Todd Rodzen

Agile Application Development, DevOps, Cloud Architecture Engineering

Tag: PHP

Yet another UBUNTU EC2 server config

Here is another Linux (Ubuntu) AWS EC2 configuration: multiple nginx virtual servers with TLS from free Let's Encrypt certificates obtained by Certbot. For this I spin up an Amazon Ubuntu 16.04 LTS AMI and connect with PuTTY over SSH as the ubuntu user, authenticating with the key pair's private key. (16.04 left standard support in April 2021; the same steps work on a current LTS if you adjust the PHP version in the package names and the PHP-FPM socket path below.)

sudo -i
apt update
apt upgrade -y
# install nginx (the original list skipped this step) and start it on boot
apt install -y nginx
systemctl enable nginx.service
# add ubuntu to the root and www-data groups
# NOTE: root-group membership plus the group-writable config files below makes
# the ubuntu account effectively root; a dedicated group (see the www group
# method in the LAMP post further down) is the least-privilege option
usermod -a -G root ubuntu
usermod -a -G www-data ubuntu
# give the root group write permission on the nginx conf file
chmod 664 /etc/nginx/nginx.conf
# create directory for nginx domain configs (setgid so new files keep the group)
mkdir -p /www/nginx-conf/domains
chmod -R 2775 /www

Modify /etc/nginx/nginx.conf to include the following line at the bottom of the http section. On Ubuntu the default server lives in /etc/nginx/sites-enabled/default, pulled in by the include /etc/nginx/sites-enabled/*; line in the same section; remove that symlink so it does not compete for port 80.

# add to the bottom of the http section of /etc/nginx/nginx.conf
include /www/nginx-conf/domains/*.conf;

Now create an example_com.conf file in /www/nginx-conf/domains/ for each domain (replace example.com with your domain). The www name is redirected to the bare domain, and plain HTTP is redirected to HTTPS with a 301, which browsers cache. nginx will not start while the certificate files referenced here are missing, which is why nginx is only started at the very end of this post, after Certbot has issued the certificate.

# save as /www/nginx-conf/domains/example_com.conf file
# www.example.com -> example.com, on both plain HTTP and HTTPS
server {
 listen 80;
 listen 443 ssl;
 server_name www.example.com;
 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
 return 301 https://example.com$request_uri;
}

# plain HTTP on the bare domain -> HTTPS
server {
 listen 80;
 server_name example.com;
 return 301 https://example.com$request_uri;
}

server {
 listen 443 ssl;
 server_name example.com;
 root /www/html/example.com;
 # global_restrictions.conf is not shown in this post: create it (or drop this
 # include) before starting nginx, since a missing include file fails nginx -t
 include /www/nginx-conf/global_restrictions.conf;
 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

 location / {
  try_files $uri $uri/ /index.php?$args;
  index index.php index.html index.htm;
 }
 location ~ \.php$ {
  # snippets/fastcgi-php.conf (from the Ubuntu nginx package) returns 404 for
  # scripts that do not exist on disk before handing the request to PHP-FPM
  include snippets/fastcgi-php.conf;
  fastcgi_pass unix:/run/php/php7.0-fpm.sock;
 }
}

INSTALL SSL/TLS

Create the /www/letsencrypt directory (mkdir -p /www/letsencrypt) and a Certbot configuration file in it for each domain.

# save as /www/letsencrypt/example_com.conf file

# domains to put on the certificate (the first one names the /etc/letsencrypt/live/ directory)
domains = example.com,www.example.com

# increase key size
rsa-key-size = 4096

# the CA endpoint; the ACME v1 endpoint has been switched off, use v2
server = https://acme-v02.api.letsencrypt.org/directory

# the email that receives expiry warnings
email = letsencrypt@example.com

# non-interactive: no ncurses UI and no terms-of-service prompt, so it can run from cron
text = True
agree-tos = True

Now install Certbot from the certbot PPA (not EPEL, which is the RHEL/CentOS repository). That PPA has since been retired; on current Ubuntu releases Certbot's own instructions use the snap package, and the distribution's apt certbot package also works.

# install certbot
add-apt-repository ppa:certbot/certbot
apt update
apt upgrade
apt install python-certbot-nginx
# run certbot for each domain; --standalone binds port 80 itself, so nginx must not be running yet
certbot --standalone --config /www/letsencrypt/example_com.conf certonly

# allow write to cron file (root-group members can now edit root's crontab; see the root-group caveat above)
chmod 664 /etc/crontab

Add the following line to the /etc/crontab file. It runs the Certbot renewal check every day at 8am; Let's Encrypt certificates last 90 days and Certbot only renews those within 30 days of expiry, so a daily run is cheap. Two things to know before relying on it: the Ubuntu certbot package already installs /etc/cron.d/certbot (and a certbot.timer) that runs certbot -q renew twice a day, so this entry duplicates it; and because the certificate was obtained with --standalone, renewal will try to bind port 80 while nginx holds it and fail unless nginx is stopped around the run, hence the hooks. (The --no-self-upgrade flag only applies to the certbot-auto wrapper script, not to the packaged certbot.)

0 8 * * * root certbot renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
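Added example, not code from the original post: a POSIX shell script that generates the per-domain nginx file described above and obtains the certificate in an order that works with the certificate paths the config references. It renders an HTTP-only vhost first (so nginx can start before the certificate files exist), requests the certificate with Certbot's webroot authenticator (so renewals keep working while nginx holds port 80, unlike --standalone), then renders the full HTTPS vhost: HTTP-to-HTTPS and www-to-apex redirects, TLS 1.2 only, HSTS, dotfile blocking, and a PHP location that refuses paths that do not exist on disk. The domain is validated before it reaches the config file or the certbot command line. The /www/letsencrypt/webroot challenge directory, the hostmaster@ contact address and the function names are assumptions for illustration; the domains directory, the example_com.conf naming and the PHP-FPM socket come from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: /www/letsencrypt/webroot
# holds ACME challenges and hostmaster@<domain> is the Let's Encrypt contact.
set -eu

DOMAINS_DIR=${DOMAINS_DIR:-/www/nginx-conf/domains}
ACME_WEBROOT=${ACME_WEBROOT:-/www/letsencrypt/webroot}
PHP_SOCK=${PHP_SOCK:-/run/php/php7.0-fpm.sock}

# Only a plain DNS name may reach the config file or the certbot command line:
# letters, digits, dots, hyphens; at least one dot; no leading/trailing dot or
# hyphen; no empty label.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# render_vhost DOMAIN [http|full]: print the vhost to stdout. "http" emits only
# the port-80 server, which is all nginx can load before the certificate exists.
# nginx's own $variables are backslash-escaped so the heredoc leaves them alone.
render_vhost() {
    dom=$1; mode=${2:-full}
    valid_domain "$dom" || { echo "render_vhost: bad domain '$dom'" >&2; return 1; }
    cat <<EOF
# generated for $dom: ACME challenges stay on plain HTTP, everything else -> HTTPS
server {
    listen 80;
    server_name $dom www.$dom;
    location ^~ /.well-known/acme-challenge/ {
        root $ACME_WEBROOT;
        default_type text/plain;
    }
    location / {
        return 301 https://$dom\$request_uri;
    }
}
EOF
    [ "$mode" = http ] && return 0
    cat <<EOF

# www over TLS (the certificate covers it) redirects to the apex
server {
    listen 443 ssl;
    server_name www.$dom;
    ssl_certificate /etc/letsencrypt/live/$dom/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$dom/privkey.pem;
    return 301 https://$dom\$request_uri;
}

server {
    listen 443 ssl;
    server_name $dom;
    root /www/html/$dom;
    index index.php index.html;
    ssl_certificate /etc/letsencrypt/live/$dom/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$dom/privkey.pem;
    # nginx 1.10 on Ubuntu 16.04 accepts TLSv1.2 at most; add TLSv1.3 on newer builds
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    # raise max-age once every host on the domain is confirmed to work over HTTPS
    add_header Strict-Transport-Security "max-age=300" always;
    # never serve dotfiles (.git, .env, .htpasswd, ...)
    location ~ /\\. { deny all; }
    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
    location ~ \\.php\$ {
        # hand PHP-FPM only scripts that exist on disk, so an upload named
        # image.jpg/x.php cannot be executed through cgi.fix_pathinfo
        try_files \$uri =404;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:$PHP_SOCK;
    }
}
EOF
}

# install_vhost DOMAIN: HTTP-only vhost first, certificate via the webroot
# authenticator (renewals then work while nginx holds port 80), then the full
# vhost. --deploy-hook is saved in the renewal config, so later "certbot renew"
# runs reload nginx on their own.
install_vhost() {
    dom=$1
    conf="$DOMAINS_DIR/$(printf '%s' "$dom" | tr . _).conf"
    mkdir -p "$DOMAINS_DIR" "$ACME_WEBROOT" "/www/html/$dom"
    render_vhost "$dom" http > "$conf"
    nginx -t && systemctl reload nginx
    certbot certonly --webroot -w "$ACME_WEBROOT" -d "$dom" -d "www.$dom" \
        -n --agree-tos -m "hostmaster@$dom" --deploy-hook 'systemctl reload nginx'
    render_vhost "$dom" full > "$conf"
    nginx -t && systemctl reload nginx
}

# usage: sh vhost.sh example.com   (as root, with nginx and certbot installed)
case $# in 1) install_vhost "$1" ;; esac
```

Run it once per domain after nginx and Certbot are installed. Because the certificate is issued with the webroot authenticator, the packaged certbot timer renews it without any crontab entry or nginx stop/start hooks; the deploy hook reloads nginx so the new certificate is picked up.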

INSTALL PHP and MYSQL/MariaDB

Since this server only serves nginx and Node I will not install the Apache httpd server. On Ubuntu that means installing php-fpm rather than the php metapackage, which depends on libapache2-mod-php and drags Apache in; php-fpm also provides the /run/php/php7.0-fpm.sock socket the nginx config above points at. (The packages come from the standard Ubuntu repositories, not the Amazon Linux extras repo.)

# install php-fpm, mysql/mariadb, and the php mysql driver (php-mysql on Ubuntu; php-mysqlnd is the yum name)
apt install -y php-fpm php-mysql mariadb-server
# php modules (gd needed for WordPress, zip needed for phplist plugins)
apt install -y php-pear php-gd php-mbstring php-zip
# modify the mariaDB config file to allow a remote bind
chmod 0664 /etc/mysql/mariadb.conf.d/50-server.cnf
# change the following line in the 50-server.cnf file. 0.0.0.0 listens on every
# interface; prefer the instance's private IP, and in any case keep port 3306
# closed in the security group except to the hosts that need it
bind-address=0.0.0.0
# restart the mariadb mysql server
systemctl restart mysql.service
# follow the prompts to create a root password and remove anon access
mysql_secure_installation
# set MariaDB to autostart
systemctl enable mysql.service
# create the document root and a test php script; delete phpinfo.php once
# tested, it lists versions, paths and loaded modules to anyone who requests it
mkdir -p /www/html/example.com
echo "<?php phpinfo(); ?>" > /www/html/example.com/phpinfo.php

Next log in locally to the MySQL server to create a remote access user. Note that ALL PRIVILEGES ON *.* WITH GRANT OPTION for '%' is a full administrator reachable from any host that can reach port 3306, so pair it with a security group rule that limits the source, or better, scope the grant to the application's database and source network.

# login locally to the mysql server
mysql -u root -p mysql
# enter the root password and the following commands to create a remote access user and password
CREATE USER 'remoteuser'@'localhost' IDENTIFIED BY 'remotepassword';
CREATE USER 'remoteuser'@'%' IDENTIFIED BY 'remotepassword';
-- the IDENTIFIED BY clause on GRANT is redundant after CREATE USER
GRANT ALL PRIVILEGES ON *.* TO 'remoteuser'@'localhost' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'remoteuser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EXIT;
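Added example, not part of the original post: a POSIX shell helper that creates the remote user with the narrowest grant that still serves an application: one database, data-manipulation rights only, no GRANT OPTION, and a source restricted to the application's subnet (MariaDB accepts host patterns such as 10.0.1.% or 10.0.1.0/255.255.255.0). It validates the names before they are quoted, escapes the password before it lands in the SQL literal, and reads the password from a root-only file rather than the command line, where -pPASSWORD would show up in ps output and shell history. The app_db and appuser names, the 10.0.1.% network and the /root/.db_app_password file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: app_db, appuser,
# the 10.0.1.% source network and /root/.db_app_password (mode 0600).
set -eu

# Escape a value for a single-quoted MySQL string literal: backslash first,
# then the quote itself.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Database and user names: letters, digits and underscore only, so the
# backtick/quote wrapping below cannot be broken out of.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# MySQL host part: a hostname, an IP, 10.0.1.% or 10.0.1.0/255.255.255.0.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.%/_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_grants DB USER HOST PASSWORD: print the SQL to stdout.
render_grants() {
    db=$1; user=$2; host=$3
    valid_ident "$db" && valid_ident "$user" && valid_host "$host" || {
        echo "render_grants: rejected identifier" >&2; return 1; }
    pw=$(sql_escape "$4")
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pw';
-- data access on one schema only; nothing administrative, no reach into other schemas
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# apply_grants DB USER HOST: read the password from a root-only file and feed
# the statements to a local root session (mysql -p prompts on the terminal,
# so the password never appears on a command line).
apply_grants() {
    pw=$(cat "${DB_PASSWORD_FILE:-/root/.db_app_password}")
    render_grants "$1" "$2" "$3" "$pw" | mysql -u root -p
}

# usage: sh dbuser.sh app_db appuser '10.0.1.%'
case $# in 3) apply_grants "$1" "$2" "$3" ;; esac
```

The grant still has to be matched by a security group rule that allows 3306 only from the same subnet; MySQL's host check and the network ACL are independent controls, and the second one also protects the root account.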

# Finally check the config and start the nginx server (php7.0-fpm was started by its package install)
nginx -t && systemctl start nginx.service

That’s All!

AMI Build All-in-One

Full build process

  1. Create an EC2 Linux Instance base – Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type – ami-0b33d91d
  2. Install the LAMP stack with the default Apache port set to 8080, as it will sit behind an Nginx reverse proxy on the same instance (Apache 2.4, MySQL, PHP 7.0)
  3. Install the MEAN Stack
  4. Install Nginx Reverse Proxy Server
  5. Install ColdFusion 2016 update 3 Server

The server is setup and available for Free with a service contract from GTK Solutions.

LAMP on Linux Amazon EC2

As you recall, in the recent post Create an EC2 Linux Server I used the standard Amazon Linux AMI image to create an EC2 server. Now let's get it to host some things.

  1. The first step is to update the initial set of packages. Type
     sudo yum update
  2. At the prompt, answer yes:
    Is this ok [y/d/N]: y
  3. sudo is the command to "run as root user". It gets old typing sudo all the time, so switch to a root shell with the following command:
    sudo -i
  4. Install the http server, PHP, and the MySQL server and driver
    yum install -y httpd24 php70 mysql56-server php70-mysqlnd
  5. Use the chkconfig command to configure the Apache web server to start at each system boot.
    chkconfig httpd on

    Tip

    The chkconfig command does not provide any confirmation message when you successfully enable a service. You can verify that httpd is on by running the following command.

    chkconfig --list httpd
    httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

    Here, httpd is on in runlevels 2, 3, 4, and 5 (which is what you want to see).

  6. To allow ec2-user to manipulate all files, the quick way is to add ec2-user to the root group and then add group write permission wherever write access is needed later. Be aware that this is root-equivalent access: anyone who gets a shell as ec2-user can edit any file the root group may write, including the httpd.conf this post opens up below.
    sudo usermod -a -G root ec2-user
  7. Amazon uses a different method, a dedicated www group. My root-group method is simpler but less secure; the www group method, which comes from Amazon's LAMP guide, is described below. To allow ec2-user to manipulate files in the /var/www directory, you need to modify the ownership and permissions of the directory and files. There are many ways to accomplish this task; in this tutorial, you add a www group to your instance, give that group ownership of the /var/www directory and add write permissions for the group. Any member of that group can then add, delete, and modify files for the web server.

    To set file permissions

    1. Add the www group to your instance.
      [ec2-user ~]$ sudo groupadd www
    2. Add your user (in this case, ec2-user) to the www group.
      [ec2-user ~]$ sudo usermod -a -G www ec2-user

      Important

      You need to log out and log back in to pick up the new group. You can use the exit command, or close the terminal window.

    3. Log out and then log back in again, and verify your membership in the www group.
      1. Log out.
        [ec2-user ~]$ exit
      2. Reconnect to your instance, and then run the following command to verify your membership in the www group.
        [ec2-user ~]$ groups
        ec2-user wheel www
    4. Change the group ownership of /var/www and its contents to the www group.
      [ec2-user ~]$ sudo chown -R root:www /var/www
    5. Change the directory permissions of /var/www and its subdirectories to add group write permissions and to set the group ID on future subdirectories.
      [ec2-user ~]$ sudo chmod 2775 /var/www
      [ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} \;
    6. Recursively change the file permissions of /var/www and its subdirectories to add group write permissions.
      [ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;

    Now ec2-user (and any future members of the www group) can add, delete, and edit files in the Apache document root. Now you are ready to add content, such as a static website or a PHP application.

  8. Create a PHP test file in the www server document root (delete it once you have seen it work; it discloses versions, paths and loaded modules to anyone who requests it)
    echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
  9. Give the root group write permission on the Apache server config file so it can be edited (same root-equivalence caveat as step 6)
    chmod 664 /etc/httpd/conf/httpd.conf

    or using Amazon’s method:

  10. sudo chown -R root:www /etc/httpd/conf
    sudo chmod 2775 /etc/httpd/conf
    find /etc/httpd/conf -type d -exec sudo chmod 2775 {} \;
    find /etc/httpd/conf -type f -exec sudo chmod 0664 {} \;
  11. Using FileZilla or WinSCP, open an SCP connection to the server, navigate to the Apache config directory /etc/httpd/conf and edit the httpd.conf file. Add the virtual host directives to the bottom of the file:
     <VirtualHost *:80>
     # This first-listed virtual host is also the default for *:80
     #ServerName www.mydomain.com
     DocumentRoot "/var/www/html"
     </VirtualHost>

     #<VirtualHost *:80>
     # ServerName www.mydomain2.com
     # DocumentRoot "/var/www/html/mydomain2"
     #</VirtualHost>

     #<VirtualHost *:80>
     # ServerName www.mydomain3.com
     # ServerAlias www.mydomain4alias.com
     # DocumentRoot "/var/www/html/mydomain3"
     #</VirtualHost>

    Uncomment the ServerName and enter your own domain. The 2nd and 3rd virtual hosts are fully commented out with # (remove the #'s to create the virtual host), then set ServerName to your additional domain name and DocumentRoot to its directory. Add as many virtual hosts as needed. When done editing, upload the file back to /etc/httpd/conf.

  12. BONUS: Do you need the GD image library and OPcache, both used by Drupal? Do the following:
     yum install -y php70-gd php70-opcache

     # Install additional commonly used php packages
     yum install -y php70-imap php70-mbstring php70-pdo php70-pecl-apcu
  13. Start the Apache web server.
    [ec2-user ~]$ sudo service httpd start Starting httpd: [ OK ]
  14. Use a browser to navigate to the server root and to phpinfo.php page you should get the amazon linux test page and the PHP information page show below.linux-test-pagephp-test-page
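Added example, not from the original post or Amazon's guide: a POSIX shell script that applies the www-group scheme from step 7 to a document root and then audits the result, as the least-privilege alternative to putting ec2-user in the root group. The directory and group are parameters, and the audit functions return what a check would assert on (world-writable paths, directories missing the group-write or setgid bits, executable files) rather than only printing. It uses chgrp rather than chown root:www so it also runs unprivileged, which is all the group-write scheme needs; as root, add the chown if you want root to own the tree as in Amazon's steps.

```shell
#!/bin/sh
# Added example (not from the original post). Applies and audits the
# root:www-style permission scheme on a document root.
set -eu

# set_www_perms DIR GROUP: group ownership to GROUP, 2775 on directories
# (group-writable, setgid so new entries inherit the group), 0664 on files,
# so nothing under the docroot is executable or world-writable.
set_www_perms() {
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod 2775 {} \;
    find "$dir" -type f -exec chmod 0664 {} \;
}

# audit_world_writable DIR: print every path anyone on the box can write to
# (symlinks excluded, their own mode is meaningless). Empty output means clean.
audit_world_writable() {
    find "$1" ! -type l -perm -0002
}

# audit_dirs_missing_setgid DIR: count directories lacking the setgid bit or
# group rwx, i.e. where a file created by one group member would not be
# editable by the others.
audit_dirs_missing_setgid() {
    find "$1" -type d ! -perm -2070 | wc -l | tr -d ' '
}

# audit_executable_files DIR: count regular files with any execute bit; a PHP
# docroot should have none (neither mod_php nor PHP-FPM needs +x).
audit_executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | wc -l | tr -d ' '
}

# usage: sh wwwperms.sh /var/www www   (as root, after groupadd www)
case $# in
    2) set_www_perms "$1" "$2"
       echo "world-writable paths:"; audit_world_writable "$1"
       echo "dirs without setgid/group-write: $(audit_dirs_missing_setgid "$1")"
       echo "executable files: $(audit_executable_files "$1")" ;;
esac
```

Running the audit functions from cron against /var/www catches the common regressions: an upload directory chmod'ed to 777 "to make it work", or a deploy that copied files with the execute bit set.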

The Apache 2.4 web server is now running with PHP and virtual hosts. If you wish to install MySQL and phpMyAdmin on this server, follow Amazon's directions at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html; I will use an RDS server and MySQL Workbench instead.
