Lightsail Webserver Setup
Create a Lightsail instance. Create a key pair that will be used for SSH authentication in PuTTY; download the private key and add it to the PuTTY configuration.
# Enable Lightsail to connect to RDS and S3 resources
Lightsail Console -> Account -> Advanced -> Enable VPC peering in region of RDS/S3 resources
# Setting up the Lightsail instance to serve requests correctly
# Step 1: Modify the Bitnami conf, Bitnami SSL conf, and main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed in the instructions/httpd-modifications.conf file.
# Step 2: Deploy SSL certificates (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)
# Replace DOMAIN with the domain name, e.g. "desertedchateau.com"; additional subdomains can be added, including wildcards (wildcards are only possible with the DNS challenge). Replace EMAIL-ADDRESS with your valid email address, e.g. "youremail@somewhere.com".
# Linux: (note: this will not work on the webservers, presumably due to VPC peering)
# The wildcard is quoted so the shell cannot glob-expand it, and --path keeps lego's output under /opt/bitnami/letsencrypt, which is where Step 3 links the certificate from (without it lego writes to ./.lego in the current directory).
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --domains desertedchateau.com --domains '*.desertedchateau.com' --email youremail@somewhere.com --dns route53 --accept-tos=true run
# Windows:
lego.exe --domains desertedchateau.com --domains *.desertedchateau.com --email youremail@somewhere.com --dns route53 --accept-tos=true run
# Step 3: update the certificates for Apache to use
sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
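The Step 3 swap above links whatever lego wrote into Apache's certificate directory without checking it. The script below is an added example, not part of these setup notes or of the Bitnami/lego tooling: it verifies that the lego certificate and key for DOMAIN belong together, that the certificate is not about to expire and that its SAN list actually contains DOMAIN, and only then performs the same backup, symlink, chown and chmod steps as above. Paths are the ones used in these notes; the domain is taken from the first argument. Run it between the ctlscript.sh stop and restart commands.

```shell
#!/usr/bin/env bash
# Added example (not part of the setup notes): sanity-check the lego
# certificate for DOMAIN before pointing Bitnami's Apache at it, then do the
# same backup / symlink / chown / chmod steps as Step 3.

LEGO_DIR=/opt/bitnami/letsencrypt/certificates
APACHE_CERTS=/opt/bitnami/apache2/conf/bitnami/certs

# Returns 0 when the certificate's public key matches the private key.
# Comparing the SubjectPublicKeyInfo works for both RSA and EC keys.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Returns 0 when the certificate stays valid for at least DAYS more days (default 7).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null 2>&1
}

# Returns 0 when NAME is listed in the certificate's subjectAltName
# (exact entry, so a wildcard must be asked for as '*.example.com').
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | tr -d ' ' | grep -Fxq -- "DNS:$2"
}

# install_certs DOMAIN: verify, then wire the lego files into Apache's cert dir.
install_certs() {
    domain="$1"
    crt="$LEGO_DIR/$domain.crt"
    key="$LEGO_DIR/$domain.key"
    cert_key_match "$crt" "$key"      || { echo "key does not match $crt" >&2; return 1; }
    cert_valid_for_days "$crt" 7      || { echo "$crt expires within 7 days" >&2; return 1; }
    cert_covers_name "$crt" "$domain" || { echo "$crt has no SAN entry for $domain" >&2; return 1; }
    for f in server.crt server.key; do
        # Back up only a real file: a symlink left by an earlier run must not
        # overwrite the original .old backup.
        if [ -e "$APACHE_CERTS/$f" ] && [ ! -L "$APACHE_CERTS/$f" ]; then
            sudo mv "$APACHE_CERTS/$f" "$APACHE_CERTS/$f.old"
        fi
    done
    sudo ln -sf "$crt" "$APACHE_CERTS/server.crt"
    sudo ln -sf "$key" "$APACHE_CERTS/server.key"
    # chown/chmod follow the symlinks, so this also tightens lego's own files.
    sudo chown root:root "$APACHE_CERTS"/server*
    sudo chmod 600 "$APACHE_CERTS"/server*
}

if [ "$#" -gt 0 ]; then
    install_certs "$1"
fi
```

Usage: `sudo ./install-certs.sh desertedchateau.com`. Apache reads the key as root at startup and then drops to daemon, which is why root:root with mode 600 on the key is enough and the htdocs chown in Step 4 does not need to touch it.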
# Step 4: change file ownership to daemon, so that Apache can access them and write to them
sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs
sudo chown root:root /opt/bitnami/apache2/htdocs/src/Config/Logging/logrotate.conf
Make phpMyAdmin config modifications listed in /instructions/phpMyAdmin Setup.txt
Restart all Bitnami services:
sudo /opt/bitnami/ctlscript.sh restart
# Step 5: Change executable script permissions.
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts
# Step 6: Install cronjobs on the server, depending on whether it is the primary cronjob server or a normal web server
Use the Crontab Addition text instructions in the instructions/aws/lightsail folder.
# Step 7: Add logrotate configuration to server. NOTE: switch to superuser (sudo su) before doing this, as logrotate is only installed for superuser.
chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf
logrotate /opt/bitnami/apache/htdocs/src/Config/Logging/logrotate.conf
# Step 8: Update APT and PECL.
sudo apt-get update
sudo pecl channel-update pecl.php.net
# Step 9: Install PHPRedis on the server (the autoloader fails without it) and the other extensions.
sudo pecl install redis
sudo apt-get install libyaml-dev
sudo pecl install yaml
# Step 10: Update AWS security groups to allow this Lightsail server to access RDS/Redis
VPC peering won't do the job alone here, as the Lightsail server is not in the same security group as your other AWS resources (and your security group's "allow all" setting only applies to requests from inside the security group).
Update your security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) for your webserver's private IP (and all the other webservers you have).
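As an added example (not part of these notes), the script below adds the two inbound rules per webserver with the AWS CLI and shows what the group then allows. It refuses anything that is not a single RFC 1918 address, because a peered Lightsail instance reaches the VPC from its private IP and a mistyped public address or a wide CIDR here would expose MariaDB and Redis to the internet. The group id and addresses are placeholders; the AWS CLI must be configured with credentials allowed to modify the group.

```shell
#!/usr/bin/env bash
# Added example (not part of the setup notes): authorise MariaDB (3306) and
# Redis (6379) from each webserver's private IP into the RDS/Redis security
# group. The group id and addresses used here are placeholders.

DB_PORTS="3306 6379"

# Returns 0 when ADDR is one well-formed RFC 1918 IPv4 address. Anything else
# is refused so a typo cannot open the database to a public range.
is_private_ipv4() {
    addr="$1"
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    a=${addr%%.*}; rest=${addr#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do [ "$o" -le 255 ] || return 1; done
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    return 1
}

# sg_allow_webserver SG_ID PRIVATE_IP [apply]
# Prints the AWS CLI calls (dry run, the default) or executes them.
sg_allow_webserver() {
    sg="$1"; ip="$2"; mode="${3:-dry-run}"
    is_private_ipv4 "$ip" || { echo "refusing non-private address: $ip" >&2; return 1; }
    for port in $DB_PORTS; do
        # /32 so exactly one host is allowed per rule
        set -- aws ec2 authorize-security-group-ingress --group-id "$sg" \
               --protocol tcp --port "$port" --cidr "$ip/32"
        if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi
    done
}

# sg_db_rules SG_ID: show what the group currently allows on 3306/6379, to
# confirm each webserver is listed and nothing wider than /32 slipped in.
sg_db_rules() {
    aws ec2 describe-security-groups --group-ids "$1" --output text \
        --query 'SecurityGroups[0].IpPermissions[?FromPort==`3306` || FromPort==`6379`].[FromPort, IpRanges[].CidrIp]'
}

# Usage: ./sg-allow.sh sg-0123456789abcdef0 10.0.1.5 10.0.1.6 ...
if [ "$#" -ge 2 ]; then
    sg="$1"; shift
    for ip in "$@"; do sg_allow_webserver "$sg" "$ip" apply; done
    sg_db_rules "$sg"
fi
```

authorize-security-group-ingress rejects a rule that already exists (InvalidPermission.Duplicate), so re-running the script for an already listed webserver fails loudly rather than adding a second copy; check the describe output first when adding a new server to an existing group.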
# Step 11: Add IPTables restrictions (ONLY FOR TEST ENVIRONMENTS)
Run iptables-script.sh with an IP list containing your own IP address and all current Stripe IP addresses.
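iptables-script.sh itself is not reproduced in these notes. The script below is an added example, not the project's script: it builds an iptables-restore ruleset from an allow-list file (one IPv4 address or CIDR per line, '#' comments allowed) so that only the listed sources can reach ports 80 and 443, keeps SSH open from your own address before anything is dropped, and refuses 0.0.0.0/0 since a single such line would silently turn the allow-list into "allow everyone". ADMIN_IP and the sample list are constructed placeholders; the Stripe entries come from the list Stripe publishes for its webhook sources, which is not fetched here.

```shell
#!/usr/bin/env bash
# Added example (not part of the setup notes; test environments only, as the
# notes say): generate an iptables-restore ruleset from an allow-list file so
# that only your own address and Stripe's webhook sources reach 80/443.
# ADMIN_IP and the sample list are constructed placeholders.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # your own address; SSH is allowed from here only

# Returns 0 for a well-formed IPv4 address or CIDR; 0.0.0.0/0 is refused.
validate_cidr() {
    entry="$1"
    echo "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    [ "$entry" = "0.0.0.0/0" ] && return 1
    case "$entry" in */*) [ "${entry#*/}" -le 32 ] || return 1 ;; esac
    for o in $(echo "${entry%%/*}" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Entries of LIST_FILE without CRs (lists edited on Windows), blanks or comments.
list_entries() { tr -d '\r' < "$1" | grep -Ev '^[[:space:]]*(#|$)'; }

# build_ruleset LIST_FILE: print the ruleset on stdout; nothing is applied.
build_ruleset() {
    list="$1"
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 1; }
    # Validate everything first so a bad line never yields a half-built ruleset.
    for entry in $(list_entries "$list"); do
        validate_cidr "$entry" || { echo "bad entry in $list: $entry" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Admin SSH comes before the web rules so applying the set cannot lock you out.
    echo "-A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT"
    for entry in $(list_entries "$list"); do
        echo "-A INPUT -p tcp -s $entry -m multiport --dports 80,443 -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_ruleset LIST_FILE: build into a private temp file (mktemp gives mode
# 0600, no race on a predictable /tmp name) and load it in one go.
apply_ruleset() {
    rules=$(mktemp) || return 1
    build_ruleset "$1" > "$rules" && sudo iptables-restore < "$rules"
    status=$?
    rm -f "$rules"
    return $status
}

# Usage: ./allowlist-fw.sh ips.txt        (print the ruleset for review)
#        ./allowlist-fw.sh ips.txt apply  (load it with iptables-restore)
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = apply ]; then apply_ruleset "$1"; else build_ruleset "$1"; fi
fi
```

Review the printed ruleset before applying it. Two caveats: the Lightsail console firewall on the instance's Networking tab is a separate layer that still applies on top of these rules, and iptables rules loaded this way do not survive a reboot unless they are persisted (for example with netfilter-persistent), so the script has to be re-run or persisted after every restart.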