Lightsail Webserver Setup
Create Lightsail instance. Create key-pair that will be used for SSH authentication in PuTTY; download private key and add it to PuTTY configuration.
Enable Lightsail to connect to RDS and S3 resources
Go to the Lightsail Console -> Account -> Advanced -> Enable VPC peering, for the region of the RDS/S3 resources. This only needs to be done once for a given Lightsail region, and applies to all Lightsail servers in that region.
Setting up Lightsail web server instances
Step 1: Modify the Apache httpd.conf files
Modify the bitnami.conf, bitnami-ssl.conf, and main httpd.conf and httpd-ssl.conf files. The necessary modifications are listed in the instructions/httpd-modifications.conf file.
Step 2: Deploy SSL Certificates
Deploy SSL certificates: (more info: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach)
In the commands below, replace DOMAIN with the domain name, e.g. "desertedchateau.com". Additional subdomains can be added, including wildcards (wildcards are only possible with the DNS-01 challenge type). Replace EMAIL-ADDRESS with your valid email address, e.g. "youremail@somewhere.com".
Attempting to get the SSL certificates directly on the webservers themselves does not work, presumably due to VPC peering. Request the certificates on a local machine, then deploy them to the webservers manually.
Install Go, which is required for Lego to work: https://go.dev/doc/install
Install the Lego client: https://github.com/go-acme/lego/releases (click "show all assets" to see the Windows releases).
With these installed, run the following commands in a Windows command prompt, substituting the necessary variables with the IAM keys for a user with Route 53 permissions, and the Hosted Zone ID for the domain (visible in the Route 53 console). Make sure you do this from a command prompt with administrator privileges or you will get "missing endpoint" errors. Each "set" is a separate command (the Windows command prompt has no backslash line continuation):
set AWS_ACCESS_KEY_ID=<access key for Route 53 IAM user>
set AWS_SECRET_ACCESS_KEY=<secret key for Route 53 IAM user>
set AWS_REGION=eu-west-3
set AWS_HOSTED_ZONE_ID=<hosted zone ID>
lego.exe --domains desertedchateau.com --domains *.desertedchateau.com --email youremail@somewhere.com --dns route53 --accept-tos=true run
Step 3: Update the certificates for Apache to use
Stop all web services on the server:
sudo /opt/bitnami/ctlscript.sh stop
Move the current certificates to .old filenames, and create symlinks to the new certificates. Note that chown and chmod follow the symlinks, so the ownership and mode changes apply to the Lego-issued files themselves:
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt.old
sudo mv /opt/bitnami/apache2/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/bitnami/certs/server.key.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.key /opt/bitnami/apache2/conf/bitnami/certs/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/_.desertedchateau.com.crt /opt/bitnami/apache2/conf/bitnami/certs/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/bitnami/certs/server*
sudo chmod 600 /opt/bitnami/apache2/conf/bitnami/certs/server*
Step 4: Change file ownership to daemon, so that Apache can access the files and write to them
Change the htdocs folder's owner to daemon (which Apache runs as).
sudo chown -R daemon:daemon /opt/bitnami/apache2/htdocs
Make phpMyAdmin config modifications listed in /instructions/phpMyAdmin Setup.txt
Restart all Bitnami services:
sudo /opt/bitnami/ctlscript.sh restart
Step 5: Change executable script permissions
Give permissions 755 (rwx for the owner, r-x for group and others) to the folders that contain executable shell scripts:
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Cronjobs
sudo chmod -R 755 /opt/bitnami/apache/htdocs/admin
sudo chmod -R 755 /opt/bitnami/apache/htdocs/src/Scripts
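The following audit script is an added example, not part of the original instructions. It re-checks the results of Steps 3, 4 and 5 after deployment: the cert files in the Apache certs directory must be live symlinks whose targets are root:root with mode 600, and htdocs/script folders must have the expected owner and mode. Directory paths and owners are passed as arguments so the script can be run against a staging copy; the Bitnami paths from the steps above are the intended inputs.

```shell
#!/bin/bash
# Post-deployment permission audit for the Bitnami Apache setup.
# stat -L is used so that symlinked cert files are checked by target,
# matching what chown/chmod above actually changed.

# check_mode PATH OCTAL -> 0 if the (dereferenced) permission bits match.
check_mode() {
  local actual
  actual=$(stat -L -c '%a' -- "$1" 2>/dev/null) || return 1
  [ "$actual" = "$2" ]
}

# check_owner PATH USER:GROUP -> 0 if the (dereferenced) owner matches.
check_owner() {
  local actual
  actual=$(stat -L -c '%U:%G' -- "$1" 2>/dev/null) || return 1
  [ "$actual" = "$2" ]
}

# check_symlink LINK -> 0 if LINK is a symlink and its target exists.
check_symlink() {
  [ -L "$1" ] && [ -e "$1" ]
}

# audit_certs CERT_DIR [OWNER] -> 0 only if server.key and server.crt in
# CERT_DIR are live symlinks owned by OWNER (default root:root), mode 600.
audit_certs() {
  local dir=$1 owner=${2:-root:root} f rc=0
  for f in server.key server.crt; do
    check_symlink "$dir/$f" || { echo "FAIL: $dir/$f is not a live symlink"; rc=1; }
    check_owner "$dir/$f" "$owner" || { echo "FAIL: $dir/$f not owned by $owner"; rc=1; }
    check_mode "$dir/$f" 600 || { echo "FAIL: $dir/$f mode is not 600"; rc=1; }
  done
  return $rc
}

# audit_path PATH OWNER OCTAL -> 0 only if PATH has that owner and mode.
# Intended for htdocs (daemon:daemon) and the 755 script folders (Step 5).
audit_path() {
  local rc=0
  check_owner "$1" "$2" || { echo "FAIL: $1 not owned by $2"; rc=1; }
  check_mode "$1" "$3" || { echo "FAIL: $1 mode is not $3"; rc=1; }
  return $rc
}

# Usage on a real server (Bitnami paths from the steps above):
#   audit_certs /opt/bitnami/apache2/conf/bitnami/certs
#   audit_path /opt/bitnami/apache2/htdocs daemon:daemon 755
```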
Step 6: Install cronjobs onto the server, depending on whether it is the primary cronjob server or a normal web server
Use the Crontab Addition text instructions in the instructions/aws/lightsail folder.
Step 7: Add the logrotate configuration to the server. NOTE: switch to the superuser (sudo su) before doing this, as logrotate is only installed for the superuser.
chown root:root /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau
cp /opt/bitnami/apache/htdocs/src/Config/Logging/desertedchateau /etc/logrotate.d/desertedchateau
Step 8: Update APT, PECL, and PHPRedis
YAML is required for PHPRedis to function properly.
sudo apt-get update
sudo pecl channel-update pecl.php.net
sudo pecl install redis
sudo apt-get install libyaml-dev
sudo pecl install yaml
Step 10: Update AWS security groups to allow this Lightsail server to access RDS/Redis
VPC peering alone is not enough here: the Lightsail server is not a member of the security group that the other AWS resources use, and that group's "allow all" rule only applies to traffic originating from members of the group.
Update the security group's inbound rules to allow TCP ports 3306 (MariaDB) and 6379 (Redis) from your webserver's private IP (and the private IPs of all the other webservers you have). These IPs are shown in the Lightsail console.
Step 11: Add IPTables restrictions (only for test environments)
Use iptables-script.sh to apply an IP allow list containing your own IP address and all current Stripe IP addresses.