Flarum is an open-source community software designed to create and manage online forums easily. Built with a sleek, modern interface, Flarum offers a streamlined user experience optimized for performance and simplicity. It is highly customizable through a robust extension system, allowing administrators to tailor their forums to specific needs and preferences. Flarum supports responsive design, ensuring compatibility across various devices and features like real-time notifications, rich media embedding, and seamless moderation tools. Its foundation in PHP and MySQL makes it accessible to a wide range of web hosting environments, appealing to small communities and large organizations seeking an efficient platform for online discussions.
In this tutorial, we will learn how to install Flarum Community Software on a server based on Debian 12.
Prerequisites
A server running Debian 12.
A non-root user with sudo privileges.
A Fully Qualified Domain Name (FQDN) like
flarum.example.com
pointing to your server.Ensure your server has swap storage enabled if you are on a server with 1GB RAM.
Make sure everything is updated.
$ sudo apt update && sudo apt upgrade
TFlarum requires a few essential packages to run. Some of these will already be on your server.
$ sudo apt install curl wget nano software-properties-common dirmngr apt-transport-https ca-certificates lsb-release debian-archive-keyring gnupg2 ufw unzip -y
Step 1 – Configure Firewall
The first step is to configure the firewall. Debian comes with ufw (Uncomplicated Firewall) by default.
Check if the firewall is running.
$ sudo ufw status
You will get the following output.
Status: inactive
Allow SSH port so the firewall doesn’t break the current connection upon enabling it.
$ sudo ufw allow OpenSSH
Allow HTTP and HTTPS ports as well.
$ sudo ufw allow http $ sudo ufw allow https
Enable the Firewall
$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
Check the status of the firewall again.
$ sudo ufw status
You should see a similar output.
Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 80/tcp ALLOW Anywhere 443 ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 80/tcp (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6)
Step 2 – Install Nginx
Debian 12 ships with an older version of Nginx. To install the latest version, you need to download the official Nginx repository.
Import Nginx’s signing key.
$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Add the repository for Nginx’s stable version.
$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ http://nginx.org/packages/debian `lsb_release -cs` nginx" \ | sudo tee /etc/apt/sources.list.d/nginx.list
Update the system repositories.
$ sudo apt update
Install Nginx.
$ sudo apt install nginx
Verify the installation. On Debian systems, the following command will only work with sudo
.
$ sudo nginx -v nginx version: nginx/1.24.0
Start the Nginx server.
$ sudo systemctl start nginx
Check the service status.
$ sudo systemctl status nginx ? nginx.service - nginx - high performance web server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled) Active: active (running) since Thu 2023-11-09 12:08:18 UTC; 1s ago Docs: https://nginx.org/en/docs/ Process: 1957 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS) Main PID: 1958 (nginx) Tasks: 2 (limit: 1107) Memory: 1.7M CPU: 6ms CGroup: /system.slice/nginx.service ??1958 "nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf" ??1959 "nginx: worker process"
Open your server’s IP address in your web browser. You should see the following page which means your server is up and running.
Step 3 – Install PHP
Debian 12 ships with PHP 8.2 by default. You can install it by running the following command.
$ sudo apt install php-cli php-fpm php-mysql php-xml php-gd php-json php-mbstring php-zip php-curl -y
To always stay on the latest version of PHP or if you want to install multiple versions of PHP, add Ondrej’s PHP repository.
First, import Sury’s repo PHP GPG key.
$ sudo curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
Add Ondrej Sury’s PHP repository.
$ sudo sh -c 'echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
Update the system repository list.
$ sudo apt update
Next, install PHP and its extensions required by Flarum.
$ sudo apt install php-cli php-fpm php-mysql php-xml php-gd php-json php-mbstring php-zip php-curl -y
Check if PHP is working correctly.
$ php --version
You should see a similar output.
PHP 8.2.12 (cli) (built: Oct 27 2023 13:00:10) (NTS) Copyright (c) The PHP Group Zend Engine v4.2.12, Copyright (c) Zend Technologies with Zend OPcache v8.2.12, Copyright (c), by Zend Technologies
Step 4 – Install Composer
Composer is a dependency manager for PHP. Flarum needs Composer to install and run various components.
Run the following commands to install Composer. First, we grab the installer, check for the hash to verify it, and then run the installer using the PHP command line. Then, we move the binary to the /usr/local/bin
directory.
$ php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" $ php -r "if (hash_file('sha384', 'composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" $ php composer-setup.php $ php -r "unlink('composer-setup.php');" $ sudo mv composer.phar /usr/local/bin/composer
Check whether the Composer is installed properly.
$ composer --version Composer version 2.6.5 2023-10-06 10:11:52
Step 5 – Install MariaDB
MariaDB is a drop-in replacement for MySQL, which means that the commands to run and operate MariaDB are the same as those for MySQL.
Debian 12 ships with MariaDB 10.11.4 by default, which is a bit outdated. You need to use the official repository to get the latest stable version of MariaDB.
Import MariaDB’s GPG key.
$ sudo curl -o /usr/share/keyrings/mariadb-keyring.pgp 'https://mariadb.org/mariadb_release_signing_key.pgp'
Create MariaDB’s repository file.
$ echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring.pgp] https://deb.mariadb.org/10.11/debian `lsb_release -cs` main" | sudo tee /etc/apt/sources.list.d/mariadb-server.list
Update the system repository list.
$ sudo apt update
Issue the following command to install the MariaDB server.
$ sudo apt install mariadb-server -y
Check if MariaDB is installed correctly.
$ mysql --version
You should see the following output.
mysql Ver 15.1 Distrib 10.11.6-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
You can also use mariadb --version
to check the version.
MariaDB service is already enabled and running. Check its status using the following command.
$ sudo systemctl status mariadb ? mariadb.service - MariaDB 10.11.6 database server Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; preset: enabled) Drop-In: /etc/systemd/system/mariadb.service.d ??migrated-from-my.cnf-settings.conf Active: active (running) since Tue 2023-11-14 08:42:03 UTC; 4min 1s ago Docs: man:mariadbd(8) https://mariadb.com/kb/en/library/systemd/ Process: 74903 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=0/SUCCESS) Process: 74904 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS) Process: 74906 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START_POSITION=$VAR> Process: 74946 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS) Process: 74948 ExecStartPost=/etc/mysql/debian-start (code=exited, status=0/SUCCESS) Main PID: 74935 (mariadbd) Status: "Taking your SQL requests now..." Tasks: 9 (limit: 1107) Memory: 214.9M CPU: 627ms CGroup: /system.slice/mariadb.service ??74935 /usr/sbin/mariadbd
Run the following command to perform default configuration such as giving a root password, removing anonymous users, disallowing root login remotely, and dropping test tables.
$ sudo mariadb-secure-installation
You will be asked for your root password. Since we don’t have any root password set, press the Enter key to proceed.
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and haven't set the root password yet, you should just press enter here. Enter current password for root (enter for none): [PRESS ENTER] OK, successfully used password, moving on...
Next, you will be asked if you want to switch to the unix_socket
plugin. The unix_socket
plugin allows you to log in to MariaDB with your Linux user credentials. Choose n
to skip switching to it since you already have a protected root
account.
Setting the root password or using the unix_socket ensures that nobody can log into the MariaDB root user without the proper authorisation. You already have your root account protected, so you can safely answer 'n'. Switch to unix_socket authentication [Y/n] n ... skipping.
Next, you will be asked if you want to change your root password. On Debian 12, the root account for MariaDB is tied closely to automated system maintenance, so you should not change the configured authentication methods for the account. Doing so would allow a package update to break the database system by removing access to the administrative account. Type n
to proceed.
You already have your root account protected, so you can safely answer 'n'. Change the root password? [Y/n] n ... skipping.
From here on, press y
and then Enter
to accept defaults for all the following questions. This will remove access to anonymous users, test databases, disable remote root login, and load the changes.
By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
That’s it. Next time you want to log in to the MariaDB shell, use the following command.
$ sudo mysql
Enter your Linux root password when prompted.
Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 39 Server version: 10.11.6-MariaDB-1:10.11.6+maria~deb12 mariadb.org binary distribution Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
Press exit
to close the MariaDB shell.
Step 6 – Configure MariaDB
Login to MariaDB shell.
$ sudo mysql
Create a new MySQL database, database user, and password for your Flarum installation.
MariaDB> CREATE DATABASE flarum; MariaDB> CREATE USER 'flarumuser'@'localhost' IDENTIFIED BY 'yourpassword'; MariaDB> GRANT ALL PRIVILEGES ON flarum.* TO 'flarumuser'@'localhost';
Replace flarum
, flarumuser
and yourpassword
with the credentials of your choice. Choose a strong password.
Also, create an administrative user with the same capabilities as the root account.
MariaDB> GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
Flush the privileges to ensure that they are saved in the current session.
MariaDB> FLUSH PRIVILEGES;
Exit the MariaDB shell.
MariaDB> exit
Step 7 – Install Flarum
Create a directory where Flarum will live.
$ sudo mkdir /var/www/flarum -p
Using the -p directive creates parent directories that didn’t exist before.
Change the ownership for the Flarum directory to the currently logged-in Linux user so you can perform commands without using sudo
.
$ sudo chown -R $USER:$USER /var/www/flarum
Navigate to the installation folder.
$ cd /var/www/flarum
Download and Install Flarum using Composer.
$ composer create-project flarum/flarum .
Change the ownership of the Flarum directory to nginx
for the Nginx server.
$ sudo chown -R nginx:nginx /var/www/flarum
Allow write access to the directory.
$ sudo chmod 775 -R /var/www/flarum
From here on, Composer will need sudo permissions to run which is not recommended. You can also change the directory’s group permissions to your Linux user and change them back to nginx after you are done with Composer. This is not an ideal solution as it requires you to perform the same commands repetitively. A more permanent solution is to add your username to the nginx group. Run the following command to add your currently logged-in Linux user to the nginx group.
$ sudo usermod -a -G nginx $USER
To apply the new group membership, log out of the server and back in, or type the following.
su - ${USER}
Step 8 – Install SSL
We need to install Certbot to generate the SSL certificate. You can either install Certbot using Debian’s repository or grab the latest version using the Snapd tool. We will be using the Snapd version.
Debian 12 comes doesn’t come with Snapd installed. Install Snapd package.
$ sudo apt install snapd
Run the following commands to ensure that your version of Snapd is up to date.
$ sudo snap install core && sudo snap refresh core
Install Certbot.
$ sudo snap install --classic certbot
Use the following command to ensure that the Certbot command can be run by creating a symbolic link to the /usr/bin
directory.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Verify if Certbot is functioning correctly.
$ certbot --version certbot 2.7.4
Generate the SSL certificate.
$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m [email protected] -d flarum.example.com
The above command will download a certificate to the /etc/letsencrypt/live/flarum.example.com
directory on your server.
Generate a Diffie-Hellman group certificate.
$ sudo openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
Check the Certbot renewal scheduler service.
$ sudo systemctl list-timers
You will find snap.certbot.renew.service
as one of the services scheduled to run.
NEXT LEFT LAST PASSED UNIT ACTIVATES --------------------------------------------------------------------------------------------------------------------------- Tue 2023-11-14 15:39:00 UTC 24min left Tue 2023-11-14 15:09:02 UTC 5min ago phpsessionclean.timer phpsessionclean.service Tue 2023-11-14 17:33:00 UTC 2h 18min left - - snap.certbot.renew.timer snap.certbot.renew.service Tue 2023-11-14 19:03:30 UTC 3h 49min left Tue 2023-11-14 15:12:10 UTC 1min 58s ago apt-daily.timer apt-daily.service
Do a dry run of the process to check whether the SSL renewal is working fine.
$ sudo certbot renew --dry-run
If you see no errors, you are all set. Your certificate will renew automatically.
Step 9 – Configure PHP-FPM
Open the file /etc/php/8.2/fpm/pool.d/www.conf
.
$ sudo nano /etc/php/8.2/fpm/pool.d/www.conf
We need to set the Unix user/group of PHP processes to nginx. Find the user=www-data
and group=www-data
lines in the file and change them to nginx
.
; Unix user/group of the child processes. This can be used only if the master ; process running user is root. It is set after the child process is created. ; The user and group can be specified either by their name or by their numeric ; IDs. ; Note: If the user is root, the executable needs to be started with ; --allow-to-run-as-root option to work. ; Default Values: The user is set to master process running user by default. ; If the group is not set, the user's group is used. user = nginx group = nginx ...
Find the listen.owner = www-data
and listen.group = www-data
lines in the file and change them to nginx
.
; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. The owner ; and group can be specified either by name or by their numeric IDs. ; Default Values: Owner is set to the master process running user. If the group ; is not set, the owner's group is used. Mode is set to 0660. listen.owner = nginx listen.group = nginx
Save the file by pressing Ctrl + X and entering Y when prompted.
Increase the file upload size to 8 MB.
$ sudo sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 8M/' /etc/php/8.2/fpm/php.ini
Restart the PHP-FPM service.
$ sudo systemctl restart php8.2-fpm
Change the group of the PHP sessions directory to Nginx.
$ sudo chgrp -R nginx /var/lib/php/sessions
Step 10 – Configure Nginx
Run the following command to add a configuration file for your site.
$ sudo nano /etc/nginx/conf.d/flarum.conf
Paste the following code in the editor.
server { listen [::]:80; listen 80; server_name flarum.example.com; # redirect http to https return 301 https://flarum.example.com$request_uri; } server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name flarum.example.com; access_log /var/log/nginx/flarum.access.log; error_log /var/log/nginx/flarum.error.log; root /var/www/flarum/public; index index.php; include /var/www/flarum/.nginx.conf; client_max_body_size 8M; if ($host != "flarum.example.com") { return 301 $scheme://flarum.example.com$request_uri; } # SSL code ssl_certificate /etc/letsencrypt/live/flarum.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/flarum.example.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/flarum.example.com/chain.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; ssl_dhparam /etc/ssl/certs/dhparam.pem; resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=60s; resolver_timeout 2s; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; tcp_nopush on; types_hash_max_size 2048; location ~ \.php$ { fastcgi_pass unix:/run/php/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; include fastcgi_params; } }
This file assumes that we will be hosting example.com
in the directory /var/www/flarum/public
. Flarum ships with some default Nginx settings in the /var/www/flarum/.nginx.conf
file which we have included in our Nginx configuration.
Once finished, press Ctrl + X to close the editor and press Y when prompted to save the file.
Open the file /etc/nginx/nginx.conf
for editing.
$ sudo nano /etc/nginx/nginx.conf
Add the following line before the line include /etc/nginx/conf.d/*.conf;
.
server_names_hash_bucket_size 64;
Save the file by pressing Ctrl + X and entering Y when prompted. Test the Nginx configuration.
$ sudo nginx -t
You should see the following output indicating your configuration is correct.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload the Nginx service.
$ sudo systemctl reload nginx
Step 11 – Access and Complete Flarum Install
Open http://example.com
in your browser to complete the installation.
Fill in the required database values we created above. You can leave the Table Prefix entry blank to allow Flarum to use the default prefix or you can enter any custom prefix like fla_
. Choose a username, strong password, and email ID to install Flarum.
Click the Install Flarum button to finish the installation.
Once installed, you should be greeted with the default Flarum homepage.
Your forum is now installed and ready for use.
Enable 2FA
Two-factor authentication is an essential feature for any public forum. Flarum doesn’t ship with the feature natively but you can enable it by installing an extension for the same. The extension for the same is available via Extiverse. Extiverse is an unofficial repository of Flarum themes and plugins.
To install the plugin, first, switch to the Flarum directory.
$ cd /var/www/flarum
Install the plugin using Composer.
$ composer require ianm/twofactor:"*"
The next step is to enable the plugin from the Flarum administration panel. Click your name on the top right of the homepage and click on the Administration link from the drop-down menu.
You will be taken to the administration dashboard. Select the 2FA feature from the left menu and turn it on. You don’t need to change anything as the default settings should work fine.
If you want moderators on the forum to have 2FA enabled, click the Mods button and enable the 2FA required setting. Click the Save Changes button to finish.
To enable 2FA for your account, open your settings page from the top right menu on the forum homepage. Open the Security page by selecting from the left sidebar.
Click the Enable 2FA button and the following popup will open.
Scan the QR code or choose the manual option using your 2FA app and enter the code generated in the box. Click the Verify button when finished. You will be shown backup codes. Save them and click the button to proceed.
You will be asked for confirmation again. Click the Ok button to proceed. The process is now complete.
Configure Email Settings
You will also need to configure mail settings from the Administration panel. Flarum supports Mailgun SMTP service natively or you can use an external SMTP provider.
We are using Amazon SES service for which we have selected smtp from the email driver drop-down menu on the email page. Click the Save Changes button and then click the Send button to send a test email. The page will notify if the mail was sent successfully. You should get the following mail.
If you want to use Mailgun, choose mailgun from the drop-down menu. Fill in the required fields, and save the settings.
Before sending a test mail, you must install a composer package to make it work. Switch to the Flarum directory on the server.
$ cd /var/www/flarum
Install the composer package.
$ composer require guzzlehttp/guzzle:^7.0
Send a test mail to verify.
Conclusion
This concludes our tutorial on installing the Flarum Community forum software on a Debian 12 server. If you have any queries or feedback, shoot them in the comments below.