Lightsail Webserver Setup
Create a Lightsail instance. Create a key pair that will be used for SSH authentication in PuTTY; download the private key and add it to the PuTTY configuration.
Enable Lightsail to connect to RDS and S3 resources
Lightsail Console -> Account -> Advanced -> Enable VPC peering in the region of the RDS/S3 resources
Setting up the Lightsail web server instances to serve requests correctly
Step 1: Modify the Bitnami conf, Bitnami SSL conf, and main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed in the instructions/httpd-modifications.conf file.
Step 2: Deploy SSL certificates (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)
In the commands below, replace the domain name (desertedchateau.com in the examples) with your own domain name; additional subdomains can be added, including wildcards (wildcards are only possible with the DNS challenge). Replace the email address (youremail@somewhere.com in the examples) with your valid email address.
# Linux: (note, this will not work on the webservers, presumably due to VPC peering)
sudo /opt/bitnami/letsencrypt/lego --domains desertedchateau.com --domains '*.desertedchateau.com' --email youremail@somewhere.com --dns route53 --accept-tos=true run
# Windows:
lego.exe --domains desertedchateau.com --domains *.desertedchateau.com --email youremail@somewhere.com --dns route53 --accept-tos=true run
# Step 3: Update the certificates for Apache to use
Stop all web services on the server:
sudo /opt/bitnami/ctlscript.sh stop
Move the current certificates to .old filenames, and create a symlink to the new certificates:
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
# Step 4: Change file ownership to daemon, so that Apache can read and write the files
Change the htdocs folder's owner to daemon (the user Apache runs as).
Note that we specifically change the logrotate configuration file to belong to the root user, as this is required for logrotate to function properly.
sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs
sudo chown root:root /opt/bitnami/apache2/htdocs/src/Config/Logging/logrotate.conf
Make phpMyAdmin config modifications listed in /instructions/phpMyAdmin Setup.txt
Restart all Bitnami services:
sudo /opt/bitnami/ctlscript.sh restart
# Step 5: Change executable script permissions
Give permissions 755 (owner rwx, group r-x, other r-x) to the folders that contain executable shell scripts:
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts
# Step 6: Install cronjobs onto the server, depending on whether it is the primary cronjob server or a normal web server
Use the Crontab Addition text instructions in the instructions/aws/lightsail folder.
# Step 7: Add the logrotate configuration to the server. NOTE: switch to superuser (sudo su) before doing this, as logrotate is only installed for the superuser.
chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf
logrotate /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf
# Step 8: Update APT and PECL.
sudo apt-get update
sudo pecl channel-update pecl.php.net
# Step 9: Install PHPRedis on the server (the autoloader will fail without it), plus the other extensions below.
sudo pecl install redis
sudo apt-get install libyaml-dev
sudo pecl install yaml
# Step 10: Update AWS security groups to allow this Lightsail server to access RDS/Redis
VPC peering won't do the job alone here, as the Lightsail server is not in the same security group as your other AWS resources (and your security group's "allow all" setting only applies to requests from inside the security group).
Update your security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) from your web server's private IP (and from all the other web servers you have).
# Step 11: Add IPTables restrictions (ONLY FOR TEST ENVIRONMENTS)
Use iptables-script.sh to update the rules with an IP list containing your own IP address and all current Stripe IP addresses.
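Step 11 refers to an iptables-script.sh that is not shown here. The following POSIX shell is an added example (not the repository's script) of the same idea: it reads an allowlist file of source IPs, validates every entry, and prints the iptables commands that restrict ports 80/443 to that list while leaving SSH untouched. The allowlist file format and the WEB_ALLOW chain name are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's iptables-script.sh: builds iptables rules that
# let only an allowlist of source IPs reach ports 80/443 on a TEST server.
# Assumed list format: one IPv4 address or CIDR per line; blank lines and '#'
# comments are ignored. Port 22 is deliberately left alone so a bad list cannot
# lock you out of SSH. Usage: build_rules list.txt > rules.sh; review; sudo sh rules.sh

# is_ipv4_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/NN (octets <= 255, NN <= 32)
is_ipv4_cidr() {
    addr="${1%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32                     # no '/': a single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac  # digits and dots only
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rules LISTFILE -> prints the iptables commands (nothing is executed).
# Returns 1 and prints nothing if the list is empty or any entry is malformed:
# an empty allowlist would drop all web traffic, and a bad line must not become a rule.
build_rules() {
    entries=""
    while IFS= read -r line || [ -n "$line" ]; do
        entry="$(printf '%s' "${line%%#*}" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        if ! is_ipv4_cidr "$entry"; then
            echo "build_rules: bad allowlist entry '$entry'" >&2; return 1
        fi
        case "$entry" in */*) ;; *) entry="$entry/32" ;; esac   # host -> /32
        entries="$entries $entry"
    done < "$1"
    [ -n "$entries" ] || { echo "build_rules: empty allowlist" >&2; return 1; }
    echo "iptables -N WEB_ALLOW 2>/dev/null || iptables -F WEB_ALLOW"  # re-runs flush, not append
    for entry in $entries; do
        echo "iptables -A WEB_ALLOW -s $entry -j ACCEPT"
    done
    echo "iptables -A WEB_ALLOW -j DROP"
    for port in 80 443; do   # attach the chain to each web port once (-C checks first)
        echo "iptables -C INPUT -p tcp --dport $port -j WEB_ALLOW 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j WEB_ALLOW"
    done
}
```

Because the script only prints commands, the generated rules.sh can be reviewed before it is run as root, and re-running it replaces the chain contents rather than appending duplicate rules.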