
Configure Nginx + PHP-FPM and HTTPS from Let's Encrypt on AWS EC2 with Ubuntu Server 16.04 LTS

The procedure for installing PHP 7.1 and deploying a PHP project to a freshly created Amazon AWS EC2 instance. Based on this article, with additions from here and from other sources. A newer version of PHP is used, instructions for setting up HTTPS are added, and a sample project setup for Laravel is included. It is assumed that the instance is used in development mode.

First, the full set of commands. This is not a bash script but simply a list of commands: run them manually, one at a time, and enter the required data where prompted.

General settings
    # Instructions how to setup new AWS EC2 instance with Ubuntu Server 16.04 LTS and install PHP Laravel project and HTTPS
    # This is not a bash script, you have to run and control all commands manually

    sudo apt-get install nginx mysql-server
    sudo mysql_secure_installation

    sudo add-apt-repository ppa:ondrej/php && sudo apt-get update
    sudo apt-get install php7.1 php7.1-cli php7.1-common php7.1-mysql php7.1-fpm php7.1-curl php7.1-gd php7.1-bz2 php7.1-mcrypt php7.1-json php7.1-tidy php7.1-mbstring php-redis php-memcached php7.1-zip php7.1-dom php7.1-gmp

    # run after installation to create config directory from current user
    sudo apt-get install mc
    mc

    sudo mcedit /etc/php/7.1/fpm/php.ini
    # cgi.fix_pathinfo=0
    sudo systemctl restart php7.1-fpm

    sudo mcedit /etc/nginx/sites-available/default
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        #!
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        #!
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        #!
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        }

        #!
        location ~ /\.ht {
            deny all;
        }
    }

    sudo nginx -t
    sudo systemctl reload nginx

    echo "<?php phpinfo();" | sudo tee /var/www/html/info.php > /dev/null
    # check http://11.22.33.44/info.php
    sudo rm /var/www/html/info.php

    sudo chown -R "$USER":www-data /var/www/
    sudo find /var/www/ -type f -exec chmod 660 {} \; && sudo find /var/www/ -type d -exec chmod 2770 {} \;
    sudo usermod -a -G www-data ubuntu

    # https
    sudo apt-get install software-properties-common && sudo add-apt-repository ppa:certbot/certbot && sudo apt-get update && sudo apt-get install python-certbot-nginx

    sudo mcedit /etc/nginx/sites-available/default
    # server_name my.domain.name;
    sudo systemctl reload nginx

    sudo certbot --nginx

    echo -e '#!/bin/sh\n\ncertbot renew\n' | sudo tee /etc/cron.daily/certbot-renew > /dev/null
    sudo chmod 0755 /etc/cron.daily/certbot-renew

    sudo certbot renew --dry-run


Project Settings
    sudo apt-get install git
    curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer

    cd /var && rm -rf www/html
    # set repository URL here
    git clone ... www
    cd www
    git checkout dev
    ln -s public html
    composer install

    sudo chgrp -R www-data storage bootstrap/cache
    sudo chmod -R ug+rwx storage bootstrap/cache
    sudo chmod -R 0777 storage/framework/cache

    cp .env.example .env && php artisan key:generate
    # set values in .env file - APP_NAME, DB_DATABASE, and other

System Setup


Nginx and MySQL

    sudo apt-get install nginx mysql-server
    sudo mysql_secure_installation

mysql_secure_installation asks a few setup questions.
    Would you like to setup VALIDATE PASSWORD plugin? n
    Change the password for root? n
    Remove anonymous users? y
    Disallow root login remotely? y
    Remove test database and access to it? y
    Reload privilege tables now? y

If the project connects to the database as a single user, that is, new users will not be created on a regular basis, the password validation plugin can be disabled.

It is better to disable remote login for all users; to connect from your own computer, use port forwarding over SSH.

Php

    sudo add-apt-repository ppa:ondrej/php && sudo apt-get update
    sudo apt-get install php7.1 php7.1-cli php7.1-common php7.1-mysql php7.1-fpm php7.1-curl php7.1-gd php7.1-bz2 php7.1-mcrypt php7.1-json php7.1-tidy php7.1-mbstring php-redis php-memcached php7.1-zip php7.1-dom php7.1-gmp

PHP 7.1 and 7.2 are not yet in the standard repositories, hence the third-party PPA.

Midnight commander

    sudo apt-get install mc
    mc

Installing it is optional if you prefer another editor and another way of navigating the file system.

Do not run mc through sudo the first time after installation: the configuration files would then be created by the root user, and starting it later as the normal user would give an access error.

    sudo mcedit /etc/php/7.1/fpm/php.ini
    # cgi.fix_pathinfo=0
    sudo systemctl restart php7.1-fpm

Find the cgi.fix_pathinfo setting, uncomment it and set it to 0. This closes the known Nginx + PHP-FPM vulnerability in which a request for a non-PHP file with a trailing .php path component is resolved to that file and executed as PHP; you can read more here.
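A small audit for this setting, as an added example that is not part of the original article. It reads the effective cgi.fix_pathinfo value from a php.ini the way PHP does (a missing directive means 1, a line starting with ';' is a comment, the last uncommented assignment wins) and runs it over constructed sample files that stand in for /etc/php/7.1/fpm/php.ini:

```shell
#!/bin/sh
# Added example, not from the original article: audit a php.ini for the
# effective cgi.fix_pathinfo value. Three things trip up a naive grep:
# PHP treats a missing directive as 1 (the insecure default), a line that
# starts with ';' is a comment, and when the key appears more than once the
# last uncommented assignment wins.

# Print the effective value of cgi.fix_pathinfo from the php.ini given as $1.
effective_fix_pathinfo() {
    awk '
        /^[ \t]*;/ { next }                       # comment line
        /^[ \t]*cgi\.fix_pathinfo[ \t]*=/ {
            sub(/^[^=]*=/, "")                    # keep only the value
            sub(/;.*$/, "")                       # drop a trailing comment
            gsub(/[ \t]/, "")                     # strip blanks
            value = $0                            # last one wins
        }
        END { if (value == "") value = "1"; print value }
    ' "$1"
}

# Return 0 when the file is hardened (cgi.fix_pathinfo=0), 1 otherwise.
check_fix_pathinfo() {
    [ "$(effective_fix_pathinfo "$1")" = "0" ]
}

# Constructed sample files standing in for /etc/php/7.1/fpm/php.ini.
make_samples() {
    dir=$(mktemp -d)
    # as shipped: the directive is present but commented out, so PHP uses 1
    printf ';cgi.fix_pathinfo=1\n' > "$dir/stock.ini"
    # hardened as the article describes, with surrounding blanks and a comment
    printf 'cgi.fix_pathinfo = 0 ; see the article\n' > "$dir/fixed.ini"
    # a later assignment overrides the earlier one
    printf 'cgi.fix_pathinfo=0\ncgi.fix_pathinfo=1\n' > "$dir/overridden.ini"
    echo "$dir"
}

# Print one line per file: OK or INSECURE with the effective value.
audit_report() {
    for f in "$@"; do
        v=$(effective_fix_pathinfo "$f")
        if [ "$v" = "0" ]; then
            echo "OK       $f"
        else
            echo "INSECURE $f (effective cgi.fix_pathinfo=$v)"
        fi
    done
}

# Usage on the server: audit_report /etc/php/7.1/fpm/php.ini
# Demo on the constructed samples:
samples=$(make_samples)
audit_report "$samples"/*.ini
rm -rf "$samples"
```

Point it at the FPM php.ini, not the CLI one: the CLI has its own /etc/php/7.1/cli/php.ini, so `php -i` on the command line does not tell you what the web requests get.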

    sudo mcedit /etc/nginx/sites-available/default
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        #!
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        #!
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        #!
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        }

        #!
        location ~ /\.ht {
            deny all;
        }
    }

The lines marked #! are the ones to change.

- index - add index.php
- try_files - remove =404, add /index.php?$query_string
- location ~ \.php$ - uncomment the section and change the name of the socket file
- location ~ /\.ht - uncomment the section that denies access to .htaccess files

    sudo nginx -t
    sudo systemctl reload nginx

Check that the configuration is valid; if everything is fine, reload Nginx.

    echo "<?php phpinfo();" | sudo tee /var/www/html/info.php > /dev/null
    # check http://11.22.33.44/info.php
    sudo rm /var/www/html/info.php

Create a test file, check that PHP works, then delete it. This step is optional. 11.22.33.44 stands for the instance's IP address.

    sudo chown -R "$USER":www-data /var/www/
    sudo find /var/www/ -type f -exec chmod 660 {} \; && sudo find /var/www/ -type d -exec chmod 2770 {} \;
    sudo usermod -a -G www-data ubuntu

Everything in the web directory is currently owned by root; change it to a regular user. Nginx runs PHP as the www-data user in the www-data group, while SSH logs in as the ubuntu user. Add ubuntu to that group, otherwise there may be access problems, for example when a console command creates a folder that the site later needs to write to when it is opened via the web.
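Why the directories get 2770 rather than 770, as an added example that is not from the original article. It creates a throwaway directory with each mode, then creates a subdirectory and a file inside it, and shows that with the setgid bit the new entries take the parent's group (and new subdirectories keep the setgid bit), which is what keeps files created by ubuntu over SSH writable for the www-data group that PHP-FPM runs as. The optional GROUP argument is an assumption and must be a group the current user belongs to:

```shell
#!/bin/sh
# Added example, not from the original article: what the setgid bit in the
# "chmod 2770" above does for the ubuntu/www-data split. On a directory with
# setgid set, every new file gets the directory's group instead of the
# creating user's primary group, and every new subdirectory also inherits the
# setgid bit. Everything happens in a throwaway temporary directory; the
# optional GROUP argument is an assumption and must be a group the current
# user belongs to (www-data on the server, once ubuntu has been added to it).

# Create a parent directory with mode $1 (and group $2 if given), then create
# a subdirectory and a file inside it. Prints three fields:
#   <subdirectory mode> <group of the new file> <group of the parent>
probe_inheritance() {
    mode=$1
    group=${2:-}
    base=$(mktemp -d)
    parent="$base/www"
    mkdir "$parent"
    if [ -n "$group" ]; then
        chgrp "$group" "$parent"
    fi
    chmod "$mode" "$parent"
    mkdir "$parent/storage"            # e.g. created by "php artisan" over SSH
    : > "$parent/storage/app.log"      # e.g. written later by the same command
    printf '%s %s %s\n' \
        "$(stat -c %a "$parent/storage")" \
        "$(stat -c %G "$parent/storage/app.log")" \
        "$(stat -c %G "$parent")"
    rm -rf "$base"
}

# Return 0 if a parent with mode $1 passes the setgid bit on to new subdirectories.
subdir_inherits_setgid() {
    set -- $(probe_inheritance "$1" "${2:-}")
    case "$1" in
        2*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 if a new file inside a parent with mode $1 gets the parent's group.
file_inherits_group() {
    set -- $(probe_inheritance "$1" "${2:-}")
    [ "$2" = "$3" ]
}

# Demo: compare the article's 2770 with a plain 770.
for m in 2770 770; do
    echo "mode $m -> $(probe_inheritance "$m")"
done
```

Two caveats worth knowing when you try this on the server as ubuntu with `probe_inheritance 2770 www-data`: the group added by usermod only takes effect in a new login session, and the setgid bit only controls the group of new entries, not their permission bits, so whether the group can write to a newly created file still depends on the creating process's umask.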

HTTPS setup


Configuring HTTPS is usually done after the project is set up and already working over HTTP. But the steps are the same regardless of the project, so we cover them first.
Free certificates from Let's Encrypt are used.

    sudo apt-get install software-properties-common && sudo add-apt-repository ppa:certbot/certbot && sudo apt-get update && sudo apt-get install python-certbot-nginx

Install certbot; it handles both configuring and renewing certificates.

    sudo mcedit /etc/nginx/sites-available/default
    # server_name my.domain.name;
    sudo systemctl reload nginx

Enter the domain name in the Nginx configuration. The domain should already exist and point to the server IP; to do this, add a DNS record of type A in the domain settings at your registrar.

    sudo certbot --nginx

Run certbot. It determines the domain automatically from the Nginx settings but asks for confirmation, along with a few other questions. It then obtains the certificate, using the domain name for validation, and edits the Nginx configuration for HTTPS itself.

    echo -e '#!/bin/sh\n\ncertbot renew\n' | sudo tee /etc/cron.daily/certbot-renew > /dev/null
    sudo chmod 0755 /etc/cron.daily/certbot-renew

Add certificate renewal to cron so that it runs daily.

    sudo certbot renew --dry-run

There is a dedicated command to check that renewal will go through without errors.

Project Setup


Git and composer

    sudo apt-get install git
    curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer

Composer is better not installed via apt-get, which carries an old version. The Composer website provides a script for a more secure installation with a hash check; you can use it, or just take the current hash from there and check it manually.
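The hash-checked install described above, as an added example that is neither the article's command nor Composer's own script. It downloads the installer and the SHA-384 signature Composer publishes at https://composer.github.io/installer.sig, and runs the installer only if the two agree; the offline demo at the end exercises the check on a constructed file. INSTALL_DIR is an assumption matching the article's command:

```shell
#!/bin/sh
# Added example, not code from the original article or from Composer itself:
# the hash-checked install the article recommends instead of piping the
# installer straight into php. The installer and its SHA-384 signature are
# fetched from Composer's published URLs; the installer runs only if the two
# agree. INSTALL_DIR is an assumption matching the article's command.

INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}

# Compare the SHA-384 of file $1 with the expected hex digest $2.
# Returns 0 on match, 1 on mismatch or if the digest could not be computed.
verify_sha384() {
    actual=$(sha384sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Download installer and signature, verify, and only then run the installer.
install_composer() {
    tmp=$(mktemp -d)
    curl -sS -o "$tmp/composer-setup.php" https://getcomposer.org/installer
    expected=$(curl -sS https://composer.github.io/installer.sig)
    if ! verify_sha384 "$tmp/composer-setup.php" "$expected"; then
        echo "composer installer: SHA-384 mismatch, refusing to run it" >&2
        rm -rf "$tmp"
        return 1
    fi
    php "$tmp/composer-setup.php" --install-dir="$INSTALL_DIR" --filename=composer
    status=$?
    rm -rf "$tmp"
    return $status
}

# Offline demo of the check on a constructed file (no network needed):
# the genuine file passes, the same file with one extra byte is rejected.
demo_offline() {
    f=$(mktemp)
    printf 'constructed stand-in for composer-setup.php\n' > "$f"
    good=$(sha384sum "$f" | cut -d' ' -f1)
    verify_sha384 "$f" "$good" && echo "genuine file: verified"
    printf 'one extra byte' >> "$f"
    verify_sha384 "$f" "$good" || echo "tampered file: rejected"
    rm -f "$f"
}

demo_offline
```

Run install_composer as root or under sudo, since INSTALL_DIR is /usr/local/bin. The mismatch branch deletes the download and returns non-zero on purpose: a supply-chain check that only prints a warning and carries on is not a check.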

    cd /var && rm -rf www/html
    # set repository URL here
    git clone ... www
    cd www
    git checkout dev
    ln -s public html
    composer install

Clone the project and install its dependencies. Insert your own repository URL and branch name.
Nginx is configured to serve the html folder; remove it and make a symlink to the folder in the project that contains index.php. In Laravel this is the public folder.

    sudo chgrp -R www-data storage bootstrap/cache
    sudo chmod -R ug+rwx storage bootstrap/cache
    sudo chmod -R 0777 storage/framework/cache

Set the folder permissions specifically for Laravel. Read more here.

    cp .env.example .env && php artisan key:generate

Create a working environment settings file. Then proceed as usual: create the database, configure the project and fill in the settings.

Source: https://habr.com/ru/post/344908/

