NGINX Server Configuration Guide

Professional Backend Server Administration & FileZilla SFTP Client Setup

๐Ÿ” Section 1: phpMyAdmin Installation & Security Configuration

1. Generate Secure Random Passwords

Before installing phpMyAdmin, generate three secure random passwords for database authentication and access control:

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 3

Command Explanation:
  • cat /dev/urandom - Reads random data from the system
  • tr -dc 'a-zA-Z0-9' - Deletes everything except alphanumeric characters
  • fold -w 12 - Creates 12-character segments
  • head -n 3 - Outputs the first 3 passwords

2. Create Database Administrator User

Access MySQL and create a privileged database administrator account:

sudo mysql

Execute the following SQL commands inside MySQL:

-- Create the account first; MySQL 8.0 rejects IDENTIFIED BY inside GRANT.
CREATE USER 'dbadmin'@'localhost' IDENTIFIED BY 'Cb7VogmHUwn6';
GRANT ALL ON *.* TO 'dbadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

⚠️ Security Note: Replace 'Cb7VogmHUwn6' with your own generated secure password. Never use example passwords in production environments.

3. Verify NGINX Configuration

Test and reload NGINX to ensure configuration integrity:

sudo nginx -t
sudo systemctl reload nginx

4. Generate HTTP Basic Authentication Credentials

Navigate to the NGINX includes directory and create a password hash:

cd /etc/nginx/includes
openssl passwd

When prompted, enter your chosen password (example: w9sv5hu98q0i). The system will generate a hash like:

$1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0

5. Create Password File

Store the username and hashed password in a dedicated authentication file:

sudo nano pma_userpass

Add the following content (replace with your credentials):

andrew:$1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0
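
Steps 4 and 5 can also be scripted. The following is an added example, not part of the original guide: it assumes SHA-512 crypt (openssl passwd -6) is wanted in place of the $1$ MD5-crypt hash shown above, and the helper names make_pma_entry and write_pma_file are hypothetical.

```bash
#!/bin/sh
# Added example, not from the guide. make_pma_entry and write_pma_file are
# hypothetical helper names; SHA-512 crypt is an assumption (see lead-in).

# Print "user:hash" for auth_basic_user_file. The password is read from
# stdin, so it never appears in the process list or shell history.
make_pma_entry() {
    local user="$1" hash
    case "$user" in
        ''|*:*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    hash=$(openssl passwd -6 -stdin) || return 1
    [ -n "$hash" ] || return 1
    printf '%s:%s\n' "$user" "$hash"
}

# Write a single entry to <file>, readable by owner and group only.
write_pma_file() {
    local user="$1" file="$2" entry
    entry=$(make_pma_entry "$user") || return 1
    # umask covers a newly created file; chmod covers an existing one.
    ( umask 027 && printf '%s\n' "$entry" > "$file" ) || return 1
    chmod 640 "$file"
}
```

Run write_pma_file as root against the password file, then change the file's group to the one the NGINX workers run as (www-data on Ubuntu, an assumption here) so they can still read it.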

6. Install phpMyAdmin

Update package repository and install phpMyAdmin:

sudo apt update
sudo apt install phpmyadmin

7. Create Obscured Symbolic Link

Create a symbolic link with a random directory name to obscure the phpMyAdmin location:

sudo ln -s /usr/share/phpmyadmin /var/www/html/V2th1pchBI71

💡 Best Practice: Using a random string (V2th1pchBI71) instead of /phpmyadmin makes it harder for automated attacks to discover your database management interface.

8. Configure NGINX Access Control

Create a dedicated phpMyAdmin configuration file:

sudo nano /etc/nginx/includes/pma.conf

Add the following comprehensive security configuration:

location ^~ /V2th1pchBI71 {
    # CONDITIONS
    satisfy all;
    # HTTP AUTHENTICATION
    auth_basic "Sign In";
    auth_basic_user_file /etc/nginx/includes/pma_userpass;
    # IP BASED ACCESS
    allow your_IP_ADDRESS;
    deny all;
    try_files $uri $uri/ =404;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        include /etc/nginx/includes/fastcgi_optimize.conf;
    }
}

⚠️ Important: Replace your_IP_ADDRESS with your actual public IP address. To find your current IP when SSH'd into the server, use: last -n3

Security Layer Architecture

Client Request
↓
IP Whitelist Check
↓
HTTP Basic Auth
↓
phpMyAdmin Access

9. Include Configuration in Default Server Block

Navigate to the NGINX sites configuration directory:

cd /etc/nginx/sites-available/
sudo nano default

Add the following include directive inside your server block:

include /etc/nginx/includes/pma.conf;

10. Validate and Apply Configuration

Test the NGINX configuration and reload the service:

sudo nginx -t
sudo systemctl reload nginx

11. Access phpMyAdmin

Open your web browser and navigate to:

http://server_ip/V2th1pchBI71/

✅ Success! You should now be prompted for HTTP authentication, followed by the phpMyAdmin login screen with your database credentials.
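
With satisfy all, NGINX answers 403 when the client IP is not in the allow list and 401 when the IP is allowed but the Basic credentials are missing or wrong, so the access log shows who keeps probing the obscured path. The following is an added example, not part of the original guide; the function names and the log lines are constructed, and the log is assumed to use NGINX's default "combined" format.

```bash
#!/bin/sh
# Added example, not from the guide. pma_denied_clients and sample_log are
# hypothetical names; the log lines below are constructed.

# Usage: pma_denied_clients <path-prefix> <min-failures> <access-log>
# Prints "ip 401=<n> 403=<n>" for every client with at least <min-failures>
# refused requests under the prefix. A browser's first request always draws
# one 401, so a threshold of 1 would flag every legitimate login.
pma_denied_clients() {
    awk -F'"' -v path="$1" -v min="$2" '
        {
            # Split on double quotes so a user name containing spaces
            # cannot shift fields: $1 = "ip - user [time] ",
            # $2 = request line, $3 = " status bytes ".
            split($1, pre, " "); split($2, req, " "); split($3, post, " ")
            ip = pre[1]; uri = req[2]; status = post[1]
            if (index(uri, path) != 1) next   # prefix match, like location ^~
            if (status == 401) unauth[ip]++
            else if (status == 403) denied[ip]++
            else next
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                if (unauth[ip] + denied[ip] >= min)
                    printf "%s 401=%d 403=%d\n", ip, unauth[ip], denied[ip]
        }' "$3" | sort
}

# Constructed sample in "combined" format (documentation IP ranges).
sample_log() {
    cat <<'EOF'
198.51.100.20 - - [10/Jan/2025:09:00:01 +0000] "GET /V2th1pchBI71/ HTTP/1.1" 401 179 "-" "Mozilla/5.0"
198.51.100.20 - andrew [10/Jan/2025:09:00:05 +0000] "GET /V2th1pchBI71/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.20 - bad user [10/Jan/2025:09:01:10 +0000] "GET /V2th1pchBI71/ HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:09:02:00 +0000] "GET /V2th1pchBI71/ HTTP/1.1" 403 153 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2025:09:02:01 +0000] "GET /V2th1pchBI71/index.php HTTP/1.1" 403 153 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2025:09:02:02 +0000] "POST /V2th1pchBI71/index.php HTTP/1.1" 403 153 "-" "curl/8.5.0"
203.0.113.9 - - [10/Jan/2025:09:03:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.5.0"
EOF
}
```

On the server, point the third argument at the NGINX access log; repeated 403s from an unknown address mean the random path is no longer secret.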

Section 2: Log Rotation Configuration

1. Configure Global Log Rotation Defaults

Navigate to the logrotate configuration directory and edit the main configuration file:

cd /etc/
sudo nano logrotate.conf

Make the following changes to optimize log management:

| Setting | Original Value | New Value | Purpose |
|---|---|---|---|
| Rotation Frequency | weekly | daily | More frequent log rotation for better monitoring |
| Retention Period | rotate 4 | rotate 7 | Keep 7 days of backup logs |
| Create New Files | create | create | Create empty log files after rotation |
| Compression | #compress | compress | Compress old logs to save disk space |

2. Configure Service-Specific Log Rotation

Navigate to the service-specific logrotate directory:

cd /etc/logrotate.d/
ls

You will need to modify the following four configuration files:

  • fail2ban - Intrusion prevention system logs
  • nginx - Web server access and error logs
  • rsyslog - System logging daemon
  • ufw - Uncomplicated Firewall logs

Edit each file, changing weekly to daily and the rotate value to 3:

sudo nano fail2ban
sudo nano nginx
sudo nano rsyslog
sudo nano ufw

Configuration Example: In each file, locate the rotation settings and modify them as follows:
  • Change: weekly → daily
  • Change: rotate 4 → rotate 3

3. Verify Log Rotation Configuration

Test the logrotate configuration in debug mode to ensure all settings are correct:

sudo logrotate -d /etc/logrotate.conf

✅ Verification: The debug mode will show you what logrotate would do without actually rotating any logs. Review the output for any errors or warnings.

Log Rotation Workflow

Log File Reaches Size/Time Limit
↓
Rotate & Rename Old Log
↓
Compress Rotated Log
↓
Create New Empty Log
↓
Delete Logs Older Than Retention Period

Section 3: NGINX Default Configuration Cleanup

Optimize and secure the default NGINX server block by removing unnecessary configurations and adding security measures:

1. Cleanup Objectives

  • Remove all comments for cleaner configuration
  • Remove the PHP location context (if not needed in default block)
  • Add return 444; to deny direct IP address access

2. Optimized Default Server Block

Replace your default server block with this streamlined configuration:

server {
    listen 80 default_server;
    root /var/www/html;
    index index.php;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
        return 444;
    }
}

Configuration Breakdown:
  • listen 80 default_server; - Listens on port 80 as the default catch-all server
  • root /var/www/html; - Sets the document root directory
  • index index.php; - Defines default index file
  • server_name _; - Wildcard server name (catches all unmatched domains)
  • return 444; - Returns no response and closes connection (security measure)

⚠️ Security Benefit: 444 is a non-standard status code specific to NGINX; return 444; closes the connection without sending a response header. This prevents unauthorized access via direct IP address and makes your server less visible to automated scanners.

Request Handling Flow

Client Requests Server IP
↓
Matches default_server Block
↓
return 444; Executed
↓
Connection Closed (No Response)

๐Ÿ“ Section 4: FileZilla SFTP Client Setup & Usage

What is FileZilla?

FileZilla is a free, cross-platform SFTP (SSH File Transfer Protocol) client that enables secure file upload and download operations between your local machine and remote server. It is available for Windows, Mac, and Linux operating systems.

1. Download FileZilla Safely

⚠️ Critical Security Warning:
  • Only download FileZilla from the official website: filezilla-project.org
  • Do NOT download from any other source
  • Some installers contain bundled offers - follow instructions below to avoid them

2. Correct Download Procedure

  1. Navigate to filezilla-project.org in your web browser
  2. Select "Download FileZilla Client all platforms"
  3. DO NOT click the green "Download FileZilla Client" button (contains bundled offers)
  4. Instead, click "Show additional download options"
  5. Select the appropriate version for your operating system:
    • Windows 64-bit
    • Windows 32-bit
    • Mac OS Intel
    • Mac OS Apple Silicon
    • Linux (via package manager)

💡 Version Note: FileZilla releases frequent updates. The current version shown may differ from examples. Always download the latest stable release from the official download options.

3. Mac Users: Special Setup Requirements

Mac users need to perform additional steps due to hidden directory restrictions:

Why This Is Necessary: Your SSH private key is located in the ~/.ssh directory. Directories starting with a dot (.) are hidden in macOS, and FileZilla cannot directly access files in hidden directories.

Mac Setup Procedure:

  1. Create a new directory in your home folder:
mkdir ~/fzc
  2. Copy your private key to this new directory using Terminal:
cp ~/.ssh/your_private_key ~/fzc/

Alternatively, use Finder to copy the file (you'll need to show hidden files first).

4. Configure FileZilla Site Manager

After installing FileZilla, configure a new SFTP connection:

Step-by-Step Configuration:

  1. Launch FileZilla
  2. Select File → Site Manager or click the Site Manager icon
  3. Click "New Site" to create a new connection profile
  4. Configure the following settings:

| Setting | Value | Notes |
|---|---|---|
| Protocol | SFTP - SSH File Transfer Protocol | Never use FTP - it's insecure |
| Host | Your server IP address | Example: 192.168.1.100 |
| Port | Leave blank (defaults to 22) | Unless you changed SSH port |
| Logon Type | Key file | Use SSH key authentication |
| User | Your non-root username | Example: andrew |
| Key file | Path to your private key | Browse to select the file |

5. Select Private Key File

Windows Users:

  1. Click "Browse" next to Key file
  2. Navigate to: C:\Users\YourUsername\.ssh\
  3. Change file filter from "PPK files" to "All files"
  4. Select your private key file

Mac Users:

  1. Click "Browse" next to Key file
  2. Navigate to the fzc directory you created
  3. Select your private key file

6. Key Conversion Process

When you select your private key, FileZilla will prompt you:

"The file is not in a format supported by FileZilla. Do you want to convert it into a supported format?"

Click Yes to convert the key.

  1. Enter your passphrase to unlock the private key
  2. FileZilla will convert the key to PuTTY Private Key (PPK) format
  3. Save the converted key with a meaningful name (e.g., "filezilla_private_key")
  4. When prompted to remember passwords, choose based on your security preference

⚠️ Security Consideration: Allowing FileZilla to save passwords enables automatic reconnection without re-entering credentials. Only enable this on trusted, secure computers.

7. Rename and Connect

  1. Before connecting, rename "New site" to something meaningful (e.g., "Production Server")
  2. Click Connect
  3. If prompted about server fingerprint, verify and click OK to trust and remember
  4. Enter your passphrase when prompted

✅ Connection Successful! You should now see your server's file system in the right pane (remote site) and your local file system in the left pane.

8. Understanding the FileZilla Interface

FileZilla Window Layout

| Pane | Location | Purpose |
|---|---|---|
| Local Site | Left Side | Your computer's files and folders |
| Remote Site | Right Side | Server's files and folders |
| Local Directory Tree | Top Left (optional) | Can be hidden to save space |
| Remote Directory Tree | Top Right (optional) | Can be hidden to save space |
| Transfer Queue | Bottom | Shows active and queued file transfers |

💡 Interface Tip: You can hide the directory tree panes (local and remote) through the View menu to gain more workspace for file listings.

9. Initial Connection Notes

Upon successful connection, you'll be placed in your user's home directory:

/home/andrew/

You may see directories such as:

  • nginx_bash_scripts
  • server_bash_scripts
  • wp_bash_scripts

First Connection Error: If you see "Could not connect to server" on first attempt, this is often due to firewall rules. Your firewall may prompt you to allow the connection. Once allowed, the connection should succeed immediately.

10. File Upload Best Practices

⚠️ Critical Rule: ALWAYS upload files to your user's home directory first. NEVER upload files directly to your WordPress site or other system directories.

Recommended Upload Workflow:

  1. Create a temporary directory in your home folder:
Right-click in remote pane → Create directory → Name: fzc_temp
  2. Upload files from your local machine to this temporary directory
  3. Use terminal to move files to their final destination with proper permissions

11. Transferring Files

Upload Files (Local to Server):

  1. Navigate to desired folder in left pane (local)
  2. Navigate to destination in right pane (server)
  3. Select files in left pane
  4. Drag and drop to right pane
  5. Files will upload automatically

Download Files (Server to Local):

  1. Navigate to source folder in right pane (server)
  2. Navigate to destination in left pane (local)
  3. Select files in right pane
  4. Drag and drop to left pane
  5. Files will download automatically

💡 Performance Tip: Increase concurrent transfers for faster performance:
  • Go to Settings → Transfers
  • Increase "Maximum simultaneous transfers" (recommended: 10)

12. Navigating the Server Filesystem

You can navigate outside your home directory, but be aware of permission restrictions:

| Directory | Access Level | Notes |
|---|---|---|
| /home/andrew/ | Full Access | Your home directory - upload here |
| /var/www/ | Read Only | Web server root - view only |
| /var/www/html/yoursite/ | Read Only | WordPress files - view only |
| /var/log/ | Limited | System logs - permission dependent |
| /lost+found/ | No Access | System recovery directory |

⚠️ Permission Errors: If you attempt to download files without proper permissions (e.g., log files owned by www-data:adm), you'll receive "Permission denied" errors. Always check file ownership and permissions before attempting transfers.

13. Post-Upload File Management

After uploading files to your temporary directory, use terminal to move them to their final destination:

Example: Moving uploaded files

cd ~/fzc_temp
ls
sudo mv * /destination/path/

Example: Copying uploaded files

cd ~/fzc_temp
sudo cp * /destination/path/

Cleanup temporary directory:

cd ~
sudo rm -rf fzc_temp

Secure File Upload Workflow

Local Files
↓
FileZilla Upload
↓
~/fzc_temp/
↓
Terminal mv/cp
↓
Final Destination
↓
Set Correct Permissions
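
The workflow ends with "Set Correct Permissions", but sudo mv * keeps the uploader's ownership and mode on each file and leaves dotfiles behind. The following is an added example, not part of the original guide, that moves staged files with an explicit mode and owner; publish_staged is a hypothetical name and www-data:www-data is an assumed owner for web content.

```bash
#!/bin/sh
# Added example, not from the guide. publish_staged is a hypothetical name.
# Usage: publish_staged <staging-dir> <dest-dir> <mode> [owner:group]
# Moves regular files out of the staging directory, giving each an explicit
# mode (and owner, when run as root). Prints the number of files published.
publish_staged() {
    local src="$1" dest="$2" mode="$3" owner="${4:-}" f count=0
    [ -d "$src" ] && [ -d "$dest" ] || { echo "missing directory" >&2; return 1; }
    # The second pattern picks up dotfiles, which a bare * would skip.
    for f in "$src"/* "$src"/.[!.]*; do
        # Regular files only. Symlinks are skipped so an uploaded link
        # cannot copy some other file's contents into the destination.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -n "$owner" ]; then
            install -m "$mode" -o "${owner%%:*}" -g "${owner##*:}" \
                "$f" "$dest/${f##*/}" || return 1
        else
            install -m "$mode" "$f" "$dest/${f##*/}" || return 1
        fi
        rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# On the server, as root (owner is an assumption, adjust to your site):
#   publish_staged /home/andrew/fzc_temp /destination/path 644 www-data:www-data
```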

14. WordPress Integration

If you've completed WP-CLI training, you can import uploaded media files properly:

wp media import ~/fzc_temp/*.jpg --user=admin

Why Not Upload Directly to WordPress?
  • WordPress tracks media in its database
  • Direct file uploads bypass WordPress's media management
  • Using WP-CLI ensures proper database entries and thumbnail generation
  • Maintains correct file permissions and ownership

15. Troubleshooting Common Issues

| Issue | Cause | Solution |
|---|---|---|
| Connection Refused | Firewall blocking connection | Allow FileZilla in firewall settings |
| Permission Denied | Insufficient file permissions | Upload to home directory, then move with sudo |
| Key Format Error | Incorrect key format | Allow FileZilla to convert key to PPK format |
| Timeout Errors | Network or server issues | Check server status, verify SSH is running |
| Cannot See Hidden Files | FileZilla settings | Server → Force showing hidden files |

16. Security Best Practices

✅ Security Checklist:
  • Always use SFTP, never FTP
  • Keep FileZilla updated to latest version
  • Use strong passphrases for SSH keys
  • Only save passwords on trusted devices
  • Verify server fingerprint on first connection
  • Upload to home directory first, never directly to system directories
  • Regularly review and clean up temporary upload directories
  • Use key-based authentication instead of passwords

Summary

FileZilla provides a user-friendly graphical interface for secure file transfers via SFTP. By following the proper upload workflow (home directory → terminal move/copy), you maintain server security and file system integrity while efficiently managing files between your local machine and server.

Conclusion

This comprehensive guide covered four essential aspects of backend server administration:

  1. phpMyAdmin Security: Multi-layer protection using obscured URLs, HTTP authentication, and IP whitelisting
  2. Log Rotation: Automated daily log management to maintain system health and save disk space
  3. NGINX Hardening: Streamlined default configuration that denies unauthorized access attempts
  4. FileZilla SFTP: Secure file transfer with proper workflows and permission management

✅ Key Takeaways:
  • Security is achieved through multiple layers of protection
  • Regular log rotation prevents disk space issues and maintains performance
  • Proper file upload workflows prevent permission and security issues
  • Always use secure protocols (SFTP) instead of insecure alternatives (FTP)

By implementing these configurations, you've significantly improved your server's security posture, maintainability, and operational efficiency. Regular monitoring and maintenance of these systems will ensure continued optimal performance.