
Secure, production-ready Mautic installation in 2024

Securing your Mautic Installation

UPDATED on FEB 9 2024, for Mautic 4.4.11

This is a basic but production-ready Mautic installation tutorial that you can run in a SMALL production environment with real data from your customers. It keeps everything as simple as possible but requires some basic understanding of the Linux command line.

This is a slightly more advanced installation process than the rest of the tutorials I usually provide.
It is meant for a basic but secure and production-ready Mautic setup, allowing for a more secure install of Mautic 4.4.12 on a Virtual Private Server (VPS) with PHP 8.1 on top of Ubuntu 22.04 LTS.

This tutorial should take you between 10 and 20 minutes depending on your level of expertise with Mautic and Linux.

If you are new to Mautic or the Linux command line, first try this much simpler Mautic tutorial: Mautic 4.4.12 installation on Ubuntu 22.04 with PHP8.0 and MariaDB 10.6. It is the simplest way to get started, and the probability of anything going sideways is minimal.

Pre-Installation

Create a subdomain to host your SSL-secured Mautic.

In order to have a secure server, you have to start securing it even before you start that server.
In the last step you will be enabling SSL, and to do so you will need a valid domain pointing to your Mautic VPS. Because DNS propagation takes some time, start by creating a new DNS record for your Mautic installation now, so the DNS gets propagated while you follow the rest of this tutorial.

Your subdomain can be anything, for example: mautic.yourdomain.com or whatever.yourdomain.com

This is usually configured in the control panel of your domain registrar (the website where you purchased your domain). If someone else is doing it for you, just ask them to “Add an A record for mautic.yourdomain.com”. Of course, change “yourdomain.com” to your real domain name. They will ask you something like “What’s the IP?” or “Where do I point the record to?” However they formulate the question, the answer is always the IP of your VPS 😉

The first thing you need to do is NOT TO USE A PASSWORD but a KEY instead at the time you create (buy) your new VPS.
Using a key greatly increases your security against brute force attacks and also has a very nice extra advantage: you will never, ever again have to type your password to access your VPS.

Create a Private and Public Key pair:
Keys and passwords are not that different; however, a key is 512 or 1024 characters long (up to 4096 currently), is designed to be communicated in a more secure fashion, and is stored only on your computer (preferably encrypted).

I know, creating a private and public key pair is not that fun the first time you do it, I remember how confused I was, back in 2008, when I tried to launch my first AWS instance, a key was required…  Luckily today there are many good tutorials, including several ones from the DO blog that will get you ready in no time.

If you create your key beforehand, you will be able to use it when creating a new droplet, and the whole key setup process will be automated for you. If you want to reuse an existing VPS that was previously using a password, you will have to install the key in the droplet manually. In all cases, this page has all the information you might require: https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/

Having a key increases your security almost as much as all the rest of the steps in this tutorial together. If despite that, for whatever reason you choose to use a password, make it at least 32 random characters long.
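As an added check (example code written for this page, not part of the original tutorial or of the DigitalOcean docs it links to): once your key is installed and you have logged in with it, confirm that the SSH daemon really refuses passwords. The script parses the effective configuration printed by `sshd -T`, which already resolves the `Include` drop-ins that Ubuntu 22.04 uses, so a commented-out line in /etc/ssh/sshd_config cannot fool it. It assumes you run it as root on the VPS; the function names and the drop-in file name in the comment are my own choices.

```shell
#!/bin/sh
# Added example for this page (not the tutorial's own code): verify that the
# SSH server enforces key-based login. Run as root on the VPS.

# check_sshd_effective CONFIG_TEXT
# CONFIG_TEXT is the output of "sshd -T" (effective settings, one
# "keyword value" pair per line, keywords in lowercase). Returns 0 when
# password logins are off and public-key logins are on; otherwise prints
# each deviation and returns 1.
check_sshd_effective() {
  cfg="$1"
  rc=0
  for want in "passwordauthentication no" "pubkeyauthentication yes"; do
    key=${want%% *}        # keyword part, e.g. passwordauthentication
    expect=${want#* }      # required value, e.g. no
    got=$(printf '%s\n' "$cfg" |
      awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
    if [ "$got" != "$expect" ]; then
      echo "sshd: $key is '${got:-unset}', expected '$expect'" >&2
      rc=1
    fi
  done
  return $rc
}

# audit_live_sshd: run the check against the daemon's real effective config.
# "sshd -T" needs root because it reads the host keys.
audit_live_sshd() {
  check_sshd_effective "$(sshd -T)"
}

# Typical fix when the check fails (the drop-in file name is a hypothetical
# choice for this example):
#   printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' \
#     > /etc/ssh/sshd_config.d/60-keys-only.conf
#   sshd -t && systemctl reload ssh
# Apply it only after a key login has been confirmed in a second session,
# so a typo cannot lock you out.
```

Run `audit_live_sshd` after the key is in place; a zero exit status means the server will only accept keys.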

Another very important step before you start installing Mautic is securing your new server with a firewall.


Configuring a firewall:
There are 2 main options for this: an external firewall and an internal firewall. An external firewall is provided by your cloud company; the internal firewall is one you set up inside your VPS.

a) Using an external firewall: Most cloud providers will offer you an external firewall, most probably for free. External firewalls on AWS, Google Cloud and other top-tier providers are excellent. The main advantage of using a good external firewall is that you can set up your firewall rules before you even start your new VPS, hence protecting it from the very instant of its creation.
Digital Ocean’s firewall is relatively simple to configure; however, you cannot assign a firewall rule to a new droplet before it exists, hence leaving the droplet unprotected for the few minutes that it takes to configure it. This is a huge design flaw that I am sure they will fix soon enough, but in the meantime, their firewall is no better than an internal firewall.

Since every external firewall works slightly differently from the rest, I am not going to detail the steps; each cloud provider has its own tutorials for its own firewall, so check those. Here is how to set up a firewall on DO.

b) Using an internal firewall: This option is simpler and faster to configure, it does the job perfectly in our situation, and it’s a good practice to set it up even if you also use an external one.

Ubuntu comes with UFW (Uncomplicated FireWall) preinstalled, which makes securing your VPS a snap.
UFW closes all ports by default, so basically it closes all possible points of entry to your server, making it quite secure. Since all ports will be closed, nobody is going to be able to reach your VPS, not even you, unless we “punch a hole” (open a port) in the firewall. Since we’re using the SSH protocol to connect to our server, we need to open port 22 before we activate the firewall, or we would be unable to reach our own VPS.
To configure the firewall so port 22 is open:

sudo su

ufw allow 22

If you decided to enable an external firewall this is the time to open port 22 ALSO on the external firewall. In fact, every time we open a port on the internal firewall with the ufw allow command, you have to remember to open the same port on the external firewall.

Now we can start the firewall:

ufw enable
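The same UFW steps, as an added example written for this page (not the tutorial's own commands), wrapped in a guard that refuses to run `ufw enable` until an allow rule for the SSH port has been added, so the order of the two commands can never lock you out. It assumes you are root (after `sudo su`) and that SSH listens on port 22 unless `SSH_PORT` is set; the function names are mine. It also opens ports 80 and 443, which the tutorial does later in the Installing Mautic step.

```shell
#!/bin/sh
# Added example for this page (not the tutorial's own code): the ufw steps
# with a lock-out guard. Assumes root and SSH on port 22 unless SSH_PORT is set.

SSH_PORT="${SSH_PORT:-22}"

# ssh_rule_present RULES_TEXT
# RULES_TEXT is the output of "ufw show added", which lists the rules you
# have added even while the firewall is still inactive ("ufw status" prints
# only "Status: inactive" before "ufw enable"). Returns 0 if one of them
# allows the SSH port: "ufw allow 22", "ufw allow 22/tcp",
# "ufw allow in 22/tcp" or the "ufw allow OpenSSH" application profile.
ssh_rule_present() {
  printf '%s\n' "$1" |
    grep -Eq "^ufw allow (in )?(${SSH_PORT}(/tcp)?|OpenSSH)([[:space:]]|\$)"
}

# safe_ufw_enable: enable the firewall only when the SSH hole already exists.
safe_ufw_enable() {
  added=$(ufw show added) || return 1
  if ! ssh_rule_present "$added"; then
    echo "refusing 'ufw enable': no allow rule for port $SSH_PORT yet" >&2
    echo "run: ufw allow $SSH_PORT/tcp  (and open it on any external firewall too)" >&2
    return 1
  fi
  ufw --force enable     # --force skips the interactive y/n prompt
}

# harden_firewall: the tutorial's rule set. Only SSH, HTTP and HTTPS are
# reachable from outside; every other inbound port stays closed.
harden_firewall() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow "$SSH_PORT/tcp"
  ufw allow 80/tcp
  ufw allow 443/tcp
  safe_ufw_enable
}
```

Calling `harden_firewall` reproduces the tutorial's end state in one go; calling `safe_ufw_enable` on its own is the useful part if you add rules by hand.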

Here’s how ports work: every computer has about 65,000 ports. If there is a service listening on a port, that service is responsible for the security of that port; for example, if you start an SSH server, it takes control of port 22 and is responsible for whatever information comes and goes through that port. If you enable Apache or Nginx, they take ownership of ports 80 and 443. Every service uses one or more ports to communicate with the outside world.

What happens to the rest of those 65,000 ports? If there is no service listening on a port, then there is “nobody” in charge of what happens on it, which leaves 65K doors open to anyone, a huge potential security risk.
A firewall takes care of that by blocking any port that you don’t explicitly open.

Check this article if you want to learn more about UFW

 
Not using the root user:

On the simple installation series of tutorials, for simplicity’s sake, we used the root account to issue all the commands. This is considered bad practice security-wise, so consider creating a new user and giving it enough rights to do all the required tasks.
I personally believe that creating a new user and then giving it sudo access is just as dangerous as using the root account directly, so I don’t use this technique except when there will be several users managing a server; then it makes much more sense to have finer control over who can do what and a log of who did what.
If you decide to create a new user, make it a sudoer, close your current (root) connection and connect back with the new user.

OK, the pre-installation is now complete, we can proceed with the Mautic installation.

Installing Mautic:

Start by opening ports 80 for regular browser access and 443 for SSL requests:

ufw allow 80

ufw allow 443

If you have already installed Mautic beforehand, you can jump to the next step: Securing your MySQL server.
If you haven’t installed Mautic yet, you can do that now using any of the tutorials on this website:

Mautic 3: (a bit too outdated maybe) Mautic 3.3.5 Installation on Ubuntu 20.04 with PHP 7.3 and MySQL 5.7

Mautic 4: (Recommended!!) Mautic 4.4.12 Installation on Ubuntu 22.04 with PHP 8.0 and MariaDB 10.6

Mautic 5: (Too new for production, great for testing) Mautic 5.0.3 Installation on Ubuntu 22.04 with PHP 8.1 and MariaDB 11

Securing your MySQL server:

Securing your MariaDB (MySQL) server is very simple and can be done with just one command. It is a very basic security script that asks you some questions in order to make your server more secure while keeping it usable for your purposes. For this type of setup, it does the job perfectly.

mysql_secure_installation

This will start the interactive script, you just have to answer the questions with these answers:

Enter current password for root (enter for none):  (enter)
Change the root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

You are done. As you can see, you basically just have to answer yes to all the questions and let the script do the work for you XD
Almost done: the Mautic server is now installed and secured. Before we run the Mautic Configuration Wizard, port 80 needs to be open on the firewall so we can connect to our server from a browser (we already did this above with ufw allow 80).

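As an added example written for this page (not part of the tutorial or of the mysql_secure_installation script itself), here is a way to verify that the answers above actually took effect: no anonymous accounts, no root login from remote hosts, and no test database. Each check parses query output, so the logic can be read and tested without a database, and `run_mysql_audit` feeds it the live results. It assumes root can run the `mysql` client without typing a password (unix_socket authentication, or credentials in ~/.my.cnf); the function names are mine.

```shell
#!/bin/sh
# Added example for this page (not the tutorial's own code): confirm the
# outcome of mysql_secure_installation. Run as root on the VPS.
tab=$(printf '\t')

# audit_mysql_users TEXT
# TEXT is the tab-separated output of:
#   mysql -N -B -e 'SELECT User, Host FROM mysql.user'
# Flags anonymous accounts (empty user name) and root accounts that may log
# in from anywhere but the local host. Returns 1 if anything was flagged.
audit_mysql_users() {
  printf '%s\n' "$1" | awk -F"$tab" '
    NF < 2 { next }
    $1 == "" { print "anonymous account allowed from host " $2; bad = 1 }
    $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
      print "root login allowed from " $2; bad = 1
    }
    END { if (bad) exit 1; exit 0 }'
}

# audit_mysql_databases TEXT
# TEXT is the output of:  mysql -N -B -e 'SHOW DATABASES'
# Flags the "test" database and any "test_..." database, which the stock
# privilege tables make accessible to every account (that is the "access
# to it" the script asks about). Returns 1 if anything was flagged.
audit_mysql_databases() {
  printf '%s\n' "$1" | awk '
    $1 == "test" || $1 ~ /^test_/ { print "test database still present: " $1; bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

# run_mysql_audit: run both checks against the live server; non-zero exit
# means at least one finding was printed.
run_mysql_audit() {
  rc=0
  audit_mysql_users "$(mysql -N -B -e 'SELECT User, Host FROM mysql.user')" || rc=1
  audit_mysql_databases "$(mysql -N -B -e 'SHOW DATABASES')" || rc=1
  return $rc
}
```

If `run_mysql_audit` prints a finding, re-run mysql_secure_installation and answer "y" to the corresponding question.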

Enable HTTPS with Certbot

It’s important to enable secure connections for the users who connect to Mautic using a browser, and Certbot is about the simplest way to enable SSL on your server.

Before you can enable HTTPS, you need to have a domain enabled for Mautic: if your domain is called yourdomain.com, you need a subdomain for Mautic, for example mautic.yourdomain.com. This is the A record you created in the Pre-Installation section above, so by now it should have propagated.

OK then. Certbot is another automated script that does a lot of work for you: it installs the required certificates and modifies your Apache 2 configuration so you don’t have to. It also runs a verification process that requires port 80 to be open, so the Open SSL servers can make a request to verify your ownership of the server, and since during the installation we will want to force SSL redirection, we also need port 443 open.

Since Certbot is not found in the default Ubuntu repositories, we first need to add the Certbot repository to your server’s list:

sudo add-apt-repository ppa:certbot/certbot

Since we added a new repo, it’s important to make sure all packages are up to date: 
apt update && apt upgrade -y

We can now finally install Certbot for Apache 2:
sudo apt-get install python3-certbot-apache

Now let’s launch Certbot’s interactive setup:

certbot --apache -d mautic.yourdomain.com

 
Now answer the questions and Certbot will take care of the rest…
Once the setup is done, you’ll want to enable automatic renewal of the certificate; the dry run below checks that renewal works:
sudo certbot renew --dry-run

You are good to go, open your browser and try to connect to your Mautic server with HTTPS.
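As an added example written for this page (not the tutorial's or Certbot's own code), here is an outside-in check of the result: plain-HTTP requests must be redirected to an https:// URL (the "force SSL redirection" choice made during the Certbot setup), and the certificate actually served on port 443 is printed with its expiry date. It needs curl and openssl on the machine you run it from; the hostname is a placeholder and the function names are mine.

```shell
#!/bin/sh
# Added example for this page (not the tutorial's own code): verify the
# HTTP-to-HTTPS redirect and show the served certificate's expiry.

# redirects_to_https HEADERS
# HEADERS is the raw response to a HEAD request on http://host/ (as printed
# by "curl -sI"). Returns 0 only if the status is a redirect and the
# Location header points at an https:// URL; otherwise explains why not.
redirects_to_https() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')      # strip CRLF line endings
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  location=$(printf '%s\n' "$headers" |
    awk 'tolower($1) == "location:" { print $2; exit }')
  case "$status" in
    301|302|307|308) ;;
    *) echo "expected a redirect, got status '${status:-none}'" >&2; return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) echo "redirect target is not https: '${location:-none}'" >&2; return 1 ;;
  esac
}

# check_site HOST: live check of the redirect, then the notAfter date of the
# certificate served on :443 (SNI is sent so a shared IP returns the right one).
check_site() {
  host="$1"
  redirects_to_https "$(curl -sI "http://$host/")" || return 1
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate
}

# Usage: check_site mautic.yourdomain.com   (placeholder hostname)
```

Run `check_site` again after `certbot renew` has done its work; the printed notAfter date should move forward, which is the simplest proof that automatic renewal is really happening.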

Yosu Cadilla

My name is Yosu Cadilla, a Systems Analyst and Platform Engineer for mktg.dev
I discovered Mautic in 2017 and since have specialized in:
– Running Mautic for Marketing Agencies.
– Running large Mautic instances, sometimes with millions of contacts.
– Helping companies build and optimize their (usually Mautic) runtime infrastructure.

If you are planning on deploying Mautic for your Marketing Agency, or you have a large Mautic Instance…
Let’s have a chat! yosu.cadilla@gmail.com