
Lightsail Webserver Setup

Create Lightsail instance. Create key-pair that will be used for SSH authentication in PuTTY; download private key and add it to PuTTY configuration.

Enable Lightsail to connect to RDS and S3 resources

Lightsail Console -> Account -> Advanced -> Enable VPC peering in region of RDS/S3 resources

Setting up the Lightsail web server instances

Step 1: Modify the Apache httpd.conf files to serve requests correctly

Modify the Bitnami conf, Bitnami SSL conf, and the main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed in the instructions/httpd-modifications.conf file.

Step 2: Deploy SSL certificates (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)

In the commands below, replace the domain name (shown as "desertedchateau.com") with your own; additional subdomains can be added, including wildcards (wildcards are only possible with the DNS challenge). Replace the email address (shown as "youremail@somewhere.com") with your valid email address.

# Linux: (note, this will not work on the webservers, presumably due to VPC peering)

sudo /opt/bitnami/letsencrypt/lego --domains desertedchateau.com --domains '*.desertedchateau.com' --email youremail@somewhere.com --dns route53 --accept-tos=true run


# Windows:

lego.exe --domains desertedchateau.com --domains *.desertedchateau.com --email youremail@somewhere.com --dns route53 --accept-tos=true run

Step 3: Update the certificates for Apache to use

Stop all web services on the server:

sudo /opt/bitnami/ctlscript.sh stop

Move the current certificates to .old filenames, and create a symlink to the new certificates:

sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*

Step 4: Change file ownership to daemon, so that Apache can access and write to the files

Change the htdocs folder's owner to daemon (which Apache runs as).

Note that we specifically change the logrotate configuration file to belong to the root user, as logrotate requires this to function properly.

sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs
sudo chown root:root /opt/bitnami/apache2/htdocs/src/Config/Logging/logrotate.conf

Make phpMyAdmin config modifications listed in /instructions/phpMyAdmin Setup.txt

Restart all Bitnami services:

sudo /opt/bitnami/ctlscript.sh restart

Step 5: Change executable script permissions

Give permissions 755 (rwxr-xr-x) to the folders that contain executable shell scripts:

sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts

Step 6: Install cronjobs on the server, depending on whether it is the primary cronjob server or a normal web server

Use the Crontab Addition text instructions in the instructions/aws/lightsail folder.

Step 7: Add logrotate configuration to server. NOTE: switch to superuser (sudo su) before doing this, as logrotate is only installed for superuser.

chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf
logrotate /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf



Step 8: Update APT and PECL

YAML is required for PHPRedis to function properly.

sudo apt-get update
sudo pecl channel-update pecl.php.net

Step 9: Install PHPRedis (the autoloader will fail without it) and other extensions on the server

sudo pecl install redis
sudo apt-get install libyaml-dev
sudo pecl install yaml


Step 10: Update AWS security groups to allow this Lightsail server to access RDS/Redis

VPC peering alone won't do the job here, as the Lightsail server is not in the same security group as your other AWS resources (and the security group's "allow all" setting only applies to requests originating inside that security group).

Update your security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) from your web server's private IP (and the private IPs of all your other web servers).


Step 11: Add IPTables restrictions (only for test environments)

Use iptables-script.sh to update the firewall with an IP list containing your own IP address and all current Stripe IP addresses.
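As an added illustration of what such a test-environment allowlist looks like (this is not the project's own iptables-script.sh), the script below generates the INPUT-chain rules for an admin address plus a list of allowed client addresses. It only prints the iptables commands so they can be reviewed before being run as root; every address in it is a constructed placeholder, and the `valid_cidr` and `gen_rules` names are my own.

```shell
#!/bin/sh
# Added example, not the project's own iptables-script.sh: emits an IPv4
# INPUT-chain allowlist for a TEST web server from an admin address and a
# list of allowed client addresses (your own IP plus the allowed IP list).
# Commands are printed, not applied: review them, then run them as root.
# All addresses below are constructed placeholders.

# valid_cidr ADDR - accept a dotted quad with an optional /prefix, reject anything else
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_rules ADMIN_IP ALLOWED [ALLOWED...]
# Rule order is the point: the policy is opened and the chain flushed first,
# then loopback, established flows and admin SSH are allowed, and only after
# every allow rule is in place does the default policy become DROP, so the
# session applying the rules is never cut off. A malformed address aborts
# before anything is printed.
gen_rules() {
  admin_ip=$1; shift
  for ip in "$admin_ip" "$@"; do
    if ! valid_cidr "$ip"; then
      echo "gen_rules: malformed address '$ip'" >&2
      return 1
    fi
  done
  echo "iptables -P INPUT ACCEPT"   # never flush while the policy is DROP
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -p tcp -s $admin_ip --dport 22 -j ACCEPT"
  for ip in "$admin_ip" "$@"; do
    echo "iptables -A INPUT -p tcp -s $ip -m multiport --dports 80,443 -j ACCEPT"
  done
  # log a rate-limited sample of what gets dropped so missing IPs are diagnosable
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'IPT-DROP: '"
  echo "iptables -P INPUT DROP"
}

# Usage with constructed addresses: admin IP first, then the allowlist
# (in practice: gen_rules ADMIN_IP $(cat allowed-ips.txt) > rules.sh).
gen_rules 203.0.113.10 198.51.100.0/24 192.0.2.7
```

IPv6 is not covered by these rules; if the instance has an IPv6 address, the same allowlist must be applied with ip6tables or the address family disabled.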