDfaFQMEQCPpoQ8r83kllrGm9aNiPmludJeqlR9llrGm9aSrva80yC4LHmt2LZB7In3yA1 you@yourcomputer.lan

Copy the key onto your clipboard.

Now to ‘paste’ the key onto the server:

ssh root@
(enter password)

# nano .ssh/authorized_keys

File will already contain some text and a key relating to the awskeypairname.

On the line below the existing text/key, paste the copied key from the clipboard.

CTRL+O, Enter, CTRL+X to return to the command line.

# exit

nano .ssh/config

Within the file add the following lines:

Host servername-root
Port 22
User root
IdentityFile ~/.ssh/id_rsa_servernamekeypairname

CTRL+O, Enter, CTRL+X to return to the command line.

ssh servername-root

(should log straight in)
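
(Added example, not part of the original notes: once the key login above works, the PermitRootLogin yes and PasswordAuthentication yes settings from the earlier step are still in /etc/ssh/sshd_config. The script below works out the effective global values the way sshd does (first occurrence wins, Match blocks ignored) and flags the combination that leaves root password login open. The sample configs and the 'backup' user are constructed.)

```shell
#!/bin/sh
# Added example (not from the original notes): audit sshd_config for the
# root-password-login state left by the earlier PermitRootLogin step.

# Print the effective global value of a keyword. sshd keeps the FIRST value it
# reads for a keyword; lines after a "Match" line are conditional, so stop there.
# Assumes "Keyword value" form (the rarer "Keyword=value" is not handled).
sshd_effective() {  # usage: sshd_effective <keyword> <built-in default> <file>
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == want    { print tolower($2); found = 1; exit }
        END { if (!found) print def }     # keyword absent: built-in default
    ' "$3"
}

# Return 1 when root can log in over SSH with a password, 0 otherwise.
audit_root_login() {  # usage: audit_root_login <file>
    root=$(sshd_effective PermitRootLogin prohibit-password "$1")
    pass=$(sshd_effective PasswordAuthentication yes "$1")
    echo "PermitRootLogin=$root PasswordAuthentication=$pass"
    if [ "$root" = "yes" ] && [ "$pass" = "yes" ]; then
        echo "FAIL: root password login is reachable over SSH"
        return 1
    fi
    echo "OK: root needs a key to log in (or cannot log in at all)"
}

# Constructed sample configs: "weak" is what the steps above leave in place,
# "tight" is the same file once key login works. "backup" is a made-up user.
make_sample() {  # usage: make_sample weak|tight ; prints the temp file path
    f=$(mktemp)
    if [ "$1" = "weak" ]; then
        printf '%s\n' '#PermitRootLogin prohibit-password' \
            'PermitRootLogin yes' 'PasswordAuthentication yes' > "$f"
    else
        printf '%s\n' 'PermitRootLogin prohibit-password' \
            'PasswordAuthentication no' \
            'Match User backup' '    PasswordAuthentication yes' > "$f"
    fi
    echo "$f"
}

weak=$(make_sample weak)
tight=$(make_sample tight)
audit_root_login "$weak" || true   # expected to FAIL
audit_root_login "$tight"
rm -f "$weak" "$tight"
```

On the server itself, run audit_root_login /etc/ssh/sshd_config as root and compare with the output of sshd -T, which prints the configuration sshd actually loaded.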

Update Debian packages

While logged in as root, a good opportunity to update Debian packages:

# apt update

# apt upgrade (answer Y to prompts)

# exit


Set up SMTP email for server to send email notifications

(Assistance: Sylvain Durand, Debian (here and here))
(Permission errors within Debian 10: Alternative logfile path requires further adjustments. AskUbuntu)
(Errors within cron: Stackoverflow)

In terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install necessary email packages:

# apt install msmtp-mta (answer Y to prompts)
# apt install bsd-mailx (answer Y to prompts)

Create a system-wide SMTP config file:

# nano /etc/msmtprc

Insert the following lines:

auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account aws-system
port 587
password VeryLOnGPASw0RDAb!tlikeTHiS
account default : aws-system

(host, user and password can be retrieved from AWS SES. Ensure SMTP credentials are created in the SES region matching the host endpoint)

CTRL+O, Enter, CTRL+X to return to the command line.

# echo "message" | mail -s "title"

(Sends a test email. Check your inbox)

# cat .msmtp.log

(Shows the email log, example below. exitcode=EX_OK means it works)

Jan 01 01:23:45 tls=on auth=on user=L0NGUSERNAMEL1KETHIS mailsize=228 smtpstatus=250 smtpmsg='250 Ok 01020176e1cf4f13-b774792c-8714-4dd5-b28a-621d3ff63f3a-000000' exitcode=EX_OK

# exit

Install OpenLiteSpeed and Certbot

Install OpenLiteSpeed, create initial website and create Let’s Encrypt certificate

(Assistance: OpenLiteSpeed (here and here and here), Certbot and Snapcraft)

Within terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install OpenLiteSpeed packages:

# wget -O - | bash

# apt install openlitespeed (answer Y to prompts)

# apt install lsphp74 lsphp74-common lsphp74-curl lsphp74-dev lsphp74-imap lsphp74-intl lsphp74-json lsphp74-ldap lsphp74-mysql lsphp74-opcache lsphp74-pspell lsphp74-memcached lsphp74-redis lsphp74-sqlite3 lsphp74-tidy (answer Y to prompts)

Create files for initial user/website with appropriate permissions:

# groupadd yourdomaincouk

# useradd -M -g yourdomaincouk yourdomaincouk  

mkdir /home/

mkdir /home/

# chown yourdomaincouk:yourdomaincouk /home/

chmod 711 /home/

chown yourdomaincouk:nogroup /home/

chmod 750 /home/

touch /home/

chown -R yourdomaincouk:yourdomaincouk /home/

echo "<?php phpinfo();" > /home/

echo "hello world" > /home/

chown -R yourdomaincouk:yourdomaincouk /home/*

Create log directory for OpenLiteSpeed:

# mkdir /home/

# chown :nogroup /home/

# chmod 750 /home/

Start OpenLiteSpeed and create your WebAdmin login details:

# /usr/local/lsws/bin/lswsctrl start

# /usr/local/lsws/admin/misc/

(Enter administrator username and password)

In browser and OpenLiteSpeed WebAdmin


(proceed through SSL warnings and log into OpenLiteSpeed WebAdmin)

(if does not work and does work, then your DNS changes have yet to propagate).


Within the Server Configuration left-hand menu option:

General tab
General settings

Edit (top-right corner)
Server Name: A name for your server
Administrator Email: A contact email


Within the Virtual Hosts left-hand menu option:
Delete the Example Virtual Host

Add (a new Virtual Host, top-right corner)

Virtual Host Name: yourdomaincouk
Virtual Host Root: /home/
Config File: /usr/local/lsws/conf/vhosts/yourdomaincouk.conf
Enable Scripts/ExtApps: Yes
Restrained: Yes

Save (top-right corner)
CLICK TO CREATE the conf file
Save (top-right corner)

Within the Virtual Host list, click yourdomaincouk.

Within the General tab

Edit (top-right corner)

Document Root: /home/
Domain Name:
Domain Aliases:

Save (top-right corner)

Within the Log tab

Edit (Virtual Host Log, top-right corner)

Use Server’s Log: NO
File Name: $VH_ROOT/logs/virtualhost.log
Log Level: INFO
Rolling Size (bytes): 10M
Keep Days: 90

Save (top-right corner)

Add (Access Log, top-right corner)

Log Control: Own Log File
File Name: $VH_ROOT/logs/access.log
Rolling Size (bytes): 10M
Keep Days: 90
Compress Archive: Yes

Save (top-right corner)

Within the External App tab

Add (top-right corner)

Type: LiteSpeed SAPI App

Next (top-right corner)

Name: yourdomaincouk
Address: uds://tmp/lshttpd/yourdomaincouk.sock
Max Connections: 10
Environment: PHP_LSAPI_CHILDREN=10
Initial Request Timeout (secs): 60
Retry Timeout (secs): 0
Persistent Connection: Yes
Command: /usr/local/lsws/lsphp74/bin/lsphp
Run as User: yourdomaincouk
Run as Group: yourdomaincouk

Save (top-right corner)

Within the Script Handler tab

Add (top-right corner)

Suffixes: php
Handler Type: LiteSpeed SAPI
Handler name: [VHost Level]: yourdomaincouk

Save (top-right corner)

Within the Rewrite tab

Edit (top-right corner)

Enable Rewrite: Yes
Auto Load from .htaccess: Yes

Save (top-right corner)


Select the Listeners left-hand menu option
Delete the Default Listener

Add (a new Listener, top-right corner)

Listener name: http
IP Address: ANY IPv4
Port: 80
Secure: No

Save (top-right corner)

To map the domain to the Listener:

Within Listener Summary, View http Listener (magnifying glass icon)

Within Virtual Host Mappings, Add:

Virtual Host: yourdomaincouk
Domains:,, * ,


Restart OpenLiteSpeed (LSWS PID green button, top-right corner)

Within another browser window:

Visit (should see ‘hello world’)

Visit (should see php details)

Within terminal:


# apt install snapd (answer Y to prompts)

# snap install core

(Testing snap)
# snap install hello-world

(Note: On occasion this error may appear:
Warning: /snap/bin was not found in your $PATH. If you've not restarted your
session since you installed snapd, try doing that. Please see for more details.

If so then:
i) Exit the OpenLiteSpeed WebAdmin browser;
ii) reboot the server by # reboot, then wait a minute;
iii) return to the server by ssh servername-root
iv) return to the OpenLiteSpeed WebAdmin at

# hello-world
(‘Hello World!’ should appear)

# snap refresh core

(Install certbot)
# snap install --classic certbot

(Try a dry-run first to check if everything is working):

# certbot certonly --webroot -w /home/ -d -d --dry-run

(Then create a certificate):

# certbot certonly --webroot -w /home/ -d -d

(Enter email for urgent renewal and security notices (recommended), agree to the T&Cs [Y] and accept/decline campaign updates)

This message should eventually appear:

Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:

Within OpenLiteSpeed WebAdmin


Within the Listeners left-hand menu option:

Add (a new Listener, top-right corner):

Listener name: https
IP Address: ANY IPv4
Port: 443
Secure: Yes

Save (top-right corner):

To map the domain to the Listener:

Within Listener Summary, View https Listener (magnifying glass icon):

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/
Certificate File: /etc/letsencrypt/live/
Chained Certificate: Yes

Save (top-right corner).

Within the General tab

Within Virtual Host Mappings, Add:

Virtual Host: yourdomaincouk
Domains:,, * ,


Within the Virtual Hosts left-hand menu option:

Click on the yourdomaincouk Virtual Host in the table.

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/
Certificate File: /etc/letsencrypt/live/
Chained Certificate: Yes

Save (top-right corner).


Within the WebAdmin Settings left-hand menu option:

Select Listeners:

Click on adminListener in the table.

Within the SSL tab

Edit (top-right corner).

Private Key File: /etc/letsencrypt/live/
Certificate File: /etc/letsencrypt/live/
Chained Certificate: Yes

Save (top-right corner).

Restart OpenLiteSpeed (LSWS PID green button, top-right corner).

Within terminal:

# nano /home/

Insert the following text:

RewriteEngine On
RewriteCond %{HTTP_HOST} !yourdomain\.co\.uk [NC,OR]
RewriteCond %{HTTPS}  !=on
RewriteRule ^/?(.*)$1 [R=301,L]

CTRL+O, Enter, CTRL+X to return to the command line.

Restart OpenLiteSpeed for the .htaccess change to take effect:

# /usr/local/lsws/bin/lswsctrl restart

Within another browser window:

Visit (should see ‘hello world’ and secure browser padlock)

Visit (should see php details and secure browser padlock)


Install MariaDB, secure installation, create initial database

(Assistance: Digital Ocean)

Within terminal:

ssh servername-root

Ensure server packages are up to date:

# apt update

Install and secure MariaDB:

# apt install mariadb-server (answer Y to prompts)

# mysql_secure_installation

Answer the prompts as below:

Enter current password for root (enter for none): [Enter]
Set root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Create an administrator MariaDB user (example used: adminroot):

# mysql

MariaDB [(none)]> GRANT ALL ON *.* TO 'adminroot'@'localhost' IDENTIFIED BY 'yourpassword' WITH GRANT OPTION; 


MariaDB [(none)]> exit;

Check MariaDB is running:

systemctl status mariadb

mariadb.service - MariaDB 10.3.27 database serve
 Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: 
Active: active (running) since Mon 2020-12-28 11:14:00 UTC; 7min ago
Docs: man:mysqld(8)

Create a database for yourdomaincouk:

# mysql -u adminroot -p

(enter password)

MariaDB [(none)]> CREATE DATABASE yourdomaincouk;

MariaDB [(none)]> GRANT ALL ON yourdomaincouk.* TO 'yourdomaincouk'@'localhost' IDENTIFIED BY 'yourpassword';


MariaDB [(none)]> exit;

# exit


Set standard user password, home directory and automatic SSH login

Within terminal: (needs to be changed)

ssh servername-root

# passwd yourdomaincouk

(enter password and confirm password)

# usermod --home /home/ yourdomaincouk

# exit

cat .ssh/

Displays a long key similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWe6bYxUz5nXp7A5zBdsB+6jdO8mmEWowTHHLsQ/9iixrTvKeygMpFQRPmludJeqlR9mMP5lp2LSrva80Flt/L5VxSNMGF1hixPqLyEW+UlsoPmludJeqlR9mMP5lp2LSrva8049I/GrROoLlmB1qgIYeic1swQhMapO1uvKCrrsyKSV9HT0dx+nPRk+0jgbnQIAlIEcW4Da50x5NCKGU0PiCTbPuWFnb4crZ6Z3yviPmludJeqlR9mMP5lp2LSrva8046PDEmuPMVDfaFQMEQCPpoQ8r83kllrGm9aNiPmludJeqlR9llrGm9aSrva80yC4LHmt2LZB7In3yA1 you@yourcomputer.lan

Copy the key onto your clipboard.

Now to ‘paste’ the key onto the server:

ssh yourdomaincouk@

(enter password)

$ mkdir .ssh

$ nano .ssh/authorized_keys

Paste the copied key from the clipboard into the file.

CTRL+O, Enter, CTRL+X to return to the command line.

$ exit

nano .ssh/config

Within the file add the following lines:

Host servername-yourdomaincouk
Port 22
User yourdomaincouk
IdentityFile ~/.ssh/id_rsa_servernamekeypairname

CTRL+O, Enter, CTRL+X to return to the command line.

Test automatic login:

ssh servername-yourdomaincouk

$ exit

Certbot Auto-Renew Set-Up

(Assistance: Certbot)

Within terminal:

ssh servername-root

# nano /etc/letsencrypt/renewal-hooks/deploy/

Within the file add the following lines:

# NOTE: Based on
# Designed for Debian 10. Restarts OLS on every successful SSL renewal (hopefully!)
# Place this script inside

# /etc/letsencrypt/renewal-hooks/deploy/
# and name it ''
# Make the script executable with:
# chmod +x /etc/letsencrypt/renewal-hooks/deploy/
# Enjoy!
/usr/local/lsws/bin/lswsctrl restart

CTRL+O, Enter, CTRL+X to return to the command line.

Make the file executable:

# chmod +x /etc/letsencrypt/renewal-hooks/deploy/

Test the executable file (note the preceding full stop!):

# .

Should receive an [OK] message:

[OK] Send SIGUSR1 to 599

# exit

Certbot Renewal Test

Within terminal:

ssh servername-root

# certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Account registered.
Simulating renewal of an existing certificate for and
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Using the webroot path /home/ for all unmatched domains.
Waiting for verification…
Cleaning up challenges

Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/
new certificate deployed without reload, fullchain is

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/ (success)

# exit

Renewal logs are stored at /var/log/letsencrypt/

WordPress CLI Installation

(Assistance: WordPress, OpenLiteSpeed Forum)

Within terminal:

ssh servername-root

# curl -O

Check if WP-CLI works using OpenLiteSpeed php:

# /usr/local/lsws/lsphp74/bin/php wp-cli.phar --info

Should see output similar to this:

OS: Linux 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2(2020-11-28) x86_64
Shell: /bin/sh
PHP binary: /usr/local/lsws/lsphp74/bin/php
PHP version: 7.4.13
php.ini used: /usr/local/lsws/lsphp74/etc/php/7.4/litespeed/php.ini

# chmod +x wp-cli.phar
# mv wp-cli.phar /usr/local/bin/wp

Amend user profile to automatically use OpenLiteSpeed php with WP-CLI during every SSH session:

# nano /home/

Insert the following line:

export PATH=/usr/local/lsws/lsphp74/bin:$PATH

CTRL+O, Enter, CTRL+X to return to the command line.

# exit

Check the automatic profile works:

ssh servername-yourdomaincouk

$ wp --info

Output should show OpenLiteSpeed php:

OS: Linux 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2(2020-11-28) x86_64
Shell: /bin/sh
PHP binary: /usr/local/lsws/lsphp74/bin/php
PHP version: 7.4.13
php.ini used: /usr/local/lsws/lsphp74/etc/php/7.4/litespeed/php.ini

$ exit

Amend WordPress PHP configurations

ssh servername-root

Create WordPress config file to allow larger plugins, images etc to be uploaded through the dashboard. 

# nano /usr/local/lsws/lsphp74/etc/php/7.4/mods-available/wordpress.ini

Insert the following lines:

post_max_size = 128M
upload_max_filesize = 128M

CTRL+O, Enter, CTRL+X to return to the command line.

Restart OpenLiteSpeed for the PHP change to take effect:

# /usr/local/lsws/bin/lswsctrl restart

Visit to ensure post_max_size and upload_max_filesize both show 128M

# exit

Create Sendy Cronjobs

ssh servername-root

# crontab -u yourdomaincouk -e

Insert the following lines below the comments:

* * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/ > /dev/null 2>&1

* * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/ > /dev/null 2>&1

*/5 * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/ > /dev/null 2>&1

*/15 * * * * /usr/local/lsws/lsphp74/bin/lsphp /home/ > /dev/null 2>&1

CTRL+O, Enter, CTRL+X to return to the command line.

Wait a minute, then check to see whether the cronjobs are running (should be at least two a minute): 

# systemctl status cron

Jan 09 18:37:01 ip-172-26-5-155 CRON[22067]: pam_unix(cron:session): session ope
Jan 09 18:37:01 ip-172-26-5-155 CRON[22065]: pam_unix(cron:session): session ope
Jan 09 18:37:01 ip-172-26-5-155 CRON[22069]: (yourdomaincouk) CMD (/
Jan 09 18:37:01 ip-172-26-5-155 CRON[22070]: (yourdomaincouk) CMD (/

Then q to exit.

# exit