Secure Mautic Installation on a VPS in 2020
UPDATED on January 28, 2020, for Mautic 2.15.3
This is a basic but production-ready Mautic installation tutorial that you can run in a SMALL production environment with real data from your customers. This tutorial keeps everything as simple as possible but requires some basic understanding of the Linux command line.
If you are new to Mautic or the Linux command line, first try the simpler tutorial, Mautic Installation in 3 Simple Steps: it is the simplest way to get started and the probability of anything going sideways is minimal. It is designed to give you a quick success using the command line, so you can have an easy victory and gain the confidence to advance later to this second part.
This is a slightly more advanced installation process allowing for a more secure install of Mautic 2.15.3 on a Virtual Private Server (VPS) with PHP 7.2 on top of Ubuntu 18.04 LTS. This tutorial should take you between 10 and 20 minutes depending on your level of expertise with Mautic and Linux.
In order to have a secure server, you have to start securing it even before you start that server.
In the last step you will enable SSL, which requires a valid domain pointing to your Mautic VPS. Because DNS propagation takes some time, start by creating a new DNS record for your Mautic installation now, for example: mautic.yourdomain.com
The first thing to do, at the time you create (buy) your new VPS, is NOT TO USE A PASSWORD but a KEY instead.
Having a key greatly increases your security against brute force attacks and also has a very nice extra advantage: you will never, ever have to type your password to access your VPS.
Create a Private and Public Key pair:
Keys and passwords are not that different; however, a key is 256, 512 or 1024 characters long (up to 4096 currently), is designed to be exchanged in a more secure fashion, and is stored only on your computer (preferably encrypted).
I know, creating a private and public key pair is not that fun the first time you do it. I remember how confused I was back in 2008 when I tried to launch my first AWS instance and a key was required… Luckily, today there are many good tutorials, including several from the DO blog, that will get you ready in no time.
If you create your key beforehand, you will be able to use it when creating a new droplet and the whole key setup process will be automated for you. If you want to reuse an existing VPS that was previously using a password, you will have to install the key in the droplet manually. In either case, this page has all the information you might require: https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/
Having a key increases your security almost as much as all the rest of the steps in this tutorial together. If, despite that, you choose to use a password for whatever reason, make it at least 32 random characters long.
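The two halves of the key step above, as an added example that is not part of the tutorial or of DigitalOcean's docs: generating the pair on your own machine, and then confirming on the VPS that password logins really are off once the key works. It assumes OpenSSH on both ends; the key path, comment and sub-commands are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate the key pair locally, then
# (after the first login with it) confirm that the VPS no longer accepts
# passwords at all. Assumes OpenSSH on both ends; the key path and comment
# are this example's choice. Usage: "make-key" on your PC, "check" on the VPS.
set -eu

KEY="${HOME}/.ssh/mautic_vps_ed25519"

# make_key: Ed25519 key, passphrase-protected (-a 100 KDF rounds slows down
# guessing of the passphrase if the file is ever copied). The private key
# never leaves this computer; only the .pub goes to the provider.
make_key() {
    mkdir -p "$(dirname "$KEY")" && chmod 700 "$(dirname "$KEY")"
    ssh-keygen -t ed25519 -a 100 -C "mautic-vps" -f "$KEY"
    chmod 600 "$KEY"
    echo "paste this into the provider's SSH key field:"
    cat "$KEY.pub"
}

# sshd_value CONFIG KEY: read one effective setting from "sshd -T" output
# (keys are printed in lower case, one "key value" pair per line).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# password_auth_disabled CONFIG: succeed only if both password and
# keyboard-interactive logins are off and public-key logins are on.
password_auth_disabled() {
    [ "$(sshd_value "$1" passwordauthentication)" = "no" ] &&
    [ "$(sshd_value "$1" challengeresponseauthentication)" = "no" ] &&
    [ "$(sshd_value "$1" pubkeyauthentication)" = "yes" ]
}

case "${1:-}" in
    make-key) make_key ;;
    check)
        # run on the VPS as root, once you are logged in with the key
        if password_auth_disabled "$(sshd -T)"; then
            echo "sshd: password logins are disabled"
        else
            echo "WARNING: sshd still accepts passwords; set PasswordAuthentication no" >&2
            exit 1
        fi ;;
esac
```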
Another very important step before you start installing Mautic is securing your new server with a firewall.
Configuring a firewall:
There are two main options for this: an external firewall and an internal firewall. An external firewall is provided by your cloud company; an internal firewall is one you set up inside your VPS.
a) Using an external firewall: Most cloud providers will offer you an external firewall, most probably for free. External firewalls on AWS, Google Cloud and other top tier providers are excellent. The main advantage of using a good external firewall is that you can set up your firewall rules before you even start your new VPS, hence protecting it from the very instant of its creation.
Digital Ocean’s firewall is relatively simple to configure; however, you cannot assign a firewall rule to a new droplet before it exists, which leaves the droplet unprotected for the few minutes it takes to configure it. This is a huge design flaw that I am sure they will fix soon enough, but in the meantime their firewall is no better than an internal firewall.
Since every external firewall works slightly differently, I am not going to detail the steps; each cloud provider has its own tutorials for its firewall, so check those. Here is how to set up a firewall on DO.
b) Using an internal firewall: This option is simpler and faster to configure; it does the job perfectly in our situation, and it’s good practice to set it up even if you also use an external one.
Ubuntu comes with UFW (Uncomplicated FireWall) preinstalled, which makes securing your VPS a snap.
UFW closes all ports by default, so basically it closes every possible point of entry to your server, making it quite secure. Since all ports will be closed, nobody is going to be able to reach your VPS, not even you, unless we “punch a hole” (open a port) in the firewall. Since we’re using the SSH protocol to connect to our server, we need to open port 22 before we activate the firewall, or we would be unable to reach our own VPS.
To configure the firewall so port 22 is open:
ufw allow 22
If you decided to enable an external firewall, this is the time to open port 22 on the external firewall ALSO. In fact, every time we open a port on the internal firewall with the ufw allow command, remember to open the same port on the external firewall.
Now we can start the firewall:
Here’s how ports work: every computer has about 65,000 ports. If there is a service listening on a port, that service is responsible for the security of that port; for example, if you start an SSH server, it takes control of port 22 and is responsible for whatever information comes and goes through that port. If you enable Apache or Nginx, they take ownership of ports 80 and 443. Every service uses one or more ports to communicate with the outside world.
What happens to the rest of those 65,000 ports? If there is no service listening on a port, then there’s “nobody” in charge of what happens on it, which leaves 65K doors open to anyone: a huge security risk.
A firewall takes care of that by blocking any ports that you don’t need to use.
Check this article if you want to learn more about UFW.
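The firewall procedure above (allow 22 first, then enable, with 80 and 443 added in later steps) and the “which ports are open?” check, as one added example that is not part of the tutorial. It assumes Ubuntu 18.04 with ufw, is run as root with the argument `apply`, and uses tcp-only rules, which is slightly tighter than the tutorial’s `ufw allow 22` (that form also opens UDP).

```shell
#!/bin/sh
# Added example, not from the tutorial: bring up UFW in the order the text
# describes (allow SSH *before* enabling) and verify that only the ports the
# tutorial needs are exposed. Assumes Ubuntu 18.04 with ufw; run as root
# with the argument "apply" on the VPS.
set -eu

# Ports the tutorial opens over the course of the install: 22 now, 80 and
# 443 in the later steps. Anything else showing up as ALLOW is drift.
REQUIRED_PORTS="22 80 443"

# apply_rules: deny all inbound by default, allow only the listed ports,
# then enable without the interactive "may disrupt existing ssh" prompt.
apply_rules() {
    ufw default deny incoming
    ufw default allow outgoing
    for p in $REQUIRED_PORTS; do
        ufw allow "$p/tcp"
    done
    ufw --force enable
}

# allowed_ports STATUS_TEXT: from the output of "ufw status", print the
# port numbers that are ALLOWed from anywhere, one per line, deduplicated
# (the "(v6)" lines carry the action in column 3 and are skipped on purpose).
allowed_ports() {
    printf '%s\n' "$1" \
      | awk '$1 ~ "^[0-9]+(/tcp)?$" && $2 == "ALLOW" { sub("/tcp$", "", $1); print $1 }' \
      | sort -un
}

# check_exposure STATUS_TEXT: succeed only when the ALLOW set is exactly
# REQUIRED_PORTS; otherwise report the difference and fail, so a stray
# "ufw allow 3306" does not go unnoticed.
check_exposure() {
    actual=$(allowed_ports "$1" | tr '\n' ' ')
    expected=$(printf '%s\n' $REQUIRED_PORTS | sort -un | tr '\n' ' ')
    if [ "$actual" != "$expected" ]; then
        echo "firewall drift: allowed='$actual' expected='$expected'" >&2
        return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
    check_exposure "$(ufw status)"
fi
```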
Not using the root user:
In the first tutorial, for simplicity’s sake, we used the root account to issue all the commands. This is considered bad practice security-wise, so consider creating a new user and giving it enough rights to do all the required tasks.
I personally believe that creating a new user and then giving it sudo access is just as dangerous as using the root account directly, so I don’t use this technique except when there will be several users managing a server; then it makes much more sense to have finer control over who can do what and a log of who did what.
If you decide to create a new user, make it a sudoer, close your current (root) connection and reconnect as the new user.
OK, the pre-installation is now complete; we can proceed with the Mautic installation.
Most of the following steps are exactly the same as in the first tutorial. If you already followed it, you can skip directly to the “Securing your MySQL server” section below.
Make sure the server is up to date by updating the Ubuntu installation.
apt update && apt upgrade -y
Installing all the required packages (applications) needed to run Mautic.
apt install apache2 libapache2-mod-php php unzip mariadb-server php-xml php-mysql php-imap php-zip php-intl php-curl ntp -y
Activating certain Apache 2 modules that are not active by default after installation.
Downloading and uncompressing the Mautic files.
Making sure Apache and Mautic both have ownership of and write access to the files.
chown -R www-data:www-data /var/www/html
chmod -R 775 /var/www/html
mv 000-default.txt /etc/apache2/sites-available/000-default.conf
Creating a database for Mautic.
mysql -u root
This command connects you to your database; the only difference you will notice is that the text before your command prompt changes to “MariaDB [(none)]>”
CREATE DATABASE mautic DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
GRANT ALL ON mautic.* TO 'root'@'localhost' IDENTIFIED BY 'password';
After the “EXIT;” command you return to the normal shell prompt…
Securing your MySQL server:
Securing your MariaDB (MySQL) server is very simple and can be done with just one command. It is a very basic security script that asks you some questions in order to make your server more secure while keeping it usable for your purposes. For this type of setup, it does the job perfectly.
This starts the interactive script; you just have to answer its questions as follows:
- Enter current password for root (enter for none): just press Enter
- Change the root password? [Y/n]: Y
- Remove anonymous users? [Y/n]: Y
- Disallow root login remotely? [Y/n]: Y
- Remove test database and access to it? [Y/n]: Y
- Reload privilege tables now? [Y/n]: Y
You are done. As you can see, you basically just answer yes to all questions and let the script do the work for you XD.
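A stricter alternative to the earlier `GRANT ALL ON mautic.* TO 'root'@'localhost' IDENTIFIED BY 'password'`, as an added example that is not part of the tutorial: a dedicated MariaDB account with only the rights Mautic needs on its own schema and a generated password, so root stays an administration-only account. It assumes MariaDB on the same host, reachable as `mysql -u root` like in the tutorial, and is run as root with the argument `apply`; the user name, privilege list and password file path are this example’s own choices, and the resulting user and password are what you then enter in the wizard instead of root/password.

```shell
#!/bin/sh
# Added example, not part of the tutorial: provision a dedicated, least-
# privilege MariaDB account for Mautic instead of handing the wizard the
# root account with the password 'password'. Assumes MariaDB on the same
# host, reachable as "mysql -u root" like in the tutorial; run as root on
# the VPS with the argument "apply". Names below are this example's choice.
set -eu

DB_NAME="mautic"       # must match the database created earlier (case-sensitive on Linux)
DB_USER="mautic"
DB_HOST="localhost"    # Mautic runs on the same box, so no remote DB access is needed
PW_FILE="/root/mautic-db-password"

# gen_password: 32 random alphanumeric characters from the kernel CSPRNG
# (about 190 bits), deliberately free of quotes and backslashes.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# password_ok PW: refuse anything short or containing characters that would
# need escaping in the SQL below.
password_ok() {
    [ "${#1}" -ge 24 ] || return 1
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
}

# provision_sql DB USER HOST PW: the statements to run. Only table-level
# rights on Mautic's own schema; no global privileges, no GRANT OPTION.
# The privilege list is this example's assumption of what the installer
# and migrations need; widen it only if an upgrade complains.
provision_sql() {
    cat <<EOF
CREATE USER IF NOT EXISTS '$2'@'$3' IDENTIFIED BY '$4';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      REFERENCES, CREATE TEMPORARY TABLES, LOCK TABLES ON \`$1\`.* TO '$2'@'$3';
FLUSH PRIVILEGES;
EOF
}

if [ "${1:-}" = "apply" ]; then
    PW=$(gen_password)
    password_ok "$PW"
    provision_sql "$DB_NAME" "$DB_USER" "$DB_HOST" "$PW" | mysql -u root
    umask 077                                # password file readable by root only
    printf '%s\n' "$PW" > "$PW_FILE"
    echo "user '$DB_USER'@'$DB_HOST' created; wizard password saved in $PW_FILE"
fi
```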
Almost done: the Mautic server is now installed and secured. Before we run the Mautic Configuration Wizard, we need to open port 80 on the firewall so we can connect to our server from a browser:
ufw allow 80
Now let’s reload the Apache configuration to apply our changes.
service apache2 reload
Run the Mautic Configuration Wizard.
Mautic is now ready to be configured. You just need to use a browser, like Chrome or Firefox, and navigate to the IP of your server. For example, if the server’s IP was 220.127.116.11 you would type this in your browser:
http://220.127.116.11 (change the IP to that of your VPS or droplet)
Here’s an excerpt of your configuration for the Mautic Installation Wizard:
- Database driver: MySQL PDO
- Database Host: localhost
- Database port: 3306
- DB name: Mautic
- Database Table Prefix: Leave empty
- DB User: root
- DB Password: password
- Backup existing tables: No
If you need help with the wizard steps, check this other post with step-by-step instructions.
Enable HTTPS with certbot
It’s important to enable secure connections for the users connecting to Mautic from a browser; Certbot is about the simplest way to enable SSL on your server.
Before you can proceed with enabling HTTPS, you need to have a domain enabled for Mautic. So if your domain is called yourdomain.com, you will need to create a subdomain for Mautic, for example: mautic.yourdomain.com. This is usually configured in the control panel of your domain registrar (the website where you purchased your domain). If someone else is doing it for you, just ask them to “Add an A record for mautic.yourdomain.com”; of course, change “yourdomain.com” to your real domain name. They will ask you something like “What’s the IP?” or maybe “Where do I point the record to?” However they formulate the question, the answer is always the IP of your VPS 😉
OK then. Certbot is another automated script that does a lot of work for you: it installs the required certificates and modifies your Apache 2 configuration automatically so you don’t have to. It also runs a verification process that requires port 80 to be open, so that the Open SSL servers can make a request to verify your ownership of the server. During the installation we will want to force SSL redirection, hence we will also need port 443 open.
Since we already opened port 80 earlier, we now open port 443 for secure HTTPS connections.
ufw allow 443
You can verify which ports are open with:
Certbot is not found in the default Ubuntu repositories, so before we can install the packages it needs we first have to add the Certbot repository to your server’s list:
sudo add-apt-repository ppa:certbot/certbot
Since we added a new repo, it’s important to make sure all packages are up to date:
apt update && apt upgrade -y
We can now finally install Certbot for Apache 2:
sudo apt-get install python-certbot-apache
Now let’s launch Certbot’s interactive setup:
certbot --apache -d mautic.yourdomain.com
Now answer the questions and Certbot will take care of the rest…
Once the setup is done, you’ll want to check that automatic renewal of the certificate works:
sudo certbot renew --dry-run
You are good to go: open your browser and try to connect to your Mautic server over HTTPS.
Install the cron jobs.
Mautic is now working and you can navigate to all the sections and explore, but if you want working segments and campaigns you will also need to install the Mautic cron jobs:
Done! Simplest way to install cron jobs, ever…
Got any questions? Stuck on one of the steps? Anything not working as planned?
Don’t hesitate to ask in the comments below!