Here is another AWS EC2 configuration, this time on Amazon Linux 2 (derived from Fedora 23/24), with multiple nginx virtual servers and SSL/TLS using free Let’s Encrypt certificates and Certbot. For this I spin up an Amazon Linux 2 AMI and connect to it over SSH from a PuTTY terminal as ec2-user with the private key.

sudo -i
yum update -y
# install nginx from the amazon linux extras repo
amazon-linux-extras install nginx1.12
# auto start nginx
chkconfig nginx on
# add ec2-user to the root and nginx groups (root group membership is what
# lets ec2-user edit the files made group-writable with chmod 664 below)
usermod -a -G root ec2-user
usermod -a -G nginx ec2-user
# give root group write permissions to nginx conf file
chmod 664 /etc/nginx/nginx.conf
# create directory for nginx domain configs
mkdir -p /www/nginx-conf/domains
chmod -R 2775 /www

Modify the /etc/nginx/nginx.conf file to include the following line at the bottom of the http section. The default server section can also be removed.

# add to the bottom of the http section of the /etc/nginx/nginx.conf file
include /www/nginx-conf/domains/*.conf;

Now create an example_com.conf file in /www/nginx-conf/domains/ for each domain. (Replace example.com with your domain.)

# save as /www/nginx-conf/domains/example_com.conf file
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # send www.example.com to example.com, keeping the scheme and request URI
    return 302 $scheme://example.com$request_uri;
}

server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    root /www/html/example.com;
    # global_restrictions.conf is not shown on this page; create it before
    # starting nginx or drop the include, since nginx refuses to start when
    # an included file is missing
    include /www/nginx-conf/global_restrictions.conf;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        try_files $uri $uri/ /index.php?$args;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /www/html/example.com$fastcgi_script_name;
        include fastcgi_params;
    }
}
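The virtual server above answers on plain HTTP and HTTPS alike and passes any path ending in .php to PHP-FPM. As an added example (not code from the original post), the script below generates a per-domain config in the same /www/nginx-conf/domains/ layout, but with HTTP redirected to HTTPS, www redirected to the apex name, HSTS, and a PHP location that refuses paths not present on disk. Certificate paths follow the Certbot layout used above; the VHOST_DIR variable, header values and function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-domain nginx
# config in the layout used above (/www/nginx-conf/domains/<domain>.conf),
# but with plain HTTP redirected to HTTPS, www redirected to the apex name,
# HSTS, and the PHP location refusing paths that do not exist on disk.
# Certificate paths follow the certbot layout above; the output directory,
# header values and function names are this example's own choices.

# Print a server config for the apex DOMAIN with WEBROOT as document root.
# Nginx variables are escaped (\$) so the shell leaves them for nginx.
gen_vhost() {
  domain="$1"
  webroot="$2"
  cat <<EOF
# Plain HTTP for both names: everything goes to HTTPS on the apex name.
server {
    listen 80;
    server_name ${domain} www.${domain};
    return 301 https://${domain}\$request_uri;
}

# HTTPS for the www name: redirect to the apex name, keeping the URI.
server {
    listen 443 ssl http2;
    server_name www.${domain};
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    return 301 https://${domain}\$request_uri;
}

# HTTPS for the apex name: the site itself.
server {
    listen 443 ssl http2;
    server_name ${domain};
    root ${webroot};
    index index.php index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    # TLSv1.2 only: nginx 1.12 from amazon-linux-extras predates TLSv1.3
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # browsers remember to use HTTPS for this host for 180 days
    add_header Strict-Transport-Security "max-age=15552000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \.php\$ {
        # Only pass files that exist to PHP-FPM. With cgi.fix_pathinfo on,
        # /uploads/avatar.jpg/x.php would otherwise run avatar.jpg as PHP.
        try_files \$uri =404;
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
}
EOF
}

# Write the config for DOMAIN to the domains directory (example_com.conf
# naming as above). VHOST_DIR can override the directory, e.g. for a dry run.
write_vhost() {
  dir="${VHOST_DIR:-/www/nginx-conf/domains}"
  file="$dir/$(printf '%s' "$1" | tr . _).conf"
  gen_vhost "$1" "$2" > "$file" && echo "$file"
}

# Check a config read from stdin for the three hardening lines; print what
# is missing and return 1 if any are absent. Works on existing files too:
#   check_vhost < /www/nginx-conf/domains/example_com.conf
check_vhost() {
  conf=$(cat)
  rc=0
  for needle in 'return 301 https://' 'Strict-Transport-Security' 'try_files $uri =404;'; do
    case "$conf" in
      *"$needle"*) ;;
      *) echo "missing: $needle"; rc=1 ;;
    esac
  done
  return $rc
}
```

Usage: `write_vhost example.com /www/html/example.com`, then `nginx -t` before reloading, since a typo in any included file stops nginx from starting. The `try_files $uri =404;` line in the PHP location matters most on a WordPress host with user uploads: cgi.fix_pathinfo (a php.ini setting) is on by default, and without that line a request for an uploaded image with a trailing /x.php can be handed to PHP-FPM.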

INSTALL SSL/TLS

Create a CertBot conf file for each domain.

# save as /www/letsencrypt/example_com.conf file

# domains to retrieve certificate
domains = example.com,www.example.com

# increase key size
rsa-key-size = 4096

# the CA endpoint server (the ACME v1 endpoint used here has since been
# retired by Let's Encrypt; current certbot releases default to the v2
# endpoint, https://acme-v02.api.letsencrypt.org/directory)
server = https://acme-v01.api.letsencrypt.org/directory

# the email address that receives expiry reminders
email = letsencrypt@example.com

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

Now install Certbot for Let’s Encrypt certificates from the EPEL repository.

# download, install, and enable EPEL
wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
yum-config-manager --enable epel*
yum repolist all

# install certbot
yum install certbot

# run certbot for each domain
certbot --standalone --config /www/letsencrypt/example_com.conf certonly

# allow write to cron file
chmod 664 /etc/crontab

Add the following line to the /etc/crontab file. It runs the Certbot certificate renewal every day at 8am. By default Let’s Encrypt certificates last 90 days and must be renewed.

0 8 * * * root certbot renew --no-self-upgrade
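One thing the cron line above does not handle: `certbot --standalone` opens port 80 itself to answer the ACME http-01 challenge, so once nginx is listening on port 80 the daily `certbot renew` fails at the moment a certificate is actually due. As an added example (not from the original post), the wrapper below uses Certbot's pre/post hooks to stop and start nginx around a renewal attempt (Certbot runs these hooks only when a certificate is due), and adds a check of how many days a deployed certificate has left so a silently failing renewal is noticed. The script path /usr/local/sbin/renew-certs.sh, the log path and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the daily cron
# job. "certbot --standalone" opens port 80 itself to answer the ACME
# http-01 challenge, so once nginx is running on :80 a bare "certbot renew"
# fails at renewal time. The pre/post hooks free the port only when a
# certificate is actually due (certbot runs hooks only then). The script
# path, log path and the expiry helper are this example's own choices.
set -u

LOG="${RENEW_LOG:-/var/log/letsencrypt/renew-cron.log}"
NGINX_SVC="${NGINX_SVC:-nginx}"

# The certbot command line, built in a function so it can be inspected
# without certbot installed. --non-interactive makes a failure exit
# non-zero instead of waiting for input inside cron.
renew_cmd() {
  printf '%s' "certbot renew --no-self-upgrade --non-interactive" \
    " --pre-hook 'systemctl stop $NGINX_SVC'" \
    " --post-hook 'systemctl start $NGINX_SVC'"
}

# The /etc/crontab line (system crontab, so it carries the user field).
cron_entry() {
  printf '%s\n' "0 8 * * * root /usr/local/sbin/renew-certs.sh"
}

# Whole days until expiry, from the 'notAfter=...' line that
#   openssl x509 -noout -enddate -in /etc/letsencrypt/live/example.com/fullchain.pem
# prints, and an optional reference epoch (defaults to now). Uses GNU date.
days_until_expiry() {
  not_after="${1#notAfter=}"
  now="${2:-$(date +%s)}"
  expiry=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (expiry - now) / 86400 ))
}

# Return 1 when a deployed certificate has less than 14 days left: Let's
# Encrypt renewal normally happens at 30 days remaining, so anything under
# 14 means the cron renewal has been failing for a while.
check_deployed() {
  pem="$1"
  left=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$pem")") || return 2
  if [ "$left" -lt 14 ]; then
    echo "$pem expires in $left days; renewal is not working" >&2
    return 1
  fi
  echo "$pem: $left days left"
}

# Perform the renewal only when installed and invoked as renew-certs.sh,
# so sourcing this file for the helper functions has no side effects.
case "${0##*/}" in
  renew-certs.sh)
    eval "$(renew_cmd)" >>"$LOG" 2>&1 || echo "certbot renew failed, see $LOG" >&2
    ;;
esac
```

Install it as /usr/local/sbin/renew-certs.sh (mode 0700, owned by root) and point the crontab entry at it instead of calling certbot directly; `check_deployed /etc/letsencrypt/live/example.com/fullchain.pem` from a second cron line turns a broken renewal into a non-zero exit that cron mails to root.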

INSTALL PHP and MYSQL/MariaDB

Since this server only serves nginx and Node, I will not install the Apache httpd server. PHP and MariaDB also install from the Amazon Linux extras repo.

# install php and mysql/mariadb
amazon-linux-extras install lamp-mariadb10.2-php7.2
yum install -y php mariadb-server php-mysqlnd
# php modules (gd needed for WordPress)
yum install php-pear php-gd php-mbstring
# modify the MariaDB config file to allow remote connections
chmod 0664 /etc/my.cnf.d/mariadb-server.cnf
# uncomment the following line in the mariadb-server.cnf file
# (0.0.0.0 listens on every interface, so the EC2 security group must limit
# port 3306 to the hosts that need it)
bind-address=0.0.0.0
# start the mariadb server
systemctl start mariadb
# follow the prompts to create a root password and remove anon access
mysql_secure_installation
# set MariaDB to autostart
systemctl enable mariadb
# create the web root and a test php script (remove phpinfo.php once PHP is
# verified; it discloses the server configuration to anyone who can fetch it)
mkdir -p /www/html/example.com
echo "<?php phpinfo(); ?>" > /www/html/example.com/phpinfo.php

# modify php config file
chmod 0664 /etc/php-fpm.d/www.conf

Modify the following lines within the /etc/php-fpm.d/www.conf file.

user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
listen.mode = 0664

Next, log in locally to the MariaDB server to create a remote-access user.

# login locally to the mysql server
mysql -u root -p mysql
# enter the root password, then run the following commands to create a remote access user and password
# ('%' matches any source host, and ALL PRIVILEGES ON *.* WITH GRANT OPTION is full
# administrative control, so pair this with a security group that limits port 3306)
CREATE USER 'remoteuser'@'localhost' IDENTIFIED BY 'remotepassword';
CREATE USER 'remoteuser'@'%' IDENTIFIED BY 'remotepassword';
GRANT ALL PRIVILEGES ON *.* to remoteuser@localhost IDENTIFIED BY 'remotepassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* to remoteuser@'%' IDENTIFIED BY 'remotepassword' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
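The account created above is a full administrator reachable from any host, which is more than a web application needs. As an added example (not from the original post), the script below emits the SQL for a least-privilege application account limited to one database and one source network, and includes a small check that flags all-database, any-host or GRANT OPTION entries in `SHOW GRANTS` output. The database name app_db, user app_user, host pattern 10.0.1.% and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: emit the SQL for a
# least-privilege application account (one database, one source network,
# no GRANT OPTION) instead of the all-databases, any-host administrator
# above, and a small check that flags such grants in "SHOW GRANTS" output.
# Database, user, host pattern and password values here are constructed.

# Print CREATE USER / GRANT statements for DB, USER and a source HOST
# pattern such as '10.0.1.%'. The password comes from the DB_PASS
# environment variable so it stays out of shell history and `ps`.
gen_app_user_sql() {
  db="$1"; user="$2"; host="$3"
  : "${DB_PASS:?set DB_PASS in the environment}"
  # a single quote would break out of the SQL string literal
  case "$DB_PASS" in
    *\'*) echo "DB_PASS must not contain a single quote" >&2; return 1 ;;
  esac
  cat <<EOF
CREATE USER '${user}'@'${host}' IDENTIFIED BY '${DB_PASS}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Apply it:  DB_PASS='...' gen_app_user_sql app_db app_user '10.0.1.%' | mysql -u root -p

# Read "SHOW GRANTS FOR ..." output on stdin and print every grant that
# covers all databases from any host, or that carries GRANT OPTION.
# Returns 1 when at least one such grant was seen, so it can gate a check:
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'remoteuser'@'%'" | audit_grants
audit_grants() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *"ON *.*"*"@'%'"*|*"WITH GRANT OPTION"*)
        echo "risky: $line"
        found=1 ;;
    esac
  done
  return $found
}
```

Run `audit_grants` against each account from `SELECT user, host FROM mysql.user` after setup; the remoteuser@'%' grant from the commands above is exactly what it reports, and the application account it generates is not.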

# Finally start the nginx server
service nginx start

That’s All!
